public virtual void TestExternalDelegationTokenSecretManager()
{
TestWebDelegationToken.DummyDelegationTokenSecretManager secretMgr = new TestWebDelegationToken.DummyDelegationTokenSecretManager
();
Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
Context context = new Context();
context.SetContextPath("/foo");
jetty.SetHandler(context);
context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.AFilter)), "/*",
0);
context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.PingServlet)),
"/bar");
try
{
secretMgr.StartThreads();
context.SetAttribute(DelegationTokenAuthenticationFilter.DelegationTokenSecretManagerAttr
, secretMgr);
jetty.Start();
Uri authURL = new Uri(GetJettyURL() + "/foo/bar?authenticated=foo");
DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
();
DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
aUrl.GetDelegationToken(authURL, token, FooUser);
NUnit.Framework.Assert.IsNotNull(token.GetDelegationToken());
Assert.Equal(new Text("fooKind"), token.GetDelegationToken().GetKind
());
}
finally
{
jetty.Stop();
secretMgr.StopThreads();
}
}
public virtual void TestHttpUGI()
{
Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
Context context = new Context();
context.SetContextPath("/foo");
jetty.SetHandler(context);
context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.PseudoDTAFilter)
), "/*", 0);
context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.UGIServlet)),
"/bar");
try
{
jetty.Start();
Uri url = new Uri(GetJettyURL() + "/foo/bar");
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(FooUser);
ugi.DoAs(new _PrivilegedExceptionAction_938(url));
}
finally
{
// user foo
// user ok-user via proxyuser foo
jetty.Stop();
}
}
/// <exception cref="System.Exception"/>
private void TestKerberosDelegationTokenAuthenticator(bool doAs)
{
string doAsUser = doAs ? OkUser : null;
// setting hadoop security to kerberos
Configuration conf = new Configuration();
conf.Set("hadoop.security.authentication", "kerberos");
UserGroupInformation.SetConfiguration(conf);
FilePath testDir = new FilePath("target/" + UUID.RandomUUID().ToString());
Assert.True(testDir.Mkdirs());
MiniKdc kdc = new MiniKdc(MiniKdc.CreateConf(), testDir);
Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
Context context = new Context();
context.SetContextPath("/foo");
jetty.SetHandler(context);
context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.KDTAFilter)), "/*"
, 0);
context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.UserServlet)),
"/bar");
try
{
kdc.Start();
FilePath keytabFile = new FilePath(testDir, "test.keytab");
kdc.CreatePrincipal(keytabFile, "client", "HTTP/localhost");
TestWebDelegationToken.KDTAFilter.keytabFile = keytabFile.GetAbsolutePath();
jetty.Start();
DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
();
DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
Uri url = new Uri(GetJettyURL() + "/foo/bar");
try
{
aUrl.GetDelegationToken(url, token, FooUser, doAsUser);
NUnit.Framework.Assert.Fail();
}
catch (AuthenticationException ex)
{
Assert.True(ex.Message.Contains("GSSException"));
}
DoAsKerberosUser("client", keytabFile.GetAbsolutePath(), new _Callable_778(aUrl,
url, token, doAs, doAsUser));
}
finally
{
// Make sure the token belongs to the right owner
jetty.Stop();
kdc.Stop();
}
}
private static Uri GetJettyURL(Org.Mortbay.Jetty.Server server)
{
bool ssl = server.GetConnectors()[0].GetType() == typeof(SslSocketConnectorSecure
);
try
{
string scheme = (ssl) ? "https" : "http";
return(new Uri(scheme + "://" + server.GetConnectors()[0].GetHost() + ":" + server
.GetConnectors()[0].GetPort()));
}
catch (UriFormatException ex)
{
throw new RuntimeException("It should never happen, " + ex.Message, ex);
}
}
public virtual void Stop()
{
if (jetty != null && jetty.IsRunning())
{
try
{
jetty.Stop();
jetty = null;
}
catch (Exception ex)
{
throw new RuntimeException("Could not stop MiniKMS embedded Jetty, " + ex.Message
, ex);
}
}
}
public virtual void TestProxyUser()
{
Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
Context context = new Context();
context.SetContextPath("/foo");
jetty.SetHandler(context);
context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.PseudoDTAFilter)
), "/*", 0);
context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.UserServlet)),
"/bar");
try
{
jetty.Start();
Uri url = new Uri(GetJettyURL() + "/foo/bar");
// proxyuser using raw HTTP, verifying doAs is case insensitive
string strUrl = string.Format("%s?user.name=%s&doas=%s", url.ToExternalForm(), FooUser
, OkUser);
HttpURLConnection conn = (HttpURLConnection) new Uri(strUrl).OpenConnection();
Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
IList <string> ret = IOUtils.ReadLines(conn.GetInputStream());
Assert.Equal(1, ret.Count);
Assert.Equal(OkUser, ret[0]);
strUrl = string.Format("%s?user.name=%s&DOAS=%s", url.ToExternalForm(), FooUser,
OkUser);
conn = (HttpURLConnection) new Uri(strUrl).OpenConnection();
Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
ret = IOUtils.ReadLines(conn.GetInputStream());
Assert.Equal(1, ret.Count);
Assert.Equal(OkUser, ret[0]);
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(FooUser);
ugi.DoAs(new _PrivilegedExceptionAction_858(url));
}
finally
{
// proxyuser using authentication handler authentication
// unauthorized proxy user using authentication handler authentication
// proxy using delegation token authentication
// requests using delegation token as auth do not honor doAs
jetty.Stop();
}
}
// we are, also, implicitly testing KerberosDelegationTokenAuthenticator
// fallback here
/// <exception cref="System.Exception"/>
private void TestDelegationTokenAuthenticatedURLWithNoDT(Type filterClass)
{
Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
Context context = new Context();
context.SetContextPath("/foo");
jetty.SetHandler(context);
context.AddFilter(new FilterHolder(filterClass), "/*", 0);
context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.UserServlet)),
"/bar");
try
{
jetty.Start();
Uri url = new Uri(GetJettyURL() + "/foo/bar");
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(FooUser);
ugi.DoAs(new _PrivilegedExceptionAction_543(url));
}
finally
{
jetty.Stop();
}
}
private static Org.Mortbay.Jetty.Server CreateJettyServer(string keyStore, string
password, int inPort)
{
try
{
bool ssl = keyStore != null;
IPAddress localhost = Extensions.GetAddressByName("localhost");
string host = "localhost";
Socket ss = Extensions.CreateServerSocket((inPort < 0) ? 0 : inPort, 50,
localhost);
int port = ss.GetLocalPort();
ss.Close();
Org.Mortbay.Jetty.Server server = new Org.Mortbay.Jetty.Server(0);
if (!ssl)
{
server.GetConnectors()[0].SetHost(host);
server.GetConnectors()[0].SetPort(port);
}
else
{
SslSocketConnector c = new SslSocketConnectorSecure();
c.SetHost(host);
c.SetPort(port);
c.SetNeedClientAuth(false);
c.SetKeystore(keyStore);
c.SetKeystoreType("jks");
c.SetKeyPassword(password);
server.SetConnectors(new Connector[] { c });
}
return(server);
}
catch (Exception ex)
{
throw new RuntimeException("Could not start embedded servlet container, " + ex.Message
, ex);
}
}
/// <exception cref="System.Exception"/>
private void TestDelegationTokenAuthenticatorCalls(bool useQS)
{
Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
Context context = new Context();
context.SetContextPath("/foo");
jetty.SetHandler(context);
context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.AFilter)), "/*",
0);
context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.PingServlet)),
"/bar");
try
{
jetty.Start();
Uri nonAuthURL = new Uri(GetJettyURL() + "/foo/bar");
Uri authURL = new Uri(GetJettyURL() + "/foo/bar?authenticated=foo");
Uri authURL2 = new Uri(GetJettyURL() + "/foo/bar?authenticated=bar");
DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
();
DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
aUrl.SetUseQueryStringForDelegationToken(useQS);
try
{
aUrl.GetDelegationToken(nonAuthURL, token, FooUser);
NUnit.Framework.Assert.Fail();
}
catch (Exception ex)
{
Assert.True(ex.Message.Contains("401"));
}
aUrl.GetDelegationToken(authURL, token, FooUser);
NUnit.Framework.Assert.IsNotNull(token.GetDelegationToken());
Assert.Equal(new Text("token-kind"), token.GetDelegationToken(
).GetKind());
aUrl.RenewDelegationToken(authURL, token);
try
{
aUrl.RenewDelegationToken(nonAuthURL, token);
NUnit.Framework.Assert.Fail();
}
catch (Exception ex)
{
Assert.True(ex.Message.Contains("401"));
}
aUrl.GetDelegationToken(authURL, token, FooUser);
try
{
aUrl.RenewDelegationToken(authURL2, token);
NUnit.Framework.Assert.Fail();
}
catch (Exception ex)
{
Assert.True(ex.Message.Contains("403"));
}
aUrl.GetDelegationToken(authURL, token, FooUser);
aUrl.CancelDelegationToken(authURL, token);
aUrl.GetDelegationToken(authURL, token, FooUser);
aUrl.CancelDelegationToken(nonAuthURL, token);
aUrl.GetDelegationToken(authURL, token, FooUser);
try
{
aUrl.RenewDelegationToken(nonAuthURL, token);
}
catch (Exception ex)
{
Assert.True(ex.Message.Contains("401"));
}
aUrl.GetDelegationToken(authURL, token, "foo");
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
ugi.AddToken(token.GetDelegationToken());
ugi.DoAs(new _PrivilegedExceptionAction_412(aUrl, nonAuthURL, useQS));
}
finally
{
jetty.Stop();
}
}
public virtual void TestRawHttpCalls()
{
Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
Context context = new Context();
context.SetContextPath("/foo");
jetty.SetHandler(context);
context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.AFilter)), "/*",
0);
context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.PingServlet)),
"/bar");
try
{
jetty.Start();
Uri nonAuthURL = new Uri(GetJettyURL() + "/foo/bar");
Uri authURL = new Uri(GetJettyURL() + "/foo/bar?authenticated=foo");
// unauthenticated access to URL
HttpURLConnection conn = (HttpURLConnection)nonAuthURL.OpenConnection();
Assert.Equal(HttpURLConnection.HttpUnauthorized, conn.GetResponseCode
());
// authenticated access to URL
conn = (HttpURLConnection)authURL.OpenConnection();
Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
// unauthenticated access to get delegation token
Uri url = new Uri(nonAuthURL.ToExternalForm() + "?op=GETDELEGATIONTOKEN");
conn = (HttpURLConnection)url.OpenConnection();
Assert.Equal(HttpURLConnection.HttpUnauthorized, conn.GetResponseCode
());
// authenticated access to get delegation token
url = new Uri(authURL.ToExternalForm() + "&op=GETDELEGATIONTOKEN&renewer=foo");
conn = (HttpURLConnection)url.OpenConnection();
Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
ObjectMapper mapper = new ObjectMapper();
IDictionary map = mapper.ReadValue <IDictionary>(conn.GetInputStream());
string dt = (string)((IDictionary)map["Token"])["urlString"];
NUnit.Framework.Assert.IsNotNull(dt);
// delegation token access to URL
url = new Uri(nonAuthURL.ToExternalForm() + "?delegation=" + dt);
conn = (HttpURLConnection)url.OpenConnection();
Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
// delegation token and authenticated access to URL
url = new Uri(authURL.ToExternalForm() + "&delegation=" + dt);
conn = (HttpURLConnection)url.OpenConnection();
Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
// renewew delegation token, unauthenticated access to URL
url = new Uri(nonAuthURL.ToExternalForm() + "?op=RENEWDELEGATIONTOKEN&token=" + dt
);
conn = (HttpURLConnection)url.OpenConnection();
conn.SetRequestMethod("PUT");
Assert.Equal(HttpURLConnection.HttpUnauthorized, conn.GetResponseCode
());
// renewew delegation token, authenticated access to URL
url = new Uri(authURL.ToExternalForm() + "&op=RENEWDELEGATIONTOKEN&token=" + dt);
conn = (HttpURLConnection)url.OpenConnection();
conn.SetRequestMethod("PUT");
Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
// renewew delegation token, authenticated access to URL, not renewer
url = new Uri(GetJettyURL() + "/foo/bar?authenticated=bar&op=RENEWDELEGATIONTOKEN&token="
+ dt);
conn = (HttpURLConnection)url.OpenConnection();
conn.SetRequestMethod("PUT");
Assert.Equal(HttpURLConnection.HttpForbidden, conn.GetResponseCode
());
// cancel delegation token, nonauthenticated access to URL
url = new Uri(nonAuthURL.ToExternalForm() + "?op=CANCELDELEGATIONTOKEN&token=" +
dt);
conn = (HttpURLConnection)url.OpenConnection();
conn.SetRequestMethod("PUT");
Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
// cancel canceled delegation token, nonauthenticated access to URL
url = new Uri(nonAuthURL.ToExternalForm() + "?op=CANCELDELEGATIONTOKEN&token=" +
dt);
conn = (HttpURLConnection)url.OpenConnection();
conn.SetRequestMethod("PUT");
Assert.Equal(HttpURLConnection.HttpNotFound, conn.GetResponseCode
());
// get new delegation token
url = new Uri(authURL.ToExternalForm() + "&op=GETDELEGATIONTOKEN&renewer=foo");
conn = (HttpURLConnection)url.OpenConnection();
Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
mapper = new ObjectMapper();
map = mapper.ReadValue <IDictionary>(conn.GetInputStream());
dt = (string)((IDictionary)map["Token"])["urlString"];
NUnit.Framework.Assert.IsNotNull(dt);
// cancel delegation token, authenticated access to URL
url = new Uri(authURL.ToExternalForm() + "&op=CANCELDELEGATIONTOKEN&token=" + dt);
conn = (HttpURLConnection)url.OpenConnection();
conn.SetRequestMethod("PUT");
Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
}
finally
{
jetty.Stop();
}
}
/// <exception cref="System.Exception"/>
public virtual void Start()
{
ClassLoader cl = Thread.CurrentThread().GetContextClassLoader();
Runtime.SetProperty(KMSConfiguration.KmsConfigDir, kmsConfDir);
FilePath aclsFile = new FilePath(kmsConfDir, "kms-acls.xml");
if (!aclsFile.Exists())
{
InputStream @is = cl.GetResourceAsStream("mini-kms-acls-default.xml");
OutputStream os = new FileOutputStream(aclsFile);
IOUtils.Copy(@is, os);
@is.Close();
os.Close();
}
FilePath coreFile = new FilePath(kmsConfDir, "core-site.xml");
if (!coreFile.Exists())
{
Configuration core = new Configuration();
TextWriter writer = new FileWriter(coreFile);
core.WriteXml(writer);
writer.Close();
}
FilePath kmsFile = new FilePath(kmsConfDir, "kms-site.xml");
if (!kmsFile.Exists())
{
Configuration kms = new Configuration(false);
kms.Set(KMSConfiguration.KeyProviderUri, "jceks://file@" + new Path(kmsConfDir, "kms.keystore"
).ToUri());
kms.Set("hadoop.kms.authentication.type", "simple");
TextWriter writer = new FileWriter(kmsFile);
kms.WriteXml(writer);
writer.Close();
}
Runtime.SetProperty("log4j.configuration", log4jConfFile);
jetty = CreateJettyServer(keyStore, keyStorePassword, inPort);
// we need to do a special handling for MiniKMS to work when in a dir and
// when in a JAR in the classpath thanks to Jetty way of handling of webapps
// when they are in the a DIR, WAR or JAR.
Uri webXmlUrl = cl.GetResource("kms-webapp/WEB-INF/web.xml");
if (webXmlUrl == null)
{
throw new RuntimeException("Could not find kms-webapp/ dir in test classpath");
}
bool webXmlInJar = webXmlUrl.AbsolutePath.Contains(".jar!/");
string webappPath;
if (webXmlInJar)
{
FilePath webInf = new FilePath("target/" + UUID.RandomUUID().ToString() + "/kms-webapp/WEB-INF"
);
webInf.Mkdirs();
new FilePath(webInf, "web.xml").Delete();
InputStream @is = cl.GetResourceAsStream("kms-webapp/WEB-INF/web.xml");
OutputStream os = new FileOutputStream(new FilePath(webInf, "web.xml"));
IOUtils.Copy(@is, os);
@is.Close();
os.Close();
webappPath = webInf.GetParentFile().GetAbsolutePath();
}
else
{
webappPath = cl.GetResource("kms-webapp").AbsolutePath;
}
WebAppContext context = new WebAppContext(webappPath, "/kms");
if (webXmlInJar)
{
context.SetClassLoader(cl);
}
jetty.AddHandler(context);
jetty.Start();
kmsURL = new Uri(GetJettyURL(jetty), "kms");
}
