NMContainerTokenSecretManager (hadoop-yarn-server-nodemanager 2.0.6-alpha API)

java.lang.Object
- org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.yarn.security.ContainerTokenIdentifier>
- - org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager
  - - org.apache.hadoop.yarn.server.nodemanager.security.NMContainerTokenSecretManager

public class NMContainerTokenSecretManager
extends org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager

The NM maintains only two master-keys. The current key that RM knows and the key from the previous rolling-interval.

Nested Class Summary
- Nested classes/interfaces inherited from class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager
  org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager.MasterKeyData
- Nested classes/interfaces inherited from class org.apache.hadoop.security.token.SecretManager
  org.apache.hadoop.security.token.SecretManager.InvalidToken

Field Summary
- Fields inherited from class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager
  containerTokenExpiryInterval, currentMasterKey, readLock, readWriteLock, writeLock

Constructor Summary

Constructors
Constructor and Description

NMContainerTokenSecretManager(org.apache.hadoop.conf.Configuration conf)

Constructors
Constructor and Description
`NMContainerTokenSecretManager(org.apache.hadoop.conf.Configuration conf)`

Method Summary

Methods
Modifier and Type	Method and Description
`void`	`appFinished(org.apache.hadoop.yarn.api.records.ApplicationId appId)`
`boolean`	`isValidStartContainerRequest(org.apache.hadoop.yarn.security.ContainerTokenIdentifier tokenId)` Ensure the startContainer call is not using an older cached key.
`byte[]`	`retrievePassword(org.apache.hadoop.yarn.security.ContainerTokenIdentifier identifier)` Override of this is to validate ContainerTokens generated by using different `MasterKey`s.
`void`	`setMasterKey(org.apache.hadoop.yarn.server.api.records.MasterKey masterKeyRecord)` Used by NodeManagers to create a token-secret-manager with the key obtained from the RM.
`void`	`startContainerSuccessful(org.apache.hadoop.yarn.security.ContainerTokenIdentifier tokenId)` Container start has gone through.

Methods inherited from class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager
createContainerToken, createIdentifier, createNewMasterKey, createPassword, getCurrentKey, retrievePasswordInternal

Methods inherited from class org.apache.hadoop.security.token.SecretManager
checkAvailableForRead, createPassword, createSecretKey, generateSecret

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Constructor Detail
  - NMContainerTokenSecretManager
```
public NMContainerTokenSecretManager(org.apache.hadoop.conf.Configuration conf)
```
- Method Detail
  - setMasterKey
```
@InterfaceAudience.Private
public void setMasterKey(org.apache.hadoop.yarn.server.api.records.MasterKey masterKeyRecord)
```
    Used by NodeManagers to create a token-secret-manager with the key obtained from the RM. This can happen during registration or when the RM rolls the master-key and signals the NM.
    
    Parameters:
    masterKeyRecord -
  - retrievePassword
```
public byte[] retrievePassword(org.apache.hadoop.yarn.security.ContainerTokenIdentifier identifier)
                        throws org.apache.hadoop.security.token.SecretManager.InvalidToken
```
    Override of this is to validate ContainerTokens generated by using different MasterKeys.
    
    Overrides:
    
    retrievePassword in class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager
    
    Throws:
    
    org.apache.hadoop.security.token.SecretManager.InvalidToken
  - startContainerSuccessful
```
public void startContainerSuccessful(org.apache.hadoop.yarn.security.ContainerTokenIdentifier tokenId)
```
    Container start has gone through. Store the corresponding keys so that stopContainer() and getContainerStatus() can be authenticated long after the container-start went through.
  - isValidStartContainerRequest
```
public boolean isValidStartContainerRequest(org.apache.hadoop.yarn.security.ContainerTokenIdentifier tokenId)
```
    Ensure the startContainer call is not using an older cached key. Will return false once startContainerSuccessful is called. Does not check the actual key being current since that is verified by the security layer via retrievePassword.
  - appFinished
```
public void appFinished(org.apache.hadoop.yarn.api.records.ApplicationId appId)
```

Class NMContainerTokenSecretManager

Nested Class Summary

Nested classes/interfaces inherited from class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager

Nested classes/interfaces inherited from class org.apache.hadoop.security.token.SecretManager

Field Summary

Fields inherited from class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager

Constructor Summary

Method Summary

Methods inherited from class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager

Methods inherited from class org.apache.hadoop.security.token.SecretManager

Methods inherited from class java.lang.Object

Constructor Detail

NMContainerTokenSecretManager

Method Detail

setMasterKey

retrievePassword

startContainerSuccessful

isValidStartContainerRequest

appFinished