/// <summary>
/// Creates the action object and stores the three values it is given in the
/// fields <c>aUrl</c>, <c>url1</c> and <c>token</c>.
/// </summary>
/// <param name="aUrl">Delegation-token-aware URL helper kept for later use.</param>
/// <param name="url1">Target URL kept for later use.</param>
/// <param name="token">
/// Token object kept by reference, not copied. Any state written to it
/// elsewhere is therefore visible through this field as well.
/// </param>
public _PrivilegedExceptionAction_135(
    DelegationTokenAuthenticatedURL aUrl,
    Uri url1,
    DelegationTokenAuthenticatedURL.Token token)
{
    // Plain field capture; nothing is validated or cloned here.
    this.token = token;
    this.url1 = url1;
    this.aUrl = aUrl;
}
/// <summary>
/// Builds a KMS client for the service URL derived from <paramref name="uri"/>,
/// reading timeout, auth-retry and encrypted-key cache settings from
/// <paramref name="conf"/>.
/// </summary>
/// <param name="uri">Provider URI; the KMS path is extracted from it to form the service URL.</param>
/// <param name="conf">Configuration that supplies the TLS, timeout, retry and cache settings.</param>
/// <exception cref="System.IO.IOException">
/// Thrown when initialising the SSL factory fails with a GeneralSecurityException.
/// </exception>
public KMSClientProvider(URI uri, Configuration conf)
    : base(conf)
{
    kmsUrl = CreateServiceURL(ExtractKMSPath(uri));

    // The TLS client factory is created only for an https service URL. For
    // any other scheme sslFactory is not assigned in this constructor, so
    // the connection configurator below receives whatever the field
    // already holds (presumably null, i.e. no TLS -- confirm).
    string scheme = new Uri(kmsUrl).Scheme;
    if (Runtime.EqualsIgnoreCase("https", scheme))
    {
        sslFactory = new SSLFactory(SSLFactory.Mode.Client, conf);
        try
        {
            sslFactory.Init();
        }
        catch (GeneralSecurityException ex)
        {
            // Surface TLS setup failures through the declared exception type.
            throw new IOException(ex);
        }
    }

    int timeout = conf.GetInt(TimeoutAttr, DefaultTimeout);
    authRetry = conf.GetInt(AuthRetry, DefaultAuthRetry);
    configurator = new KMSClientProvider.TimeoutConnConfigurator(timeout, sslFactory);

    // Encrypted-key cache parameters, read in the order the queue constructor takes them.
    var cacheSize = conf.GetInt(
        CommonConfigurationKeysPublic.KmsClientEncKeyCacheSize,
        CommonConfigurationKeysPublic.KmsClientEncKeyCacheSizeDefault);
    var lowWatermark = conf.GetFloat(
        CommonConfigurationKeysPublic.KmsClientEncKeyCacheLowWatermark,
        CommonConfigurationKeysPublic.KmsClientEncKeyCacheLowWatermarkDefault);
    var expiryMs = conf.GetInt(
        CommonConfigurationKeysPublic.KmsClientEncKeyCacheExpiryMs,
        CommonConfigurationKeysPublic.KmsClientEncKeyCacheExpiryDefault);
    var refillThreads = conf.GetInt(
        CommonConfigurationKeysPublic.KmsClientEncKeyCacheNumRefillThreads,
        CommonConfigurationKeysPublic.KmsClientEncKeyCacheNumRefillThreadsDefault);
    encKeyVersionQueue = new ValueQueue<KeyProviderCryptoExtension.EncryptedKeyVersion>(
        cacheSize,
        lowWatermark,
        expiryMs,
        refillThreads,
        new KMSClientProvider.EncryptedQueueRefiller(this));

    // Start with a newly constructed token object.
    authToken = new DelegationTokenAuthenticatedURL.Token();

    // If the current user was authenticated as a proxy, the real user behind
    // it is recorded in actualUgi; otherwise the current user is recorded.
    if (UserGroupInformation.GetCurrentUser().GetAuthenticationMethod()
        == UserGroupInformation.AuthenticationMethod.Proxy)
    {
        actualUgi = UserGroupInformation.GetCurrentUser().GetRealUser();
    }
    else
    {
        actualUgi = UserGroupInformation.GetCurrentUser();
    }
}
/// <summary>
/// Opens a connection to <c>url2</c> with a newly constructed token and
/// asserts that the server answers with HTTP 403 (Forbidden).
/// </summary>
/// <returns>Always <c>null</c>; the result is the assertion itself.</returns>
/// <exception cref="System.Exception"/>
public object Run()
{
    // A newly constructed token, not the one shared with other actions. The
    // assertion below expects a request made with it to be refused.
    DelegationTokenAuthenticatedURL.Token freshToken =
        new DelegationTokenAuthenticatedURL.Token();

    HttpURLConnection connection = aUrl.OpenConnection(url2, freshToken);

    Assert.Equal(HttpURLConnection.HttpForbidden, connection.GetResponseCode());
    return null;
}
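/// <summary>
/// Starts two MiniKMS instances from one configuration directory whose
/// authentication filter uses the "zookeeper" signer secret provider (same
/// connection string, path "/secret"), then issues requests against both
/// instances as the test users "foo" and "bar".
/// </summary>
/// <remarks>
/// One token object is passed to the first two privileged actions (against
/// instance 1 and instance 2 respectively); the third action gets no token.
/// The bodies of those actions are not part of this method, so the exact
/// status codes they assert are not restated here. Presumably the point is
/// that a token signed by one instance is honoured by the other because
/// both read the signing secret from ZooKeeper -- confirm against the
/// action classes.
/// </remarks>
public virtual void TestMultipleKMSInstancesWithZKSigner()
{
    FilePath testDir = TestKMS.GetTestDir();
    Configuration conf = CreateBaseKMSConf(testDir);
    TestingServer zkServer = new TestingServer();
    zkServer.Start();
    MiniKMS kms1 = null;
    MiniKMS kms2 = null;
    try
    {
        // Configuration is written inside the try so that a failure here
        // (WriteConf touches the file system) still stops the ZooKeeper
        // test server instead of leaving it running.
        conf.Set(
            KMSAuthenticationFilter.ConfigPrefix + AuthenticationFilter.SignerSecretProvider,
            "zookeeper");
        conf.Set(
            KMSAuthenticationFilter.ConfigPrefix + ZKSignerSecretProvider.ZookeeperConnectionString,
            zkServer.GetConnectString());
        conf.Set(
            KMSAuthenticationFilter.ConfigPrefix + ZKSignerSecretProvider.ZookeeperPath,
            "/secret");
        TestKMS.WriteConf(testDir, conf);

        // Both instances are built from the same configuration directory.
        kms1 = new MiniKMS.Builder()
            .SetKmsConfDir(testDir)
            .SetLog4jConfFile("log4j.properties")
            .Build();
        kms1.Start();
        kms2 = new MiniKMS.Builder()
            .SetKmsConfDir(testDir)
            .SetLog4jConfFile("log4j.properties")
            .Build();
        kms2.Start();

        Uri url1 = new Uri(kms1.GetKMSUrl().ToExternalForm()
            + KMSRESTConstants.ServiceVersion + "/" + KMSRESTConstants.KeysNamesResource);
        Uri url2 = new Uri(kms2.GetKMSUrl().ToExternalForm()
            + KMSRESTConstants.ServiceVersion + "/" + KMSRESTConstants.KeysNamesResource);

        // One token object shared by the first two actions.
        DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token();
        DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();

        UserGroupInformation ugiFoo =
            UserGroupInformation.CreateUserForTesting("foo", new string[] { "gfoo" });
        UserGroupInformation ugiBar =
            UserGroupInformation.CreateUserForTesting("bar", new string[] { "gBar" });

        ugiFoo.DoAs(new _PrivilegedExceptionAction_135(aUrl, url1, token));
        ugiBar.DoAs(new _PrivilegedExceptionAction_145(aUrl, url2, token));
        ugiBar.DoAs(new _PrivilegedExceptionAction_155(aUrl, url2));
    }
    finally
    {
        // Nested finally blocks: a failing Stop() on one component must not
        // prevent the remaining components from being shut down.
        try
        {
            if (kms2 != null)
            {
                kms2.Stop();
            }
        }
        finally
        {
            try
            {
                if (kms1 != null)
                {
                    kms1.Stop();
                }
            }
            finally
            {
                zkServer.Stop();
            }
        }
    }
}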
/// <summary>
/// Initialises the timeline client: resolves the identity to authenticate
/// as, selects the delegation-token authenticator, builds the Jersey client
/// with its retry filter, and computes the timeline service resource URI.
/// </summary>
/// <param name="conf">Service configuration.</param>
/// <exception cref="System.Exception"/>
protected override void ServiceInit(Configuration conf)
{
    UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
    UserGroupInformation realUgi = ugi.GetRealUser();
    if (realUgi == null)
    {
        // No real user behind the current one: authenticate as the current user, no doAs.
        authUgi = ugi;
        doAsUser = null;
    }
    else
    {
        // A real user exists: authenticate as that user and record the
        // current user's short name as the doAs user.
        authUgi = realUgi;
        doAsUser = ugi.GetShortUserName();
    }

    ClientConfig cc = new DefaultClientConfig();
    cc.GetClasses().AddItem(typeof(YarnJacksonJaxbJsonProvider));
    connConfigurator = NewConnConfigurator(conf);

    // Kerberos-backed authenticator only when security is enabled;
    // otherwise the pseudo authenticator is used.
    if (!UserGroupInformation.IsSecurityEnabled())
    {
        authenticator = new PseudoDelegationTokenAuthenticator();
    }
    else
    {
        authenticator = new KerberosDelegationTokenAuthenticator();
    }
    authenticator.SetConnectionConfigurator(connConfigurator);

    token = new DelegationTokenAuthenticatedURL.Token();
    connectionRetry = new TimelineClientImpl.TimelineClientConnectionRetry(conf);
    client = new Com.Sun.Jersey.Api.Client.Client(
        new URLConnectionClientHandler(new TimelineClientImpl.TimelineURLConnectionFactory(this)),
        cc);
    client.AddFilter(new TimelineClientImpl.TimelineJerseyRetryFilter(this));

    // Scheme and address come from configuration; with UseHttps false the
    // resource URI is plain http.
    string scheme;
    string address;
    if (YarnConfiguration.UseHttps(conf))
    {
        scheme = "https://";
        address = conf.Get(
            YarnConfiguration.TimelineServiceWebappHttpsAddress,
            YarnConfiguration.DefaultTimelineServiceWebappHttpsAddress);
    }
    else
    {
        scheme = "http://";
        address = conf.Get(
            YarnConfiguration.TimelineServiceWebappAddress,
            YarnConfiguration.DefaultTimelineServiceWebappAddress);
    }
    resURI = URI.Create(Joiner.Join(scheme, address, ResourceUriStr));

    Log.Info("Timeline service address: " + resURI);
    base.ServiceInit(conf);
}
/// <summary>
/// Sends an optional JSON body over <paramref name="conn"/>, handles an
/// authentication failure by discarding the cached token and retrying on a
/// new connection, validates the response code, and returns the response
/// body parsed as <typeparamref name="T"/> when it is JSON.
/// </summary>
/// <param name="conn">Connection to use; replaced by a new one on an authentication retry.</param>
/// <param name="jsonOutput">Request body written as JSON, or null for no body.</param>
/// <param name="expectedResponse">Status code passed to the response validation.</param>
/// <param name="authRetryCount">Remaining number of authentication retries; no retry when not above zero.</param>
/// <returns>The parsed response, or the initial null value when no JSON body is read.</returns>
/// <exception cref="System.IO.IOException"/>
private T Call <T>(HttpURLConnection conn, IDictionary jsonOutput, int expectedResponse , int authRetryCount)
{
    System.Type klass = typeof(T);
    T ret = null;
    try
    {
        if (jsonOutput != null)
        {
            WriteJson(jsonOutput, conn.GetOutputStream());
        }
    }
    catch (IOException ex)
    {
        // On a failed write the input stream is fetched and closed before
        // the write exception is rethrown.
        // NOTE(review): if GetInputStream() itself throws here, that
        // exception propagates instead of the original one -- confirm this
        // is intended.
        conn.GetInputStream().Close();
        throw;
    }
    // Treated as an authentication failure: 401, or 403 whose response
    // message equals AnonymousRequestsDisallowed or contains InvalidSignature.
    // NOTE(review): the 403 case is recognised by matching the response
    // message text, so it depends on the server's wording staying stable.
    if ((conn.GetResponseCode() == HttpURLConnection.HttpForbidden && (conn.GetResponseMessage ().Equals(AnonymousRequestsDisallowed) || conn.GetResponseMessage().Contains(InvalidSignature ))) || conn.GetResponseCode() == HttpURLConnection.HttpUnauthorized)
    {
        // Ideally, this should happen only when there is an authentication
        // failure. Unfortunately, the AuthenticationFilter returns 403 when it
        // cannot authenticate (since a 401 requires the server to send a
        // WWW-Authenticate header as well).
        // The cached token is replaced with a new, empty one so that the
        // rejected token is not presented again.
        this.authToken = new DelegationTokenAuthenticatedURL.Token();
        if (authRetryCount > 0)
        {
            // Re-issue the same request (URL, method, content type) on a new connection.
            // NOTE(review): the previous connection is not visibly closed
            // before being replaced -- confirm it is released elsewhere.
            string contentType = conn.GetRequestProperty(ContentType);
            string requestMethod = conn.GetRequestMethod();
            Uri url = conn.GetURL();
            conn = CreateConnection(url, requestMethod);
            conn.SetRequestProperty(ContentType, contentType);
            // NOTE(review): this call passes five arguments (including
            // klass) while the signature above takes four; presumably it
            // targets another overload not visible here -- verify.
            return(Call(conn, jsonOutput, expectedResponse, klass, authRetryCount - 1));
        }
        // With no retries left, control falls through to the token
        // extraction and response validation below.
    }
    try
    {
        AuthenticatedURL.ExtractToken(conn, authToken);
    }
    catch (AuthenticationException)
    {
    }
    // Ignore the AuthenticationException, since the method is only used to
    // extract and set the authToken (workaround until AuthenticatedURL is
    // fixed to set authToken properly after initialization).
    HttpExceptionUtils.ValidateResponse(conn, expectedResponse);
    // The body is parsed only when the content type matches
    // ApplicationJsonMime (case-insensitively) and a target type is known.
    if (Runtime.EqualsIgnoreCase(ApplicationJsonMime, conn.GetContentType()) && klass != null)
    {
        ObjectMapper mapper = new ObjectMapper();
        InputStream @is = null;
        try
        {
            @is = conn.GetInputStream();
            ret = mapper.ReadValue(@is, klass);
        }
        catch (IOException ex)
        {
            // NOTE(review): the stream is closed here and again in the
            // finally block below; the close in this handler looks redundant.
            if (@is != null)
            {
                @is.Close();
            }
            throw;
        }
        finally
        {
            if (@is != null)
            {
                @is.Close();
            }
        }
    }
    return(ret);
}