Java Code Examples for org.apache.hadoop.yarn.security.NMTokenIdentifier

The following examples show how to use org.apache.hadoop.yarn.security.NMTokenIdentifier. These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source Project: hadoop   Source File: BaseNMTokenSecretManager.java    License: Apache License 2.0 6 votes vote down vote up
@Override
protected byte[] createPassword(NMTokenIdentifier identifier) {
  if (LOG.isDebugEnabled()) {
    LOG.debug("creating password for "
        + identifier.getApplicationAttemptId() + " for user "
        + identifier.getApplicationSubmitter() + " to run on NM "
        + identifier.getNodeId());
  }
  readLock.lock();
  try {
    return createPassword(identifier.getBytes(),
        currentMasterKey.getSecretKey());
  } finally {
    readLock.unlock();
  }
}
 
Example 2
Source Project: hadoop   Source File: ContainerManagerImpl.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Stop a list of containers running on this NodeManager.
 */
@Override
public StopContainersResponse stopContainers(StopContainersRequest requests)
    throws YarnException, IOException {

  List<ContainerId> succeededRequests = new ArrayList<ContainerId>();
  Map<ContainerId, SerializedException> failedRequests =
      new HashMap<ContainerId, SerializedException>();
  UserGroupInformation remoteUgi = getRemoteUgi();
  NMTokenIdentifier identifier = selectNMTokenIdentifier(remoteUgi);
  for (ContainerId id : requests.getContainerIds()) {
    try {
      stopContainerInternal(identifier, id);
      succeededRequests.add(id);
    } catch (YarnException e) {
      failedRequests.put(id, SerializedException.newInstance(e));
    }
  }
  return StopContainersResponse
    .newInstance(succeededRequests, failedRequests);
}
 
Example 3
Source Project: hadoop   Source File: ContainerManagerImpl.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Get a list of container statuses running on this NodeManager
 */
@Override
public GetContainerStatusesResponse getContainerStatuses(
    GetContainerStatusesRequest request) throws YarnException, IOException {

  List<ContainerStatus> succeededRequests = new ArrayList<ContainerStatus>();
  Map<ContainerId, SerializedException> failedRequests =
      new HashMap<ContainerId, SerializedException>();
  UserGroupInformation remoteUgi = getRemoteUgi();
  NMTokenIdentifier identifier = selectNMTokenIdentifier(remoteUgi);
  for (ContainerId id : request.getContainerIds()) {
    try {
      ContainerStatus status = getContainerStatusInternal(id, identifier);
      succeededRequests.add(status);
    } catch (YarnException e) {
      failedRequests.put(id, SerializedException.newInstance(e));
    }
  }
  return GetContainerStatusesResponse.newInstance(succeededRequests,
    failedRequests);
}
 
Example 4
Source Project: hadoop   Source File: ContainerManagerImpl.java    License: Apache License 2.0 6 votes vote down vote up
private ContainerStatus getContainerStatusInternal(ContainerId containerID,
    NMTokenIdentifier nmTokenIdentifier) throws YarnException {
  String containerIDStr = containerID.toString();
  Container container = this.context.getContainers().get(containerID);

  LOG.info("Getting container-status for " + containerIDStr);
  authorizeGetAndStopContainerRequest(containerID, container, false,
    nmTokenIdentifier);

  if (container == null) {
    if (nodeStatusUpdater.isContainerRecentlyStopped(containerID)) {
      throw RPCUtil.getRemoteException("Container " + containerIDStr
        + " was recently stopped on node manager.");
    } else {
      throw RPCUtil.getRemoteException("Container " + containerIDStr
        + " is not handled by this NodeManager");
    }
  }
  ContainerStatus containerStatus = container.cloneAndGetContainerStatus();
  LOG.info("Returning " + containerStatus);
  return containerStatus;
}
 
Example 5
Source Project: hadoop   Source File: TestContainerManagerRecovery.java    License: Apache License 2.0 6 votes vote down vote up
private StartContainersResponse startContainer(Context context,
    final ContainerManagerImpl cm, ContainerId cid,
    ContainerLaunchContext clc, LogAggregationContext logAggregationContext)
        throws Exception {
  UserGroupInformation user = UserGroupInformation.createRemoteUser(
      cid.getApplicationAttemptId().toString());
  StartContainerRequest scReq = StartContainerRequest.newInstance(
      clc, TestContainerManager.createContainerToken(cid, 0,
          context.getNodeId(), user.getShortUserName(),
          context.getContainerTokenSecretManager(), logAggregationContext));
  final List<StartContainerRequest> scReqList =
      new ArrayList<StartContainerRequest>();
  scReqList.add(scReq);
  NMTokenIdentifier nmToken = new NMTokenIdentifier(
      cid.getApplicationAttemptId(), context.getNodeId(),
      user.getShortUserName(),
      context.getNMTokenSecretManager().getCurrentKey().getKeyId());
  user.addTokenIdentifier(nmToken);
  return user.doAs(new PrivilegedExceptionAction<StartContainersResponse>() {
    @Override
    public StartContainersResponse run() throws Exception {
      return cm.startContainers(
          StartContainersRequest.newInstance(scReqList));
    }
  });
}
 
Example 6
Source Project: hadoop   Source File: ContainerManagementProtocolProxy.java    License: Apache License 2.0 6 votes vote down vote up
@Private
@VisibleForTesting
protected ContainerManagementProtocol newProxy(final YarnRPC rpc,
    String containerManagerBindAddr, ContainerId containerId, Token token)
    throws InvalidToken {

  if (token == null) {
    throw new InvalidToken("No NMToken sent for "
        + containerManagerBindAddr);
  }
  
  final InetSocketAddress cmAddr =
      NetUtils.createSocketAddr(containerManagerBindAddr);
  LOG.info("Opening proxy : " + containerManagerBindAddr);
  // the user in createRemoteUser in this context has to be ContainerID
  UserGroupInformation user =
      UserGroupInformation.createRemoteUser(containerId
          .getApplicationAttemptId().toString());

  org.apache.hadoop.security.token.Token<NMTokenIdentifier> nmToken =
      ConverterUtils.convertFromYarn(token, cmAddr);
  user.addToken(nmToken);

  return NMProxy.createNMProxy(conf, ContainerManagementProtocol.class,
    user, rpc, cmAddr);
}
 
Example 7
Source Project: big-c   Source File: BaseNMTokenSecretManager.java    License: Apache License 2.0 6 votes vote down vote up
@Override
protected byte[] createPassword(NMTokenIdentifier identifier) {
  if (LOG.isDebugEnabled()) {
    LOG.debug("creating password for "
        + identifier.getApplicationAttemptId() + " for user "
        + identifier.getApplicationSubmitter() + " to run on NM "
        + identifier.getNodeId());
  }
  readLock.lock();
  try {
    return createPassword(identifier.getBytes(),
        currentMasterKey.getSecretKey());
  } finally {
    readLock.unlock();
  }
}
 
Example 8
Source Project: big-c   Source File: ContainerManagerImpl.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Stop a list of containers running on this NodeManager.
 */
@Override
public StopContainersResponse stopContainers(StopContainersRequest requests)
    throws YarnException, IOException {

  List<ContainerId> succeededRequests = new ArrayList<ContainerId>();
  Map<ContainerId, SerializedException> failedRequests =
      new HashMap<ContainerId, SerializedException>();
  UserGroupInformation remoteUgi = getRemoteUgi();
  NMTokenIdentifier identifier = selectNMTokenIdentifier(remoteUgi);
  for (ContainerId id : requests.getContainerIds()) {
    try {
      stopContainerInternal(identifier, id);
      succeededRequests.add(id);
    } catch (YarnException e) {
      failedRequests.put(id, SerializedException.newInstance(e));
    }
  }
  return StopContainersResponse
    .newInstance(succeededRequests, failedRequests);
}
 
Example 9
Source Project: big-c   Source File: ContainerManagerImpl.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Get a list of container statuses running on this NodeManager
 */
@Override
public GetContainerStatusesResponse getContainerStatuses(
    GetContainerStatusesRequest request) throws YarnException, IOException {

  List<ContainerStatus> succeededRequests = new ArrayList<ContainerStatus>();
  Map<ContainerId, SerializedException> failedRequests =
      new HashMap<ContainerId, SerializedException>();
  UserGroupInformation remoteUgi = getRemoteUgi();
  NMTokenIdentifier identifier = selectNMTokenIdentifier(remoteUgi);
  for (ContainerId id : request.getContainerIds()) {
    try {
      ContainerStatus status = getContainerStatusInternal(id, identifier);
      succeededRequests.add(status);
    } catch (YarnException e) {
      failedRequests.put(id, SerializedException.newInstance(e));
    }
  }
  return GetContainerStatusesResponse.newInstance(succeededRequests,
    failedRequests);
}
 
Example 10
Source Project: big-c   Source File: ContainerManagerImpl.java    License: Apache License 2.0 6 votes vote down vote up
private ContainerStatus getContainerStatusInternal(ContainerId containerID,
    NMTokenIdentifier nmTokenIdentifier) throws YarnException {
  String containerIDStr = containerID.toString();
  Container container = this.context.getContainers().get(containerID);

  LOG.info("Getting container-status for " + containerIDStr);
  authorizeGetAndStopContainerRequest(containerID, container, false,
    nmTokenIdentifier);

  if (container == null) {
    if (nodeStatusUpdater.isContainerRecentlyStopped(containerID)) {
      throw RPCUtil.getRemoteException("Container " + containerIDStr
        + " was recently stopped on node manager.");
    } else {
      throw RPCUtil.getRemoteException("Container " + containerIDStr
        + " is not handled by this NodeManager");
    }
  }
  ContainerStatus containerStatus = container.cloneAndGetContainerStatus();
  LOG.info("Returning " + containerStatus);
  return containerStatus;
}
 
Example 11
Source Project: big-c   Source File: TestContainerManagerRecovery.java    License: Apache License 2.0 6 votes vote down vote up
private StartContainersResponse startContainer(Context context,
    final ContainerManagerImpl cm, ContainerId cid,
    ContainerLaunchContext clc, LogAggregationContext logAggregationContext)
        throws Exception {
  UserGroupInformation user = UserGroupInformation.createRemoteUser(
      cid.getApplicationAttemptId().toString());
  StartContainerRequest scReq = StartContainerRequest.newInstance(
      clc, TestContainerManager.createContainerToken(cid, 0,
          context.getNodeId(), user.getShortUserName(),
          context.getContainerTokenSecretManager(), logAggregationContext));
  final List<StartContainerRequest> scReqList =
      new ArrayList<StartContainerRequest>();
  scReqList.add(scReq);
  NMTokenIdentifier nmToken = new NMTokenIdentifier(
      cid.getApplicationAttemptId(), context.getNodeId(),
      user.getShortUserName(),
      context.getNMTokenSecretManager().getCurrentKey().getKeyId());
  user.addTokenIdentifier(nmToken);
  return user.doAs(new PrivilegedExceptionAction<StartContainersResponse>() {
    @Override
    public StartContainersResponse run() throws Exception {
      return cm.startContainers(
          StartContainersRequest.newInstance(scReqList));
    }
  });
}
 
Example 12
Source Project: big-c   Source File: ContainerManagementProtocolProxy.java    License: Apache License 2.0 6 votes vote down vote up
@Private
@VisibleForTesting
protected ContainerManagementProtocol newProxy(final YarnRPC rpc,
    String containerManagerBindAddr, ContainerId containerId, Token token)
    throws InvalidToken {

  if (token == null) {
    throw new InvalidToken("No NMToken sent for "
        + containerManagerBindAddr);
  }
  
  final InetSocketAddress cmAddr =
      NetUtils.createSocketAddr(containerManagerBindAddr);
  LOG.info("Opening proxy : " + containerManagerBindAddr);
  // the user in createRemoteUser in this context has to be ContainerID
  UserGroupInformation user =
      UserGroupInformation.createRemoteUser(containerId
          .getApplicationAttemptId().toString());

  org.apache.hadoop.security.token.Token<NMTokenIdentifier> nmToken =
      ConverterUtils.convertFromYarn(token, cmAddr);
  user.addToken(nmToken);

  return NMProxy.createNMProxy(conf, ContainerManagementProtocol.class,
    user, rpc, cmAddr);
}
 
Example 13
Source Project: hadoop   Source File: BaseNMTokenSecretManager.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public byte[] retrievePassword(NMTokenIdentifier identifier)
    throws org.apache.hadoop.security.token.SecretManager.InvalidToken {
  readLock.lock();
  try {
    return retrivePasswordInternal(identifier, currentMasterKey);
  } finally {
    readLock.unlock();
  }
}
 
Example 14
Source Project: hadoop   Source File: BaseNMTokenSecretManager.java    License: Apache License 2.0 5 votes vote down vote up
protected byte[] retrivePasswordInternal(NMTokenIdentifier identifier,
    MasterKeyData masterKey) {
  if (LOG.isDebugEnabled()) {
    LOG.debug("creating password for "
        + identifier.getApplicationAttemptId() + " for user "
        + identifier.getApplicationSubmitter() + " to run on NM "
        + identifier.getNodeId());
  }
  return createPassword(identifier.getBytes(), masterKey.getSecretKey());
}
 
Example 15
Source Project: hadoop   Source File: BaseNMTokenSecretManager.java    License: Apache License 2.0 5 votes vote down vote up
public static Token newInstance(byte[] password,
    NMTokenIdentifier identifier) {
  NodeId nodeId = identifier.getNodeId();
  // RPC layer client expects ip:port as service for tokens
  InetSocketAddress addr =
      NetUtils.createSocketAddrForHost(nodeId.getHost(), nodeId.getPort());
  Token nmToken =
      Token.newInstance(identifier.getBytes(),
        NMTokenIdentifier.KIND.toString(), password, SecurityUtil
          .buildTokenService(addr).toString());
  return nmToken;
}
 
Example 16
Source Project: hadoop   Source File: NMTokenIdentifierNewForTest.java    License: Apache License 2.0 5 votes vote down vote up
public NMTokenIdentifierNewForTest(NMTokenIdentifier tokenIdentifier, 
    String message) {
  builder = NMTokenIdentifierNewProto.newBuilder();
  builder.setAppAttemptId(tokenIdentifier.getProto().getAppAttemptId());
  builder.setNodeId(tokenIdentifier.getProto().getNodeId());
  builder.setAppSubmitter(tokenIdentifier.getApplicationSubmitter());
  builder.setKeyId(tokenIdentifier.getKeyId());
  builder.setMessage(message);
  proto = builder.build();
  builder = null;
}
 
Example 17
Source Project: hadoop   Source File: NMTokenSecretManagerInNM.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * This method will be used to verify NMTokens generated by different master
 * keys.
 */
@Override
public synchronized byte[] retrievePassword(NMTokenIdentifier identifier)
    throws InvalidToken {
  int keyId = identifier.getKeyId();
  ApplicationAttemptId appAttemptId = identifier.getApplicationAttemptId();

  /*
   * MasterKey used for retrieving password will be as follows. 1) By default
   * older saved master key will be used. 2) If identifier's master key id
   * matches that of previous master key id then previous key will be used. 3)
   * If identifier's master key id matches that of current master key id then
   * current key will be used.
   */
  MasterKeyData oldMasterKey = oldMasterKeys.get(appAttemptId);
  MasterKeyData masterKeyToUse = oldMasterKey;
  if (previousMasterKey != null
      && keyId == previousMasterKey.getMasterKey().getKeyId()) {
    masterKeyToUse = previousMasterKey;
  } else if (keyId == currentMasterKey.getMasterKey().getKeyId()) {
    masterKeyToUse = currentMasterKey;
  }
  
  if (nodeId != null && !identifier.getNodeId().equals(nodeId)) {
    throw new InvalidToken("Given NMToken for application : "
        + appAttemptId.toString() + " is not valid for current node manager."
        + "expected : " + nodeId.toString() + " found : "
        + identifier.getNodeId().toString());
  }
  
  if (masterKeyToUse != null) {
    byte[] password = retrivePasswordInternal(identifier, masterKeyToUse);
    LOG.debug("NMToken password retrieved successfully!!");
    return password;
  }

  throw new InvalidToken("Given NMToken for application : "
      + appAttemptId.toString() + " seems to have been generated illegally.");
}
 
Example 18
Source Project: hadoop   Source File: NMTokenSecretManagerInNM.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * This will be called by startContainer. It will add the master key into
 * the cache used for starting this container. This should be called before
 * validating the startContainer request.
 */
public synchronized void appAttemptStartContainer(
    NMTokenIdentifier identifier)
    throws org.apache.hadoop.security.token.SecretManager.InvalidToken {
  ApplicationAttemptId appAttemptId = identifier.getApplicationAttemptId();
  if (!appToAppAttemptMap.containsKey(appAttemptId.getApplicationId())) {
    // First application attempt for the given application
    appToAppAttemptMap.put(appAttemptId.getApplicationId(),
      new ArrayList<ApplicationAttemptId>());
  }
  MasterKeyData oldKey = oldMasterKeys.get(appAttemptId);

  if (oldKey == null) {
    // This is a new application attempt.
    appToAppAttemptMap.get(appAttemptId.getApplicationId()).add(appAttemptId);
  }
  if (oldKey == null
      || oldKey.getMasterKey().getKeyId() != identifier.getKeyId()) {
    // Update key only if it is modified.
    LOG.debug("NMToken key updated for application attempt : "
        + identifier.getApplicationAttemptId().toString());
    if (identifier.getKeyId() == currentMasterKey.getMasterKey()
      .getKeyId()) {
      updateAppAttemptKey(appAttemptId, currentMasterKey);
    } else if (previousMasterKey != null
        && identifier.getKeyId() == previousMasterKey.getMasterKey()
          .getKeyId()) {
      updateAppAttemptKey(appAttemptId, previousMasterKey);
    } else {
      throw new InvalidToken(
        "Older NMToken should not be used while starting the container.");
    }
  }
}
 
Example 19
Source Project: hadoop   Source File: ContainerManagerImpl.java    License: Apache License 2.0 5 votes vote down vote up
protected void authorizeUser(UserGroupInformation remoteUgi,
    NMTokenIdentifier nmTokenIdentifier) throws YarnException {
  if (!remoteUgi.getUserName().equals(
    nmTokenIdentifier.getApplicationAttemptId().toString())) {
    throw RPCUtil.getRemoteException("Expected applicationAttemptId: "
        + remoteUgi.getUserName() + "Found: "
        + nmTokenIdentifier.getApplicationAttemptId());
  }
}
 
Example 20
Source Project: hadoop   Source File: ContainerManagerImpl.java    License: Apache License 2.0 5 votes vote down vote up
@Private
@VisibleForTesting
protected void updateNMTokenIdentifier(NMTokenIdentifier nmTokenIdentifier)
    throws InvalidToken {
  context.getNMTokenSecretManager().appAttemptStartContainer(
    nmTokenIdentifier);
}
 
Example 21
Source Project: hadoop   Source File: ContainerManagerImpl.java    License: Apache License 2.0 5 votes vote down vote up
@SuppressWarnings("unchecked")
private void stopContainerInternal(NMTokenIdentifier nmTokenIdentifier,
    ContainerId containerID) throws YarnException, IOException {
  String containerIDStr = containerID.toString();
  Container container = this.context.getContainers().get(containerID);
  LOG.info("Stopping container with container Id: " + containerIDStr);
  authorizeGetAndStopContainerRequest(containerID, container, true,
    nmTokenIdentifier);

  if (container == null) {
    if (!nodeStatusUpdater.isContainerRecentlyStopped(containerID)) {
      throw RPCUtil.getRemoteException("Container " + containerIDStr
        + " is not handled by this NodeManager");
    }
  } else {
    context.getNMStateStore().storeContainerKilled(containerID);
    dispatcher.getEventHandler().handle(
      new ContainerKillEvent(containerID,
          ContainerExitStatus.KILLED_BY_APPMASTER,
          "Container killed by the ApplicationMaster."));

    NMAuditLogger.logSuccess(container.getUser(),    
      AuditConstants.STOP_CONTAINER, "ContainerManageImpl", containerID
        .getApplicationAttemptId().getApplicationId(), containerID);

    // TODO: Move this code to appropriate place once kill_container is
    // implemented.
    nodeStatusUpdater.sendOutofBandHeartBeat();
  }
}
 
Example 22
Source Project: hadoop   Source File: ContainerManagerImpl.java    License: Apache License 2.0 5 votes vote down vote up
@Private
@VisibleForTesting
protected void authorizeGetAndStopContainerRequest(ContainerId containerId,
    Container container, boolean stopRequest, NMTokenIdentifier identifier)
    throws YarnException {
  /*
   * For get/stop container status; we need to verify that 1) User (NMToken)
   * application attempt only has started container. 2) Requested containerId
   * belongs to the same application attempt (NMToken) which was used. (Note:-
   * This will prevent user in knowing another application's containers).
   */
  ApplicationId nmTokenAppId =
      identifier.getApplicationAttemptId().getApplicationId();
  
  if ((!nmTokenAppId.equals(containerId.getApplicationAttemptId().getApplicationId()))
      || (container != null && !nmTokenAppId.equals(container
          .getContainerId().getApplicationAttemptId().getApplicationId()))) {
    if (stopRequest) {
      LOG.warn(identifier.getApplicationAttemptId()
          + " attempted to stop non-application container : "
          + container.getContainerId());
      NMAuditLogger.logFailure("UnknownUser", AuditConstants.STOP_CONTAINER,
        "ContainerManagerImpl", "Trying to stop unknown container!",
        nmTokenAppId, container.getContainerId());
    } else {
      LOG.warn(identifier.getApplicationAttemptId()
          + " attempted to get status for non-application container : "
          + container.getContainerId());
    }
  }
}
 
Example 23
Source Project: hadoop   Source File: TestContainerManager.java    License: Apache License 2.0 5 votes vote down vote up
@Override
protected ContainerManagerImpl
    createContainerManager(DeletionService delSrvc) {
  return new ContainerManagerImpl(context, exec, delSrvc, nodeStatusUpdater,
    metrics, new ApplicationACLsManager(conf), dirsHandler) {
    @Override
    public void
        setBlockNewContainerRequests(boolean blockNewContainerRequests) {
      // do nothing
    }

    @Override
    protected UserGroupInformation getRemoteUgi() throws YarnException {
      ApplicationId appId = ApplicationId.newInstance(0, 0);
      ApplicationAttemptId appAttemptId =
          ApplicationAttemptId.newInstance(appId, 1);
      UserGroupInformation ugi =
          UserGroupInformation.createRemoteUser(appAttemptId.toString());
      ugi.addTokenIdentifier(new NMTokenIdentifier(appAttemptId, context
        .getNodeId(), user, context.getNMTokenSecretManager().getCurrentKey()
        .getKeyId()));
      return ugi;
    }

    @Override
    protected void authorizeGetAndStopContainerRequest(ContainerId containerId,
        Container container, boolean stopRequest, NMTokenIdentifier identifier) throws YarnException {
      if(container == null || container.getUser().equals("Fail")){
        throw new YarnException("Reject this container");
      }
    }
  };
}
 
Example 24
Source Project: hadoop   Source File: DummyContainerManager.java    License: Apache License 2.0 5 votes vote down vote up
@Override
protected UserGroupInformation getRemoteUgi() throws YarnException {
  ApplicationId appId = ApplicationId.newInstance(0, 0);
  ApplicationAttemptId appAttemptId =
      ApplicationAttemptId.newInstance(appId, 1);
  UserGroupInformation ugi =
      UserGroupInformation.createRemoteUser(appAttemptId.toString());
  ugi.addTokenIdentifier(new NMTokenIdentifier(appAttemptId, getContext()
    .getNodeId(), "testuser", getContext().getNMTokenSecretManager().getCurrentKey()
    .getKeyId()));
  return ugi;
}
 
Example 25
Source Project: big-c   Source File: BaseNMTokenSecretManager.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public byte[] retrievePassword(NMTokenIdentifier identifier)
    throws org.apache.hadoop.security.token.SecretManager.InvalidToken {
  readLock.lock();
  try {
    return retrivePasswordInternal(identifier, currentMasterKey);
  } finally {
    readLock.unlock();
  }
}
 
Example 26
Source Project: big-c   Source File: BaseNMTokenSecretManager.java    License: Apache License 2.0 5 votes vote down vote up
protected byte[] retrivePasswordInternal(NMTokenIdentifier identifier,
    MasterKeyData masterKey) {
  if (LOG.isDebugEnabled()) {
    LOG.debug("creating password for "
        + identifier.getApplicationAttemptId() + " for user "
        + identifier.getApplicationSubmitter() + " to run on NM "
        + identifier.getNodeId());
  }
  return createPassword(identifier.getBytes(), masterKey.getSecretKey());
}
 
Example 27
Source Project: big-c   Source File: BaseNMTokenSecretManager.java    License: Apache License 2.0 5 votes vote down vote up
public static Token newInstance(byte[] password,
    NMTokenIdentifier identifier) {
  NodeId nodeId = identifier.getNodeId();
  // RPC layer client expects ip:port as service for tokens
  InetSocketAddress addr =
      NetUtils.createSocketAddrForHost(nodeId.getHost(), nodeId.getPort());
  Token nmToken =
      Token.newInstance(identifier.getBytes(),
        NMTokenIdentifier.KIND.toString(), password, SecurityUtil
          .buildTokenService(addr).toString());
  return nmToken;
}
 
Example 28
Source Project: big-c   Source File: NMTokenIdentifierNewForTest.java    License: Apache License 2.0 5 votes vote down vote up
public NMTokenIdentifierNewForTest(NMTokenIdentifier tokenIdentifier, 
    String message) {
  builder = NMTokenIdentifierNewProto.newBuilder();
  builder.setAppAttemptId(tokenIdentifier.getProto().getAppAttemptId());
  builder.setNodeId(tokenIdentifier.getProto().getNodeId());
  builder.setAppSubmitter(tokenIdentifier.getApplicationSubmitter());
  builder.setKeyId(tokenIdentifier.getKeyId());
  builder.setMessage(message);
  proto = builder.build();
  builder = null;
}
 
Example 29
Source Project: big-c   Source File: NMTokenSecretManagerInNM.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * This method will be used to verify NMTokens generated by different master
 * keys.
 */
@Override
public synchronized byte[] retrievePassword(NMTokenIdentifier identifier)
    throws InvalidToken {
  int keyId = identifier.getKeyId();
  ApplicationAttemptId appAttemptId = identifier.getApplicationAttemptId();

  /*
   * MasterKey used for retrieving password will be as follows. 1) By default
   * older saved master key will be used. 2) If identifier's master key id
   * matches that of previous master key id then previous key will be used. 3)
   * If identifier's master key id matches that of current master key id then
   * current key will be used.
   */
  MasterKeyData oldMasterKey = oldMasterKeys.get(appAttemptId);
  MasterKeyData masterKeyToUse = oldMasterKey;
  if (previousMasterKey != null
      && keyId == previousMasterKey.getMasterKey().getKeyId()) {
    masterKeyToUse = previousMasterKey;
  } else if (keyId == currentMasterKey.getMasterKey().getKeyId()) {
    masterKeyToUse = currentMasterKey;
  }
  
  if (nodeId != null && !identifier.getNodeId().equals(nodeId)) {
    throw new InvalidToken("Given NMToken for application : "
        + appAttemptId.toString() + " is not valid for current node manager."
        + "expected : " + nodeId.toString() + " found : "
        + identifier.getNodeId().toString());
  }
  
  if (masterKeyToUse != null) {
    byte[] password = retrivePasswordInternal(identifier, masterKeyToUse);
    LOG.debug("NMToken password retrieved successfully!!");
    return password;
  }

  throw new InvalidToken("Given NMToken for application : "
      + appAttemptId.toString() + " seems to have been generated illegally.");
}
 
Example 30
Source Project: big-c   Source File: NMTokenSecretManagerInNM.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * This will be called by startContainer. It will add the master key into
 * the cache used for starting this container. This should be called before
 * validating the startContainer request.
 */
public synchronized void appAttemptStartContainer(
    NMTokenIdentifier identifier)
    throws org.apache.hadoop.security.token.SecretManager.InvalidToken {
  ApplicationAttemptId appAttemptId = identifier.getApplicationAttemptId();
  if (!appToAppAttemptMap.containsKey(appAttemptId.getApplicationId())) {
    // First application attempt for the given application
    appToAppAttemptMap.put(appAttemptId.getApplicationId(),
      new ArrayList<ApplicationAttemptId>());
  }
  MasterKeyData oldKey = oldMasterKeys.get(appAttemptId);

  if (oldKey == null) {
    // This is a new application attempt.
    appToAppAttemptMap.get(appAttemptId.getApplicationId()).add(appAttemptId);
  }
  if (oldKey == null
      || oldKey.getMasterKey().getKeyId() != identifier.getKeyId()) {
    // Update key only if it is modified.
    LOG.debug("NMToken key updated for application attempt : "
        + identifier.getApplicationAttemptId().toString());
    if (identifier.getKeyId() == currentMasterKey.getMasterKey()
      .getKeyId()) {
      updateAppAttemptKey(appAttemptId, currentMasterKey);
    } else if (previousMasterKey != null
        && identifier.getKeyId() == previousMasterKey.getMasterKey()
          .getKeyId()) {
      updateAppAttemptKey(appAttemptId, previousMasterKey);
    } else {
      throw new InvalidToken(
        "Older NMToken should not be used while starting the container.");
    }
  }
}