/// <summary>
/// Authenticates a request looking for the <code>delegation</code>
/// query-string parameter and verifying it is a valid token.
/// </summary>
/// <remarks>
/// Authenticates a request looking for the <code>delegation</code>
/// query-string parameter and verifying it is a valid token. If there is not
/// <code>delegation</code> query-string parameter, it delegates the
/// authentication to the
/// <see cref="Org.Apache.Hadoop.Security.Authentication.Server.KerberosAuthenticationHandler
/// "/>
/// unless it is
/// disabled.
/// </remarks>
/// <param name="request">the HTTP client request.</param>
/// <param name="response">the HTTP client response.</param>
/// <returns>the authentication token for the authenticated request.</returns>
/// <exception cref="System.IO.IOException">thrown if an IO error occurred.</exception>
/// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
/// ">thrown if the authentication failed.</exception>
public override AuthenticationToken Authenticate(HttpServletRequest request, HttpServletResponse
response)
{
AuthenticationToken token;
string delegationParam = GetDelegationToken(request);
if (delegationParam != null)
{
try
{
Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
Org.Apache.Hadoop.Security.Token.Token();
dt.DecodeFromUrlString(delegationParam);
UserGroupInformation ugi = tokenManager.VerifyToken(dt);
string shortName = ugi.GetShortUserName();
// creating a ephemeral token
token = new AuthenticationToken(shortName, ugi.GetUserName(), GetType());
token.SetExpires(0);
request.SetAttribute(DelegationTokenUgiAttribute, ugi);
}
catch (Exception ex)
{
token = null;
HttpExceptionUtils.CreateServletExceptionResponse(response, HttpServletResponse.ScForbidden
, new AuthenticationException(ex));
}
}
else
{
token = authHandler.Authenticate(request, response);
}
return(token);
}
/// <exception cref="System.IO.IOException"/>
private static UserGroupInformation GetTokenUGI(ServletContext context, HttpServletRequest
request, string tokenString, Configuration conf)
{
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>();
token.DecodeFromUrlString(tokenString);
IPEndPoint serviceAddress = GetNNServiceAddress(context, request);
if (serviceAddress != null)
{
SecurityUtil.SetTokenService(token, serviceAddress);
token.SetKind(DelegationTokenIdentifier.HdfsDelegationKind);
}
ByteArrayInputStream buf = new ByteArrayInputStream(token.GetIdentifier());
DataInputStream @in = new DataInputStream(buf);
DelegationTokenIdentifier id = new DelegationTokenIdentifier();
id.ReadFields(@in);
if (context != null)
{
NameNode nn = NameNodeHttpServer.GetNameNodeFromContext(context);
if (nn != null)
{
// Verify the token.
nn.GetNamesystem().VerifyToken(id, token.GetPassword());
}
}
UserGroupInformation ugi = id.GetUser();
ugi.AddToken(token);
return(ugi);
}
/// <exception cref="System.Exception"/>
public Void Call()
{
string token = string.Empty;
string owner = string.Empty;
string renewer = "renewer";
string body = "{\"renewer\":\"" + renewer + "\"}";
Uri url = new Uri("http://localhost:8088/ws/v1/cluster/delegation-token?doAs=client2"
);
HttpURLConnection conn = (HttpURLConnection)url.OpenConnection();
Org.Apache.Hadoop.Yarn.Server.Resourcemanager.Webapp.TestRMWebServicesDelegationTokenAuthentication
.SetupConn(conn, "POST", MediaType.ApplicationJson, body);
InputStream response = conn.GetInputStream();
NUnit.Framework.Assert.AreEqual(ClientResponse.Status.Ok.GetStatusCode(), conn.GetResponseCode
());
BufferedReader reader = null;
try
{
reader = new BufferedReader(new InputStreamReader(response, "UTF8"));
for (string line; (line = reader.ReadLine()) != null;)
{
JSONObject obj = new JSONObject(line);
if (obj.Has("token"))
{
token = obj.GetString("token");
}
if (obj.Has("owner"))
{
owner = obj.GetString("owner");
}
}
}
finally
{
IOUtils.CloseQuietly(reader);
IOUtils.CloseQuietly(response);
}
NUnit.Framework.Assert.AreEqual("client2", owner);
Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> realToken = new
Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier>();
realToken.DecodeFromUrlString(token);
NUnit.Framework.Assert.AreEqual("client2", realToken.DecodeIdentifier().GetOwner(
).ToString());
return(null);
}
/// <exception cref="Javax.Servlet.ServletException"/>
/// <exception cref="System.IO.IOException"/>
protected override void DoGet(HttpServletRequest req, HttpServletResponse resp)
{
UserGroupInformation ugi;
ServletContext context = GetServletContext();
Configuration conf = NameNodeHttpServer.GetConfFromContext(context);
try
{
ugi = GetUGI(req, conf);
}
catch (IOException ioe)
{
Log.Info("Request for token received with no authentication from " + req.GetRemoteAddr
(), ioe);
resp.SendError(HttpServletResponse.ScForbidden, "Unable to identify or authenticate user"
);
return;
}
NameNode nn = NameNodeHttpServer.GetNameNodeFromContext(context);
string tokenString = req.GetParameter(Token);
if (tokenString == null)
{
resp.SendError(HttpServletResponse.ScMultipleChoices, "Token to renew not specified"
);
}
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>();
token.DecodeFromUrlString(tokenString);
try
{
long result = ugi.DoAs(new _PrivilegedExceptionAction_73(nn, token));
PrintWriter os = new PrintWriter(new OutputStreamWriter(resp.GetOutputStream(), Charsets
.Utf8));
os.WriteLine(result);
os.Close();
}
catch (Exception e)
{
// transfer exception over the http
string exceptionClass = e.GetType().FullName;
string exceptionMsg = e.GetLocalizedMessage();
string strException = exceptionClass + ";" + exceptionMsg;
Log.Info("Exception while renewing token. Re-throwing. s=" + strException, e);
resp.SendError(HttpServletResponse.ScInternalServerError, strException);
}
}
> DelegationToken()
{
string delegation = Param(DelegationParam.Name);
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>();
token.DecodeFromUrlString(delegation);
URI nnUri = URI.Create(HdfsConstants.HdfsUriScheme + "://" + NamenodeId());
bool isLogical = HAUtil.IsLogicalUri(conf, nnUri);
if (isLogical)
{
token.SetService(HAUtil.BuildTokenServiceForLogicalUri(nnUri, HdfsConstants.HdfsUriScheme
));
}
else
{
token.SetService(SecurityUtil.BuildTokenService(nnUri));
}
return(token);
}
/// <exception cref="System.Exception"/>
public static void TestEncodeWritable()
{
string[] values = new string[] { string.Empty, "a", "bb", "ccc", "dddd", "eeeee",
"ffffff", "ggggggg", "hhhhhhhh", "iiiiiiiii", "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLM"
+ "NOPQRSTUVWXYZ01234567890!@#$%^&*()-=_+[]{}|;':,./<>?" };
Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> orig;
Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> copy =
new Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier>();
// ensure that for each string the input and output values match
for (int i = 0; i < values.Length; ++i)
{
string val = values[i];
System.Console.Out.WriteLine("Input = " + val);
orig = new Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier
>(Runtime.GetBytesForString(val), Runtime.GetBytesForString(val)
, new Text(val), new Text(val));
string encode = orig.EncodeToUrlString();
copy.DecodeFromUrlString(encode);
Assert.Equal(orig, copy);
CheckUrlSafe(encode);
}
}
/// <exception cref="Javax.Servlet.ServletException"/>
/// <exception cref="System.IO.IOException"/>
protected override void DoGet(HttpServletRequest req, HttpServletResponse resp)
{
UserGroupInformation ugi;
ServletContext context = GetServletContext();
Configuration conf = NameNodeHttpServer.GetConfFromContext(context);
try
{
ugi = GetUGI(req, conf);
}
catch (IOException ioe)
{
Log.Info("Request for token received with no authentication from " + req.GetRemoteAddr
(), ioe);
resp.SendError(HttpServletResponse.ScForbidden, "Unable to identify or authenticate user"
);
return;
}
NameNode nn = NameNodeHttpServer.GetNameNodeFromContext(context);
string tokenString = req.GetParameter(Token);
if (tokenString == null)
{
resp.SendError(HttpServletResponse.ScMultipleChoices, "Token to renew not specified"
);
}
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>();
token.DecodeFromUrlString(tokenString);
try
{
ugi.DoAs(new _PrivilegedExceptionAction_70(nn, token));
}
catch (Exception e)
{
Log.Info("Exception while cancelling token. Re-throwing. ", e);
resp.SendError(HttpServletResponse.ScInternalServerError, e.Message);
}
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
/// "/>
public override bool ManagementOperation(AuthenticationToken token, HttpServletRequest
request, HttpServletResponse response)
{
bool requestContinues = true;
string op = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.OpParam);
op = (op != null) ? StringUtils.ToUpperCase(op) : null;
if (DelegationTokenOps.Contains(op) && !request.GetMethod().Equals("OPTIONS"))
{
DelegationTokenAuthenticator.DelegationTokenOperation dtOp = DelegationTokenAuthenticator.DelegationTokenOperation
.ValueOf(op);
if (dtOp.GetHttpMethod().Equals(request.GetMethod()))
{
bool doManagement;
if (dtOp.RequiresKerberosCredentials() && token == null)
{
token = Authenticate(request, response);
if (token == null)
{
requestContinues = false;
doManagement = false;
}
else
{
doManagement = true;
}
}
else
{
doManagement = true;
}
if (doManagement)
{
UserGroupInformation requestUgi = (token != null) ? UserGroupInformation.CreateRemoteUser
(token.GetUserName()) : null;
// Create the proxy user if doAsUser exists
string doAsUser = DelegationTokenAuthenticationFilter.GetDoAs(request);
if (requestUgi != null && doAsUser != null)
{
requestUgi = UserGroupInformation.CreateProxyUser(doAsUser, requestUgi);
try
{
ProxyUsers.Authorize(requestUgi, request.GetRemoteHost());
}
catch (AuthorizationException ex)
{
HttpExceptionUtils.CreateServletExceptionResponse(response, HttpServletResponse.ScForbidden
, ex);
return(false);
}
}
IDictionary map = null;
switch (dtOp)
{
case DelegationTokenAuthenticator.DelegationTokenOperation.Getdelegationtoken:
{
if (requestUgi == null)
{
throw new InvalidOperationException("request UGI cannot be NULL");
}
string renewer = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.RenewerParam);
try
{
Org.Apache.Hadoop.Security.Token.Token <object> dToken = tokenManager.CreateToken(
requestUgi, renewer);
map = DelegationTokenToJSON(dToken);
}
catch (IOException ex)
{
throw new AuthenticationException(ex.ToString(), ex);
}
break;
}
case DelegationTokenAuthenticator.DelegationTokenOperation.Renewdelegationtoken:
{
if (requestUgi == null)
{
throw new InvalidOperationException("request UGI cannot be NULL");
}
string tokenToRenew = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.TokenParam);
if (tokenToRenew == null)
{
response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]"
, dtOp, KerberosDelegationTokenAuthenticator.TokenParam));
requestContinues = false;
}
else
{
Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
Org.Apache.Hadoop.Security.Token.Token();
try
{
dt.DecodeFromUrlString(tokenToRenew);
long expirationTime = tokenManager.RenewToken(dt, requestUgi.GetShortUserName());
map = new Hashtable();
map["long"] = expirationTime;
}
catch (IOException ex)
{
throw new AuthenticationException(ex.ToString(), ex);
}
}
break;
}
case DelegationTokenAuthenticator.DelegationTokenOperation.Canceldelegationtoken:
{
string tokenToCancel = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.TokenParam);
if (tokenToCancel == null)
{
response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]"
, dtOp, KerberosDelegationTokenAuthenticator.TokenParam));
requestContinues = false;
}
else
{
Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
Org.Apache.Hadoop.Security.Token.Token();
try
{
dt.DecodeFromUrlString(tokenToCancel);
tokenManager.CancelToken(dt, (requestUgi != null) ? requestUgi.GetShortUserName()
: null);
}
catch (IOException)
{
response.SendError(HttpServletResponse.ScNotFound, "Invalid delegation token, cannot cancel"
);
requestContinues = false;
}
}
break;
}
}
if (requestContinues)
{
response.SetStatus(HttpServletResponse.ScOk);
if (map != null)
{
response.SetContentType(MediaType.ApplicationJson);
TextWriter writer = response.GetWriter();
ObjectMapper jsonMapper = new ObjectMapper();
jsonMapper.WriteValue(writer, map);
writer.Write(Enter);
writer.Flush();
}
requestContinues = false;
}
}
}
else
{
response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Wrong HTTP method [{0}] for operation [{1}], it should be "
+ "[{2}]", request.GetMethod(), dtOp, dtOp.GetHttpMethod()));
requestContinues = false;
}
}
return(requestContinues);
}
