Esempio n. 1
0
        public virtual void Mdc()
        {
            HttpServletRequest request = Org.Mockito.Mockito.Mock <HttpServletRequest>();

            Org.Mockito.Mockito.When(request.GetUserPrincipal()).ThenReturn(null);
            Org.Mockito.Mockito.When(request.GetMethod()).ThenReturn("METHOD");
            Org.Mockito.Mockito.When(request.GetPathInfo()).ThenReturn("/pathinfo");
            ServletResponse response = Org.Mockito.Mockito.Mock <ServletResponse>();
            AtomicBoolean   invoked  = new AtomicBoolean();
            FilterChain     chain    = new _FilterChain_55(invoked);

            MDC.Clear();
            Filter filter = new MDCFilter();

            filter.Init(null);
            filter.DoFilter(request, response, chain);
            NUnit.Framework.Assert.IsTrue(invoked.Get());
            NUnit.Framework.Assert.IsNull(MDC.Get("hostname"));
            NUnit.Framework.Assert.IsNull(MDC.Get("user"));
            NUnit.Framework.Assert.IsNull(MDC.Get("method"));
            NUnit.Framework.Assert.IsNull(MDC.Get("path"));
            Org.Mockito.Mockito.When(request.GetUserPrincipal()).ThenReturn(new _Principal_78
                                                                                ());
            invoked.Set(false);
            chain = new _FilterChain_86(invoked);
            filter.DoFilter(request, response, chain);
            NUnit.Framework.Assert.IsTrue(invoked.Get());
            HostnameFilter.HostnameTl.Set("HOST");
            invoked.Set(false);
            chain = new _FilterChain_103(invoked);
            filter.DoFilter(request, response, chain);
            NUnit.Framework.Assert.IsTrue(invoked.Get());
            HostnameFilter.HostnameTl.Remove();
            filter.Destroy();
        }
Esempio n. 2
0
        /// <exception cref="Javax.Servlet.ServletException"/>
        /// <exception cref="System.IO.IOException"/>
        protected override void DoGet(HttpServletRequest req, HttpServletResponse resp)
        {
            resp.SetContentType("text/plain");
            resp.SetStatus(HttpServletResponse.ScOk);
            string user      = req.GetRemoteUser();
            string principal = (req.GetUserPrincipal() != null) ? req.GetUserPrincipal().GetName
                                   () : null;
            TextWriter writer = resp.GetWriter();

            writer.Write(MessageFormat.Format("You are: user[{0}] principal[{1}]\n", user, principal
                                              ));
        }
Esempio n. 3
0
        /// <exception cref="System.IO.IOException"/>
        /// <exception cref="Javax.Servlet.ServletException"/>
        protected override void DoFilter(FilterChain filterChain, HttpServletRequest request
                                         , HttpServletResponse response)
        {
            bool requestCompleted          = false;
            UserGroupInformation ugi       = null;
            AuthenticationToken  authToken = (AuthenticationToken)request.GetUserPrincipal();

            if (authToken != null && authToken != AuthenticationToken.Anonymous)
            {
                // if the request was authenticated because of a delegation token,
                // then we ignore proxyuser (this is the same as the RPC behavior).
                ugi = (UserGroupInformation)request.GetAttribute(DelegationTokenAuthenticationHandler
                                                                 .DelegationTokenUgiAttribute);
                if (ugi == null)
                {
                    string realUser = request.GetUserPrincipal().GetName();
                    ugi = UserGroupInformation.CreateRemoteUser(realUser, handlerAuthMethod);
                    string doAsUser = GetDoAs(request);
                    if (doAsUser != null)
                    {
                        ugi = UserGroupInformation.CreateProxyUser(doAsUser, ugi);
                        try
                        {
                            ProxyUsers.Authorize(ugi, request.GetRemoteHost());
                        }
                        catch (AuthorizationException ex)
                        {
                            HttpExceptionUtils.CreateServletExceptionResponse(response, HttpServletResponse.ScForbidden
                                                                              , ex);
                            requestCompleted = true;
                        }
                    }
                }
                UgiTl.Set(ugi);
            }
            if (!requestCompleted)
            {
                UserGroupInformation ugiF = ugi;
                try
                {
                    request = new _HttpServletRequestWrapper_269(this, ugiF, request);
                    base.DoFilter(filterChain, request, response);
                }
                finally
                {
                    UgiTl.Remove();
                }
            }
        }
        /// <exception cref="Javax.Servlet.ServletException"/>
        /// <exception cref="System.IO.IOException"/>
        protected override void DoGet(HttpServletRequest req, HttpServletResponse resp)
        {
            UserGroupInformation ugi;
            ServletContext       context = GetServletContext();
            Configuration        conf    = NameNodeHttpServer.GetConfFromContext(context);

            try
            {
                ugi = GetUGI(req, conf);
            }
            catch (IOException ioe)
            {
                Log.Info("Request for token received with no authentication from " + req.GetRemoteAddr
                             (), ioe);
                resp.SendError(HttpServletResponse.ScForbidden, "Unable to identify or authenticate user"
                               );
                return;
            }
            Log.Info("Sending token: {" + ugi.GetUserName() + "," + req.GetRemoteAddr() + "}"
                     );
            NameNode         nn           = NameNodeHttpServer.GetNameNodeFromContext(context);
            string           renewer      = req.GetParameter(Renewer);
            string           renewerFinal = (renewer == null) ? req.GetUserPrincipal().GetName() : renewer;
            DataOutputStream dos          = null;

            try
            {
                dos = new DataOutputStream(resp.GetOutputStream());
                DataOutputStream dosFinal = dos;
                // for doAs block
                ugi.DoAs(new _PrivilegedExceptionAction_69(nn, ugi, renewerFinal, dosFinal));
            }
            catch (Exception e)
            {
                Log.Info("Exception while sending token. Re-throwing ", e);
                resp.SendError(HttpServletResponse.ScInternalServerError);
            }
            finally
            {
                if (dos != null)
                {
                    dos.Close();
                }
            }
        }
        /// <exception cref="System.IO.IOException"/>
        protected internal virtual bool IsValidRequestor(HttpServletRequest request, Configuration
                                                         conf)
        {
            string remotePrincipal = request.GetUserPrincipal().GetName();
            string remoteShortName = request.GetRemoteUser();

            if (remotePrincipal == null)
            {
                // This really shouldn't happen...
                Log.Warn("Received null remoteUser while authorizing access to " + "GetJournalEditServlet"
                         );
                return(false);
            }
            if (Log.IsDebugEnabled())
            {
                Log.Debug("Validating request made by " + remotePrincipal + " / " + remoteShortName
                          + ". This user is: " + UserGroupInformation.GetLoginUser());
            }
            ICollection <string> validRequestors = new HashSet <string>();

            Sharpen.Collections.AddAll(validRequestors, DFSUtil.GetAllNnPrincipals(conf));
            try
            {
                validRequestors.AddItem(SecurityUtil.GetServerPrincipal(conf.Get(DFSConfigKeys.DfsSecondaryNamenodeKerberosPrincipalKey
                                                                                 ), SecondaryNameNode.GetHttpAddress(conf).GetHostName()));
            }
            catch (Exception e)
            {
                // Don't halt if SecondaryNameNode principal could not be added.
                Log.Debug("SecondaryNameNode principal could not be added", e);
                string msg = string.Format("SecondaryNameNode principal not considered, %s = %s, %s = %s"
                                           , DFSConfigKeys.DfsSecondaryNamenodeKerberosPrincipalKey, conf.Get(DFSConfigKeys
                                                                                                              .DfsSecondaryNamenodeKerberosPrincipalKey), DFSConfigKeys.DfsNamenodeSecondaryHttpAddressKey
                                           , conf.Get(DFSConfigKeys.DfsNamenodeSecondaryHttpAddressKey, DFSConfigKeys.DfsNamenodeSecondaryHttpAddressDefault
                                                      ));
                Log.Warn(msg);
            }
            // Check the full principal name of all the configured valid requestors.
            foreach (string v in validRequestors)
            {
                if (Log.IsDebugEnabled())
                {
                    Log.Debug("isValidRequestor is comparing to valid requestor: " + v);
                }
                if (v != null && v.Equals(remotePrincipal))
                {
                    if (Log.IsDebugEnabled())
                    {
                        Log.Debug("isValidRequestor is allowing: " + remotePrincipal);
                    }
                    return(true);
                }
            }
            // Additionally, we compare the short name of the requestor to this JN's
            // username, because we want to allow requests from other JNs during
            // recovery, but we can't enumerate the full list of JNs.
            if (remoteShortName.Equals(UserGroupInformation.GetLoginUser().GetShortUserName()
                                       ))
            {
                if (Log.IsDebugEnabled())
                {
                    Log.Debug("isValidRequestor is allowing other JN principal: " + remotePrincipal);
                }
                return(true);
            }
            if (Log.IsDebugEnabled())
            {
                Log.Debug("isValidRequestor is rejecting: " + remotePrincipal);
            }
            return(false);
        }
Esempio n. 6
0
        /// <exception cref="System.IO.IOException"/>
        private void ValidateRequest(ServletContext context, Configuration conf, HttpServletRequest
                                     request, HttpServletResponse response, FSImage nnImage, string theirStorageInfoString
                                     )
        {
            if (UserGroupInformation.IsSecurityEnabled() && !IsValidRequestor(context, request
                                                                              .GetUserPrincipal().GetName(), conf))
            {
                string errorMsg = "Only Namenode, Secondary Namenode, and administrators may access "
                                  + "this servlet";
                response.SendError(HttpServletResponse.ScForbidden, errorMsg);
                Log.Warn("Received non-NN/SNN/administrator request for image or edits from " + request
                         .GetUserPrincipal().GetName() + " at " + request.GetRemoteHost());
                throw new IOException(errorMsg);
            }
            string myStorageInfoString = nnImage.GetStorage().ToColonSeparatedString();

            if (theirStorageInfoString != null && !myStorageInfoString.Equals(theirStorageInfoString
                                                                              ))
            {
                string errorMsg = "This namenode has storage info " + myStorageInfoString + " but the secondary expected "
                                  + theirStorageInfoString;
                response.SendError(HttpServletResponse.ScForbidden, errorMsg);
                Log.Warn("Received an invalid request file transfer request " + "from a secondary with storage info "
                         + theirStorageInfoString);
                throw new IOException(errorMsg);
            }
        }
Esempio n. 7
0
 /// <exception cref="Javax.Servlet.ServletException"/>
 /// <exception cref="System.IO.IOException"/>
 protected override void DoGet(HttpServletRequest req, HttpServletResponse resp)
 {
     resp.SetStatus(HttpServletResponse.ScOk);
     resp.GetWriter().Write(req.GetUserPrincipal().GetName());
 }