/// <summary>
/// Checks that a delegation token selector, given a list of tokens, returns the
/// one whose service name matches the requested service.
/// </summary>
/// <remarks>
/// Only the positive match is exercised here; the behaviour for a service name
/// that matches no token in the list is not covered by this test.
/// </remarks>
public virtual void TestDelegationTokenSelector()
{
    // NOTE(review): the four arguments look like the key-update interval, token
    // max lifetime, renew interval and remover scan interval in milliseconds --
    // confirm against the TestDelegationTokenSecretManager constructor.
    TestDelegationToken.TestDelegationTokenSecretManager secretManager =
        new TestDelegationToken.TestDelegationTokenSecretManager(
            24 * 60 * 60 * 1000, 10 * 1000, 1 * 1000, 3600000);
    try
    {
        secretManager.StartThreads();

        // The selector is constructed for the token kind under test.
        AbstractDelegationTokenSelector selector =
            new AbstractDelegationTokenSelector<TestDelegationToken.TestDelegationTokenIdentifier>(Kind);

        // Build the candidate list: two tokens that differ in owner and service name.
        IList<Org.Apache.Hadoop.Security.Token.Token<TestDelegationToken.TestDelegationTokenIdentifier>> candidates =
            new AList<Org.Apache.Hadoop.Security.Token.Token<TestDelegationToken.TestDelegationTokenIdentifier>>();

        Org.Apache.Hadoop.Security.Token.Token<TestDelegationToken.TestDelegationTokenIdentifier> firstToken =
            GenerateDelegationToken(secretManager, "SomeUser1", "JobTracker");
        firstToken.SetService(new Text("MY-SERVICE1"));
        candidates.AddItem(firstToken);

        Org.Apache.Hadoop.Security.Token.Token<TestDelegationToken.TestDelegationTokenIdentifier> secondToken =
            GenerateDelegationToken(secretManager, "SomeUser2", "JobTracker");
        secondToken.SetService(new Text("MY-SERVICE2"));
        candidates.AddItem(secondToken);

        // Ask for the service name that was assigned to the first token above.
        Org.Apache.Hadoop.Security.Token.Token<TestDelegationToken.TestDelegationTokenIdentifier> selected =
            selector.SelectToken(new Text("MY-SERVICE1"), candidates);
        Assert.Equal(selected, firstToken);
    }
    finally
    {
        // Stop the threads started above even when an assertion fails.
        secretManager.StopThreads();
    }
}
> GenerateAMRMToken(ApplicationAttemptId attemptId, AMRMTokenSecretManager appTokenMgr ) { Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> appToken = appTokenMgr .CreateAndGetAMRMToken(attemptId); appToken.SetService(new Text("appToken service")); return(appToken); }
/// <summary>
/// Rebuilds the AMRM token carried by <paramref name="token"/> as a security
/// token, adds it to the current user, and then sets its service to the value
/// returned by <c>ClientRMProxy.GetAMRMTokenService</c>.
/// </summary>
/// <param name="token">Token record supplying identifier, password, kind and service.</param>
/// <exception cref="System.IO.IOException"/>
private void UpdateAMRMToken(Token token)
{
    // NOTE(review): Array() is taken as the complete identifier/password. If the
    // record exposes buffer views with an offset or a limit shorter than the
    // backing array, extra bytes would be copied -- confirm against the record type.
    byte[] identifierBytes = (byte[])token.GetIdentifier().Array();
    // The password is the token's secret; keep it out of logs and exception text.
    byte[] passwordBytes = (byte[])token.GetPassword().Array();
    Text kind = new Text(token.GetKind());
    Text receivedService = new Text(token.GetService());

    Org.Apache.Hadoop.Security.Token.Token<AMRMTokenIdentifier> refreshedToken =
        new Org.Apache.Hadoop.Security.Token.Token<AMRMTokenIdentifier>(
            identifierBytes, passwordBytes, kind, receivedService);

    // The token is added while it still carries the service name from the
    // incoming record; the service is rewritten only afterwards.
    // NOTE(review): presumably the user's credentials are keyed by service name,
    // so swapping these two calls could leave a stale token in place -- verify
    // before reordering.
    UserGroupInformation.GetCurrentUser().AddToken(refreshedToken);
    refreshedToken.SetService(ClientRMProxy.GetAMRMTokenService(GetConfig()));
}
> DelegationToken() { string delegation = Param(DelegationParam.Name); Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier>(); token.DecodeFromUrlString(delegation); URI nnUri = URI.Create(HdfsConstants.HdfsUriScheme + "://" + NamenodeId()); bool isLogical = HAUtil.IsLogicalUri(conf, nnUri); if (isLogical) { token.SetService(HAUtil.BuildTokenServiceForLogicalUri(nnUri, HdfsConstants.HdfsUriScheme )); } else { token.SetService(SecurityUtil.BuildTokenService(nnUri)); } return(token); }
/// <summary>
/// Rebuilds the AMRM token carried by <paramref name="token"/> as a security
/// token, adds it to the current user under the service name the RM sent, and
/// then switches the service to the address used by the RPC layer.
/// </summary>
/// <param name="token">Token record supplying identifier, password, kind and service.</param>
/// <exception cref="System.IO.IOException"/>
private void UpdateAMRMToken(Token token)
{
    // NOTE(review): Array() is taken as the complete identifier/password. If the
    // record exposes buffer views with an offset or a limit shorter than the
    // backing array, extra bytes would be copied -- confirm against the record type.
    byte[] identifierBytes = (byte[])token.GetIdentifier().Array();
    // The password is the token's secret; keep it out of logs and exception text.
    byte[] passwordBytes = (byte[])token.GetPassword().Array();
    Text kind = new Text(token.GetKind());
    Text serviceFromRm = new Text(token.GetService());

    Org.Apache.Hadoop.Security.Token.Token<AMRMTokenIdentifier> refreshedToken =
        new Org.Apache.Hadoop.Security.Token.Token<AMRMTokenIdentifier>(
            identifierBytes, passwordBytes, kind, serviceFromRm);

    // Order matters: the token is added with the service sent by the RM so that
    // it replaces the token the RM set up earlier. Only after that is the
    // service updated to the address the RPC layer needs.
    UserGroupInformation.GetCurrentUser().AddToken(refreshedToken);
    refreshedToken.SetService(ClientRMProxy.GetAMRMTokenService(GetConfig()));
}
/// <summary>
/// Starts the HA cluster, creates a fake application attempt and an RM proxy
/// for it, then obtains an AMRM token for the attempt and attaches it to the
/// current user.
/// </summary>
public virtual void Initialize()
{
    StartHACluster(0, false, false, true);
    attemptId = this.cluster.CreateFakeApplicationAttemptId();
    amClient = ClientRMProxy.CreateRMProxy<ApplicationMasterProtocol>(this.conf);

    // Mint the token straight from the resource manager's AMRM secret manager.
    Org.Apache.Hadoop.Security.Token.Token<AMRMTokenIdentifier> amrmToken =
        this.cluster
            .GetResourceManager()
            .GetRMContext()
            .GetAMRMTokenSecretManager()
            .CreateAndGetAMRMToken(attemptId);
    // Here the service is set before the token is added to the user.
    amrmToken.SetService(ClientRMProxy.GetAMRMTokenService(conf));

    // Replace the login user with a remote-user identity of the same name.
    // NOTE(review): SetLoginUser is a static call and so affects more than this
    // object -- presumably acceptable because this is test setup; confirm.
    string currentUserName = UserGroupInformation.GetCurrentUser().GetUserName();
    UserGroupInformation.SetLoginUser(UserGroupInformation.CreateRemoteUser(currentUserName));

    UserGroupInformation.GetCurrentUser().AddToken(amrmToken);
    SyncToken(amrmToken);
}
/// <summary>
/// Writes a token to a buffer, reads it back into a second token and checks
/// that the two compare equal.
/// </summary>
/// <remarks>
/// Only the service field is set on the source token; identifier, password and
/// kind keep whatever the default constructor gives them, so the round trip of
/// non-default values for those fields is not covered here.
/// </remarks>
/// <exception cref="System.IO.IOException"/>
public virtual void TestTokenSerialization()
{
    // Source token with just a service name.
    Org.Apache.Hadoop.Security.Token.Token<TokenIdentifier> original =
        new Org.Apache.Hadoop.Security.Token.Token<TokenIdentifier>();
    original.SetService(new Text("service"));

    // Serialize.
    DataOutputBuffer serialized = new DataOutputBuffer();
    original.Write(serialized);

    // Deserialize. The reader is given GetLength() alongside GetData(), i.e. the
    // written length rather than the size of the returned array.
    DataInputBuffer reader = new DataInputBuffer();
    reader.Reset(serialized.GetData(), serialized.GetLength());
    Org.Apache.Hadoop.Security.Token.Token<TokenIdentifier> restored =
        new Org.Apache.Hadoop.Security.Token.Token<TokenIdentifier>();
    restored.ReadFields(reader);

    Assert.True(CheckEqual(original, restored));
}
/// <summary>
/// Exercises get / renew / cancel of timeline delegation tokens for three
/// callers: the HTTP user acting for itself, the HTTP user acting as proxy for
/// FOO (expected to succeed), and the HTTP user acting as proxy for BAR
/// (expected to be rejected).
/// </summary>
/// <remarks>
/// Every <c>catch (Exception)</c> below also catches the exception raised by
/// <c>Assert.Fail()</c>. The test still fails in that case, because the check
/// inside the catch block does not hold for it, but the reported failure is
/// the inner check rather than the Fail() call.
/// </remarks>
public virtual void TestDelegationTokenOperations()
{
    string httpPrincipal = HttpUser + "/localhost";
    TimelineClient httpUserClient = KerberosTestUtils.DoAs(httpPrincipal, new _Callable_221(this));
    UserGroupInformation httpUser = KerberosTestUtils.DoAs(httpPrincipal, new _Callable_228());

    // ---- HTTP user requests a delegation token for itself ----
    Org.Apache.Hadoop.Security.Token.Token<TimelineDelegationTokenIdentifier> delegationToken =
        httpUserClient.GetDelegationToken(httpUser.GetShortUserName());
    NUnit.Framework.Assert.IsNotNull(delegationToken);
    TimelineDelegationTokenIdentifier identifier = delegationToken.DecodeIdentifier();
    NUnit.Framework.Assert.IsNotNull(identifier);
    NUnit.Framework.Assert.AreEqual(new Text(HttpUser), identifier.GetOwner());

    // Renew: the freshly issued token carries a service address, so this
    // renewal goes to the token service address.
    NUnit.Framework.Assert.IsFalse(delegationToken.GetService().ToString().IsEmpty());
    long earlierRenewal = httpUserClient.RenewDelegationToken(delegationToken);
    Sharpen.Thread.Sleep(100);

    // Blank the service. When the token service address is not available the
    // token can still be renewed from the configured address.
    delegationToken.SetService(new Text());
    NUnit.Framework.Assert.IsTrue(delegationToken.GetService().ToString().IsEmpty());
    long laterRenewal = httpUserClient.RenewDelegationToken(delegationToken);
    NUnit.Framework.Assert.IsTrue(earlierRenewal < laterRenewal);

    // Cancel: with the service address still empty, cancellation also goes
    // through the configured address.
    NUnit.Framework.Assert.IsTrue(delegationToken.GetService().ToString().IsEmpty());
    httpUserClient.CancelDelegationToken(delegationToken);

    // A cancelled token must no longer be renewable.
    try
    {
        httpUserClient.RenewDelegationToken(delegationToken);
        NUnit.Framework.Assert.Fail();
    }
    catch (Exception failure)
    {
        NUnit.Framework.Assert.IsTrue(failure.Message.Contains("Renewal request for unknown token"));
    }

    // ---- HTTP user obtains a delegation token on behalf of FOO ----
    UserGroupInformation fooUgi = UserGroupInformation.CreateProxyUser(FooUser, httpUser);
    TimelineClient fooUserClient = fooUgi.DoAs(new _PrivilegedExceptionAction_272(this));
    delegationToken = fooUserClient.GetDelegationToken(httpUser.GetShortUserName());
    NUnit.Framework.Assert.IsNotNull(delegationToken);
    identifier = delegationToken.DecodeIdentifier();
    NUnit.Framework.Assert.IsNotNull(identifier);
    // The owner is the impersonated user; the real user is the proxying HTTP user.
    NUnit.Framework.Assert.AreEqual(new Text(FooUser), identifier.GetOwner());
    NUnit.Framework.Assert.AreEqual(new Text(HttpUser), identifier.GetRealUser());

    // Renew as the renewer (the HTTP user's client, not FOO's).
    // NOTE(review): unlike the first renewal pair there is no sleep between
    // these two calls, yet a strict '<' is asserted -- this may be timing
    // sensitive if both renewals can return the same value.
    Org.Apache.Hadoop.Security.Token.Token<TimelineDelegationTokenIdentifier> proxiedToken = delegationToken;
    earlierRenewal = httpUserClient.RenewDelegationToken(proxiedToken);
    laterRenewal = httpUserClient.RenewDelegationToken(proxiedToken);
    NUnit.Framework.Assert.IsTrue(earlierRenewal < laterRenewal);

    // Cancel: this token still has its service address, so cancellation goes
    // to the token service address.
    NUnit.Framework.Assert.IsFalse(proxiedToken.GetService().ToString().IsEmpty());
    fooUserClient.CancelDelegationToken(proxiedToken);

    // A cancelled token must no longer be renewable.
    try
    {
        httpUserClient.RenewDelegationToken(proxiedToken);
        NUnit.Framework.Assert.Fail();
    }
    catch (Exception failure)
    {
        NUnit.Framework.Assert.IsTrue(failure.Message.Contains("Renewal request for unknown token"));
    }

    // ---- HTTP user tries to obtain a delegation token on behalf of BAR ----
    // This request is expected to be refused with an authorization or
    // authentication error as the inner exception.
    UserGroupInformation barUgi = UserGroupInformation.CreateProxyUser(BarUser, httpUser);
    TimelineClient barUserClient = barUgi.DoAs(new _PrivilegedExceptionAction_309(this));
    try
    {
        barUserClient.GetDelegationToken(httpUser.GetShortUserName());
        NUnit.Framework.Assert.Fail();
    }
    catch (Exception failure)
    {
        NUnit.Framework.Assert.IsTrue(
            failure.InnerException is AuthorizationException
            || failure.InnerException is AuthenticationException);
    }
}