Class AMRMTokenSecretManager

java.lang.Object
org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.yarn.security.AMRMTokenIdentifier>
org.apache.hadoop.yarn.server.resourcemanager.security.AMRMTokenSecretManager

public class AMRMTokenSecretManager extends org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.yarn.security.AMRMTokenIdentifier>
AMRM-tokens are per ApplicationAttempt. If users redistribute their tokens, it is their headache, god save them. I mean you are not supposed to distribute keys to your vault, right? Anyways, the ResourceManager saves each token locally in memory until the application finishes, and to a store for restart, so there is no need to remember master-keys even after rolling them.
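A stand-alone model of the behaviour the class description states, added here as an example and not Hadoop's own code: one password per application attempt, kept in memory until the attempt finishes, so a master-key roll does not invalidate tokens already issued. The class `AttemptTokenModel`, its method names, the HmacSHA256 choice and the attempt ids are assumptions of this example; persistence to a store for restart is left out.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical model, not a Hadoop class: one password per application attempt.
public class AttemptTokenModel {
    private final SecureRandom rng = new SecureRandom();
    private final Map<String, byte[]> passwords = new ConcurrentHashMap<>();
    private byte[] masterKey = newKey();

    private byte[] newKey() { byte[] k = new byte[32]; rng.nextBytes(k); return k; }

    // Rolling replaces the signing key; passwords already issued stay in the map.
    public synchronized void rollMasterKey() { masterKey = newKey(); }

    // Password = HMAC(master key, attempt id); HmacSHA256 is this example's choice.
    public synchronized byte[] createToken(String attemptId) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(masterKey, "HmacSHA256"));
        byte[] pw = mac.doFinal(attemptId.getBytes(StandardCharsets.UTF_8));
        passwords.put(attemptId, pw);
        return pw.clone();
    }

    // Lookup by attempt id with a constant-time compare; unknown or finished attempts fail.
    public boolean validate(String attemptId, byte[] presented) {
        byte[] expected = passwords.get(attemptId);
        return expected != null && MessageDigest.isEqual(expected, presented);
    }

    // Dropping the entry revokes the token for that attempt.
    public void attemptFinished(String attemptId) { passwords.remove(attemptId); }

    public static void main(String[] args) throws Exception {
        AttemptTokenModel m = new AttemptTokenModel();
        String a1 = "appattempt_0000000000001_0001_000001"; // constructed id
        String a2 = "appattempt_0000000000001_0002_000001"; // constructed id
        byte[] t1 = m.createToken(a1);
        m.rollMasterKey();
        byte[] t2 = m.createToken(a2);
        System.out.println("a1 valid after key roll:   " + m.validate(a1, t1));
        System.out.println("a1 token accepted for a2:  " + m.validate(a2, t1));
        m.attemptFinished(a1);
        System.out.println("a1 valid after finish:     " + m.validate(a1, t1));
        System.out.println("a2 still valid:            " + m.validate(a2, t2));
    }
}
```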
  • Nested Class Summary

    Nested classes/interfaces inherited from class org.apache.hadoop.security.token.SecretManager

    org.apache.hadoop.security.token.SecretManager.InvalidToken
  • Constructor Summary

    Constructors
    Constructor
    Description
    AMRMTokenSecretManager(org.apache.hadoop.conf.Configuration conf, RMContext rmContext)
  • Method Summary

    Modifier and Type
    Method
    Description
    void
    activateNextMasterKey()
     
    void
    addPersistedPassword(org.apache.hadoop.security.token.Token<org.apache.hadoop.yarn.security.AMRMTokenIdentifier> token)
    Populate persisted password of AMRMToken back to AMRMTokenSecretManager.
    void
    applicationMasterFinished(org.apache.hadoop.yarn.api.records.ApplicationAttemptId appAttemptId)
     
    org.apache.hadoop.security.token.Token<org.apache.hadoop.yarn.security.AMRMTokenIdentifier>
    createAndGetAMRMToken(org.apache.hadoop.yarn.api.records.ApplicationAttemptId appAttemptId)
     
    org.apache.hadoop.yarn.security.AMRMTokenIdentifier
    createIdentifier()
    Creates an empty TokenId to be used for de-serializing an AMRMTokenIdentifier by the RPC layer.
    org.apache.hadoop.yarn.server.security.MasterKeyData
    createNewMasterKey()
     
    protected byte[]
    createPassword(org.apache.hadoop.yarn.security.AMRMTokenIdentifier identifier)
     
    org.apache.hadoop.yarn.server.security.MasterKeyData
    getCurrnetMasterKeyData()
     
    org.apache.hadoop.yarn.server.security.MasterKeyData
    getMasterKey()
     
    org.apache.hadoop.yarn.server.security.MasterKeyData
    getNextMasterKeyData()
     
    void
    recover(RMStateStore.RMState state)
     
    byte[]
    retrievePassword(org.apache.hadoop.yarn.security.AMRMTokenIdentifier identifier)
    Retrieve the password for the given AMRMTokenIdentifier.
    void
    start()
     
    void
    stop()
     

    Methods inherited from class org.apache.hadoop.security.token.SecretManager

    checkAvailableForRead, createPassword, createSecretKey, generateSecret, retriableRetrievePassword, update, validateSecretKeyLength

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • AMRMTokenSecretManager

      public AMRMTokenSecretManager(org.apache.hadoop.conf.Configuration conf, RMContext rmContext)
      Parameters:
      conf - configuration.
      rmContext - rm context.
  • Method Details

    • start

      public void start()
    • stop

      public void stop()
    • applicationMasterFinished

      public void applicationMasterFinished(org.apache.hadoop.yarn.api.records.ApplicationAttemptId appAttemptId)
    • activateNextMasterKey

      public void activateNextMasterKey()
    • createNewMasterKey

      @Private @VisibleForTesting public org.apache.hadoop.yarn.server.security.MasterKeyData createNewMasterKey()
    • createAndGetAMRMToken

      public org.apache.hadoop.security.token.Token<org.apache.hadoop.yarn.security.AMRMTokenIdentifier> createAndGetAMRMToken(org.apache.hadoop.yarn.api.records.ApplicationAttemptId appAttemptId)
    • getMasterKey

      @VisibleForTesting public org.apache.hadoop.yarn.server.security.MasterKeyData getMasterKey()
    • addPersistedPassword

      public void addPersistedPassword(org.apache.hadoop.security.token.Token<org.apache.hadoop.yarn.security.AMRMTokenIdentifier> token) throws IOException
      Populate persisted password of AMRMToken back to AMRMTokenSecretManager.
      Parameters:
      token - AMRMTokenIdentifier.
      Throws:
      IOException - an I/O exception has occurred.
    • retrievePassword

      public byte[] retrievePassword(org.apache.hadoop.yarn.security.AMRMTokenIdentifier identifier) throws org.apache.hadoop.security.token.SecretManager.InvalidToken
      Retrieve the password for the given AMRMTokenIdentifier. Used by RPC layer to validate a remote AMRMTokenIdentifier.
      Specified by:
      retrievePassword in class org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.yarn.security.AMRMTokenIdentifier>
      Throws:
      org.apache.hadoop.security.token.SecretManager.InvalidToken
    • createIdentifier

      public org.apache.hadoop.yarn.security.AMRMTokenIdentifier createIdentifier()
      Creates an empty TokenId to be used for de-serializing an AMRMTokenIdentifier by the RPC layer.
      Specified by:
      createIdentifier in class org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.yarn.security.AMRMTokenIdentifier>
    • getCurrnetMasterKeyData

      @Private @VisibleForTesting public org.apache.hadoop.yarn.server.security.MasterKeyData getCurrnetMasterKeyData()
    • getNextMasterKeyData

      @Private @VisibleForTesting public org.apache.hadoop.yarn.server.security.MasterKeyData getNextMasterKeyData()
    • createPassword

      @Private protected byte[] createPassword(org.apache.hadoop.yarn.security.AMRMTokenIdentifier identifier)
      Specified by:
      createPassword in class org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.yarn.security.AMRMTokenIdentifier>
    • recover

      public void recover(RMStateStore.RMState state)