Posted to common-commits@hadoop.apache.org by sn...@apache.org on 2021/06/12 13:19:11 UTC
[hadoop] branch trunk updated: YARN-10816. Avoid doing delegation
token ops when yarn.timeline-service.http-authentication.type=simple.
Contributed by Tarun Parimi
This is an automated email from the ASF dual-hosted git repository.
snemeth pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/trunk by this push:
new f0bdc42 YARN-10816. Avoid doing delegation token ops when yarn.timeline-service.http-authentication.type=simple. Contributed by Tarun Parimi
f0bdc42 is described below
commit f0bdc422aa7093f5a5c1e3cc5c9fa57f4c1205d5
Author: Szilard Nemeth <sn...@apache.org>
AuthorDate: Sat Jun 12 15:18:41 2021 +0200
YARN-10816. Avoid doing delegation token ops when yarn.timeline-service.http-authentication.type=simple. Contributed by Tarun Parimi
---
.../yarn/client/api/impl/TimelineClientImpl.java | 25 ++++++++++++++
.../yarn/client/api/impl/TestTimelineClient.java | 39 ++++++++++++++++++++++
2 files changed, 64 insertions(+)
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineClientImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineClientImpl.java
index 07b41c3..eda38c5 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineClientImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineClientImpl.java
@@ -29,6 +29,7 @@ import org.apache.commons.cli.GnuParser;
import org.apache.commons.cli.HelpFormatter;
import org.apache.commons.cli.Options;
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
+import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.hadoop.classification.InterfaceAudience.Private;
@@ -88,6 +89,7 @@ public class TimelineClientImpl extends TimelineClient {
private TimelineWriter timelineWriter;
private String timelineServiceAddress;
+ private String authType;
@Private
@VisibleForTesting
@@ -128,6 +130,12 @@ public class TimelineClientImpl extends TimelineClient {
conf.get(YarnConfiguration.TIMELINE_SERVICE_WEBAPP_ADDRESS,
YarnConfiguration.DEFAULT_TIMELINE_SERVICE_WEBAPP_ADDRESS);
}
+
+ String defaultAuth = UserGroupInformation.isSecurityEnabled() ?
+ KerberosAuthenticationHandler.TYPE :
+ PseudoAuthenticationHandler.TYPE;
+ authType = conf.get(YarnConfiguration.TIMELINE_HTTP_AUTH_TYPE,
+ defaultAuth);
LOG.info("Timeline service address: " + getTimelineServiceAddress());
super.serviceInit(conf);
}
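Review bot: The value stored by `authType = conf.get(YarnConfiguration.TIMELINE_HTTP_AUTH_TYPE, defaultAuth)` is later matched with an exact, case-sensitive `equals` against `PseudoAuthenticationHandler.TYPE`, so a setting with stray whitespace, or one that names the handler class instead of the short type (if the server accepts that form), will not take the skip path. That fails towards the previous behaviour, but it is worth at least reading the value with `conf.getTrimmed(YarnConfiguration.TIMELINE_HTTP_AUTH_TYPE, defaultAuth)`. The decision also rests on the client's own configuration only. A comment such as `// Client-side view of the timeline HTTP auth type; must match the server's setting` would make that assumption visible. serviceInit starts outside the hunk.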
@@ -193,6 +201,12 @@ public class TimelineClientImpl extends TimelineClient {
@Override
public Token<TimelineDelegationTokenIdentifier> getDelegationToken(
final String renewer) throws IOException, YarnException {
+ if(authType.equals(PseudoAuthenticationHandler.TYPE)) {
+ LOG.info("Skipping get timeline delegation token since authType="
+ + PseudoAuthenticationHandler.TYPE);
+ // Null tokens are ignored by YarnClient so this is safe
+ return null;
+ }
PrivilegedExceptionAction<Token<TimelineDelegationTokenIdentifier>>
getDTAction =
new PrivilegedExceptionAction<Token<TimelineDelegationTokenIdentifier>>() {
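Review bot: The guard `if(authType.equals(PseudoAuthenticationHandler.TYPE))` dereferences a field that is only assigned in serviceInit, so calling getDelegationToken on a client that has not been initialised now throws a NullPointerException before any real work is attempted. Putting the constant first avoids that: `if (PseudoAuthenticationHandler.TYPE.equals(authType)) {`. The same check is repeated in renewDelegationToken and cancelDelegationToken, so a small private helper (for example `isSimpleAuth()`) would keep the three in step. Returning `null` is justified in the comment only for YarnClient. Because this is an overridden public method, the null return under simple auth should be stated in its Javadoc so other callers know to handle it. The method body continues outside the hunk.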
@@ -219,6 +233,12 @@ public class TimelineClientImpl extends TimelineClient {
public long renewDelegationToken(
final Token<TimelineDelegationTokenIdentifier> timelineDT)
throws IOException, YarnException {
+ if(authType.equals(PseudoAuthenticationHandler.TYPE)) {
+ LOG.info("Skipping renew timeline delegation token since authType="
+ + PseudoAuthenticationHandler.TYPE);
+ // RM will skip renew if expirytime less than 0
+ return -1;
+ }
final boolean isTokenServiceAddrEmpty =
timelineDT.getService().toString().isEmpty();
final String scheme = isTokenServiceAddrEmpty ? null
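Review bot: The early `return -1;` in renewDelegationToken relies on the caller treating a negative expiry time as "nothing to renew", which the comment asserts for the RM but which nothing in this hunk enforces. Any other caller that takes the return value as an expiration timestamp would see a token that appears long expired. I would document the sentinel in the method Javadoc, e.g. `@return the new expiration time, or -1 when the timeline HTTP auth type is simple and no renewal is performed`, and consider a named constant in place of the bare `-1`. The method body continues outside the hunk.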
@@ -257,6 +277,11 @@ public class TimelineClientImpl extends TimelineClient {
public void cancelDelegationToken(
final Token<TimelineDelegationTokenIdentifier> timelineDT)
throws IOException, YarnException {
+ if(authType.equals(PseudoAuthenticationHandler.TYPE)) {
+ LOG.info("Skipping cancel timeline delegation token since authType="
+ + PseudoAuthenticationHandler.TYPE);
+ return;
+ }
final boolean isTokenServiceAddrEmpty =
timelineDT.getService().toString().isEmpty();
final String scheme = isTokenServiceAddrEmpty ? null
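Review bot: cancelDelegationToken now returns before it looks at `timelineDT`. If a caller does hold a token issued by a secured timeline server while this client's configuration says simple, the token is presumably left valid until it expires, and the only trace is an INFO line. That is most likely a misconfiguration and not a normal path, but the added branch has no comment explaining why skipping is safe, unlike the other two methods. Something like `// No delegation token is issued under simple auth, so there is nothing to cancel` would record the assumption. The method body continues outside the hunk.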
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestTimelineClient.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestTimelineClient.java
index 4d9c320..e7110dd 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestTimelineClient.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestTimelineClient.java
@@ -22,6 +22,7 @@ import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.doReturn;
import static org.mockito.Mockito.doThrow;
import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.when;
import static org.mockito.Mockito.verify;
@@ -316,6 +317,44 @@ public class TestTimelineClient {
}
}
+ /**
+ * Test actual delegation token operations are not carried out when
+ * simple auth is configured for timeline.
+ * @throws Exception
+ */
+ @Test
+ public void testDelegationTokenDisabledOnSimpleAuth() throws Exception {
+ YarnConfiguration conf = new YarnConfiguration();
+ conf.setBoolean(YarnConfiguration.TIMELINE_SERVICE_ENABLED, true);
+ conf.set(YarnConfiguration.TIMELINE_HTTP_AUTH_TYPE, "simple");
+ UserGroupInformation.setConfiguration(conf);
+
+ TimelineClientImpl tClient = createTimelineClient(conf);
+ TimelineConnector spyConnector = spy(tClient.connector);
+ tClient.connector = spyConnector;
+ try {
+ // try getting a delegation token
+ Token<TimelineDelegationTokenIdentifier> identifierToken =
+ tClient.getDelegationToken(
+ UserGroupInformation.getCurrentUser().getShortUserName());
+ // Get a null token when using simple auth
+ Assert.assertNull(identifierToken);
+
+ // try renew a delegation token
+ Token<TimelineDelegationTokenIdentifier> dummyToken = new Token<>();
+ long renewTime = tClient.renewDelegationToken(dummyToken);
+ // Get invalid expiration time so that RM skips renewal
+ Assert.assertEquals(renewTime, -1);
+
+ // try cancel a delegation token
+ tClient.cancelDelegationToken(dummyToken);
+ // Shouldn't try to cancel and connect to authURL
+ verify(spyConnector, never()).getDelegationTokenAuthenticatedURL();
+ } finally {
+ tClient.stop();
+ }
+ }
+
private static void assertFail() {
Assert.fail("Exception expected! "
+ "Timeline server should be off to run this test.");
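Review bot: In testDelegationTokenDisabledOnSimpleAuth the call `Assert.assertEquals(renewTime, -1);` has expected and actual swapped, so a failure would report the values the wrong way round. It should read `Assert.assertEquals(-1, renewTime);`. The test only covers an explicit `"simple"` setting. The new default branch in serviceInit (no auth type configured, falling back on `UserGroupInformation.isSecurityEnabled()`) is not exercised, and neither is the Kerberos side, where token operations must still reach the connector. `UserGroupInformation.setConfiguration(conf)` changes process-wide state and is not restored in the `finally` block, which may affect later tests in the same JVM. The empty `@throws Exception` tag in the Javadoc could be dropped or given a description. assertFail, at the end of the hunk, continues outside it.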