/// <exception cref="System.IO.IOException"/>
private static UserGroupInformation GetTokenUGI(ServletContext context, HttpServletRequest
request, string tokenString, Configuration conf)
{
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>();
token.DecodeFromUrlString(tokenString);
IPEndPoint serviceAddress = GetNNServiceAddress(context, request);
if (serviceAddress != null)
{
SecurityUtil.SetTokenService(token, serviceAddress);
token.SetKind(DelegationTokenIdentifier.HdfsDelegationKind);
}
ByteArrayInputStream buf = new ByteArrayInputStream(token.GetIdentifier());
DataInputStream @in = new DataInputStream(buf);
DelegationTokenIdentifier id = new DelegationTokenIdentifier();
id.ReadFields(@in);
if (context != null)
{
NameNode nn = NameNodeHttpServer.GetNameNodeFromContext(context);
if (nn != null)
{
// Verify the token.
nn.GetNamesystem().VerifyToken(id, token.GetPassword());
}
}
UserGroupInformation ugi = id.GetUser();
ugi.AddToken(token);
return(ugi);
}
/// <exception cref="System.IO.IOException"/>
public virtual UserGroupInformation VerifyToken <_T0>(Org.Apache.Hadoop.Security.Token.Token
<_T0> token)
where _T0 : AbstractDelegationTokenIdentifier
{
AbstractDelegationTokenIdentifier id = secretManager.DecodeTokenIdentifier(token);
secretManager.VerifyToken(id, token.GetPassword());
return(id.GetUser());
}
private void Compare(Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier>
expected, Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier> actual)
{
NUnit.Framework.Assert.IsTrue(Arrays.Equals(expected.GetIdentifier(), actual.GetIdentifier
()));
NUnit.Framework.Assert.IsTrue(Arrays.Equals(expected.GetPassword(), actual.GetPassword
()));
NUnit.Framework.Assert.AreEqual(expected.GetKind(), actual.GetKind());
NUnit.Framework.Assert.AreEqual(expected.GetService(), actual.GetService());
}
/// <exception cref="System.IO.IOException"/>
private static void ConfigureTask(JobConf job, Task task, Credentials credentials
, Org.Apache.Hadoop.Security.Token.Token <JobTokenIdentifier> jt)
{
job.SetCredentials(credentials);
ApplicationAttemptId appAttemptId = ConverterUtils.ToContainerId(Runtime.Getenv(ApplicationConstants.Environment
.ContainerId.ToString())).GetApplicationAttemptId();
Log.Debug("APPLICATION_ATTEMPT_ID: " + appAttemptId);
// Set it in conf, so as to be able to be used the the OutputCommitter.
job.SetInt(MRJobConfig.ApplicationAttemptId, appAttemptId.GetAttemptId());
// set tcp nodelay
job.SetBoolean("ipc.client.tcpnodelay", true);
job.SetClass(MRConfig.TaskLocalOutputClass, typeof(YarnOutputFiles), typeof(MapOutputFile
));
// set the jobToken and shuffle secrets into task
task.SetJobTokenSecret(JobTokenSecretManager.CreateSecretKey(jt.GetPassword()));
byte[] shuffleSecret = TokenCache.GetShuffleSecretKey(credentials);
if (shuffleSecret == null)
{
Log.Warn("Shuffle secret missing from task credentials." + " Using job token secret as shuffle secret."
);
shuffleSecret = jt.GetPassword();
}
task.SetShuffleSecret(JobTokenSecretManager.CreateSecretKey(shuffleSecret));
// setup the child's MRConfig.LOCAL_DIR.
ConfigureLocalDirs(task, job);
// setup the child's attempt directories
// Do the task-type specific localization
task.LocalizeConfiguration(job);
// Set up the DistributedCache related configs
MRApps.SetupDistributedCacheLocal(job);
// Overwrite the localized task jobconf which is linked to in the current
// work-dir.
Path localTaskFile = new Path(MRJobConfig.JobConfFile);
WriteLocalJobFile(localTaskFile, job);
task.SetJobFile(localTaskFile.ToString());
task.SetConf(job);
}
/// <exception cref="System.Exception"/>
public virtual void TestRollMasterKey()
{
TestDelegationToken.TestDelegationTokenSecretManager dtSecretManager = new TestDelegationToken.TestDelegationTokenSecretManager
(800, 800, 1 * 1000, 3600000);
try
{
dtSecretManager.StartThreads();
//generate a token and store the password
Org.Apache.Hadoop.Security.Token.Token <TestDelegationToken.TestDelegationTokenIdentifier
> token = GenerateDelegationToken(dtSecretManager, "SomeUser", "JobTracker");
byte[] oldPasswd = token.GetPassword();
//store the length of the keys list
int prevNumKeys = dtSecretManager.GetAllKeys().Length;
dtSecretManager.RollMasterKey();
Assert.True(dtSecretManager.isStoreNewMasterKeyCalled);
//after rolling, the length of the keys list must increase
int currNumKeys = dtSecretManager.GetAllKeys().Length;
Assert.Equal((currNumKeys - prevNumKeys) >= 1, true);
//after rolling, the token that was generated earlier must
//still be valid (retrievePassword will fail if the token
//is not valid)
ByteArrayInputStream bi = new ByteArrayInputStream(token.GetIdentifier());
TestDelegationToken.TestDelegationTokenIdentifier identifier = dtSecretManager.CreateIdentifier
();
identifier.ReadFields(new DataInputStream(bi));
byte[] newPasswd = dtSecretManager.RetrievePassword(identifier);
//compare the passwords
Assert.Equal(oldPasswd, newPasswd);
// wait for keys to expire
while (!dtSecretManager.isRemoveStoredMasterKeyCalled)
{
Thread.Sleep(200);
}
}
finally
{
dtSecretManager.StopThreads();
}
}
/// <exception cref="System.IO.IOException"/>
private void RecordJobShuffleInfo(JobID jobId, string user, Org.Apache.Hadoop.Security.Token.Token
<JobTokenIdentifier> jobToken)
{
if (stateDb != null)
{
SecurityProtos.TokenProto tokenProto = ((SecurityProtos.TokenProto)SecurityProtos.TokenProto
.NewBuilder().SetIdentifier(ByteString.CopyFrom(jobToken.GetIdentifier())).SetPassword
(ByteString.CopyFrom(jobToken.GetPassword())).SetKind(jobToken.GetKind().ToString
()).SetService(jobToken.GetService().ToString()).Build());
ShuffleHandlerRecoveryProtos.JobShuffleInfoProto proto = ((ShuffleHandlerRecoveryProtos.JobShuffleInfoProto
)ShuffleHandlerRecoveryProtos.JobShuffleInfoProto.NewBuilder().SetUser(user).SetJobToken
(tokenProto).Build());
try
{
stateDb.Put(JniDBFactory.Bytes(jobId.ToString()), proto.ToByteArray());
}
catch (DBException e)
{
throw new IOException("Error storing " + jobId, e);
}
}
AddJobToken(jobId, user, jobToken);
}
/// <summary>Start the child process to handle the task for us.</summary>
/// <param name="conf">the task's configuration</param>
/// <param name="recordReader">the fake record reader to update progress with</param>
/// <param name="output">the collector to send output to</param>
/// <param name="reporter">the reporter for the task</param>
/// <param name="outputKeyClass">the class of the output keys</param>
/// <param name="outputValueClass">the class of the output values</param>
/// <exception cref="System.IO.IOException"/>
/// <exception cref="System.Exception"/>
internal Application(JobConf conf, RecordReader <FloatWritable, NullWritable> recordReader
, OutputCollector <K2, V2> output, Reporter reporter, Type outputKeyClass, Type outputValueClass
)
{
serverSocket = Sharpen.Extensions.CreateServerSocket(0);
IDictionary <string, string> env = new Dictionary <string, string>();
// add TMPDIR environment variable with the value of java.io.tmpdir
env["TMPDIR"] = Runtime.GetProperty("java.io.tmpdir");
env[Submitter.Port] = Sharpen.Extensions.ToString(serverSocket.GetLocalPort());
//Add token to the environment if security is enabled
Org.Apache.Hadoop.Security.Token.Token <JobTokenIdentifier> jobToken = TokenCache.
GetJobToken(conf.GetCredentials());
// This password is used as shared secret key between this application and
// child pipes process
byte[] password = jobToken.GetPassword();
string localPasswordFile = new FilePath(".") + Path.Separator + "jobTokenPassword";
WritePasswordToLocalFile(localPasswordFile, password, conf);
env["hadoop.pipes.shared.secret.location"] = localPasswordFile;
IList <string> cmd = new AList <string>();
string interpretor = conf.Get(Submitter.Interpretor);
if (interpretor != null)
{
cmd.AddItem(interpretor);
}
string executable = DistributedCache.GetLocalCacheFiles(conf)[0].ToString();
if (!FileUtil.CanExecute(new FilePath(executable)))
{
// LinuxTaskController sets +x permissions on all distcache files already.
// In case of DefaultTaskController, set permissions here.
FileUtil.Chmod(executable, "u+x");
}
cmd.AddItem(executable);
// wrap the command in a stdout/stderr capture
// we are starting map/reduce task of the pipes job. this is not a cleanup
// attempt.
TaskAttemptID taskid = ((TaskAttemptID)TaskAttemptID.ForName(conf.Get(MRJobConfig
.TaskAttemptId)));
FilePath stdout = TaskLog.GetTaskLogFile(taskid, false, TaskLog.LogName.Stdout);
FilePath stderr = TaskLog.GetTaskLogFile(taskid, false, TaskLog.LogName.Stderr);
long logLength = TaskLog.GetTaskLogLength(conf);
cmd = TaskLog.CaptureOutAndError(null, cmd, stdout, stderr, logLength, false);
process = RunClient(cmd, env);
clientSocket = serverSocket.Accept();
string challenge = GetSecurityChallenge();
string digestToSend = CreateDigest(password, challenge);
string digestExpected = CreateDigest(password, digestToSend);
handler = new OutputHandler <K2, V2>(output, reporter, recordReader, digestExpected
);
K2 outputKey = (K2)ReflectionUtils.NewInstance(outputKeyClass, conf);
V2 outputValue = (V2)ReflectionUtils.NewInstance(outputValueClass, conf);
downlink = new BinaryProtocol <K1, V1, K2, V2>(clientSocket, handler, outputKey, outputValue
, conf);
downlink.Authenticate(digestToSend, challenge);
WaitForAuthentication();
Log.Debug("Authentication succeeded");
downlink.Start();
downlink.SetJobConf(conf);
}
/// <exception cref="System.IO.IOException"/>
public virtual GetDelegationTokenResponse GetDelegationToken(GetDelegationTokenRequest
request)
{
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
// Verify that the connection is kerberos authenticated
if (!this.IsAllowedDelegationTokenOp())
{
throw new IOException("Delegation Token can be issued only with kerberos authentication"
);
}
GetDelegationTokenResponse response = this.recordFactory.NewRecordInstance <GetDelegationTokenResponse
>();
string user = ugi.GetUserName();
Text owner = new Text(user);
Text realUser = null;
if (ugi.GetRealUser() != null)
{
realUser = new Text(ugi.GetRealUser().GetUserName());
}
MRDelegationTokenIdentifier tokenIdentifier = new MRDelegationTokenIdentifier(owner
, new Text(request.GetRenewer()), realUser);
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> realJHSToken =
new Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenIdentifier
, this._enclosing.jhsDTSecretManager);
Org.Apache.Hadoop.Yarn.Api.Records.Token mrDToken = Org.Apache.Hadoop.Yarn.Api.Records.Token
.NewInstance(realJHSToken.GetIdentifier(), realJHSToken.GetKind().ToString(), realJHSToken
.GetPassword(), realJHSToken.GetService().ToString());
response.SetDelegationToken(mrDToken);
return(response);
}
/// <exception cref="System.Exception"/>
public LocatedBlocks Answer(InvocationOnMock arg0)
{
LocatedBlocks locatedBlocks = (LocatedBlocks)arg0.CallRealMethod();
foreach (LocatedBlock lb in locatedBlocks.GetLocatedBlocks())
{
Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier> token = lb.GetBlockToken
();
BlockTokenIdentifier id = lb.GetBlockToken().DecodeIdentifier();
id.SetExpiryDate(Time.Now() + 10);
Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier> newToken = new Org.Apache.Hadoop.Security.Token.Token
<BlockTokenIdentifier>(id.GetBytes(), token.GetPassword(), token.GetKind(), token
.GetService());
lb.SetBlockToken(newToken);
}
return(locatedBlocks);
}
internal static bool CheckEqual(Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier
> a, Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> b)
{
return(Arrays.Equals(a.GetIdentifier(), b.GetIdentifier()) && Arrays.Equals(a.GetPassword
(), b.GetPassword()) && IsEqual(a.GetKind(), b.GetKind()) && IsEqual(a.GetService
(), b.GetService()));
}
/// <summary>
/// Calculates the password on the client side for the general-purpose
/// handshake.
/// </summary>
/// <remarks>
/// Calculates the password on the client side for the general-purpose
/// handshake. The password consists of the block access token's password.
/// </remarks>
/// <param name="blockToken">for block access</param>
/// <returns>SASL password</returns>
private char[] BuildClientPassword(Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier
> blockToken)
{
return(new string(Base64.EncodeBase64(blockToken.GetPassword(), false), Charsets.
Utf8).ToCharArray());
}
public virtual void ExpectedTokenIsRetrievedFromHttp()
{
bootstrap = StartHttpServer(httpPort, testToken, serviceUrl);
DelegationTokenFetcher.Main(new string[] { "-webservice=" + serviceUrl, tokenFile });
Path p = new Path(fileSys.GetWorkingDirectory(), tokenFile);
Credentials creds = Credentials.ReadTokenStorageFile(p, conf);
IEnumerator <Org.Apache.Hadoop.Security.Token.Token <object> > itr = creds.GetAllTokens
().GetEnumerator();
NUnit.Framework.Assert.IsTrue("token not exist error", itr.HasNext());
Org.Apache.Hadoop.Security.Token.Token <object> fetchedToken = itr.Next();
Assert.AssertArrayEquals("token wrong identifier error", testToken.GetIdentifier(
), fetchedToken.GetIdentifier());
Assert.AssertArrayEquals("token wrong password error", testToken.GetPassword(), fetchedToken
.GetPassword());
if (assertionError != null)
{
throw assertionError;
}
}
public virtual void TestRecovery()
{
Configuration conf = new Configuration();
HistoryServerStateStoreService store = new HistoryServerMemStateStoreService();
store.Init(conf);
store.Start();
TestJHSDelegationTokenSecretManager.JHSDelegationTokenSecretManagerForTest mgr =
new TestJHSDelegationTokenSecretManager.JHSDelegationTokenSecretManagerForTest(store
);
mgr.StartThreads();
MRDelegationTokenIdentifier tokenId1 = new MRDelegationTokenIdentifier(new Text("tokenOwner"
), new Text("tokenRenewer"), new Text("tokenUser"));
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> token1 = new
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenId1, mgr
);
MRDelegationTokenIdentifier tokenId2 = new MRDelegationTokenIdentifier(new Text("tokenOwner"
), new Text("tokenRenewer"), new Text("tokenUser"));
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> token2 = new
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenId2, mgr
);
DelegationKey[] keys = mgr.GetAllKeys();
long tokenRenewDate1 = mgr.GetAllTokens()[tokenId1].GetRenewDate();
long tokenRenewDate2 = mgr.GetAllTokens()[tokenId2].GetRenewDate();
mgr.StopThreads();
mgr = new TestJHSDelegationTokenSecretManager.JHSDelegationTokenSecretManagerForTest
(store);
mgr.Recover(store.LoadState());
IList <DelegationKey> recoveredKeys = Arrays.AsList(mgr.GetAllKeys());
foreach (DelegationKey key in keys)
{
NUnit.Framework.Assert.IsTrue("key missing after recovery", recoveredKeys.Contains
(key));
}
NUnit.Framework.Assert.IsTrue("token1 missing", mgr.GetAllTokens().Contains(tokenId1
));
NUnit.Framework.Assert.AreEqual("token1 renew date", tokenRenewDate1, mgr.GetAllTokens
()[tokenId1].GetRenewDate());
NUnit.Framework.Assert.IsTrue("token2 missing", mgr.GetAllTokens().Contains(tokenId2
));
NUnit.Framework.Assert.AreEqual("token2 renew date", tokenRenewDate2, mgr.GetAllTokens
()[tokenId2].GetRenewDate());
mgr.StartThreads();
mgr.VerifyToken(tokenId1, token1.GetPassword());
mgr.VerifyToken(tokenId2, token2.GetPassword());
MRDelegationTokenIdentifier tokenId3 = new MRDelegationTokenIdentifier(new Text("tokenOwner"
), new Text("tokenRenewer"), new Text("tokenUser"));
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> token3 = new
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenId3, mgr
);
NUnit.Framework.Assert.AreEqual("sequence number restore", tokenId2.GetSequenceNumber
() + 1, tokenId3.GetSequenceNumber());
mgr.CancelToken(token1, "tokenOwner");
// Testing with full principal name
MRDelegationTokenIdentifier tokenIdFull = new MRDelegationTokenIdentifier(new Text
("tokenOwner/localhost@LOCALHOST"), new Text("tokenRenewer"), new Text("tokenUser"
));
KerberosName.SetRules("RULE:[1:$1]\nRULE:[2:$1]");
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> tokenFull = new
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenIdFull,
mgr);
// Negative test
try
{
mgr.CancelToken(tokenFull, "tokenOwner");
}
catch (AccessControlException ace)
{
NUnit.Framework.Assert.IsTrue(ace.Message.Contains("is not authorized to cancel the token"
));
}
// Succeed to cancel with full principal
mgr.CancelToken(tokenFull, tokenIdFull.GetOwner().ToString());
long tokenRenewDate3 = mgr.GetAllTokens()[tokenId3].GetRenewDate();
mgr.StopThreads();
mgr = new TestJHSDelegationTokenSecretManager.JHSDelegationTokenSecretManagerForTest
(store);
mgr.Recover(store.LoadState());
NUnit.Framework.Assert.IsFalse("token1 should be missing", mgr.GetAllTokens().Contains
(tokenId1));
NUnit.Framework.Assert.IsTrue("token2 missing", mgr.GetAllTokens().Contains(tokenId2
));
NUnit.Framework.Assert.AreEqual("token2 renew date", tokenRenewDate2, mgr.GetAllTokens
()[tokenId2].GetRenewDate());
NUnit.Framework.Assert.IsTrue("token3 missing", mgr.GetAllTokens().Contains(tokenId3
));
NUnit.Framework.Assert.AreEqual("token3 renew date", tokenRenewDate3, mgr.GetAllTokens
()[tokenId3].GetRenewDate());
mgr.StartThreads();
mgr.VerifyToken(tokenId2, token2.GetPassword());
mgr.VerifyToken(tokenId3, token3.GetPassword());
mgr.StopThreads();
}
