Class NMContainerTokenSecretManager

java.lang.Object
org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.yarn.security.ContainerTokenIdentifier>
org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager
org.apache.hadoop.yarn.server.nodemanager.security.NMContainerTokenSecretManager

public class NMContainerTokenSecretManager extends org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager
The NM maintains only two master keys: the current key that the RM knows and the key from the previous rolling interval.
  • Nested Class Summary

    Nested classes/interfaces inherited from class org.apache.hadoop.security.token.SecretManager

    org.apache.hadoop.security.token.SecretManager.InvalidToken
  • Field Summary

    Fields inherited from class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager

    containerTokenExpiryInterval, currentMasterKey, readLock, readWriteLock, serialNo, writeLock
  • Constructor Summary

    Constructors
    Constructor
    Description
    NMContainerTokenSecretManager(org.apache.hadoop.conf.Configuration conf)
     
    NMContainerTokenSecretManager(org.apache.hadoop.conf.Configuration conf, NMStateStoreService stateStore)
     
  • Method Summary

    Modifier and Type
    Method
    Description
    boolean
    isValidStartContainerRequest(org.apache.hadoop.yarn.security.ContainerTokenIdentifier containerTokenIdentifier)
    Container will be remembered based on expiration time of the container token used for starting the container.
    void
    recover()
     
    protected void
    removeAnyContainerTokenIfExpired()
     
    byte[]
    retrievePassword(org.apache.hadoop.yarn.security.ContainerTokenIdentifier identifier)
    Overridden to validate ContainerTokens that were generated using different MasterKeys.
    void
    setMasterKey(org.apache.hadoop.yarn.server.api.records.MasterKey masterKeyRecord)
    Used by NodeManagers to create a token-secret-manager with the key obtained from the RM.
    void
    setNodeId(org.apache.hadoop.yarn.api.records.NodeId nodeId)
     
    void
    startContainerSuccessful(org.apache.hadoop.yarn.security.ContainerTokenIdentifier tokenId)
    Container start has gone through.

    Methods inherited from class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager

    createIdentifier, createNewMasterKey, createPassword, getCurrentKey, retrievePasswordInternal

    Methods inherited from class org.apache.hadoop.security.token.SecretManager

    checkAvailableForRead, createPassword, createSecretKey, generateSecret, retriableRetrievePassword, update, validateSecretKeyLength

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • NMContainerTokenSecretManager

      public NMContainerTokenSecretManager(org.apache.hadoop.conf.Configuration conf)
    • NMContainerTokenSecretManager

      public NMContainerTokenSecretManager(org.apache.hadoop.conf.Configuration conf, NMStateStoreService stateStore)
  • Method Details

    • recover

      public void recover() throws IOException
      Throws:
      IOException
    • setMasterKey

      @Private public void setMasterKey(org.apache.hadoop.yarn.server.api.records.MasterKey masterKeyRecord)
      Used by NodeManagers to create a token-secret-manager with the key obtained from the RM. This can happen during registration or when the RM rolls the master-key and signals the NM.
      Parameters:
      masterKeyRecord -
    • retrievePassword

      public byte[] retrievePassword(org.apache.hadoop.yarn.security.ContainerTokenIdentifier identifier) throws org.apache.hadoop.security.token.SecretManager.InvalidToken
      Overridden to validate ContainerTokens that were generated using different MasterKeys.
      Overrides:
      retrievePassword in class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager
      Throws:
      org.apache.hadoop.security.token.SecretManager.InvalidToken
    • startContainerSuccessful

      public void startContainerSuccessful(org.apache.hadoop.yarn.security.ContainerTokenIdentifier tokenId)
      Container start has gone through. We need to store the containerId in order to block future container start requests with the same container token. The container token needs to be saved until it expires.
    • removeAnyContainerTokenIfExpired

      protected void removeAnyContainerTokenIfExpired()
    • isValidStartContainerRequest

      public boolean isValidStartContainerRequest(org.apache.hadoop.yarn.security.ContainerTokenIdentifier containerTokenIdentifier)
      Container will be remembered based on the expiration time of the container token used for starting the container. It is safe to use the expiration time because there is a one-to-many mapping between expiration time and containerId.
      Returns:
      true if the current token identifier is not present in cache.
    • setNodeId

      public void setNodeId(org.apache.hadoop.yarn.api.records.NodeId nodeId)
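
The two-master-key validation and the start-once check described on this page, as an added, simplified Java model that is not Hadoop's source code. All class, record and method names in it are hypothetical, and HmacSHA1 and the signed byte layout are assumptions of the sketch; the keys and tokens in `main` are constructed sample values.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
// Simplified model with hypothetical names; not the Hadoop implementation.
public class TwoKeyTokenCheck {
    record Key(int id, String secret) {}
    record Token(String containerId, long expiry, int keyId, byte[] password) {}
    private Key current, previous;  // only two master keys are ever held
    // expiry time -> containers started with a token expiring then (one-to-many)
    private final TreeMap<Long, Set<String>> started = new TreeMap<>();

    static byte[] mac(Key k, String containerId, long expiry) throws Exception {
        Mac m = Mac.getInstance("HmacSHA1");  // algorithm is an assumption of this sketch
        m.init(new SecretKeySpec(k.secret().getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return m.doFinal((containerId + "|" + expiry).getBytes(StandardCharsets.UTF_8));
    }

    void setMasterKey(Key k) {  // a roll demotes the current key to "previous"
        if (current != null && current.id() != k.id()) previous = current;
        current = k;
    }

    boolean acceptStart(Token t, long now) throws Exception {
        started.headMap(now, true).clear();  // forget containers whose tokens expired
        Key k = (current != null && current.id() == t.keyId()) ? current
              : (previous != null && previous.id() == t.keyId()) ? previous : null;
        if (k == null || t.expiry() <= now) return false;  // unknown key or expired token
        if (!MessageDigest.isEqual(mac(k, t.containerId(), t.expiry()), t.password()))
            return false;  // forged or altered token (constant-time comparison)
        // Set.add returns false when this container was already started: a replay
        return started.computeIfAbsent(t.expiry(), e -> new HashSet<>()).add(t.containerId());
    }

    public static void main(String[] args) throws Exception {
        Key k1 = new Key(1, "constructed-secret-1"), k2 = new Key(2, "constructed-secret-2"),
            k3 = new Key(3, "constructed-secret-3");
        TwoKeyTokenCheck nm = new TwoKeyTokenCheck();
        nm.setMasterKey(k1);
        Token a = new Token("container_A", 1000, 1, mac(k1, "container_A", 1000));
        Token b = new Token("container_B", 1000, 1, mac(k1, "container_B", 1000));
        nm.setMasterKey(k2);                          // first roll: key 1 becomes previous
        System.out.println(nm.acceptStart(a, 10));    // token under the previous key, first use
        System.out.println(nm.acceptStart(a, 20));    // the same token presented again
        nm.setMasterKey(k3);                          // second roll: key 1 is no longer held
        System.out.println(nm.acceptStart(b, 30));    // unused token signed with key 1
    }
}
```

Because the replay cache is keyed by expiry time, entries are purged in the same step that makes their tokens unusable, so a dropped entry cannot reopen a replay window. Requires Java 16 or later for records.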