NMContainerTokenSecretManager (hadoop-yarn-server-nodemanager 0.23.7 API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.apache.hadoop.yarn.server.nodemanager.security
Class NMContainerTokenSecretManager

java.lang.Object
  org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.yarn.security.ContainerTokenIdentifier>
      org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager
          org.apache.hadoop.yarn.server.nodemanager.security.NMContainerTokenSecretManager

public class NMContainerTokenSecretManager
extends org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager
extends org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager

The NM maintains only two master-keys. The current key that RM knows and the key from the previous rolling-interval.

Nested Class Summary

Nested classes/interfaces inherited from class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager
`org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager.MasterKeyData`

Nested classes/interfaces inherited from class org.apache.hadoop.security.token.SecretManager
`org.apache.hadoop.security.token.SecretManager.InvalidToken`

Field Summary

Fields inherited from class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager
`containerTokenExpiryInterval, currentMasterKey, readLock, readWriteLock, writeLock`

Constructor Summary
`NMContainerTokenSecretManager(org.apache.hadoop.conf.Configuration conf)`

Method Summary
`void`	`appFinished(org.apache.hadoop.yarn.api.records.ApplicationId appId)`
`boolean`	`isValidStartContainerRequest(org.apache.hadoop.yarn.security.ContainerTokenIdentifier tokenId)` Ensure the startContainer call is not using an older cached key.
`byte[]`	`retrievePassword(org.apache.hadoop.yarn.security.ContainerTokenIdentifier identifier)` Override of this is to validate ContainerTokens generated by using different `MasterKey`s.
`void`	`setMasterKey(org.apache.hadoop.yarn.server.api.records.MasterKey masterKeyRecord)` Used by NodeManagers to create a token-secret-manager with the key obtained from the RM.
`void`	`startContainerSuccessful(org.apache.hadoop.yarn.security.ContainerTokenIdentifier tokenId)` Container start has gone through.

Methods inherited from class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager
`createContainerToken, createIdentifier, createNewMasterKey, createPassword, getCurrentKey, retrievePasswordInternal`

Methods inherited from class org.apache.hadoop.security.token.SecretManager
`createPassword, createSecretKey, generateSecret`

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Constructor Detail

NMContainerTokenSecretManager

public NMContainerTokenSecretManager(org.apache.hadoop.conf.Configuration conf)

Method Detail

setMasterKey

@InterfaceAudience.Private
public void setMasterKey(org.apache.hadoop.yarn.server.api.records.MasterKey masterKeyRecord)

Used by NodeManagers to create a token-secret-manager with the key obtained from the RM. This can happen during registration or when the RM rolls the master-key and signals the NM.

Parameters:: masterKeyRecord -

retrievePassword

public byte[] retrievePassword(org.apache.hadoop.yarn.security.ContainerTokenIdentifier identifier)
                        throws org.apache.hadoop.security.token.SecretManager.InvalidToken

Override of this is to validate ContainerTokens generated by using different MasterKeys.

Overrides:: retrievePassword in class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager

Throws:: org.apache.hadoop.security.token.SecretManager.InvalidToken

startContainerSuccessful

public void startContainerSuccessful(org.apache.hadoop.yarn.security.ContainerTokenIdentifier tokenId)

Container start has gone through. Store the corresponding keys so that stopContainer() and getContainerStatus() can be authenticated long after the container-start went through.

isValidStartContainerRequest

public boolean isValidStartContainerRequest(org.apache.hadoop.yarn.security.ContainerTokenIdentifier tokenId)

Ensure the startContainer call is not using an older cached key. Will return false once startContainerSuccessful is called. Does not check the actual key being current since that is verified by the security layer via retrievePassword.

appFinished

public void appFinished(org.apache.hadoop.yarn.api.records.ApplicationId appId)