Exemple #1
0
        public virtual void TestExternalDelegationTokenSecretManager()
        {
            TestWebDelegationToken.DummyDelegationTokenSecretManager secretMgr = new TestWebDelegationToken.DummyDelegationTokenSecretManager
                                                                                     ();
            Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
            Context context = new Context();

            context.SetContextPath("/foo");
            jetty.SetHandler(context);
            context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.AFilter)), "/*",
                              0);
            context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.PingServlet)),
                               "/bar");
            try
            {
                secretMgr.StartThreads();
                context.SetAttribute(DelegationTokenAuthenticationFilter.DelegationTokenSecretManagerAttr
                                     , secretMgr);
                jetty.Start();
                Uri authURL = new Uri(GetJettyURL() + "/foo/bar?authenticated=foo");
                DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
                                                                  ();
                DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
                aUrl.GetDelegationToken(authURL, token, FooUser);
                NUnit.Framework.Assert.IsNotNull(token.GetDelegationToken());
                Assert.Equal(new Text("fooKind"), token.GetDelegationToken().GetKind
                                 ());
            }
            finally
            {
                jetty.Stop();
                secretMgr.StopThreads();
            }
        }
Exemple #2
0
        public virtual void TestHttpUGI()
        {
            Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
            Context context = new Context();

            context.SetContextPath("/foo");
            jetty.SetHandler(context);
            context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.PseudoDTAFilter)
                                               ), "/*", 0);
            context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.UGIServlet)),
                               "/bar");
            try
            {
                jetty.Start();
                Uri url = new Uri(GetJettyURL() + "/foo/bar");
                UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(FooUser);
                ugi.DoAs(new _PrivilegedExceptionAction_938(url));
            }
            finally
            {
                // user foo
                // user ok-user via proxyuser foo
                jetty.Stop();
            }
        }
Exemple #3
0
        /// <exception cref="System.Exception"/>
        private void TestKerberosDelegationTokenAuthenticator(bool doAs)
        {
            string doAsUser = doAs ? OkUser : null;
            // setting hadoop security to kerberos
            Configuration conf = new Configuration();

            conf.Set("hadoop.security.authentication", "kerberos");
            UserGroupInformation.SetConfiguration(conf);
            FilePath testDir = new FilePath("target/" + UUID.RandomUUID().ToString());

            Assert.True(testDir.Mkdirs());
            MiniKdc kdc = new MiniKdc(MiniKdc.CreateConf(), testDir);

            Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
            Context context = new Context();

            context.SetContextPath("/foo");
            jetty.SetHandler(context);
            context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.KDTAFilter)), "/*"
                              , 0);
            context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.UserServlet)),
                               "/bar");
            try
            {
                kdc.Start();
                FilePath keytabFile = new FilePath(testDir, "test.keytab");
                kdc.CreatePrincipal(keytabFile, "client", "HTTP/localhost");
                TestWebDelegationToken.KDTAFilter.keytabFile = keytabFile.GetAbsolutePath();
                jetty.Start();
                DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
                                                                  ();
                DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
                Uri url = new Uri(GetJettyURL() + "/foo/bar");
                try
                {
                    aUrl.GetDelegationToken(url, token, FooUser, doAsUser);
                    NUnit.Framework.Assert.Fail();
                }
                catch (AuthenticationException ex)
                {
                    Assert.True(ex.Message.Contains("GSSException"));
                }
                DoAsKerberosUser("client", keytabFile.GetAbsolutePath(), new _Callable_778(aUrl,
                                                                                           url, token, doAs, doAsUser));
            }
            finally
            {
                // Make sure the token belongs to the right owner
                jetty.Stop();
                kdc.Stop();
            }
        }
Exemple #4
0
        public virtual void TestProxyUser()
        {
            Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
            Context context = new Context();

            context.SetContextPath("/foo");
            jetty.SetHandler(context);
            context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.PseudoDTAFilter)
                                               ), "/*", 0);
            context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.UserServlet)),
                               "/bar");
            try
            {
                jetty.Start();
                Uri url = new Uri(GetJettyURL() + "/foo/bar");
                // proxyuser using raw HTTP, verifying doAs is case insensitive
                string strUrl = string.Format("%s?user.name=%s&doas=%s", url.ToExternalForm(), FooUser
                                              , OkUser);
                HttpURLConnection conn = (HttpURLConnection) new Uri(strUrl).OpenConnection();
                Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
                IList <string> ret = IOUtils.ReadLines(conn.GetInputStream());
                Assert.Equal(1, ret.Count);
                Assert.Equal(OkUser, ret[0]);
                strUrl = string.Format("%s?user.name=%s&DOAS=%s", url.ToExternalForm(), FooUser,
                                       OkUser);
                conn = (HttpURLConnection) new Uri(strUrl).OpenConnection();
                Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
                ret = IOUtils.ReadLines(conn.GetInputStream());
                Assert.Equal(1, ret.Count);
                Assert.Equal(OkUser, ret[0]);
                UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(FooUser);
                ugi.DoAs(new _PrivilegedExceptionAction_858(url));
            }
            finally
            {
                // proxyuser using authentication handler authentication
                // unauthorized proxy user using authentication handler authentication
                // proxy using delegation token authentication
                // requests using delegation token as auth do not honor doAs
                jetty.Stop();
            }
        }
Exemple #5
0
        // we are, also, implicitly testing  KerberosDelegationTokenAuthenticator
        // fallback here
        /// <exception cref="System.Exception"/>
        private void TestDelegationTokenAuthenticatedURLWithNoDT(Type filterClass)
        {
            Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
            Context context = new Context();

            context.SetContextPath("/foo");
            jetty.SetHandler(context);
            context.AddFilter(new FilterHolder(filterClass), "/*", 0);
            context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.UserServlet)),
                               "/bar");
            try
            {
                jetty.Start();
                Uri url = new Uri(GetJettyURL() + "/foo/bar");
                UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(FooUser);
                ugi.DoAs(new _PrivilegedExceptionAction_543(url));
            }
            finally
            {
                jetty.Stop();
            }
        }
Exemple #6
0
        /// <exception cref="System.Exception"/>
        private void TestDelegationTokenAuthenticatorCalls(bool useQS)
        {
            Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
            Context context = new Context();

            context.SetContextPath("/foo");
            jetty.SetHandler(context);
            context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.AFilter)), "/*",
                              0);
            context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.PingServlet)),
                               "/bar");
            try
            {
                jetty.Start();
                Uri nonAuthURL = new Uri(GetJettyURL() + "/foo/bar");
                Uri authURL    = new Uri(GetJettyURL() + "/foo/bar?authenticated=foo");
                Uri authURL2   = new Uri(GetJettyURL() + "/foo/bar?authenticated=bar");
                DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
                                                                  ();
                DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
                aUrl.SetUseQueryStringForDelegationToken(useQS);
                try
                {
                    aUrl.GetDelegationToken(nonAuthURL, token, FooUser);
                    NUnit.Framework.Assert.Fail();
                }
                catch (Exception ex)
                {
                    Assert.True(ex.Message.Contains("401"));
                }
                aUrl.GetDelegationToken(authURL, token, FooUser);
                NUnit.Framework.Assert.IsNotNull(token.GetDelegationToken());
                Assert.Equal(new Text("token-kind"), token.GetDelegationToken(
                                 ).GetKind());
                aUrl.RenewDelegationToken(authURL, token);
                try
                {
                    aUrl.RenewDelegationToken(nonAuthURL, token);
                    NUnit.Framework.Assert.Fail();
                }
                catch (Exception ex)
                {
                    Assert.True(ex.Message.Contains("401"));
                }
                aUrl.GetDelegationToken(authURL, token, FooUser);
                try
                {
                    aUrl.RenewDelegationToken(authURL2, token);
                    NUnit.Framework.Assert.Fail();
                }
                catch (Exception ex)
                {
                    Assert.True(ex.Message.Contains("403"));
                }
                aUrl.GetDelegationToken(authURL, token, FooUser);
                aUrl.CancelDelegationToken(authURL, token);
                aUrl.GetDelegationToken(authURL, token, FooUser);
                aUrl.CancelDelegationToken(nonAuthURL, token);
                aUrl.GetDelegationToken(authURL, token, FooUser);
                try
                {
                    aUrl.RenewDelegationToken(nonAuthURL, token);
                }
                catch (Exception ex)
                {
                    Assert.True(ex.Message.Contains("401"));
                }
                aUrl.GetDelegationToken(authURL, token, "foo");
                UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
                ugi.AddToken(token.GetDelegationToken());
                ugi.DoAs(new _PrivilegedExceptionAction_412(aUrl, nonAuthURL, useQS));
            }
            finally
            {
                jetty.Stop();
            }
        }
Exemple #7
0
        public virtual void TestRawHttpCalls()
        {
            Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
            Context context = new Context();

            context.SetContextPath("/foo");
            jetty.SetHandler(context);
            context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.AFilter)), "/*",
                              0);
            context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.PingServlet)),
                               "/bar");
            try
            {
                jetty.Start();
                Uri nonAuthURL = new Uri(GetJettyURL() + "/foo/bar");
                Uri authURL    = new Uri(GetJettyURL() + "/foo/bar?authenticated=foo");
                // unauthenticated access to URL
                HttpURLConnection conn = (HttpURLConnection)nonAuthURL.OpenConnection();
                Assert.Equal(HttpURLConnection.HttpUnauthorized, conn.GetResponseCode
                                 ());
                // authenticated access to URL
                conn = (HttpURLConnection)authURL.OpenConnection();
                Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
                // unauthenticated access to get delegation token
                Uri url = new Uri(nonAuthURL.ToExternalForm() + "?op=GETDELEGATIONTOKEN");
                conn = (HttpURLConnection)url.OpenConnection();
                Assert.Equal(HttpURLConnection.HttpUnauthorized, conn.GetResponseCode
                                 ());
                // authenticated access to get delegation token
                url  = new Uri(authURL.ToExternalForm() + "&op=GETDELEGATIONTOKEN&renewer=foo");
                conn = (HttpURLConnection)url.OpenConnection();
                Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
                ObjectMapper mapper = new ObjectMapper();
                IDictionary  map    = mapper.ReadValue <IDictionary>(conn.GetInputStream());
                string       dt     = (string)((IDictionary)map["Token"])["urlString"];
                NUnit.Framework.Assert.IsNotNull(dt);
                // delegation token access to URL
                url  = new Uri(nonAuthURL.ToExternalForm() + "?delegation=" + dt);
                conn = (HttpURLConnection)url.OpenConnection();
                Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
                // delegation token and authenticated access to URL
                url  = new Uri(authURL.ToExternalForm() + "&delegation=" + dt);
                conn = (HttpURLConnection)url.OpenConnection();
                Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
                // renewew delegation token, unauthenticated access to URL
                url = new Uri(nonAuthURL.ToExternalForm() + "?op=RENEWDELEGATIONTOKEN&token=" + dt
                              );
                conn = (HttpURLConnection)url.OpenConnection();
                conn.SetRequestMethod("PUT");
                Assert.Equal(HttpURLConnection.HttpUnauthorized, conn.GetResponseCode
                                 ());
                // renewew delegation token, authenticated access to URL
                url  = new Uri(authURL.ToExternalForm() + "&op=RENEWDELEGATIONTOKEN&token=" + dt);
                conn = (HttpURLConnection)url.OpenConnection();
                conn.SetRequestMethod("PUT");
                Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
                // renewew delegation token, authenticated access to URL, not renewer
                url = new Uri(GetJettyURL() + "/foo/bar?authenticated=bar&op=RENEWDELEGATIONTOKEN&token="
                              + dt);
                conn = (HttpURLConnection)url.OpenConnection();
                conn.SetRequestMethod("PUT");
                Assert.Equal(HttpURLConnection.HttpForbidden, conn.GetResponseCode
                                 ());
                // cancel delegation token, nonauthenticated access to URL
                url = new Uri(nonAuthURL.ToExternalForm() + "?op=CANCELDELEGATIONTOKEN&token=" +
                              dt);
                conn = (HttpURLConnection)url.OpenConnection();
                conn.SetRequestMethod("PUT");
                Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
                // cancel canceled delegation token, nonauthenticated access to URL
                url = new Uri(nonAuthURL.ToExternalForm() + "?op=CANCELDELEGATIONTOKEN&token=" +
                              dt);
                conn = (HttpURLConnection)url.OpenConnection();
                conn.SetRequestMethod("PUT");
                Assert.Equal(HttpURLConnection.HttpNotFound, conn.GetResponseCode
                                 ());
                // get new delegation token
                url  = new Uri(authURL.ToExternalForm() + "&op=GETDELEGATIONTOKEN&renewer=foo");
                conn = (HttpURLConnection)url.OpenConnection();
                Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
                mapper = new ObjectMapper();
                map    = mapper.ReadValue <IDictionary>(conn.GetInputStream());
                dt     = (string)((IDictionary)map["Token"])["urlString"];
                NUnit.Framework.Assert.IsNotNull(dt);
                // cancel delegation token, authenticated access to URL
                url  = new Uri(authURL.ToExternalForm() + "&op=CANCELDELEGATIONTOKEN&token=" + dt);
                conn = (HttpURLConnection)url.OpenConnection();
                conn.SetRequestMethod("PUT");
                Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
            }
            finally
            {
                jetty.Stop();
            }
        }
Exemple #8
0
        /// <exception cref="System.Exception"/>
        public virtual void Start()
        {
            ClassLoader cl = Thread.CurrentThread().GetContextClassLoader();

            Runtime.SetProperty(KMSConfiguration.KmsConfigDir, kmsConfDir);
            FilePath aclsFile = new FilePath(kmsConfDir, "kms-acls.xml");

            if (!aclsFile.Exists())
            {
                InputStream  @is = cl.GetResourceAsStream("mini-kms-acls-default.xml");
                OutputStream os  = new FileOutputStream(aclsFile);
                IOUtils.Copy(@is, os);
                @is.Close();
                os.Close();
            }
            FilePath coreFile = new FilePath(kmsConfDir, "core-site.xml");

            if (!coreFile.Exists())
            {
                Configuration core   = new Configuration();
                TextWriter    writer = new FileWriter(coreFile);
                core.WriteXml(writer);
                writer.Close();
            }
            FilePath kmsFile = new FilePath(kmsConfDir, "kms-site.xml");

            if (!kmsFile.Exists())
            {
                Configuration kms = new Configuration(false);
                kms.Set(KMSConfiguration.KeyProviderUri, "jceks://file@" + new Path(kmsConfDir, "kms.keystore"
                                                                                    ).ToUri());
                kms.Set("hadoop.kms.authentication.type", "simple");
                TextWriter writer = new FileWriter(kmsFile);
                kms.WriteXml(writer);
                writer.Close();
            }
            Runtime.SetProperty("log4j.configuration", log4jConfFile);
            jetty = CreateJettyServer(keyStore, keyStorePassword, inPort);
            // we need to do a special handling for MiniKMS to work when in a dir and
            // when in a JAR in the classpath thanks to Jetty way of handling of webapps
            // when they are in the a DIR, WAR or JAR.
            Uri webXmlUrl = cl.GetResource("kms-webapp/WEB-INF/web.xml");

            if (webXmlUrl == null)
            {
                throw new RuntimeException("Could not find kms-webapp/ dir in test classpath");
            }
            bool   webXmlInJar = webXmlUrl.AbsolutePath.Contains(".jar!/");
            string webappPath;

            if (webXmlInJar)
            {
                FilePath webInf = new FilePath("target/" + UUID.RandomUUID().ToString() + "/kms-webapp/WEB-INF"
                                               );
                webInf.Mkdirs();
                new FilePath(webInf, "web.xml").Delete();
                InputStream  @is = cl.GetResourceAsStream("kms-webapp/WEB-INF/web.xml");
                OutputStream os  = new FileOutputStream(new FilePath(webInf, "web.xml"));
                IOUtils.Copy(@is, os);
                @is.Close();
                os.Close();
                webappPath = webInf.GetParentFile().GetAbsolutePath();
            }
            else
            {
                webappPath = cl.GetResource("kms-webapp").AbsolutePath;
            }
            WebAppContext context = new WebAppContext(webappPath, "/kms");

            if (webXmlInJar)
            {
                context.SetClassLoader(cl);
            }
            jetty.AddHandler(context);
            jetty.Start();
            kmsURL = new Uri(GetJettyURL(jetty), "kms");
        }