/// <exception cref="System.IO.IOException"/> private static UserGroupInformation GetTokenUGI(ServletContext context, HttpServletRequest request, string tokenString, Configuration conf) { Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier>(); token.DecodeFromUrlString(tokenString); IPEndPoint serviceAddress = GetNNServiceAddress(context, request); if (serviceAddress != null) { SecurityUtil.SetTokenService(token, serviceAddress); token.SetKind(DelegationTokenIdentifier.HdfsDelegationKind); } ByteArrayInputStream buf = new ByteArrayInputStream(token.GetIdentifier()); DataInputStream @in = new DataInputStream(buf); DelegationTokenIdentifier id = new DelegationTokenIdentifier(); id.ReadFields(@in); if (context != null) { NameNode nn = NameNodeHttpServer.GetNameNodeFromContext(context); if (nn != null) { // Verify the token. nn.GetNamesystem().VerifyToken(id, token.GetPassword()); } } UserGroupInformation ugi = id.GetUser(); ugi.AddToken(token); return(ugi); }
/// <exception cref="System.IO.IOException"/> public virtual GetDelegationTokenResponse GetDelegationToken(GetDelegationTokenRequest request) { UserGroupInformation ugi = UserGroupInformation.GetCurrentUser(); // Verify that the connection is kerberos authenticated if (!this.IsAllowedDelegationTokenOp()) { throw new IOException("Delegation Token can be issued only with kerberos authentication" ); } GetDelegationTokenResponse response = this.recordFactory.NewRecordInstance <GetDelegationTokenResponse >(); string user = ugi.GetUserName(); Text owner = new Text(user); Text realUser = null; if (ugi.GetRealUser() != null) { realUser = new Text(ugi.GetRealUser().GetUserName()); } MRDelegationTokenIdentifier tokenIdentifier = new MRDelegationTokenIdentifier(owner , new Text(request.GetRenewer()), realUser); Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> realJHSToken = new Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenIdentifier , this._enclosing.jhsDTSecretManager); Org.Apache.Hadoop.Yarn.Api.Records.Token mrDToken = Org.Apache.Hadoop.Yarn.Api.Records.Token .NewInstance(realJHSToken.GetIdentifier(), realJHSToken.GetKind().ToString(), realJHSToken .GetPassword(), realJHSToken.GetService().ToString()); response.SetDelegationToken(mrDToken); return(response); }
internal static bool CheckEqual(Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier > a, Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> b) { return(Arrays.Equals(a.GetIdentifier(), b.GetIdentifier()) && Arrays.Equals(a.GetPassword (), b.GetPassword()) && IsEqual(a.GetKind(), b.GetKind()) && IsEqual(a.GetService (), b.GetService())); }
/// <exception cref="System.IO.IOException"/> public override TokenIdent CancelToken(Org.Apache.Hadoop.Security.Token.Token <TokenIdent > token, string canceller) { lock (this) { ByteArrayInputStream buf = new ByteArrayInputStream(token.GetIdentifier()); DataInputStream @in = new DataInputStream(buf); TokenIdent id = CreateIdentifier(); id.ReadFields(@in); try { if (!currentTokens.Contains(id)) { // See if token can be retrieved and placed in currentTokens GetTokenInfo(id); } return(base.CancelToken(token, canceller)); } catch (Exception e) { Log.Error("Exception while checking if token exist !!", e); return(id); } } }
private void Compare(Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier> expected, Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier> actual) { NUnit.Framework.Assert.IsTrue(Arrays.Equals(expected.GetIdentifier(), actual.GetIdentifier ())); NUnit.Framework.Assert.IsTrue(Arrays.Equals(expected.GetPassword(), actual.GetPassword ())); NUnit.Framework.Assert.AreEqual(expected.GetKind(), actual.GetKind()); NUnit.Framework.Assert.AreEqual(expected.GetService(), actual.GetService()); }
/// <exception cref="System.IO.IOException"/> private static DelegationTokenIdentifier DecodeToken(Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token, Text tokenKind) { ByteArrayInputStream buf = new ByteArrayInputStream(token.GetIdentifier()); DataInputStream dis = new DataInputStream(buf); DelegationTokenIdentifier id = new DelegationTokenIdentifier(tokenKind); id.ReadFields(dis); dis.Close(); return(id); }
/// <exception cref="System.IO.IOException"/> private UserGroupInformation TokenUGI() { Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = @params .DelegationToken(); ByteArrayInputStream buf = new ByteArrayInputStream(token.GetIdentifier()); DataInputStream @in = new DataInputStream(buf); DelegationTokenIdentifier id = new DelegationTokenIdentifier(); id.ReadFields(@in); UserGroupInformation ugi = id.GetUser(); ugi.AddToken(token); return(ugi); }
public virtual void TestDelegationTokenSecretManager() { TestDelegationToken.TestDelegationTokenSecretManager dtSecretManager = new TestDelegationToken.TestDelegationTokenSecretManager (24 * 60 * 60 * 1000, 3 * 1000, 1 * 1000, 3600000); try { dtSecretManager.StartThreads(); Org.Apache.Hadoop.Security.Token.Token <TestDelegationToken.TestDelegationTokenIdentifier > token = GenerateDelegationToken(dtSecretManager, "SomeUser", "JobTracker"); Assert.True(dtSecretManager.isStoreNewTokenCalled); // Fake renewer should not be able to renew ShouldThrow(new _PrivilegedExceptionAction_272(dtSecretManager, token), typeof(AccessControlException )); long time = dtSecretManager.RenewToken(token, "JobTracker"); Assert.True(dtSecretManager.isUpdateStoredTokenCalled); Assert.True("renew time is in future", time > Time.Now()); TestDelegationToken.TestDelegationTokenIdentifier identifier = new TestDelegationToken.TestDelegationTokenIdentifier (); byte[] tokenId = token.GetIdentifier(); identifier.ReadFields(new DataInputStream(new ByteArrayInputStream(tokenId))); Assert.True(null != dtSecretManager.RetrievePassword(identifier )); Log.Info("Sleep to expire the token"); Thread.Sleep(2000); //Token should be expired try { dtSecretManager.RetrievePassword(identifier); //Should not come here NUnit.Framework.Assert.Fail("Token should have expired"); } catch (SecretManager.InvalidToken) { } //Success dtSecretManager.RenewToken(token, "JobTracker"); Log.Info("Sleep beyond the max lifetime"); Thread.Sleep(2000); ShouldThrow(new _PrivilegedExceptionAction_302(dtSecretManager, token), typeof(SecretManager.InvalidToken )); } finally { dtSecretManager.StopThreads(); } }
public virtual void ExpectedTokenIsRetrievedFromHttp() { bootstrap = StartHttpServer(httpPort, testToken, serviceUrl); DelegationTokenFetcher.Main(new string[] { "-webservice=" + serviceUrl, tokenFile }); Path p = new Path(fileSys.GetWorkingDirectory(), tokenFile); Credentials creds = Credentials.ReadTokenStorageFile(p, conf); IEnumerator <Org.Apache.Hadoop.Security.Token.Token <object> > itr = creds.GetAllTokens ().GetEnumerator(); NUnit.Framework.Assert.IsTrue("token not exist error", itr.HasNext()); Org.Apache.Hadoop.Security.Token.Token <object> fetchedToken = itr.Next(); Assert.AssertArrayEquals("token wrong identifier error", testToken.GetIdentifier( ), fetchedToken.GetIdentifier()); Assert.AssertArrayEquals("token wrong password error", testToken.GetPassword(), fetchedToken .GetPassword()); if (assertionError != null) { throw assertionError; } }
/// <exception cref="System.Exception"/> public virtual void TestRollMasterKey() { TestDelegationToken.TestDelegationTokenSecretManager dtSecretManager = new TestDelegationToken.TestDelegationTokenSecretManager (800, 800, 1 * 1000, 3600000); try { dtSecretManager.StartThreads(); //generate a token and store the password Org.Apache.Hadoop.Security.Token.Token <TestDelegationToken.TestDelegationTokenIdentifier > token = GenerateDelegationToken(dtSecretManager, "SomeUser", "JobTracker"); byte[] oldPasswd = token.GetPassword(); //store the length of the keys list int prevNumKeys = dtSecretManager.GetAllKeys().Length; dtSecretManager.RollMasterKey(); Assert.True(dtSecretManager.isStoreNewMasterKeyCalled); //after rolling, the length of the keys list must increase int currNumKeys = dtSecretManager.GetAllKeys().Length; Assert.Equal((currNumKeys - prevNumKeys) >= 1, true); //after rolling, the token that was generated earlier must //still be valid (retrievePassword will fail if the token //is not valid) ByteArrayInputStream bi = new ByteArrayInputStream(token.GetIdentifier()); TestDelegationToken.TestDelegationTokenIdentifier identifier = dtSecretManager.CreateIdentifier (); identifier.ReadFields(new DataInputStream(bi)); byte[] newPasswd = dtSecretManager.RetrievePassword(identifier); //compare the passwords Assert.Equal(oldPasswd, newPasswd); // wait for keys to expire while (!dtSecretManager.isRemoveStoredMasterKeyCalled) { Thread.Sleep(200); } } finally { dtSecretManager.StopThreads(); } }
/// <exception cref="System.IO.IOException"/> private void RecordJobShuffleInfo(JobID jobId, string user, Org.Apache.Hadoop.Security.Token.Token <JobTokenIdentifier> jobToken) { if (stateDb != null) { SecurityProtos.TokenProto tokenProto = ((SecurityProtos.TokenProto)SecurityProtos.TokenProto .NewBuilder().SetIdentifier(ByteString.CopyFrom(jobToken.GetIdentifier())).SetPassword (ByteString.CopyFrom(jobToken.GetPassword())).SetKind(jobToken.GetKind().ToString ()).SetService(jobToken.GetService().ToString()).Build()); ShuffleHandlerRecoveryProtos.JobShuffleInfoProto proto = ((ShuffleHandlerRecoveryProtos.JobShuffleInfoProto )ShuffleHandlerRecoveryProtos.JobShuffleInfoProto.NewBuilder().SetUser(user).SetJobToken (tokenProto).Build()); try { stateDb.Put(JniDBFactory.Bytes(jobId.ToString()), proto.ToByteArray()); } catch (DBException e) { throw new IOException("Error storing " + jobId, e); } } AddJobToken(jobId, user, jobToken); }
/// <summary> /// Builds the client's user name for the general-purpose handshake, consisting /// of the base64-encoded serialized block access token identifier. /// </summary> /// <remarks> /// Builds the client's user name for the general-purpose handshake, consisting /// of the base64-encoded serialized block access token identifier. Note that /// this includes only the token identifier, not the token itself, which would /// include the password. The password is a shared secret, and we must not /// write it on the network during the SASL authentication exchange. /// </remarks> /// <param name="blockToken">for block access</param> /// <returns>SASL user name</returns> private static string BuildUserName(Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier > blockToken) { return(new string(Base64.EncodeBase64(blockToken.GetIdentifier(), false), Charsets .Utf8)); }