/// <summary>
/// Presents the genuine, untampered client-to-AM token to the AM as remote user
/// "me" by running the privileged action <c>_PrivilegedExceptionAction_406</c>
/// (defined elsewhere in this file). A valid token must be accepted, so any
/// rejection surfaces as an exception out of <c>DoAs</c>.
/// </summary>
/// <param name="conf">Configuration handed to the privileged action.</param>
/// <param name="am">The AM under test that the action connects to.</param>
/// <param name="token">The genuine client-to-AM token to present.</param>
/// <exception cref="System.IO.IOException"/>
/// <exception cref="System.Exception"/>
private void VerifyValidToken(Configuration conf, TestClientToAMTokens.CustomAM am,
    Org.Apache.Hadoop.Security.Token.Token<ClientToAMTokenIdentifier> token)
{
    // Fresh remote-user identity carrying only the token under test.
    UserGroupInformation clientUgi = UserGroupInformation.CreateRemoteUser("me");
    clientUgi.AddToken(token);
    clientUgi.DoAs(new _PrivilegedExceptionAction_406(am, conf));
}
/// <summary>
/// Negative case: a client forges a token identifier that keeps the genuine
/// application attempt id but names a different user ("evilOrc"). The AM must
/// reject it; the shared checks live in <see cref="VerifyTamperedToken"/>.
/// </summary>
/// <param name="conf">Configuration handed to the privileged action.</param>
/// <param name="am">The AM under test; its <c>appAttemptId</c> is reused in the forged id.</param>
/// <param name="token">The genuine token whose password, kind and service are reused.</param>
/// <exception cref="System.IO.IOException"/>
private void VerifyTokenWithTamperedUserName(Configuration conf, TestClientToAMTokens.CustomAM am,
    Org.Apache.Hadoop.Security.Token.Token<ClientToAMTokenIdentifier> token)
{
    // Malicious user: only the client name in the identifier is changed, the
    // attempt id is left untouched.
    ClientToAMTokenIdentifier forgedId = new ClientToAMTokenIdentifier(am.appAttemptId, "evilOrc");
    UserGroupInformation attackerUgi = UserGroupInformation.CreateRemoteUser("me");
    VerifyTamperedToken(conf, am, token, attackerUgi, forgedId);
}
/// <summary>
/// Negative case: a client forges a token identifier that keeps the caller's
/// real short user name but points at a different application attempt (same
/// cluster timestamp, app id 42, attempt 43). The AM must reject it; the shared
/// checks live in <see cref="VerifyTamperedToken"/>.
/// </summary>
/// <param name="conf">Configuration handed to the privileged action.</param>
/// <param name="am">The AM under test; only its cluster timestamp is reused.</param>
/// <param name="token">The genuine token whose password, kind and service are reused.</param>
/// <exception cref="System.IO.IOException"/>
private void VerifyTokenWithTamperedID(Configuration conf, TestClientToAMTokens.CustomAM am,
    Org.Apache.Hadoop.Security.Token.Token<ClientToAMTokenIdentifier> token)
{
    // Malicious user: messes with the appAttemptId, keeps a legitimate user name.
    long clusterTimestamp = am.appAttemptId.GetApplicationId().GetClusterTimestamp();
    ApplicationAttemptId forgedAttemptId = BuilderUtils.NewApplicationAttemptId(
        BuilderUtils.NewApplicationId(clusterTimestamp, 42), 43);
    string currentShortName = UserGroupInformation.GetCurrentUser().GetShortUserName();
    ClientToAMTokenIdentifier forgedId = new ClientToAMTokenIdentifier(forgedAttemptId, currentShortName);
    UserGroupInformation attackerUgi = UserGroupInformation.CreateRemoteUser("me");
    VerifyTamperedToken(conf, am, token, attackerUgi, forgedId);
}
/// <summary>
/// Forward-compatibility case: wraps the decoded identifier of the genuine token
/// in <c>ClientToAMTokenIdentifierForTest</c> (carrying the extra payload
/// "message"), has it re-signed by the AM's own secret manager, and presents it
/// via <c>_PrivilegedExceptionAction_386</c>. Because the password is freshly
/// computed by the AM's secret manager, the AM is expected to accept it.
/// </summary>
/// <param name="conf">Configuration handed to the privileged action.</param>
/// <param name="am">The AM under test; supplies the secret manager that signs the new token.</param>
/// <param name="token">The genuine token whose identifier and service are reused.</param>
/// <param name="rm">Not referenced in this body; kept for the existing call sites.</param>
/// <exception cref="System.IO.IOException"/>
/// <exception cref="System.Exception"/>
private void VerifyNewVersionToken(Configuration conf, TestClientToAMTokens.CustomAM am,
    Org.Apache.Hadoop.Security.Token.Token<ClientToAMTokenIdentifier> token, MockRM rm)
{
    ClientToAMTokenIdentifierForTest newVersionId =
        new ClientToAMTokenIdentifierForTest(token.DecodeIdentifier(), "message");
    Org.Apache.Hadoop.Security.Token.Token<ClientToAMTokenIdentifier> newVersionToken =
        new Org.Apache.Hadoop.Security.Token.Token<ClientToAMTokenIdentifier>(
            newVersionId, am.GetClientToAMTokenSecretManager());
    // Service must match the original so the client picks this token for the AM address.
    newVersionToken.SetService(token.GetService());
    UserGroupInformation clientUgi = UserGroupInformation.CreateRemoteUser("me");
    clientUgi.AddToken(newVersionToken);
    clientUgi.DoAs(new _PrivilegedExceptionAction_386(am, conf));
}
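/// <summary>
/// Builds a token whose identifier bytes are replaced by <paramref name="maliciousID"/>
/// while the genuine token's password, kind and service are reused, presents it to
/// the AM through <c>_PrivilegedExceptionAction_338</c>, and asserts that the
/// connection is rejected at the SASL layer (DIGEST-MD5 "Mismatched response")
/// without the AM ever being pinged.
/// </summary>
/// <param name="conf">Configuration handed to the privileged action.</param>
/// <param name="am">The AM under test; <c>am.pinged</c> must stay false.</param>
/// <param name="token">The genuine token supplying password, kind and service.</param>
/// <param name="ugi">The client identity the forged token is attached to.</param>
/// <param name="maliciousID">The forged identifier to serialize into the token.</param>
private void VerifyTamperedToken(Configuration conf, TestClientToAMTokens.CustomAM am,
    Org.Apache.Hadoop.Security.Token.Token<ClientToAMTokenIdentifier> token,
    UserGroupInformation ugi, ClientToAMTokenIdentifier maliciousID)
{
    // The password still belongs to the genuine identifier, so the digest the
    // client computes for the forged identifier is expected not to verify.
    Org.Apache.Hadoop.Security.Token.Token<ClientToAMTokenIdentifier> maliciousToken =
        new Org.Apache.Hadoop.Security.Token.Token<ClientToAMTokenIdentifier>(
            maliciousID.GetBytes(), token.GetPassword(), token.GetKind(), token.GetService());
    ugi.AddToken(maliciousToken);
    bool rejected = false;
    try
    {
        ugi.DoAs(new _PrivilegedExceptionAction_338(am, conf));
    }
    catch (Exception e)
    {
        rejected = true;
        NUnit.Framework.Assert.AreEqual(typeof(RemoteException).FullName, e.GetType().FullName);
        Exception unwrapped = ((RemoteException)e).UnwrapRemoteException();
        NUnit.Framework.Assert.AreEqual(typeof(SaslException).GetCanonicalName(),
            unwrapped.GetType().GetCanonicalName());
        NUnit.Framework.Assert.IsTrue(unwrapped.Message.Contains(
            "DIGEST-MD5: digest response format violation. " + "Mismatched response."));
    }
    // Previously these checks only ran inside the catch block, so a DoAs that
    // silently succeeded with a forged token would have passed the test.
    NUnit.Framework.Assert.IsTrue(rejected, "Tampered token must be rejected, but DoAs did not throw");
    NUnit.Framework.Assert.IsFalse(am.pinged);
}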
/// <summary>
/// Captures the AM and the client master key so the task can hand the key to
/// the AM when the timer fires (see this task's <c>Run</c>, defined elsewhere).
/// </summary>
/// <param name="am">The AM that is still waiting for its client master key.</param>
/// <param name="clientMasterKey">The master key taken from the register-AM response.</param>
public _TimerTask_516(TestClientToAMTokens.CustomAM am, ByteBuffer clientMasterKey)
{
    // Plain captures; assignment order is irrelevant.
    this.clientMasterKey = clientMasterKey;
    this.am = am;
}
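/// <summary>
/// Race test: the AM is started with <c>null</c> as its client master key, and
/// the key is delivered by a timer ~250 ms later; a client that connects in the
/// meantime must block until the key arrives instead of failing authentication.
/// </summary>
/// <remarks>
/// Both the AM and the RM are stopped in <c>finally</c> blocks so that an
/// assertion failure mid-test does not leak the started services into the
/// next test.
/// </remarks>
/// <exception cref="System.Exception"/>
public virtual void TestClientTokenRace()
{
    conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos");
    UserGroupInformation.SetConfiguration(conf);
    ContainerManagementProtocol containerManager = Org.Mockito.Mockito.Mock<ContainerManagementProtocol>();
    StartContainersResponse mockResponse = Org.Mockito.Mockito.Mock<StartContainersResponse>();
    Org.Mockito.Mockito.When(containerManager.StartContainers((StartContainersRequest)Matchers.Any()))
        .ThenReturn(mockResponse);
    DrainDispatcher dispatcher = new DrainDispatcher();
    MockRM rm = new _MockRMWithCustomAMLauncher_433(dispatcher, conf, containerManager);
    rm.Start();
    try
    {
        // Submit an app
        RMApp app = rm.SubmitApp(1024);
        // Set up a node.
        MockNM nm1 = rm.RegisterNode("localhost:1234", 3072);
        nm1.NodeHeartbeat(true);
        dispatcher.Await();
        nm1.NodeHeartbeat(true);
        dispatcher.Await();
        ApplicationAttemptId appAttempt = app.GetCurrentAppAttempt().GetAppAttemptId();
        MockAM mockAM = new MockAM(rm.GetRMContext(), rm.GetApplicationMasterService(),
            app.GetCurrentAppAttempt().GetAppAttemptId());
        UserGroupInformation appUgi = UserGroupInformation.CreateRemoteUser(appAttempt.ToString());
        RegisterApplicationMasterResponse response = appUgi.DoAs(new _PrivilegedAction_469(mockAM));
        // Get the app-report.
        GetApplicationReportRequest request =
            Org.Apache.Hadoop.Yarn.Util.Records.NewRecord<GetApplicationReportRequest>();
        request.SetApplicationId(app.GetApplicationId());
        GetApplicationReportResponse reportResponse = rm.GetClientRMService().GetApplicationReport(request);
        ApplicationReport appReport = reportResponse.GetApplicationReport();
        Org.Apache.Hadoop.Yarn.Api.Records.Token originalClientToAMToken = appReport.GetClientToAMToken();
        // ClientToAMToken master key should have been received on register
        // application master response.
        ByteBuffer clientMasterKey = response.GetClientToAMTokenMasterKey();
        NUnit.Framework.Assert.IsNotNull(clientMasterKey);
        NUnit.Framework.Assert.IsTrue(((byte[])clientMasterKey.Array()).Length > 0);
        // Start the AM *without* the shared secret; the timer below is expected to
        // deliver it (see _TimerTask_516).
        ApplicationAttemptId appAttemptId = app.GetAppAttempts().Keys.GetEnumerator().Next();
        NUnit.Framework.Assert.IsNotNull(appAttemptId);
        TestClientToAMTokens.CustomAM am = new TestClientToAMTokens.CustomAM(appAttemptId, null);
        am.Init(conf);
        am.Start();
        try
        {
            // Now the real test!
            // Set up clients to be able to pick up correct tokens.
            SecurityUtil.SetSecurityInfoProviders(new TestClientToAMTokens.CustomSecurityInfo());
            Org.Apache.Hadoop.Security.Token.Token<ClientToAMTokenIdentifier> token =
                ConverterUtils.ConvertFromYarn(originalClientToAMToken, am.address);
            // Schedule the key to be set after a significant delay
            Timer timer = new Timer();
            TimerTask timerTask = new _TimerTask_516(am, clientMasterKey);
            timer.Schedule(timerTask, 250);
            // connect should pause waiting for the master key to arrive
            VerifyValidToken(conf, am, token);
        }
        finally
        {
            am.Stop();
        }
    }
    finally
    {
        rm.Stop();
    }
}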
/// <summary>
/// Captures the AM and configuration that the privileged action needs when it
/// runs under the client's UGI (see this action's <c>Run</c>, defined elsewhere).
/// </summary>
/// <param name="am">The AM the action will connect to.</param>
/// <param name="conf">Configuration used to build the client-side connection.</param>
public _PrivilegedExceptionAction_406(TestClientToAMTokens.CustomAM am, Configuration conf)
{
    // Plain captures; assignment order is irrelevant.
    this.conf = conf;
    this.am = am;
}
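/// <summary>
/// End-to-end check of client-to-AM token authentication: an unauthenticated
/// caller, a token with a forged application attempt id and a token with a
/// forged user name must all be denied, while the genuine token and a
/// re-signed newer-version token must be accepted.
/// </summary>
/// <remarks>
/// The AM and the RM are stopped in <c>finally</c> blocks so that a failing
/// assertion does not leak the started services. The unauthenticated-access
/// check records whether the call threw instead of relying on
/// <c>Assert.Fail</c> inside a <c>try</c> whose <c>catch (Exception)</c> would
/// swallow the assertion itself.
/// </remarks>
public virtual void TestClientToAMTokens()
{
    conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos");
    UserGroupInformation.SetConfiguration(conf);
    ContainerManagementProtocol containerManager = Org.Mockito.Mockito.Mock<ContainerManagementProtocol>();
    StartContainersResponse mockResponse = Org.Mockito.Mockito.Mock<StartContainersResponse>();
    Org.Mockito.Mockito.When(containerManager.StartContainers((StartContainersRequest)Matchers.Any()))
        .ThenReturn(mockResponse);
    DrainDispatcher dispatcher = new DrainDispatcher();
    MockRM rm = new _MockRMWithCustomAMLauncher_192(dispatcher, conf, containerManager);
    rm.Start();
    try
    {
        // Submit an app
        RMApp app = rm.SubmitApp(1024);
        // Set up a node.
        MockNM nm1 = rm.RegisterNode("localhost:1234", 3072);
        nm1.NodeHeartbeat(true);
        dispatcher.Await();
        nm1.NodeHeartbeat(true);
        dispatcher.Await();
        ApplicationAttemptId appAttempt = app.GetCurrentAppAttempt().GetAppAttemptId();
        MockAM mockAM = new MockAM(rm.GetRMContext(), rm.GetApplicationMasterService(),
            app.GetCurrentAppAttempt().GetAppAttemptId());
        UserGroupInformation appUgi = UserGroupInformation.CreateRemoteUser(appAttempt.ToString());
        RegisterApplicationMasterResponse response = appUgi.DoAs(new _PrivilegedAction_229(mockAM));
        // Get the app-report.
        GetApplicationReportRequest request =
            Org.Apache.Hadoop.Yarn.Util.Records.NewRecord<GetApplicationReportRequest>();
        request.SetApplicationId(app.GetApplicationId());
        GetApplicationReportResponse reportResponse = rm.GetClientRMService().GetApplicationReport(request);
        ApplicationReport appReport = reportResponse.GetApplicationReport();
        Org.Apache.Hadoop.Yarn.Api.Records.Token originalClientToAMToken = appReport.GetClientToAMToken();
        // ClientToAMToken master key should have been received on register
        // application master response.
        ByteBuffer clientMasterKey = response.GetClientToAMTokenMasterKey();
        NUnit.Framework.Assert.IsNotNull(clientMasterKey);
        NUnit.Framework.Assert.IsTrue(((byte[])clientMasterKey.Array()).Length > 0);
        // Start the AM with the correct shared-secret.
        ApplicationAttemptId appAttemptId = app.GetAppAttempts().Keys.GetEnumerator().Next();
        NUnit.Framework.Assert.IsNotNull(appAttemptId);
        TestClientToAMTokens.CustomAM am =
            new TestClientToAMTokens.CustomAM(appAttemptId, ((byte[])clientMasterKey.Array()));
        am.Init(conf);
        am.Start();
        try
        {
            // Now the real test!
            // Set up clients to be able to pick up correct tokens.
            SecurityUtil.SetSecurityInfoProviders(new TestClientToAMTokens.CustomSecurityInfo());
            // Verify denial for unauthenticated user
            bool unauthenticatedDenied = false;
            try
            {
                TestClientToAMTokens.CustomProtocol client =
                    (TestClientToAMTokens.CustomProtocol)RPC.GetProxy<TestClientToAMTokens.CustomProtocol>(1L, am.address, conf);
                client.Ping();
            }
            catch (Exception)
            {
                unauthenticatedDenied = true;
            }
            NUnit.Framework.Assert.IsTrue(unauthenticatedDenied, "Access by unauthenticated user should fail!!");
            NUnit.Framework.Assert.IsFalse(am.pinged);
            Org.Apache.Hadoop.Security.Token.Token<ClientToAMTokenIdentifier> token =
                ConverterUtils.ConvertFromYarn(originalClientToAMToken, am.address);
            // Verify denial for a malicious user with tampered ID
            VerifyTokenWithTamperedID(conf, am, token);
            // Verify denial for a malicious user with tampered user-name
            VerifyTokenWithTamperedUserName(conf, am, token);
            // Now for an authenticated user
            VerifyValidToken(conf, am, token);
            // Verify for a new version token
            VerifyNewVersionToken(conf, am, token, rm);
        }
        finally
        {
            am.Stop();
        }
    }
    finally
    {
        rm.Stop();
    }
}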