private org.apache.hadoop.yarn.api.records.Token getDelegationToken( final UserGroupInformation loggedInUser, final ApplicationClientProtocol clientRMService, final String renewerString) throws IOException, InterruptedException { org.apache.hadoop.yarn.api.records.Token token = loggedInUser .doAs(new PrivilegedExceptionAction<org.apache.hadoop.yarn.api.records.Token>() { @Override public org.apache.hadoop.yarn.api.records.Token run() throws YarnException, IOException { GetDelegationTokenRequest request = Records .newRecord(GetDelegationTokenRequest.class); request.setRenewer(renewerString); return clientRMService.getDelegationToken(request) .getRMDelegationToken(); } }); return token; }
@Override public GetDelegationTokenResponse getDelegationToken( GetDelegationTokenRequest request) throws YarnException, IOException { GetDelegationTokenRequestProto requestProto = ((GetDelegationTokenRequestPBImpl) request).getProto(); try { return new GetDelegationTokenResponsePBImpl(proxy.getDelegationToken( null, requestProto)); } catch (ServiceException e) { RPCUtil.unwrapAndThrowException(e); return null; } }
private Response createDelegationToken(DelegationToken tokenData, HttpServletRequest hsr, UserGroupInformation callerUGI) throws AuthorizationException, IOException, InterruptedException, Exception { final String renewer = tokenData.getRenewer(); GetDelegationTokenResponse resp; try { resp = callerUGI .doAs(new PrivilegedExceptionAction<GetDelegationTokenResponse>() { @Override public GetDelegationTokenResponse run() throws IOException, YarnException { GetDelegationTokenRequest createReq = GetDelegationTokenRequest.newInstance(renewer); return rm.getClientRMService().getDelegationToken(createReq); } }); } catch (Exception e) { LOG.info("Create delegation token request failed", e); throw e; } Token<RMDelegationTokenIdentifier> tk = new Token<RMDelegationTokenIdentifier>(resp.getRMDelegationToken() .getIdentifier().array(), resp.getRMDelegationToken().getPassword() .array(), new Text(resp.getRMDelegationToken().getKind()), new Text( resp.getRMDelegationToken().getService())); RMDelegationTokenIdentifier identifier = tk.decodeIdentifier(); long currentExpiration = rm.getRMContext().getRMDelegationTokenSecretManager() .getRenewDate(identifier); DelegationToken respToken = new DelegationToken(tk.encodeToUrlString(), renewer, identifier .getOwner().toString(), tk.getKind().toString(), currentExpiration, identifier.getMaxDate()); return Response.status(Status.OK).entity(respToken).build(); }
@Test (timeout = 60000) public void testAppSubmissionWithOldDelegationTokenAfterRMRestart() throws Exception { conf.setInt(YarnConfiguration.RM_AM_MAX_ATTEMPTS, 2); conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos"); conf.set(YarnConfiguration.RM_ADDRESS, "localhost:8032"); UserGroupInformation.setConfiguration(conf); MemoryRMStateStore memStore = new MemoryRMStateStore(); memStore.init(conf); MockRM rm1 = new TestSecurityMockRM(conf, memStore); rm1.start(); GetDelegationTokenRequest request1 = GetDelegationTokenRequest.newInstance("renewer1"); UserGroupInformation.getCurrentUser().setAuthenticationMethod( AuthMethod.KERBEROS); GetDelegationTokenResponse response1 = rm1.getClientRMService().getDelegationToken(request1); Token<RMDelegationTokenIdentifier> token1 = ConverterUtils.convertFromYarn(response1.getRMDelegationToken(), rmAddr); // start new RM MockRM rm2 = new TestSecurityMockRM(conf, memStore); rm2.start(); // submit an app with the old delegation token got from previous RM. Credentials ts = new Credentials(); ts.addToken(token1.getService(), token1); RMApp app = rm2.submitApp(200, "name", "user", new HashMap<ApplicationAccessType, String>(), false, "default", 1, ts); rm2.waitForState(app.getApplicationId(), RMAppState.ACCEPTED); }
@Override public Token getRMDelegationToken(Text renewer) throws YarnException, IOException { /* get the token from RM */ GetDelegationTokenRequest rmDTRequest = Records.newRecord(GetDelegationTokenRequest.class); rmDTRequest.setRenewer(renewer.toString()); GetDelegationTokenResponse response = rmClient.getDelegationToken(rmDTRequest); return response.getRMDelegationToken(); }
@Override public GetDelegationTokenResponse getDelegationToken( GetDelegationTokenRequest request) throws YarnException { resetStartFailoverFlag(true); // make sure failover has been triggered Assert.assertTrue(waittingForFailOver()); return GetDelegationTokenResponse.newInstance(createFakeToken()); }
@Override public GetDelegationTokenResponse getDelegationToken( GetDelegationTokenRequest request) throws YarnException { try { // Verify that the connection is kerberos authenticated if (!isAllowedDelegationTokenOp()) { throw new IOException( "Delegation Token can be issued only with kerberos authentication"); } GetDelegationTokenResponse response = recordFactory.newRecordInstance(GetDelegationTokenResponse.class); UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); Text owner = new Text(ugi.getUserName()); Text realUser = null; if (ugi.getRealUser() != null) { realUser = new Text(ugi.getRealUser().getUserName()); } RMDelegationTokenIdentifier tokenIdentifier = new RMDelegationTokenIdentifier(owner, new Text(request.getRenewer()), realUser); Token<RMDelegationTokenIdentifier> realRMDTtoken = new Token<RMDelegationTokenIdentifier>(tokenIdentifier, this.rmDTSecretManager); response.setRMDelegationToken( BuilderUtils.newDelegationToken( realRMDTtoken.getIdentifier(), realRMDTtoken.getKind().toString(), realRMDTtoken.getPassword(), realRMDTtoken.getService().toString() )); return response; } catch(IOException io) { throw RPCUtil.getRemoteException(io); } }
@Test public void testClusterGetDelegationToken() throws Exception { Configuration conf = new Configuration(false); Cluster cluster = null; try { conf = new Configuration(); conf.set(MRConfig.FRAMEWORK_NAME, MRConfig.YARN_FRAMEWORK_NAME); cluster = new Cluster(conf); YARNRunner yrunner = (YARNRunner) cluster.getClient(); GetDelegationTokenResponse getDTResponse = recordFactory.newRecordInstance(GetDelegationTokenResponse.class); org.apache.hadoop.yarn.api.records.Token rmDTToken = recordFactory.newRecordInstance( org.apache.hadoop.yarn.api.records.Token.class); rmDTToken.setIdentifier(ByteBuffer.wrap(new byte[2])); rmDTToken.setKind("Testclusterkind"); rmDTToken.setPassword(ByteBuffer.wrap("testcluster".getBytes())); rmDTToken.setService("0.0.0.0:8032"); getDTResponse.setRMDelegationToken(rmDTToken); final ApplicationClientProtocol cRMProtocol = mock(ApplicationClientProtocol.class); when(cRMProtocol.getDelegationToken(any( GetDelegationTokenRequest.class))).thenReturn(getDTResponse); ResourceMgrDelegate rmgrDelegate = new ResourceMgrDelegate( new YarnConfiguration(conf)) { @Override protected void serviceStart() throws Exception { assertTrue(this.client instanceof YarnClientImpl); ((YarnClientImpl) this.client).setRMClient(cRMProtocol); } }; yrunner.setResourceMgrDelegate(rmgrDelegate); Token t = cluster.getDelegationToken(new Text(" ")); assertTrue("Token kind is instead " + t.getKind().toString(), "Testclusterkind".equals(t.getKind().toString())); } finally { if (cluster != null) { cluster.close(); } } }