/// <exception cref="System.Exception"/>
public Void Run()
{
DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
();
DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
HttpURLConnection conn = aUrl.OpenConnection(url, token, TestWebDelegationToken.OkUser
);
Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
IList <string> ret = IOUtils.ReadLines(conn.GetInputStream());
Assert.Equal(1, ret.Count);
Assert.Equal(TestWebDelegationToken.OkUser, ret[0]);
conn = aUrl.OpenConnection(url, token, TestWebDelegationToken.FailUser);
Assert.Equal(HttpURLConnection.HttpForbidden, conn.GetResponseCode
());
aUrl.GetDelegationToken(url, token, TestWebDelegationToken.FooUser);
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
ugi.AddToken(token.GetDelegationToken());
token = new DelegationTokenAuthenticatedURL.Token();
conn = aUrl.OpenConnection(url, token, TestWebDelegationToken.OkUser);
Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
ret = IOUtils.ReadLines(conn.GetInputStream());
Assert.Equal(1, ret.Count);
Assert.Equal(TestWebDelegationToken.FooUser, ret[0]);
return(null);
}
public virtual void TestExternalDelegationTokenSecretManager()
{
TestWebDelegationToken.DummyDelegationTokenSecretManager secretMgr = new TestWebDelegationToken.DummyDelegationTokenSecretManager
();
Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
Context context = new Context();
context.SetContextPath("/foo");
jetty.SetHandler(context);
context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.AFilter)), "/*",
0);
context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.PingServlet)),
"/bar");
try
{
secretMgr.StartThreads();
context.SetAttribute(DelegationTokenAuthenticationFilter.DelegationTokenSecretManagerAttr
, secretMgr);
jetty.Start();
Uri authURL = new Uri(GetJettyURL() + "/foo/bar?authenticated=foo");
DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
();
DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
aUrl.GetDelegationToken(authURL, token, FooUser);
NUnit.Framework.Assert.IsNotNull(token.GetDelegationToken());
Assert.Equal(new Text("fooKind"), token.GetDelegationToken().GetKind
());
}
finally
{
jetty.Stop();
secretMgr.StopThreads();
}
}
public _Callable_778(DelegationTokenAuthenticatedURL aUrl, Uri url, DelegationTokenAuthenticatedURL.Token
token, bool doAs, string doAsUser)
{
this.aUrl = aUrl;
this.url = url;
this.token = token;
this.doAs = doAs;
this.doAsUser = doAsUser;
}
/// <summary>
/// Returns an authenticated
/// <see cref="HttpURLConnection"/>
/// . If the Delegation
/// Token is present, it will be used taking precedence over the configured
/// <code>Authenticator</code>. If the <code>doAs</code> parameter is not NULL,
/// the request will be done on behalf of the specified <code>doAs</code> user.
/// </summary>
/// <param name="url">the URL to connect to. Only HTTP/S URLs are supported.</param>
/// <param name="token">the authentication token being used for the user.</param>
/// <param name="doAs">
/// user to do the the request on behalf of, if NULL the request is
/// as self.
/// </param>
/// <returns>
/// an authenticated
/// <see cref="HttpURLConnection"/>
/// .
/// </returns>
/// <exception cref="System.IO.IOException">if an IO error occurred.</exception>
/// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
/// ">if an authentication exception occurred.</exception>
public virtual HttpURLConnection OpenConnection(Uri url, DelegationTokenAuthenticatedURL.Token
token, string doAs)
{
Preconditions.CheckNotNull(url, "url");
Preconditions.CheckNotNull(token, "token");
IDictionary <string, string> extraParams = new Dictionary <string, string>();
Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> dToken = null;
// if we have valid auth token, it takes precedence over a delegation token
// and we don't even look for one.
if (!token.IsSet())
{
// delegation token
Credentials creds = UserGroupInformation.GetCurrentUser().GetCredentials();
if (!creds.GetAllTokens().IsEmpty())
{
IPEndPoint serviceAddr = new IPEndPoint(url.GetHost(), url.Port);
Text service = SecurityUtil.BuildTokenService(serviceAddr);
dToken = creds.GetToken(service);
if (dToken != null)
{
if (UseQueryStringForDelegationToken())
{
// delegation token will go in the query string, injecting it
extraParams[KerberosDelegationTokenAuthenticator.DelegationParam] = dToken.EncodeToUrlString
();
}
else
{
// delegation token will go as request header, setting it in the
// auth-token to ensure no authentication handshake is triggered
// (if we have a delegation token, we are authenticated)
// the delegation token header is injected in the connection request
// at the end of this method.
token.delegationToken = (Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier
>)dToken;
}
}
}
}
// proxyuser
if (doAs != null)
{
extraParams[DoAs] = URLEncoder.Encode(doAs, "UTF-8");
}
url = AugmentURL(url, extraParams);
HttpURLConnection conn = base.OpenConnection(url, token);
if (!token.IsSet() && !UseQueryStringForDelegationToken() && dToken != null)
{
// injecting the delegation token header in the connection request
conn.SetRequestProperty(DelegationTokenAuthenticator.DelegationTokenHeader, dToken
.EncodeToUrlString());
}
return(conn);
}
/// <exception cref="System.Exception"/>
private void TestKerberosDelegationTokenAuthenticator(bool doAs)
{
string doAsUser = doAs ? OkUser : null;
// setting hadoop security to kerberos
Configuration conf = new Configuration();
conf.Set("hadoop.security.authentication", "kerberos");
UserGroupInformation.SetConfiguration(conf);
FilePath testDir = new FilePath("target/" + UUID.RandomUUID().ToString());
Assert.True(testDir.Mkdirs());
MiniKdc kdc = new MiniKdc(MiniKdc.CreateConf(), testDir);
Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
Context context = new Context();
context.SetContextPath("/foo");
jetty.SetHandler(context);
context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.KDTAFilter)), "/*"
, 0);
context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.UserServlet)),
"/bar");
try
{
kdc.Start();
FilePath keytabFile = new FilePath(testDir, "test.keytab");
kdc.CreatePrincipal(keytabFile, "client", "HTTP/localhost");
TestWebDelegationToken.KDTAFilter.keytabFile = keytabFile.GetAbsolutePath();
jetty.Start();
DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
();
DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
Uri url = new Uri(GetJettyURL() + "/foo/bar");
try
{
aUrl.GetDelegationToken(url, token, FooUser, doAsUser);
NUnit.Framework.Assert.Fail();
}
catch (AuthenticationException ex)
{
Assert.True(ex.Message.Contains("GSSException"));
}
DoAsKerberosUser("client", keytabFile.GetAbsolutePath(), new _Callable_778(aUrl,
url, token, doAs, doAsUser));
}
finally
{
// Make sure the token belongs to the right owner
jetty.Stop();
kdc.Stop();
}
}
/// <summary>Cancels a delegation token from the server end-point.</summary>
/// <remarks>
/// Cancels a delegation token from the server end-point. It does not require
/// being authenticated by the configured <code>Authenticator</code>.
/// </remarks>
/// <param name="url">
/// the URL to cancel the delegation token from. Only HTTP/S URLs
/// are supported.
/// </param>
/// <param name="token">the authentication token with the Delegation Token to cancel.
/// </param>
/// <param name="doAsUser">the user to do as, which will be the token owner.</param>
/// <exception cref="System.IO.IOException">if an IO error occurred.</exception>
public virtual void CancelDelegationToken(Uri url, DelegationTokenAuthenticatedURL.Token
token, string doAsUser)
{
Preconditions.CheckNotNull(url, "url");
Preconditions.CheckNotNull(token, "token");
Preconditions.CheckNotNull(token.delegationToken, "No delegation token available"
);
try
{
((KerberosDelegationTokenAuthenticator)GetAuthenticator()).CancelDelegationToken(
url, token, token.delegationToken, doAsUser);
}
finally
{
token.delegationToken = null;
}
}
/// <summary>
/// Renews a delegation token from the server end-point using the
/// configured <code>Authenticator</code> for authentication.
/// </summary>
/// <param name="url">
/// the URL to renew the delegation token from. Only HTTP/S URLs are
/// supported.
/// </param>
/// <param name="token">the authentication token with the Delegation Token to renew.</param>
/// <param name="doAsUser">the user to do as, which will be the token owner.</param>
/// <exception cref="System.IO.IOException">if an IO error occurred.</exception>
/// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
/// ">if an authentication exception occurred.</exception>
public virtual long RenewDelegationToken(Uri url, DelegationTokenAuthenticatedURL.Token
token, string doAsUser)
{
Preconditions.CheckNotNull(url, "url");
Preconditions.CheckNotNull(token, "token");
Preconditions.CheckNotNull(token.delegationToken, "No delegation token available"
);
try
{
return(((KerberosDelegationTokenAuthenticator)GetAuthenticator()).RenewDelegationToken
(url, token, token.delegationToken, doAsUser));
}
catch (IOException ex)
{
token.delegationToken = null;
throw;
}
}
/// <exception cref="System.Exception"/>
public Void Run()
{
DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
();
DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
HttpURLConnection conn = aUrl.OpenConnection(url, token);
Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
IList <string> ret = IOUtils.ReadLines(conn.GetInputStream());
Assert.Equal(1, ret.Count);
Assert.Equal(TestWebDelegationToken.FooUser, ret[0]);
aUrl.GetDelegationToken(url, token, TestWebDelegationToken.FooUser);
NUnit.Framework.Assert.IsNotNull(token.GetDelegationToken());
Assert.Equal(new Text("token-kind"), token.GetDelegationToken(
).GetKind());
return(null);
}
/// <exception cref="System.Exception"/>
public Void Run()
{
DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
();
DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
HttpURLConnection conn = aUrl.OpenConnection(url, token);
Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
IList <string> ret = IOUtils.ReadLines(conn.GetInputStream());
Assert.Equal(1, ret.Count);
Assert.Equal("remoteuser="******":ugi=" + TestWebDelegationToken.FooUser, ret[0]);
conn = aUrl.OpenConnection(url, token, TestWebDelegationToken.OkUser);
Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
ret = IOUtils.ReadLines(conn.GetInputStream());
Assert.Equal(1, ret.Count);
Assert.Equal("realugi=" + TestWebDelegationToken.FooUser + ":remoteuser="******":ugi=" + TestWebDelegationToken.OkUser, ret[
0]);
return(null);
}
/// <exception cref="System.Exception"/>
public Void Run()
{
DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
();
DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
HttpURLConnection conn = aUrl.OpenConnection(url, token);
Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
IList <string> ret = IOUtils.ReadLines(conn.GetInputStream());
Assert.Equal(1, ret.Count);
Assert.Equal(TestWebDelegationToken.FooUser, ret[0]);
try
{
aUrl.GetDelegationToken(url, token, TestWebDelegationToken.FooUser);
NUnit.Framework.Assert.Fail();
}
catch (AuthenticationException ex)
{
Assert.True(ex.Message.Contains("delegation token operation"));
}
return(null);
}
/// <summary>Cancels a delegation token from the server end-point.</summary>
/// <remarks>
/// Cancels a delegation token from the server end-point. It does not require
/// being authenticated by the configured <code>Authenticator</code>.
/// </remarks>
/// <param name="url">
/// the URL to cancel the delegation token from. Only HTTP/S URLs
/// are supported.
/// </param>
/// <param name="token">the authentication token with the Delegation Token to cancel.
/// </param>
/// <exception cref="System.IO.IOException">if an IO error occurred.</exception>
public virtual void CancelDelegationToken(Uri url, DelegationTokenAuthenticatedURL.Token
token)
{
CancelDelegationToken(url, token, null);
}
/// <summary>
/// Renews a delegation token from the server end-point using the
/// configured <code>Authenticator</code> for authentication.
/// </summary>
/// <param name="url">
/// the URL to renew the delegation token from. Only HTTP/S URLs are
/// supported.
/// </param>
/// <param name="token">the authentication token with the Delegation Token to renew.</param>
/// <exception cref="System.IO.IOException">if an IO error occurred.</exception>
/// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
/// ">if an authentication exception occurred.</exception>
public virtual long RenewDelegationToken(Uri url, DelegationTokenAuthenticatedURL.Token
token)
{
return(RenewDelegationToken(url, token, null));
}
> GetDelegationToken(Uri url, DelegationTokenAuthenticatedURL.Token token, string
renewer, string doAsUser)
{
Preconditions.CheckNotNull(url, "url");
Preconditions.CheckNotNull(token, "token");
try
{
token.delegationToken = ((KerberosDelegationTokenAuthenticator)GetAuthenticator()
).GetDelegationToken(url, token, renewer, doAsUser);
return(token.delegationToken);
}
catch (IOException ex)
{
token.delegationToken = null;
throw;
}
}
> GetDelegationToken(Uri url, DelegationTokenAuthenticatedURL.Token token, string
renewer)
{
return(GetDelegationToken(url, token, renewer, null));
}
/// <summary>
/// Returns an authenticated
/// <see cref="HttpURLConnection"/>
/// . If the Delegation
/// Token is present, it will be used taking precedence over the configured
/// <code>Authenticator</code>.
/// </summary>
/// <param name="url">the URL to connect to. Only HTTP/S URLs are supported.</param>
/// <param name="token">the authentication token being used for the user.</param>
/// <returns>
/// an authenticated
/// <see cref="HttpURLConnection"/>
/// .
/// </returns>
/// <exception cref="System.IO.IOException">if an IO error occurred.</exception>
/// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
/// ">if an authentication exception occurred.</exception>
public virtual HttpURLConnection OpenConnection(Uri url, DelegationTokenAuthenticatedURL.Token
token)
{
return(OpenConnection(url, token, null));
}
/// <exception cref="System.Exception"/>
private void TestDelegationTokenAuthenticatorCalls(bool useQS)
{
Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
Context context = new Context();
context.SetContextPath("/foo");
jetty.SetHandler(context);
context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.AFilter)), "/*",
0);
context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.PingServlet)),
"/bar");
try
{
jetty.Start();
Uri nonAuthURL = new Uri(GetJettyURL() + "/foo/bar");
Uri authURL = new Uri(GetJettyURL() + "/foo/bar?authenticated=foo");
Uri authURL2 = new Uri(GetJettyURL() + "/foo/bar?authenticated=bar");
DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
();
DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
aUrl.SetUseQueryStringForDelegationToken(useQS);
try
{
aUrl.GetDelegationToken(nonAuthURL, token, FooUser);
NUnit.Framework.Assert.Fail();
}
catch (Exception ex)
{
Assert.True(ex.Message.Contains("401"));
}
aUrl.GetDelegationToken(authURL, token, FooUser);
NUnit.Framework.Assert.IsNotNull(token.GetDelegationToken());
Assert.Equal(new Text("token-kind"), token.GetDelegationToken(
).GetKind());
aUrl.RenewDelegationToken(authURL, token);
try
{
aUrl.RenewDelegationToken(nonAuthURL, token);
NUnit.Framework.Assert.Fail();
}
catch (Exception ex)
{
Assert.True(ex.Message.Contains("401"));
}
aUrl.GetDelegationToken(authURL, token, FooUser);
try
{
aUrl.RenewDelegationToken(authURL2, token);
NUnit.Framework.Assert.Fail();
}
catch (Exception ex)
{
Assert.True(ex.Message.Contains("403"));
}
aUrl.GetDelegationToken(authURL, token, FooUser);
aUrl.CancelDelegationToken(authURL, token);
aUrl.GetDelegationToken(authURL, token, FooUser);
aUrl.CancelDelegationToken(nonAuthURL, token);
aUrl.GetDelegationToken(authURL, token, FooUser);
try
{
aUrl.RenewDelegationToken(nonAuthURL, token);
}
catch (Exception ex)
{
Assert.True(ex.Message.Contains("401"));
}
aUrl.GetDelegationToken(authURL, token, "foo");
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
ugi.AddToken(token.GetDelegationToken());
ugi.DoAs(new _PrivilegedExceptionAction_412(aUrl, nonAuthURL, useQS));
}
finally
{
jetty.Stop();
}
}
