/**
 * Cancels the delegation token carried by {@code request} on behalf of the
 * current caller.
 *
 * @param request request holding the delegation token to cancel
 * @return a new, empty {@link CancelDelegationTokenResponse} record
 * @throws IOException if {@code isAllowedDelegationTokenOp()} rejects the
 *     call, or if one of the calls made here fails with an IOException
 */
@Override
public CancelDelegationTokenResponse cancelDelegationToken(
    CancelDelegationTokenRequest request) throws IOException {
  // Gate first: nothing from the request is read unless the operation is
  // allowed. The message indicates the gate is meant to require Kerberos.
  if (!isAllowedDelegationTokenOp()) {
    throw new IOException(
        "Delegation Token can be cancelled only with kerberos authentication");
  }

  // Rebuild a security Token from the wire record, field by field.
  org.apache.hadoop.yarn.api.records.Token wireToken =
      request.getDelegationToken();
  // NOTE(review): array() hands back the whole backing array; this assumes
  // each buffer wraps exactly the token bytes - confirm.
  byte[] identifierBytes = wireToken.getIdentifier().array();
  byte[] passwordBytes = wireToken.getPassword().array();
  Text kind = new Text(wireToken.getKind());
  Text service = new Text(wireToken.getService());
  Token<MRDelegationTokenIdentifier> token =
      new Token<MRDelegationTokenIdentifier>(
          identifierBytes, passwordBytes, kind, service);

  // The canceller is passed as the full user name (getUserName), whereas
  // renewDelegationToken passes the short name.
  // NOTE(review): the decision whether this user may cancel the token is
  // not visible here; presumably cancelToken enforces it - confirm.
  String canceller = UserGroupInformation.getCurrentUser().getUserName();
  jhsDTSecretManager.cancelToken(token, canceller);

  return Records.newRecord(CancelDelegationTokenResponse.class);
}
/**
 * Issues a new delegation token owned by the current caller.
 *
 * @param request request naming the renewer for the new token
 * @return a response carrying the freshly created token record
 * @throws IOException if {@code isAllowedDelegationTokenOp()} rejects the
 *     call, or if looking up the current user fails
 */
@Override
public GetDelegationTokenResponse getDelegationToken(
    GetDelegationTokenRequest request) throws IOException {
  UserGroupInformation caller = UserGroupInformation.getCurrentUser();

  // Refuse to issue a token unless the operation is allowed; the message
  // indicates the gate is meant to require Kerberos authentication.
  if (!isAllowedDelegationTokenOp()) {
    throw new IOException(
        "Delegation Token can be issued only with kerberos authentication");
  }

  GetDelegationTokenResponse reply =
      recordFactory.newRecordInstance(GetDelegationTokenResponse.class);

  // Owner is the caller; the real user is recorded only when the caller
  // has one, otherwise it stays null.
  Text owner = new Text(caller.getUserName());
  UserGroupInformation realUgi = caller.getRealUser();
  Text realUser =
      (realUgi != null) ? new Text(realUgi.getUserName()) : null;

  // The renewer is taken verbatim from the request.
  // NOTE(review): no validation of the renewer is visible in this method.
  Text renewer = new Text(request.getRenewer());
  MRDelegationTokenIdentifier tokenIdentifier =
      new MRDelegationTokenIdentifier(owner, renewer, realUser);

  // Constructing the Token with the secret manager is what produces the
  // password that is read back below.
  Token<MRDelegationTokenIdentifier> issued =
      new Token<MRDelegationTokenIdentifier>(
          tokenIdentifier, jhsDTSecretManager);

  // Copy the four token fields into the record type used on the wire.
  org.apache.hadoop.yarn.api.records.Token wireToken =
      org.apache.hadoop.yarn.api.records.Token.newInstance(
          issued.getIdentifier(),
          issued.getKind().toString(),
          issued.getPassword(),
          issued.getService().toString());
  reply.setDelegationToken(wireToken);
  return reply;
}
/**
 * Wraps an RM delegation token record in a security {@code Token} whose
 * service field is the comma-joined token service of every RM id returned
 * by {@code ConfigUtils.getRMHAIds(conf)}.
 *
 * @param rmDelegationToken token record whose identifier, password and kind
 *     are copied into the result
 * @return a token carrying the same identifier, password and kind, with the
 *     combined service name
 */
private Token<RMDelegationTokenIdentifier> getRMHAToken(
    org.apache.hadoop.yarn.api.records.Token rmDelegationToken) {
  // Collect one token-service string per RM id.
  ArrayList<String> tokenServices = new ArrayList<>();
  for (String rmId : ConfigUtils.getRMHAIds(conf)) {
    LOG.info("Yarn Resource Manager id: {}", rmId);
    // Resolve the address for this RM id, then derive its service string.
    String tokenService =
        SecurityUtil.buildTokenService(getRMHAAddress(rmId)).toString();
    tokenServices.add(tokenService);
  }
  String joinedServices = Joiner.on(',').join(tokenServices);
  Text rmTokenService = new Text(joinedServices);

  // Identifier, password and kind are carried over unchanged; only the
  // service differs from the incoming record.
  byte[] identifierBytes = rmDelegationToken.getIdentifier().array();
  byte[] passwordBytes = rmDelegationToken.getPassword().array();
  Text kind = new Text(rmDelegationToken.getKind());
  return new Token<>(identifierBytes, passwordBytes, kind, rmTokenService);
}
// Replace the container token on rcs's start request with one whose
// identifier bytes come from tokenIdentifierProto. The kind is the
// ContainerTokenIdentifier constant; password and service are carried over
// from the current token unchanged.
Token currentToken = rcs.getStartRequest().getContainerToken();
Token updatedToken = Token
    .newInstance(tokenIdentifierProto.toByteArray(),
        ContainerTokenIdentifier.KIND.toString(),
        // NOTE(review): the old password is reused while the identifier
        // changes. If the password is derived from the identifier, the
        // updated token would no longer match it - confirm whether anything
        // verifies updatedToken against its password later.
        currentToken.getPassword().array(), currentToken.getService());
rcs.startRequest.setContainerToken(updatedToken);
// The capability is read from the same identifier proto as the new token.
rcs.capability = new ResourcePBImpl(tokenIdentifierProto.getResource());
/**
 * Creates a token record of the requested class and fills in its four
 * fields.
 *
 * @param tokenClass record class to instantiate through the record factory
 * @param identifier identifier bytes; must not be null
 * @param kind token kind
 * @param password password bytes; must not be null
 * @param service token service
 * @return the populated record
 */
public static <T extends Token> T newToken(Class<T> tokenClass,
    byte[] identifier, String kind, byte[] password, String service) {
  final T record = recordFactory.newRecordInstance(tokenClass);

  // ByteBuffer.wrap shares the caller's array instead of copying it, so a
  // later change to identifier or password by the caller shows through the
  // wrapping buffer.
  final ByteBuffer identifierBuffer = ByteBuffer.wrap(identifier);
  record.setIdentifier(identifierBuffer);
  record.setKind(kind);

  final ByteBuffer passwordBuffer = ByteBuffer.wrap(password);
  record.setPassword(passwordBuffer);
  record.setService(service);
  return record;
}
&& !proxy.token.getIdentifier().equals( nmTokenCache.getToken(containerManagerBindAddr).getIdentifier())) { LOG.info("Refreshing proxy as NMToken got updated for node : " + containerManagerBindAddr);
/**
 * Round-trips a {@code ContainerResourceIncrease} through its protobuf form
 * and checks that capability, container id and the token's identifier bytes
 * come back unchanged.
 */
@Test
public void testResourceIncreaseContext() {
  final byte[] identifier = {1, 2, 3, 4};
  // Kind, password and service are left empty; only the identifier is
  // asserted on below.
  final Token token = Token.newInstance(identifier, "", "".getBytes(), "");

  final ApplicationId appId = ApplicationId.newInstance(1234, 3);
  final ApplicationAttemptId attemptId =
      ApplicationAttemptId.newInstance(appId, 3);
  final ContainerId containerId = ContainerId.newContainerId(attemptId, 7);
  final Resource resource = Resource.newInstance(1023, 3);

  final ContainerResourceIncrease built =
      ContainerResourceIncrease.newInstance(containerId, resource, token);

  // Serialise to the proto and rebuild a fresh instance from it.
  final ContainerResourceIncreaseProto proto =
      ((ContainerResourceIncreasePBImpl) built).getProto();
  final ContainerResourceIncrease restored =
      new ContainerResourceIncreasePBImpl(proto);

  // The rebuilt instance must expose the same values.
  Assert.assertEquals(restored.getCapability(), resource);
  Assert.assertEquals(restored.getContainerId(), containerId);
  final byte[] restoredIdentifier =
      restored.getContainerToken().getIdentifier().array();
  Assert.assertTrue(Arrays.equals(restoredIdentifier, identifier));
}
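/**
 * Checks that the password carried by {@code token} equals the password the
 * container token secret manager returns for
 * {@code containerTokenIdentifier}.
 *
 * @param token token record whose password is checked
 * @param containerTokenIdentifier identifier used to look up the expected
 *     password
 * @return {@code containerTokenIdentifier}, unchanged, when the passwords
 *     match
 * @throws InvalidToken if either password is null or they differ
 * @throws YarnException declared by the signature; not thrown directly here
 */
protected ContainerTokenIdentifier verifyAndGetContainerTokenIdentifier(
    org.apache.hadoop.yarn.api.records.Token token,
    ContainerTokenIdentifier containerTokenIdentifier) throws YarnException,
    InvalidToken {
  byte[] password =
      context.getContainerTokenSecretManager().retrievePassword(
          containerTokenIdentifier);
  // NOTE(review): array() returns the whole backing array; this assumes the
  // buffer wraps exactly the password bytes - confirm.
  byte[] tokenPass = token.getPassword().array();
  // Compare in constant time: unlike Arrays.equals, MessageDigest.isEqual
  // does not stop at the first differing byte, so the time taken does not
  // reveal how much of a presented password was correct. The fully
  // qualified name avoids needing a new import.
  if (password == null || tokenPass == null
      || !java.security.MessageDigest.isEqual(password, tokenPass)) {
    throw new InvalidToken(
        "Invalid container token used for starting container on : "
            + context.getNodeId().toString());
  }
  return containerTokenIdentifier;
}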
response.getAMRMToken().getService()));
/**
 * Creates a token record of the requested class and fills in its four
 * fields.
 *
 * @param tokenClass record class to instantiate through the record factory
 * @param identifier identifier bytes; must not be null
 * @param kind token kind
 * @param password password bytes; must not be null
 * @param service token service
 * @return the populated record
 */
public static <T extends Token> T newToken(Class<T> tokenClass,
    byte[] identifier, String kind, byte[] password, String service) {
  final T record = recordFactory.newRecordInstance(tokenClass);

  // ByteBuffer.wrap shares the caller's array instead of copying it, so a
  // later change to identifier or password by the caller shows through the
  // wrapping buffer.
  final ByteBuffer identifierBuffer = ByteBuffer.wrap(identifier);
  record.setIdentifier(identifierBuffer);
  record.setKind(kind);

  final ByteBuffer passwordBuffer = ByteBuffer.wrap(password);
  record.setPassword(passwordBuffer);
  record.setService(service);
  return record;
}
&& !proxy.token.getIdentifier().equals( nmTokenCache.getToken(containerManagerBindAddr).getIdentifier())) { LOG.info("Refreshing proxy as NMToken got updated for node : " + containerManagerBindAddr);
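/**
 * Checks that the password carried by {@code token} equals the password the
 * container token secret manager returns for
 * {@code containerTokenIdentifier}.
 *
 * @param token token record whose password is checked
 * @param containerTokenIdentifier identifier used to look up the expected
 *     password
 * @return {@code containerTokenIdentifier}, unchanged, when the passwords
 *     match
 * @throws InvalidToken if either password is null or they differ
 * @throws YarnException declared by the signature; not thrown directly here
 */
protected ContainerTokenIdentifier verifyAndGetContainerTokenIdentifier(
    org.apache.hadoop.yarn.api.records.Token token,
    ContainerTokenIdentifier containerTokenIdentifier) throws YarnException,
    InvalidToken {
  byte[] password =
      context.getContainerTokenSecretManager().retrievePassword(
          containerTokenIdentifier);
  // NOTE(review): array() returns the whole backing array; this assumes the
  // buffer wraps exactly the password bytes - confirm.
  byte[] tokenPass = token.getPassword().array();
  // Compare in constant time: unlike Arrays.equals, MessageDigest.isEqual
  // does not stop at the first differing byte, so the time taken does not
  // reveal how much of a presented password was correct. The fully
  // qualified name avoids needing a new import.
  if (password == null || tokenPass == null
      || !java.security.MessageDigest.isEqual(password, tokenPass)) {
    throw new InvalidToken(
        "Invalid container token used for starting container on : "
            + context.getNodeId().toString());
  }
  return containerTokenIdentifier;
}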
response.getAMRMToken().getService()));
/**
 * Renews the delegation token carried by {@code request} on behalf of the
 * current caller.
 *
 * @param request request holding the delegation token to renew
 * @return a response carrying the value returned by the secret manager's
 *     {@code renewToken} as the next expiration time
 * @throws IOException if {@code isAllowedDelegationTokenOp()} rejects the
 *     call, or if one of the calls made here fails with an IOException
 */
@Override
public RenewDelegationTokenResponse renewDelegationToken(
    RenewDelegationTokenRequest request) throws IOException {
  // Gate first: nothing from the request is read unless the operation is
  // allowed. The message indicates the gate is meant to require Kerberos.
  if (!isAllowedDelegationTokenOp()) {
    throw new IOException(
        "Delegation Token can be renewed only with kerberos authentication");
  }

  // Rebuild a security Token from the wire record, field by field.
  org.apache.hadoop.yarn.api.records.Token wireToken =
      request.getDelegationToken();
  // NOTE(review): array() hands back the whole backing array; this assumes
  // each buffer wraps exactly the token bytes - confirm.
  byte[] identifierBytes = wireToken.getIdentifier().array();
  byte[] passwordBytes = wireToken.getPassword().array();
  Text kind = new Text(wireToken.getKind());
  Text service = new Text(wireToken.getService());
  Token<MRDelegationTokenIdentifier> token =
      new Token<MRDelegationTokenIdentifier>(
          identifierBytes, passwordBytes, kind, service);

  // The renewer is passed as the caller's short user name.
  // NOTE(review): the check that this user is the token's renewer is not
  // visible here; presumably renewToken enforces it - confirm.
  String renewer = UserGroupInformation.getCurrentUser().getShortUserName();
  long nextExpiration = jhsDTSecretManager.renewToken(token, renewer);

  RenewDelegationTokenResponse reply =
      Records.newRecord(RenewDelegationTokenResponse.class);
  reply.setNextExpirationTime(nextExpiration);
  return reply;
}
/**
 * Copies the identifier, kind, password and service of a security token
 * into a new YARN token record.
 *
 * @param token source token; its kind and service must be non-null
 * @return a record holding the same four values, including the password
 */
private static org.apache.hadoop.yarn.api.records.Token convertToProtoToken(
    Token<?> token) {
  byte[] identifier = token.getIdentifier();
  String kind = token.getKind().toString();
  // The password travels with the record, so the result is as sensitive as
  // the source token.
  byte[] password = token.getPassword();
  String service = token.getService().toString();
  return org.apache.hadoop.yarn.api.records.Token.newInstance(
      identifier, kind, password, service);
}
} // closes the enclosing class, whose header is outside this listing
/**
 * Creates a token record of the requested class and fills in its four
 * fields.
 *
 * @param tokenClass record class to instantiate through the record factory
 * @param identifier identifier bytes; must not be null
 * @param kind token kind
 * @param password password bytes; must not be null
 * @param service token service
 * @return the populated record
 */
public static <T extends Token> T newToken(Class<T> tokenClass,
    byte[] identifier, String kind, byte[] password, String service) {
  final T record = recordFactory.newRecordInstance(tokenClass);

  // ByteBuffer.wrap shares the caller's array instead of copying it, so a
  // later change to identifier or password by the caller shows through the
  // wrapping buffer.
  final ByteBuffer identifierBuffer = ByteBuffer.wrap(identifier);
  record.setIdentifier(identifierBuffer);
  record.setKind(kind);

  final ByteBuffer passwordBuffer = ByteBuffer.wrap(password);
  record.setPassword(passwordBuffer);
  record.setService(service);
  return record;
}
/**
 * Parses the identifier bytes of a container token into a
 * {@code ContainerTokenIdentifier}.
 *
 * <p>This only deserialises the identifier. The token's password is not
 * read here, so the result is not authenticated by this method.
 *
 * @param containerToken token record whose identifier is parsed
 * @return the identifier populated from the token's identifier bytes
 * @throws IOException if {@code readFields} fails on the bytes
 */
private ContainerTokenIdentifier getContainerTokenIdentifierFromToken(
    Token containerToken) throws IOException {
  ContainerTokenIdentifier parsed = new ContainerTokenIdentifier();

  // NOTE(review): array() returns the whole backing array; this assumes the
  // buffer wraps exactly the identifier bytes - confirm.
  byte[] rawIdentifier = containerToken.getIdentifier().array();

  // Feed the full array to the identifier's own reader.
  DataInputBuffer input = new DataInputBuffer();
  input.reset(rawIdentifier, rawIdentifier.length);
  parsed.readFields(input);
  return parsed;
}
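/**
 * Checks that the password carried by {@code token} equals the password the
 * container token secret manager returns for
 * {@code containerTokenIdentifier}.
 *
 * @param token token record whose password is checked
 * @param containerTokenIdentifier identifier used to look up the expected
 *     password
 * @return {@code containerTokenIdentifier}, unchanged, when the passwords
 *     match
 * @throws InvalidToken if either password is null or they differ
 * @throws YarnException declared by the signature; not thrown directly here
 */
protected ContainerTokenIdentifier verifyAndGetContainerTokenIdentifier(
    org.apache.hadoop.yarn.api.records.Token token,
    ContainerTokenIdentifier containerTokenIdentifier) throws YarnException,
    InvalidToken {
  byte[] password =
      context.getContainerTokenSecretManager().retrievePassword(
          containerTokenIdentifier);
  // NOTE(review): array() returns the whole backing array; this assumes the
  // buffer wraps exactly the password bytes - confirm.
  byte[] tokenPass = token.getPassword().array();
  // Compare in constant time: unlike Arrays.equals, MessageDigest.isEqual
  // does not stop at the first differing byte, so the time taken does not
  // reveal how much of a presented password was correct. The fully
  // qualified name avoids needing a new import.
  if (password == null || tokenPass == null
      || !java.security.MessageDigest.isEqual(password, tokenPass)) {
    throw new InvalidToken(
        "Invalid container token used for starting container on : "
            + context.getNodeId().toString());
  }
  return containerTokenIdentifier;
}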
/**
 * Decodes the {@code ContainerTokenIdentifier} embedded in a container
 * token record.
 *
 * <p>The password is copied into the intermediate security token, but no
 * comparison against an expected password happens in this method.
 *
 * @param containerToken token record to decode
 * @return the result of {@code decodeIdentifier()} on the rebuilt token
 * @throws IOException if decoding the identifier fails
 */
public static ContainerTokenIdentifier newContainerTokenIdentifier(
    Token containerToken) throws IOException {
  // NOTE(review): array() returns the whole backing array; this assumes
  // each buffer wraps exactly the token bytes - confirm.
  byte[] identifierBytes = containerToken.getIdentifier().array();
  byte[] passwordBytes = containerToken.getPassword().array();
  Text kind = new Text(containerToken.getKind());
  Text service = new Text(containerToken.getService());

  // Rebuild a typed security token so its own decoder can be used.
  org.apache.hadoop.security.token.Token<ContainerTokenIdentifier> rebuilt =
      new org.apache.hadoop.security.token.Token<ContainerTokenIdentifier>(
          identifierBytes, passwordBytes, kind, service);
  return rebuilt.decodeIdentifier();
}
/**
 * Copies the identifier, kind, password and service of a security token
 * into a new YARN token record.
 *
 * @param token source token; its kind and service must be non-null
 * @return a record holding the same four values, including the password
 */
private static org.apache.hadoop.yarn.api.records.Token convertToProtoToken(
    Token<?> token) {
  byte[] identifier = token.getIdentifier();
  String kind = token.getKind().toString();
  // The password travels with the record, so the result is as sensitive as
  // the source token.
  byte[] password = token.getPassword();
  String service = token.getService().toString();
  return org.apache.hadoop.yarn.api.records.Token.newInstance(
      identifier, kind, password, service);
}
} // closes the enclosing class, whose header is outside this listing