private void injectToken() throws IOException { if (UserGroupInformation.isSecurityEnabled()) { Token<DelegationTokenIdentifier> token = params.delegationToken(); token.setKind(HDFS_DELEGATION_KIND); ugi.addToken(token); } }
private Token<? extends TokenIdentifier> generateDelegationToken( final NameNode namenode, final UserGroupInformation ugi, final String renewer) throws IOException { final Credentials c = DelegationTokenSecretManager.createCredentials( namenode, ugi, renewer != null ? renewer : ugi.getShortUserName()); final Token<? extends TokenIdentifier> t = c.getAllTokens().iterator().next(); t.setKind(WebHdfsFileSystem.TOKEN_KIND); SecurityUtil.setTokenService(t, namenode.getHttpAddress()); return t; }
private WebHdfsFileSystem getWebHdfsFileSystem(UserGroupInformation ugi, Configuration conf) throws IOException { if (UserGroupInformation.isSecurityEnabled()) { DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(new Text(ugi.getUserName()), null, null); FSNamesystem namesystem = mock(FSNamesystem.class); DelegationTokenSecretManager dtSecretManager = new DelegationTokenSecretManager(86400000, 86400000, 86400000, 86400000, namesystem); dtSecretManager.startThreads(); Token<DelegationTokenIdentifier> token = new Token<DelegationTokenIdentifier>(dtId, dtSecretManager); SecurityUtil.setTokenService(token, NetUtils.createSocketAddr(uri.getAuthority())); token.setKind(WebHdfsConstants.WEBHDFS_TOKEN_KIND); ugi.addToken(token); } return (WebHdfsFileSystem) FileSystem.get(uri, conf); }
public static Credentials getDTfromRemote(String nnAddr, String renewer) throws IOException { DataInputStream dis = null; try { StringBuffer url = new StringBuffer(); if (renewer != null) { url.append(nnAddr) .append(GetDelegationTokenServlet.PATH_SPEC) .append("?") .append(GetDelegationTokenServlet.RENEWER) .append("=") .append(renewer); } else { url.append(nnAddr).append(GetDelegationTokenServlet.PATH_SPEC); } if (LOG.isDebugEnabled()) { LOG.debug("Retrieving token from: " + url); } URL remoteURL = new URL(url.toString()); SecurityUtil.fetchServiceTicket(remoteURL); URLConnection connection = remoteURL.openConnection(); InputStream in = connection.getInputStream(); Credentials ts = new Credentials(); dis = new DataInputStream(in); ts.readFields(dis); for (Token<?> token : ts.getAllTokens()) { token.setKind(HftpFileSystem.TOKEN_KIND); token.setService( new Text( SecurityUtil.buildDTServiceName( remoteURL.toURI(), DFSConfigKeys.DFS_HTTPS_PORT_DEFAULT))); } return ts; } catch (Exception e) { throw new IOException("Unable to obtain remote token", e); } finally { if (dis != null) dis.close(); } }
/** * Get {@link UserGroupInformation} and possibly the delegation token out of the request. * * @param context the Servlet context * @param request the http request * @param conf configuration * @param secureAuthMethod the AuthenticationMethod used in secure mode. * @param tryUgiParameter Should it try the ugi parameter? * @return a new user from the request * @throws AccessControlException if the request has no token */ public static UserGroupInformation getUGI( ServletContext context, HttpServletRequest request, Configuration conf, final AuthenticationMethod secureAuthMethod, final boolean tryUgiParameter) throws IOException { final UserGroupInformation ugi; final String usernameFromQuery = getUsernameFromQuery(request, tryUgiParameter); final String doAsUserFromQuery = request.getParameter(DoAsParam.NAME); if (UserGroupInformation.isSecurityEnabled()) { final String remoteUser = request.getRemoteUser(); String tokenString = request.getParameter(DELEGATION_PARAMETER_NAME); if (tokenString != null) { Token<DelegationTokenIdentifier> token = new Token<DelegationTokenIdentifier>(); token.decodeFromUrlString(tokenString); SecurityUtil.setTokenService(token, NameNode.getAddress(conf)); token.setKind(DelegationTokenIdentifier.HDFS_DELEGATION_KIND); ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier()); DataInputStream in = new DataInputStream(buf); DelegationTokenIdentifier id = new DelegationTokenIdentifier(); id.readFields(in); if (context != null) { NameNode nn = (NameNode) context.getAttribute("name.node"); if (nn != null) { // Verify the token. nn.getNamesystem() .getDelegationTokenSecretManager() .verifyToken(id, token.getPassword()); } } ugi = id.getUser(); if (ugi.getRealUser() == null) { // non-proxy case checkUsername(ugi.getShortUserName(), usernameFromQuery); checkUsername(null, doAsUserFromQuery); } else { // proxy case checkUsername(ugi.getRealUser().getShortUserName(), usernameFromQuery); checkUsername(ugi.getShortUserName(), doAsUserFromQuery); ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf); } ugi.addToken(token); ugi.setAuthenticationMethod(AuthenticationMethod.TOKEN); } else { if (remoteUser == null) { throw new IOException("Security enabled but user not " + "authenticated by filter"); } final UserGroupInformation realUgi = UserGroupInformation.createRemoteUser(remoteUser); checkUsername(realUgi.getShortUserName(), usernameFromQuery); // This is not necessarily true, could have been auth'ed by user-facing // filter realUgi.setAuthenticationMethod(secureAuthMethod); ugi = initUGI(realUgi, doAsUserFromQuery, request, true, conf); } } else { // Security's not on, pull from url final UserGroupInformation realUgi = usernameFromQuery == null ? getDefaultWebUser(conf) // not specified in request : UserGroupInformation.createRemoteUser(usernameFromQuery); realUgi.setAuthenticationMethod(AuthenticationMethod.SIMPLE); ugi = initUGI(realUgi, doAsUserFromQuery, request, false, conf); } if (LOG.isDebugEnabled()) LOG.debug("getUGI is returning: " + ugi.getShortUserName()); return ugi; }
@Test(timeout = 20000) public void testGetHSDelegationToken() throws Exception { try { Configuration conf = new Configuration(); // Setup mock service InetSocketAddress mockRmAddress = new InetSocketAddress("localhost", 4444); Text rmTokenSevice = SecurityUtil.buildTokenService(mockRmAddress); InetSocketAddress mockHsAddress = new InetSocketAddress("localhost", 9200); Text hsTokenSevice = SecurityUtil.buildTokenService(mockHsAddress); // Setup mock rm token RMDelegationTokenIdentifier tokenIdentifier = new RMDelegationTokenIdentifier(new Text("owner"), new Text("renewer"), new Text("real")); Token<RMDelegationTokenIdentifier> token = new Token<RMDelegationTokenIdentifier>( new byte[0], new byte[0], tokenIdentifier.getKind(), rmTokenSevice); token.setKind(RMDelegationTokenIdentifier.KIND_NAME); // Setup mock history token DelegationToken historyToken = BuilderUtils.newDelegationToken( new byte[0], MRDelegationTokenIdentifier.KIND_NAME.toString(), new byte[0], hsTokenSevice.toString()); GetDelegationTokenResponse getDtResponse = Records.newRecord(GetDelegationTokenResponse.class); getDtResponse.setDelegationToken(historyToken); // mock services MRClientProtocol mockHsProxy = mock(MRClientProtocol.class); doReturn(mockHsAddress).when(mockHsProxy).getConnectAddress(); doReturn(getDtResponse) .when(mockHsProxy) .getDelegationToken(any(GetDelegationTokenRequest.class)); ResourceMgrDelegate rmDelegate = mock(ResourceMgrDelegate.class); doReturn(mockRmAddress).when(rmDelegate).getConnectAddress(); ClientCache clientCache = mock(ClientCache.class); doReturn(mockHsProxy).when(clientCache).getInitializedHSProxy(); Credentials creds = new Credentials(); YARNRunner yarnRunner = new YARNRunner(conf, rmDelegate, clientCache); // No HS token if no RM token yarnRunner.addHistoyToken(creds); verify(mockHsProxy, times(0)).getDelegationToken(any(GetDelegationTokenRequest.class)); // No HS token if RM token, but secirity disabled. creds.addToken(new Text("rmdt"), token); yarnRunner.addHistoyToken(creds); verify(mockHsProxy, times(0)).getDelegationToken(any(GetDelegationTokenRequest.class)); conf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION, "kerberos"); UserGroupInformation.setConfiguration(conf); creds = new Credentials(); // No HS token if no RM token, security enabled yarnRunner.addHistoyToken(creds); verify(mockHsProxy, times(0)).getDelegationToken(any(GetDelegationTokenRequest.class)); // HS token if RM token present, security enabled creds.addToken(new Text("rmdt"), token); yarnRunner.addHistoyToken(creds); verify(mockHsProxy, times(1)).getDelegationToken(any(GetDelegationTokenRequest.class)); // No additional call to get HS token if RM and HS token present yarnRunner.addHistoyToken(creds); verify(mockHsProxy, times(1)).getDelegationToken(any(GetDelegationTokenRequest.class)); } finally { // Back to defaults. UserGroupInformation.setConfiguration(new Configuration()); } }