/// <summary> /// Get /// <see cref="Org.Apache.Hadoop.Security.UserGroupInformation"/> /// and possibly the delegation token out of /// the request. /// </summary> /// <param name="context">the ServletContext that is serving this request.</param> /// <param name="request">the http request</param> /// <param name="conf">configuration</param> /// <param name="secureAuthMethod">the AuthenticationMethod used in secure mode.</param> /// <param name="tryUgiParameter">Should it try the ugi parameter?</param> /// <returns>a new user from the request</returns> /// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">if the request has no token /// </exception> /// <exception cref="System.IO.IOException"/> public static UserGroupInformation GetUGI(ServletContext context, HttpServletRequest request, Configuration conf, UserGroupInformation.AuthenticationMethod secureAuthMethod , bool tryUgiParameter) { UserGroupInformation ugi = null; string usernameFromQuery = GetUsernameFromQuery(request, tryUgiParameter); string doAsUserFromQuery = request.GetParameter(DoAsParam.Name); string remoteUser; if (UserGroupInformation.IsSecurityEnabled()) { remoteUser = request.GetRemoteUser(); string tokenString = request.GetParameter(DelegationParameterName); if (tokenString != null) { // Token-based connections need only verify the effective user, and // disallow proxying to different user. Proxy authorization checks // are not required since the checks apply to issuing a token. ugi = GetTokenUGI(context, request, tokenString, conf); CheckUsername(ugi.GetShortUserName(), usernameFromQuery); CheckUsername(ugi.GetShortUserName(), doAsUserFromQuery); } else { if (remoteUser == null) { throw new IOException("Security enabled but user not authenticated by filter"); } } } else { // Security's not on, pull from url or use default web user remoteUser = (usernameFromQuery == null) ? GetDefaultWebUserName(conf) : usernameFromQuery; } // not specified in request if (ugi == null) { // security is off, or there's no token ugi = UserGroupInformation.CreateRemoteUser(remoteUser); CheckUsername(ugi.GetShortUserName(), usernameFromQuery); if (UserGroupInformation.IsSecurityEnabled()) { // This is not necessarily true, could have been auth'ed by user-facing // filter ugi.SetAuthenticationMethod(secureAuthMethod); } if (doAsUserFromQuery != null) { // create and attempt to authorize a proxy user ugi = UserGroupInformation.CreateProxyUser(doAsUserFromQuery, ugi); ProxyUsers.Authorize(ugi, GetRemoteAddr(request)); } } if (Log.IsDebugEnabled()) { Log.Debug("getUGI is returning: " + ugi.GetShortUserName()); } return(ugi); }
/// <exception cref="System.Exception"/> public virtual void TestUGIAuthMethodInRealUser() { UserGroupInformation ugi = UserGroupInformation.GetCurrentUser(); UserGroupInformation proxyUgi = UserGroupInformation.CreateProxyUser("proxy", ugi ); UserGroupInformation.AuthenticationMethod am = UserGroupInformation.AuthenticationMethod .Kerberos; ugi.SetAuthenticationMethod(am); Assert.Equal(am, ugi.GetAuthenticationMethod()); Assert.Equal(UserGroupInformation.AuthenticationMethod.Proxy, proxyUgi.GetAuthenticationMethod()); Assert.Equal(am, UserGroupInformation.GetRealAuthenticationMethod (proxyUgi)); proxyUgi.DoAs(new _PrivilegedExceptionAction_690(am)); UserGroupInformation proxyUgi2 = new UserGroupInformation(proxyUgi.GetSubject()); proxyUgi2.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Proxy ); Assert.Equal(proxyUgi, proxyUgi2); // Equality should work if authMethod is null UserGroupInformation realugi = UserGroupInformation.GetCurrentUser(); UserGroupInformation proxyUgi3 = UserGroupInformation.CreateProxyUser("proxyAnother" , realugi); UserGroupInformation proxyUgi4 = new UserGroupInformation(proxyUgi3.GetSubject()); Assert.Equal(proxyUgi3, proxyUgi4); }
/// <exception cref="System.IO.IOException"/> private void TryLoginAuthenticationMethod(UserGroupInformation.AuthenticationMethod method, bool expectSuccess) { SecurityUtil.SetAuthenticationMethod(method, conf); UserGroupInformation.SetConfiguration(conf); // pick up changed auth UserGroupInformation ugi = null; Exception ex = null; try { ugi = UserGroupInformation.GetLoginUser(); } catch (Exception e) { ex = e; } if (expectSuccess) { NUnit.Framework.Assert.IsNotNull(ugi); Assert.Equal(method, ugi.GetAuthenticationMethod()); } else { NUnit.Framework.Assert.IsNotNull(ex); Assert.Equal(typeof(NotSupportedException), ex.GetType()); Assert.Equal(method + " login authentication is not supported" , ex.Message); } }
/// <exception cref="System.Exception"/> public virtual void TestUGIAuthMethod() { UserGroupInformation ugi = UserGroupInformation.GetCurrentUser(); UserGroupInformation.AuthenticationMethod am = UserGroupInformation.AuthenticationMethod .Kerberos; ugi.SetAuthenticationMethod(am); Assert.Equal(am, ugi.GetAuthenticationMethod()); ugi.DoAs(new _PrivilegedExceptionAction_668(am)); }
public static void SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod authenticationMethod, Configuration conf) { if (authenticationMethod == null) { authenticationMethod = UserGroupInformation.AuthenticationMethod.Simple; } conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, StringUtils. ToLowerCase(authenticationMethod.ToString())); }
public User(string name, UserGroupInformation.AuthenticationMethod authMethod, LoginContext login) { try { shortName = new HadoopKerberosName(name).GetShortName(); } catch (IOException ioe) { throw new ArgumentException("Illegal principal name " + name + ": " + ioe.ToString (), ioe); } fullName = name; this.authMethod = authMethod; this.login = login; }
public _PrivilegedExceptionAction_690(UserGroupInformation.AuthenticationMethod am ) { this.am = am; }
public virtual void SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod authMethod) { this.authMethod = authMethod; }