hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestAMRMTokens.java - hadoop - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package org.apache.hadoop.yarn.server.resourcemanager.security;

 import static org.mockito.Mockito.isA;
 import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.reset;
 import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.verify;

 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.security.PrivilegedAction;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.concurrent.atomic.AtomicReference;

 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.TokenIdentifier;
 import org.apache.hadoop.yarn.api.ApplicationMasterProtocol;
 import org.apache.hadoop.yarn.api.protocolrecords.AllocateRequest;
 import org.apache.hadoop.yarn.api.protocolrecords.AllocateResponse;
 import org.apache.hadoop.yarn.api.protocolrecords.FinishApplicationMasterRequest;
 import org.apache.hadoop.yarn.api.protocolrecords.RegisterApplicationMasterRequest;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.ContainerState;
 import org.apache.hadoop.yarn.api.records.ContainerStatus;
 import org.apache.hadoop.yarn.api.records.FinalApplicationStatus;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.ipc.YarnRPC;
 import org.apache.hadoop.yarn.security.AMRMTokenIdentifier;
 import org.apache.hadoop.yarn.server.resourcemanager.MockAM;
 import org.apache.hadoop.yarn.server.resourcemanager.MockNM;
 import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
 import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
 import org.apache.hadoop.yarn.server.resourcemanager.RMSecretManagerService;
 import org.apache.hadoop.yarn.server.resourcemanager.TestAMAuthorization.MockRMWithAMS;
 import org.apache.hadoop.yarn.server.resourcemanager.TestAMAuthorization.MyContainerManager;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptState;
 import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptContainerFinishedEvent;
 import org.apache.hadoop.yarn.server.security.MasterKeyData;
 import org.apache.hadoop.yarn.server.utils.BuilderUtils;
 import org.apache.hadoop.yarn.util.ConverterUtils;
 import org.apache.hadoop.yarn.util.Records;
 import org.junit.Assert;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.Parameterized;
 import org.junit.runners.Parameterized.Parameters;

 @RunWith(Parameterized.class)
 public class TestAMRMTokens {

   private static final Log LOG = LogFactory.getLog(TestAMRMTokens.class);

   private final Configuration conf;
   private static final int maxWaitAttempts = 50;
   private static final int rolling_interval_sec = 13;
   private static final long am_expire_ms = 4000;

   @Parameters
   public static Collection<Object[]> configs() {
     Configuration conf = new Configuration();
     Configuration confWithSecurity = new Configuration();
     confWithSecurity.set(
       CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
     return Arrays.asList(new Object[][] {{ conf }, { confWithSecurity } });
   }

   public TestAMRMTokens(Configuration conf) {
     this.conf = conf;
     UserGroupInformation.setConfiguration(conf);
   }

   /**
    * Validate that application tokens are unusable after the
    * application-finishes.
    *
    * @throws Exception
    */
   @SuppressWarnings("unchecked")
   @Test
   public void testTokenExpiry() throws Exception {
     conf.setLong(
         YarnConfiguration.RM_AMRM_TOKEN_MASTER_KEY_ROLLING_INTERVAL_SECS,
         YarnConfiguration.
             DEFAULT_RM_AMRM_TOKEN_MASTER_KEY_ROLLING_INTERVAL_SECS);
     conf.setLong(YarnConfiguration.RM_AM_EXPIRY_INTERVAL_MS,
         YarnConfiguration.DEFAULT_RM_AM_EXPIRY_INTERVAL_MS);
     conf.set(YarnConfiguration.RM_SCHEDULER_ADDRESS,
         "0.0.0.0:0");

     MyContainerManager containerManager = new MyContainerManager();
     final MockRMWithAMS rm =
         new MockRMWithAMS(conf, containerManager);
     rm.start();

     final Configuration conf = rm.getConfig();
     final YarnRPC rpc = YarnRPC.create(conf);
     ApplicationMasterProtocol rmClient = null;

     try {
       MockNM nm1 = rm.registerNode("localhost:1234", 5120);

       RMApp app = rm.submitApp(1024);

       nm1.nodeHeartbeat(true);

       int waitCount = 0;
       while (containerManager.containerTokens == null && waitCount++ < 20) {
         LOG.info("Waiting for AM Launch to happen..");
         Thread.sleep(1000);
       }
       Assert.assertNotNull(containerManager.containerTokens);

       RMAppAttempt attempt = app.getCurrentAppAttempt();
       ApplicationAttemptId applicationAttemptId = attempt.getAppAttemptId();

       // Create a client to the RM.
       UserGroupInformation currentUser =
           UserGroupInformation
             .createRemoteUser(applicationAttemptId.toString());
       Credentials credentials = containerManager.getContainerCredentials();
       final InetSocketAddress rmBindAddress =
           rm.getApplicationMasterService().getBindAddress();
       Token<? extends TokenIdentifier> amRMToken =
           MockRMWithAMS.setupAndReturnAMRMToken(rmBindAddress,
             credentials.getAllTokens());
       currentUser.addToken(amRMToken);
       rmClient = createRMClient(rm, conf, rpc, currentUser);

       RegisterApplicationMasterRequest request =
           Records.newRecord(RegisterApplicationMasterRequest.class);
       rmClient.registerApplicationMaster(request);

       FinishApplicationMasterRequest finishAMRequest =
           Records.newRecord(FinishApplicationMasterRequest.class);
       finishAMRequest
         .setFinalApplicationStatus(FinalApplicationStatus.SUCCEEDED);
       finishAMRequest.setDiagnostics("diagnostics");
       finishAMRequest.setTrackingUrl("url");
       rmClient.finishApplicationMaster(finishAMRequest);

       // Send RMAppAttemptEventType.CONTAINER_FINISHED to transit RMAppAttempt
       // from Finishing state to Finished State. Both AMRMToken and
       // ClientToAMToken will be removed.
       ContainerStatus containerStatus =
           BuilderUtils.newContainerStatus(attempt.getMasterContainer().getId(),
               ContainerState.COMPLETE,
               "AM Container Finished", 0,
               attempt.getMasterContainer().getResource());
       rm.getRMContext()
           .getDispatcher()
           .getEventHandler()
           .handle(
               new RMAppAttemptContainerFinishedEvent(applicationAttemptId,
                   containerStatus, nm1.getNodeId()));

       // Make sure the RMAppAttempt is at Finished State.
       // Both AMRMToken and ClientToAMToken have been removed.
       int count = 0;
       while (attempt.getState() != RMAppAttemptState.FINISHED
           && count < maxWaitAttempts) {
         Thread.sleep(100);
         count++;
       }
       Assert.assertTrue(attempt.getState() == RMAppAttemptState.FINISHED);

       // Now simulate trying to allocate. RPC call itself should throw auth
       // exception.
       rpc.stopProxy(rmClient, conf); // To avoid using cached client
       rmClient = createRMClient(rm, conf, rpc, currentUser);
       AllocateRequest allocateRequest =
           Records.newRecord(AllocateRequest.class);
       try {
         rmClient.allocate(allocateRequest);
         Assert.fail("You got to be kidding me! "
             + "Using App tokens after app-finish should fail!");
       } catch (Throwable t) {
         LOG.info("Exception found is ", t);
         // The exception will still have the earlier appAttemptId as it picks it
         // up from the token.
         Assert.assertTrue(t.getCause().getMessage().contains(
           applicationAttemptId.toString()
           + " not found in AMRMTokenSecretManager."));
       }

     } finally {
       rm.stop();
       if (rmClient != null) {
         rpc.stopProxy(rmClient, conf); // To avoid using cached client
       }
     }
   }

   /**
    * Validate master-key-roll-over and that tokens are usable even after
    * master-key-roll-over.
    *
    * @throws Exception
    */
   @Test
   public void testMasterKeyRollOver() throws Exception {

     conf.setLong(
       YarnConfiguration.RM_AMRM_TOKEN_MASTER_KEY_ROLLING_INTERVAL_SECS,
       rolling_interval_sec);
     conf.setLong(YarnConfiguration.RM_AM_EXPIRY_INTERVAL_MS, am_expire_ms);
     conf.set(YarnConfiguration.RM_SCHEDULER_ADDRESS,
         "0.0.0.0:0");
     MyContainerManager containerManager = new MyContainerManager();
     final MockRMWithAMS rm =
         new MockRMWithAMS(conf, containerManager);
     rm.start();
     Long startTime = System.currentTimeMillis();
     final Configuration conf = rm.getConfig();
     final YarnRPC rpc = YarnRPC.create(conf);
     ApplicationMasterProtocol rmClient = null;
     AMRMTokenSecretManager appTokenSecretManager =
         rm.getRMContext().getAMRMTokenSecretManager();
     MasterKeyData oldKey = appTokenSecretManager.getMasterKey();
     Assert.assertNotNull(oldKey);
     try {
       MockNM nm1 = rm.registerNode("localhost:1234", 5120);

       RMApp app = rm.submitApp(1024);

       nm1.nodeHeartbeat(true);

       int waitCount = 0;
       while (containerManager.containerTokens == null && waitCount++ < maxWaitAttempts) {
         LOG.info("Waiting for AM Launch to happen..");
         Thread.sleep(1000);
       }
       Assert.assertNotNull(containerManager.containerTokens);

       RMAppAttempt attempt = app.getCurrentAppAttempt();
       ApplicationAttemptId applicationAttemptId = attempt.getAppAttemptId();

       // Create a client to the RM.
       UserGroupInformation currentUser =
           UserGroupInformation
             .createRemoteUser(applicationAttemptId.toString());
       Credentials credentials = containerManager.getContainerCredentials();
       final InetSocketAddress rmBindAddress =
           rm.getApplicationMasterService().getBindAddress();
       Token<? extends TokenIdentifier> amRMToken =
           MockRMWithAMS.setupAndReturnAMRMToken(rmBindAddress,
             credentials.getAllTokens());
       currentUser.addToken(amRMToken);
       rmClient = createRMClient(rm, conf, rpc, currentUser);

       RegisterApplicationMasterRequest request =
           Records.newRecord(RegisterApplicationMasterRequest.class);
       rmClient.registerApplicationMaster(request);

       // One allocate call.
       AllocateRequest allocateRequest =
           Records.newRecord(AllocateRequest.class);
       Assert.assertTrue(
           rmClient.allocate(allocateRequest).getAMCommand() == null);

       // Wait for enough time and make sure the roll_over happens
       // At mean time, the old AMRMToken should continue to work
       while(System.currentTimeMillis() - startTime < rolling_interval_sec*1000) {
         rmClient.allocate(allocateRequest);
         Thread.sleep(500);
       }

       MasterKeyData newKey = appTokenSecretManager.getMasterKey();
       Assert.assertNotNull(newKey);
       Assert.assertFalse("Master key should have changed!",
         oldKey.equals(newKey));

       // Another allocate call with old AMRMToken. Should continue to work.
       rpc.stopProxy(rmClient, conf); // To avoid using cached client
       rmClient = createRMClient(rm, conf, rpc, currentUser);
       Assert
         .assertTrue(rmClient.allocate(allocateRequest).getAMCommand() == null);

       waitCount = 0;
       while(waitCount++ <= maxWaitAttempts) {
         if (appTokenSecretManager.getCurrnetMasterKeyData() != oldKey) {
           break;
         }
         try {
           rmClient.allocate(allocateRequest);
         } catch (Exception ex) {
           break;
         }
         Thread.sleep(200);
       }
       // active the nextMasterKey, and replace the currentMasterKey
       Assert.assertTrue(appTokenSecretManager.getCurrnetMasterKeyData().equals(newKey));
       Assert.assertTrue(appTokenSecretManager.getMasterKey().equals(newKey));
       Assert.assertTrue(appTokenSecretManager.getNextMasterKeyData() == null);

       // Create a new Token
       Token<AMRMTokenIdentifier> newToken =
           appTokenSecretManager.createAndGetAMRMToken(applicationAttemptId);
       SecurityUtil.setTokenService(newToken, rmBindAddress);
       currentUser.addToken(newToken);
       // Another allocate call. Should continue to work.
       rpc.stopProxy(rmClient, conf); // To avoid using cached client
       rmClient = createRMClient(rm, conf, rpc, currentUser);
       allocateRequest = Records.newRecord(AllocateRequest.class);
       Assert
         .assertTrue(rmClient.allocate(allocateRequest).getAMCommand() == null);

       // Should not work by using the old AMRMToken.
       rpc.stopProxy(rmClient, conf); // To avoid using cached client
       try {
         currentUser.addToken(amRMToken);
         rmClient = createRMClient(rm, conf, rpc, currentUser);
         allocateRequest = Records.newRecord(AllocateRequest.class);
         Assert
           .assertTrue(rmClient.allocate(allocateRequest).getAMCommand() == null);
         Assert.fail("The old Token should not work");
       } catch (Exception ex) {
         // expect exception
       }
     } finally {
       rm.stop();
       if (rmClient != null) {
         rpc.stopProxy(rmClient, conf); // To avoid using cached client
       }
     }
   }

   @Test (timeout = 20000)
   public void testAMRMMasterKeysUpdate() throws Exception {
     final AtomicReference<AMRMTokenSecretManager> spySecretMgrRef =
         new AtomicReference<AMRMTokenSecretManager>();
     MockRM rm = new MockRM(conf) {
       @Override
       protected void doSecureLogin() throws IOException {
         // Skip the login.
       }

       @Override
       protected RMSecretManagerService createRMSecretManagerService() {
         return new RMSecretManagerService(conf, rmContext) {
           @Override
           protected AMRMTokenSecretManager createAMRMTokenSecretManager(
               Configuration conf, RMContext rmContext) {
             AMRMTokenSecretManager spySecretMgr = spy(
                 super.createAMRMTokenSecretManager(conf, rmContext));
             spySecretMgrRef.set(spySecretMgr);
             return spySecretMgr;
           }
         };
       }
     };
     rm.start();
     MockNM nm = rm.registerNode("127.0.0.1:1234", 8000);
     RMApp app = rm.submitApp(200);
     MockAM am = MockRM.launchAndRegisterAM(app, rm, nm);
     AMRMTokenSecretManager spySecretMgr = spySecretMgrRef.get();
     // Do allocate. Should not update AMRMToken
     AllocateResponse response =
         am.allocate(Records.newRecord(AllocateRequest.class));
     Assert.assertNull(response.getAMRMToken());
     Token<AMRMTokenIdentifier> oldToken = rm.getRMContext().getRMApps()
         .get(app.getApplicationId())
         .getRMAppAttempt(am.getApplicationAttemptId()).getAMRMToken();

     // roll over the master key
     // Do allocate again. the AM should get the latest AMRMToken
     rm.getRMContext().getAMRMTokenSecretManager().rollMasterKey();
     response = am.allocate(Records.newRecord(AllocateRequest.class));
     Assert.assertNotNull(response.getAMRMToken());

     Token<AMRMTokenIdentifier> amrmToken =
         ConverterUtils.convertFromYarn(response.getAMRMToken(), new Text(
           response.getAMRMToken().getService()));

     Assert.assertEquals(amrmToken.decodeIdentifier().getKeyId(), rm
       .getRMContext().getAMRMTokenSecretManager().getMasterKey().getMasterKey()
       .getKeyId());

     // Do allocate again with the same old token and verify the RM sends
     // back the last generated token instead of generating it again.
     reset(spySecretMgr);
     UserGroupInformation ugi = UserGroupInformation.createUserForTesting(
         am.getApplicationAttemptId().toString(), new String[0]);
     ugi.addTokenIdentifier(oldToken.decodeIdentifier());
     response = am.doAllocateAs(ugi, Records.newRecord(AllocateRequest.class));
     Assert.assertNotNull(response.getAMRMToken());
     verify(spySecretMgr, never()).createAndGetAMRMToken(isA(ApplicationAttemptId.class));

     // Do allocate again with the updated token and verify we do not
     // receive a new token to use.
     response = am.allocate(Records.newRecord(AllocateRequest.class));
     Assert.assertNull(response.getAMRMToken());

     // Activate the next master key. Since there is new master key generated
     // in AMRMTokenSecretManager. The AMRMToken will not get updated for AM
     rm.getRMContext().getAMRMTokenSecretManager().activateNextMasterKey();
     response = am.allocate(Records.newRecord(AllocateRequest.class));
     Assert.assertNull(response.getAMRMToken());
     rm.stop();
   }

   private ApplicationMasterProtocol createRMClient(final MockRM rm,
       final Configuration conf, final YarnRPC rpc,
       UserGroupInformation currentUser) {
     return currentUser.doAs(new PrivilegedAction<ApplicationMasterProtocol>() {
       @Override
       public ApplicationMasterProtocol run() {
         return (ApplicationMasterProtocol) rpc.getProxy(ApplicationMasterProtocol.class, rm
           .getApplicationMasterService().getBindAddress(), conf);
       }
     });
   }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package org.apache.hadoop.yarn.server.resourcemanager.security;

	import static org.mockito.Mockito.isA;
	import static org.mockito.Mockito.never;
	import static org.mockito.Mockito.reset;
	import static org.mockito.Mockito.spy;
	import static org.mockito.Mockito.verify;

	import java.io.IOException;
	import java.net.InetSocketAddress;
	import java.security.PrivilegedAction;
	import java.util.Arrays;
	import java.util.Collection;
	import java.util.concurrent.atomic.AtomicReference;

	import org.apache.commons.logging.Log;
	import org.apache.commons.logging.LogFactory;
	import org.apache.hadoop.conf.Configuration;
	import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
	import org.apache.hadoop.io.Text;
	import org.apache.hadoop.security.Credentials;
	import org.apache.hadoop.security.SecurityUtil;
	import org.apache.hadoop.security.UserGroupInformation;
	import org.apache.hadoop.security.token.Token;
	import org.apache.hadoop.security.token.TokenIdentifier;
	import org.apache.hadoop.yarn.api.ApplicationMasterProtocol;
	import org.apache.hadoop.yarn.api.protocolrecords.AllocateRequest;
	import org.apache.hadoop.yarn.api.protocolrecords.AllocateResponse;
	import org.apache.hadoop.yarn.api.protocolrecords.FinishApplicationMasterRequest;
	import org.apache.hadoop.yarn.api.protocolrecords.RegisterApplicationMasterRequest;
	import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
	import org.apache.hadoop.yarn.api.records.ContainerState;
	import org.apache.hadoop.yarn.api.records.ContainerStatus;
	import org.apache.hadoop.yarn.api.records.FinalApplicationStatus;
	import org.apache.hadoop.yarn.conf.YarnConfiguration;
	import org.apache.hadoop.yarn.ipc.YarnRPC;
	import org.apache.hadoop.yarn.security.AMRMTokenIdentifier;
	import org.apache.hadoop.yarn.server.resourcemanager.MockAM;
	import org.apache.hadoop.yarn.server.resourcemanager.MockNM;
	import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
	import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
	import org.apache.hadoop.yarn.server.resourcemanager.RMSecretManagerService;
	import org.apache.hadoop.yarn.server.resourcemanager.TestAMAuthorization.MockRMWithAMS;
	import org.apache.hadoop.yarn.server.resourcemanager.TestAMAuthorization.MyContainerManager;
	import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
	import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
	import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptState;
	import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptContainerFinishedEvent;
	import org.apache.hadoop.yarn.server.security.MasterKeyData;
	import org.apache.hadoop.yarn.server.utils.BuilderUtils;
	import org.apache.hadoop.yarn.util.ConverterUtils;
	import org.apache.hadoop.yarn.util.Records;
	import org.junit.Assert;
	import org.junit.Test;
	import org.junit.runner.RunWith;
	import org.junit.runners.Parameterized;
	import org.junit.runners.Parameterized.Parameters;

	@RunWith(Parameterized.class)
	public class TestAMRMTokens {

	private static final Log LOG = LogFactory.getLog(TestAMRMTokens.class);

	private final Configuration conf;
	private static final int maxWaitAttempts = 50;
	private static final int rolling_interval_sec = 13;
	private static final long am_expire_ms = 4000;

	@Parameters
	public static Collection<Object[]> configs() {
	Configuration conf = new Configuration();
	Configuration confWithSecurity = new Configuration();
	confWithSecurity.set(
	CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
	return Arrays.asList(new Object[][] {{ conf }, { confWithSecurity } });
	}

	public TestAMRMTokens(Configuration conf) {
	this.conf = conf;
	UserGroupInformation.setConfiguration(conf);
	}

	/**
	* Validate that application tokens are unusable after the
	* application-finishes.
	*
	* @throws Exception
	*/
	@SuppressWarnings("unchecked")
	@Test
	public void testTokenExpiry() throws Exception {
	conf.setLong(
	YarnConfiguration.RM_AMRM_TOKEN_MASTER_KEY_ROLLING_INTERVAL_SECS,
	YarnConfiguration.
	DEFAULT_RM_AMRM_TOKEN_MASTER_KEY_ROLLING_INTERVAL_SECS);
	conf.setLong(YarnConfiguration.RM_AM_EXPIRY_INTERVAL_MS,
	YarnConfiguration.DEFAULT_RM_AM_EXPIRY_INTERVAL_MS);
	conf.set(YarnConfiguration.RM_SCHEDULER_ADDRESS,
	"0.0.0.0:0");

	MyContainerManager containerManager = new MyContainerManager();
	final MockRMWithAMS rm =
	new MockRMWithAMS(conf, containerManager);
	rm.start();

	final Configuration conf = rm.getConfig();
	final YarnRPC rpc = YarnRPC.create(conf);
	ApplicationMasterProtocol rmClient = null;

	try {
	MockNM nm1 = rm.registerNode("localhost:1234", 5120);

	RMApp app = rm.submitApp(1024);

	nm1.nodeHeartbeat(true);

	int waitCount = 0;
	while (containerManager.containerTokens == null && waitCount++ < 20) {
	LOG.info("Waiting for AM Launch to happen..");
	Thread.sleep(1000);
	}
	Assert.assertNotNull(containerManager.containerTokens);

	RMAppAttempt attempt = app.getCurrentAppAttempt();
	ApplicationAttemptId applicationAttemptId = attempt.getAppAttemptId();

	// Create a client to the RM.
	UserGroupInformation currentUser =
	UserGroupInformation
	.createRemoteUser(applicationAttemptId.toString());
	Credentials credentials = containerManager.getContainerCredentials();
	final InetSocketAddress rmBindAddress =
	rm.getApplicationMasterService().getBindAddress();
	Token<? extends TokenIdentifier> amRMToken =
	MockRMWithAMS.setupAndReturnAMRMToken(rmBindAddress,
	credentials.getAllTokens());
	currentUser.addToken(amRMToken);
	rmClient = createRMClient(rm, conf, rpc, currentUser);

	RegisterApplicationMasterRequest request =
	Records.newRecord(RegisterApplicationMasterRequest.class);
	rmClient.registerApplicationMaster(request);

	FinishApplicationMasterRequest finishAMRequest =
	Records.newRecord(FinishApplicationMasterRequest.class);
	finishAMRequest
	.setFinalApplicationStatus(FinalApplicationStatus.SUCCEEDED);
	finishAMRequest.setDiagnostics("diagnostics");
	finishAMRequest.setTrackingUrl("url");
	rmClient.finishApplicationMaster(finishAMRequest);

	// Send RMAppAttemptEventType.CONTAINER_FINISHED to transit RMAppAttempt
	// from Finishing state to Finished State. Both AMRMToken and
	// ClientToAMToken will be removed.
	ContainerStatus containerStatus =
	BuilderUtils.newContainerStatus(attempt.getMasterContainer().getId(),
	ContainerState.COMPLETE,
	"AM Container Finished", 0,
	attempt.getMasterContainer().getResource());
	rm.getRMContext()
	.getDispatcher()
	.getEventHandler()
	.handle(
	new RMAppAttemptContainerFinishedEvent(applicationAttemptId,
	containerStatus, nm1.getNodeId()));

	// Make sure the RMAppAttempt is at Finished State.
	// Both AMRMToken and ClientToAMToken have been removed.
	int count = 0;
	while (attempt.getState() != RMAppAttemptState.FINISHED
	&& count < maxWaitAttempts) {
	Thread.sleep(100);
	count++;
	}
	Assert.assertTrue(attempt.getState() == RMAppAttemptState.FINISHED);

	// Now simulate trying to allocate. RPC call itself should throw auth
	// exception.
	rpc.stopProxy(rmClient, conf); // To avoid using cached client
	rmClient = createRMClient(rm, conf, rpc, currentUser);
	AllocateRequest allocateRequest =
	Records.newRecord(AllocateRequest.class);
	try {
	rmClient.allocate(allocateRequest);
	Assert.fail("You got to be kidding me! "
	+ "Using App tokens after app-finish should fail!");
	} catch (Throwable t) {
	LOG.info("Exception found is ", t);
	// The exception will still have the earlier appAttemptId as it picks it
	// up from the token.
	Assert.assertTrue(t.getCause().getMessage().contains(
	applicationAttemptId.toString()
	+ " not found in AMRMTokenSecretManager."));
	}

	} finally {
	rm.stop();
	if (rmClient != null) {
	rpc.stopProxy(rmClient, conf); // To avoid using cached client
	}
	}
	}

	/**
	* Validate master-key-roll-over and that tokens are usable even after
	* master-key-roll-over.
	*
	* @throws Exception
	*/
	@Test
	public void testMasterKeyRollOver() throws Exception {

	conf.setLong(
	YarnConfiguration.RM_AMRM_TOKEN_MASTER_KEY_ROLLING_INTERVAL_SECS,
	rolling_interval_sec);
	conf.setLong(YarnConfiguration.RM_AM_EXPIRY_INTERVAL_MS, am_expire_ms);
	conf.set(YarnConfiguration.RM_SCHEDULER_ADDRESS,
	"0.0.0.0:0");
	MyContainerManager containerManager = new MyContainerManager();
	final MockRMWithAMS rm =
	new MockRMWithAMS(conf, containerManager);
	rm.start();
	Long startTime = System.currentTimeMillis();
	final Configuration conf = rm.getConfig();
	final YarnRPC rpc = YarnRPC.create(conf);
	ApplicationMasterProtocol rmClient = null;
	AMRMTokenSecretManager appTokenSecretManager =
	rm.getRMContext().getAMRMTokenSecretManager();
	MasterKeyData oldKey = appTokenSecretManager.getMasterKey();
	Assert.assertNotNull(oldKey);
	try {
	MockNM nm1 = rm.registerNode("localhost:1234", 5120);

	RMApp app = rm.submitApp(1024);

	nm1.nodeHeartbeat(true);

	int waitCount = 0;
	while (containerManager.containerTokens == null && waitCount++ < maxWaitAttempts) {
	LOG.info("Waiting for AM Launch to happen..");
	Thread.sleep(1000);
	}
	Assert.assertNotNull(containerManager.containerTokens);

	RMAppAttempt attempt = app.getCurrentAppAttempt();
	ApplicationAttemptId applicationAttemptId = attempt.getAppAttemptId();

	// Create a client to the RM.
	UserGroupInformation currentUser =
	UserGroupInformation
	.createRemoteUser(applicationAttemptId.toString());
	Credentials credentials = containerManager.getContainerCredentials();
	final InetSocketAddress rmBindAddress =
	rm.getApplicationMasterService().getBindAddress();
	Token<? extends TokenIdentifier> amRMToken =
	MockRMWithAMS.setupAndReturnAMRMToken(rmBindAddress,
	credentials.getAllTokens());
	currentUser.addToken(amRMToken);
	rmClient = createRMClient(rm, conf, rpc, currentUser);

	RegisterApplicationMasterRequest request =
	Records.newRecord(RegisterApplicationMasterRequest.class);
	rmClient.registerApplicationMaster(request);

	// One allocate call.
	AllocateRequest allocateRequest =
	Records.newRecord(AllocateRequest.class);
	Assert.assertTrue(
	rmClient.allocate(allocateRequest).getAMCommand() == null);

	// Wait for enough time and make sure the roll_over happens
	// At mean time, the old AMRMToken should continue to work
	while(System.currentTimeMillis() - startTime < rolling_interval_sec*1000) {
	rmClient.allocate(allocateRequest);
	Thread.sleep(500);
	}

	MasterKeyData newKey = appTokenSecretManager.getMasterKey();
	Assert.assertNotNull(newKey);
	Assert.assertFalse("Master key should have changed!",
	oldKey.equals(newKey));

	// Another allocate call with old AMRMToken. Should continue to work.
	rpc.stopProxy(rmClient, conf); // To avoid using cached client
	rmClient = createRMClient(rm, conf, rpc, currentUser);
	Assert
	.assertTrue(rmClient.allocate(allocateRequest).getAMCommand() == null);

	waitCount = 0;
	while(waitCount++ <= maxWaitAttempts) {
	if (appTokenSecretManager.getCurrnetMasterKeyData() != oldKey) {
	break;
	}
	try {
	rmClient.allocate(allocateRequest);
	} catch (Exception ex) {
	break;
	}
	Thread.sleep(200);
	}
	// active the nextMasterKey, and replace the currentMasterKey
	Assert.assertTrue(appTokenSecretManager.getCurrnetMasterKeyData().equals(newKey));
	Assert.assertTrue(appTokenSecretManager.getMasterKey().equals(newKey));
	Assert.assertTrue(appTokenSecretManager.getNextMasterKeyData() == null);

	// Create a new Token
	Token<AMRMTokenIdentifier> newToken =
	appTokenSecretManager.createAndGetAMRMToken(applicationAttemptId);
	SecurityUtil.setTokenService(newToken, rmBindAddress);
	currentUser.addToken(newToken);
	// Another allocate call. Should continue to work.
	rpc.stopProxy(rmClient, conf); // To avoid using cached client
	rmClient = createRMClient(rm, conf, rpc, currentUser);
	allocateRequest = Records.newRecord(AllocateRequest.class);
	Assert
	.assertTrue(rmClient.allocate(allocateRequest).getAMCommand() == null);

	// Should not work by using the old AMRMToken.
	rpc.stopProxy(rmClient, conf); // To avoid using cached client
	try {
	currentUser.addToken(amRMToken);
	rmClient = createRMClient(rm, conf, rpc, currentUser);
	allocateRequest = Records.newRecord(AllocateRequest.class);
	Assert
	.assertTrue(rmClient.allocate(allocateRequest).getAMCommand() == null);
	Assert.fail("The old Token should not work");
	} catch (Exception ex) {
	// expect exception
	}
	} finally {
	rm.stop();
	if (rmClient != null) {
	rpc.stopProxy(rmClient, conf); // To avoid using cached client
	}
	}
	}

	@Test (timeout = 20000)
	public void testAMRMMasterKeysUpdate() throws Exception {
	final AtomicReference<AMRMTokenSecretManager> spySecretMgrRef =
	new AtomicReference<AMRMTokenSecretManager>();
	MockRM rm = new MockRM(conf) {
	@Override
	protected void doSecureLogin() throws IOException {
	// Skip the login.
	}

	@Override
	protected RMSecretManagerService createRMSecretManagerService() {
	return new RMSecretManagerService(conf, rmContext) {
	@Override
	protected AMRMTokenSecretManager createAMRMTokenSecretManager(
	Configuration conf, RMContext rmContext) {
	AMRMTokenSecretManager spySecretMgr = spy(
	super.createAMRMTokenSecretManager(conf, rmContext));
	spySecretMgrRef.set(spySecretMgr);
	return spySecretMgr;
	}
	};
	}
	};
	rm.start();
	MockNM nm = rm.registerNode("127.0.0.1:1234", 8000);
	RMApp app = rm.submitApp(200);
	MockAM am = MockRM.launchAndRegisterAM(app, rm, nm);
	AMRMTokenSecretManager spySecretMgr = spySecretMgrRef.get();
	// Do allocate. Should not update AMRMToken
	AllocateResponse response =
	am.allocate(Records.newRecord(AllocateRequest.class));
	Assert.assertNull(response.getAMRMToken());
	Token<AMRMTokenIdentifier> oldToken = rm.getRMContext().getRMApps()
	.get(app.getApplicationId())
	.getRMAppAttempt(am.getApplicationAttemptId()).getAMRMToken();

	// roll over the master key
	// Do allocate again. the AM should get the latest AMRMToken
	rm.getRMContext().getAMRMTokenSecretManager().rollMasterKey();
	response = am.allocate(Records.newRecord(AllocateRequest.class));
	Assert.assertNotNull(response.getAMRMToken());

	Token<AMRMTokenIdentifier> amrmToken =
	ConverterUtils.convertFromYarn(response.getAMRMToken(), new Text(
	response.getAMRMToken().getService()));

	Assert.assertEquals(amrmToken.decodeIdentifier().getKeyId(), rm
	.getRMContext().getAMRMTokenSecretManager().getMasterKey().getMasterKey()
	.getKeyId());

	// Do allocate again with the same old token and verify the RM sends
	// back the last generated token instead of generating it again.
	reset(spySecretMgr);
	UserGroupInformation ugi = UserGroupInformation.createUserForTesting(
	am.getApplicationAttemptId().toString(), new String[0]);
	ugi.addTokenIdentifier(oldToken.decodeIdentifier());
	response = am.doAllocateAs(ugi, Records.newRecord(AllocateRequest.class));
	Assert.assertNotNull(response.getAMRMToken());
	verify(spySecretMgr, never()).createAndGetAMRMToken(isA(ApplicationAttemptId.class));

	// Do allocate again with the updated token and verify we do not
	// receive a new token to use.
	response = am.allocate(Records.newRecord(AllocateRequest.class));
	Assert.assertNull(response.getAMRMToken());

	// Activate the next master key. Since there is new master key generated
	// in AMRMTokenSecretManager. The AMRMToken will not get updated for AM
	rm.getRMContext().getAMRMTokenSecretManager().activateNextMasterKey();
	response = am.allocate(Records.newRecord(AllocateRequest.class));
	Assert.assertNull(response.getAMRMToken());
	rm.stop();
	}

	private ApplicationMasterProtocol createRMClient(final MockRM rm,
	final Configuration conf, final YarnRPC rpc,
	UserGroupInformation currentUser) {
	return currentUser.doAs(new PrivilegedAction<ApplicationMasterProtocol>() {
	@Override
	public ApplicationMasterProtocol run() {
	return (ApplicationMasterProtocol) rpc.getProxy(ApplicationMasterProtocol.class, rm
	.getApplicationMasterService().getBindAddress(), conf);
	}
	});
	}
	}