Class NMTokenSecretManagerInNM

java.lang.Object
org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.yarn.security.NMTokenIdentifier>
org.apache.hadoop.yarn.server.security.BaseNMTokenSecretManager
org.apache.hadoop.yarn.server.nodemanager.security.NMTokenSecretManagerInNM

public class NMTokenSecretManagerInNM extends org.apache.hadoop.yarn.server.security.BaseNMTokenSecretManager
  • Nested Class Summary

    Nested classes/interfaces inherited from class org.apache.hadoop.security.token.SecretManager

    org.apache.hadoop.security.token.SecretManager.InvalidToken
  • Field Summary

    Fields inherited from class org.apache.hadoop.yarn.server.security.BaseNMTokenSecretManager

    currentMasterKey, readLock, readWriteLock, serialNo, writeLock
  • Constructor Summary

    Constructors
    Constructor
    Description
    NMTokenSecretManagerInNM()
     
    NMTokenSecretManagerInNM(NMStateStoreService stateStore)
     
  • Method Summary

    Modifier and Type
    Method
    Description
    void
    appAttemptStartContainer(org.apache.hadoop.yarn.security.NMTokenIdentifier identifier)
    This will be called by startContainer.
    void
    appFinished(org.apache.hadoop.yarn.api.records.ApplicationId appId)
     
    org.apache.hadoop.yarn.api.records.NMToken
    generateNMToken(String applicationSubmitter, org.apache.hadoop.yarn.api.records.Container container)
    Used by the Distributed Scheduler framework to generate NMTokens.
    org.apache.hadoop.yarn.api.records.NodeId
    getNodeId()
     
    boolean
    isAppAttemptNMTokenKeyPresent(org.apache.hadoop.yarn.api.records.ApplicationAttemptId appAttemptId)
     
    void
    recover()
     
    byte[]
    retrievePassword(org.apache.hadoop.yarn.security.NMTokenIdentifier identifier)
    This method will be used to verify NMTokens generated by different master keys.
    void
    setMasterKey(org.apache.hadoop.yarn.server.api.records.MasterKey masterKey)
    Used by NodeManagers to create a token-secret-manager with the key obtained from the RM.
    void
    setNodeId(org.apache.hadoop.yarn.api.records.NodeId nodeId)
     

    Methods inherited from class org.apache.hadoop.yarn.server.security.BaseNMTokenSecretManager

    createIdentifier, createNewMasterKey, createNMToken, createPassword, getCurrentKey, newInstance, retrivePasswordInternal

    Methods inherited from class org.apache.hadoop.security.token.SecretManager

    checkAvailableForRead, createPassword, createSecretKey, generateSecret, retriableRetrievePassword, update, validateSecretKeyLength

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • NMTokenSecretManagerInNM

      public NMTokenSecretManagerInNM()
    • NMTokenSecretManagerInNM

      public NMTokenSecretManagerInNM(NMStateStoreService stateStore)
  • Method Details

    • recover

      public void recover() throws IOException
      Throws:
      IOException
    • setMasterKey

      @Private public void setMasterKey(org.apache.hadoop.yarn.server.api.records.MasterKey masterKey)
      Used by NodeManagers to create a token-secret-manager with the key obtained from the RM. This can happen during registration or when the RM rolls the master key and signals the NM.
    • retrievePassword

      public byte[] retrievePassword(org.apache.hadoop.yarn.security.NMTokenIdentifier identifier) throws org.apache.hadoop.security.token.SecretManager.InvalidToken
      This method will be used to verify NMTokens generated by different master keys.
      Overrides:
      retrievePassword in class org.apache.hadoop.yarn.server.security.BaseNMTokenSecretManager
      Throws:
      org.apache.hadoop.security.token.SecretManager.InvalidToken
    • appFinished

      public void appFinished(org.apache.hadoop.yarn.api.records.ApplicationId appId)
    • appAttemptStartContainer

      public void appAttemptStartContainer(org.apache.hadoop.yarn.security.NMTokenIdentifier identifier) throws org.apache.hadoop.security.token.SecretManager.InvalidToken
      This will be called by startContainer. It will add the master key into the cache used for starting this container. This should be called before validating the startContainer request.
      Throws:
      org.apache.hadoop.security.token.SecretManager.InvalidToken
    • setNodeId

      public void setNodeId(org.apache.hadoop.yarn.api.records.NodeId nodeId)
    • isAppAttemptNMTokenKeyPresent

      @Private @VisibleForTesting public boolean isAppAttemptNMTokenKeyPresent(org.apache.hadoop.yarn.api.records.ApplicationAttemptId appAttemptId)
    • getNodeId

      @Private @VisibleForTesting public org.apache.hadoop.yarn.api.records.NodeId getNodeId()
    • generateNMToken

      public org.apache.hadoop.yarn.api.records.NMToken generateNMToken(String applicationSubmitter, org.apache.hadoop.yarn.api.records.Container container)
      Used by the Distributed Scheduler framework to generate NMTokens.
      Parameters:
      applicationSubmitter -
      container -
      Returns:
      NMToken