NMContainerTokenSecretManager (Apache Hadoop YARN NodeManager 3.4.1.0-eep-940 API)

java.lang.Object
- org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.yarn.security.ContainerTokenIdentifier>
- - org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager
  - - org.apache.hadoop.yarn.server.nodemanager.security.NMContainerTokenSecretManager

public class NMContainerTokenSecretManager
extends org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager

The NM maintains only two master-keys. The current key that RM knows and the key from the previous rolling-interval.

Nested Class Summary
- Nested classes/interfaces inherited from class org.apache.hadoop.security.token.SecretManager
  org.apache.hadoop.security.token.SecretManager.InvalidToken

Field Summary
- Fields inherited from class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager
  containerTokenExpiryInterval, currentMasterKey, readLock, readWriteLock, serialNo, writeLock

Constructor Summary

Constructors
Constructor	Description
`NMContainerTokenSecretManager(org.apache.hadoop.conf.Configuration conf)`
`NMContainerTokenSecretManager(org.apache.hadoop.conf.Configuration conf, NMStateStoreService stateStore)`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`boolean`	`isValidStartContainerRequest(org.apache.hadoop.yarn.security.ContainerTokenIdentifier containerTokenIdentifier)`	Container will be remembered based on expiration time of the container token used for starting the container.
`void`	`recover()`
`protected void`	`removeAnyContainerTokenIfExpired()`
`byte[]`	`retrievePassword(org.apache.hadoop.yarn.security.ContainerTokenIdentifier identifier)`	Override of this is to validate ContainerTokens generated by using different `MasterKey`s.
`void`	`setMasterKey(org.apache.hadoop.yarn.server.api.records.MasterKey masterKeyRecord)`	Used by NodeManagers to create a token-secret-manager with the key obtained from the RM.
`void`	`setNodeId(org.apache.hadoop.yarn.api.records.NodeId nodeId)`
`void`	`startContainerSuccessful(org.apache.hadoop.yarn.security.ContainerTokenIdentifier tokenId)`	Container start has gone through.

Methods inherited from class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager
createIdentifier, createNewMasterKey, createPassword, getCurrentKey, retrievePasswordInternal

Methods inherited from class org.apache.hadoop.security.token.SecretManager
checkAvailableForRead, createPassword, createSecretKey, generateSecret, retriableRetrievePassword

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Constructor Detail
  - NMContainerTokenSecretManager
```
public NMContainerTokenSecretManager(org.apache.hadoop.conf.Configuration conf)
```
  - NMContainerTokenSecretManager
```
public NMContainerTokenSecretManager(org.apache.hadoop.conf.Configuration conf,
                                     NMStateStoreService stateStore)
```
- Method Detail
  - recover
```
public void recover()
             throws java.io.IOException
```
    Throws:
    
    java.io.IOException
  - setMasterKey
```
@Private
public void setMasterKey(org.apache.hadoop.yarn.server.api.records.MasterKey masterKeyRecord)
```
    Used by NodeManagers to create a token-secret-manager with the key obtained from the RM. This can happen during registration or when the RM rolls the master-key and signals the NM.
    
    Parameters:
    
    masterKeyRecord -
  - retrievePassword
```
public byte[] retrievePassword(org.apache.hadoop.yarn.security.ContainerTokenIdentifier identifier)
                        throws org.apache.hadoop.security.token.SecretManager.InvalidToken
```
    Override of this is to validate ContainerTokens generated by using different MasterKeys.
    
    Overrides:
    
    retrievePassword in class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager
    
    Throws:
    
    org.apache.hadoop.security.token.SecretManager.InvalidToken
  - startContainerSuccessful
```
public void startContainerSuccessful(org.apache.hadoop.yarn.security.ContainerTokenIdentifier tokenId)
```
    Container start has gone through. We need to store the containerId in order to block future container start requests with same container token. This container token needs to be saved till its container token expires.
  - removeAnyContainerTokenIfExpired
```
protected void removeAnyContainerTokenIfExpired()
```
  - isValidStartContainerRequest
```
public boolean isValidStartContainerRequest(org.apache.hadoop.yarn.security.ContainerTokenIdentifier containerTokenIdentifier)
```
    Container will be remembered based on expiration time of the container token used for starting the container. It is safe to use expiration time as there is one to many mapping between expiration time and containerId.
    
    Returns:
    
    true if the current token identifier is not present in cache.
  - setNodeId
```
public void setNodeId(org.apache.hadoop.yarn.api.records.NodeId nodeId)
```

Class NMContainerTokenSecretManager

Nested Class Summary

Nested classes/interfaces inherited from class org.apache.hadoop.security.token.SecretManager

Field Summary

Fields inherited from class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager

Constructor Summary

Method Summary

Methods inherited from class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager

Methods inherited from class org.apache.hadoop.security.token.SecretManager

Methods inherited from class java.lang.Object

Constructor Detail

NMContainerTokenSecretManager

NMContainerTokenSecretManager

Method Detail

recover

setMasterKey

retrievePassword

startContainerSuccessful

removeAnyContainerTokenIfExpired

isValidStartContainerRequest

setNodeId