Ejemplo n.º 1
        /// <exception cref="System.IO.IOException"/>
        /// <summary>
        /// Rebuilds a <c>UserGroupInformation</c> from a URL-encoded delegation token string.
        /// </summary>
        /// <remarks>
        /// The identifier bytes are parsed before any verification takes place, and
        /// <c>VerifyToken</c> only runs when a NameNode can be obtained from
        /// <paramref name="context"/>. With a null context, or a context that yields no
        /// NameNode, the returned UGI carries the identity claimed inside the token
        /// without its password having been checked in this method.
        /// NOTE(review): callers presumably rely on a later check in that case; confirm
        /// before treating the result as authenticated.
        /// </remarks>
        /// <param name="context">Servlet context used to look up the NameNode; may be null.</param>
        /// <param name="request">Request handed to <c>GetNNServiceAddress</c>.</param>
        /// <param name="tokenString">Token in the form accepted by <c>DecodeFromUrlString</c>.</param>
        /// <param name="conf">Not read by this method.</param>
        /// <returns>The user described by the token identifier, with the token attached.</returns>
        private static UserGroupInformation GetTokenUGI(ServletContext context, HttpServletRequest
                                                        request, string tokenString, Configuration conf)
        {
            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> delegationToken =
                new Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier>();
            delegationToken.DecodeFromUrlString(tokenString);

            // Pin the token to the NameNode service address when one can be resolved.
            IPEndPoint nnAddress = GetNNServiceAddress(context, request);
            if (nnAddress != null)
            {
                SecurityUtil.SetTokenService(delegationToken, nnAddress);
                delegationToken.SetKind(DelegationTokenIdentifier.HdfsDelegationKind);
            }

            // Parse the identifier out of the token's raw identifier bytes.
            DelegationTokenIdentifier tokenId = new DelegationTokenIdentifier();
            tokenId.ReadFields(new DataInputStream(new ByteArrayInputStream(delegationToken.GetIdentifier())));

            // Verification needs the NameNode's namesystem; it is skipped when none is available.
            NameNode nameNode = (context != null) ? NameNodeHttpServer.GetNameNodeFromContext(context) : null;
            if (nameNode != null)
            {
                nameNode.GetNamesystem().VerifyToken(tokenId, delegationToken.GetPassword());
            }

            UserGroupInformation user = tokenId.GetUser();
            user.AddToken(delegationToken);
            return user;
        }
Ejemplo n.º 2
        /// <exception cref="System.Exception"/>
        /// <summary>
        /// Asserts that <paramref name="token"/> is known to the secret manager, renews it as
        /// "JobTracker", and then runs a privileged action as <paramref name="ugi"/>.
        /// </summary>
        /// <param name="ugi">User under which the final privileged action is executed.</param>
        /// <param name="token">Token whose identifier is parsed and checked; must not be null.</param>
        private void CheckTokenIdentifier <_T0>(UserGroupInformation ugi, Org.Apache.Hadoop.Security.Token.Token
                                                <_T0> token)
            where _T0 : TokenIdentifier
        {
            NUnit.Framework.Assert.IsNotNull(token);

            // token.decodeIdentifier() would be the natural call here, but webhdfs is not
            // registered with the service loader for token decoding, so parse by hand.
            DelegationTokenIdentifier parsedId = new DelegationTokenIdentifier();
            DataInputStream idStream = new DataInputStream(new ByteArrayInputStream(token.GetIdentifier()));
            try
            {
                parsedId.ReadFields(idStream);
            }
            finally
            {
                idStream.Close();
            }
            NUnit.Framework.Assert.IsNotNull(parsedId);

            Log.Info("A valid token should have non-null password, and should be renewed successfully"
                     );
            // A password is only retrievable for an identifier the secret manager knows about.
            NUnit.Framework.Assert.IsTrue(dtSecretManager.RetrievePassword(parsedId) != null);
            dtSecretManager.RenewToken(
                (Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier>)token, "JobTracker");

            ugi.DoAs(new _PrivilegedExceptionAction_309(this, token));
        }
Ejemplo n.º 3
        /// <exception cref="System.IO.IOException"/>
        /// <summary>
        /// Builds the <c>UserGroupInformation</c> named by the delegation token carried in
        /// <c>@params</c> and attaches that token to it.
        /// </summary>
        /// <remarks>
        /// Only the identifier is parsed here; this method does not call any verification
        /// routine on the token password.
        /// NOTE(review): presumably the token is validated elsewhere before the identity
        /// is trusted; confirm against the callers.
        /// </remarks>
        /// <returns>The user read from the token identifier, holding the token.</returns>
        private UserGroupInformation TokenUGI()
        {
            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> delegationToken =
                @params.DelegationToken();

            // Decode the identifier straight from the token's identifier bytes.
            DelegationTokenIdentifier tokenId = new DelegationTokenIdentifier();
            tokenId.ReadFields(new DataInputStream(new ByteArrayInputStream(delegationToken.GetIdentifier())));

            UserGroupInformation user = tokenId.GetUser();
            user.AddToken(delegationToken);
            return user;
        }
Ejemplo n.º 4
        /// <summary>Process the Delegation Token related section in fsimage.</summary>
        /// <param name="in">DataInputStream to process</param>
        /// <param name="v">Visitor to walk over records</param>
        /// <exception cref="System.IO.IOException"/>
        private void ProcessDelegationTokens(DataInputStream @in, ImageVisitor v)
        {
            // Every value below is consumed from the stream in a fixed order; each read
            // advances the stream, so the statement order is part of the format.
            v.Visit(ImageVisitor.ImageElement.CurrentDelegationKeyId, @in.ReadInt());
            // NOTE(review): the count comes straight from the image and is not range-checked
            // here. Nothing is pre-allocated from it, so an oversized value presumably ends
            // when the stream reads fail; confirm.
            int numDKeys = @in.ReadInt();

            v.VisitEnclosingElement(ImageVisitor.ImageElement.DelegationKeys, ImageVisitor.ImageElement
                                    .NumDelegationKeys, numDKeys);
            for (int i = 0; i < numDKeys; i++)
            {
                DelegationKey key = new DelegationKey();
                key.ReadFields(@in);
                // NOTE(review): the key's string form goes to the visitor output; confirm it
                // does not include key material before such output is shared.
                v.Visit(ImageVisitor.ImageElement.DelegationKey, key.ToString());
            }
            // Closes the DelegationKeys element.
            v.LeaveEnclosingElement();
            v.Visit(ImageVisitor.ImageElement.DelegationTokenSequenceNumber, @in.ReadInt());
            // Same as numDKeys: taken from the stream without a bounds check.
            int numDTokens = @in.ReadInt();

            v.VisitEnclosingElement(ImageVisitor.ImageElement.DelegationTokens, ImageVisitor.ImageElement
                                    .NumDelegationTokens, numDTokens);
            for (int i_1 = 0; i_1 < numDTokens; i_1++)
            {
                DelegationTokenIdentifier id = new DelegationTokenIdentifier();
                id.ReadFields(@in);
                // The expiry time is stored after the identifier, not inside it.
                long expiryTime = @in.ReadLong();
                // One enclosing element per token, holding its individual fields.
                v.VisitEnclosingElement(ImageVisitor.ImageElement.DelegationTokenIdentifier);
                v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierKind, id.GetKind().ToString
                            ());
                v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierSeqno, id.GetSequenceNumber
                            ());
                v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierOwner, id.GetOwner().ToString
                            ());
                v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierRenewer, id.GetRenewer
                            ().ToString());
                v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierRealuser, id.GetRealUser
                            ().ToString());
                v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierIssueDate, id.GetIssueDate
                            ());
                v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierMaxDate, id.GetMaxDate
                            ());
                v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierExpiryTime, expiryTime
                        );
                v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierMasterKeyId, id.GetMasterKeyId
                            ());
                // Closes this token's DelegationTokenIdentifier element.
                v.LeaveEnclosingElement();
            }
            // Closes the DelegationTokens element opened before the loop.
            v.LeaveEnclosingElement();
        }
 /// <exception cref="System.IO.IOException"/>
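 /// <summary>
 /// Checks that a delegation token obtained through the proxy UGI records both the
 /// proxy user and the real user in its identifier.
 /// </summary>
 public virtual void TestDelegationTokenWithRealUser()
 {
     // No catch-all around the body: a blanket catch would also swallow NUnit assertion
     // failures, and this identity check could then never fail.
     Org.Apache.Hadoop.Security.Token.Token <object>[] tokens = proxyUgi.DoAs(new _PrivilegedExceptionAction_131
                                                                                  ());

     // Fail with a clear assertion instead of an index error when no token came back.
     NUnit.Framework.Assert.IsNotNull(tokens);
     NUnit.Framework.Assert.IsTrue(tokens.Length > 0);

     DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
     byte[] tokenId = tokens[0].GetIdentifier();
     identifier.ReadFields(new DataInputStream(new ByteArrayInputStream(tokenId)));

     // NUnit's AreEqual takes (expected, actual); this order keeps failure messages accurate.
     NUnit.Framework.Assert.AreEqual(ProxyUser, identifier.GetUser().GetUserName());
     NUnit.Framework.Assert.AreEqual(RealUser, identifier.GetUser().GetRealUser().GetUserName());
 }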
Ejemplo n.º 6
        /// <summary>
        /// Walks a delegation token through the secret manager: renewal by the wrong renewer
        /// is rejected, renewal by "JobTracker" works, the password becomes unavailable after
        /// the first sleep, and renewal is refused after the second sleep.
        /// </summary>
        /// <remarks>
        /// NOTE(review): the 6000 ms and 5000 ms sleeps presumably match token lifetimes
        /// configured in the test setup, which is not visible here; confirm.
        /// </remarks>
        public virtual void TestDelegationTokenSecretManager()
        {
            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> dt =
                GenerateDelegationToken("SomeUser", "JobTracker");

            // A renewer other than the one the token was issued for must be rejected.
            try
            {
                dtSecretManager.RenewToken(dt, "FakeRenewer");
                NUnit.Framework.Assert.Fail("should have failed");
            }
            catch (AccessControlException)
            {
                // Expected: the access check refused the fake renewer.
            }

            // The designated renewer is allowed.
            dtSecretManager.RenewToken(dt, "JobTracker");

            DelegationTokenIdentifier parsedId = new DelegationTokenIdentifier();
            parsedId.ReadFields(new DataInputStream(new ByteArrayInputStream(dt.GetIdentifier())));
            NUnit.Framework.Assert.IsTrue(dtSecretManager.RetrievePassword(parsedId) != null);

            Log.Info("Sleep to expire the token");
            Sharpen.Thread.Sleep(6000);

            // Once expired, the password must no longer be retrievable.
            try
            {
                dtSecretManager.RetrievePassword(parsedId);
                NUnit.Framework.Assert.Fail("Token should have expired");
            }
            catch (SecretManager.InvalidToken)
            {
                // Expected: the token is reported as invalid.
            }

            // This renewal is not wrapped in a try, so it has to succeed for the test to pass.
            dtSecretManager.RenewToken(dt, "JobTracker");

            Log.Info("Sleep beyond the max lifetime");
            Sharpen.Thread.Sleep(5000);

            // Past the maximum lifetime even the designated renewer must be refused.
            try
            {
                dtSecretManager.RenewToken(dt, "JobTracker");
                NUnit.Framework.Assert.Fail("should have been expired");
            }
            catch (SecretManager.InvalidToken)
            {
                // Expected.
            }
        }
        /// <exception cref="System.Exception"/>
        /// <summary>
        /// Obtains a delegation token through the DFS API and checks that it can be renewed
        /// via the secret manager, via the client configuration, and again after a failover,
        /// and that renewal with an empty configuration fails with a mapping error.
        /// </summary>
        public virtual void TestDelegationTokenDFSApi()
        {
            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> dt =
                GetDelegationToken(fs, "JobTracker");

            DelegationTokenIdentifier parsedId = new DelegationTokenIdentifier();
            parsedId.ReadFields(new DataInputStream(new ByteArrayInputStream(dt.GetIdentifier())));

            // The token must be known to the NN's secret manager and renewable there directly.
            Log.Info("A valid token should have non-null password, " + "and should be renewed successfully"
                     );
            NUnit.Framework.Assert.IsTrue(dtSecretManager.RetrievePassword(parsedId) != null);
            dtSecretManager.RenewToken(dt, "JobTracker");

            // Renewal through the client conf, which carries the failover info.
            Configuration haClientConf = dfs.GetConf();
            DoRenewOrCancel(dt, haClientConf, TestDelegationTokensWithHA.TokenTestAction.Renew);

            // A configuration without the logical nameservice should produce a
            // reasonable error message rather than succeed.
            Configuration bareConf = new Configuration();
            try
            {
                DoRenewOrCancel(dt, bareConf, TestDelegationTokensWithHA.TokenTestAction.Renew);
                NUnit.Framework.Assert.Fail("Did not throw trying to renew with an empty conf!");
            }
            catch (IOException renewFailure)
            {
                GenericTestUtils.AssertExceptionContains("Unable to map logical nameservice URI",
                                                         renewFailure);
            }

            // After the failover the same token must still renew, and then cancel.
            cluster.TransitionToStandby(0);
            cluster.TransitionToActive(1);
            DoRenewOrCancel(dt, haClientConf, TestDelegationTokensWithHA.TokenTestAction.Renew);
            DoRenewOrCancel(dt, haClientConf, TestDelegationTokensWithHA.TokenTestAction.Cancel);
        }
        /// <summary>
        /// Test if StandbyException can be thrown from StandbyNN, when it's requested for
        /// password.
        /// </summary>
        /// <remarks>
        /// Test if StandbyException can be thrown from StandbyNN, when it's requested for
        /// password. (HDFS-6475). With StandbyException, the client can failover to try
        /// activeNN.
        /// </remarks>
        /// <exception cref="System.Exception"/>
        public virtual void TestDelegationTokenStandbyNNAppearFirst()
        {
            // nn0 becomes the standby NameNode and nn1 the active one.
            cluster.TransitionToStandby(0);
            cluster.TransitionToActive(1);

            // Secret manager of nn1, the NameNode that was just made active.
            DelegationTokenSecretManager activeSecretManager =
                NameNodeAdapter.GetDtSecretManager(nn1.GetNamesystem());

            // Create the token and parse its identifier by hand.
            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> dt =
                GetDelegationToken(fs, "JobTracker");
            DelegationTokenIdentifier parsedId = new DelegationTokenIdentifier();
            parsedId.ReadFields(new DataInputStream(new ByteArrayInputStream(dt.GetIdentifier())));

            // The active side must be able to produce the token's password.
            NUnit.Framework.Assert.IsTrue(activeSecretManager.RetrievePassword(parsedId) != null);

            // Run the privileged action as a remote "JobTracker" user holding the token.
            UserGroupInformation jobTracker = UserGroupInformation.CreateRemoteUser("JobTracker");
            jobTracker.AddToken(dt);
            jobTracker.DoAs(new _PrivilegedExceptionAction_406(parsedId));
        }
        /// <summary>
        /// Test if correct exception (StandbyException or RetriableException) can be
        /// thrown during the NN failover.
        /// </summary>
        /// <exception cref="System.Exception"/>
        public virtual void TestDelegationTokenDuringNNFailover()
        {
            EditLogTailer editLogTailer = nn1.GetNamesystem().GetEditLogTailer();

            // stop the editLogTailer of nn1
            editLogTailer.Stop();
            // Read the stopped tailer's "conf" field through Whitebox so the replacement
            // tailer below can be constructed with the same configuration.
            Configuration conf = (Configuration)Whitebox.GetInternalState(editLogTailer, "conf"
                                                                          );

            // Swap in the test tailer on nn1's namesystem.
            nn1.GetNamesystem().SetEditLogTailerForTests(new TestDelegationTokensWithHA.EditLogTailerForTest
                                                             (this, nn1.GetNamesystem(), conf));
            // create token
            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = GetDelegationToken
                                                                                           (fs, "JobTracker");
            DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();

            // Parse the identifier from the token's raw identifier bytes.
            byte[] tokenId = token.GetIdentifier();
            identifier.ReadFields(new DataInputStream(new ByteArrayInputStream(tokenId)));
            // Ensure that it's present in the nn0 secret manager and can
            // be renewed directly from there.
            Log.Info("A valid token should have non-null password, " + "and should be renewed successfully"
                     );
            NUnit.Framework.Assert.IsTrue(null != dtSecretManager.RetrievePassword(identifier
                                                                                   ));
            dtSecretManager.RenewToken(token, "JobTracker");
            // transition nn0 to standby
            cluster.TransitionToStandby(0);
            // Renewal against nn0 must now be refused with a StandbyException whose
            // message contains the Standby state name.
            try
            {
                cluster.GetNameNodeRpc(0).RenewDelegationToken(token);
                NUnit.Framework.Assert.Fail("StandbyException is expected since nn0 is in standby state"
                                            );
            }
            catch (StandbyException e)
            {
                GenericTestUtils.AssertExceptionContains(HAServiceProtocol.HAServiceState.Standby
                                                         .ToString(), e);
            }
            // NOTE(review): what _Thread_220 does is not visible here; the one-second sleep
            // presumably lets it get under way before VerifyToken is called. The check is
            // timing-based; confirm.
            new _Thread_220().Start();
            Sharpen.Thread.Sleep(1000);
            // While nn1 is in transition, token verification must fail rather than succeed.
            try
            {
                nn1.GetNamesystem().VerifyToken(token.DecodeIdentifier(), token.GetPassword());
                NUnit.Framework.Assert.Fail("RetriableException/StandbyException is expected since nn1 is in transition"
                                            );
            }
            catch (IOException e)
            {
                // Either exception type is accepted; any other IOException fails the test.
                NUnit.Framework.Assert.IsTrue(e is StandbyException || e is RetriableException);
                Log.Info("Got expected exception", e);
            }
            // NOTE(review): setting catchup and notifying on this object's monitor presumably
            // releases the test tailer installed above; confirm against EditLogTailerForTest.
            catchup = true;
            lock (this)
            {
                Sharpen.Runtime.NotifyAll(this);
            }
            Configuration clientConf = dfs.GetConf();

            // The token must still be renewable and then cancellable through the client conf.
            DoRenewOrCancel(token, clientConf, TestDelegationTokensWithHA.TokenTestAction.Renew
                            );
            DoRenewOrCancel(token, clientConf, TestDelegationTokensWithHA.TokenTestAction.Cancel
                            );
        }