/// <summary> /// Expect connect timeout on a URL that requires auth, because the connection /// backlog is consumed. /// </summary> /// <exception cref="System.Exception"/> public virtual void TestAuthUrlConnectTimeout() { ConsumeConnectionBacklog(); try { fs.GetDelegationToken("renewer"); NUnit.Framework.Assert.Fail("expected timeout"); } catch (SocketTimeoutException e) { NUnit.Framework.Assert.AreEqual("connect timed out", e.Message); } }
/// <exception cref="System.IO.IOException"/> public virtual void TestSecureProxyAuthParamsInUrl() { Configuration conf = new Configuration(); // fake turning on security so api thinks it should use tokens SecurityUtil.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos , conf); UserGroupInformation.SetConfiguration(conf); UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test-user"); ugi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos); ugi = UserGroupInformation.CreateProxyUser("test-proxy-user", ugi); UserGroupInformation.SetLoginUser(ugi); WebHdfsFileSystem webhdfs = GetWebHdfsFileSystem(ugi, conf); Path fsPath = new Path("/"); string tokenString = webhdfs.GetDelegationToken().EncodeToUrlString(); // send real+effective Uri getTokenUrl = webhdfs.ToUrl(GetOpParam.OP.Getdelegationtoken, fsPath); CheckQueryParams(new string[] { GetOpParam.OP.Getdelegationtoken.ToQueryString(), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi .GetShortUserName()).ToString() }, getTokenUrl); // send real+effective Uri renewTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Renewdelegationtoken, fsPath, new TokenArgumentParam(tokenString)); CheckQueryParams(new string[] { PutOpParam.OP.Renewdelegationtoken.ToQueryString( ), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam (ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString () }, renewTokenUrl); // send token Uri cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new TokenArgumentParam(tokenString)); CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString (), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam (ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString () }, cancelTokenUrl); // send token Uri fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath); CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new DelegationParam(tokenString).ToString() }, fileStatusUrl); // wipe out internal token to simulate auth always required webhdfs.SetDelegationToken(null); // send real+effective cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new TokenArgumentParam (tokenString)); CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString (), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam (ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString () }, cancelTokenUrl); // send real+effective fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath); CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi.GetShortUserName ()).ToString() }, fileStatusUrl); }
public virtual void TestSetTokenServiceAndKind() { MiniDFSCluster cluster = null; try { Configuration clusterConf = new HdfsConfiguration(conf); SecurityUtil.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Simple , clusterConf); clusterConf.SetBoolean(DFSConfigKeys.DfsNamenodeDelegationTokenAlwaysUseKey, true ); // trick the NN into thinking s[ecurity is enabled w/o it trying // to login from a keytab UserGroupInformation.SetConfiguration(clusterConf); cluster = new MiniDFSCluster.Builder(clusterConf).NumDataNodes(0).Build(); cluster.WaitActive(); SecurityUtil.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos , clusterConf); WebHdfsFileSystem fs = WebHdfsTestUtil.GetWebHdfsFileSystem(clusterConf, "webhdfs" ); Whitebox.SetInternalState(fs, "canRefreshDelegationToken", true); URLConnectionFactory factory = new _URLConnectionFactory_268(new _ConnectionConfigurator_262 ()); Whitebox.SetInternalState(fs, "connectionFactory", factory); Org.Apache.Hadoop.Security.Token.Token <object> token1 = fs.GetDelegationToken(); NUnit.Framework.Assert.AreEqual(new Text("bar"), token1.GetKind()); HttpOpParam.OP op = GetOpParam.OP.Getdelegationtoken; Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token2 = new _FsPathResponseRunner_281 (op, null, new RenewerParam(null)).Run(); NUnit.Framework.Assert.AreEqual(new Text("bar"), token2.GetKind()); NUnit.Framework.Assert.AreEqual(new Text("foo"), token2.GetService()); } finally { if (cluster != null) { cluster.Shutdown(); } } }
/// <exception cref="System.Exception"/> private void ValidateLazyTokenFetch(Configuration clusterConf) { string testUser = "******"; UserGroupInformation ugi = UserGroupInformation.CreateUserForTesting(testUser, new string[] { "supergroup" }); WebHdfsFileSystem fs = ugi.DoAs(new _PrivilegedExceptionAction_304(this, clusterConf )); // verify token ops don't get a token NUnit.Framework.Assert.IsNull(fs.GetRenewToken()); Org.Apache.Hadoop.Security.Token.Token <object> token = ((Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier>)fs.GetDelegationToken(null)); fs.RenewDelegationToken(token); fs.CancelDelegationToken(token); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).ReplaceExpiredDelegationToken (); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).SetDelegationToken(Matchers.Any <Org.Apache.Hadoop.Security.Token.Token>()); NUnit.Framework.Assert.IsNull(fs.GetRenewToken()); Org.Mockito.Mockito.Reset(fs); // verify first non-token op gets a token Path p = new Path("/f"); fs.Create(p, (short)1).Close(); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).GetDelegationToken(); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).ReplaceExpiredDelegationToken (); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).GetDelegationToken(Matchers.AnyString ()); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).SetDelegationToken(Matchers.Any <Org.Apache.Hadoop.Security.Token.Token>()); token = fs.GetRenewToken(); NUnit.Framework.Assert.IsNotNull(token); NUnit.Framework.Assert.AreEqual(testUser, GetTokenOwner(token)); NUnit.Framework.Assert.AreEqual(fs.GetTokenKind(), token.GetKind()); Org.Mockito.Mockito.Reset(fs); // verify prior token is reused fs.GetFileStatus(p); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).GetDelegationToken(); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).ReplaceExpiredDelegationToken (); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(Matchers.AnyString ()); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).SetDelegationToken(Matchers.Any <Org.Apache.Hadoop.Security.Token.Token>()); Org.Apache.Hadoop.Security.Token.Token <object> token2 = fs.GetRenewToken(); NUnit.Framework.Assert.IsNotNull(token2); NUnit.Framework.Assert.AreEqual(fs.GetTokenKind(), token.GetKind()); NUnit.Framework.Assert.AreSame(token, token2); Org.Mockito.Mockito.Reset(fs); // verify renew of expired token fails w/o getting a new token token = fs.GetRenewToken(); fs.CancelDelegationToken(token); try { fs.RenewDelegationToken(token); NUnit.Framework.Assert.Fail("should have failed"); } catch (SecretManager.InvalidToken) { } catch (Exception ex) { NUnit.Framework.Assert.Fail("wrong exception:" + ex); } Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).ReplaceExpiredDelegationToken (); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(Matchers.AnyString ()); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).SetDelegationToken(Matchers.Any <Org.Apache.Hadoop.Security.Token.Token>()); token2 = fs.GetRenewToken(); NUnit.Framework.Assert.IsNotNull(token2); NUnit.Framework.Assert.AreEqual(fs.GetTokenKind(), token.GetKind()); NUnit.Framework.Assert.AreSame(token, token2); Org.Mockito.Mockito.Reset(fs); // verify cancel of expired token fails w/o getting a new token try { fs.CancelDelegationToken(token); NUnit.Framework.Assert.Fail("should have failed"); } catch (SecretManager.InvalidToken) { } catch (Exception ex) { NUnit.Framework.Assert.Fail("wrong exception:" + ex); } Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).ReplaceExpiredDelegationToken (); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(Matchers.AnyString ()); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).SetDelegationToken(Matchers.Any <Org.Apache.Hadoop.Security.Token.Token>()); token2 = fs.GetRenewToken(); NUnit.Framework.Assert.IsNotNull(token2); NUnit.Framework.Assert.AreEqual(fs.GetTokenKind(), token.GetKind()); NUnit.Framework.Assert.AreSame(token, token2); Org.Mockito.Mockito.Reset(fs); // verify an expired token is replaced with a new token fs.Open(p).Close(); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(2)).GetDelegationToken(); // first bad, then good Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).ReplaceExpiredDelegationToken (); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).GetDelegationToken(null ); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).SetDelegationToken(Matchers.Any <Org.Apache.Hadoop.Security.Token.Token>()); token2 = fs.GetRenewToken(); NUnit.Framework.Assert.IsNotNull(token2); NUnit.Framework.Assert.AreEqual(fs.GetTokenKind(), token.GetKind()); NUnit.Framework.Assert.AreNotSame(token, token2); NUnit.Framework.Assert.AreEqual(testUser, GetTokenOwner(token2)); Org.Mockito.Mockito.Reset(fs); // verify with open because it's a little different in how it // opens connections fs.CancelDelegationToken(fs.GetRenewToken()); InputStream @is = fs.Open(p); @is.Read(); @is.Close(); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(2)).GetDelegationToken(); // first bad, then good Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).ReplaceExpiredDelegationToken (); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).GetDelegationToken(null ); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).SetDelegationToken(Matchers.Any <Org.Apache.Hadoop.Security.Token.Token>()); token2 = fs.GetRenewToken(); NUnit.Framework.Assert.IsNotNull(token2); NUnit.Framework.Assert.AreEqual(fs.GetTokenKind(), token.GetKind()); NUnit.Framework.Assert.AreNotSame(token, token2); NUnit.Framework.Assert.AreEqual(testUser, GetTokenOwner(token2)); Org.Mockito.Mockito.Reset(fs); // verify fs close cancels the token fs.Close(); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).ReplaceExpiredDelegationToken (); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(Matchers.AnyString ()); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).SetDelegationToken(Matchers.Any <Org.Apache.Hadoop.Security.Token.Token>()); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).CancelDelegationToken (Matchers.Eq(token2)); // add a token to ugi for a new fs, verify it uses that token token = ((Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier>)fs.GetDelegationToken (null)); ugi.AddToken(token); fs = ugi.DoAs(new _PrivilegedExceptionAction_426(this, clusterConf)); NUnit.Framework.Assert.IsNull(fs.GetRenewToken()); fs.GetFileStatus(new Path("/")); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).GetDelegationToken(); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).ReplaceExpiredDelegationToken (); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(Matchers.AnyString ()); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).SetDelegationToken(Matchers.Eq (token)); token2 = fs.GetRenewToken(); NUnit.Framework.Assert.IsNotNull(token2); NUnit.Framework.Assert.AreEqual(fs.GetTokenKind(), token.GetKind()); NUnit.Framework.Assert.AreSame(token, token2); Org.Mockito.Mockito.Reset(fs); // verify it reuses the prior ugi token fs.GetFileStatus(new Path("/")); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).GetDelegationToken(); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).ReplaceExpiredDelegationToken (); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(Matchers.AnyString ()); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).SetDelegationToken(Matchers.Any <Org.Apache.Hadoop.Security.Token.Token>()); token2 = fs.GetRenewToken(); NUnit.Framework.Assert.IsNotNull(token2); NUnit.Framework.Assert.AreEqual(fs.GetTokenKind(), token.GetKind()); NUnit.Framework.Assert.AreSame(token, token2); Org.Mockito.Mockito.Reset(fs); // verify an expired ugi token is NOT replaced with a new token fs.CancelDelegationToken(token); for (int i = 0; i < 2; i++) { try { fs.GetFileStatus(new Path("/")); NUnit.Framework.Assert.Fail("didn't fail"); } catch (SecretManager.InvalidToken) { } catch (Exception ex) { NUnit.Framework.Assert.Fail("wrong exception:" + ex); } Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).GetDelegationToken(); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).ReplaceExpiredDelegationToken (); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(Matchers.AnyString ()); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).SetDelegationToken(Matchers.Any <Org.Apache.Hadoop.Security.Token.Token>()); token2 = fs.GetRenewToken(); NUnit.Framework.Assert.IsNotNull(token2); NUnit.Framework.Assert.AreEqual(fs.GetTokenKind(), token.GetKind()); NUnit.Framework.Assert.AreSame(token, token2); Org.Mockito.Mockito.Reset(fs); } // verify fs close does NOT cancel the ugi token fs.Close(); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).ReplaceExpiredDelegationToken (); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(Matchers.AnyString ()); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).SetDelegationToken(Matchers.Any <Org.Apache.Hadoop.Security.Token.Token>()); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).CancelDelegationToken (Matchers.Any <Org.Apache.Hadoop.Security.Token.Token>()); }
public virtual void TestSecureHAToken() { Configuration conf = DFSTestUtil.NewHAConfiguration(LogicalName); conf.SetBoolean(DFSConfigKeys.DfsNamenodeDelegationTokenAlwaysUseKey, true); MiniDFSCluster cluster = null; WebHdfsFileSystem fs = null; try { cluster = new MiniDFSCluster.Builder(conf).NnTopology(topo).NumDataNodes(0).Build (); HATestUtil.SetFailoverConfigurations(cluster, conf, LogicalName); cluster.WaitActive(); fs = Org.Mockito.Mockito.Spy((WebHdfsFileSystem)FileSystem.Get(WebhdfsUri, conf)); FileSystemTestHelper.AddFileSystemForTesting(WebhdfsUri, conf, fs); cluster.TransitionToActive(0); Org.Apache.Hadoop.Security.Token.Token <object> token = ((Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier>)fs.GetDelegationToken(null)); cluster.ShutdownNameNode(0); cluster.TransitionToActive(1); token.Renew(conf); token.Cancel(conf); Org.Mockito.Mockito.Verify(fs).RenewDelegationToken(token); Org.Mockito.Mockito.Verify(fs).CancelDelegationToken(token); } finally { IOUtils.Cleanup(null, fs); if (cluster != null) { cluster.Shutdown(); } } }