Beispiel #1
0
        /// <summary>
        /// Authenticates a request looking for the <code>delegation</code>
        /// query-string parameter and verifying it is a valid token.
        /// </summary>
        /// <remarks>
        /// Authenticates a request looking for the <code>delegation</code>
        /// query-string parameter and verifying it is a valid token. If there is not
        /// <code>delegation</code> query-string parameter, it delegates the
        /// authentication to the
        /// <see cref="Org.Apache.Hadoop.Security.Authentication.Server.KerberosAuthenticationHandler
        ///     "/>
        /// unless it is
        /// disabled.
        /// </remarks>
        /// <param name="request">the HTTP client request.</param>
        /// <param name="response">the HTTP client response.</param>
        /// <returns>the authentication token for the authenticated request.</returns>
        /// <exception cref="System.IO.IOException">thrown if an IO error occurred.</exception>
        /// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
        ///     ">thrown if the authentication failed.</exception>
        public override AuthenticationToken Authenticate(HttpServletRequest request, HttpServletResponse
                                                         response)
        {
            AuthenticationToken token;
            string delegationParam = GetDelegationToken(request);

            if (delegationParam != null)
            {
                try
                {
                    Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
                                                                                                    Org.Apache.Hadoop.Security.Token.Token();
                    dt.DecodeFromUrlString(delegationParam);
                    UserGroupInformation ugi = tokenManager.VerifyToken(dt);
                    string shortName         = ugi.GetShortUserName();
                    // creating a ephemeral token
                    token = new AuthenticationToken(shortName, ugi.GetUserName(), GetType());
                    token.SetExpires(0);
                    request.SetAttribute(DelegationTokenUgiAttribute, ugi);
                }
                catch (Exception ex)
                {
                    token = null;
                    HttpExceptionUtils.CreateServletExceptionResponse(response, HttpServletResponse.ScForbidden
                                                                      , new AuthenticationException(ex));
                }
            }
            else
            {
                token = authHandler.Authenticate(request, response);
            }
            return(token);
        }
Beispiel #2
0
        /// <exception cref="System.IO.IOException"/>
        private static UserGroupInformation GetTokenUGI(ServletContext context, HttpServletRequest
                                                        request, string tokenString, Configuration conf)
        {
            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
                                                                                       <DelegationTokenIdentifier>();
            token.DecodeFromUrlString(tokenString);
            IPEndPoint serviceAddress = GetNNServiceAddress(context, request);

            if (serviceAddress != null)
            {
                SecurityUtil.SetTokenService(token, serviceAddress);
                token.SetKind(DelegationTokenIdentifier.HdfsDelegationKind);
            }
            ByteArrayInputStream      buf = new ByteArrayInputStream(token.GetIdentifier());
            DataInputStream           @in = new DataInputStream(buf);
            DelegationTokenIdentifier id  = new DelegationTokenIdentifier();

            id.ReadFields(@in);
            if (context != null)
            {
                NameNode nn = NameNodeHttpServer.GetNameNodeFromContext(context);
                if (nn != null)
                {
                    // Verify the token.
                    nn.GetNamesystem().VerifyToken(id, token.GetPassword());
                }
            }
            UserGroupInformation ugi = id.GetUser();

            ugi.AddToken(token);
            return(ugi);
        }
            /// <exception cref="System.Exception"/>
            public Void Call()
            {
                string token   = string.Empty;
                string owner   = string.Empty;
                string renewer = "renewer";
                string body    = "{\"renewer\":\"" + renewer + "\"}";
                Uri    url     = new Uri("http://localhost:8088/ws/v1/cluster/delegation-token?doAs=client2"
                                         );
                HttpURLConnection conn = (HttpURLConnection)url.OpenConnection();

                Org.Apache.Hadoop.Yarn.Server.Resourcemanager.Webapp.TestRMWebServicesDelegationTokenAuthentication
                .SetupConn(conn, "POST", MediaType.ApplicationJson, body);
                InputStream response = conn.GetInputStream();

                NUnit.Framework.Assert.AreEqual(ClientResponse.Status.Ok.GetStatusCode(), conn.GetResponseCode
                                                    ());
                BufferedReader reader = null;

                try
                {
                    reader = new BufferedReader(new InputStreamReader(response, "UTF8"));
                    for (string line; (line = reader.ReadLine()) != null;)
                    {
                        JSONObject obj = new JSONObject(line);
                        if (obj.Has("token"))
                        {
                            token = obj.GetString("token");
                        }
                        if (obj.Has("owner"))
                        {
                            owner = obj.GetString("owner");
                        }
                    }
                }
                finally
                {
                    IOUtils.CloseQuietly(reader);
                    IOUtils.CloseQuietly(response);
                }
                NUnit.Framework.Assert.AreEqual("client2", owner);
                Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> realToken = new
                                                                                                 Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier>();
                realToken.DecodeFromUrlString(token);
                NUnit.Framework.Assert.AreEqual("client2", realToken.DecodeIdentifier().GetOwner(
                                                    ).ToString());
                return(null);
            }
Beispiel #4
0
        /// <exception cref="Javax.Servlet.ServletException"/>
        /// <exception cref="System.IO.IOException"/>
        protected override void DoGet(HttpServletRequest req, HttpServletResponse resp)
        {
            UserGroupInformation ugi;
            ServletContext       context = GetServletContext();
            Configuration        conf    = NameNodeHttpServer.GetConfFromContext(context);

            try
            {
                ugi = GetUGI(req, conf);
            }
            catch (IOException ioe)
            {
                Log.Info("Request for token received with no authentication from " + req.GetRemoteAddr
                             (), ioe);
                resp.SendError(HttpServletResponse.ScForbidden, "Unable to identify or authenticate user"
                               );
                return;
            }
            NameNode nn          = NameNodeHttpServer.GetNameNodeFromContext(context);
            string   tokenString = req.GetParameter(Token);

            if (tokenString == null)
            {
                resp.SendError(HttpServletResponse.ScMultipleChoices, "Token to renew not specified"
                               );
            }
            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
                                                                                       <DelegationTokenIdentifier>();
            token.DecodeFromUrlString(tokenString);
            try
            {
                long        result = ugi.DoAs(new _PrivilegedExceptionAction_73(nn, token));
                PrintWriter os     = new PrintWriter(new OutputStreamWriter(resp.GetOutputStream(), Charsets
                                                                            .Utf8));
                os.WriteLine(result);
                os.Close();
            }
            catch (Exception e)
            {
                // transfer exception over the http
                string exceptionClass = e.GetType().FullName;
                string exceptionMsg   = e.GetLocalizedMessage();
                string strException   = exceptionClass + ";" + exceptionMsg;
                Log.Info("Exception while renewing token. Re-throwing. s=" + strException, e);
                resp.SendError(HttpServletResponse.ScInternalServerError, strException);
            }
        }
Beispiel #5
0
                                                                 > DelegationToken()
        {
            string delegation = Param(DelegationParam.Name);

            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
                                                                                       <DelegationTokenIdentifier>();
            token.DecodeFromUrlString(delegation);
            URI  nnUri     = URI.Create(HdfsConstants.HdfsUriScheme + "://" + NamenodeId());
            bool isLogical = HAUtil.IsLogicalUri(conf, nnUri);

            if (isLogical)
            {
                token.SetService(HAUtil.BuildTokenServiceForLogicalUri(nnUri, HdfsConstants.HdfsUriScheme
                                                                       ));
            }
            else
            {
                token.SetService(SecurityUtil.BuildTokenService(nnUri));
            }
            return(token);
        }
Beispiel #6
0
 /// <exception cref="System.Exception"/>
 public static void TestEncodeWritable()
 {
     string[] values = new string[] { string.Empty, "a", "bb", "ccc", "dddd", "eeeee",
                                      "ffffff", "ggggggg", "hhhhhhhh", "iiiiiiiii", "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLM"
                                      + "NOPQRSTUVWXYZ01234567890!@#$%^&*()-=_+[]{}|;':,./<>?" };
     Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> orig;
     Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> copy =
         new Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier>();
     // ensure that for each string the input and output values match
     for (int i = 0; i < values.Length; ++i)
     {
         string val = values[i];
         System.Console.Out.WriteLine("Input = " + val);
         orig = new Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier
                                                            >(Runtime.GetBytesForString(val), Runtime.GetBytesForString(val)
                                                              , new Text(val), new Text(val));
         string encode = orig.EncodeToUrlString();
         copy.DecodeFromUrlString(encode);
         Assert.Equal(orig, copy);
         CheckUrlSafe(encode);
     }
 }
Beispiel #7
0
        /// <exception cref="Javax.Servlet.ServletException"/>
        /// <exception cref="System.IO.IOException"/>
        protected override void DoGet(HttpServletRequest req, HttpServletResponse resp)
        {
            UserGroupInformation ugi;
            ServletContext       context = GetServletContext();
            Configuration        conf    = NameNodeHttpServer.GetConfFromContext(context);

            try
            {
                ugi = GetUGI(req, conf);
            }
            catch (IOException ioe)
            {
                Log.Info("Request for token received with no authentication from " + req.GetRemoteAddr
                             (), ioe);
                resp.SendError(HttpServletResponse.ScForbidden, "Unable to identify or authenticate user"
                               );
                return;
            }
            NameNode nn          = NameNodeHttpServer.GetNameNodeFromContext(context);
            string   tokenString = req.GetParameter(Token);

            if (tokenString == null)
            {
                resp.SendError(HttpServletResponse.ScMultipleChoices, "Token to renew not specified"
                               );
            }
            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
                                                                                       <DelegationTokenIdentifier>();
            token.DecodeFromUrlString(tokenString);
            try
            {
                ugi.DoAs(new _PrivilegedExceptionAction_70(nn, token));
            }
            catch (Exception e)
            {
                Log.Info("Exception while cancelling token. Re-throwing. ", e);
                resp.SendError(HttpServletResponse.ScInternalServerError, e.Message);
            }
        }
Beispiel #8
0
        /// <exception cref="System.IO.IOException"/>
        /// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
        ///     "/>
        public override bool ManagementOperation(AuthenticationToken token, HttpServletRequest
                                                 request, HttpServletResponse response)
        {
            bool   requestContinues = true;
            string op = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
                                                  .OpParam);

            op = (op != null) ? StringUtils.ToUpperCase(op) : null;
            if (DelegationTokenOps.Contains(op) && !request.GetMethod().Equals("OPTIONS"))
            {
                DelegationTokenAuthenticator.DelegationTokenOperation dtOp = DelegationTokenAuthenticator.DelegationTokenOperation
                                                                             .ValueOf(op);
                if (dtOp.GetHttpMethod().Equals(request.GetMethod()))
                {
                    bool doManagement;
                    if (dtOp.RequiresKerberosCredentials() && token == null)
                    {
                        token = Authenticate(request, response);
                        if (token == null)
                        {
                            requestContinues = false;
                            doManagement     = false;
                        }
                        else
                        {
                            doManagement = true;
                        }
                    }
                    else
                    {
                        doManagement = true;
                    }
                    if (doManagement)
                    {
                        UserGroupInformation requestUgi = (token != null) ? UserGroupInformation.CreateRemoteUser
                                                              (token.GetUserName()) : null;
                        // Create the proxy user if doAsUser exists
                        string doAsUser = DelegationTokenAuthenticationFilter.GetDoAs(request);
                        if (requestUgi != null && doAsUser != null)
                        {
                            requestUgi = UserGroupInformation.CreateProxyUser(doAsUser, requestUgi);
                            try
                            {
                                ProxyUsers.Authorize(requestUgi, request.GetRemoteHost());
                            }
                            catch (AuthorizationException ex)
                            {
                                HttpExceptionUtils.CreateServletExceptionResponse(response, HttpServletResponse.ScForbidden
                                                                                  , ex);
                                return(false);
                            }
                        }
                        IDictionary map = null;
                        switch (dtOp)
                        {
                        case DelegationTokenAuthenticator.DelegationTokenOperation.Getdelegationtoken:
                        {
                            if (requestUgi == null)
                            {
                                throw new InvalidOperationException("request UGI cannot be NULL");
                            }
                            string renewer = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
                                                                       .RenewerParam);
                            try
                            {
                                Org.Apache.Hadoop.Security.Token.Token <object> dToken = tokenManager.CreateToken(
                                    requestUgi, renewer);
                                map = DelegationTokenToJSON(dToken);
                            }
                            catch (IOException ex)
                            {
                                throw new AuthenticationException(ex.ToString(), ex);
                            }
                            break;
                        }

                        case DelegationTokenAuthenticator.DelegationTokenOperation.Renewdelegationtoken:
                        {
                            if (requestUgi == null)
                            {
                                throw new InvalidOperationException("request UGI cannot be NULL");
                            }
                            string tokenToRenew = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
                                                                            .TokenParam);
                            if (tokenToRenew == null)
                            {
                                response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]"
                                                                                                          , dtOp, KerberosDelegationTokenAuthenticator.TokenParam));
                                requestContinues = false;
                            }
                            else
                            {
                                Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
                                                                                                                Org.Apache.Hadoop.Security.Token.Token();
                                try
                                {
                                    dt.DecodeFromUrlString(tokenToRenew);
                                    long expirationTime = tokenManager.RenewToken(dt, requestUgi.GetShortUserName());
                                    map         = new Hashtable();
                                    map["long"] = expirationTime;
                                }
                                catch (IOException ex)
                                {
                                    throw new AuthenticationException(ex.ToString(), ex);
                                }
                            }
                            break;
                        }

                        case DelegationTokenAuthenticator.DelegationTokenOperation.Canceldelegationtoken:
                        {
                            string tokenToCancel = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
                                                                             .TokenParam);
                            if (tokenToCancel == null)
                            {
                                response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]"
                                                                                                          , dtOp, KerberosDelegationTokenAuthenticator.TokenParam));
                                requestContinues = false;
                            }
                            else
                            {
                                Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
                                                                                                                Org.Apache.Hadoop.Security.Token.Token();
                                try
                                {
                                    dt.DecodeFromUrlString(tokenToCancel);
                                    tokenManager.CancelToken(dt, (requestUgi != null) ? requestUgi.GetShortUserName()
                                                                                         : null);
                                }
                                catch (IOException)
                                {
                                    response.SendError(HttpServletResponse.ScNotFound, "Invalid delegation token, cannot cancel"
                                                       );
                                    requestContinues = false;
                                }
                            }
                            break;
                        }
                        }
                        if (requestContinues)
                        {
                            response.SetStatus(HttpServletResponse.ScOk);
                            if (map != null)
                            {
                                response.SetContentType(MediaType.ApplicationJson);
                                TextWriter   writer     = response.GetWriter();
                                ObjectMapper jsonMapper = new ObjectMapper();
                                jsonMapper.WriteValue(writer, map);
                                writer.Write(Enter);
                                writer.Flush();
                            }
                            requestContinues = false;
                        }
                    }
                }
                else
                {
                    response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Wrong HTTP method [{0}] for operation [{1}], it should be "
                                                                                              + "[{2}]", request.GetMethod(), dtOp, dtOp.GetHttpMethod()));
                    requestContinues = false;
                }
            }
            return(requestContinues);
        }