org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier Java Examples

The following examples show how to use org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier. Each example names the source file and the project it was taken from.
Example #1
Source File: ClientRMService.java    From big-c with Apache License 2.0
/**
 * Cancels the RM delegation token carried in {@code request} on behalf of the
 * calling user.
 *
 * <p>The call is refused unless {@code isAllowedDelegationTokenOp()} returns
 * true; per the error message thrown here, only Kerberos-authenticated callers
 * pass. The canceller name comes from the server-side
 * {@code UserGroupInformation}, never from the request body. Whether that user
 * may cancel this particular token is decided inside
 * {@code rmDTSecretManager.cancelToken}, which is not visible here.
 *
 * @param request wire-format request holding the token to cancel
 * @return an empty {@code CancelDelegationTokenResponse} record on success
 * @throws YarnException wrapping any {@code IOException} raised by the
 *         authentication check or by the secret manager
 */
@Override
public CancelDelegationTokenResponse cancelDelegationToken(
    CancelDelegationTokenRequest request) throws YarnException {
  try {
    if (!isAllowedDelegationTokenOp()) {
      throw new IOException(
          "Delegation Token can be cancelled only with kerberos authentication");
    }

    // Rebuild the Hadoop security token from the YARN wire record.
    // NOTE(review): ByteBuffer.array() returns the whole backing array and
    // ignores position/limit; presumably these buffers are exactly sized,
    // confirm against the record implementation.
    final org.apache.hadoop.yarn.api.records.Token wireToken =
        request.getDelegationToken();
    final byte[] identifierBytes = wireToken.getIdentifier().array();
    final byte[] passwordBytes = wireToken.getPassword().array();
    final Text kind = new Text(wireToken.getKind());
    final Text service = new Text(wireToken.getService());
    final Token<RMDelegationTokenIdentifier> securityToken =
        new Token<RMDelegationTokenIdentifier>(
            identifierBytes, passwordBytes, kind, service);

    // The canceller is the authenticated caller, not a client-supplied name.
    final String canceller = UserGroupInformation.getCurrentUser().getUserName();
    rmDTSecretManager.cancelToken(securityToken, canceller);
    return Records.newRecord(CancelDelegationTokenResponse.class);
  } catch (IOException e) {
    throw RPCUtil.getRemoteException(e);
  }
}
 
Example #2
Source File: StramClientUtils.java    From attic-apex-core with Apache License 2.0
/**
 * Fetches a ResourceManager delegation token for {@code renewer} and stores it
 * in {@code credentials} under the token's own service name.
 *
 * <p>With RM HA enabled the service name is built by {@code getRMHAToken};
 * otherwise it is derived from the single configured RM address.
 *
 * @param renewer name passed to the RM as the token's renewer
 * @param credentials credential set that receives the token
 * @throws IOException propagated from the RM client or the conversion
 * @throws YarnException propagated from the RM client
 */
public void addRMDelegationToken(final String renewer, final Credentials credentials) throws IOException, YarnException
{
  final org.apache.hadoop.yarn.api.records.Token yarnToken = clientRM.getRMDelegationToken(new Text(renewer));

  // TODO: Use the utility method getRMDelegationTokenService in ClientRMProxy to remove the separate handling of
  // TODO: HA and non-HA cases when hadoop dependency is changed to hadoop 2.4 or above
  final Token<RMDelegationTokenIdentifier> token;
  if (!ConfigUtils.isRMHAEnabled(conf)) {
    LOG.info("Yarn Resource Manager HA is not enabled");
    final InetSocketAddress singleRmAddress = conf.getSocketAddr(YarnConfiguration.RM_ADDRESS,
        YarnConfiguration.DEFAULT_RM_ADDRESS,
        YarnConfiguration.DEFAULT_RM_PORT);

    token = ConverterUtils.convertFromYarn(yarnToken, singleRmAddress);
  } else {
    LOG.info("Yarn Resource Manager HA is enabled");
    token = getRMHAToken(yarnToken);
  }

  // NOTE(review): this writes the token's string form to the INFO log. Confirm that
  // Token#toString() in the Hadoop version in use prints only kind, service and
  // identifier, never the password bytes, before these logs are shipped off-host.
  LOG.info("RM dt {}", token);

  credentials.addToken(token.getService(), token);
}
 
Example #3
Source File: RMDelegationTokenSecretManager.java    From hadoop with Apache License 2.0
/**
 * Restores this secret manager from persisted ResourceManager state: master
 * keys, the delegation-token sequence number, and every stored token together
 * with its renew date.
 *
 * @param rmState recovered RM state holding the secret-manager section
 * @throws Exception propagated from {@code addKey} or
 *         {@code addPersistedDelegationToken}
 */
@Override
public void recover(RMState rmState) throws Exception {

  LOG.info("recovering RMDelegationTokenSecretManager.");

  // Master keys are loaded before any token.
  // NOTE(review): presumably addPersistedDelegationToken needs the matching
  // master key to be present already, so keep this order; confirm.
  for (DelegationKey masterKey
      : rmState.getRMDTSecretManagerState().getMasterKeyState()) {
    addKey(masterKey);
  }

  final Map<RMDelegationTokenIdentifier, Long> persistedTokens =
      rmState.getRMDTSecretManagerState().getTokenState();
  // Continue numbering from the persisted value instead of starting over.
  this.delegationTokenSequenceNumber =
      rmState.getRMDTSecretManagerState().getDTSequenceNumber();
  for (Map.Entry<RMDelegationTokenIdentifier, Long> persisted
      : persistedTokens.entrySet()) {
    final RMDelegationTokenIdentifier tokenId = persisted.getKey();
    final Long renewDate = persisted.getValue();
    addPersistedDelegationToken(tokenId, renewDate);
  }
}
 
Example #4
Source File: RMDelegationTokenIdentifierForTest.java    From big-c with Apache License 2.0
/**
 * Builds a test identifier that copies every field of {@code token} and adds
 * an extra {@code message} value on the builder.
 *
 * @param token identifier whose owner, renewer, real user, dates, sequence
 *        number and master key id are copied
 * @param message extra value stored through {@code builder.setMessage}
 */
public RMDelegationTokenIdentifierForTest(RMDelegationTokenIdentifier token,
    String message) {
  // Name fields are copied only when present; each copy is a fresh Text.
  final Text owner = token.getOwner();
  if (owner != null) {
    setOwner(new Text(owner));
  }
  final Text renewer = token.getRenewer();
  if (renewer != null) {
    setRenewer(new Text(renewer));
  }
  final Text realUser = token.getRealUser();
  if (realUser != null) {
    setRealUser(new Text(realUser));
  }

  // Scalar fields are copied unconditionally.
  setIssueDate(token.getIssueDate());
  setMaxDate(token.getMaxDate());
  setSequenceNumber(token.getSequenceNumber());
  setMasterKeyId(token.getMasterKeyId());

  builder.setMessage(message);
}
 
Example #5
Source File: StramClientUtils.java    From Bats with Apache License 2.0
/**
 * Obtains a ResourceManager delegation token for {@code renewer} and adds it
 * to {@code credentials}, keyed by the token's service name.
 *
 * <p>The service name comes from {@code getRMHAToken} when RM HA is enabled
 * and from the single configured RM address otherwise.
 *
 * @param renewer name passed to the RM as the token's renewer
 * @param credentials credential set that receives the token
 * @throws IOException propagated from the RM client or the conversion
 * @throws YarnException propagated from the RM client
 */
public void addRMDelegationToken(final String renewer, final Credentials credentials) throws IOException, YarnException
{
  final org.apache.hadoop.yarn.api.records.Token fetched = clientRM.getRMDelegationToken(new Text(renewer));

  // TODO: Use the utility method getRMDelegationTokenService in ClientRMProxy to remove the separate handling of
  // TODO: HA and non-HA cases when hadoop dependency is changed to hadoop 2.4 or above
  final boolean haEnabled = ConfigUtils.isRMHAEnabled(conf);
  final Token<RMDelegationTokenIdentifier> token;
  if (haEnabled) {
    LOG.info("Yarn Resource Manager HA is enabled");
    token = getRMHAToken(fetched);
  } else {
    LOG.info("Yarn Resource Manager HA is not enabled");
    final InetSocketAddress rmSocketAddress = conf.getSocketAddr(YarnConfiguration.RM_ADDRESS,
        YarnConfiguration.DEFAULT_RM_ADDRESS,
        YarnConfiguration.DEFAULT_RM_PORT);

    token = ConverterUtils.convertFromYarn(fetched, rmSocketAddress);
  }

  // NOTE(review): the token's string form goes to the INFO log. Confirm that
  // Token#toString() in the Hadoop version in use omits the password bytes.
  LOG.info("RM dt {}", token);

  credentials.addToken(token.getService(), token);
}
 
Example #6
Source File: MemoryRMStateStore.java    From big-c with Apache License 2.0
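/**
 * Records {@code rmDTIdentifier} with its renew date in the in-memory token
 * map and, for a first-time store, advances the saved sequence number.
 *
 * <p>An identifier that is already present is rejected even when
 * {@code isUpdate} is true, so a caller performing an update has to remove
 * the old entry first.
 *
 * @param rmDTIdentifier identifier used as the map key
 * @param renewDate renew date stored as the map value
 * @param isUpdate {@code true} to leave the saved sequence number untouched
 * @throws Exception an {@code IOException} when the identifier is already
 *         stored
 */
private void storeOrUpdateRMDT(RMDelegationTokenIdentifier rmDTIdentifier,
    Long renewDate, boolean isUpdate) throws Exception {
  Map<RMDelegationTokenIdentifier, Long> rmDTState =
      state.rmSecretManagerState.getTokenState();
  if (rmDTState.containsKey(rmDTIdentifier)) {
    // The message previously ran the identifier straight into "is" because
    // the separating space was missing; that made the line hard to search
    // for when reviewing logs.
    IOException e = new IOException("RMDelegationToken: " + rmDTIdentifier
        + " is already stored.");
    LOG.info("Error storing info for RMDelegationToken: " + rmDTIdentifier, e);
    throw e;
  }
  rmDTState.put(rmDTIdentifier, renewDate);
  if (!isUpdate) {
    // Only a new token moves the persisted sequence number.
    state.rmSecretManagerState.dtSequenceNumber =
        rmDTIdentifier.getSequenceNumber();
  }
  LOG.info("Store RMDT with sequence number "
           + rmDTIdentifier.getSequenceNumber());
}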
 
Example #7
Source File: ZKRMStateStore.java    From hadoop with Apache License 2.0
/**
 * Deletes the znode that stores {@code rmDTIdentifier}, if it exists.
 *
 * <p>The znode path is built from the configured root, a fixed prefix and the
 * identifier's integer sequence number only; no owner or renewer text from
 * the identifier reaches the path.
 *
 * @param rmDTIdentifier identifier whose stored state is removed
 * @throws Exception propagated from the ZooKeeper helpers
 */
@Override
protected synchronized void removeRMDelegationTokenState(
    RMDelegationTokenIdentifier rmDTIdentifier) throws Exception {
  final int sequenceNumber = rmDTIdentifier.getSequenceNumber();
  final String tokenZnode =
      getNodePath(delegationTokensRootPath, DELEGATION_TOKEN_PREFIX
          + sequenceNumber);
  if (LOG.isDebugEnabled()) {
    LOG.debug("Removing RMDelegationToken_"
        + sequenceNumber);
  }

  // A missing znode is not an error; it is only noted at debug level.
  if (existsWithRetries(tokenZnode, false) == null) {
    LOG.debug("Attempted to delete a non-existing znode " + tokenZnode);
    return;
  }

  // Version -1 makes the delete match whatever version the znode has.
  final ArrayList<Op> deleteOps = new ArrayList<Op>();
  deleteOps.add(Op.delete(tokenZnode, -1));
  doDeleteMultiWithRetries(deleteOps);
}
 
Example #8
Source File: ZKRMStateStore.java    From hadoop with Apache License 2.0
/**
 * Writes the new renew date for {@code rmDTIdentifier} to ZooKeeper.
 *
 * <p>When the token's znode is missing, the token is stored as if it were new
 * (create plus sequence-number write) instead of failing the update.
 *
 * @param rmDTIdentifier identifier whose stored state is refreshed
 * @param renewDate renew date to persist
 * @throws Exception propagated from the ZooKeeper helpers
 */
@Override
protected synchronized void updateRMDelegationTokenState(
    RMDelegationTokenIdentifier rmDTIdentifier, Long renewDate)
    throws Exception {
  final String tokenZnode =
      getNodePath(delegationTokensRootPath, DELEGATION_TOKEN_PREFIX
          + rmDTIdentifier.getSequenceNumber());
  final ArrayList<Op> pendingOps = new ArrayList<Op>();

  // The existence check selects between an in-place update and a fresh store.
  final boolean znodeExists = existsWithRetries(tokenZnode, false) != null;
  addStoreOrUpdateOps(pendingOps, rmDTIdentifier, renewDate, znodeExists);
  if (!znodeExists) {
    LOG.debug("Attempted to update a non-existing znode " + tokenZnode);
  }

  doStoreMultiWithRetries(pendingOps);
}
 
Example #9
Source File: MemoryRMStateStore.java    From hadoop with Apache License 2.0
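/**
 * Adds {@code rmDTIdentifier} and its renew date to the in-memory token map;
 * a first-time store also advances the saved sequence number.
 *
 * <p>The method refuses an identifier that is already in the map regardless
 * of {@code isUpdate}, so the old entry must be removed before an update.
 *
 * @param rmDTIdentifier identifier used as the map key
 * @param renewDate renew date stored as the map value
 * @param isUpdate {@code true} to leave the saved sequence number untouched
 * @throws Exception an {@code IOException} when the identifier is already
 *         stored
 */
private void storeOrUpdateRMDT(RMDelegationTokenIdentifier rmDTIdentifier,
    Long renewDate, boolean isUpdate) throws Exception {
  Map<RMDelegationTokenIdentifier, Long> rmDTState =
      state.rmSecretManagerState.getTokenState();
  if (rmDTState.containsKey(rmDTIdentifier)) {
    // A space was missing before "is", which glued the identifier text to
    // the rest of the message in logs and remote exceptions.
    IOException e = new IOException("RMDelegationToken: " + rmDTIdentifier
        + " is already stored.");
    LOG.info("Error storing info for RMDelegationToken: " + rmDTIdentifier, e);
    throw e;
  }
  rmDTState.put(rmDTIdentifier, renewDate);
  if (!isUpdate) {
    // Only a new token moves the persisted sequence number.
    state.rmSecretManagerState.dtSequenceNumber =
        rmDTIdentifier.getSequenceNumber();
  }
  LOG.info("Store RMDT with sequence number "
           + rmDTIdentifier.getSequenceNumber());
}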
 
Example #10
Source File: StramClientUtils.java    From attic-apex-core with Apache License 2.0
/**
 * Converts a YARN delegation-token record into a Hadoop security token whose
 * service name lists every configured HA ResourceManager, comma separated.
 *
 * @param rmDelegationToken token record returned by the RM
 * @return a token with the same identifier, password and kind, and the
 *         combined HA service name
 */
private Token<RMDelegationTokenIdentifier> getRMHAToken(org.apache.hadoop.yarn.api.records.Token rmDelegationToken)
{
  // One token-service entry per configured RM id; joined below into one name.
  final ArrayList<String> rmServices = new ArrayList<>();
  for (final String haRmId : ConfigUtils.getRMHAIds(conf)) {
    LOG.info("Yarn Resource Manager id: {}", haRmId);
    // The per-id address lookup is delegated to getRMHAAddress.
    final String rmService = SecurityUtil.buildTokenService(getRMHAAddress(haRmId)).toString();
    rmServices.add(rmService);
  }
  final Text combinedService = new Text(Joiner.on(',').join(rmServices));

  // NOTE(review): ByteBuffer.array() returns the whole backing array and ignores
  // position/limit; presumably the record's buffers are exactly sized, confirm.
  final byte[] identifierBytes = rmDelegationToken.getIdentifier().array();
  final byte[] passwordBytes = rmDelegationToken.getPassword().array();
  final Text kind = new Text(rmDelegationToken.getKind());
  return new Token<>(identifierBytes, passwordBytes, kind, combinedService);
}
 
Example #11
Source File: TestRMWebServicesDelegationTokens.java    From hadoop with Apache License 2.0
/**
 * Asserts that the RM no longer accepts the given token: verification must
 * throw {@code InvalidToken} and the secret manager must not list the
 * identifier any more.
 *
 * @param encodedToken URL-string form of the token that was cancelled
 * @throws Exception on decode failures or unexpected verification errors
 */
private void assertTokenCancelled(String encodedToken) throws Exception {
  final Token<RMDelegationTokenIdentifier> decoded =
      new Token<RMDelegationTokenIdentifier>();
  decoded.decodeFromUrlString(encodedToken);
  final RMDelegationTokenIdentifier tokenId = rm.getRMContext()
    .getRMDelegationTokenSecretManager().decodeTokenIdentifier(decoded);

  // Check 1: the password must no longer verify.
  boolean rejected;
  try {
    rm.getRMContext().getRMDelegationTokenSecretManager()
      .verifyToken(tokenId, decoded.getPassword());
    rejected = false;
  } catch (InvalidToken expected) {
    rejected = true;
  }
  assertTrue("InvalidToken exception not thrown", rejected);

  // Check 2: the identifier must be gone from the live token table.
  final boolean stillTracked = rm.getRMContext()
    .getRMDelegationTokenSecretManager().getAllTokens().containsKey(tokenId);
  assertFalse(stillTracked);
}
 
Example #12
Source File: TestClientRMService.java    From big-c with Apache License 2.0
/**
 * Creates a delegation token owned by {@code owner} with {@code renewer} as
 * its renewer, then asks a fresh {@code ClientRMService} to renew it.
 *
 * <p>The helper asserts nothing itself; the outcome is whatever
 * {@code renewDelegationToken} returns or throws.
 *
 * @param owner user recorded as the token owner
 * @param renewer user recorded as the token renewer
 * @throws IOException propagated from token creation or renewal
 * @throws YarnException propagated from the renewal call
 */
private void checkTokenRenewal(UserGroupInformation owner,
    UserGroupInformation renewer) throws IOException, YarnException {
  final Text ownerName = new Text(owner.getUserName());
  final Text renewerName = new Text(renewer.getUserName());
  // Third constructor argument (real user) is left null.
  final RMDelegationTokenIdentifier id =
      new RMDelegationTokenIdentifier(ownerName, renewerName, null);
  // dtsm is passed to the Token constructor together with the identifier.
  final Token<?> issued = new Token<RMDelegationTokenIdentifier>(id, dtsm);

  final org.apache.hadoop.yarn.api.records.Token wireToken =
      BuilderUtils.newDelegationToken(
          issued.getIdentifier(), issued.getKind().toString(),
          issued.getPassword(), issued.getService().toString());
  final RenewDelegationTokenRequest renewRequest =
      Records.newRecord(RenewDelegationTokenRequest.class);
  renewRequest.setDelegationToken(wireToken);

  // Only the RM context (mocked) and the secret manager are supplied.
  final ClientRMService service = new ClientRMService(
      mock(RMContext.class), null, null, null, null, dtsm);
  service.renewDelegationToken(renewRequest);
}
 
Example #13
Source File: TestClientRMService.java    From big-c with Apache License 2.0
/**
 * Creates a delegation token owned by {@code owner} with {@code renewer} as
 * its renewer, then asks {@code rmService} to cancel it.
 *
 * <p>The helper asserts nothing itself; the outcome is whatever
 * {@code cancelDelegationToken} returns or throws for the current caller.
 *
 * @param rmService service under test
 * @param owner user recorded as the token owner
 * @param renewer user recorded as the token renewer
 * @throws IOException propagated from token creation or cancellation
 * @throws YarnException propagated from the cancellation call
 */
private void checkTokenCancellation(ClientRMService rmService,
    UserGroupInformation owner, UserGroupInformation renewer)
    throws IOException, YarnException {
  final Text ownerName = new Text(owner.getUserName());
  final Text renewerName = new Text(renewer.getUserName());
  // Third constructor argument (real user) is left null.
  final RMDelegationTokenIdentifier id =
      new RMDelegationTokenIdentifier(ownerName, renewerName, null);
  final Token<?> issued = new Token<RMDelegationTokenIdentifier>(id, dtsm);

  final org.apache.hadoop.yarn.api.records.Token wireToken =
      BuilderUtils.newDelegationToken(
          issued.getIdentifier(), issued.getKind().toString(),
          issued.getPassword(), issued.getService().toString());
  final CancelDelegationTokenRequest cancelRequest =
      Records.newRecord(CancelDelegationTokenRequest.class);
  cancelRequest.setDelegationToken(wireToken);

  rmService.cancelDelegationToken(cancelRequest);
}
 
Example #14
Source File: RMDelegationTokenSecretManager.java    From big-c with Apache License 2.0
/**
 * Reloads master keys, the token sequence number and all persisted delegation
 * tokens from recovered ResourceManager state.
 *
 * @param rmState recovered RM state holding the secret-manager section
 * @throws Exception propagated from {@code addKey} or
 *         {@code addPersistedDelegationToken}
 */
@Override
public void recover(RMState rmState) throws Exception {

  LOG.info("recovering RMDelegationTokenSecretManager.");

  // Step 1: master keys.
  // NOTE(review): tokens are added only after all keys; presumably
  // addPersistedDelegationToken looks the key up, so keep this order; confirm.
  for (DelegationKey recoveredKey
      : rmState.getRMDTSecretManagerState().getMasterKeyState()) {
    addKey(recoveredKey);
  }

  // Step 2: sequence number and tokens with their renew dates.
  final Map<RMDelegationTokenIdentifier, Long> recoveredTokens =
      rmState.getRMDTSecretManagerState().getTokenState();
  this.delegationTokenSequenceNumber =
      rmState.getRMDTSecretManagerState().getDTSequenceNumber();
  for (Map.Entry<RMDelegationTokenIdentifier, Long> recovered
      : recoveredTokens.entrySet()) {
    final RMDelegationTokenIdentifier tokenId = recovered.getKey();
    final Long renewDate = recovered.getValue();
    addPersistedDelegationToken(tokenId, renewDate);
  }
}
 
Example #15
Source File: ClientRMService.java    From big-c with Apache License 2.0
/**
 * Renews the RM delegation token carried in {@code request} and reports its
 * next expiration time.
 *
 * <p>The call is refused unless {@code isAllowedDelegationTokenOp()} returns
 * true; per the error message thrown here, only Kerberos-authenticated callers
 * pass. The renewer name is produced by {@code getRenewerForToken} (not shown
 * here), and {@code rmDTSecretManager.renewToken} makes the final decision.
 *
 * @param request wire-format request holding the token to renew
 * @return a response carrying the next expiration time
 * @throws YarnException wrapping any {@code IOException} raised by the
 *         authentication check or by the secret manager
 */
@Override
public RenewDelegationTokenResponse renewDelegationToken(
    RenewDelegationTokenRequest request) throws YarnException {
  try {
    if (!isAllowedDelegationTokenOp()) {
      throw new IOException(
          "Delegation Token can be renewed only with kerberos authentication");
    }

    // Rebuild the Hadoop security token from the YARN wire record.
    // NOTE(review): ByteBuffer.array() returns the whole backing array and
    // ignores position/limit; presumably these buffers are exactly sized,
    // confirm against the record implementation.
    final org.apache.hadoop.yarn.api.records.Token wireToken =
        request.getDelegationToken();
    final byte[] identifierBytes = wireToken.getIdentifier().array();
    final byte[] passwordBytes = wireToken.getPassword().array();
    final Text kind = new Text(wireToken.getKind());
    final Text service = new Text(wireToken.getService());
    final Token<RMDelegationTokenIdentifier> securityToken =
        new Token<RMDelegationTokenIdentifier>(
            identifierBytes, passwordBytes, kind, service);

    final String renewingUser = getRenewerForToken(securityToken);
    final long nextExpiration =
        rmDTSecretManager.renewToken(securityToken, renewingUser);

    final RenewDelegationTokenResponse response =
        Records.newRecord(RenewDelegationTokenResponse.class);
    response.setNextExpirationTime(nextExpiration);
    return response;
  } catch (IOException e) {
    throw RPCUtil.getRemoteException(e);
  }
}
 
Example #16
Source File: ZKRMStateStore.java    From hadoop with Apache License 2.0
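/**
 * Appends to {@code opList} the ZooKeeper operations that persist one RM
 * delegation token.
 *
 * <p>An update overwrites the token's existing znode. A store creates the
 * znode with {@code zkAcl} and also overwrites the sequence-number znode with
 * the identifier's sequence number. Nothing is sent to ZooKeeper here; the
 * caller submits the list.
 *
 * @param opList list that receives the operations
 * @param rmDTIdentifier identifier to persist; its sequence number names the
 *        znode
 * @param renewDate renew date persisted with the identifier
 * @param isUpdate {@code true} to overwrite an existing znode, {@code false}
 *        to create a new one
 * @throws Exception propagated from serialization or path construction
 */
private void addStoreOrUpdateOps(ArrayList<Op> opList,
    RMDelegationTokenIdentifier rmDTIdentifier, Long renewDate,
    boolean isUpdate) throws Exception {
  // store RM delegation token
  String nodeCreatePath =
      getNodePath(delegationTokensRootPath, DELEGATION_TOKEN_PREFIX
          + rmDTIdentifier.getSequenceNumber());
  ByteArrayOutputStream seqOs = new ByteArrayOutputStream();
  DataOutputStream seqOut = new DataOutputStream(seqOs);
  RMDelegationTokenIdentifierData identifierData =
      new RMDelegationTokenIdentifierData(rmDTIdentifier, renewDate);
  try {
    if (LOG.isDebugEnabled()) {
      // The labels used to be swapped ("Storing" was printed for updates and
      // "Updating" for stores), which misleads anyone reconstructing token
      // history from debug logs.
      LOG.debug((isUpdate ? "Updating " : "Storing ") + "RMDelegationToken_" +
          rmDTIdentifier.getSequenceNumber());
    }

    if (isUpdate) {
      // Version -1 makes setData match whatever version the znode has.
      opList.add(Op.setData(nodeCreatePath, identifierData.toByteArray(), -1));
    } else {
      opList.add(Op.create(nodeCreatePath, identifierData.toByteArray(), zkAcl,
          CreateMode.PERSISTENT));
      // Update Sequence number only while storing DT
      seqOut.writeInt(rmDTIdentifier.getSequenceNumber());
      if (LOG.isDebugEnabled()) {
        // isUpdate is always false in this branch, so the old conditional
        // always chose "Updating "; the sequence-number znode is overwritten,
        // so that word is kept as a plain literal.
        LOG.debug("Updating " +
                  dtSequenceNumberPath + ". SequenceNumber: "
                  + rmDTIdentifier.getSequenceNumber());
      }
      opList.add(Op.setData(dtSequenceNumberPath, seqOs.toByteArray(), -1));
    }
  } finally {
    // Closing the wrapper also closes the underlying byte buffer.
    seqOut.close();
  }
}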
 
Example #17
Source File: LeveldbRMStateStore.java    From hadoop with Apache License 2.0
/**
 * Persists one RM delegation token to the LevelDB store and, for a new token,
 * the latest sequence number as well.
 *
 * <p>Both records are placed in the same write batch and submitted with one
 * {@code db.write} call.
 *
 * @param tokenId identifier to persist
 * @param renewDate renew date persisted with the identifier
 * @param isUpdate {@code true} to skip the sequence-number record
 * @throws IOException on serialization failure, or wrapping a
 *         {@code DBException} from the store
 */
private void storeOrUpdateRMDT(RMDelegationTokenIdentifier tokenId,
    Long renewDate, boolean isUpdate) throws IOException {
  final String dbKey = getRMDTTokenNodeKey(tokenId);
  final RMDelegationTokenIdentifierData serialized =
      new RMDelegationTokenIdentifierData(tokenId, renewDate);
  if (LOG.isDebugEnabled()) {
    LOG.debug("Storing token to " + dbKey);
  }
  try {
    final WriteBatch pendingWrites = db.createWriteBatch();
    try {
      pendingWrites.put(bytes(dbKey), serialized.toByteArray());
      if (!isUpdate) {
        // Sequence number is stored as a 4-byte int written by DataOutputStream.
        final ByteArrayOutputStream seqBuffer = new ByteArrayOutputStream();
        try (DataOutputStream seqWriter = new DataOutputStream(seqBuffer)) {
          seqWriter.writeInt(tokenId.getSequenceNumber());
        }
        if (LOG.isDebugEnabled()) {
          LOG.debug("Storing " + tokenId.getSequenceNumber() + " to "
              + RM_DT_SEQUENCE_NUMBER_KEY);
        }
        pendingWrites.put(bytes(RM_DT_SEQUENCE_NUMBER_KEY), seqBuffer.toByteArray());
      }
      db.write(pendingWrites);
    } finally {
      // The batch is released whether or not the write succeeded.
      pendingWrites.close();
    }
  } catch (DBException e) {
    throw new IOException(e);
  }
}
 
Example #18
Source File: LeveldbRMStateStore.java    From big-c with Apache License 2.0
/**
 * Writes one RM delegation token to the LevelDB store; a new token also
 * records the latest sequence number in the same write batch.
 *
 * @param tokenId identifier to persist
 * @param renewDate renew date persisted with the identifier
 * @param isUpdate {@code true} to skip the sequence-number record
 * @throws IOException on serialization failure, or wrapping a
 *         {@code DBException} from the store
 */
private void storeOrUpdateRMDT(RMDelegationTokenIdentifier tokenId,
    Long renewDate, boolean isUpdate) throws IOException {
  final String recordKey = getRMDTTokenNodeKey(tokenId);
  final RMDelegationTokenIdentifierData record =
      new RMDelegationTokenIdentifierData(tokenId, renewDate);
  if (LOG.isDebugEnabled()) {
    LOG.debug("Storing token to " + recordKey);
  }
  try {
    final WriteBatch writeBatch = db.createWriteBatch();
    try {
      writeBatch.put(bytes(recordKey), record.toByteArray());
      if (!isUpdate) {
        // The sequence number is encoded as a 4-byte int.
        final ByteArrayOutputStream encodedSeq = new ByteArrayOutputStream();
        try (DataOutputStream seqOut = new DataOutputStream(encodedSeq)) {
          seqOut.writeInt(tokenId.getSequenceNumber());
        }
        if (LOG.isDebugEnabled()) {
          LOG.debug("Storing " + tokenId.getSequenceNumber() + " to "
              + RM_DT_SEQUENCE_NUMBER_KEY);
        }
        writeBatch.put(bytes(RM_DT_SEQUENCE_NUMBER_KEY), encodedSeq.toByteArray());
      }
      // Token record and sequence number are submitted in one write call.
      db.write(writeBatch);
    } finally {
      writeBatch.close();
    }
  } catch (DBException e) {
    throw new IOException(e);
  }
}
 
Example #19
Source File: MemoryRMStateStore.java    From hadoop with Apache License 2.0
/**
 * Replaces the stored renew date of {@code rmDTIdentifier} by removing the
 * old entry and storing the identifier again in update mode.
 *
 * @param rmDTIdentifier identifier whose entry is replaced
 * @param renewDate new renew date
 * @throws Exception propagated from the remove or store step
 */
@Override
protected synchronized void updateRMDelegationTokenState(
    RMDelegationTokenIdentifier rmDTIdentifier, Long renewDate)
    throws Exception {
  // Remove first, then store with isUpdate=true.
  // NOTE(review): presumably storeOrUpdateRMDT rejects an identifier that is
  // still present, which is why the remove comes first; confirm in that method.
  removeRMDelegationTokenState(rmDTIdentifier);
  storeOrUpdateRMDT(rmDTIdentifier, renewDate, true);

  final String updatedMessage = "Update RMDT with sequence number "
      + rmDTIdentifier.getSequenceNumber();
  LOG.info(updatedMessage);
}
 
Example #20
Source File: TestRMWebServicesDelegationTokens.java    From big-c with Apache License 2.0
/**
 * Posts two token-creation requests to {@code ws/v1/cluster/delegation-token}
 * inside {@code KerberosTestUtils.doAsClient} and checks the tokens returned.
 *
 * <p>The first request sends {@code reqBody} and expects the decoded token to
 * name {@code renUser} as renewer. The second sends an empty
 * {@code DelegationToken} entity and expects an empty renewer. Both tokens
 * must also pass {@code assertValidRMToken}.
 *
 * @param mType media type used for the request entity
 * @param cType value passed to {@code accept(...)} for the response
 * @param reqBody request body of the first POST
 * @param renUser renewer expected in the first token
 * @throws Exception propagated from the Kerberos helper or the assertions
 */
private void verifyKerberosAuthCreate(String mType, String cType,
    String reqBody, String renUser) throws Exception {
  // Final copies so the anonymous Callable below can capture them.
  final String mediaType = mType;
  final String contentType = cType;
  final String body = reqBody;
  final String renewer = renUser;
  KerberosTestUtils.doAsClient(new Callable<Void>() {
    @Override
    public Void call() throws Exception {
      // First request: explicit body, renewer expected in the issued token.
      ClientResponse response =
          resource().path("ws").path("v1").path("cluster")
            .path("delegation-token").accept(contentType)
            .entity(body, mediaType).post(ClientResponse.class);
      assertEquals(Status.OK, response.getClientResponseStatus());
      DelegationToken tok = getDelegationTokenFromResponse(response);
      assertFalse(tok.getToken().isEmpty());
      Token<RMDelegationTokenIdentifier> token =
          new Token<RMDelegationTokenIdentifier>();
      token.decodeFromUrlString(tok.getToken());
      assertEquals(renewer, token.decodeIdentifier().getRenewer().toString());
      assertValidRMToken(tok.getToken());
      // Second request: empty DelegationToken entity, so no renewer is named.
      DelegationToken dtoken = new DelegationToken();
      response =
          resource().path("ws").path("v1").path("cluster")
            .path("delegation-token").accept(contentType)
            .entity(dtoken, mediaType).post(ClientResponse.class);
      assertEquals(Status.OK, response.getClientResponseStatus());
      tok = getDelegationTokenFromResponse(response);
      assertFalse(tok.getToken().isEmpty());
      token = new Token<RMDelegationTokenIdentifier>();
      token.decodeFromUrlString(tok.getToken());
      // A token is still issued; its renewer field is the empty string.
      assertEquals("", token.decodeIdentifier().getRenewer().toString());
      assertValidRMToken(tok.getToken());
      return null;
    }
  });
}
 
Example #21
Source File: ZKRMStateStore.java    From big-c with Apache License 2.0
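/**
 * Adds to {@code opList} the ZooKeeper operations needed to persist one RM
 * delegation token.
 *
 * <p>For an update, the token's existing znode is overwritten. For a store,
 * the znode is created with {@code zkAcl} and the sequence-number znode is
 * overwritten with the identifier's sequence number. The operations are only
 * queued here; the caller submits them.
 *
 * @param opList list that receives the operations
 * @param rmDTIdentifier identifier to persist; its sequence number names the
 *        znode
 * @param renewDate renew date persisted with the identifier
 * @param isUpdate {@code true} to overwrite an existing znode, {@code false}
 *        to create a new one
 * @throws Exception propagated from serialization or path construction
 */
private void addStoreOrUpdateOps(ArrayList<Op> opList,
    RMDelegationTokenIdentifier rmDTIdentifier, Long renewDate,
    boolean isUpdate) throws Exception {
  // store RM delegation token
  String nodeCreatePath =
      getNodePath(delegationTokensRootPath, DELEGATION_TOKEN_PREFIX
          + rmDTIdentifier.getSequenceNumber());
  ByteArrayOutputStream seqOs = new ByteArrayOutputStream();
  DataOutputStream seqOut = new DataOutputStream(seqOs);
  RMDelegationTokenIdentifierData identifierData =
      new RMDelegationTokenIdentifierData(rmDTIdentifier, renewDate);
  try {
    if (LOG.isDebugEnabled()) {
      // The two labels were swapped before, so debug logs reported stores as
      // updates and updates as stores.
      LOG.debug((isUpdate ? "Updating " : "Storing ") + "RMDelegationToken_" +
          rmDTIdentifier.getSequenceNumber());
    }

    if (isUpdate) {
      // Version -1 makes setData match whatever version the znode has.
      opList.add(Op.setData(nodeCreatePath, identifierData.toByteArray(), -1));
    } else {
      opList.add(Op.create(nodeCreatePath, identifierData.toByteArray(), zkAcl,
          CreateMode.PERSISTENT));
      // Update Sequence number only while storing DT
      seqOut.writeInt(rmDTIdentifier.getSequenceNumber());
      if (LOG.isDebugEnabled()) {
        // isUpdate is always false in this branch, so the former conditional
        // always produced "Updating "; the literal keeps the same output.
        LOG.debug("Updating " +
                  dtSequenceNumberPath + ". SequenceNumber: "
                  + rmDTIdentifier.getSequenceNumber());
      }
      opList.add(Op.setData(dtSequenceNumberPath, seqOs.toByteArray(), -1));
    }
  } finally {
    // Closing the wrapper also closes the underlying byte buffer.
    seqOut.close();
  }
}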
 
Example #22
Source File: FileSystemRMStateStore.java    From hadoop with Apache License 2.0
/**
 * Writes one RM delegation token to a file under
 * {@code rmDTSecretManagerRoot}; a first-time store also records the latest
 * sequence number.
 *
 * <p>The sequence number is carried in a file name, not in file contents: a
 * marker file is created on first use and renamed on later stores.
 *
 * @param identifier identifier to persist; its sequence number names the file
 * @param renewDate renew date persisted with the identifier
 * @param isUpdate {@code true} to rewrite an existing token file only
 * @throws Exception when the sequence-number marker cannot be created or
 *         renamed, or propagated from the file helpers
 */
private void storeOrUpdateRMDelegationTokenState(
    RMDelegationTokenIdentifier identifier, Long renewDate,
    boolean isUpdate) throws Exception {
  // The file name is the fixed prefix plus the sequence number.
  Path nodeCreatePath =
      getNodePath(rmDTSecretManagerRoot,
        DELEGATION_TOKEN_PREFIX + identifier.getSequenceNumber());
  RMDelegationTokenIdentifierData identifierData =
      new RMDelegationTokenIdentifierData(identifier, renewDate);
  if (isUpdate) {
    LOG.info("Updating RMDelegationToken_" + identifier.getSequenceNumber());
    // NOTE(review): meaning of the trailing 'true' is not visible here; confirm in updateFile.
    updateFile(nodeCreatePath, identifierData.toByteArray(), true);
  } else {
    LOG.info("Storing RMDelegationToken_" + identifier.getSequenceNumber());
    writeFileWithRetries(nodeCreatePath, identifierData.toByteArray(), true);

    // store sequence number
    Path latestSequenceNumberPath = getNodePath(rmDTSecretManagerRoot,
          DELEGATION_TOKEN_SEQUENCE_NUMBER_PREFIX
          + identifier.getSequenceNumber());
    LOG.info("Storing " + DELEGATION_TOKEN_SEQUENCE_NUMBER_PREFIX
        + identifier.getSequenceNumber());
    if (dtSequenceNumberPath == null) {
      // No marker known yet: create one named after this sequence number.
      if (!createFileWithRetries(latestSequenceNumberPath)) {
        throw new Exception("Failed to create " + latestSequenceNumberPath);
      }
    } else {
      // A marker exists: rename it so its name carries the new number.
      if (!renameFileWithRetries(dtSequenceNumberPath,
          latestSequenceNumberPath)) {
        throw new Exception("Failed to rename " + dtSequenceNumberPath);
      }
    }
    // Remember the marker's current path for the next store.
    dtSequenceNumberPath = latestSequenceNumberPath;
  }
}
 
Example #23
Source File: MemoryRMStateStore.java    From big-c with Apache License 2.0
/**
 * Drops {@code rmDTIdentifier} from the in-memory token map.
 *
 * <p>The result of the map removal is ignored, so the INFO line is written
 * whether or not the identifier was present.
 *
 * @param rmDTIdentifier identifier to remove
 * @throws Exception declared by the overridden method
 */
@Override
public synchronized void removeRMDelegationTokenState(
    RMDelegationTokenIdentifier rmDTIdentifier) throws Exception{
  final Map<RMDelegationTokenIdentifier, Long> storedTokens =
      state.rmSecretManagerState.getTokenState();
  storedTokens.remove(rmDTIdentifier);

  final String removedMessage = "Remove RMDT with sequence number "
      + rmDTIdentifier.getSequenceNumber();
  LOG.info(removedMessage);
}
 
Example #24
Source File: RMWebServices.java    From big-c with Apache License 2.0
/**
 * Decodes a URL-string encoded delegation token supplied by a client.
 *
 * <p>This step only parses the encoding. It does not check that the token is
 * genuine or still valid; that has to happen where the token is used. Any
 * decoding failure is reported to the client as a generic bad request, and
 * the underlying exception is neither logged nor attached.
 *
 * @param encodedToken URL-string form of the token
 * @return the decoded token
 * @throws BadRequestException if the string cannot be decoded
 */
private Token<RMDelegationTokenIdentifier> extractToken(String encodedToken) {
  final Token<RMDelegationTokenIdentifier> decoded =
      new Token<RMDelegationTokenIdentifier>();
  try {
    decoded.decodeFromUrlString(encodedToken);
    return decoded;
  } catch (Exception decodeFailure) {
    // Same fixed message for every failure; parser details stay server-side.
    throw new BadRequestException("Could not decode encoded token");
  }
}
 
Example #25
Source File: TestRMRestart.java    From hadoop with Apache License 2.0
/**
 * Checks that a delegation token issued by one ResourceManager is still
 * accepted for application submission by a second ResourceManager started on
 * the same state store.
 *
 * @throws Exception on any setup, submission or wait failure
 */
@Test (timeout = 60000)
public void testAppSubmissionWithOldDelegationTokenAfterRMRestart()
    throws Exception {
  conf.setInt(YarnConfiguration.RM_AM_MAX_ATTEMPTS, 2);
  conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
      "kerberos");
  conf.set(YarnConfiguration.RM_ADDRESS, "localhost:8032");
  // NOTE(review): static call; presumably this changes security settings for
  // every test in the same JVM. Confirm it is reset by the test fixture.
  UserGroupInformation.setConfiguration(conf);
  // Both RMs below share this store, which is how token state carries over.
  MemoryRMStateStore memStore = new MemoryRMStateStore();
  memStore.init(conf);

  MockRM rm1 = new TestSecurityMockRM(conf, memStore);
  rm1.start();

  GetDelegationTokenRequest request1 =
      GetDelegationTokenRequest.newInstance("renewer1");
  // Mark the current user as Kerberos-authenticated before asking for a token.
  UserGroupInformation.getCurrentUser().setAuthenticationMethod(
      AuthMethod.KERBEROS);
  GetDelegationTokenResponse response1 =
      rm1.getClientRMService().getDelegationToken(request1);
  // rmAddr is defined outside this method.
  Token<RMDelegationTokenIdentifier> token1 =
      ConverterUtils.convertFromYarn(response1.getRMDelegationToken(), rmAddr);

  // start new RM
  MockRM rm2 = new TestSecurityMockRM(conf, memStore);
  rm2.start();

  // submit an app with the old delegation token got from previous RM.
  Credentials ts = new Credentials();
  ts.addToken(token1.getService(), token1);
  RMApp app = rm2.submitApp(200, "name", "user",
      new HashMap<ApplicationAccessType, String>(), false, "default", 1, ts);
  rm2.waitForState(app.getApplicationId(), RMAppState.ACCEPTED);
  // NOTE(review): neither rm1 nor rm2 is stopped in this method; confirm the
  // fixture tears them down.
}
 
Example #26
Source File: RMWebServices.java    From hadoop with Apache License 2.0
/**
 * Requests a new RM delegation token as {@code callerUGI} and returns it to
 * the web client in URL-string form.
 *
 * <p>The token rebuilt here includes the password bytes, and its encoded form
 * is placed in the response entity, so the response body has to be treated as
 * a credential. {@code hsr} is not read in this method.
 *
 * @param tokenData request payload; only its renewer is read
 * @param hsr servlet request (unused here)
 * @param callerUGI identity under which the token is requested
 * @return an HTTP 200 response whose entity describes the new token
 * @throws AuthorizationException declared for callers
 * @throws IOException declared for callers
 * @throws InterruptedException declared for callers
 * @throws Exception any failure of the token request, logged and rethrown
 */
private Response createDelegationToken(DelegationToken tokenData,
    HttpServletRequest hsr, UserGroupInformation callerUGI)
    throws AuthorizationException, IOException, InterruptedException,
    Exception {

  final String renewer = tokenData.getRenewer();

  // The RM call runs under the caller's identity, not the web server's.
  GetDelegationTokenResponse tokenResponse;
  try {
    tokenResponse = callerUGI.doAs(
        new PrivilegedExceptionAction<GetDelegationTokenResponse>() {
          @Override
          public GetDelegationTokenResponse run() throws IOException,
              YarnException {
            return rm.getClientRMService().getDelegationToken(
                GetDelegationTokenRequest.newInstance(renewer));
          }
        });
  } catch (Exception e) {
    LOG.info("Create delegation token request failed", e);
    throw e;
  }

  // Convert the YARN record into a Hadoop security token.
  final org.apache.hadoop.yarn.api.records.Token rmToken =
      tokenResponse.getRMDelegationToken();
  final Token<RMDelegationTokenIdentifier> tk =
      new Token<RMDelegationTokenIdentifier>(
          rmToken.getIdentifier().array(), rmToken.getPassword().array(),
          new Text(rmToken.getKind()), new Text(rmToken.getService()));
  final RMDelegationTokenIdentifier identifier = tk.decodeIdentifier();
  final long currentExpiration =
      rm.getRMContext().getRMDelegationTokenSecretManager()
        .getRenewDate(identifier);

  final String encodedToken = tk.encodeToUrlString();
  final String owner = identifier.getOwner().toString();
  final String kind = tk.getKind().toString();
  final DelegationToken respToken =
      new DelegationToken(encodedToken, renewer, owner, kind,
          currentExpiration, identifier.getMaxDate());
  return Response.status(Status.OK).entity(respToken).build();
}
 
Example #27
Source File: RMDelegationTokenIdentifierData.java    From hadoop with Apache License 2.0
/**
 * Deserializes the token identifier held in {@code builder} into a new
 * {@code RMDelegationTokenIdentifier}.
 *
 * @return a freshly populated identifier
 * @throws IOException if {@code readFields} cannot parse the stored bytes
 */
public RMDelegationTokenIdentifier getTokenIdentifier() throws IOException {
  final byte[] serialized = builder.getTokenIdentifier().toByteArray();
  final RMDelegationTokenIdentifier identifier =
      new RMDelegationTokenIdentifier();
  // The streams wrap an in-memory array only; no external resource is held.
  final DataInputStream in =
      new DataInputStream(new ByteArrayInputStream(serialized));
  identifier.readFields(in);
  return identifier;
}
 
Example #28
Source File: TestRMWebServicesDelegationTokens.java    From hadoop with Apache License 2.0
/**
 * Asserts that the RM accepts the given token: {@code verifyToken} must not
 * throw, and the secret manager must list the identifier.
 *
 * @param encodedToken URL-string form of the token to check
 * @throws IOException on decode failure or if verification throws
 */
private void assertValidRMToken(String encodedToken) throws IOException {
  final Token<RMDelegationTokenIdentifier> decoded =
      new Token<RMDelegationTokenIdentifier>();
  decoded.decodeFromUrlString(encodedToken);
  final RMDelegationTokenIdentifier tokenId = rm.getRMContext()
    .getRMDelegationTokenSecretManager().decodeTokenIdentifier(decoded);

  // Check 1: verification against the supplied password completes normally.
  rm.getRMContext().getRMDelegationTokenSecretManager()
    .verifyToken(tokenId, decoded.getPassword());

  // Check 2: the identifier is present in the live token table.
  final boolean tracked = rm.getRMContext()
    .getRMDelegationTokenSecretManager().getAllTokens().containsKey(tokenId);
  assertTrue(tracked);
}
 
Example #29
Source File: TestRMWebServicesDelegationTokens.java    From hadoop with Apache License 2.0
/**
 * Runs two token-creation POSTs against
 * {@code ws/v1/cluster/delegation-token} inside
 * {@code KerberosTestUtils.doAsClient} and validates each returned token.
 *
 * <p>The first POST carries {@code reqBody} and must yield a token whose
 * renewer equals {@code renUser}; the second carries an empty
 * {@code DelegationToken} and must yield a token with an empty renewer.
 *
 * @param mType media type used for the request entity
 * @param cType value passed to {@code accept(...)} for the response
 * @param reqBody request body of the first POST
 * @param renUser renewer expected in the first token
 * @throws Exception propagated from the Kerberos helper or the assertions
 */
private void verifyKerberosAuthCreate(String mType, String cType,
    String reqBody, String renUser) throws Exception {
  // Final copies so the anonymous Callable below can capture them.
  final String mediaType = mType;
  final String contentType = cType;
  final String body = reqBody;
  final String renewer = renUser;
  KerberosTestUtils.doAsClient(new Callable<Void>() {
    @Override
    public Void call() throws Exception {
      // First request: explicit body, renewer expected in the issued token.
      ClientResponse response =
          resource().path("ws").path("v1").path("cluster")
            .path("delegation-token").accept(contentType)
            .entity(body, mediaType).post(ClientResponse.class);
      assertEquals(Status.OK, response.getClientResponseStatus());
      DelegationToken tok = getDelegationTokenFromResponse(response);
      assertFalse(tok.getToken().isEmpty());
      Token<RMDelegationTokenIdentifier> token =
          new Token<RMDelegationTokenIdentifier>();
      token.decodeFromUrlString(tok.getToken());
      assertEquals(renewer, token.decodeIdentifier().getRenewer().toString());
      assertValidRMToken(tok.getToken());
      // Second request: empty DelegationToken entity, so no renewer is named.
      DelegationToken dtoken = new DelegationToken();
      response =
          resource().path("ws").path("v1").path("cluster")
            .path("delegation-token").accept(contentType)
            .entity(dtoken, mediaType).post(ClientResponse.class);
      assertEquals(Status.OK, response.getClientResponseStatus());
      tok = getDelegationTokenFromResponse(response);
      assertFalse(tok.getToken().isEmpty());
      token = new Token<RMDelegationTokenIdentifier>();
      token.decodeFromUrlString(tok.getToken());
      // A token is still issued; its renewer field is the empty string.
      assertEquals("", token.decodeIdentifier().getRenewer().toString());
      assertValidRMToken(tok.getToken());
      return null;
    }
  });
}
 
Example #30
Source File: MemoryRMStateStore.java    From hadoop with Apache License 2.0
/**
 * Removes {@code rmDTIdentifier} from the in-memory token map.
 *
 * <p>Whether the identifier was actually present is not checked; the INFO
 * line is written either way.
 *
 * @param rmDTIdentifier identifier to remove
 * @throws Exception declared by the overridden method
 */
@Override
public synchronized void removeRMDelegationTokenState(
    RMDelegationTokenIdentifier rmDTIdentifier) throws Exception{
  final Map<RMDelegationTokenIdentifier, Long> tokenTable =
      state.rmSecretManagerState.getTokenState();
  tokenTable.remove(rmDTIdentifier);

  final int sequenceNumber = rmDTIdentifier.getSequenceNumber();
  LOG.info("Remove RMDT with sequence number " + sequenceNumber);
}