Example 6 with DelegationTokenIdentifier
use of org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier in project hadoop by apache.
the class TestDelegationToken method checkTokenIdentifier.
@SuppressWarnings("unchecked")
private void checkTokenIdentifier(UserGroupInformation ugi, final Token<?> token) throws Exception {
Assert.assertNotNull(token);
// should be able to use token.decodeIdentifier() but webhdfs isn't
// registered with the service loader for token decoding
DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
byte[] tokenId = token.getIdentifier();
DataInputStream in = new DataInputStream(new ByteArrayInputStream(tokenId));
try {
identifier.readFields(in);
} finally {
in.close();
}
Assert.assertNotNull(identifier);
LOG.info("A valid token should have non-null password, and should be renewed successfully");
Assert.assertTrue(null != dtSecretManager.retrievePassword(identifier));
dtSecretManager.renewToken((Token<DelegationTokenIdentifier>) token, "JobTracker");
ugi.doAs(new PrivilegedExceptionAction<Object>() {
@Override
public Object run() throws Exception {
token.renew(config);
token.cancel(config);
return null;
}
});
}
Also used :
DelegationTokenIdentifier(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier)
ByteArrayInputStream(java.io.ByteArrayInputStream)
DataInputStream(java.io.DataInputStream)
IOException(java.io.IOException)
AccessControlException(org.apache.hadoop.security.AccessControlException)
Example 7 with DelegationTokenIdentifier
use of org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier in project hadoop by apache.
the class TestDelegationToken method testDelegationTokenWithDoAs.
@Test
public void testDelegationTokenWithDoAs() throws Exception {
final DistributedFileSystem dfs = cluster.getFileSystem();
final Credentials creds = new Credentials();
final Token<?>[] tokens = dfs.addDelegationTokens("JobTracker", creds);
Assert.assertEquals(1, tokens.length);
@SuppressWarnings("unchecked") final Token<DelegationTokenIdentifier> token = (Token<DelegationTokenIdentifier>) tokens[0];
final UserGroupInformation longUgi = UserGroupInformation.createRemoteUser("JobTracker/foo.com@FOO.COM");
final UserGroupInformation shortUgi = UserGroupInformation.createRemoteUser("JobTracker");
longUgi.doAs(new PrivilegedExceptionAction<Object>() {
@Override
public Object run() throws IOException {
try {
token.renew(config);
} catch (Exception e) {
Assert.fail("Could not renew delegation token for user " + longUgi);
}
return null;
}
});
shortUgi.doAs(new PrivilegedExceptionAction<Object>() {
@Override
public Object run() throws Exception {
token.renew(config);
return null;
}
});
longUgi.doAs(new PrivilegedExceptionAction<Object>() {
@Override
public Object run() throws IOException {
try {
token.cancel(config);
} catch (Exception e) {
Assert.fail("Could not cancel delegation token for user " + longUgi);
}
return null;
}
});
}
Also used :
DelegationTokenIdentifier(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier)
InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken)
Token(org.apache.hadoop.security.token.Token)
IOException(java.io.IOException)
DistributedFileSystem(org.apache.hadoop.hdfs.DistributedFileSystem)
IOException(java.io.IOException)
AccessControlException(org.apache.hadoop.security.AccessControlException)
Credentials(org.apache.hadoop.security.Credentials)
UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)
Test(org.junit.Test)
Example 8 with DelegationTokenIdentifier
use of org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier in project hadoop by apache.
the class TestDelegationToken method testDelegationTokenSecretManager.
@Test
public void testDelegationTokenSecretManager() throws Exception {
Token<DelegationTokenIdentifier> token = generateDelegationToken("SomeUser", "JobTracker");
// Fake renewer should not be able to renew
try {
dtSecretManager.renewToken(token, "FakeRenewer");
Assert.fail("should have failed");
} catch (AccessControlException ace) {
// PASS
}
dtSecretManager.renewToken(token, "JobTracker");
DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
byte[] tokenId = token.getIdentifier();
identifier.readFields(new DataInputStream(new ByteArrayInputStream(tokenId)));
Assert.assertTrue(null != dtSecretManager.retrievePassword(identifier));
LOG.info("Sleep to expire the token");
Thread.sleep(6000);
//Token should be expired
try {
dtSecretManager.retrievePassword(identifier);
//Should not come here
Assert.fail("Token should have expired");
} catch (InvalidToken e) {
//Success
}
dtSecretManager.renewToken(token, "JobTracker");
LOG.info("Sleep beyond the max lifetime");
Thread.sleep(5000);
try {
dtSecretManager.renewToken(token, "JobTracker");
Assert.fail("should have been expired");
} catch (InvalidToken it) {
// PASS
}
}
Also used :
DelegationTokenIdentifier(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier)
ByteArrayInputStream(java.io.ByteArrayInputStream)
InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken)
AccessControlException(org.apache.hadoop.security.AccessControlException)
DataInputStream(java.io.DataInputStream)
Test(org.junit.Test)
Example 9 with DelegationTokenIdentifier
use of org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier in project hadoop by apache.
the class TestDelegationTokenForProxyUser method testDelegationTokenWithRealUser.
@Test(timeout = 20000)
public void testDelegationTokenWithRealUser() throws IOException {
try {
Token<?>[] tokens = proxyUgi.doAs(new PrivilegedExceptionAction<Token<?>[]>() {
@Override
public Token<?>[] run() throws IOException {
return cluster.getFileSystem().addDelegationTokens("RenewerUser", null);
}
});
DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
byte[] tokenId = tokens[0].getIdentifier();
identifier.readFields(new DataInputStream(new ByteArrayInputStream(tokenId)));
Assert.assertEquals(identifier.getUser().getUserName(), PROXY_USER);
Assert.assertEquals(identifier.getUser().getRealUser().getUserName(), REAL_USER);
} catch (InterruptedException e) {
//Do Nothing
}
}
Also used :
DelegationTokenIdentifier(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier)
ByteArrayInputStream(java.io.ByteArrayInputStream)
Token(org.apache.hadoop.security.token.Token)
IOException(java.io.IOException)
DataInputStream(java.io.DataInputStream)
Test(org.junit.Test)
Example 10 with DelegationTokenIdentifier
use of org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier in project hadoop by apache.
the class TestDataNodeUGIProvider method getWebHdfsFileSystem.
private WebHdfsFileSystem getWebHdfsFileSystem(UserGroupInformation ugi, Configuration conf, List<Token<DelegationTokenIdentifier>> tokens) throws IOException {
if (UserGroupInformation.isSecurityEnabled()) {
DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(new Text(ugi.getUserName()), null, null);
FSNamesystem namesystem = mock(FSNamesystem.class);
DelegationTokenSecretManager dtSecretManager = new DelegationTokenSecretManager(86400000, 86400000, 86400000, 86400000, namesystem);
dtSecretManager.startThreads();
Token<DelegationTokenIdentifier> token1 = new Token<DelegationTokenIdentifier>(dtId, dtSecretManager);
Token<DelegationTokenIdentifier> token2 = new Token<DelegationTokenIdentifier>(dtId, dtSecretManager);
SecurityUtil.setTokenService(token1, NetUtils.createSocketAddr(uri.getAuthority()));
SecurityUtil.setTokenService(token2, NetUtils.createSocketAddr(uri.getAuthority()));
token1.setKind(WebHdfsConstants.WEBHDFS_TOKEN_KIND);
token2.setKind(WebHdfsConstants.WEBHDFS_TOKEN_KIND);
tokens.add(token1);
tokens.add(token2);
ugi.addToken(token1);
ugi.addToken(token2);
}
return (WebHdfsFileSystem) FileSystem.get(uri, conf);
}
Also used :
DelegationTokenSecretManager(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenSecretManager)
DelegationTokenIdentifier(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier)
Text(org.apache.hadoop.io.Text)
Token(org.apache.hadoop.security.token.Token)
WebHdfsFileSystem(org.apache.hadoop.hdfs.web.WebHdfsFileSystem)
FSNamesystem(org.apache.hadoop.hdfs.server.namenode.FSNamesystem)
Aggregations
DelegationTokenIdentifier (org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier)46
Test (org.junit.Test)28
Text (org.apache.hadoop.io.Text)25
Token (org.apache.hadoop.security.token.Token)21
IOException (java.io.IOException)18
Configuration (org.apache.hadoop.conf.Configuration)13
InvalidToken (org.apache.hadoop.security.token.SecretManager.InvalidToken)12
Credentials (org.apache.hadoop.security.Credentials)11
ByteArrayInputStream (java.io.ByteArrayInputStream)10
DataInputStream (java.io.DataInputStream)10
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)9
ByteBuffer (java.nio.ByteBuffer)7
DataInputByteBuffer (org.apache.hadoop.io.DataInputByteBuffer)7
MockNM (org.apache.hadoop.yarn.server.resourcemanager.MockNM)7
MockRM (org.apache.hadoop.yarn.server.resourcemanager.MockRM)7
TestSecurityMockRM (org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart.TestSecurityMockRM)7
InetSocketAddress (java.net.InetSocketAddress)6
RMApp (org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp)6
DelegationTokenSecretManager (org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenSecretManager)5
YarnConfiguration (org.apache.hadoop.yarn.conf.YarnConfiguration)5
