/// <exception cref="System.IO.IOException"/>
private static UserGroupInformation GetTokenUGI(ServletContext context, HttpServletRequest
request, string tokenString, Configuration conf)
{
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>();
token.DecodeFromUrlString(tokenString);
IPEndPoint serviceAddress = GetNNServiceAddress(context, request);
if (serviceAddress != null)
{
SecurityUtil.SetTokenService(token, serviceAddress);
token.SetKind(DelegationTokenIdentifier.HdfsDelegationKind);
}
ByteArrayInputStream buf = new ByteArrayInputStream(token.GetIdentifier());
DataInputStream @in = new DataInputStream(buf);
DelegationTokenIdentifier id = new DelegationTokenIdentifier();
id.ReadFields(@in);
if (context != null)
{
NameNode nn = NameNodeHttpServer.GetNameNodeFromContext(context);
if (nn != null)
{
// Verify the token.
nn.GetNamesystem().VerifyToken(id, token.GetPassword());
}
}
UserGroupInformation ugi = id.GetUser();
ugi.AddToken(token);
return(ugi);
}
/// <exception cref="System.IO.IOException"/>
public virtual GetDelegationTokenResponse GetDelegationToken(GetDelegationTokenRequest
request)
{
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
// Verify that the connection is kerberos authenticated
if (!this.IsAllowedDelegationTokenOp())
{
throw new IOException("Delegation Token can be issued only with kerberos authentication"
);
}
GetDelegationTokenResponse response = this.recordFactory.NewRecordInstance <GetDelegationTokenResponse
>();
string user = ugi.GetUserName();
Text owner = new Text(user);
Text realUser = null;
if (ugi.GetRealUser() != null)
{
realUser = new Text(ugi.GetRealUser().GetUserName());
}
MRDelegationTokenIdentifier tokenIdentifier = new MRDelegationTokenIdentifier(owner
, new Text(request.GetRenewer()), realUser);
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> realJHSToken =
new Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenIdentifier
, this._enclosing.jhsDTSecretManager);
Org.Apache.Hadoop.Yarn.Api.Records.Token mrDToken = Org.Apache.Hadoop.Yarn.Api.Records.Token
.NewInstance(realJHSToken.GetIdentifier(), realJHSToken.GetKind().ToString(), realJHSToken
.GetPassword(), realJHSToken.GetService().ToString());
response.SetDelegationToken(mrDToken);
return(response);
}
internal static bool CheckEqual(Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier
> a, Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> b)
{
return(Arrays.Equals(a.GetIdentifier(), b.GetIdentifier()) && Arrays.Equals(a.GetPassword
(), b.GetPassword()) && IsEqual(a.GetKind(), b.GetKind()) && IsEqual(a.GetService
(), b.GetService()));
}
/// <exception cref="System.IO.IOException"/>
public override TokenIdent CancelToken(Org.Apache.Hadoop.Security.Token.Token <TokenIdent
> token, string canceller)
{
lock (this)
{
ByteArrayInputStream buf = new ByteArrayInputStream(token.GetIdentifier());
DataInputStream @in = new DataInputStream(buf);
TokenIdent id = CreateIdentifier();
id.ReadFields(@in);
try
{
if (!currentTokens.Contains(id))
{
// See if token can be retrieved and placed in currentTokens
GetTokenInfo(id);
}
return(base.CancelToken(token, canceller));
}
catch (Exception e)
{
Log.Error("Exception while checking if token exist !!", e);
return(id);
}
}
}
private void Compare(Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier>
expected, Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier> actual)
{
NUnit.Framework.Assert.IsTrue(Arrays.Equals(expected.GetIdentifier(), actual.GetIdentifier
()));
NUnit.Framework.Assert.IsTrue(Arrays.Equals(expected.GetPassword(), actual.GetPassword
()));
NUnit.Framework.Assert.AreEqual(expected.GetKind(), actual.GetKind());
NUnit.Framework.Assert.AreEqual(expected.GetService(), actual.GetService());
}
/// <exception cref="System.IO.IOException"/>
private static DelegationTokenIdentifier DecodeToken(Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier> token, Text tokenKind)
{
ByteArrayInputStream buf = new ByteArrayInputStream(token.GetIdentifier());
DataInputStream dis = new DataInputStream(buf);
DelegationTokenIdentifier id = new DelegationTokenIdentifier(tokenKind);
id.ReadFields(dis);
dis.Close();
return(id);
}
/// <exception cref="System.IO.IOException"/>
private UserGroupInformation TokenUGI()
{
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = @params
.DelegationToken();
ByteArrayInputStream buf = new ByteArrayInputStream(token.GetIdentifier());
DataInputStream @in = new DataInputStream(buf);
DelegationTokenIdentifier id = new DelegationTokenIdentifier();
id.ReadFields(@in);
UserGroupInformation ugi = id.GetUser();
ugi.AddToken(token);
return(ugi);
}
public virtual void TestDelegationTokenSecretManager()
{
TestDelegationToken.TestDelegationTokenSecretManager dtSecretManager = new TestDelegationToken.TestDelegationTokenSecretManager
(24 * 60 * 60 * 1000, 3 * 1000, 1 * 1000, 3600000);
try
{
dtSecretManager.StartThreads();
Org.Apache.Hadoop.Security.Token.Token <TestDelegationToken.TestDelegationTokenIdentifier
> token = GenerateDelegationToken(dtSecretManager, "SomeUser", "JobTracker");
Assert.True(dtSecretManager.isStoreNewTokenCalled);
// Fake renewer should not be able to renew
ShouldThrow(new _PrivilegedExceptionAction_272(dtSecretManager, token), typeof(AccessControlException
));
long time = dtSecretManager.RenewToken(token, "JobTracker");
Assert.True(dtSecretManager.isUpdateStoredTokenCalled);
Assert.True("renew time is in future", time > Time.Now());
TestDelegationToken.TestDelegationTokenIdentifier identifier = new TestDelegationToken.TestDelegationTokenIdentifier
();
byte[] tokenId = token.GetIdentifier();
identifier.ReadFields(new DataInputStream(new ByteArrayInputStream(tokenId)));
Assert.True(null != dtSecretManager.RetrievePassword(identifier
));
Log.Info("Sleep to expire the token");
Thread.Sleep(2000);
//Token should be expired
try
{
dtSecretManager.RetrievePassword(identifier);
//Should not come here
NUnit.Framework.Assert.Fail("Token should have expired");
}
catch (SecretManager.InvalidToken)
{
}
//Success
dtSecretManager.RenewToken(token, "JobTracker");
Log.Info("Sleep beyond the max lifetime");
Thread.Sleep(2000);
ShouldThrow(new _PrivilegedExceptionAction_302(dtSecretManager, token), typeof(SecretManager.InvalidToken
));
}
finally
{
dtSecretManager.StopThreads();
}
}
public virtual void ExpectedTokenIsRetrievedFromHttp()
{
bootstrap = StartHttpServer(httpPort, testToken, serviceUrl);
DelegationTokenFetcher.Main(new string[] { "-webservice=" + serviceUrl, tokenFile });
Path p = new Path(fileSys.GetWorkingDirectory(), tokenFile);
Credentials creds = Credentials.ReadTokenStorageFile(p, conf);
IEnumerator <Org.Apache.Hadoop.Security.Token.Token <object> > itr = creds.GetAllTokens
().GetEnumerator();
NUnit.Framework.Assert.IsTrue("token not exist error", itr.HasNext());
Org.Apache.Hadoop.Security.Token.Token <object> fetchedToken = itr.Next();
Assert.AssertArrayEquals("token wrong identifier error", testToken.GetIdentifier(
), fetchedToken.GetIdentifier());
Assert.AssertArrayEquals("token wrong password error", testToken.GetPassword(), fetchedToken
.GetPassword());
if (assertionError != null)
{
throw assertionError;
}
}
/// <exception cref="System.Exception"/>
public virtual void TestRollMasterKey()
{
TestDelegationToken.TestDelegationTokenSecretManager dtSecretManager = new TestDelegationToken.TestDelegationTokenSecretManager
(800, 800, 1 * 1000, 3600000);
try
{
dtSecretManager.StartThreads();
//generate a token and store the password
Org.Apache.Hadoop.Security.Token.Token <TestDelegationToken.TestDelegationTokenIdentifier
> token = GenerateDelegationToken(dtSecretManager, "SomeUser", "JobTracker");
byte[] oldPasswd = token.GetPassword();
//store the length of the keys list
int prevNumKeys = dtSecretManager.GetAllKeys().Length;
dtSecretManager.RollMasterKey();
Assert.True(dtSecretManager.isStoreNewMasterKeyCalled);
//after rolling, the length of the keys list must increase
int currNumKeys = dtSecretManager.GetAllKeys().Length;
Assert.Equal((currNumKeys - prevNumKeys) >= 1, true);
//after rolling, the token that was generated earlier must
//still be valid (retrievePassword will fail if the token
//is not valid)
ByteArrayInputStream bi = new ByteArrayInputStream(token.GetIdentifier());
TestDelegationToken.TestDelegationTokenIdentifier identifier = dtSecretManager.CreateIdentifier
();
identifier.ReadFields(new DataInputStream(bi));
byte[] newPasswd = dtSecretManager.RetrievePassword(identifier);
//compare the passwords
Assert.Equal(oldPasswd, newPasswd);
// wait for keys to expire
while (!dtSecretManager.isRemoveStoredMasterKeyCalled)
{
Thread.Sleep(200);
}
}
finally
{
dtSecretManager.StopThreads();
}
}
/// <exception cref="System.IO.IOException"/>
private void RecordJobShuffleInfo(JobID jobId, string user, Org.Apache.Hadoop.Security.Token.Token
<JobTokenIdentifier> jobToken)
{
if (stateDb != null)
{
SecurityProtos.TokenProto tokenProto = ((SecurityProtos.TokenProto)SecurityProtos.TokenProto
.NewBuilder().SetIdentifier(ByteString.CopyFrom(jobToken.GetIdentifier())).SetPassword
(ByteString.CopyFrom(jobToken.GetPassword())).SetKind(jobToken.GetKind().ToString
()).SetService(jobToken.GetService().ToString()).Build());
ShuffleHandlerRecoveryProtos.JobShuffleInfoProto proto = ((ShuffleHandlerRecoveryProtos.JobShuffleInfoProto
)ShuffleHandlerRecoveryProtos.JobShuffleInfoProto.NewBuilder().SetUser(user).SetJobToken
(tokenProto).Build());
try
{
stateDb.Put(JniDBFactory.Bytes(jobId.ToString()), proto.ToByteArray());
}
catch (DBException e)
{
throw new IOException("Error storing " + jobId, e);
}
}
AddJobToken(jobId, user, jobToken);
}
/// <summary>
/// Builds the client's user name for the general-purpose handshake, consisting
/// of the base64-encoded serialized block access token identifier.
/// </summary>
/// <remarks>
/// Builds the client's user name for the general-purpose handshake, consisting
/// of the base64-encoded serialized block access token identifier. Note that
/// this includes only the token identifier, not the token itself, which would
/// include the password. The password is a shared secret, and we must not
/// write it on the network during the SASL authentication exchange.
/// </remarks>
/// <param name="blockToken">for block access</param>
/// <returns>SASL user name</returns>
private static string BuildUserName(Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier
> blockToken)
{
return(new string(Base64.EncodeBase64(blockToken.GetIdentifier(), false), Charsets
.Utf8));
}
