[
https://issues.apache.org/jira/browse/YARN-6539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17576259#comment-17576259
]
ASF GitHub Bot commented on YARN-6539:
--------------------------------------
goiri commented on code in PR #4712:
URL: https://github.com/apache/hadoop/pull/4712#discussion_r939547883
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/main/java/org/apache/hadoop/yarn/server/router/Router.java:
##########
@@ -195,4 +197,12 @@ public static void main(String[] argv) {
System.exit(-1);
}
}
+
+ public RouterClientRMService getClientRMProxyService() {
Review Comment:
VisibleForTesting?
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/test/java/org/apache/hadoop/yarn/server/router/secure/AbstractSecureRouterTest.java:
##########
@@ -0,0 +1,265 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.router.secure;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.federation.store.FederationStateStore;
+import org.apache.hadoop.yarn.server.federation.store.records.SubClusterId;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreFacade;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreTestUtil;
+import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart;
+import org.apache.hadoop.yarn.server.router.Router;
+import
org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor;
+import org.apache.hadoop.yarn.server.router.clientrm.RouterClientRMService;
+import
org.apache.hadoop.yarn.server.router.rmadmin.DefaultRMAdminRequestInterceptor;
+import org.apache.hadoop.yarn.server.router.rmadmin.RouterRMAdminService;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class AbstractSecureRouterTest {
+
+ public static final String REALM = "EXAMPLE.COM";
+
+ public static final String ROUTER = "router";
+ public static final String LOCALHOST = "localhost";
+ public static final String IP127001 = "127.0.0.1";
+ public static final String ROUTER_LOCALHOST = "router/" + LOCALHOST;
+ public static final String ROUTER_127001 = "router/" + IP127001;
+ public static final String ROUTER_REALM = "router@" + REALM;
+ public static final String ROUTER_LOCALHOST_REALM = ROUTER_LOCALHOST + "@" +
REALM;
+
+ private static final Logger LOG =
LoggerFactory.getLogger(AbstractSecureRouterTest.class);
+
+ public static final Configuration CONF;
+
+ static {
+ CONF = new Configuration();
+ CONF.set("hadoop.security.authentication", "kerberos");
+ CONF.setBoolean("hadoop.security.authorization", true);
+ }
+
+ public static final String SUN_SECURITY_KRB5_DEBUG =
"sun.security.krb5.debug";
+
+ public static final String CLIENT_RM_FEDERATION_CLIENT_INTERCEPTOR =
+
"org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor";
+
+ public static final String KERBEROS = "kerberos";
+
+ private static MiniKdc kdc;
+ private static File routerKeytab;
+ private static File kdcWorkDir;
+ private static Properties kdcConf;
+
+ private Router router = null;
+
+ private static Configuration conf;
+
+ private List<SubClusterId> subClusters;
+
+ private final static int NUM_SUBCLUSTER = 4;
+
+ private static ConcurrentHashMap<SubClusterId, MockRM> mockRMs =
+ new ConcurrentHashMap<>();
+
+ @BeforeClass
+ public static void beforeSecureRouterTestClass() throws Exception {
+
+ // Sets up the KDC and Principals.
+ setupKDCAndPrincipals();
+
+ // Init YarnConfiguration
+ conf = new YarnConfiguration();
+ conf.set(YarnConfiguration.ROUTER_BIND_HOST, "0.0.0.0");
+ conf.set(YarnConfiguration.ROUTER_CLIENTRM_INTERCEPTOR_CLASS_PIPELINE,
+ CLIENT_RM_FEDERATION_CLIENT_INTERCEPTOR);
+ conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
KERBEROS);
+ conf.set(YarnConfiguration.ROUTER_PRINCIPAL, ROUTER_LOCALHOST_REALM);
+ conf.set(YarnConfiguration.ROUTER_KEYTAB, routerKeytab.getAbsolutePath());
+ }
+
+ /**
+ * Sets up the KDC and Principals.
+ *
+ * @throws Exception an error occurred.
+ */
+ public static void setupKDCAndPrincipals() throws Exception {
+ // set up the KDC
+ File target = new File(System.getProperty("test.dir", "target"));
+ kdcWorkDir = new File(target, "kdc");
+ kdcWorkDir.mkdirs();
+ if (!kdcWorkDir.mkdirs()) {
+ Assert.assertTrue(kdcWorkDir.isDirectory());
+ }
+ kdcConf = MiniKdc.createConf();
+ kdcConf.setProperty(MiniKdc.DEBUG, "true");
+ kdc = new MiniKdc(kdcConf, kdcWorkDir);
+ kdc.start();
+
+ routerKeytab = createKeytab(ROUTER, "router.keytab");
+ }
+
+ /**
+ * Initialize RM in safe mode.
+ *
+ * @throws Exception an error occurred.
+ */
+ public static void setupSecureMockRM() throws Exception {
+ for (int i = 0; i < NUM_SUBCLUSTER; i++) {
+ SubClusterId sc = SubClusterId.newInstance(Integer.toString(i));
Review Comment:
We keep doing this. Can we create a newInstance taking integer?
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/test/java/org/apache/hadoop/yarn/server/router/secure/AbstractSecureRouterTest.java:
##########
@@ -0,0 +1,265 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.router.secure;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.federation.store.FederationStateStore;
+import org.apache.hadoop.yarn.server.federation.store.records.SubClusterId;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreFacade;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreTestUtil;
+import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart;
+import org.apache.hadoop.yarn.server.router.Router;
+import
org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor;
+import org.apache.hadoop.yarn.server.router.clientrm.RouterClientRMService;
+import
org.apache.hadoop.yarn.server.router.rmadmin.DefaultRMAdminRequestInterceptor;
+import org.apache.hadoop.yarn.server.router.rmadmin.RouterRMAdminService;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class AbstractSecureRouterTest {
+
+ public static final String REALM = "EXAMPLE.COM";
+
+ public static final String ROUTER = "router";
+ public static final String LOCALHOST = "localhost";
+ public static final String IP127001 = "127.0.0.1";
+ public static final String ROUTER_LOCALHOST = "router/" + LOCALHOST;
+ public static final String ROUTER_127001 = "router/" + IP127001;
+ public static final String ROUTER_REALM = "router@" + REALM;
+ public static final String ROUTER_LOCALHOST_REALM = ROUTER_LOCALHOST + "@" +
REALM;
+
+ private static final Logger LOG =
LoggerFactory.getLogger(AbstractSecureRouterTest.class);
+
+ public static final Configuration CONF;
Review Comment:
Why do we make this static?
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/test/java/org/apache/hadoop/yarn/server/router/secure/AbstractSecureRouterTest.java:
##########
@@ -0,0 +1,265 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.router.secure;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.federation.store.FederationStateStore;
+import org.apache.hadoop.yarn.server.federation.store.records.SubClusterId;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreFacade;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreTestUtil;
+import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart;
+import org.apache.hadoop.yarn.server.router.Router;
+import
org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor;
+import org.apache.hadoop.yarn.server.router.clientrm.RouterClientRMService;
+import
org.apache.hadoop.yarn.server.router.rmadmin.DefaultRMAdminRequestInterceptor;
+import org.apache.hadoop.yarn.server.router.rmadmin.RouterRMAdminService;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class AbstractSecureRouterTest {
+
+ public static final String REALM = "EXAMPLE.COM";
+
+ public static final String ROUTER = "router";
+ public static final String LOCALHOST = "localhost";
+ public static final String IP127001 = "127.0.0.1";
+ public static final String ROUTER_LOCALHOST = "router/" + LOCALHOST;
+ public static final String ROUTER_127001 = "router/" + IP127001;
+ public static final String ROUTER_REALM = "router@" + REALM;
+ public static final String ROUTER_LOCALHOST_REALM = ROUTER_LOCALHOST + "@" +
REALM;
+
+ private static final Logger LOG =
LoggerFactory.getLogger(AbstractSecureRouterTest.class);
+
+ public static final Configuration CONF;
+
+ static {
+ CONF = new Configuration();
+ CONF.set("hadoop.security.authentication", "kerberos");
+ CONF.setBoolean("hadoop.security.authorization", true);
+ }
+
+ public static final String SUN_SECURITY_KRB5_DEBUG =
"sun.security.krb5.debug";
+
+ public static final String CLIENT_RM_FEDERATION_CLIENT_INTERCEPTOR =
+
"org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor";
+
+ public static final String KERBEROS = "kerberos";
+
+ private static MiniKdc kdc;
Review Comment:
Do we need to make everything static?
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java:
##########
@@ -4107,6 +4107,12 @@ public static boolean isAclEnabled(Configuration conf) {
public static final long DEFAULT_ROUTER_WEBAPP_READ_TIMEOUT =
TimeUnit.SECONDS.toMillis(30);
+ /** The Kerberos keytab for the yarn router.*/
+ public static final String ROUTER_KEYTAB = ROUTER_PREFIX + "keytab";
Review Comment:
Should we add some documentation on how to set this up?
Is there an md file?
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/test/java/org/apache/hadoop/yarn/server/router/secure/AbstractSecureRouterTest.java:
##########
@@ -0,0 +1,265 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.router.secure;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.federation.store.FederationStateStore;
+import org.apache.hadoop.yarn.server.federation.store.records.SubClusterId;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreFacade;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreTestUtil;
+import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart;
+import org.apache.hadoop.yarn.server.router.Router;
+import
org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor;
+import org.apache.hadoop.yarn.server.router.clientrm.RouterClientRMService;
+import
org.apache.hadoop.yarn.server.router.rmadmin.DefaultRMAdminRequestInterceptor;
+import org.apache.hadoop.yarn.server.router.rmadmin.RouterRMAdminService;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class AbstractSecureRouterTest {
+
+ public static final String REALM = "EXAMPLE.COM";
+
+ public static final String ROUTER = "router";
+ public static final String LOCALHOST = "localhost";
+ public static final String IP127001 = "127.0.0.1";
+ public static final String ROUTER_LOCALHOST = "router/" + LOCALHOST;
+ public static final String ROUTER_127001 = "router/" + IP127001;
+ public static final String ROUTER_REALM = "router@" + REALM;
+ public static final String ROUTER_LOCALHOST_REALM = ROUTER_LOCALHOST + "@" +
REALM;
+
+ private static final Logger LOG =
LoggerFactory.getLogger(AbstractSecureRouterTest.class);
+
+ public static final Configuration CONF;
+
+ static {
+ CONF = new Configuration();
+ CONF.set("hadoop.security.authentication", "kerberos");
+ CONF.setBoolean("hadoop.security.authorization", true);
+ }
+
+ public static final String SUN_SECURITY_KRB5_DEBUG =
"sun.security.krb5.debug";
+
+ public static final String CLIENT_RM_FEDERATION_CLIENT_INTERCEPTOR =
+
"org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor";
+
+ public static final String KERBEROS = "kerberos";
+
+ private static MiniKdc kdc;
+ private static File routerKeytab;
+ private static File kdcWorkDir;
+ private static Properties kdcConf;
+
+ private Router router = null;
+
+ private static Configuration conf;
+
+ private List<SubClusterId> subClusters;
+
+ private final static int NUM_SUBCLUSTER = 4;
+
+ private static ConcurrentHashMap<SubClusterId, MockRM> mockRMs =
+ new ConcurrentHashMap<>();
+
+ @BeforeClass
+ public static void beforeSecureRouterTestClass() throws Exception {
+
+ // Sets up the KDC and Principals.
+ setupKDCAndPrincipals();
+
+ // Init YarnConfiguration
+ conf = new YarnConfiguration();
+ conf.set(YarnConfiguration.ROUTER_BIND_HOST, "0.0.0.0");
+ conf.set(YarnConfiguration.ROUTER_CLIENTRM_INTERCEPTOR_CLASS_PIPELINE,
+ CLIENT_RM_FEDERATION_CLIENT_INTERCEPTOR);
+ conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
KERBEROS);
+ conf.set(YarnConfiguration.ROUTER_PRINCIPAL, ROUTER_LOCALHOST_REALM);
+ conf.set(YarnConfiguration.ROUTER_KEYTAB, routerKeytab.getAbsolutePath());
+ }
+
+ /**
+ * Sets up the KDC and Principals.
+ *
+ * @throws Exception an error occurred.
+ */
+ public static void setupKDCAndPrincipals() throws Exception {
+ // set up the KDC
+ File target = new File(System.getProperty("test.dir", "target"));
+ kdcWorkDir = new File(target, "kdc");
+ kdcWorkDir.mkdirs();
+ if (!kdcWorkDir.mkdirs()) {
+ Assert.assertTrue(kdcWorkDir.isDirectory());
+ }
+ kdcConf = MiniKdc.createConf();
+ kdcConf.setProperty(MiniKdc.DEBUG, "true");
+ kdc = new MiniKdc(kdcConf, kdcWorkDir);
+ kdc.start();
+
+ routerKeytab = createKeytab(ROUTER, "router.keytab");
+ }
+
+ /**
+ * Initialize RM in safe mode.
+ *
+ * @throws Exception an error occurred.
+ */
+ public static void setupSecureMockRM() throws Exception {
+ for (int i = 0; i < NUM_SUBCLUSTER; i++) {
+ SubClusterId sc = SubClusterId.newInstance(Integer.toString(i));
+ if (mockRMs.containsKey(sc)) {
+ continue;
+ }
+ MockRM mockRM = new TestRMRestart.TestSecurityMockRM(conf);
+ mockRM.start();
+ mockRM.registerNode("127.0.0.1:1234", 8 * 1024, 4);
+ mockRMs.put(sc, mockRM);
+ }
+ }
+
+ /**
+ * Create the keytab for the given principal, includes
+ * raw principal and $principal/localhost.
+ *
+ * @param principal principal short name.
+ * @param filename filename of keytab.
+ * @return file of keytab.
+ * @throws Exception an error occurred.
+ */
+ public static File createKeytab(String principal, String filename) throws
Exception {
+ Assert.assertTrue("empty principal", StringUtils.isNotBlank(principal));
+ Assert.assertTrue("empty host", StringUtils.isNotBlank(filename));
+ Assert.assertNotNull("Null KDC", kdc);
+ File keytab = new File(kdcWorkDir, filename);
+ kdc.createPrincipal(keytab,
+ principal,
+ principal + "/localhost",
+ principal + "/127.0.0.1");
+ return keytab;
+ }
+
+ /**
+ * Start the router in safe mode.
+ *
+ * @throws Exception an error occurred.
+ */
+ public synchronized void startSecureRouter(Boolean initRM) throws Exception {
+ Assert.assertNull("Router is already running", router);
+ UserGroupInformation.setConfiguration(conf);
+ router = new Router();
+ router.init(conf);
+ router.start();
+
+ if (initRM) {
+
+ setupSecureMockRM();
+
+ RouterClientRMService rmService = router.getClientRMProxyService();
+ RouterClientRMService.RequestInterceptorChainWrapper wrapper =
rmService.getInterceptorChain();
+ FederationClientInterceptor interceptor = (FederationClientInterceptor)
wrapper.getRootInterceptor();
+ FederationStateStoreFacade stateStoreFacade =
interceptor.getFederationFacade();
+ FederationStateStore stateStore = stateStoreFacade.getStateStore();
+ FederationStateStoreTestUtil stateStoreUtil = new
FederationStateStoreTestUtil(stateStore);
+ subClusters = new ArrayList<>();
+
+ for (int i = 0; i < NUM_SUBCLUSTER; i++) {
+ SubClusterId sc = SubClusterId.newInstance(Integer.toString(i));
+ stateStoreUtil.registerSubCluster(sc);
+ subClusters.add(sc);
+ }
+
+ Map<SubClusterId, ApplicationClientProtocol> clientRMProxies =
+ interceptor.getClientRMProxies();
+ for (Map.Entry<SubClusterId, MockRM> entry : mockRMs.entrySet()) {
+ SubClusterId keySubClusterId = entry.getKey();
+ if (clientRMProxies.containsKey(keySubClusterId)) {
+ continue;
+ }
+ MockRM mockRM = entry.getValue();
+ clientRMProxies.put(keySubClusterId, mockRM.getClientRMService());
+ }
+
+ MockRM firstRM =
mockRMs.entrySet().stream().findFirst().get().getValue();
+ RouterRMAdminService routerRMAdminService =
router.getRmAdminProxyService();
+ RouterRMAdminService.RequestInterceptorChainWrapper rmAdminChainWrapper =
Review Comment:
We had to expose a lot of these methods for the tests.
Is there a better way? Some mock or test class extension?
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/main/java/org/apache/hadoop/yarn/server/router/clientrm/RouterClientRMService.java:
##########
@@ -616,4 +616,8 @@ protected void finalize() {
rootInterceptor.shutdown();
}
}
+
+ public Map<String, RequestInterceptorChainWrapper> getUserPipelineMap() {
Review Comment:
VisibleForTesting?
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/test/java/org/apache/hadoop/yarn/server/router/secure/AbstractSecureRouterTest.java:
##########
@@ -0,0 +1,265 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.router.secure;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.federation.store.FederationStateStore;
+import org.apache.hadoop.yarn.server.federation.store.records.SubClusterId;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreFacade;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreTestUtil;
+import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart;
+import org.apache.hadoop.yarn.server.router.Router;
+import
org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor;
+import org.apache.hadoop.yarn.server.router.clientrm.RouterClientRMService;
+import
org.apache.hadoop.yarn.server.router.rmadmin.DefaultRMAdminRequestInterceptor;
+import org.apache.hadoop.yarn.server.router.rmadmin.RouterRMAdminService;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class AbstractSecureRouterTest {
+
+ public static final String REALM = "EXAMPLE.COM";
+
+ public static final String ROUTER = "router";
+ public static final String LOCALHOST = "localhost";
+ public static final String IP127001 = "127.0.0.1";
+ public static final String ROUTER_LOCALHOST = "router/" + LOCALHOST;
+ public static final String ROUTER_127001 = "router/" + IP127001;
+ public static final String ROUTER_REALM = "router@" + REALM;
+ public static final String ROUTER_LOCALHOST_REALM = ROUTER_LOCALHOST + "@" +
REALM;
+
+ private static final Logger LOG =
LoggerFactory.getLogger(AbstractSecureRouterTest.class);
+
+ public static final Configuration CONF;
+
+ static {
+ CONF = new Configuration();
+ CONF.set("hadoop.security.authentication", "kerberos");
+ CONF.setBoolean("hadoop.security.authorization", true);
+ }
+
+ public static final String SUN_SECURITY_KRB5_DEBUG =
"sun.security.krb5.debug";
+
+ public static final String CLIENT_RM_FEDERATION_CLIENT_INTERCEPTOR =
+
"org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor";
+
+ public static final String KERBEROS = "kerberos";
+
+ private static MiniKdc kdc;
+ private static File routerKeytab;
+ private static File kdcWorkDir;
+ private static Properties kdcConf;
+
+ private Router router = null;
+
+ private static Configuration conf;
+
+ private List<SubClusterId> subClusters;
+
+ private final static int NUM_SUBCLUSTER = 4;
+
+ private static ConcurrentHashMap<SubClusterId, MockRM> mockRMs =
+ new ConcurrentHashMap<>();
+
+ @BeforeClass
+ public static void beforeSecureRouterTestClass() throws Exception {
+
+ // Sets up the KDC and Principals.
+ setupKDCAndPrincipals();
+
+ // Init YarnConfiguration
+ conf = new YarnConfiguration();
+ conf.set(YarnConfiguration.ROUTER_BIND_HOST, "0.0.0.0");
+ conf.set(YarnConfiguration.ROUTER_CLIENTRM_INTERCEPTOR_CLASS_PIPELINE,
+ CLIENT_RM_FEDERATION_CLIENT_INTERCEPTOR);
+ conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
KERBEROS);
+ conf.set(YarnConfiguration.ROUTER_PRINCIPAL, ROUTER_LOCALHOST_REALM);
+ conf.set(YarnConfiguration.ROUTER_KEYTAB, routerKeytab.getAbsolutePath());
+ }
+
+ /**
+ * Sets up the KDC and Principals.
+ *
+ * @throws Exception an error occurred.
+ */
+ public static void setupKDCAndPrincipals() throws Exception {
+ // set up the KDC
+ File target = new File(System.getProperty("test.dir", "target"));
+ kdcWorkDir = new File(target, "kdc");
+ kdcWorkDir.mkdirs();
+ if (!kdcWorkDir.mkdirs()) {
+ Assert.assertTrue(kdcWorkDir.isDirectory());
+ }
+ kdcConf = MiniKdc.createConf();
+ kdcConf.setProperty(MiniKdc.DEBUG, "true");
+ kdc = new MiniKdc(kdcConf, kdcWorkDir);
+ kdc.start();
+
+ routerKeytab = createKeytab(ROUTER, "router.keytab");
+ }
+
+ /**
+ * Initialize RM in safe mode.
+ *
+ * @throws Exception an error occurred.
+ */
+ public static void setupSecureMockRM() throws Exception {
+ for (int i = 0; i < NUM_SUBCLUSTER; i++) {
+ SubClusterId sc = SubClusterId.newInstance(Integer.toString(i));
+ if (mockRMs.containsKey(sc)) {
+ continue;
+ }
+ MockRM mockRM = new TestRMRestart.TestSecurityMockRM(conf);
+ mockRM.start();
+ mockRM.registerNode("127.0.0.1:1234", 8 * 1024, 4);
Review Comment:
extract into memory and cpu named vars.
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/test/java/org/apache/hadoop/yarn/server/router/secure/AbstractSecureRouterTest.java:
##########
@@ -0,0 +1,265 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.router.secure;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.federation.store.FederationStateStore;
+import org.apache.hadoop.yarn.server.federation.store.records.SubClusterId;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreFacade;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreTestUtil;
+import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart;
+import org.apache.hadoop.yarn.server.router.Router;
+import
org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor;
+import org.apache.hadoop.yarn.server.router.clientrm.RouterClientRMService;
+import
org.apache.hadoop.yarn.server.router.rmadmin.DefaultRMAdminRequestInterceptor;
+import org.apache.hadoop.yarn.server.router.rmadmin.RouterRMAdminService;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class AbstractSecureRouterTest {
+
+ public static final String REALM = "EXAMPLE.COM";
+
+ public static final String ROUTER = "router";
+ public static final String LOCALHOST = "localhost";
+ public static final String IP127001 = "127.0.0.1";
+ public static final String ROUTER_LOCALHOST = "router/" + LOCALHOST;
+ public static final String ROUTER_127001 = "router/" + IP127001;
+ public static final String ROUTER_REALM = "router@" + REALM;
+ public static final String ROUTER_LOCALHOST_REALM = ROUTER_LOCALHOST + "@" +
REALM;
+
+ private static final Logger LOG =
LoggerFactory.getLogger(AbstractSecureRouterTest.class);
+
+ public static final Configuration CONF;
+
+ static {
+ CONF = new Configuration();
+ CONF.set("hadoop.security.authentication", "kerberos");
+ CONF.setBoolean("hadoop.security.authorization", true);
+ }
+
+ public static final String SUN_SECURITY_KRB5_DEBUG =
"sun.security.krb5.debug";
+
+ public static final String CLIENT_RM_FEDERATION_CLIENT_INTERCEPTOR =
+
"org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor";
+
+ public static final String KERBEROS = "kerberos";
+
+ private static MiniKdc kdc;
+ private static File routerKeytab;
+ private static File kdcWorkDir;
+ private static Properties kdcConf;
+
+ private Router router = null;
+
+ private static Configuration conf;
+
+ private List<SubClusterId> subClusters;
+
+ private final static int NUM_SUBCLUSTER = 4;
+
+ private static ConcurrentHashMap<SubClusterId, MockRM> mockRMs =
+ new ConcurrentHashMap<>();
+
+ @BeforeClass
+ public static void beforeSecureRouterTestClass() throws Exception {
+
+ // Sets up the KDC and Principals.
+ setupKDCAndPrincipals();
+
+ // Init YarnConfiguration
+ conf = new YarnConfiguration();
+ conf.set(YarnConfiguration.ROUTER_BIND_HOST, "0.0.0.0");
+ conf.set(YarnConfiguration.ROUTER_CLIENTRM_INTERCEPTOR_CLASS_PIPELINE,
+ CLIENT_RM_FEDERATION_CLIENT_INTERCEPTOR);
+ conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
KERBEROS);
+ conf.set(YarnConfiguration.ROUTER_PRINCIPAL, ROUTER_LOCALHOST_REALM);
+ conf.set(YarnConfiguration.ROUTER_KEYTAB, routerKeytab.getAbsolutePath());
+ }
+
+ /**
+ * Sets up the KDC and Principals.
+ *
+ * @throws Exception an error occurred.
+ */
+ public static void setupKDCAndPrincipals() throws Exception {
+ // set up the KDC
+ File target = new File(System.getProperty("test.dir", "target"));
+ kdcWorkDir = new File(target, "kdc");
+ kdcWorkDir.mkdirs();
+ if (!kdcWorkDir.mkdirs()) {
+ Assert.assertTrue(kdcWorkDir.isDirectory());
+ }
+ kdcConf = MiniKdc.createConf();
+ kdcConf.setProperty(MiniKdc.DEBUG, "true");
+ kdc = new MiniKdc(kdcConf, kdcWorkDir);
+ kdc.start();
+
+ routerKeytab = createKeytab(ROUTER, "router.keytab");
+ }
+
+ /**
+ * Initialize RM in safe mode.
+ *
+ * @throws Exception an error occurred.
+ */
+ public static void setupSecureMockRM() throws Exception {
+ for (int i = 0; i < NUM_SUBCLUSTER; i++) {
+ SubClusterId sc = SubClusterId.newInstance(Integer.toString(i));
+ if (mockRMs.containsKey(sc)) {
+ continue;
+ }
+ MockRM mockRM = new TestRMRestart.TestSecurityMockRM(conf);
+ mockRM.start();
+ mockRM.registerNode("127.0.0.1:1234", 8 * 1024, 4);
+ mockRMs.put(sc, mockRM);
+ }
+ }
+
+ /**
+ * Create the keytab for the given principal, includes
+ * raw principal and $principal/localhost.
+ *
+ * @param principal principal short name.
+ * @param filename filename of keytab.
+ * @return file of keytab.
+ * @throws Exception an error occurred.
+ */
+ public static File createKeytab(String principal, String filename) throws
Exception {
+ Assert.assertTrue("empty principal", StringUtils.isNotBlank(principal));
Review Comment:
Let's statically import the asserts
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/test/java/org/apache/hadoop/yarn/server/router/secure/AbstractSecureRouterTest.java:
##########
@@ -0,0 +1,265 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.router.secure;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.federation.store.FederationStateStore;
+import org.apache.hadoop.yarn.server.federation.store.records.SubClusterId;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreFacade;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreTestUtil;
+import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart;
+import org.apache.hadoop.yarn.server.router.Router;
+import
org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor;
+import org.apache.hadoop.yarn.server.router.clientrm.RouterClientRMService;
+import
org.apache.hadoop.yarn.server.router.rmadmin.DefaultRMAdminRequestInterceptor;
+import org.apache.hadoop.yarn.server.router.rmadmin.RouterRMAdminService;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class AbstractSecureRouterTest {
Review Comment:
Are we going to use this abstract test in more places?
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/test/java/org/apache/hadoop/yarn/server/router/secure/AbstractSecureRouterTest.java:
##########
@@ -0,0 +1,265 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.router.secure;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.federation.store.FederationStateStore;
+import org.apache.hadoop.yarn.server.federation.store.records.SubClusterId;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreFacade;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreTestUtil;
+import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart;
+import org.apache.hadoop.yarn.server.router.Router;
+import
org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor;
+import org.apache.hadoop.yarn.server.router.clientrm.RouterClientRMService;
+import
org.apache.hadoop.yarn.server.router.rmadmin.DefaultRMAdminRequestInterceptor;
+import org.apache.hadoop.yarn.server.router.rmadmin.RouterRMAdminService;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class AbstractSecureRouterTest {
+
+ public static final String REALM = "EXAMPLE.COM";
+
+ public static final String ROUTER = "router";
+ public static final String LOCALHOST = "localhost";
+ public static final String IP127001 = "127.0.0.1";
+ public static final String ROUTER_LOCALHOST = "router/" + LOCALHOST;
+ public static final String ROUTER_127001 = "router/" + IP127001;
+ public static final String ROUTER_REALM = "router@" + REALM;
+ public static final String ROUTER_LOCALHOST_REALM = ROUTER_LOCALHOST + "@" +
REALM;
+
+ private static final Logger LOG =
LoggerFactory.getLogger(AbstractSecureRouterTest.class);
+
+ public static final Configuration CONF;
+
+ static {
+ CONF = new Configuration();
+ CONF.set("hadoop.security.authentication", "kerberos");
+ CONF.setBoolean("hadoop.security.authorization", true);
+ }
+
+ public static final String SUN_SECURITY_KRB5_DEBUG =
"sun.security.krb5.debug";
+
+ public static final String CLIENT_RM_FEDERATION_CLIENT_INTERCEPTOR =
+
"org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor";
Review Comment:
Can we do something like FederationClientInterceptor.class.toString()?
> Create SecureLogin inside Router
> --------------------------------
>
> Key: YARN-6539
> URL: https://issues.apache.org/jira/browse/YARN-6539
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Giovanni Matteo Fumarola
> Assignee: Xie YiFan
> Priority: Minor
> Labels: pull-request-available
> Attachments: YARN-6359_1.patch, YARN-6359_2.patch,
> YARN-6539-branch-3.1.0.004.patch, YARN-6539-branch-3.1.0.005.patch,
> YARN-6539.006.patch, YARN-6539.007.patch, YARN-6539.008.patch,
> YARN-6539_3.patch, YARN-6539_4.patch
>
> Time Spent: 5.5h
> Remaining Estimate: 0h
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
