Example #1
 /// <summary>
 /// Stores the authenticated-URL helper, the target URL and the delegation
 /// token in the instance fields of the same names.
 /// </summary>
 /// <param name="aUrl">Helper used to open authenticated connections.</param>
 /// <param name="url1">Endpoint this action is bound to.</param>
 /// <param name="token">Token instance supplied by the caller; it is kept as-is, no copy is made here.</param>
 public _PrivilegedExceptionAction_135(
     DelegationTokenAuthenticatedURL aUrl,
     Uri url1,
     DelegationTokenAuthenticatedURL.Token token)
 {
     this.token = token;
     this.url1 = url1;
     this.aUrl = aUrl;
 }
Example #2
        /// <summary>
        /// Builds a KMS client for the service addressed by <paramref name="uri"/>: resolves the
        /// service URL, prepares TLS when the URL is https, reads timeout/retry/cache settings from
        /// <paramref name="conf"/>, and records which user the client acts as.
        /// </summary>
        /// <param name="uri">Provider URI from which the KMS path is extracted.</param>
        /// <param name="conf">Configuration supplying timeout, auth-retry and key-cache settings.</param>
        /// <exception cref="System.IO.IOException">
        /// Raised when initializing the SSL factory fails with a GeneralSecurityException.
        /// </exception>
        public KMSClientProvider(URI uri, Configuration conf)
            : base(conf)
        {
            kmsUrl = CreateServiceURL(ExtractKMSPath(uri));

            // TLS material is prepared only for https endpoints.
            // NOTE(review): for any other scheme sslFactory is not assigned here and is passed to the
            // connection configurator unchanged, so requests would not be TLS-protected. Confirm that
            // non-https KMS URLs are acceptable in the deployments that use this provider.
            bool usesHttps = Runtime.EqualsIgnoreCase("https", new Uri(kmsUrl).Scheme);
            if (usesHttps)
            {
                sslFactory = new SSLFactory(SSLFactory.Mode.Client, conf);
                try
                {
                    sslFactory.Init();
                }
                catch (GeneralSecurityException ex)
                {
                    // Surface crypto setup failures through the constructor's declared exception type.
                    throw new IOException(ex);
                }
            }

            int timeout = conf.GetInt(TimeoutAttr, DefaultTimeout);

            authRetry = conf.GetInt(AuthRetry, DefaultAuthRetry);
            configurator = new KMSClientProvider.TimeoutConnConfigurator(timeout, sslFactory);

            // Encrypted-key cache settings, read in the order the queue constructor takes them.
            var cacheSize = conf.GetInt(
                CommonConfigurationKeysPublic.KmsClientEncKeyCacheSize,
                CommonConfigurationKeysPublic.KmsClientEncKeyCacheSizeDefault);
            var lowWatermark = conf.GetFloat(
                CommonConfigurationKeysPublic.KmsClientEncKeyCacheLowWatermark,
                CommonConfigurationKeysPublic.KmsClientEncKeyCacheLowWatermarkDefault);
            var expiryMs = conf.GetInt(
                CommonConfigurationKeysPublic.KmsClientEncKeyCacheExpiryMs,
                CommonConfigurationKeysPublic.KmsClientEncKeyCacheExpiryDefault);
            var refillThreads = conf.GetInt(
                CommonConfigurationKeysPublic.KmsClientEncKeyCacheNumRefillThreads,
                CommonConfigurationKeysPublic.KmsClientEncKeyCacheNumRefillThreadsDefault);

            encKeyVersionQueue = new ValueQueue<KeyProviderCryptoExtension.EncryptedKeyVersion>(
                cacheSize,
                lowWatermark,
                expiryMs,
                refillThreads,
                new KMSClientProvider.EncryptedQueueRefiller(this));

            // Start with a fresh token; nothing is carried over from an earlier provider instance.
            authToken = new DelegationTokenAuthenticatedURL.Token();

            // For a proxy user, record the real user behind it; otherwise record the current user.
            if (UserGroupInformation.GetCurrentUser().GetAuthenticationMethod()
                == UserGroupInformation.AuthenticationMethod.Proxy)
            {
                actualUgi = UserGroupInformation.GetCurrentUser().GetRealUser();
            }
            else
            {
                actualUgi = UserGroupInformation.GetCurrentUser();
            }
        }
Example #3
            /// <summary>
            /// Opens a connection to <c>url2</c> with a newly constructed token and asserts that the
            /// server responds with HTTP 403 (Forbidden).
            /// </summary>
            /// <returns>Always <c>null</c>.</returns>
            /// <exception cref="System.Exception"/>
            public object Run()
            {
                // A brand-new Token object is passed, not one populated by an earlier request.
                var freshToken = new DelegationTokenAuthenticatedURL.Token();
                HttpURLConnection connection = aUrl.OpenConnection(url2, freshToken);
                var status = connection.GetResponseCode();

                Assert.Equal(HttpURLConnection.HttpForbidden, status);
                return null;
            }
Example #4
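        /// <summary>
        /// Starts two MiniKMS instances from one shared configuration directory whose authentication
        /// filter is set to the "zookeeper" signer secret provider, then runs three privileged actions
        /// against them as the test users "foo" and "bar".
        /// </summary>
        /// <remarks>
        /// The first two actions receive the same Token instance but different instance URLs
        /// (url1, then url2); the third receives url2 and no token. Presumably this checks that a
        /// token signed by one instance is honoured by the other; the action bodies are not part of
        /// this method, so confirm against them.
        /// Cleanup is nested so that each server is stopped even if configuration setup or an earlier
        /// Stop() call throws.
        /// </remarks>
        public virtual void TestMultipleKMSInstancesWithZKSigner()
        {
            FilePath      testDir  = TestKMS.GetTestDir();
            Configuration conf     = CreateBaseKMSConf(testDir);
            TestingServer zkServer = new TestingServer();

            zkServer.Start();
            MiniKMS kms1 = null;
            MiniKMS kms2 = null;

            try
            {
                // Both KMS instances read this configuration, so they share the same signer settings.
                conf.Set(KMSAuthenticationFilter.ConfigPrefix + AuthenticationFilter.SignerSecretProvider,
                         "zookeeper");
                conf.Set(KMSAuthenticationFilter.ConfigPrefix + ZKSignerSecretProvider.ZookeeperConnectionString,
                         zkServer.GetConnectString());
                conf.Set(KMSAuthenticationFilter.ConfigPrefix + ZKSignerSecretProvider.ZookeeperPath,
                         "/secret");
                TestKMS.WriteConf(testDir, conf);

                kms1 = new MiniKMS.Builder().SetKmsConfDir(testDir).SetLog4jConfFile("log4j.properties")
                                            .Build();
                kms1.Start();
                kms2 = new MiniKMS.Builder().SetKmsConfDir(testDir).SetLog4jConfFile("log4j.properties")
                                            .Build();
                kms2.Start();

                Uri url1 = new Uri(kms1.GetKMSUrl().ToExternalForm() + KMSRESTConstants.ServiceVersion
                                   + "/" + KMSRESTConstants.KeysNamesResource);
                Uri url2 = new Uri(kms2.GetKMSUrl().ToExternalForm() + KMSRESTConstants.ServiceVersion
                                   + "/" + KMSRESTConstants.KeysNamesResource);

                DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token();
                DelegationTokenAuthenticatedURL       aUrl  = new DelegationTokenAuthenticatedURL();

                UserGroupInformation ugiFoo = UserGroupInformation.CreateUserForTesting(
                    "foo", new string[] { "gfoo" });
                UserGroupInformation ugiBar = UserGroupInformation.CreateUserForTesting(
                    "bar", new string[] { "gBar" });

                ugiFoo.DoAs(new _PrivilegedExceptionAction_135(aUrl, url1, token));
                ugiBar.DoAs(new _PrivilegedExceptionAction_145(aUrl, url2, token));
                ugiBar.DoAs(new _PrivilegedExceptionAction_155(aUrl, url2));
            }
            finally
            {
                // Stop in reverse start order; nested finally blocks keep one failing Stop() from
                // leaving the remaining servers running.
                try
                {
                    if (kms2 != null)
                    {
                        kms2.Stop();
                    }
                }
                finally
                {
                    try
                    {
                        if (kms1 != null)
                        {
                            kms1.Stop();
                        }
                    }
                    finally
                    {
                        zkServer.Stop();
                    }
                }
            }
        }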
Example #5
        /// <summary>
        /// Prepares the timeline client: resolves the authenticating and do-as users, selects the
        /// delegation-token authenticator, builds the Jersey client with its retry filter, and
        /// computes the timeline service resource URI from <paramref name="conf"/>.
        /// </summary>
        /// <param name="conf">Service configuration; also passed on to the base implementation.</param>
        /// <exception cref="System.Exception"/>
        protected override void ServiceInit(Configuration conf)
        {
            UserGroupInformation currentUser = UserGroupInformation.GetCurrentUser();
            UserGroupInformation realUser = currentUser.GetRealUser();
            bool hasRealUser = realUser != null;

            // When a real user exists, it authenticates and the current user's short name becomes
            // the do-as user; otherwise the current user authenticates and no do-as user is set.
            authUgi = hasRealUser ? realUser : currentUser;
            doAsUser = hasRealUser ? currentUser.GetShortUserName() : null;

            ClientConfig clientConfig = new DefaultClientConfig();
            clientConfig.GetClasses().AddItem(typeof(YarnJacksonJaxbJsonProvider));
            connConfigurator = NewConnConfigurator(conf);

            // With security disabled, the pseudo authenticator is used in place of Kerberos.
            if (!UserGroupInformation.IsSecurityEnabled())
            {
                authenticator = new PseudoDelegationTokenAuthenticator();
            }
            else
            {
                authenticator = new KerberosDelegationTokenAuthenticator();
            }
            authenticator.SetConnectionConfigurator(connConfigurator);

            token = new DelegationTokenAuthenticatedURL.Token();
            connectionRetry = new TimelineClientImpl.TimelineClientConnectionRetry(conf);

            var connectionFactory = new TimelineClientImpl.TimelineURLConnectionFactory(this);
            client = new Com.Sun.Jersey.Api.Client.Client(
                new URLConnectionClientHandler(connectionFactory), clientConfig);
            client.AddFilter(new TimelineClientImpl.TimelineJerseyRetryFilter(this));

            // NOTE(review): when UseHttps(conf) is false the resource URI is plain http, so requests
            // built from it are not TLS-protected. Confirm that matches the cluster's HTTP policy.
            bool useHttps = YarnConfiguration.UseHttps(conf);
            string scheme = useHttps ? "https://" : "http://";
            var address = useHttps
                ? conf.Get(YarnConfiguration.TimelineServiceWebappHttpsAddress,
                           YarnConfiguration.DefaultTimelineServiceWebappHttpsAddress)
                : conf.Get(YarnConfiguration.TimelineServiceWebappAddress,
                           YarnConfiguration.DefaultTimelineServiceWebappAddress);
            resURI = URI.Create(Joiner.Join(scheme, address, ResourceUriStr));

            Log.Info("Timeline service address: " + resURI);
            base.ServiceInit(conf);
        }
Example #6
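        /// <summary>
        /// Writes the optional JSON body to <paramref name="conn"/>, validates the HTTP response
        /// against <paramref name="expectedResponse"/>, and deserializes a JSON reply into
        /// <typeparamref name="T"/>.
        /// </summary>
        /// <remarks>
        /// An authentication failure is recognised as HTTP 401, or HTTP 403 whose response message
        /// equals AnonymousRequestsDisallowed or contains InvalidSignature. In that case the cached
        /// auth token is replaced with a new empty one and, while <paramref name="authRetryCount"/>
        /// is positive, the connection is rebuilt (same URL, method and Content-Type) and the call is
        /// retried with the count reduced by one.
        /// </remarks>
        /// <param name="conn">Open connection for the request.</param>
        /// <param name="jsonOutput">Request body to serialize as JSON, or <c>null</c> for no body.</param>
        /// <param name="expectedResponse">HTTP status code the response is validated against.</param>
        /// <param name="authRetryCount">Remaining retries after an authentication failure.</param>
        /// <returns>The deserialized reply, or <c>null</c> when the reply is not JSON.</returns>
        /// <exception cref="System.IO.IOException"/>
        private T Call <T>(HttpURLConnection conn, IDictionary jsonOutput, int expectedResponse
                           , int authRetryCount)
        {
            System.Type klass = typeof(T);
            T           ret   = null;

            try
            {
                if (jsonOutput != null)
                {
                    WriteJson(jsonOutput, conn.GetOutputStream());
                }
            }
            catch (IOException)
            {
                // NOTE(review): if GetInputStream() or Close() throws here, that exception replaces
                // the original write failure. Confirm this is the intended diagnostic.
                conn.GetInputStream().Close();
                throw;
            }
            if ((conn.GetResponseCode() == HttpURLConnection.HttpForbidden && (conn.GetResponseMessage
                                                                                   ().Equals(AnonymousRequestsDisallowed) || conn.GetResponseMessage().Contains(InvalidSignature
                                                                                                                                                                ))) || conn.GetResponseCode() == HttpURLConnection.HttpUnauthorized)
            {
                // Ideally, this should happen only when there is an Authentication
                // failure. Unfortunately, the AuthenticationFilter returns 403 when it
                // cannot authenticate (Since a 401 requires Server to send
                // WWW-Authenticate header as well)..
                // Drop the cached token so a rejected credential is not presented again.
                this.authToken = new DelegationTokenAuthenticatedURL.Token();
                if (authRetryCount > 0)
                {
                    // Only the URL, method and Content-Type are carried over to the new connection.
                    string contentType   = conn.GetRequestProperty(ContentType);
                    string requestMethod = conn.GetRequestMethod();
                    Uri    url           = conn.GetURL();
                    conn = CreateConnection(url, requestMethod);
                    conn.SetRequestProperty(ContentType, contentType);
                    return(Call(conn, jsonOutput, expectedResponse, klass, authRetryCount - 1));
                }
            }
            try
            {
                AuthenticatedURL.ExtractToken(conn, authToken);
            }
            catch (AuthenticationException)
            {
                // Ignore the AuthExceptions.. since we are just using the method to
                // extract and set the authToken.. (Workaround till we actually fix
                // AuthenticatedURL properly to set authToken post initialization)
            }
            HttpExceptionUtils.ValidateResponse(conn, expectedResponse);
            if (Runtime.EqualsIgnoreCase(ApplicationJsonMime, conn.GetContentType()) &&
                klass != null)
            {
                ObjectMapper mapper = new ObjectMapper();
                InputStream  @is    = null;
                try
                {
                    @is = conn.GetInputStream();
                    ret = mapper.ReadValue(@is, klass);
                }
                finally
                {
                    // The finally block alone closes the stream exactly once, on success and on
                    // failure; the former catch-and-close made the error path close it twice.
                    if (@is != null)
                    {
                        @is.Close();
                    }
                }
            }
            return(ret);
        }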