diff --git hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/AppContext.java hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/AppContext.java index 0a54add..fd8c1e8 100644 --- hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/AppContext.java +++ hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/AppContext.java @@ -29,6 +29,7 @@ import org.apache.hadoop.yarn.api.records.ApplicationId; import org.apache.hadoop.yarn.api.records.Token; import org.apache.hadoop.yarn.event.EventHandler; +import org.apache.hadoop.yarn.security.client.ClientToAMTokenSecretManager; /** @@ -59,4 +60,6 @@ ClusterInfo getClusterInfo(); Map getNMTokens(); + + ClientToAMTokenSecretManager getClientToAMTokenSecretManager(); } diff --git hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/MRAppMaster.java hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/MRAppMaster.java index d3f158d..5348af2 100644 --- hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/MRAppMaster.java +++ hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/MRAppMaster.java 
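Review bot: The new `getClientToAMTokenSecretManager()` on the `AppContext` interface has no Javadoc, although its contract is unusual: the manager it returns is created without a master key and only receives one when the RM registration response is processed (see the `RunningAppContext` constructor and `RMCommunicator.setClientToAMToken` elsewhere in this diff), and several implementations in the same diff (`MockAppContext`, `JobHistory`, `TestRuntimeEstimators`) return null. Callers therefore have to null-check the result and must not assume tokens can be validated before registration. I would document it as: `/** Secret manager holding this attempt's client-to-AM token master key. The key is absent until the RM registration response has been processed; implementations that do not serve client-to-AM tokens return null. */`.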
@@ -125,6 +125,7 @@ import org.apache.hadoop.yarn.event.Event; import org.apache.hadoop.yarn.event.EventHandler; import org.apache.hadoop.yarn.security.ApplicationTokenIdentifier; +import org.apache.hadoop.yarn.security.client.ClientToAMTokenSecretManager; import org.apache.hadoop.yarn.exceptions.YarnRuntimeException; import org.apache.hadoop.yarn.service.AbstractService; import org.apache.hadoop.yarn.service.CompositeService; @@ -886,9 +887,12 @@ protected void serviceStop() throws Exception { private final ClusterInfo clusterInfo = new ClusterInfo(); private final ConcurrentHashMap nmTokens = new ConcurrentHashMap(); + private final ClientToAMTokenSecretManager clientToAMTokenSecretManager; public RunningAppContext(Configuration config) { this.conf = config; + this.clientToAMTokenSecretManager = + new ClientToAMTokenSecretManager(appAttemptID, null); } @Override @@ -945,6 +949,11 @@ public ClusterInfo getClusterInfo() { public Map getNMTokens() { return this.nmTokens; } + + @Override + public ClientToAMTokenSecretManager getClientToAMTokenSecretManager() { + return clientToAMTokenSecretManager; + } } @SuppressWarnings("unchecked") diff --git hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/MRClientSecurityInfo.java hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/MRClientSecurityInfo.java index 2b8efea..b4ed52f 100644 --- hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/MRClientSecurityInfo.java +++ hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/MRClientSecurityInfo.java 
@@ -27,7 +27,7 @@ import org.apache.hadoop.security.token.TokenIdentifier; import org.apache.hadoop.security.token.TokenInfo; import org.apache.hadoop.security.token.TokenSelector; -import org.apache.hadoop.yarn.security.client.ClientTokenSelector; +import org.apache.hadoop.yarn.security.client.ClientToAMTokenSelector; public class MRClientSecurityInfo extends SecurityInfo { @@ -51,7 +51,7 @@ public TokenInfo getTokenInfo(Class protocol, Configuration conf) { @Override public Class> value() { - return ClientTokenSelector.class; + return ClientToAMTokenSelector.class; } }; } diff --git hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/client/MRClientService.java hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/client/MRClientService.java index 9fff213..13a3d48 100644 --- hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/client/MRClientService.java +++ hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/client/MRClientService.java @@ -23,7 +23,6 @@ import java.util.Arrays; import java.util.Collection; -import org.apache.commons.codec.binary.Base64; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; @@ -81,7 +80,6 @@ import org.apache.hadoop.net.NetUtils; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authorize.PolicyProvider; -import org.apache.hadoop.yarn.api.ApplicationConstants; import org.apache.hadoop.yarn.factories.RecordFactory; import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider; import org.apache.hadoop.yarn.ipc.YarnRPC; 
@@ -117,19 +115,9 @@ protected void serviceStart() throws Exception { YarnRPC rpc = YarnRPC.create(conf); InetSocketAddress address = new InetSocketAddress(0); - ClientToAMTokenSecretManager secretManager = null; - if (UserGroupInformation.isSecurityEnabled()) { - String secretKeyStr = - System - .getenv(ApplicationConstants.APPLICATION_CLIENT_SECRET_ENV_NAME); - byte[] bytes = Base64.decodeBase64(secretKeyStr); - secretManager = - new ClientToAMTokenSecretManager( - this.appContext.getApplicationAttemptId(), bytes); - } server = rpc.getServer(MRClientProtocol.class, protocolHandler, address, - conf, secretManager, + conf, appContext.getClientToAMTokenSecretManager(), conf.getInt(MRJobConfig.MR_AM_JOB_CLIENT_THREAD_COUNT, MRJobConfig.DEFAULT_MR_AM_JOB_CLIENT_THREAD_COUNT), MRJobConfig.MR_AM_JOB_CLIENT_PORT_RANGE); diff --git hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/rm/RMCommunicator.java hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/rm/RMCommunicator.java index 27f2b27..9893004 100644 --- hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/rm/RMCommunicator.java +++ hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/rm/RMCommunicator.java @@ -20,6 +20,7 @@ import java.io.IOException; import java.net.InetSocketAddress; +import java.nio.ByteBuffer; import java.security.PrivilegedAction; import java.util.Map; import java.util.concurrent.ConcurrentLinkedQueue; 
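Review bot: The secret manager is now handed to `rpc.getServer` unconditionally, whereas the removed lines passed null unless `UserGroupInformation.isSecurityEnabled()`; whether installing a secret manager alters the RPC server's accepted authentication methods in the insecure case depends on `rpc.getServer`, which is not visible here, so this should be a deliberate choice rather than a side effect. If the old behaviour is intended, the argument is `conf, UserGroupInformation.isSecurityEnabled() ? appContext.getClientToAMTokenSecretManager() : null,`. Note also that at `serviceStart` the manager's key may still be unset, since it is populated by `RMCommunicator` after registration, so `retrievePassword` (which, per the null check visible in `BaseClientToAMTokenSecretManager`, presumably rejects the token) will turn away any client connecting before registration; a comment on the `rpc.getServer` call stating that this fail-closed window is intended would help the next reader.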
@@ -152,6 +153,7 @@ protected void register() { } RegisterApplicationMasterResponse response = scheduler.registerApplicationMaster(request); + setClientToAMToken(response.getClientToAMTokenMasterKey()); minContainerCapability = response.getMinimumResourceCapability(); maxContainerCapability = response.getMaximumResourceCapability(); this.context.getClusterInfo().setMinContainerCapability( @@ -167,6 +169,11 @@ protected void register() { } } + private void setClientToAMToken(ByteBuffer clientToAMTokenMasterKey) { + byte[] key = clientToAMTokenMasterKey.array(); + context.getClientToAMTokenSecretManager().setMasterKey(key); + } + protected void unregister() { try { FinalApplicationStatus finishState = FinalApplicationStatus.UNDEFINED; diff --git hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/MockAppContext.java hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/MockAppContext.java index 2b8be46..2574b69 100644 --- hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/MockAppContext.java +++ hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/MockAppContext.java @@ -30,6 +30,7 @@ import org.apache.hadoop.yarn.api.records.NodeId; import org.apache.hadoop.yarn.api.records.Token; import org.apache.hadoop.yarn.event.EventHandler; +import org.apache.hadoop.yarn.security.client.ClientToAMTokenSecretManager; import com.google.common.collect.Maps; @@ -122,4 +123,10 @@ public ClusterInfo getClusterInfo() { // Not added. return null; } + + @Override + public ClientToAMTokenSecretManager getClientToAMTokenSecretManager() { + // Not Implemented. + return null; + } } 
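Review bot: `setClientToAMToken` calls `clientToAMTokenMasterKey.array()`, which returns the whole backing array regardless of position, limit and array offset, throws for read-only or direct buffers, and NPEs if the response carries no buffer; with the PBImpl getter in this diff an unset field yields an empty buffer, so an RM that sends no key ends up passing an empty array to `setMasterKey`. Copy the remaining bytes instead and skip the update when no key is present, leaving the manager keyless so that token validation still fails closed. `register()` starts and ends outside the hunk, and the `LOG` below is assumed to be the class's existing logger.
```java
  private void setClientToAMToken(ByteBuffer clientToAMTokenMasterKey) {
    if (clientToAMTokenMasterKey == null
        || !clientToAMTokenMasterKey.hasRemaining()) {
      // No key: leave the secret manager keyless so token checks fail closed.
      LOG.warn("RM registration response carried no ClientToAMToken master key");
      return;
    }
    // array() ignores position/limit/arrayOffset; copy only the live bytes.
    byte[] key = new byte[clientToAMTokenMasterKey.remaining()];
    clientToAMTokenMasterKey.duplicate().get(key);
    context.getClientToAMTokenSecretManager().setMasterKey(key);
  }
```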
diff --git hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/TestRuntimeEstimators.java hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/TestRuntimeEstimators.java index ac55585..b938ba5 100644 --- hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/TestRuntimeEstimators.java +++ hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/TestRuntimeEstimators.java @@ -74,6 +74,7 @@ import org.apache.hadoop.yarn.event.EventHandler; import org.apache.hadoop.yarn.factories.RecordFactory; import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider; +import org.apache.hadoop.yarn.security.client.ClientToAMTokenSecretManager; import org.apache.hadoop.yarn.service.CompositeService; import org.junit.Assert; import org.junit.Test; @@ -857,5 +858,11 @@ public ClusterInfo getClusterInfo() { // Not implemented. return null; } + + @Override + public ClientToAMTokenSecretManager getClientToAMTokenSecretManager() { + // Not Implemented + return null; + } } } diff --git hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/JobHistory.java hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/JobHistory.java index 8be1657..56d1d9c 100644 --- hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/JobHistory.java +++ hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/JobHistory.java 
@@ -47,6 +47,7 @@ import org.apache.hadoop.yarn.event.EventHandler; import org.apache.hadoop.yarn.exceptions.YarnRuntimeException; import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider; +import org.apache.hadoop.yarn.security.client.ClientToAMTokenSecretManager; import org.apache.hadoop.yarn.service.AbstractService; import org.apache.hadoop.yarn.service.Service; @@ -309,4 +310,10 @@ public ClusterInfo getClusterInfo() { // Not implemented. return null; } + + @Override + public ClientToAMTokenSecretManager getClientToAMTokenSecretManager() { + // Not implemented. + return null; + } } diff --git hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/main/java/org/apache/hadoop/mapred/ClientServiceDelegate.java hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/main/java/org/apache/hadoop/mapred/ClientServiceDelegate.java index 6620e73..7c9d3c2 100644 --- hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/main/java/org/apache/hadoop/mapred/ClientServiceDelegate.java +++ hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/main/java/org/apache/hadoop/mapred/ClientServiceDelegate.java @@ -74,7 +74,7 @@ import org.apache.hadoop.yarn.factories.RecordFactory; import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider; import org.apache.hadoop.yarn.ipc.YarnRPC; -import org.apache.hadoop.yarn.security.client.ClientTokenIdentifier; +import org.apache.hadoop.yarn.security.client.ClientToAMTokenIdentifier; import org.apache.hadoop.yarn.util.ProtoUtils; public class ClientServiceDelegate { 
@@ -181,7 +181,7 @@ private MRClientProtocol getProxy() throws IOException { application.getHost(), application.getRpcPort()); if (UserGroupInformation.isSecurityEnabled()) { org.apache.hadoop.yarn.api.records.Token clientToken = application.getClientToken(); - Token token = + Token token = ProtoUtils.convertFromProtoFormat(clientToken, serviceAddr); newUgi.addToken(token); } diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/ApplicationConstants.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/ApplicationConstants.java index 8a824ec..053250a 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/ApplicationConstants.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/ApplicationConstants.java @@ -28,10 +28,6 @@ * TODO: Investigate the semantics and security of each cross-boundary refs. */ public interface ApplicationConstants { - - // TODO: They say tokens via env isn't good. - public static final String APPLICATION_CLIENT_SECRET_ENV_NAME = - "AppClientSecretEnv"; /** * The environment variable for APP_SUBMIT_TIME. Set in AppMaster environment diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/RegisterApplicationMasterResponse.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/RegisterApplicationMasterResponse.java index ca507d0..3789ff9 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/RegisterApplicationMasterResponse.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/RegisterApplicationMasterResponse.java 
@@ -18,6 +18,7 @@ package org.apache.hadoop.yarn.api.protocolrecords; +import java.nio.ByteBuffer; import java.util.Map; import org.apache.hadoop.classification.InterfaceAudience.Private; @@ -98,4 +99,18 @@ public static RegisterApplicationMasterResponse newInstance( @Private @Unstable public abstract void setApplicationACLs(Map acls); + + /** + * Set ClientToAMToken master key. + */ + @Public + @Stable + public abstract void setClientToAMTokenMasterKey(ByteBuffer key); + + /** + * Get ClientToAMToken master key. + */ + @Public + @Stable + public abstract ByteBuffer getClientToAMTokenMasterKey(); } diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/impl/pb/RegisterApplicationMasterResponsePBImpl.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/impl/pb/RegisterApplicationMasterResponsePBImpl.java index aeeba99..d697a37 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/impl/pb/RegisterApplicationMasterResponsePBImpl.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/impl/pb/RegisterApplicationMasterResponsePBImpl.java @@ -19,6 +19,7 @@ package org.apache.hadoop.yarn.api.protocolrecords.impl.pb; +import java.nio.ByteBuffer; import java.util.HashMap; import java.util.Iterator; import java.util.List; @@ -34,6 +35,8 @@ import org.apache.hadoop.yarn.proto.YarnServiceProtos.RegisterApplicationMasterResponseProtoOrBuilder; import org.apache.hadoop.yarn.util.ProtoUtils; +import com.google.protobuf.ByteString; + public class RegisterApplicationMasterResponsePBImpl extends RegisterApplicationMasterResponse { 
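Review bot: The Javadoc on `setClientToAMTokenMasterKey`/`getClientToAMTokenMasterKey` says only "Set/Get ClientToAMToken master key" and never states that the value is a secret: it is the key the RM's secret manager issues for this attempt (see `ApplicationMasterService.registerApplicationMaster` in this diff) and the key from which `BaseClientToAMTokenSecretManager.createPassword` derives client token passwords, so anyone holding it can mint valid client-to-AM tokens for the attempt. Marking it `@Public @Stable` makes it a first-class part of the AM-RM protocol, so the doc should say how it may be handled. Suggested text for the getter: `/** The master key from which client-to-AM token passwords for this attempt are derived. It is a secret shared between the RM and this AM only: do not log it, persist it, or pass it to other processes. */`, with a matching sentence on the setter.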
@@ -230,7 +233,23 @@ public void setApplicationACLs( this.applicationACLS.clear(); this.applicationACLS.putAll(appACLs); } - + + @Override + public void setClientToAMTokenMasterKey(ByteBuffer key) { + if (key == null) { + return; + } + maybeInitBuilder(); + builder.setClientToAmTokenMasterKey(ByteString.copyFrom(key)); + } + + @Override + public ByteBuffer getClientToAMTokenMasterKey() { + ByteBuffer key = + ByteBuffer.wrap(builder.getClientToAmTokenMasterKey().toByteArray()); + return key; + } + private Resource convertFromProtoFormat(ResourceProto resource) { return new ResourcePBImpl(resource); } diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/yarn_service_protos.proto hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/yarn_service_protos.proto index d697fb5..1a9053a 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/yarn_service_protos.proto +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/yarn_service_protos.proto @@ -37,7 +37,8 @@ message RegisterApplicationMasterRequestProto { message RegisterApplicationMasterResponseProto { optional ResourceProto minimumCapability = 1; optional ResourceProto maximumCapability = 2; - repeated ApplicationACLMapProto application_ACLs = 3; + optional bytes client_to_am_token_master_key = 3; + repeated ApplicationACLMapProto application_ACLs = 4; } message FinishApplicationMasterRequestProto { 
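Review bot: `getClientToAMTokenMasterKey` reads `builder` directly without `maybeInitBuilder()` or the `viaProto ? proto : builder` selection the PBImpl pattern uses, so on an instance constructed from a received proto — presumably the AM side, where `builder` has not been initialised — it would throw a NullPointerException; it also returns an empty buffer rather than null when the field is unset, which is what feeds an empty key into `RMCommunicator.setClientToAMToken`. The setter likewise returns early on null without clearing a previously set value. I would read through the `ProtoOrBuilder` and report absence as null (callers such as `RMCommunicator` must then handle null); the `viaProto`/`proto` fields are assumed from the PBImpl convention since they lie outside the hunk.
```java
  @Override
  public void setClientToAMTokenMasterKey(ByteBuffer key) {
    maybeInitBuilder();
    if (key == null) {
      builder.clearClientToAmTokenMasterKey();
      return;
    }
    builder.setClientToAmTokenMasterKey(ByteString.copyFrom(key));
  }

  @Override
  public ByteBuffer getClientToAMTokenMasterKey() {
    RegisterApplicationMasterResponseProtoOrBuilder p =
        viaProto ? proto : builder;
    if (!p.hasClientToAmTokenMasterKey()) {
      return null;
    }
    return ByteBuffer.wrap(p.getClientToAmTokenMasterKey().toByteArray());
  }
```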
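Review bot: In `RegisterApplicationMasterResponseProto` the new `client_to_am_token_master_key` takes field number 3, which was `application_ACLs`, and the ACL map is renumbered to 4; both are length-delimited on the wire, so a mixed-version RM/AM pair would not fail cleanly — an AM built before this change would try to decode the key bytes as `ApplicationACLMapProto` entries, and a new AM talking to an old RM would receive ACL entries in the key field. If cross-version compatibility of the AM-RM protocol matters, keep `repeated ApplicationACLMapProto application_ACLs = 3;` and add `optional bytes client_to_am_token_master_key = 4;` instead; if it does not, a comment on the message saying the renumbering is intentional would save the next reader the check.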
diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/BaseClientToAMTokenSecretManager.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/BaseClientToAMTokenSecretManager.java index 796f71c..b3807b0 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/BaseClientToAMTokenSecretManager.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/BaseClientToAMTokenSecretManager.java @@ -24,20 +24,20 @@ import org.apache.hadoop.yarn.api.records.ApplicationAttemptId; public abstract class BaseClientToAMTokenSecretManager extends - SecretManager { + SecretManager { public abstract SecretKey getMasterKey( ApplicationAttemptId applicationAttemptId); @Override public synchronized byte[] createPassword( - ClientTokenIdentifier identifier) { + ClientToAMTokenIdentifier identifier) { return createPassword(identifier.getBytes(), getMasterKey(identifier.getApplicationAttemptID())); } @Override - public byte[] retrievePassword(ClientTokenIdentifier identifier) + public byte[] retrievePassword(ClientToAMTokenIdentifier identifier) throws SecretManager.InvalidToken { SecretKey masterKey = getMasterKey(identifier.getApplicationAttemptID()); if (masterKey == null) { @@ -47,8 +47,8 @@ public abstract SecretKey getMasterKey( } @Override - public ClientTokenIdentifier createIdentifier() { - return new ClientTokenIdentifier(); + public ClientToAMTokenIdentifier createIdentifier() { + return new ClientToAMTokenIdentifier(); } } diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenIdentifier.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenIdentifier.java new file mode 100644 index 0000000..452f0dc 
--- /dev/null +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenIdentifier.java 
@@ -0,0 +1,89 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.yarn.security.client; + +import java.io.DataInput; +import java.io.DataOutput; +import java.io.IOException; + +import org.apache.hadoop.classification.InterfaceAudience; +import org.apache.hadoop.io.Text; +import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.security.token.Token; +import org.apache.hadoop.security.token.TokenIdentifier; +import org.apache.hadoop.yarn.api.records.ApplicationAttemptId; +import org.apache.hadoop.yarn.api.records.ApplicationId; + +public class ClientToAMTokenIdentifier extends TokenIdentifier { + + public static final Text KIND_NAME = new Text("YARN_CLIENT_TOKEN"); + + private ApplicationAttemptId applicationAttemptId; + + // TODO: Add more information in the tokenID such that it is not + // transferrable, more secure etc. 
+ + public ClientToAMTokenIdentifier() { + } + + public ClientToAMTokenIdentifier(ApplicationAttemptId id) { + this(); + this.applicationAttemptId = id; + } + + public ApplicationAttemptId getApplicationAttemptID() { + return this.applicationAttemptId; + } + + @Override + public void write(DataOutput out) throws IOException { + out.writeLong(this.applicationAttemptId.getApplicationId() + .getClusterTimestamp()); + out.writeInt(this.applicationAttemptId.getApplicationId().getId()); + out.writeInt(this.applicationAttemptId.getAttemptId()); + } + + @Override + public void readFields(DataInput in) throws IOException { + this.applicationAttemptId = + ApplicationAttemptId.newInstance( + ApplicationId.newInstance(in.readLong(), in.readInt()), in.readInt()); + } + + @Override + public Text getKind() { + return KIND_NAME; + } + + @Override + public UserGroupInformation getUser() { + if (this.applicationAttemptId == null) { + return null; + } + return UserGroupInformation.createRemoteUser(this.applicationAttemptId.toString()); + } + + @InterfaceAudience.Private + public static class Renewer extends Token.TrivialRenewer { + @Override + protected Text getKind() { + return KIND_NAME; + } + } +} diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenSecretManager.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenSecretManager.java index 60dc6eb..7a3f462 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenSecretManager.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenSecretManager.java 
@@ -27,12 +27,17 @@ BaseClientToAMTokenSecretManager { // Only one client-token and one master-key for AM - private final SecretKey masterKey; + private SecretKey masterKey; public ClientToAMTokenSecretManager( - ApplicationAttemptId applicationAttemptID, byte[] secretKeyBytes) { + ApplicationAttemptId applicationAttemptID, byte[] key) { super(); - this.masterKey = SecretManager.createSecretKey(secretKeyBytes); + if (key != null) { + this.masterKey = SecretManager.createSecretKey(key); + } else { + this.masterKey = null; + } + } @Override @@ -41,4 +46,7 @@ public SecretKey getMasterKey(ApplicationAttemptId applicationAttemptID) { return this.masterKey; } + public void setMasterKey(byte[] key) { + this.masterKey = SecretManager.createSecretKey(key); + } } \ No newline at end of file diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenSelector.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenSelector.java new file mode 100644 index 0000000..e102fb2 --- /dev/null +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenSelector.java 
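Review bot: `masterKey` becomes a mutable field that `setMasterKey` writes without synchronisation or `volatile`, while `createPassword` is `synchronized` and `getMasterKey` (and therefore `retrievePassword`) is not; in this diff the setter is invoked from `RMCommunicator.register()` and the key is read on the MRClientService RPC handler threads, so nothing guarantees the handlers ever observe the new key. Declaring `private volatile SecretKey masterKey;` and making the setter `public synchronized void setMasterKey(byte[] key)` closes that gap. The setter also lacks the null guard the constructor has, so `setMasterKey(null)` would reach `SecretManager.createSecretKey(null)`; either reject null explicitly or mirror the constructor's check.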
@@ -0,0 +1,54 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.yarn.security.client; + +import java.util.Collection; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.hadoop.io.Text; +import org.apache.hadoop.security.token.Token; +import org.apache.hadoop.security.token.TokenIdentifier; +import org.apache.hadoop.security.token.TokenSelector; + +public class ClientToAMTokenSelector implements + TokenSelector { + + private static final Log LOG = LogFactory + .getLog(ClientToAMTokenSelector.class); + + @SuppressWarnings("unchecked") + public Token selectToken(Text service, + Collection> tokens) { + if (service == null) { + return null; + } + LOG.debug("Looking for a token with service " + service.toString()); + for (Token token : tokens) { + LOG.debug("Token kind is " + token.getKind().toString() + + " and the token's service name is " + token.getService()); + if (ClientToAMTokenIdentifier.KIND_NAME.equals(token.getKind()) + && service.equals(token.getService())) { + return (Token) token; + } + } + return null; + } + +} 
diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientTokenIdentifier.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientTokenIdentifier.java deleted file mode 100644 index fb2258d..0000000 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientTokenIdentifier.java +++ /dev/null 
@@ -1,89 +0,0 @@ -/** -* Licensed to the Apache Software Foundation (ASF) under one -* or more contributor license agreements. See the NOTICE file -* distributed with this work for additional information -* regarding copyright ownership. The ASF licenses this file -* to you under the Apache License, Version 2.0 (the -* "License"); you may not use this file except in compliance -* with the License. You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ - -package org.apache.hadoop.yarn.security.client; - -import java.io.DataInput; -import java.io.DataOutput; -import java.io.IOException; - -import org.apache.hadoop.classification.InterfaceAudience; -import org.apache.hadoop.io.Text; -import org.apache.hadoop.security.UserGroupInformation; -import org.apache.hadoop.security.token.Token; -import org.apache.hadoop.security.token.TokenIdentifier; -import org.apache.hadoop.yarn.api.records.ApplicationAttemptId; -import org.apache.hadoop.yarn.api.records.ApplicationId; - -public class ClientTokenIdentifier extends TokenIdentifier { - - public static final Text KIND_NAME = new Text("YARN_CLIENT_TOKEN"); - - private ApplicationAttemptId applicationAttemptId; - - // TODO: Add more information in the tokenID such that it is not - // transferrable, more secure etc. 
- - public ClientTokenIdentifier() { - } - - public ClientTokenIdentifier(ApplicationAttemptId id) { - this(); - this.applicationAttemptId = id; - } - - public ApplicationAttemptId getApplicationAttemptID() { - return this.applicationAttemptId; - } - - @Override - public void write(DataOutput out) throws IOException { - out.writeLong(this.applicationAttemptId.getApplicationId() - .getClusterTimestamp()); - out.writeInt(this.applicationAttemptId.getApplicationId().getId()); - out.writeInt(this.applicationAttemptId.getAttemptId()); - } - - @Override - public void readFields(DataInput in) throws IOException { - this.applicationAttemptId = - ApplicationAttemptId.newInstance( - ApplicationId.newInstance(in.readLong(), in.readInt()), in.readInt()); - } - - @Override - public Text getKind() { - return KIND_NAME; - } - - @Override - public UserGroupInformation getUser() { - if (this.applicationAttemptId == null) { - return null; - } - return UserGroupInformation.createRemoteUser(this.applicationAttemptId.toString()); - } - - @InterfaceAudience.Private - public static class Renewer extends Token.TrivialRenewer { - @Override - protected Text getKind() { - return KIND_NAME; - } - } -} diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientTokenSelector.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientTokenSelector.java deleted file mode 100644 index 07ecba0..0000000 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientTokenSelector.java +++ /dev/null 
@@ -1,54 +0,0 @@ -/** -* Licensed to the Apache Software Foundation (ASF) under one -* or more contributor license agreements. See the NOTICE file -* distributed with this work for additional information -* regarding copyright ownership. The ASF licenses this file -* to you under the Apache License, Version 2.0 (the -* "License"); you may not use this file except in compliance -* with the License. You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ - -package org.apache.hadoop.yarn.security.client; - -import java.util.Collection; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.apache.hadoop.io.Text; -import org.apache.hadoop.security.token.Token; -import org.apache.hadoop.security.token.TokenIdentifier; -import org.apache.hadoop.security.token.TokenSelector; - -public class ClientTokenSelector implements - TokenSelector { - - private static final Log LOG = LogFactory - .getLog(ClientTokenSelector.class); - - @SuppressWarnings("unchecked") - public Token selectToken(Text service, - Collection> tokens) { - if (service == null) { - return null; - } - LOG.debug("Looking for a token with service " + service.toString()); - for (Token token : tokens) { - LOG.debug("Token kind is " + token.getKind().toString() - + " and the token's service name is " + token.getService()); - if (ClientTokenIdentifier.KIND_NAME.equals(token.getKind()) - && service.equals(token.getService())) { - return (Token) token; - } - } - return null; - } - -} 
diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/META-INF/services/org.apache.hadoop.security.token.TokenIdentifier hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/META-INF/services/org.apache.hadoop.security.token.TokenIdentifier index 2334040..d01a32d 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/META-INF/services/org.apache.hadoop.security.token.TokenIdentifier +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/META-INF/services/org.apache.hadoop.security.token.TokenIdentifier @@ -13,5 +13,5 @@ # org.apache.hadoop.yarn.security.ContainerTokenIdentifier org.apache.hadoop.yarn.security.ApplicationTokenIdentifier -org.apache.hadoop.yarn.security.client.ClientTokenIdentifier +org.apache.hadoop.yarn.security.client.ClientToAMTokenIdentifier org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ApplicationMasterService.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ApplicationMasterService.java index 410fc8a..50dbccf 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ApplicationMasterService.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ApplicationMasterService.java 
@@ -216,6 +216,9 @@ public RegisterApplicationMasterResponse registerApplicationMaster( .getMaximumResourceCapability()); response.setApplicationACLs(app.getRMAppAttempt(applicationAttemptId) .getSubmissionContext().getAMContainerSpec().getApplicationACLs()); + response.setClientToAMTokenMasterKey(java.nio.ByteBuffer.wrap(rmContext + .getClientToAMTokenSecretManager() + .getMasterKey(applicationAttemptId).getEncoded())); return response; } } diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/amlauncher/AMLauncher.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/amlauncher/AMLauncher.java index 4ec82e4..c732ac5 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/amlauncher/AMLauncher.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/amlauncher/AMLauncher.java @@ -165,12 +165,12 @@ private ContainerLaunchContext createAMContainerLaunchContext( new String[0]))); // Finalize the container - setupTokensAndEnv(container, containerID); + setupTokens(container, containerID); return container; } - private void setupTokensAndEnv( + private void setupTokens( ContainerLaunchContext container, ContainerId containerID) throws IOException { Map environment = container.getEnvironment(); 
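Review bot: The added lines dereference `getMasterKey(applicationAttemptId)` with no null check, so any attempt for which the RM's ClientToAMTokenSecretManager holds no key turns `getEncoded()` into an NPE and fails AM registration outright; the recovery path in RMAppAttemptImpl only handles client tokens under `UserGroupInformation.isSecurityEnabled()`, which suggests keys are not issued in insecure mode, so wrap the new block in `if (UserGroupInformation.isSecurityEnabled()) { ... }` (confirm against the attempt-start transition, which is outside this diff). The master key now leaves the RM in the AMRMProtocol reply instead of the container environment, which is only as confidential as the RPC transport; a one-line comment here should record that the caller has already authenticated with its AM token and that on-the-wire confidentiality of this key depends on the configured RPC protection level. registerApplicationMaster begins before this hunk.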
@@ -210,15 +210,6 @@ private void setupTokensAndEnv( credentials.writeTokenStorageToStream(dob); container.setTokens(ByteBuffer.wrap(dob.getData(), 0, dob.getLength())); - - SecretKey clientSecretKey = - this.rmContext.getClientToAMTokenSecretManager().getMasterKey( - application.getAppAttemptId()); - String encoded = - Base64.encodeBase64URLSafeString(clientSecretKey.getEncoded()); - environment.put( - ApplicationConstants.APPLICATION_CLIENT_SECRET_ENV_NAME, - encoded); } } diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java index 0665022..9525911 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java @@ -42,7 +42,7 @@ import org.apache.hadoop.yarn.event.Dispatcher; import org.apache.hadoop.yarn.event.EventHandler; import org.apache.hadoop.yarn.security.ApplicationTokenIdentifier; -import org.apache.hadoop.yarn.security.client.ClientTokenIdentifier; +import org.apache.hadoop.yarn.security.client.ClientToAMTokenIdentifier; import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.ApplicationAttemptStateDataPBImpl; import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.ApplicationStateDataPBImpl; import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier; 
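Review bot: With the `environment.put(...)` removed, `Map environment = container.getEnvironment();` (a context line at the top of setupTokens in the preceding hunk) has no visible remaining use, and the `SecretKey`, `Base64` and `ApplicationConstants` imports are presumably orphaned as well; delete the local and the imports unless something in the unshown middle of setupTokens still reads `environment`. If the RM no longer sets `APPLICATION_CLIENT_SECRET_ENV_NAME` anywhere, mark that constant `@Deprecated` with a comment pointing at `RegisterApplicationMasterResponse.getClientToAMTokenMasterKey()` so out-of-tree AMs learn that the environment path is gone rather than silently reading a null.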
@@ -382,7 +382,7 @@ private Credentials getTokensFromAppAttempt(RMAppAttempt appAttempt) { if(appToken != null){ credentials.addToken(appToken.getService(), appToken); } - Token clientToken = appAttempt.getClientToken(); + Token clientToken = appAttempt.getClientToken(); if(clientToken != null){ credentials.addToken(clientToken.getService(), clientToken); } diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java index 539ab33..aad280a 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java @@ -47,7 +47,7 @@ import org.apache.hadoop.yarn.event.Dispatcher; import org.apache.hadoop.yarn.event.EventHandler; import org.apache.hadoop.yarn.exceptions.YarnRuntimeException; -import org.apache.hadoop.yarn.security.client.ClientTokenIdentifier; +import org.apache.hadoop.yarn.security.client.ClientToAMTokenIdentifier; import org.apache.hadoop.yarn.server.resourcemanager.ApplicationMasterService; import org.apache.hadoop.yarn.server.resourcemanager.RMAppManagerEvent; import org.apache.hadoop.yarn.server.resourcemanager.RMAppManagerEventType; 
@@ -445,7 +445,7 @@ public ApplicationReport createAndGetApplicationReport(boolean allowAccess) { currentApplicationAttemptId = this.currentAttempt.getAppAttemptId(); trackingUrl = this.currentAttempt.getTrackingUrl(); origTrackingUrl = this.currentAttempt.getOriginalTrackingUrl(); - Token attemptClientToken = + Token attemptClientToken = this.currentAttempt.getClientToken(); if (attemptClientToken != null) { clientToken = diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttempt.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttempt.java index b9c7eb2..1453182 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttempt.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttempt.java @@ -32,7 +32,7 @@ import org.apache.hadoop.yarn.conf.YarnConfiguration; import org.apache.hadoop.yarn.event.EventHandler; import org.apache.hadoop.yarn.security.ApplicationTokenIdentifier; -import org.apache.hadoop.yarn.security.client.ClientTokenIdentifier; +import org.apache.hadoop.yarn.security.client.ClientToAMTokenIdentifier; import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp; /** @@ -94,7 +94,7 @@ * The token required by the clients to talk to the application attempt * @return the token required by the clients to talk to the application attempt */ - Token getClientToken(); + Token getClientToken(); /** * Diagnostics information for the application attempt. 
diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java index bb2e252..5ed3f9c 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java @@ -63,8 +63,8 @@ import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider; import org.apache.hadoop.yarn.security.ApplicationTokenIdentifier; import org.apache.hadoop.yarn.security.ApplicationTokenSelector; -import org.apache.hadoop.yarn.security.client.ClientTokenIdentifier; -import org.apache.hadoop.yarn.security.client.ClientTokenSelector; +import org.apache.hadoop.yarn.security.client.ClientToAMTokenIdentifier; +import org.apache.hadoop.yarn.security.client.ClientToAMTokenSelector; import org.apache.hadoop.yarn.server.resourcemanager.ApplicationMasterService; import org.apache.hadoop.yarn.server.resourcemanager.RMContext; import org.apache.hadoop.yarn.server.resourcemanager.amlauncher.AMLauncherEvent; @@ -129,7 +129,7 @@ private final WriteLock writeLock; private final ApplicationAttemptId applicationAttemptId; - private Token clientToken; + private Token clientToken; private final ApplicationSubmissionContext submissionContext; private Token applicationToken = null; @@ -498,7 +498,7 @@ private void setTrackingUrlToRMAppPage() { } @Override - public Token getClientToken() { + public Token getClientToken() { return this.clientToken; } 
@@ -673,7 +673,7 @@ private void recoverAppAttemptTokens(Credentials appAttemptTokens) { } if (UserGroupInformation.isSecurityEnabled()) { - ClientTokenSelector clientTokenSelector = new ClientTokenSelector(); + ClientToAMTokenSelector clientTokenSelector = new ClientToAMTokenSelector(); this.clientToken = clientTokenSelector.selectToken(new Text(), appAttemptTokens.getAllTokens()); @@ -722,7 +722,7 @@ public void transition(RMAppAttemptImpl appAttempt, // create clientToken appAttempt.clientToken = - new Token(new ClientTokenIdentifier( + new Token(new ClientToAMTokenIdentifier( appAttempt.applicationAttemptId), appAttempt.rmContext.getClientToAMTokenSecretManager()); diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockAM.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockAM.java index e720a3a..70a7a01 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockAM.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockAM.java @@ -28,6 +28,7 @@ import org.apache.hadoop.yarn.api.protocolrecords.AllocateResponse; import org.apache.hadoop.yarn.api.protocolrecords.FinishApplicationMasterRequest; import org.apache.hadoop.yarn.api.protocolrecords.RegisterApplicationMasterRequest; +import org.apache.hadoop.yarn.api.protocolrecords.RegisterApplicationMasterResponse; import org.apache.hadoop.yarn.api.records.ApplicationAttemptId; import org.apache.hadoop.yarn.api.records.ContainerId; import org.apache.hadoop.yarn.api.records.FinalApplicationStatus; 
@@ -49,7 +50,7 @@ private final List requests = new ArrayList(); private final List releases = new ArrayList(); - MockAM(RMContext context, AMRMProtocol amRMProtocol, + public MockAM(RMContext context, AMRMProtocol amRMProtocol, ApplicationAttemptId attemptId) { this.context = context; this.amRMProtocol = amRMProtocol; @@ -77,7 +78,7 @@ public void waitForState(RMAppAttemptState finalState) throws Exception { finalState, attempt.getAppAttemptState()); } - public void registerAppAttempt() throws Exception { + public RegisterApplicationMasterResponse registerAppAttempt() throws Exception { waitForState(RMAppAttemptState.LAUNCHED); responseId = 0; RegisterApplicationMasterRequest req = Records.newRecord(RegisterApplicationMasterRequest.class); @@ -85,7 +86,7 @@ public void registerAppAttempt() throws Exception { req.setHost(""); req.setRpcPort(1); req.setTrackingUrl(""); - amRMProtocol.registerApplicationMaster(req); + return amRMProtocol.registerApplicationMaster(req); } public void addRequests(String[] hosts, int memory, int priority, diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockRM.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockRM.java index c9dd8a2..e0727da 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockRM.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/MockRM.java 
@@ -96,7 +96,7 @@ public void waitForState(ApplicationId appId, RMAppState finalState) while (!finalState.equals(app.getState()) && timeoutSecs++ < 40) { System.out.println("App : " + appId + " State is : " + app.getState() + " Waiting for state : " + finalState); - Thread.sleep(1000); + Thread.sleep(2000); } System.out.println("App State is : " + app.getState()); Assert.assertEquals("App state is not correct (timedout)", finalState, diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestRMStateStore.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestRMStateStore.java index 75b5d9f..7b58728 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestRMStateStore.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestRMStateStore.java @@ -55,7 +55,7 @@ import org.apache.hadoop.yarn.event.Dispatcher; import org.apache.hadoop.yarn.event.EventHandler; import org.apache.hadoop.yarn.security.ApplicationTokenIdentifier; -import org.apache.hadoop.yarn.security.client.ClientTokenIdentifier; +import org.apache.hadoop.yarn.security.client.ClientToAMTokenIdentifier; import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier; import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.ApplicationAttemptState; import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.ApplicationState; 
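Review bot: `Thread.sleep(2000)` with the unchanged bound `timeoutSecs++ < 40` silently doubles the wait to 80 s while the counter's name still says seconds; either halve the bound (`timeoutSecs++ < 20`) or rename the counter to reflect 2-second ticks. The slower poll also adds up to 2 s of latency to every state wait in tests built on MockRM, so if the intent was only to give the new registration step more time, raising the bound rather than the sleep would keep the existing tests as fast as before.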
@@ -206,7 +206,7 @@ void storeApp(RMStateStore store, ApplicationId appId, long time) ContainerId storeAttempt(RMStateStore store, ApplicationAttemptId attemptId, String containerIdStr, Token appToken, - Token clientToken, TestDispatcher dispatcher) + Token clientToken, TestDispatcher dispatcher) throws Exception { Container container = new ContainerPBImpl(); @@ -250,7 +250,7 @@ void testRMAppStateStore(RMStateStoreHelper stateStoreHelper) throws Exception { ContainerId containerId1 = storeAttempt(store, attemptId1, "container_1352994193343_0001_01_000001", (Token) (appAttemptToken1.get(0)), - (Token)(appAttemptToken1.get(1)), + (Token)(appAttemptToken1.get(1)), dispatcher); String appAttemptIdStr2 = "appattempt_1352994193343_0001_000002"; @@ -266,7 +266,7 @@ void testRMAppStateStore(RMStateStoreHelper stateStoreHelper) throws Exception { ContainerId containerId2 = storeAttempt(store, attemptId2, "container_1352994193343_0001_02_000001", (Token) (appAttemptToken2.get(0)), - (Token)(appAttemptToken2.get(1)), + (Token)(appAttemptToken2.get(1)), dispatcher); ApplicationAttemptId attemptIdRemoved = ConverterUtils @@ -380,10 +380,10 @@ public void testRMDTSecretManagerStateStore( new Token(appTokenId, appTokenMgr); appToken.setService(new Text("appToken service")); - ClientTokenIdentifier clientTokenId = new ClientTokenIdentifier(attemptId); + ClientToAMTokenIdentifier clientTokenId = new ClientToAMTokenIdentifier(attemptId); clientTokenMgr.registerApplication(attemptId); - Token clientToken = - new Token(clientTokenId, clientTokenMgr); + Token clientToken = + new Token(clientTokenId, clientTokenMgr); clientToken.setService(new Text("clientToken service")); List> tokenPair = new ArrayList>(); tokenPair.add(0, appToken); 
diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientTokens.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientTokens.java index fd99f5f..5774502 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientTokens.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientTokens.java @@ -23,6 +23,7 @@ import java.io.IOException; import java.lang.annotation.Annotation; import java.net.InetSocketAddress; +import java.security.PrivilegedAction; import java.security.PrivilegedExceptionAction; import javax.security.sasl.SaslException; @@ -50,6 +51,7 @@ import org.apache.hadoop.yarn.api.protocolrecords.GetApplicationReportResponse; import org.apache.hadoop.yarn.api.protocolrecords.GetContainerStatusRequest; import org.apache.hadoop.yarn.api.protocolrecords.GetContainerStatusResponse; +import org.apache.hadoop.yarn.api.protocolrecords.RegisterApplicationMasterResponse; import org.apache.hadoop.yarn.api.protocolrecords.StartContainerRequest; import org.apache.hadoop.yarn.api.protocolrecords.StartContainerResponse; import org.apache.hadoop.yarn.api.protocolrecords.StopContainerRequest; 
@@ -61,13 +63,15 @@ import org.apache.hadoop.yarn.exceptions.YarnException; import org.apache.hadoop.yarn.exceptions.YarnRuntimeException; import org.apache.hadoop.yarn.security.client.ClientToAMTokenSecretManager; -import org.apache.hadoop.yarn.security.client.ClientTokenIdentifier; -import org.apache.hadoop.yarn.security.client.ClientTokenSelector; +import org.apache.hadoop.yarn.security.client.ClientToAMTokenIdentifier; +import org.apache.hadoop.yarn.security.client.ClientToAMTokenSelector; import org.apache.hadoop.yarn.server.resourcemanager.ClientRMService; +import org.apache.hadoop.yarn.server.resourcemanager.MockAM; import org.apache.hadoop.yarn.server.resourcemanager.MockNM; import org.apache.hadoop.yarn.server.resourcemanager.MockRM; import org.apache.hadoop.yarn.server.resourcemanager.MockRMWithCustomAMLauncher; import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp; +import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt; import org.apache.hadoop.yarn.server.utils.BuilderUtils; import org.apache.hadoop.yarn.service.AbstractService; import org.apache.hadoop.yarn.util.ProtoUtils; @@ -97,7 +101,7 @@ public TokenInfo getTokenInfo(Class protocol, Configuration conf) { @Override public Class> value() { - return ClientTokenSelector.class; + return ClientToAMTokenSelector.class; } }; } @@ -112,14 +116,15 @@ public KerberosInfo getKerberosInfo(Class protocol, Configuration conf) { CustomProtocol { private final ApplicationAttemptId appAttemptId; - private final String secretKey; + private final byte[] secretKey; private InetSocketAddress address; private boolean pinged = false; - - public CustomAM(ApplicationAttemptId appId, String secretKeyStr) { + private ClientToAMTokenSecretManager secretManager; + + public CustomAM(ApplicationAttemptId appId, byte[] secretKey) { super("CustomAM"); this.appAttemptId = appId; - this.secretKey = secretKeyStr; + this.secretKey = secretKey; } @Override 
@@ -131,9 +136,7 @@ public void ping() throws YarnException, IOException { protected void serviceStart() throws Exception { Configuration conf = getConfig(); - ClientToAMTokenSecretManager secretManager = null; - byte[] bytes = Base64.decodeBase64(this.secretKey); - secretManager = new ClientToAMTokenSecretManager(this.appAttemptId, bytes); + secretManager = new ClientToAMTokenSecretManager(this.appAttemptId, secretKey); Server server; try { server = @@ -147,18 +150,17 @@ protected void serviceStart() throws Exception { this.address = NetUtils.getConnectAddress(server); super.serviceStart(); } + + public ClientToAMTokenSecretManager getClientToAMTokenSecretManager() { + return this.secretManager; + } } private static class CustomNM implements ContainerManager { - public String clientTokensSecret; - @Override public StartContainerResponse startContainer(StartContainerRequest request) throws YarnException { - this.clientTokensSecret = - request.getContainerLaunchContext().getEnvironment() - .get(ApplicationConstants.APPLICATION_CLIENT_SECRET_ENV_NAME); return null; } 
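Review bot: After the second hunk `CustomNM.startContainer` ignores the launch context entirely, so the test no longer observes what the RM puts in the AM's environment; since the whole point of the change is to stop exposing the client-to-AM secret there, this is the place to pin the regression, e.g. `Assert.assertFalse(request.getContainerLaunchContext().getEnvironment().containsKey(ApplicationConstants.APPLICATION_CLIENT_SECRET_ENV_NAME));`. Without such an assertion a later change that reintroduces the environment entry would still pass this test. In the first hunk `secretManager` is assigned in serviceStart but the field declared in the earlier hunk is not final; if the manager is only ever created there, a short comment saying so would save the next reader from looking for another writer.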
@@ -205,14 +207,32 @@ protected void doSecureLogin() throws IOException { }; rm.start(); - // Submit an app +// DrainDispatcher rmDispatcher = (DrainDispatcher) rm.getRMContext() +// .getDispatcher(); +// +// // Submit an app RMApp app = rm.submitApp(1024); - dispatcher.await(); +// System.out.println("submitted..waiting.."); +// rmDispatcher.await(); +// +// RMAppAttempt appAttempt = app.getCurrentAppAttempt(); // Set up a node. MockNM nm1 = rm.registerNode("localhost:1234", 3072); nm1.nodeHeartbeat(true); dispatcher.await(); + +// System.out.println("sending am launch..waiting.."); +// MockAM am1 = rm.sendAMLaunched(appAttempt.getAppAttemptId()); +// rmDispatcher.await(); +// +// System.out.println("registering app attempt..waiting.."); +// RegisterApplicationMasterResponse response = am1.registerAppAttempt(); +// rmDispatcher.await(); +// dispatcher.await(); + + nm1.nodeHeartbeat(true); + dispatcher.await(); // Get the app-report. GetApplicationReportRequest request = 
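Review bot: This hunk commits a block of commented-out code (`// DrainDispatcher rmDispatcher = ...`, `// MockAM am1 = rm.sendAMLaunched(...)`, several `// System.out.println(...)`) that should be removed before merge; the live code in the following hunk already registers the AM through MockAM, so the commented flow is superseded rather than pending. The second `nm1.nodeHeartbeat(true); dispatcher.await();` immediately repeats the pair above it; if two heartbeats are genuinely needed for the attempt to reach LAUNCHED, say so in a one-line comment, otherwise drop one so the setup does not look accidental.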
@@ -223,19 +243,35 @@ protected void doSecureLogin() throws IOException { ApplicationReport appReport = reportResponse.getApplicationReport(); org.apache.hadoop.yarn.api.records.Token clientToken = appReport.getClientToken(); - // Wait till AM is 'launched' - int waitTime = 0; - while (containerManager.clientTokensSecret == null && waitTime++ < 20) { - Thread.sleep(1000); - } - Assert.assertNotNull(containerManager.clientTokensSecret); + ApplicationAttemptId appAttempt = app.getCurrentAppAttempt().getAppAttemptId(); + final MockAM mockAM = + new MockAM(rm.getRMContext(), rm.getApplicationMasterService(), + app.getCurrentAppAttempt().getAppAttemptId()); + UserGroupInformation appUgi = + UserGroupInformation.createRemoteUser(appAttempt.toString()); + RegisterApplicationMasterResponse response = + appUgi.doAs(new PrivilegedAction() { + + @Override + public RegisterApplicationMasterResponse run() { + RegisterApplicationMasterResponse response = null; + try { + response = mockAM.registerAppAttempt(); + } catch (Exception e) { + Assert.fail("Exception was not expected"); + } + return response; + } + }); + // Start the AM with the correct shared-secret. ApplicationAttemptId appAttemptId = app.getAppAttempts().keySet().iterator().next(); Assert.assertNotNull(appAttemptId); final CustomAM am = - new CustomAM(appAttemptId, containerManager.clientTokensSecret); + new CustomAM(appAttemptId, response.getClientToAMTokenMasterKey() + .array()); am.init(conf); am.start(); 
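Review bot: `Assert.fail("Exception was not expected")` inside the `PrivilegedAction` discards the exception that caused it, so a failing registration reports nothing about why; use `PrivilegedExceptionAction<RegisterApplicationMasterResponse>` and let `mockAM.registerAppAttempt()` propagate out of `appUgi.doAs`. `response.getClientToAMTokenMasterKey().array()` assumes the buffer's backing array starts at offset 0 and ends at the limit, which is not guaranteed for an arbitrary ByteBuffer; copying via `ByteBuffer key = response.getClientToAMTokenMasterKey(); byte[] bytes = new byte[key.remaining()]; key.get(bytes);` is correct for any buffer and mirrors what a real AM has to do. `appAttempt` and `appAttemptId` are both derived from the same current attempt a few lines apart; one local would do.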
@@ -256,17 +292,17 @@ protected void doSecureLogin() throws IOException { // Verify denial for a malicious user UserGroupInformation ugi = UserGroupInformation.createRemoteUser("me"); - Token token = + Token token = ProtoUtils.convertFromProtoFormat(clientToken, am.address); // Malicious user, messes with appId - ClientTokenIdentifier maliciousID = - new ClientTokenIdentifier(BuilderUtils.newApplicationAttemptId( + ClientToAMTokenIdentifier maliciousID = + new ClientToAMTokenIdentifier(BuilderUtils.newApplicationAttemptId( BuilderUtils.newApplicationId(app.getApplicationId() .getClusterTimestamp(), 42), 43)); - Token maliciousToken = - new Token(maliciousID.getBytes(), + Token maliciousToken = + new Token(maliciousID.getBytes(), token.getPassword(), token.getKind(), token.getService()); ugi.addToken(maliciousToken);