You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-commits@hadoop.apache.org by jl...@apache.org on 2013/08/24 03:25:18 UTC
svn commit: r1517099 - in
/hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project: ./
hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/
hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/ja...
Author: jlowe
Date: Sat Aug 24 01:25:17 2013
New Revision: 1517099
URL: http://svn.apache.org/r1517099
Log:
svn merge -c 1517097 to revert MAPREDUCE-5475 and YARN-707
Modified:
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/CHANGES.txt
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenIdentifier.java
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestRMStateStore.java
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens.java
Modified: hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/CHANGES.txt?rev=1517099&r1=1517098&r2=1517099&view=diff
==============================================================================
--- hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/CHANGES.txt (original)
+++ hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/CHANGES.txt Sat Aug 24 01:25:17 2013
@@ -10,8 +10,6 @@ Release 2.1.1-beta - UNRELEASED
YARN-589. Expose a REST API for monitoring the fair scheduler (Sandy Ryza).
- YARN-707. Add user info in the YARN ClientToken (vinodkv via jlowe)
-
OPTIMIZATIONS
BUG FIXES
Modified: hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenIdentifier.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenIdentifier.java?rev=1517099&r1=1517098&r2=1517099&view=diff
==============================================================================
--- hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenIdentifier.java (original)
+++ hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenIdentifier.java Sat Aug 24 01:25:17 2013
@@ -39,7 +39,6 @@ public class ClientToAMTokenIdentifier e
public static final Text KIND_NAME = new Text("YARN_CLIENT_TOKEN");
private ApplicationAttemptId applicationAttemptId;
- private Text applicationSubmitter = new Text();
// TODO: Add more information in the tokenID such that it is not
// transferrable, more secure etc.
@@ -47,27 +46,21 @@ public class ClientToAMTokenIdentifier e
public ClientToAMTokenIdentifier() {
}
- public ClientToAMTokenIdentifier(ApplicationAttemptId id, String appSubmitter) {
+ public ClientToAMTokenIdentifier(ApplicationAttemptId id) {
this();
this.applicationAttemptId = id;
- this.applicationSubmitter = new Text(appSubmitter);
}
public ApplicationAttemptId getApplicationAttemptID() {
return this.applicationAttemptId;
}
- public String getApplicationSubmitter() {
- return this.applicationSubmitter.toString();
- }
-
@Override
public void write(DataOutput out) throws IOException {
out.writeLong(this.applicationAttemptId.getApplicationId()
.getClusterTimestamp());
out.writeInt(this.applicationAttemptId.getApplicationId().getId());
out.writeInt(this.applicationAttemptId.getAttemptId());
- this.applicationSubmitter.write(out);
}
@Override
@@ -75,7 +68,6 @@ public class ClientToAMTokenIdentifier e
this.applicationAttemptId =
ApplicationAttemptId.newInstance(
ApplicationId.newInstance(in.readLong(), in.readInt()), in.readInt());
- this.applicationSubmitter.readFields(in);
}
@Override
@@ -85,11 +77,10 @@ public class ClientToAMTokenIdentifier e
@Override
public UserGroupInformation getUser() {
- if (this.applicationSubmitter == null) {
+ if (this.applicationAttemptId == null) {
return null;
}
- return UserGroupInformation.createRemoteUser(this.applicationSubmitter
- .toString());
+ return UserGroupInformation.createRemoteUser(this.applicationAttemptId.toString());
}
@InterfaceAudience.Private
Modified: hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java?rev=1517099&r1=1517098&r2=1517099&view=diff
==============================================================================
--- hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java (original)
+++ hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java Sat Aug 24 01:25:17 2013
@@ -722,7 +722,7 @@ public class RMAppAttemptImpl implements
// create clientToAMToken
appAttempt.clientToAMToken =
new Token<ClientToAMTokenIdentifier>(new ClientToAMTokenIdentifier(
- appAttempt.applicationAttemptId, appAttempt.user),
+ appAttempt.applicationAttemptId),
appAttempt.rmContext.getClientToAMTokenSecretManager());
}
Modified: hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestRMStateStore.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestRMStateStore.java?rev=1517099&r1=1517098&r2=1517099&view=diff
==============================================================================
--- hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestRMStateStore.java (original)
+++ hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestRMStateStore.java Sat Aug 24 01:25:17 2013
@@ -367,7 +367,7 @@ public class TestRMStateStore {
appToken.setService(new Text("appToken service"));
ClientToAMTokenIdentifier clientToAMTokenId =
- new ClientToAMTokenIdentifier(attemptId, "user");
+ new ClientToAMTokenIdentifier(attemptId);
clientToAMTokenMgr.registerApplication(attemptId);
Token<ClientToAMTokenIdentifier> clientToAMToken =
new Token<ClientToAMTokenIdentifier>(clientToAMTokenId, clientToAMTokenMgr);
Modified: hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens.java?rev=1517099&r1=1517098&r2=1517099&view=diff
==============================================================================
--- hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens.java (original)
+++ hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens.java Sat Aug 24 01:25:17 2013
@@ -115,6 +115,7 @@ public class TestClientToAMTokens {
private final byte[] secretKey;
private InetSocketAddress address;
private boolean pinged = false;
+ private ClientToAMTokenSecretManager secretManager;
public CustomAM(ApplicationAttemptId appId, byte[] secretKey) {
super("CustomAM");
@@ -131,14 +132,12 @@ public class TestClientToAMTokens {
protected void serviceStart() throws Exception {
Configuration conf = getConfig();
+ secretManager = new ClientToAMTokenSecretManager(this.appAttemptId, secretKey);
Server server;
try {
server =
- new RPC.Builder(conf)
- .setProtocol(CustomProtocol.class)
- .setNumHandlers(1)
- .setSecretManager(
- new ClientToAMTokenSecretManager(this.appAttemptId, secretKey))
+ new RPC.Builder(conf).setProtocol(CustomProtocol.class)
+ .setNumHandlers(1).setSecretManager(secretManager)
.setInstance(this).build();
} catch (Exception e) {
throw new YarnRuntimeException(e);
@@ -147,10 +146,14 @@ public class TestClientToAMTokens {
this.address = NetUtils.getConnectAddress(server);
super.serviceStart();
}
+
+ public ClientToAMTokenSecretManager getClientToAMTokenSecretManager() {
+ return this.secretManager;
+ }
}
@Test
- public void testClientToAMTokenss() throws Exception {
+ public void testClientToAMs() throws Exception {
final Configuration conf = new Configuration();
conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
@@ -201,7 +204,7 @@ public class TestClientToAMTokens {
GetApplicationReportResponse reportResponse =
rm.getClientRMService().getApplicationReport(request);
ApplicationReport appReport = reportResponse.getApplicationReport();
- org.apache.hadoop.yarn.api.records.Token originalClientToAMToken =
+ org.apache.hadoop.yarn.api.records.Token clientToAMToken =
appReport.getClientToAMToken();
ApplicationAttemptId appAttempt = app.getCurrentAppAttempt().getAppAttemptId();
@@ -256,47 +259,17 @@ public class TestClientToAMTokens {
Assert.assertFalse(am.pinged);
}
+ // Verify denial for a malicious user
+ UserGroupInformation ugi = UserGroupInformation.createRemoteUser("me");
Token<ClientToAMTokenIdentifier> token =
- ConverterUtils.convertFromYarn(originalClientToAMToken, am.address);
-
- // Verify denial for a malicious user with tampered ID
- verifyTokenWithTamperedID(conf, am, token);
-
- // Verify denial for a malicious user with tampered user-name
- verifyTokenWithTamperedUserName(conf, am, token);
+ ConverterUtils.convertFromYarn(clientToAMToken, am.address);
- // Now for an authenticated user
- verifyValidToken(conf, am, token);
- }
-
- private void verifyTokenWithTamperedID(final Configuration conf,
- final CustomAM am, Token<ClientToAMTokenIdentifier> token)
- throws IOException {
// Malicious user, messes with appId
- UserGroupInformation ugi = UserGroupInformation.createRemoteUser("me");
ClientToAMTokenIdentifier maliciousID =
new ClientToAMTokenIdentifier(BuilderUtils.newApplicationAttemptId(
- BuilderUtils.newApplicationId(am.appAttemptId.getApplicationId()
- .getClusterTimestamp(), 42), 43), UserGroupInformation
- .getCurrentUser().getShortUserName());
+ BuilderUtils.newApplicationId(app.getApplicationId()
+ .getClusterTimestamp(), 42), 43));
- verifyTamperedToken(conf, am, token, ugi, maliciousID);
- }
-
- private void verifyTokenWithTamperedUserName(final Configuration conf,
- final CustomAM am, Token<ClientToAMTokenIdentifier> token)
- throws IOException {
- // Malicious user, messes with appId
- UserGroupInformation ugi = UserGroupInformation.createRemoteUser("me");
- ClientToAMTokenIdentifier maliciousID =
- new ClientToAMTokenIdentifier(am.appAttemptId, "evilOrc");
-
- verifyTamperedToken(conf, am, token, ugi, maliciousID);
- }
-
- private void verifyTamperedToken(final Configuration conf, final CustomAM am,
- Token<ClientToAMTokenIdentifier> token, UserGroupInformation ugi,
- ClientToAMTokenIdentifier maliciousID) {
Token<ClientToAMTokenIdentifier> maliciousToken =
new Token<ClientToAMTokenIdentifier>(maliciousID.getBytes(),
token.getPassword(), token.getKind(),
@@ -336,12 +309,8 @@ public class TestClientToAMTokens {
+ "Mismatched response."));
Assert.assertFalse(am.pinged);
}
- }
- private void verifyValidToken(final Configuration conf, final CustomAM am,
- Token<ClientToAMTokenIdentifier> token) throws IOException,
- InterruptedException {
- UserGroupInformation ugi;
+ // Now for an authenticated user
ugi = UserGroupInformation.createRemoteUser("me");
ugi.addToken(token);
@@ -357,4 +326,5 @@ public class TestClientToAMTokens {
}
});
}
+
}