diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/impl/pb/RegisterApplicationMasterResponsePBImpl.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/impl/pb/RegisterApplicationMasterResponsePBImpl.java index e2962e3..75ce200 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/impl/pb/RegisterApplicationMasterResponsePBImpl.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/api/protocolrecords/impl/pb/RegisterApplicationMasterResponsePBImpl.java @@ -211,6 +211,7 @@ public void setApplicationACLs( @Override public void setClientToAMTokenMasterKey(ByteBuffer key) { if (key == null) { + builder.clearClientToAmTokenMasterKey(); return; } maybeInitBuilder(); @@ -219,6 +220,7 @@ public void setClientToAMTokenMasterKey(ByteBuffer key) { @Override public ByteBuffer getClientToAMTokenMasterKey() { + maybeInitBuilder(); ByteBuffer key = ByteBuffer.wrap(builder.getClientToAmTokenMasterKey().toByteArray()); return key; diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/localizer/ContainerLocalizer.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/localizer/ContainerLocalizer.java index 97b55e2..5e5bb62 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/localizer/ContainerLocalizer.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/localizer/ContainerLocalizer.java 
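Review bot: In `setClientToAMTokenMasterKey`, the new `builder.clearClientToAmTokenMasterKey()` runs before `maybeInitBuilder()`, which is only reached on the non-null path. If this class follows the usual PBImpl pattern where `builder` is null or stale after the record was built from a proto (not visible in this hunk), the clear would either throw a NullPointerException or act on a builder that is not the current state, leaving the previous master key in the record. Move the initialisation above the check: `maybeInitBuilder();` followed by `if (key == null) { builder.clearClientToAmTokenMasterKey(); return; }`. The method body continues past the end of the hunk.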
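Review bot: An unset master key comes back from `getClientToAMTokenMasterKey` as an empty, non-null buffer, because the getter wraps `builder.getClientToAmTokenMasterKey().toByteArray()` unconditionally. The setter in the previous hunk treats null as "no key", so a caller that only null-checks the getter could go on to use a zero-length key as signing material. If the generated builder exposes the usual presence check, return null for the unset case, `if (!builder.hasClientToAmTokenMasterKey()) { return null; }`, or at least document the empty-buffer contract in a Javadoc comment on the getter. The method's closing brace is outside the hunk.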
@@ -64,7 +64,6 @@ import org.apache.hadoop.yarn.server.nodemanager.api.protocolrecords.LocalizerStatus; import org.apache.hadoop.yarn.server.nodemanager.api.protocolrecords.ResourceStatusType; import org.apache.hadoop.yarn.server.nodemanager.containermanager.localizer.security.LocalizerTokenIdentifier; -import org.apache.hadoop.yarn.server.nodemanager.containermanager.localizer.security.LocalizerTokenSecretManager; import org.apache.hadoop.yarn.server.utils.YarnServerBuilderUtils; import org.apache.hadoop.yarn.util.ConverterUtils; import org.apache.hadoop.yarn.util.FSDownload; @@ -141,12 +140,7 @@ public int runLocalization(final InetSocketAddress nmAddr) // create localizer context UserGroupInformation remoteUser = UserGroupInformation.createRemoteUser(user); - LocalizerTokenSecretManager secretManager = - new LocalizerTokenSecretManager(); - LocalizerTokenIdentifier id = secretManager.createIdentifier(); - Token localizerToken = - new Token(id, secretManager); - remoteUser.addToken(localizerToken); + remoteUser.addToken(creds.getToken(LocalizerTokenIdentifier.KIND)); final LocalizationProtocol nodeManager = remoteUser.doAs(new PrivilegedAction() { @Override 
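Review bot: `creds.getToken(LocalizerTokenIdentifier.KIND)` returns null when the credentials file carries no localizer token, and the result is handed to `remoteUser.addToken(...)` unchecked. The ResourceLocalizationService hunk in this commit writes that token only when `UserGroupInformation.isSecurityEnabled()` is true, so the non-secure path reaches this line with no token, and in secure mode a missing token would surface only later as an authentication failure on the RPC. Fetch the token into a local first, call `addToken` only when it is non-null, and when security is enabled fail the localization with an explicit error that names the missing token kind. `creds` is populated outside this hunk, and `runLocalization` starts and ends outside it.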
diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/localizer/ResourceLocalizationService.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/localizer/ResourceLocalizationService.java index cfd809f..3324ddc 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/localizer/ResourceLocalizationService.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/localizer/ResourceLocalizationService.java @@ -108,6 +108,7 @@ import org.apache.hadoop.yarn.server.nodemanager.containermanager.localizer.event.ResourceLocalizedEvent; import org.apache.hadoop.yarn.server.nodemanager.containermanager.localizer.event.ResourceReleaseEvent; import org.apache.hadoop.yarn.server.nodemanager.containermanager.localizer.event.ResourceRequestEvent; +import org.apache.hadoop.yarn.server.nodemanager.containermanager.localizer.security.LocalizerTokenIdentifier; import org.apache.hadoop.yarn.server.nodemanager.containermanager.localizer.security.LocalizerTokenSecretManager; import org.apache.hadoop.yarn.server.nodemanager.security.authorize.NMPolicyProvider; import org.apache.hadoop.yarn.server.nodemanager.util.NodeManagerBuilderUtils; @@ -135,6 +136,7 @@ private LocalizerTracker localizerTracker; private RecordFactory recordFactory; private final ScheduledExecutorService cacheCleanup; + private LocalizerTokenSecretManager secretManager; private LocalResourcesTracker publicRsrc; 
@@ -267,9 +269,8 @@ LocalizerTracker createLocalizerTracker(Configuration conf) { Server createServer() { Configuration conf = getConfig(); YarnRPC rpc = YarnRPC.create(conf); - LocalizerTokenSecretManager secretManager = null; if (UserGroupInformation.isSecurityEnabled()) { - secretManager = new LocalizerTokenSecretManager(); + secretManager = new LocalizerTokenSecretManager(); } Server server = rpc.getServer(LocalizationProtocol.class, this, @@ -1017,6 +1018,12 @@ private void writeCredentials(Path nmPrivateCTokensPath) LOG.debug(tk.getService() + " : " + tk.encodeToUrlString()); } } + if (UserGroupInformation.isSecurityEnabled()) { + LocalizerTokenIdentifier id = secretManager.createIdentifier(); + Token localizerToken = + new Token(id, secretManager); + credentials.addToken(id.getKind(), localizerToken); + } credentials.writeTokenStorageToStream(tokenOut); } finally { if (tokenOut != null) { diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestAMAuthorization.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestAMAuthorization.java index c70f809..3f79d39 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestAMAuthorization.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestAMAuthorization.java 
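Review bot: `writeCredentials` dereferences `secretManager` whenever `UserGroupInformation.isSecurityEnabled()` is true, but the field is assigned only inside `createServer()`, under a separate evaluation of the same check. If `createServer()` is overridden (it is package-visible) or has not run yet, this becomes a NullPointerException while writing a container's token file; assigning the field once during service initialisation, or checking `if (secretManager == null)` and throwing an explicit exception, would make the dependency visible. Separately, the identifier comes from a no-argument `createIdentifier()`, so nothing in this hunk ties the token to the container or user being localized; confirm what the secret manager actually verifies before relying on this as authentication. Keep the addition after the debug loop above, which prints each token with `encodeToUrlString()`, so the localizer token is never written to the log. The method starts and ends outside the hunk.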
@@ -168,6 +168,9 @@ public ApplicationMasterProtocol run() { request.setApplicationAttemptId(applicationAttemptId); RegisterApplicationMasterResponse response = client.registerApplicationMaster(request); + Assert.assertNotNull(response.getClientToAMTokenMasterKey()); + Assert + .assertTrue(response.getClientToAMTokenMasterKey().array().length > 0); Assert.assertEquals("Register response has bad ACLs", "*", response.getApplicationACLs().get(ApplicationAccessType.VIEW_APP)); @@ -216,6 +219,7 @@ public ApplicationMasterProtocol run() { serviceAddr, conf); } }); + RegisterApplicationMasterRequest request = Records .newRecord(RegisterApplicationMasterRequest.class); request.setApplicationAttemptId(applicationAttemptId);
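Review bot: `Assert.assertNotNull(response.getClientToAMTokenMasterKey())` cannot fail, because the getter patched in this commit always returns `ByteBuffer.wrap(...)`; only the length check exercises the fix. `array().length` also measures the backing array rather than the readable bytes, so `remaining() > 0` is the more direct check, and it should carry a message, e.g. `Assert.assertTrue("ClientToAMToken master key is empty", response.getClientToAMTokenMasterKey().remaining() > 0);`. A companion assertion on a record built with `setClientToAMTokenMasterKey(null)` would cover the setter change as well. The test method starts and ends outside the hunk.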