Example 1 with DelegationTokenIdentifier

use of org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier in project hadoop by apache.

the class TestWebHdfsTokens method testSetTokenServiceAndKind.

@Test
public void testSetTokenServiceAndKind() throws Exception {
    MiniDFSCluster cluster = null;
    try {
        final Configuration clusterConf = new HdfsConfiguration(conf);
        SecurityUtil.setAuthenticationMethod(SIMPLE, clusterConf);
        clusterConf.setBoolean(DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_ALWAYS_USE_KEY, true);
        // trick the NN into thinking security is enabled w/o it trying
        // to login from a keytab
        UserGroupInformation.setConfiguration(clusterConf);
        cluster = new MiniDFSCluster.Builder(clusterConf).numDataNodes(0).build();
        cluster.waitActive();
        SecurityUtil.setAuthenticationMethod(KERBEROS, clusterConf);
        final WebHdfsFileSystem fs = WebHdfsTestUtil.getWebHdfsFileSystem(clusterConf, "webhdfs");
        Whitebox.setInternalState(fs, "canRefreshDelegationToken", true);
        URLConnectionFactory factory = new URLConnectionFactory(new ConnectionConfigurator() {

            @Override
            public HttpURLConnection configure(HttpURLConnection conn) throws IOException {
                return conn;
            }
        }) {

            @Override
            public URLConnection openConnection(URL url) throws IOException {
                return super.openConnection(new URL(url + "&service=foo&kind=bar"));
            }
        };
        Whitebox.setInternalState(fs, "connectionFactory", factory);
        Token<?> token1 = fs.getDelegationToken();
        Assert.assertEquals(new Text("bar"), token1.getKind());
        final HttpOpParam.Op op = GetOpParam.Op.GETDELEGATIONTOKEN;
        Token<DelegationTokenIdentifier> token2 = fs.new FsPathResponseRunner<Token<DelegationTokenIdentifier>>(op, null, new RenewerParam(null)) {

            @Override
            Token<DelegationTokenIdentifier> decodeResponse(Map<?, ?> json) throws IOException {
                return JsonUtilClient.toDelegationToken(json);
            }
        }.run();
        Assert.assertEquals(new Text("bar"), token2.getKind());
        Assert.assertEquals(new Text("foo"), token2.getService());
    } finally {
        if (cluster != null) {
            cluster.shutdown();
        }
    }
}
Also used : ConnectionConfigurator(org.apache.hadoop.security.authentication.client.ConnectionConfigurator) MiniDFSCluster(org.apache.hadoop.hdfs.MiniDFSCluster) Configuration(org.apache.hadoop.conf.Configuration) HdfsConfiguration(org.apache.hadoop.hdfs.HdfsConfiguration) DelegationTokenIdentifier(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier) Text(org.apache.hadoop.io.Text) InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken) Token(org.apache.hadoop.security.token.Token) IOException(java.io.IOException) URL(java.net.URL) HttpURLConnection(java.net.HttpURLConnection) Test(org.junit.Test)

Example 2 with DelegationTokenIdentifier

use of org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier in project hadoop by apache.

the class DataNodeUGIProvider method tokenUGI.

private UserGroupInformation tokenUGI(Token<DelegationTokenIdentifier> token) throws IOException {
    ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
    DataInputStream in = new DataInputStream(buf);
    DelegationTokenIdentifier id = new DelegationTokenIdentifier();
    id.readFields(in);
    UserGroupInformation ugi = id.getUser();
    ugi.addToken(token);
    return ugi;
}
Also used : ByteArrayInputStream(java.io.ByteArrayInputStream) DelegationTokenIdentifier(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier) DataInputStream(java.io.DataInputStream) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 3 with DelegationTokenIdentifier

use of org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier in project hadoop by apache.

the class FSEditLogOp method delegationTokenFromXml.

public static DelegationTokenIdentifier delegationTokenFromXml(Stanza st) throws InvalidXmlException {
    String kind = st.getValue("KIND");
    if (!kind.equals(DelegationTokenIdentifier.HDFS_DELEGATION_KIND.toString())) {
        throw new InvalidXmlException("can't understand " + "DelegationTokenIdentifier KIND " + kind);
    }
    int seqNum = Integer.parseInt(st.getValue("SEQUENCE_NUMBER"));
    String owner = st.getValue("OWNER");
    String renewer = st.getValue("RENEWER");
    String realuser = st.getValue("REALUSER");
    long issueDate = Long.parseLong(st.getValue("ISSUE_DATE"));
    long maxDate = Long.parseLong(st.getValue("MAX_DATE"));
    int masterKeyId = Integer.parseInt(st.getValue("MASTER_KEY_ID"));
    DelegationTokenIdentifier token = new DelegationTokenIdentifier(new Text(owner), new Text(renewer), new Text(realuser));
    token.setSequenceNumber(seqNum);
    token.setIssueDate(issueDate);
    token.setMaxDate(maxDate);
    token.setMasterKeyId(masterKeyId);
    return token;
}
Also used : InvalidXmlException(org.apache.hadoop.hdfs.util.XMLUtils.InvalidXmlException) DelegationTokenIdentifier(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier) Text(org.apache.hadoop.io.Text)

Example 4 with DelegationTokenIdentifier

use of org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier in project hadoop by apache.

the class FSNamesystem method renewDelegationToken.

/**
   * @param token token to renew
   * @return new expiryTime of the token
   * @throws InvalidToken if {@code token} is invalid
   * @throws IOException on other errors
   */
long renewDelegationToken(Token<DelegationTokenIdentifier> token) throws InvalidToken, IOException {
    long expiryTime;
    checkOperation(OperationCategory.WRITE);
    writeLock();
    try {
        checkOperation(OperationCategory.WRITE);
        checkNameNodeSafeMode("Cannot renew delegation token");
        if (!isAllowedDelegationTokenOp()) {
            throw new IOException("Delegation Token can be renewed only with kerberos or web authentication");
        }
        String renewer = getRemoteUser().getShortUserName();
        expiryTime = dtSecretManager.renewToken(token, renewer);
        DelegationTokenIdentifier id = new DelegationTokenIdentifier();
        ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
        DataInputStream in = new DataInputStream(buf);
        id.readFields(in);
        getEditLog().logRenewDelegationToken(id, expiryTime);
    } finally {
        writeUnlock("renewDelegationToken");
    }
    getEditLog().logSync();
    return expiryTime;
}
Also used : DelegationTokenIdentifier(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier) ByteArrayInputStream(java.io.ByteArrayInputStream) IOException(java.io.IOException) DataInputStream(java.io.DataInputStream)

Example 5 with DelegationTokenIdentifier

use of org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier in project hadoop by apache.

the class FSNamesystem method getDelegationToken.

/**
   * @param renewer Renewer information
   * @return delegation token
   * @throws IOException on error
   */
Token<DelegationTokenIdentifier> getDelegationToken(Text renewer) throws IOException {
    Token<DelegationTokenIdentifier> token;
    checkOperation(OperationCategory.WRITE);
    writeLock();
    try {
        checkOperation(OperationCategory.WRITE);
        checkNameNodeSafeMode("Cannot issue delegation token");
        if (!isAllowedDelegationTokenOp()) {
            throw new IOException("Delegation Token can be issued only with kerberos or web authentication");
        }
        if (dtSecretManager == null || !dtSecretManager.isRunning()) {
            LOG.warn("trying to get DT with no secret manager running");
            return null;
        }
        UserGroupInformation ugi = getRemoteUser();
        String user = ugi.getUserName();
        Text owner = new Text(user);
        Text realUser = null;
        if (ugi.getRealUser() != null) {
            realUser = new Text(ugi.getRealUser().getUserName());
        }
        DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(owner, renewer, realUser);
        token = new Token<DelegationTokenIdentifier>(dtId, dtSecretManager);
        long expiryTime = dtSecretManager.getTokenExpiryTime(dtId);
        getEditLog().logGetDelegationToken(dtId, expiryTime);
    } finally {
        writeUnlock("getDelegationToken");
    }
    getEditLog().logSync();
    return token;
}
Also used : DelegationTokenIdentifier(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier) Text(org.apache.hadoop.io.Text) IOException(java.io.IOException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Aggregations

DelegationTokenIdentifier (org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier) 46
Test (org.junit.Test) 28
Text (org.apache.hadoop.io.Text) 25
Token (org.apache.hadoop.security.token.Token) 21
IOException (java.io.IOException) 18
Configuration (org.apache.hadoop.conf.Configuration) 13
InvalidToken (org.apache.hadoop.security.token.SecretManager.InvalidToken) 12
Credentials (org.apache.hadoop.security.Credentials) 11
ByteArrayInputStream (java.io.ByteArrayInputStream) 10
DataInputStream (java.io.DataInputStream) 10
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation) 9
ByteBuffer (java.nio.ByteBuffer) 7
DataInputByteBuffer (org.apache.hadoop.io.DataInputByteBuffer) 7
MockNM (org.apache.hadoop.yarn.server.resourcemanager.MockNM) 7
MockRM (org.apache.hadoop.yarn.server.resourcemanager.MockRM) 7
TestSecurityMockRM (org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart.TestSecurityMockRM) 7
InetSocketAddress (java.net.InetSocketAddress) 6
RMApp (org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp) 6
DelegationTokenSecretManager (org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenSecretManager) 5
YarnConfiguration (org.apache.hadoop.yarn.conf.YarnConfiguration) 5