Exemplo n.º 1
0
 @Test
 public void testUGIAuthMethodInRealUser() throws Exception {
   final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
   UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser("proxy", ugi);
   final AuthenticationMethod am = AuthenticationMethod.KERBEROS;
   ugi.setAuthenticationMethod(am);
   Assert.assertEquals(am, ugi.getAuthenticationMethod());
   Assert.assertEquals(AuthenticationMethod.PROXY, proxyUgi.getAuthenticationMethod());
   proxyUgi.doAs(
       new PrivilegedExceptionAction<Object>() {
         public Object run() throws IOException {
           Assert.assertEquals(
               AuthenticationMethod.PROXY,
               UserGroupInformation.getCurrentUser().getAuthenticationMethod());
           Assert.assertEquals(
               am, UserGroupInformation.getCurrentUser().getRealUser().getAuthenticationMethod());
           return null;
         }
       });
   UserGroupInformation proxyUgi2 = new UserGroupInformation(proxyUgi.getSubject());
   proxyUgi2.setAuthenticationMethod(AuthenticationMethod.PROXY);
   Assert.assertEquals(proxyUgi, proxyUgi2);
   // Equality should work if authMethod is null
   UserGroupInformation realugi = UserGroupInformation.getCurrentUser();
   UserGroupInformation proxyUgi3 = UserGroupInformation.createProxyUser("proxyAnother", realugi);
   UserGroupInformation proxyUgi4 = new UserGroupInformation(proxyUgi3.getSubject());
   Assert.assertEquals(proxyUgi3, proxyUgi4);
 }
Exemplo n.º 2
0
 private void checkUgiFromToken(UserGroupInformation ugi) {
   if (ugi.getRealUser() != null) {
     Assert.assertEquals(AuthenticationMethod.PROXY, ugi.getAuthenticationMethod());
     Assert.assertEquals(AuthenticationMethod.TOKEN, ugi.getRealUser().getAuthenticationMethod());
   } else {
     Assert.assertEquals(AuthenticationMethod.TOKEN, ugi.getAuthenticationMethod());
   }
 }
Exemplo n.º 3
0
 /**
  * @param ugi A user group information.
  * @return true if delegation token operation is allowed
  */
 private boolean isAllowedDelegationTokenOp(UserGroupInformation ugi) throws IOException {
   AuthenticationMethod authMethod = ugi.getAuthenticationMethod();
   if (authMethod == AuthenticationMethod.PROXY) {
     authMethod = ugi.getRealUser().getAuthenticationMethod();
   }
   if (authMethod != AuthenticationMethod.KERBEROS
       && authMethod != AuthenticationMethod.KERBEROS_SSL
       && authMethod != AuthenticationMethod.CERTIFICATE) {
     return false;
   }
   return true;
 }
Exemplo n.º 4
0
 @Test
 public void testUGIAuthMethod() throws Exception {
   final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
   final AuthenticationMethod am = AuthenticationMethod.KERBEROS;
   ugi.setAuthenticationMethod(am);
   Assert.assertEquals(am, ugi.getAuthenticationMethod());
   ugi.doAs(
       new PrivilegedExceptionAction<Object>() {
         public Object run() throws IOException {
           Assert.assertEquals(
               am, UserGroupInformation.getCurrentUser().getAuthenticationMethod());
           return null;
         }
       });
 }
Exemplo n.º 5
0
  @Override
  public void getAuthenticationToken(
      RpcController controller,
      AuthenticationProtos.GetAuthenticationTokenRequest request,
      RpcCallback<AuthenticationProtos.GetAuthenticationTokenResponse> done) {
    AuthenticationProtos.GetAuthenticationTokenResponse.Builder response =
        AuthenticationProtos.GetAuthenticationTokenResponse.newBuilder();

    try {
      if (secretManager == null) {
        throw new IOException("No secret manager configured for token authentication");
      }

      User currentUser = RequestContext.getRequestUser();
      UserGroupInformation ugi = null;
      if (currentUser != null) {
        ugi = currentUser.getUGI();
      }
      if (currentUser == null) {
        throw new AccessDeniedException("No authenticated user for request!");
      } else if (!isAllowedDelegationTokenOp(ugi)) {
        LOG.warn(
            "Token generation denied for user="******", authMethod="
                + ugi.getAuthenticationMethod());
        throw new AccessDeniedException(
            "Token generation only allowed for Kerberos authenticated clients");
      }

      Token<AuthenticationTokenIdentifier> token =
          secretManager.generateToken(currentUser.getName());
      response.setToken(ProtobufUtil.toToken(token)).build();
    } catch (IOException ioe) {
      ResponseConverter.setControllerException(controller, ioe);
    }
    done.run(response.build());
  }
  private void validateHadoopFS(List<ConfigIssue> issues) {
    boolean validHapoopFsUri = true;
    hadoopConf = getHadoopConfiguration(issues);
    String hdfsUriInConf;
    if (hdfsUri != null && !hdfsUri.isEmpty()) {
      hadoopConf.set(CommonConfigurationKeys.FS_DEFAULT_NAME_KEY, hdfsUri);
    } else {
      hdfsUriInConf = hadoopConf.get(CommonConfigurationKeys.FS_DEFAULT_NAME_KEY);
      if (hdfsUriInConf == null) {
        issues.add(
            getContext().createConfigIssue(Groups.HADOOP_FS.name(), "hdfsUri", Errors.HADOOPFS_19));
        return;
      } else {
        hdfsUri = hdfsUriInConf;
      }
    }
    if (hdfsUri.contains("://")) {
      try {
        URI uri = new URI(hdfsUri);
        if (!"hdfs".equals(uri.getScheme())) {
          issues.add(
              getContext()
                  .createConfigIssue(
                      Groups.HADOOP_FS.name(),
                      "hdfsUri",
                      Errors.HADOOPFS_12,
                      hdfsUri,
                      uri.getScheme()));
          validHapoopFsUri = false;
        } else if (uri.getAuthority() == null) {
          issues.add(
              getContext()
                  .createConfigIssue(
                      Groups.HADOOP_FS.name(), "hdfsUri", Errors.HADOOPFS_13, hdfsUri));
          validHapoopFsUri = false;
        }
      } catch (Exception ex) {
        issues.add(
            getContext()
                .createConfigIssue(
                    Groups.HADOOP_FS.name(),
                    "hdfsUri",
                    Errors.HADOOPFS_22,
                    hdfsUri,
                    ex.getMessage(),
                    ex));
        validHapoopFsUri = false;
      }
    } else {
      issues.add(
          getContext()
              .createConfigIssue(Groups.HADOOP_FS.name(), "hdfsUri", Errors.HADOOPFS_02, hdfsUri));
      validHapoopFsUri = false;
    }

    StringBuilder logMessage = new StringBuilder();
    try {
      // forcing UGI to initialize with the security settings from the stage
      UserGroupInformation.setConfiguration(hadoopConf);
      Subject subject = Subject.getSubject(AccessController.getContext());
      if (UserGroupInformation.isSecurityEnabled()) {
        loginUgi = UserGroupInformation.getUGIFromSubject(subject);
      } else {
        UserGroupInformation.loginUserFromSubject(subject);
        loginUgi = UserGroupInformation.getLoginUser();
      }
      LOG.info(
          "Subject = {}, Principals = {}, Login UGI = {}",
          subject,
          subject == null ? "null" : subject.getPrincipals(),
          loginUgi);
      if (hdfsKerberos) {
        logMessage.append("Using Kerberos");
        if (loginUgi.getAuthenticationMethod()
            != UserGroupInformation.AuthenticationMethod.KERBEROS) {
          issues.add(
              getContext()
                  .createConfigIssue(
                      Groups.HADOOP_FS.name(),
                      "hdfsKerberos",
                      Errors.HADOOPFS_00,
                      loginUgi.getAuthenticationMethod(),
                      UserGroupInformation.AuthenticationMethod.KERBEROS));
        }
      } else {
        logMessage.append("Using Simple");
        hadoopConf.set(
            CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
            UserGroupInformation.AuthenticationMethod.SIMPLE.name());
      }
      if (validHapoopFsUri) {
        getUGI()
            .doAs(
                new PrivilegedExceptionAction<Void>() {
                  @Override
                  public Void run() throws Exception {
                    try (FileSystem fs = getFileSystemForInitDestroy()) { // to trigger the close
                    }
                    return null;
                  }
                });
      }
    } catch (Exception ex) {
      LOG.info("Error connecting to FileSystem: " + ex, ex);
      issues.add(
          getContext()
              .createConfigIssue(
                  Groups.HADOOP_FS.name(),
                  null,
                  Errors.HADOOPFS_11,
                  hdfsUri,
                  String.valueOf(ex),
                  ex));
    }
    LOG.info("Authentication Config: " + logMessage);
  }
  public static URLConnectionClientHandler getClientConnectionHandler(
      DefaultClientConfig config,
      PropertiesConfiguration clientConfig,
      final String doAsUser,
      final UserGroupInformation ugi) {
    config
        .getProperties()
        .put(URLConnectionClientHandler.PROPERTY_HTTP_URL_CONNECTION_SET_METHOD_WORKAROUND, true);
    Configuration conf = new Configuration();
    conf.addResource(conf.get(SSLFactory.SSL_CLIENT_CONF_KEY, "ssl-client.xml"));
    UserGroupInformation.setConfiguration(conf);
    final ConnectionConfigurator connConfigurator = newConnConfigurator(conf);
    String authType = "simple";
    if (clientConfig != null) {
      authType = clientConfig.getString("atlas.http.authentication.type", "simple");
    }
    Authenticator authenticator = new PseudoDelegationTokenAuthenticator();
    if (!authType.equals("simple")) {
      authenticator = new KerberosDelegationTokenAuthenticator();
    }
    authenticator.setConnectionConfigurator(connConfigurator);
    final DelegationTokenAuthenticator finalAuthenticator =
        (DelegationTokenAuthenticator) authenticator;
    final DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token();
    HttpURLConnectionFactory httpURLConnectionFactory = null;
    try {
      UserGroupInformation ugiToUse = ugi != null ? ugi : UserGroupInformation.getCurrentUser();
      final UserGroupInformation actualUgi =
          (ugiToUse.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.PROXY)
              ? ugiToUse.getRealUser()
              : ugiToUse;
      LOG.info(
          "Real User: {}, is from ticket cache? {}", actualUgi, actualUgi.isLoginTicketBased());
      LOG.info("doAsUser: {}", doAsUser);
      httpURLConnectionFactory =
          new HttpURLConnectionFactory() {
            @Override
            public HttpURLConnection getHttpURLConnection(final URL url) throws IOException {
              try {
                return actualUgi.doAs(
                    new PrivilegedExceptionAction<HttpURLConnection>() {
                      @Override
                      public HttpURLConnection run() throws Exception {
                        try {
                          return new DelegationTokenAuthenticatedURL(
                                  finalAuthenticator, connConfigurator)
                              .openConnection(url, token, doAsUser);
                        } catch (Exception e) {
                          throw new IOException(e);
                        }
                      }
                    });
              } catch (Exception e) {
                if (e instanceof IOException) {
                  throw (IOException) e;
                } else {
                  throw new IOException(e);
                }
              }
            }
          };
    } catch (IOException e) {
      LOG.warn("Error obtaining user", e);
    }

    return new URLConnectionClientHandler(httpURLConnectionFactory);
  }