/// <summary>
/// Get
/// <see cref="Org.Apache.Hadoop.Security.UserGroupInformation"/>
/// and possibly the delegation token out of
/// the request.
/// </summary>
/// <param name="context">the ServletContext that is serving this request.</param>
/// <param name="request">the http request</param>
/// <param name="conf">configuration</param>
/// <param name="secureAuthMethod">the AuthenticationMethod used in secure mode.</param>
/// <param name="tryUgiParameter">Should it try the ugi parameter?</param>
/// <returns>a new user from the request</returns>
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">if the request has no token
/// </exception>
/// <exception cref="System.IO.IOException"/>
public static UserGroupInformation GetUGI(ServletContext context, HttpServletRequest
request, Configuration conf, UserGroupInformation.AuthenticationMethod secureAuthMethod
, bool tryUgiParameter)
{
UserGroupInformation ugi = null;
string usernameFromQuery = GetUsernameFromQuery(request, tryUgiParameter);
string doAsUserFromQuery = request.GetParameter(DoAsParam.Name);
string remoteUser;
if (UserGroupInformation.IsSecurityEnabled())
{
remoteUser = request.GetRemoteUser();
string tokenString = request.GetParameter(DelegationParameterName);
if (tokenString != null)
{
// Token-based connections need only verify the effective user, and
// disallow proxying to different user. Proxy authorization checks
// are not required since the checks apply to issuing a token.
ugi = GetTokenUGI(context, request, tokenString, conf);
CheckUsername(ugi.GetShortUserName(), usernameFromQuery);
CheckUsername(ugi.GetShortUserName(), doAsUserFromQuery);
}
else
{
if (remoteUser == null)
{
throw new IOException("Security enabled but user not authenticated by filter");
}
}
}
else
{
// Security's not on, pull from url or use default web user
remoteUser = (usernameFromQuery == null) ? GetDefaultWebUserName(conf) : usernameFromQuery;
}
// not specified in request
if (ugi == null)
{
// security is off, or there's no token
ugi = UserGroupInformation.CreateRemoteUser(remoteUser);
CheckUsername(ugi.GetShortUserName(), usernameFromQuery);
if (UserGroupInformation.IsSecurityEnabled())
{
// This is not necessarily true, could have been auth'ed by user-facing
// filter
ugi.SetAuthenticationMethod(secureAuthMethod);
}
if (doAsUserFromQuery != null)
{
// create and attempt to authorize a proxy user
ugi = UserGroupInformation.CreateProxyUser(doAsUserFromQuery, ugi);
ProxyUsers.Authorize(ugi, GetRemoteAddr(request));
}
}
if (Log.IsDebugEnabled())
{
Log.Debug("getUGI is returning: " + ugi.GetShortUserName());
}
return(ugi);
}
/// <exception cref="System.Exception"/>
public virtual void TestUGIAuthMethodInRealUser()
{
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
UserGroupInformation proxyUgi = UserGroupInformation.CreateProxyUser("proxy", ugi
);
UserGroupInformation.AuthenticationMethod am = UserGroupInformation.AuthenticationMethod
.Kerberos;
ugi.SetAuthenticationMethod(am);
Assert.Equal(am, ugi.GetAuthenticationMethod());
Assert.Equal(UserGroupInformation.AuthenticationMethod.Proxy,
proxyUgi.GetAuthenticationMethod());
Assert.Equal(am, UserGroupInformation.GetRealAuthenticationMethod
(proxyUgi));
proxyUgi.DoAs(new _PrivilegedExceptionAction_690(am));
UserGroupInformation proxyUgi2 = new UserGroupInformation(proxyUgi.GetSubject());
proxyUgi2.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Proxy
);
Assert.Equal(proxyUgi, proxyUgi2);
// Equality should work if authMethod is null
UserGroupInformation realugi = UserGroupInformation.GetCurrentUser();
UserGroupInformation proxyUgi3 = UserGroupInformation.CreateProxyUser("proxyAnother"
, realugi);
UserGroupInformation proxyUgi4 = new UserGroupInformation(proxyUgi3.GetSubject());
Assert.Equal(proxyUgi3, proxyUgi4);
}
/// <exception cref="System.IO.IOException"/>
private void TryLoginAuthenticationMethod(UserGroupInformation.AuthenticationMethod
method, bool expectSuccess)
{
SecurityUtil.SetAuthenticationMethod(method, conf);
UserGroupInformation.SetConfiguration(conf);
// pick up changed auth
UserGroupInformation ugi = null;
Exception ex = null;
try
{
ugi = UserGroupInformation.GetLoginUser();
}
catch (Exception e)
{
ex = e;
}
if (expectSuccess)
{
NUnit.Framework.Assert.IsNotNull(ugi);
Assert.Equal(method, ugi.GetAuthenticationMethod());
}
else
{
NUnit.Framework.Assert.IsNotNull(ex);
Assert.Equal(typeof(NotSupportedException), ex.GetType());
Assert.Equal(method + " login authentication is not supported"
, ex.Message);
}
}
/// <exception cref="System.Exception"/>
public virtual void TestUGIAuthMethod()
{
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
UserGroupInformation.AuthenticationMethod am = UserGroupInformation.AuthenticationMethod
.Kerberos;
ugi.SetAuthenticationMethod(am);
Assert.Equal(am, ugi.GetAuthenticationMethod());
ugi.DoAs(new _PrivilegedExceptionAction_668(am));
}
public static void SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod
authenticationMethod, Configuration conf)
{
if (authenticationMethod == null)
{
authenticationMethod = UserGroupInformation.AuthenticationMethod.Simple;
}
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, StringUtils.
ToLowerCase(authenticationMethod.ToString()));
}
public User(string name, UserGroupInformation.AuthenticationMethod authMethod, LoginContext
login)
{
try
{
shortName = new HadoopKerberosName(name).GetShortName();
}
catch (IOException ioe)
{
throw new ArgumentException("Illegal principal name " + name + ": " + ioe.ToString
(), ioe);
}
fullName = name;
this.authMethod = authMethod;
this.login = login;
}
public _PrivilegedExceptionAction_690(UserGroupInformation.AuthenticationMethod am
)
{
this.am = am;
}
public virtual void SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod
authMethod)
{
this.authMethod = authMethod;
}
