/// <exception cref="System.Exception"/> private void TokenGenerationAndVerification(BlockTokenSecretManager master, BlockTokenSecretManager slave) { // single-mode tokens foreach (BlockTokenSecretManager.AccessMode mode in BlockTokenSecretManager.AccessMode .Values()) { // generated by master Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier> token1 = master.GenerateToken (block1, EnumSet.Of(mode)); master.CheckAccess(token1, null, block1, mode); slave.CheckAccess(token1, null, block1, mode); // generated by slave Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier> token2 = slave.GenerateToken (block2, EnumSet.Of(mode)); master.CheckAccess(token2, null, block2, mode); slave.CheckAccess(token2, null, block2, mode); } // multi-mode tokens Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier> mtoken = master.GenerateToken (block3, EnumSet.AllOf <BlockTokenSecretManager.AccessMode>()); foreach (BlockTokenSecretManager.AccessMode mode_1 in BlockTokenSecretManager.AccessMode .Values()) { master.CheckAccess(mtoken, null, block3, mode_1); slave.CheckAccess(mtoken, null, block3, mode_1); } }
/// <summary> /// Add a block pool Id and corresponding /// <see cref="BlockTokenSecretManager"/> /// to map /// </summary> /// <param name="bpid">block pool Id</param> /// <param name="secretMgr"> /// /// <see cref="BlockTokenSecretManager"/> /// </param> public virtual void AddBlockPool(string bpid, BlockTokenSecretManager secretMgr) { lock (this) { map[bpid] = secretMgr; } }
public virtual void TestBlockTokenRpcLeak() { Configuration conf = new Configuration(); conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos"); UserGroupInformation.SetConfiguration(conf); Assume.AssumeTrue(FdDir.Exists()); BlockTokenSecretManager sm = new BlockTokenSecretManager(blockKeyUpdateInterval, blockTokenLifetime, 0, "fake-pool", null); Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier> token = sm.GenerateToken (block3, EnumSet.AllOf <BlockTokenSecretManager.AccessMode>()); Server server = CreateMockDatanode(sm, token, conf); server.Start(); IPEndPoint addr = NetUtils.GetConnectAddress(server); DatanodeID fakeDnId = DFSTestUtil.GetLocalDatanodeID(addr.Port); ExtendedBlock b = new ExtendedBlock("fake-pool", new Org.Apache.Hadoop.Hdfs.Protocol.Block (12345L)); LocatedBlock fakeBlock = new LocatedBlock(b, new DatanodeInfo[0]); fakeBlock.SetBlockToken(token); // Create another RPC proxy with the same configuration - this will never // attempt to connect anywhere -- but it causes the refcount on the // RPC "Client" object to stay above 0 such that RPC.stopProxy doesn't // actually close the TCP connections to the real target DN. ClientDatanodeProtocol proxyToNoWhere = RPC.GetProxy <ClientDatanodeProtocol>(ClientDatanodeProtocol .versionID, new IPEndPoint("1.1.1.1", 1), UserGroupInformation.CreateRemoteUser( "junk"), conf, NetUtils.GetDefaultSocketFactory(conf)); ClientDatanodeProtocol proxy = null; int fdsAtStart = CountOpenFileDescriptors(); try { long endTime = Time.Now() + 3000; while (Time.Now() < endTime) { proxy = DFSUtil.CreateClientDatanodeProtocolProxy(fakeDnId, conf, 1000, false, fakeBlock ); NUnit.Framework.Assert.AreEqual(block3.GetBlockId(), proxy.GetReplicaVisibleLength (block3)); if (proxy != null) { RPC.StopProxy(proxy); } Log.Info("Num open fds:" + CountOpenFileDescriptors()); } int fdsAtEnd = CountOpenFileDescriptors(); if (fdsAtEnd - fdsAtStart > 50) { NUnit.Framework.Assert.Fail("Leaked " + (fdsAtEnd - fdsAtStart) + " fds!"); } } finally { server.Stop(); } RPC.StopProxy(proxyToNoWhere); }
/// <exception cref="System.IO.IOException"/> private BlockTokenIdentifier GenerateTokenId(BlockTokenSecretManager sm, ExtendedBlock block, EnumSet <BlockTokenSecretManager.AccessMode> accessModes) { Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier> token = sm.GenerateToken (block, accessModes); BlockTokenIdentifier id = sm.CreateIdentifier(); id.ReadFields(new DataInputStream(new ByteArrayInputStream(token.GetIdentifier()) )); return(id); }
internal virtual BlockTokenSecretManager Get(string bpid) { lock (this) { BlockTokenSecretManager secretMgr = map[bpid]; if (secretMgr == null) { throw new ArgumentException("Block pool " + bpid + " is not found"); } return(secretMgr); } }
public virtual void TestWritable() { TestWritable.TestWritable(new BlockTokenIdentifier()); BlockTokenSecretManager sm = new BlockTokenSecretManager(blockKeyUpdateInterval, blockTokenLifetime, 0, "fake-pool", null); TestWritable.TestWritable(GenerateTokenId(sm, block1, EnumSet.AllOf <BlockTokenSecretManager.AccessMode >())); TestWritable.TestWritable(GenerateTokenId(sm, block2, EnumSet.Of(BlockTokenSecretManager.AccessMode .Write))); TestWritable.TestWritable(GenerateTokenId(sm, block3, EnumSet.NoneOf <BlockTokenSecretManager.AccessMode >())); }
public virtual void TestBlockTokenSecretManager() { BlockTokenSecretManager masterHandler = new BlockTokenSecretManager(blockKeyUpdateInterval , blockTokenLifetime, 0, "fake-pool", null); BlockTokenSecretManager slaveHandler = new BlockTokenSecretManager(blockKeyUpdateInterval , blockTokenLifetime, "fake-pool", null); ExportedBlockKeys keys = masterHandler.ExportKeys(); slaveHandler.AddKeys(keys); TokenGenerationAndVerification(masterHandler, slaveHandler); // key updating masterHandler.UpdateKeys(); TokenGenerationAndVerification(masterHandler, slaveHandler); keys = masterHandler.ExportKeys(); slaveHandler.AddKeys(keys); TokenGenerationAndVerification(masterHandler, slaveHandler); }
/// <exception cref="System.IO.IOException"/> /// <exception cref="Com.Google.Protobuf.ServiceException"/> private static Server CreateMockDatanode(BlockTokenSecretManager sm, Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier> token, Configuration conf) { ClientDatanodeProtocolPB mockDN = Org.Mockito.Mockito.Mock <ClientDatanodeProtocolPB >(); BlockTokenIdentifier id = sm.CreateIdentifier(); id.ReadFields(new DataInputStream(new ByteArrayInputStream(token.GetIdentifier()) )); Org.Mockito.Mockito.DoAnswer(new TestBlockToken.GetLengthAnswer(sm, id)).When(mockDN ).GetReplicaVisibleLength(Matchers.Any <RpcController>(), Matchers.Any <ClientDatanodeProtocolProtos.GetReplicaVisibleLengthRequestProto >()); RPC.SetProtocolEngine(conf, typeof(ClientDatanodeProtocolPB), typeof(ProtobufRpcEngine )); BlockingService service = ClientDatanodeProtocolProtos.ClientDatanodeProtocolService .NewReflectiveBlockingService(mockDN); return(new RPC.Builder(conf).SetProtocol(typeof(ClientDatanodeProtocolPB)).SetInstance (service).SetBindAddress(Address).SetPort(0).SetNumHandlers(5).SetVerbose(true). SetSecretManager(sm).Build()); }
public virtual void TestBlockTokenRpc() { Configuration conf = new Configuration(); conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos"); UserGroupInformation.SetConfiguration(conf); BlockTokenSecretManager sm = new BlockTokenSecretManager(blockKeyUpdateInterval, blockTokenLifetime, 0, "fake-pool", null); Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier> token = sm.GenerateToken (block3, EnumSet.AllOf <BlockTokenSecretManager.AccessMode>()); Server server = CreateMockDatanode(sm, token, conf); server.Start(); IPEndPoint addr = NetUtils.GetConnectAddress(server); UserGroupInformation ticket = UserGroupInformation.CreateRemoteUser(block3.ToString ()); ticket.AddToken(token); ClientDatanodeProtocol proxy = null; try { proxy = DFSUtil.CreateClientDatanodeProtocolProxy(addr, ticket, conf, NetUtils.GetDefaultSocketFactory (conf)); NUnit.Framework.Assert.AreEqual(block3.GetBlockId(), proxy.GetReplicaVisibleLength (block3)); } finally { server.Stop(); if (proxy != null) { RPC.StopProxy(proxy); } } }
public virtual void TestBlockPoolTokenSecretManager() { BlockPoolTokenSecretManager bpMgr = new BlockPoolTokenSecretManager(); // Test BlockPoolSecretManager with upto 10 block pools for (int i = 0; i < 10; i++) { string bpid = Sharpen.Extensions.ToString(i); BlockTokenSecretManager masterHandler = new BlockTokenSecretManager(blockKeyUpdateInterval , blockTokenLifetime, 0, "fake-pool", null); BlockTokenSecretManager slaveHandler = new BlockTokenSecretManager(blockKeyUpdateInterval , blockTokenLifetime, "fake-pool", null); bpMgr.AddBlockPool(bpid, slaveHandler); ExportedBlockKeys keys = masterHandler.ExportKeys(); bpMgr.AddKeys(bpid, keys); TokenGenerationAndVerification(masterHandler, bpMgr.Get(bpid)); // Test key updating masterHandler.UpdateKeys(); TokenGenerationAndVerification(masterHandler, bpMgr.Get(bpid)); keys = masterHandler.ExportKeys(); bpMgr.AddKeys(bpid, keys); TokenGenerationAndVerification(masterHandler, bpMgr.Get(bpid)); } }
/// <summary>set access token lifetime.</summary> public static void SetBlockTokenLifetime(BlockTokenSecretManager handler, long tokenLifetime ) { handler.SetTokenLifetime(tokenLifetime); }
/// <summary>check if an access token is expired.</summary> /// <remarks> /// check if an access token is expired. return true when token is expired, /// false otherwise /// </remarks> /// <exception cref="System.IO.IOException"/> public static bool IsBlockTokenExpired(Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier > token) { return(BlockTokenSecretManager.IsTokenExpired(token)); }
public GetLengthAnswer(BlockTokenSecretManager sm, BlockTokenIdentifier ident) { this.sm = sm; this.ident = ident; }