/// <exception cref="System.Exception"/>
public virtual void TestNameRules()
{
KerberosName kn = new KerberosName(KerberosTestUtils.GetServerPrincipal());
Assert.Equal(KerberosTestUtils.GetRealm(), kn.GetRealm());
//destroy handler created in setUp()
handler.Destroy();
KerberosName.SetRules("RULE:[1:$1@$0](.*@FOO)s/@.*//\nDEFAULT");
handler = GetNewAuthenticationHandler();
Properties props = GetDefaultProperties();
props.SetProperty(KerberosAuthenticationHandler.NameRules, "RULE:[1:$1@$0](.*@BAR)s/@.*//\nDEFAULT"
);
try
{
handler.Init(props);
}
catch (Exception)
{
}
kn = new KerberosName("bar@BAR");
Assert.Equal("bar", kn.GetShortName());
kn = new KerberosName("bar@FOO");
try
{
kn.GetShortName();
NUnit.Framework.Assert.Fail();
}
catch (Exception)
{
}
}
internal virtual string GetServerPrincipal(RpcHeaderProtos.RpcSaslProto.SaslAuth
authType)
{
KerberosInfo krbInfo = SecurityUtil.GetKerberosInfo(protocol, conf);
Log.Debug("Get kerberos info proto:" + protocol + " info:" + krbInfo);
if (krbInfo == null)
{
// protocol has no support for kerberos
return(null);
}
string serverKey = krbInfo.ServerPrincipal();
if (serverKey == null)
{
throw new ArgumentException("Can't obtain server Kerberos config key from protocol="
+ protocol.GetCanonicalName());
}
// construct server advertised principal for comparision
string serverPrincipal = new KerberosPrincipal(authType.GetProtocol() + "/" + authType
.GetServerId(), KerberosPrincipal.KrbNtSrvHst).GetName();
bool isPrincipalValid = false;
// use the pattern if defined
string serverKeyPattern = conf.Get(serverKey + ".pattern");
if (serverKeyPattern != null && !serverKeyPattern.IsEmpty())
{
Pattern pattern = GlobPattern.Compile(serverKeyPattern);
isPrincipalValid = pattern.Matcher(serverPrincipal).Matches();
}
else
{
// check that the server advertised principal matches our conf
string confPrincipal = SecurityUtil.GetServerPrincipal(conf.Get(serverKey), serverAddr
.Address);
if (Log.IsDebugEnabled())
{
Log.Debug("getting serverKey: " + serverKey + " conf value: " + conf.Get(serverKey
) + " principal: " + confPrincipal);
}
if (confPrincipal == null || confPrincipal.IsEmpty())
{
throw new ArgumentException("Failed to specify server's Kerberos principal name");
}
KerberosName name = new KerberosName(confPrincipal);
if (name.GetHostName() == null)
{
throw new ArgumentException("Kerberos principal name does NOT have the expected hostname part: "
+ confPrincipal);
}
isPrincipalValid = serverPrincipal.Equals(confPrincipal);
}
if (!isPrincipalValid)
{
throw new ArgumentException("Server has invalid Kerberos principal: " + serverPrincipal
);
}
return(serverPrincipal);
}
public virtual void TestKerberosRulesValid()
{
NUnit.Framework.Assert.IsTrue("!KerberosName.hasRulesBeenSet()", KerberosName.HasRulesBeenSet
());
string rules = KerberosName.GetRules();
NUnit.Framework.Assert.AreEqual(kerberosRule, rules);
Log.Info(rules);
}
/// <exception cref="System.Exception"/>
public AuthenticationToken Run()
{
AuthenticationToken token = null;
GSSContext gssContext = null;
GSSCredential gssCreds = null;
try
{
gssCreds = this._enclosing.gssManager.CreateCredential(this._enclosing.gssManager
.CreateName(KerberosUtil.GetServicePrincipal("HTTP", serverName), KerberosUtil.GetOidInstance
("NT_GSS_KRB5_PRINCIPAL")), GSSCredential.IndefiniteLifetime, new Oid[] { KerberosUtil
.GetOidInstance("GSS_SPNEGO_MECH_OID"), KerberosUtil.GetOidInstance("GSS_KRB5_MECH_OID"
) }, GSSCredential.AcceptOnly);
gssContext = this._enclosing.gssManager.CreateContext(gssCreds);
byte[] serverToken = gssContext.AcceptSecContext(clientToken, 0, clientToken.Length
);
if (serverToken != null && serverToken.Length > 0)
{
string authenticate = base64.EncodeToString(serverToken);
response.SetHeader(KerberosAuthenticator.WwwAuthenticate, KerberosAuthenticator.Negotiate
+ " " + authenticate);
}
if (!gssContext.IsEstablished())
{
response.SetStatus(HttpServletResponse.ScUnauthorized);
KerberosAuthenticationHandler.Log.Trace("SPNEGO in progress");
}
else
{
string clientPrincipal = gssContext.GetSrcName().ToString();
KerberosName kerberosName = new KerberosName(clientPrincipal);
string userName = kerberosName.GetShortName();
token = new AuthenticationToken(userName, clientPrincipal, this._enclosing.GetType
());
response.SetStatus(HttpServletResponse.ScOk);
KerberosAuthenticationHandler.Log.Trace("SPNEGO completed for principal [{}]", clientPrincipal
);
}
}
finally
{
if (gssContext != null)
{
gssContext.Dispose();
}
if (gssCreds != null)
{
gssCreds.Dispose();
}
}
return(token);
}
/// <exception cref="System.IO.IOException"/>
public virtual void TestEnsureInitWithRules()
{
string rules = "RULE:[1:RULE1]";
// trigger implicit init, rules should init
UserGroupInformation.Reset();
NUnit.Framework.Assert.IsFalse(KerberosName.HasRulesBeenSet());
UserGroupInformation.CreateUserForTesting("someone", new string[0]);
Assert.True(KerberosName.HasRulesBeenSet());
// set a rule, trigger implicit init, rule should not change
UserGroupInformation.Reset();
KerberosName.SetRules(rules);
Assert.True(KerberosName.HasRulesBeenSet());
Assert.Equal(rules, KerberosName.GetRules());
UserGroupInformation.CreateUserForTesting("someone", new string[0]);
Assert.Equal(rules, KerberosName.GetRules());
}
public virtual void TestIsValidRequestor()
{
Configuration conf = new HdfsConfiguration();
KerberosName.SetRules("RULE:[1:$1]\nRULE:[2:$1]");
// Set up generic HA configs.
conf.Set(DFSConfigKeys.DfsNameservices, "ns1");
conf.Set(DFSUtil.AddKeySuffixes(DFSConfigKeys.DfsHaNamenodesKeyPrefix, "ns1"), "nn1,nn2"
);
// Set up NN1 HA configs.
conf.Set(DFSUtil.AddKeySuffixes(DFSConfigKeys.DfsNamenodeRpcAddressKey, "ns1", "nn1"
), "host1:1234");
conf.Set(DFSUtil.AddKeySuffixes(DFSConfigKeys.DfsNamenodeKerberosPrincipalKey, "ns1"
, "nn1"), "hdfs/[email protected]");
// Set up NN2 HA configs.
conf.Set(DFSUtil.AddKeySuffixes(DFSConfigKeys.DfsNamenodeRpcAddressKey, "ns1", "nn2"
), "host2:1234");
conf.Set(DFSUtil.AddKeySuffixes(DFSConfigKeys.DfsNamenodeKerberosPrincipalKey, "ns1"
, "nn2"), "hdfs/[email protected]");
// Initialize this conf object as though we're running on NN1.
NameNode.InitializeGenericKeys(conf, "ns1", "nn1");
AccessControlList acls = Org.Mockito.Mockito.Mock <AccessControlList>();
Org.Mockito.Mockito.When(acls.IsUserAllowed(Org.Mockito.Mockito.Any <UserGroupInformation
>())).ThenReturn(false);
ServletContext context = Org.Mockito.Mockito.Mock <ServletContext>();
Org.Mockito.Mockito.When(context.GetAttribute(HttpServer2.AdminsAcl)).ThenReturn(
acls);
// Make sure that NN2 is considered a valid fsimage/edits requestor.
NUnit.Framework.Assert.IsTrue(ImageServlet.IsValidRequestor(context, "hdfs/[email protected]"
, conf));
// Mark atm as an admin.
Org.Mockito.Mockito.When(acls.IsUserAllowed(Org.Mockito.Mockito.ArgThat(new _ArgumentMatcher_76
()))).ThenReturn(true);
// Make sure that NN2 is still considered a valid requestor.
NUnit.Framework.Assert.IsTrue(ImageServlet.IsValidRequestor(context, "hdfs/[email protected]"
, conf));
// Make sure an admin is considered a valid requestor.
NUnit.Framework.Assert.IsTrue(ImageServlet.IsValidRequestor(context, "*****@*****.**"
, conf));
// Make sure other users are *not* considered valid requestors.
NUnit.Framework.Assert.IsFalse(ImageServlet.IsValidRequestor(context, "*****@*****.**"
, conf));
}
/// <summary>Expected user name should be a short name.</summary>
/// <exception cref="System.IO.IOException"/>
public static void CheckUsername(string expected, string name)
{
if (expected == null && name != null)
{
throw new IOException("Usernames not matched: expecting null but name=" + name);
}
if (name == null)
{
//name is optional, null is okay
return;
}
KerberosName u = new KerberosName(name);
string shortName = u.GetShortName();
if (!shortName.Equals(expected))
{
throw new IOException("Usernames not matched: name=" + shortName + " != expected="
+ expected);
}
}
public virtual void TestSetConfigWithRules()
{
string[] rules = new string[] { "RULE:[1:TEST1]", "RULE:[1:TEST2]", "RULE:[1:TEST3]" };
// explicitly set a rule
UserGroupInformation.Reset();
NUnit.Framework.Assert.IsFalse(KerberosName.HasRulesBeenSet());
KerberosName.SetRules(rules[0]);
Assert.True(KerberosName.HasRulesBeenSet());
Assert.Equal(rules[0], KerberosName.GetRules());
// implicit init should honor rules already being set
UserGroupInformation.CreateUserForTesting("someone", new string[0]);
Assert.Equal(rules[0], KerberosName.GetRules());
// set conf, should override
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthToLocal, rules[1]);
UserGroupInformation.SetConfiguration(conf);
Assert.Equal(rules[1], KerberosName.GetRules());
// set conf, should again override
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthToLocal, rules[2]);
UserGroupInformation.SetConfiguration(conf);
Assert.Equal(rules[2], KerberosName.GetRules());
// implicit init should honor rules already being set
UserGroupInformation.CreateUserForTesting("someone", new string[0]);
Assert.Equal(rules[2], KerberosName.GetRules());
}
//
/// <summary>Init hadoop security by setting up the UGI config</summary>
public static void InitHadoopSecurity()
{
UserGroupInformation.SetConfiguration(Conf);
KerberosName.SetRules(kerberosRule);
}
/// <summary>Initializes the authentication handler instance.</summary>
/// <remarks>
/// Initializes the authentication handler instance.
/// <p>
/// It creates a Kerberos context using the principal and keytab specified in the configuration.
/// <p>
/// This method is invoked by the
/// <see cref="AuthenticationFilter.Init(Javax.Servlet.FilterConfig)"/>
/// method.
/// </remarks>
/// <param name="config">configuration properties to initialize the handler.</param>
/// <exception cref="Javax.Servlet.ServletException">thrown if the handler could not be initialized.
/// </exception>
public override void Init(Properties config)
{
try
{
string principal = config.GetProperty(Principal);
if (principal == null || principal.Trim().Length == 0)
{
throw new ServletException("Principal not defined in configuration");
}
keytab = config.GetProperty(Keytab, keytab);
if (keytab == null || keytab.Trim().Length == 0)
{
throw new ServletException("Keytab not defined in configuration");
}
if (!new FilePath(keytab).Exists())
{
throw new ServletException("Keytab does not exist: " + keytab);
}
// use all SPNEGO principals in the keytab if a principal isn't
// specifically configured
string[] spnegoPrincipals;
if (principal.Equals("*"))
{
spnegoPrincipals = KerberosUtil.GetPrincipalNames(keytab, Pattern.Compile
("HTTP/.*"));
if (spnegoPrincipals.Length == 0)
{
throw new ServletException("Principals do not exist in the keytab");
}
}
else
{
spnegoPrincipals = new string[] { principal };
}
string nameRules = config.GetProperty(NameRules, null);
if (nameRules != null)
{
KerberosName.SetRules(nameRules);
}
foreach (string spnegoPrincipal in spnegoPrincipals)
{
Log.Info("Login using keytab {}, for principal {}", keytab, spnegoPrincipal);
KerberosAuthenticationHandler.KerberosConfiguration kerberosConfiguration = new KerberosAuthenticationHandler.KerberosConfiguration
(keytab, spnegoPrincipal);
LoginContext loginContext = new LoginContext(string.Empty, serverSubject, null, kerberosConfiguration
);
try
{
loginContext.Login();
}
catch (LoginException le)
{
Log.Warn("Failed to login as [{}]", spnegoPrincipal, le);
throw new AuthenticationException(le);
}
loginContexts.AddItem(loginContext);
}
try
{
gssManager = Subject.DoAs(serverSubject, new _PrivilegedExceptionAction_229());
}
catch (PrivilegedActionException ex)
{
throw ex.GetException();
}
}
catch (Exception ex)
{
throw new ServletException(ex);
}
}
public virtual void TestRecovery()
{
Configuration conf = new Configuration();
HistoryServerStateStoreService store = new HistoryServerMemStateStoreService();
store.Init(conf);
store.Start();
TestJHSDelegationTokenSecretManager.JHSDelegationTokenSecretManagerForTest mgr =
new TestJHSDelegationTokenSecretManager.JHSDelegationTokenSecretManagerForTest(store
);
mgr.StartThreads();
MRDelegationTokenIdentifier tokenId1 = new MRDelegationTokenIdentifier(new Text("tokenOwner"
), new Text("tokenRenewer"), new Text("tokenUser"));
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> token1 = new
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenId1, mgr
);
MRDelegationTokenIdentifier tokenId2 = new MRDelegationTokenIdentifier(new Text("tokenOwner"
), new Text("tokenRenewer"), new Text("tokenUser"));
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> token2 = new
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenId2, mgr
);
DelegationKey[] keys = mgr.GetAllKeys();
long tokenRenewDate1 = mgr.GetAllTokens()[tokenId1].GetRenewDate();
long tokenRenewDate2 = mgr.GetAllTokens()[tokenId2].GetRenewDate();
mgr.StopThreads();
mgr = new TestJHSDelegationTokenSecretManager.JHSDelegationTokenSecretManagerForTest
(store);
mgr.Recover(store.LoadState());
IList <DelegationKey> recoveredKeys = Arrays.AsList(mgr.GetAllKeys());
foreach (DelegationKey key in keys)
{
NUnit.Framework.Assert.IsTrue("key missing after recovery", recoveredKeys.Contains
(key));
}
NUnit.Framework.Assert.IsTrue("token1 missing", mgr.GetAllTokens().Contains(tokenId1
));
NUnit.Framework.Assert.AreEqual("token1 renew date", tokenRenewDate1, mgr.GetAllTokens
()[tokenId1].GetRenewDate());
NUnit.Framework.Assert.IsTrue("token2 missing", mgr.GetAllTokens().Contains(tokenId2
));
NUnit.Framework.Assert.AreEqual("token2 renew date", tokenRenewDate2, mgr.GetAllTokens
()[tokenId2].GetRenewDate());
mgr.StartThreads();
mgr.VerifyToken(tokenId1, token1.GetPassword());
mgr.VerifyToken(tokenId2, token2.GetPassword());
MRDelegationTokenIdentifier tokenId3 = new MRDelegationTokenIdentifier(new Text("tokenOwner"
), new Text("tokenRenewer"), new Text("tokenUser"));
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> token3 = new
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenId3, mgr
);
NUnit.Framework.Assert.AreEqual("sequence number restore", tokenId2.GetSequenceNumber
() + 1, tokenId3.GetSequenceNumber());
mgr.CancelToken(token1, "tokenOwner");
// Testing with full principal name
MRDelegationTokenIdentifier tokenIdFull = new MRDelegationTokenIdentifier(new Text
("tokenOwner/localhost@LOCALHOST"), new Text("tokenRenewer"), new Text("tokenUser"
));
KerberosName.SetRules("RULE:[1:$1]\nRULE:[2:$1]");
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> tokenFull = new
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenIdFull,
mgr);
// Negative test
try
{
mgr.CancelToken(tokenFull, "tokenOwner");
}
catch (AccessControlException ace)
{
NUnit.Framework.Assert.IsTrue(ace.Message.Contains("is not authorized to cancel the token"
));
}
// Succeed to cancel with full principal
mgr.CancelToken(tokenFull, tokenIdFull.GetOwner().ToString());
long tokenRenewDate3 = mgr.GetAllTokens()[tokenId3].GetRenewDate();
mgr.StopThreads();
mgr = new TestJHSDelegationTokenSecretManager.JHSDelegationTokenSecretManagerForTest
(store);
mgr.Recover(store.LoadState());
NUnit.Framework.Assert.IsFalse("token1 should be missing", mgr.GetAllTokens().Contains
(tokenId1));
NUnit.Framework.Assert.IsTrue("token2 missing", mgr.GetAllTokens().Contains(tokenId2
));
NUnit.Framework.Assert.AreEqual("token2 renew date", tokenRenewDate2, mgr.GetAllTokens
()[tokenId2].GetRenewDate());
NUnit.Framework.Assert.IsTrue("token3 missing", mgr.GetAllTokens().Contains(tokenId3
));
NUnit.Framework.Assert.AreEqual("token3 renew date", tokenRenewDate3, mgr.GetAllTokens
()[tokenId3].GetRenewDate());
mgr.StartThreads();
mgr.VerifyToken(tokenId2, token2.GetPassword());
mgr.VerifyToken(tokenId3, token3.GetPassword());
mgr.StopThreads();
}
