Пример #1
0
        /// <exception cref="System.IO.IOException"/>
        private static UserGroupInformation GetTokenUGI(ServletContext context, HttpServletRequest
                                                        request, string tokenString, Configuration conf)
        {
            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
                                                                                       <DelegationTokenIdentifier>();
            token.DecodeFromUrlString(tokenString);
            IPEndPoint serviceAddress = GetNNServiceAddress(context, request);

            if (serviceAddress != null)
            {
                SecurityUtil.SetTokenService(token, serviceAddress);
                token.SetKind(DelegationTokenIdentifier.HdfsDelegationKind);
            }
            ByteArrayInputStream      buf = new ByteArrayInputStream(token.GetIdentifier());
            DataInputStream           @in = new DataInputStream(buf);
            DelegationTokenIdentifier id  = new DelegationTokenIdentifier();

            id.ReadFields(@in);
            if (context != null)
            {
                NameNode nn = NameNodeHttpServer.GetNameNodeFromContext(context);
                if (nn != null)
                {
                    // Verify the token.
                    nn.GetNamesystem().VerifyToken(id, token.GetPassword());
                }
            }
            UserGroupInformation ugi = id.GetUser();

            ugi.AddToken(token);
            return(ugi);
        }
Пример #2
0
        /// <exception cref="System.IO.IOException"/>
        public virtual UserGroupInformation VerifyToken <_T0>(Org.Apache.Hadoop.Security.Token.Token
                                                              <_T0> token)
            where _T0 : AbstractDelegationTokenIdentifier
        {
            AbstractDelegationTokenIdentifier id = secretManager.DecodeTokenIdentifier(token);

            secretManager.VerifyToken(id, token.GetPassword());
            return(id.GetUser());
        }
Пример #3
0
 private void Compare(Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier>
                      expected, Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier> actual)
 {
     NUnit.Framework.Assert.IsTrue(Arrays.Equals(expected.GetIdentifier(), actual.GetIdentifier
                                                     ()));
     NUnit.Framework.Assert.IsTrue(Arrays.Equals(expected.GetPassword(), actual.GetPassword
                                                     ()));
     NUnit.Framework.Assert.AreEqual(expected.GetKind(), actual.GetKind());
     NUnit.Framework.Assert.AreEqual(expected.GetService(), actual.GetService());
 }
Пример #4
0
        /// <exception cref="System.IO.IOException"/>
        private static void ConfigureTask(JobConf job, Task task, Credentials credentials
                                          , Org.Apache.Hadoop.Security.Token.Token <JobTokenIdentifier> jt)
        {
            job.SetCredentials(credentials);
            ApplicationAttemptId appAttemptId = ConverterUtils.ToContainerId(Runtime.Getenv(ApplicationConstants.Environment
                                                                                            .ContainerId.ToString())).GetApplicationAttemptId();

            Log.Debug("APPLICATION_ATTEMPT_ID: " + appAttemptId);
            // Set it in conf, so as to be able to be used the the OutputCommitter.
            job.SetInt(MRJobConfig.ApplicationAttemptId, appAttemptId.GetAttemptId());
            // set tcp nodelay
            job.SetBoolean("ipc.client.tcpnodelay", true);
            job.SetClass(MRConfig.TaskLocalOutputClass, typeof(YarnOutputFiles), typeof(MapOutputFile
                                                                                        ));
            // set the jobToken and shuffle secrets into task
            task.SetJobTokenSecret(JobTokenSecretManager.CreateSecretKey(jt.GetPassword()));
            byte[] shuffleSecret = TokenCache.GetShuffleSecretKey(credentials);
            if (shuffleSecret == null)
            {
                Log.Warn("Shuffle secret missing from task credentials." + " Using job token secret as shuffle secret."
                         );
                shuffleSecret = jt.GetPassword();
            }
            task.SetShuffleSecret(JobTokenSecretManager.CreateSecretKey(shuffleSecret));
            // setup the child's MRConfig.LOCAL_DIR.
            ConfigureLocalDirs(task, job);
            // setup the child's attempt directories
            // Do the task-type specific localization
            task.LocalizeConfiguration(job);
            // Set up the DistributedCache related configs
            MRApps.SetupDistributedCacheLocal(job);
            // Overwrite the localized task jobconf which is linked to in the current
            // work-dir.
            Path localTaskFile = new Path(MRJobConfig.JobConfFile);

            WriteLocalJobFile(localTaskFile, job);
            task.SetJobFile(localTaskFile.ToString());
            task.SetConf(job);
        }
Пример #5
0
 /// <exception cref="System.Exception"/>
 public virtual void TestRollMasterKey()
 {
     TestDelegationToken.TestDelegationTokenSecretManager dtSecretManager = new TestDelegationToken.TestDelegationTokenSecretManager
                                                                                (800, 800, 1 * 1000, 3600000);
     try
     {
         dtSecretManager.StartThreads();
         //generate a token and store the password
         Org.Apache.Hadoop.Security.Token.Token <TestDelegationToken.TestDelegationTokenIdentifier
                                                 > token = GenerateDelegationToken(dtSecretManager, "SomeUser", "JobTracker");
         byte[] oldPasswd = token.GetPassword();
         //store the length of the keys list
         int prevNumKeys = dtSecretManager.GetAllKeys().Length;
         dtSecretManager.RollMasterKey();
         Assert.True(dtSecretManager.isStoreNewMasterKeyCalled);
         //after rolling, the length of the keys list must increase
         int currNumKeys = dtSecretManager.GetAllKeys().Length;
         Assert.Equal((currNumKeys - prevNumKeys) >= 1, true);
         //after rolling, the token that was generated earlier must
         //still be valid (retrievePassword will fail if the token
         //is not valid)
         ByteArrayInputStream bi = new ByteArrayInputStream(token.GetIdentifier());
         TestDelegationToken.TestDelegationTokenIdentifier identifier = dtSecretManager.CreateIdentifier
                                                                            ();
         identifier.ReadFields(new DataInputStream(bi));
         byte[] newPasswd = dtSecretManager.RetrievePassword(identifier);
         //compare the passwords
         Assert.Equal(oldPasswd, newPasswd);
         // wait for keys to expire
         while (!dtSecretManager.isRemoveStoredMasterKeyCalled)
         {
             Thread.Sleep(200);
         }
     }
     finally
     {
         dtSecretManager.StopThreads();
     }
 }
Пример #6
0
		/// <exception cref="System.IO.IOException"/>
		private void RecordJobShuffleInfo(JobID jobId, string user, Org.Apache.Hadoop.Security.Token.Token
			<JobTokenIdentifier> jobToken)
		{
			if (stateDb != null)
			{
				SecurityProtos.TokenProto tokenProto = ((SecurityProtos.TokenProto)SecurityProtos.TokenProto
					.NewBuilder().SetIdentifier(ByteString.CopyFrom(jobToken.GetIdentifier())).SetPassword
					(ByteString.CopyFrom(jobToken.GetPassword())).SetKind(jobToken.GetKind().ToString
					()).SetService(jobToken.GetService().ToString()).Build());
				ShuffleHandlerRecoveryProtos.JobShuffleInfoProto proto = ((ShuffleHandlerRecoveryProtos.JobShuffleInfoProto
					)ShuffleHandlerRecoveryProtos.JobShuffleInfoProto.NewBuilder().SetUser(user).SetJobToken
					(tokenProto).Build());
				try
				{
					stateDb.Put(JniDBFactory.Bytes(jobId.ToString()), proto.ToByteArray());
				}
				catch (DBException e)
				{
					throw new IOException("Error storing " + jobId, e);
				}
			}
			AddJobToken(jobId, user, jobToken);
		}
Пример #7
0
        /// <summary>Start the child process to handle the task for us.</summary>
        /// <param name="conf">the task's configuration</param>
        /// <param name="recordReader">the fake record reader to update progress with</param>
        /// <param name="output">the collector to send output to</param>
        /// <param name="reporter">the reporter for the task</param>
        /// <param name="outputKeyClass">the class of the output keys</param>
        /// <param name="outputValueClass">the class of the output values</param>
        /// <exception cref="System.IO.IOException"/>
        /// <exception cref="System.Exception"/>
        internal Application(JobConf conf, RecordReader <FloatWritable, NullWritable> recordReader
                             , OutputCollector <K2, V2> output, Reporter reporter, Type outputKeyClass, Type outputValueClass
                             )
        {
            serverSocket = Sharpen.Extensions.CreateServerSocket(0);
            IDictionary <string, string> env = new Dictionary <string, string>();

            // add TMPDIR environment variable with the value of java.io.tmpdir
            env["TMPDIR"]       = Runtime.GetProperty("java.io.tmpdir");
            env[Submitter.Port] = Sharpen.Extensions.ToString(serverSocket.GetLocalPort());
            //Add token to the environment if security is enabled
            Org.Apache.Hadoop.Security.Token.Token <JobTokenIdentifier> jobToken = TokenCache.
                                                                                   GetJobToken(conf.GetCredentials());
            // This password is used as shared secret key between this application and
            // child pipes process
            byte[] password          = jobToken.GetPassword();
            string localPasswordFile = new FilePath(".") + Path.Separator + "jobTokenPassword";

            WritePasswordToLocalFile(localPasswordFile, password, conf);
            env["hadoop.pipes.shared.secret.location"] = localPasswordFile;
            IList <string> cmd         = new AList <string>();
            string         interpretor = conf.Get(Submitter.Interpretor);

            if (interpretor != null)
            {
                cmd.AddItem(interpretor);
            }
            string executable = DistributedCache.GetLocalCacheFiles(conf)[0].ToString();

            if (!FileUtil.CanExecute(new FilePath(executable)))
            {
                // LinuxTaskController sets +x permissions on all distcache files already.
                // In case of DefaultTaskController, set permissions here.
                FileUtil.Chmod(executable, "u+x");
            }
            cmd.AddItem(executable);
            // wrap the command in a stdout/stderr capture
            // we are starting map/reduce task of the pipes job. this is not a cleanup
            // attempt.
            TaskAttemptID taskid = ((TaskAttemptID)TaskAttemptID.ForName(conf.Get(MRJobConfig
                                                                                  .TaskAttemptId)));
            FilePath stdout    = TaskLog.GetTaskLogFile(taskid, false, TaskLog.LogName.Stdout);
            FilePath stderr    = TaskLog.GetTaskLogFile(taskid, false, TaskLog.LogName.Stderr);
            long     logLength = TaskLog.GetTaskLogLength(conf);

            cmd          = TaskLog.CaptureOutAndError(null, cmd, stdout, stderr, logLength, false);
            process      = RunClient(cmd, env);
            clientSocket = serverSocket.Accept();
            string challenge      = GetSecurityChallenge();
            string digestToSend   = CreateDigest(password, challenge);
            string digestExpected = CreateDigest(password, digestToSend);

            handler = new OutputHandler <K2, V2>(output, reporter, recordReader, digestExpected
                                                 );
            K2 outputKey   = (K2)ReflectionUtils.NewInstance(outputKeyClass, conf);
            V2 outputValue = (V2)ReflectionUtils.NewInstance(outputValueClass, conf);

            downlink = new BinaryProtocol <K1, V1, K2, V2>(clientSocket, handler, outputKey, outputValue
                                                           , conf);
            downlink.Authenticate(digestToSend, challenge);
            WaitForAuthentication();
            Log.Debug("Authentication succeeded");
            downlink.Start();
            downlink.SetJobConf(conf);
        }
Пример #8
0
            /// <exception cref="System.IO.IOException"/>
            public virtual GetDelegationTokenResponse GetDelegationToken(GetDelegationTokenRequest
                                                                         request)
            {
                UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();

                // Verify that the connection is kerberos authenticated
                if (!this.IsAllowedDelegationTokenOp())
                {
                    throw new IOException("Delegation Token can be issued only with kerberos authentication"
                                          );
                }
                GetDelegationTokenResponse response = this.recordFactory.NewRecordInstance <GetDelegationTokenResponse
                                                                                            >();
                string user     = ugi.GetUserName();
                Text   owner    = new Text(user);
                Text   realUser = null;

                if (ugi.GetRealUser() != null)
                {
                    realUser = new Text(ugi.GetRealUser().GetUserName());
                }
                MRDelegationTokenIdentifier tokenIdentifier = new MRDelegationTokenIdentifier(owner
                                                                                              , new Text(request.GetRenewer()), realUser);

                Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> realJHSToken =
                    new Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenIdentifier
                                                                                             , this._enclosing.jhsDTSecretManager);
                Org.Apache.Hadoop.Yarn.Api.Records.Token mrDToken = Org.Apache.Hadoop.Yarn.Api.Records.Token
                                                                    .NewInstance(realJHSToken.GetIdentifier(), realJHSToken.GetKind().ToString(), realJHSToken
                                                                                 .GetPassword(), realJHSToken.GetService().ToString());
                response.SetDelegationToken(mrDToken);
                return(response);
            }
Пример #9
0
            /// <exception cref="System.Exception"/>
            public LocatedBlocks Answer(InvocationOnMock arg0)
            {
                LocatedBlocks locatedBlocks = (LocatedBlocks)arg0.CallRealMethod();

                foreach (LocatedBlock lb in locatedBlocks.GetLocatedBlocks())
                {
                    Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier> token = lb.GetBlockToken
                                                                                              ();
                    BlockTokenIdentifier id = lb.GetBlockToken().DecodeIdentifier();
                    id.SetExpiryDate(Time.Now() + 10);
                    Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier> newToken = new Org.Apache.Hadoop.Security.Token.Token
                                                                                             <BlockTokenIdentifier>(id.GetBytes(), token.GetPassword(), token.GetKind(), token
                                                                                                                    .GetService());
                    lb.SetBlockToken(newToken);
                }
                return(locatedBlocks);
            }
Пример #10
0
 internal static bool CheckEqual(Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier
                                                                         > a, Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> b)
 {
     return(Arrays.Equals(a.GetIdentifier(), b.GetIdentifier()) && Arrays.Equals(a.GetPassword
                                                                                     (), b.GetPassword()) && IsEqual(a.GetKind(), b.GetKind()) && IsEqual(a.GetService
                                                                                                                                                              (), b.GetService()));
 }
Пример #11
0
 /// <summary>
 /// Calculates the password on the client side for the general-purpose
 /// handshake.
 /// </summary>
 /// <remarks>
 /// Calculates the password on the client side for the general-purpose
 /// handshake.  The password consists of the block access token's password.
 /// </remarks>
 /// <param name="blockToken">for block access</param>
 /// <returns>SASL password</returns>
 private char[] BuildClientPassword(Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier
                                                                            > blockToken)
 {
     return(new string(Base64.EncodeBase64(blockToken.GetPassword(), false), Charsets.
                       Utf8).ToCharArray());
 }
        public virtual void ExpectedTokenIsRetrievedFromHttp()
        {
            bootstrap = StartHttpServer(httpPort, testToken, serviceUrl);
            DelegationTokenFetcher.Main(new string[] { "-webservice=" + serviceUrl, tokenFile });
            Path        p     = new Path(fileSys.GetWorkingDirectory(), tokenFile);
            Credentials creds = Credentials.ReadTokenStorageFile(p, conf);
            IEnumerator <Org.Apache.Hadoop.Security.Token.Token <object> > itr = creds.GetAllTokens
                                                                                     ().GetEnumerator();

            NUnit.Framework.Assert.IsTrue("token not exist error", itr.HasNext());
            Org.Apache.Hadoop.Security.Token.Token <object> fetchedToken = itr.Next();
            Assert.AssertArrayEquals("token wrong identifier error", testToken.GetIdentifier(
                                         ), fetchedToken.GetIdentifier());
            Assert.AssertArrayEquals("token wrong password error", testToken.GetPassword(), fetchedToken
                                     .GetPassword());
            if (assertionError != null)
            {
                throw assertionError;
            }
        }
        public virtual void TestRecovery()
        {
            Configuration conf = new Configuration();
            HistoryServerStateStoreService store = new HistoryServerMemStateStoreService();

            store.Init(conf);
            store.Start();
            TestJHSDelegationTokenSecretManager.JHSDelegationTokenSecretManagerForTest mgr =
                new TestJHSDelegationTokenSecretManager.JHSDelegationTokenSecretManagerForTest(store
                                                                                               );
            mgr.StartThreads();
            MRDelegationTokenIdentifier tokenId1 = new MRDelegationTokenIdentifier(new Text("tokenOwner"
                                                                                            ), new Text("tokenRenewer"), new Text("tokenUser"));

            Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> token1 = new
                                                                                          Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenId1, mgr
                                                                                                                                                               );
            MRDelegationTokenIdentifier tokenId2 = new MRDelegationTokenIdentifier(new Text("tokenOwner"
                                                                                            ), new Text("tokenRenewer"), new Text("tokenUser"));

            Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> token2 = new
                                                                                          Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenId2, mgr
                                                                                                                                                               );
            DelegationKey[] keys            = mgr.GetAllKeys();
            long            tokenRenewDate1 = mgr.GetAllTokens()[tokenId1].GetRenewDate();
            long            tokenRenewDate2 = mgr.GetAllTokens()[tokenId2].GetRenewDate();

            mgr.StopThreads();
            mgr = new TestJHSDelegationTokenSecretManager.JHSDelegationTokenSecretManagerForTest
                      (store);
            mgr.Recover(store.LoadState());
            IList <DelegationKey> recoveredKeys = Arrays.AsList(mgr.GetAllKeys());

            foreach (DelegationKey key in keys)
            {
                NUnit.Framework.Assert.IsTrue("key missing after recovery", recoveredKeys.Contains
                                                  (key));
            }
            NUnit.Framework.Assert.IsTrue("token1 missing", mgr.GetAllTokens().Contains(tokenId1
                                                                                        ));
            NUnit.Framework.Assert.AreEqual("token1 renew date", tokenRenewDate1, mgr.GetAllTokens
                                                ()[tokenId1].GetRenewDate());
            NUnit.Framework.Assert.IsTrue("token2 missing", mgr.GetAllTokens().Contains(tokenId2
                                                                                        ));
            NUnit.Framework.Assert.AreEqual("token2 renew date", tokenRenewDate2, mgr.GetAllTokens
                                                ()[tokenId2].GetRenewDate());
            mgr.StartThreads();
            mgr.VerifyToken(tokenId1, token1.GetPassword());
            mgr.VerifyToken(tokenId2, token2.GetPassword());
            MRDelegationTokenIdentifier tokenId3 = new MRDelegationTokenIdentifier(new Text("tokenOwner"
                                                                                            ), new Text("tokenRenewer"), new Text("tokenUser"));

            Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> token3 = new
                                                                                          Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenId3, mgr
                                                                                                                                                               );
            NUnit.Framework.Assert.AreEqual("sequence number restore", tokenId2.GetSequenceNumber
                                                () + 1, tokenId3.GetSequenceNumber());
            mgr.CancelToken(token1, "tokenOwner");
            // Testing with full principal name
            MRDelegationTokenIdentifier tokenIdFull = new MRDelegationTokenIdentifier(new Text
                                                                                          ("tokenOwner/localhost@LOCALHOST"), new Text("tokenRenewer"), new Text("tokenUser"
                                                                                                                                                                 ));

            KerberosName.SetRules("RULE:[1:$1]\nRULE:[2:$1]");
            Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> tokenFull = new
                                                                                             Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenIdFull,
                                                                                                                                                                  mgr);
            // Negative test
            try
            {
                mgr.CancelToken(tokenFull, "tokenOwner");
            }
            catch (AccessControlException ace)
            {
                NUnit.Framework.Assert.IsTrue(ace.Message.Contains("is not authorized to cancel the token"
                                                                   ));
            }
            // Succeed to cancel with full principal
            mgr.CancelToken(tokenFull, tokenIdFull.GetOwner().ToString());
            long tokenRenewDate3 = mgr.GetAllTokens()[tokenId3].GetRenewDate();

            mgr.StopThreads();
            mgr = new TestJHSDelegationTokenSecretManager.JHSDelegationTokenSecretManagerForTest
                      (store);
            mgr.Recover(store.LoadState());
            NUnit.Framework.Assert.IsFalse("token1 should be missing", mgr.GetAllTokens().Contains
                                               (tokenId1));
            NUnit.Framework.Assert.IsTrue("token2 missing", mgr.GetAllTokens().Contains(tokenId2
                                                                                        ));
            NUnit.Framework.Assert.AreEqual("token2 renew date", tokenRenewDate2, mgr.GetAllTokens
                                                ()[tokenId2].GetRenewDate());
            NUnit.Framework.Assert.IsTrue("token3 missing", mgr.GetAllTokens().Contains(tokenId3
                                                                                        ));
            NUnit.Framework.Assert.AreEqual("token3 renew date", tokenRenewDate3, mgr.GetAllTokens
                                                ()[tokenId3].GetRenewDate());
            mgr.StartThreads();
            mgr.VerifyToken(tokenId2, token2.GetPassword());
            mgr.VerifyToken(tokenId3, token3.GetPassword());
            mgr.StopThreads();
        }