Package org.apache.hadoop.yarn.security

Examples of org.apache.hadoop.yarn.security.ContainerTokenIdentifier


 
  /**
   * Builds a container token for {@code contId} from fixed fixture values.
   *
   * <p>The identifier names the submitter "user", carries
   * {@code Resource.newInstance(1024, 1)} and expires 10000 ms after the
   * current time. The token password is the literal bytes of "password"
   * rather than a value produced by a secret manager, so the token is only
   * meaningful where nothing verifies the password (presumably a test or
   * mock setup -- confirm against the caller).
   *
   * @param contId container the token is issued for
   * @param containerManagerAddr address recorded in the identifier
   * @return the token returned by {@code MRApp.newContainerToken}
   */
  private Token createNewContainerToken(ContainerId contId,
      String containerManagerAddr) {
    final long now = System.currentTimeMillis();
    final NodeId nodeId = NodeId.newInstance("127.0.0.1", 1234);
    // Fixed fixture password; not derived from any key.
    final byte[] fixturePassword = "password".getBytes();
    final Resource capability = Resource.newInstance(1024, 1);
    final long expiresAt = now + 10000L;
    final ContainerTokenIdentifier identifier = new ContainerTokenIdentifier(
        contId, containerManagerAddr, "user", capability,
        expiresAt, 123, now, Priority.newInstance(0), 0);
    return MRApp.newContainerToken(nodeId, fixturePassword, identifier);
  }


    // Deserialize the identifier carried by the genuine container token.
    byte[] identifierBytes = containerToken.getIdentifier().array();

    DataInputBuffer di = new DataInputBuffer();
    di.reset(identifierBytes, identifierBytes.length);

    ContainerTokenIdentifier dummyIdentifier = new ContainerTokenIdentifier();
    dummyIdentifier.readFields(di);

    // A malicious user modifies the resource amount: the container id, NM host
    // address and master key id are copied from the genuine identifier, while
    // the resource is replaced with newResource(2048) and the expiry is set to
    // Long.MAX_VALUE.
    Resource modifiedResource = BuilderUtils.newResource(2048);
    ContainerTokenIdentifier modifiedIdentifier =
        new ContainerTokenIdentifier(dummyIdentifier.getContainerID(),
          dummyIdentifier.getNmHostAddress(), "testUser", modifiedResource,
          Long.MAX_VALUE, dummyIdentifier.getMasterKeyId());
    // The tampered identifier is paired with the password taken unchanged from
    // the genuine token. NOTE(review): presumably that password was computed
    // over the original identifier bytes, so the receiver should reject this
    // token; the call that checks this is cut off below -- confirm there.
    Token<ContainerTokenIdentifier> modifiedToken = new Token<ContainerTokenIdentifier>(
        modifiedIdentifier.getBytes(), containerToken.getPassword().array(),
        new Text(containerToken.getKind()), new Text(containerToken
            .getService()));
    maliceUser.addToken(modifiedToken);
    maliceUser.doAs(new PrivilegedAction<Void>() {
      @Override

    // Take the container token that was handed out with the allocated
    // container.
    ContainerToken containerToken = allocatedContainer.getContainerToken();

    // Parse the identifier so the negative tests below can refer to its
    // fields.
    byte[] identifierBytes = containerToken.getIdentifier().array();
    DataInputBuffer di = new DataInputBuffer();
    di.reset(identifierBytes, identifierBytes.length);
    final ContainerTokenIdentifier tokenId = new ContainerTokenIdentifier();
    tokenId.readFields(di);

    // Rebuild a Token from the record: identifier bytes and password are
    // reused unchanged, so the token itself is the genuine one.
    Token<ContainerTokenIdentifier> token = new Token<ContainerTokenIdentifier>(
        identifierBytes, containerToken.getPassword().array(), new Text(
            containerToken.getKind()), new Text(containerToken.getService()));

    unauthorizedUser.addToken(token);
    ContainerManager client =
        unauthorizedUser.doAs(new PrivilegedAction<ContainerManager>() {
      @Override
      public ContainerManager run() {
        // Proxy to the ContainerManager on the allocated container's node,
        // created while running as unauthorizedUser.
        ContainerManager client = (ContainerManager) yarnRPC.getProxy(
            ContainerManager.class, NetUtils
                .createSocketAddr(allocatedContainer.getNodeId().toString()),
            conf);

        LOG.info("Going to contact NM:  unauthorized request");

        // Each helper receives the genuine tokenId and, going by its name,
        // issues a request whose container id, resource or user name does not
        // match it. The helper bodies are not part of this excerpt.
        callWithIllegalContainerID(client, tokenId);
        callWithIllegalResource(client, tokenId);
        callWithIllegalUserName(client, tokenId);

        return client;
      }
    });
   
    // ///////// End of testing for illegal containerIDs, illegal Resources and
    // illegal users

    /////////// Test calls with expired tokens
    RPC.stopProxy(client);
    // Start over with a fresh remote user named after the container id, so no
    // token from the previous section is attached to it.
    unauthorizedUser = UserGroupInformation
        .createRemoteUser(containerID.toString());

    RMContainerTokenSecretManager containerTokenSecreteManager =
      resourceManager.getRMContainerTokenSecretManager();
    // Same container id, NM address and resource as the genuine identifier,
    // but with an expiry one millisecond in the past and the id of the RM's
    // current key.
    final ContainerTokenIdentifier newTokenId =
        new ContainerTokenIdentifier(tokenId.getContainerID(),
          tokenId.getNmHostAddress(), "testUser", tokenId.getResource(),
          System.currentTimeMillis() - 1,
          containerTokenSecreteManager.getCurrentKey().getKeyId());
    // The password comes from the RM's own secret manager, so the only thing
    // wrong with this token is its expiry time; this isolates the expiry
    // check from password verification.
    byte[] passowrd =
        containerTokenSecreteManager.createPassword(
            newTokenId);
    // Create a valid token by using the key from the RM.
    token = new Token<ContainerTokenIdentifier>(
        newTokenId.getBytes(), passowrd, new Text(
            containerToken.getKind()), new Text(containerToken.getService()));

    unauthorizedUser.addToken(token);
    unauthorizedUser.doAs(new PrivilegedAction<Void>() {
      @Override
      public Void run() {
        // Proxy to the ContainerManager on the allocated container's node,
        // created as the user that holds the expired token.
        ContainerManager client = (ContainerManager) yarnRPC.getProxy(
            ContainerManager.class, NetUtils
                .createSocketAddr(allocatedContainer.getNodeId().toString()),
            conf);

        LOG.info("Going to contact NM with expired token");
        ContainerLaunchContext context = createContainerLaunchContextForTest(newTokenId);
        StartContainerRequest request = Records.newRecord(StartContainerRequest.class);
        request.setContainerLaunchContext(context);

        //Calling startContainer with an expired token.
        try {
          client.startContainer(request);
          fail("Connection initiation with expired "
              + "token is expected to fail.");
        } catch (Throwable t) {
          // NOTE(review): this also catches whatever fail() throws (an
          // AssertionError if it is JUnit's fail). The test still fails in
          // that case, but through the message assertion below, so the
          // reported reason is a message mismatch. t.getMessage() may also be
          // null, which would surface here as a NullPointerException.
          LOG.info("Got exception : ", t);
          Assert.assertTrue(t.getMessage().contains(
                  "This token is expired. current time is"));
        }

        // Try stopping a container - should not get an expiry error.
        // The call is made with the same expired token attached to the user.
        StopContainerRequest stopRequest = Records.newRecord(StopContainerRequest.class);
        stopRequest.setContainerId(newTokenId.getContainerID());
        try {
          client.stopContainer(stopRequest);
        } catch (Throwable t) {
          // NOTE(review): t is dropped, so the reason stopContainer failed is
          // not visible in the test output.
          fail("Stop Container call should have succeeded");
        }

  // Currently only the required id is set (presumably on the UGI by the RPC
  // layer -- confirm), but iterate through anyway just to be sure.
  // The loop stops at the first ContainerTokenIdentifier it finds; any further
  // ones in the set are ignored, and resultId stays null when none is present.
  // The rest of the method is cut off in this excerpt.
  private ContainerTokenIdentifier selectContainerTokenIdentifier(
      UserGroupInformation remoteUgi) {
    Set<TokenIdentifier> tokenIdentifiers = remoteUgi.getTokenIdentifiers();
    ContainerTokenIdentifier resultId = null;
    for (TokenIdentifier id : tokenIdentifiers) {
      if (id instanceof ContainerTokenIdentifier) {
        resultId = (ContainerTokenIdentifier) id;
        break;
      }

        LOG.debug("Number of TokenIdentifiers in the UGI from RPC: "
            + remoteUgi.getTokenIdentifiers().size());
      }

      // Authorization checks for a start-container request. Each check
      // compares a value from the launch context with the corresponding value
      // in the token identifier found on the caller's UGI. Failures are
      // collected in messageBuilder and flagged through 'unauthorized' instead
      // of stopping at the first mismatch; how 'unauthorized' is acted on lies
      // outside this excerpt.

      // Get the tokenId from the remote user ugi
      ContainerTokenIdentifier tokenId =
          selectContainerTokenIdentifier(remoteUgi);

      if (tokenId == null) {
        // No container token identifier on the caller's UGI, so there is
        // nothing to authorize the request against.
        unauthorized = true;
        messageBuilder
            .append("\nContainerTokenIdentifier cannot be null! Null found for "
                + containerIDStr);
      } else {

        // Is the container coming in with correct user-name?
        if (!tokenId.getApplicationSubmitter().equals(launchContext.getUser())) {
          unauthorized = true;
          messageBuilder.append("\n Expected user-name "
              + tokenId.getApplicationSubmitter() + " but found "
              + launchContext.getUser());
        }

        // Is the container being relaunched? Or did the RPC layer let through
        // a start call whose token was generated from an old secret?
        // NOTE(review): the message below names only the relaunch case, so an
        // old-secret rejection would be reported as a relaunch attempt.
        if (!this.context.getContainerTokenSecretManager()
          .isValidStartContainerRequest(tokenId)) {
          unauthorized = true;
          messageBuilder.append("\n Attempt to relaunch the same " +
              "container with id " + containerIDStr + ".");
        }

        // Ensure the token is not expired.
        // Token expiry is not checked for stopContainer/getContainerStatus
        // The clock is read again when building the message, so the time
        // reported can differ slightly from the one that was compared.
        if (tokenId.getExpiryTimeStamp() < System.currentTimeMillis()) {
          unauthorized = true;
          messageBuilder.append("\nThis token is expired. current time is "
              + System.currentTimeMillis() + " found "
              + tokenId.getExpiryTimeStamp());
        }
       
        // The resource in the launch context must equal the one in the token,
        // so a caller cannot start the container with a resource other than
        // the one the token carries.
        Resource resource = tokenId.getResource();
        if (!resource.equals(launchContext.getResource())) {
          unauthorized = true;
          messageBuilder.append("\nExpected resource " + resource
              + " but found " + launchContext.getResource());
        }

    // TODO: Validate the request
    dispatcher.getEventHandler().handle(
        new ApplicationContainerInitEvent(container));
    // With security enabled, report the successful start to the container
    // token secret manager, identified by the token found on the caller's UGI.
    // NOTE(review): the identifier is passed on without a null check here;
    // presumably a request without one was already rejected earlier in this
    // method -- confirm.
    if (UserGroupInformation.isSecurityEnabled()) {
      ContainerTokenIdentifier tokenId =
          selectContainerTokenIdentifier(remoteUgi);
      this.context.getContainerTokenSecretManager().startContainerSuccessful(
        tokenId);
    }

          refEq(new AuxServicesEvent(
              AuxServicesEventType.APPLICATION_STOP, wa.appId)));

      wa.appResourcesCleanedup();
      // For every container of the application: wait until its token has
      // expired, then check that the secret manager accepts a start request
      // for that identifier again.
      // NOTE(review): presumably the secret manager remembers a started
      // container only until its token expires -- confirm in
      // isValidStartContainerRequest.
      for (Container container : wa.containers) {
        ContainerTokenIdentifier identifier =
            wa.getContainerTokenIdentifier(container.getContainerId());
        waitForContainerTokenToExpire(identifier);
        Assert.assertTrue(wa.context.getContainerTokenSecretManager()
          .isValidStartContainerRequest(identifier));
      }

          refEq(new ApplicationLocalizationEvent(
              LocalizationEventType.DESTROY_APPLICATION_RESOURCES, wa.app)));

      wa.appResourcesCleanedup();
      // For every container of the application: wait until its token has
      // expired, then check that the secret manager accepts a start request
      // for that identifier again.
      // NOTE(review): presumably the secret manager remembers a started
      // container only until its token expires -- confirm in
      // isValidStartContainerRequest.
      for ( Container container : wa.containers) {
        ContainerTokenIdentifier identifier =
            wa.getContainerTokenIdentifier(container.getContainerId());
        waitForContainerTokenToExpire(identifier);
        Assert.assertTrue(wa.context.getContainerTokenSecretManager()
          .isValidStartContainerRequest(identifier));
      }

        ContainerLaunchContext launchContext = recordFactory
            .newRecordInstance(ContainerLaunchContext.class);
        Resource resource = BuilderUtils.newResource(2, 1);
        long currentTime = System.currentTimeMillis();
        String user = "testUser";
        // Token identifier for the first container, built from fixture values:
        // user "testUser", an expiry 10000 ms after now, the value 123 and the
        // literal bytes of "password" as the token password. No secret manager
        // is involved, so the password does not authenticate anything here.
        ContainerTokenIdentifier containerToken = BuilderUtils
            .newContainerTokenIdentifier(BuilderUtils.newContainerToken(
                firstContainerID, InetAddress.getByName("localhost")
                    .getCanonicalHostName(), 1234, user, resource,
                currentTime + 10000, 123, "password".getBytes(), currentTime));
        // Register the container directly in the NM context under its id.
        Container container =
            new ContainerImpl(conf, mockDispatcher, launchContext, null,
              mockMetrics, containerToken);
        this.context.getContainers().put(firstContainerID, container);
      } else if (heartBeatID == 2) {
        // Checks on the RM end
        // NOTE(review): the first assertion counts container statuses,
        // although its message speaks of applications.
        Assert.assertEquals("Number of applications should only be one!", 1,
            nodeStatus.getContainersStatuses().size());
        Assert.assertEquals("Number of container for the app should be one!",
            1, appToContainers.get(appId1).size());

        // Checks on the NM end
        ConcurrentMap<ContainerId, Container> activeContainers =
            this.context.getContainers();
        Assert.assertEquals(1, activeContainers.size());

        // Give another container to the NM.
        ApplicationAttemptId appAttemptID =
            ApplicationAttemptId.newInstance(appId2, 0);
        ContainerId secondContainerID =
            ContainerId.newInstance(appAttemptID, heartBeatID);
        ContainerLaunchContext launchContext = recordFactory
            .newRecordInstance(ContainerLaunchContext.class);
        long currentTime = System.currentTimeMillis();
        String user = "testUser";
        Resource resource = BuilderUtils.newResource(3, 1);
        // Token identifier for the second container, built from fixture
        // values: user "testUser", an expiry 10000 ms after now, the value 123
        // and the literal bytes of "password" as the token password. No secret
        // manager is involved.
        ContainerTokenIdentifier containerToken = BuilderUtils
            .newContainerTokenIdentifier(BuilderUtils.newContainerToken(
                secondContainerID, InetAddress.getByName("localhost")
                    .getCanonicalHostName(), 1234, user, resource,
                currentTime + 10000, 123, "password".getBytes(), currentTime));
        Container container =

    launch.call();
  }

  /**
   * Creates a container token for {@code cId}.
   *
   * <p>The identifier is built for this context's node id and {@code user},
   * with a resource of {@code newResource(1024, 1)}, an expiry 10000 ms from
   * now, the value 123 and {@code DUMMY_RM_IDENTIFIER}. Unlike a hard-coded
   * fixture password, the token password is requested from the context's
   * container token secret manager through {@code retrievePassword}. The rest
   * of the method is cut off in this excerpt.
   *
   * @param cId container the token is created for
   * @throws InvalidToken declared by this method; presumably raised by
   *     {@code retrievePassword} -- confirm
   */
  protected Token createContainerToken(ContainerId cId) throws InvalidToken {
    Resource r = BuilderUtils.newResource(1024, 1);
    ContainerTokenIdentifier containerTokenIdentifier =
        new ContainerTokenIdentifier(cId, context.getNodeId().toString(), user,
          r, System.currentTimeMillis() + 10000L, 123, DUMMY_RM_IDENTIFIER);
    // The token is issued for the same node id the identifier was built with.
    Token containerToken =
        BuilderUtils.newContainerToken(
          context.getNodeId(),
          context.getContainerTokenSecretManager().retrievePassword(
