public virtual void TestGetUgi()
{
conf.Set(DFSConfigKeys.FsDefaultNameKey, "hdfs://localhost:4321/");
HttpServletRequest request = Org.Mockito.Mockito.Mock <HttpServletRequest>();
ServletContext context = Org.Mockito.Mockito.Mock <ServletContext>();
string user = "******";
Text userText = new Text(user);
DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(userText, userText
, null);
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>(dtId, new TestJspHelper.DummySecretManager(0, 0, 0,
0));
string tokenString = token.EncodeToUrlString();
Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName))
.ThenReturn(tokenString);
Org.Mockito.Mockito.When(request.GetRemoteUser()).ThenReturn(user);
//Test attribute in the url to be used as service in the token.
Org.Mockito.Mockito.When(request.GetParameter(JspHelper.NamenodeAddress)).ThenReturn
("1.1.1.1:1111");
conf.Set(DFSConfigKeys.HadoopSecurityAuthentication, "kerberos");
UserGroupInformation.SetConfiguration(conf);
VerifyServiceInToken(context, request, "1.1.1.1:1111");
//Test attribute name.node.address
//Set the nnaddr url parameter to null.
Org.Mockito.Mockito.When(request.GetParameter(JspHelper.NamenodeAddress)).ThenReturn
(null);
IPEndPoint addr = new IPEndPoint("localhost", 2222);
Org.Mockito.Mockito.When(context.GetAttribute(NameNodeHttpServer.NamenodeAddressAttributeKey
)).ThenReturn(addr);
VerifyServiceInToken(context, request, addr.Address.GetHostAddress() + ":2222");
//Test service already set in the token
token.SetService(new Text("3.3.3.3:3333"));
tokenString = token.EncodeToUrlString();
//Set the name.node.address attribute in Servlet context to null
Org.Mockito.Mockito.When(context.GetAttribute(NameNodeHttpServer.NamenodeAddressAttributeKey
)).ThenReturn(null);
Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName))
.ThenReturn(tokenString);
VerifyServiceInToken(context, request, "3.3.3.3:3333");
}
/// <exception cref="System.IO.IOException"/>
private static IDictionary <string, object> ToJsonMap <_T0>(Org.Apache.Hadoop.Security.Token.Token
<_T0> token)
where _T0 : TokenIdentifier
{
if (token == null)
{
return(null);
}
IDictionary <string, object> m = new SortedDictionary <string, object>();
m["urlString"] = token.EncodeToUrlString();
return(m);
}
/// <exception cref="System.Exception"/>
private void TestRenewToken()
{
DelegationTokenAuthenticator.DelegationTokenOperation op = DelegationTokenAuthenticator.DelegationTokenOperation
.Renewdelegationtoken;
HttpServletRequest request = Org.Mockito.Mockito.Mock <HttpServletRequest>();
HttpServletResponse response = Org.Mockito.Mockito.Mock <HttpServletResponse>();
Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator
.OpParam + "=" + op.ToString());
Org.Mockito.Mockito.When(request.GetMethod()).ThenReturn(op.GetHttpMethod());
NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(null, request, response
));
Org.Mockito.Mockito.Verify(response).SetStatus(Org.Mockito.Mockito.Eq(HttpServletResponse
.ScUnauthorized));
Org.Mockito.Mockito.Verify(response).SetHeader(Org.Mockito.Mockito.Eq(KerberosAuthenticator
.WwwAuthenticate), Org.Mockito.Mockito.Eq("mock"));
Org.Mockito.Mockito.Reset(response);
AuthenticationToken token = Org.Mockito.Mockito.Mock <AuthenticationToken>();
Org.Mockito.Mockito.When(token.GetUserName()).ThenReturn("user");
NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(token, request, response
));
Org.Mockito.Mockito.Verify(response).SendError(Org.Mockito.Mockito.Eq(HttpServletResponse
.ScBadRequest), Org.Mockito.Mockito.Contains("requires the parameter [token]"));
Org.Mockito.Mockito.Reset(response);
StringWriter writer = new StringWriter();
PrintWriter pwriter = new PrintWriter(writer);
Org.Mockito.Mockito.When(response.GetWriter()).ThenReturn(pwriter);
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> dToken = (Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>)handler.GetTokenManager().CreateToken(UserGroupInformation
.GetCurrentUser(), "user");
Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator
.OpParam + "=" + op.ToString() + "&" + DelegationTokenAuthenticator.TokenParam +
"=" + dToken.EncodeToUrlString());
NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(token, request, response
));
Org.Mockito.Mockito.Verify(response).SetStatus(HttpServletResponse.ScOk);
pwriter.Close();
Assert.True(writer.ToString().Contains("long"));
handler.GetTokenManager().VerifyToken(dToken);
}
/// <exception cref="System.Exception"/>
private void TestCancelToken()
{
DelegationTokenAuthenticator.DelegationTokenOperation op = DelegationTokenAuthenticator.DelegationTokenOperation
.Canceldelegationtoken;
HttpServletRequest request = Org.Mockito.Mockito.Mock <HttpServletRequest>();
HttpServletResponse response = Org.Mockito.Mockito.Mock <HttpServletResponse>();
Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator
.OpParam + "=" + op.ToString());
Org.Mockito.Mockito.When(request.GetMethod()).ThenReturn(op.GetHttpMethod());
NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(null, request, response
));
Org.Mockito.Mockito.Verify(response).SendError(Org.Mockito.Mockito.Eq(HttpServletResponse
.ScBadRequest), Org.Mockito.Mockito.Contains("requires the parameter [token]"));
Org.Mockito.Mockito.Reset(response);
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = (Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>)handler.GetTokenManager().CreateToken(UserGroupInformation
.GetCurrentUser(), "foo");
Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator
.OpParam + "=" + op.ToString() + "&" + DelegationTokenAuthenticator.TokenParam +
"=" + token.EncodeToUrlString());
NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(null, request, response
));
Org.Mockito.Mockito.Verify(response).SetStatus(HttpServletResponse.ScOk);
try
{
handler.GetTokenManager().VerifyToken(token);
NUnit.Framework.Assert.Fail();
}
catch (SecretManager.InvalidToken)
{
}
catch
{
//NOP
NUnit.Framework.Assert.Fail();
}
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
/// "/>
private IDictionary DoDelegationTokenOperation <_T0>(Uri url, AuthenticatedURL.Token
token, DelegationTokenAuthenticator.DelegationTokenOperation operation, string
renewer, Org.Apache.Hadoop.Security.Token.Token <_T0> dToken, bool hasResponse, string
doAsUser)
where _T0 : TokenIdentifier
{
IDictionary ret = null;
IDictionary <string, string> @params = new Dictionary <string, string>();
@params[OpParam] = operation.ToString();
if (renewer != null)
{
@params[RenewerParam] = renewer;
}
if (dToken != null)
{
@params[TokenParam] = dToken.EncodeToUrlString();
}
// proxyuser
if (doAsUser != null)
{
@params[DelegationTokenAuthenticatedURL.DoAs] = URLEncoder.Encode(doAsUser, "UTF-8"
);
}
string urlStr = url.ToExternalForm();
StringBuilder sb = new StringBuilder(urlStr);
string separator = (urlStr.Contains("?")) ? "&" : "?";
foreach (KeyValuePair <string, string> entry in @params)
{
sb.Append(separator).Append(entry.Key).Append("=").Append(URLEncoder.Encode(entry
.Value, "UTF8"));
separator = "&";
}
url = new Uri(sb.ToString());
AuthenticatedURL aUrl = new AuthenticatedURL(this, connConfigurator);
HttpURLConnection conn = aUrl.OpenConnection(url, token);
conn.SetRequestMethod(operation.GetHttpMethod());
HttpExceptionUtils.ValidateResponse(conn, HttpURLConnection.HttpOk);
if (hasResponse)
{
string contentType = conn.GetHeaderField(ContentType);
contentType = (contentType != null) ? StringUtils.ToLowerCase(contentType) : null;
if (contentType != null && contentType.Contains(ApplicationJsonMime))
{
try
{
ObjectMapper mapper = new ObjectMapper();
ret = mapper.ReadValue <IDictionary>(conn.GetInputStream());
}
catch (Exception ex)
{
throw new AuthenticationException(string.Format("'%s' did not handle the '%s' delegation token operation: %s"
, url.GetAuthority(), operation, ex.Message), ex);
}
}
else
{
throw new AuthenticationException(string.Format("'%s' did not " + "respond with JSON to the '%s' delegation token operation"
, url.GetAuthority(), operation));
}
}
return(ret);
}
/// <summary>
/// Returns an authenticated
/// <see cref="HttpURLConnection"/>
/// . If the Delegation
/// Token is present, it will be used taking precedence over the configured
/// <code>Authenticator</code>. If the <code>doAs</code> parameter is not NULL,
/// the request will be done on behalf of the specified <code>doAs</code> user.
/// </summary>
/// <param name="url">the URL to connect to. Only HTTP/S URLs are supported.</param>
/// <param name="token">the authentication token being used for the user.</param>
/// <param name="doAs">
/// user to do the the request on behalf of, if NULL the request is
/// as self.
/// </param>
/// <returns>
/// an authenticated
/// <see cref="HttpURLConnection"/>
/// .
/// </returns>
/// <exception cref="System.IO.IOException">if an IO error occurred.</exception>
/// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
/// ">if an authentication exception occurred.</exception>
public virtual HttpURLConnection OpenConnection(Uri url, DelegationTokenAuthenticatedURL.Token
token, string doAs)
{
Preconditions.CheckNotNull(url, "url");
Preconditions.CheckNotNull(token, "token");
IDictionary <string, string> extraParams = new Dictionary <string, string>();
Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> dToken = null;
// if we have valid auth token, it takes precedence over a delegation token
// and we don't even look for one.
if (!token.IsSet())
{
// delegation token
Credentials creds = UserGroupInformation.GetCurrentUser().GetCredentials();
if (!creds.GetAllTokens().IsEmpty())
{
IPEndPoint serviceAddr = new IPEndPoint(url.GetHost(), url.Port);
Text service = SecurityUtil.BuildTokenService(serviceAddr);
dToken = creds.GetToken(service);
if (dToken != null)
{
if (UseQueryStringForDelegationToken())
{
// delegation token will go in the query string, injecting it
extraParams[KerberosDelegationTokenAuthenticator.DelegationParam] = dToken.EncodeToUrlString
();
}
else
{
// delegation token will go as request header, setting it in the
// auth-token to ensure no authentication handshake is triggered
// (if we have a delegation token, we are authenticated)
// the delegation token header is injected in the connection request
// at the end of this method.
token.delegationToken = (Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier
>)dToken;
}
}
}
}
// proxyuser
if (doAs != null)
{
extraParams[DoAs] = URLEncoder.Encode(doAs, "UTF-8");
}
url = AugmentURL(url, extraParams);
HttpURLConnection conn = base.OpenConnection(url, token);
if (!token.IsSet() && !UseQueryStringForDelegationToken() && dToken != null)
{
// injecting the delegation token header in the connection request
conn.SetRequestProperty(DelegationTokenAuthenticator.DelegationTokenHeader, dToken
.EncodeToUrlString());
}
return(conn);
}
public virtual void TestGetUgiFromToken()
{
conf.Set(DFSConfigKeys.FsDefaultNameKey, "hdfs://localhost:4321/");
ServletContext context = Org.Mockito.Mockito.Mock <ServletContext>();
string realUser = "******";
string user = "******";
conf.Set(DFSConfigKeys.HadoopSecurityAuthentication, "kerberos");
UserGroupInformation.SetConfiguration(conf);
UserGroupInformation ugi;
HttpServletRequest request;
Text ownerText = new Text(user);
DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(ownerText, ownerText
, new Text(realUser));
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>(dtId, new TestJspHelper.DummySecretManager(0, 0, 0,
0));
string tokenString = token.EncodeToUrlString();
// token with no auth-ed user
request = GetMockRequest(null, null, null);
Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName))
.ThenReturn(tokenString);
ugi = JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser());
NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser);
NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user);
CheckUgiFromToken(ugi);
// token with auth-ed user
request = GetMockRequest(realUser, null, null);
Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName))
.ThenReturn(tokenString);
ugi = JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser());
NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser);
NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user);
CheckUgiFromToken(ugi);
// completely different user, token trumps auth
request = GetMockRequest("rogue", null, null);
Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName))
.ThenReturn(tokenString);
ugi = JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser());
NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser);
NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user);
CheckUgiFromToken(ugi);
// expected case
request = GetMockRequest(null, user, null);
Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName))
.ThenReturn(tokenString);
ugi = JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser());
NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser);
NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user);
CheckUgiFromToken(ugi);
// can't proxy with a token!
request = GetMockRequest(null, null, "rogue");
Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName))
.ThenReturn(tokenString);
try
{
JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.Fail("bad request allowed");
}
catch (IOException ioe)
{
NUnit.Framework.Assert.AreEqual("Usernames not matched: name=rogue != expected="
+ user, ioe.Message);
}
// can't proxy with a token!
request = GetMockRequest(null, user, "rogue");
Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName))
.ThenReturn(tokenString);
try
{
JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.Fail("bad request allowed");
}
catch (IOException ioe)
{
NUnit.Framework.Assert.AreEqual("Usernames not matched: name=rogue != expected="
+ user, ioe.Message);
}
}
/// <exception cref="System.Exception"/>
private void TestValidDelegationTokenHeader()
{
HttpServletRequest request = Org.Mockito.Mockito.Mock <HttpServletRequest>();
HttpServletResponse response = Org.Mockito.Mockito.Mock <HttpServletResponse>();
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> dToken = (Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>)handler.GetTokenManager().CreateToken(UserGroupInformation
.GetCurrentUser(), "user");
Org.Mockito.Mockito.When(request.GetHeader(Org.Mockito.Mockito.Eq(DelegationTokenAuthenticator
.DelegationTokenHeader))).ThenReturn(dToken.EncodeToUrlString());
AuthenticationToken token = handler.Authenticate(request, response);
Assert.Equal(UserGroupInformation.GetCurrentUser().GetShortUserName
(), token.GetUserName());
Assert.Equal(0, token.GetExpires());
Assert.Equal(handler.GetType(), token.GetType());
Assert.True(token.IsExpired());
}
