YARN-3834. Scrub debug logging of tokens during resource localization. Contributed by Chris Nauroth
This commit is contained in:
parent
c7d022b66f
commit
6c7a9d502a
@ -312,6 +312,9 @@ Release 2.8.0 - UNRELEASED
|
||||
YARN-3148. Allow CORS related headers to passthrough in WebAppProxyServlet.
|
||||
(Varun Saxena via devaraj)
|
||||
|
||||
YARN-3834. Scrub debug logging of tokens during resource localization.
|
||||
(Chris Nauroth via xgong)
|
||||
|
||||
OPTIMIZATIONS
|
||||
|
||||
YARN-3339. TestDockerContainerExecutor should pull a single image and not
|
||||
|
@ -51,6 +51,7 @@
|
||||
import java.util.concurrent.ThreadFactory;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
|
||||
import org.apache.commons.codec.digest.DigestUtils;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.apache.hadoop.classification.InterfaceAudience.Private;
|
||||
@ -1208,7 +1209,7 @@ private void writeCredentials(Path nmPrivateCTokensPath)
|
||||
if (LOG.isDebugEnabled()) {
|
||||
for (Token<? extends TokenIdentifier> tk : credentials
|
||||
.getAllTokens()) {
|
||||
LOG.debug(tk.getService() + " : " + tk.encodeToUrlString());
|
||||
LOG.debug(tk + " : " + buildTokenFingerprint(tk));
|
||||
}
|
||||
}
|
||||
if (UserGroupInformation.isSecurityEnabled()) {
|
||||
@ -1228,6 +1229,32 @@ private void writeCredentials(Path nmPrivateCTokensPath)
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns a fingerprint of a token. The fingerprint is suitable for use in
|
||||
* logging, because it cannot be used to determine the secret. The
|
||||
* fingerprint is built using the first 10 bytes of a SHA-256 hash of the
|
||||
* string encoding of the token. The returned string contains the hex
|
||||
* representation of each byte, delimited by a space.
|
||||
*
|
||||
* @param tk token
|
||||
* @return token fingerprint
|
||||
* @throws IOException if there is an I/O error
|
||||
*/
|
||||
@VisibleForTesting
|
||||
static String buildTokenFingerprint(Token<? extends TokenIdentifier> tk)
|
||||
throws IOException {
|
||||
char[] digest = DigestUtils.sha256Hex(tk.encodeToUrlString()).toCharArray();
|
||||
StringBuilder fingerprint = new StringBuilder();
|
||||
for (int i = 0; i < 10; ++i) {
|
||||
if (i > 0) {
|
||||
fingerprint.append(' ');
|
||||
}
|
||||
fingerprint.append(digest[2 * i]);
|
||||
fingerprint.append(digest[2 * i + 1]);
|
||||
}
|
||||
return fingerprint.toString();
|
||||
}
|
||||
|
||||
static class CacheCleanup extends Thread {
|
||||
|
||||
private final Dispatcher dispatcher;
|
||||
|
@ -2035,7 +2035,7 @@ private static LocalResource getPrivateMockedResource(Random r) {
|
||||
}
|
||||
|
||||
private static Container getMockContainer(ApplicationId appId, int id,
|
||||
String user) {
|
||||
String user) throws IOException {
|
||||
Container c = mock(Container.class);
|
||||
ApplicationAttemptId appAttemptId =
|
||||
BuilderUtils.newApplicationAttemptId(appId, 1);
|
||||
@ -2043,7 +2043,13 @@ private static Container getMockContainer(ApplicationId appId, int id,
|
||||
when(c.getUser()).thenReturn(user);
|
||||
when(c.getContainerId()).thenReturn(cId);
|
||||
Credentials creds = new Credentials();
|
||||
creds.addToken(new Text("tok" + id), getToken(id));
|
||||
Token<? extends TokenIdentifier> tk = getToken(id);
|
||||
String fingerprint = ResourceLocalizationService.buildTokenFingerprint(tk);
|
||||
assertNotNull(fingerprint);
|
||||
assertTrue(
|
||||
"Expected token fingerprint of 10 hex bytes delimited by space.",
|
||||
fingerprint.matches("^(([0-9a-f]){2} ){9}([0-9a-f]){2}$"));
|
||||
creds.addToken(new Text("tok" + id), tk);
|
||||
when(c.getCredentials()).thenReturn(creds);
|
||||
when(c.toString()).thenReturn(cId.toString());
|
||||
return c;
|
||||
|
Loading…
Reference in New Issue
Block a user