public virtual void TestCancelTokenSingleManager() { for (int i = 0; i < TestRetries; i++) { DelegationTokenManager tm1 = null; string connectString = zkServer.GetConnectString(); Configuration conf = GetSecretConf(connectString); tm1 = new DelegationTokenManager(conf, new Text("foo")); tm1.Init(); Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = (Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier>)tm1.CreateToken(UserGroupInformation.GetCurrentUser( ), "foo"); NUnit.Framework.Assert.IsNotNull(token); tm1.CancelToken(token, "foo"); try { VerifyTokenFail(tm1, token); NUnit.Framework.Assert.Fail("Expected InvalidToken"); } catch (SecretManager.InvalidToken it) { Runtime.PrintStackTrace(it); } VerifyDestroy(tm1, conf); } }
public virtual void TestStopThreads() { DelegationTokenManager tm1 = null; string connectString = zkServer.GetConnectString(); // let's make the update interval short and the shutdown interval // comparatively longer, so if the update thread runs after shutdown, // it will cause an error. long updateIntervalSeconds = 1; long shutdownTimeoutMillis = updateIntervalSeconds * 1000 * 5; Configuration conf = GetSecretConf(connectString); conf.SetLong(DelegationTokenManager.UpdateInterval, updateIntervalSeconds); conf.SetLong(DelegationTokenManager.RemovalScanInterval, updateIntervalSeconds); conf.SetLong(DelegationTokenManager.RenewInterval, updateIntervalSeconds); conf.SetLong(ZKDelegationTokenSecretManager.ZkDtsmZkShutdownTimeout, shutdownTimeoutMillis ); tm1 = new DelegationTokenManager(conf, new Text("foo")); tm1.Init(); Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = (Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier>)tm1.CreateToken(UserGroupInformation.GetCurrentUser( ), "foo"); NUnit.Framework.Assert.IsNotNull(token); AbstractDelegationTokenSecretManager sm = tm1.GetDelegationTokenSecretManager(); ZKDelegationTokenSecretManager zksm = (ZKDelegationTokenSecretManager)sm; ExecutorService es = zksm.GetListenerThreadPool(); es.Submit(new _Callable_300(shutdownTimeoutMillis)); // force this to be shutdownNow tm1.Destroy(); }
/// <summary>Convert a token object to a Json string.</summary> /// <exception cref="System.IO.IOException"/> public static string ToJsonString <_T0>(Org.Apache.Hadoop.Security.Token.Token <_T0 > token) where _T0 : TokenIdentifier { return(ToJsonString(typeof(Org.Apache.Hadoop.Security.Token.Token), ToJsonMap(token ))); }
public virtual void TestInitWithUGIToken() { Configuration conf = new Configuration(); TestTokenAspect.DummyFs fs = Org.Mockito.Mockito.Spy(new TestTokenAspect.DummyFs( )); Org.Mockito.Mockito.DoReturn(null).When(fs).GetDelegationToken(Matchers.AnyString ()); Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier>(new byte[0], new byte[0], TestTokenAspect.DummyFs.TokenKind, new Text("127.0.0.1:1234")); fs.ugi.AddToken(token); fs.ugi.AddToken(new Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier>(new byte [0], new byte[0], new Text("Other token"), new Text("127.0.0.1:8021"))); NUnit.Framework.Assert.AreEqual("wrong tokens in user", 2, fs.ugi.GetTokens().Count ); fs.emulateSecurityEnabled = true; fs.Initialize(new URI("dummyfs://127.0.0.1:1234"), conf); fs.tokenAspect.EnsureTokenInitialized(); // Select a token from ugi (not from the remote host), store it but don't // renew it Org.Mockito.Mockito.Verify(fs).SetDelegationToken(token); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Never()).GetDelegationToken(Matchers.AnyString ()); NUnit.Framework.Assert.IsNull(Whitebox.GetInternalState(fs.tokenAspect, "dtRenewer" )); NUnit.Framework.Assert.IsNull(Whitebox.GetInternalState(fs.tokenAspect, "action") ); }
/// <exception cref="System.Exception"/> private void TestGetToken(string renewer, Text expectedTokenKind) { DelegationTokenAuthenticator.DelegationTokenOperation op = DelegationTokenAuthenticator.DelegationTokenOperation .Getdelegationtoken; HttpServletRequest request = Org.Mockito.Mockito.Mock <HttpServletRequest>(); HttpServletResponse response = Org.Mockito.Mockito.Mock <HttpServletResponse>(); Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator .OpParam + "=" + op.ToString()); Org.Mockito.Mockito.When(request.GetMethod()).ThenReturn(op.GetHttpMethod()); AuthenticationToken token = Org.Mockito.Mockito.Mock <AuthenticationToken>(); Org.Mockito.Mockito.When(token.GetUserName()).ThenReturn("user"); Org.Mockito.Mockito.When(response.GetWriter()).ThenReturn(new PrintWriter(new StringWriter ())); NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(token, request, response )); Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator .OpParam + "=" + op.ToString() + "&" + DelegationTokenAuthenticator.RenewerParam + "=" + renewer); Org.Mockito.Mockito.Reset(response); Org.Mockito.Mockito.Reset(token); Org.Mockito.Mockito.When(token.GetUserName()).ThenReturn("user"); StringWriter writer = new StringWriter(); PrintWriter pwriter = new PrintWriter(writer); Org.Mockito.Mockito.When(response.GetWriter()).ThenReturn(pwriter); NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(token, request, response )); if (renewer == null) { Org.Mockito.Mockito.Verify(token).GetUserName(); } else { Org.Mockito.Mockito.Verify(token).GetUserName(); } Org.Mockito.Mockito.Verify(response).SetStatus(HttpServletResponse.ScOk); Org.Mockito.Mockito.Verify(response).SetContentType(MediaType.ApplicationJson); pwriter.Close(); string responseOutput = writer.ToString(); string tokenLabel = DelegationTokenAuthenticator.DelegationTokenJson; Assert.True(responseOutput.Contains(tokenLabel)); Assert.True(responseOutput.Contains(DelegationTokenAuthenticator .DelegationTokenUrlStringJson)); ObjectMapper jsonMapper = new ObjectMapper(); IDictionary json = jsonMapper.ReadValue <IDictionary>(responseOutput); json = (IDictionary)json[tokenLabel]; string tokenStr; tokenStr = (string)json[DelegationTokenAuthenticator.DelegationTokenUrlStringJson ]; Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> dt = new Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier>(); dt.DecodeFromUrlString(tokenStr); handler.GetTokenManager().VerifyToken(dt); Assert.Equal(expectedTokenKind, dt.GetKind()); }
public _PrivilegedExceptionAction_230(TestDelegationToken _enclosing, Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token, UserGroupInformation longUgi) { this._enclosing = _enclosing; this.token = token; this.longUgi = longUgi; }
public virtual void TestCachedInitialization() { Configuration conf = new Configuration(); TestTokenAspect.DummyFs fs = Org.Mockito.Mockito.Spy(new TestTokenAspect.DummyFs( )); Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier>(new byte[0], new byte[0], TestTokenAspect.DummyFs.TokenKind, new Text("127.0.0.1:1234")); Org.Mockito.Mockito.DoReturn(token).When(fs).GetDelegationToken(Matchers.AnyString ()); Org.Mockito.Mockito.DoReturn(token).When(fs).GetRenewToken(); fs.emulateSecurityEnabled = true; fs.Initialize(new URI("dummyfs://127.0.0.1:1234"), conf); fs.tokenAspect.EnsureTokenInitialized(); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).GetDelegationToken(null ); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).SetDelegationToken(token ); // For the second iteration, the token should be cached. fs.tokenAspect.EnsureTokenInitialized(); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).GetDelegationToken(null ); Org.Mockito.Mockito.Verify(fs, Org.Mockito.Mockito.Times(1)).SetDelegationToken(token ); }
public virtual void TestBlockTokenRpcLeak() { Configuration conf = new Configuration(); conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos"); UserGroupInformation.SetConfiguration(conf); Assume.AssumeTrue(FdDir.Exists()); BlockTokenSecretManager sm = new BlockTokenSecretManager(blockKeyUpdateInterval, blockTokenLifetime, 0, "fake-pool", null); Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier> token = sm.GenerateToken (block3, EnumSet.AllOf <BlockTokenSecretManager.AccessMode>()); Server server = CreateMockDatanode(sm, token, conf); server.Start(); IPEndPoint addr = NetUtils.GetConnectAddress(server); DatanodeID fakeDnId = DFSTestUtil.GetLocalDatanodeID(addr.Port); ExtendedBlock b = new ExtendedBlock("fake-pool", new Org.Apache.Hadoop.Hdfs.Protocol.Block (12345L)); LocatedBlock fakeBlock = new LocatedBlock(b, new DatanodeInfo[0]); fakeBlock.SetBlockToken(token); // Create another RPC proxy with the same configuration - this will never // attempt to connect anywhere -- but it causes the refcount on the // RPC "Client" object to stay above 0 such that RPC.stopProxy doesn't // actually close the TCP connections to the real target DN. ClientDatanodeProtocol proxyToNoWhere = RPC.GetProxy <ClientDatanodeProtocol>(ClientDatanodeProtocol .versionID, new IPEndPoint("1.1.1.1", 1), UserGroupInformation.CreateRemoteUser( "junk"), conf, NetUtils.GetDefaultSocketFactory(conf)); ClientDatanodeProtocol proxy = null; int fdsAtStart = CountOpenFileDescriptors(); try { long endTime = Time.Now() + 3000; while (Time.Now() < endTime) { proxy = DFSUtil.CreateClientDatanodeProtocolProxy(fakeDnId, conf, 1000, false, fakeBlock ); NUnit.Framework.Assert.AreEqual(block3.GetBlockId(), proxy.GetReplicaVisibleLength (block3)); if (proxy != null) { RPC.StopProxy(proxy); } Log.Info("Num open fds:" + CountOpenFileDescriptors()); } int fdsAtEnd = CountOpenFileDescriptors(); if (fdsAtEnd - fdsAtStart > 50) { NUnit.Framework.Assert.Fail("Leaked " + (fdsAtEnd - fdsAtStart) + " fds!"); } } finally { server.Stop(); } RPC.StopProxy(proxyToNoWhere); }
> CreateAndSetAMRMToken() { Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> amrmToken = this.rmContext .GetAMRMTokenSecretManager().CreateAndGetAMRMToken(application.GetAppAttemptId() ); ((RMAppAttemptImpl)application).SetAMRMToken(amrmToken); return(amrmToken); }
private static Org.Apache.Hadoop.Yarn.Api.Records.Token ConvertToProtoToken <_T0>( Org.Apache.Hadoop.Security.Token.Token <_T0> token) where _T0 : TokenIdentifier { return(Org.Apache.Hadoop.Yarn.Api.Records.Token.NewInstance(token.GetIdentifier() , token.GetKind().ToString(), token.GetPassword(), token.GetService().ToString() )); }
/// <exception cref="System.IO.IOException"/> public override Org.Apache.Hadoop.Security.Token.Token <object> GetDelegationToken (string renewer) { Org.Apache.Hadoop.Security.Token.Token <object> token = new Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier>(); token.SetService(new Text(GetCanonicalServiceName())); return(token); }
public _PrivilegedExceptionAction_477(TestDelegationTokensWithHA.TokenTestAction action, Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token, Configuration conf) { this.action = action; this.token = token; this.conf = conf; }
/// <exception cref="System.Exception"/> public Org.Apache.Hadoop.Security.Token.Token <object> Answer(InvocationOnMock invocation ) { Org.Apache.Hadoop.Security.Token.Token <object> token = new Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier>(); token.SetService(service); return(token); }
/// <exception cref="System.IO.IOException"/> /// <exception cref="System.Exception"/> private void VerifyValidToken(Configuration conf, TestClientToAMTokens.CustomAM am , Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token) { UserGroupInformation ugi; ugi = UserGroupInformation.CreateRemoteUser("me"); ugi.AddToken(token); ugi.DoAs(new _PrivilegedExceptionAction_406(am, conf)); }
/// <exception cref="System.IO.IOException"/> private void VerifyServiceInToken(ServletContext context, HttpServletRequest request , string expected) { UserGroupInformation ugi = JspHelper.GetUGI(context, request, conf); Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> tokenInUgi = ugi.GetTokens ().GetEnumerator().Next(); NUnit.Framework.Assert.AreEqual(expected, tokenInUgi.GetService().ToString()); }
/// <summary>check if a token is expired.</summary> /// <remarks> /// check if a token is expired. for unit test only. return true when token is /// expired, false otherwise /// </remarks> /// <exception cref="System.IO.IOException"/> internal static bool IsTokenExpired(Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier > token) { ByteArrayInputStream buf = new ByteArrayInputStream(token.GetIdentifier()); DataInputStream @in = new DataInputStream(buf); long expiryDate = WritableUtils.ReadVLong(@in); return(IsExpired(expiryDate)); }
/// <exception cref="System.Exception"/> public Org.Apache.Hadoop.Security.Token.Token <object> Answer(InvocationOnMock invocation ) { Org.Apache.Hadoop.Security.Token.Token <object> token = new Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier>(); token.SetService(new Text(service)); token.SetKind(new Text("token" + this.unique++)); return(token); }
/// <summary> /// Returns an authenticated /// <see cref="HttpURLConnection"/> /// . If the Delegation /// Token is present, it will be used taking precedence over the configured /// <code>Authenticator</code>. If the <code>doAs</code> parameter is not NULL, /// the request will be done on behalf of the specified <code>doAs</code> user. /// </summary> /// <param name="url">the URL to connect to. Only HTTP/S URLs are supported.</param> /// <param name="token">the authentication token being used for the user.</param> /// <param name="doAs"> /// user to do the the request on behalf of, if NULL the request is /// as self. /// </param> /// <returns> /// an authenticated /// <see cref="HttpURLConnection"/> /// . /// </returns> /// <exception cref="System.IO.IOException">if an IO error occurred.</exception> /// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException /// ">if an authentication exception occurred.</exception> public virtual HttpURLConnection OpenConnection(Uri url, DelegationTokenAuthenticatedURL.Token token, string doAs) { Preconditions.CheckNotNull(url, "url"); Preconditions.CheckNotNull(token, "token"); IDictionary <string, string> extraParams = new Dictionary <string, string>(); Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> dToken = null; // if we have valid auth token, it takes precedence over a delegation token // and we don't even look for one. if (!token.IsSet()) { // delegation token Credentials creds = UserGroupInformation.GetCurrentUser().GetCredentials(); if (!creds.GetAllTokens().IsEmpty()) { IPEndPoint serviceAddr = new IPEndPoint(url.GetHost(), url.Port); Text service = SecurityUtil.BuildTokenService(serviceAddr); dToken = creds.GetToken(service); if (dToken != null) { if (UseQueryStringForDelegationToken()) { // delegation token will go in the query string, injecting it extraParams[KerberosDelegationTokenAuthenticator.DelegationParam] = dToken.EncodeToUrlString (); } else { // delegation token will go as request header, setting it in the // auth-token to ensure no authentication handshake is triggered // (if we have a delegation token, we are authenticated) // the delegation token header is injected in the connection request // at the end of this method. token.delegationToken = (Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier >)dToken; } } } } // proxyuser if (doAs != null) { extraParams[DoAs] = URLEncoder.Encode(doAs, "UTF-8"); } url = AugmentURL(url, extraParams); HttpURLConnection conn = base.OpenConnection(url, token); if (!token.IsSet() && !UseQueryStringForDelegationToken() && dToken != null) { // injecting the delegation token header in the connection request conn.SetRequestProperty(DelegationTokenAuthenticator.DelegationTokenHeader, dToken .EncodeToUrlString()); } return(conn); }
// To avoid using cached client /// <exception cref="System.Exception"/> public virtual void TestAMRMMasterKeysUpdate() { AtomicReference <AMRMTokenSecretManager> spySecretMgrRef = new AtomicReference <AMRMTokenSecretManager >(); MockRM rm = new _MockRM_349(this, spySecretMgrRef, conf); // Skip the login. rm.Start(); MockNM nm = rm.RegisterNode("127.0.0.1:1234", 8000); RMApp app = rm.SubmitApp(200); MockAM am = MockRM.LaunchAndRegisterAM(app, rm, nm); AMRMTokenSecretManager spySecretMgr = spySecretMgrRef.Get(); // Do allocate. Should not update AMRMToken AllocateResponse response = am.Allocate(Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <AllocateRequest>()); NUnit.Framework.Assert.IsNull(response.GetAMRMToken()); Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> oldToken = rm.GetRMContext ().GetRMApps()[app.GetApplicationId()].GetRMAppAttempt(am.GetApplicationAttemptId ()).GetAMRMToken(); // roll over the master key // Do allocate again. the AM should get the latest AMRMToken rm.GetRMContext().GetAMRMTokenSecretManager().RollMasterKey(); response = am.Allocate(Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <AllocateRequest >()); NUnit.Framework.Assert.IsNotNull(response.GetAMRMToken()); Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> amrmToken = ConverterUtils .ConvertFromYarn(response.GetAMRMToken(), new Text(response.GetAMRMToken().GetService ())); NUnit.Framework.Assert.AreEqual(amrmToken.DecodeIdentifier().GetKeyId(), rm.GetRMContext ().GetAMRMTokenSecretManager().GetMasterKey().GetMasterKey().GetKeyId()); // Do allocate again with the same old token and verify the RM sends // back the last generated token instead of generating it again. Org.Mockito.Mockito.Reset(spySecretMgr); UserGroupInformation ugi = UserGroupInformation.CreateUserForTesting(am.GetApplicationAttemptId ().ToString(), new string[0]); ugi.AddTokenIdentifier(oldToken.DecodeIdentifier()); response = am.DoAllocateAs(ugi, Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <AllocateRequest >()); NUnit.Framework.Assert.IsNotNull(response.GetAMRMToken()); Org.Mockito.Mockito.Verify(spySecretMgr, Org.Mockito.Mockito.Never()).CreateAndGetAMRMToken (Matchers.IsA <ApplicationAttemptId>()); // Do allocate again with the updated token and verify we do not // receive a new token to use. response = am.Allocate(Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <AllocateRequest >()); NUnit.Framework.Assert.IsNull(response.GetAMRMToken()); // Activate the next master key. Since there is new master key generated // in AMRMTokenSecretManager. The AMRMToken will not get updated for AM rm.GetRMContext().GetAMRMTokenSecretManager().ActivateNextMasterKey(); response = am.Allocate(Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <AllocateRequest >()); NUnit.Framework.Assert.IsNull(response.GetAMRMToken()); rm.Stop(); }
private bool CheckService <_T0>(Text service, Org.Apache.Hadoop.Security.Token.Token <_T0> token) where _T0 : TokenIdentifier { if (service == null || token.GetService() == null) { return(false); } return(token.GetService().ToString().Contains(service.ToString())); }
/// <exception cref="System.IO.IOException"/> private string GetTokenOwner <_T0>(Org.Apache.Hadoop.Security.Token.Token <_T0> token ) where _T0 : TokenIdentifier { // webhdfs doesn't register properly with the class loader Org.Apache.Hadoop.Security.Token.Token <object> clone = new Org.Apache.Hadoop.Security.Token.Token (token); clone.SetKind(DelegationTokenIdentifier.HdfsDelegationKind); return(clone.DecodeIdentifier().GetUser().GetUserName()); }
/// <exception cref="System.IO.IOException"/> private void VerifyTokenWithTamperedUserName(Configuration conf, TestClientToAMTokens.CustomAM am, Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token) { // Malicious user, messes with appId UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("me"); ClientToAMTokenIdentifier maliciousID = new ClientToAMTokenIdentifier(am.appAttemptId , "evilOrc"); VerifyTamperedToken(conf, am, token, ugi, maliciousID); }
/// <summary>Add the job token of a job to cache</summary> /// <param name="jobId">the job that owns the token</param> /// <param name="token">the job token</param> public virtual void AddTokenForJob(string jobId, Org.Apache.Hadoop.Security.Token.Token <JobTokenIdentifier> token) { SecretKey tokenSecret = CreateSecretKey(token.GetPassword()); lock (currentJobTokens) { currentJobTokens[jobId] = tokenSecret; } }
public virtual void SetDelegationToken <T>(Org.Apache.Hadoop.Security.Token.Token < T> token) where T : TokenIdentifier { lock (this) { renewToken = token; delegationToken = new Org.Apache.Hadoop.Security.Token.Token <T>(token); delegationToken.SetKind(DelegationTokenIdentifier.HdfsDelegationKind); } }
/// <exception cref="System.IO.IOException"/> private BlockTokenIdentifier GenerateTokenId(BlockTokenSecretManager sm, ExtendedBlock block, EnumSet <BlockTokenSecretManager.AccessMode> accessModes) { Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier> token = sm.GenerateToken (block, accessModes); BlockTokenIdentifier id = sm.CreateIdentifier(); id.ReadFields(new DataInputStream(new ByteArrayInputStream(token.GetIdentifier()) )); return(id); }
public virtual void TestValidateResourceBlacklistRequest() { TestAMAuthorization.MyContainerManager containerManager = new TestAMAuthorization.MyContainerManager (); TestAMAuthorization.MockRMWithAMS rm = new TestAMAuthorization.MockRMWithAMS(new YarnConfiguration(), containerManager); rm.Start(); MockNM nm1 = rm.RegisterNode("localhost:1234", 5120); IDictionary <ApplicationAccessType, string> acls = new Dictionary <ApplicationAccessType , string>(2); acls[ApplicationAccessType.ViewApp] = "*"; RMApp app = rm.SubmitApp(1024, "appname", "appuser", acls); nm1.NodeHeartbeat(true); RMAppAttempt attempt = app.GetCurrentAppAttempt(); ApplicationAttemptId applicationAttemptId = attempt.GetAppAttemptId(); WaitForLaunchedState(attempt); // Create a client to the RM. Configuration conf = rm.GetConfig(); YarnRPC rpc = YarnRPC.Create(conf); UserGroupInformation currentUser = UserGroupInformation.CreateRemoteUser(applicationAttemptId .ToString()); Credentials credentials = containerManager.GetContainerCredentials(); IPEndPoint rmBindAddress = rm.GetApplicationMasterService().GetBindAddress(); Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> amRMToken = TestAMAuthorization.MockRMWithAMS .SetupAndReturnAMRMToken(rmBindAddress, credentials.GetAllTokens()); currentUser.AddToken(amRMToken); ApplicationMasterProtocol client = currentUser.DoAs(new _PrivilegedAction_626(rpc , rmBindAddress, conf)); RegisterApplicationMasterRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <RegisterApplicationMasterRequest>(); client.RegisterApplicationMaster(request); ResourceBlacklistRequest blacklistRequest = ResourceBlacklistRequest.NewInstance( Sharpen.Collections.SingletonList(ResourceRequest.Any), null); AllocateRequest allocateRequest = AllocateRequest.NewInstance(0, 0.0f, null, null , blacklistRequest); bool error = false; try { client.Allocate(allocateRequest); } catch (InvalidResourceBlacklistRequestException) { error = true; } rm.Stop(); NUnit.Framework.Assert.IsTrue("Didn't not catch InvalidResourceBlacklistRequestException" , error); }
/// <exception cref="System.Exception"/> public virtual void TestHAUtilClonesDelegationTokens() { Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = GetDelegationToken (fs, "JobTracker"); UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test"); URI haUri = new URI("hdfs://my-ha-uri/"); token.SetService(HAUtil.BuildTokenServiceForLogicalUri(haUri, HdfsConstants.HdfsUriScheme )); ugi.AddToken(token); ICollection <IPEndPoint> nnAddrs = new HashSet <IPEndPoint>(); nnAddrs.AddItem(new IPEndPoint("localhost", nn0.GetNameNodeAddress().Port)); nnAddrs.AddItem(new IPEndPoint("localhost", nn1.GetNameNodeAddress().Port)); HAUtil.CloneDelegationTokenForLogicalUri(ugi, haUri, nnAddrs); ICollection <Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> > tokens = ugi .GetTokens(); NUnit.Framework.Assert.AreEqual(3, tokens.Count); Log.Info("Tokens:\n" + Joiner.On("\n").Join(tokens)); DelegationTokenSelector dts = new DelegationTokenSelector(); // check that the token selected for one of the physical IPC addresses // matches the one we received foreach (IPEndPoint addr in nnAddrs) { Text ipcDtService = SecurityUtil.BuildTokenService(addr); Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token2 = dts.SelectToken (ipcDtService, ugi.GetTokens()); NUnit.Framework.Assert.IsNotNull(token2); Assert.AssertArrayEquals(token.GetIdentifier(), token2.GetIdentifier()); Assert.AssertArrayEquals(token.GetPassword(), token2.GetPassword()); } // switch to host-based tokens, shouldn't match existing tokens SecurityUtilTestHelper.SetTokenServiceUseIp(false); foreach (IPEndPoint addr_1 in nnAddrs) { Text ipcDtService = SecurityUtil.BuildTokenService(addr_1); Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token2 = dts.SelectToken (ipcDtService, ugi.GetTokens()); NUnit.Framework.Assert.IsNull(token2); } // reclone the tokens, and see if they match now HAUtil.CloneDelegationTokenForLogicalUri(ugi, haUri, nnAddrs); foreach (IPEndPoint addr_2 in nnAddrs) { Text ipcDtService = SecurityUtil.BuildTokenService(addr_2); Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token2 = dts.SelectToken (ipcDtService, ugi.GetTokens()); NUnit.Framework.Assert.IsNotNull(token2); Assert.AssertArrayEquals(token.GetIdentifier(), token2.GetIdentifier()); Assert.AssertArrayEquals(token.GetPassword(), token2.GetPassword()); } }
private void CheckToken(Credentials creds, params Org.Apache.Hadoop.Security.Token.Token <object>[] tokens) { NUnit.Framework.Assert.AreEqual(tokens.Length, creds.GetAllTokens().Count); foreach (Org.Apache.Hadoop.Security.Token.Token <object> token in tokens) { Org.Apache.Hadoop.Security.Token.Token <object> credsToken = creds.GetToken(token. GetService()); NUnit.Framework.Assert.IsTrue(credsToken != null); NUnit.Framework.Assert.AreEqual(token, credsToken); } }
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/> /// <exception cref="System.IO.IOException"/> public override Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> GetAMRMToken (ApplicationId appId) { Org.Apache.Hadoop.Yarn.Api.Records.Token token = GetApplicationReport(appId).GetAMRMToken (); Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> amrmToken = null; if (token != null) { amrmToken = ConverterUtils.ConvertFromYarn(token, (Text)null); } return(amrmToken); }
/// <exception cref="System.IO.IOException"/> private void VerifyTokenWithTamperedID(Configuration conf, TestClientToAMTokens.CustomAM am, Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token) { // Malicious user, messes with appId UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("me"); ClientToAMTokenIdentifier maliciousID = new ClientToAMTokenIdentifier(BuilderUtils .NewApplicationAttemptId(BuilderUtils.NewApplicationId(am.appAttemptId.GetApplicationId ().GetClusterTimestamp(), 42), 43), UserGroupInformation.GetCurrentUser().GetShortUserName ()); VerifyTamperedToken(conf, am, token, ugi, maliciousID); }