private List<AuthMethod> getAuthMethods(SecretManager<?> secretManager, Configuration conf) { AuthenticationMethod confAuthenticationMethod = SecurityUtil.getAuthenticationMethod(conf); List<AuthMethod> authMethods = new ArrayList<AuthMethod>(); if (confAuthenticationMethod == AuthenticationMethod.TOKEN) { if (secretManager == null) { throw new IllegalArgumentException(AuthenticationMethod.TOKEN + " authentication requires a secret manager"); } } else if (secretManager != null) { LOG.debug(AuthenticationMethod.TOKEN + " authentication enabled for secret manager"); // most preferred, go to the front of the line! authMethods.add(AuthenticationMethod.TOKEN.getAuthMethod()); } authMethods.add(confAuthenticationMethod.getAuthMethod()); LOG.debug("Server accepts auth methods:" + authMethods); return authMethods; }
protected static RPC.Server setupTestServer(Configuration serverConf, int numHandlers, SecretManager<?> serverSm) throws IOException { RPC.Builder builder = newServerBuilder(serverConf); if (numHandlers > 0) { builder.setNumHandlers(numHandlers); } if (serverSm != null) { builder.setSecretManager(serverSm); } return setupTestServer(builder); }
@Test(timeout = 15000) public void testAllocateOnHA() throws YarnException, IOException, InterruptedException { AllocateRequest request = AllocateRequest.newInstance(0, 50f, new ArrayList<ResourceRequest>(), new ArrayList<ContainerId>(), ResourceBlacklistRequest.newInstance(new ArrayList<String>(), new ArrayList<String>())); int nbTry = 0; AllocateResponse response = null; while (nbTry < 10) { try { response = amClient.allocate(request); break; } catch (IOException ex) { if (!(ex instanceof SecretManager.InvalidToken)) { throw ex; } } Thread.sleep(200); nbTry++; } Assert.assertEquals(response, this.cluster.createFakeAllocateResponse()); }
public static <T extends TokenIdentifier> T getIdentifier(String id, SecretManager<T> secretManager) throws InvalidToken { byte[] tokenId = decodeIdentifier(id); T tokenIdentifier = secretManager.createIdentifier(); try { tokenIdentifier.readFields(new DataInputStream(new ByteArrayInputStream( tokenId))); } catch (IOException e) { throw (InvalidToken) new InvalidToken( "Can't de-serialize tokenIdentifier").initCause(e); } return tokenIdentifier; }
@Override public RPC.Server getServer(Class<?> protocolClass, Object protocolImpl, String bindAddress, int port, int numHandlers, int numReaders, int queueSizePerHandler, boolean verbose, Configuration conf, SecretManager<? extends TokenIdentifier> secretManager, String portRangeConfig) throws IOException { return new Server(protocolClass, protocolImpl, conf, bindAddress, port, numHandlers, numReaders, queueSizePerHandler, verbose, secretManager, portRangeConfig); }
protected Server(String bindAddress, int port, Class<? extends Writable> rpcRequestClass, int handlerCount, int numReaders, int queueSizePerHandler, Configuration conf, String serverName, SecretManager<? extends TokenIdentifier> secretManager) throws IOException { this(bindAddress, port, rpcRequestClass, handlerCount, numReaders, queueSizePerHandler, conf, serverName, secretManager, null); }
@Override public RPC.Server getServer(Class<?> protocol, Object protocolImpl, String bindAddress, int port, int numHandlers, int numReaders, int queueSizePerHandler, boolean verbose, Configuration conf, SecretManager<? extends TokenIdentifier> secretManager, String portRangeConfig) throws IOException { return new Server(protocol, protocolImpl, conf, bindAddress, port, numHandlers, numReaders, queueSizePerHandler, verbose, secretManager, portRangeConfig); }
/** * Construct an RPC server. * * @param protocolClass the class of protocol * @param protocolImpl the protocolImpl whose methods will be called * @param conf the configuration to use * @param bindAddress the address to bind on to listen for connection * @param port the port to listen for connections on * @param numHandlers the number of method handler threads to run * @param verbose whether each call should be logged * @param portRangeConfig A config parameter that can be used to restrict * the range of ports used when port is 0 (an ephemeral port) */ public Server(Class<?> protocolClass, Object protocolImpl, Configuration conf, String bindAddress, int port, int numHandlers, int numReaders, int queueSizePerHandler, boolean verbose, SecretManager<? extends TokenIdentifier> secretManager, String portRangeConfig) throws IOException { super(bindAddress, port, null, numHandlers, numReaders, queueSizePerHandler, conf, classNameBase(protocolImpl .getClass().getName()), secretManager, portRangeConfig); this.verbose = verbose; registerProtocolAndImpl(RPC.RpcKind.RPC_PROTOCOL_BUFFER, protocolClass, protocolImpl); }
protected Server(String bindAddress, int port, Class<? extends Writable> paramClass, int handlerCount, int numReaders, int queueSizePerHandler, Configuration conf, String serverName, SecretManager<? extends TokenIdentifier> secretManager, String portRangeConfig) throws IOException { super(bindAddress, port, paramClass, handlerCount, numReaders, queueSizePerHandler, conf, serverName, secretManager, portRangeConfig); initProtocolMetaInfo(conf); }
private void verifyTokenFailWithRetry(DelegationTokenManager tm, Token<DelegationTokenIdentifier> token, int retryCount) throws IOException, InterruptedException { try { tm.verifyToken(token); } catch (SecretManager.InvalidToken er) { throw er; } if (retryCount > 0) { Thread.sleep(RETRY_WAIT); verifyTokenFailWithRetry(tm, token, retryCount - 1); } }
@Override public org.apache.hadoop.ipc.RPC.Server getServer( Class<?> protocol, Object instance, String bindAddress, int port, int numHandlers, int numReaders, int queueSizePerHandler, boolean verbose, Configuration conf, SecretManager<? extends TokenIdentifier> secretManager, String portRangeConfig) throws IOException { return null; }
public ClientToAMTokenSecretManager( ApplicationAttemptId applicationAttemptID, byte[] key) { super(); if (key != null) { this.masterKey = SecretManager.createSecretKey(key); } else { this.masterKey = null; } }
@Private @Override public byte[] retrievePassword(ClientToAMTokenIdentifier identifier) throws SecretManager.InvalidToken { SecretKey masterKey = getMasterKey(identifier.getApplicationAttemptID()); if (masterKey == null) { throw new SecretManager.InvalidToken("Illegal client-token!"); } return createPassword(identifier.getBytes(), masterKey); }
private Server createServer(Class<?> pbProtocol, InetSocketAddress addr, Configuration conf, SecretManager<? extends TokenIdentifier> secretManager, int numHandlers, BlockingService blockingService, String portRangeConfig) throws IOException { RPC.setProtocolEngine(conf, pbProtocol, ProtobufRpcEngine.class); RPC.Server server = new RPC.Builder(conf).setProtocol(pbProtocol) .setInstance(blockingService).setBindAddress(addr.getHostName()) .setPort(addr.getPort()).setNumHandlers(numHandlers).setVerbose(false) .setSecretManager(secretManager).setPortRangeConfig(portRangeConfig) .build(); LOG.info("Adding protocol "+pbProtocol.getCanonicalName()+" to the server"); server.addProtocol(RPC.RpcKind.RPC_PROTOCOL_BUFFER, pbProtocol, blockingService); return server; }
@Override public Server getServer(Class protocol, Object instance, InetSocketAddress addr, Configuration conf, SecretManager<? extends TokenIdentifier> secretManager, int numHandlers, String portRangeConfig) { LOG.debug("Creating a HadoopYarnProtoRpc server for protocol " + protocol + " with " + numHandlers + " handlers"); return RpcFactoryProvider.getServerFactory(conf).getServer(protocol, instance, addr, conf, secretManager, numHandlers, portRangeConfig); }
public Server getServer(Class protocol, Object instance, InetSocketAddress addr, Configuration conf, SecretManager<? extends TokenIdentifier> secretManager, int numHandlers) { return getServer(protocol, instance, addr, conf, secretManager, numHandlers, null); }
@Override public byte[] retrievePassword(NMTokenIdentifier identifier) throws org.apache.hadoop.security.token.SecretManager.InvalidToken { readLock.lock(); try { return retrivePasswordInternal(identifier, currentMasterKey); } finally { readLock.unlock(); } }
@Override public byte[] retrievePassword(ContainerTokenIdentifier identifier) throws SecretManager.InvalidToken { this.readLock.lock(); try { return retrievePasswordInternal(identifier, this.currentMasterKey); } finally { this.readLock.unlock(); } }
protected byte[] retrievePasswordInternal(ContainerTokenIdentifier identifier, MasterKeyData masterKey) throws org.apache.hadoop.security.token.SecretManager.InvalidToken { if (LOG.isDebugEnabled()) { LOG.debug("Retrieving password for " + identifier.getContainerID() + " for user " + identifier.getUser() + " to be run on NM " + identifier.getNmHostAddress()); } return createPassword(identifier.getBytes(), masterKey.getSecretKey()); }
/** * Override of this is to validate ContainerTokens generated by using * different {@link MasterKey}s. */ @Override public synchronized byte[] retrievePassword( ContainerTokenIdentifier identifier) throws SecretManager.InvalidToken { int keyId = identifier.getMasterKeyId(); MasterKeyData masterKeyToUse = null; if (this.previousMasterKey != null && keyId == this.previousMasterKey.getMasterKey().getKeyId()) { // A container-launch has come in with a token generated off the last // master-key masterKeyToUse = this.previousMasterKey; } else if (keyId == super.currentMasterKey.getMasterKey().getKeyId()) { // A container-launch has come in with a token generated off the current // master-key masterKeyToUse = super.currentMasterKey; } if (nodeHostAddr != null && !identifier.getNmHostAddress().equals(nodeHostAddr)) { // Valid container token used for incorrect node. throw new SecretManager.InvalidToken("Given Container " + identifier.getContainerID().toString() + " identifier is not valid for current Node manager. Expected : " + nodeHostAddr + " Found : " + identifier.getNmHostAddress()); } if (masterKeyToUse != null) { return retrievePasswordInternal(identifier, masterKeyToUse); } // Invalid request. Like startContainer() with token generated off // old-master-keys. throw new SecretManager.InvalidToken("Given Container " + identifier.getContainerID().toString() + " seems to have an illegally generated token."); }
@Override public Server getServer(Class protocol, Object instance, InetSocketAddress addr, Configuration conf, SecretManager<? extends TokenIdentifier> secretManager, int numHandlers, String portRangeConfig) { throw new RuntimeException("getServer"); }
@Override public org.apache.hadoop.ipc.RPC.Server getServer(Class<?> protocol, Object instance, String bindAddress, int port, int numHandlers, int numReaders, int queueSizePerHandler, boolean verbose, Configuration conf, SecretManager<? extends TokenIdentifier> secretManager, String portRangeConfig) throws IOException { return null; }
public static <T extends TokenIdentifier> T getIdentifier(String id, SecretManager<T> secretManager) throws InvalidToken { byte[] tokenId = SaslUtil.decodeIdentifier(id); T tokenIdentifier = secretManager.createIdentifier(); try { tokenIdentifier.readFields(new DataInputStream(new ByteArrayInputStream( tokenId))); } catch (IOException e) { throw (InvalidToken) new InvalidToken( "Can't de-serialize tokenIdentifier").initCause(e); } return tokenIdentifier; }
@Override public void start(CoprocessorEnvironment env) { // if running at region if (env instanceof RegionCoprocessorEnvironment) { RegionCoprocessorEnvironment regionEnv = (RegionCoprocessorEnvironment)env; RpcServerInterface server = regionEnv.getRegionServerServices().getRpcServer(); SecretManager<?> mgr = ((RpcServer)server).getSecretManager(); if (mgr instanceof AuthenticationTokenSecretManager) { secretManager = (AuthenticationTokenSecretManager)mgr; } } }
