/// <exception cref="System.IO.IOException"/> /// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException /// "/> public override bool ManagementOperation(AuthenticationToken token, HttpServletRequest request, HttpServletResponse response) { bool requestContinues = true; string op = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator .OpParam); op = (op != null) ? StringUtils.ToUpperCase(op) : null; if (DelegationTokenOps.Contains(op) && !request.GetMethod().Equals("OPTIONS")) { DelegationTokenAuthenticator.DelegationTokenOperation dtOp = DelegationTokenAuthenticator.DelegationTokenOperation .ValueOf(op); if (dtOp.GetHttpMethod().Equals(request.GetMethod())) { bool doManagement; if (dtOp.RequiresKerberosCredentials() && token == null) { token = Authenticate(request, response); if (token == null) { requestContinues = false; doManagement = false; } else { doManagement = true; } } else { doManagement = true; } if (doManagement) { UserGroupInformation requestUgi = (token != null) ? UserGroupInformation.CreateRemoteUser (token.GetUserName()) : null; // Create the proxy user if doAsUser exists string doAsUser = DelegationTokenAuthenticationFilter.GetDoAs(request); if (requestUgi != null && doAsUser != null) { requestUgi = UserGroupInformation.CreateProxyUser(doAsUser, requestUgi); try { ProxyUsers.Authorize(requestUgi, request.GetRemoteHost()); } catch (AuthorizationException ex) { HttpExceptionUtils.CreateServletExceptionResponse(response, HttpServletResponse.ScForbidden , ex); return(false); } } IDictionary map = null; switch (dtOp) { case DelegationTokenAuthenticator.DelegationTokenOperation.Getdelegationtoken: { if (requestUgi == null) { throw new InvalidOperationException("request UGI cannot be NULL"); } string renewer = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator .RenewerParam); try { Org.Apache.Hadoop.Security.Token.Token <object> dToken = tokenManager.CreateToken( requestUgi, renewer); map = DelegationTokenToJSON(dToken); } catch (IOException ex) { throw new AuthenticationException(ex.ToString(), ex); } break; } case DelegationTokenAuthenticator.DelegationTokenOperation.Renewdelegationtoken: { if (requestUgi == null) { throw new InvalidOperationException("request UGI cannot be NULL"); } string tokenToRenew = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator .TokenParam); if (tokenToRenew == null) { response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]" , dtOp, KerberosDelegationTokenAuthenticator.TokenParam)); requestContinues = false; } else { Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new Org.Apache.Hadoop.Security.Token.Token(); try { dt.DecodeFromUrlString(tokenToRenew); long expirationTime = tokenManager.RenewToken(dt, requestUgi.GetShortUserName()); map = new Hashtable(); map["long"] = expirationTime; } catch (IOException ex) { throw new AuthenticationException(ex.ToString(), ex); } } break; } case DelegationTokenAuthenticator.DelegationTokenOperation.Canceldelegationtoken: { string tokenToCancel = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator .TokenParam); if (tokenToCancel == null) { response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]" , dtOp, KerberosDelegationTokenAuthenticator.TokenParam)); requestContinues = false; } else { Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new Org.Apache.Hadoop.Security.Token.Token(); try { dt.DecodeFromUrlString(tokenToCancel); tokenManager.CancelToken(dt, (requestUgi != null) ? requestUgi.GetShortUserName() : null); } catch (IOException) { response.SendError(HttpServletResponse.ScNotFound, "Invalid delegation token, cannot cancel" ); requestContinues = false; } } break; } } if (requestContinues) { response.SetStatus(HttpServletResponse.ScOk); if (map != null) { response.SetContentType(MediaType.ApplicationJson); TextWriter writer = response.GetWriter(); ObjectMapper jsonMapper = new ObjectMapper(); jsonMapper.WriteValue(writer, map); writer.Write(Enter); writer.Flush(); } requestContinues = false; } } } else { response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Wrong HTTP method [{0}] for operation [{1}], it should be " + "[{2}]", request.GetMethod(), dtOp, dtOp.GetHttpMethod())); requestContinues = false; } } return(requestContinues); }
public virtual void TestDTManager() { Configuration conf = new Configuration(false); conf.SetLong(DelegationTokenManager.UpdateInterval, DayInSecs); conf.SetLong(DelegationTokenManager.MaxLifetime, DayInSecs); conf.SetLong(DelegationTokenManager.RenewInterval, DayInSecs); conf.SetLong(DelegationTokenManager.RemovalScanInterval, DayInSecs); conf.GetBoolean(DelegationTokenManager.EnableZkKey, enableZKKey); DelegationTokenManager tm = new DelegationTokenManager(conf, new Text("foo")); tm.Init(); Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = (Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier>)tm.CreateToken(UserGroupInformation.GetCurrentUser() , "foo"); NUnit.Framework.Assert.IsNotNull(token); tm.VerifyToken(token); Assert.True(tm.RenewToken(token, "foo") > Runtime.CurrentTimeMillis ()); tm.CancelToken(token, "foo"); try { tm.VerifyToken(token); NUnit.Framework.Assert.Fail(); } catch (IOException) { } catch (Exception) { //NOP NUnit.Framework.Assert.Fail(); } tm.Destroy(); }