org.apache.hadoop.yarn.security.NMTokenIdentifier Java Examples
The following examples show how to use
org.apache.hadoop.yarn.security.NMTokenIdentifier.
Example #1
Source File: BaseNMTokenSecretManager.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Computes the NMToken password for {@code identifier} using the secret of
 * the current master key.
 *
 * @param identifier token identifier whose serialized bytes are the input
 * @return the password produced by {@code createPassword(byte[], key)}
 */
@Override
protected byte[] createPassword(NMTokenIdentifier identifier) {
  if (LOG.isDebugEnabled()) {
    // Only the attempt id, submitter and node id are logged here; neither the
    // key nor the resulting password is written to the log.
    final String message = "creating password for "
        + identifier.getApplicationAttemptId() + " for user "
        + identifier.getApplicationSubmitter() + " to run on NM "
        + identifier.getNodeId();
    LOG.debug(message);
  }
  // currentMasterKey is read under the read lock; presumably key rollover
  // takes the matching write lock -- confirm in the rest of the class.
  readLock.lock();
  try {
    final byte[] tokenBytes = identifier.getBytes();
    return createPassword(tokenBytes, currentMasterKey.getSecretKey());
  } finally {
    readLock.unlock();
  }
}
Example #2
Source File: ContainerManagementProtocolProxy.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Builds a {@code ContainerManagementProtocol} proxy to the NodeManager at
 * {@code containerManagerBindAddr}, carrying the supplied NMToken.
 *
 * @param rpc RPC implementation handed to the proxy factory
 * @param containerManagerBindAddr address of the NodeManager's container manager
 * @param containerId container whose application attempt names the remote user
 * @param token NMToken for the target NodeManager
 * @return the proxy created by {@code NMProxy.createNMProxy}
 * @throws InvalidToken if {@code token} is {@code null}
 */
@Private
@VisibleForTesting
protected ContainerManagementProtocol newProxy(final YarnRPC rpc,
    String containerManagerBindAddr, ContainerId containerId, Token token)
    throws InvalidToken {
  // Refuse to open an unauthenticated proxy.
  if (token == null) {
    throw new InvalidToken("No NMToken sent for " + containerManagerBindAddr);
  }

  final InetSocketAddress cmAddr =
      NetUtils.createSocketAddr(containerManagerBindAddr);
  LOG.info("Opening proxy : " + containerManagerBindAddr);

  // The remote user is named after the application attempt id (the original
  // comment said ContainerID, but the attempt id string is what is passed).
  final String attemptName = containerId.getApplicationAttemptId().toString();
  UserGroupInformation user = UserGroupInformation.createRemoteUser(attemptName);

  // Bind the NMToken to the NodeManager address before attaching it to the UGI.
  org.apache.hadoop.security.token.Token<NMTokenIdentifier> nmToken =
      ConverterUtils.convertFromYarn(token, cmAddr);
  user.addToken(nmToken);

  return NMProxy.createNMProxy(conf, ContainerManagementProtocol.class, user,
      rpc, cmAddr);
}
Example #3
Source File: TestContainerManagerRecovery.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Test helper: starts a single container on {@code cm} while acting as a
 * remote user named after the container's application attempt.
 *
 * <p>The NMTokenIdentifier is built directly from the current NMToken master
 * key id and attached to the UGI as an identifier, so no signed token is
 * exchanged in this helper.
 *
 * @param context NodeManager context supplying node id and secret managers
 * @param cm container manager under test
 * @param cid id of the container to start
 * @param clc launch context for the container
 * @param logAggregationContext log aggregation settings placed in the container token
 * @return the response from {@code cm.startContainers}
 * @throws Exception whatever the start call or {@code doAs} raises
 */
private StartContainersResponse startContainer(Context context,
    final ContainerManagerImpl cm, ContainerId cid,
    ContainerLaunchContext clc, LogAggregationContext logAggregationContext)
    throws Exception {
  UserGroupInformation caller = UserGroupInformation.createRemoteUser(
      cid.getApplicationAttemptId().toString());

  StartContainerRequest request = StartContainerRequest.newInstance(
      clc,
      TestContainerManager.createContainerToken(cid, 0, context.getNodeId(),
          caller.getShortUserName(),
          context.getContainerTokenSecretManager(), logAggregationContext));
  final List<StartContainerRequest> requests =
      new ArrayList<StartContainerRequest>();
  requests.add(request);

  // Identifier only: the key id comes from the NodeManager's current key.
  NMTokenIdentifier tokenId = new NMTokenIdentifier(
      cid.getApplicationAttemptId(), context.getNodeId(),
      caller.getShortUserName(),
      context.getNMTokenSecretManager().getCurrentKey().getKeyId());
  caller.addTokenIdentifier(tokenId);

  PrivilegedExceptionAction<StartContainersResponse> startAction =
      new PrivilegedExceptionAction<StartContainersResponse>() {
        @Override
        public StartContainersResponse run() throws Exception {
          return cm.startContainers(
              StartContainersRequest.newInstance(requests));
        }
      };
  return caller.doAs(startAction);
}
Example #4
Source File: ContainerManagerImpl.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Returns the status of one container after running the get/stop
 * authorization check against the caller's NMToken identifier.
 *
 * @param containerID container whose status is requested
 * @param nmTokenIdentifier NMToken identifier of the caller
 * @return a cloned status of the container
 * @throws YarnException if the authorization call throws, or if this
 *     NodeManager has no record of the container
 */
private ContainerStatus getContainerStatusInternal(ContainerId containerID,
    NMTokenIdentifier nmTokenIdentifier) throws YarnException {
  final String idText = containerID.toString();
  final Container known = this.context.getContainers().get(containerID);
  LOG.info("Getting container-status for " + idText);

  // Authorization runs before the lookup result is reported, including the
  // case where the container is unknown (known == null).
  authorizeGetAndStopContainerRequest(containerID, known, false,
      nmTokenIdentifier);

  if (known == null) {
    final String reason =
        nodeStatusUpdater.isContainerRecentlyStopped(containerID)
            ? " was recently stopped on node manager."
            : " is not handled by this NodeManager";
    throw RPCUtil.getRemoteException("Container " + idText + reason);
  }

  final ContainerStatus status = known.cloneAndGetContainerStatus();
  LOG.info("Returning " + status);
  return status;
}
Example #5
Source File: ContainerManagerImpl.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Gets the statuses of the requested containers on this NodeManager.
 *
 * <p>Each container id is processed independently: a {@link YarnException}
 * for one id is recorded in the failure map and does not abort the others.
 *
 * @param request request carrying the container ids to query
 * @return response holding the collected statuses and the per-container failures
 * @throws YarnException declared by the protocol
 * @throws IOException declared by the protocol
 */
@Override
public GetContainerStatusesResponse getContainerStatuses(
    GetContainerStatusesRequest request) throws YarnException, IOException {
  final List<ContainerStatus> statuses = new ArrayList<ContainerStatus>();
  final Map<ContainerId, SerializedException> failures =
      new HashMap<ContainerId, SerializedException>();

  // The NMToken identifier is taken from the authenticated remote caller.
  // NOTE(review): it is passed on without a null check -- confirm that
  // selectNMTokenIdentifier cannot return null for an authenticated caller.
  final UserGroupInformation caller = getRemoteUgi();
  final NMTokenIdentifier callerToken = selectNMTokenIdentifier(caller);

  for (ContainerId containerId : request.getContainerIds()) {
    try {
      statuses.add(getContainerStatusInternal(containerId, callerToken));
    } catch (YarnException failure) {
      failures.put(containerId, SerializedException.newInstance(failure));
    }
  }

  return GetContainerStatusesResponse.newInstance(statuses, failures);
}
Example #6
Source File: ContainerManagerImpl.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Stops the requested containers on this NodeManager.
 *
 * <p>Each container id is processed independently: a {@link YarnException}
 * for one id is recorded in the failure map and does not abort the others.
 *
 * @param requests request carrying the container ids to stop
 * @return response holding the ids that were stopped and the per-container failures
 * @throws YarnException declared by the protocol
 * @throws IOException if a stop call raises it (not caught per container)
 */
@Override
public StopContainersResponse stopContainers(StopContainersRequest requests)
    throws YarnException, IOException {
  final List<ContainerId> stopped = new ArrayList<ContainerId>();
  final Map<ContainerId, SerializedException> failures =
      new HashMap<ContainerId, SerializedException>();

  // The NMToken identifier is taken from the authenticated remote caller.
  // NOTE(review): it is passed on without a null check -- confirm that
  // selectNMTokenIdentifier cannot return null for an authenticated caller.
  final UserGroupInformation caller = getRemoteUgi();
  final NMTokenIdentifier callerToken = selectNMTokenIdentifier(caller);

  for (ContainerId containerId : requests.getContainerIds()) {
    try {
      stopContainerInternal(callerToken, containerId);
      stopped.add(containerId);
    } catch (YarnException failure) {
      failures.put(containerId, SerializedException.newInstance(failure));
    }
  }

  return StopContainersResponse.newInstance(stopped, failures);
}
Example #7
Source File: BaseNMTokenSecretManager.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Computes the NMToken password for {@code identifier} using the secret of
 * the current master key.
 *
 * @param identifier token identifier whose serialized bytes are the input
 * @return the password produced by {@code createPassword(byte[], key)}
 */
@Override
protected byte[] createPassword(NMTokenIdentifier identifier) {
  if (LOG.isDebugEnabled()) {
    // Only the attempt id, submitter and node id are logged here; neither the
    // key nor the resulting password is written to the log.
    final String message = "creating password for "
        + identifier.getApplicationAttemptId() + " for user "
        + identifier.getApplicationSubmitter() + " to run on NM "
        + identifier.getNodeId();
    LOG.debug(message);
  }
  // currentMasterKey is read under the read lock; presumably key rollover
  // takes the matching write lock -- confirm in the rest of the class.
  readLock.lock();
  try {
    final byte[] tokenBytes = identifier.getBytes();
    return createPassword(tokenBytes, currentMasterKey.getSecretKey());
  } finally {
    readLock.unlock();
  }
}
Example #8
Source File: ContainerManagementProtocolProxy.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Builds a {@code ContainerManagementProtocol} proxy to the NodeManager at
 * {@code containerManagerBindAddr}, carrying the supplied NMToken.
 *
 * @param rpc RPC implementation handed to the proxy factory
 * @param containerManagerBindAddr address of the NodeManager's container manager
 * @param containerId container whose application attempt names the remote user
 * @param token NMToken for the target NodeManager
 * @return the proxy created by {@code NMProxy.createNMProxy}
 * @throws InvalidToken if {@code token} is {@code null}
 */
@Private
@VisibleForTesting
protected ContainerManagementProtocol newProxy(final YarnRPC rpc,
    String containerManagerBindAddr, ContainerId containerId, Token token)
    throws InvalidToken {
  // Refuse to open an unauthenticated proxy.
  if (token == null) {
    throw new InvalidToken("No NMToken sent for " + containerManagerBindAddr);
  }

  final InetSocketAddress cmAddr =
      NetUtils.createSocketAddr(containerManagerBindAddr);
  LOG.info("Opening proxy : " + containerManagerBindAddr);

  // The remote user is named after the application attempt id (the original
  // comment said ContainerID, but the attempt id string is what is passed).
  final String attemptName = containerId.getApplicationAttemptId().toString();
  UserGroupInformation user = UserGroupInformation.createRemoteUser(attemptName);

  // Bind the NMToken to the NodeManager address before attaching it to the UGI.
  org.apache.hadoop.security.token.Token<NMTokenIdentifier> nmToken =
      ConverterUtils.convertFromYarn(token, cmAddr);
  user.addToken(nmToken);

  return NMProxy.createNMProxy(conf, ContainerManagementProtocol.class, user,
      rpc, cmAddr);
}
Example #9
Source File: TestContainerManagerRecovery.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Test helper: starts a single container on {@code cm} while acting as a
 * remote user named after the container's application attempt.
 *
 * <p>The NMTokenIdentifier is built directly from the current NMToken master
 * key id and attached to the UGI as an identifier, so no signed token is
 * exchanged in this helper.
 *
 * @param context NodeManager context supplying node id and secret managers
 * @param cm container manager under test
 * @param cid id of the container to start
 * @param clc launch context for the container
 * @param logAggregationContext log aggregation settings placed in the container token
 * @return the response from {@code cm.startContainers}
 * @throws Exception whatever the start call or {@code doAs} raises
 */
private StartContainersResponse startContainer(Context context,
    final ContainerManagerImpl cm, ContainerId cid,
    ContainerLaunchContext clc, LogAggregationContext logAggregationContext)
    throws Exception {
  UserGroupInformation caller = UserGroupInformation.createRemoteUser(
      cid.getApplicationAttemptId().toString());

  StartContainerRequest request = StartContainerRequest.newInstance(
      clc,
      TestContainerManager.createContainerToken(cid, 0, context.getNodeId(),
          caller.getShortUserName(),
          context.getContainerTokenSecretManager(), logAggregationContext));
  final List<StartContainerRequest> requests =
      new ArrayList<StartContainerRequest>();
  requests.add(request);

  // Identifier only: the key id comes from the NodeManager's current key.
  NMTokenIdentifier tokenId = new NMTokenIdentifier(
      cid.getApplicationAttemptId(), context.getNodeId(),
      caller.getShortUserName(),
      context.getNMTokenSecretManager().getCurrentKey().getKeyId());
  caller.addTokenIdentifier(tokenId);

  PrivilegedExceptionAction<StartContainersResponse> startAction =
      new PrivilegedExceptionAction<StartContainersResponse>() {
        @Override
        public StartContainersResponse run() throws Exception {
          return cm.startContainers(
              StartContainersRequest.newInstance(requests));
        }
      };
  return caller.doAs(startAction);
}
Example #10
Source File: ContainerManagerImpl.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Returns the status of one container after running the get/stop
 * authorization check against the caller's NMToken identifier.
 *
 * @param containerID container whose status is requested
 * @param nmTokenIdentifier NMToken identifier of the caller
 * @return a cloned status of the container
 * @throws YarnException if the authorization call throws, or if this
 *     NodeManager has no record of the container
 */
private ContainerStatus getContainerStatusInternal(ContainerId containerID,
    NMTokenIdentifier nmTokenIdentifier) throws YarnException {
  final String idText = containerID.toString();
  final Container known = this.context.getContainers().get(containerID);
  LOG.info("Getting container-status for " + idText);

  // Authorization runs before the lookup result is reported, including the
  // case where the container is unknown (known == null).
  authorizeGetAndStopContainerRequest(containerID, known, false,
      nmTokenIdentifier);

  if (known == null) {
    final String reason =
        nodeStatusUpdater.isContainerRecentlyStopped(containerID)
            ? " was recently stopped on node manager."
            : " is not handled by this NodeManager";
    throw RPCUtil.getRemoteException("Container " + idText + reason);
  }

  final ContainerStatus status = known.cloneAndGetContainerStatus();
  LOG.info("Returning " + status);
  return status;
}
Example #11
Source File: ContainerManagerImpl.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Gets the statuses of the requested containers on this NodeManager.
 *
 * <p>Each container id is processed independently: a {@link YarnException}
 * for one id is recorded in the failure map and does not abort the others.
 *
 * @param request request carrying the container ids to query
 * @return response holding the collected statuses and the per-container failures
 * @throws YarnException declared by the protocol
 * @throws IOException declared by the protocol
 */
@Override
public GetContainerStatusesResponse getContainerStatuses(
    GetContainerStatusesRequest request) throws YarnException, IOException {
  final List<ContainerStatus> statuses = new ArrayList<ContainerStatus>();
  final Map<ContainerId, SerializedException> failures =
      new HashMap<ContainerId, SerializedException>();

  // The NMToken identifier is taken from the authenticated remote caller.
  // NOTE(review): it is passed on without a null check -- confirm that
  // selectNMTokenIdentifier cannot return null for an authenticated caller.
  final UserGroupInformation caller = getRemoteUgi();
  final NMTokenIdentifier callerToken = selectNMTokenIdentifier(caller);

  for (ContainerId containerId : request.getContainerIds()) {
    try {
      statuses.add(getContainerStatusInternal(containerId, callerToken));
    } catch (YarnException failure) {
      failures.put(containerId, SerializedException.newInstance(failure));
    }
  }

  return GetContainerStatusesResponse.newInstance(statuses, failures);
}
Example #12
Source File: ContainerManagerImpl.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Stops the requested containers on this NodeManager.
 *
 * <p>Each container id is processed independently: a {@link YarnException}
 * for one id is recorded in the failure map and does not abort the others.
 *
 * @param requests request carrying the container ids to stop
 * @return response holding the ids that were stopped and the per-container failures
 * @throws YarnException declared by the protocol
 * @throws IOException if a stop call raises it (not caught per container)
 */
@Override
public StopContainersResponse stopContainers(StopContainersRequest requests)
    throws YarnException, IOException {
  final List<ContainerId> stopped = new ArrayList<ContainerId>();
  final Map<ContainerId, SerializedException> failures =
      new HashMap<ContainerId, SerializedException>();

  // The NMToken identifier is taken from the authenticated remote caller.
  // NOTE(review): it is passed on without a null check -- confirm that
  // selectNMTokenIdentifier cannot return null for an authenticated caller.
  final UserGroupInformation caller = getRemoteUgi();
  final NMTokenIdentifier callerToken = selectNMTokenIdentifier(caller);

  for (ContainerId containerId : requests.getContainerIds()) {
    try {
      stopContainerInternal(callerToken, containerId);
      stopped.add(containerId);
    } catch (YarnException failure) {
      failures.put(containerId, SerializedException.newInstance(failure));
    }
  }

  return StopContainersResponse.newInstance(stopped, failures);
}
Example #13
Source File: NMTokenIdentifierNewForTest.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Test-only constructor: copies the fields of an existing NMTokenIdentifier
 * into the "new" proto layout and adds an extra {@code message} field.
 *
 * @param tokenIdentifier identifier whose attempt id, node id, submitter and
 *     key id are copied
 * @param message value stored in the proto's message field
 */
public NMTokenIdentifierNewForTest(NMTokenIdentifier tokenIdentifier,
    String message) {
  builder = NMTokenIdentifierNewProto.newBuilder();
  builder
      .setAppAttemptId(tokenIdentifier.getProto().getAppAttemptId())
      .setNodeId(tokenIdentifier.getProto().getNodeId())
      .setAppSubmitter(tokenIdentifier.getApplicationSubmitter())
      .setKeyId(tokenIdentifier.getKeyId())
      .setMessage(message);
  proto = builder.build();
  // The builder is dropped once the proto has been built.
  builder = null;
}
Example #14
Source File: BaseNMTokenSecretManager.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Recomputes the password for {@code identifier} with the current master key.
 *
 * @param identifier token identifier presented by the caller
 * @return the password computed by {@code retrivePasswordInternal}
 * @throws org.apache.hadoop.security.token.SecretManager.InvalidToken
 *     declared by the overridden method
 */
@Override
public byte[] retrievePassword(NMTokenIdentifier identifier)
    throws org.apache.hadoop.security.token.SecretManager.InvalidToken {
  // currentMasterKey is read under the read lock; presumably key rollover
  // takes the matching write lock -- confirm in the rest of the class.
  readLock.lock();
  try {
    final byte[] password =
        retrivePasswordInternal(identifier, currentMasterKey);
    return password;
  } finally {
    readLock.unlock();
  }
}
Example #15
Source File: DummyContainerManager.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Test double: returns a fixed remote user instead of the RPC caller.
 *
 * <p>The user is named after attempt 1 of application (0, 0) and carries an
 * NMTokenIdentifier for submitter {@code "testuser"} built from the current
 * NMToken master key id.
 *
 * @return the fabricated remote user
 * @throws YarnException declared by the overridden method
 */
@Override
protected UserGroupInformation getRemoteUgi() throws YarnException {
  final ApplicationAttemptId attemptId =
      ApplicationAttemptId.newInstance(ApplicationId.newInstance(0, 0), 1);
  final UserGroupInformation caller =
      UserGroupInformation.createRemoteUser(attemptId.toString());

  final NMTokenIdentifier tokenId = new NMTokenIdentifier(
      attemptId,
      getContext().getNodeId(),
      "testuser",
      getContext().getNMTokenSecretManager().getCurrentKey().getKeyId());
  caller.addTokenIdentifier(tokenId);
  return caller;
}
Example #16
Source File: TestContainerManager.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Creates the ContainerManagerImpl used by the tests, with three overrides:
 * blocking of new container requests is a no-op, the remote caller is a
 * fabricated user, and get/stop authorization is replaced by a stub.
 *
 * @param delSrvc deletion service passed to the container manager
 * @return the anonymous ContainerManagerImpl subclass
 */
@Override
protected ContainerManagerImpl createContainerManager(DeletionService delSrvc) {
  return new ContainerManagerImpl(context, exec, delSrvc, nodeStatusUpdater,
      metrics, new ApplicationACLsManager(conf), dirsHandler) {

    @Override
    public void setBlockNewContainerRequests(
        boolean blockNewContainerRequests) {
      // do nothing
    }

    /** Returns a fixed remote user named after attempt 1 of application (0, 0). */
    @Override
    protected UserGroupInformation getRemoteUgi() throws YarnException {
      final ApplicationAttemptId attemptId =
          ApplicationAttemptId.newInstance(ApplicationId.newInstance(0, 0), 1);
      final UserGroupInformation caller =
          UserGroupInformation.createRemoteUser(attemptId.toString());
      caller.addTokenIdentifier(new NMTokenIdentifier(
          attemptId,
          context.getNodeId(),
          user,
          context.getNMTokenSecretManager().getCurrentKey().getKeyId()));
      return caller;
    }

    /**
     * Stub check: rejects unknown containers and containers owned by the
     * user "Fail"; the NMToken identifier is not consulted here.
     */
    @Override
    protected void authorizeGetAndStopContainerRequest(
        ContainerId containerId, Container container, boolean stopRequest,
        NMTokenIdentifier identifier) throws YarnException {
      final boolean rejected =
          container == null || container.getUser().equals("Fail");
      if (rejected) {
        throw new YarnException("Reject this container");
      }
    }
  };
}
Example #17
Source File: BaseNMTokenSecretManager.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Recomputes the password for {@code identifier} with the given master key.
 *
 * @param identifier token identifier whose serialized bytes are the input
 * @param masterKey master key whose secret is used
 * @return the password produced by {@code createPassword(byte[], key)}
 */
protected byte[] retrivePasswordInternal(NMTokenIdentifier identifier,
    MasterKeyData masterKey) {
  if (LOG.isDebugEnabled()) {
    // NOTE(review): the text says "creating" although this is the retrieval
    // path; the message is kept unchanged.
    final String message = "creating password for "
        + identifier.getApplicationAttemptId() + " for user "
        + identifier.getApplicationSubmitter() + " to run on NM "
        + identifier.getNodeId();
    LOG.debug(message);
  }
  final byte[] tokenBytes = identifier.getBytes();
  return createPassword(tokenBytes, masterKey.getSecretKey());
}
Example #18
Source File: ContainerManagerImpl.java From big-c with Apache License 2.0 | 5 votes |
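/**
 * Verifies that a get-status or stop request targets a container that belongs
 * to the application named in the caller's NMToken, and rejects it otherwise.
 *
 * <p>Two conditions must hold: the requested {@code containerId} belongs to
 * the NMToken's application, and, when this NodeManager has a record of the
 * container, that record belongs to the same application. This keeps one
 * application from stopping or learning about another application's
 * containers.
 *
 * <p>Previously a mismatch was only logged and the request went ahead; the
 * log statements also dereferenced {@code container}, which is {@code null}
 * for an unknown container. The mismatch is now reported with
 * {@code containerId} and rejected with a {@link YarnException}.
 *
 * @param containerId id of the container named in the request
 * @param container this NodeManager's record for that id, or {@code null}
 * @param stopRequest {@code true} for a stop request, {@code false} for a
 *     status request
 * @param identifier NMToken identifier of the caller
 * @throws YarnException if the container does not belong to the NMToken's
 *     application
 */
@Private
@VisibleForTesting
protected void authorizeGetAndStopContainerRequest(ContainerId containerId,
    Container container, boolean stopRequest, NMTokenIdentifier identifier)
    throws YarnException {
  ApplicationId nmTokenAppId =
      identifier.getApplicationAttemptId().getApplicationId();

  boolean sameApplication =
      nmTokenAppId.equals(
          containerId.getApplicationAttemptId().getApplicationId())
      && (container == null || nmTokenAppId.equals(container
          .getContainerId().getApplicationAttemptId().getApplicationId()));
  if (sameApplication) {
    return;
  }

  // container may be null on this path, so the requested id is reported.
  String msg;
  if (stopRequest) {
    msg = identifier.getApplicationAttemptId()
        + " attempted to stop non-application container : " + containerId;
    NMAuditLogger.logFailure("UnknownUser", AuditConstants.STOP_CONTAINER,
        "ContainerManagerImpl", "Trying to stop unknown container!",
        nmTokenAppId, containerId);
  } else {
    msg = identifier.getApplicationAttemptId()
        + " attempted to get status for non-application container : "
        + containerId;
  }
  LOG.warn(msg);
  // Fail closed: an authorization mismatch must stop the request.
  throw new YarnException(msg);
}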
Example #19
Source File: BaseNMTokenSecretManager.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Wraps an NMToken identifier and its password in a YARN {@code Token}
 * addressed to the identifier's node.
 *
 * @param password password computed for {@code identifier}
 * @param identifier NMToken identifier supplying the token bytes and node id
 * @return the assembled token
 */
public static Token newInstance(byte[] password,
    NMTokenIdentifier identifier) {
  final NodeId node = identifier.getNodeId();
  // RPC layer client expects ip:port as service for tokens
  final InetSocketAddress serviceAddr =
      NetUtils.createSocketAddrForHost(node.getHost(), node.getPort());

  final byte[] tokenBytes = identifier.getBytes();
  final String kind = NMTokenIdentifier.KIND.toString();
  final String service =
      SecurityUtil.buildTokenService(serviceAddr).toString();
  return Token.newInstance(tokenBytes, kind, password, service);
}
Example #20
Source File: ContainerManagerImpl.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Stops one container after running the get/stop authorization check
 * against the caller's NMToken identifier.
 *
 * <p>An unknown container that was recently stopped is treated as already
 * done and returns silently; any other unknown container is an error.
 *
 * @param nmTokenIdentifier NMToken identifier of the caller
 * @param containerID container to stop
 * @throws YarnException if the authorization call throws, or if this
 *     NodeManager has no record of the container and it was not recently stopped
 * @throws IOException declared; presumably raised by the state store -- confirm
 */
@SuppressWarnings("unchecked")
private void stopContainerInternal(NMTokenIdentifier nmTokenIdentifier,
    ContainerId containerID) throws YarnException, IOException {
  final String idText = containerID.toString();
  final Container target = this.context.getContainers().get(containerID);
  LOG.info("Stopping container with container Id: " + idText);

  // Authorization runs before any state change or kill event.
  authorizeGetAndStopContainerRequest(containerID, target, true,
      nmTokenIdentifier);

  if (target == null) {
    if (!nodeStatusUpdater.isContainerRecentlyStopped(containerID)) {
      throw RPCUtil.getRemoteException("Container " + idText
          + " is not handled by this NodeManager");
    }
    return;
  }

  // Persist the kill before dispatching the event.
  context.getNMStateStore().storeContainerKilled(containerID);
  dispatcher.getEventHandler().handle(
      new ContainerKillEvent(containerID,
          ContainerExitStatus.KILLED_BY_APPMASTER,
          "Container killed by the ApplicationMaster."));

  // NOTE(review): the audit target is spelled "ContainerManageImpl" here;
  // kept unchanged because audit consumers may match on it.
  NMAuditLogger.logSuccess(container(target), AuditConstants.STOP_CONTAINER,
      "ContainerManageImpl",
      containerID.getApplicationAttemptId().getApplicationId(), containerID);

  // TODO: Move this code to appropriate place once kill_container is
  // implemented.
  nodeStatusUpdater.sendOutofBandHeartBeat();
}

/** Returns the user that owns {@code container}, for the audit record. */
private static String container(Container container) {
  return container.getUser();
}
Example #21
Source File: NMTokenIdentifierNewForTest.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Test-only constructor: copies the fields of an existing NMTokenIdentifier
 * into the "new" proto layout and adds an extra {@code message} field.
 *
 * @param tokenIdentifier identifier whose attempt id, node id, submitter and
 *     key id are copied
 * @param message value stored in the proto's message field
 */
public NMTokenIdentifierNewForTest(NMTokenIdentifier tokenIdentifier,
    String message) {
  builder = NMTokenIdentifierNewProto.newBuilder();
  builder
      .setAppAttemptId(tokenIdentifier.getProto().getAppAttemptId())
      .setNodeId(tokenIdentifier.getProto().getNodeId())
      .setAppSubmitter(tokenIdentifier.getApplicationSubmitter())
      .setKeyId(tokenIdentifier.getKeyId())
      .setMessage(message);
  proto = builder.build();
  // The builder is dropped once the proto has been built.
  builder = null;
}
Example #22
Source File: ContainerManagerImpl.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Hands the caller's NMToken identifier to the NodeManager's NMToken secret
 * manager via {@code appAttemptStartContainer}.
 *
 * @param nmTokenIdentifier NMToken identifier of the caller
 * @throws InvalidToken if the secret manager rejects the identifier
 */
@Private
@VisibleForTesting
protected void updateNMTokenIdentifier(NMTokenIdentifier nmTokenIdentifier)
    throws InvalidToken {
  context
      .getNMTokenSecretManager()
      .appAttemptStartContainer(nmTokenIdentifier);
}
Example #23
Source File: ContainerManagerImpl.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Checks that the remote caller's user name equals the application attempt
 * id carried in the NMToken identifier.
 *
 * @param remoteUgi the remote caller
 * @param nmTokenIdentifier NMToken identifier of the caller
 * @throws YarnException if the two values differ
 */
protected void authorizeUser(UserGroupInformation remoteUgi,
    NMTokenIdentifier nmTokenIdentifier) throws YarnException {
  final String callerName = remoteUgi.getUserName();
  final String tokenAttempt =
      nmTokenIdentifier.getApplicationAttemptId().toString();
  if (callerName.equals(tokenAttempt)) {
    return;
  }
  // NOTE(review): there is no separator before "Found: ", so the two values
  // run together in the message; kept unchanged.
  throw RPCUtil.getRemoteException("Expected applicationAttemptId: "
      + callerName + "Found: " + tokenAttempt);
}
Example #24
Source File: NMTokenSecretManagerInNM.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Records the master key that an application attempt is using, as seen on a
 * startContainer call. Intended to run before the startContainer request is
 * validated.
 *
 * <p>The stored key is replaced only when the attempt has no stored key or
 * the stored key id differs from the token's key id, and only if the token's
 * key id matches the current or the previous master key.
 *
 * <p>NOTE(review): the attempt is added to {@code appToAppAttemptMap} before
 * the key id is checked, so that bookkeeping entry remains even when
 * InvalidToken is thrown -- confirm this is intended.
 *
 * @param identifier NMToken identifier of the caller
 * @throws org.apache.hadoop.security.token.SecretManager.InvalidToken if the
 *     token's key id matches neither the current nor the previous master key
 */
public synchronized void appAttemptStartContainer(
    NMTokenIdentifier identifier)
    throws org.apache.hadoop.security.token.SecretManager.InvalidToken {
  ApplicationAttemptId attemptId = identifier.getApplicationAttemptId();

  if (!appToAppAttemptMap.containsKey(attemptId.getApplicationId())) {
    // First application attempt for the given application
    appToAppAttemptMap.put(attemptId.getApplicationId(),
        new ArrayList<ApplicationAttemptId>());
  }

  MasterKeyData storedKey = oldMasterKeys.get(attemptId);
  final boolean newAttempt = storedKey == null;
  if (newAttempt) {
    // This is a new application attempt.
    appToAppAttemptMap.get(attemptId.getApplicationId()).add(attemptId);
  }

  // Nothing to do when the stored key already matches the token's key id.
  if (!newAttempt
      && storedKey.getMasterKey().getKeyId() == identifier.getKeyId()) {
    return;
  }

  // Update key only if it is modified.
  LOG.debug("NMToken key updated for application attempt : "
      + identifier.getApplicationAttemptId().toString());

  if (identifier.getKeyId() == currentMasterKey.getMasterKey().getKeyId()) {
    updateAppAttemptKey(attemptId, currentMasterKey);
    return;
  }
  if (previousMasterKey != null
      && identifier.getKeyId()
          == previousMasterKey.getMasterKey().getKeyId()) {
    updateAppAttemptKey(attemptId, previousMasterKey);
    return;
  }
  // Neither the current nor the previous key: the token is too old.
  throw new InvalidToken(
      "Older NMToken should not be used while starting the container.");
}
Example #25
Source File: NMTokenSecretManagerInNM.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Recomputes the password for an NMToken so it can be verified, choosing the
 * master key that matches the token.
 *
 * <p>Key selection: the key saved for the application attempt is the
 * default; it is overridden by the previous master key when the token's key
 * id matches it, otherwise by the current master key when that one matches.
 *
 * @param identifier NMToken identifier presented by the caller
 * @return the password computed with the selected master key
 * @throws InvalidToken if the token names a different node than this
 *     NodeManager, or if no master key is available for it
 */
@Override
public synchronized byte[] retrievePassword(NMTokenIdentifier identifier)
    throws InvalidToken {
  final int tokenKeyId = identifier.getKeyId();
  final ApplicationAttemptId attemptId = identifier.getApplicationAttemptId();

  // Start from the key saved for this attempt (may be null).
  MasterKeyData selectedKey = oldMasterKeys.get(attemptId);
  if (previousMasterKey != null
      && tokenKeyId == previousMasterKey.getMasterKey().getKeyId()) {
    selectedKey = previousMasterKey;
  } else if (tokenKeyId == currentMasterKey.getMasterKey().getKeyId()) {
    selectedKey = currentMasterKey;
  }

  // A token issued for another node is rejected; the check is skipped while
  // this manager's nodeId is still null.
  if (nodeId != null && !identifier.getNodeId().equals(nodeId)) {
    // NOTE(review): no separator between "node manager." and "expected : ";
    // the message is kept unchanged.
    throw new InvalidToken("Given NMToken for application : "
        + attemptId.toString()
        + " is not valid for current node manager." + "expected : "
        + nodeId.toString() + " found : "
        + identifier.getNodeId().toString());
  }

  if (selectedKey == null) {
    throw new InvalidToken("Given NMToken for application : "
        + attemptId.toString() + " seems to have been generated illegally.");
  }

  final byte[] password = retrivePasswordInternal(identifier, selectedKey);
  LOG.debug("NMToken password retrieved successfully!!");
  return password;
}
Example #26
Source File: BaseNMTokenSecretManager.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Wraps an NMToken identifier and its password in a YARN {@code Token}
 * addressed to the identifier's node.
 *
 * @param password password computed for {@code identifier}
 * @param identifier NMToken identifier supplying the token bytes and node id
 * @return the assembled token
 */
public static Token newInstance(byte[] password,
    NMTokenIdentifier identifier) {
  final NodeId node = identifier.getNodeId();
  // RPC layer client expects ip:port as service for tokens
  final InetSocketAddress serviceAddr =
      NetUtils.createSocketAddrForHost(node.getHost(), node.getPort());

  final byte[] tokenBytes = identifier.getBytes();
  final String kind = NMTokenIdentifier.KIND.toString();
  final String service =
      SecurityUtil.buildTokenService(serviceAddr).toString();
  return Token.newInstance(tokenBytes, kind, password, service);
}
Example #27
Source File: ContainerManagerImpl.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Checks that the remote caller's user name equals the application attempt
 * id carried in the NMToken identifier.
 *
 * @param remoteUgi the remote caller
 * @param nmTokenIdentifier NMToken identifier of the caller
 * @throws YarnException if the two values differ
 */
protected void authorizeUser(UserGroupInformation remoteUgi,
    NMTokenIdentifier nmTokenIdentifier) throws YarnException {
  final String callerName = remoteUgi.getUserName();
  final String tokenAttempt =
      nmTokenIdentifier.getApplicationAttemptId().toString();
  if (callerName.equals(tokenAttempt)) {
    return;
  }
  // NOTE(review): there is no separator before "Found: ", so the two values
  // run together in the message; kept unchanged.
  throw RPCUtil.getRemoteException("Expected applicationAttemptId: "
      + callerName + "Found: " + tokenAttempt);
}
Example #28
Source File: ContainerManagerImpl.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Stops one container after running the get/stop authorization check
 * against the caller's NMToken identifier.
 *
 * <p>An unknown container that was recently stopped is treated as already
 * done and returns silently; any other unknown container is an error.
 *
 * @param nmTokenIdentifier NMToken identifier of the caller
 * @param containerID container to stop
 * @throws YarnException if the authorization call throws, or if this
 *     NodeManager has no record of the container and it was not recently stopped
 * @throws IOException declared; presumably raised by the state store -- confirm
 */
@SuppressWarnings("unchecked")
private void stopContainerInternal(NMTokenIdentifier nmTokenIdentifier,
    ContainerId containerID) throws YarnException, IOException {
  final String idText = containerID.toString();
  final Container target = this.context.getContainers().get(containerID);
  LOG.info("Stopping container with container Id: " + idText);

  // Authorization runs before any state change or kill event.
  authorizeGetAndStopContainerRequest(containerID, target, true,
      nmTokenIdentifier);

  if (target == null) {
    if (!nodeStatusUpdater.isContainerRecentlyStopped(containerID)) {
      throw RPCUtil.getRemoteException("Container " + idText
          + " is not handled by this NodeManager");
    }
    return;
  }

  // Persist the kill before dispatching the event.
  context.getNMStateStore().storeContainerKilled(containerID);
  dispatcher.getEventHandler().handle(
      new ContainerKillEvent(containerID,
          ContainerExitStatus.KILLED_BY_APPMASTER,
          "Container killed by the ApplicationMaster."));

  // NOTE(review): the audit target is spelled "ContainerManageImpl" here;
  // kept unchanged because audit consumers may match on it.
  final String owner = target.getUser();
  NMAuditLogger.logSuccess(owner, AuditConstants.STOP_CONTAINER,
      "ContainerManageImpl",
      containerID.getApplicationAttemptId().getApplicationId(), containerID);

  // TODO: Move this code to appropriate place once kill_container is
  // implemented.
  nodeStatusUpdater.sendOutofBandHeartBeat();
}
Example #29
Source File: ContainerManagerImpl.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Hands the caller's NMToken identifier to the NodeManager's NMToken secret
 * manager via {@code appAttemptStartContainer}.
 *
 * @param nmTokenIdentifier NMToken identifier of the caller
 * @throws InvalidToken if the secret manager rejects the identifier
 */
@Private
@VisibleForTesting
protected void updateNMTokenIdentifier(NMTokenIdentifier nmTokenIdentifier)
    throws InvalidToken {
  context
      .getNMTokenSecretManager()
      .appAttemptStartContainer(nmTokenIdentifier);
}
Example #30
Source File: ContainerManagerImpl.java From hadoop with Apache License 2.0 | 5 votes |
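/**
 * Verifies that a get-status or stop request targets a container that belongs
 * to the application named in the caller's NMToken, and rejects it otherwise.
 *
 * <p>Two conditions must hold: the requested {@code containerId} belongs to
 * the NMToken's application, and, when this NodeManager has a record of the
 * container, that record belongs to the same application. This keeps one
 * application from stopping or learning about another application's
 * containers.
 *
 * <p>Previously a mismatch was only logged and the request went ahead; the
 * log statements also dereferenced {@code container}, which is {@code null}
 * for an unknown container. The mismatch is now reported with
 * {@code containerId} and rejected with a {@link YarnException}.
 *
 * @param containerId id of the container named in the request
 * @param container this NodeManager's record for that id, or {@code null}
 * @param stopRequest {@code true} for a stop request, {@code false} for a
 *     status request
 * @param identifier NMToken identifier of the caller
 * @throws YarnException if the container does not belong to the NMToken's
 *     application
 */
@Private
@VisibleForTesting
protected void authorizeGetAndStopContainerRequest(ContainerId containerId,
    Container container, boolean stopRequest, NMTokenIdentifier identifier)
    throws YarnException {
  ApplicationId nmTokenAppId =
      identifier.getApplicationAttemptId().getApplicationId();

  boolean sameApplication =
      nmTokenAppId.equals(
          containerId.getApplicationAttemptId().getApplicationId())
      && (container == null || nmTokenAppId.equals(container
          .getContainerId().getApplicationAttemptId().getApplicationId()));
  if (sameApplication) {
    return;
  }

  // container may be null on this path, so the requested id is reported.
  String msg;
  if (stopRequest) {
    msg = identifier.getApplicationAttemptId()
        + " attempted to stop non-application container : " + containerId;
    NMAuditLogger.logFailure("UnknownUser", AuditConstants.STOP_CONTAINER,
        "ContainerManagerImpl", "Trying to stop unknown container!",
        nmTokenAppId, containerId);
  } else {
    msg = identifier.getApplicationAttemptId()
        + " attempted to get status for non-application container : "
        + containerId;
  }
  LOG.warn(msg);
  // Fail closed: an authorization mismatch must stop the request.
  throw new YarnException(msg);
}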