Author: jlowe
Date: Fri Aug 23 22:22:38 2013
New Revision: 1517078
URL: http://svn.apache.org/r1517078
Log:
svn merge -c 1517073 FIXES: YARN-707. Add user info in the YARN ClientToken.
Contributed by Vinod Kumar Vavilapalli
Modified:
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/CHANGES.txt
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenIdentifier.java
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestRMStateStore.java
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens.java
Modified: hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/CHANGES.txt
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/CHANGES.txt?rev=1517078&r1=1517077&r2=1517078&view=diff
==============================================================================
--- hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/CHANGES.txt
(original)
+++ hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/CHANGES.txt Fri
Aug 23 22:22:38 2013
@@ -10,6 +10,8 @@ Release 2.1.1-beta - UNRELEASED
YARN-589. Expose a REST API for monitoring the fair scheduler (Sandy Ryza).
+ YARN-707. Add user info in the YARN ClientToken (vinodkv via jlowe)
+
OPTIMIZATIONS
BUG FIXES
Modified:
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenIdentifier.java
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenIdentifier.java?rev=1517078&r1=1517077&r2=1517078&view=diff
==============================================================================
---
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenIdentifier.java
(original)
+++
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/client/ClientToAMTokenIdentifier.java
Fri Aug 23 22:22:38 2013
@@ -39,6 +39,7 @@ public class ClientToAMTokenIdentifier e
public static final Text KIND_NAME = new Text("YARN_CLIENT_TOKEN");
private ApplicationAttemptId applicationAttemptId;
+ private Text applicationSubmitter = new Text();
// TODO: Add more information in the tokenID such that it is not
// transferrable, more secure etc.
@@ -46,21 +47,27 @@ public class ClientToAMTokenIdentifier e
public ClientToAMTokenIdentifier() {
}
- public ClientToAMTokenIdentifier(ApplicationAttemptId id) {
+ public ClientToAMTokenIdentifier(ApplicationAttemptId id, String
appSubmitter) {
this();
this.applicationAttemptId = id;
+ this.applicationSubmitter = new Text(appSubmitter);
}
public ApplicationAttemptId getApplicationAttemptID() {
return this.applicationAttemptId;
}
+ public String getApplicationSubmitter() {
+ return this.applicationSubmitter.toString();
+ }
+
@Override
public void write(DataOutput out) throws IOException {
out.writeLong(this.applicationAttemptId.getApplicationId()
.getClusterTimestamp());
out.writeInt(this.applicationAttemptId.getApplicationId().getId());
out.writeInt(this.applicationAttemptId.getAttemptId());
+ this.applicationSubmitter.write(out);
}
@Override
@@ -68,6 +75,7 @@ public class ClientToAMTokenIdentifier e
this.applicationAttemptId =
ApplicationAttemptId.newInstance(
ApplicationId.newInstance(in.readLong(), in.readInt()),
in.readInt());
+ this.applicationSubmitter.readFields(in);
}
@Override
@@ -77,10 +85,11 @@ public class ClientToAMTokenIdentifier e
@Override
public UserGroupInformation getUser() {
- if (this.applicationAttemptId == null) {
+ if (this.applicationSubmitter == null) {
return null;
}
- return
UserGroupInformation.createRemoteUser(this.applicationAttemptId.toString());
+ return UserGroupInformation.createRemoteUser(this.applicationSubmitter
+ .toString());
}
@InterfaceAudience.Private
Modified:
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java?rev=1517078&r1=1517077&r2=1517078&view=diff
==============================================================================
---
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java
(original)
+++
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java
Fri Aug 23 22:22:38 2013
@@ -722,7 +722,7 @@ public class RMAppAttemptImpl implements
// create clientToAMToken
appAttempt.clientToAMToken =
new Token<ClientToAMTokenIdentifier>(new ClientToAMTokenIdentifier(
- appAttempt.applicationAttemptId),
+ appAttempt.applicationAttemptId, appAttempt.user),
appAttempt.rmContext.getClientToAMTokenSecretManager());
}
Modified:
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestRMStateStore.java
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestRMStateStore.java?rev=1517078&r1=1517077&r2=1517078&view=diff
==============================================================================
---
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestRMStateStore.java
(original)
+++
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/TestRMStateStore.java
Fri Aug 23 22:22:38 2013
@@ -367,7 +367,7 @@ public class TestRMStateStore {
appToken.setService(new Text("appToken service"));
ClientToAMTokenIdentifier clientToAMTokenId =
- new ClientToAMTokenIdentifier(attemptId);
+ new ClientToAMTokenIdentifier(attemptId, "user");
clientToAMTokenMgr.registerApplication(attemptId);
Token<ClientToAMTokenIdentifier> clientToAMToken =
new Token<ClientToAMTokenIdentifier>(clientToAMTokenId,
clientToAMTokenMgr);
Modified:
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens.java
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens.java?rev=1517078&r1=1517077&r2=1517078&view=diff
==============================================================================
---
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens.java
(original)
+++
hadoop/common/branches/branch-2.1-beta/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens.java
Fri Aug 23 22:22:38 2013
@@ -115,7 +115,6 @@ public class TestClientToAMTokens {
private final byte[] secretKey;
private InetSocketAddress address;
private boolean pinged = false;
- private ClientToAMTokenSecretManager secretManager;
public CustomAM(ApplicationAttemptId appId, byte[] secretKey) {
super("CustomAM");
@@ -132,12 +131,14 @@ public class TestClientToAMTokens {
protected void serviceStart() throws Exception {
Configuration conf = getConfig();
- secretManager = new ClientToAMTokenSecretManager(this.appAttemptId,
secretKey);
Server server;
try {
server =
- new RPC.Builder(conf).setProtocol(CustomProtocol.class)
- .setNumHandlers(1).setSecretManager(secretManager)
+ new RPC.Builder(conf)
+ .setProtocol(CustomProtocol.class)
+ .setNumHandlers(1)
+ .setSecretManager(
+ new ClientToAMTokenSecretManager(this.appAttemptId, secretKey))
.setInstance(this).build();
} catch (Exception e) {
throw new YarnRuntimeException(e);
@@ -146,14 +147,10 @@ public class TestClientToAMTokens {
this.address = NetUtils.getConnectAddress(server);
super.serviceStart();
}
-
- public ClientToAMTokenSecretManager getClientToAMTokenSecretManager() {
- return this.secretManager;
- }
}
@Test
- public void testClientToAMs() throws Exception {
+ public void testClientToAMTokenss() throws Exception {
final Configuration conf = new Configuration();
conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
@@ -204,7 +201,7 @@ public class TestClientToAMTokens {
GetApplicationReportResponse reportResponse =
rm.getClientRMService().getApplicationReport(request);
ApplicationReport appReport = reportResponse.getApplicationReport();
- org.apache.hadoop.yarn.api.records.Token clientToAMToken =
+ org.apache.hadoop.yarn.api.records.Token originalClientToAMToken =
appReport.getClientToAMToken();
ApplicationAttemptId appAttempt =
app.getCurrentAppAttempt().getAppAttemptId();
@@ -259,17 +256,47 @@ public class TestClientToAMTokens {
Assert.assertFalse(am.pinged);
}
- // Verify denial for a malicious user
- UserGroupInformation ugi = UserGroupInformation.createRemoteUser("me");
Token<ClientToAMTokenIdentifier> token =
- ConverterUtils.convertFromYarn(clientToAMToken, am.address);
+ ConverterUtils.convertFromYarn(originalClientToAMToken, am.address);
+
+ // Verify denial for a malicious user with tampered ID
+ verifyTokenWithTamperedID(conf, am, token);
+
+ // Verify denial for a malicious user with tampered user-name
+ verifyTokenWithTamperedUserName(conf, am, token);
+ // Now for an authenticated user
+ verifyValidToken(conf, am, token);
+ }
+
+ private void verifyTokenWithTamperedID(final Configuration conf,
+ final CustomAM am, Token<ClientToAMTokenIdentifier> token)
+ throws IOException {
// Malicious user, messes with appId
+ UserGroupInformation ugi = UserGroupInformation.createRemoteUser("me");
ClientToAMTokenIdentifier maliciousID =
new ClientToAMTokenIdentifier(BuilderUtils.newApplicationAttemptId(
- BuilderUtils.newApplicationId(app.getApplicationId()
- .getClusterTimestamp(), 42), 43));
+ BuilderUtils.newApplicationId(am.appAttemptId.getApplicationId()
+ .getClusterTimestamp(), 42), 43), UserGroupInformation
+ .getCurrentUser().getShortUserName());
+ verifyTamperedToken(conf, am, token, ugi, maliciousID);
+ }
+
+ private void verifyTokenWithTamperedUserName(final Configuration conf,
+ final CustomAM am, Token<ClientToAMTokenIdentifier> token)
+ throws IOException {
+ // Malicious user, messes with appId
+ UserGroupInformation ugi = UserGroupInformation.createRemoteUser("me");
+ ClientToAMTokenIdentifier maliciousID =
+ new ClientToAMTokenIdentifier(am.appAttemptId, "evilOrc");
+
+ verifyTamperedToken(conf, am, token, ugi, maliciousID);
+ }
+
+ private void verifyTamperedToken(final Configuration conf, final CustomAM am,
+ Token<ClientToAMTokenIdentifier> token, UserGroupInformation ugi,
+ ClientToAMTokenIdentifier maliciousID) {
Token<ClientToAMTokenIdentifier> maliciousToken =
new Token<ClientToAMTokenIdentifier>(maliciousID.getBytes(),
token.getPassword(), token.getKind(),
@@ -309,8 +336,12 @@ public class TestClientToAMTokens {
+ "Mismatched response."));
Assert.assertFalse(am.pinged);
}
+ }
- // Now for an authenticated user
+ private void verifyValidToken(final Configuration conf, final CustomAM am,
+ Token<ClientToAMTokenIdentifier> token) throws IOException,
+ InterruptedException {
+ UserGroupInformation ugi;
ugi = UserGroupInformation.createRemoteUser("me");
ugi.addToken(token);
@@ -326,5 +357,4 @@ public class TestClientToAMTokens {
}
});
}
-
}
