SLIDER-782: run IPC tests against remote AM provided cluster is insecure
Project: http://git-wip-us.apache.org/repos/asf/incubator-slider/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-slider/commit/ef6fb9e3 Tree: http://git-wip-us.apache.org/repos/asf/incubator-slider/tree/ef6fb9e3 Diff: http://git-wip-us.apache.org/repos/asf/incubator-slider/diff/ef6fb9e3 Branch: refs/heads/develop Commit: ef6fb9e3b83aceca3403a2c30773f92a1ae23e1c Parents: 4124489 Author: Steve Loughran <ste...@apache.org> Authored: Fri Feb 13 16:53:52 2015 +0000 Committer: Steve Loughran <ste...@apache.org> Committed: Fri Feb 13 16:53:52 2015 +0000 ---------------------------------------------------------------------- .../slider/client/SliderYarnClientImpl.java | 1 - .../slider/server/appmaster/rpc/RpcBinder.java | 33 ++++++++++++++++++-- .../funtest/lifecycle/AgentWebPagesIT.groovy | 32 ++++++++++++++++++- 3 files changed, 61 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/ef6fb9e3/slider-core/src/main/java/org/apache/slider/client/SliderYarnClientImpl.java ---------------------------------------------------------------------- diff --git a/slider-core/src/main/java/org/apache/slider/client/SliderYarnClientImpl.java b/slider-core/src/main/java/org/apache/slider/client/SliderYarnClientImpl.java index 209169b..3b7a65c 100644 --- a/slider-core/src/main/java/org/apache/slider/client/SliderYarnClientImpl.java +++ b/slider-core/src/main/java/org/apache/slider/client/SliderYarnClientImpl.java @@ -73,7 +73,6 @@ public class SliderYarnClientImpl extends YarnClientImpl { return rmClient; } - /** * List Slider <i>running</i>instances belonging to a specific user. * @deprecated use {@link #listDeployedInstances(String)} http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/ef6fb9e3/slider-core/src/main/java/org/apache/slider/server/appmaster/rpc/RpcBinder.java ---------------------------------------------------------------------- diff --git a/slider-core/src/main/java/org/apache/slider/server/appmaster/rpc/RpcBinder.java b/slider-core/src/main/java/org/apache/slider/server/appmaster/rpc/RpcBinder.java index 9cc612e..9381b76 100644 --- a/slider-core/src/main/java/org/apache/slider/server/appmaster/rpc/RpcBinder.java +++ b/slider-core/src/main/java/org/apache/slider/server/appmaster/rpc/RpcBinder.java @@ -18,6 +18,7 @@ package org.apache.slider.server.appmaster.rpc; +import com.google.common.base.Preconditions; import com.google.protobuf.BlockingService; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.io.retry.RetryPolicy; @@ -248,10 +249,36 @@ public class RpcBinder { String host = application.getHost(); int port = application.getRpcPort(); + org.apache.hadoop.yarn.api.records.Token clientToAMToken = + application.getClientToAMToken(); + return createProxy(conf, host, port, clientToAMToken, rpcTimeout); + } + + /** + * + * @param conf config to use + * @param host hosname + * @param port port + * @param clientToAMToken auth token: only used in a secure cluster. + * converted via {@link ConverterUtils#convertFromYarn(org.apache.hadoop.yarn.api.records.Token, InetSocketAddress)} + * @param rpcTimeout timeout in RPC operations + * @return the proxy + * @throws SliderException + * @throws IOException + * @throws InterruptedException + */ + public static SliderClusterProtocol createProxy(final Configuration conf, + String host, + int port, + org.apache.hadoop.yarn.api.records.Token clientToAMToken, + final int rpcTimeout) throws + SliderException, + IOException, + InterruptedException { String address = host + ":" + port; if (SliderUtils.isUnset(host) || 0 == port) { throw new SliderException(SliderExitCodes.EXIT_CONNECTIVITY_PROBLEM, - "Slider instance " + application.getName() + "Slider instance " + " isn't providing a valid address for the" + " Slider RPC protocol: " + address); } @@ -265,8 +292,8 @@ public class RpcBinder { log.debug("Connecting to {}", serviceAddr); if (UserGroupInformation.isSecurityEnabled()) { - org.apache.hadoop.yarn.api.records.Token clientToAMToken = - application.getClientToAMToken(); + Preconditions.checkArgument(clientToAMToken != null, + "Null clientToAMToken"); Token<ClientToAMTokenIdentifier> token = ConverterUtils.convertFromYarn(clientToAMToken, serviceAddr); newUgi.addToken(token); http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/ef6fb9e3/slider-funtest/src/test/groovy/org/apache/slider/funtest/lifecycle/AgentWebPagesIT.groovy ---------------------------------------------------------------------- diff --git a/slider-funtest/src/test/groovy/org/apache/slider/funtest/lifecycle/AgentWebPagesIT.groovy b/slider-funtest/src/test/groovy/org/apache/slider/funtest/lifecycle/AgentWebPagesIT.groovy index bb82a86..f1e61f3 100644 --- a/slider-funtest/src/test/groovy/org/apache/slider/funtest/lifecycle/AgentWebPagesIT.groovy +++ b/slider-funtest/src/test/groovy/org/apache/slider/funtest/lifecycle/AgentWebPagesIT.groovy @@ -23,12 +23,16 @@ import groovy.transform.CompileStatic import groovy.util.logging.Slf4j import org.apache.hadoop.registry.client.api.RegistryOperations import org.apache.hadoop.security.UserGroupInformation +import org.apache.hadoop.yarn.api.ApplicationClientProtocol +import org.apache.hadoop.yarn.client.ClientRMProxy import org.apache.hadoop.yarn.webapp.ForbiddenException +import org.apache.slider.agent.rest.IpcApiClientTestDelegates import org.apache.slider.agent.rest.JerseyTestDelegates import org.apache.slider.agent.rest.AbstractRestTestDelegate import org.apache.slider.agent.rest.LowLevelRestTestDelegates import org.apache.slider.agent.rest.RestAPIClientTestDelegates import org.apache.slider.client.SliderClient +import org.apache.slider.client.ipc.SliderApplicationIpcClient import org.apache.slider.client.rest.RestClientFactory import org.apache.slider.common.SliderExitCodes import org.apache.slider.common.SliderKeys @@ -39,6 +43,7 @@ import org.apache.slider.common.tools.ConfigHelper import org.apache.slider.funtest.framework.AgentCommandTestBase import org.apache.slider.funtest.framework.FuntestProperties import org.apache.slider.funtest.framework.SliderShell +import org.apache.slider.server.appmaster.rpc.RpcBinder import org.junit.After import org.junit.Before import org.junit.Test @@ -179,7 +184,32 @@ public class AgentWebPagesIT extends AgentCommandTestBase if (proxyComplexVerbs) { sliderApplicationApi.ping("registry located") } - + + + // maybe execute IPC operations. + // these are skipped when security is enabled, until + // there's some code set up to do the tokens properly + if (!UserGroupInformation.isSecurityEnabled()) { + describe("IPC equivalent operations") +/* + def rmClient = ClientRMProxy.createRMProxy(conf, + ApplicationClientProtocol.class); +*/ + def sliderClusterProtocol = + RpcBinder.createProxy(conf, + report.host, + report.rpcPort, + null, + 1000) + SliderApplicationIpcClient ipcClient = + new SliderApplicationIpcClient(sliderClusterProtocol) + IpcApiClientTestDelegates ipcDelegates = + new IpcApiClientTestDelegates(ipcClient) + ipcDelegates.testSuiteAll() + } else { + describe( "skipping IPC API operations against secure cluster") + } + // finally, stop the AM if (directComplexVerbs) { describe "Stopping AM via REST API"