예제 #1
0
        /// <exception cref="System.IO.IOException"/>
        private string GetDelegationToken(HttpServletRequest request)
        {
            string dToken = request.GetHeader(DelegationTokenAuthenticator.DelegationTokenHeader
                                              );

            if (dToken == null)
            {
                dToken = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator.
                                                   DelegationParam);
            }
            return(dToken);
        }
예제 #2
0
        /// <exception cref="System.IO.IOException"/>
        /// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
        ///     "/>
        public override bool ManagementOperation(AuthenticationToken token, HttpServletRequest
                                                 request, HttpServletResponse response)
        {
            bool   requestContinues = true;
            string op = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
                                                  .OpParam);

            op = (op != null) ? StringUtils.ToUpperCase(op) : null;
            if (DelegationTokenOps.Contains(op) && !request.GetMethod().Equals("OPTIONS"))
            {
                DelegationTokenAuthenticator.DelegationTokenOperation dtOp = DelegationTokenAuthenticator.DelegationTokenOperation
                                                                             .ValueOf(op);
                if (dtOp.GetHttpMethod().Equals(request.GetMethod()))
                {
                    bool doManagement;
                    if (dtOp.RequiresKerberosCredentials() && token == null)
                    {
                        token = Authenticate(request, response);
                        if (token == null)
                        {
                            requestContinues = false;
                            doManagement     = false;
                        }
                        else
                        {
                            doManagement = true;
                        }
                    }
                    else
                    {
                        doManagement = true;
                    }
                    if (doManagement)
                    {
                        UserGroupInformation requestUgi = (token != null) ? UserGroupInformation.CreateRemoteUser
                                                              (token.GetUserName()) : null;
                        // Create the proxy user if doAsUser exists
                        string doAsUser = DelegationTokenAuthenticationFilter.GetDoAs(request);
                        if (requestUgi != null && doAsUser != null)
                        {
                            requestUgi = UserGroupInformation.CreateProxyUser(doAsUser, requestUgi);
                            try
                            {
                                ProxyUsers.Authorize(requestUgi, request.GetRemoteHost());
                            }
                            catch (AuthorizationException ex)
                            {
                                HttpExceptionUtils.CreateServletExceptionResponse(response, HttpServletResponse.ScForbidden
                                                                                  , ex);
                                return(false);
                            }
                        }
                        IDictionary map = null;
                        switch (dtOp)
                        {
                        case DelegationTokenAuthenticator.DelegationTokenOperation.Getdelegationtoken:
                        {
                            if (requestUgi == null)
                            {
                                throw new InvalidOperationException("request UGI cannot be NULL");
                            }
                            string renewer = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
                                                                       .RenewerParam);
                            try
                            {
                                Org.Apache.Hadoop.Security.Token.Token <object> dToken = tokenManager.CreateToken(
                                    requestUgi, renewer);
                                map = DelegationTokenToJSON(dToken);
                            }
                            catch (IOException ex)
                            {
                                throw new AuthenticationException(ex.ToString(), ex);
                            }
                            break;
                        }

                        case DelegationTokenAuthenticator.DelegationTokenOperation.Renewdelegationtoken:
                        {
                            if (requestUgi == null)
                            {
                                throw new InvalidOperationException("request UGI cannot be NULL");
                            }
                            string tokenToRenew = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
                                                                            .TokenParam);
                            if (tokenToRenew == null)
                            {
                                response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]"
                                                                                                          , dtOp, KerberosDelegationTokenAuthenticator.TokenParam));
                                requestContinues = false;
                            }
                            else
                            {
                                Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
                                                                                                                Org.Apache.Hadoop.Security.Token.Token();
                                try
                                {
                                    dt.DecodeFromUrlString(tokenToRenew);
                                    long expirationTime = tokenManager.RenewToken(dt, requestUgi.GetShortUserName());
                                    map         = new Hashtable();
                                    map["long"] = expirationTime;
                                }
                                catch (IOException ex)
                                {
                                    throw new AuthenticationException(ex.ToString(), ex);
                                }
                            }
                            break;
                        }

                        case DelegationTokenAuthenticator.DelegationTokenOperation.Canceldelegationtoken:
                        {
                            string tokenToCancel = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
                                                                             .TokenParam);
                            if (tokenToCancel == null)
                            {
                                response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]"
                                                                                                          , dtOp, KerberosDelegationTokenAuthenticator.TokenParam));
                                requestContinues = false;
                            }
                            else
                            {
                                Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
                                                                                                                Org.Apache.Hadoop.Security.Token.Token();
                                try
                                {
                                    dt.DecodeFromUrlString(tokenToCancel);
                                    tokenManager.CancelToken(dt, (requestUgi != null) ? requestUgi.GetShortUserName()
                                                                                         : null);
                                }
                                catch (IOException)
                                {
                                    response.SendError(HttpServletResponse.ScNotFound, "Invalid delegation token, cannot cancel"
                                                       );
                                    requestContinues = false;
                                }
                            }
                            break;
                        }
                        }
                        if (requestContinues)
                        {
                            response.SetStatus(HttpServletResponse.ScOk);
                            if (map != null)
                            {
                                response.SetContentType(MediaType.ApplicationJson);
                                TextWriter   writer     = response.GetWriter();
                                ObjectMapper jsonMapper = new ObjectMapper();
                                jsonMapper.WriteValue(writer, map);
                                writer.Write(Enter);
                                writer.Flush();
                            }
                            requestContinues = false;
                        }
                    }
                }
                else
                {
                    response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Wrong HTTP method [{0}] for operation [{1}], it should be "
                                                                                              + "[{2}]", request.GetMethod(), dtOp, dtOp.GetHttpMethod()));
                    requestContinues = false;
                }
            }
            return(requestContinues);
        }