| /** |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package org.apache.hadoop.yarn.server.resourcemanager.security; |
| |
| import java.util.HashSet; |
| import java.util.Iterator; |
| import java.util.Timer; |
| import java.util.TimerTask; |
| import java.util.concurrent.ConcurrentHashMap; |
| |
| import org.apache.commons.logging.Log; |
| import org.apache.commons.logging.LogFactory; |
| import org.apache.hadoop.classification.InterfaceAudience.Private; |
| import org.apache.hadoop.conf.Configuration; |
| import org.apache.hadoop.yarn.api.records.ApplicationAttemptId; |
| import org.apache.hadoop.yarn.api.records.Container; |
| import org.apache.hadoop.yarn.api.records.NMToken; |
| import org.apache.hadoop.yarn.api.records.NodeId; |
| import org.apache.hadoop.yarn.api.records.Token; |
| import org.apache.hadoop.yarn.conf.YarnConfiguration; |
| import org.apache.hadoop.yarn.server.api.records.MasterKey; |
| import org.apache.hadoop.yarn.server.security.BaseNMTokenSecretManager; |
| import org.apache.hadoop.yarn.server.security.MasterKeyData; |
| |
| import com.google.common.annotations.VisibleForTesting; |
| |
| |
| public class NMTokenSecretManagerInRM extends BaseNMTokenSecretManager { |
| |
| private static Log LOG = LogFactory |
| .getLog(NMTokenSecretManagerInRM.class); |
| |
| private MasterKeyData nextMasterKey; |
| private Configuration conf; |
| |
| private final Timer timer; |
| private final long rollingInterval; |
| private final long activationDelay; |
| private final ConcurrentHashMap<ApplicationAttemptId, HashSet<NodeId>> appAttemptToNodeKeyMap; |
| |
| public NMTokenSecretManagerInRM(Configuration conf) { |
| this.conf = conf; |
| timer = new Timer(); |
| rollingInterval = this.conf.getLong( |
| YarnConfiguration.RM_NMTOKEN_MASTER_KEY_ROLLING_INTERVAL_SECS, |
| YarnConfiguration.DEFAULT_RM_NMTOKEN_MASTER_KEY_ROLLING_INTERVAL_SECS) |
| * 1000; |
| // Add an activation delay. This is to address the following race: RM may |
| // roll over master-key, scheduling may happen at some point of time, an |
| // NMToken created with a password generated off new master key, but NM |
| // might not have come again to RM to update the shared secret: so AM has a |
| // valid password generated off new secret but NM doesn't know about the |
| // secret yet. |
| // Adding delay = 1.5 * expiry interval makes sure that all active NMs get |
| // the updated shared-key. |
| this.activationDelay = |
| (long) (conf.getLong(YarnConfiguration.RM_NM_EXPIRY_INTERVAL_MS, |
| YarnConfiguration.DEFAULT_RM_NM_EXPIRY_INTERVAL_MS) * 1.5); |
| LOG.info("NMTokenKeyRollingInterval: " + this.rollingInterval |
| + "ms and NMTokenKeyActivationDelay: " + this.activationDelay |
| + "ms"); |
| if (rollingInterval <= activationDelay * 2) { |
| throw new IllegalArgumentException( |
| YarnConfiguration.RM_NMTOKEN_MASTER_KEY_ROLLING_INTERVAL_SECS |
| + " should be more than 3 X " |
| + YarnConfiguration.RM_NM_EXPIRY_INTERVAL_MS); |
| } |
| appAttemptToNodeKeyMap = |
| new ConcurrentHashMap<ApplicationAttemptId, HashSet<NodeId>>(); |
| } |
| |
| /** |
| * Creates a new master-key and sets it as the primary. |
| */ |
| @Private |
| public void rollMasterKey() { |
| super.writeLock.lock(); |
| try { |
| LOG.info("Rolling master-key for nm-tokens"); |
| if (this.currentMasterKey == null) { // Setting up for the first time. |
| this.currentMasterKey = createNewMasterKey(); |
| } else { |
| this.nextMasterKey = createNewMasterKey(); |
| LOG.info("Going to activate master-key with key-id " |
| + this.nextMasterKey.getMasterKey().getKeyId() + " in " |
| + this.activationDelay + "ms"); |
| this.timer.schedule(new NextKeyActivator(), this.activationDelay); |
| } |
| } finally { |
| super.writeLock.unlock(); |
| } |
| } |
| |
| @Private |
| public MasterKey getNextKey() { |
| super.readLock.lock(); |
| try { |
| if (this.nextMasterKey == null) { |
| return null; |
| } else { |
| return this.nextMasterKey.getMasterKey(); |
| } |
| } finally { |
| super.readLock.unlock(); |
| } |
| } |
| |
| /** |
| * Activate the new master-key |
| */ |
| @Private |
| public void activateNextMasterKey() { |
| super.writeLock.lock(); |
| try { |
| LOG.info("Activating next master key with id: " |
| + this.nextMasterKey.getMasterKey().getKeyId()); |
| this.currentMasterKey = this.nextMasterKey; |
| this.nextMasterKey = null; |
| clearApplicationNMTokenKeys(); |
| } finally { |
| super.writeLock.unlock(); |
| } |
| } |
| |
| public void clearNodeSetForAttempt(ApplicationAttemptId attemptId) { |
| super.writeLock.lock(); |
| try { |
| HashSet<NodeId> nodeSet = this.appAttemptToNodeKeyMap.get(attemptId); |
| if (nodeSet != null) { |
| LOG.info("Clear node set for " + attemptId); |
| nodeSet.clear(); |
| } |
| } finally { |
| super.writeLock.unlock(); |
| } |
| } |
| |
| private void clearApplicationNMTokenKeys() { |
| // We should clear all node entries from this set. |
| // TODO : Once we have per node master key then it will change to only |
| // remove specific node from it. |
| Iterator<HashSet<NodeId>> nodeSetI = |
| this.appAttemptToNodeKeyMap.values().iterator(); |
| while (nodeSetI.hasNext()) { |
| nodeSetI.next().clear(); |
| } |
| } |
| |
| public void start() { |
| rollMasterKey(); |
| this.timer.scheduleAtFixedRate(new MasterKeyRoller(), rollingInterval, |
| rollingInterval); |
| } |
| |
| public void stop() { |
| this.timer.cancel(); |
| } |
| |
| private class MasterKeyRoller extends TimerTask { |
| @Override |
| public void run() { |
| rollMasterKey(); |
| } |
| } |
| |
| private class NextKeyActivator extends TimerTask { |
| @Override |
| public void run() { |
| // Activation will happen after an absolute time interval. It will be good |
| // if we can force activation after an NM updates and acknowledges a |
| // roll-over. But that is only possible when we move to per-NM keys. TODO: |
| activateNextMasterKey(); |
| } |
| } |
| |
| public NMToken createAndGetNMToken(String applicationSubmitter, |
| ApplicationAttemptId appAttemptId, Container container) { |
| try { |
| this.writeLock.lock(); |
| HashSet<NodeId> nodeSet = this.appAttemptToNodeKeyMap.get(appAttemptId); |
| NMToken nmToken = null; |
| if (nodeSet != null) { |
| if (!nodeSet.contains(container.getNodeId())) { |
| LOG.info("Sending NMToken for nodeId : " + container.getNodeId() |
| + " for container : " + container.getId()); |
| Token token = |
| createNMToken(container.getId().getApplicationAttemptId(), |
| container.getNodeId(), applicationSubmitter); |
| nmToken = NMToken.newInstance(container.getNodeId(), token); |
| nodeSet.add(container.getNodeId()); |
| } |
| } |
| return nmToken; |
| } finally { |
| this.writeLock.unlock(); |
| } |
| } |
| |
| public void registerApplicationAttempt(ApplicationAttemptId appAttemptId) { |
| try { |
| this.writeLock.lock(); |
| this.appAttemptToNodeKeyMap.put(appAttemptId, new HashSet<NodeId>()); |
| } finally { |
| this.writeLock.unlock(); |
| } |
| } |
| |
| @Private |
| @VisibleForTesting |
| public boolean isApplicationAttemptRegistered( |
| ApplicationAttemptId appAttemptId) { |
| try { |
| this.readLock.lock(); |
| return this.appAttemptToNodeKeyMap.containsKey(appAttemptId); |
| } finally { |
| this.readLock.unlock(); |
| } |
| } |
| |
| @Private |
| @VisibleForTesting |
| public boolean isApplicationAttemptNMTokenPresent( |
| ApplicationAttemptId appAttemptId, NodeId nodeId) { |
| try { |
| this.readLock.lock(); |
| HashSet<NodeId> nodes = this.appAttemptToNodeKeyMap.get(appAttemptId); |
| if (nodes != null && nodes.contains(nodeId)) { |
| return true; |
| } else { |
| return false; |
| } |
| } finally { |
| this.readLock.unlock(); |
| } |
| } |
| |
| public void unregisterApplicationAttempt(ApplicationAttemptId appAttemptId) { |
| try { |
| this.writeLock.lock(); |
| this.appAttemptToNodeKeyMap.remove(appAttemptId); |
| } finally { |
| this.writeLock.unlock(); |
| } |
| } |
| |
| /** |
| * This is to be called when NodeManager reconnects or goes down. This will |
| * remove if NMTokens if present for any running application from cache. |
| * @param nodeId |
| */ |
| public void removeNodeKey(NodeId nodeId) { |
| try { |
| this.writeLock.lock(); |
| Iterator<HashSet<NodeId>> appNodeKeySetIterator = |
| this.appAttemptToNodeKeyMap.values().iterator(); |
| while (appNodeKeySetIterator.hasNext()) { |
| appNodeKeySetIterator.next().remove(nodeId); |
| } |
| } finally { |
| this.writeLock.unlock(); |
| } |
| } |
| } |