org.apache.hadoop.security.token.SecretManager.InvalidToken Java Examples

The following examples show how to use org.apache.hadoop.security.token.SecretManager.InvalidToken. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: ContainerManagerImpl.java    From hadoop with Apache License 2.0 6 votes vote down vote up
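/**
 * Checks that the password carried by the presented container token matches
 * the password the container-token secret manager returns for the given
 * identifier.
 *
 * @param token container token presented by the caller
 * @param containerTokenIdentifier identifier whose password is looked up
 * @return {@code containerTokenIdentifier}, unchanged, when the passwords match
 * @throws InvalidToken if either password is missing or the two differ
 * @throws YarnException declared by the signature; not thrown directly here
 */
protected ContainerTokenIdentifier verifyAndGetContainerTokenIdentifier(
    org.apache.hadoop.yarn.api.records.Token token,
    ContainerTokenIdentifier containerTokenIdentifier) throws YarnException,
    InvalidToken {
  byte[] password =
      context.getContainerTokenSecretManager().retrievePassword(
        containerTokenIdentifier);
  // NOTE(review): array() returns the buffer's whole backing array; this
  // assumes the password fills it (no offset or limit) - confirm.
  byte[] tokenPass = token.getPassword().array();
  // Compare with MessageDigest.isEqual rather than Arrays.equals: it does not
  // stop at the first differing byte, so the time taken to reject a token
  // does not reveal how much of the presented password was correct.
  if (password == null || tokenPass == null
      || !java.security.MessageDigest.isEqual(password, tokenPass)) {
    throw new InvalidToken(
      "Invalid container token used for starting container on : "
          + context.getNodeId().toString());
  }
  return containerTokenIdentifier;
}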
 
Example #2
Source File: DFSInputStream.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Decides whether an exception from a datanode means the block access token
 * should be fetched again before retrying.
 *
 * <p>A refetch and retry is needed in two cases: (1) both NN and DN
 * restarted while the DFSClient was holding a cached access token; (2) the
 * NN missed its access-key update interval by a wide margin and then
 * restarted, so the DN re-registered and received a new key after having
 * dropped the old one as expired.
 *
 * @param ex exception received
 * @param targetAddr address of the datanode the exception came from
 * @return true if the exception reports an expired or invalid block access
 *         token, false otherwise
 */
private static boolean tokenRefetchNeeded(IOException ex,
    InetSocketAddress targetAddr) {
  final boolean tokenRejected =
      ex instanceof InvalidBlockTokenException || ex instanceof InvalidToken;
  if (!tokenRejected) {
    return false;
  }
  // Logged at INFO: the caller is told to refetch, so this is a recoverable
  // condition rather than an error.
  DFSClient.LOG.info("Access token was invalid when connecting to "
      + targetAddr + " : " + ex);
  return true;
}
 
Example #3
Source File: TestEnhancedByteBufferAccess.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Compares the cache counters handed to the visitor with the expected values.
 * An expected value below zero switches the corresponding check off.
 * {@code failedLoads} is not inspected.
 */
@Override
public void visit(int numOutstandingMmaps,
    Map<ExtendedBlockId, ShortCircuitReplica> replicas,
    Map<ExtendedBlockId, InvalidToken> failedLoads,
    Map<Long, ShortCircuitReplica> evictable,
    Map<Long, ShortCircuitReplica> evictableMmapped) {
  final boolean checkMmaps = expectedNumOutstandingMmaps >= 0;
  final boolean checkReplicas = expectedNumReplicas >= 0;
  final boolean checkEvictable = expectedNumEvictable >= 0;
  final boolean checkMmapedEvictable = expectedNumMmapedEvictable >= 0;

  if (checkMmaps) {
    Assert.assertEquals(expectedNumOutstandingMmaps, numOutstandingMmaps);
  }
  if (checkReplicas) {
    Assert.assertEquals(expectedNumReplicas, replicas.size());
  }
  if (checkEvictable) {
    Assert.assertEquals(expectedNumEvictable, evictable.size());
  }
  if (checkMmapedEvictable) {
    Assert.assertEquals(expectedNumMmapedEvictable, evictableMmapped.size());
  }
}
 
Example #4
Source File: DFSInputStream.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Tells the caller whether the block access token should be refetched after
 * the given exception.
 *
 * @param ex exception received
 * @param targetAddr datanode address the exception was received from
 * @return true when the exception says the block access token has expired or
 *         is invalid, so a new one should be fetched; false otherwise
 */
private static boolean tokenRefetchNeeded(IOException ex,
    InetSocketAddress targetAddr) {
  // Anything other than a token rejection is not cured by a new token.
  if (!(ex instanceof InvalidBlockTokenException)
      && !(ex instanceof InvalidToken)) {
    return false;
  }
  /*
   * Fetch a new access token and retry. Two situations lead here:
   * 1) NN and DN both restarted while the DFSClient held a cached token.
   * 2) NN missed its pre-set access-key update interval by a wide margin and
   *    then restarted. The DN re-registers and receives a new access key,
   *    having already deleted the old key from memory because its estimated
   *    expiration date had passed.
   */
  DFSClient.LOG.info("Access token was invalid when connecting to "
      + targetAddr + " : " + ex);
  return true;
}
 
Example #5
Source File: TestDelegationToken.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Cancelling is refused for "FakeCanceller", succeeds for "JobTracker", and a
 * cancelled token can no longer be renewed.
 */
@Test
public void testCancelDelegationToken() throws Exception {
  Token<DelegationTokenIdentifier> token = generateDelegationToken(
      "SomeUser", "JobTracker");

  // "FakeCanceller" is not the "JobTracker" named when the token was
  // generated, so its cancel request must be rejected.
  boolean cancelRejected = false;
  try {
    dtSecretManager.cancelToken(token, "FakeCanceller");
  } catch (AccessControlException expected) {
    cancelRejected = true;
  }
  if (!cancelRejected) {
    Assert.fail("should have failed");
  }

  dtSecretManager.cancelToken(token, "JobTracker");

  // Once cancelled, the token must be reported as invalid on renewal.
  boolean renewRejected = false;
  try {
    dtSecretManager.renewToken(token, "JobTracker");
  } catch (InvalidToken expected) {
    renewRejected = true;
  }
  if (!renewRejected) {
    Assert.fail("should have failed");
  }
}
 
Example #6
Source File: TestSaslRPC.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * A digest RPC against a server backed by {@code BadTokenSecretManager} must
 * fail with a RemoteException that carries {@code ERROR_MESSAGE} and unwraps
 * to InvalidToken.
 */
@Test
public void testErrorMessage() throws Exception {
  BadTokenSecretManager sm = new BadTokenSecretManager();
  final Server server = new RPC.Builder(conf)
      .setProtocol(TestSaslProtocol.class)
      .setInstance(new TestSaslImpl())
      .setBindAddress(ADDRESS)
      .setPort(0)
      .setNumHandlers(5)
      .setVerbose(true)
      .setSecretManager(sm)
      .build();

  RemoteException remote = null;
  try {
    doDigestRpc(server, sm);
  } catch (RemoteException e) {
    remote = e;
  }
  if (remote != null) {
    LOG.info("LOGGING MESSAGE: " + remote.getLocalizedMessage());
    assertEquals(ERROR_MESSAGE, remote.getLocalizedMessage());
    assertTrue(remote.unwrapRemoteException() instanceof InvalidToken);
  }
  // The call succeeding is itself a failure of this test.
  assertTrue(remote != null);
}
 
Example #7
Source File: TestDelegationToken.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Exercises cancellation: a cancel by "FakeCanceller" is denied, a cancel by
 * "JobTracker" goes through, and renewing the cancelled token then fails.
 */
@Test
public void testCancelDelegationToken() throws Exception {
  Token<DelegationTokenIdentifier> token = generateDelegationToken(
      "SomeUser", "JobTracker");

  // A canceller other than "JobTracker" must get AccessControlException.
  boolean deniedForStranger = false;
  try {
    dtSecretManager.cancelToken(token, "FakeCanceller");
  } catch (AccessControlException expected) {
    deniedForStranger = true;
  }
  if (!deniedForStranger) {
    Assert.fail("should have failed");
  }

  dtSecretManager.cancelToken(token, "JobTracker");

  // Renewal after cancellation must surface InvalidToken.
  boolean invalidAfterCancel = false;
  try {
    dtSecretManager.renewToken(token, "JobTracker");
  } catch (InvalidToken expected) {
    invalidAfterCancel = true;
  }
  if (!invalidAfterCancel) {
    Assert.fail("should have failed");
  }
}
 
Example #8
Source File: ContainerManagementProtocolProxy.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Builds a ContainerManagementProtocol proxy for the given bind address,
 * acting as a remote user that carries the supplied NM token.
 *
 * @param rpc RPC implementation handed to the proxy factory
 * @param containerManagerBindAddr address of the container manager
 * @param containerId container whose application attempt id names the user
 * @param token NM token to attach; must not be null
 * @return the proxy created by {@code NMProxy.createNMProxy}
 * @throws InvalidToken if {@code token} is null
 */
@Private
@VisibleForTesting
protected ContainerManagementProtocol newProxy(final YarnRPC rpc,
    String containerManagerBindAddr, ContainerId containerId, Token token)
    throws InvalidToken {

  // Refuse to open a proxy that would have no token to present.
  if (token == null) {
    throw new InvalidToken("No NMToken sent for "
        + containerManagerBindAddr);
  }

  final InetSocketAddress nodeManagerAddr =
      NetUtils.createSocketAddr(containerManagerBindAddr);
  LOG.info("Opening proxy : " + containerManagerBindAddr);

  // The remote user is named after the container's application attempt id.
  final String attemptName =
      containerId.getApplicationAttemptId().toString();
  UserGroupInformation user =
      UserGroupInformation.createRemoteUser(attemptName);

  // Convert the YARN token for this address and attach it to the user.
  org.apache.hadoop.security.token.Token<NMTokenIdentifier> nmToken =
      ConverterUtils.convertFromYarn(token, nodeManagerAddr);
  user.addToken(nmToken);

  return NMProxy.createNMProxy(conf, ContainerManagementProtocol.class,
    user, rpc, nodeManagerAddr);
}
 
Example #9
Source File: Server.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Maps the authorized id to a UserGroupInformation.
 *
 * <p>For TOKEN authentication the id is decoded into a token identifier and
 * the user comes from that identifier; for every other method a remote user
 * is created directly from the id.
 *
 * @param authorizedId the authorized id to resolve
 * @return the resolved user
 * @throws InvalidToken if the identifier cannot be obtained from the id
 * @throws AccessControlException if the identifier yields no user
 */
private UserGroupInformation getAuthorizedUgi(String authorizedId)
    throws InvalidToken, AccessControlException {
  if (authMethod != AuthMethod.TOKEN) {
    return UserGroupInformation.createRemoteUser(authorizedId, authMethod);
  }

  TokenIdentifier tokenId = SaslRpcServer.getIdentifier(authorizedId,
      secretManager);
  UserGroupInformation ugi = tokenId.getUser();
  // An identifier without a user cannot be authorized as anyone.
  if (ugi == null) {
    throw new AccessControlException(
        "Can't retrieve username from tokenIdentifier.");
  }
  ugi.addTokenIdentifier(tokenId);
  return ugi;
}
 
Example #10
Source File: TestRMWebServicesDelegationTokens.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Asserts that the URL-encoded token is cancelled: verifying it raises
 * InvalidToken and the RM delegation-token secret manager no longer lists
 * its identifier.
 *
 * @param encodedToken token in URL-string form
 */
private void assertTokenCancelled(String encodedToken) throws Exception {
  Token<RMDelegationTokenIdentifier> decoded =
      new Token<RMDelegationTokenIdentifier>();
  decoded.decodeFromUrlString(encodedToken);
  RMDelegationTokenIdentifier tokenId = rm.getRMContext()
    .getRMDelegationTokenSecretManager().decodeTokenIdentifier(decoded);

  boolean rejected;
  try {
    rm.getRMContext().getRMDelegationTokenSecretManager()
      .verifyToken(tokenId, decoded.getPassword());
    rejected = false;
  } catch (InvalidToken expected) {
    rejected = true;
  }
  assertTrue("InvalidToken exception not thrown", rejected);

  // Cancellation must also have removed the token from the manager's store.
  assertFalse(rm.getRMContext().getRMDelegationTokenSecretManager()
    .getAllTokens().containsKey(tokenId));
}
 
Example #11
Source File: Server.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Walks the cause chain of {@code e} and returns the first exception that
 * explains the failure.
 *
 * @param e the exception to inspect
 * @return the first RetriableException or StandbyException in the chain; for
 *         the first InvalidToken, its cause when set, else the InvalidToken
 *         itself; {@code e} when the chain holds none of these
 */
private Throwable getCauseForInvalidToken(IOException e) {
  for (Throwable link = e; link != null; link = link.getCause()) {
    if (link instanceof RetriableException
        || link instanceof StandbyException) {
      return link;
    }
    if (link instanceof InvalidToken) {
      // FIXME: hadoop method signatures restrict the SASL callbacks to
      // throwing InvalidToken only, yet some services must raise other
      // exceptions (e.g. NN + StandbyException). Until that changes the
      // real exception is tunnelled as the InvalidToken's cause, which is
      // normally unset.
      Throwable tunnelled = link.getCause();
      return tunnelled != null ? tunnelled : link;
    }
  }
  return e;
}
 
Example #12
Source File: TestRMWebServicesDelegationTokens.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Verifies that a token given in URL-string form has been cancelled: the
 * secret manager must reject it with InvalidToken and must no longer hold
 * its identifier.
 *
 * @param encodedToken the token, URL-string encoded
 */
private void assertTokenCancelled(String encodedToken) throws Exception {
  Token<RMDelegationTokenIdentifier> cancelledToken =
      new Token<RMDelegationTokenIdentifier>();
  cancelledToken.decodeFromUrlString(encodedToken);
  RMDelegationTokenIdentifier identifier = rm.getRMContext()
    .getRMDelegationTokenSecretManager()
    .decodeTokenIdentifier(cancelledToken);

  boolean sawInvalidToken;
  try {
    rm.getRMContext().getRMDelegationTokenSecretManager()
      .verifyToken(identifier, cancelledToken.getPassword());
    sawInvalidToken = false;
  } catch (InvalidToken expected) {
    sawInvalidToken = true;
  }
  assertTrue("InvalidToken exception not thrown", sawInvalidToken);

  // The identifier must be gone from the set of tokens the manager tracks.
  assertFalse(rm.getRMContext().getRMDelegationTokenSecretManager()
    .getAllTokens().containsKey(identifier));
}
 
Example #13
Source File: TestDelegationTokenRenewer.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Test renewer: records the renewal and returns the next expiry time.
 *
 * @param t token to renew
 * @param conf unused here
 * @return now + 3 s for tokens that are not MyToken; now + 2 s for the token
 *         held in {@code tokenToRenewIn2Sec} (which is then cleared);
 *         otherwise now + 86400 s
 * @throws InvalidToken if the MyToken reports itself as canceled
 */
@Override
public long renew(Token<?> t, Configuration conf) throws IOException {
  if (!(t instanceof MyToken)) {
    // foreign token type: renew in 3 seconds
    return System.currentTimeMillis() + 3000;
  }

  final MyToken myToken = (MyToken) t;
  if (myToken.isCanceled()) {
    throw new InvalidToken("token has been canceled");
  }

  // Bookkeeping that the tests read back.
  lastRenewed = myToken;
  counter++;
  LOG.info("Called MYDFS.renewdelegationtoken " + myToken +
      ";this dfs=" + this.hashCode() + ";c=" + counter);

  if (tokenToRenewIn2Sec != myToken) {
    return 86400*1000 + System.currentTimeMillis();
  }
  // First renewal of the designated token: ask for another one in 2 seconds.
  LOG.info("RENEW in 2 seconds");
  tokenToRenewIn2Sec = null;
  return 2*1000 + System.currentTimeMillis();
}
 
Example #14
Source File: TestSaslRPC.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Checks the error a client sees when the server's secret manager is a
 * {@code BadTokenSecretManager}: a RemoteException whose message equals
 * {@code ERROR_MESSAGE} and which unwraps to InvalidToken.
 */
@Test
public void testErrorMessage() throws Exception {
  BadTokenSecretManager sm = new BadTokenSecretManager();
  final Server server = new RPC.Builder(conf)
      .setProtocol(TestSaslProtocol.class)
      .setInstance(new TestSaslImpl())
      .setBindAddress(ADDRESS)
      .setPort(0)
      .setNumHandlers(5)
      .setVerbose(true)
      .setSecretManager(sm)
      .build();

  RemoteException failure = null;
  try {
    doDigestRpc(server, sm);
  } catch (RemoteException e) {
    failure = e;
  }
  final boolean failedAsExpected = failure != null;
  if (failedAsExpected) {
    LOG.info("LOGGING MESSAGE: " + failure.getLocalizedMessage());
    assertEquals(ERROR_MESSAGE, failure.getLocalizedMessage());
    assertTrue(failure.unwrapRemoteException() instanceof InvalidToken);
  }
  // No RemoteException at all means the bad token was accepted.
  assertTrue(failedAsExpected);
}
 
Example #15
Source File: ContainerManagerImpl.java    From big-c with Apache License 2.0 6 votes vote down vote up
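/**
 * Verifies the presented container token against the password that the
 * container-token secret manager retrieves for the identifier.
 *
 * @param token container token presented by the caller
 * @param containerTokenIdentifier identifier used to retrieve the password
 * @return the same {@code containerTokenIdentifier} when verification passes
 * @throws InvalidToken if a password is missing or the passwords differ
 * @throws YarnException declared by the signature; not thrown directly here
 */
protected ContainerTokenIdentifier verifyAndGetContainerTokenIdentifier(
    org.apache.hadoop.yarn.api.records.Token token,
    ContainerTokenIdentifier containerTokenIdentifier) throws YarnException,
    InvalidToken {
  byte[] password =
      context.getContainerTokenSecretManager().retrievePassword(
        containerTokenIdentifier);
  // NOTE(review): array() exposes the entire backing array of the buffer;
  // presumably the password occupies all of it - verify against the caller.
  byte[] tokenPass = token.getPassword().array();
  // Arrays.equals returns at the first mismatching byte, which makes the
  // rejection time depend on the secret. MessageDigest.isEqual examines the
  // bytes without that early exit.
  if (password == null || tokenPass == null
      || !java.security.MessageDigest.isEqual(password, tokenPass)) {
    throw new InvalidToken(
      "Invalid container token used for starting container on : "
          + context.getNodeId().toString());
  }
  return containerTokenIdentifier;
}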
 
Example #16
Source File: DFSClient.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Renews a delegation token through the proxy returned by
 * {@code getNNProxy}.
 *
 * @param token token to renew; cast unchecked to a delegation token
 * @param conf configuration used to obtain the proxy
 * @return the value returned by {@code renewDelegationToken}
 * @throws IOException the unwrapped remote failure; InvalidToken and
 *         AccessControlException are the classes requested from the unwrap
 */
@SuppressWarnings("unchecked")
@Override
public long renew(Token<?> token, Configuration conf) throws IOException {
  final Token<DelegationTokenIdentifier> delegationToken =
      (Token<DelegationTokenIdentifier>) token;
  final ClientProtocol namenode = getNNProxy(delegationToken, conf);
  try {
    return namenode.renewDelegationToken(delegationToken);
  } catch (RemoteException remote) {
    // Hand the caller the typed exception instead of the RPC wrapper.
    throw remote.unwrapRemoteException(InvalidToken.class,
        AccessControlException.class);
  }
}
 
Example #17
Source File: DFSClient.java    From big-c with Apache License 2.0 5 votes vote down vote up
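/**
 * Cancels a delegation token by calling {@code token.cancel(conf)}.
 *
 * @param token the token to cancel
 * @throws InvalidToken if the remote side reports the token as invalid
 * @throws IOException for any other failure, including an unwrapped
 *         AccessControlException
 * @throws RuntimeException if the calling thread is interrupted while
 *         cancelling; the interrupt flag is set again before throwing
 * @deprecated Use Token.cancel instead.
 */
@Deprecated
public void cancelDelegationToken(Token<DelegationTokenIdentifier> token)
    throws InvalidToken, IOException {
  LOG.info("Cancelling " + DelegationTokenIdentifier.stringifyToken(token));
  try {
    token.cancel(conf);
  } catch (InterruptedException ie) {
    // Catching InterruptedException clears the thread's interrupt status.
    // Restore it so callers further up can still see the interruption.
    Thread.currentThread().interrupt();
    throw new RuntimeException("caught interrupted", ie);
  } catch (RemoteException re) {
    throw re.unwrapRemoteException(InvalidToken.class,
                                   AccessControlException.class);
  }
}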
 
Example #18
Source File: NMClientImpl.java    From hadoop with Apache License 2.0 5 votes vote down vote up
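/**
 * Rethrows {@code t} as the most specific type the signature allows. This
 * method never returns normally.
 *
 * @param t the failure to rethrow
 * @throws YarnException if {@code t} is a YarnException
 * @throws IOException if {@code t} is an InvalidToken or another
 *         IOException, or wrapping {@code t} when it is a checked exception
 *         of some other type
 */
private void parseAndThrowException(Throwable t) throws YarnException,
    IOException {
  if (t instanceof YarnException) {
    throw (YarnException) t;
  } else if (t instanceof InvalidToken) {
    throw (InvalidToken) t;
  } else if (t instanceof IOException) {
    throw (IOException) t;
  } else if (t instanceof RuntimeException) {
    // A blind cast to IOException would fail with ClassCastException and
    // hide the real failure, so unchecked throwables pass through as-is.
    throw (RuntimeException) t;
  } else if (t instanceof Error) {
    throw (Error) t;
  } else {
    // Any other checked type is wrapped so that the cause is preserved.
    throw new IOException(t);
  }
}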
 
Example #19
Source File: AMLauncher.java    From big-c with Apache License 2.0 5 votes vote down vote up
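/**
 * Rethrows the given throwable under the narrowest type this method
 * declares. It always throws.
 *
 * @param t the failure to rethrow
 * @throws YarnException if {@code t} is a YarnException
 * @throws IOException if {@code t} is an InvalidToken or any other
 *         IOException; other checked throwables are wrapped in one
 */
private void parseAndThrowException(Throwable t) throws YarnException,
    IOException {
  if (t instanceof YarnException) {
    throw (YarnException) t;
  } else if (t instanceof InvalidToken) {
    throw (InvalidToken) t;
  } else if (t instanceof IOException) {
    throw (IOException) t;
  } else if (t instanceof RuntimeException) {
    // Casting an unchecked exception to IOException would raise
    // ClassCastException and discard the original failure.
    throw (RuntimeException) t;
  } else if (t instanceof Error) {
    throw (Error) t;
  } else {
    // Keep the original as the cause of the IOException.
    throw new IOException(t);
  }
}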
 
Example #20
Source File: DFSClient.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Cancels a delegation token through the proxy returned by
 * {@code getNNProxy}.
 *
 * @param token token to cancel; cast unchecked to a delegation token
 * @param conf configuration used to obtain the proxy
 * @throws IOException the unwrapped remote failure; InvalidToken and
 *         AccessControlException are the classes requested from the unwrap
 */
@SuppressWarnings("unchecked")
@Override
public void cancel(Token<?> token, Configuration conf) throws IOException {
  final Token<DelegationTokenIdentifier> delegationToken =
      (Token<DelegationTokenIdentifier>) token;
  // The log line uses the stringified form of the token.
  final String described =
      DelegationTokenIdentifier.stringifyToken(delegationToken);
  LOG.info("Cancelling " + described);

  final ClientProtocol namenode = getNNProxy(delegationToken, conf);
  try {
    namenode.cancelDelegationToken(delegationToken);
  } catch (RemoteException remote) {
    throw remote.unwrapRemoteException(InvalidToken.class,
        AccessControlException.class);
  }
}
 
Example #21
Source File: ContainerManagementProtocolProxy.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Records the bind address and token, resets the usage counters, and opens
 * the proxy through {@code newProxy}.
 *
 * @param rpc RPC implementation passed on to {@code newProxy}
 * @param containerManagerBindAddr address of the container manager
 * @param containerId container passed on to {@code newProxy}
 * @param token token stored here and passed on to {@code newProxy}
 * @throws InvalidToken propagated from {@code newProxy}
 */
@Private
@VisibleForTesting
public ContainerManagementProtocolProxyData(YarnRPC rpc,
    String containerManagerBindAddr,
    ContainerId containerId, Token token) throws InvalidToken {
  this.token = token;
  this.containerManagerBindAddr = containerManagerBindAddr;
  // A fresh entry has no callers and is not waiting to be closed.
  this.scheduledForClose = false;
  this.activeCallers = 0;
  // Opened last because this is the only step that can throw.
  this.proxy = newProxy(rpc, containerManagerBindAddr, containerId, token);
}
 
Example #22
Source File: NMClientImpl.java    From big-c with Apache License 2.0 5 votes vote down vote up
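/**
 * Converts a generic throwable back into a typed exception and throws it.
 * Control never returns to the caller normally.
 *
 * @param t the failure to rethrow
 * @throws YarnException if {@code t} is a YarnException
 * @throws IOException if {@code t} is an InvalidToken or other IOException,
 *         or as a wrapper around any remaining checked throwable
 */
private void parseAndThrowException(Throwable t) throws YarnException,
    IOException {
  if (t instanceof YarnException) {
    throw (YarnException) t;
  } else if (t instanceof InvalidToken) {
    throw (InvalidToken) t;
  } else if (t instanceof IOException) {
    throw (IOException) t;
  } else if (t instanceof RuntimeException) {
    // Without this branch the final cast turned every unchecked exception
    // into a ClassCastException, losing the original error.
    throw (RuntimeException) t;
  } else if (t instanceof Error) {
    throw (Error) t;
  } else {
    // Wrap instead of cast so the cause stays attached.
    throw new IOException(t);
  }
}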
 
Example #23
Source File: ContainerManagementProtocolProxy.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Initialises the proxy record: keeps the bind address and token, starts
 * with zero active callers and no pending close, then creates the proxy.
 *
 * @param rpc RPC implementation forwarded to {@code newProxy}
 * @param containerManagerBindAddr address of the container manager
 * @param containerId container forwarded to {@code newProxy}
 * @param token token kept on this record and forwarded to {@code newProxy}
 * @throws InvalidToken propagated from {@code newProxy}
 */
@Private
@VisibleForTesting
public ContainerManagementProtocolProxyData(YarnRPC rpc,
    String containerManagerBindAddr,
    ContainerId containerId, Token token) throws InvalidToken {
  // Simple state first.
  this.activeCallers = 0;
  this.scheduledForClose = false;
  this.containerManagerBindAddr = containerManagerBindAddr;
  this.token = token;
  // Proxy creation is the one call here that is declared to throw.
  this.proxy = newProxy(rpc, containerManagerBindAddr, containerId, token);
}
 
Example #24
Source File: DataXceiver.java    From hadoop with Apache License 2.0 5 votes vote down vote up
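/**
 * Checks the block access token for an operation when block tokens are
 * enabled on this datanode; does nothing otherwise.
 *
 * <p>On a rejected token the failure is logged, an ERROR_ACCESS_TOKEN
 * response is written when {@code reply} is set, {@code out} is closed, and
 * the InvalidToken is rethrown.
 *
 * @param out stream the error response is written to; closed on failure
 * @param reply whether to send an error response to the peer
 * @param blk block being accessed
 * @param t block token presented for the access
 * @param op operation being attempted; used in the log message
 * @param mode access mode requested
 * @throws IOException the InvalidToken from the check, or an I/O failure
 *         raised while writing the error response
 */
private void checkAccess(OutputStream out, final boolean reply, 
    final ExtendedBlock blk,
    final Token<BlockTokenIdentifier> t,
    final Op op,
    final BlockTokenSecretManager.AccessMode mode) throws IOException {
  if (!datanode.isBlockTokenEnabled) {
    return;
  }
  if (LOG.isDebugEnabled()) {
    LOG.debug("Checking block access token for block '" + blk.getBlockId()
        + "' with mode '" + mode + "'");
  }
  try {
    datanode.blockPoolTokenSecretManager.checkAccess(t, null, blk, mode);
  } catch(InvalidToken e) {
    // Log before replying: if building or writing the response throws, the
    // rejection must still be on record for whoever reviews access failures.
    LOG.warn("Block token verification failed: op=" + op
        + ", remoteAddress=" + remoteAddress
        + ", message=" + e.getLocalizedMessage());
    try {
      if (reply) {
        BlockOpResponseProto.Builder resp = BlockOpResponseProto.newBuilder()
          .setStatus(ERROR_ACCESS_TOKEN);
        if (mode == BlockTokenSecretManager.AccessMode.WRITE) {
          DatanodeRegistration dnR = 
            datanode.getDNRegistrationForBP(blk.getBlockPoolId());
          // NB: Unconditionally using the xfer addr w/o hostname
          resp.setFirstBadLink(dnR.getXferAddr());
        }
        resp.build().writeDelimitedTo(out);
        out.flush();
      }
      throw e;
    } finally {
      // The stream is closed whether or not the reply could be sent.
      IOUtils.closeStream(out);
    }
  }
}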
 
Example #25
Source File: TestEnhancedByteBufferAccess.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Polls the short-circuit cache until the replica for {@code block} reports
 * the expected anchorable/anchored state on its slot.
 *
 * @param cache cache whose contents are visited on each poll
 * @param block block whose replica is inspected
 * @param expectedIsAnchorable expected value of {@code slot.isAnchorable()}
 * @param expectedIsAnchored expected value of {@code slot.isAnchored()}
 * @param expectedOutstandingMmaps value asserted against the visitor's
 *        {@code numOutstandingMmaps} on every poll
 * @throws Exception whatever {@code GenericTestUtils.waitFor} raises
 */
private void waitForReplicaAnchorStatus(final ShortCircuitCache cache,
    final ExtendedBlock block, final boolean expectedIsAnchorable,
      final boolean expectedIsAnchored, final int expectedOutstandingMmaps)
        throws Exception {
  GenericTestUtils.waitFor(new Supplier<Boolean>() {
    @Override
    public Boolean get() {
      // Starts false; the visitor flips it once the slot state matches.
      final MutableBoolean result = new MutableBoolean(false);
      cache.accept(new CacheVisitor() {
        @Override
        public void visit(int numOutstandingMmaps,
            Map<ExtendedBlockId, ShortCircuitReplica> replicas,
            Map<ExtendedBlockId, InvalidToken> failedLoads,
            Map<Long, ShortCircuitReplica> evictable,
            Map<Long, ShortCircuitReplica> evictableMmapped) {
          // These two assertions fail the test outright; they are not
          // conditions the poll waits for.
          Assert.assertEquals(expectedOutstandingMmaps, numOutstandingMmaps);
          ShortCircuitReplica replica =
              replicas.get(ExtendedBlockId.fromExtendedBlock(block));
          Assert.assertNotNull(replica);
          Slot slot = replica.getSlot();
          if ((expectedIsAnchorable != slot.isAnchorable()) ||
              (expectedIsAnchored != slot.isAnchored())) {
            // Not there yet: log the current state and leave result false.
            LOG.info("replica " + replica + " has isAnchorable = " +
              slot.isAnchorable() + ", isAnchored = " + slot.isAnchored() + 
              ".  Waiting for isAnchorable = " + expectedIsAnchorable + 
              ", isAnchored = " + expectedIsAnchored);
            return;
          }
          result.setValue(true);
        }
      });
      return result.toBoolean();
    }
  // NOTE(review): 10 and 60000 look like the poll interval and timeout in
  // milliseconds - confirm against GenericTestUtils.waitFor.
  }, 10, 60000);
}
 
Example #26
Source File: TestDelegationToken.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Walks one token through renewal by the wrong and the right renewer, then
 * through the expiry of its password and of its maximum lifetime.
 */
@Test
public void testDelegationTokenSecretManager() throws Exception {
  Token<DelegationTokenIdentifier> token = generateDelegationToken(
      "SomeUser", "JobTracker");

  // A renewer other than "JobTracker" must be refused.
  boolean fakeRenewerRefused = false;
  try {
    dtSecretManager.renewToken(token, "FakeRenewer");
  } catch (AccessControlException expected) {
    fakeRenewerRefused = true;
  }
  if (!fakeRenewerRefused) {
    Assert.fail("should have failed");
  }

  dtSecretManager.renewToken(token, "JobTracker");

  // Rebuild the identifier from the token bytes; its password must be known.
  DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
  identifier.readFields(new DataInputStream(
      new ByteArrayInputStream(token.getIdentifier())));
  Assert.assertTrue(dtSecretManager.retrievePassword(identifier) != null);

  LOG.info("Sleep to expire the token");
  Thread.sleep(6000);
  // By now the password lookup must report the token as invalid.
  boolean passwordExpired = false;
  try {
    dtSecretManager.retrievePassword(identifier);
  } catch (InvalidToken expected) {
    passwordExpired = true;
  }
  if (!passwordExpired) {
    Assert.fail("Token should have expired");
  }

  dtSecretManager.renewToken(token, "JobTracker");
  LOG.info("Sleep beyond the max lifetime");
  Thread.sleep(5000);
  // Past the maximum lifetime even the right renewer must be turned away.
  boolean renewalExpired = false;
  try {
    dtSecretManager.renewToken(token, "JobTracker");
  } catch (InvalidToken expected) {
    renewalExpired = true;
  }
  if (!renewalExpired) {
    Assert.fail("should have been expired");
  }
}
 
Example #27
Source File: SaslRpcServer.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Decodes {@code id} and reads it into a fresh identifier obtained from the
 * secret manager.
 *
 * <p>This only parses the identifier; nothing in this method checks a
 * password or signature.
 *
 * @param id encoded token identifier
 * @param secretManager source of the empty identifier instance to fill
 * @return the populated identifier
 * @throws InvalidToken if the decoded bytes cannot be read into the
 *         identifier; the IOException is attached as the cause
 */
public static <T extends TokenIdentifier> T getIdentifier(String id,
    SecretManager<T> secretManager) throws InvalidToken {
  final byte[] rawIdentifier = decodeIdentifier(id);
  final T parsed = secretManager.createIdentifier();
  final DataInputStream in =
      new DataInputStream(new ByteArrayInputStream(rawIdentifier));
  try {
    parsed.readFields(in);
  } catch (IOException e) {
    // The cause is attached through initCause and the exception is then
    // thrown as InvalidToken, the only type the signature declares.
    InvalidToken invalid =
        new InvalidToken("Can't de-serialize tokenIdentifier");
    invalid.initCause(e);
    throw invalid;
  }
  return parsed;
}
 
Example #28
Source File: TestDelegationToken.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * With a started secret manager: renewal by "FakeCanceller" is denied,
 * cancellation by "JobTracker" removes the stored token, and a later renewal
 * fails with InvalidToken. The manager's threads are stopped afterwards.
 */
@Test
public void testCancelDelegationToken() throws Exception {
  final TestDelegationTokenSecretManager dtSecretManager =
    new TestDelegationTokenSecretManager(24*60*60*1000,
      10*1000,1*1000,3600000);
  try {
    dtSecretManager.startThreads();
    final Token<TestDelegationTokenIdentifier> token =
      generateDelegationToken(dtSecretManager, "SomeUser", "JobTracker");

    // "FakeCanceller" is not the "JobTracker" the token was generated with.
    final PrivilegedExceptionAction<Object> renewAsStranger =
        new PrivilegedExceptionAction<Object>() {
          @Override
          public Object run() throws Exception {
            dtSecretManager.renewToken(token, "FakeCanceller");
            return null;
          }
        };
    shouldThrow(renewAsStranger, AccessControlException.class);

    dtSecretManager.cancelToken(token, "JobTracker");
    Assert.assertTrue(dtSecretManager.isRemoveStoredTokenCalled);

    // After cancellation the same renewer must get InvalidToken.
    final PrivilegedExceptionAction<Object> renewAfterCancel =
        new PrivilegedExceptionAction<Object>() {
          @Override
          public Object run() throws Exception {
            dtSecretManager.renewToken(token, "JobTracker");
            return null;
          }
        };
    shouldThrow(renewAfterCancel, InvalidToken.class);
  } finally {
    dtSecretManager.stopThreads();
  }
}
 
Example #29
Source File: TestDelegationToken.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Covers the token life cycle in the secret manager: refusal of a foreign
 * renewer, renewal by "JobTracker", expiry of the password, and expiry of
 * the maximum lifetime.
 */
@Test
public void testDelegationTokenSecretManager() throws Exception {
  Token<DelegationTokenIdentifier> token = generateDelegationToken(
      "SomeUser", "JobTracker");

  // "FakeRenewer" must not be allowed to renew this token.
  boolean strangerDenied = false;
  try {
    dtSecretManager.renewToken(token, "FakeRenewer");
  } catch (AccessControlException expected) {
    strangerDenied = true;
  }
  if (!strangerDenied) {
    Assert.fail("should have failed");
  }

  dtSecretManager.renewToken(token, "JobTracker");

  // Parse the identifier out of the token and check it has a password.
  DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
  identifier.readFields(new DataInputStream(
      new ByteArrayInputStream(token.getIdentifier())));
  Assert.assertTrue(dtSecretManager.retrievePassword(identifier) != null);

  LOG.info("Sleep to expire the token");
  Thread.sleep(6000);
  // The token should have expired, so the lookup must now fail.
  boolean lookupFailed = false;
  try {
    dtSecretManager.retrievePassword(identifier);
  } catch (InvalidToken expected) {
    lookupFailed = true;
  }
  if (!lookupFailed) {
    Assert.fail("Token should have expired");
  }

  dtSecretManager.renewToken(token, "JobTracker");
  LOG.info("Sleep beyond the max lifetime");
  Thread.sleep(5000);
  // Beyond the maximum lifetime renewal is no longer possible.
  boolean renewFailed = false;
  try {
    dtSecretManager.renewToken(token, "JobTracker");
  } catch (InvalidToken expected) {
    renewFailed = true;
  }
  if (!renewFailed) {
    Assert.fail("should have been expired");
  }
}
 
Example #30
Source File: ContainerManagerImpl.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Passes the NM token identifier to the NM token secret manager's
 * {@code appAttemptStartContainer}.
 *
 * @param nmTokenIdentifier identifier to hand to the secret manager
 * @throws InvalidToken declared by the signature; not thrown directly here
 */
@Private
@VisibleForTesting
protected void updateNMTokenIdentifier(NMTokenIdentifier nmTokenIdentifier)
    throws InvalidToken {
  context.getNMTokenSecretManager().appAttemptStartContainer(
    nmTokenIdentifier);
}