public virtual void TestSimpleAuth()
{
rm.Start();
// ensure users can access web pages
// this should work for secure and non-secure clusters
Uri url = new Uri("http://localhost:8088/cluster");
HttpURLConnection conn = (HttpURLConnection)url.OpenConnection();
try
{
conn.GetInputStream();
NUnit.Framework.Assert.AreEqual(ClientResponse.Status.Ok.GetStatusCode(), conn.GetResponseCode
());
}
catch (Exception)
{
NUnit.Framework.Assert.Fail("Fetching url failed");
}
if (UserGroupInformation.IsSecurityEnabled())
{
TestAnonymousKerberosUser();
}
else
{
TestAnonymousSimpleUser();
}
rm.Stop();
}
/// <exception cref="System.IO.IOException"/>
private void ValidateRequest(ServletContext context, Configuration conf, HttpServletRequest
request, HttpServletResponse response, FSImage nnImage, string theirStorageInfoString
)
{
if (UserGroupInformation.IsSecurityEnabled() && !IsValidRequestor(context, request
.GetUserPrincipal().GetName(), conf))
{
string errorMsg = "Only Namenode, Secondary Namenode, and administrators may access "
+ "this servlet";
response.SendError(HttpServletResponse.ScForbidden, errorMsg);
Log.Warn("Received non-NN/SNN/administrator request for image or edits from " + request
.GetUserPrincipal().GetName() + " at " + request.GetRemoteHost());
throw new IOException(errorMsg);
}
string myStorageInfoString = nnImage.GetStorage().ToColonSeparatedString();
if (theirStorageInfoString != null && !myStorageInfoString.Equals(theirStorageInfoString
))
{
string errorMsg = "This namenode has storage info " + myStorageInfoString + " but the secondary expected "
+ theirStorageInfoString;
response.SendError(HttpServletResponse.ScForbidden, errorMsg);
Log.Warn("Received an invalid request file transfer request " + "from a secondary with storage info "
+ theirStorageInfoString);
throw new IOException(errorMsg);
}
}
static TransferFsImage()
{
Configuration conf = new Configuration();
connectionFactory = URLConnectionFactory.NewDefaultURLConnectionFactory(conf);
isSpnegoEnabled = UserGroupInformation.IsSecurityEnabled();
}
/// <summary>
/// Get
/// <see cref="Org.Apache.Hadoop.Security.UserGroupInformation"/>
/// and possibly the delegation token out of
/// the request.
/// </summary>
/// <param name="context">the ServletContext that is serving this request.</param>
/// <param name="request">the http request</param>
/// <param name="conf">configuration</param>
/// <param name="secureAuthMethod">the AuthenticationMethod used in secure mode.</param>
/// <param name="tryUgiParameter">Should it try the ugi parameter?</param>
/// <returns>a new user from the request</returns>
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">if the request has no token
/// </exception>
/// <exception cref="System.IO.IOException"/>
public static UserGroupInformation GetUGI(ServletContext context, HttpServletRequest
request, Configuration conf, UserGroupInformation.AuthenticationMethod secureAuthMethod
, bool tryUgiParameter)
{
UserGroupInformation ugi = null;
string usernameFromQuery = GetUsernameFromQuery(request, tryUgiParameter);
string doAsUserFromQuery = request.GetParameter(DoAsParam.Name);
string remoteUser;
if (UserGroupInformation.IsSecurityEnabled())
{
remoteUser = request.GetRemoteUser();
string tokenString = request.GetParameter(DelegationParameterName);
if (tokenString != null)
{
// Token-based connections need only verify the effective user, and
// disallow proxying to different user. Proxy authorization checks
// are not required since the checks apply to issuing a token.
ugi = GetTokenUGI(context, request, tokenString, conf);
CheckUsername(ugi.GetShortUserName(), usernameFromQuery);
CheckUsername(ugi.GetShortUserName(), doAsUserFromQuery);
}
else
{
if (remoteUser == null)
{
throw new IOException("Security enabled but user not authenticated by filter");
}
}
}
else
{
// Security's not on, pull from url or use default web user
remoteUser = (usernameFromQuery == null) ? GetDefaultWebUserName(conf) : usernameFromQuery;
}
// not specified in request
if (ugi == null)
{
// security is off, or there's no token
ugi = UserGroupInformation.CreateRemoteUser(remoteUser);
CheckUsername(ugi.GetShortUserName(), usernameFromQuery);
if (UserGroupInformation.IsSecurityEnabled())
{
// This is not necessarily true, could have been auth'ed by user-facing
// filter
ugi.SetAuthenticationMethod(secureAuthMethod);
}
if (doAsUserFromQuery != null)
{
// create and attempt to authorize a proxy user
ugi = UserGroupInformation.CreateProxyUser(doAsUserFromQuery, ugi);
ProxyUsers.Authorize(ugi, GetRemoteAddr(request));
}
}
if (Log.IsDebugEnabled())
{
Log.Debug("getUGI is returning: " + ugi.GetShortUserName());
}
return(ugi);
}
/// <summary>Create a redirection URL</summary>
/// <exception cref="System.IO.IOException"/>
private Uri CreateRedirectURL(UserGroupInformation ugi, DatanodeID host, HttpServletRequest
request, NameNode nn)
{
string hostname = host is DatanodeInfo?host.GetHostName() : host.GetIpAddr();
string scheme = request.GetScheme();
int port = host.GetInfoPort();
if ("https".Equals(scheme))
{
int portObject = (int)GetServletContext().GetAttribute(DFSConfigKeys.DfsDatanodeHttpsPortKey
);
if (portObject != null)
{
port = portObject;
}
}
string encodedPath = ServletUtil.GetRawPath(request, "/fileChecksum");
string dtParam = string.Empty;
if (UserGroupInformation.IsSecurityEnabled())
{
string tokenString = ugi.GetTokens().GetEnumerator().Next().EncodeToUrlString();
dtParam = JspHelper.GetDelegationTokenUrlParam(tokenString);
}
string addr = nn.GetNameNodeAddressHostPortString();
string addrParam = JspHelper.GetUrlParam(JspHelper.NamenodeAddress, addr);
return(new Uri(scheme, hostname, port, "/getFileChecksum" + encodedPath + '?' + "ugi="
+ ServletUtil.EncodeQueryValue(ugi.GetShortUserName()) + dtParam + addrParam));
}
/// <summary>Receives SASL negotiation from a peer on behalf of a server.</summary>
/// <param name="peer">connection peer</param>
/// <param name="underlyingOut">connection output stream</param>
/// <param name="underlyingIn">connection input stream</param>
/// <?/>
/// <param name="datanodeId">ID of DataNode accepting connection</param>
/// <returns>new pair of streams, wrapped after SASL negotiation</returns>
/// <exception cref="System.IO.IOException">for any error</exception>
public virtual IOStreamPair Receive(Peer peer, OutputStream underlyingOut, InputStream
underlyingIn, int xferPort, DatanodeID datanodeId)
{
if (dnConf.GetEncryptDataTransfer())
{
Log.Debug("SASL server doing encrypted handshake for peer = {}, datanodeId = {}",
peer, datanodeId);
return(GetEncryptedStreams(peer, underlyingOut, underlyingIn));
}
else
{
if (!UserGroupInformation.IsSecurityEnabled())
{
Log.Debug("SASL server skipping handshake in unsecured configuration for " + "peer = {}, datanodeId = {}"
, peer, datanodeId);
return(new IOStreamPair(underlyingIn, underlyingOut));
}
else
{
if (SecurityUtil.IsPrivilegedPort(xferPort))
{
Log.Debug("SASL server skipping handshake in secured configuration for " + "peer = {}, datanodeId = {}"
, peer, datanodeId);
return(new IOStreamPair(underlyingIn, underlyingOut));
}
else
{
if (dnConf.GetSaslPropsResolver() != null)
{
Log.Debug("SASL server doing general handshake for peer = {}, datanodeId = {}", peer
, datanodeId);
return(GetSaslStreams(peer, underlyingOut, underlyingIn));
}
else
{
if (dnConf.GetIgnoreSecurePortsForTesting())
{
// It's a secured cluster using non-privileged ports, but no SASL. The
// only way this can happen is if the DataNode has
// ignore.secure.ports.for.testing configured, so this is a rare edge case.
Log.Debug("SASL server skipping handshake in secured configuration with no SASL "
+ "protection configured for peer = {}, datanodeId = {}", peer, datanodeId);
return(new IOStreamPair(underlyingIn, underlyingOut));
}
else
{
// The error message here intentionally does not mention
// ignore.secure.ports.for.testing. That's intended for dev use only.
// This code path is not expected to execute ever, because DataNode startup
// checks for invalid configuration and aborts.
throw new IOException(string.Format("Cannot create a secured " + "connection if DataNode listens on unprivileged port (%d) and no "
+ "protection is defined in configuration property %s.", datanodeId.GetXferPort
(), DFSConfigKeys.DfsDataTransferProtectionKey));
}
}
}
}
}
}
//
// The main work loop
//
public virtual void DoWork()
{
//
// Poll the Namenode (once every checkpointCheckPeriod seconds) to find the
// number of transactions in the edit log that haven't yet been checkpointed.
//
long period = checkpointConf.GetCheckPeriod();
int maxRetries = checkpointConf.GetMaxRetriesOnMergeError();
while (shouldRun)
{
try
{
Sharpen.Thread.Sleep(1000 * period);
}
catch (Exception)
{
}
// do nothing
if (!shouldRun)
{
break;
}
try
{
// We may have lost our ticket since last checkpoint, log in again, just in case
if (UserGroupInformation.IsSecurityEnabled())
{
UserGroupInformation.GetCurrentUser().CheckTGTAndReloginFromKeytab();
}
long now = Time.MonotonicNow();
if (ShouldCheckpointBasedOnCount() || now >= lastCheckpointTime + 1000 * checkpointConf
.GetPeriod())
{
DoCheckpoint();
lastCheckpointTime = now;
}
}
catch (IOException e)
{
Log.Error("Exception in doCheckpoint", e);
Sharpen.Runtime.PrintStackTrace(e);
// Prevent a huge number of edits from being created due to
// unrecoverable conditions and endless retries.
if (checkpointImage.GetMergeErrorCount() > maxRetries)
{
Log.Fatal("Merging failed " + checkpointImage.GetMergeErrorCount() + " times.");
ExitUtil.Terminate(1);
}
}
catch (Exception e)
{
Log.Fatal("Throwable Exception in doCheckpoint", e);
Sharpen.Runtime.PrintStackTrace(e);
ExitUtil.Terminate(1, e);
}
}
}
/// <summary>
/// Open the given File for random read access, verifying the expected user/
/// group constraints if security is enabled.
/// </summary>
/// <remarks>
/// Open the given File for random read access, verifying the expected user/
/// group constraints if security is enabled.
/// Note that this function provides no additional security checks if hadoop
/// security is disabled, since doing the checks would be too expensive when
/// native libraries are not available.
/// </remarks>
/// <param name="f">file that we are trying to open</param>
/// <param name="mode">mode in which we want to open the random access file</param>
/// <param name="expectedOwner">the expected user owner for the file</param>
/// <param name="expectedGroup">the expected group owner for the file</param>
/// <exception cref="System.IO.IOException">
/// if an IO error occurred or if the user/group does
/// not match when security is enabled.
/// </exception>
public static RandomAccessFile OpenForRandomRead(FilePath f, string mode, string
expectedOwner, string expectedGroup)
{
if (!UserGroupInformation.IsSecurityEnabled())
{
return(new RandomAccessFile(f, mode));
}
return(ForceSecureOpenForRandomRead(f, mode, expectedOwner, expectedGroup));
}
/// <summary>
/// Open the given File for read access, verifying the expected user/group
/// constraints if security is enabled.
/// </summary>
/// <remarks>
/// Open the given File for read access, verifying the expected user/group
/// constraints if security is enabled.
/// Note that this function provides no additional checks if Hadoop
/// security is disabled, since doing the checks would be too expensive
/// when native libraries are not available.
/// </remarks>
/// <param name="f">the file that we are trying to open</param>
/// <param name="expectedOwner">the expected user owner for the file</param>
/// <param name="expectedGroup">the expected group owner for the file</param>
/// <exception cref="System.IO.IOException">
/// if an IO Error occurred, or security is enabled and
/// the user/group does not match
/// </exception>
public static FileInputStream OpenForRead(FilePath f, string expectedOwner, string
expectedGroup)
{
if (!UserGroupInformation.IsSecurityEnabled())
{
return(new FileInputStream(f));
}
return(ForceSecureOpenForRead(f, expectedOwner, expectedGroup));
}
/// <summary>
/// Opens the
/// <see cref="Org.Apache.Hadoop.FS.FSDataInputStream"/>
/// on the requested file on local file
/// system, verifying the expected user/group constraints if security is
/// enabled.
/// </summary>
/// <param name="file">absolute path of the file</param>
/// <param name="expectedOwner">the expected user owner for the file</param>
/// <param name="expectedGroup">the expected group owner for the file</param>
/// <exception cref="System.IO.IOException">
/// if an IO Error occurred or the user/group does not
/// match if security is enabled
/// </exception>
public static FSDataInputStream OpenFSDataInputStream(FilePath file, string expectedOwner
, string expectedGroup)
{
if (!UserGroupInformation.IsSecurityEnabled())
{
return(rawFilesystem.Open(new Path(file.GetAbsolutePath())));
}
return(ForceSecureOpenFSDataInputStream(file, expectedOwner, expectedGroup));
}
/// <summary>
/// Convenience method to obtain delegation tokens from namenodes
/// corresponding to the paths passed.
/// </summary>
/// <param name="credentials"/>
/// <param name="ps">array of paths</param>
/// <param name="conf">configuration</param>
/// <exception cref="System.IO.IOException"/>
public static void ObtainTokensForNamenodes(Credentials credentials, Path[] ps, Configuration
conf)
{
if (!UserGroupInformation.IsSecurityEnabled())
{
return;
}
ObtainTokensForNamenodesInternal(credentials, ps, conf);
}
internal virtual void VerifyUsernamePattern(string user)
{
if (!UserGroupInformation.IsSecurityEnabled() && !nonsecureLocalUserPattern.Matcher
(user).Matches())
{
throw new ArgumentException("Invalid user name '" + user + "'," + " it must match '"
+ nonsecureLocalUserPattern.Pattern() + "'");
}
}
/// <exception cref="System.IO.IOException"/>
public DFSck(Configuration conf, TextWriter @out)
: base(conf)
{
this.ugi = UserGroupInformation.GetCurrentUser();
this.@out = @out;
this.connectionFactory = URLConnectionFactory.NewDefaultURLConnectionFactory(conf
);
this.isSpnegoEnabled = UserGroupInformation.IsSecurityEnabled();
}
public static SecureDataNodeStarter.SecureResources GetSecureResources(Configuration
conf)
{
HttpConfig.Policy policy = DFSUtil.GetHttpPolicy(conf);
bool isSecure = UserGroupInformation.IsSecurityEnabled();
// Obtain secure port for data streaming to datanode
IPEndPoint streamingAddr = DataNode.GetStreamingAddr(conf);
int socketWriteTimeout = conf.GetInt(DFSConfigKeys.DfsDatanodeSocketWriteTimeoutKey
, HdfsServerConstants.WriteTimeout);
Socket ss = (socketWriteTimeout > 0) ? ServerSocketChannel.Open().Socket() : new
Socket();
ss.Bind(streamingAddr, 0);
// Check that we got the port we need
if (ss.GetLocalPort() != streamingAddr.Port)
{
throw new RuntimeException("Unable to bind on specified streaming port in secure "
+ "context. Needed " + streamingAddr.Port + ", got " + ss.GetLocalPort());
}
if (!SecurityUtil.IsPrivilegedPort(ss.GetLocalPort()) && isSecure)
{
throw new RuntimeException("Cannot start secure datanode with unprivileged RPC ports"
);
}
System.Console.Error.WriteLine("Opened streaming server at " + streamingAddr);
// Bind a port for the web server. The code intends to bind HTTP server to
// privileged port only, as the client can authenticate the server using
// certificates if they are communicating through SSL.
ServerSocketChannel httpChannel;
if (policy.IsHttpEnabled())
{
httpChannel = ServerSocketChannel.Open();
IPEndPoint infoSocAddr = DataNode.GetInfoAddr(conf);
httpChannel.Socket().Bind(infoSocAddr);
IPEndPoint localAddr = (IPEndPoint)httpChannel.Socket().LocalEndPoint;
if (localAddr.Port != infoSocAddr.Port)
{
throw new RuntimeException("Unable to bind on specified info port in secure " + "context. Needed "
+ streamingAddr.Port + ", got " + ss.GetLocalPort());
}
System.Console.Error.WriteLine("Successfully obtained privileged resources (streaming port = "
+ ss + " ) (http listener port = " + localAddr.Port + ")");
if (localAddr.Port > 1023 && isSecure)
{
throw new RuntimeException("Cannot start secure datanode with unprivileged HTTP ports"
);
}
System.Console.Error.WriteLine("Opened info server at " + infoSocAddr);
}
else
{
httpChannel = null;
}
return(new SecureDataNodeStarter.SecureResources(ss, httpChannel));
}
/// <summary>Sends client SASL negotiation if required.</summary>
/// <remarks>
/// Sends client SASL negotiation if required. Determines the correct type of
/// SASL handshake based on configuration.
/// </remarks>
/// <param name="addr">connection address</param>
/// <param name="underlyingOut">connection output stream</param>
/// <param name="underlyingIn">connection input stream</param>
/// <param name="encryptionKey">for an encrypted SASL handshake</param>
/// <param name="accessToken">connection block access token</param>
/// <param name="datanodeId">ID of destination DataNode</param>
/// <returns>new pair of streams, wrapped after SASL negotiation</returns>
/// <exception cref="System.IO.IOException">for any error</exception>
private IOStreamPair Send(IPAddress addr, OutputStream underlyingOut, InputStream
underlyingIn, DataEncryptionKey encryptionKey, Org.Apache.Hadoop.Security.Token.Token
<BlockTokenIdentifier> accessToken, DatanodeID datanodeId)
{
if (encryptionKey != null)
{
Log.Debug("SASL client doing encrypted handshake for addr = {}, datanodeId = {}",
addr, datanodeId);
return(GetEncryptedStreams(underlyingOut, underlyingIn, encryptionKey));
}
else
{
if (!UserGroupInformation.IsSecurityEnabled())
{
Log.Debug("SASL client skipping handshake in unsecured configuration for " + "addr = {}, datanodeId = {}"
, addr, datanodeId);
return(null);
}
else
{
if (SecurityUtil.IsPrivilegedPort(datanodeId.GetXferPort()))
{
Log.Debug("SASL client skipping handshake in secured configuration with " + "privileged port for addr = {}, datanodeId = {}"
, addr, datanodeId);
return(null);
}
else
{
if (fallbackToSimpleAuth != null && fallbackToSimpleAuth.Get())
{
Log.Debug("SASL client skipping handshake in secured configuration with " + "unsecured cluster for addr = {}, datanodeId = {}"
, addr, datanodeId);
return(null);
}
else
{
if (saslPropsResolver != null)
{
Log.Debug("SASL client doing general handshake for addr = {}, datanodeId = {}", addr
, datanodeId);
return(GetSaslStreams(addr, underlyingOut, underlyingIn, accessToken, datanodeId));
}
else
{
// It's a secured cluster using non-privileged ports, but no SASL. The
// only way this can happen is if the DataNode has
// ignore.secure.ports.for.testing configured, so this is a rare edge case.
Log.Debug("SASL client skipping handshake in secured configuration with no SASL "
+ "protection configured for addr = {}, datanodeId = {}", addr, datanodeId);
return(null);
}
}
}
}
}
}
/// <exception cref="System.IO.IOException"/>
private void InjectToken()
{
if (UserGroupInformation.IsSecurityEnabled())
{
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = @params
.DelegationToken();
token.SetKind(DelegationTokenIdentifier.HdfsDelegationKind);
ugi.AddToken(token);
}
}
internal virtual string GetRunAsUser(string user)
{
if (UserGroupInformation.IsSecurityEnabled() || !containerLimitUsers)
{
return(user);
}
else
{
return(nonsecureLocalUser);
}
}
/// <exception cref="System.IO.IOException"/>
private bool CheckRequestorOrSendError(Configuration conf, HttpServletRequest request
, HttpServletResponse response)
{
if (UserGroupInformation.IsSecurityEnabled() && !IsValidRequestor(request, conf))
{
response.SendError(HttpServletResponse.ScForbidden, "Only Namenode and another JournalNode may access this servlet"
);
Log.Warn("Received non-NN/JN request for edits from " + request.GetRemoteHost());
return(false);
}
return(true);
}
/// <exception cref="System.Exception"/>
protected override void ServiceStart()
{
if (UserGroupInformation.IsSecurityEnabled())
{
loginUGI = UserGroupInformation.GetLoginUser();
}
else
{
loginUGI = UserGroupInformation.GetCurrentUser();
}
clientRpcServer.Start();
}
public virtual void TestAuthorizedAccess()
{
TestAMAuthorization.MyContainerManager containerManager = new TestAMAuthorization.MyContainerManager
();
rm = new TestAMAuthorization.MockRMWithAMS(conf, containerManager);
rm.Start();
MockNM nm1 = rm.RegisterNode("localhost:1234", 5120);
IDictionary <ApplicationAccessType, string> acls = new Dictionary <ApplicationAccessType
, string>(2);
acls[ApplicationAccessType.ViewApp] = "*";
RMApp app = rm.SubmitApp(1024, "appname", "appuser", acls);
nm1.NodeHeartbeat(true);
int waitCount = 0;
while (containerManager.containerTokens == null && waitCount++ < 20)
{
Log.Info("Waiting for AM Launch to happen..");
Sharpen.Thread.Sleep(1000);
}
NUnit.Framework.Assert.IsNotNull(containerManager.containerTokens);
RMAppAttempt attempt = app.GetCurrentAppAttempt();
ApplicationAttemptId applicationAttemptId = attempt.GetAppAttemptId();
WaitForLaunchedState(attempt);
// Create a client to the RM.
Configuration conf = rm.GetConfig();
YarnRPC rpc = YarnRPC.Create(conf);
UserGroupInformation currentUser = UserGroupInformation.CreateRemoteUser(applicationAttemptId
.ToString());
Credentials credentials = containerManager.GetContainerCredentials();
IPEndPoint rmBindAddress = rm.GetApplicationMasterService().GetBindAddress();
Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> amRMToken = TestAMAuthorization.MockRMWithAMS
.SetupAndReturnAMRMToken(rmBindAddress, credentials.GetAllTokens());
currentUser.AddToken(amRMToken);
ApplicationMasterProtocol client = currentUser.DoAs(new _PrivilegedAction_206(this
, rpc, conf));
RegisterApplicationMasterRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
<RegisterApplicationMasterRequest>();
RegisterApplicationMasterResponse response = client.RegisterApplicationMaster(request
);
NUnit.Framework.Assert.IsNotNull(response.GetClientToAMTokenMasterKey());
if (UserGroupInformation.IsSecurityEnabled())
{
NUnit.Framework.Assert.IsTrue(((byte[])response.GetClientToAMTokenMasterKey().Array
()).Length > 0);
}
NUnit.Framework.Assert.AreEqual("Register response has bad ACLs", "*", response.GetApplicationACLs
()[ApplicationAccessType.ViewApp]);
}
/// <exception cref="System.IO.IOException"/>
public override void Initialize(URI name, Configuration conf)
{
base.Initialize(name, conf);
SetConf(conf);
this.uri = URI.Create(name.GetScheme() + "://" + name.GetAuthority());
tokenAspect = new TokenAspect <TestTokenAspect.DummyFs>(this, SecurityUtil.BuildTokenService
(uri), TokenKind);
if (emulateSecurityEnabled || UserGroupInformation.IsSecurityEnabled())
{
tokenAspect.InitDelegationToken(ugi);
}
}
/// <summary>
/// Get a protocol proxy that contains a proxy connection to a remote server
/// and a set of methods that are supported by the server
/// </summary>
/// <param name="protocol">protocol</param>
/// <param name="clientVersion">client's version</param>
/// <param name="addr">server address</param>
/// <param name="ticket">security ticket</param>
/// <param name="conf">configuration</param>
/// <param name="factory">socket factory</param>
/// <param name="rpcTimeout">max time for each rpc; 0 means no timeout</param>
/// <param name="connectionRetryPolicy">retry policy</param>
/// <param name="fallbackToSimpleAuth">
/// set to true or false during calls to indicate if
/// a secure client falls back to simple auth
/// </param>
/// <returns>the proxy</returns>
/// <exception cref="System.IO.IOException">if any error occurs</exception>
public static ProtocolProxy <T> GetProtocolProxy <T>(long clientVersion, IPEndPoint
addr, UserGroupInformation ticket, Configuration conf, SocketFactory factory, int
rpcTimeout, RetryPolicy connectionRetryPolicy, AtomicBoolean fallbackToSimpleAuth
)
{
System.Type protocol = typeof(T);
if (UserGroupInformation.IsSecurityEnabled())
{
SaslRpcServer.Init(conf);
}
return(GetProtocolEngine(protocol, conf).GetProxy(protocol, clientVersion, addr,
ticket, conf, factory, rpcTimeout, connectionRetryPolicy, fallbackToSimpleAuth));
}
/// <exception cref="System.IO.IOException"/>
private bool IsAllowedDelegationTokenOp()
{
if (UserGroupInformation.IsSecurityEnabled())
{
return(EnumSet.Of(UserGroupInformation.AuthenticationMethod.Kerberos, UserGroupInformation.AuthenticationMethod
.KerberosSsl, UserGroupInformation.AuthenticationMethod.Certificate).Contains(UserGroupInformation
.GetCurrentUser().GetRealAuthenticationMethod()));
}
else
{
return(true);
}
}
/// <summary>Returns the url parameter for the given token string.</summary>
/// <param name="tokenString"/>
/// <returns>url parameter</returns>
public static string GetDelegationTokenUrlParam(string tokenString)
{
if (tokenString == null)
{
return(string.Empty);
}
if (UserGroupInformation.IsSecurityEnabled())
{
return(SetDelegation + tokenString);
}
else
{
return(string.Empty);
}
}
/// <exception cref="System.Exception"/>
protected override void ServiceInit(Configuration conf)
{
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
UserGroupInformation realUgi = ugi.GetRealUser();
if (realUgi != null)
{
authUgi = realUgi;
doAsUser = ugi.GetShortUserName();
}
else
{
authUgi = ugi;
doAsUser = null;
}
ClientConfig cc = new DefaultClientConfig();
cc.GetClasses().AddItem(typeof(YarnJacksonJaxbJsonProvider));
connConfigurator = NewConnConfigurator(conf);
if (UserGroupInformation.IsSecurityEnabled())
{
authenticator = new KerberosDelegationTokenAuthenticator();
}
else
{
authenticator = new PseudoDelegationTokenAuthenticator();
}
authenticator.SetConnectionConfigurator(connConfigurator);
token = new DelegationTokenAuthenticatedURL.Token();
connectionRetry = new TimelineClientImpl.TimelineClientConnectionRetry(conf);
client = new Com.Sun.Jersey.Api.Client.Client(new URLConnectionClientHandler(new
TimelineClientImpl.TimelineURLConnectionFactory(this)), cc);
TimelineClientImpl.TimelineJerseyRetryFilter retryFilter = new TimelineClientImpl.TimelineJerseyRetryFilter
(this);
client.AddFilter(retryFilter);
if (YarnConfiguration.UseHttps(conf))
{
resURI = URI.Create(Joiner.Join("https://", conf.Get(YarnConfiguration.TimelineServiceWebappHttpsAddress
, YarnConfiguration.DefaultTimelineServiceWebappHttpsAddress), ResourceUriStr));
}
else
{
resURI = URI.Create(Joiner.Join("http://", conf.Get(YarnConfiguration.TimelineServiceWebappAddress
, YarnConfiguration.DefaultTimelineServiceWebappAddress), ResourceUriStr));
}
Log.Info("Timeline service address: " + resURI);
base.ServiceInit(conf);
}
public override string ToString()
{
if (ugi == null)
{
return("(null ugi)");
}
StringBuilder builder = new StringBuilder();
builder.Append(ugi.GetUserName()).Append(": ");
builder.Append(ugi.ToString());
builder.Append(" hasKerberosCredentials=").Append(ugi.HasKerberosCredentials());
builder.Append(" isFromKeytab=").Append(ugi.IsFromKeytab());
builder.Append(" kerberos is enabled in Hadoop =").Append(UserGroupInformation.IsSecurityEnabled
());
return(builder.ToString());
}
/// <summary>
/// Returns the filter configuration properties,
/// including the ones prefixed with
/// <see cref="ConfPrefix"/>
/// .
/// The prefix is removed from the returned property names.
/// </summary>
/// <param name="prefix">parameter not used.</param>
/// <param name="config">parameter contains the initialization values.</param>
/// <returns>Hadoop-Auth configuration properties.</returns>
/// <exception cref="Javax.Servlet.ServletException"></exception>
protected override Properties GetConfiguration(string prefix, FilterConfig config
)
{
Properties p = base.GetConfiguration(ConfPrefix, config);
// set authentication type
p.SetProperty(AuthType, UserGroupInformation.IsSecurityEnabled() ? KerberosAuthenticationHandler
.Type : PseudoAuthenticationHandler.Type);
// if not set, enable anonymous for pseudo authentication
if (p.GetProperty(PseudoAuthenticationHandler.AnonymousAllowed) == null)
{
p.SetProperty(PseudoAuthenticationHandler.AnonymousAllowed, "true");
}
//set cookie path
p.SetProperty(CookiePath, "/");
return(p);
}
public virtual void TestUGILogin()
{
UserGroupInformation ugi = LoginUGI(Zookeeper, keytab_zk);
RegistrySecurity.UgiInfo ugiInfo = new RegistrySecurity.UgiInfo(ugi);
Log.Info("logged in as: {}", ugiInfo);
NUnit.Framework.Assert.IsTrue("security is not enabled: " + ugiInfo, UserGroupInformation
.IsSecurityEnabled());
NUnit.Framework.Assert.IsTrue("login is keytab based: " + ugiInfo, ugi.IsFromKeytab
());
// now we are here, build a SASL ACL
ACL acl = ugi.DoAs(new _PrivilegedExceptionAction_202());
NUnit.Framework.Assert.AreEqual(ZookeeperRealm, acl.GetId().GetId());
NUnit.Framework.Assert.AreEqual(ZookeeperConfigOptions.SchemeSasl, acl.GetId().GetScheme
());
registrySecurity.AddSystemACL(acl);
}
/// <exception cref="System.IO.IOException"/>
protected internal virtual string AddDelegationTokenParam(string query)
{
string tokenString = null;
if (UserGroupInformation.IsSecurityEnabled())
{
lock (this)
{
tokenAspect.EnsureTokenInitialized();
if (delegationToken != null)
{
tokenString = delegationToken.EncodeToUrlString();
return(query + JspHelper.GetDelegationTokenUrlParam(tokenString));
}
}
}
return(query);
}
public static void Login(Configuration conf, string keytabFileKey, string userNameKey
, string hostname)
{
if (!UserGroupInformation.IsSecurityEnabled())
{
return;
}
string keytabFilename = conf.Get(keytabFileKey);
if (keytabFilename == null || keytabFilename.Length == 0)
{
throw new IOException("Running in secure mode, but config doesn't have a keytab");
}
string principalConfig = conf.Get(userNameKey, Runtime.GetProperty("user.name"));
string principalName = SecurityUtil.GetServerPrincipal(principalConfig, hostname);
UserGroupInformation.LoginUserFromKeytab(principalName, keytabFilename);
}
