Esempio n. 1
 /// <summary>
 /// Checks that the delegation token selector, given several candidate tokens,
 /// returns the one whose service name matches the requested service.
 /// </summary>
 public virtual void TestDelegationTokenSelector()
 {
     // NOTE(review): the four constructor arguments look like millisecond
     // intervals (24 h, 10 s, 1 s, 1 h); their exact meaning is defined by the
     // secret manager constructor, which is not visible here.
     TestDelegationToken.TestDelegationTokenSecretManager secretManager =
         new TestDelegationToken.TestDelegationTokenSecretManager(24 * 60 * 60 * 1000, 10 * 1000, 1 * 1000, 3600000);
     try
     {
         secretManager.StartThreads();
         AbstractDelegationTokenSelector selector =
             new AbstractDelegationTokenSelector<TestDelegationToken.TestDelegationTokenIdentifier>(Kind);

         // Two tokens for two different users, each bound to its own service name.
         Org.Apache.Hadoop.Security.Token.Token<TestDelegationToken.TestDelegationTokenIdentifier> firstToken =
             GenerateDelegationToken(secretManager, "SomeUser1", "JobTracker");
         firstToken.SetService(new Text("MY-SERVICE1"));
         Org.Apache.Hadoop.Security.Token.Token<TestDelegationToken.TestDelegationTokenIdentifier> secondToken =
             GenerateDelegationToken(secretManager, "SomeUser2", "JobTracker");
         secondToken.SetService(new Text("MY-SERVICE2"));

         IList<Org.Apache.Hadoop.Security.Token.Token<TestDelegationToken.TestDelegationTokenIdentifier>> candidates =
             new AList<Org.Apache.Hadoop.Security.Token.Token<TestDelegationToken.TestDelegationTokenIdentifier>>();
         candidates.AddItem(firstToken);
         candidates.AddItem(secondToken);

         // Asking for the first service name must yield the first token and
         // never the token that belongs to the other service.
         Org.Apache.Hadoop.Security.Token.Token<TestDelegationToken.TestDelegationTokenIdentifier> selected =
             selector.SelectToken(new Text("MY-SERVICE1"), candidates);
         Assert.Equal(selected, firstToken);
     }
     finally
     {
         // Stop the secret manager's threads even when an assertion above fails.
         secretManager.StopThreads();
     }
 }
                                                                    > GenerateAMRMToken(ApplicationAttemptId attemptId, AMRMTokenSecretManager appTokenMgr
                                                                                        )
 {
     // NOTE(review): the opening of this signature (modifiers and the start of
     // the return type) is missing from the listing; the body below is complete.
     // Have the secret manager create the AMRM token for this application attempt.
     Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> appToken = appTokenMgr
                                                                             .CreateAndGetAMRMToken(attemptId);
     // The service is set to a fixed literal here, not to an address derived
     // from configuration.
     appToken.SetService(new Text("appToken service"));
     return(appToken);
 }
Esempio n. 3
        /// <summary>
        /// Rebuilds an AMRM token from the supplied token record and adds it to the
        /// current user's credentials, then repoints the token's service.
        /// </summary>
        /// <param name="token">Record supplying the identifier, password, kind and service.</param>
        /// <exception cref="System.IO.IOException"/>
        private void UpdateAMRMToken(Token token)
        {
            // The password bytes are the token's secret material; keep them out
            // of logs and diagnostics.
            byte[] identifierBytes = (byte[])token.GetIdentifier().Array();
            byte[] passwordBytes = (byte[])token.GetPassword().Array();
            Text tokenKind = new Text(token.GetKind());
            Text tokenService = new Text(token.GetService());
            Org.Apache.Hadoop.Security.Token.Token<AMRMTokenIdentifier> rebuiltToken =
                new Org.Apache.Hadoop.Security.Token.Token<AMRMTokenIdentifier>(
                    identifierBytes, passwordBytes, tokenKind, tokenService);

            // Order is significant: the token is added while it still carries the
            // service value from the incoming record, and only afterwards is the
            // service replaced with the one computed from the local configuration.
            UserGroupInformation callerUgi = UserGroupInformation.GetCurrentUser();
            callerUgi.AddToken(rebuiltToken);
            rebuiltToken.SetService(ClientRMProxy.GetAMRMTokenService(GetConfig()));
        }
Esempio n. 4
                                                                 > DelegationToken()
        {
            // NOTE(review): the opening of this signature is missing from the
            // listing; the body below is complete.
            // The encoded token comes from Param(...), presumably a caller-supplied
            // request parameter, so it must be treated as untrusted input.
            // NOTE(review): behaviour when the parameter is absent is not visible here.
            string delegation = Param(DelegationParam.Name);

            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
                                                                                       <DelegationTokenIdentifier>();
            // Nothing in this method checks the decoded token's password or
            // expiry; it only parses the string into a token object.
            // NOTE(review): verification has to happen wherever the returned token
            // is consumed; confirm against the callers.
            token.DecodeFromUrlString(delegation);
            // The service is set explicitly below from the NameNode id, so the
            // returned token does not keep whatever DecodeFromUrlString yields
            // for it.
            URI  nnUri     = URI.Create(HdfsConstants.HdfsUriScheme + "://" + NamenodeId());
            bool isLogical = HAUtil.IsLogicalUri(conf, nnUri);

            if (isLogical)
            {
                // Logical (HA) URI: use the service name built for the logical URI.
                token.SetService(HAUtil.BuildTokenServiceForLogicalUri(nnUri, HdfsConstants.HdfsUriScheme
                                                                       ));
            }
            else
            {
                // Otherwise build the service name directly from the NameNode URI.
                token.SetService(SecurityUtil.BuildTokenService(nnUri));
            }
            return(token);
        }
Esempio n. 5
        /// <summary>
        /// Converts the token record sent by the RM into an AMRM token, registers it
        /// with the current user and then updates its service address.
        /// </summary>
        /// <param name="token">Record supplying the identifier, password, kind and service.</param>
        /// <exception cref="System.IO.IOException"/>
        private void UpdateAMRMToken(Token token)
        {
            // The password bytes are the token's secret material; keep them out
            // of logs and diagnostics.
            byte[] rawIdentifier = (byte[])token.GetIdentifier().Array();
            byte[] rawPassword = (byte[])token.GetPassword().Array();
            Text kindText = new Text(token.GetKind());
            Text serviceText = new Text(token.GetService());
            Org.Apache.Hadoop.Security.Token.Token<AMRMTokenIdentifier> freshToken =
                new Org.Apache.Hadoop.Security.Token.Token<AMRMTokenIdentifier>(
                    rawIdentifier, rawPassword, kindText, serviceText);

            // Keep the service name sent by the RM while adding the token, so that
            // the token previously set up by the RM is replaced. Only after that is
            // the service switched to the address used by the RPC layer.
            UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
            ugi.AddToken(freshToken);
            freshToken.SetService(ClientRMProxy.GetAMRMTokenService(GetConfig()));
        }
 /// <summary>
 /// Starts the HA cluster, creates the AM client proxy, and registers a newly
 /// created AMRM token for a fake application attempt with the current user.
 /// </summary>
 public virtual void Initialize()
 {
     StartHACluster(0, false, false, true);
     attemptId = this.cluster.CreateFakeApplicationAttemptId();
     amClient = ClientRMProxy.CreateRMProxy<ApplicationMasterProtocol>(this.conf);

     // Create the token through the ResourceManager's own AMRM secret manager.
     var amrmSecretManager = this.cluster.GetResourceManager().GetRMContext().GetAMRMTokenSecretManager();
     Org.Apache.Hadoop.Security.Token.Token<AMRMTokenIdentifier> amrmToken =
         amrmSecretManager.CreateAndGetAMRMToken(attemptId);
     amrmToken.SetService(ClientRMProxy.GetAMRMTokenService(conf));

     // Replace the login user with a remote-user identity of the same name,
     // then attach the token to whichever user is current after that switch.
     var currentUserName = UserGroupInformation.GetCurrentUser().GetUserName();
     UserGroupInformation.SetLoginUser(UserGroupInformation.CreateRemoteUser(currentUserName));
     UserGroupInformation.GetCurrentUser().AddToken(amrmToken);
     SyncToken(amrmToken);
 }
Esempio n. 7
        /// <summary>
        /// Round-trips a token through <c>Write</c> and <c>ReadFields</c> and checks
        /// that the token read back equals the one written.
        /// </summary>
        /// <exception cref="System.IO.IOException"/>
        public virtual void TestTokenSerialization()
        {
            // Token under test: default-constructed, with only the service set.
            Org.Apache.Hadoop.Security.Token.Token<TokenIdentifier> original =
                new Org.Apache.Hadoop.Security.Token.Token<TokenIdentifier>();
            original.SetService(new Text("service"));

            // Serialize into an in-memory buffer.
            DataOutputBuffer sink = new DataOutputBuffer();
            original.Write(sink);

            // Hand the reader the buffer together with the number of bytes written.
            DataInputBuffer reader = new DataInputBuffer();
            reader.Reset(sink.GetData(), sink.GetLength());

            // Deserialize into a second, empty token and compare.
            Org.Apache.Hadoop.Security.Token.Token<TokenIdentifier> roundTripped =
                new Org.Apache.Hadoop.Security.Token.Token<TokenIdentifier>();
            roundTripped.ReadFields(reader);
            Assert.True(CheckEqual(original, roundTripped));
        }
        /// <summary>
        /// Exercises the delegation-token life cycle (get, renew, cancel) through the
        /// timeline client in three situations: the HTTP user acting for itself, the
        /// HTTP user acting as proxy for FOO (expected to succeed), and the HTTP user
        /// acting as proxy for BAR (expected to be refused). It also checks that a
        /// cancelled token can no longer be renewed.
        /// </summary>
        public virtual void TestDelegationTokenOperations()
        {
            // Both helper objects are created while running as the HTTP principal.
            TimelineClient httpUserClient = KerberosTestUtils.DoAs(HttpUser + "/localhost", new
                                                                   _Callable_221(this));
            UserGroupInformation httpUser = KerberosTestUtils.DoAs(HttpUser + "/localhost", new
                                                                   _Callable_228());

            // Let the HTTP user get a delegation token for itself
            Org.Apache.Hadoop.Security.Token.Token <TimelineDelegationTokenIdentifier> token =
                httpUserClient.GetDelegationToken(httpUser.GetShortUserName());
            NUnit.Framework.Assert.IsNotNull(token);
            TimelineDelegationTokenIdentifier tDT = token.DecodeIdentifier();

            NUnit.Framework.Assert.IsNotNull(tDT);
            // The token owner must be the requesting HTTP user.
            NUnit.Framework.Assert.AreEqual(new Text(HttpUser), tDT.GetOwner());
            // Renew token: a freshly issued token carries a non-empty service
            NUnit.Framework.Assert.IsFalse(token.GetService().ToString().IsEmpty());
            // Renew the token from the token service address
            long renewTime1 = httpUserClient.RenewDelegationToken(token);

            // Pause so the second renewal yields a strictly later renew time.
            Sharpen.Thread.Sleep(100);
            // Blank the service to force the fallback path checked below.
            token.SetService(new Text());
            NUnit.Framework.Assert.IsTrue(token.GetService().ToString().IsEmpty());
            // If the token service address is not available, it still can be renewed
            // from the configured address
            long renewTime2 = httpUserClient.RenewDelegationToken(token);

            NUnit.Framework.Assert.IsTrue(renewTime1 < renewTime2);
            // Cancel token
            NUnit.Framework.Assert.IsTrue(token.GetService().ToString().IsEmpty());
            // If the token service address is not available, it still can be canceled
            // from the configured address
            httpUserClient.CancelDelegationToken(token);
            // Renew should not be successful because the token is canceled
            try
            {
                httpUserClient.RenewDelegationToken(token);
                NUnit.Framework.Assert.Fail();
            }
            // NOTE(review): catch (Exception) also receives the exception raised by
            // Assert.Fail(), so a renewal that wrongly succeeds shows up as a failed
            // message check rather than as the Fail() itself.
            catch (Exception e)
            {
                NUnit.Framework.Assert.IsTrue(e.Message.Contains("Renewal request for unknown token"
                                                                 ));
            }
            // Let the HTTP user get a delegation token for the FOO user
            UserGroupInformation fooUgi = UserGroupInformation.CreateProxyUser(FooUser, httpUser
                                                                               );
            TimelineClient fooUserClient = fooUgi.DoAs(new _PrivilegedExceptionAction_272(this
                                                                                          ));

            token = fooUserClient.GetDelegationToken(httpUser.GetShortUserName());
            NUnit.Framework.Assert.IsNotNull(token);
            tDT = token.DecodeIdentifier();
            NUnit.Framework.Assert.IsNotNull(tDT);
            // With impersonation the owner is the proxied user (FOO), while the
            // real user recorded in the identifier stays the HTTP user.
            NUnit.Framework.Assert.AreEqual(new Text(FooUser), tDT.GetOwner());
            NUnit.Framework.Assert.AreEqual(new Text(HttpUser), tDT.GetRealUser());
            // Renew token as the renewer
            Org.Apache.Hadoop.Security.Token.Token <TimelineDelegationTokenIdentifier> tokenToRenew
                       = token;
            // NOTE(review): unlike the first pair of renewals there is no delay
            // between these two calls, yet the assertion requires a strictly later
            // renew time; this may be timing-sensitive - confirm.
            renewTime1 = httpUserClient.RenewDelegationToken(tokenToRenew);
            renewTime2 = httpUserClient.RenewDelegationToken(tokenToRenew);
            NUnit.Framework.Assert.IsTrue(renewTime1 < renewTime2);
            // Cancel token
            NUnit.Framework.Assert.IsFalse(tokenToRenew.GetService().ToString().IsEmpty());
            // Cancel the token from the token service address
            fooUserClient.CancelDelegationToken(tokenToRenew);
            // Renew should not be successful because the token is canceled
            try
            {
                httpUserClient.RenewDelegationToken(tokenToRenew);
                NUnit.Framework.Assert.Fail();
            }
            // Same caveat as the first try/catch: Assert.Fail() is caught here too.
            catch (Exception e)
            {
                NUnit.Framework.Assert.IsTrue(e.Message.Contains("Renewal request for unknown token"
                                                                 ));
            }
            // Let the HTTP user try to get a delegation token for the BAR user
            // NOTE(review): presumably the fixture's proxy-user settings allow FOO
            // but not BAR; that configuration is not visible in this method.
            UserGroupInformation barUgi = UserGroupInformation.CreateProxyUser(BarUser, httpUser
                                                                               );
            TimelineClient barUserClient = barUgi.DoAs(new _PrivilegedExceptionAction_309(this
                                                                                          ));

            try
            {
                // Negative case: issuing a token for BAR must be refused.
                barUserClient.GetDelegationToken(httpUser.GetShortUserName());
                NUnit.Framework.Assert.Fail();
            }
            catch (Exception e)
            {
                // The refusal is accepted as either an authorization or an
                // authentication failure, carried as the inner exception.
                NUnit.Framework.Assert.IsTrue(e.InnerException is AuthorizationException || e.InnerException
                                              is AuthenticationException);
            }
        }