/// <exception cref="System.IO.IOException"/>
public virtual GetDelegationTokenResponse GetDelegationToken(GetDelegationTokenRequest
request)
{
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
// Verify that the connection is kerberos authenticated
if (!this.IsAllowedDelegationTokenOp())
{
throw new IOException("Delegation Token can be issued only with kerberos authentication"
);
}
GetDelegationTokenResponse response = this.recordFactory.NewRecordInstance <GetDelegationTokenResponse
>();
string user = ugi.GetUserName();
Text owner = new Text(user);
Text realUser = null;
if (ugi.GetRealUser() != null)
{
realUser = new Text(ugi.GetRealUser().GetUserName());
}
MRDelegationTokenIdentifier tokenIdentifier = new MRDelegationTokenIdentifier(owner
, new Text(request.GetRenewer()), realUser);
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> realJHSToken =
new Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenIdentifier
, this._enclosing.jhsDTSecretManager);
Org.Apache.Hadoop.Yarn.Api.Records.Token mrDToken = Org.Apache.Hadoop.Yarn.Api.Records.Token
.NewInstance(realJHSToken.GetIdentifier(), realJHSToken.GetKind().ToString(), realJHSToken
.GetPassword(), realJHSToken.GetService().ToString());
response.SetDelegationToken(mrDToken);
return(response);
}
/// <exception cref="System.IO.IOException"/>
public virtual void TestSecureProxyAuthParamsInUrl()
{
Configuration conf = new Configuration();
// fake turning on security so api thinks it should use tokens
SecurityUtil.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos
, conf);
UserGroupInformation.SetConfiguration(conf);
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test-user");
ugi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos);
ugi = UserGroupInformation.CreateProxyUser("test-proxy-user", ugi);
UserGroupInformation.SetLoginUser(ugi);
WebHdfsFileSystem webhdfs = GetWebHdfsFileSystem(ugi, conf);
Path fsPath = new Path("/");
string tokenString = webhdfs.GetDelegationToken().EncodeToUrlString();
// send real+effective
Uri getTokenUrl = webhdfs.ToUrl(GetOpParam.OP.Getdelegationtoken, fsPath);
CheckQueryParams(new string[] { GetOpParam.OP.Getdelegationtoken.ToQueryString(),
new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi
.GetShortUserName()).ToString() }, getTokenUrl);
// send real+effective
Uri renewTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Renewdelegationtoken, fsPath, new
TokenArgumentParam(tokenString));
CheckQueryParams(new string[] { PutOpParam.OP.Renewdelegationtoken.ToQueryString(
), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam
(ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString
() }, renewTokenUrl);
// send token
Uri cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new
TokenArgumentParam(tokenString));
CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString
(), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam
(ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString
() }, cancelTokenUrl);
// send token
Uri fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath);
CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new
DelegationParam(tokenString).ToString() }, fileStatusUrl);
// wipe out internal token to simulate auth always required
webhdfs.SetDelegationToken(null);
// send real+effective
cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new TokenArgumentParam
(tokenString));
CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString
(), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam
(ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString
() }, cancelTokenUrl);
// send real+effective
fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath);
CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new
UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi.GetShortUserName
()).ToString() }, fileStatusUrl);
}
private void CheckUgiFromToken(UserGroupInformation ugi)
{
if (ugi.GetRealUser() != null)
{
NUnit.Framework.Assert.AreEqual(UserGroupInformation.AuthenticationMethod.Proxy,
ugi.GetAuthenticationMethod());
NUnit.Framework.Assert.AreEqual(UserGroupInformation.AuthenticationMethod.Token,
ugi.GetRealUser().GetAuthenticationMethod());
}
else
{
NUnit.Framework.Assert.AreEqual(UserGroupInformation.AuthenticationMethod.Token,
ugi.GetAuthenticationMethod());
}
}
public virtual void TestRefreshSuperUserGroups()
{
UserGroupInformation ugi = Org.Mockito.Mockito.Mock <UserGroupInformation>();
UserGroupInformation superUser = Org.Mockito.Mockito.Mock <UserGroupInformation>();
Org.Mockito.Mockito.When(ugi.GetRealUser()).ThenReturn(superUser);
Org.Mockito.Mockito.When(superUser.GetShortUserName()).ThenReturn("superuser");
Org.Mockito.Mockito.When(superUser.GetUserName()).ThenReturn("superuser");
Org.Mockito.Mockito.When(ugi.GetGroupNames()).ThenReturn(new string[] { "group3" }
);
Org.Mockito.Mockito.When(ugi.GetUserName()).ThenReturn("regularUser");
// Set super user groups not to include groups of regularUser
conf.Set("hadoop.proxyuser.superuser.groups", "group1,group2");
conf.Set("hadoop.proxyuser.superuser.hosts", "127.0.0.1");
string[] args = new string[1];
args[0] = "-refreshSuperUserGroupsConfiguration";
hsAdminClient.Run(args);
Exception th = null;
try
{
ProxyUsers.Authorize(ugi, "127.0.0.1");
}
catch (Exception e)
{
th = e;
}
// Exception should be thrown
NUnit.Framework.Assert.IsTrue(th is AuthorizationException);
// Now add regularUser group to superuser group but not execute
// refreshSuperUserGroupMapping
conf.Set("hadoop.proxyuser.superuser.groups", "group1,group2,group3");
// Again,lets run ProxyUsers.authorize and see if regularUser can be
// impersonated
// resetting th
th = null;
try
{
ProxyUsers.Authorize(ugi, "127.0.0.1");
}
catch (Exception e)
{
th = e;
}
// Exception should be thrown again since we didn't refresh the configs
NUnit.Framework.Assert.IsTrue(th is AuthorizationException);
// Lets refresh the config by running refreshSuperUserGroupsConfiguration
hsAdminClient.Run(args);
th = null;
try
{
ProxyUsers.Authorize(ugi, "127.0.0.1");
}
catch (Exception e)
{
th = e;
}
// No exception thrown since regularUser can be impersonated.
NUnit.Framework.Assert.IsNull("Unexpected exception thrown: " + th, th);
}
public virtual void TestProxyUserFromEnvironment()
{
string proxyUser = "******";
Runtime.SetProperty(UserGroupInformation.HadoopProxyUser, proxyUser);
UserGroupInformation ugi = UserGroupInformation.GetLoginUser();
Assert.Equal(proxyUser, ugi.GetUserName());
UserGroupInformation realUgi = ugi.GetRealUser();
NUnit.Framework.Assert.IsNotNull(realUgi);
// get the expected real user name
SystemProcess pp = Runtime.GetRuntime().Exec("whoami");
BufferedReader br = new BufferedReader(new InputStreamReader(pp.GetInputStream())
);
string realUser = br.ReadLine().Trim();
// On Windows domain joined machine, whoami returns the username
// in the DOMAIN\\username format, so we trim the domain part before
// the comparison. We don't have to special case for Windows
// given that Unix systems do not allow slashes in usernames.
int backslashIndex = realUser.IndexOf('\\');
if (backslashIndex != -1)
{
realUser = Runtime.Substring(realUser, backslashIndex + 1);
}
Assert.Equal(realUser, realUgi.GetUserName());
}
/// <summary>
/// This method creates the connection context using exactly the same logic
/// as the old connection context as was done for writable where
/// the effective and real users are set based on the auth method.
/// </summary>
public static IpcConnectionContextProtos.IpcConnectionContextProto MakeIpcConnectionContext
(string protocol, UserGroupInformation ugi, SaslRpcServer.AuthMethod authMethod)
{
IpcConnectionContextProtos.IpcConnectionContextProto.Builder result = IpcConnectionContextProtos.IpcConnectionContextProto
.NewBuilder();
if (protocol != null)
{
result.SetProtocol(protocol);
}
IpcConnectionContextProtos.UserInformationProto.Builder ugiProto = IpcConnectionContextProtos.UserInformationProto
.NewBuilder();
if (ugi != null)
{
/*
* In the connection context we send only additional user info that
* is not derived from the authentication done during connection setup.
*/
if (authMethod == SaslRpcServer.AuthMethod.Kerberos)
{
// Real user was established as part of the connection.
// Send effective user only.
ugiProto.SetEffectiveUser(ugi.GetUserName());
}
else
{
if (authMethod == SaslRpcServer.AuthMethod.Token)
{
}
else
{
// With token, the connection itself establishes
// both real and effective user. Hence send none in header.
// Simple authentication
// No user info is established as part of the connection.
// Send both effective user and real user
ugiProto.SetEffectiveUser(ugi.GetUserName());
if (ugi.GetRealUser() != null)
{
ugiProto.SetRealUser(ugi.GetRealUser().GetUserName());
}
}
}
}
result.SetUserInfo(ugiProto);
return((IpcConnectionContextProtos.IpcConnectionContextProto)result.Build());
}
public virtual void TestGetUserWithOwnerAndReal()
{
Text owner = new Text("owner");
Text realUser = new Text("realUser");
TestDelegationToken.TestDelegationTokenIdentifier ident = new TestDelegationToken.TestDelegationTokenIdentifier
(owner, null, realUser);
UserGroupInformation ugi = ident.GetUser();
NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser());
NUnit.Framework.Assert.IsNull(ugi.GetRealUser().GetRealUser());
Assert.Equal("owner", ugi.GetUserName());
Assert.Equal("realUser", ugi.GetRealUser().GetUserName());
Assert.Equal(UserGroupInformation.AuthenticationMethod.Proxy,
ugi.GetAuthenticationMethod());
Assert.Equal(UserGroupInformation.AuthenticationMethod.Token,
ugi.GetRealUser().GetAuthenticationMethod());
}
> CreateToken(UserGroupInformation ugi, string renewer)
{
renewer = (renewer == null) ? ugi.GetShortUserName() : renewer;
string user = ugi.GetUserName();
Text owner = new Text(user);
Text realUser = null;
if (ugi.GetRealUser() != null)
{
realUser = new Text(ugi.GetRealUser().GetUserName());
}
AbstractDelegationTokenIdentifier tokenIdentifier = (AbstractDelegationTokenIdentifier
)secretManager.CreateIdentifier();
tokenIdentifier.SetOwner(owner);
tokenIdentifier.SetRenewer(new Text(renewer));
tokenIdentifier.SetRealUser(realUser);
return(new Org.Apache.Hadoop.Security.Token.Token(tokenIdentifier, secretManager));
}
/// <summary>
/// Authorize a user (superuser) to impersonate another user (user1) if the
/// superuser belongs to the group "sudo_user1" .
/// </summary>
/// <exception cref="Org.Apache.Hadoop.Security.Authorize.AuthorizationException"/>
public virtual void Authorize(UserGroupInformation user, string remoteAddress)
{
UserGroupInformation superUser = user.GetRealUser();
string sudoGroupName = "sudo_" + user.GetShortUserName();
if (!Arrays.AsList(superUser.GetGroupNames()).Contains(sudoGroupName))
{
throw new AuthorizationException("User: "******" is not allowed to impersonate "
+ user.GetUserName());
}
}
/// <summary>Log details about the current Hadoop user at INFO.</summary>
/// <remarks>
/// Log details about the current Hadoop user at INFO.
/// Robust against IOEs when trying to get the current user
/// </remarks>
public virtual void LogCurrentHadoopUser()
{
try
{
UserGroupInformation currentUser = UserGroupInformation.GetCurrentUser();
Log.Info("Current user = {}", currentUser);
UserGroupInformation realUser = currentUser.GetRealUser();
Log.Info("Real User = {}", realUser);
}
catch (IOException e)
{
Log.Warn("Failed to get current user {}, {}", e);
}
}
/// <exception cref="System.Exception"/>
protected override void ServiceInit(Configuration conf)
{
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
UserGroupInformation realUgi = ugi.GetRealUser();
if (realUgi != null)
{
authUgi = realUgi;
doAsUser = ugi.GetShortUserName();
}
else
{
authUgi = ugi;
doAsUser = null;
}
ClientConfig cc = new DefaultClientConfig();
cc.GetClasses().AddItem(typeof(YarnJacksonJaxbJsonProvider));
connConfigurator = NewConnConfigurator(conf);
if (UserGroupInformation.IsSecurityEnabled())
{
authenticator = new KerberosDelegationTokenAuthenticator();
}
else
{
authenticator = new PseudoDelegationTokenAuthenticator();
}
authenticator.SetConnectionConfigurator(connConfigurator);
token = new DelegationTokenAuthenticatedURL.Token();
connectionRetry = new TimelineClientImpl.TimelineClientConnectionRetry(conf);
client = new Com.Sun.Jersey.Api.Client.Client(new URLConnectionClientHandler(new
TimelineClientImpl.TimelineURLConnectionFactory(this)), cc);
TimelineClientImpl.TimelineJerseyRetryFilter retryFilter = new TimelineClientImpl.TimelineJerseyRetryFilter
(this);
client.AddFilter(retryFilter);
if (YarnConfiguration.UseHttps(conf))
{
resURI = URI.Create(Joiner.Join("https://", conf.Get(YarnConfiguration.TimelineServiceWebappHttpsAddress
, YarnConfiguration.DefaultTimelineServiceWebappHttpsAddress), ResourceUriStr));
}
else
{
resURI = URI.Create(Joiner.Join("http://", conf.Get(YarnConfiguration.TimelineServiceWebappAddress
, YarnConfiguration.DefaultTimelineServiceWebappAddress), ResourceUriStr));
}
Log.Info("Timeline service address: " + resURI);
base.ServiceInit(conf);
}
/// <exception cref="System.IO.IOException"/>
public virtual void TestSimpleProxyAuthParamsInUrl()
{
Configuration conf = new Configuration();
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test-user");
ugi = UserGroupInformation.CreateProxyUser("test-proxy-user", ugi);
UserGroupInformation.SetLoginUser(ugi);
WebHdfsFileSystem webhdfs = GetWebHdfsFileSystem(ugi, conf);
Path fsPath = new Path("/");
// send real+effective
Uri fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath);
CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new
UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi.GetShortUserName
()).ToString() }, fileStatusUrl);
}
public virtual void TestGetUserGroupInformation()
{
string userName = "******";
string currentUser = "******";
UserGroupInformation currentUserUgi = UserGroupInformation.CreateUserForTesting(currentUser
, new string[0]);
NfsConfiguration conf = new NfsConfiguration();
conf.Set(FileSystem.FsDefaultNameKey, "hdfs://localhost");
DFSClientCache cache = new DFSClientCache(conf);
UserGroupInformation ugiResult = cache.GetUserGroupInformation(userName, currentUserUgi
);
Assert.AssertThat(ugiResult.GetUserName(), IS.Is(userName));
Assert.AssertThat(ugiResult.GetRealUser(), IS.Is(currentUserUgi));
Assert.AssertThat(ugiResult.GetAuthenticationMethod(), IS.Is(UserGroupInformation.AuthenticationMethod
.Proxy));
}
public virtual void TestGetUserGroupInformationSecure()
{
string userName = "******";
string currentUser = "******";
NfsConfiguration conf = new NfsConfiguration();
UserGroupInformation currentUserUgi = UserGroupInformation.CreateRemoteUser(currentUser
);
currentUserUgi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.
Kerberos);
UserGroupInformation.SetLoginUser(currentUserUgi);
DFSClientCache cache = new DFSClientCache(conf);
UserGroupInformation ugiResult = cache.GetUserGroupInformation(userName, currentUserUgi
);
Assert.AssertThat(ugiResult.GetUserName(), IS.Is(userName));
Assert.AssertThat(ugiResult.GetRealUser(), IS.Is(currentUserUgi));
Assert.AssertThat(ugiResult.GetAuthenticationMethod(), IS.Is(UserGroupInformation.AuthenticationMethod
.Proxy));
}
/// <exception cref="Javax.Servlet.ServletException"/>
/// <exception cref="System.IO.IOException"/>
protected override void DoGet(HttpServletRequest req, HttpServletResponse resp)
{
UserGroupInformation ugi = HttpUserGroupInformation.Get();
if (ugi != null)
{
string ret = "remoteuser="******":ugi=" + ugi.GetShortUserName
();
if (ugi.GetAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.Proxy)
{
ret = "realugi=" + ugi.GetRealUser().GetShortUserName() + ":" + ret;
}
resp.SetStatus(HttpServletResponse.ScOk);
resp.GetWriter().Write(ret);
}
else
{
resp.SetStatus(HttpServletResponse.ScInternalServerError);
}
}
/// <exception cref="Org.Apache.Hadoop.Security.Authorize.AuthorizationException"/>
public virtual void Authorize(UserGroupInformation user, string remoteAddress)
{
UserGroupInformation realUser = user.GetRealUser();
if (realUser == null)
{
return;
}
AccessControlList acl = proxyUserAcl[configPrefix + realUser.GetShortUserName()];
if (acl == null || !acl.IsUserAllowed(user))
{
throw new AuthorizationException("User: "******" is not allowed to impersonate "
+ user.GetUserName());
}
MachineList MachineList = proxyHosts[GetProxySuperuserIpConfKey(realUser.GetShortUserName
())];
if (MachineList == null || !MachineList.Includes(remoteAddress))
{
throw new AuthorizationException("Unauthorized connection for super-user: "******" from IP " + remoteAddress);
}
}
public virtual void TestRefreshSuperUserGroupsConfiguration()
{
string SuperUser = "******";
string[] GroupNames1 = new string[] { "gr1", "gr2" };
string[] GroupNames2 = new string[] { "gr3", "gr4" };
//keys in conf
string userKeyGroups = DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(SuperUser);
string userKeyHosts = DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(SuperUser);
config.Set(userKeyGroups, "gr3,gr4,gr5");
// superuser can proxy for this group
config.Set(userKeyHosts, "127.0.0.1");
ProxyUsers.RefreshSuperUserGroupsConfiguration(config);
UserGroupInformation ugi1 = Org.Mockito.Mockito.Mock <UserGroupInformation>();
UserGroupInformation ugi2 = Org.Mockito.Mockito.Mock <UserGroupInformation>();
UserGroupInformation suUgi = Org.Mockito.Mockito.Mock <UserGroupInformation>();
Org.Mockito.Mockito.When(ugi1.GetRealUser()).ThenReturn(suUgi);
Org.Mockito.Mockito.When(ugi2.GetRealUser()).ThenReturn(suUgi);
Org.Mockito.Mockito.When(suUgi.GetShortUserName()).ThenReturn(SuperUser);
// super user
Org.Mockito.Mockito.When(suUgi.GetUserName()).ThenReturn(SuperUser + "L");
// super user
Org.Mockito.Mockito.When(ugi1.GetShortUserName()).ThenReturn("user1");
Org.Mockito.Mockito.When(ugi2.GetShortUserName()).ThenReturn("user2");
Org.Mockito.Mockito.When(ugi1.GetUserName()).ThenReturn("userL1");
Org.Mockito.Mockito.When(ugi2.GetUserName()).ThenReturn("userL2");
// set groups for users
Org.Mockito.Mockito.When(ugi1.GetGroupNames()).ThenReturn(GroupNames1);
Org.Mockito.Mockito.When(ugi2.GetGroupNames()).ThenReturn(GroupNames2);
// check before
try
{
ProxyUsers.Authorize(ugi1, "127.0.0.1");
NUnit.Framework.Assert.Fail("first auth for " + ugi1.GetShortUserName() + " should've failed "
);
}
catch (AuthorizationException)
{
// expected
System.Console.Error.WriteLine("auth for " + ugi1.GetUserName() + " failed");
}
try
{
ProxyUsers.Authorize(ugi2, "127.0.0.1");
System.Console.Error.WriteLine("auth for " + ugi2.GetUserName() + " succeeded");
}
catch (AuthorizationException e)
{
// expected
NUnit.Framework.Assert.Fail("first auth for " + ugi2.GetShortUserName() + " should've succeeded: "
+ e.GetLocalizedMessage());
}
// refresh will look at configuration on the server side
// add additional resource with the new value
// so the server side will pick it up
string rsrc = "testGroupMappingRefresh_rsrc.xml";
AddNewConfigResource(rsrc, userKeyGroups, "gr2", userKeyHosts, "127.0.0.1");
DFSAdmin admin = new DFSAdmin(config);
string[] args = new string[] { "-refreshSuperUserGroupsConfiguration" };
admin.Run(args);
try
{
ProxyUsers.Authorize(ugi2, "127.0.0.1");
NUnit.Framework.Assert.Fail("second auth for " + ugi2.GetShortUserName() + " should've failed "
);
}
catch (AuthorizationException)
{
// expected
System.Console.Error.WriteLine("auth for " + ugi2.GetUserName() + " failed");
}
try
{
ProxyUsers.Authorize(ugi1, "127.0.0.1");
System.Console.Error.WriteLine("auth for " + ugi1.GetUserName() + " succeeded");
}
catch (AuthorizationException e)
{
// expected
NUnit.Framework.Assert.Fail("second auth for " + ugi1.GetShortUserName() + " should've succeeded: "
+ e.GetLocalizedMessage());
}
}
