/// <exception cref="System.Exception"/>
public virtual void TestUGIAuthMethodInRealUser()
{
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
UserGroupInformation proxyUgi = UserGroupInformation.CreateProxyUser("proxy", ugi
);
UserGroupInformation.AuthenticationMethod am = UserGroupInformation.AuthenticationMethod
.Kerberos;
ugi.SetAuthenticationMethod(am);
Assert.Equal(am, ugi.GetAuthenticationMethod());
Assert.Equal(UserGroupInformation.AuthenticationMethod.Proxy,
proxyUgi.GetAuthenticationMethod());
Assert.Equal(am, UserGroupInformation.GetRealAuthenticationMethod
(proxyUgi));
proxyUgi.DoAs(new _PrivilegedExceptionAction_690(am));
UserGroupInformation proxyUgi2 = new UserGroupInformation(proxyUgi.GetSubject());
proxyUgi2.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Proxy
);
Assert.Equal(proxyUgi, proxyUgi2);
// Equality should work if authMethod is null
UserGroupInformation realugi = UserGroupInformation.GetCurrentUser();
UserGroupInformation proxyUgi3 = UserGroupInformation.CreateProxyUser("proxyAnother"
, realugi);
UserGroupInformation proxyUgi4 = new UserGroupInformation(proxyUgi3.GetSubject());
Assert.Equal(proxyUgi3, proxyUgi4);
}
/// <exception cref="System.Exception"/>
public virtual void TestValidProxyUser()
{
UserGroupInformation ugi = UserGroupInformation.CreateProxyUser("u1", UserGroupInformation
.GetLoginUser());
ugi.DoAs(new _PrivilegedExceptionAction_135(this));
}
/// <exception cref="System.Exception"/>
public virtual void ___testInvalidProxyUser()
{
UserGroupInformation ugi = UserGroupInformation.CreateProxyUser("u2", UserGroupInformation
.GetLoginUser());
ugi.DoAs(new _PrivilegedExceptionAction_147(this));
}
public virtual void TestProxyUserConfiguration()
{
MockRM rm = null;
try
{
rm = new MockRM(conf);
rm.Start();
// wait for web server starting
Sharpen.Thread.Sleep(10000);
UserGroupInformation proxyUser = UserGroupInformation.CreateProxyUser(BarUser.GetShortUserName
(), FooUser);
try
{
ProxyUsers.GetDefaultImpersonationProvider().Authorize(proxyUser, ipAddress);
}
catch (AuthorizationException)
{
// Exception is not expected
NUnit.Framework.Assert.Fail();
}
}
finally
{
if (rm != null)
{
rm.Stop();
rm.Close();
}
}
}
/// <summary>
/// Get
/// <see cref="Org.Apache.Hadoop.Security.UserGroupInformation"/>
/// and possibly the delegation token out of
/// the request.
/// </summary>
/// <param name="context">the ServletContext that is serving this request.</param>
/// <param name="request">the http request</param>
/// <param name="conf">configuration</param>
/// <param name="secureAuthMethod">the AuthenticationMethod used in secure mode.</param>
/// <param name="tryUgiParameter">Should it try the ugi parameter?</param>
/// <returns>a new user from the request</returns>
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">if the request has no token
/// </exception>
/// <exception cref="System.IO.IOException"/>
public static UserGroupInformation GetUGI(ServletContext context, HttpServletRequest
request, Configuration conf, UserGroupInformation.AuthenticationMethod secureAuthMethod
, bool tryUgiParameter)
{
UserGroupInformation ugi = null;
string usernameFromQuery = GetUsernameFromQuery(request, tryUgiParameter);
string doAsUserFromQuery = request.GetParameter(DoAsParam.Name);
string remoteUser;
if (UserGroupInformation.IsSecurityEnabled())
{
remoteUser = request.GetRemoteUser();
string tokenString = request.GetParameter(DelegationParameterName);
if (tokenString != null)
{
// Token-based connections need only verify the effective user, and
// disallow proxying to different user. Proxy authorization checks
// are not required since the checks apply to issuing a token.
ugi = GetTokenUGI(context, request, tokenString, conf);
CheckUsername(ugi.GetShortUserName(), usernameFromQuery);
CheckUsername(ugi.GetShortUserName(), doAsUserFromQuery);
}
else
{
if (remoteUser == null)
{
throw new IOException("Security enabled but user not authenticated by filter");
}
}
}
else
{
// Security's not on, pull from url or use default web user
remoteUser = (usernameFromQuery == null) ? GetDefaultWebUserName(conf) : usernameFromQuery;
}
// not specified in request
if (ugi == null)
{
// security is off, or there's no token
ugi = UserGroupInformation.CreateRemoteUser(remoteUser);
CheckUsername(ugi.GetShortUserName(), usernameFromQuery);
if (UserGroupInformation.IsSecurityEnabled())
{
// This is not necessarily true, could have been auth'ed by user-facing
// filter
ugi.SetAuthenticationMethod(secureAuthMethod);
}
if (doAsUserFromQuery != null)
{
// create and attempt to authorize a proxy user
ugi = UserGroupInformation.CreateProxyUser(doAsUserFromQuery, ugi);
ProxyUsers.Authorize(ugi, GetRemoteAddr(request));
}
}
if (Log.IsDebugEnabled())
{
Log.Debug("getUGI is returning: " + ugi.GetShortUserName());
}
return(ugi);
}
public virtual void TestOperationDoAs()
{
CreateHttpFSServer();
UserGroupInformation ugi = UserGroupInformation.CreateProxyUser(HadoopUsersConfTestHelper
.GetHadoopUsers()[0], UserGroupInformation.GetCurrentUser());
ugi.DoAs(new _PrivilegedExceptionAction_928(this));
}
/// <exception cref="System.IO.IOException"/>
public virtual void TestSecureProxyAuthParamsInUrl()
{
Configuration conf = new Configuration();
// fake turning on security so api thinks it should use tokens
SecurityUtil.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos
, conf);
UserGroupInformation.SetConfiguration(conf);
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test-user");
ugi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos);
ugi = UserGroupInformation.CreateProxyUser("test-proxy-user", ugi);
UserGroupInformation.SetLoginUser(ugi);
WebHdfsFileSystem webhdfs = GetWebHdfsFileSystem(ugi, conf);
Path fsPath = new Path("/");
string tokenString = webhdfs.GetDelegationToken().EncodeToUrlString();
// send real+effective
Uri getTokenUrl = webhdfs.ToUrl(GetOpParam.OP.Getdelegationtoken, fsPath);
CheckQueryParams(new string[] { GetOpParam.OP.Getdelegationtoken.ToQueryString(),
new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi
.GetShortUserName()).ToString() }, getTokenUrl);
// send real+effective
Uri renewTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Renewdelegationtoken, fsPath, new
TokenArgumentParam(tokenString));
CheckQueryParams(new string[] { PutOpParam.OP.Renewdelegationtoken.ToQueryString(
), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam
(ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString
() }, renewTokenUrl);
// send token
Uri cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new
TokenArgumentParam(tokenString));
CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString
(), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam
(ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString
() }, cancelTokenUrl);
// send token
Uri fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath);
CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new
DelegationParam(tokenString).ToString() }, fileStatusUrl);
// wipe out internal token to simulate auth always required
webhdfs.SetDelegationToken(null);
// send real+effective
cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new TokenArgumentParam
(tokenString));
CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString
(), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam
(ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString
() }, cancelTokenUrl);
// send real+effective
fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath);
CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new
UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi.GetShortUserName
()).ToString() }, fileStatusUrl);
}
/// <exception cref="System.Exception"/>
public virtual void TestEqualsWithRealUser()
{
UserGroupInformation realUgi1 = UserGroupInformation.CreateUserForTesting("RealUser"
, GroupNames);
UserGroupInformation proxyUgi1 = UserGroupInformation.CreateProxyUser(UserName, realUgi1
);
UserGroupInformation proxyUgi2 = new UserGroupInformation(proxyUgi1.GetSubject());
UserGroupInformation remoteUgi = UserGroupInformation.CreateRemoteUser(UserName);
Assert.Equal(proxyUgi1, proxyUgi2);
NUnit.Framework.Assert.IsFalse(remoteUgi.Equals(proxyUgi1));
}
public virtual void TestCreateProxyUser()
{
// ensure that doAs works correctly
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUser(ProxyUserName
, realUserUgi);
UserGroupInformation curUGI = proxyUserUgi.DoAs(new _PrivilegedExceptionAction_122
());
Assert.Equal(ProxyUserName + " (auth:PROXY) via " + RealUserName
+ " (auth:SIMPLE)", curUGI.ToString());
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="Javax.Servlet.ServletException"/>
protected override void DoFilter(FilterChain filterChain, HttpServletRequest request
, HttpServletResponse response)
{
bool requestCompleted = false;
UserGroupInformation ugi = null;
AuthenticationToken authToken = (AuthenticationToken)request.GetUserPrincipal();
if (authToken != null && authToken != AuthenticationToken.Anonymous)
{
// if the request was authenticated because of a delegation token,
// then we ignore proxyuser (this is the same as the RPC behavior).
ugi = (UserGroupInformation)request.GetAttribute(DelegationTokenAuthenticationHandler
.DelegationTokenUgiAttribute);
if (ugi == null)
{
string realUser = request.GetUserPrincipal().GetName();
ugi = UserGroupInformation.CreateRemoteUser(realUser, handlerAuthMethod);
string doAsUser = GetDoAs(request);
if (doAsUser != null)
{
ugi = UserGroupInformation.CreateProxyUser(doAsUser, ugi);
try
{
ProxyUsers.Authorize(ugi, request.GetRemoteHost());
}
catch (AuthorizationException ex)
{
HttpExceptionUtils.CreateServletExceptionResponse(response, HttpServletResponse.ScForbidden
, ex);
requestCompleted = true;
}
}
}
UgiTl.Set(ugi);
}
if (!requestCompleted)
{
UserGroupInformation ugiF = ugi;
try
{
request = new _HttpServletRequestWrapper_269(this, ugiF, request);
base.DoFilter(filterChain, request, response);
}
finally
{
UgiTl.Remove();
}
}
}
public virtual void TestGetRealAuthenticationMethod()
{
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("user1");
ugi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Simple);
Assert.Equal(UserGroupInformation.AuthenticationMethod.Simple,
ugi.GetAuthenticationMethod());
Assert.Equal(UserGroupInformation.AuthenticationMethod.Simple,
ugi.GetRealAuthenticationMethod());
ugi = UserGroupInformation.CreateProxyUser("user2", ugi);
Assert.Equal(UserGroupInformation.AuthenticationMethod.Proxy,
ugi.GetAuthenticationMethod());
Assert.Equal(UserGroupInformation.AuthenticationMethod.Simple,
ugi.GetRealAuthenticationMethod());
}
/// <exception cref="System.IO.IOException"/>
public virtual void TestSimpleProxyAuthParamsInUrl()
{
Configuration conf = new Configuration();
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test-user");
ugi = UserGroupInformation.CreateProxyUser("test-proxy-user", ugi);
UserGroupInformation.SetLoginUser(ugi);
WebHdfsFileSystem webhdfs = GetWebHdfsFileSystem(ugi, conf);
Path fsPath = new Path("/");
// send real+effective
Uri fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath);
CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new
UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi.GetShortUserName
()).ToString() }, fileStatusUrl);
}
/// <summary>This method uses the currentUser, and real user to create a proxy</summary>
/// <param name="effectiveUser">The user who is being proxied by the real user</param>
/// <param name="realUser">The actual user who does the command</param>
/// <returns>Proxy UserGroupInformation</returns>
/// <exception cref="System.IO.IOException">If proxying fails</exception>
internal virtual UserGroupInformation GetUserGroupInformation(string effectiveUser
, UserGroupInformation realUser)
{
Preconditions.CheckNotNull(effectiveUser);
Preconditions.CheckNotNull(realUser);
realUser.CheckTGTAndReloginFromKeytab();
UserGroupInformation ugi = UserGroupInformation.CreateProxyUser(effectiveUser, realUser
);
if (Log.IsDebugEnabled())
{
Log.Debug(string.Format("Created ugi:" + " %s for username: %s", ugi, effectiveUser
));
}
return(ugi);
}
/// <exception cref="System.Exception"/>
private void TestDelegationTokenWithinDoAs(Type fileSystemClass, bool proxyUser)
{
Configuration conf = new Configuration();
conf.Set("hadoop.security.authentication", "kerberos");
UserGroupInformation.SetConfiguration(conf);
UserGroupInformation.LoginUserFromKeytab("client", "/Users/tucu/tucu.keytab");
UserGroupInformation ugi = UserGroupInformation.GetLoginUser();
if (proxyUser)
{
ugi = UserGroupInformation.CreateProxyUser("foo", ugi);
}
conf = new Configuration();
UserGroupInformation.SetConfiguration(conf);
ugi.DoAs(new _PrivilegedExceptionAction_248(this, fileSystemClass));
}
/// <summary>Get the username encoded in the token identifier</summary>
/// <returns>the username or owner</returns>
public override UserGroupInformation GetUser()
{
if ((owner == null) || (owner.ToString().IsEmpty()))
{
return(null);
}
UserGroupInformation realUgi;
UserGroupInformation ugi;
if ((realUser == null) || (realUser.ToString().IsEmpty()) || realUser.Equals(owner
))
{
ugi = realUgi = UserGroupInformation.CreateRemoteUser(owner.ToString());
}
else
{
realUgi = UserGroupInformation.CreateRemoteUser(realUser.ToString());
ugi = UserGroupInformation.CreateProxyUser(owner.ToString(), realUgi);
}
realUgi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Token);
return(ugi);
}
/// <exception cref="System.IO.IOException"/>
internal virtual UserGroupInformation Ugi()
{
if (UserGroupInformation.IsSecurityEnabled())
{
return(TokenUGI());
}
string usernameFromQuery = @params.UserName();
string doAsUserFromQuery = @params.DoAsUser();
string remoteUser = usernameFromQuery == null?JspHelper.GetDefaultWebUserName(@params
.Conf()) : usernameFromQuery;
// not specified in
// request
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(remoteUser);
JspHelper.CheckUsername(ugi.GetShortUserName(), usernameFromQuery);
if (doAsUserFromQuery != null)
{
// create and attempt to authorize a proxy user
ugi = UserGroupInformation.CreateProxyUser(doAsUserFromQuery, ugi);
}
return(ugi);
}
public static UserGroupInformation GetUgi(IpcConnectionContextProtos.UserInformationProto
userInfo)
{
UserGroupInformation ugi = null;
string effectiveUser = userInfo.HasEffectiveUser() ? userInfo.GetEffectiveUser() :
null;
string realUser = userInfo.HasRealUser() ? userInfo.GetRealUser() : null;
if (effectiveUser != null)
{
if (realUser != null)
{
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(realUser
);
ugi = UserGroupInformation.CreateProxyUser(effectiveUser, realUserUgi);
}
else
{
ugi = UserGroupInformation.CreateRemoteUser(effectiveUser);
}
}
return(ugi);
}
/// <exception cref="System.IO.IOException"/>
protected internal virtual UserGroupInformation GetUGI(string user)
{
return(UserGroupInformation.CreateProxyUser(user, UserGroupInformation.GetLoginUser
()));
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
/// "/>
public override bool ManagementOperation(AuthenticationToken token, HttpServletRequest
request, HttpServletResponse response)
{
bool requestContinues = true;
string op = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.OpParam);
op = (op != null) ? StringUtils.ToUpperCase(op) : null;
if (DelegationTokenOps.Contains(op) && !request.GetMethod().Equals("OPTIONS"))
{
DelegationTokenAuthenticator.DelegationTokenOperation dtOp = DelegationTokenAuthenticator.DelegationTokenOperation
.ValueOf(op);
if (dtOp.GetHttpMethod().Equals(request.GetMethod()))
{
bool doManagement;
if (dtOp.RequiresKerberosCredentials() && token == null)
{
token = Authenticate(request, response);
if (token == null)
{
requestContinues = false;
doManagement = false;
}
else
{
doManagement = true;
}
}
else
{
doManagement = true;
}
if (doManagement)
{
UserGroupInformation requestUgi = (token != null) ? UserGroupInformation.CreateRemoteUser
(token.GetUserName()) : null;
// Create the proxy user if doAsUser exists
string doAsUser = DelegationTokenAuthenticationFilter.GetDoAs(request);
if (requestUgi != null && doAsUser != null)
{
requestUgi = UserGroupInformation.CreateProxyUser(doAsUser, requestUgi);
try
{
ProxyUsers.Authorize(requestUgi, request.GetRemoteHost());
}
catch (AuthorizationException ex)
{
HttpExceptionUtils.CreateServletExceptionResponse(response, HttpServletResponse.ScForbidden
, ex);
return(false);
}
}
IDictionary map = null;
switch (dtOp)
{
case DelegationTokenAuthenticator.DelegationTokenOperation.Getdelegationtoken:
{
if (requestUgi == null)
{
throw new InvalidOperationException("request UGI cannot be NULL");
}
string renewer = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.RenewerParam);
try
{
Org.Apache.Hadoop.Security.Token.Token <object> dToken = tokenManager.CreateToken(
requestUgi, renewer);
map = DelegationTokenToJSON(dToken);
}
catch (IOException ex)
{
throw new AuthenticationException(ex.ToString(), ex);
}
break;
}
case DelegationTokenAuthenticator.DelegationTokenOperation.Renewdelegationtoken:
{
if (requestUgi == null)
{
throw new InvalidOperationException("request UGI cannot be NULL");
}
string tokenToRenew = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.TokenParam);
if (tokenToRenew == null)
{
response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]"
, dtOp, KerberosDelegationTokenAuthenticator.TokenParam));
requestContinues = false;
}
else
{
Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
Org.Apache.Hadoop.Security.Token.Token();
try
{
dt.DecodeFromUrlString(tokenToRenew);
long expirationTime = tokenManager.RenewToken(dt, requestUgi.GetShortUserName());
map = new Hashtable();
map["long"] = expirationTime;
}
catch (IOException ex)
{
throw new AuthenticationException(ex.ToString(), ex);
}
}
break;
}
case DelegationTokenAuthenticator.DelegationTokenOperation.Canceldelegationtoken:
{
string tokenToCancel = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.TokenParam);
if (tokenToCancel == null)
{
response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]"
, dtOp, KerberosDelegationTokenAuthenticator.TokenParam));
requestContinues = false;
}
else
{
Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
Org.Apache.Hadoop.Security.Token.Token();
try
{
dt.DecodeFromUrlString(tokenToCancel);
tokenManager.CancelToken(dt, (requestUgi != null) ? requestUgi.GetShortUserName()
: null);
}
catch (IOException)
{
response.SendError(HttpServletResponse.ScNotFound, "Invalid delegation token, cannot cancel"
);
requestContinues = false;
}
}
break;
}
}
if (requestContinues)
{
response.SetStatus(HttpServletResponse.ScOk);
if (map != null)
{
response.SetContentType(MediaType.ApplicationJson);
TextWriter writer = response.GetWriter();
ObjectMapper jsonMapper = new ObjectMapper();
jsonMapper.WriteValue(writer, map);
writer.Write(Enter);
writer.Flush();
}
requestContinues = false;
}
}
}
else
{
response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Wrong HTTP method [{0}] for operation [{1}], it should be "
+ "[{2}]", request.GetMethod(), dtOp, dtOp.GetHttpMethod()));
requestContinues = false;
}
}
return(requestContinues);
}
public virtual void TestDelegationTokenOperations()
{
TimelineClient httpUserClient = KerberosTestUtils.DoAs(HttpUser + "/localhost", new
_Callable_221(this));
UserGroupInformation httpUser = KerberosTestUtils.DoAs(HttpUser + "/localhost", new
_Callable_228());
// Let HTTP user to get the delegation for itself
Org.Apache.Hadoop.Security.Token.Token <TimelineDelegationTokenIdentifier> token =
httpUserClient.GetDelegationToken(httpUser.GetShortUserName());
NUnit.Framework.Assert.IsNotNull(token);
TimelineDelegationTokenIdentifier tDT = token.DecodeIdentifier();
NUnit.Framework.Assert.IsNotNull(tDT);
NUnit.Framework.Assert.AreEqual(new Text(HttpUser), tDT.GetOwner());
// Renew token
NUnit.Framework.Assert.IsFalse(token.GetService().ToString().IsEmpty());
// Renew the token from the token service address
long renewTime1 = httpUserClient.RenewDelegationToken(token);
Sharpen.Thread.Sleep(100);
token.SetService(new Text());
NUnit.Framework.Assert.IsTrue(token.GetService().ToString().IsEmpty());
// If the token service address is not avaiable, it still can be renewed
// from the configured address
long renewTime2 = httpUserClient.RenewDelegationToken(token);
NUnit.Framework.Assert.IsTrue(renewTime1 < renewTime2);
// Cancel token
NUnit.Framework.Assert.IsTrue(token.GetService().ToString().IsEmpty());
// If the token service address is not avaiable, it still can be canceled
// from the configured address
httpUserClient.CancelDelegationToken(token);
// Renew should not be successful because the token is canceled
try
{
httpUserClient.RenewDelegationToken(token);
NUnit.Framework.Assert.Fail();
}
catch (Exception e)
{
NUnit.Framework.Assert.IsTrue(e.Message.Contains("Renewal request for unknown token"
));
}
// Let HTTP user to get the delegation token for FOO user
UserGroupInformation fooUgi = UserGroupInformation.CreateProxyUser(FooUser, httpUser
);
TimelineClient fooUserClient = fooUgi.DoAs(new _PrivilegedExceptionAction_272(this
));
token = fooUserClient.GetDelegationToken(httpUser.GetShortUserName());
NUnit.Framework.Assert.IsNotNull(token);
tDT = token.DecodeIdentifier();
NUnit.Framework.Assert.IsNotNull(tDT);
NUnit.Framework.Assert.AreEqual(new Text(FooUser), tDT.GetOwner());
NUnit.Framework.Assert.AreEqual(new Text(HttpUser), tDT.GetRealUser());
// Renew token as the renewer
Org.Apache.Hadoop.Security.Token.Token <TimelineDelegationTokenIdentifier> tokenToRenew
= token;
renewTime1 = httpUserClient.RenewDelegationToken(tokenToRenew);
renewTime2 = httpUserClient.RenewDelegationToken(tokenToRenew);
NUnit.Framework.Assert.IsTrue(renewTime1 < renewTime2);
// Cancel token
NUnit.Framework.Assert.IsFalse(tokenToRenew.GetService().ToString().IsEmpty());
// Cancel the token from the token service address
fooUserClient.CancelDelegationToken(tokenToRenew);
// Renew should not be successful because the token is canceled
try
{
httpUserClient.RenewDelegationToken(tokenToRenew);
NUnit.Framework.Assert.Fail();
}
catch (Exception e)
{
NUnit.Framework.Assert.IsTrue(e.Message.Contains("Renewal request for unknown token"
));
}
// Let HTTP user to get the delegation token for BAR user
UserGroupInformation barUgi = UserGroupInformation.CreateProxyUser(BarUser, httpUser
);
TimelineClient barUserClient = barUgi.DoAs(new _PrivilegedExceptionAction_309(this
));
try
{
barUserClient.GetDelegationToken(httpUser.GetShortUserName());
NUnit.Framework.Assert.Fail();
}
catch (Exception e)
{
NUnit.Framework.Assert.IsTrue(e.InnerException is AuthorizationException || e.InnerException
is AuthenticationException);
}
}
