YARN-9708. Yarn Router Support DelegationToken.

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/pom.xml

@@ -196,6 +196,9 @@
                 <additionalProtoPathElement>
                   ${basedir}/../../hadoop-yarn-api/src/main/proto
                 </additionalProtoPathElement>
+                <additionalProtoPathElement>
+                  ${basedir}/../../hadoop-yarn-common/src/main/proto
+                </additionalProtoPathElement>
               </additionalProtoPathElements>
             </configuration>
           </execution>

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/federation/store/FederationDelegationTokenStateStore.java

@@ -0,0 +1,34 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership.  The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.hadoop.yarn.server.federation.store;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
+import org.apache.hadoop.yarn.server.federation.store.records.*;
+
+@InterfaceAudience.Private
+@InterfaceStability.Unstable
+public interface FederationDelegationTokenStateStore {
+
+  StoreNewMasterKeyResponse storeNewMasterKey(StoreNewMasterKeyRequest request) throws Exception;
+
+  RemoveStoredMasterKeyResponse removeStoredMasterKey(RemoveStoredMasterKeyRequest request)
+      throws Exception;
+
+  RouterStoreNewTokenResponse storeNewToken(RouterStoreNewTokenRequest request) throws Exception;
+}

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/federation/store/FederationStateStore.java

@@ -31,7 +31,8 @@
  */
 public interface FederationStateStore extends
     FederationApplicationHomeSubClusterStore, FederationMembershipStateStore,
-    FederationPolicyStore, FederationReservationHomeSubClusterStore {
+    FederationPolicyStore, FederationReservationHomeSubClusterStore,
+    FederationDelegationTokenStateStore {
 
   /**
    * Initialize the FederationStore.

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/federation/store/impl/MemoryFederationStateStore.java

@@ -17,15 +17,20 @@
 
 package org.apache.hadoop.yarn.server.federation.store.impl;
 
+import java.io.IOException;
+import java.nio.ByteBuffer;
 import java.util.ArrayList;
 import java.util.Calendar;
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.util.Set;
 import java.util.TimeZone;
 import java.util.concurrent.ConcurrentHashMap;
 
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.token.delegation.DelegationKey;
+import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.api.records.ReservationId;
 import org.apache.hadoop.yarn.exceptions.YarnException;
@@ -66,7 +71,16 @@
 import org.apache.hadoop.yarn.server.federation.store.records.GetReservationHomeSubClusterRequest;
 import org.apache.hadoop.yarn.server.federation.store.records.GetReservationsHomeSubClusterResponse;
 import org.apache.hadoop.yarn.server.federation.store.records.GetReservationsHomeSubClusterRequest;
+import org.apache.hadoop.yarn.server.federation.store.records.RemoveStoredMasterKeyResponse;
+import org.apache.hadoop.yarn.server.federation.store.records.RemoveStoredMasterKeyRequest;
+import org.apache.hadoop.yarn.server.federation.store.records.StoreNewMasterKeyResponse;
+import org.apache.hadoop.yarn.server.federation.store.records.StoreNewMasterKeyRequest;
+import org.apache.hadoop.yarn.server.federation.store.records.RouterStoreNewTokenRequest;
+import org.apache.hadoop.yarn.server.federation.store.records.RouterStoreNewTokenResponse;
 import org.apache.hadoop.yarn.server.federation.store.records.ReservationHomeSubCluster;
+import org.apache.hadoop.yarn.server.federation.store.records.RouterRMDTSecretManagerState;
+import org.apache.hadoop.yarn.server.federation.store.records.RouterMasterKey;
+import org.apache.hadoop.yarn.server.federation.store.records.RouterStoreToken;
 import org.apache.hadoop.yarn.server.federation.store.utils.FederationApplicationHomeSubClusterStoreInputValidator;
 import org.apache.hadoop.yarn.server.federation.store.utils.FederationReservationHomeSubClusterStoreInputValidator;
 import org.apache.hadoop.yarn.server.federation.store.utils.FederationMembershipStateStoreInputValidator;
@@ -86,6 +100,7 @@ public class MemoryFederationStateStore implements FederationStateStore {
   private Map<ApplicationId, SubClusterId> applications;
   private Map<ReservationId, SubClusterId> reservations;
   private Map<String, SubClusterPolicyConfiguration> policies;
+  private RouterRMDTSecretManagerState routerRMSecretManagerState;
 
   private final MonotonicClock clock = new MonotonicClock();
 
@@ -98,6 +113,7 @@ public void init(Configuration conf) {
     applications = new ConcurrentHashMap<ApplicationId, SubClusterId>();
     reservations = new ConcurrentHashMap<ReservationId, SubClusterId>();
     policies = new ConcurrentHashMap<String, SubClusterPolicyConfiguration>();
+    routerRMSecretManagerState = new RouterRMDTSecretManagerState();
   }
 
   @Override
@@ -365,4 +381,74 @@ public GetReservationsHomeSubClusterResponse getReservationsHomeSubCluster(
 
     return GetReservationsHomeSubClusterResponse.newInstance(result);
   }
+
+  @Override
+  public StoreNewMasterKeyResponse storeNewMasterKey(
+      StoreNewMasterKeyRequest request) throws Exception {
+
+    // Restore the DelegationKey from the request
+    RouterMasterKey masterKey = request.getRouterMasterKey();
+    ByteBuffer keyByteBuf = masterKey.getKeyBytes();
+    byte[] keyBytes = new byte[keyByteBuf.remaining()];
+    keyByteBuf.get(keyBytes);
+    DelegationKey delegationKey =
+        new DelegationKey(masterKey.getKeyId(), masterKey.getExpiryDate(), keyBytes);
+
+    Set<DelegationKey> rmDTMasterKeyState = routerRMSecretManagerState.getMasterKeyState();
+    if (rmDTMasterKeyState.contains(delegationKey)) {
+      LOG.info("Error storing info for RMDTMasterKey with keyID: {}.", delegationKey.getKeyId());
+      throw new IOException("RMDTMasterKey with keyID: " +
+          delegationKey.getKeyId() + " is already stored");
+    }
+
+    routerRMSecretManagerState.getMasterKeyState().add(delegationKey);
+    LOG.info("Store Router-RMDT master key with key id: {}. Currently rmDTMasterKeyState size: {}",
+        delegationKey.getKeyId(), rmDTMasterKeyState.size());
+
+    return StoreNewMasterKeyResponse.newInstance(masterKey);
+  }
+
+  @Override
+  public RemoveStoredMasterKeyResponse removeStoredMasterKey(
+      RemoveStoredMasterKeyRequest request) throws Exception {
+
+    // Restore the DelegationKey from the request
+    RouterMasterKey masterKey = request.getRouterMasterKey();
+    ByteBuffer keyByteBuf = masterKey.getKeyBytes();
+    byte[] keyBytes = new byte[keyByteBuf.remaining()];
+    keyByteBuf.get(keyBytes);
+    DelegationKey delegationKey =
+        new DelegationKey(masterKey.getKeyId(), masterKey.getExpiryDate(), keyBytes);
+
+    LOG.info("Remove Router-RMDT master key with key id: {}.", delegationKey.getKeyId());
+    Set<DelegationKey> rmDTMasterKeyState = routerRMSecretManagerState.getMasterKeyState();
+    rmDTMasterKeyState.remove(delegationKey);
+
+    return RemoveStoredMasterKeyResponse.newInstance(masterKey);
+  }
+
+  @Override
+  public RouterStoreNewTokenResponse storeNewToken(
+      RouterStoreNewTokenRequest request) throws Exception {
+    RouterStoreToken storeToken = request.getRouterStoreToken();
+    RMDelegationTokenIdentifier tokenIdentifier = storeToken.getTokenIdentifier();
+    Long renewDate = storeToken.getRenewDate();
+    storeOrUpdateRouterRMDT(tokenIdentifier, renewDate, false);
+    return RouterStoreNewTokenResponse.newInstance(storeToken);
+  }
+
+  private void storeOrUpdateRouterRMDT(RMDelegationTokenIdentifier rmDTIdentifier,
+      Long renewDate, boolean isUpdate) throws Exception {
+    Map<RMDelegationTokenIdentifier, Long> rmDTState = routerRMSecretManagerState.getTokenState();
+    if (rmDTState.containsKey(rmDTIdentifier)) {
+      LOG.info("Error storing info for RMDelegationToken: {}.", rmDTIdentifier);
+      throw new IOException("RMDelegationToken: " + rmDTIdentifier + "is already stored.");
+    }
+    rmDTState.put(rmDTIdentifier, renewDate);
+    if(!isUpdate) {
+      routerRMSecretManagerState.setDtSequenceNumber(rmDTIdentifier.getSequenceNumber());
+    }
+    LOG.info("Store RM-RMDT with sequence number {}.", rmDTIdentifier.getSequenceNumber());
+  }
+
 }

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/federation/store/impl/SQLFederationStateStore.java

@@ -74,6 +74,12 @@
 import org.apache.hadoop.yarn.server.federation.store.records.GetReservationHomeSubClusterRequest;
 import org.apache.hadoop.yarn.server.federation.store.records.GetReservationsHomeSubClusterResponse;
 import org.apache.hadoop.yarn.server.federation.store.records.GetReservationsHomeSubClusterRequest;
+import org.apache.hadoop.yarn.server.federation.store.records.RemoveStoredMasterKeyResponse;
+import org.apache.hadoop.yarn.server.federation.store.records.RemoveStoredMasterKeyRequest;
+import org.apache.hadoop.yarn.server.federation.store.records.StoreNewMasterKeyResponse;
+import org.apache.hadoop.yarn.server.federation.store.records.StoreNewMasterKeyRequest;
+import org.apache.hadoop.yarn.server.federation.store.records.RouterStoreNewTokenRequest;
+import org.apache.hadoop.yarn.server.federation.store.records.RouterStoreNewTokenResponse;
 import org.apache.hadoop.yarn.server.federation.store.utils.FederationApplicationHomeSubClusterStoreInputValidator;
 import org.apache.hadoop.yarn.server.federation.store.utils.FederationMembershipStateStoreInputValidator;
 import org.apache.hadoop.yarn.server.federation.store.utils.FederationPolicyStoreInputValidator;
@@ -1027,4 +1033,22 @@ public GetReservationsHomeSubClusterResponse getReservationsHomeSubCluster(
       GetReservationsHomeSubClusterRequest request) throws YarnException {
     throw new NotImplementedException("Code is not implemented");
   }
+
+  @Override
+  public StoreNewMasterKeyResponse storeNewMasterKey(
+      StoreNewMasterKeyRequest request) throws Exception{
+    throw new NotImplementedException("Code is not implemented");
+  }
+
+  @Override
+  public RemoveStoredMasterKeyResponse removeStoredMasterKey(
+      RemoveStoredMasterKeyRequest request) throws Exception {
+    throw new NotImplementedException("Code is not implemented");
+  }
+
+  @Override
+  public RouterStoreNewTokenResponse storeNewToken(
+      RouterStoreNewTokenRequest request) throws Exception {
+    throw new NotImplementedException("Code is not implemented");
+  }
 }

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/federation/store/impl/ZookeeperFederationStateStore.java

@@ -79,6 +79,12 @@
 import org.apache.hadoop.yarn.server.federation.store.utils.FederationMembershipStateStoreInputValidator;
 import org.apache.hadoop.yarn.server.federation.store.utils.FederationPolicyStoreInputValidator;
 import org.apache.hadoop.yarn.server.federation.store.utils.FederationStateStoreUtils;
+import org.apache.hadoop.yarn.server.federation.store.records.RemoveStoredMasterKeyResponse;
+import org.apache.hadoop.yarn.server.federation.store.records.RemoveStoredMasterKeyRequest;
+import org.apache.hadoop.yarn.server.federation.store.records.StoreNewMasterKeyResponse;
+import org.apache.hadoop.yarn.server.federation.store.records.StoreNewMasterKeyRequest;
+import org.apache.hadoop.yarn.server.federation.store.records.RouterStoreNewTokenRequest;
+import org.apache.hadoop.yarn.server.federation.store.records.RouterStoreNewTokenResponse;
 import org.apache.hadoop.yarn.server.records.Version;
 import org.apache.zookeeper.data.ACL;
 import org.slf4j.Logger;
@@ -662,4 +668,22 @@ public GetReservationsHomeSubClusterResponse getReservationsHomeSubCluster(
       GetReservationsHomeSubClusterRequest request) throws YarnException {
     throw new NotImplementedException("Code is not implemented");
   }
+
+  @Override
+  public StoreNewMasterKeyResponse storeNewMasterKey(
+      StoreNewMasterKeyRequest request) throws Exception{
+    throw new NotImplementedException("Code is not implemented");
+  }
+
+  @Override
+  public RemoveStoredMasterKeyResponse removeStoredMasterKey(
+      RemoveStoredMasterKeyRequest request) throws Exception {
+    throw new NotImplementedException("Code is not implemented");
+  }
+
+  @Override
+  public RouterStoreNewTokenResponse storeNewToken(
+      RouterStoreNewTokenRequest request) throws Exception {
+    throw new NotImplementedException("Code is not implemented");
+  }
 }

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/federation/store/records/GetRouterDelegationTokenRequest.java

@@ -0,0 +1,50 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.federation.store.records;
+
+import org.apache.hadoop.classification.InterfaceAudience.Public;
+import org.apache.hadoop.classification.InterfaceStability.Stable;
+import org.apache.hadoop.yarn.util.Records;
+
+/**
+ * The request issued by the client to get a delegation token from
+ * the {@code ResourceManager}.
+ * for more information.
+ */
+@Public
+@Stable
+public abstract class GetRouterDelegationTokenRequest {
+
+  @Public
+  @Stable
+  public static GetRouterDelegationTokenRequest newInstance(String renewer) {
+    GetRouterDelegationTokenRequest request =
+        Records.newRecord(GetRouterDelegationTokenRequest.class);
+    request.setRenewer(renewer);
+    return request;
+  }
+
+  @Public
+  @Stable
+  public abstract String getRenewer();
+
+  @Public
+  @Stable
+  public abstract void setRenewer(String renewer);
+}

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/federation/store/records/GetRouterDelegationTokenResponse.java

@@ -0,0 +1,62 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.federation.store.records;
+
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceAudience.Public;
+import org.apache.hadoop.classification.InterfaceStability.Stable;
+import org.apache.hadoop.classification.InterfaceStability.Unstable;
+import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
+import org.apache.hadoop.yarn.api.protocolrecords.GetDelegationTokenRequest;
+import org.apache.hadoop.yarn.api.records.Token;
+import org.apache.hadoop.yarn.util.Records;
+
+
+/**
+ * Response to a {@link GetDelegationTokenRequest} request
+ * from the client. The response contains the token that 
+ * can be used by the containers to talk to  ClientRMService.
+ *
+ */
+@Public
+@Stable
+public abstract class GetRouterDelegationTokenResponse {
+
+  @Private
+  @Unstable
+  public static GetRouterDelegationTokenResponse newInstance(Token rmDTToken) {
+    GetRouterDelegationTokenResponse response =
+        Records.newRecord(GetRouterDelegationTokenResponse.class);
+    response.setRMDelegationToken(rmDTToken);
+    return response;
+  }
+
+  /**
+   * The Delegation tokens have a identifier which maps to
+   * {@link AbstractDelegationTokenIdentifier}.
+   * @return the delegation tokens
+   */
+  @Public
+  @Stable
+  public abstract Token getRMDelegationToken();
+
+  @Private
+  @Unstable
+  public abstract void setRMDelegationToken(Token rmDTToken);
+}