hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-tests/src/test/java/org/apache/hadoop/yarn/server/TestRMNMSecretKeys.java - hadoop - Git at Google

 /**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

 package org.apache.hadoop.yarn.server;

 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.channels.FileChannel;
 import java.nio.charset.StandardCharsets;
 import java.util.UUID;

 import org.junit.AfterClass;
 import org.junit.Assert;
 import org.junit.BeforeClass;
 import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.event.Dispatcher;
 import org.apache.hadoop.yarn.event.DrainDispatcher;
 import org.apache.hadoop.yarn.server.api.protocolrecords.NodeHeartbeatResponse;
 import org.apache.hadoop.yarn.server.api.protocolrecords.RegisterNodeManagerResponse;
 import org.apache.hadoop.yarn.server.api.records.MasterKey;
 import org.apache.hadoop.yarn.server.resourcemanager.MockNM;
 import org.apache.hadoop.yarn.server.resourcemanager.ResourceManager;
 import org.junit.Test;

 public class TestRMNMSecretKeys {
   private static final String KRB5_CONF = "java.security.krb5.conf";
   private static final File KRB5_CONF_ROOT_DIR = new File(
       System.getProperty("test.build.dir", "target/test-dir"),
           UUID.randomUUID().toString());

   @BeforeClass
   public static void setup() throws IOException {
     KRB5_CONF_ROOT_DIR.mkdir();
     File krb5ConfFile = new File(KRB5_CONF_ROOT_DIR, "krb5.conf");
     krb5ConfFile.createNewFile();
     String content = "[libdefaults]\n" +
         "    default_realm = APACHE.ORG\n" +
         "    udp_preference_limit = 1\n"+
         "    extra_addresses = 127.0.0.1\n" +
         "[realms]\n" +
         "    APACHE.ORG = {\n" +
         "        admin_server = localhost:88\n" +
         "        kdc = localhost:88\n}\n" +
         "[domain_realm]\n" +
         "    localhost = APACHE.ORG";
     writeFile(content, krb5ConfFile);
     System.setProperty(KRB5_CONF, krb5ConfFile.getAbsolutePath());
   }

   private static void writeFile(String content, File file) throws IOException {
     FileOutputStream outputStream = new FileOutputStream(file);
     FileChannel fc = outputStream.getChannel();

     ByteBuffer buffer =
         ByteBuffer.wrap(content.getBytes(StandardCharsets.UTF_8));
     fc.write(buffer);
     outputStream.close();
   }

   @AfterClass
   public static void tearDown() throws IOException {
     KRB5_CONF_ROOT_DIR.delete();
   }

   @Test(timeout = 1000000)
   public void testNMUpdation() throws Exception {
     YarnConfiguration conf = new YarnConfiguration();
     // validating RM NM keys for Unsecured environment
     validateRMNMKeyExchange(conf);

     // validating RM NM keys for secured environment
     conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
         "kerberos");
     UserGroupInformation.setConfiguration(conf);
     validateRMNMKeyExchange(conf);
   }

   private void validateRMNMKeyExchange(YarnConfiguration conf) throws Exception {
     // Default rolling and activation intervals are large enough, no need to
     // intervene
     final DrainDispatcher dispatcher = new DrainDispatcher();
     ResourceManager rm = new ResourceManager() {

       @Override
       protected void doSecureLogin() throws IOException {
         // Do nothing.
       }

       @Override
       protected Dispatcher createDispatcher() {
         return dispatcher;
       }
       @Override
       protected void startWepApp() {
         // Don't need it, skip.
       }
     };
     rm.init(conf);
     rm.start();

     // Testing ContainerToken and NMToken
     String containerToken = "Container Token : ";
     String nmToken = "NM Token : ";

     MockNM nm = new MockNM("host:1234", 3072, rm.getResourceTrackerService());
     RegisterNodeManagerResponse registrationResponse = nm.registerNode();

     MasterKey containerTokenMasterKey =
         registrationResponse.getContainerTokenMasterKey();
     Assert.assertNotNull(containerToken
         + "Registration should cause a key-update!", containerTokenMasterKey);
     MasterKey nmTokenMasterKey = registrationResponse.getNMTokenMasterKey();
     Assert.assertNotNull(nmToken
         + "Registration should cause a key-update!", nmTokenMasterKey);

     dispatcher.await();

     NodeHeartbeatResponse response = nm.nodeHeartbeat(true);
     Assert.assertNull(containerToken +
         "First heartbeat after registration shouldn't get any key updates!",
         response.getContainerTokenMasterKey());
     Assert.assertNull(nmToken +
         "First heartbeat after registration shouldn't get any key updates!",
         response.getNMTokenMasterKey());
     dispatcher.await();

     response = nm.nodeHeartbeat(true);
     Assert.assertNull(containerToken +
         "Even second heartbeat after registration shouldn't get any key updates!",
         response.getContainerTokenMasterKey());
     Assert.assertNull(nmToken +
         "Even second heartbeat after registration shouldn't get any key updates!",
         response.getContainerTokenMasterKey());

     dispatcher.await();

     // Let's force a roll-over
     rm.getRMContext().getContainerTokenSecretManager().rollMasterKey();
     rm.getRMContext().getNMTokenSecretManager().rollMasterKey();

     // Heartbeats after roll-over and before activation should be fine.
     response = nm.nodeHeartbeat(true);
     Assert.assertNotNull(containerToken +
         "Heartbeats after roll-over and before activation should not err out.",
         response.getContainerTokenMasterKey());
     Assert.assertNotNull(nmToken +
         "Heartbeats after roll-over and before activation should not err out.",
         response.getNMTokenMasterKey());

     Assert.assertEquals(containerToken +
         "Roll-over should have incremented the key-id only by one!",
         containerTokenMasterKey.getKeyId() + 1,
         response.getContainerTokenMasterKey().getKeyId());
     Assert.assertEquals(nmToken +
         "Roll-over should have incremented the key-id only by one!",
         nmTokenMasterKey.getKeyId() + 1,
         response.getNMTokenMasterKey().getKeyId());
     dispatcher.await();

     response = nm.nodeHeartbeat(true);
     Assert.assertNull(containerToken +
         "Second heartbeat after roll-over shouldn't get any key updates!",
         response.getContainerTokenMasterKey());
     Assert.assertNull(nmToken +
         "Second heartbeat after roll-over shouldn't get any key updates!",
         response.getNMTokenMasterKey());
     dispatcher.await();

     // Let's force activation
     rm.getRMContext().getContainerTokenSecretManager().activateNextMasterKey();
     rm.getRMContext().getNMTokenSecretManager().activateNextMasterKey();

     response = nm.nodeHeartbeat(true);
     Assert.assertNull(containerToken
         + "Activation shouldn't cause any key updates!",
         response.getContainerTokenMasterKey());
     Assert.assertNull(nmToken
         + "Activation shouldn't cause any key updates!",
         response.getNMTokenMasterKey());
     dispatcher.await();

     response = nm.nodeHeartbeat(true);
     Assert.assertNull(containerToken +
         "Even second heartbeat after activation shouldn't get any key updates!",
         response.getContainerTokenMasterKey());
     Assert.assertNull(nmToken +
         "Even second heartbeat after activation shouldn't get any key updates!",
         response.getNMTokenMasterKey());
     dispatcher.await();

     rm.stop();
   }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package org.apache.hadoop.yarn.server;

	import java.io.File;
	import java.io.FileOutputStream;
	import java.io.IOException;
	import java.nio.ByteBuffer;
	import java.nio.channels.FileChannel;
	import java.nio.charset.StandardCharsets;
	import java.util.UUID;

	import org.junit.AfterClass;
	import org.junit.Assert;
	import org.junit.BeforeClass;
	import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
	import org.apache.hadoop.security.UserGroupInformation;
	import org.apache.hadoop.yarn.conf.YarnConfiguration;
	import org.apache.hadoop.yarn.event.Dispatcher;
	import org.apache.hadoop.yarn.event.DrainDispatcher;
	import org.apache.hadoop.yarn.server.api.protocolrecords.NodeHeartbeatResponse;
	import org.apache.hadoop.yarn.server.api.protocolrecords.RegisterNodeManagerResponse;
	import org.apache.hadoop.yarn.server.api.records.MasterKey;
	import org.apache.hadoop.yarn.server.resourcemanager.MockNM;
	import org.apache.hadoop.yarn.server.resourcemanager.ResourceManager;
	import org.junit.Test;

	public class TestRMNMSecretKeys {
	private static final String KRB5_CONF = "java.security.krb5.conf";
	private static final File KRB5_CONF_ROOT_DIR = new File(
	System.getProperty("test.build.dir", "target/test-dir"),
	UUID.randomUUID().toString());

	@BeforeClass
	public static void setup() throws IOException {
	KRB5_CONF_ROOT_DIR.mkdir();
	File krb5ConfFile = new File(KRB5_CONF_ROOT_DIR, "krb5.conf");
	krb5ConfFile.createNewFile();
	String content = "[libdefaults]\n" +
	" default_realm = APACHE.ORG\n" +
	" udp_preference_limit = 1\n"+
	" extra_addresses = 127.0.0.1\n" +
	"[realms]\n" +
	" APACHE.ORG = {\n" +
	" admin_server = localhost:88\n" +
	" kdc = localhost:88\n}\n" +
	"[domain_realm]\n" +
	" localhost = APACHE.ORG";
	writeFile(content, krb5ConfFile);
	System.setProperty(KRB5_CONF, krb5ConfFile.getAbsolutePath());
	}

	private static void writeFile(String content, File file) throws IOException {
	FileOutputStream outputStream = new FileOutputStream(file);
	FileChannel fc = outputStream.getChannel();

	ByteBuffer buffer =
	ByteBuffer.wrap(content.getBytes(StandardCharsets.UTF_8));
	fc.write(buffer);
	outputStream.close();
	}

	@AfterClass
	public static void tearDown() throws IOException {
	KRB5_CONF_ROOT_DIR.delete();
	}

	@Test(timeout = 1000000)
	public void testNMUpdation() throws Exception {
	YarnConfiguration conf = new YarnConfiguration();
	// validating RM NM keys for Unsecured environment
	validateRMNMKeyExchange(conf);

	// validating RM NM keys for secured environment
	conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
	"kerberos");
	UserGroupInformation.setConfiguration(conf);
	validateRMNMKeyExchange(conf);
	}

	private void validateRMNMKeyExchange(YarnConfiguration conf) throws Exception {
	// Default rolling and activation intervals are large enough, no need to
	// intervene
	final DrainDispatcher dispatcher = new DrainDispatcher();
	ResourceManager rm = new ResourceManager() {

	@Override
	protected void doSecureLogin() throws IOException {
	// Do nothing.
	}

	@Override
	protected Dispatcher createDispatcher() {
	return dispatcher;
	}
	@Override
	protected void startWepApp() {
	// Don't need it, skip.
	}
	};
	rm.init(conf);
	rm.start();

	// Testing ContainerToken and NMToken
	String containerToken = "Container Token : ";
	String nmToken = "NM Token : ";

	MockNM nm = new MockNM("host:1234", 3072, rm.getResourceTrackerService());
	RegisterNodeManagerResponse registrationResponse = nm.registerNode();

	MasterKey containerTokenMasterKey =
	registrationResponse.getContainerTokenMasterKey();
	Assert.assertNotNull(containerToken
	+ "Registration should cause a key-update!", containerTokenMasterKey);
	MasterKey nmTokenMasterKey = registrationResponse.getNMTokenMasterKey();
	Assert.assertNotNull(nmToken
	+ "Registration should cause a key-update!", nmTokenMasterKey);

	dispatcher.await();

	NodeHeartbeatResponse response = nm.nodeHeartbeat(true);
	Assert.assertNull(containerToken +
	"First heartbeat after registration shouldn't get any key updates!",
	response.getContainerTokenMasterKey());
	Assert.assertNull(nmToken +
	"First heartbeat after registration shouldn't get any key updates!",
	response.getNMTokenMasterKey());
	dispatcher.await();

	response = nm.nodeHeartbeat(true);
	Assert.assertNull(containerToken +
	"Even second heartbeat after registration shouldn't get any key updates!",
	response.getContainerTokenMasterKey());
	Assert.assertNull(nmToken +
	"Even second heartbeat after registration shouldn't get any key updates!",
	response.getContainerTokenMasterKey());

	dispatcher.await();

	// Let's force a roll-over
	rm.getRMContext().getContainerTokenSecretManager().rollMasterKey();
	rm.getRMContext().getNMTokenSecretManager().rollMasterKey();

	// Heartbeats after roll-over and before activation should be fine.
	response = nm.nodeHeartbeat(true);
	Assert.assertNotNull(containerToken +
	"Heartbeats after roll-over and before activation should not err out.",
	response.getContainerTokenMasterKey());
	Assert.assertNotNull(nmToken +
	"Heartbeats after roll-over and before activation should not err out.",
	response.getNMTokenMasterKey());

	Assert.assertEquals(containerToken +
	"Roll-over should have incremented the key-id only by one!",
	containerTokenMasterKey.getKeyId() + 1,
	response.getContainerTokenMasterKey().getKeyId());
	Assert.assertEquals(nmToken +
	"Roll-over should have incremented the key-id only by one!",
	nmTokenMasterKey.getKeyId() + 1,
	response.getNMTokenMasterKey().getKeyId());
	dispatcher.await();

	response = nm.nodeHeartbeat(true);
	Assert.assertNull(containerToken +
	"Second heartbeat after roll-over shouldn't get any key updates!",
	response.getContainerTokenMasterKey());
	Assert.assertNull(nmToken +
	"Second heartbeat after roll-over shouldn't get any key updates!",
	response.getNMTokenMasterKey());
	dispatcher.await();

	// Let's force activation
	rm.getRMContext().getContainerTokenSecretManager().activateNextMasterKey();
	rm.getRMContext().getNMTokenSecretManager().activateNextMasterKey();

	response = nm.nodeHeartbeat(true);
	Assert.assertNull(containerToken
	+ "Activation shouldn't cause any key updates!",
	response.getContainerTokenMasterKey());
	Assert.assertNull(nmToken
	+ "Activation shouldn't cause any key updates!",
	response.getNMTokenMasterKey());
	dispatcher.await();

	response = nm.nodeHeartbeat(true);
	Assert.assertNull(containerToken +
	"Even second heartbeat after activation shouldn't get any key updates!",
	response.getContainerTokenMasterKey());
	Assert.assertNull(nmToken +
	"Even second heartbeat after activation shouldn't get any key updates!",
	response.getNMTokenMasterKey());
	dispatcher.await();

	rm.stop();
	}
	}