Package org.apache.hadoop.yarn.server.resourcemanager.security

Class AMRMTokenSecretManager

java.lang.Object

org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.yarn.security.AMRMTokenIdentifier>

org.apache.hadoop.yarn.server.resourcemanager.security.AMRMTokenSecretManager

public class AMRMTokenSecretManager
extends org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.yarn.security.AMRMTokenIdentifier>

AMRM-tokens are per ApplicationAttempt. If users redistribute their tokens, it is their headache, god save them. I mean you are not supposed to distribute keys to your vault, right? Anyways, ResourceManager saves each token locally in memory till application finishes and to a store for restart, so no need to remember master-keys even after rolling them.

Nested Class Summary

Nested classes/interfaces inherited from class org.apache.hadoop.security.token.SecretManager

org.apache.hadoop.security.token.SecretManager.InvalidToken

Constructor Summary

Constructors

Constructor	Description
AMRMTokenSecretManager(org.apache.hadoop.conf.Configuration conf, RMContext rmContext)	Create an AMRMTokenSecretManager.

Method Summary

Modifier and Type	Method	Description
void	activateNextMasterKey()
void	addPersistedPassword(org.apache.hadoop.security.token.Token<org.apache.hadoop.yarn.security.AMRMTokenIdentifier> token)	Populate persisted password of AMRMToken back to AMRMTokenSecretManager.
void	applicationMasterFinished(org.apache.hadoop.yarn.api.records.ApplicationAttemptId appAttemptId)
org.apache.hadoop.security.token.Token<org.apache.hadoop.yarn.security.AMRMTokenIdentifier>	createAndGetAMRMToken(org.apache.hadoop.yarn.api.records.ApplicationAttemptId appAttemptId)
org.apache.hadoop.yarn.security.AMRMTokenIdentifier	createIdentifier()	Creates an empty TokenId to be used for de-serializing an AMRMTokenIdentifier by the RPC layer.
org.apache.hadoop.yarn.server.security.MasterKeyData	createNewMasterKey()
protected byte[]	createPassword(org.apache.hadoop.yarn.security.AMRMTokenIdentifier identifier)
org.apache.hadoop.yarn.server.security.MasterKeyData	getCurrnetMasterKeyData()
org.apache.hadoop.yarn.server.security.MasterKeyData	getMasterKey()
org.apache.hadoop.yarn.server.security.MasterKeyData	getNextMasterKeyData()
void	recover(RMStateStore.RMState state)
byte[]	retrievePassword(org.apache.hadoop.yarn.security.AMRMTokenIdentifier identifier)	Retrieve the password for the given AMRMTokenIdentifier.
void	start()
void	stop()

Methods inherited from class org.apache.hadoop.security.token.SecretManager

checkAvailableForRead, createPassword, createSecretKey, generateSecret, retriableRetrievePassword, update

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

AMRMTokenSecretManager

public AMRMTokenSecretManager(org.apache.hadoop.conf.Configuration conf,
                              RMContext rmContext)

Create an AMRMTokenSecretManager.

Parameters:

conf - configuration.

rmContext - rm context.

Method Detail

start

public void start()

stop

public void stop()

applicationMasterFinished

public void applicationMasterFinished(org.apache.hadoop.yarn.api.records.ApplicationAttemptId appAttemptId)

activateNextMasterKey

public void activateNextMasterKey()

createNewMasterKey

@Private
@VisibleForTesting
public org.apache.hadoop.yarn.server.security.MasterKeyData createNewMasterKey()

createAndGetAMRMToken

public org.apache.hadoop.security.token.Token<org.apache.hadoop.yarn.security.AMRMTokenIdentifier> createAndGetAMRMToken(org.apache.hadoop.yarn.api.records.ApplicationAttemptId appAttemptId)

getMasterKey

@VisibleForTesting
public org.apache.hadoop.yarn.server.security.MasterKeyData getMasterKey()

addPersistedPassword

public void addPersistedPassword(org.apache.hadoop.security.token.Token<org.apache.hadoop.yarn.security.AMRMTokenIdentifier> token)
                          throws java.io.IOException

Populate persisted password of AMRMToken back to AMRMTokenSecretManager.

Parameters:

token - AMRMTokenIdentifier.

Throws:

java.io.IOException - an I/O exception has occurred.

retrievePassword

public byte[] retrievePassword(org.apache.hadoop.yarn.security.AMRMTokenIdentifier identifier)
                        throws org.apache.hadoop.security.token.SecretManager.InvalidToken

Retrieve the password for the given AMRMTokenIdentifier. Used by RPC layer to validate a remote AMRMTokenIdentifier.

Specified by:

retrievePassword in class org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.yarn.security.AMRMTokenIdentifier>

Throws:

org.apache.hadoop.security.token.SecretManager.InvalidToken

createIdentifier

public org.apache.hadoop.yarn.security.AMRMTokenIdentifier createIdentifier()

Creates an empty TokenId to be used for de-serializing an AMRMTokenIdentifier by the RPC layer.

Specified by:

createIdentifier in class org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.yarn.security.AMRMTokenIdentifier>

getCurrnetMasterKeyData

@Private
@VisibleForTesting
public org.apache.hadoop.yarn.server.security.MasterKeyData getCurrnetMasterKeyData()

getNextMasterKeyData

@Private
@VisibleForTesting
public org.apache.hadoop.yarn.server.security.MasterKeyData getNextMasterKeyData()

createPassword

@Private
protected byte[] createPassword(org.apache.hadoop.yarn.security.AMRMTokenIdentifier identifier)

Specified by:

createPassword in class org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.yarn.security.AMRMTokenIdentifier>

recover

public void recover(RMStateStore.RMState state)