/// <exception cref="System.IO.IOException"/> public virtual GetDelegationTokenResponse GetDelegationToken(GetDelegationTokenRequest request) { UserGroupInformation ugi = UserGroupInformation.GetCurrentUser(); // Verify that the connection is kerberos authenticated if (!this.IsAllowedDelegationTokenOp()) { throw new IOException("Delegation Token can be issued only with kerberos authentication" ); } GetDelegationTokenResponse response = this.recordFactory.NewRecordInstance <GetDelegationTokenResponse >(); string user = ugi.GetUserName(); Text owner = new Text(user); Text realUser = null; if (ugi.GetRealUser() != null) { realUser = new Text(ugi.GetRealUser().GetUserName()); } MRDelegationTokenIdentifier tokenIdentifier = new MRDelegationTokenIdentifier(owner , new Text(request.GetRenewer()), realUser); Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> realJHSToken = new Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenIdentifier , this._enclosing.jhsDTSecretManager); Org.Apache.Hadoop.Yarn.Api.Records.Token mrDToken = Org.Apache.Hadoop.Yarn.Api.Records.Token .NewInstance(realJHSToken.GetIdentifier(), realJHSToken.GetKind().ToString(), realJHSToken .GetPassword(), realJHSToken.GetService().ToString()); response.SetDelegationToken(mrDToken); return(response); }
/// <exception cref="System.IO.IOException"/> public virtual void TestSecureProxyAuthParamsInUrl() { Configuration conf = new Configuration(); // fake turning on security so api thinks it should use tokens SecurityUtil.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos , conf); UserGroupInformation.SetConfiguration(conf); UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test-user"); ugi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos); ugi = UserGroupInformation.CreateProxyUser("test-proxy-user", ugi); UserGroupInformation.SetLoginUser(ugi); WebHdfsFileSystem webhdfs = GetWebHdfsFileSystem(ugi, conf); Path fsPath = new Path("/"); string tokenString = webhdfs.GetDelegationToken().EncodeToUrlString(); // send real+effective Uri getTokenUrl = webhdfs.ToUrl(GetOpParam.OP.Getdelegationtoken, fsPath); CheckQueryParams(new string[] { GetOpParam.OP.Getdelegationtoken.ToQueryString(), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi .GetShortUserName()).ToString() }, getTokenUrl); // send real+effective Uri renewTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Renewdelegationtoken, fsPath, new TokenArgumentParam(tokenString)); CheckQueryParams(new string[] { PutOpParam.OP.Renewdelegationtoken.ToQueryString( ), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam (ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString () }, renewTokenUrl); // send token Uri cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new TokenArgumentParam(tokenString)); CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString (), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam (ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString () }, cancelTokenUrl); // send token Uri fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath); CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new DelegationParam(tokenString).ToString() }, fileStatusUrl); // wipe out internal token to simulate auth always required webhdfs.SetDelegationToken(null); // send real+effective cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new TokenArgumentParam (tokenString)); CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString (), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam (ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString () }, cancelTokenUrl); // send real+effective fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath); CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi.GetShortUserName ()).ToString() }, fileStatusUrl); }
private void CheckUgiFromToken(UserGroupInformation ugi) { if (ugi.GetRealUser() != null) { NUnit.Framework.Assert.AreEqual(UserGroupInformation.AuthenticationMethod.Proxy, ugi.GetAuthenticationMethod()); NUnit.Framework.Assert.AreEqual(UserGroupInformation.AuthenticationMethod.Token, ugi.GetRealUser().GetAuthenticationMethod()); } else { NUnit.Framework.Assert.AreEqual(UserGroupInformation.AuthenticationMethod.Token, ugi.GetAuthenticationMethod()); } }
public virtual void TestRefreshSuperUserGroups() { UserGroupInformation ugi = Org.Mockito.Mockito.Mock <UserGroupInformation>(); UserGroupInformation superUser = Org.Mockito.Mockito.Mock <UserGroupInformation>(); Org.Mockito.Mockito.When(ugi.GetRealUser()).ThenReturn(superUser); Org.Mockito.Mockito.When(superUser.GetShortUserName()).ThenReturn("superuser"); Org.Mockito.Mockito.When(superUser.GetUserName()).ThenReturn("superuser"); Org.Mockito.Mockito.When(ugi.GetGroupNames()).ThenReturn(new string[] { "group3" } ); Org.Mockito.Mockito.When(ugi.GetUserName()).ThenReturn("regularUser"); // Set super user groups not to include groups of regularUser conf.Set("hadoop.proxyuser.superuser.groups", "group1,group2"); conf.Set("hadoop.proxyuser.superuser.hosts", "127.0.0.1"); string[] args = new string[1]; args[0] = "-refreshSuperUserGroupsConfiguration"; hsAdminClient.Run(args); Exception th = null; try { ProxyUsers.Authorize(ugi, "127.0.0.1"); } catch (Exception e) { th = e; } // Exception should be thrown NUnit.Framework.Assert.IsTrue(th is AuthorizationException); // Now add regularUser group to superuser group but not execute // refreshSuperUserGroupMapping conf.Set("hadoop.proxyuser.superuser.groups", "group1,group2,group3"); // Again,lets run ProxyUsers.authorize and see if regularUser can be // impersonated // resetting th th = null; try { ProxyUsers.Authorize(ugi, "127.0.0.1"); } catch (Exception e) { th = e; } // Exception should be thrown again since we didn't refresh the configs NUnit.Framework.Assert.IsTrue(th is AuthorizationException); // Lets refresh the config by running refreshSuperUserGroupsConfiguration hsAdminClient.Run(args); th = null; try { ProxyUsers.Authorize(ugi, "127.0.0.1"); } catch (Exception e) { th = e; } // No exception thrown since regularUser can be impersonated. NUnit.Framework.Assert.IsNull("Unexpected exception thrown: " + th, th); }
public virtual void TestProxyUserFromEnvironment() { string proxyUser = "******"; Runtime.SetProperty(UserGroupInformation.HadoopProxyUser, proxyUser); UserGroupInformation ugi = UserGroupInformation.GetLoginUser(); Assert.Equal(proxyUser, ugi.GetUserName()); UserGroupInformation realUgi = ugi.GetRealUser(); NUnit.Framework.Assert.IsNotNull(realUgi); // get the expected real user name SystemProcess pp = Runtime.GetRuntime().Exec("whoami"); BufferedReader br = new BufferedReader(new InputStreamReader(pp.GetInputStream()) ); string realUser = br.ReadLine().Trim(); // On Windows domain joined machine, whoami returns the username // in the DOMAIN\\username format, so we trim the domain part before // the comparison. We don't have to special case for Windows // given that Unix systems do not allow slashes in usernames. int backslashIndex = realUser.IndexOf('\\'); if (backslashIndex != -1) { realUser = Runtime.Substring(realUser, backslashIndex + 1); } Assert.Equal(realUser, realUgi.GetUserName()); }
/// <summary> /// This method creates the connection context using exactly the same logic /// as the old connection context as was done for writable where /// the effective and real users are set based on the auth method. /// </summary> public static IpcConnectionContextProtos.IpcConnectionContextProto MakeIpcConnectionContext (string protocol, UserGroupInformation ugi, SaslRpcServer.AuthMethod authMethod) { IpcConnectionContextProtos.IpcConnectionContextProto.Builder result = IpcConnectionContextProtos.IpcConnectionContextProto .NewBuilder(); if (protocol != null) { result.SetProtocol(protocol); } IpcConnectionContextProtos.UserInformationProto.Builder ugiProto = IpcConnectionContextProtos.UserInformationProto .NewBuilder(); if (ugi != null) { /* * In the connection context we send only additional user info that * is not derived from the authentication done during connection setup. */ if (authMethod == SaslRpcServer.AuthMethod.Kerberos) { // Real user was established as part of the connection. // Send effective user only. ugiProto.SetEffectiveUser(ugi.GetUserName()); } else { if (authMethod == SaslRpcServer.AuthMethod.Token) { } else { // With token, the connection itself establishes // both real and effective user. Hence send none in header. // Simple authentication // No user info is established as part of the connection. // Send both effective user and real user ugiProto.SetEffectiveUser(ugi.GetUserName()); if (ugi.GetRealUser() != null) { ugiProto.SetRealUser(ugi.GetRealUser().GetUserName()); } } } } result.SetUserInfo(ugiProto); return((IpcConnectionContextProtos.IpcConnectionContextProto)result.Build()); }
public virtual void TestGetUserWithOwnerAndReal() { Text owner = new Text("owner"); Text realUser = new Text("realUser"); TestDelegationToken.TestDelegationTokenIdentifier ident = new TestDelegationToken.TestDelegationTokenIdentifier (owner, null, realUser); UserGroupInformation ugi = ident.GetUser(); NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser()); NUnit.Framework.Assert.IsNull(ugi.GetRealUser().GetRealUser()); Assert.Equal("owner", ugi.GetUserName()); Assert.Equal("realUser", ugi.GetRealUser().GetUserName()); Assert.Equal(UserGroupInformation.AuthenticationMethod.Proxy, ugi.GetAuthenticationMethod()); Assert.Equal(UserGroupInformation.AuthenticationMethod.Token, ugi.GetRealUser().GetAuthenticationMethod()); }
> CreateToken(UserGroupInformation ugi, string renewer) { renewer = (renewer == null) ? ugi.GetShortUserName() : renewer; string user = ugi.GetUserName(); Text owner = new Text(user); Text realUser = null; if (ugi.GetRealUser() != null) { realUser = new Text(ugi.GetRealUser().GetUserName()); } AbstractDelegationTokenIdentifier tokenIdentifier = (AbstractDelegationTokenIdentifier )secretManager.CreateIdentifier(); tokenIdentifier.SetOwner(owner); tokenIdentifier.SetRenewer(new Text(renewer)); tokenIdentifier.SetRealUser(realUser); return(new Org.Apache.Hadoop.Security.Token.Token(tokenIdentifier, secretManager)); }
/// <summary> /// Authorize a user (superuser) to impersonate another user (user1) if the /// superuser belongs to the group "sudo_user1" . /// </summary> /// <exception cref="Org.Apache.Hadoop.Security.Authorize.AuthorizationException"/> public virtual void Authorize(UserGroupInformation user, string remoteAddress) { UserGroupInformation superUser = user.GetRealUser(); string sudoGroupName = "sudo_" + user.GetShortUserName(); if (!Arrays.AsList(superUser.GetGroupNames()).Contains(sudoGroupName)) { throw new AuthorizationException("User: "******" is not allowed to impersonate " + user.GetUserName()); } }
/// <summary>Log details about the current Hadoop user at INFO.</summary> /// <remarks> /// Log details about the current Hadoop user at INFO. /// Robust against IOEs when trying to get the current user /// </remarks> public virtual void LogCurrentHadoopUser() { try { UserGroupInformation currentUser = UserGroupInformation.GetCurrentUser(); Log.Info("Current user = {}", currentUser); UserGroupInformation realUser = currentUser.GetRealUser(); Log.Info("Real User = {}", realUser); } catch (IOException e) { Log.Warn("Failed to get current user {}, {}", e); } }
/// <exception cref="System.Exception"/> protected override void ServiceInit(Configuration conf) { UserGroupInformation ugi = UserGroupInformation.GetCurrentUser(); UserGroupInformation realUgi = ugi.GetRealUser(); if (realUgi != null) { authUgi = realUgi; doAsUser = ugi.GetShortUserName(); } else { authUgi = ugi; doAsUser = null; } ClientConfig cc = new DefaultClientConfig(); cc.GetClasses().AddItem(typeof(YarnJacksonJaxbJsonProvider)); connConfigurator = NewConnConfigurator(conf); if (UserGroupInformation.IsSecurityEnabled()) { authenticator = new KerberosDelegationTokenAuthenticator(); } else { authenticator = new PseudoDelegationTokenAuthenticator(); } authenticator.SetConnectionConfigurator(connConfigurator); token = new DelegationTokenAuthenticatedURL.Token(); connectionRetry = new TimelineClientImpl.TimelineClientConnectionRetry(conf); client = new Com.Sun.Jersey.Api.Client.Client(new URLConnectionClientHandler(new TimelineClientImpl.TimelineURLConnectionFactory(this)), cc); TimelineClientImpl.TimelineJerseyRetryFilter retryFilter = new TimelineClientImpl.TimelineJerseyRetryFilter (this); client.AddFilter(retryFilter); if (YarnConfiguration.UseHttps(conf)) { resURI = URI.Create(Joiner.Join("https://", conf.Get(YarnConfiguration.TimelineServiceWebappHttpsAddress , YarnConfiguration.DefaultTimelineServiceWebappHttpsAddress), ResourceUriStr)); } else { resURI = URI.Create(Joiner.Join("http://", conf.Get(YarnConfiguration.TimelineServiceWebappAddress , YarnConfiguration.DefaultTimelineServiceWebappAddress), ResourceUriStr)); } Log.Info("Timeline service address: " + resURI); base.ServiceInit(conf); }
/// <exception cref="System.IO.IOException"/> public virtual void TestSimpleProxyAuthParamsInUrl() { Configuration conf = new Configuration(); UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test-user"); ugi = UserGroupInformation.CreateProxyUser("test-proxy-user", ugi); UserGroupInformation.SetLoginUser(ugi); WebHdfsFileSystem webhdfs = GetWebHdfsFileSystem(ugi, conf); Path fsPath = new Path("/"); // send real+effective Uri fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath); CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi.GetShortUserName ()).ToString() }, fileStatusUrl); }
public virtual void TestGetUserGroupInformation() { string userName = "******"; string currentUser = "******"; UserGroupInformation currentUserUgi = UserGroupInformation.CreateUserForTesting(currentUser , new string[0]); NfsConfiguration conf = new NfsConfiguration(); conf.Set(FileSystem.FsDefaultNameKey, "hdfs://localhost"); DFSClientCache cache = new DFSClientCache(conf); UserGroupInformation ugiResult = cache.GetUserGroupInformation(userName, currentUserUgi ); Assert.AssertThat(ugiResult.GetUserName(), IS.Is(userName)); Assert.AssertThat(ugiResult.GetRealUser(), IS.Is(currentUserUgi)); Assert.AssertThat(ugiResult.GetAuthenticationMethod(), IS.Is(UserGroupInformation.AuthenticationMethod .Proxy)); }
public virtual void TestGetUserGroupInformationSecure() { string userName = "******"; string currentUser = "******"; NfsConfiguration conf = new NfsConfiguration(); UserGroupInformation currentUserUgi = UserGroupInformation.CreateRemoteUser(currentUser ); currentUserUgi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod. Kerberos); UserGroupInformation.SetLoginUser(currentUserUgi); DFSClientCache cache = new DFSClientCache(conf); UserGroupInformation ugiResult = cache.GetUserGroupInformation(userName, currentUserUgi ); Assert.AssertThat(ugiResult.GetUserName(), IS.Is(userName)); Assert.AssertThat(ugiResult.GetRealUser(), IS.Is(currentUserUgi)); Assert.AssertThat(ugiResult.GetAuthenticationMethod(), IS.Is(UserGroupInformation.AuthenticationMethod .Proxy)); }
/// <exception cref="Javax.Servlet.ServletException"/> /// <exception cref="System.IO.IOException"/> protected override void DoGet(HttpServletRequest req, HttpServletResponse resp) { UserGroupInformation ugi = HttpUserGroupInformation.Get(); if (ugi != null) { string ret = "remoteuser="******":ugi=" + ugi.GetShortUserName (); if (ugi.GetAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.Proxy) { ret = "realugi=" + ugi.GetRealUser().GetShortUserName() + ":" + ret; } resp.SetStatus(HttpServletResponse.ScOk); resp.GetWriter().Write(ret); } else { resp.SetStatus(HttpServletResponse.ScInternalServerError); } }
/// <exception cref="Org.Apache.Hadoop.Security.Authorize.AuthorizationException"/> public virtual void Authorize(UserGroupInformation user, string remoteAddress) { UserGroupInformation realUser = user.GetRealUser(); if (realUser == null) { return; } AccessControlList acl = proxyUserAcl[configPrefix + realUser.GetShortUserName()]; if (acl == null || !acl.IsUserAllowed(user)) { throw new AuthorizationException("User: "******" is not allowed to impersonate " + user.GetUserName()); } MachineList MachineList = proxyHosts[GetProxySuperuserIpConfKey(realUser.GetShortUserName ())]; if (MachineList == null || !MachineList.Includes(remoteAddress)) { throw new AuthorizationException("Unauthorized connection for super-user: "******" from IP " + remoteAddress); } }
public virtual void TestRefreshSuperUserGroupsConfiguration() { string SuperUser = "******"; string[] GroupNames1 = new string[] { "gr1", "gr2" }; string[] GroupNames2 = new string[] { "gr3", "gr4" }; //keys in conf string userKeyGroups = DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey (SuperUser); string userKeyHosts = DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey (SuperUser); config.Set(userKeyGroups, "gr3,gr4,gr5"); // superuser can proxy for this group config.Set(userKeyHosts, "127.0.0.1"); ProxyUsers.RefreshSuperUserGroupsConfiguration(config); UserGroupInformation ugi1 = Org.Mockito.Mockito.Mock <UserGroupInformation>(); UserGroupInformation ugi2 = Org.Mockito.Mockito.Mock <UserGroupInformation>(); UserGroupInformation suUgi = Org.Mockito.Mockito.Mock <UserGroupInformation>(); Org.Mockito.Mockito.When(ugi1.GetRealUser()).ThenReturn(suUgi); Org.Mockito.Mockito.When(ugi2.GetRealUser()).ThenReturn(suUgi); Org.Mockito.Mockito.When(suUgi.GetShortUserName()).ThenReturn(SuperUser); // super user Org.Mockito.Mockito.When(suUgi.GetUserName()).ThenReturn(SuperUser + "L"); // super user Org.Mockito.Mockito.When(ugi1.GetShortUserName()).ThenReturn("user1"); Org.Mockito.Mockito.When(ugi2.GetShortUserName()).ThenReturn("user2"); Org.Mockito.Mockito.When(ugi1.GetUserName()).ThenReturn("userL1"); Org.Mockito.Mockito.When(ugi2.GetUserName()).ThenReturn("userL2"); // set groups for users Org.Mockito.Mockito.When(ugi1.GetGroupNames()).ThenReturn(GroupNames1); Org.Mockito.Mockito.When(ugi2.GetGroupNames()).ThenReturn(GroupNames2); // check before try { ProxyUsers.Authorize(ugi1, "127.0.0.1"); NUnit.Framework.Assert.Fail("first auth for " + ugi1.GetShortUserName() + " should've failed " ); } catch (AuthorizationException) { // expected System.Console.Error.WriteLine("auth for " + ugi1.GetUserName() + " failed"); } try { ProxyUsers.Authorize(ugi2, "127.0.0.1"); System.Console.Error.WriteLine("auth for " + ugi2.GetUserName() + " succeeded"); } catch (AuthorizationException e) { // expected NUnit.Framework.Assert.Fail("first auth for " + ugi2.GetShortUserName() + " should've succeeded: " + e.GetLocalizedMessage()); } // refresh will look at configuration on the server side // add additional resource with the new value // so the server side will pick it up string rsrc = "testGroupMappingRefresh_rsrc.xml"; AddNewConfigResource(rsrc, userKeyGroups, "gr2", userKeyHosts, "127.0.0.1"); DFSAdmin admin = new DFSAdmin(config); string[] args = new string[] { "-refreshSuperUserGroupsConfiguration" }; admin.Run(args); try { ProxyUsers.Authorize(ugi2, "127.0.0.1"); NUnit.Framework.Assert.Fail("second auth for " + ugi2.GetShortUserName() + " should've failed " ); } catch (AuthorizationException) { // expected System.Console.Error.WriteLine("auth for " + ugi2.GetUserName() + " failed"); } try { ProxyUsers.Authorize(ugi1, "127.0.0.1"); System.Console.Error.WriteLine("auth for " + ugi1.GetUserName() + " succeeded"); } catch (AuthorizationException e) { // expected NUnit.Framework.Assert.Fail("second auth for " + ugi1.GetShortUserName() + " should've succeeded: " + e.GetLocalizedMessage()); } }