/// <summary>
/// Decodes a URL-encoded delegation token and returns the user described by
/// its identifier, with the token attached to that user.
/// </summary>
/// <remarks>
/// Everything decoded from <paramref name="tokenString"/> is unauthenticated
/// until <c>VerifyToken</c> succeeds. That check only runs when
/// <paramref name="context"/> is non-null and a NameNode can be obtained from it;
/// on every other path the returned user is built from an identifier this
/// method has not verified.
/// NOTE(review): confirm that callers on the unverified paths have the token
/// checked elsewhere before the returned user is trusted.
/// </remarks>
/// <param name="context">Servlet context; may be null, which skips verification.</param>
/// <param name="request">Request used to look up the NameNode service address.</param>
/// <param name="tokenString">URL-encoded delegation token.</param>
/// <param name="conf">Not read by this method.</param>
/// <returns>The user named by the token identifier, carrying the token.</returns>
/// <exception cref="System.IO.IOException"/>
private static UserGroupInformation GetTokenUGI(ServletContext context, HttpServletRequest request, string tokenString, Configuration conf)
{
    Org.Apache.Hadoop.Security.Token.Token<DelegationTokenIdentifier> delegationToken =
        new Org.Apache.Hadoop.Security.Token.Token<DelegationTokenIdentifier>();
    delegationToken.DecodeFromUrlString(tokenString);

    // Bind the token to the NameNode service address when one can be resolved.
    IPEndPoint nnAddress = GetNNServiceAddress(context, request);
    if (nnAddress != null)
    {
        SecurityUtil.SetTokenService(delegationToken, nnAddress);
        delegationToken.SetKind(DelegationTokenIdentifier.HdfsDelegationKind);
    }

    // Parse the identifier bytes; the fields are still unverified at this point.
    ByteArrayInputStream identifierBytes = new ByteArrayInputStream(delegationToken.GetIdentifier());
    DataInputStream identifierStream = new DataInputStream(identifierBytes);
    DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
    identifier.ReadFields(identifierStream);

    // Verify the token, but only when a NameNode is reachable through the context.
    NameNode nameNode = context != null ? NameNodeHttpServer.GetNameNodeFromContext(context) : null;
    if (nameNode != null)
    {
        nameNode.GetNamesystem().VerifyToken(identifier, delegationToken.GetPassword());
    }

    UserGroupInformation tokenUser = identifier.GetUser();
    tokenUser.AddToken(delegationToken);
    return tokenUser;
}
/// <summary>
/// Decodes the identifier of <paramref name="token"/>, asserts that the secret
/// manager holds a password for it, renews the token as "JobTracker", and then
/// runs a privileged action as <paramref name="ugi"/>.
/// </summary>
/// <param name="ugi">User under which the final privileged action runs.</param>
/// <param name="token">Token to check; asserted non-null.</param>
/// <exception cref="System.Exception"/>
private void CheckTokenIdentifier<_T0>(UserGroupInformation ugi, Org.Apache.Hadoop.Security.Token.Token<_T0> token)
    where _T0 : TokenIdentifier
{
    NUnit.Framework.Assert.IsNotNull(token);

    // token.decodeIdentifier() would be the natural call, but webhdfs is not
    // registered with the service loader for token decoding, so the identifier
    // is parsed by hand.
    DelegationTokenIdentifier decoded = new DelegationTokenIdentifier();
    byte[] rawIdentifier = token.GetIdentifier();
    DataInputStream stream = new DataInputStream(new ByteArrayInputStream(rawIdentifier));
    try
    {
        decoded.ReadFields(stream);
    }
    finally
    {
        stream.Close();
    }
    NUnit.Framework.Assert.IsNotNull(decoded);

    Log.Info("A valid token should have non-null password, and should be renewed successfully");
    NUnit.Framework.Assert.IsTrue(dtSecretManager.RetrievePassword(decoded) != null);
    dtSecretManager.RenewToken(
        (Org.Apache.Hadoop.Security.Token.Token<DelegationTokenIdentifier>)token, "JobTracker");

    ugi.DoAs(new _PrivilegedExceptionAction_309(this, token));
}
/// <summary>
/// Builds the user described by the delegation token taken from the request
/// parameters and attaches that token to the user.
/// </summary>
/// <remarks>
/// NOTE(review): no verification call is visible in this method; the returned
/// user comes straight from the parsed identifier. Confirm that the token is
/// verified elsewhere before this user is relied on for authorization.
/// </remarks>
/// <returns>The user named by the token identifier, carrying the token.</returns>
/// <exception cref="System.IO.IOException"/>
private UserGroupInformation TokenUGI()
{
    Org.Apache.Hadoop.Security.Token.Token<DelegationTokenIdentifier> delegationToken =
        @params.DelegationToken();

    ByteArrayInputStream identifierBytes = new ByteArrayInputStream(delegationToken.GetIdentifier());
    DataInputStream identifierStream = new DataInputStream(identifierBytes);
    DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
    identifier.ReadFields(identifierStream);

    UserGroupInformation tokenUser = identifier.GetUser();
    tokenUser.AddToken(delegationToken);
    return tokenUser;
}
/// <summary>
/// Walks the delegation-token section of an fsimage: the current key id, the
/// delegation keys, the token sequence number, and then every token identifier
/// with its expiry time, reporting each element to the visitor.
/// </summary>
/// <remarks>
/// The key and token counts are read from the stream and used directly as loop
/// bounds; a negative count skips the loop.
/// NOTE(review): the visitor receives <c>DelegationKey.ToString()</c> plus the
/// owner, renewer and real user of every token. Check what that string contains
/// and handle the resulting dump as sensitive if it includes key material.
/// </remarks>
/// <param name="in">DataInputStream to process</param>
/// <param name="v">Visitor to walk over records</param>
/// <exception cref="System.IO.IOException"/>
private void ProcessDelegationTokens(DataInputStream @in, ImageVisitor v)
{
    v.Visit(ImageVisitor.ImageElement.CurrentDelegationKeyId, @in.ReadInt());

    // Delegation keys.
    int keyCount = @in.ReadInt();
    v.VisitEnclosingElement(
        ImageVisitor.ImageElement.DelegationKeys,
        ImageVisitor.ImageElement.NumDelegationKeys,
        keyCount);
    for (int keyIndex = 0; keyIndex < keyCount; keyIndex++)
    {
        DelegationKey delegationKey = new DelegationKey();
        delegationKey.ReadFields(@in);
        v.Visit(ImageVisitor.ImageElement.DelegationKey, delegationKey.ToString());
    }
    v.LeaveEnclosingElement();

    v.Visit(ImageVisitor.ImageElement.DelegationTokenSequenceNumber, @in.ReadInt());

    // Delegation tokens: each record is an identifier followed by its expiry time.
    int tokenCount = @in.ReadInt();
    v.VisitEnclosingElement(
        ImageVisitor.ImageElement.DelegationTokens,
        ImageVisitor.ImageElement.NumDelegationTokens,
        tokenCount);
    for (int tokenIndex = 0; tokenIndex < tokenCount; tokenIndex++)
    {
        DelegationTokenIdentifier tokenIdent = new DelegationTokenIdentifier();
        tokenIdent.ReadFields(@in);
        long expiry = @in.ReadLong();

        v.VisitEnclosingElement(ImageVisitor.ImageElement.DelegationTokenIdentifier);
        v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierKind, tokenIdent.GetKind().ToString());
        v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierSeqno, tokenIdent.GetSequenceNumber());
        v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierOwner, tokenIdent.GetOwner().ToString());
        v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierRenewer, tokenIdent.GetRenewer().ToString());
        v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierRealuser, tokenIdent.GetRealUser().ToString());
        v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierIssueDate, tokenIdent.GetIssueDate());
        v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierMaxDate, tokenIdent.GetMaxDate());
        v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierExpiryTime, expiry);
        v.Visit(ImageVisitor.ImageElement.DelegationTokenIdentifierMasterKeyId, tokenIdent.GetMasterKeyId());
        v.LeaveEnclosingElement(); // DELEGATION_TOKEN_IDENTIFIER
    }
    v.LeaveEnclosingElement();
}
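/// <summary>
/// Checks that a delegation token obtained through the proxy user records the
/// proxy user as its user and the real user behind it.
/// </summary>
/// <remarks>
/// Failures are allowed to propagate. An empty <c>catch (Exception)</c> around
/// this body would also swallow assertion failures, so the test could never
/// fail, even if the token named the wrong user or real user.
/// </remarks>
/// <exception cref="System.IO.IOException"/>
public virtual void TestDelegationTokenWithRealUser()
{
    Org.Apache.Hadoop.Security.Token.Token<object>[] tokens =
        proxyUgi.DoAs(new _PrivilegedExceptionAction_131());

    // Parse the identifier of the first token returned for the proxy user.
    DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
    byte[] tokenId = tokens[0].GetIdentifier();
    identifier.ReadFields(new DataInputStream(new ByteArrayInputStream(tokenId)));

    // Expected value first, so a failure message reports the values the right way round.
    NUnit.Framework.Assert.AreEqual(ProxyUser, identifier.GetUser().GetUserName());
    NUnit.Framework.Assert.AreEqual(RealUser, identifier.GetUser().GetRealUser().GetUserName());
}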
/// <summary>
/// Exercises renewal and expiry in the delegation token secret manager: a
/// renewer other than the designated one is rejected, the designated renewer
/// succeeds, the password becomes unavailable after the token expires, and
/// renewal is refused after the second wait.
/// </summary>
/// <remarks>
/// The expiry checks rely on fixed sleeps of 6000 ms and 5000 ms.
/// NOTE(review): these presumably match token lifetimes configured by the test
/// fixture, which is not visible here; confirm before changing either value.
/// </remarks>
public virtual void TestDelegationTokenSecretManager()
{
    Org.Apache.Hadoop.Security.Token.Token<DelegationTokenIdentifier> issued =
        GenerateDelegationToken("SomeUser", "JobTracker");

    // Fake renewer should not be able to renew
    try
    {
        dtSecretManager.RenewToken(issued, "FakeRenewer");
        NUnit.Framework.Assert.Fail("should have failed");
    }
    catch (AccessControlException)
    {
        // PASS
    }

    dtSecretManager.RenewToken(issued, "JobTracker");

    DelegationTokenIdentifier parsed = new DelegationTokenIdentifier();
    byte[] rawIdentifier = issued.GetIdentifier();
    parsed.ReadFields(new DataInputStream(new ByteArrayInputStream(rawIdentifier)));
    NUnit.Framework.Assert.IsTrue(dtSecretManager.RetrievePassword(parsed) != null);

    Log.Info("Sleep to expire the token");
    Sharpen.Thread.Sleep(6000);

    // Token should be expired
    try
    {
        dtSecretManager.RetrievePassword(parsed);
        // Should not come here
        NUnit.Framework.Assert.Fail("Token should have expired");
    }
    catch (SecretManager.InvalidToken)
    {
        // Success
    }

    dtSecretManager.RenewToken(issued, "JobTracker");

    Log.Info("Sleep beyond the max lifetime");
    Sharpen.Thread.Sleep(5000);
    try
    {
        dtSecretManager.RenewToken(issued, "JobTracker");
        NUnit.Framework.Assert.Fail("should have been expired");
    }
    catch (SecretManager.InvalidToken)
    {
    }
}
/// <summary>
/// Checks that a delegation token obtained through the file system is known to
/// the secret manager, can be renewed with the client configuration, fails with
/// a clear error under an empty configuration, and can still be renewed and
/// cancelled after a failover.
/// </summary>
/// <exception cref="System.Exception"/>
public virtual void TestDelegationTokenDFSApi()
{
    Org.Apache.Hadoop.Security.Token.Token<DelegationTokenIdentifier> issued =
        GetDelegationToken(fs, "JobTracker");

    DelegationTokenIdentifier parsed = new DelegationTokenIdentifier();
    byte[] rawIdentifier = issued.GetIdentifier();
    parsed.ReadFields(new DataInputStream(new ByteArrayInputStream(rawIdentifier)));

    // Ensure that it's present in the NN's secret manager and can
    // be renewed directly from there.
    Log.Info("A valid token should have non-null password, " + "and should be renewed successfully");
    NUnit.Framework.Assert.IsTrue(dtSecretManager.RetrievePassword(parsed) != null);
    dtSecretManager.RenewToken(issued, "JobTracker");

    // Use the client conf with the failover info present to check
    // renewal.
    Configuration failoverConf = dfs.GetConf();
    DoRenewOrCancel(issued, failoverConf, TestDelegationTokensWithHA.TokenTestAction.Renew);

    // Using a configuration that doesn't have the logical nameservice
    // configured should result in a reasonable error message.
    Configuration blankConf = new Configuration();
    try
    {
        DoRenewOrCancel(issued, blankConf, TestDelegationTokensWithHA.TokenTestAction.Renew);
        NUnit.Framework.Assert.Fail("Did not throw trying to renew with an empty conf!");
    }
    catch (IOException renewFailure)
    {
        GenericTestUtils.AssertExceptionContains("Unable to map logical nameservice URI", renewFailure);
    }

    // Ensure that the token can be renewed again after a failover.
    cluster.TransitionToStandby(0);
    cluster.TransitionToActive(1);
    DoRenewOrCancel(issued, failoverConf, TestDelegationTokensWithHA.TokenTestAction.Renew);
    DoRenewOrCancel(issued, failoverConf, TestDelegationTokensWithHA.TokenTestAction.Cancel);
}
/// <summary>
/// Test if StandbyException can be thrown from the standby NN when it is asked
/// for a token password.
/// </summary>
/// <remarks>
/// Covers HDFS-6475. With StandbyException, the client can fail over and try
/// the active NN.
/// </remarks>
/// <exception cref="System.Exception"/>
public virtual void TestDelegationTokenStandbyNNAppearFirst()
{
    // make nn0 the standby NN, and nn1 the active NN
    cluster.TransitionToStandby(0);
    cluster.TransitionToActive(1);

    DelegationTokenSecretManager activeSecretManager =
        NameNodeAdapter.GetDtSecretManager(nn1.GetNamesystem());

    // create token
    Org.Apache.Hadoop.Security.Token.Token<DelegationTokenIdentifier> issued =
        GetDelegationToken(fs, "JobTracker");
    DelegationTokenIdentifier parsed = new DelegationTokenIdentifier();
    byte[] rawIdentifier = issued.GetIdentifier();
    parsed.ReadFields(new DataInputStream(new ByteArrayInputStream(rawIdentifier)));

    // The secret manager taken from nn1 must hold a password for the new token.
    NUnit.Framework.Assert.IsTrue(activeSecretManager.RetrievePassword(parsed) != null);

    UserGroupInformation remoteUser = UserGroupInformation.CreateRemoteUser("JobTracker");
    remoteUser.AddToken(issued);
    remoteUser.DoAs(new _PrivilegedExceptionAction_406(parsed));
}
/// <summary>
/// Test if correct exception (StandbyException or RetriableException) can be
/// thrown during the NN failover.
/// </summary>
/// <remarks>
/// The statement order matters: the replacement edit log tailer is installed
/// before the token is created, and <c>catchup</c> is set before the waiters on
/// this instance are notified.
/// NOTE(review): <c>lock (this)</c> presumably pairs with a wait on the same
/// object in the replacement tailer; confirm before changing the lock target.
/// </remarks>
/// <exception cref="System.Exception"/>
public virtual void TestDelegationTokenDuringNNFailover()
{
    EditLogTailer originalTailer = nn1.GetNamesystem().GetEditLogTailer();
    // stop the editLogTailer of nn1
    originalTailer.Stop();
    Configuration tailerConf = (Configuration)Whitebox.GetInternalState(originalTailer, "conf");
    nn1.GetNamesystem().SetEditLogTailerForTests(
        new TestDelegationTokensWithHA.EditLogTailerForTest(this, nn1.GetNamesystem(), tailerConf));

    // create token
    Org.Apache.Hadoop.Security.Token.Token<DelegationTokenIdentifier> issued =
        GetDelegationToken(fs, "JobTracker");
    DelegationTokenIdentifier parsed = new DelegationTokenIdentifier();
    byte[] rawIdentifier = issued.GetIdentifier();
    parsed.ReadFields(new DataInputStream(new ByteArrayInputStream(rawIdentifier)));

    // Ensure that it's present in the nn0 secret manager and can
    // be renewed directly from there.
    Log.Info("A valid token should have non-null password, " + "and should be renewed successfully");
    NUnit.Framework.Assert.IsTrue(dtSecretManager.RetrievePassword(parsed) != null);
    dtSecretManager.RenewToken(issued, "JobTracker");

    // transition nn0 to standby
    cluster.TransitionToStandby(0);
    try
    {
        cluster.GetNameNodeRpc(0).RenewDelegationToken(issued);
        NUnit.Framework.Assert.Fail("StandbyException is expected since nn0 is in standby state");
    }
    catch (StandbyException standbyFailure)
    {
        GenericTestUtils.AssertExceptionContains(
            HAServiceProtocol.HAServiceState.Standby.ToString(), standbyFailure);
    }

    new _Thread_220().Start();
    Sharpen.Thread.Sleep(1000);

    // While nn1 is still in transition, verification must fail with one of the
    // two exception types the assertion below accepts.
    try
    {
        nn1.GetNamesystem().VerifyToken(issued.DecodeIdentifier(), issued.GetPassword());
        NUnit.Framework.Assert.Fail("RetriableException/StandbyException is expected since nn1 is in transition");
    }
    catch (IOException transitionFailure)
    {
        NUnit.Framework.Assert.IsTrue(
            transitionFailure is StandbyException || transitionFailure is RetriableException);
        Log.Info("Got expected exception", transitionFailure);
    }

    // Set the flag first, then wake whatever is waiting on this instance.
    catchup = true;
    lock (this)
    {
        Sharpen.Runtime.NotifyAll(this);
    }

    Configuration failoverConf = dfs.GetConf();
    DoRenewOrCancel(issued, failoverConf, TestDelegationTokensWithHA.TokenTestAction.Renew);
    DoRenewOrCancel(issued, failoverConf, TestDelegationTokensWithHA.TokenTestAction.Cancel);
}