/// <exception cref="System.Exception"/> public virtual void TestUGIAuthMethodInRealUser() { UserGroupInformation ugi = UserGroupInformation.GetCurrentUser(); UserGroupInformation proxyUgi = UserGroupInformation.CreateProxyUser("proxy", ugi ); UserGroupInformation.AuthenticationMethod am = UserGroupInformation.AuthenticationMethod .Kerberos; ugi.SetAuthenticationMethod(am); Assert.Equal(am, ugi.GetAuthenticationMethod()); Assert.Equal(UserGroupInformation.AuthenticationMethod.Proxy, proxyUgi.GetAuthenticationMethod()); Assert.Equal(am, UserGroupInformation.GetRealAuthenticationMethod (proxyUgi)); proxyUgi.DoAs(new _PrivilegedExceptionAction_690(am)); UserGroupInformation proxyUgi2 = new UserGroupInformation(proxyUgi.GetSubject()); proxyUgi2.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Proxy ); Assert.Equal(proxyUgi, proxyUgi2); // Equality should work if authMethod is null UserGroupInformation realugi = UserGroupInformation.GetCurrentUser(); UserGroupInformation proxyUgi3 = UserGroupInformation.CreateProxyUser("proxyAnother" , realugi); UserGroupInformation proxyUgi4 = new UserGroupInformation(proxyUgi3.GetSubject()); Assert.Equal(proxyUgi3, proxyUgi4); }
/// <summary> /// Get /// <see cref="Org.Apache.Hadoop.Security.UserGroupInformation"/> /// and possibly the delegation token out of /// the request. /// </summary> /// <param name="context">the ServletContext that is serving this request.</param> /// <param name="request">the http request</param> /// <param name="conf">configuration</param> /// <param name="secureAuthMethod">the AuthenticationMethod used in secure mode.</param> /// <param name="tryUgiParameter">Should it try the ugi parameter?</param> /// <returns>a new user from the request</returns> /// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">if the request has no token /// </exception> /// <exception cref="System.IO.IOException"/> public static UserGroupInformation GetUGI(ServletContext context, HttpServletRequest request, Configuration conf, UserGroupInformation.AuthenticationMethod secureAuthMethod , bool tryUgiParameter) { UserGroupInformation ugi = null; string usernameFromQuery = GetUsernameFromQuery(request, tryUgiParameter); string doAsUserFromQuery = request.GetParameter(DoAsParam.Name); string remoteUser; if (UserGroupInformation.IsSecurityEnabled()) { remoteUser = request.GetRemoteUser(); string tokenString = request.GetParameter(DelegationParameterName); if (tokenString != null) { // Token-based connections need only verify the effective user, and // disallow proxying to different user. Proxy authorization checks // are not required since the checks apply to issuing a token. ugi = GetTokenUGI(context, request, tokenString, conf); CheckUsername(ugi.GetShortUserName(), usernameFromQuery); CheckUsername(ugi.GetShortUserName(), doAsUserFromQuery); } else { if (remoteUser == null) { throw new IOException("Security enabled but user not authenticated by filter"); } } } else { // Security's not on, pull from url or use default web user remoteUser = (usernameFromQuery == null) ? GetDefaultWebUserName(conf) : usernameFromQuery; } // not specified in request if (ugi == null) { // security is off, or there's no token ugi = UserGroupInformation.CreateRemoteUser(remoteUser); CheckUsername(ugi.GetShortUserName(), usernameFromQuery); if (UserGroupInformation.IsSecurityEnabled()) { // This is not necessarily true, could have been auth'ed by user-facing // filter ugi.SetAuthenticationMethod(secureAuthMethod); } if (doAsUserFromQuery != null) { // create and attempt to authorize a proxy user ugi = UserGroupInformation.CreateProxyUser(doAsUserFromQuery, ugi); ProxyUsers.Authorize(ugi, GetRemoteAddr(request)); } } if (Log.IsDebugEnabled()) { Log.Debug("getUGI is returning: " + ugi.GetShortUserName()); } return(ugi); }
/// <exception cref="System.IO.IOException"/> public virtual void TestSecureProxyAuthParamsInUrl() { Configuration conf = new Configuration(); // fake turning on security so api thinks it should use tokens SecurityUtil.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos , conf); UserGroupInformation.SetConfiguration(conf); UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test-user"); ugi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos); ugi = UserGroupInformation.CreateProxyUser("test-proxy-user", ugi); UserGroupInformation.SetLoginUser(ugi); WebHdfsFileSystem webhdfs = GetWebHdfsFileSystem(ugi, conf); Path fsPath = new Path("/"); string tokenString = webhdfs.GetDelegationToken().EncodeToUrlString(); // send real+effective Uri getTokenUrl = webhdfs.ToUrl(GetOpParam.OP.Getdelegationtoken, fsPath); CheckQueryParams(new string[] { GetOpParam.OP.Getdelegationtoken.ToQueryString(), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi .GetShortUserName()).ToString() }, getTokenUrl); // send real+effective Uri renewTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Renewdelegationtoken, fsPath, new TokenArgumentParam(tokenString)); CheckQueryParams(new string[] { PutOpParam.OP.Renewdelegationtoken.ToQueryString( ), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam (ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString () }, renewTokenUrl); // send token Uri cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new TokenArgumentParam(tokenString)); CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString (), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam (ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString () }, cancelTokenUrl); // send token Uri fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath); CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new DelegationParam(tokenString).ToString() }, fileStatusUrl); // wipe out internal token to simulate auth always required webhdfs.SetDelegationToken(null); // send real+effective cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new TokenArgumentParam (tokenString)); CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString (), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam (ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString () }, cancelTokenUrl); // send real+effective fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath); CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi.GetShortUserName ()).ToString() }, fileStatusUrl); }
/// <exception cref="System.Exception"/> public virtual void TestUGIAuthMethod() { UserGroupInformation ugi = UserGroupInformation.GetCurrentUser(); UserGroupInformation.AuthenticationMethod am = UserGroupInformation.AuthenticationMethod .Kerberos; ugi.SetAuthenticationMethod(am); Assert.Equal(am, ugi.GetAuthenticationMethod()); ugi.DoAs(new _PrivilegedExceptionAction_668(am)); }
/// <exception cref="System.Exception"/> public virtual void TestTestAuthMethod() { UserGroupInformation ugi = UserGroupInformation.GetCurrentUser(); // verify the reverse mappings works foreach (UserGroupInformation.AuthenticationMethod am in UserGroupInformation.AuthenticationMethod .Values()) { if (am.GetAuthMethod() != null) { ugi.SetAuthenticationMethod(am.GetAuthMethod()); Assert.Equal(am, ugi.GetAuthenticationMethod()); } } }
public virtual void TestGetRealAuthenticationMethod() { UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("user1"); ugi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Simple); Assert.Equal(UserGroupInformation.AuthenticationMethod.Simple, ugi.GetAuthenticationMethod()); Assert.Equal(UserGroupInformation.AuthenticationMethod.Simple, ugi.GetRealAuthenticationMethod()); ugi = UserGroupInformation.CreateProxyUser("user2", ugi); Assert.Equal(UserGroupInformation.AuthenticationMethod.Proxy, ugi.GetAuthenticationMethod()); Assert.Equal(UserGroupInformation.AuthenticationMethod.Simple, ugi.GetRealAuthenticationMethod()); }
public virtual void TestGetUserGroupInformationSecure() { string userName = "******"; string currentUser = "******"; NfsConfiguration conf = new NfsConfiguration(); UserGroupInformation currentUserUgi = UserGroupInformation.CreateRemoteUser(currentUser ); currentUserUgi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod. Kerberos); UserGroupInformation.SetLoginUser(currentUserUgi); DFSClientCache cache = new DFSClientCache(conf); UserGroupInformation ugiResult = cache.GetUserGroupInformation(userName, currentUserUgi ); Assert.AssertThat(ugiResult.GetUserName(), IS.Is(userName)); Assert.AssertThat(ugiResult.GetRealUser(), IS.Is(currentUserUgi)); Assert.AssertThat(ugiResult.GetAuthenticationMethod(), IS.Is(UserGroupInformation.AuthenticationMethod .Proxy)); }
public virtual void TestDelegationToken() { YarnConfiguration conf = new YarnConfiguration(); conf.Set(YarnConfiguration.RmPrincipal, "testuser/[email protected]"); conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos"); UserGroupInformation.SetConfiguration(conf); ResourceScheduler scheduler = CreateMockScheduler(conf); long initialInterval = 10000l; long maxLifetime = 20000l; long renewInterval = 10000l; RMDelegationTokenSecretManager rmDtSecretManager = CreateRMDelegationTokenSecretManager (initialInterval, maxLifetime, renewInterval); rmDtSecretManager.StartThreads(); Log.Info("Creating DelegationTokenSecretManager with initialInterval: " + initialInterval + ", maxLifetime: " + maxLifetime + ", renewInterval: " + renewInterval); ClientRMService clientRMService = new TestClientRMTokens.ClientRMServiceForTest(this , conf, scheduler, rmDtSecretManager); clientRMService.Init(conf); clientRMService.Start(); ApplicationClientProtocol clientRMWithDT = null; try { // Create a user for the renewr and fake the authentication-method UserGroupInformation loggedInUser = UserGroupInformation.CreateRemoteUser("*****@*****.**" ); NUnit.Framework.Assert.AreEqual("testrenewer", loggedInUser.GetShortUserName()); // Default realm is APACHE.ORG loggedInUser.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos ); Token token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName ()); long tokenFetchTime = Runtime.CurrentTimeMillis(); Log.Info("Got delegation token at: " + tokenFetchTime); // Now try talking to RMService using the delegation token clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress( ), "loginuser1", conf); GetNewApplicationRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord < GetNewApplicationRequest>(); try { clientRMWithDT.GetNewApplication(request); } catch (IOException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } catch (YarnException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } // Renew after 50% of token age. while (Runtime.CurrentTimeMillis() < tokenFetchTime + initialInterval / 2) { Sharpen.Thread.Sleep(500l); } long nextExpTime = RenewDelegationToken(loggedInUser, clientRMService, token); long renewalTime = Runtime.CurrentTimeMillis(); Log.Info("Renewed token at: " + renewalTime + ", NextExpiryTime: " + nextExpTime); // Wait for first expiry, but before renewed expiry. while (Runtime.CurrentTimeMillis() > tokenFetchTime + initialInterval && Runtime. CurrentTimeMillis() < nextExpTime) { Sharpen.Thread.Sleep(500l); } Sharpen.Thread.Sleep(50l); // Valid token because of renewal. try { clientRMWithDT.GetNewApplication(request); } catch (IOException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } catch (YarnException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } // Wait for expiry. while (Runtime.CurrentTimeMillis() < renewalTime + renewInterval) { Sharpen.Thread.Sleep(500l); } Sharpen.Thread.Sleep(50l); Log.Info("At time: " + Runtime.CurrentTimeMillis() + ", token should be invalid"); // Token should have expired. try { clientRMWithDT.GetNewApplication(request); NUnit.Framework.Assert.Fail("Should not have succeeded with an expired token"); } catch (Exception e) { NUnit.Framework.Assert.AreEqual(typeof(SecretManager.InvalidToken).FullName, e.GetType ().FullName); NUnit.Framework.Assert.IsTrue(e.Message.Contains("is expired")); } // Test cancellation // Stop the existing proxy, start another. if (clientRMWithDT != null) { RPC.StopProxy(clientRMWithDT); clientRMWithDT = null; } token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName ()); tokenFetchTime = Runtime.CurrentTimeMillis(); Log.Info("Got delegation token at: " + tokenFetchTime); // Now try talking to RMService using the delegation token clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress( ), "loginuser2", conf); request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetNewApplicationRequest> (); try { clientRMWithDT.GetNewApplication(request); } catch (IOException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } catch (YarnException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } CancelDelegationToken(loggedInUser, clientRMService, token); if (clientRMWithDT != null) { RPC.StopProxy(clientRMWithDT); clientRMWithDT = null; } // Creating a new connection. clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress( ), "loginuser2", conf); Log.Info("Cancelled delegation token at: " + Runtime.CurrentTimeMillis()); // Verify cancellation worked. try { clientRMWithDT.GetNewApplication(request); NUnit.Framework.Assert.Fail("Should not have succeeded with a cancelled delegation token" ); } catch (IOException) { } catch (YarnException) { } // Test new version token // Stop the existing proxy, start another. if (clientRMWithDT != null) { RPC.StopProxy(clientRMWithDT); clientRMWithDT = null; } token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName ()); byte[] tokenIdentifierContent = ((byte[])token.GetIdentifier().Array()); RMDelegationTokenIdentifier tokenIdentifier = new RMDelegationTokenIdentifier(); DataInputBuffer dib = new DataInputBuffer(); dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length); tokenIdentifier.ReadFields(dib); // Construct new version RMDelegationTokenIdentifier with additional field RMDelegationTokenIdentifierForTest newVersionTokenIdentifier = new RMDelegationTokenIdentifierForTest (tokenIdentifier, "message"); Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> newRMDTtoken = new Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier>(newVersionTokenIdentifier , rmDtSecretManager); Org.Apache.Hadoop.Yarn.Api.Records.Token newToken = BuilderUtils.NewDelegationToken (newRMDTtoken.GetIdentifier(), newRMDTtoken.GetKind().ToString(), newRMDTtoken.GetPassword (), newRMDTtoken.GetService().ToString()); // Now try talking to RMService using the new version delegation token clientRMWithDT = GetClientRMProtocolWithDT(newToken, clientRMService.GetBindAddress (), "loginuser3", conf); request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetNewApplicationRequest> (); try { clientRMWithDT.GetNewApplication(request); } catch (IOException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } catch (YarnException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } } finally { rmDtSecretManager.StopThreads(); // TODO PRECOMMIT Close proxies. if (clientRMWithDT != null) { RPC.StopProxy(clientRMWithDT); } } }
public virtual void TestDelegationToken() { Logger rootLogger = LogManager.GetRootLogger(); rootLogger.SetLevel(Level.Debug); YarnConfiguration conf = new YarnConfiguration(new JobConf()); // Just a random principle conf.Set(JHAdminConfig.MrHistoryPrincipal, "RandomOrc/[email protected]"); conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos"); UserGroupInformation.SetConfiguration(conf); long initialInterval = 10000l; long maxLifetime = 20000l; long renewInterval = 10000l; JobHistoryServer jobHistoryServer = null; MRClientProtocol clientUsingDT = null; long tokenFetchTime; try { jobHistoryServer = new _JobHistoryServer_87(initialInterval, maxLifetime, renewInterval ); // no keytab based login // Don't need it, skip.; // final JobHistoryServer jobHistoryServer = jhServer; jobHistoryServer.Init(conf); jobHistoryServer.Start(); MRClientProtocol hsService = jobHistoryServer.GetClientService().GetClientHandler (); // Fake the authentication-method UserGroupInformation loggedInUser = UserGroupInformation.CreateRemoteUser("*****@*****.**" ); NUnit.Framework.Assert.AreEqual("testrenewer", loggedInUser.GetShortUserName()); // Default realm is APACHE.ORG loggedInUser.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos ); Token token = GetDelegationToken(loggedInUser, hsService, loggedInUser.GetShortUserName ()); tokenFetchTime = Runtime.CurrentTimeMillis(); Log.Info("Got delegation token at: " + tokenFetchTime); // Now try talking to JHS using the delegation token clientUsingDT = GetMRClientProtocol(token, jobHistoryServer.GetClientService().GetBindAddress (), "TheDarkLord", conf); GetJobReportRequest jobReportRequest = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetJobReportRequest>(); jobReportRequest.SetJobId(MRBuilderUtils.NewJobId(123456, 1, 1)); try { clientUsingDT.GetJobReport(jobReportRequest); } catch (IOException e) { NUnit.Framework.Assert.AreEqual("Unknown job job_123456_0001", e.Message); } // Renew after 50% of token age. while (Runtime.CurrentTimeMillis() < tokenFetchTime + initialInterval / 2) { Sharpen.Thread.Sleep(500l); } long nextExpTime = RenewDelegationToken(loggedInUser, hsService, token); long renewalTime = Runtime.CurrentTimeMillis(); Log.Info("Renewed token at: " + renewalTime + ", NextExpiryTime: " + nextExpTime); // Wait for first expiry, but before renewed expiry. while (Runtime.CurrentTimeMillis() > tokenFetchTime + initialInterval && Runtime. CurrentTimeMillis() < nextExpTime) { Sharpen.Thread.Sleep(500l); } Sharpen.Thread.Sleep(50l); // Valid token because of renewal. try { clientUsingDT.GetJobReport(jobReportRequest); } catch (IOException e) { NUnit.Framework.Assert.AreEqual("Unknown job job_123456_0001", e.Message); } // Wait for expiry. while (Runtime.CurrentTimeMillis() < renewalTime + renewInterval) { Sharpen.Thread.Sleep(500l); } Sharpen.Thread.Sleep(50l); Log.Info("At time: " + Runtime.CurrentTimeMillis() + ", token should be invalid"); // Token should have expired. try { clientUsingDT.GetJobReport(jobReportRequest); NUnit.Framework.Assert.Fail("Should not have succeeded with an expired token"); } catch (IOException e) { NUnit.Framework.Assert.IsTrue(e.InnerException.Message.Contains("is expired")); } // Test cancellation // Stop the existing proxy, start another. if (clientUsingDT != null) { // RPC.stopProxy(clientUsingDT); clientUsingDT = null; } token = GetDelegationToken(loggedInUser, hsService, loggedInUser.GetShortUserName ()); tokenFetchTime = Runtime.CurrentTimeMillis(); Log.Info("Got delegation token at: " + tokenFetchTime); // Now try talking to HSService using the delegation token clientUsingDT = GetMRClientProtocol(token, jobHistoryServer.GetClientService().GetBindAddress (), "loginuser2", conf); try { clientUsingDT.GetJobReport(jobReportRequest); } catch (IOException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } CancelDelegationToken(loggedInUser, hsService, token); // Testing the token with different renewer to cancel the token Token tokenWithDifferentRenewer = GetDelegationToken(loggedInUser, hsService, "yarn" ); CancelDelegationToken(loggedInUser, hsService, tokenWithDifferentRenewer); if (clientUsingDT != null) { // RPC.stopProxy(clientUsingDT); clientUsingDT = null; } // Creating a new connection. clientUsingDT = GetMRClientProtocol(token, jobHistoryServer.GetClientService().GetBindAddress (), "loginuser2", conf); Log.Info("Cancelled delegation token at: " + Runtime.CurrentTimeMillis()); // Verify cancellation worked. try { clientUsingDT.GetJobReport(jobReportRequest); NUnit.Framework.Assert.Fail("Should not have succeeded with a cancelled delegation token" ); } catch (IOException) { } } finally { jobHistoryServer.Stop(); } }