/// <exception cref="System.Exception"/> public Void Run() { DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token (); DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL(); HttpURLConnection conn = aUrl.OpenConnection(url, token, TestWebDelegationToken.OkUser ); Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode()); IList <string> ret = IOUtils.ReadLines(conn.GetInputStream()); Assert.Equal(1, ret.Count); Assert.Equal(TestWebDelegationToken.OkUser, ret[0]); conn = aUrl.OpenConnection(url, token, TestWebDelegationToken.FailUser); Assert.Equal(HttpURLConnection.HttpForbidden, conn.GetResponseCode ()); aUrl.GetDelegationToken(url, token, TestWebDelegationToken.FooUser); UserGroupInformation ugi = UserGroupInformation.GetCurrentUser(); ugi.AddToken(token.GetDelegationToken()); token = new DelegationTokenAuthenticatedURL.Token(); conn = aUrl.OpenConnection(url, token, TestWebDelegationToken.OkUser); Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode()); ret = IOUtils.ReadLines(conn.GetInputStream()); Assert.Equal(1, ret.Count); Assert.Equal(TestWebDelegationToken.FooUser, ret[0]); return(null); }
public virtual void TestExternalDelegationTokenSecretManager() { TestWebDelegationToken.DummyDelegationTokenSecretManager secretMgr = new TestWebDelegationToken.DummyDelegationTokenSecretManager (); Org.Mortbay.Jetty.Server jetty = CreateJettyServer(); Context context = new Context(); context.SetContextPath("/foo"); jetty.SetHandler(context); context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.AFilter)), "/*", 0); context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.PingServlet)), "/bar"); try { secretMgr.StartThreads(); context.SetAttribute(DelegationTokenAuthenticationFilter.DelegationTokenSecretManagerAttr , secretMgr); jetty.Start(); Uri authURL = new Uri(GetJettyURL() + "/foo/bar?authenticated=foo"); DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token (); DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL(); aUrl.GetDelegationToken(authURL, token, FooUser); NUnit.Framework.Assert.IsNotNull(token.GetDelegationToken()); Assert.Equal(new Text("fooKind"), token.GetDelegationToken().GetKind ()); } finally { jetty.Stop(); secretMgr.StopThreads(); } }
public _Callable_778(DelegationTokenAuthenticatedURL aUrl, Uri url, DelegationTokenAuthenticatedURL.Token token, bool doAs, string doAsUser) { this.aUrl = aUrl; this.url = url; this.token = token; this.doAs = doAs; this.doAsUser = doAsUser; }
/// <summary> /// Returns an authenticated /// <see cref="HttpURLConnection"/> /// . If the Delegation /// Token is present, it will be used taking precedence over the configured /// <code>Authenticator</code>. If the <code>doAs</code> parameter is not NULL, /// the request will be done on behalf of the specified <code>doAs</code> user. /// </summary> /// <param name="url">the URL to connect to. Only HTTP/S URLs are supported.</param> /// <param name="token">the authentication token being used for the user.</param> /// <param name="doAs"> /// user to do the the request on behalf of, if NULL the request is /// as self. /// </param> /// <returns> /// an authenticated /// <see cref="HttpURLConnection"/> /// . /// </returns> /// <exception cref="System.IO.IOException">if an IO error occurred.</exception> /// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException /// ">if an authentication exception occurred.</exception> public virtual HttpURLConnection OpenConnection(Uri url, DelegationTokenAuthenticatedURL.Token token, string doAs) { Preconditions.CheckNotNull(url, "url"); Preconditions.CheckNotNull(token, "token"); IDictionary <string, string> extraParams = new Dictionary <string, string>(); Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> dToken = null; // if we have valid auth token, it takes precedence over a delegation token // and we don't even look for one. if (!token.IsSet()) { // delegation token Credentials creds = UserGroupInformation.GetCurrentUser().GetCredentials(); if (!creds.GetAllTokens().IsEmpty()) { IPEndPoint serviceAddr = new IPEndPoint(url.GetHost(), url.Port); Text service = SecurityUtil.BuildTokenService(serviceAddr); dToken = creds.GetToken(service); if (dToken != null) { if (UseQueryStringForDelegationToken()) { // delegation token will go in the query string, injecting it extraParams[KerberosDelegationTokenAuthenticator.DelegationParam] = dToken.EncodeToUrlString (); } else { // delegation token will go as request header, setting it in the // auth-token to ensure no authentication handshake is triggered // (if we have a delegation token, we are authenticated) // the delegation token header is injected in the connection request // at the end of this method. token.delegationToken = (Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier >)dToken; } } } } // proxyuser if (doAs != null) { extraParams[DoAs] = URLEncoder.Encode(doAs, "UTF-8"); } url = AugmentURL(url, extraParams); HttpURLConnection conn = base.OpenConnection(url, token); if (!token.IsSet() && !UseQueryStringForDelegationToken() && dToken != null) { // injecting the delegation token header in the connection request conn.SetRequestProperty(DelegationTokenAuthenticator.DelegationTokenHeader, dToken .EncodeToUrlString()); } return(conn); }
/// <exception cref="System.Exception"/> private void TestKerberosDelegationTokenAuthenticator(bool doAs) { string doAsUser = doAs ? OkUser : null; // setting hadoop security to kerberos Configuration conf = new Configuration(); conf.Set("hadoop.security.authentication", "kerberos"); UserGroupInformation.SetConfiguration(conf); FilePath testDir = new FilePath("target/" + UUID.RandomUUID().ToString()); Assert.True(testDir.Mkdirs()); MiniKdc kdc = new MiniKdc(MiniKdc.CreateConf(), testDir); Org.Mortbay.Jetty.Server jetty = CreateJettyServer(); Context context = new Context(); context.SetContextPath("/foo"); jetty.SetHandler(context); context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.KDTAFilter)), "/*" , 0); context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.UserServlet)), "/bar"); try { kdc.Start(); FilePath keytabFile = new FilePath(testDir, "test.keytab"); kdc.CreatePrincipal(keytabFile, "client", "HTTP/localhost"); TestWebDelegationToken.KDTAFilter.keytabFile = keytabFile.GetAbsolutePath(); jetty.Start(); DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token (); DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL(); Uri url = new Uri(GetJettyURL() + "/foo/bar"); try { aUrl.GetDelegationToken(url, token, FooUser, doAsUser); NUnit.Framework.Assert.Fail(); } catch (AuthenticationException ex) { Assert.True(ex.Message.Contains("GSSException")); } DoAsKerberosUser("client", keytabFile.GetAbsolutePath(), new _Callable_778(aUrl, url, token, doAs, doAsUser)); } finally { // Make sure the token belongs to the right owner jetty.Stop(); kdc.Stop(); } }
/// <summary>Cancels a delegation token from the server end-point.</summary> /// <remarks> /// Cancels a delegation token from the server end-point. It does not require /// being authenticated by the configured <code>Authenticator</code>. /// </remarks> /// <param name="url"> /// the URL to cancel the delegation token from. Only HTTP/S URLs /// are supported. /// </param> /// <param name="token">the authentication token with the Delegation Token to cancel. /// </param> /// <param name="doAsUser">the user to do as, which will be the token owner.</param> /// <exception cref="System.IO.IOException">if an IO error occurred.</exception> public virtual void CancelDelegationToken(Uri url, DelegationTokenAuthenticatedURL.Token token, string doAsUser) { Preconditions.CheckNotNull(url, "url"); Preconditions.CheckNotNull(token, "token"); Preconditions.CheckNotNull(token.delegationToken, "No delegation token available" ); try { ((KerberosDelegationTokenAuthenticator)GetAuthenticator()).CancelDelegationToken( url, token, token.delegationToken, doAsUser); } finally { token.delegationToken = null; } }
/// <summary> /// Renews a delegation token from the server end-point using the /// configured <code>Authenticator</code> for authentication. /// </summary> /// <param name="url"> /// the URL to renew the delegation token from. Only HTTP/S URLs are /// supported. /// </param> /// <param name="token">the authentication token with the Delegation Token to renew.</param> /// <param name="doAsUser">the user to do as, which will be the token owner.</param> /// <exception cref="System.IO.IOException">if an IO error occurred.</exception> /// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException /// ">if an authentication exception occurred.</exception> public virtual long RenewDelegationToken(Uri url, DelegationTokenAuthenticatedURL.Token token, string doAsUser) { Preconditions.CheckNotNull(url, "url"); Preconditions.CheckNotNull(token, "token"); Preconditions.CheckNotNull(token.delegationToken, "No delegation token available" ); try { return(((KerberosDelegationTokenAuthenticator)GetAuthenticator()).RenewDelegationToken (url, token, token.delegationToken, doAsUser)); } catch (IOException ex) { token.delegationToken = null; throw; } }
/// <exception cref="System.Exception"/> public Void Run() { DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token (); DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL(); HttpURLConnection conn = aUrl.OpenConnection(url, token); Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode()); IList <string> ret = IOUtils.ReadLines(conn.GetInputStream()); Assert.Equal(1, ret.Count); Assert.Equal(TestWebDelegationToken.FooUser, ret[0]); aUrl.GetDelegationToken(url, token, TestWebDelegationToken.FooUser); NUnit.Framework.Assert.IsNotNull(token.GetDelegationToken()); Assert.Equal(new Text("token-kind"), token.GetDelegationToken( ).GetKind()); return(null); }
/// <exception cref="System.Exception"/> public Void Run() { DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token (); DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL(); HttpURLConnection conn = aUrl.OpenConnection(url, token); Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode()); IList <string> ret = IOUtils.ReadLines(conn.GetInputStream()); Assert.Equal(1, ret.Count); Assert.Equal("remoteuser="******":ugi=" + TestWebDelegationToken.FooUser, ret[0]); conn = aUrl.OpenConnection(url, token, TestWebDelegationToken.OkUser); Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode()); ret = IOUtils.ReadLines(conn.GetInputStream()); Assert.Equal(1, ret.Count); Assert.Equal("realugi=" + TestWebDelegationToken.FooUser + ":remoteuser="******":ugi=" + TestWebDelegationToken.OkUser, ret[ 0]); return(null); }
/// <exception cref="System.Exception"/> public Void Run() { DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token (); DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL(); HttpURLConnection conn = aUrl.OpenConnection(url, token); Assert.Equal(HttpURLConnection.HttpOk, conn.GetResponseCode()); IList <string> ret = IOUtils.ReadLines(conn.GetInputStream()); Assert.Equal(1, ret.Count); Assert.Equal(TestWebDelegationToken.FooUser, ret[0]); try { aUrl.GetDelegationToken(url, token, TestWebDelegationToken.FooUser); NUnit.Framework.Assert.Fail(); } catch (AuthenticationException ex) { Assert.True(ex.Message.Contains("delegation token operation")); } return(null); }
/// <summary>Cancels a delegation token from the server end-point.</summary> /// <remarks> /// Cancels a delegation token from the server end-point. It does not require /// being authenticated by the configured <code>Authenticator</code>. /// </remarks> /// <param name="url"> /// the URL to cancel the delegation token from. Only HTTP/S URLs /// are supported. /// </param> /// <param name="token">the authentication token with the Delegation Token to cancel. /// </param> /// <exception cref="System.IO.IOException">if an IO error occurred.</exception> public virtual void CancelDelegationToken(Uri url, DelegationTokenAuthenticatedURL.Token token) { CancelDelegationToken(url, token, null); }
/// <summary> /// Renews a delegation token from the server end-point using the /// configured <code>Authenticator</code> for authentication. /// </summary> /// <param name="url"> /// the URL to renew the delegation token from. Only HTTP/S URLs are /// supported. /// </param> /// <param name="token">the authentication token with the Delegation Token to renew.</param> /// <exception cref="System.IO.IOException">if an IO error occurred.</exception> /// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException /// ">if an authentication exception occurred.</exception> public virtual long RenewDelegationToken(Uri url, DelegationTokenAuthenticatedURL.Token token) { return(RenewDelegationToken(url, token, null)); }
> GetDelegationToken(Uri url, DelegationTokenAuthenticatedURL.Token token, string renewer, string doAsUser) { Preconditions.CheckNotNull(url, "url"); Preconditions.CheckNotNull(token, "token"); try { token.delegationToken = ((KerberosDelegationTokenAuthenticator)GetAuthenticator() ).GetDelegationToken(url, token, renewer, doAsUser); return(token.delegationToken); } catch (IOException ex) { token.delegationToken = null; throw; } }
> GetDelegationToken(Uri url, DelegationTokenAuthenticatedURL.Token token, string renewer) { return(GetDelegationToken(url, token, renewer, null)); }
/// <summary> /// Returns an authenticated /// <see cref="HttpURLConnection"/> /// . If the Delegation /// Token is present, it will be used taking precedence over the configured /// <code>Authenticator</code>. /// </summary> /// <param name="url">the URL to connect to. Only HTTP/S URLs are supported.</param> /// <param name="token">the authentication token being used for the user.</param> /// <returns> /// an authenticated /// <see cref="HttpURLConnection"/> /// . /// </returns> /// <exception cref="System.IO.IOException">if an IO error occurred.</exception> /// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException /// ">if an authentication exception occurred.</exception> public virtual HttpURLConnection OpenConnection(Uri url, DelegationTokenAuthenticatedURL.Token token) { return(OpenConnection(url, token, null)); }
/// <exception cref="System.Exception"/> private void TestDelegationTokenAuthenticatorCalls(bool useQS) { Org.Mortbay.Jetty.Server jetty = CreateJettyServer(); Context context = new Context(); context.SetContextPath("/foo"); jetty.SetHandler(context); context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.AFilter)), "/*", 0); context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.PingServlet)), "/bar"); try { jetty.Start(); Uri nonAuthURL = new Uri(GetJettyURL() + "/foo/bar"); Uri authURL = new Uri(GetJettyURL() + "/foo/bar?authenticated=foo"); Uri authURL2 = new Uri(GetJettyURL() + "/foo/bar?authenticated=bar"); DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token (); DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL(); aUrl.SetUseQueryStringForDelegationToken(useQS); try { aUrl.GetDelegationToken(nonAuthURL, token, FooUser); NUnit.Framework.Assert.Fail(); } catch (Exception ex) { Assert.True(ex.Message.Contains("401")); } aUrl.GetDelegationToken(authURL, token, FooUser); NUnit.Framework.Assert.IsNotNull(token.GetDelegationToken()); Assert.Equal(new Text("token-kind"), token.GetDelegationToken( ).GetKind()); aUrl.RenewDelegationToken(authURL, token); try { aUrl.RenewDelegationToken(nonAuthURL, token); NUnit.Framework.Assert.Fail(); } catch (Exception ex) { Assert.True(ex.Message.Contains("401")); } aUrl.GetDelegationToken(authURL, token, FooUser); try { aUrl.RenewDelegationToken(authURL2, token); NUnit.Framework.Assert.Fail(); } catch (Exception ex) { Assert.True(ex.Message.Contains("403")); } aUrl.GetDelegationToken(authURL, token, FooUser); aUrl.CancelDelegationToken(authURL, token); aUrl.GetDelegationToken(authURL, token, FooUser); aUrl.CancelDelegationToken(nonAuthURL, token); aUrl.GetDelegationToken(authURL, token, FooUser); try { aUrl.RenewDelegationToken(nonAuthURL, token); } catch (Exception ex) { Assert.True(ex.Message.Contains("401")); } aUrl.GetDelegationToken(authURL, token, "foo"); UserGroupInformation ugi = UserGroupInformation.GetCurrentUser(); ugi.AddToken(token.GetDelegationToken()); ugi.DoAs(new _PrivilegedExceptionAction_412(aUrl, nonAuthURL, useQS)); } finally { jetty.Stop(); } }