org.apache.hadoop.yarn.server.nodemanager.security

Class NMContainerTokenSecretManager

java.lang.Object

org.apache.hadoop.security.token.SecretManager<ContainerTokenIdentifier>

org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager

org.apache.hadoop.yarn.server.nodemanager.security.NMContainerTokenSecretManager

public class NMContainerTokenSecretManager
extends BaseContainerTokenSecretManager

The NM maintains only two master-keys. The current key that RM knows and the key from the previous rolling-interval.

Nested Class Summary

Nested classes/interfaces inherited from class org.apache.hadoop.security.token.SecretManager

SecretManager.InvalidToken

Field Summary

Fields inherited from class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager

containerTokenExpiryInterval, currentMasterKey, readLock, readWriteLock, writeLock

Constructor Summary

Constructors

Constructor and Description
NMContainerTokenSecretManager(Configuration conf)

Method Summary

Methods

Modifier and Type	Method and Description
boolean	isValidStartContainerRequest(ContainerTokenIdentifier containerTokenIdentifier) Container will be remembered based on expiration time of the container token used for starting the container.
protected void	removeAnyContainerTokenIfExpired()
byte[]	retrievePassword(ContainerTokenIdentifier identifier) Override of this is to validate ContainerTokens generated by using different MasterKeys.
void	setMasterKey(MasterKey masterKeyRecord) Used by NodeManagers to create a token-secret-manager with the key obtained from the RM.
void	setNodeId(NodeId nodeId)
void	startContainerSuccessful(ContainerTokenIdentifier tokenId) Container start has gone through.

Methods inherited from class org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager

createIdentifier, createNewMasterKey, createPassword, getCurrentKey, retrievePasswordInternal

Methods inherited from class org.apache.hadoop.security.token.SecretManager

checkAvailableForRead, createPassword, createSecretKey, generateSecret

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

NMContainerTokenSecretManager

public NMContainerTokenSecretManager(Configuration conf)

Method Detail

setMasterKey

@InterfaceAudience.Private
public void setMasterKey(MasterKey masterKeyRecord)

Used by NodeManagers to create a token-secret-manager with the key obtained from the RM. This can happen during registration or when the RM rolls the master-key and signals the NM.

Parameters:

masterKeyRecord -

retrievePassword

public byte[] retrievePassword(ContainerTokenIdentifier identifier)
                        throws SecretManager.InvalidToken

Override of this is to validate ContainerTokens generated by using different MasterKeys.

Overrides:

retrievePassword in class BaseContainerTokenSecretManager

Parameters:

identifier - the identifier to validate

Returns:

the password to use

Throws:

SecretManager.InvalidToken - the token was invalid

startContainerSuccessful

public void startContainerSuccessful(ContainerTokenIdentifier tokenId)

Container start has gone through. We need to store the containerId in order to block future container start requests with same container token. This container token needs to be saved till its container token expires.

removeAnyContainerTokenIfExpired

protected void removeAnyContainerTokenIfExpired()

isValidStartContainerRequest

public boolean isValidStartContainerRequest(ContainerTokenIdentifier containerTokenIdentifier)

Container will be remembered based on expiration time of the container token used for starting the container. It is safe to use expiration time as there is one to many mapping between expiration time and containerId.

Returns:

true if the current token identifier is not present in cache.

setNodeId

public void setNodeId(NodeId nodeId)