diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/ClientToken.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/ClientToken.java
new file mode 100644
index 0000000000..92c4d9eb5d
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/ClientToken.java
@@ -0,0 +1,39 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.api.records;
+
+import org.apache.hadoop.classification.InterfaceAudience.Public;
+import org.apache.hadoop.classification.InterfaceStability.Stable;
+
+/**
+ *
+ * ClientToken
is the security token used by the AMs to verify
+ * authenticity of any client
.
+ *
+ *
+ *
+ * The ResourceManager
, provides a secure token (via
+ * {@link ApplicationReport#getClientToken()}) which is verified by the
+ * ApplicationMaster when the client directly talks to an AM.
+ *
+ *
+ */
+@Public
+@Stable
+public interface ClientToken extends Token {}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/Token.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/Token.java
new file mode 100644
index 0000000000..addc234e03
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/Token.java
@@ -0,0 +1,82 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.api.records;
+
+import java.nio.ByteBuffer;
+
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.classification.InterfaceAudience.Public;
+import org.apache.hadoop.classification.InterfaceStability.Stable;
+
+/**
+ * Token
is the security entity used by the framework
+ * to verify authenticity of any resource.
+ */
+@Public
+@Stable
+public interface Token {
+ /**
+ * Get the token identifier.
+ * @return token identifier
+ */
+ @Public
+ @Stable
+ ByteBuffer getIdentifier();
+
+ @Private
+ @Stable
+ void setIdentifier(ByteBuffer identifier);
+
+ /**
+ * Get the token password
+ * @return token password
+ */
+ @Public
+ @Stable
+ ByteBuffer getPassword();
+
+ @Private
+ @Stable
+ void setPassword(ByteBuffer password);
+
+ /**
+ * Get the token kind.
+ * @return token kind
+ */
+ @Public
+ @Stable
+ String getKind();
+
+ @Private
+ @Stable
+ void setKind(String kind);
+
+ /**
+ * Get the service to which the token is allocated.
+ * @return service to which the token is allocated
+ */
+ @Public
+ @Stable
+ String getService();
+
+ @Private
+ @Stable
+ void setService(String service);
+
+}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ClientTokenPBImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ClientTokenPBImpl.java
new file mode 100644
index 0000000000..6f5c52857e
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/ClientTokenPBImpl.java
@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.api.records.impl.pb;
+
+import org.apache.hadoop.security.proto.SecurityProtos.TokenProto;
+import org.apache.hadoop.yarn.api.records.ClientToken;
+
+public class ClientTokenPBImpl extends TokenPBImpl implements ClientToken {
+
+ public ClientTokenPBImpl() {
+ super();
+ }
+
+ public ClientTokenPBImpl(TokenProto p) {
+ super(p);
+ }
+}
\ No newline at end of file
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/TokenPBImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/TokenPBImpl.java
new file mode 100644
index 0000000000..fe304e03ad
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/impl/pb/TokenPBImpl.java
@@ -0,0 +1,165 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.api.records.impl.pb;
+
+import java.nio.ByteBuffer;
+
+import org.apache.hadoop.security.proto.SecurityProtos.TokenProto;
+import org.apache.hadoop.security.proto.SecurityProtos.TokenProtoOrBuilder;
+import org.apache.hadoop.yarn.api.records.ProtoBase;
+import org.apache.hadoop.yarn.api.records.Token;
+
+public class TokenPBImpl extends ProtoBase implements
+ Token {
+ private TokenProto proto = TokenProto.getDefaultInstance();
+ private TokenProto.Builder builder = null;
+ private boolean viaProto = false;
+
+ private ByteBuffer identifier;
+ private ByteBuffer password;
+
+ public TokenPBImpl() {
+ builder = TokenProto.newBuilder();
+ }
+
+ public TokenPBImpl(TokenProto proto) {
+ this.proto = proto;
+ viaProto = true;
+ }
+
+ public synchronized TokenProto getProto() {
+ mergeLocalToProto();
+ proto = viaProto ? proto : builder.build();
+ viaProto = true;
+ return proto;
+ }
+
+ private synchronized void mergeLocalToBuilder() {
+ if (this.identifier != null) {
+ builder.setIdentifier(convertToProtoFormat(this.identifier));
+ }
+ if (this.password != null) {
+ builder.setPassword(convertToProtoFormat(this.password));
+ }
+ }
+
+ private synchronized void mergeLocalToProto() {
+ if (viaProto)
+ maybeInitBuilder();
+ mergeLocalToBuilder();
+ proto = builder.build();
+ viaProto = true;
+ }
+
+ private synchronized void maybeInitBuilder() {
+ if (viaProto || builder == null) {
+ builder = TokenProto.newBuilder(proto);
+ }
+ viaProto = false;
+ }
+
+ @Override
+ public synchronized ByteBuffer getIdentifier() {
+ TokenProtoOrBuilder p = viaProto ? proto : builder;
+ if (this.identifier != null) {
+ return this.identifier;
+ }
+ if (!p.hasIdentifier()) {
+ return null;
+ }
+ this.identifier = convertFromProtoFormat(p.getIdentifier());
+ return this.identifier;
+ }
+
+ @Override
+ public synchronized void setIdentifier(ByteBuffer identifier) {
+ maybeInitBuilder();
+ if (identifier == null)
+ builder.clearIdentifier();
+ this.identifier = identifier;
+ }
+
+ @Override
+ public synchronized ByteBuffer getPassword() {
+ TokenProtoOrBuilder p = viaProto ? proto : builder;
+ if (this.password != null) {
+ return this.password;
+ }
+ if (!p.hasPassword()) {
+ return null;
+ }
+ this.password = convertFromProtoFormat(p.getPassword());
+ return this.password;
+ }
+
+ @Override
+ public synchronized void setPassword(ByteBuffer password) {
+ maybeInitBuilder();
+ if (password == null)
+ builder.clearPassword();
+ this.password = password;
+ }
+
+ @Override
+ public synchronized String getKind() {
+ TokenProtoOrBuilder p = viaProto ? proto : builder;
+ if (!p.hasKind()) {
+ return null;
+ }
+ return (p.getKind());
+ }
+
+ @Override
+ public synchronized void setKind(String kind) {
+ maybeInitBuilder();
+ if (kind == null) {
+ builder.clearKind();
+ return;
+ }
+ builder.setKind((kind));
+ }
+
+ @Override
+ public synchronized String getService() {
+ TokenProtoOrBuilder p = viaProto ? proto : builder;
+ if (!p.hasService()) {
+ return null;
+ }
+ return (p.getService());
+ }
+
+ @Override
+ public synchronized void setService(String service) {
+ maybeInitBuilder();
+ if (service == null) {
+ builder.clearService();
+ return;
+ }
+ builder.setService((service));
+ }
+
+ @Override
+ public String toString() {
+ StringBuilder sb = new StringBuilder();
+ sb.append("Token { ");
+ sb.append("kind: ").append(getKind()).append(", ");
+ sb.append("service: ").append(getService()).append(" }");
+ return sb.toString();
+ }
+}