Beispiel #1
0
        /// <exception cref="System.IO.IOException"/>
        private void ValidateRequest(ServletContext context, Configuration conf, HttpServletRequest
                                     request, HttpServletResponse response, FSImage nnImage, string theirStorageInfoString
                                     )
        {
            if (UserGroupInformation.IsSecurityEnabled() && !IsValidRequestor(context, request
                                                                              .GetUserPrincipal().GetName(), conf))
            {
                string errorMsg = "Only Namenode, Secondary Namenode, and administrators may access "
                                  + "this servlet";
                response.SendError(HttpServletResponse.ScForbidden, errorMsg);
                Log.Warn("Received non-NN/SNN/administrator request for image or edits from " + request
                         .GetUserPrincipal().GetName() + " at " + request.GetRemoteHost());
                throw new IOException(errorMsg);
            }
            string myStorageInfoString = nnImage.GetStorage().ToColonSeparatedString();

            if (theirStorageInfoString != null && !myStorageInfoString.Equals(theirStorageInfoString
                                                                              ))
            {
                string errorMsg = "This namenode has storage info " + myStorageInfoString + " but the secondary expected "
                                  + theirStorageInfoString;
                response.SendError(HttpServletResponse.ScForbidden, errorMsg);
                Log.Warn("Received an invalid request file transfer request " + "from a secondary with storage info "
                         + theirStorageInfoString);
                throw new IOException(errorMsg);
            }
        }
 /// <exception cref="System.IO.IOException"/>
 private bool CheckRequestorOrSendError(Configuration conf, HttpServletRequest request
                                        , HttpServletResponse response)
 {
     if (UserGroupInformation.IsSecurityEnabled() && !IsValidRequestor(request, conf))
     {
         response.SendError(HttpServletResponse.ScForbidden, "Only Namenode and another JournalNode may access this servlet"
                            );
         Log.Warn("Received non-NN/JN request for edits from " + request.GetRemoteHost());
         return(false);
     }
     return(true);
 }
Beispiel #3
0
        /// <exception cref="System.IO.IOException"/>
        /// <exception cref="Javax.Servlet.ServletException"/>
        protected override void DoFilter(FilterChain filterChain, HttpServletRequest request
                                         , HttpServletResponse response)
        {
            bool requestCompleted          = false;
            UserGroupInformation ugi       = null;
            AuthenticationToken  authToken = (AuthenticationToken)request.GetUserPrincipal();

            if (authToken != null && authToken != AuthenticationToken.Anonymous)
            {
                // if the request was authenticated because of a delegation token,
                // then we ignore proxyuser (this is the same as the RPC behavior).
                ugi = (UserGroupInformation)request.GetAttribute(DelegationTokenAuthenticationHandler
                                                                 .DelegationTokenUgiAttribute);
                if (ugi == null)
                {
                    string realUser = request.GetUserPrincipal().GetName();
                    ugi = UserGroupInformation.CreateRemoteUser(realUser, handlerAuthMethod);
                    string doAsUser = GetDoAs(request);
                    if (doAsUser != null)
                    {
                        ugi = UserGroupInformation.CreateProxyUser(doAsUser, ugi);
                        try
                        {
                            ProxyUsers.Authorize(ugi, request.GetRemoteHost());
                        }
                        catch (AuthorizationException ex)
                        {
                            HttpExceptionUtils.CreateServletExceptionResponse(response, HttpServletResponse.ScForbidden
                                                                              , ex);
                            requestCompleted = true;
                        }
                    }
                }
                UgiTl.Set(ugi);
            }
            if (!requestCompleted)
            {
                UserGroupInformation ugiF = ugi;
                try
                {
                    request = new _HttpServletRequestWrapper_269(this, ugiF, request);
                    base.DoFilter(filterChain, request, response);
                }
                finally
                {
                    UgiTl.Remove();
                }
            }
        }
Beispiel #4
0
        /// <exception cref="System.IO.IOException"/>
        /// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
        ///     "/>
        public override bool ManagementOperation(AuthenticationToken token, HttpServletRequest
                                                 request, HttpServletResponse response)
        {
            bool   requestContinues = true;
            string op = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
                                                  .OpParam);

            op = (op != null) ? StringUtils.ToUpperCase(op) : null;
            if (DelegationTokenOps.Contains(op) && !request.GetMethod().Equals("OPTIONS"))
            {
                DelegationTokenAuthenticator.DelegationTokenOperation dtOp = DelegationTokenAuthenticator.DelegationTokenOperation
                                                                             .ValueOf(op);
                if (dtOp.GetHttpMethod().Equals(request.GetMethod()))
                {
                    bool doManagement;
                    if (dtOp.RequiresKerberosCredentials() && token == null)
                    {
                        token = Authenticate(request, response);
                        if (token == null)
                        {
                            requestContinues = false;
                            doManagement     = false;
                        }
                        else
                        {
                            doManagement = true;
                        }
                    }
                    else
                    {
                        doManagement = true;
                    }
                    if (doManagement)
                    {
                        UserGroupInformation requestUgi = (token != null) ? UserGroupInformation.CreateRemoteUser
                                                              (token.GetUserName()) : null;
                        // Create the proxy user if doAsUser exists
                        string doAsUser = DelegationTokenAuthenticationFilter.GetDoAs(request);
                        if (requestUgi != null && doAsUser != null)
                        {
                            requestUgi = UserGroupInformation.CreateProxyUser(doAsUser, requestUgi);
                            try
                            {
                                ProxyUsers.Authorize(requestUgi, request.GetRemoteHost());
                            }
                            catch (AuthorizationException ex)
                            {
                                HttpExceptionUtils.CreateServletExceptionResponse(response, HttpServletResponse.ScForbidden
                                                                                  , ex);
                                return(false);
                            }
                        }
                        IDictionary map = null;
                        switch (dtOp)
                        {
                        case DelegationTokenAuthenticator.DelegationTokenOperation.Getdelegationtoken:
                        {
                            if (requestUgi == null)
                            {
                                throw new InvalidOperationException("request UGI cannot be NULL");
                            }
                            string renewer = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
                                                                       .RenewerParam);
                            try
                            {
                                Org.Apache.Hadoop.Security.Token.Token <object> dToken = tokenManager.CreateToken(
                                    requestUgi, renewer);
                                map = DelegationTokenToJSON(dToken);
                            }
                            catch (IOException ex)
                            {
                                throw new AuthenticationException(ex.ToString(), ex);
                            }
                            break;
                        }

                        case DelegationTokenAuthenticator.DelegationTokenOperation.Renewdelegationtoken:
                        {
                            if (requestUgi == null)
                            {
                                throw new InvalidOperationException("request UGI cannot be NULL");
                            }
                            string tokenToRenew = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
                                                                            .TokenParam);
                            if (tokenToRenew == null)
                            {
                                response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]"
                                                                                                          , dtOp, KerberosDelegationTokenAuthenticator.TokenParam));
                                requestContinues = false;
                            }
                            else
                            {
                                Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
                                                                                                                Org.Apache.Hadoop.Security.Token.Token();
                                try
                                {
                                    dt.DecodeFromUrlString(tokenToRenew);
                                    long expirationTime = tokenManager.RenewToken(dt, requestUgi.GetShortUserName());
                                    map         = new Hashtable();
                                    map["long"] = expirationTime;
                                }
                                catch (IOException ex)
                                {
                                    throw new AuthenticationException(ex.ToString(), ex);
                                }
                            }
                            break;
                        }

                        case DelegationTokenAuthenticator.DelegationTokenOperation.Canceldelegationtoken:
                        {
                            string tokenToCancel = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
                                                                             .TokenParam);
                            if (tokenToCancel == null)
                            {
                                response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]"
                                                                                                          , dtOp, KerberosDelegationTokenAuthenticator.TokenParam));
                                requestContinues = false;
                            }
                            else
                            {
                                Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
                                                                                                                Org.Apache.Hadoop.Security.Token.Token();
                                try
                                {
                                    dt.DecodeFromUrlString(tokenToCancel);
                                    tokenManager.CancelToken(dt, (requestUgi != null) ? requestUgi.GetShortUserName()
                                                                                         : null);
                                }
                                catch (IOException)
                                {
                                    response.SendError(HttpServletResponse.ScNotFound, "Invalid delegation token, cannot cancel"
                                                       );
                                    requestContinues = false;
                                }
                            }
                            break;
                        }
                        }
                        if (requestContinues)
                        {
                            response.SetStatus(HttpServletResponse.ScOk);
                            if (map != null)
                            {
                                response.SetContentType(MediaType.ApplicationJson);
                                TextWriter   writer     = response.GetWriter();
                                ObjectMapper jsonMapper = new ObjectMapper();
                                jsonMapper.WriteValue(writer, map);
                                writer.Write(Enter);
                                writer.Flush();
                            }
                            requestContinues = false;
                        }
                    }
                }
                else
                {
                    response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Wrong HTTP method [{0}] for operation [{1}], it should be "
                                                                                              + "[{2}]", request.GetMethod(), dtOp, dtOp.GetHttpMethod()));
                    requestContinues = false;
                }
            }
            return(requestContinues);
        }