/// <exception cref="System.IO.IOException"/>
/// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
/// "/>
public override bool ManagementOperation(AuthenticationToken token, HttpServletRequest
request, HttpServletResponse response)
{
bool requestContinues = true;
string op = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.OpParam);
op = (op != null) ? StringUtils.ToUpperCase(op) : null;
if (DelegationTokenOps.Contains(op) && !request.GetMethod().Equals("OPTIONS"))
{
DelegationTokenAuthenticator.DelegationTokenOperation dtOp = DelegationTokenAuthenticator.DelegationTokenOperation
.ValueOf(op);
if (dtOp.GetHttpMethod().Equals(request.GetMethod()))
{
bool doManagement;
if (dtOp.RequiresKerberosCredentials() && token == null)
{
token = Authenticate(request, response);
if (token == null)
{
requestContinues = false;
doManagement = false;
}
else
{
doManagement = true;
}
}
else
{
doManagement = true;
}
if (doManagement)
{
UserGroupInformation requestUgi = (token != null) ? UserGroupInformation.CreateRemoteUser
(token.GetUserName()) : null;
// Create the proxy user if doAsUser exists
string doAsUser = DelegationTokenAuthenticationFilter.GetDoAs(request);
if (requestUgi != null && doAsUser != null)
{
requestUgi = UserGroupInformation.CreateProxyUser(doAsUser, requestUgi);
try
{
ProxyUsers.Authorize(requestUgi, request.GetRemoteHost());
}
catch (AuthorizationException ex)
{
HttpExceptionUtils.CreateServletExceptionResponse(response, HttpServletResponse.ScForbidden
, ex);
return(false);
}
}
IDictionary map = null;
switch (dtOp)
{
case DelegationTokenAuthenticator.DelegationTokenOperation.Getdelegationtoken:
{
if (requestUgi == null)
{
throw new InvalidOperationException("request UGI cannot be NULL");
}
string renewer = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.RenewerParam);
try
{
Org.Apache.Hadoop.Security.Token.Token <object> dToken = tokenManager.CreateToken(
requestUgi, renewer);
map = DelegationTokenToJSON(dToken);
}
catch (IOException ex)
{
throw new AuthenticationException(ex.ToString(), ex);
}
break;
}
case DelegationTokenAuthenticator.DelegationTokenOperation.Renewdelegationtoken:
{
if (requestUgi == null)
{
throw new InvalidOperationException("request UGI cannot be NULL");
}
string tokenToRenew = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.TokenParam);
if (tokenToRenew == null)
{
response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]"
, dtOp, KerberosDelegationTokenAuthenticator.TokenParam));
requestContinues = false;
}
else
{
Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
Org.Apache.Hadoop.Security.Token.Token();
try
{
dt.DecodeFromUrlString(tokenToRenew);
long expirationTime = tokenManager.RenewToken(dt, requestUgi.GetShortUserName());
map = new Hashtable();
map["long"] = expirationTime;
}
catch (IOException ex)
{
throw new AuthenticationException(ex.ToString(), ex);
}
}
break;
}
case DelegationTokenAuthenticator.DelegationTokenOperation.Canceldelegationtoken:
{
string tokenToCancel = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.TokenParam);
if (tokenToCancel == null)
{
response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]"
, dtOp, KerberosDelegationTokenAuthenticator.TokenParam));
requestContinues = false;
}
else
{
Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
Org.Apache.Hadoop.Security.Token.Token();
try
{
dt.DecodeFromUrlString(tokenToCancel);
tokenManager.CancelToken(dt, (requestUgi != null) ? requestUgi.GetShortUserName()
: null);
}
catch (IOException)
{
response.SendError(HttpServletResponse.ScNotFound, "Invalid delegation token, cannot cancel"
);
requestContinues = false;
}
}
break;
}
}
if (requestContinues)
{
response.SetStatus(HttpServletResponse.ScOk);
if (map != null)
{
response.SetContentType(MediaType.ApplicationJson);
TextWriter writer = response.GetWriter();
ObjectMapper jsonMapper = new ObjectMapper();
jsonMapper.WriteValue(writer, map);
writer.Write(Enter);
writer.Flush();
}
requestContinues = false;
}
}
}
else
{
response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Wrong HTTP method [{0}] for operation [{1}], it should be "
+ "[{2}]", request.GetMethod(), dtOp, dtOp.GetHttpMethod()));
requestContinues = false;
}
}
return(requestContinues);
}
public virtual void TestDTManager()
{
Configuration conf = new Configuration(false);
conf.SetLong(DelegationTokenManager.UpdateInterval, DayInSecs);
conf.SetLong(DelegationTokenManager.MaxLifetime, DayInSecs);
conf.SetLong(DelegationTokenManager.RenewInterval, DayInSecs);
conf.SetLong(DelegationTokenManager.RemovalScanInterval, DayInSecs);
conf.GetBoolean(DelegationTokenManager.EnableZkKey, enableZKKey);
DelegationTokenManager tm = new DelegationTokenManager(conf, new Text("foo"));
tm.Init();
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = (Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>)tm.CreateToken(UserGroupInformation.GetCurrentUser()
, "foo");
NUnit.Framework.Assert.IsNotNull(token);
tm.VerifyToken(token);
Assert.True(tm.RenewToken(token, "foo") > Runtime.CurrentTimeMillis
());
tm.CancelToken(token, "foo");
try
{
tm.VerifyToken(token);
NUnit.Framework.Assert.Fail();
}
catch (IOException)
{
}
catch (Exception)
{
//NOP
NUnit.Framework.Assert.Fail();
}
tm.Destroy();
}