goiri commented on code in PR #4712:
URL: https://github.com/apache/hadoop/pull/4712#discussion_r939547883
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/main/java/org/apache/hadoop/yarn/server/router/Router.java:
##########
@@ -195,4 +197,12 @@ public static void main(String[] argv) {
System.exit(-1);
}
}
+
+ public RouterClientRMService getClientRMProxyService() {
Review Comment:
VisibleForTesting?
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/test/java/org/apache/hadoop/yarn/server/router/secure/AbstractSecureRouterTest.java:
##########
@@ -0,0 +1,265 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.router.secure;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.federation.store.FederationStateStore;
+import org.apache.hadoop.yarn.server.federation.store.records.SubClusterId;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreFacade;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreTestUtil;
+import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart;
+import org.apache.hadoop.yarn.server.router.Router;
+import
org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor;
+import org.apache.hadoop.yarn.server.router.clientrm.RouterClientRMService;
+import
org.apache.hadoop.yarn.server.router.rmadmin.DefaultRMAdminRequestInterceptor;
+import org.apache.hadoop.yarn.server.router.rmadmin.RouterRMAdminService;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class AbstractSecureRouterTest {
+
+ public static final String REALM = "EXAMPLE.COM";
+
+ public static final String ROUTER = "router";
+ public static final String LOCALHOST = "localhost";
+ public static final String IP127001 = "127.0.0.1";
+ public static final String ROUTER_LOCALHOST = "router/" + LOCALHOST;
+ public static final String ROUTER_127001 = "router/" + IP127001;
+ public static final String ROUTER_REALM = "router@" + REALM;
+ public static final String ROUTER_LOCALHOST_REALM = ROUTER_LOCALHOST + "@" +
REALM;
+
+ private static final Logger LOG =
LoggerFactory.getLogger(AbstractSecureRouterTest.class);
+
+ public static final Configuration CONF;
+
+ static {
+ CONF = new Configuration();
+ CONF.set("hadoop.security.authentication", "kerberos");
+ CONF.setBoolean("hadoop.security.authorization", true);
+ }
+
+ public static final String SUN_SECURITY_KRB5_DEBUG =
"sun.security.krb5.debug";
+
+ public static final String CLIENT_RM_FEDERATION_CLIENT_INTERCEPTOR =
+
"org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor";
+
+ public static final String KERBEROS = "kerberos";
+
+ private static MiniKdc kdc;
+ private static File routerKeytab;
+ private static File kdcWorkDir;
+ private static Properties kdcConf;
+
+ private Router router = null;
+
+ private static Configuration conf;
+
+ private List<SubClusterId> subClusters;
+
+ private final static int NUM_SUBCLUSTER = 4;
+
+ private static ConcurrentHashMap<SubClusterId, MockRM> mockRMs =
+ new ConcurrentHashMap<>();
+
+ @BeforeClass
+ public static void beforeSecureRouterTestClass() throws Exception {
+
+ // Sets up the KDC and Principals.
+ setupKDCAndPrincipals();
+
+ // Init YarnConfiguration
+ conf = new YarnConfiguration();
+ conf.set(YarnConfiguration.ROUTER_BIND_HOST, "0.0.0.0");
+ conf.set(YarnConfiguration.ROUTER_CLIENTRM_INTERCEPTOR_CLASS_PIPELINE,
+ CLIENT_RM_FEDERATION_CLIENT_INTERCEPTOR);
+ conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
KERBEROS);
+ conf.set(YarnConfiguration.ROUTER_PRINCIPAL, ROUTER_LOCALHOST_REALM);
+ conf.set(YarnConfiguration.ROUTER_KEYTAB, routerKeytab.getAbsolutePath());
+ }
+
+ /**
+ * Sets up the KDC and Principals.
+ *
+ * @throws Exception an error occurred.
+ */
+ public static void setupKDCAndPrincipals() throws Exception {
+ // set up the KDC
+ File target = new File(System.getProperty("test.dir", "target"));
+ kdcWorkDir = new File(target, "kdc");
+ kdcWorkDir.mkdirs();
+ if (!kdcWorkDir.mkdirs()) {
+ Assert.assertTrue(kdcWorkDir.isDirectory());
+ }
+ kdcConf = MiniKdc.createConf();
+ kdcConf.setProperty(MiniKdc.DEBUG, "true");
+ kdc = new MiniKdc(kdcConf, kdcWorkDir);
+ kdc.start();
+
+ routerKeytab = createKeytab(ROUTER, "router.keytab");
+ }
+
+ /**
+ * Initialize RM in safe mode.
+ *
+ * @throws Exception an error occurred.
+ */
+ public static void setupSecureMockRM() throws Exception {
+ for (int i = 0; i < NUM_SUBCLUSTER; i++) {
+ SubClusterId sc = SubClusterId.newInstance(Integer.toString(i));
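Review bot: In setupKDCAndPrincipals, `kdcWorkDir.mkdirs()` is called twice in a row: the first call's result is discarded, and the second returns false whenever the first one just created the directory, so the `if` branch runs on every clean build. A single check says what is meant, `Assert.assertTrue(kdcWorkDir.mkdirs() || kdcWorkDir.isDirectory());`, and it fails loudly if the directory that will hold the KDC data and `router.keytab` could not be created. The same two lines appear in the later quoted copies of this file on the page.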
Review Comment:
We keep doing this. Can we create a newInstance taking integer?
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/test/java/org/apache/hadoop/yarn/server/router/secure/AbstractSecureRouterTest.java:
##########
@@ -0,0 +1,265 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.router.secure;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.federation.store.FederationStateStore;
+import org.apache.hadoop.yarn.server.federation.store.records.SubClusterId;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreFacade;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreTestUtil;
+import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart;
+import org.apache.hadoop.yarn.server.router.Router;
+import
org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor;
+import org.apache.hadoop.yarn.server.router.clientrm.RouterClientRMService;
+import
org.apache.hadoop.yarn.server.router.rmadmin.DefaultRMAdminRequestInterceptor;
+import org.apache.hadoop.yarn.server.router.rmadmin.RouterRMAdminService;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class AbstractSecureRouterTest {
+
+ public static final String REALM = "EXAMPLE.COM";
+
+ public static final String ROUTER = "router";
+ public static final String LOCALHOST = "localhost";
+ public static final String IP127001 = "127.0.0.1";
+ public static final String ROUTER_LOCALHOST = "router/" + LOCALHOST;
+ public static final String ROUTER_127001 = "router/" + IP127001;
+ public static final String ROUTER_REALM = "router@" + REALM;
+ public static final String ROUTER_LOCALHOST_REALM = ROUTER_LOCALHOST + "@" +
REALM;
+
+ private static final Logger LOG =
LoggerFactory.getLogger(AbstractSecureRouterTest.class);
+
+ public static final Configuration CONF;
Review Comment:
Why do we make this static?
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/test/java/org/apache/hadoop/yarn/server/router/secure/AbstractSecureRouterTest.java:
##########
@@ -0,0 +1,265 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.router.secure;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.federation.store.FederationStateStore;
+import org.apache.hadoop.yarn.server.federation.store.records.SubClusterId;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreFacade;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreTestUtil;
+import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart;
+import org.apache.hadoop.yarn.server.router.Router;
+import
org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor;
+import org.apache.hadoop.yarn.server.router.clientrm.RouterClientRMService;
+import
org.apache.hadoop.yarn.server.router.rmadmin.DefaultRMAdminRequestInterceptor;
+import org.apache.hadoop.yarn.server.router.rmadmin.RouterRMAdminService;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class AbstractSecureRouterTest {
+
+ public static final String REALM = "EXAMPLE.COM";
+
+ public static final String ROUTER = "router";
+ public static final String LOCALHOST = "localhost";
+ public static final String IP127001 = "127.0.0.1";
+ public static final String ROUTER_LOCALHOST = "router/" + LOCALHOST;
+ public static final String ROUTER_127001 = "router/" + IP127001;
+ public static final String ROUTER_REALM = "router@" + REALM;
+ public static final String ROUTER_LOCALHOST_REALM = ROUTER_LOCALHOST + "@" +
REALM;
+
+ private static final Logger LOG =
LoggerFactory.getLogger(AbstractSecureRouterTest.class);
+
+ public static final Configuration CONF;
+
+ static {
+ CONF = new Configuration();
+ CONF.set("hadoop.security.authentication", "kerberos");
+ CONF.setBoolean("hadoop.security.authorization", true);
+ }
+
+ public static final String SUN_SECURITY_KRB5_DEBUG =
"sun.security.krb5.debug";
+
+ public static final String CLIENT_RM_FEDERATION_CLIENT_INTERCEPTOR =
+
"org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor";
+
+ public static final String KERBEROS = "kerberos";
+
+ private static MiniKdc kdc;
Review Comment:
Do we need to make everything static?
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java:
##########
@@ -4107,6 +4107,12 @@ public static boolean isAclEnabled(Configuration conf) {
public static final long DEFAULT_ROUTER_WEBAPP_READ_TIMEOUT =
TimeUnit.SECONDS.toMillis(30);
+ /** The Kerberos keytab for the yarn router.*/
+ public static final String ROUTER_KEYTAB = ROUTER_PREFIX + "keytab";
Review Comment:
Should we add some documentation on how to set this up?
Is there an md file?
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/test/java/org/apache/hadoop/yarn/server/router/secure/AbstractSecureRouterTest.java:
##########
@@ -0,0 +1,265 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.router.secure;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.federation.store.FederationStateStore;
+import org.apache.hadoop.yarn.server.federation.store.records.SubClusterId;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreFacade;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreTestUtil;
+import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart;
+import org.apache.hadoop.yarn.server.router.Router;
+import
org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor;
+import org.apache.hadoop.yarn.server.router.clientrm.RouterClientRMService;
+import
org.apache.hadoop.yarn.server.router.rmadmin.DefaultRMAdminRequestInterceptor;
+import org.apache.hadoop.yarn.server.router.rmadmin.RouterRMAdminService;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class AbstractSecureRouterTest {
+
+ public static final String REALM = "EXAMPLE.COM";
+
+ public static final String ROUTER = "router";
+ public static final String LOCALHOST = "localhost";
+ public static final String IP127001 = "127.0.0.1";
+ public static final String ROUTER_LOCALHOST = "router/" + LOCALHOST;
+ public static final String ROUTER_127001 = "router/" + IP127001;
+ public static final String ROUTER_REALM = "router@" + REALM;
+ public static final String ROUTER_LOCALHOST_REALM = ROUTER_LOCALHOST + "@" +
REALM;
+
+ private static final Logger LOG =
LoggerFactory.getLogger(AbstractSecureRouterTest.class);
+
+ public static final Configuration CONF;
+
+ static {
+ CONF = new Configuration();
+ CONF.set("hadoop.security.authentication", "kerberos");
+ CONF.setBoolean("hadoop.security.authorization", true);
+ }
+
+ public static final String SUN_SECURITY_KRB5_DEBUG =
"sun.security.krb5.debug";
+
+ public static final String CLIENT_RM_FEDERATION_CLIENT_INTERCEPTOR =
+
"org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor";
+
+ public static final String KERBEROS = "kerberos";
+
+ private static MiniKdc kdc;
+ private static File routerKeytab;
+ private static File kdcWorkDir;
+ private static Properties kdcConf;
+
+ private Router router = null;
+
+ private static Configuration conf;
+
+ private List<SubClusterId> subClusters;
+
+ private final static int NUM_SUBCLUSTER = 4;
+
+ private static ConcurrentHashMap<SubClusterId, MockRM> mockRMs =
+ new ConcurrentHashMap<>();
+
+ @BeforeClass
+ public static void beforeSecureRouterTestClass() throws Exception {
+
+ // Sets up the KDC and Principals.
+ setupKDCAndPrincipals();
+
+ // Init YarnConfiguration
+ conf = new YarnConfiguration();
+ conf.set(YarnConfiguration.ROUTER_BIND_HOST, "0.0.0.0");
+ conf.set(YarnConfiguration.ROUTER_CLIENTRM_INTERCEPTOR_CLASS_PIPELINE,
+ CLIENT_RM_FEDERATION_CLIENT_INTERCEPTOR);
+ conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
KERBEROS);
+ conf.set(YarnConfiguration.ROUTER_PRINCIPAL, ROUTER_LOCALHOST_REALM);
+ conf.set(YarnConfiguration.ROUTER_KEYTAB, routerKeytab.getAbsolutePath());
+ }
+
+ /**
+ * Sets up the KDC and Principals.
+ *
+ * @throws Exception an error occurred.
+ */
+ public static void setupKDCAndPrincipals() throws Exception {
+ // set up the KDC
+ File target = new File(System.getProperty("test.dir", "target"));
+ kdcWorkDir = new File(target, "kdc");
+ kdcWorkDir.mkdirs();
+ if (!kdcWorkDir.mkdirs()) {
+ Assert.assertTrue(kdcWorkDir.isDirectory());
+ }
+ kdcConf = MiniKdc.createConf();
+ kdcConf.setProperty(MiniKdc.DEBUG, "true");
+ kdc = new MiniKdc(kdcConf, kdcWorkDir);
+ kdc.start();
+
+ routerKeytab = createKeytab(ROUTER, "router.keytab");
+ }
+
+ /**
+ * Initialize RM in safe mode.
+ *
+ * @throws Exception an error occurred.
+ */
+ public static void setupSecureMockRM() throws Exception {
+ for (int i = 0; i < NUM_SUBCLUSTER; i++) {
+ SubClusterId sc = SubClusterId.newInstance(Integer.toString(i));
+ if (mockRMs.containsKey(sc)) {
+ continue;
+ }
+ MockRM mockRM = new TestRMRestart.TestSecurityMockRM(conf);
+ mockRM.start();
+ mockRM.registerNode("127.0.0.1:1234", 8 * 1024, 4);
+ mockRMs.put(sc, mockRM);
+ }
+ }
+
+ /**
+ * Create the keytab for the given principal, includes
+ * raw principal and $principal/localhost.
+ *
+ * @param principal principal short name.
+ * @param filename filename of keytab.
+ * @return file of keytab.
+ * @throws Exception an error occurred.
+ */
+ public static File createKeytab(String principal, String filename) throws
Exception {
+ Assert.assertTrue("empty principal", StringUtils.isNotBlank(principal));
+ Assert.assertTrue("empty host", StringUtils.isNotBlank(filename));
+ Assert.assertNotNull("Null KDC", kdc);
+ File keytab = new File(kdcWorkDir, filename);
+ kdc.createPrincipal(keytab,
+ principal,
+ principal + "/localhost",
+ principal + "/127.0.0.1");
+ return keytab;
+ }
+
+ /**
+ * Start the router in safe mode.
+ *
+ * @throws Exception an error occurred.
+ */
+ public synchronized void startSecureRouter(Boolean initRM) throws Exception {
+ Assert.assertNull("Router is already running", router);
+ UserGroupInformation.setConfiguration(conf);
+ router = new Router();
+ router.init(conf);
+ router.start();
+
+ if (initRM) {
+
+ setupSecureMockRM();
+
+ RouterClientRMService rmService = router.getClientRMProxyService();
+ RouterClientRMService.RequestInterceptorChainWrapper wrapper =
rmService.getInterceptorChain();
+ FederationClientInterceptor interceptor = (FederationClientInterceptor)
wrapper.getRootInterceptor();
+ FederationStateStoreFacade stateStoreFacade =
interceptor.getFederationFacade();
+ FederationStateStore stateStore = stateStoreFacade.getStateStore();
+ FederationStateStoreTestUtil stateStoreUtil = new
FederationStateStoreTestUtil(stateStore);
+ subClusters = new ArrayList<>();
+
+ for (int i = 0; i < NUM_SUBCLUSTER; i++) {
+ SubClusterId sc = SubClusterId.newInstance(Integer.toString(i));
+ stateStoreUtil.registerSubCluster(sc);
+ subClusters.add(sc);
+ }
+
+ Map<SubClusterId, ApplicationClientProtocol> clientRMProxies =
+ interceptor.getClientRMProxies();
+ for (Map.Entry<SubClusterId, MockRM> entry : mockRMs.entrySet()) {
+ SubClusterId keySubClusterId = entry.getKey();
+ if (clientRMProxies.containsKey(keySubClusterId)) {
+ continue;
+ }
+ MockRM mockRM = entry.getValue();
+ clientRMProxies.put(keySubClusterId, mockRM.getClientRMService());
+ }
+
+ MockRM firstRM =
mockRMs.entrySet().stream().findFirst().get().getValue();
+ RouterRMAdminService routerRMAdminService =
router.getRmAdminProxyService();
+ RouterRMAdminService.RequestInterceptorChainWrapper rmAdminChainWrapper =
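Review bot: `UserGroupInformation.setConfiguration(conf)` in startSecureRouter switches the process-wide security configuration to Kerberos, and nothing in the quoted part of the class puts it back. startSecureRouter continues past the end of this hunk and the teardown is not shown, so this may already be handled. If it is not, other test classes that run in the same JVM would inherit Kerberos authentication from this one. The `@AfterClass` method is the natural place to restore it, for example `UserGroupInformation.reset();` after the KDC is stopped, with a short comment saying why.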
Review Comment:
We had to expose a lot of these methods for the tests.
Is there a better way? Some mock or test class extension?
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/main/java/org/apache/hadoop/yarn/server/router/clientrm/RouterClientRMService.java:
##########
@@ -616,4 +616,8 @@ protected void finalize() {
rootInterceptor.shutdown();
}
}
+
+ public Map<String, RequestInterceptorChainWrapper> getUserPipelineMap() {
Review Comment:
VisibleForTesting?
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/test/java/org/apache/hadoop/yarn/server/router/secure/AbstractSecureRouterTest.java:
##########
@@ -0,0 +1,265 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.router.secure;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.federation.store.FederationStateStore;
+import org.apache.hadoop.yarn.server.federation.store.records.SubClusterId;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreFacade;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreTestUtil;
+import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart;
+import org.apache.hadoop.yarn.server.router.Router;
+import
org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor;
+import org.apache.hadoop.yarn.server.router.clientrm.RouterClientRMService;
+import
org.apache.hadoop.yarn.server.router.rmadmin.DefaultRMAdminRequestInterceptor;
+import org.apache.hadoop.yarn.server.router.rmadmin.RouterRMAdminService;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class AbstractSecureRouterTest {
+
+ public static final String REALM = "EXAMPLE.COM";
+
+ public static final String ROUTER = "router";
+ public static final String LOCALHOST = "localhost";
+ public static final String IP127001 = "127.0.0.1";
+ public static final String ROUTER_LOCALHOST = "router/" + LOCALHOST;
+ public static final String ROUTER_127001 = "router/" + IP127001;
+ public static final String ROUTER_REALM = "router@" + REALM;
+ public static final String ROUTER_LOCALHOST_REALM = ROUTER_LOCALHOST + "@" +
REALM;
+
+ private static final Logger LOG =
LoggerFactory.getLogger(AbstractSecureRouterTest.class);
+
+ public static final Configuration CONF;
+
+ static {
+ CONF = new Configuration();
+ CONF.set("hadoop.security.authentication", "kerberos");
+ CONF.setBoolean("hadoop.security.authorization", true);
+ }
+
+ public static final String SUN_SECURITY_KRB5_DEBUG =
"sun.security.krb5.debug";
+
+ public static final String CLIENT_RM_FEDERATION_CLIENT_INTERCEPTOR =
+
"org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor";
+
+ public static final String KERBEROS = "kerberos";
+
+ private static MiniKdc kdc;
+ private static File routerKeytab;
+ private static File kdcWorkDir;
+ private static Properties kdcConf;
+
+ private Router router = null;
+
+ private static Configuration conf;
+
+ private List<SubClusterId> subClusters;
+
+ private final static int NUM_SUBCLUSTER = 4;
+
+ private static ConcurrentHashMap<SubClusterId, MockRM> mockRMs =
+ new ConcurrentHashMap<>();
+
+ @BeforeClass
+ public static void beforeSecureRouterTestClass() throws Exception {
+
+ // Sets up the KDC and Principals.
+ setupKDCAndPrincipals();
+
+ // Init YarnConfiguration
+ conf = new YarnConfiguration();
+ conf.set(YarnConfiguration.ROUTER_BIND_HOST, "0.0.0.0");
+ conf.set(YarnConfiguration.ROUTER_CLIENTRM_INTERCEPTOR_CLASS_PIPELINE,
+ CLIENT_RM_FEDERATION_CLIENT_INTERCEPTOR);
+ conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
KERBEROS);
+ conf.set(YarnConfiguration.ROUTER_PRINCIPAL, ROUTER_LOCALHOST_REALM);
+ conf.set(YarnConfiguration.ROUTER_KEYTAB, routerKeytab.getAbsolutePath());
+ }
+
+ /**
+ * Sets up the KDC and Principals.
+ *
+ * @throws Exception an error occurred.
+ */
+ public static void setupKDCAndPrincipals() throws Exception {
+ // set up the KDC
+ File target = new File(System.getProperty("test.dir", "target"));
+ kdcWorkDir = new File(target, "kdc");
+ kdcWorkDir.mkdirs();
+ if (!kdcWorkDir.mkdirs()) {
+ Assert.assertTrue(kdcWorkDir.isDirectory());
+ }
+ kdcConf = MiniKdc.createConf();
+ kdcConf.setProperty(MiniKdc.DEBUG, "true");
+ kdc = new MiniKdc(kdcConf, kdcWorkDir);
+ kdc.start();
+
+ routerKeytab = createKeytab(ROUTER, "router.keytab");
+ }
+
+ /**
+ * Initialize RM in safe mode.
+ *
+ * @throws Exception an error occurred.
+ */
+ public static void setupSecureMockRM() throws Exception {
+ for (int i = 0; i < NUM_SUBCLUSTER; i++) {
+ SubClusterId sc = SubClusterId.newInstance(Integer.toString(i));
+ if (mockRMs.containsKey(sc)) {
+ continue;
+ }
+ MockRM mockRM = new TestRMRestart.TestSecurityMockRM(conf);
+ mockRM.start();
+ mockRM.registerNode("127.0.0.1:1234", 8 * 1024, 4);
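Review bot: beforeSecureRouterTestClass sets `YarnConfiguration.ROUTER_BIND_HOST` to `"0.0.0.0"`, which presumably makes the Router under test listen on every interface of the build machine, while the only principals created are for `localhost` and `127.0.0.1`. Unless something outside this hunk needs a non-loopback address, binding to loopback keeps the test service off the network: `conf.set(YarnConfiguration.ROUTER_BIND_HOST, LOCALHOST);`. The same line is in the other quoted copies of this file.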
Review Comment:
extract into memory and cpu named vars.
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/test/java/org/apache/hadoop/yarn/server/router/secure/AbstractSecureRouterTest.java:
##########
@@ -0,0 +1,265 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.router.secure;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.federation.store.FederationStateStore;
+import org.apache.hadoop.yarn.server.federation.store.records.SubClusterId;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreFacade;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreTestUtil;
+import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart;
+import org.apache.hadoop.yarn.server.router.Router;
+import
org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor;
+import org.apache.hadoop.yarn.server.router.clientrm.RouterClientRMService;
+import
org.apache.hadoop.yarn.server.router.rmadmin.DefaultRMAdminRequestInterceptor;
+import org.apache.hadoop.yarn.server.router.rmadmin.RouterRMAdminService;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class AbstractSecureRouterTest {
+
+ public static final String REALM = "EXAMPLE.COM";
+
+ public static final String ROUTER = "router";
+ public static final String LOCALHOST = "localhost";
+ public static final String IP127001 = "127.0.0.1";
+ public static final String ROUTER_LOCALHOST = "router/" + LOCALHOST;
+ public static final String ROUTER_127001 = "router/" + IP127001;
+ public static final String ROUTER_REALM = "router@" + REALM;
+ public static final String ROUTER_LOCALHOST_REALM = ROUTER_LOCALHOST + "@" +
REALM;
+
+ private static final Logger LOG =
LoggerFactory.getLogger(AbstractSecureRouterTest.class);
+
+ public static final Configuration CONF;
+
+ static {
+ CONF = new Configuration();
+ CONF.set("hadoop.security.authentication", "kerberos");
+ CONF.setBoolean("hadoop.security.authorization", true);
+ }
+
+ public static final String SUN_SECURITY_KRB5_DEBUG =
"sun.security.krb5.debug";
+
+ public static final String CLIENT_RM_FEDERATION_CLIENT_INTERCEPTOR =
+
"org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor";
+
+ public static final String KERBEROS = "kerberos";
+
+ private static MiniKdc kdc;
+ private static File routerKeytab;
+ private static File kdcWorkDir;
+ private static Properties kdcConf;
+
+ private Router router = null;
+
+ private static Configuration conf;
+
+ private List<SubClusterId> subClusters;
+
+ private final static int NUM_SUBCLUSTER = 4;
+
+ private static ConcurrentHashMap<SubClusterId, MockRM> mockRMs =
+ new ConcurrentHashMap<>();
+
+ @BeforeClass
+ public static void beforeSecureRouterTestClass() throws Exception {
+
+ // Sets up the KDC and Principals.
+ setupKDCAndPrincipals();
+
+ // Init YarnConfiguration
+ conf = new YarnConfiguration();
+ conf.set(YarnConfiguration.ROUTER_BIND_HOST, "0.0.0.0");
+ conf.set(YarnConfiguration.ROUTER_CLIENTRM_INTERCEPTOR_CLASS_PIPELINE,
+ CLIENT_RM_FEDERATION_CLIENT_INTERCEPTOR);
+ conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
KERBEROS);
+ conf.set(YarnConfiguration.ROUTER_PRINCIPAL, ROUTER_LOCALHOST_REALM);
+ conf.set(YarnConfiguration.ROUTER_KEYTAB, routerKeytab.getAbsolutePath());
+ }
+
+ /**
+ * Sets up the KDC and Principals.
+ *
+ * @throws Exception an error occurred.
+ */
+ public static void setupKDCAndPrincipals() throws Exception {
+ // set up the KDC
+ File target = new File(System.getProperty("test.dir", "target"));
+ kdcWorkDir = new File(target, "kdc");
+ kdcWorkDir.mkdirs();
+ if (!kdcWorkDir.mkdirs()) {
+ Assert.assertTrue(kdcWorkDir.isDirectory());
+ }
+ kdcConf = MiniKdc.createConf();
+ kdcConf.setProperty(MiniKdc.DEBUG, "true");
+ kdc = new MiniKdc(kdcConf, kdcWorkDir);
+ kdc.start();
+
+ routerKeytab = createKeytab(ROUTER, "router.keytab");
+ }
+
+ /**
+ * Initialize RM in safe mode.
+ *
+ * @throws Exception an error occurred.
+ */
+ public static void setupSecureMockRM() throws Exception {
+ for (int i = 0; i < NUM_SUBCLUSTER; i++) {
+ SubClusterId sc = SubClusterId.newInstance(Integer.toString(i));
+ if (mockRMs.containsKey(sc)) {
+ continue;
+ }
+ MockRM mockRM = new TestRMRestart.TestSecurityMockRM(conf);
+ mockRM.start();
+ mockRM.registerNode("127.0.0.1:1234", 8 * 1024, 4);
+ mockRMs.put(sc, mockRM);
+ }
+ }
+
+ /**
+ * Create the keytab for the given principal, includes
+ * raw principal and $principal/localhost.
+ *
+ * @param principal principal short name.
+ * @param filename filename of keytab.
+ * @return file of keytab.
+ * @throws Exception an error occurred.
+ */
+ public static File createKeytab(String principal, String filename) throws
Exception {
+ Assert.assertTrue("empty principal", StringUtils.isNotBlank(principal));
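Review bot: `setupKDCAndPrincipals()` calls `kdcWorkDir.mkdirs()` twice in a row, so the first result is discarded and the guarded second call returns false whenever the first one created the directory, leaving the `isDirectory()` assertion as the only real check. Drop the bare call and give the assertion a message, e.g. `if (!kdcWorkDir.mkdirs()) { Assert.assertTrue("cannot create " + kdcWorkDir, kdcWorkDir.isDirectory()); }`; the same two lines appear in the earlier quoted copy of this file. Separately, `ROUTER_BIND_HOST` is set to `"0.0.0.0"` in `beforeSecureRouterTestClass()` while the principal is `router/localhost`; if nothing in the test needs a non-loopback listener, binding to `LOCALHOST` would keep the test router off the build host's other interfaces. `createKeytab` begins on the last lines of this hunk and its body continues outside it.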
Review Comment:
Let's statically import the asserts
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/test/java/org/apache/hadoop/yarn/server/router/secure/AbstractSecureRouterTest.java:
##########
@@ -0,0 +1,265 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.router.secure;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.federation.store.FederationStateStore;
+import org.apache.hadoop.yarn.server.federation.store.records.SubClusterId;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreFacade;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreTestUtil;
+import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart;
+import org.apache.hadoop.yarn.server.router.Router;
+import
org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor;
+import org.apache.hadoop.yarn.server.router.clientrm.RouterClientRMService;
+import
org.apache.hadoop.yarn.server.router.rmadmin.DefaultRMAdminRequestInterceptor;
+import org.apache.hadoop.yarn.server.router.rmadmin.RouterRMAdminService;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class AbstractSecureRouterTest {
Review Comment:
Are we going to use this abstract test in more places?
##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/test/java/org/apache/hadoop/yarn/server/router/secure/AbstractSecureRouterTest.java:
##########
@@ -0,0 +1,265 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.router.secure;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.federation.store.FederationStateStore;
+import org.apache.hadoop.yarn.server.federation.store.records.SubClusterId;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreFacade;
+import
org.apache.hadoop.yarn.server.federation.utils.FederationStateStoreTestUtil;
+import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
+import org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart;
+import org.apache.hadoop.yarn.server.router.Router;
+import
org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor;
+import org.apache.hadoop.yarn.server.router.clientrm.RouterClientRMService;
+import
org.apache.hadoop.yarn.server.router.rmadmin.DefaultRMAdminRequestInterceptor;
+import org.apache.hadoop.yarn.server.router.rmadmin.RouterRMAdminService;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class AbstractSecureRouterTest {
+
+ public static final String REALM = "EXAMPLE.COM";
+
+ public static final String ROUTER = "router";
+ public static final String LOCALHOST = "localhost";
+ public static final String IP127001 = "127.0.0.1";
+ public static final String ROUTER_LOCALHOST = "router/" + LOCALHOST;
+ public static final String ROUTER_127001 = "router/" + IP127001;
+ public static final String ROUTER_REALM = "router@" + REALM;
+ public static final String ROUTER_LOCALHOST_REALM = ROUTER_LOCALHOST + "@" +
REALM;
+
+ private static final Logger LOG =
LoggerFactory.getLogger(AbstractSecureRouterTest.class);
+
+ public static final Configuration CONF;
+
+ static {
+ CONF = new Configuration();
+ CONF.set("hadoop.security.authentication", "kerberos");
+ CONF.setBoolean("hadoop.security.authorization", true);
+ }
+
+ public static final String SUN_SECURITY_KRB5_DEBUG =
"sun.security.krb5.debug";
+
+ public static final String CLIENT_RM_FEDERATION_CLIENT_INTERCEPTOR =
+
"org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor";
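Review bot: The static `CONF` block spells its keys as string literals (`"hadoop.security.authentication"`, `"hadoop.security.authorization"`) and carries no comment saying which components are expected to use it. The file already imports `CommonConfigurationKeysPublic`, so the first line can read `CONF.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");`, with the matching constant for the authorization key. A one-line comment such as `// Kerberos authentication plus service-level authorization, shared by all secure router tests` would help, if that is the intent. The rest of the class is outside this hunk, so it is worth confirming that the configuration handed to the Router also enables authorization rather than only this constant.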
Review Comment:
Can we do something like FederationClientInterceptor.class.toString()?