/// <exception cref="System.Exception"/>
public virtual void TestUGIAuthMethodInRealUser()
{
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
UserGroupInformation proxyUgi = UserGroupInformation.CreateProxyUser("proxy", ugi
);
UserGroupInformation.AuthenticationMethod am = UserGroupInformation.AuthenticationMethod
.Kerberos;
ugi.SetAuthenticationMethod(am);
Assert.Equal(am, ugi.GetAuthenticationMethod());
Assert.Equal(UserGroupInformation.AuthenticationMethod.Proxy,
proxyUgi.GetAuthenticationMethod());
Assert.Equal(am, UserGroupInformation.GetRealAuthenticationMethod
(proxyUgi));
proxyUgi.DoAs(new _PrivilegedExceptionAction_690(am));
UserGroupInformation proxyUgi2 = new UserGroupInformation(proxyUgi.GetSubject());
proxyUgi2.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Proxy
);
Assert.Equal(proxyUgi, proxyUgi2);
// Equality should work if authMethod is null
UserGroupInformation realugi = UserGroupInformation.GetCurrentUser();
UserGroupInformation proxyUgi3 = UserGroupInformation.CreateProxyUser("proxyAnother"
, realugi);
UserGroupInformation proxyUgi4 = new UserGroupInformation(proxyUgi3.GetSubject());
Assert.Equal(proxyUgi3, proxyUgi4);
}
/// <summary>
/// Get
/// <see cref="Org.Apache.Hadoop.Security.UserGroupInformation"/>
/// and possibly the delegation token out of
/// the request.
/// </summary>
/// <param name="context">the ServletContext that is serving this request.</param>
/// <param name="request">the http request</param>
/// <param name="conf">configuration</param>
/// <param name="secureAuthMethod">the AuthenticationMethod used in secure mode.</param>
/// <param name="tryUgiParameter">Should it try the ugi parameter?</param>
/// <returns>a new user from the request</returns>
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">if the request has no token
/// </exception>
/// <exception cref="System.IO.IOException"/>
public static UserGroupInformation GetUGI(ServletContext context, HttpServletRequest
request, Configuration conf, UserGroupInformation.AuthenticationMethod secureAuthMethod
, bool tryUgiParameter)
{
UserGroupInformation ugi = null;
string usernameFromQuery = GetUsernameFromQuery(request, tryUgiParameter);
string doAsUserFromQuery = request.GetParameter(DoAsParam.Name);
string remoteUser;
if (UserGroupInformation.IsSecurityEnabled())
{
remoteUser = request.GetRemoteUser();
string tokenString = request.GetParameter(DelegationParameterName);
if (tokenString != null)
{
// Token-based connections need only verify the effective user, and
// disallow proxying to different user. Proxy authorization checks
// are not required since the checks apply to issuing a token.
ugi = GetTokenUGI(context, request, tokenString, conf);
CheckUsername(ugi.GetShortUserName(), usernameFromQuery);
CheckUsername(ugi.GetShortUserName(), doAsUserFromQuery);
}
else
{
if (remoteUser == null)
{
throw new IOException("Security enabled but user not authenticated by filter");
}
}
}
else
{
// Security's not on, pull from url or use default web user
remoteUser = (usernameFromQuery == null) ? GetDefaultWebUserName(conf) : usernameFromQuery;
}
// not specified in request
if (ugi == null)
{
// security is off, or there's no token
ugi = UserGroupInformation.CreateRemoteUser(remoteUser);
CheckUsername(ugi.GetShortUserName(), usernameFromQuery);
if (UserGroupInformation.IsSecurityEnabled())
{
// This is not necessarily true, could have been auth'ed by user-facing
// filter
ugi.SetAuthenticationMethod(secureAuthMethod);
}
if (doAsUserFromQuery != null)
{
// create and attempt to authorize a proxy user
ugi = UserGroupInformation.CreateProxyUser(doAsUserFromQuery, ugi);
ProxyUsers.Authorize(ugi, GetRemoteAddr(request));
}
}
if (Log.IsDebugEnabled())
{
Log.Debug("getUGI is returning: " + ugi.GetShortUserName());
}
return(ugi);
}
/// <exception cref="System.IO.IOException"/>
public virtual void TestSecureProxyAuthParamsInUrl()
{
Configuration conf = new Configuration();
// fake turning on security so api thinks it should use tokens
SecurityUtil.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos
, conf);
UserGroupInformation.SetConfiguration(conf);
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test-user");
ugi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos);
ugi = UserGroupInformation.CreateProxyUser("test-proxy-user", ugi);
UserGroupInformation.SetLoginUser(ugi);
WebHdfsFileSystem webhdfs = GetWebHdfsFileSystem(ugi, conf);
Path fsPath = new Path("/");
string tokenString = webhdfs.GetDelegationToken().EncodeToUrlString();
// send real+effective
Uri getTokenUrl = webhdfs.ToUrl(GetOpParam.OP.Getdelegationtoken, fsPath);
CheckQueryParams(new string[] { GetOpParam.OP.Getdelegationtoken.ToQueryString(),
new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi
.GetShortUserName()).ToString() }, getTokenUrl);
// send real+effective
Uri renewTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Renewdelegationtoken, fsPath, new
TokenArgumentParam(tokenString));
CheckQueryParams(new string[] { PutOpParam.OP.Renewdelegationtoken.ToQueryString(
), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam
(ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString
() }, renewTokenUrl);
// send token
Uri cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new
TokenArgumentParam(tokenString));
CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString
(), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam
(ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString
() }, cancelTokenUrl);
// send token
Uri fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath);
CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new
DelegationParam(tokenString).ToString() }, fileStatusUrl);
// wipe out internal token to simulate auth always required
webhdfs.SetDelegationToken(null);
// send real+effective
cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new TokenArgumentParam
(tokenString));
CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString
(), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam
(ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString
() }, cancelTokenUrl);
// send real+effective
fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath);
CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new
UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi.GetShortUserName
()).ToString() }, fileStatusUrl);
}
/// <exception cref="System.Exception"/>
public virtual void TestUGIAuthMethod()
{
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
UserGroupInformation.AuthenticationMethod am = UserGroupInformation.AuthenticationMethod
.Kerberos;
ugi.SetAuthenticationMethod(am);
Assert.Equal(am, ugi.GetAuthenticationMethod());
ugi.DoAs(new _PrivilegedExceptionAction_668(am));
}
/// <exception cref="System.Exception"/>
public virtual void TestTestAuthMethod()
{
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
// verify the reverse mappings works
foreach (UserGroupInformation.AuthenticationMethod am in UserGroupInformation.AuthenticationMethod
.Values())
{
if (am.GetAuthMethod() != null)
{
ugi.SetAuthenticationMethod(am.GetAuthMethod());
Assert.Equal(am, ugi.GetAuthenticationMethod());
}
}
}
public virtual void TestGetRealAuthenticationMethod()
{
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("user1");
ugi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Simple);
Assert.Equal(UserGroupInformation.AuthenticationMethod.Simple,
ugi.GetAuthenticationMethod());
Assert.Equal(UserGroupInformation.AuthenticationMethod.Simple,
ugi.GetRealAuthenticationMethod());
ugi = UserGroupInformation.CreateProxyUser("user2", ugi);
Assert.Equal(UserGroupInformation.AuthenticationMethod.Proxy,
ugi.GetAuthenticationMethod());
Assert.Equal(UserGroupInformation.AuthenticationMethod.Simple,
ugi.GetRealAuthenticationMethod());
}
public virtual void TestGetUserGroupInformationSecure()
{
string userName = "******";
string currentUser = "******";
NfsConfiguration conf = new NfsConfiguration();
UserGroupInformation currentUserUgi = UserGroupInformation.CreateRemoteUser(currentUser
);
currentUserUgi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.
Kerberos);
UserGroupInformation.SetLoginUser(currentUserUgi);
DFSClientCache cache = new DFSClientCache(conf);
UserGroupInformation ugiResult = cache.GetUserGroupInformation(userName, currentUserUgi
);
Assert.AssertThat(ugiResult.GetUserName(), IS.Is(userName));
Assert.AssertThat(ugiResult.GetRealUser(), IS.Is(currentUserUgi));
Assert.AssertThat(ugiResult.GetAuthenticationMethod(), IS.Is(UserGroupInformation.AuthenticationMethod
.Proxy));
}
public virtual void TestDelegationToken()
{
YarnConfiguration conf = new YarnConfiguration();
conf.Set(YarnConfiguration.RmPrincipal, "testuser/[email protected]");
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos");
UserGroupInformation.SetConfiguration(conf);
ResourceScheduler scheduler = CreateMockScheduler(conf);
long initialInterval = 10000l;
long maxLifetime = 20000l;
long renewInterval = 10000l;
RMDelegationTokenSecretManager rmDtSecretManager = CreateRMDelegationTokenSecretManager
(initialInterval, maxLifetime, renewInterval);
rmDtSecretManager.StartThreads();
Log.Info("Creating DelegationTokenSecretManager with initialInterval: " + initialInterval
+ ", maxLifetime: " + maxLifetime + ", renewInterval: " + renewInterval);
ClientRMService clientRMService = new TestClientRMTokens.ClientRMServiceForTest(this
, conf, scheduler, rmDtSecretManager);
clientRMService.Init(conf);
clientRMService.Start();
ApplicationClientProtocol clientRMWithDT = null;
try
{
// Create a user for the renewr and fake the authentication-method
UserGroupInformation loggedInUser = UserGroupInformation.CreateRemoteUser("*****@*****.**"
);
NUnit.Framework.Assert.AreEqual("testrenewer", loggedInUser.GetShortUserName());
// Default realm is APACHE.ORG
loggedInUser.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos
);
Token token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName
());
long tokenFetchTime = Runtime.CurrentTimeMillis();
Log.Info("Got delegation token at: " + tokenFetchTime);
// Now try talking to RMService using the delegation token
clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress(
), "loginuser1", conf);
GetNewApplicationRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <
GetNewApplicationRequest>();
try
{
clientRMWithDT.GetNewApplication(request);
}
catch (IOException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
catch (YarnException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
// Renew after 50% of token age.
while (Runtime.CurrentTimeMillis() < tokenFetchTime + initialInterval / 2)
{
Sharpen.Thread.Sleep(500l);
}
long nextExpTime = RenewDelegationToken(loggedInUser, clientRMService, token);
long renewalTime = Runtime.CurrentTimeMillis();
Log.Info("Renewed token at: " + renewalTime + ", NextExpiryTime: " + nextExpTime);
// Wait for first expiry, but before renewed expiry.
while (Runtime.CurrentTimeMillis() > tokenFetchTime + initialInterval && Runtime.
CurrentTimeMillis() < nextExpTime)
{
Sharpen.Thread.Sleep(500l);
}
Sharpen.Thread.Sleep(50l);
// Valid token because of renewal.
try
{
clientRMWithDT.GetNewApplication(request);
}
catch (IOException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
catch (YarnException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
// Wait for expiry.
while (Runtime.CurrentTimeMillis() < renewalTime + renewInterval)
{
Sharpen.Thread.Sleep(500l);
}
Sharpen.Thread.Sleep(50l);
Log.Info("At time: " + Runtime.CurrentTimeMillis() + ", token should be invalid");
// Token should have expired.
try
{
clientRMWithDT.GetNewApplication(request);
NUnit.Framework.Assert.Fail("Should not have succeeded with an expired token");
}
catch (Exception e)
{
NUnit.Framework.Assert.AreEqual(typeof(SecretManager.InvalidToken).FullName, e.GetType
().FullName);
NUnit.Framework.Assert.IsTrue(e.Message.Contains("is expired"));
}
// Test cancellation
// Stop the existing proxy, start another.
if (clientRMWithDT != null)
{
RPC.StopProxy(clientRMWithDT);
clientRMWithDT = null;
}
token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName
());
tokenFetchTime = Runtime.CurrentTimeMillis();
Log.Info("Got delegation token at: " + tokenFetchTime);
// Now try talking to RMService using the delegation token
clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress(
), "loginuser2", conf);
request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetNewApplicationRequest>
();
try
{
clientRMWithDT.GetNewApplication(request);
}
catch (IOException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
catch (YarnException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
CancelDelegationToken(loggedInUser, clientRMService, token);
if (clientRMWithDT != null)
{
RPC.StopProxy(clientRMWithDT);
clientRMWithDT = null;
}
// Creating a new connection.
clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress(
), "loginuser2", conf);
Log.Info("Cancelled delegation token at: " + Runtime.CurrentTimeMillis());
// Verify cancellation worked.
try
{
clientRMWithDT.GetNewApplication(request);
NUnit.Framework.Assert.Fail("Should not have succeeded with a cancelled delegation token"
);
}
catch (IOException)
{
}
catch (YarnException)
{
}
// Test new version token
// Stop the existing proxy, start another.
if (clientRMWithDT != null)
{
RPC.StopProxy(clientRMWithDT);
clientRMWithDT = null;
}
token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName
());
byte[] tokenIdentifierContent = ((byte[])token.GetIdentifier().Array());
RMDelegationTokenIdentifier tokenIdentifier = new RMDelegationTokenIdentifier();
DataInputBuffer dib = new DataInputBuffer();
dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length);
tokenIdentifier.ReadFields(dib);
// Construct new version RMDelegationTokenIdentifier with additional field
RMDelegationTokenIdentifierForTest newVersionTokenIdentifier = new RMDelegationTokenIdentifierForTest
(tokenIdentifier, "message");
Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> newRMDTtoken =
new Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier>(newVersionTokenIdentifier
, rmDtSecretManager);
Org.Apache.Hadoop.Yarn.Api.Records.Token newToken = BuilderUtils.NewDelegationToken
(newRMDTtoken.GetIdentifier(), newRMDTtoken.GetKind().ToString(), newRMDTtoken.GetPassword
(), newRMDTtoken.GetService().ToString());
// Now try talking to RMService using the new version delegation token
clientRMWithDT = GetClientRMProtocolWithDT(newToken, clientRMService.GetBindAddress
(), "loginuser3", conf);
request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetNewApplicationRequest>
();
try
{
clientRMWithDT.GetNewApplication(request);
}
catch (IOException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
catch (YarnException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
}
finally
{
rmDtSecretManager.StopThreads();
// TODO PRECOMMIT Close proxies.
if (clientRMWithDT != null)
{
RPC.StopProxy(clientRMWithDT);
}
}
}
public virtual void TestDelegationToken()
{
Logger rootLogger = LogManager.GetRootLogger();
rootLogger.SetLevel(Level.Debug);
YarnConfiguration conf = new YarnConfiguration(new JobConf());
// Just a random principle
conf.Set(JHAdminConfig.MrHistoryPrincipal, "RandomOrc/[email protected]");
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos");
UserGroupInformation.SetConfiguration(conf);
long initialInterval = 10000l;
long maxLifetime = 20000l;
long renewInterval = 10000l;
JobHistoryServer jobHistoryServer = null;
MRClientProtocol clientUsingDT = null;
long tokenFetchTime;
try
{
jobHistoryServer = new _JobHistoryServer_87(initialInterval, maxLifetime, renewInterval
);
// no keytab based login
// Don't need it, skip.;
// final JobHistoryServer jobHistoryServer = jhServer;
jobHistoryServer.Init(conf);
jobHistoryServer.Start();
MRClientProtocol hsService = jobHistoryServer.GetClientService().GetClientHandler
();
// Fake the authentication-method
UserGroupInformation loggedInUser = UserGroupInformation.CreateRemoteUser("*****@*****.**"
);
NUnit.Framework.Assert.AreEqual("testrenewer", loggedInUser.GetShortUserName());
// Default realm is APACHE.ORG
loggedInUser.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos
);
Token token = GetDelegationToken(loggedInUser, hsService, loggedInUser.GetShortUserName
());
tokenFetchTime = Runtime.CurrentTimeMillis();
Log.Info("Got delegation token at: " + tokenFetchTime);
// Now try talking to JHS using the delegation token
clientUsingDT = GetMRClientProtocol(token, jobHistoryServer.GetClientService().GetBindAddress
(), "TheDarkLord", conf);
GetJobReportRequest jobReportRequest = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
<GetJobReportRequest>();
jobReportRequest.SetJobId(MRBuilderUtils.NewJobId(123456, 1, 1));
try
{
clientUsingDT.GetJobReport(jobReportRequest);
}
catch (IOException e)
{
NUnit.Framework.Assert.AreEqual("Unknown job job_123456_0001", e.Message);
}
// Renew after 50% of token age.
while (Runtime.CurrentTimeMillis() < tokenFetchTime + initialInterval / 2)
{
Sharpen.Thread.Sleep(500l);
}
long nextExpTime = RenewDelegationToken(loggedInUser, hsService, token);
long renewalTime = Runtime.CurrentTimeMillis();
Log.Info("Renewed token at: " + renewalTime + ", NextExpiryTime: " + nextExpTime);
// Wait for first expiry, but before renewed expiry.
while (Runtime.CurrentTimeMillis() > tokenFetchTime + initialInterval && Runtime.
CurrentTimeMillis() < nextExpTime)
{
Sharpen.Thread.Sleep(500l);
}
Sharpen.Thread.Sleep(50l);
// Valid token because of renewal.
try
{
clientUsingDT.GetJobReport(jobReportRequest);
}
catch (IOException e)
{
NUnit.Framework.Assert.AreEqual("Unknown job job_123456_0001", e.Message);
}
// Wait for expiry.
while (Runtime.CurrentTimeMillis() < renewalTime + renewInterval)
{
Sharpen.Thread.Sleep(500l);
}
Sharpen.Thread.Sleep(50l);
Log.Info("At time: " + Runtime.CurrentTimeMillis() + ", token should be invalid");
// Token should have expired.
try
{
clientUsingDT.GetJobReport(jobReportRequest);
NUnit.Framework.Assert.Fail("Should not have succeeded with an expired token");
}
catch (IOException e)
{
NUnit.Framework.Assert.IsTrue(e.InnerException.Message.Contains("is expired"));
}
// Test cancellation
// Stop the existing proxy, start another.
if (clientUsingDT != null)
{
// RPC.stopProxy(clientUsingDT);
clientUsingDT = null;
}
token = GetDelegationToken(loggedInUser, hsService, loggedInUser.GetShortUserName
());
tokenFetchTime = Runtime.CurrentTimeMillis();
Log.Info("Got delegation token at: " + tokenFetchTime);
// Now try talking to HSService using the delegation token
clientUsingDT = GetMRClientProtocol(token, jobHistoryServer.GetClientService().GetBindAddress
(), "loginuser2", conf);
try
{
clientUsingDT.GetJobReport(jobReportRequest);
}
catch (IOException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
CancelDelegationToken(loggedInUser, hsService, token);
// Testing the token with different renewer to cancel the token
Token tokenWithDifferentRenewer = GetDelegationToken(loggedInUser, hsService, "yarn"
);
CancelDelegationToken(loggedInUser, hsService, tokenWithDifferentRenewer);
if (clientUsingDT != null)
{
// RPC.stopProxy(clientUsingDT);
clientUsingDT = null;
}
// Creating a new connection.
clientUsingDT = GetMRClientProtocol(token, jobHistoryServer.GetClientService().GetBindAddress
(), "loginuser2", conf);
Log.Info("Cancelled delegation token at: " + Runtime.CurrentTimeMillis());
// Verify cancellation worked.
try
{
clientUsingDT.GetJobReport(jobReportRequest);
NUnit.Framework.Assert.Fail("Should not have succeeded with a cancelled delegation token"
);
}
catch (IOException)
{
}
}
finally
{
jobHistoryServer.Stop();
}
}
