예제 #1
0
        /// <exception cref="System.IO.IOException"/>
        /// <exception cref="System.Exception"/>
        private void VerifyValidToken(Configuration conf, TestClientToAMTokens.CustomAM am
                                      , Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token)
        {
            UserGroupInformation ugi;

            ugi = UserGroupInformation.CreateRemoteUser("me");
            ugi.AddToken(token);
            ugi.DoAs(new _PrivilegedExceptionAction_406(am, conf));
        }
예제 #2
0
        /// <exception cref="System.IO.IOException"/>
        private void VerifyTokenWithTamperedUserName(Configuration conf, TestClientToAMTokens.CustomAM
                                                     am, Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token)
        {
            // Malicious user, messes with appId
            UserGroupInformation      ugi         = UserGroupInformation.CreateRemoteUser("me");
            ClientToAMTokenIdentifier maliciousID = new ClientToAMTokenIdentifier(am.appAttemptId
                                                                                  , "evilOrc");

            VerifyTamperedToken(conf, am, token, ugi, maliciousID);
        }
예제 #3
0
        /// <exception cref="System.IO.IOException"/>
        private void VerifyTokenWithTamperedID(Configuration conf, TestClientToAMTokens.CustomAM
                                               am, Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token)
        {
            // Malicious user, messes with appId
            UserGroupInformation      ugi         = UserGroupInformation.CreateRemoteUser("me");
            ClientToAMTokenIdentifier maliciousID = new ClientToAMTokenIdentifier(BuilderUtils
                                                                                  .NewApplicationAttemptId(BuilderUtils.NewApplicationId(am.appAttemptId.GetApplicationId
                                                                                                                                             ().GetClusterTimestamp(), 42), 43), UserGroupInformation.GetCurrentUser().GetShortUserName
                                                                                      ());

            VerifyTamperedToken(conf, am, token, ugi, maliciousID);
        }
예제 #4
0
        /// <exception cref="System.IO.IOException"/>
        /// <exception cref="System.Exception"/>
        private void VerifyNewVersionToken(Configuration conf, TestClientToAMTokens.CustomAM
                                           am, Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token, MockRM
                                           rm)
        {
            UserGroupInformation ugi;

            ugi = UserGroupInformation.CreateRemoteUser("me");
            Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> newToken = new
                                                                                          Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier>(new ClientToAMTokenIdentifierForTest
                                                                                                                                                                 (token.DecodeIdentifier(), "message"), am.GetClientToAMTokenSecretManager());
            newToken.SetService(token.GetService());
            ugi.AddToken(newToken);
            ugi.DoAs(new _PrivilegedExceptionAction_386(am, conf));
        }
예제 #5
0
 private void VerifyTamperedToken(Configuration conf, TestClientToAMTokens.CustomAM
                                  am, Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token, UserGroupInformation
                                  ugi, ClientToAMTokenIdentifier maliciousID)
 {
     Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> maliciousToken =
         new Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier>(maliciousID
                                                                                .GetBytes(), token.GetPassword(), token.GetKind(), token.GetService());
     ugi.AddToken(maliciousToken);
     try
     {
         ugi.DoAs(new _PrivilegedExceptionAction_338(am, conf));
     }
     catch (Exception e)
     {
         NUnit.Framework.Assert.AreEqual(typeof(RemoteException).FullName, e.GetType().FullName
                                         );
         e = ((RemoteException)e).UnwrapRemoteException();
         NUnit.Framework.Assert.AreEqual(typeof(SaslException).GetCanonicalName(), e.GetType
                                             ().GetCanonicalName());
         NUnit.Framework.Assert.IsTrue(e.Message.Contains("DIGEST-MD5: digest response format violation. "
                                                          + "Mismatched response."));
         NUnit.Framework.Assert.IsFalse(am.pinged);
     }
 }
예제 #6
0
 public _TimerTask_516(TestClientToAMTokens.CustomAM am, ByteBuffer clientMasterKey
                       )
 {
     this.am = am;
     this.clientMasterKey = clientMasterKey;
 }
예제 #7
0
        /// <exception cref="System.Exception"/>
        public virtual void TestClientTokenRace()
        {
            conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos");
            UserGroupInformation.SetConfiguration(conf);
            ContainerManagementProtocol containerManager = Org.Mockito.Mockito.Mock <ContainerManagementProtocol
                                                                                     >();
            StartContainersResponse mockResponse = Org.Mockito.Mockito.Mock <StartContainersResponse
                                                                             >();

            Org.Mockito.Mockito.When(containerManager.StartContainers((StartContainersRequest
                                                                       )Matchers.Any())).ThenReturn(mockResponse);
            DrainDispatcher dispatcher = new DrainDispatcher();
            MockRM          rm         = new _MockRMWithCustomAMLauncher_433(dispatcher, conf, containerManager
                                                                             );

            rm.Start();
            // Submit an app
            RMApp app = rm.SubmitApp(1024);
            // Set up a node.
            MockNM nm1 = rm.RegisterNode("localhost:1234", 3072);

            nm1.NodeHeartbeat(true);
            dispatcher.Await();
            nm1.NodeHeartbeat(true);
            dispatcher.Await();
            ApplicationAttemptId appAttempt = app.GetCurrentAppAttempt().GetAppAttemptId();
            MockAM mockAM = new MockAM(rm.GetRMContext(), rm.GetApplicationMasterService(), app
                                       .GetCurrentAppAttempt().GetAppAttemptId());
            UserGroupInformation appUgi = UserGroupInformation.CreateRemoteUser(appAttempt.ToString
                                                                                    ());
            RegisterApplicationMasterResponse response = appUgi.DoAs(new _PrivilegedAction_469
                                                                         (mockAM));
            // Get the app-report.
            GetApplicationReportRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
                                                  <GetApplicationReportRequest>();

            request.SetApplicationId(app.GetApplicationId());
            GetApplicationReportResponse reportResponse = rm.GetClientRMService().GetApplicationReport
                                                              (request);
            ApplicationReport appReport = reportResponse.GetApplicationReport();

            Org.Apache.Hadoop.Yarn.Api.Records.Token originalClientToAMToken = appReport.GetClientToAMToken
                                                                                   ();
            // ClientToAMToken master key should have been received on register
            // application master response.
            ByteBuffer clientMasterKey = response.GetClientToAMTokenMasterKey();

            NUnit.Framework.Assert.IsNotNull(clientMasterKey);
            NUnit.Framework.Assert.IsTrue(((byte[])clientMasterKey.Array()).Length > 0);
            // Start the AM with the correct shared-secret.
            ApplicationAttemptId appAttemptId = app.GetAppAttempts().Keys.GetEnumerator().Next
                                                    ();

            NUnit.Framework.Assert.IsNotNull(appAttemptId);
            TestClientToAMTokens.CustomAM am = new TestClientToAMTokens.CustomAM(appAttemptId
                                                                                 , null);
            am.Init(conf);
            am.Start();
            // Now the real test!
            // Set up clients to be able to pick up correct tokens.
            SecurityUtil.SetSecurityInfoProviders(new TestClientToAMTokens.CustomSecurityInfo
                                                      ());
            Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token = ConverterUtils
                                                                                       .ConvertFromYarn(originalClientToAMToken, am.address);
            // Schedule the key to be set after a significant delay
            Timer     timer     = new Timer();
            TimerTask timerTask = new _TimerTask_516(am, clientMasterKey);

            timer.Schedule(timerTask, 250);
            // connect should pause waiting for the master key to arrive
            VerifyValidToken(conf, am, token);
            am.Stop();
            rm.Stop();
        }
예제 #8
0
 public _PrivilegedExceptionAction_406(TestClientToAMTokens.CustomAM am, Configuration
                                       conf)
 {
     this.am   = am;
     this.conf = conf;
 }
예제 #9
0
        public virtual void TestClientToAMTokens()
        {
            conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos");
            UserGroupInformation.SetConfiguration(conf);
            ContainerManagementProtocol containerManager = Org.Mockito.Mockito.Mock <ContainerManagementProtocol
                                                                                     >();
            StartContainersResponse mockResponse = Org.Mockito.Mockito.Mock <StartContainersResponse
                                                                             >();

            Org.Mockito.Mockito.When(containerManager.StartContainers((StartContainersRequest
                                                                       )Matchers.Any())).ThenReturn(mockResponse);
            DrainDispatcher dispatcher = new DrainDispatcher();
            MockRM          rm         = new _MockRMWithCustomAMLauncher_192(dispatcher, conf, containerManager
                                                                             );

            rm.Start();
            // Submit an app
            RMApp app = rm.SubmitApp(1024);
            // Set up a node.
            MockNM nm1 = rm.RegisterNode("localhost:1234", 3072);

            nm1.NodeHeartbeat(true);
            dispatcher.Await();
            nm1.NodeHeartbeat(true);
            dispatcher.Await();
            ApplicationAttemptId appAttempt = app.GetCurrentAppAttempt().GetAppAttemptId();
            MockAM mockAM = new MockAM(rm.GetRMContext(), rm.GetApplicationMasterService(), app
                                       .GetCurrentAppAttempt().GetAppAttemptId());
            UserGroupInformation appUgi = UserGroupInformation.CreateRemoteUser(appAttempt.ToString
                                                                                    ());
            RegisterApplicationMasterResponse response = appUgi.DoAs(new _PrivilegedAction_229
                                                                         (mockAM));
            // Get the app-report.
            GetApplicationReportRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
                                                  <GetApplicationReportRequest>();

            request.SetApplicationId(app.GetApplicationId());
            GetApplicationReportResponse reportResponse = rm.GetClientRMService().GetApplicationReport
                                                              (request);
            ApplicationReport appReport = reportResponse.GetApplicationReport();

            Org.Apache.Hadoop.Yarn.Api.Records.Token originalClientToAMToken = appReport.GetClientToAMToken
                                                                                   ();
            // ClientToAMToken master key should have been received on register
            // application master response.
            NUnit.Framework.Assert.IsNotNull(response.GetClientToAMTokenMasterKey());
            NUnit.Framework.Assert.IsTrue(((byte[])response.GetClientToAMTokenMasterKey().Array
                                               ()).Length > 0);
            // Start the AM with the correct shared-secret.
            ApplicationAttemptId appAttemptId = app.GetAppAttempts().Keys.GetEnumerator().Next
                                                    ();

            NUnit.Framework.Assert.IsNotNull(appAttemptId);
            TestClientToAMTokens.CustomAM am = new TestClientToAMTokens.CustomAM(appAttemptId
                                                                                 , ((byte[])response.GetClientToAMTokenMasterKey().Array()));
            am.Init(conf);
            am.Start();
            // Now the real test!
            // Set up clients to be able to pick up correct tokens.
            SecurityUtil.SetSecurityInfoProviders(new TestClientToAMTokens.CustomSecurityInfo
                                                      ());
            // Verify denial for unauthenticated user
            try
            {
                TestClientToAMTokens.CustomProtocol client = (TestClientToAMTokens.CustomProtocol
                                                              )RPC.GetProxy <TestClientToAMTokens.CustomProtocol>(1L, am.address, conf);
                client.Ping();
                NUnit.Framework.Assert.Fail("Access by unauthenticated user should fail!!");
            }
            catch (Exception)
            {
                NUnit.Framework.Assert.IsFalse(am.pinged);
            }
            Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token = ConverterUtils
                                                                                       .ConvertFromYarn(originalClientToAMToken, am.address);
            // Verify denial for a malicious user with tampered ID
            VerifyTokenWithTamperedID(conf, am, token);
            // Verify denial for a malicious user with tampered user-name
            VerifyTokenWithTamperedUserName(conf, am, token);
            // Now for an authenticated user
            VerifyValidToken(conf, am, token);
            // Verify for a new version token
            VerifyNewVersionToken(conf, am, token, rm);
            am.Stop();
            rm.Stop();
        }