Esempio n. 1
0
        /// <exception cref="System.Exception"/>
        public virtual void TestGetCreds <T>()
            where T : TokenIdentifier
        {
            // from Mockito mocks
            UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("someone");
            Text service             = new Text("service");

            Org.Apache.Hadoop.Security.Token.Token <T> t1 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
                                                                                      >();
            Org.Mockito.Mockito.When(t1.GetService()).ThenReturn(service);
            Org.Apache.Hadoop.Security.Token.Token <T> t2 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
                                                                                      >();
            Org.Mockito.Mockito.When(t2.GetService()).ThenReturn(new Text("service2"));
            Org.Apache.Hadoop.Security.Token.Token <T> t3 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
                                                                                      >();
            Org.Mockito.Mockito.When(t3.GetService()).ThenReturn(service);
            // add token to ugi
            ugi.AddToken(t1);
            ugi.AddToken(t2);
            CheckTokens(ugi, t1, t2);
            Credentials creds = ugi.GetCredentials();

            creds.AddToken(t3.GetService(), t3);
            NUnit.Framework.Assert.AreSame(t3, creds.GetToken(service));
            // check that ugi wasn't modified
            CheckTokens(ugi, t1, t2);
        }
Esempio n. 2
0
        /// <exception cref="System.Exception"/>
        public virtual void TestUGITokens <T>()
            where T : TokenIdentifier
        {
            // from Mockito mocks
            UserGroupInformation ugi = UserGroupInformation.CreateUserForTesting("TheDoctor",
                                                                                 new string[] { "TheTARDIS" });

            Org.Apache.Hadoop.Security.Token.Token <T> t1 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
                                                                                      >();
            Org.Mockito.Mockito.When(t1.GetService()).ThenReturn(new Text("t1"));
            Org.Apache.Hadoop.Security.Token.Token <T> t2 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
                                                                                      >();
            Org.Mockito.Mockito.When(t2.GetService()).ThenReturn(new Text("t2"));
            Credentials creds = new Credentials();

            byte[] secretKey  = new byte[] {  };
            Text   secretName = new Text("shhh");

            creds.AddSecretKey(secretName, secretKey);
            ugi.AddToken(t1);
            ugi.AddToken(t2);
            ugi.AddCredentials(creds);
            ICollection <Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> > z = ugi.GetTokens
                                                                                            ();

            Assert.True(z.Contains(t1));
            Assert.True(z.Contains(t2));
            Assert.Equal(2, z.Count);
            Credentials ugiCreds = ugi.GetCredentials();

            NUnit.Framework.Assert.AreSame(secretKey, ugiCreds.GetSecretKey(secretName));
            Assert.Equal(1, ugiCreds.NumberOfSecretKeys());
            try
            {
                z.Remove(t1);
                NUnit.Framework.Assert.Fail("Shouldn't be able to modify token collection from UGI"
                                            );
            }
            catch (NotSupportedException)
            {
            }
            // Can't modify tokens
            // ensure that the tokens are passed through doAs
            ICollection <Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> > otherSet = ugi
                                                                                               .DoAs(new _PrivilegedExceptionAction_612());

            Assert.True(otherSet.Contains(t1));
            Assert.True(otherSet.Contains(t2));
        }
Esempio n. 3
0
        public virtual void TestTokenBySuperUser()
        {
            TestSaslRPC.TestTokenSecretManager sm = new TestSaslRPC.TestTokenSecretManager();
            Configuration newConf = new Configuration(masterConf);

            SecurityUtil.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos
                                                 , newConf);
            UserGroupInformation.SetConfiguration(newConf);
            Server server = new RPC.Builder(newConf).SetProtocol(typeof(TestDoAsEffectiveUser.TestProtocol
                                                                        )).SetInstance(new TestDoAsEffectiveUser.TestImpl(this)).SetBindAddress(Address)
                            .SetPort(0).SetNumHandlers(5).SetVerbose(true).SetSecretManager(sm).Build();

            server.Start();
            UserGroupInformation current = UserGroupInformation.CreateUserForTesting(RealUserName
                                                                                     , GroupNames);

            RefreshConf(newConf);
            IPEndPoint addr = NetUtils.GetConnectAddress(server);

            TestSaslRPC.TestTokenIdentifier tokenId = new TestSaslRPC.TestTokenIdentifier(new
                                                                                          Org.Apache.Hadoop.IO.Text(current.GetUserName()), new Org.Apache.Hadoop.IO.Text(
                                                                                              "SomeSuperUser"));
            Org.Apache.Hadoop.Security.Token.Token <TestSaslRPC.TestTokenIdentifier> token = new
                                                                                             Org.Apache.Hadoop.Security.Token.Token <TestSaslRPC.TestTokenIdentifier>(tokenId,
                                                                                                                                                                      sm);
            SecurityUtil.SetTokenService(token, addr);
            current.AddToken(token);
            string retVal = current.DoAs(new _PrivilegedExceptionAction_509(this, addr, newConf
                                                                            , server));
            string expected = RealUserName + " (auth:TOKEN) via SomeSuperUser (auth:SIMPLE)";

            Assert.Equal(retVal + "!=" + expected, expected, retVal);
        }
Esempio n. 4
0
            /// <exception cref="System.Exception"/>
            public Void Run()
            {
                DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
                                                                  ();
                DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
                HttpURLConnection conn = aUrl.OpenConnection(url, token, TestWebDelegationToken.OkUser
                                                             );

                Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
                IList <string> ret = IOUtils.ReadLines(conn.GetInputStream());

                Assert.Equal(1, ret.Count);
                Assert.Equal(TestWebDelegationToken.OkUser, ret[0]);
                conn = aUrl.OpenConnection(url, token, TestWebDelegationToken.FailUser);
                Assert.Equal(HttpURLConnection.HttpForbidden, conn.GetResponseCode
                                 ());
                aUrl.GetDelegationToken(url, token, TestWebDelegationToken.FooUser);
                UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();

                ugi.AddToken(token.GetDelegationToken());
                token = new DelegationTokenAuthenticatedURL.Token();
                conn  = aUrl.OpenConnection(url, token, TestWebDelegationToken.OkUser);
                Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
                ret = IOUtils.ReadLines(conn.GetInputStream());
                Assert.Equal(1, ret.Count);
                Assert.Equal(TestWebDelegationToken.FooUser, ret[0]);
                return(null);
            }
Esempio n. 5
0
        /// <exception cref="System.IO.IOException"/>
        internal static ClientDatanodeProtocolPB CreateClientDatanodeProtocolProxy(DatanodeID
                                                                                   datanodeid, Configuration conf, int socketTimeout, bool connectToDnViaHostname,
                                                                                   LocatedBlock locatedBlock)
        {
            string     dnAddr = datanodeid.GetIpcAddr(connectToDnViaHostname);
            IPEndPoint addr   = NetUtils.CreateSocketAddr(dnAddr);

            if (Log.IsDebugEnabled())
            {
                Log.Debug("Connecting to datanode " + dnAddr + " addr=" + addr);
            }
            // Since we're creating a new UserGroupInformation here, we know that no
            // future RPC proxies will be able to re-use the same connection. And
            // usages of this proxy tend to be one-off calls.
            //
            // This is a temporary fix: callers should really achieve this by using
            // RPC.stopProxy() on the resulting object, but this is currently not
            // working in trunk. See the discussion on HDFS-1965.
            Configuration confWithNoIpcIdle = new Configuration(conf);

            confWithNoIpcIdle.SetInt(CommonConfigurationKeysPublic.IpcClientConnectionMaxidletimeKey
                                     , 0);
            UserGroupInformation ticket = UserGroupInformation.CreateRemoteUser(locatedBlock.
                                                                                GetBlock().GetLocalBlock().ToString());

            ticket.AddToken(locatedBlock.GetBlockToken());
            return(CreateClientDatanodeProtocolProxy(addr, ticket, confWithNoIpcIdle, NetUtils
                                                     .GetDefaultSocketFactory(conf), socketTimeout));
        }
Esempio n. 6
0
        /// <summary>
        /// Locate a delegation token associated with the given HA cluster URI, and if
        /// one is found, clone it to also represent the underlying namenode address.
        /// </summary>
        /// <param name="ugi">the UGI to modify</param>
        /// <param name="haUri">the logical URI for the cluster</param>
        /// <param name="nnAddrs">
        /// collection of NNs in the cluster to which the token
        /// applies
        /// </param>
        public static void CloneDelegationTokenForLogicalUri(UserGroupInformation ugi, URI
                                                             haUri, ICollection <IPEndPoint> nnAddrs)
        {
            // this cloning logic is only used by hdfs
            Text haService = Org.Apache.Hadoop.Hdfs.HAUtil.BuildTokenServiceForLogicalUri(haUri
                                                                                          , HdfsConstants.HdfsUriScheme);

            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> haToken = tokenSelector
                                                                                         .SelectToken(haService, ugi.GetTokens());
            if (haToken != null)
            {
                foreach (IPEndPoint singleNNAddr in nnAddrs)
                {
                    // this is a minor hack to prevent physical HA tokens from being
                    // exposed to the user via UGI.getCredentials(), otherwise these
                    // cloned tokens may be inadvertently propagated to jobs
                    Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> specificToken =
                        new Token.PrivateToken <DelegationTokenIdentifier>(haToken);
                    SecurityUtil.SetTokenService(specificToken, singleNNAddr);
                    Text alias = new Text(BuildTokenServicePrefixForLogicalUri(HdfsConstants.HdfsUriScheme
                                                                               ) + "//" + specificToken.GetService());
                    ugi.AddToken(alias, specificToken);
                    Log.Debug("Mapped HA service delegation token for logical URI " + haUri + " to namenode "
                              + singleNNAddr);
                }
            }
            else
            {
                Log.Debug("No HA service delegation token found for logical URI " + haUri);
            }
        }
Esempio n. 7
0
        /// <exception cref="System.IO.IOException"/>
        private static UserGroupInformation GetTokenUGI(ServletContext context, HttpServletRequest
                                                        request, string tokenString, Configuration conf)
        {
            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
                                                                                       <DelegationTokenIdentifier>();
            token.DecodeFromUrlString(tokenString);
            IPEndPoint serviceAddress = GetNNServiceAddress(context, request);

            if (serviceAddress != null)
            {
                SecurityUtil.SetTokenService(token, serviceAddress);
                token.SetKind(DelegationTokenIdentifier.HdfsDelegationKind);
            }
            ByteArrayInputStream      buf = new ByteArrayInputStream(token.GetIdentifier());
            DataInputStream           @in = new DataInputStream(buf);
            DelegationTokenIdentifier id  = new DelegationTokenIdentifier();

            id.ReadFields(@in);
            if (context != null)
            {
                NameNode nn = NameNodeHttpServer.GetNameNodeFromContext(context);
                if (nn != null)
                {
                    // Verify the token.
                    nn.GetNamesystem().VerifyToken(id, token.GetPassword());
                }
            }
            UserGroupInformation ugi = id.GetUser();

            ugi.AddToken(token);
            return(ugi);
        }
        public virtual void TestCacheForUgi <T>()
            where T : TokenIdentifier
        {
            Configuration conf = new Configuration();

            conf.Set("fs.cachedfile.impl", FileSystem.GetFileSystemClass("file", null).FullName
                     );
            UserGroupInformation ugiA = UserGroupInformation.CreateRemoteUser("foo");
            UserGroupInformation ugiB = UserGroupInformation.CreateRemoteUser("bar");
            FileSystem           fsA  = ugiA.DoAs(new _PrivilegedExceptionAction_171(conf));
            FileSystem           fsA1 = ugiA.DoAs(new _PrivilegedExceptionAction_177(conf));

            //Since the UGIs are the same, we should have the same filesystem for both
            NUnit.Framework.Assert.AreSame(fsA, fsA1);
            FileSystem fsB = ugiB.DoAs(new _PrivilegedExceptionAction_186(conf));

            //Since the UGIs are different, we should end up with different filesystems
            //corresponding to the two UGIs
            NUnit.Framework.Assert.AreNotSame(fsA, fsB);
            Org.Apache.Hadoop.Security.Token.Token <T> t1 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
                                                                                      >();
            UserGroupInformation ugiA2 = UserGroupInformation.CreateRemoteUser("foo");

            fsA = ugiA2.DoAs(new _PrivilegedExceptionAction_199(conf));
            // Although the users in the UGI are same, they have different subjects
            // and so are different.
            NUnit.Framework.Assert.AreNotSame(fsA, fsA1);
            ugiA.AddToken(t1);
            fsA = ugiA.DoAs(new _PrivilegedExceptionAction_211(conf));
            // Make sure that different UGI's with the same subject lead to the same
            // file system.
            NUnit.Framework.Assert.AreSame(fsA, fsA1);
        }
        public virtual void TestJobTokenRpc()
        {
            TaskUmbilicalProtocol mockTT = Org.Mockito.Mockito.Mock <TaskUmbilicalProtocol>();

            Org.Mockito.Mockito.DoReturn(TaskUmbilicalProtocol.versionID).When(mockTT).GetProtocolVersion
                (Matchers.AnyString(), Matchers.AnyLong());
            Org.Mockito.Mockito.DoReturn(ProtocolSignature.GetProtocolSignature(mockTT, typeof(
                                                                                    TaskUmbilicalProtocol).FullName, TaskUmbilicalProtocol.versionID, 0)).When(mockTT
                                                                                                                                                               ).GetProtocolSignature(Matchers.AnyString(), Matchers.AnyLong(), Matchers.AnyInt
                                                                                                                                                                                          ());
            JobTokenSecretManager sm = new JobTokenSecretManager();
            Server server            = new RPC.Builder(conf).SetProtocol(typeof(TaskUmbilicalProtocol)).
                                       SetInstance(mockTT).SetBindAddress(Address).SetPort(0).SetNumHandlers(5).SetVerbose
                                           (true).SetSecretManager(sm).Build();

            server.Start();
            UserGroupInformation current = UserGroupInformation.GetCurrentUser();
            IPEndPoint           addr    = NetUtils.GetConnectAddress(server);
            string             jobId     = current.GetUserName();
            JobTokenIdentifier tokenId   = new JobTokenIdentifier(new Text(jobId));

            Org.Apache.Hadoop.Security.Token.Token <JobTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
                                                                                <JobTokenIdentifier>(tokenId, sm);
            sm.AddTokenForJob(jobId, token);
            SecurityUtil.SetTokenService(token, addr);
            Log.Info("Service address for token is " + token.GetService());
            current.AddToken(token);
            current.DoAs(new _PrivilegedExceptionAction_110(addr, server));
        }
        public virtual void TestDelegationTokenRpc()
        {
            ClientProtocol mockNN           = Org.Mockito.Mockito.Mock <ClientProtocol>();
            FSNamesystem   mockNameSys      = Org.Mockito.Mockito.Mock <FSNamesystem>();
            DelegationTokenSecretManager sm = new DelegationTokenSecretManager(DFSConfigKeys.
                                                                               DfsNamenodeDelegationKeyUpdateIntervalDefault, DFSConfigKeys.DfsNamenodeDelegationKeyUpdateIntervalDefault
                                                                               , DFSConfigKeys.DfsNamenodeDelegationTokenMaxLifetimeDefault, 3600000, mockNameSys
                                                                               );

            sm.StartThreads();
            Org.Apache.Hadoop.Ipc.Server server = new RPC.Builder(conf).SetProtocol(typeof(ClientProtocol
                                                                                           )).SetInstance(mockNN).SetBindAddress(Address).SetPort(0).SetNumHandlers(5).SetVerbose
                                                      (true).SetSecretManager(sm).Build();
            server.Start();
            UserGroupInformation current = UserGroupInformation.GetCurrentUser();
            IPEndPoint           addr    = NetUtils.GetConnectAddress(server);
            string user  = current.GetUserName();
            Text   owner = new Text(user);
            DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(owner, owner, null
                                                                           );

            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
                                                                                       <DelegationTokenIdentifier>(dtId, sm);
            SecurityUtil.SetTokenService(token, addr);
            Log.Info("Service for token is " + token.GetService());
            current.AddToken(token);
            current.DoAs(new _PrivilegedExceptionAction_100(addr, server));
        }
Esempio n. 11
0
        /// <exception cref="System.IO.IOException"/>
        /// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
        public static void StartContainer(NodeManager nm, ContainerId cId, FileContext localFS
                                          , FilePath scriptFileDir, FilePath processStartFile)
        {
            FilePath scriptFile = CreateUnhaltingScriptFile(cId, scriptFileDir, processStartFile
                                                            );
            ContainerLaunchContext containerLaunchContext = recordFactory.NewRecordInstance <ContainerLaunchContext
                                                                                             >();
            NodeId nodeId = BuilderUtils.NewNodeId(Sharpen.Extensions.GetAddressByName("localhost"
                                                                                       ).ToString(), 12345);
            URL localResourceUri = ConverterUtils.GetYarnUrlFromPath(localFS.MakeQualified(new
                                                                                           Path(scriptFile.GetAbsolutePath())));
            LocalResource localResource = recordFactory.NewRecordInstance <LocalResource>();

            localResource.SetResource(localResourceUri);
            localResource.SetSize(-1);
            localResource.SetVisibility(LocalResourceVisibility.Application);
            localResource.SetType(LocalResourceType.File);
            localResource.SetTimestamp(scriptFile.LastModified());
            string destinationFile = "dest_file";
            IDictionary <string, LocalResource> localResources = new Dictionary <string, LocalResource
                                                                                 >();

            localResources[destinationFile] = localResource;
            containerLaunchContext.SetLocalResources(localResources);
            IList <string> commands = Arrays.AsList(Shell.GetRunScriptCommand(scriptFile));

            containerLaunchContext.SetCommands(commands);
            IPEndPoint containerManagerBindAddress = NetUtils.CreateSocketAddrForHost("127.0.0.1"
                                                                                      , 12345);
            UserGroupInformation currentUser = UserGroupInformation.CreateRemoteUser(cId.ToString
                                                                                         ());

            Org.Apache.Hadoop.Security.Token.Token <NMTokenIdentifier> nmToken = ConverterUtils
                                                                                 .ConvertFromYarn(nm.GetNMContext().GetNMTokenSecretManager().CreateNMToken(cId.GetApplicationAttemptId
                                                                                                                                                                (), nodeId, user), containerManagerBindAddress);
            currentUser.AddToken(nmToken);
            ContainerManagementProtocol containerManager = currentUser.DoAs(new _PrivilegedAction_229
                                                                                ());
            StartContainerRequest scRequest = StartContainerRequest.NewInstance(containerLaunchContext
                                                                                , TestContainerManager.CreateContainerToken(cId, 0, nodeId, user, nm.GetNMContext
                                                                                                                                ().GetContainerTokenSecretManager()));
            IList <StartContainerRequest> list = new AList <StartContainerRequest>();

            list.AddItem(scRequest);
            StartContainersRequest allRequests = StartContainersRequest.NewInstance(list);

            containerManager.StartContainers(allRequests);
            IList <ContainerId> containerIds = new AList <ContainerId>();

            containerIds.AddItem(cId);
            GetContainerStatusesRequest request = GetContainerStatusesRequest.NewInstance(containerIds
                                                                                          );
            ContainerStatus containerStatus = containerManager.GetContainerStatuses(request).
                                              GetContainerStatuses()[0];

            NUnit.Framework.Assert.AreEqual(ContainerState.Running, containerStatus.GetState(
                                                ));
        }
Esempio n. 12
0
 /// <exception cref="System.IO.IOException"/>
 private void InjectToken()
 {
     if (UserGroupInformation.IsSecurityEnabled())
     {
         Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = @params
                                                                                    .DelegationToken();
         token.SetKind(DelegationTokenIdentifier.HdfsDelegationKind);
         ugi.AddToken(token);
     }
 }
Esempio n. 13
0
        /// <exception cref="System.IO.IOException"/>
        private void UpdateAMRMToken(Token token)
        {
            Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> amrmToken = new Org.Apache.Hadoop.Security.Token.Token
                                                                                     <AMRMTokenIdentifier>(((byte[])token.GetIdentifier().Array()), ((byte[])token.GetPassword
                                                                                                                                                         ().Array()), new Text(token.GetKind()), new Text(token.GetService()));
            UserGroupInformation currentUGI = UserGroupInformation.GetCurrentUser();

            currentUGI.AddToken(amrmToken);
            amrmToken.SetService(ClientRMProxy.GetAMRMTokenService(GetConfig()));
        }
        /// <exception cref="System.Exception"/>
        public virtual void TestHAUtilClonesDelegationTokens()
        {
            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = GetDelegationToken
                                                                                           (fs, "JobTracker");
            UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test");
            URI haUri = new URI("hdfs://my-ha-uri/");

            token.SetService(HAUtil.BuildTokenServiceForLogicalUri(haUri, HdfsConstants.HdfsUriScheme
                                                                   ));
            ugi.AddToken(token);
            ICollection <IPEndPoint> nnAddrs = new HashSet <IPEndPoint>();

            nnAddrs.AddItem(new IPEndPoint("localhost", nn0.GetNameNodeAddress().Port));
            nnAddrs.AddItem(new IPEndPoint("localhost", nn1.GetNameNodeAddress().Port));
            HAUtil.CloneDelegationTokenForLogicalUri(ugi, haUri, nnAddrs);
            ICollection <Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> > tokens = ugi
                                                                                             .GetTokens();

            NUnit.Framework.Assert.AreEqual(3, tokens.Count);
            Log.Info("Tokens:\n" + Joiner.On("\n").Join(tokens));
            DelegationTokenSelector dts = new DelegationTokenSelector();

            // check that the token selected for one of the physical IPC addresses
            // matches the one we received
            foreach (IPEndPoint addr in nnAddrs)
            {
                Text ipcDtService = SecurityUtil.BuildTokenService(addr);
                Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token2 = dts.SelectToken
                                                                                                (ipcDtService, ugi.GetTokens());
                NUnit.Framework.Assert.IsNotNull(token2);
                Assert.AssertArrayEquals(token.GetIdentifier(), token2.GetIdentifier());
                Assert.AssertArrayEquals(token.GetPassword(), token2.GetPassword());
            }
            // switch to host-based tokens, shouldn't match existing tokens
            SecurityUtilTestHelper.SetTokenServiceUseIp(false);
            foreach (IPEndPoint addr_1 in nnAddrs)
            {
                Text ipcDtService = SecurityUtil.BuildTokenService(addr_1);
                Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token2 = dts.SelectToken
                                                                                                (ipcDtService, ugi.GetTokens());
                NUnit.Framework.Assert.IsNull(token2);
            }
            // reclone the tokens, and see if they match now
            HAUtil.CloneDelegationTokenForLogicalUri(ugi, haUri, nnAddrs);
            foreach (IPEndPoint addr_2 in nnAddrs)
            {
                Text ipcDtService = SecurityUtil.BuildTokenService(addr_2);
                Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token2 = dts.SelectToken
                                                                                                (ipcDtService, ugi.GetTokens());
                NUnit.Framework.Assert.IsNotNull(token2);
                Assert.AssertArrayEquals(token.GetIdentifier(), token2.GetIdentifier());
                Assert.AssertArrayEquals(token.GetPassword(), token2.GetPassword());
            }
        }
Esempio n. 15
0
        public virtual void TestValidateResourceBlacklistRequest()
        {
            TestAMAuthorization.MyContainerManager containerManager = new TestAMAuthorization.MyContainerManager
                                                                          ();
            TestAMAuthorization.MockRMWithAMS rm = new TestAMAuthorization.MockRMWithAMS(new
                                                                                         YarnConfiguration(), containerManager);
            rm.Start();
            MockNM nm1 = rm.RegisterNode("localhost:1234", 5120);
            IDictionary <ApplicationAccessType, string> acls = new Dictionary <ApplicationAccessType
                                                                               , string>(2);

            acls[ApplicationAccessType.ViewApp] = "*";
            RMApp app = rm.SubmitApp(1024, "appname", "appuser", acls);

            nm1.NodeHeartbeat(true);
            RMAppAttempt         attempt = app.GetCurrentAppAttempt();
            ApplicationAttemptId applicationAttemptId = attempt.GetAppAttemptId();

            WaitForLaunchedState(attempt);
            // Create a client to the RM.
            Configuration        conf        = rm.GetConfig();
            YarnRPC              rpc         = YarnRPC.Create(conf);
            UserGroupInformation currentUser = UserGroupInformation.CreateRemoteUser(applicationAttemptId
                                                                                     .ToString());
            Credentials credentials   = containerManager.GetContainerCredentials();
            IPEndPoint  rmBindAddress = rm.GetApplicationMasterService().GetBindAddress();

            Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> amRMToken = TestAMAuthorization.MockRMWithAMS
                                                                                 .SetupAndReturnAMRMToken(rmBindAddress, credentials.GetAllTokens());
            currentUser.AddToken(amRMToken);
            ApplicationMasterProtocol client = currentUser.DoAs(new _PrivilegedAction_626(rpc
                                                                                          , rmBindAddress, conf));
            RegisterApplicationMasterRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
                                                       <RegisterApplicationMasterRequest>();

            client.RegisterApplicationMaster(request);
            ResourceBlacklistRequest blacklistRequest = ResourceBlacklistRequest.NewInstance(
                Sharpen.Collections.SingletonList(ResourceRequest.Any), null);
            AllocateRequest allocateRequest = AllocateRequest.NewInstance(0, 0.0f, null, null
                                                                          , blacklistRequest);
            bool error = false;

            try
            {
                client.Allocate(allocateRequest);
            }
            catch (InvalidResourceBlacklistRequestException)
            {
                error = true;
            }
            rm.Stop();
            NUnit.Framework.Assert.IsTrue("Didn't not catch InvalidResourceBlacklistRequestException"
                                          , error);
        }
Esempio n. 16
0
        /// <exception cref="System.Exception"/>
        public virtual void TestAddNamedToken <T>()
            where T : TokenIdentifier
        {
            // from Mockito mocks
            UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("someone");

            Org.Apache.Hadoop.Security.Token.Token <T> t1 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
                                                                                      >();
            Text service1 = new Text("t1");
            Text service2 = new Text("t2");

            Org.Mockito.Mockito.When(t1.GetService()).ThenReturn(service1);
            // add token
            ugi.AddToken(service1, t1);
            NUnit.Framework.Assert.AreSame(t1, ugi.GetCredentials().GetToken(service1));
            // add token with another name
            ugi.AddToken(service2, t1);
            NUnit.Framework.Assert.AreSame(t1, ugi.GetCredentials().GetToken(service1));
            NUnit.Framework.Assert.AreSame(t1, ugi.GetCredentials().GetToken(service2));
        }
Esempio n. 17
0
        public virtual void TestAuthorizedAccess()
        {
            TestAMAuthorization.MyContainerManager containerManager = new TestAMAuthorization.MyContainerManager
                                                                          ();
            rm = new TestAMAuthorization.MockRMWithAMS(conf, containerManager);
            rm.Start();
            MockNM nm1 = rm.RegisterNode("localhost:1234", 5120);
            IDictionary <ApplicationAccessType, string> acls = new Dictionary <ApplicationAccessType
                                                                               , string>(2);

            acls[ApplicationAccessType.ViewApp] = "*";
            RMApp app = rm.SubmitApp(1024, "appname", "appuser", acls);

            nm1.NodeHeartbeat(true);
            int waitCount = 0;

            while (containerManager.containerTokens == null && waitCount++ < 20)
            {
                Log.Info("Waiting for AM Launch to happen..");
                Sharpen.Thread.Sleep(1000);
            }
            NUnit.Framework.Assert.IsNotNull(containerManager.containerTokens);
            RMAppAttempt         attempt = app.GetCurrentAppAttempt();
            ApplicationAttemptId applicationAttemptId = attempt.GetAppAttemptId();

            WaitForLaunchedState(attempt);
            // Create a client to the RM.
            Configuration        conf        = rm.GetConfig();
            YarnRPC              rpc         = YarnRPC.Create(conf);
            UserGroupInformation currentUser = UserGroupInformation.CreateRemoteUser(applicationAttemptId
                                                                                     .ToString());
            Credentials credentials   = containerManager.GetContainerCredentials();
            IPEndPoint  rmBindAddress = rm.GetApplicationMasterService().GetBindAddress();

            Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> amRMToken = TestAMAuthorization.MockRMWithAMS
                                                                                 .SetupAndReturnAMRMToken(rmBindAddress, credentials.GetAllTokens());
            currentUser.AddToken(amRMToken);
            ApplicationMasterProtocol client = currentUser.DoAs(new _PrivilegedAction_206(this
                                                                                          , rpc, conf));
            RegisterApplicationMasterRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
                                                       <RegisterApplicationMasterRequest>();
            RegisterApplicationMasterResponse response = client.RegisterApplicationMaster(request
                                                                                          );

            NUnit.Framework.Assert.IsNotNull(response.GetClientToAMTokenMasterKey());
            if (UserGroupInformation.IsSecurityEnabled())
            {
                NUnit.Framework.Assert.IsTrue(((byte[])response.GetClientToAMTokenMasterKey().Array
                                                   ()).Length > 0);
            }
            NUnit.Framework.Assert.AreEqual("Register response has bad ACLs", "*", response.GetApplicationACLs
                                                ()[ApplicationAccessType.ViewApp]);
        }
Esempio n. 18
0
        public virtual void TestPrivateTokenExclusion()
        {
            UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();

            TestSaslRPC.TestTokenIdentifier tokenId = new TestSaslRPC.TestTokenIdentifier();
            Org.Apache.Hadoop.Security.Token.Token <TestSaslRPC.TestTokenIdentifier> token = new
                                                                                             Org.Apache.Hadoop.Security.Token.Token <TestSaslRPC.TestTokenIdentifier>(tokenId.
                                                                                                                                                                      GetBytes(), Runtime.GetBytesForString("password"), tokenId.GetKind(), null
                                                                                                                                                                      );
            ugi.AddToken(new Text("regular-token"), token);
            // Now add cloned private token
            ugi.AddToken(new Text("private-token"), new Token.PrivateToken <TestSaslRPC.TestTokenIdentifier
                                                                            >(token));
            ugi.AddToken(new Text("private-token1"), new Token.PrivateToken <TestSaslRPC.TestTokenIdentifier
                                                                             >(token));
            // Ensure only non-private tokens are returned
            ICollection <Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> > tokens = ugi
                                                                                             .GetCredentials().GetAllTokens();

            Assert.Equal(1, tokens.Count);
        }
Esempio n. 19
0
        private MRClientProtocol GetMRClientProtocol(Token token, IPEndPoint hsAddress, string
                                                     user, Configuration conf)
        {
            UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(user);

            ugi.AddToken(ConverterUtils.ConvertFromYarn(token, hsAddress));
            YarnRPC          rpc      = YarnRPC.Create(conf);
            MRClientProtocol hsWithDT = ugi.DoAs(new _PrivilegedAction_288(rpc, hsAddress, conf
                                                                           ));

            return(hsWithDT);
        }
Esempio n. 20
0
        /// <exception cref="System.Exception"/>
        public virtual void TestAddToken <T>()
            where T : TokenIdentifier
        {
            // from Mockito mocks
            UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("someone");

            Org.Apache.Hadoop.Security.Token.Token <T> t1 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
                                                                                      >();
            Org.Apache.Hadoop.Security.Token.Token <T> t2 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
                                                                                      >();
            Org.Apache.Hadoop.Security.Token.Token <T> t3 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
                                                                                      >();
            // add token to ugi
            ugi.AddToken(t1);
            CheckTokens(ugi, t1);
            // replace token t1 with t2 - with same key (null)
            ugi.AddToken(t2);
            CheckTokens(ugi, t2);
            // change t1 service and add token
            Org.Mockito.Mockito.When(t1.GetService()).ThenReturn(new Text("t1"));
            ugi.AddToken(t1);
            CheckTokens(ugi, t1, t2);
            // overwrite t1 token with t3 - same key (!null)
            Org.Mockito.Mockito.When(t3.GetService()).ThenReturn(new Text("t1"));
            ugi.AddToken(t3);
            CheckTokens(ugi, t2, t3);
            // just try to re-add with new name
            Org.Mockito.Mockito.When(t1.GetService()).ThenReturn(new Text("t1.1"));
            ugi.AddToken(t1);
            CheckTokens(ugi, t1, t2, t3);
            // just try to re-add with new name again
            ugi.AddToken(t1);
            CheckTokens(ugi, t1, t2, t3);
        }
Esempio n. 21
0
        /// <exception cref="System.IO.IOException"/>
        private void UpdateAMRMToken(Token token)
        {
            Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> amrmToken = new Org.Apache.Hadoop.Security.Token.Token
                                                                                     <AMRMTokenIdentifier>(((byte[])token.GetIdentifier().Array()), ((byte[])token.GetPassword
                                                                                                                                                         ().Array()), new Text(token.GetKind()), new Text(token.GetService()));
            // Preserve the token service sent by the RM when adding the token
            // to ensure we replace the previous token setup by the RM.
            // Afterwards we can update the service address for the RPC layer.
            UserGroupInformation currentUGI = UserGroupInformation.GetCurrentUser();

            currentUGI.AddToken(amrmToken);
            amrmToken.SetService(ClientRMProxy.GetAMRMTokenService(GetConfig()));
        }
Esempio n. 22
0
        /// <exception cref="System.IO.IOException"/>
        private UserGroupInformation TokenUGI()
        {
            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = @params
                                                                                       .DelegationToken();
            ByteArrayInputStream      buf = new ByteArrayInputStream(token.GetIdentifier());
            DataInputStream           @in = new DataInputStream(buf);
            DelegationTokenIdentifier id  = new DelegationTokenIdentifier();

            id.ReadFields(@in);
            UserGroupInformation ugi = id.GetUser();

            ugi.AddToken(token);
            return(ugi);
        }
Esempio n. 23
0
        public virtual void TestAMRMTokenUpdate()
        {
            Configuration        conf      = new Configuration();
            ApplicationAttemptId attemptId = ApplicationAttemptId.NewInstance(ApplicationId.NewInstance
                                                                                  (1, 1), 1);
            AMRMTokenIdentifier oldTokenId = new AMRMTokenIdentifier(attemptId, 1);
            AMRMTokenIdentifier newTokenId = new AMRMTokenIdentifier(attemptId, 2);

            Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> oldToken = new Org.Apache.Hadoop.Security.Token.Token
                                                                                    <AMRMTokenIdentifier>(oldTokenId.GetBytes(), Sharpen.Runtime.GetBytesForString("oldpassword"
                                                                                                                                                                   ), oldTokenId.GetKind(), new Text());
            Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> newToken = new Org.Apache.Hadoop.Security.Token.Token
                                                                                    <AMRMTokenIdentifier>(newTokenId.GetBytes(), Sharpen.Runtime.GetBytesForString("newpassword"
                                                                                                                                                                   ), newTokenId.GetKind(), new Text());
            TestLocalContainerAllocator.MockScheduler scheduler = new TestLocalContainerAllocator.MockScheduler
                                                                      ();
            scheduler.amToken = newToken;
            LocalContainerAllocator lca = new TestLocalContainerAllocator.StubbedLocalContainerAllocator
                                              (scheduler);

            lca.Init(conf);
            lca.Start();
            UserGroupInformation testUgi = UserGroupInformation.CreateUserForTesting("someuser"
                                                                                     , new string[0]);

            testUgi.AddToken(oldToken);
            testUgi.DoAs(new _PrivilegedExceptionAction_144(lca));
            lca.Close();
            // verify there is only one AMRM token in the UGI and it matches the
            // updated token from the RM
            int tokenCount = 0;

            Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> ugiToken = null;
            foreach (Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> token in testUgi
                     .GetTokens())
            {
                if (AMRMTokenIdentifier.KindName.Equals(token.GetKind()))
                {
                    ugiToken = token;
                    ++tokenCount;
                }
            }
            NUnit.Framework.Assert.AreEqual("too many AMRM tokens", 1, tokenCount);
            Assert.AssertArrayEquals("token identifier not updated", newToken.GetIdentifier()
                                     , ugiToken.GetIdentifier());
            Assert.AssertArrayEquals("token password not updated", newToken.GetPassword(), ugiToken
                                     .GetPassword());
            NUnit.Framework.Assert.AreEqual("AMRM token service not updated", new Text(ClientRMProxy
                                                                                       .GetAMRMTokenService(conf)), ugiToken.GetService());
        }
Esempio n. 24
0
        private ApplicationClientProtocol GetClientRMProtocolWithDT(Org.Apache.Hadoop.Yarn.Api.Records.Token
                                                                    token, IPEndPoint rmAddress, string user, Configuration conf)
        {
            // Maybe consider converting to Hadoop token, serialize de-serialize etc
            // before trying to renew the token.
            UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(user);

            ugi.AddToken(ConverterUtils.ConvertFromYarn(token, rmAddress));
            YarnRPC rpc = YarnRPC.Create(conf);
            ApplicationClientProtocol clientRMWithDT = ugi.DoAs(new _PrivilegedAction_464(rpc
                                                                                          , rmAddress, conf));

            return(clientRMWithDT);
        }
Esempio n. 25
0
        protected internal virtual ContainerManagementProtocol GetContainerManagementProtocolProxy
            (YarnRPC rpc, Org.Apache.Hadoop.Yarn.Api.Records.Token nmToken, NodeId nodeId, string
            user)
        {
            ContainerManagementProtocol proxy;
            UserGroupInformation        ugi = UserGroupInformation.CreateRemoteUser(user);
            IPEndPoint addr = NetUtils.CreateSocketAddr(nodeId.GetHost(), nodeId.GetPort());

            if (nmToken != null)
            {
                ugi.AddToken(ConverterUtils.ConvertFromYarn(nmToken, addr));
            }
            proxy = NMProxy.CreateNMProxy <ContainerManagementProtocol>(conf, ugi, rpc, addr);
            return(proxy);
        }
Esempio n. 26
0
        // Protected. For tests.
        protected internal virtual ContainerManagementProtocol GetContainerMgrProxy(ContainerId
                                                                                    containerId)
        {
            NodeId     node = masterContainer.GetNodeId();
            IPEndPoint containerManagerConnectAddress = NetUtils.CreateSocketAddrForHost(node
                                                                                         .GetHost(), node.GetPort());
            YarnRPC rpc = GetYarnRPC();
            UserGroupInformation currentUser = UserGroupInformation.CreateRemoteUser(containerId
                                                                                     .GetApplicationAttemptId().ToString());
            string user = rmContext.GetRMApps()[containerId.GetApplicationAttemptId().GetApplicationId
                                                    ()].GetUser();
            Token token = rmContext.GetNMTokenSecretManager().CreateNMToken(containerId.GetApplicationAttemptId
                                                                                (), node, user);

            currentUser.AddToken(ConverterUtils.ConvertFromYarn(token, containerManagerConnectAddress
                                                                ));
            return(NMProxy.CreateNMProxy <ContainerManagementProtocol>(conf, currentUser, rpc,
                                                                       containerManagerConnectAddress));
        }
Esempio n. 27
0
 /// <exception cref="System.IO.IOException"/>
 private WebHdfsFileSystem GetWebHdfsFileSystem(UserGroupInformation ugi, Configuration
                                                conf)
 {
     if (UserGroupInformation.IsSecurityEnabled())
     {
         DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(new Text(ugi.GetUserName
                                                                                     ()), null, null);
         FSNamesystem namesystem = Org.Mockito.Mockito.Mock <FSNamesystem>();
         DelegationTokenSecretManager dtSecretManager = new DelegationTokenSecretManager(86400000
                                                                                         , 86400000, 86400000, 86400000, namesystem);
         dtSecretManager.StartThreads();
         Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
                                                                                    <DelegationTokenIdentifier>(dtId, dtSecretManager);
         SecurityUtil.SetTokenService(token, NetUtils.CreateSocketAddr(uri.GetAuthority())
                                      );
         token.SetKind(WebHdfsFileSystem.TokenKind);
         ugi.AddToken(token);
     }
     return((WebHdfsFileSystem)FileSystem.Get(uri, conf));
 }
Esempio n. 28
0
            protected internal virtual ContainerManagementProtocol NewProxy(YarnRPC rpc, string
                                                                            containerManagerBindAddr, ContainerId containerId, Token token)
            {
                if (token == null)
                {
                    throw new SecretManager.InvalidToken("No NMToken sent for " + containerManagerBindAddr
                                                         );
                }
                IPEndPoint cmAddr = NetUtils.CreateSocketAddr(containerManagerBindAddr);

                ContainerManagementProtocolProxy.Log.Info("Opening proxy : " + containerManagerBindAddr
                                                          );
                // the user in createRemoteUser in this context has to be ContainerID
                UserGroupInformation user = UserGroupInformation.CreateRemoteUser(containerId.GetApplicationAttemptId
                                                                                      ().ToString());

                Org.Apache.Hadoop.Security.Token.Token <NMTokenIdentifier> nmToken = ConverterUtils
                                                                                     .ConvertFromYarn(token, cmAddr);
                user.AddToken(nmToken);
                return(NMProxy.CreateNMProxy <ContainerManagementProtocol>(this._enclosing.conf, user
                                                                           , rpc, cmAddr));
            }
        /// <summary>
        /// Test if StandbyException can be thrown from StandbyNN, when it's requested for
        /// password.
        /// </summary>
        /// <remarks>
        /// Test if StandbyException can be thrown from StandbyNN, when it's requested for
        /// password. (HDFS-6475). With StandbyException, the client can failover to try
        /// activeNN.
        /// </remarks>
        /// <exception cref="System.Exception"/>
        public virtual void TestDelegationTokenStandbyNNAppearFirst()
        {
            // make nn0 the standby NN, and nn1 the active NN
            cluster.TransitionToStandby(0);
            cluster.TransitionToActive(1);
            DelegationTokenSecretManager stSecretManager = NameNodeAdapter.GetDtSecretManager
                                                               (nn1.GetNamesystem());

            // create token
            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = GetDelegationToken
                                                                                           (fs, "JobTracker");
            DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();

            byte[] tokenId = token.GetIdentifier();
            identifier.ReadFields(new DataInputStream(new ByteArrayInputStream(tokenId)));
            NUnit.Framework.Assert.IsTrue(null != stSecretManager.RetrievePassword(identifier
                                                                                   ));
            UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("JobTracker");

            ugi.AddToken(token);
            ugi.DoAs(new _PrivilegedExceptionAction_406(identifier));
        }
Esempio n. 30
0
        /// <exception cref="System.Exception"/>
        public virtual void TestNMProxyRetry()
        {
            containerManager.Start();
            containerManager.SetBlockNewContainerRequests(false);
            StartContainersRequest allRequests = Records.NewRecord <StartContainersRequest>();
            ApplicationId          appId       = ApplicationId.NewInstance(1, 1);
            ApplicationAttemptId   attemptId   = ApplicationAttemptId.NewInstance(appId, 1);
            Token nmToken = context.GetNMTokenSecretManager().CreateNMToken(attemptId, context
                                                                            .GetNodeId(), user);
            IPEndPoint address = conf.GetSocketAddr(YarnConfiguration.NmBindHost, YarnConfiguration
                                                    .NmAddress, YarnConfiguration.DefaultNmAddress, YarnConfiguration.DefaultNmPort);

            Org.Apache.Hadoop.Security.Token.Token <NMTokenIdentifier> token = ConverterUtils.
                                                                               ConvertFromYarn(nmToken, SecurityUtil.BuildTokenService(address));
            UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(user);

            ugi.AddToken(token);
            ContainerManagementProtocol proxy = NMProxy.CreateNMProxy <ContainerManagementProtocol
                                                                       >(conf, ugi, YarnRPC.Create(conf), address);

            retryCount = 0;
            shouldThrowNMNotYetReadyException = false;
            proxy.StartContainers(allRequests);
            NUnit.Framework.Assert.AreEqual(5, retryCount);
            retryCount = 0;
            shouldThrowNMNotYetReadyException = false;
            proxy.StopContainers(Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <StopContainersRequest
                                                                                >());
            NUnit.Framework.Assert.AreEqual(5, retryCount);
            retryCount = 0;
            shouldThrowNMNotYetReadyException = false;
            proxy.GetContainerStatuses(Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetContainerStatusesRequest
                                                                                      >());
            NUnit.Framework.Assert.AreEqual(5, retryCount);
            retryCount = 0;
            shouldThrowNMNotYetReadyException = true;
            proxy.StartContainers(allRequests);
            NUnit.Framework.Assert.AreEqual(5, retryCount);
        }