You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-commits@hadoop.apache.org by jl...@apache.org on 2013/08/24 00:11:54 UTC
svn commit: r1517073 - in /hadoop/common/trunk/hadoop-yarn-project: ./
hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/
hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoo...
Author: jlowe
Date: Fri Aug 23 22:11:54 2013
New Revision: 1517073
URL: http://svn.apache.org/r1517073
Log:
YARN-707. Add user info in the YARN ClientToken. Contributed by Vinod Kumar Vavilapalli
Modified:
hadoop/common/trunk/hadoop-yarn-project/CHANGES.txt
hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenIdentifier.java
hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java
hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestRMStateStore.java
hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens.java
Modified: hadoop/common/trunk/hadoop-yarn-project/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-yarn-project/CHANGES.txt?rev=1517073&r1=1517072&r2=1517073&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-yarn-project/CHANGES.txt (original)
+++ hadoop/common/trunk/hadoop-yarn-project/CHANGES.txt Fri Aug 23 22:11:54 2013
@@ -43,6 +43,8 @@ Release 2.1.1-beta - UNRELEASED
YARN-589. Expose a REST API for monitoring the fair scheduler (Sandy Ryza).
+ YARN-707. Add user info in the YARN ClientToken (vinodkv via jlowe)
+
OPTIMIZATIONS
BUG FIXES
Modified: hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenIdentifier.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenIdentifier.java?rev=1517073&r1=1517072&r2=1517073&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenIdentifier.java (original)
+++ hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenIdentifier.java Fri Aug 23 22:11:54 2013
@@ -39,6 +39,7 @@ public class ClientToAMTokenIdentifier e
public static final Text KIND_NAME = new Text("YARN_CLIENT_TOKEN");
private ApplicationAttemptId applicationAttemptId;
+ private Text applicationSubmitter = new Text();
// TODO: Add more information in the tokenID such that it is not
// transferrable, more secure etc.
@@ -46,21 +47,27 @@ public class ClientToAMTokenIdentifier e
public ClientToAMTokenIdentifier() {
}
- public ClientToAMTokenIdentifier(ApplicationAttemptId id) {
+ public ClientToAMTokenIdentifier(ApplicationAttemptId id, String appSubmitter) {
this();
this.applicationAttemptId = id;
+ this.applicationSubmitter = new Text(appSubmitter);
}
public ApplicationAttemptId getApplicationAttemptID() {
return this.applicationAttemptId;
}
+ public String getApplicationSubmitter() {
+ return this.applicationSubmitter.toString();
+ }
+
@Override
public void write(DataOutput out) throws IOException {
out.writeLong(this.applicationAttemptId.getApplicationId()
.getClusterTimestamp());
out.writeInt(this.applicationAttemptId.getApplicationId().getId());
out.writeInt(this.applicationAttemptId.getAttemptId());
+ this.applicationSubmitter.write(out);
}
@Override
@@ -68,6 +75,7 @@ public class ClientToAMTokenIdentifier e
this.applicationAttemptId =
ApplicationAttemptId.newInstance(
ApplicationId.newInstance(in.readLong(), in.readInt()), in.readInt());
+ this.applicationSubmitter.readFields(in);
}
@Override
@@ -77,10 +85,11 @@ public class ClientToAMTokenIdentifier e
@Override
public UserGroupInformation getUser() {
- if (this.applicationAttemptId == null) {
+ if (this.applicationSubmitter == null) {
return null;
}
- return UserGroupInformation.createRemoteUser(this.applicationAttemptId.toString());
+ return UserGroupInformation.createRemoteUser(this.applicationSubmitter
+ .toString());
}
@InterfaceAudience.Private
Modified: hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java?rev=1517073&r1=1517072&r2=1517073&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java (original)
+++ hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java Fri Aug 23 22:11:54 2013
@@ -722,7 +722,7 @@ public class RMAppAttemptImpl implements
// create clientToAMToken
appAttempt.clientToAMToken =
new Token<ClientToAMTokenIdentifier>(new ClientToAMTokenIdentifier(
- appAttempt.applicationAttemptId),
+ appAttempt.applicationAttemptId, appAttempt.user),
appAttempt.rmContext.getClientToAMTokenSecretManager());
}
Modified: hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestRMStateStore.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestRMStateStore.java?rev=1517073&r1=1517072&r2=1517073&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestRMStateStore.java (original)
+++ hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestRMStateStore.java Fri Aug 23 22:11:54 2013
@@ -367,7 +367,7 @@ public class TestRMStateStore {
appToken.setService(new Text("appToken service"));
ClientToAMTokenIdentifier clientToAMTokenId =
- new ClientToAMTokenIdentifier(attemptId);
+ new ClientToAMTokenIdentifier(attemptId, "user");
clientToAMTokenMgr.registerApplication(attemptId);
Token<ClientToAMTokenIdentifier> clientToAMToken =
new Token<ClientToAMTokenIdentifier>(clientToAMTokenId, clientToAMTokenMgr);
Modified: hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens.java?rev=1517073&r1=1517072&r2=1517073&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens.java (original)
+++ hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens.java Fri Aug 23 22:11:54 2013
@@ -115,7 +115,6 @@ public class TestClientToAMTokens {
private final byte[] secretKey;
private InetSocketAddress address;
private boolean pinged = false;
- private ClientToAMTokenSecretManager secretManager;
public CustomAM(ApplicationAttemptId appId, byte[] secretKey) {
super("CustomAM");
@@ -132,12 +131,14 @@ public class TestClientToAMTokens {
protected void serviceStart() throws Exception {
Configuration conf = getConfig();
- secretManager = new ClientToAMTokenSecretManager(this.appAttemptId, secretKey);
Server server;
try {
server =
- new RPC.Builder(conf).setProtocol(CustomProtocol.class)
- .setNumHandlers(1).setSecretManager(secretManager)
+ new RPC.Builder(conf)
+ .setProtocol(CustomProtocol.class)
+ .setNumHandlers(1)
+ .setSecretManager(
+ new ClientToAMTokenSecretManager(this.appAttemptId, secretKey))
.setInstance(this).build();
} catch (Exception e) {
throw new YarnRuntimeException(e);
@@ -146,14 +147,10 @@ public class TestClientToAMTokens {
this.address = NetUtils.getConnectAddress(server);
super.serviceStart();
}
-
- public ClientToAMTokenSecretManager getClientToAMTokenSecretManager() {
- return this.secretManager;
- }
}
@Test
- public void testClientToAMs() throws Exception {
+ public void testClientToAMTokenss() throws Exception {
final Configuration conf = new Configuration();
conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
@@ -204,7 +201,7 @@ public class TestClientToAMTokens {
GetApplicationReportResponse reportResponse =
rm.getClientRMService().getApplicationReport(request);
ApplicationReport appReport = reportResponse.getApplicationReport();
- org.apache.hadoop.yarn.api.records.Token clientToAMToken =
+ org.apache.hadoop.yarn.api.records.Token originalClientToAMToken =
appReport.getClientToAMToken();
ApplicationAttemptId appAttempt = app.getCurrentAppAttempt().getAppAttemptId();
@@ -259,17 +256,47 @@ public class TestClientToAMTokens {
Assert.assertFalse(am.pinged);
}
- // Verify denial for a malicious user
- UserGroupInformation ugi = UserGroupInformation.createRemoteUser("me");
Token<ClientToAMTokenIdentifier> token =
- ConverterUtils.convertFromYarn(clientToAMToken, am.address);
+ ConverterUtils.convertFromYarn(originalClientToAMToken, am.address);
+
+ // Verify denial for a malicious user with tampered ID
+ verifyTokenWithTamperedID(conf, am, token);
+
+ // Verify denial for a malicious user with tampered user-name
+ verifyTokenWithTamperedUserName(conf, am, token);
+ // Now for an authenticated user
+ verifyValidToken(conf, am, token);
+ }
+
+ private void verifyTokenWithTamperedID(final Configuration conf,
+ final CustomAM am, Token<ClientToAMTokenIdentifier> token)
+ throws IOException {
// Malicious user, messes with appId
+ UserGroupInformation ugi = UserGroupInformation.createRemoteUser("me");
ClientToAMTokenIdentifier maliciousID =
new ClientToAMTokenIdentifier(BuilderUtils.newApplicationAttemptId(
- BuilderUtils.newApplicationId(app.getApplicationId()
- .getClusterTimestamp(), 42), 43));
+ BuilderUtils.newApplicationId(am.appAttemptId.getApplicationId()
+ .getClusterTimestamp(), 42), 43), UserGroupInformation
+ .getCurrentUser().getShortUserName());
+ verifyTamperedToken(conf, am, token, ugi, maliciousID);
+ }
+
+ private void verifyTokenWithTamperedUserName(final Configuration conf,
+ final CustomAM am, Token<ClientToAMTokenIdentifier> token)
+ throws IOException {
+ // Malicious user, messes with appId
+ UserGroupInformation ugi = UserGroupInformation.createRemoteUser("me");
+ ClientToAMTokenIdentifier maliciousID =
+ new ClientToAMTokenIdentifier(am.appAttemptId, "evilOrc");
+
+ verifyTamperedToken(conf, am, token, ugi, maliciousID);
+ }
+
+ private void verifyTamperedToken(final Configuration conf, final CustomAM am,
+ Token<ClientToAMTokenIdentifier> token, UserGroupInformation ugi,
+ ClientToAMTokenIdentifier maliciousID) {
Token<ClientToAMTokenIdentifier> maliciousToken =
new Token<ClientToAMTokenIdentifier>(maliciousID.getBytes(),
token.getPassword(), token.getKind(),
@@ -309,8 +336,12 @@ public class TestClientToAMTokens {
+ "Mismatched response."));
Assert.assertFalse(am.pinged);
}
+ }
- // Now for an authenticated user
+ private void verifyValidToken(final Configuration conf, final CustomAM am,
+ Token<ClientToAMTokenIdentifier> token) throws IOException,
+ InterruptedException {
+ UserGroupInformation ugi;
ugi = UserGroupInformation.createRemoteUser("me");
ugi.addToken(token);
@@ -326,5 +357,4 @@ public class TestClientToAMTokens {
}
});
}
-
}