NMContainerTokenSecretManager (hadoop-yarn-server-nodemanager 2.1.1-beta API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.apache.hadoop.yarn.server.nodemanager.security
Class NMContainerTokenSecretManager

java.lang.Object
  org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.yarn.security.ContainerTokenIdentifier>
      org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager
          org.apache.hadoop.yarn.server.nodemanager.security.NMContainerTokenSecretManager

public class NMContainerTokenSecretManager
extends org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager
extends org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager

The NM maintains only two master-keys. The current key that RM knows and the key from the previous rolling-interval.

Nested Class Summary

Nested classes/interfaces inherited from class org.apache.hadoop.security.token.SecretManager
`org.apache.hadoop.security.token.SecretManager.InvalidToken`

Field Summary

Fields inherited from class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager
`containerTokenExpiryInterval, currentMasterKey, readLock, readWriteLock, writeLock`

Constructor Summary
`NMContainerTokenSecretManager(org.apache.hadoop.conf.Configuration conf)`

Method Summary
`boolean`	`isValidStartContainerRequest(org.apache.hadoop.yarn.security.ContainerTokenIdentifier containerTokenIdentifier)` Container will be remembered based on expiration time of the container token used for starting the container.
`protected void`	`removeAnyContainerTokenIfExpired()`
`byte[]`	`retrievePassword(org.apache.hadoop.yarn.security.ContainerTokenIdentifier identifier)` Override of this is to validate ContainerTokens generated by using different `MasterKey`s.
`void`	`setMasterKey(org.apache.hadoop.yarn.server.api.records.MasterKey masterKeyRecord)` Used by NodeManagers to create a token-secret-manager with the key obtained from the RM.
`void`	`setNodeId(org.apache.hadoop.yarn.api.records.NodeId nodeId)`
`void`	`startContainerSuccessful(org.apache.hadoop.yarn.security.ContainerTokenIdentifier tokenId)` Container start has gone through.

Methods inherited from class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager
`createIdentifier, createNewMasterKey, createPassword, getCurrentKey, retrievePasswordInternal`

Methods inherited from class org.apache.hadoop.security.token.SecretManager
`checkAvailableForRead, createPassword, createSecretKey, generateSecret`

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Constructor Detail

NMContainerTokenSecretManager

public NMContainerTokenSecretManager(org.apache.hadoop.conf.Configuration conf)

Method Detail

setMasterKey

@InterfaceAudience.Private
public void setMasterKey(org.apache.hadoop.yarn.server.api.records.MasterKey masterKeyRecord)

Used by NodeManagers to create a token-secret-manager with the key obtained from the RM. This can happen during registration or when the RM rolls the master-key and signals the NM.

Parameters:: masterKeyRecord -

retrievePassword

public byte[] retrievePassword(org.apache.hadoop.yarn.security.ContainerTokenIdentifier identifier)
                        throws org.apache.hadoop.security.token.SecretManager.InvalidToken

Override of this is to validate ContainerTokens generated by using different MasterKeys.

Overrides:: retrievePassword in class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager

Throws:: org.apache.hadoop.security.token.SecretManager.InvalidToken

startContainerSuccessful

public void startContainerSuccessful(org.apache.hadoop.yarn.security.ContainerTokenIdentifier tokenId)

Container start has gone through. We need to store the containerId in order to block future container start requests with same container token. This container token needs to be saved till its container token expires.

removeAnyContainerTokenIfExpired

protected void removeAnyContainerTokenIfExpired()

isValidStartContainerRequest

public boolean isValidStartContainerRequest(org.apache.hadoop.yarn.security.ContainerTokenIdentifier containerTokenIdentifier)

Container will be remembered based on expiration time of the container token used for starting the container. It is safe to use expiration time as there is one to many mapping between expiration time and containerId.

Returns:: true if the current token identifier is not present in cache.

setNodeId

public void setNodeId(org.apache.hadoop.yarn.api.records.NodeId nodeId)