Пример #1
0
            /// <exception cref="System.Exception"/>
            public Void Run()
            {
                DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
                                                                  ();
                DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
                HttpURLConnection conn = aUrl.OpenConnection(url, token, TestWebDelegationToken.OkUser
                                                             );

                Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
                IList <string> ret = IOUtils.ReadLines(conn.GetInputStream());

                Assert.Equal(1, ret.Count);
                Assert.Equal(TestWebDelegationToken.OkUser, ret[0]);
                conn = aUrl.OpenConnection(url, token, TestWebDelegationToken.FailUser);
                Assert.Equal(HttpURLConnection.HttpForbidden, conn.GetResponseCode
                                 ());
                aUrl.GetDelegationToken(url, token, TestWebDelegationToken.FooUser);
                UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();

                ugi.AddToken(token.GetDelegationToken());
                token = new DelegationTokenAuthenticatedURL.Token();
                conn  = aUrl.OpenConnection(url, token, TestWebDelegationToken.OkUser);
                Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
                ret = IOUtils.ReadLines(conn.GetInputStream());
                Assert.Equal(1, ret.Count);
                Assert.Equal(TestWebDelegationToken.FooUser, ret[0]);
                return(null);
            }
Пример #2
0
        public virtual void TestExternalDelegationTokenSecretManager()
        {
            TestWebDelegationToken.DummyDelegationTokenSecretManager secretMgr = new TestWebDelegationToken.DummyDelegationTokenSecretManager
                                                                                     ();
            Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
            Context context = new Context();

            context.SetContextPath("/foo");
            jetty.SetHandler(context);
            context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.AFilter)), "/*",
                              0);
            context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.PingServlet)),
                               "/bar");
            try
            {
                secretMgr.StartThreads();
                context.SetAttribute(DelegationTokenAuthenticationFilter.DelegationTokenSecretManagerAttr
                                     , secretMgr);
                jetty.Start();
                Uri authURL = new Uri(GetJettyURL() + "/foo/bar?authenticated=foo");
                DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
                                                                  ();
                DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
                aUrl.GetDelegationToken(authURL, token, FooUser);
                NUnit.Framework.Assert.IsNotNull(token.GetDelegationToken());
                Assert.Equal(new Text("fooKind"), token.GetDelegationToken().GetKind
                                 ());
            }
            finally
            {
                jetty.Stop();
                secretMgr.StopThreads();
            }
        }
Пример #3
0
 public _Callable_778(DelegationTokenAuthenticatedURL aUrl, Uri url, DelegationTokenAuthenticatedURL.Token
                      token, bool doAs, string doAsUser)
 {
     this.aUrl     = aUrl;
     this.url      = url;
     this.token    = token;
     this.doAs     = doAs;
     this.doAsUser = doAsUser;
 }
        /// <summary>
        /// Returns an authenticated
        /// <see cref="HttpURLConnection"/>
        /// . If the Delegation
        /// Token is present, it will be used taking precedence over the configured
        /// <code>Authenticator</code>. If the <code>doAs</code> parameter is not NULL,
        /// the request will be done on behalf of the specified <code>doAs</code> user.
        /// </summary>
        /// <param name="url">the URL to connect to. Only HTTP/S URLs are supported.</param>
        /// <param name="token">the authentication token being used for the user.</param>
        /// <param name="doAs">
        /// user to do the the request on behalf of, if NULL the request is
        /// as self.
        /// </param>
        /// <returns>
        /// an authenticated
        /// <see cref="HttpURLConnection"/>
        /// .
        /// </returns>
        /// <exception cref="System.IO.IOException">if an IO error occurred.</exception>
        /// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
        ///     ">if an authentication exception occurred.</exception>
        public virtual HttpURLConnection OpenConnection(Uri url, DelegationTokenAuthenticatedURL.Token
                                                        token, string doAs)
        {
            Preconditions.CheckNotNull(url, "url");
            Preconditions.CheckNotNull(token, "token");
            IDictionary <string, string> extraParams = new Dictionary <string, string>();

            Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> dToken = null;
            // if we have valid auth token, it takes precedence over a delegation token
            // and we don't even look for one.
            if (!token.IsSet())
            {
                // delegation token
                Credentials creds = UserGroupInformation.GetCurrentUser().GetCredentials();
                if (!creds.GetAllTokens().IsEmpty())
                {
                    IPEndPoint serviceAddr = new IPEndPoint(url.GetHost(), url.Port);
                    Text       service     = SecurityUtil.BuildTokenService(serviceAddr);
                    dToken = creds.GetToken(service);
                    if (dToken != null)
                    {
                        if (UseQueryStringForDelegationToken())
                        {
                            // delegation token will go in the query string, injecting it
                            extraParams[KerberosDelegationTokenAuthenticator.DelegationParam] = dToken.EncodeToUrlString
                                                                                                    ();
                        }
                        else
                        {
                            // delegation token will go as request header, setting it in the
                            // auth-token to ensure no authentication handshake is triggered
                            // (if we have a delegation token, we are authenticated)
                            // the delegation token header is injected in the connection request
                            // at the end of this method.
                            token.delegationToken = (Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier
                                                                                             >)dToken;
                        }
                    }
                }
            }
            // proxyuser
            if (doAs != null)
            {
                extraParams[DoAs] = URLEncoder.Encode(doAs, "UTF-8");
            }
            url = AugmentURL(url, extraParams);
            HttpURLConnection conn = base.OpenConnection(url, token);

            if (!token.IsSet() && !UseQueryStringForDelegationToken() && dToken != null)
            {
                // injecting the delegation token header in the connection request
                conn.SetRequestProperty(DelegationTokenAuthenticator.DelegationTokenHeader, dToken
                                        .EncodeToUrlString());
            }
            return(conn);
        }
Пример #5
0
        /// <exception cref="System.Exception"/>
        private void TestKerberosDelegationTokenAuthenticator(bool doAs)
        {
            string doAsUser = doAs ? OkUser : null;
            // setting hadoop security to kerberos
            Configuration conf = new Configuration();

            conf.Set("hadoop.security.authentication", "kerberos");
            UserGroupInformation.SetConfiguration(conf);
            FilePath testDir = new FilePath("target/" + UUID.RandomUUID().ToString());

            Assert.True(testDir.Mkdirs());
            MiniKdc kdc = new MiniKdc(MiniKdc.CreateConf(), testDir);

            Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
            Context context = new Context();

            context.SetContextPath("/foo");
            jetty.SetHandler(context);
            context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.KDTAFilter)), "/*"
                              , 0);
            context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.UserServlet)),
                               "/bar");
            try
            {
                kdc.Start();
                FilePath keytabFile = new FilePath(testDir, "test.keytab");
                kdc.CreatePrincipal(keytabFile, "client", "HTTP/localhost");
                TestWebDelegationToken.KDTAFilter.keytabFile = keytabFile.GetAbsolutePath();
                jetty.Start();
                DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
                                                                  ();
                DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
                Uri url = new Uri(GetJettyURL() + "/foo/bar");
                try
                {
                    aUrl.GetDelegationToken(url, token, FooUser, doAsUser);
                    NUnit.Framework.Assert.Fail();
                }
                catch (AuthenticationException ex)
                {
                    Assert.True(ex.Message.Contains("GSSException"));
                }
                DoAsKerberosUser("client", keytabFile.GetAbsolutePath(), new _Callable_778(aUrl,
                                                                                           url, token, doAs, doAsUser));
            }
            finally
            {
                // Make sure the token belongs to the right owner
                jetty.Stop();
                kdc.Stop();
            }
        }
 /// <summary>Cancels a delegation token from the server end-point.</summary>
 /// <remarks>
 /// Cancels a delegation token from the server end-point. It does not require
 /// being authenticated by the configured <code>Authenticator</code>.
 /// </remarks>
 /// <param name="url">
 /// the URL to cancel the delegation token from. Only HTTP/S URLs
 /// are supported.
 /// </param>
 /// <param name="token">the authentication token with the Delegation Token to cancel.
 ///     </param>
 /// <param name="doAsUser">the user to do as, which will be the token owner.</param>
 /// <exception cref="System.IO.IOException">if an IO error occurred.</exception>
 public virtual void CancelDelegationToken(Uri url, DelegationTokenAuthenticatedURL.Token
                                           token, string doAsUser)
 {
     Preconditions.CheckNotNull(url, "url");
     Preconditions.CheckNotNull(token, "token");
     Preconditions.CheckNotNull(token.delegationToken, "No delegation token available"
                                );
     try
     {
         ((KerberosDelegationTokenAuthenticator)GetAuthenticator()).CancelDelegationToken(
             url, token, token.delegationToken, doAsUser);
     }
     finally
     {
         token.delegationToken = null;
     }
 }
 /// <summary>
 /// Renews a delegation token from the server end-point using the
 /// configured <code>Authenticator</code> for authentication.
 /// </summary>
 /// <param name="url">
 /// the URL to renew the delegation token from. Only HTTP/S URLs are
 /// supported.
 /// </param>
 /// <param name="token">the authentication token with the Delegation Token to renew.</param>
 /// <param name="doAsUser">the user to do as, which will be the token owner.</param>
 /// <exception cref="System.IO.IOException">if an IO error occurred.</exception>
 /// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
 ///     ">if an authentication exception occurred.</exception>
 public virtual long RenewDelegationToken(Uri url, DelegationTokenAuthenticatedURL.Token
                                          token, string doAsUser)
 {
     Preconditions.CheckNotNull(url, "url");
     Preconditions.CheckNotNull(token, "token");
     Preconditions.CheckNotNull(token.delegationToken, "No delegation token available"
                                );
     try
     {
         return(((KerberosDelegationTokenAuthenticator)GetAuthenticator()).RenewDelegationToken
                    (url, token, token.delegationToken, doAsUser));
     }
     catch (IOException ex)
     {
         token.delegationToken = null;
         throw;
     }
 }
Пример #8
0
            /// <exception cref="System.Exception"/>
            public Void Run()
            {
                DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
                                                                  ();
                DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
                HttpURLConnection conn = aUrl.OpenConnection(url, token);

                Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
                IList <string> ret = IOUtils.ReadLines(conn.GetInputStream());

                Assert.Equal(1, ret.Count);
                Assert.Equal(TestWebDelegationToken.FooUser, ret[0]);
                aUrl.GetDelegationToken(url, token, TestWebDelegationToken.FooUser);
                NUnit.Framework.Assert.IsNotNull(token.GetDelegationToken());
                Assert.Equal(new Text("token-kind"), token.GetDelegationToken(
                                 ).GetKind());
                return(null);
            }
Пример #9
0
            /// <exception cref="System.Exception"/>
            public Void Run()
            {
                DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
                                                                  ();
                DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
                HttpURLConnection conn = aUrl.OpenConnection(url, token);

                Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
                IList <string> ret = IOUtils.ReadLines(conn.GetInputStream());

                Assert.Equal(1, ret.Count);
                Assert.Equal("remoteuser="******":ugi=" + TestWebDelegationToken.FooUser, ret[0]);
                conn = aUrl.OpenConnection(url, token, TestWebDelegationToken.OkUser);
                Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
                ret = IOUtils.ReadLines(conn.GetInputStream());
                Assert.Equal(1, ret.Count);
                Assert.Equal("realugi=" + TestWebDelegationToken.FooUser + ":remoteuser="******":ugi=" + TestWebDelegationToken.OkUser, ret[
                                 0]);
                return(null);
            }
Пример #10
0
            /// <exception cref="System.Exception"/>
            public Void Run()
            {
                DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
                                                                  ();
                DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
                HttpURLConnection conn = aUrl.OpenConnection(url, token);

                Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode());
                IList <string> ret = IOUtils.ReadLines(conn.GetInputStream());

                Assert.Equal(1, ret.Count);
                Assert.Equal(TestWebDelegationToken.FooUser, ret[0]);
                try
                {
                    aUrl.GetDelegationToken(url, token, TestWebDelegationToken.FooUser);
                    NUnit.Framework.Assert.Fail();
                }
                catch (AuthenticationException ex)
                {
                    Assert.True(ex.Message.Contains("delegation token operation"));
                }
                return(null);
            }
 /// <summary>Cancels a delegation token from the server end-point.</summary>
 /// <remarks>
 /// Cancels a delegation token from the server end-point. It does not require
 /// being authenticated by the configured <code>Authenticator</code>.
 /// </remarks>
 /// <param name="url">
 /// the URL to cancel the delegation token from. Only HTTP/S URLs
 /// are supported.
 /// </param>
 /// <param name="token">the authentication token with the Delegation Token to cancel.
 ///     </param>
 /// <exception cref="System.IO.IOException">if an IO error occurred.</exception>
 public virtual void CancelDelegationToken(Uri url, DelegationTokenAuthenticatedURL.Token
                                           token)
 {
     CancelDelegationToken(url, token, null);
 }
 /// <summary>
 /// Renews a delegation token from the server end-point using the
 /// configured <code>Authenticator</code> for authentication.
 /// </summary>
 /// <param name="url">
 /// the URL to renew the delegation token from. Only HTTP/S URLs are
 /// supported.
 /// </param>
 /// <param name="token">the authentication token with the Delegation Token to renew.</param>
 /// <exception cref="System.IO.IOException">if an IO error occurred.</exception>
 /// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
 ///     ">if an authentication exception occurred.</exception>
 public virtual long RenewDelegationToken(Uri url, DelegationTokenAuthenticatedURL.Token
                                          token)
 {
     return(RenewDelegationToken(url, token, null));
 }
                                                        > GetDelegationToken(Uri url, DelegationTokenAuthenticatedURL.Token token, string
                                                                             renewer, string doAsUser)
 {
     Preconditions.CheckNotNull(url, "url");
     Preconditions.CheckNotNull(token, "token");
     try
     {
         token.delegationToken = ((KerberosDelegationTokenAuthenticator)GetAuthenticator()
                                  ).GetDelegationToken(url, token, renewer, doAsUser);
         return(token.delegationToken);
     }
     catch (IOException ex)
     {
         token.delegationToken = null;
         throw;
     }
 }
                                                        > GetDelegationToken(Uri url, DelegationTokenAuthenticatedURL.Token token, string
                                                                             renewer)
 {
     return(GetDelegationToken(url, token, renewer, null));
 }
 /// <summary>
 /// Returns an authenticated
 /// <see cref="HttpURLConnection"/>
 /// . If the Delegation
 /// Token is present, it will be used taking precedence over the configured
 /// <code>Authenticator</code>.
 /// </summary>
 /// <param name="url">the URL to connect to. Only HTTP/S URLs are supported.</param>
 /// <param name="token">the authentication token being used for the user.</param>
 /// <returns>
 /// an authenticated
 /// <see cref="HttpURLConnection"/>
 /// .
 /// </returns>
 /// <exception cref="System.IO.IOException">if an IO error occurred.</exception>
 /// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
 ///     ">if an authentication exception occurred.</exception>
 public virtual HttpURLConnection OpenConnection(Uri url, DelegationTokenAuthenticatedURL.Token
                                                 token)
 {
     return(OpenConnection(url, token, null));
 }
Пример #16
0
        /// <exception cref="System.Exception"/>
        private void TestDelegationTokenAuthenticatorCalls(bool useQS)
        {
            Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
            Context context = new Context();

            context.SetContextPath("/foo");
            jetty.SetHandler(context);
            context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.AFilter)), "/*",
                              0);
            context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.PingServlet)),
                               "/bar");
            try
            {
                jetty.Start();
                Uri nonAuthURL = new Uri(GetJettyURL() + "/foo/bar");
                Uri authURL    = new Uri(GetJettyURL() + "/foo/bar?authenticated=foo");
                Uri authURL2   = new Uri(GetJettyURL() + "/foo/bar?authenticated=bar");
                DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
                                                                  ();
                DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
                aUrl.SetUseQueryStringForDelegationToken(useQS);
                try
                {
                    aUrl.GetDelegationToken(nonAuthURL, token, FooUser);
                    NUnit.Framework.Assert.Fail();
                }
                catch (Exception ex)
                {
                    Assert.True(ex.Message.Contains("401"));
                }
                aUrl.GetDelegationToken(authURL, token, FooUser);
                NUnit.Framework.Assert.IsNotNull(token.GetDelegationToken());
                Assert.Equal(new Text("token-kind"), token.GetDelegationToken(
                                 ).GetKind());
                aUrl.RenewDelegationToken(authURL, token);
                try
                {
                    aUrl.RenewDelegationToken(nonAuthURL, token);
                    NUnit.Framework.Assert.Fail();
                }
                catch (Exception ex)
                {
                    Assert.True(ex.Message.Contains("401"));
                }
                aUrl.GetDelegationToken(authURL, token, FooUser);
                try
                {
                    aUrl.RenewDelegationToken(authURL2, token);
                    NUnit.Framework.Assert.Fail();
                }
                catch (Exception ex)
                {
                    Assert.True(ex.Message.Contains("403"));
                }
                aUrl.GetDelegationToken(authURL, token, FooUser);
                aUrl.CancelDelegationToken(authURL, token);
                aUrl.GetDelegationToken(authURL, token, FooUser);
                aUrl.CancelDelegationToken(nonAuthURL, token);
                aUrl.GetDelegationToken(authURL, token, FooUser);
                try
                {
                    aUrl.RenewDelegationToken(nonAuthURL, token);
                }
                catch (Exception ex)
                {
                    Assert.True(ex.Message.Contains("401"));
                }
                aUrl.GetDelegationToken(authURL, token, "foo");
                UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
                ugi.AddToken(token.GetDelegationToken());
                ugi.DoAs(new _PrivilegedExceptionAction_412(aUrl, nonAuthURL, useQS));
            }
            finally
            {
                jetty.Stop();
            }
        }