public virtual void TestCancelTokenSingleManager()
{
for (int i = 0; i < TestRetries; i++)
{
DelegationTokenManager tm1 = null;
string connectString = zkServer.GetConnectString();
Configuration conf = GetSecretConf(connectString);
tm1 = new DelegationTokenManager(conf, new Text("foo"));
tm1.Init();
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = (Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>)tm1.CreateToken(UserGroupInformation.GetCurrentUser(
), "foo");
NUnit.Framework.Assert.IsNotNull(token);
tm1.CancelToken(token, "foo");
try
{
VerifyTokenFail(tm1, token);
NUnit.Framework.Assert.Fail("Expected InvalidToken");
}
catch (SecretManager.InvalidToken it)
{
Runtime.PrintStackTrace(it);
}
VerifyDestroy(tm1, conf);
}
}
public virtual void TestStopThreads()
{
DelegationTokenManager tm1 = null;
string connectString = zkServer.GetConnectString();
// let's make the update interval short and the shutdown interval
// comparatively longer, so if the update thread runs after shutdown,
// it will cause an error.
long updateIntervalSeconds = 1;
long shutdownTimeoutMillis = updateIntervalSeconds * 1000 * 5;
Configuration conf = GetSecretConf(connectString);
conf.SetLong(DelegationTokenManager.UpdateInterval, updateIntervalSeconds);
conf.SetLong(DelegationTokenManager.RemovalScanInterval, updateIntervalSeconds);
conf.SetLong(DelegationTokenManager.RenewInterval, updateIntervalSeconds);
conf.SetLong(ZKDelegationTokenSecretManager.ZkDtsmZkShutdownTimeout, shutdownTimeoutMillis
);
tm1 = new DelegationTokenManager(conf, new Text("foo"));
tm1.Init();
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = (Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>)tm1.CreateToken(UserGroupInformation.GetCurrentUser(
), "foo");
NUnit.Framework.Assert.IsNotNull(token);
AbstractDelegationTokenSecretManager sm = tm1.GetDelegationTokenSecretManager();
ZKDelegationTokenSecretManager zksm = (ZKDelegationTokenSecretManager)sm;
ExecutorService es = zksm.GetListenerThreadPool();
es.Submit(new _Callable_300(shutdownTimeoutMillis));
// force this to be shutdownNow
tm1.Destroy();
}
/// <summary>Convert a token object to a Json string.</summary>
/// <exception cref="System.IO.IOException"/>
public static string ToJsonString <_T0>(Org.Apache.Hadoop.Security.Token.Token <_T0
> token)
where _T0 : TokenIdentifier
{
return(ToJsonString(typeof(Org.Apache.Hadoop.Security.Token.Token), ToJsonMap(token
)));
}
public virtual void TestInitWithUGIToken()
{
Configuration conf = new Configuration();
TestTokenAspect.DummyFs fs = Org.Mockito.Mockito.Spy(new TestTokenAspect.DummyFs(
));
Org.Mockito.Mockito.DoReturn(null).When(fs).GetDelegationToken(Matchers.AnyString
());
Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
<TokenIdentifier>(new byte[0], new byte[0], TestTokenAspect.DummyFs.TokenKind, new
Text("127.0.0.1:1234"));
fs.ugi.AddToken(token);
fs.ugi.AddToken(new Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier>(new byte
[0], new byte[0], new Text("Other token"), new Text("127.0.0.1:8021")));
NUnit.Framework.Assert.AreEqual("wrong tokens in user", 2, fs.ugi.GetTokens().Count
);
fs.emulateSecurityEnabled = true;
fs.Initialize(new URI("dummyfs://127.0.0.1:1234"), conf);
fs.tokenAspect.EnsureTokenInitialized();
// Select a token from ugi (not from the remote host), store it but don't
// renew it
Org.Mockito.Mockito.Verify(fs).SetDelegationToken(token);
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(Matchers.AnyString
());
NUnit.Framework.Assert.IsNull(Whitebox.GetInternalState(fs.tokenAspect, "dtRenewer"
));
NUnit.Framework.Assert.IsNull(Whitebox.GetInternalState(fs.tokenAspect, "action")
);
}
/// <exception cref="System.Exception"/>
private void TestGetToken(string renewer, Text expectedTokenKind)
{
DelegationTokenAuthenticator.DelegationTokenOperation op = DelegationTokenAuthenticator.DelegationTokenOperation
.Getdelegationtoken;
HttpServletRequest request = Org.Mockito.Mockito.Mock <HttpServletRequest>();
HttpServletResponse response = Org.Mockito.Mockito.Mock <HttpServletResponse>();
Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator
.OpParam + "=" + op.ToString());
Org.Mockito.Mockito.When(request.GetMethod()).ThenReturn(op.GetHttpMethod());
AuthenticationToken token = Org.Mockito.Mockito.Mock <AuthenticationToken>();
Org.Mockito.Mockito.When(token.GetUserName()).ThenReturn("user");
Org.Mockito.Mockito.When(response.GetWriter()).ThenReturn(new PrintWriter(new StringWriter
()));
NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(token, request, response
));
Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator
.OpParam + "=" + op.ToString() + "&" + DelegationTokenAuthenticator.RenewerParam
+ "=" + renewer);
Org.Mockito.Mockito.Reset(response);
Org.Mockito.Mockito.Reset(token);
Org.Mockito.Mockito.When(token.GetUserName()).ThenReturn("user");
StringWriter writer = new StringWriter();
PrintWriter pwriter = new PrintWriter(writer);
Org.Mockito.Mockito.When(response.GetWriter()).ThenReturn(pwriter);
NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(token, request, response
));
if (renewer == null)
{
Org.Mockito.Mockito.Verify(token).GetUserName();
}
else
{
Org.Mockito.Mockito.Verify(token).GetUserName();
}
Org.Mockito.Mockito.Verify(response).SetStatus(HttpServletResponse.ScOk);
Org.Mockito.Mockito.Verify(response).SetContentType(MediaType.ApplicationJson);
pwriter.Close();
string responseOutput = writer.ToString();
string tokenLabel = DelegationTokenAuthenticator.DelegationTokenJson;
Assert.True(responseOutput.Contains(tokenLabel));
Assert.True(responseOutput.Contains(DelegationTokenAuthenticator
.DelegationTokenUrlStringJson));
ObjectMapper jsonMapper = new ObjectMapper();
IDictionary json = jsonMapper.ReadValue <IDictionary>(responseOutput);
json = (IDictionary)json[tokenLabel];
string tokenStr;
tokenStr = (string)json[DelegationTokenAuthenticator.DelegationTokenUrlStringJson
];
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> dt = new Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>();
dt.DecodeFromUrlString(tokenStr);
handler.GetTokenManager().VerifyToken(dt);
Assert.Equal(expectedTokenKind, dt.GetKind());
}
public _PrivilegedExceptionAction_230(TestDelegationToken _enclosing, Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier> token, UserGroupInformation longUgi)
{
this._enclosing = _enclosing;
this.token = token;
this.longUgi = longUgi;
}
public virtual void TestCachedInitialization()
{
Configuration conf = new Configuration();
TestTokenAspect.DummyFs fs = Org.Mockito.Mockito.Spy(new TestTokenAspect.DummyFs(
));
Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
<TokenIdentifier>(new byte[0], new byte[0], TestTokenAspect.DummyFs.TokenKind, new
Text("127.0.0.1:1234"));
Org.Mockito.Mockito.DoReturn(token).When(fs).GetDelegationToken(Matchers.AnyString
());
Org.Mockito.Mockito.DoReturn(token).When(fs).GetRenewToken();
fs.emulateSecurityEnabled = true;
fs.Initialize(new URI("dummyfs://127.0.0.1:1234"), conf);
fs.tokenAspect.EnsureTokenInitialized();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).GetDelegationToken(null
);
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).SetDelegationToken(token
);
// For the second iteration, the token should be cached.
fs.tokenAspect.EnsureTokenInitialized();
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).GetDelegationToken(null
);
Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).SetDelegationToken(token
);
}
public virtual void TestBlockTokenRpcLeak()
{
Configuration conf = new Configuration();
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos");
UserGroupInformation.SetConfiguration(conf);
Assume.AssumeTrue(FdDir.Exists());
BlockTokenSecretManager sm = new BlockTokenSecretManager(blockKeyUpdateInterval,
blockTokenLifetime, 0, "fake-pool", null);
Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier> token = sm.GenerateToken
(block3, EnumSet.AllOf <BlockTokenSecretManager.AccessMode>());
Server server = CreateMockDatanode(sm, token, conf);
server.Start();
IPEndPoint addr = NetUtils.GetConnectAddress(server);
DatanodeID fakeDnId = DFSTestUtil.GetLocalDatanodeID(addr.Port);
ExtendedBlock b = new ExtendedBlock("fake-pool", new Org.Apache.Hadoop.Hdfs.Protocol.Block
(12345L));
LocatedBlock fakeBlock = new LocatedBlock(b, new DatanodeInfo[0]);
fakeBlock.SetBlockToken(token);
// Create another RPC proxy with the same configuration - this will never
// attempt to connect anywhere -- but it causes the refcount on the
// RPC "Client" object to stay above 0 such that RPC.stopProxy doesn't
// actually close the TCP connections to the real target DN.
ClientDatanodeProtocol proxyToNoWhere = RPC.GetProxy <ClientDatanodeProtocol>(ClientDatanodeProtocol
.versionID, new IPEndPoint("1.1.1.1", 1), UserGroupInformation.CreateRemoteUser(
"junk"), conf, NetUtils.GetDefaultSocketFactory(conf));
ClientDatanodeProtocol proxy = null;
int fdsAtStart = CountOpenFileDescriptors();
try
{
long endTime = Time.Now() + 3000;
while (Time.Now() < endTime)
{
proxy = DFSUtil.CreateClientDatanodeProtocolProxy(fakeDnId, conf, 1000, false, fakeBlock
);
NUnit.Framework.Assert.AreEqual(block3.GetBlockId(), proxy.GetReplicaVisibleLength
(block3));
if (proxy != null)
{
RPC.StopProxy(proxy);
}
Log.Info("Num open fds:" + CountOpenFileDescriptors());
}
int fdsAtEnd = CountOpenFileDescriptors();
if (fdsAtEnd - fdsAtStart > 50)
{
NUnit.Framework.Assert.Fail("Leaked " + (fdsAtEnd - fdsAtStart) + " fds!");
}
}
finally
{
server.Stop();
}
RPC.StopProxy(proxyToNoWhere);
}
> CreateAndSetAMRMToken()
{
Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> amrmToken = this.rmContext
.GetAMRMTokenSecretManager().CreateAndGetAMRMToken(application.GetAppAttemptId()
);
((RMAppAttemptImpl)application).SetAMRMToken(amrmToken);
return(amrmToken);
}
private static Org.Apache.Hadoop.Yarn.Api.Records.Token ConvertToProtoToken <_T0>(
Org.Apache.Hadoop.Security.Token.Token <_T0> token)
where _T0 : TokenIdentifier
{
return(Org.Apache.Hadoop.Yarn.Api.Records.Token.NewInstance(token.GetIdentifier()
, token.GetKind().ToString(), token.GetPassword(), token.GetService().ToString()
));
}
/// <exception cref="System.IO.IOException"/>
public override Org.Apache.Hadoop.Security.Token.Token <object> GetDelegationToken
(string renewer)
{
Org.Apache.Hadoop.Security.Token.Token <object> token = new Org.Apache.Hadoop.Security.Token.Token
<TokenIdentifier>();
token.SetService(new Text(GetCanonicalServiceName()));
return(token);
}
public _PrivilegedExceptionAction_477(TestDelegationTokensWithHA.TokenTestAction
action, Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token,
Configuration conf)
{
this.action = action;
this.token = token;
this.conf = conf;
}
/// <exception cref="System.Exception"/>
public Org.Apache.Hadoop.Security.Token.Token <object> Answer(InvocationOnMock invocation
)
{
Org.Apache.Hadoop.Security.Token.Token <object> token = new Org.Apache.Hadoop.Security.Token.Token
<TokenIdentifier>();
token.SetService(service);
return(token);
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="System.Exception"/>
private void VerifyValidToken(Configuration conf, TestClientToAMTokens.CustomAM am
, Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token)
{
UserGroupInformation ugi;
ugi = UserGroupInformation.CreateRemoteUser("me");
ugi.AddToken(token);
ugi.DoAs(new _PrivilegedExceptionAction_406(am, conf));
}
/// <exception cref="System.IO.IOException"/>
private void VerifyServiceInToken(ServletContext context, HttpServletRequest request
, string expected)
{
UserGroupInformation ugi = JspHelper.GetUGI(context, request, conf);
Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> tokenInUgi = ugi.GetTokens
().GetEnumerator().Next();
NUnit.Framework.Assert.AreEqual(expected, tokenInUgi.GetService().ToString());
}
/// <summary>check if a token is expired.</summary>
/// <remarks>
/// check if a token is expired. for unit test only. return true when token is
/// expired, false otherwise
/// </remarks>
/// <exception cref="System.IO.IOException"/>
internal static bool IsTokenExpired(Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier
> token)
{
ByteArrayInputStream buf = new ByteArrayInputStream(token.GetIdentifier());
DataInputStream @in = new DataInputStream(buf);
long expiryDate = WritableUtils.ReadVLong(@in);
return(IsExpired(expiryDate));
}
/// <exception cref="System.Exception"/>
public Org.Apache.Hadoop.Security.Token.Token <object> Answer(InvocationOnMock invocation
)
{
Org.Apache.Hadoop.Security.Token.Token <object> token = new Org.Apache.Hadoop.Security.Token.Token
<TokenIdentifier>();
token.SetService(new Text(service));
token.SetKind(new Text("token" + this.unique++));
return(token);
}
/// <summary>
/// Returns an authenticated
/// <see cref="HttpURLConnection"/>
/// . If the Delegation
/// Token is present, it will be used taking precedence over the configured
/// <code>Authenticator</code>. If the <code>doAs</code> parameter is not NULL,
/// the request will be done on behalf of the specified <code>doAs</code> user.
/// </summary>
/// <param name="url">the URL to connect to. Only HTTP/S URLs are supported.</param>
/// <param name="token">the authentication token being used for the user.</param>
/// <param name="doAs">
/// user to do the the request on behalf of, if NULL the request is
/// as self.
/// </param>
/// <returns>
/// an authenticated
/// <see cref="HttpURLConnection"/>
/// .
/// </returns>
/// <exception cref="System.IO.IOException">if an IO error occurred.</exception>
/// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
/// ">if an authentication exception occurred.</exception>
public virtual HttpURLConnection OpenConnection(Uri url, DelegationTokenAuthenticatedURL.Token
token, string doAs)
{
Preconditions.CheckNotNull(url, "url");
Preconditions.CheckNotNull(token, "token");
IDictionary <string, string> extraParams = new Dictionary <string, string>();
Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> dToken = null;
// if we have valid auth token, it takes precedence over a delegation token
// and we don't even look for one.
if (!token.IsSet())
{
// delegation token
Credentials creds = UserGroupInformation.GetCurrentUser().GetCredentials();
if (!creds.GetAllTokens().IsEmpty())
{
IPEndPoint serviceAddr = new IPEndPoint(url.GetHost(), url.Port);
Text service = SecurityUtil.BuildTokenService(serviceAddr);
dToken = creds.GetToken(service);
if (dToken != null)
{
if (UseQueryStringForDelegationToken())
{
// delegation token will go in the query string, injecting it
extraParams[KerberosDelegationTokenAuthenticator.DelegationParam] = dToken.EncodeToUrlString
();
}
else
{
// delegation token will go as request header, setting it in the
// auth-token to ensure no authentication handshake is triggered
// (if we have a delegation token, we are authenticated)
// the delegation token header is injected in the connection request
// at the end of this method.
token.delegationToken = (Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier
>)dToken;
}
}
}
}
// proxyuser
if (doAs != null)
{
extraParams[DoAs] = URLEncoder.Encode(doAs, "UTF-8");
}
url = AugmentURL(url, extraParams);
HttpURLConnection conn = base.OpenConnection(url, token);
if (!token.IsSet() && !UseQueryStringForDelegationToken() && dToken != null)
{
// injecting the delegation token header in the connection request
conn.SetRequestProperty(DelegationTokenAuthenticator.DelegationTokenHeader, dToken
.EncodeToUrlString());
}
return(conn);
}
// To avoid using cached client
/// <exception cref="System.Exception"/>
public virtual void TestAMRMMasterKeysUpdate()
{
AtomicReference <AMRMTokenSecretManager> spySecretMgrRef = new AtomicReference <AMRMTokenSecretManager
>();
MockRM rm = new _MockRM_349(this, spySecretMgrRef, conf);
// Skip the login.
rm.Start();
MockNM nm = rm.RegisterNode("127.0.0.1:1234", 8000);
RMApp app = rm.SubmitApp(200);
MockAM am = MockRM.LaunchAndRegisterAM(app, rm, nm);
AMRMTokenSecretManager spySecretMgr = spySecretMgrRef.Get();
// Do allocate. Should not update AMRMToken
AllocateResponse response = am.Allocate(Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
<AllocateRequest>());
NUnit.Framework.Assert.IsNull(response.GetAMRMToken());
Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> oldToken = rm.GetRMContext
().GetRMApps()[app.GetApplicationId()].GetRMAppAttempt(am.GetApplicationAttemptId
()).GetAMRMToken();
// roll over the master key
// Do allocate again. the AM should get the latest AMRMToken
rm.GetRMContext().GetAMRMTokenSecretManager().RollMasterKey();
response = am.Allocate(Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <AllocateRequest
>());
NUnit.Framework.Assert.IsNotNull(response.GetAMRMToken());
Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> amrmToken = ConverterUtils
.ConvertFromYarn(response.GetAMRMToken(), new Text(response.GetAMRMToken().GetService
()));
NUnit.Framework.Assert.AreEqual(amrmToken.DecodeIdentifier().GetKeyId(), rm.GetRMContext
().GetAMRMTokenSecretManager().GetMasterKey().GetMasterKey().GetKeyId());
// Do allocate again with the same old token and verify the RM sends
// back the last generated token instead of generating it again.
Org.Mockito.Mockito.Reset(spySecretMgr);
UserGroupInformation ugi = UserGroupInformation.CreateUserForTesting(am.GetApplicationAttemptId
().ToString(), new string[0]);
ugi.AddTokenIdentifier(oldToken.DecodeIdentifier());
response = am.DoAllocateAs(ugi, Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <AllocateRequest
>());
NUnit.Framework.Assert.IsNotNull(response.GetAMRMToken());
Org.Mockito.Mockito.Verify(spySecretMgr, Org.Mockito.Mockito.Never()).CreateAndGetAMRMToken
(Matchers.IsA <ApplicationAttemptId>());
// Do allocate again with the updated token and verify we do not
// receive a new token to use.
response = am.Allocate(Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <AllocateRequest
>());
NUnit.Framework.Assert.IsNull(response.GetAMRMToken());
// Activate the next master key. Since there is new master key generated
// in AMRMTokenSecretManager. The AMRMToken will not get updated for AM
rm.GetRMContext().GetAMRMTokenSecretManager().ActivateNextMasterKey();
response = am.Allocate(Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <AllocateRequest
>());
NUnit.Framework.Assert.IsNull(response.GetAMRMToken());
rm.Stop();
}
private bool CheckService <_T0>(Text service, Org.Apache.Hadoop.Security.Token.Token
<_T0> token)
where _T0 : TokenIdentifier
{
if (service == null || token.GetService() == null)
{
return(false);
}
return(token.GetService().ToString().Contains(service.ToString()));
}
/// <exception cref="System.IO.IOException"/>
private string GetTokenOwner <_T0>(Org.Apache.Hadoop.Security.Token.Token <_T0> token
)
where _T0 : TokenIdentifier
{
// webhdfs doesn't register properly with the class loader
Org.Apache.Hadoop.Security.Token.Token <object> clone = new Org.Apache.Hadoop.Security.Token.Token
(token);
clone.SetKind(DelegationTokenIdentifier.HdfsDelegationKind);
return(clone.DecodeIdentifier().GetUser().GetUserName());
}
/// <exception cref="System.IO.IOException"/>
private void VerifyTokenWithTamperedUserName(Configuration conf, TestClientToAMTokens.CustomAM
am, Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token)
{
// Malicious user, messes with appId
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("me");
ClientToAMTokenIdentifier maliciousID = new ClientToAMTokenIdentifier(am.appAttemptId
, "evilOrc");
VerifyTamperedToken(conf, am, token, ugi, maliciousID);
}
/// <summary>Add the job token of a job to cache</summary>
/// <param name="jobId">the job that owns the token</param>
/// <param name="token">the job token</param>
public virtual void AddTokenForJob(string jobId, Org.Apache.Hadoop.Security.Token.Token
<JobTokenIdentifier> token)
{
SecretKey tokenSecret = CreateSecretKey(token.GetPassword());
lock (currentJobTokens)
{
currentJobTokens[jobId] = tokenSecret;
}
}
public virtual void SetDelegationToken <T>(Org.Apache.Hadoop.Security.Token.Token <
T> token)
where T : TokenIdentifier
{
lock (this)
{
renewToken = token;
delegationToken = new Org.Apache.Hadoop.Security.Token.Token <T>(token);
delegationToken.SetKind(DelegationTokenIdentifier.HdfsDelegationKind);
}
}
/// <exception cref="System.IO.IOException"/>
private BlockTokenIdentifier GenerateTokenId(BlockTokenSecretManager sm, ExtendedBlock
block, EnumSet <BlockTokenSecretManager.AccessMode> accessModes)
{
Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier> token = sm.GenerateToken
(block, accessModes);
BlockTokenIdentifier id = sm.CreateIdentifier();
id.ReadFields(new DataInputStream(new ByteArrayInputStream(token.GetIdentifier())
));
return(id);
}
public virtual void TestValidateResourceBlacklistRequest()
{
TestAMAuthorization.MyContainerManager containerManager = new TestAMAuthorization.MyContainerManager
();
TestAMAuthorization.MockRMWithAMS rm = new TestAMAuthorization.MockRMWithAMS(new
YarnConfiguration(), containerManager);
rm.Start();
MockNM nm1 = rm.RegisterNode("localhost:1234", 5120);
IDictionary <ApplicationAccessType, string> acls = new Dictionary <ApplicationAccessType
, string>(2);
acls[ApplicationAccessType.ViewApp] = "*";
RMApp app = rm.SubmitApp(1024, "appname", "appuser", acls);
nm1.NodeHeartbeat(true);
RMAppAttempt attempt = app.GetCurrentAppAttempt();
ApplicationAttemptId applicationAttemptId = attempt.GetAppAttemptId();
WaitForLaunchedState(attempt);
// Create a client to the RM.
Configuration conf = rm.GetConfig();
YarnRPC rpc = YarnRPC.Create(conf);
UserGroupInformation currentUser = UserGroupInformation.CreateRemoteUser(applicationAttemptId
.ToString());
Credentials credentials = containerManager.GetContainerCredentials();
IPEndPoint rmBindAddress = rm.GetApplicationMasterService().GetBindAddress();
Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> amRMToken = TestAMAuthorization.MockRMWithAMS
.SetupAndReturnAMRMToken(rmBindAddress, credentials.GetAllTokens());
currentUser.AddToken(amRMToken);
ApplicationMasterProtocol client = currentUser.DoAs(new _PrivilegedAction_626(rpc
, rmBindAddress, conf));
RegisterApplicationMasterRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
<RegisterApplicationMasterRequest>();
client.RegisterApplicationMaster(request);
ResourceBlacklistRequest blacklistRequest = ResourceBlacklistRequest.NewInstance(
Sharpen.Collections.SingletonList(ResourceRequest.Any), null);
AllocateRequest allocateRequest = AllocateRequest.NewInstance(0, 0.0f, null, null
, blacklistRequest);
bool error = false;
try
{
client.Allocate(allocateRequest);
}
catch (InvalidResourceBlacklistRequestException)
{
error = true;
}
rm.Stop();
NUnit.Framework.Assert.IsTrue("Didn't not catch InvalidResourceBlacklistRequestException"
, error);
}
/// <exception cref="System.Exception"/>
public virtual void TestHAUtilClonesDelegationTokens()
{
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = GetDelegationToken
(fs, "JobTracker");
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test");
URI haUri = new URI("hdfs://my-ha-uri/");
token.SetService(HAUtil.BuildTokenServiceForLogicalUri(haUri, HdfsConstants.HdfsUriScheme
));
ugi.AddToken(token);
ICollection <IPEndPoint> nnAddrs = new HashSet <IPEndPoint>();
nnAddrs.AddItem(new IPEndPoint("localhost", nn0.GetNameNodeAddress().Port));
nnAddrs.AddItem(new IPEndPoint("localhost", nn1.GetNameNodeAddress().Port));
HAUtil.CloneDelegationTokenForLogicalUri(ugi, haUri, nnAddrs);
ICollection <Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> > tokens = ugi
.GetTokens();
NUnit.Framework.Assert.AreEqual(3, tokens.Count);
Log.Info("Tokens:\n" + Joiner.On("\n").Join(tokens));
DelegationTokenSelector dts = new DelegationTokenSelector();
// check that the token selected for one of the physical IPC addresses
// matches the one we received
foreach (IPEndPoint addr in nnAddrs)
{
Text ipcDtService = SecurityUtil.BuildTokenService(addr);
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token2 = dts.SelectToken
(ipcDtService, ugi.GetTokens());
NUnit.Framework.Assert.IsNotNull(token2);
Assert.AssertArrayEquals(token.GetIdentifier(), token2.GetIdentifier());
Assert.AssertArrayEquals(token.GetPassword(), token2.GetPassword());
}
// switch to host-based tokens, shouldn't match existing tokens
SecurityUtilTestHelper.SetTokenServiceUseIp(false);
foreach (IPEndPoint addr_1 in nnAddrs)
{
Text ipcDtService = SecurityUtil.BuildTokenService(addr_1);
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token2 = dts.SelectToken
(ipcDtService, ugi.GetTokens());
NUnit.Framework.Assert.IsNull(token2);
}
// reclone the tokens, and see if they match now
HAUtil.CloneDelegationTokenForLogicalUri(ugi, haUri, nnAddrs);
foreach (IPEndPoint addr_2 in nnAddrs)
{
Text ipcDtService = SecurityUtil.BuildTokenService(addr_2);
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token2 = dts.SelectToken
(ipcDtService, ugi.GetTokens());
NUnit.Framework.Assert.IsNotNull(token2);
Assert.AssertArrayEquals(token.GetIdentifier(), token2.GetIdentifier());
Assert.AssertArrayEquals(token.GetPassword(), token2.GetPassword());
}
}
private void CheckToken(Credentials creds, params Org.Apache.Hadoop.Security.Token.Token
<object>[] tokens)
{
NUnit.Framework.Assert.AreEqual(tokens.Length, creds.GetAllTokens().Count);
foreach (Org.Apache.Hadoop.Security.Token.Token <object> token in tokens)
{
Org.Apache.Hadoop.Security.Token.Token <object> credsToken = creds.GetToken(token.
GetService());
NUnit.Framework.Assert.IsTrue(credsToken != null);
NUnit.Framework.Assert.AreEqual(token, credsToken);
}
}
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
/// <exception cref="System.IO.IOException"/>
public override Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> GetAMRMToken
(ApplicationId appId)
{
Org.Apache.Hadoop.Yarn.Api.Records.Token token = GetApplicationReport(appId).GetAMRMToken
();
Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> amrmToken = null;
if (token != null)
{
amrmToken = ConverterUtils.ConvertFromYarn(token, (Text)null);
}
return(amrmToken);
}
/// <exception cref="System.IO.IOException"/>
private void VerifyTokenWithTamperedID(Configuration conf, TestClientToAMTokens.CustomAM
am, Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token)
{
// Malicious user, messes with appId
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("me");
ClientToAMTokenIdentifier maliciousID = new ClientToAMTokenIdentifier(BuilderUtils
.NewApplicationAttemptId(BuilderUtils.NewApplicationId(am.appAttemptId.GetApplicationId
().GetClusterTimestamp(), 42), 43), UserGroupInformation.GetCurrentUser().GetShortUserName
());
VerifyTamperedToken(conf, am, token, ugi, maliciousID);
}
