public virtual void TestGetUgi() { conf.Set(DFSConfigKeys.FsDefaultNameKey, "hdfs://localhost:4321/"); HttpServletRequest request = Org.Mockito.Mockito.Mock <HttpServletRequest>(); ServletContext context = Org.Mockito.Mockito.Mock <ServletContext>(); string user = "******"; Text userText = new Text(user); DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(userText, userText , null); Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier>(dtId, new TestJspHelper.DummySecretManager(0, 0, 0, 0)); string tokenString = token.EncodeToUrlString(); Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName)) .ThenReturn(tokenString); Org.Mockito.Mockito.When(request.GetRemoteUser()).ThenReturn(user); //Test attribute in the url to be used as service in the token. Org.Mockito.Mockito.When(request.GetParameter(JspHelper.NamenodeAddress)).ThenReturn ("1.1.1.1:1111"); conf.Set(DFSConfigKeys.HadoopSecurityAuthentication, "kerberos"); UserGroupInformation.SetConfiguration(conf); VerifyServiceInToken(context, request, "1.1.1.1:1111"); //Test attribute name.node.address //Set the nnaddr url parameter to null. Org.Mockito.Mockito.When(request.GetParameter(JspHelper.NamenodeAddress)).ThenReturn (null); IPEndPoint addr = new IPEndPoint("localhost", 2222); Org.Mockito.Mockito.When(context.GetAttribute(NameNodeHttpServer.NamenodeAddressAttributeKey )).ThenReturn(addr); VerifyServiceInToken(context, request, addr.Address.GetHostAddress() + ":2222"); //Test service already set in the token token.SetService(new Text("3.3.3.3:3333")); tokenString = token.EncodeToUrlString(); //Set the name.node.address attribute in Servlet context to null Org.Mockito.Mockito.When(context.GetAttribute(NameNodeHttpServer.NamenodeAddressAttributeKey )).ThenReturn(null); Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName)) .ThenReturn(tokenString); VerifyServiceInToken(context, request, "3.3.3.3:3333"); }
/// <exception cref="System.IO.IOException"/> private static IDictionary <string, object> ToJsonMap <_T0>(Org.Apache.Hadoop.Security.Token.Token <_T0> token) where _T0 : TokenIdentifier { if (token == null) { return(null); } IDictionary <string, object> m = new SortedDictionary <string, object>(); m["urlString"] = token.EncodeToUrlString(); return(m); }
/// <exception cref="System.Exception"/> private void TestRenewToken() { DelegationTokenAuthenticator.DelegationTokenOperation op = DelegationTokenAuthenticator.DelegationTokenOperation .Renewdelegationtoken; HttpServletRequest request = Org.Mockito.Mockito.Mock <HttpServletRequest>(); HttpServletResponse response = Org.Mockito.Mockito.Mock <HttpServletResponse>(); Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator .OpParam + "=" + op.ToString()); Org.Mockito.Mockito.When(request.GetMethod()).ThenReturn(op.GetHttpMethod()); NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(null, request, response )); Org.Mockito.Mockito.Verify(response).SetStatus(Org.Mockito.Mockito.Eq(HttpServletResponse .ScUnauthorized)); Org.Mockito.Mockito.Verify(response).SetHeader(Org.Mockito.Mockito.Eq(KerberosAuthenticator .WwwAuthenticate), Org.Mockito.Mockito.Eq("mock")); Org.Mockito.Mockito.Reset(response); AuthenticationToken token = Org.Mockito.Mockito.Mock <AuthenticationToken>(); Org.Mockito.Mockito.When(token.GetUserName()).ThenReturn("user"); NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(token, request, response )); Org.Mockito.Mockito.Verify(response).SendError(Org.Mockito.Mockito.Eq(HttpServletResponse .ScBadRequest), Org.Mockito.Mockito.Contains("requires the parameter [token]")); Org.Mockito.Mockito.Reset(response); StringWriter writer = new StringWriter(); PrintWriter pwriter = new PrintWriter(writer); Org.Mockito.Mockito.When(response.GetWriter()).ThenReturn(pwriter); Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> dToken = (Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier>)handler.GetTokenManager().CreateToken(UserGroupInformation .GetCurrentUser(), "user"); Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator .OpParam + "=" + op.ToString() + "&" + DelegationTokenAuthenticator.TokenParam + "=" + dToken.EncodeToUrlString()); NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(token, request, response )); Org.Mockito.Mockito.Verify(response).SetStatus(HttpServletResponse.ScOk); pwriter.Close(); Assert.True(writer.ToString().Contains("long")); handler.GetTokenManager().VerifyToken(dToken); }
/// <exception cref="System.Exception"/> private void TestCancelToken() { DelegationTokenAuthenticator.DelegationTokenOperation op = DelegationTokenAuthenticator.DelegationTokenOperation .Canceldelegationtoken; HttpServletRequest request = Org.Mockito.Mockito.Mock <HttpServletRequest>(); HttpServletResponse response = Org.Mockito.Mockito.Mock <HttpServletResponse>(); Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator .OpParam + "=" + op.ToString()); Org.Mockito.Mockito.When(request.GetMethod()).ThenReturn(op.GetHttpMethod()); NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(null, request, response )); Org.Mockito.Mockito.Verify(response).SendError(Org.Mockito.Mockito.Eq(HttpServletResponse .ScBadRequest), Org.Mockito.Mockito.Contains("requires the parameter [token]")); Org.Mockito.Mockito.Reset(response); Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = (Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier>)handler.GetTokenManager().CreateToken(UserGroupInformation .GetCurrentUser(), "foo"); Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator .OpParam + "=" + op.ToString() + "&" + DelegationTokenAuthenticator.TokenParam + "=" + token.EncodeToUrlString()); NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(null, request, response )); Org.Mockito.Mockito.Verify(response).SetStatus(HttpServletResponse.ScOk); try { handler.GetTokenManager().VerifyToken(token); NUnit.Framework.Assert.Fail(); } catch (SecretManager.InvalidToken) { } catch { //NOP NUnit.Framework.Assert.Fail(); } }
/// <exception cref="System.IO.IOException"/> /// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException /// "/> private IDictionary DoDelegationTokenOperation <_T0>(Uri url, AuthenticatedURL.Token token, DelegationTokenAuthenticator.DelegationTokenOperation operation, string renewer, Org.Apache.Hadoop.Security.Token.Token <_T0> dToken, bool hasResponse, string doAsUser) where _T0 : TokenIdentifier { IDictionary ret = null; IDictionary <string, string> @params = new Dictionary <string, string>(); @params[OpParam] = operation.ToString(); if (renewer != null) { @params[RenewerParam] = renewer; } if (dToken != null) { @params[TokenParam] = dToken.EncodeToUrlString(); } // proxyuser if (doAsUser != null) { @params[DelegationTokenAuthenticatedURL.DoAs] = URLEncoder.Encode(doAsUser, "UTF-8" ); } string urlStr = url.ToExternalForm(); StringBuilder sb = new StringBuilder(urlStr); string separator = (urlStr.Contains("?")) ? "&" : "?"; foreach (KeyValuePair <string, string> entry in @params) { sb.Append(separator).Append(entry.Key).Append("=").Append(URLEncoder.Encode(entry .Value, "UTF8")); separator = "&"; } url = new Uri(sb.ToString()); AuthenticatedURL aUrl = new AuthenticatedURL(this, connConfigurator); HttpURLConnection conn = aUrl.OpenConnection(url, token); conn.SetRequestMethod(operation.GetHttpMethod()); HttpExceptionUtils.ValidateResponse(conn, HttpURLConnection.HttpOk); if (hasResponse) { string contentType = conn.GetHeaderField(ContentType); contentType = (contentType != null) ? StringUtils.ToLowerCase(contentType) : null; if (contentType != null && contentType.Contains(ApplicationJsonMime)) { try { ObjectMapper mapper = new ObjectMapper(); ret = mapper.ReadValue <IDictionary>(conn.GetInputStream()); } catch (Exception ex) { throw new AuthenticationException(string.Format("'%s' did not handle the '%s' delegation token operation: %s" , url.GetAuthority(), operation, ex.Message), ex); } } else { throw new AuthenticationException(string.Format("'%s' did not " + "respond with JSON to the '%s' delegation token operation" , url.GetAuthority(), operation)); } } return(ret); }
/// <summary> /// Returns an authenticated /// <see cref="HttpURLConnection"/> /// . If the Delegation /// Token is present, it will be used taking precedence over the configured /// <code>Authenticator</code>. If the <code>doAs</code> parameter is not NULL, /// the request will be done on behalf of the specified <code>doAs</code> user. /// </summary> /// <param name="url">the URL to connect to. Only HTTP/S URLs are supported.</param> /// <param name="token">the authentication token being used for the user.</param> /// <param name="doAs"> /// user to do the the request on behalf of, if NULL the request is /// as self. /// </param> /// <returns> /// an authenticated /// <see cref="HttpURLConnection"/> /// . /// </returns> /// <exception cref="System.IO.IOException">if an IO error occurred.</exception> /// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException /// ">if an authentication exception occurred.</exception> public virtual HttpURLConnection OpenConnection(Uri url, DelegationTokenAuthenticatedURL.Token token, string doAs) { Preconditions.CheckNotNull(url, "url"); Preconditions.CheckNotNull(token, "token"); IDictionary <string, string> extraParams = new Dictionary <string, string>(); Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> dToken = null; // if we have valid auth token, it takes precedence over a delegation token // and we don't even look for one. if (!token.IsSet()) { // delegation token Credentials creds = UserGroupInformation.GetCurrentUser().GetCredentials(); if (!creds.GetAllTokens().IsEmpty()) { IPEndPoint serviceAddr = new IPEndPoint(url.GetHost(), url.Port); Text service = SecurityUtil.BuildTokenService(serviceAddr); dToken = creds.GetToken(service); if (dToken != null) { if (UseQueryStringForDelegationToken()) { // delegation token will go in the query string, injecting it extraParams[KerberosDelegationTokenAuthenticator.DelegationParam] = dToken.EncodeToUrlString (); } else { // delegation token will go as request header, setting it in the // auth-token to ensure no authentication handshake is triggered // (if we have a delegation token, we are authenticated) // the delegation token header is injected in the connection request // at the end of this method. token.delegationToken = (Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier >)dToken; } } } } // proxyuser if (doAs != null) { extraParams[DoAs] = URLEncoder.Encode(doAs, "UTF-8"); } url = AugmentURL(url, extraParams); HttpURLConnection conn = base.OpenConnection(url, token); if (!token.IsSet() && !UseQueryStringForDelegationToken() && dToken != null) { // injecting the delegation token header in the connection request conn.SetRequestProperty(DelegationTokenAuthenticator.DelegationTokenHeader, dToken .EncodeToUrlString()); } return(conn); }
public virtual void TestGetUgiFromToken() { conf.Set(DFSConfigKeys.FsDefaultNameKey, "hdfs://localhost:4321/"); ServletContext context = Org.Mockito.Mockito.Mock <ServletContext>(); string realUser = "******"; string user = "******"; conf.Set(DFSConfigKeys.HadoopSecurityAuthentication, "kerberos"); UserGroupInformation.SetConfiguration(conf); UserGroupInformation ugi; HttpServletRequest request; Text ownerText = new Text(user); DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(ownerText, ownerText , new Text(realUser)); Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier>(dtId, new TestJspHelper.DummySecretManager(0, 0, 0, 0)); string tokenString = token.EncodeToUrlString(); // token with no auth-ed user request = GetMockRequest(null, null, null); Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName)) .ThenReturn(tokenString); ugi = JspHelper.GetUGI(context, request, conf); NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser()); NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser); NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user); CheckUgiFromToken(ugi); // token with auth-ed user request = GetMockRequest(realUser, null, null); Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName)) .ThenReturn(tokenString); ugi = JspHelper.GetUGI(context, request, conf); NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser()); NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser); NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user); CheckUgiFromToken(ugi); // completely different user, token trumps auth request = GetMockRequest("rogue", null, null); Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName)) .ThenReturn(tokenString); ugi = JspHelper.GetUGI(context, request, conf); NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser()); NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser); NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user); CheckUgiFromToken(ugi); // expected case request = GetMockRequest(null, user, null); Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName)) .ThenReturn(tokenString); ugi = JspHelper.GetUGI(context, request, conf); NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser()); NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser); NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user); CheckUgiFromToken(ugi); // can't proxy with a token! request = GetMockRequest(null, null, "rogue"); Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName)) .ThenReturn(tokenString); try { JspHelper.GetUGI(context, request, conf); NUnit.Framework.Assert.Fail("bad request allowed"); } catch (IOException ioe) { NUnit.Framework.Assert.AreEqual("Usernames not matched: name=rogue != expected=" + user, ioe.Message); } // can't proxy with a token! request = GetMockRequest(null, user, "rogue"); Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName)) .ThenReturn(tokenString); try { JspHelper.GetUGI(context, request, conf); NUnit.Framework.Assert.Fail("bad request allowed"); } catch (IOException ioe) { NUnit.Framework.Assert.AreEqual("Usernames not matched: name=rogue != expected=" + user, ioe.Message); } }
/// <exception cref="System.Exception"/> private void TestValidDelegationTokenHeader() { HttpServletRequest request = Org.Mockito.Mockito.Mock <HttpServletRequest>(); HttpServletResponse response = Org.Mockito.Mockito.Mock <HttpServletResponse>(); Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> dToken = (Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier>)handler.GetTokenManager().CreateToken(UserGroupInformation .GetCurrentUser(), "user"); Org.Mockito.Mockito.When(request.GetHeader(Org.Mockito.Mockito.Eq(DelegationTokenAuthenticator .DelegationTokenHeader))).ThenReturn(dToken.EncodeToUrlString()); AuthenticationToken token = handler.Authenticate(request, response); Assert.Equal(UserGroupInformation.GetCurrentUser().GetShortUserName (), token.GetUserName()); Assert.Equal(0, token.GetExpires()); Assert.Equal(handler.GetType(), token.GetType()); Assert.True(token.IsExpired()); }