/// <exception cref="System.IO.IOException"/>
private void ValidateRequest(ServletContext context, Configuration conf, HttpServletRequest
request, HttpServletResponse response, FSImage nnImage, string theirStorageInfoString
)
{
if (UserGroupInformation.IsSecurityEnabled() && !IsValidRequestor(context, request
.GetUserPrincipal().GetName(), conf))
{
string errorMsg = "Only Namenode, Secondary Namenode, and administrators may access "
+ "this servlet";
response.SendError(HttpServletResponse.ScForbidden, errorMsg);
Log.Warn("Received non-NN/SNN/administrator request for image or edits from " + request
.GetUserPrincipal().GetName() + " at " + request.GetRemoteHost());
throw new IOException(errorMsg);
}
string myStorageInfoString = nnImage.GetStorage().ToColonSeparatedString();
if (theirStorageInfoString != null && !myStorageInfoString.Equals(theirStorageInfoString
))
{
string errorMsg = "This namenode has storage info " + myStorageInfoString + " but the secondary expected "
+ theirStorageInfoString;
response.SendError(HttpServletResponse.ScForbidden, errorMsg);
Log.Warn("Received an invalid request file transfer request " + "from a secondary with storage info "
+ theirStorageInfoString);
throw new IOException(errorMsg);
}
}
/// <exception cref="System.IO.IOException"/>
private bool CheckRequestorOrSendError(Configuration conf, HttpServletRequest request
, HttpServletResponse response)
{
if (UserGroupInformation.IsSecurityEnabled() && !IsValidRequestor(request, conf))
{
response.SendError(HttpServletResponse.ScForbidden, "Only Namenode and another JournalNode may access this servlet"
);
Log.Warn("Received non-NN/JN request for edits from " + request.GetRemoteHost());
return(false);
}
return(true);
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="Javax.Servlet.ServletException"/>
protected override void DoFilter(FilterChain filterChain, HttpServletRequest request
, HttpServletResponse response)
{
bool requestCompleted = false;
UserGroupInformation ugi = null;
AuthenticationToken authToken = (AuthenticationToken)request.GetUserPrincipal();
if (authToken != null && authToken != AuthenticationToken.Anonymous)
{
// if the request was authenticated because of a delegation token,
// then we ignore proxyuser (this is the same as the RPC behavior).
ugi = (UserGroupInformation)request.GetAttribute(DelegationTokenAuthenticationHandler
.DelegationTokenUgiAttribute);
if (ugi == null)
{
string realUser = request.GetUserPrincipal().GetName();
ugi = UserGroupInformation.CreateRemoteUser(realUser, handlerAuthMethod);
string doAsUser = GetDoAs(request);
if (doAsUser != null)
{
ugi = UserGroupInformation.CreateProxyUser(doAsUser, ugi);
try
{
ProxyUsers.Authorize(ugi, request.GetRemoteHost());
}
catch (AuthorizationException ex)
{
HttpExceptionUtils.CreateServletExceptionResponse(response, HttpServletResponse.ScForbidden
, ex);
requestCompleted = true;
}
}
}
UgiTl.Set(ugi);
}
if (!requestCompleted)
{
UserGroupInformation ugiF = ugi;
try
{
request = new _HttpServletRequestWrapper_269(this, ugiF, request);
base.DoFilter(filterChain, request, response);
}
finally
{
UgiTl.Remove();
}
}
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
/// "/>
public override bool ManagementOperation(AuthenticationToken token, HttpServletRequest
request, HttpServletResponse response)
{
bool requestContinues = true;
string op = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.OpParam);
op = (op != null) ? StringUtils.ToUpperCase(op) : null;
if (DelegationTokenOps.Contains(op) && !request.GetMethod().Equals("OPTIONS"))
{
DelegationTokenAuthenticator.DelegationTokenOperation dtOp = DelegationTokenAuthenticator.DelegationTokenOperation
.ValueOf(op);
if (dtOp.GetHttpMethod().Equals(request.GetMethod()))
{
bool doManagement;
if (dtOp.RequiresKerberosCredentials() && token == null)
{
token = Authenticate(request, response);
if (token == null)
{
requestContinues = false;
doManagement = false;
}
else
{
doManagement = true;
}
}
else
{
doManagement = true;
}
if (doManagement)
{
UserGroupInformation requestUgi = (token != null) ? UserGroupInformation.CreateRemoteUser
(token.GetUserName()) : null;
// Create the proxy user if doAsUser exists
string doAsUser = DelegationTokenAuthenticationFilter.GetDoAs(request);
if (requestUgi != null && doAsUser != null)
{
requestUgi = UserGroupInformation.CreateProxyUser(doAsUser, requestUgi);
try
{
ProxyUsers.Authorize(requestUgi, request.GetRemoteHost());
}
catch (AuthorizationException ex)
{
HttpExceptionUtils.CreateServletExceptionResponse(response, HttpServletResponse.ScForbidden
, ex);
return(false);
}
}
IDictionary map = null;
switch (dtOp)
{
case DelegationTokenAuthenticator.DelegationTokenOperation.Getdelegationtoken:
{
if (requestUgi == null)
{
throw new InvalidOperationException("request UGI cannot be NULL");
}
string renewer = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.RenewerParam);
try
{
Org.Apache.Hadoop.Security.Token.Token <object> dToken = tokenManager.CreateToken(
requestUgi, renewer);
map = DelegationTokenToJSON(dToken);
}
catch (IOException ex)
{
throw new AuthenticationException(ex.ToString(), ex);
}
break;
}
case DelegationTokenAuthenticator.DelegationTokenOperation.Renewdelegationtoken:
{
if (requestUgi == null)
{
throw new InvalidOperationException("request UGI cannot be NULL");
}
string tokenToRenew = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.TokenParam);
if (tokenToRenew == null)
{
response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]"
, dtOp, KerberosDelegationTokenAuthenticator.TokenParam));
requestContinues = false;
}
else
{
Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
Org.Apache.Hadoop.Security.Token.Token();
try
{
dt.DecodeFromUrlString(tokenToRenew);
long expirationTime = tokenManager.RenewToken(dt, requestUgi.GetShortUserName());
map = new Hashtable();
map["long"] = expirationTime;
}
catch (IOException ex)
{
throw new AuthenticationException(ex.ToString(), ex);
}
}
break;
}
case DelegationTokenAuthenticator.DelegationTokenOperation.Canceldelegationtoken:
{
string tokenToCancel = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.TokenParam);
if (tokenToCancel == null)
{
response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]"
, dtOp, KerberosDelegationTokenAuthenticator.TokenParam));
requestContinues = false;
}
else
{
Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
Org.Apache.Hadoop.Security.Token.Token();
try
{
dt.DecodeFromUrlString(tokenToCancel);
tokenManager.CancelToken(dt, (requestUgi != null) ? requestUgi.GetShortUserName()
: null);
}
catch (IOException)
{
response.SendError(HttpServletResponse.ScNotFound, "Invalid delegation token, cannot cancel"
);
requestContinues = false;
}
}
break;
}
}
if (requestContinues)
{
response.SetStatus(HttpServletResponse.ScOk);
if (map != null)
{
response.SetContentType(MediaType.ApplicationJson);
TextWriter writer = response.GetWriter();
ObjectMapper jsonMapper = new ObjectMapper();
jsonMapper.WriteValue(writer, map);
writer.Write(Enter);
writer.Flush();
}
requestContinues = false;
}
}
}
else
{
response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Wrong HTTP method [{0}] for operation [{1}], it should be "
+ "[{2}]", request.GetMethod(), dtOp, dtOp.GetHttpMethod()));
requestContinues = false;
}
}
return(requestContinues);
}