/// <exception cref="System.IO.IOException"/>
private static UserGroupInformation GetTokenUGI(ServletContext context, HttpServletRequest
request, string tokenString, Configuration conf)
{
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>();
token.DecodeFromUrlString(tokenString);
IPEndPoint serviceAddress = GetNNServiceAddress(context, request);
if (serviceAddress != null)
{
SecurityUtil.SetTokenService(token, serviceAddress);
token.SetKind(DelegationTokenIdentifier.HdfsDelegationKind);
}
ByteArrayInputStream buf = new ByteArrayInputStream(token.GetIdentifier());
DataInputStream @in = new DataInputStream(buf);
DelegationTokenIdentifier id = new DelegationTokenIdentifier();
id.ReadFields(@in);
if (context != null)
{
NameNode nn = NameNodeHttpServer.GetNameNodeFromContext(context);
if (nn != null)
{
// Verify the token.
nn.GetNamesystem().VerifyToken(id, token.GetPassword());
}
}
UserGroupInformation ugi = id.GetUser();
ugi.AddToken(token);
return(ugi);
}
/// <exception cref="System.Exception"/>
private void CheckTokenIdentifier <_T0>(UserGroupInformation ugi, Org.Apache.Hadoop.Security.Token.Token
<_T0> token)
where _T0 : TokenIdentifier
{
NUnit.Framework.Assert.IsNotNull(token);
// should be able to use token.decodeIdentifier() but webhdfs isn't
// registered with the service loader for token decoding
DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
byte[] tokenId = token.GetIdentifier();
DataInputStream @in = new DataInputStream(new ByteArrayInputStream(tokenId));
try
{
identifier.ReadFields(@in);
}
finally
{
@in.Close();
}
NUnit.Framework.Assert.IsNotNull(identifier);
Log.Info("A valid token should have non-null password, and should be renewed successfully"
);
NUnit.Framework.Assert.IsTrue(null != dtSecretManager.RetrievePassword(identifier
));
dtSecretManager.RenewToken((Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier
>)token, "JobTracker");
ugi.DoAs(new _PrivilegedExceptionAction_309(this, token));
}
/// <exception cref="System.IO.IOException"/>
private UserGroupInformation TokenUGI()
{
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = @params
.DelegationToken();
ByteArrayInputStream buf = new ByteArrayInputStream(token.GetIdentifier());
DataInputStream @in = new DataInputStream(buf);
DelegationTokenIdentifier id = new DelegationTokenIdentifier();
id.ReadFields(@in);
UserGroupInformation ugi = id.GetUser();
ugi.AddToken(token);
return(ugi);
}
/// <summary>Process the Delegation Token related section in fsimage.</summary>
/// <param name="in">DataInputStream to process</param>
/// <param name="v">Visitor to walk over records</param>
/// <exception cref="System.IO.IOException"/>
private void ProcessDelegationTokens(DataInputStream @in, ImageVisitor v)
{
v.Visit(ImageVisitor.ImageElement.CurrentDelegationKeyId, @in.ReadInt());
int numDKeys = @in.ReadInt();
v.VisitEnclosingElement(ImageVisitor.ImageElement.DelegationKeys, ImageVisitor.ImageElement
.NumDelegationKeys, numDKeys);
for (int i = 0; i < numDKeys; i++)
{
DelegationKey key = new DelegationKey();
key.ReadFields(@in);
v.Visit(ImageVisitor.ImageElement.DelegationKey, key.ToString());
}
v.LeaveEnclosingElement();
v.Visit(ImageVisitor.ImageElement.DelegationTokenSequenceNumber, @in.ReadInt());
int numDTokens = @in.ReadInt();
v.VisitEnclosingElement(ImageVisitor.ImageElement.DelegationTokens, ImageVisitor.ImageElement
.NumDelegationTokens, numDTokens);
for (int i_1 = 0; i_1 < numDTokens; i_1++)
{
DelegationTokenIdentifier id = new DelegationTokenIdentifier();
id.ReadFields(@in);
long expiryTime = @in.ReadLong();
v.VisitEnclosingElement(ImageVisitor.ImageElement.DelegationTokenIdentifier);
v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierKind, id.GetKind().ToString
());
v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierSeqno, id.GetSequenceNumber
());
v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierOwner, id.GetOwner().ToString
());
v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierRenewer, id.GetRenewer
().ToString());
v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierRealuser, id.GetRealUser
().ToString());
v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierIssueDate, id.GetIssueDate
());
v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierMaxDate, id.GetMaxDate
());
v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierExpiryTime, expiryTime
);
v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierMasterKeyId, id.GetMasterKeyId
());
v.LeaveEnclosingElement();
}
// DELEGATION_TOKEN_IDENTIFIER
v.LeaveEnclosingElement();
}
/// <exception cref="System.IO.IOException"/>
public virtual void TestDelegationTokenWithRealUser()
{
try
{
Org.Apache.Hadoop.Security.Token.Token <object>[] tokens = proxyUgi.DoAs(new _PrivilegedExceptionAction_131
());
DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
byte[] tokenId = tokens[0].GetIdentifier();
identifier.ReadFields(new DataInputStream(new ByteArrayInputStream(tokenId)));
NUnit.Framework.Assert.AreEqual(identifier.GetUser().GetUserName(), ProxyUser);
NUnit.Framework.Assert.AreEqual(identifier.GetUser().GetRealUser().GetUserName(),
RealUser);
}
catch (Exception)
{
}
}
public virtual void TestDelegationTokenSecretManager()
{
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = GenerateDelegationToken
("SomeUser", "JobTracker");
// Fake renewer should not be able to renew
try
{
dtSecretManager.RenewToken(token, "FakeRenewer");
NUnit.Framework.Assert.Fail("should have failed");
}
catch (AccessControlException)
{
}
// PASS
dtSecretManager.RenewToken(token, "JobTracker");
DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
byte[] tokenId = token.GetIdentifier();
identifier.ReadFields(new DataInputStream(new ByteArrayInputStream(tokenId)));
NUnit.Framework.Assert.IsTrue(null != dtSecretManager.RetrievePassword(identifier
));
Log.Info("Sleep to expire the token");
Sharpen.Thread.Sleep(6000);
//Token should be expired
try
{
dtSecretManager.RetrievePassword(identifier);
//Should not come here
NUnit.Framework.Assert.Fail("Token should have expired");
}
catch (SecretManager.InvalidToken)
{
}
//Success
dtSecretManager.RenewToken(token, "JobTracker");
Log.Info("Sleep beyond the max lifetime");
Sharpen.Thread.Sleep(5000);
try
{
dtSecretManager.RenewToken(token, "JobTracker");
NUnit.Framework.Assert.Fail("should have been expired");
}
catch (SecretManager.InvalidToken)
{
}
}
/// <exception cref="System.Exception"/>
public virtual void TestDelegationTokenDFSApi()
{
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = GetDelegationToken
(fs, "JobTracker");
DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
byte[] tokenId = token.GetIdentifier();
identifier.ReadFields(new DataInputStream(new ByteArrayInputStream(tokenId)));
// Ensure that it's present in the NN's secret manager and can
// be renewed directly from there.
Log.Info("A valid token should have non-null password, " + "and should be renewed successfully"
);
NUnit.Framework.Assert.IsTrue(null != dtSecretManager.RetrievePassword(identifier
));
dtSecretManager.RenewToken(token, "JobTracker");
// Use the client conf with the failover info present to check
// renewal.
Configuration clientConf = dfs.GetConf();
DoRenewOrCancel(token, clientConf, TestDelegationTokensWithHA.TokenTestAction.Renew
);
// Using a configuration that doesn't have the logical nameservice
// configured should result in a reasonable error message.
Configuration emptyConf = new Configuration();
try
{
DoRenewOrCancel(token, emptyConf, TestDelegationTokensWithHA.TokenTestAction.Renew
);
NUnit.Framework.Assert.Fail("Did not throw trying to renew with an empty conf!");
}
catch (IOException ioe)
{
GenericTestUtils.AssertExceptionContains("Unable to map logical nameservice URI",
ioe);
}
// Ensure that the token can be renewed again after a failover.
cluster.TransitionToStandby(0);
cluster.TransitionToActive(1);
DoRenewOrCancel(token, clientConf, TestDelegationTokensWithHA.TokenTestAction.Renew
);
DoRenewOrCancel(token, clientConf, TestDelegationTokensWithHA.TokenTestAction.Cancel
);
}
/// <summary>
/// Test if StandbyException can be thrown from StandbyNN, when it's requested for
/// password.
/// </summary>
/// <remarks>
/// Test if StandbyException can be thrown from StandbyNN, when it's requested for
/// password. (HDFS-6475). With StandbyException, the client can failover to try
/// activeNN.
/// </remarks>
/// <exception cref="System.Exception"/>
public virtual void TestDelegationTokenStandbyNNAppearFirst()
{
// make nn0 the standby NN, and nn1 the active NN
cluster.TransitionToStandby(0);
cluster.TransitionToActive(1);
DelegationTokenSecretManager stSecretManager = NameNodeAdapter.GetDtSecretManager
(nn1.GetNamesystem());
// create token
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = GetDelegationToken
(fs, "JobTracker");
DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
byte[] tokenId = token.GetIdentifier();
identifier.ReadFields(new DataInputStream(new ByteArrayInputStream(tokenId)));
NUnit.Framework.Assert.IsTrue(null != stSecretManager.RetrievePassword(identifier
));
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("JobTracker");
ugi.AddToken(token);
ugi.DoAs(new _PrivilegedExceptionAction_406(identifier));
}
/// <summary>
/// Test if correct exception (StandbyException or RetriableException) can be
/// thrown during the NN failover.
/// </summary>
/// <exception cref="System.Exception"/>
public virtual void TestDelegationTokenDuringNNFailover()
{
EditLogTailer editLogTailer = nn1.GetNamesystem().GetEditLogTailer();
// stop the editLogTailer of nn1
editLogTailer.Stop();
Configuration conf = (Configuration)Whitebox.GetInternalState(editLogTailer, "conf"
);
nn1.GetNamesystem().SetEditLogTailerForTests(new TestDelegationTokensWithHA.EditLogTailerForTest
(this, nn1.GetNamesystem(), conf));
// create token
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = GetDelegationToken
(fs, "JobTracker");
DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
byte[] tokenId = token.GetIdentifier();
identifier.ReadFields(new DataInputStream(new ByteArrayInputStream(tokenId)));
// Ensure that it's present in the nn0 secret manager and can
// be renewed directly from there.
Log.Info("A valid token should have non-null password, " + "and should be renewed successfully"
);
NUnit.Framework.Assert.IsTrue(null != dtSecretManager.RetrievePassword(identifier
));
dtSecretManager.RenewToken(token, "JobTracker");
// transition nn0 to standby
cluster.TransitionToStandby(0);
try
{
cluster.GetNameNodeRpc(0).RenewDelegationToken(token);
NUnit.Framework.Assert.Fail("StandbyException is expected since nn0 is in standby state"
);
}
catch (StandbyException e)
{
GenericTestUtils.AssertExceptionContains(HAServiceProtocol.HAServiceState.Standby
.ToString(), e);
}
new _Thread_220().Start();
Sharpen.Thread.Sleep(1000);
try
{
nn1.GetNamesystem().VerifyToken(token.DecodeIdentifier(), token.GetPassword());
NUnit.Framework.Assert.Fail("RetriableException/StandbyException is expected since nn1 is in transition"
);
}
catch (IOException e)
{
NUnit.Framework.Assert.IsTrue(e is StandbyException || e is RetriableException);
Log.Info("Got expected exception", e);
}
catchup = true;
lock (this)
{
Sharpen.Runtime.NotifyAll(this);
}
Configuration clientConf = dfs.GetConf();
DoRenewOrCancel(token, clientConf, TestDelegationTokensWithHA.TokenTestAction.Renew
);
DoRenewOrCancel(token, clientConf, TestDelegationTokensWithHA.TokenTestAction.Cancel
);
}
