/// <summary>
/// Expect connect timeout on a URL that requires auth, because the connection
/// backlog is consumed.
/// </summary>
/// <exception cref="System.Exception"/>
public virtual void TestAuthUrlConnectTimeout()
{
ConsumeConnectionBacklog();
try
{
fs.GetDelegationToken("renewer");
NUnit.Framework.Assert.Fail("expected timeout");
}
catch (SocketTimeoutException e)
{
NUnit.Framework.Assert.AreEqual("connect timed out", e.Message);
}
}
/// <exception cref="System.IO.IOException"/>
public virtual void TestSecureProxyAuthParamsInUrl()
{
Configuration conf = new Configuration();
// fake turning on security so api thinks it should use tokens
SecurityUtil.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos
, conf);
UserGroupInformation.SetConfiguration(conf);
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test-user");
ugi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos);
ugi = UserGroupInformation.CreateProxyUser("test-proxy-user", ugi);
UserGroupInformation.SetLoginUser(ugi);
WebHdfsFileSystem webhdfs = GetWebHdfsFileSystem(ugi, conf);
Path fsPath = new Path("/");
string tokenString = webhdfs.GetDelegationToken().EncodeToUrlString();
// send real+effective
Uri getTokenUrl = webhdfs.ToUrl(GetOpParam.OP.Getdelegationtoken, fsPath);
CheckQueryParams(new string[] { GetOpParam.OP.Getdelegationtoken.ToQueryString(),
new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi
.GetShortUserName()).ToString() }, getTokenUrl);
// send real+effective
Uri renewTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Renewdelegationtoken, fsPath, new
TokenArgumentParam(tokenString));
CheckQueryParams(new string[] { PutOpParam.OP.Renewdelegationtoken.ToQueryString(
), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam
(ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString
() }, renewTokenUrl);
// send token
Uri cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new
TokenArgumentParam(tokenString));
CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString
(), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam
(ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString
() }, cancelTokenUrl);
// send token
Uri fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath);
CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new
DelegationParam(tokenString).ToString() }, fileStatusUrl);
// wipe out internal token to simulate auth always required
webhdfs.SetDelegationToken(null);
// send real+effective
cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new TokenArgumentParam
(tokenString));
CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString
(), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam
(ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString
() }, cancelTokenUrl);
// send real+effective
fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath);
CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new
UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi.GetShortUserName
()).ToString() }, fileStatusUrl);
}
public virtual void TestSetTokenServiceAndKind()
{
MiniDFSCluster cluster = null;
try
{
Configuration clusterConf = new HdfsConfiguration(conf);
SecurityUtil.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Simple
, clusterConf);
clusterConf.SetBoolean(DFSConfigKeys.DfsNamenodeDelegationTokenAlwaysUseKey, true
);
// trick the NN into thinking s[ecurity is enabled w/o it trying
// to login from a keytab
UserGroupInformation.SetConfiguration(clusterConf);
cluster = new MiniDFSCluster.Builder(clusterConf).NumDataNodes(0).Build();
cluster.WaitActive();
SecurityUtil.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos
, clusterConf);
WebHdfsFileSystem fs = WebHdfsTestUtil.GetWebHdfsFileSystem(clusterConf, "webhdfs"
);
Whitebox.SetInternalState(fs, "canRefreshDelegationToken", true);
URLConnectionFactory factory = new _URLConnectionFactory_268(new _ConnectionConfigurator_262
());
Whitebox.SetInternalState(fs, "connectionFactory", factory);
Org.Apache.Hadoop.Security.Token.Token <object> token1 = fs.GetDelegationToken();
NUnit.Framework.Assert.AreEqual(new Text("bar"), token1.GetKind());
HttpOpParam.OP op = GetOpParam.OP.Getdelegationtoken;
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token2 = new _FsPathResponseRunner_281
(op, null, new RenewerParam(null)).Run();
NUnit.Framework.Assert.AreEqual(new Text("bar"), token2.GetKind());
NUnit.Framework.Assert.AreEqual(new Text("foo"), token2.GetService());
}
finally
{
if (cluster != null)
{
cluster.Shutdown();
}
}
}
/// <exception cref="System.Exception"/>
private void ValidateLazyTokenFetch(Configuration clusterConf)
{
string testUser = "******";
UserGroupInformation ugi = UserGroupInformation.CreateUserForTesting(testUser, new
string[] { "supergroup" });
WebHdfsFileSystem fs = ugi.DoAs(new _PrivilegedExceptionAction_304(this, clusterConf
));
// verify token ops don't get a token
NUnit.Framework.Assert.IsNull(fs.GetRenewToken());
Org.Apache.Hadoop.Security.Token.Token <object> token = ((Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>)fs.GetDelegationToken(null));
fs.RenewDelegationToken(token);
fs.CancelDelegationToken(token);
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).ReplaceExpiredDelegationToken
();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).SetDelegationToken(Matchers.Any
<Org.Apache.Hadoop.Security.Token.Token>());
NUnit.Framework.Assert.IsNull(fs.GetRenewToken());
Org.Mockito.Mockito.Reset(fs);
// verify first non-token op gets a token
Path p = new Path("/f");
fs.Create(p, (short)1).Close();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).GetDelegationToken();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).ReplaceExpiredDelegationToken
();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).GetDelegationToken(Matchers.AnyString
());
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).SetDelegationToken(Matchers.Any
<Org.Apache.Hadoop.Security.Token.Token>());
token = fs.GetRenewToken();
NUnit.Framework.Assert.IsNotNull(token);
NUnit.Framework.Assert.AreEqual(testUser, GetTokenOwner(token));
NUnit.Framework.Assert.AreEqual(fs.GetTokenKind(), token.GetKind());
Org.Mockito.Mockito.Reset(fs);
// verify prior token is reused
fs.GetFileStatus(p);
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).GetDelegationToken();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).ReplaceExpiredDelegationToken
();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(Matchers.AnyString
());
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).SetDelegationToken(Matchers.Any
<Org.Apache.Hadoop.Security.Token.Token>());
Org.Apache.Hadoop.Security.Token.Token <object> token2 = fs.GetRenewToken();
NUnit.Framework.Assert.IsNotNull(token2);
NUnit.Framework.Assert.AreEqual(fs.GetTokenKind(), token.GetKind());
NUnit.Framework.Assert.AreSame(token, token2);
Org.Mockito.Mockito.Reset(fs);
// verify renew of expired token fails w/o getting a new token
token = fs.GetRenewToken();
fs.CancelDelegationToken(token);
try
{
fs.RenewDelegationToken(token);
NUnit.Framework.Assert.Fail("should have failed");
}
catch (SecretManager.InvalidToken)
{
}
catch (Exception ex)
{
NUnit.Framework.Assert.Fail("wrong exception:" + ex);
}
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).ReplaceExpiredDelegationToken
();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(Matchers.AnyString
());
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).SetDelegationToken(Matchers.Any
<Org.Apache.Hadoop.Security.Token.Token>());
token2 = fs.GetRenewToken();
NUnit.Framework.Assert.IsNotNull(token2);
NUnit.Framework.Assert.AreEqual(fs.GetTokenKind(), token.GetKind());
NUnit.Framework.Assert.AreSame(token, token2);
Org.Mockito.Mockito.Reset(fs);
// verify cancel of expired token fails w/o getting a new token
try
{
fs.CancelDelegationToken(token);
NUnit.Framework.Assert.Fail("should have failed");
}
catch (SecretManager.InvalidToken)
{
}
catch (Exception ex)
{
NUnit.Framework.Assert.Fail("wrong exception:" + ex);
}
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).ReplaceExpiredDelegationToken
();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(Matchers.AnyString
());
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).SetDelegationToken(Matchers.Any
<Org.Apache.Hadoop.Security.Token.Token>());
token2 = fs.GetRenewToken();
NUnit.Framework.Assert.IsNotNull(token2);
NUnit.Framework.Assert.AreEqual(fs.GetTokenKind(), token.GetKind());
NUnit.Framework.Assert.AreSame(token, token2);
Org.Mockito.Mockito.Reset(fs);
// verify an expired token is replaced with a new token
fs.Open(p).Close();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(2)).GetDelegationToken();
// first bad, then good
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).ReplaceExpiredDelegationToken
();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).GetDelegationToken(null
);
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).SetDelegationToken(Matchers.Any
<Org.Apache.Hadoop.Security.Token.Token>());
token2 = fs.GetRenewToken();
NUnit.Framework.Assert.IsNotNull(token2);
NUnit.Framework.Assert.AreEqual(fs.GetTokenKind(), token.GetKind());
NUnit.Framework.Assert.AreNotSame(token, token2);
NUnit.Framework.Assert.AreEqual(testUser, GetTokenOwner(token2));
Org.Mockito.Mockito.Reset(fs);
// verify with open because it's a little different in how it
// opens connections
fs.CancelDelegationToken(fs.GetRenewToken());
InputStream @is = fs.Open(p);
@is.Read();
@is.Close();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(2)).GetDelegationToken();
// first bad, then good
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).ReplaceExpiredDelegationToken
();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).GetDelegationToken(null
);
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).SetDelegationToken(Matchers.Any
<Org.Apache.Hadoop.Security.Token.Token>());
token2 = fs.GetRenewToken();
NUnit.Framework.Assert.IsNotNull(token2);
NUnit.Framework.Assert.AreEqual(fs.GetTokenKind(), token.GetKind());
NUnit.Framework.Assert.AreNotSame(token, token2);
NUnit.Framework.Assert.AreEqual(testUser, GetTokenOwner(token2));
Org.Mockito.Mockito.Reset(fs);
// verify fs close cancels the token
fs.Close();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).ReplaceExpiredDelegationToken
();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(Matchers.AnyString
());
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).SetDelegationToken(Matchers.Any
<Org.Apache.Hadoop.Security.Token.Token>());
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).CancelDelegationToken
(Matchers.Eq(token2));
// add a token to ugi for a new fs, verify it uses that token
token = ((Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier>)fs.GetDelegationToken
(null));
ugi.AddToken(token);
fs = ugi.DoAs(new _PrivilegedExceptionAction_426(this, clusterConf));
NUnit.Framework.Assert.IsNull(fs.GetRenewToken());
fs.GetFileStatus(new Path("/"));
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).GetDelegationToken();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).ReplaceExpiredDelegationToken
();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(Matchers.AnyString
());
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).SetDelegationToken(Matchers.Eq
(token));
token2 = fs.GetRenewToken();
NUnit.Framework.Assert.IsNotNull(token2);
NUnit.Framework.Assert.AreEqual(fs.GetTokenKind(), token.GetKind());
NUnit.Framework.Assert.AreSame(token, token2);
Org.Mockito.Mockito.Reset(fs);
// verify it reuses the prior ugi token
fs.GetFileStatus(new Path("/"));
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).GetDelegationToken();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).ReplaceExpiredDelegationToken
();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(Matchers.AnyString
());
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).SetDelegationToken(Matchers.Any
<Org.Apache.Hadoop.Security.Token.Token>());
token2 = fs.GetRenewToken();
NUnit.Framework.Assert.IsNotNull(token2);
NUnit.Framework.Assert.AreEqual(fs.GetTokenKind(), token.GetKind());
NUnit.Framework.Assert.AreSame(token, token2);
Org.Mockito.Mockito.Reset(fs);
// verify an expired ugi token is NOT replaced with a new token
fs.CancelDelegationToken(token);
for (int i = 0; i < 2; i++)
{
try
{
fs.GetFileStatus(new Path("/"));
NUnit.Framework.Assert.Fail("didn't fail");
}
catch (SecretManager.InvalidToken)
{
}
catch (Exception ex)
{
NUnit.Framework.Assert.Fail("wrong exception:" + ex);
}
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).GetDelegationToken();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).ReplaceExpiredDelegationToken
();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(Matchers.AnyString
());
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).SetDelegationToken(Matchers.Any
<Org.Apache.Hadoop.Security.Token.Token>());
token2 = fs.GetRenewToken();
NUnit.Framework.Assert.IsNotNull(token2);
NUnit.Framework.Assert.AreEqual(fs.GetTokenKind(), token.GetKind());
NUnit.Framework.Assert.AreSame(token, token2);
Org.Mockito.Mockito.Reset(fs);
}
// verify fs close does NOT cancel the ugi token
fs.Close();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).ReplaceExpiredDelegationToken
();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(Matchers.AnyString
());
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).SetDelegationToken(Matchers.Any
<Org.Apache.Hadoop.Security.Token.Token>());
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).CancelDelegationToken
(Matchers.Any <Org.Apache.Hadoop.Security.Token.Token>());
}
public virtual void TestSecureHAToken()
{
Configuration conf = DFSTestUtil.NewHAConfiguration(LogicalName);
conf.SetBoolean(DFSConfigKeys.DfsNamenodeDelegationTokenAlwaysUseKey, true);
MiniDFSCluster cluster = null;
WebHdfsFileSystem fs = null;
try
{
cluster = new MiniDFSCluster.Builder(conf).NnTopology(topo).NumDataNodes(0).Build
();
HATestUtil.SetFailoverConfigurations(cluster, conf, LogicalName);
cluster.WaitActive();
fs = Org.Mockito.Mockito.Spy((WebHdfsFileSystem)FileSystem.Get(WebhdfsUri, conf));
FileSystemTestHelper.AddFileSystemForTesting(WebhdfsUri, conf, fs);
cluster.TransitionToActive(0);
Org.Apache.Hadoop.Security.Token.Token <object> token = ((Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>)fs.GetDelegationToken(null));
cluster.ShutdownNameNode(0);
cluster.TransitionToActive(1);
token.Renew(conf);
token.Cancel(conf);
Org.Mockito.Mockito.Verify(fs).RenewDelegationToken(token);
Org.Mockito.Mockito.Verify(fs).CancelDelegationToken(token);
}
finally
{
IOUtils.Cleanup(null, fs);
if (cluster != null)
{
cluster.Shutdown();
}
}
}
