/// <summary>
/// Issues a job-history-server delegation token for the current caller.
/// </summary>
/// <remarks>
/// The token owner is the caller's user name, the caller's real user (when one is
/// present) is recorded alongside it, and the renewer is copied from the request.
/// The call is refused unless <c>IsAllowedDelegationTokenOp()</c> returns true; per the
/// error message, that is expected to hold only for Kerberos-authenticated connections,
/// so a delegation token is not accepted here as proof of identity for minting another.
/// The returned record carries the token password, so treat the response as a
/// credential and keep it out of logs.
/// </remarks>
/// <param name="request">Request that names the renewer for the new token.</param>
/// <returns>A response record holding the newly created delegation token.</returns>
/// <exception cref="System.IO.IOException">
/// Thrown when the delegation-token operation is not allowed for this connection.
/// </exception>
public virtual GetDelegationTokenResponse GetDelegationToken(GetDelegationTokenRequest request)
{
    UserGroupInformation caller = UserGroupInformation.GetCurrentUser();

    // Authentication gate: nothing is allocated or signed for a connection that
    // fails this check.
    if (!this.IsAllowedDelegationTokenOp())
    {
        throw new IOException("Delegation Token can be issued only with kerberos authentication");
    }

    GetDelegationTokenResponse reply =
        this.recordFactory.NewRecordInstance<GetDelegationTokenResponse>();

    // Owner is the effective user; the real user is only set when the caller
    // reports one (it stays null otherwise).
    Text ownerName = new Text(caller.GetUserName());
    Text realUserName = caller.GetRealUser() != null
        ? new Text(caller.GetRealUser().GetUserName())
        : null;

    // NOTE(review): the renewer string is caller-supplied and is not validated in this
    // method; confirm it is checked where renewal is authorised.
    MRDelegationTokenIdentifier identifier = new MRDelegationTokenIdentifier(
        ownerName,
        new Text(request.GetRenewer()),
        realUserName);

    // Built from the identifier and the history server's delegation-token secret manager;
    // presumably the secret manager derives the token password (verify against Token).
    Org.Apache.Hadoop.Security.Token.Token<MRDelegationTokenIdentifier> signedToken =
        new Org.Apache.Hadoop.Security.Token.Token<MRDelegationTokenIdentifier>(
            identifier,
            this._enclosing.jhsDTSecretManager);

    // Copy identifier, kind, password and service into the YARN token record
    // that travels back to the client.
    Org.Apache.Hadoop.Yarn.Api.Records.Token wireToken =
        Org.Apache.Hadoop.Yarn.Api.Records.Token.NewInstance(
            signedToken.GetIdentifier(),
            signedToken.GetKind().ToString(),
            signedToken.GetPassword(),
            signedToken.GetService().ToString());

    reply.SetDelegationToken(wireToken);
    return reply;
}
/// <summary>
/// Checks when <c>YARNRunner.AddHistoryToken</c> asks the history server for a
/// delegation token.
/// </summary>
/// <remarks>
/// The mocked history-server proxy counts <c>GetDelegationToken</c> calls. The test expects
/// zero calls until Kerberos authentication is configured and an RM delegation token is
/// already in the credentials, then exactly one call, and no further call once a history
/// token has been added. All token identifiers and passwords are empty byte arrays, so
/// no real credential material is involved.
/// </remarks>
/// <exception cref="System.Exception"/>
public virtual void TestGetHSDelegationToken()
{
    try
    {
        Configuration conf = new Configuration();

        // Token service names for the mocked RM and history-server endpoints.
        IPEndPoint rmEndpoint = new IPEndPoint("localhost", 4444);
        Text rmTokenService = SecurityUtil.BuildTokenService(rmEndpoint);
        IPEndPoint hsEndpoint = new IPEndPoint("localhost", 9200);
        Text hsTokenService = SecurityUtil.BuildTokenService(hsEndpoint);

        // Placeholder RM delegation token (empty identifier and password bytes).
        RMDelegationTokenIdentifier rmTokenId = new RMDelegationTokenIdentifier(
            new Text("owner"), new Text("renewer"), new Text("real"));
        Org.Apache.Hadoop.Security.Token.Token<RMDelegationTokenIdentifier> rmToken =
            new Org.Apache.Hadoop.Security.Token.Token<RMDelegationTokenIdentifier>(
                new byte[0], new byte[0], rmTokenId.GetKind(), rmTokenService);
        rmToken.SetKind(RMDelegationTokenIdentifier.KindName);

        // Placeholder history token that the mocked proxy will hand back.
        Org.Apache.Hadoop.Yarn.Api.Records.Token hsToken =
            Org.Apache.Hadoop.Yarn.Api.Records.Token.NewInstance(
                new byte[0],
                MRDelegationTokenIdentifier.KindName.ToString(),
                new byte[0],
                hsTokenService.ToString());
        GetDelegationTokenResponse hsTokenResponse =
            Org.Apache.Hadoop.Yarn.Util.Records.NewRecord<GetDelegationTokenResponse>();
        hsTokenResponse.SetDelegationToken(hsToken);

        // Mocked collaborators: HS proxy, RM delegate and the client cache that yields the proxy.
        MRClientProtocol hsProxyMock = Org.Mockito.Mockito.Mock<MRClientProtocol>();
        Org.Mockito.Mockito.DoReturn(hsEndpoint).When(hsProxyMock).GetConnectAddress();
        Org.Mockito.Mockito.DoReturn(hsTokenResponse).When(hsProxyMock)
            .GetDelegationToken(Matchers.Any<GetDelegationTokenRequest>());
        ResourceMgrDelegate rmDelegateMock = Org.Mockito.Mockito.Mock<ResourceMgrDelegate>();
        Org.Mockito.Mockito.DoReturn(rmTokenService).When(rmDelegateMock)
            .GetRMDelegationTokenService();
        ClientCache clientCacheMock = Org.Mockito.Mockito.Mock<ClientCache>();
        Org.Mockito.Mockito.DoReturn(hsProxyMock).When(clientCacheMock)
            .GetInitializedHSProxy();

        Credentials creds = new Credentials();
        YARNRunner runner = new YARNRunner(conf, rmDelegateMock, clientCacheMock);

        // Kerberos not configured, no RM token: the history server must not be contacted.
        runner.AddHistoryToken(creds);
        Org.Mockito.Mockito.Verify(hsProxyMock, Org.Mockito.Mockito.Times(0))
            .GetDelegationToken(Matchers.Any<GetDelegationTokenRequest>());

        // Kerberos not configured, RM token present: still no history-token request.
        creds.AddToken(new Text("rmdt"), rmToken);
        runner.AddHistoryToken(creds);
        Org.Mockito.Mockito.Verify(hsProxyMock, Org.Mockito.Mockito.Times(0))
            .GetDelegationToken(Matchers.Any<GetDelegationTokenRequest>());

        // Switch authentication to kerberos and start again with empty credentials.
        conf.Set(CommonConfigurationKeys.HadoopSecurityAuthentication, "kerberos");
        UserGroupInformation.SetConfiguration(conf);
        creds = new Credentials();

        // Kerberos configured, no RM token: no history-token request.
        runner.AddHistoryToken(creds);
        Org.Mockito.Mockito.Verify(hsProxyMock, Org.Mockito.Mockito.Times(0))
            .GetDelegationToken(Matchers.Any<GetDelegationTokenRequest>());

        // Kerberos configured, RM token present: exactly one history-token request.
        creds.AddToken(new Text("rmdt"), rmToken);
        runner.AddHistoryToken(creds);
        Org.Mockito.Mockito.Verify(hsProxyMock, Org.Mockito.Mockito.Times(1))
            .GetDelegationToken(Matchers.Any<GetDelegationTokenRequest>());

        // RM and HS tokens both present: the call count must stay at one.
        runner.AddHistoryToken(creds);
        Org.Mockito.Mockito.Verify(hsProxyMock, Org.Mockito.Mockito.Times(1))
            .GetDelegationToken(Matchers.Any<GetDelegationTokenRequest>());
    }
    finally
    {
        // Restore the default configuration so the kerberos setting applied through the
        // static SetConfiguration call does not carry over to whatever runs next.
        UserGroupInformation.SetConfiguration(new Configuration());
    }
}