Example 31 with DelegationTokenIdentifier

Use of org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier in project hadoop by apache.

The class TestDelegationTokensWithHA, method testDelegationTokenDuringNNFailover.

/**
 * Test if correct exception (StandbyException or RetriableException) can be
 * thrown during the NN failover.
 */
@Test(timeout = 300000)
public void testDelegationTokenDuringNNFailover() throws Exception {
    EditLogTailer editLogTailer = nn1.getNamesystem().getEditLogTailer();
    // stop the editLogTailer of nn1
    editLogTailer.stop();
    Configuration conf = (Configuration) Whitebox.getInternalState(editLogTailer, "conf");
    nn1.getNamesystem().setEditLogTailerForTests(new EditLogTailerForTest(nn1.getNamesystem(), conf));
    // create token
    final Token<DelegationTokenIdentifier> token = getDelegationToken(fs, "JobTracker");
    DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
    byte[] tokenId = token.getIdentifier();
    identifier.readFields(new DataInputStream(new ByteArrayInputStream(tokenId)));
    // Ensure that it's present in the nn0 secret manager and can
    // be renewed directly from there.
    LOG.info("A valid token should have non-null password, " + "and should be renewed successfully");
    assertTrue(null != dtSecretManager.retrievePassword(identifier));
    dtSecretManager.renewToken(token, "JobTracker");
    // transition nn0 to standby
    cluster.transitionToStandby(0);
    try {
        cluster.getNameNodeRpc(0).renewDelegationToken(token);
        fail("StandbyException is expected since nn0 is in standby state");
    } catch (StandbyException e) {
        GenericTestUtils.assertExceptionContains(HAServiceState.STANDBY.toString(), e);
    }
    new Thread() {

        @Override
        public void run() {
            try {
                cluster.transitionToActive(1);
            } catch (Exception e) {
                LOG.error("Transition nn1 to active failed", e);
            }
        }
    }.start();
    Thread.sleep(1000);
    try {
        nn1.getNamesystem().verifyToken(token.decodeIdentifier(), token.getPassword());
        fail("RetriableException/StandbyException is expected since nn1 is in transition");
    } catch (IOException e) {
        assertTrue(e instanceof StandbyException || e instanceof RetriableException);
        LOG.info("Got expected exception", e);
    }
    catchup = true;
    synchronized (this) {
        this.notifyAll();
    }
    Configuration clientConf = dfs.getConf();
    doRenewOrCancel(token, clientConf, TokenTestAction.RENEW);
    doRenewOrCancel(token, clientConf, TokenTestAction.CANCEL);
}
Also used : Configuration(org.apache.hadoop.conf.Configuration) DelegationTokenIdentifier(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier) IOException(java.io.IOException) DataInputStream(java.io.DataInputStream) StandbyException(org.apache.hadoop.ipc.StandbyException) RetriableException(org.apache.hadoop.ipc.RetriableException) ByteArrayInputStream(java.io.ByteArrayInputStream) Test(org.junit.Test)

Example 32 with DelegationTokenIdentifier

Use of org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier in project hadoop by apache.

The class TestDelegationTokensWithHA, method testDelegationTokenWithDoAs.

@Test(timeout = 300000)
public void testDelegationTokenWithDoAs() throws Exception {
    final Token<DelegationTokenIdentifier> token = getDelegationToken(fs, "JobTracker");
    final UserGroupInformation longUgi = UserGroupInformation.createRemoteUser("JobTracker/foo.com@FOO.COM");
    final UserGroupInformation shortUgi = UserGroupInformation.createRemoteUser("JobTracker");
    longUgi.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            // try renew with long name
            token.renew(conf);
            return null;
        }
    });
    shortUgi.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            token.renew(conf);
            return null;
        }
    });
    longUgi.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            token.cancel(conf);
            return null;
        }
    });
}
Also used : DelegationTokenIdentifier(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier) StandbyException(org.apache.hadoop.ipc.StandbyException) IOException(java.io.IOException) RetriableException(org.apache.hadoop.ipc.RetriableException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 33 with DelegationTokenIdentifier

Use of org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier in project hadoop by apache.

The class TestDelegationTokensWithHA, method testDelegationTokenDFSApi.

@Test(timeout = 300000)
public void testDelegationTokenDFSApi() throws Exception {
    final Token<DelegationTokenIdentifier> token = getDelegationToken(fs, "JobTracker");
    DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
    byte[] tokenId = token.getIdentifier();
    identifier.readFields(new DataInputStream(new ByteArrayInputStream(tokenId)));
    // Ensure that it's present in the NN's secret manager and can
    // be renewed directly from there.
    LOG.info("A valid token should have non-null password, " + "and should be renewed successfully");
    assertTrue(null != dtSecretManager.retrievePassword(identifier));
    dtSecretManager.renewToken(token, "JobTracker");
    // Use the client conf with the failover info present to check
    // renewal.
    Configuration clientConf = dfs.getConf();
    doRenewOrCancel(token, clientConf, TokenTestAction.RENEW);
    // Using a configuration that doesn't have the logical nameservice
    // configured should result in a reasonable error message.
    Configuration emptyConf = new Configuration();
    try {
        doRenewOrCancel(token, emptyConf, TokenTestAction.RENEW);
        fail("Did not throw trying to renew with an empty conf!");
    } catch (IOException ioe) {
        GenericTestUtils.assertExceptionContains("Unable to map logical nameservice URI", ioe);
    }
    // Ensure that the token can be renewed again after a failover.
    cluster.transitionToStandby(0);
    cluster.transitionToActive(1);
    doRenewOrCancel(token, clientConf, TokenTestAction.RENEW);
    doRenewOrCancel(token, clientConf, TokenTestAction.CANCEL);
}
Also used : Configuration(org.apache.hadoop.conf.Configuration) DelegationTokenIdentifier(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier) ByteArrayInputStream(java.io.ByteArrayInputStream) IOException(java.io.IOException) DataInputStream(java.io.DataInputStream) Test(org.junit.Test)

Example 34 with DelegationTokenIdentifier

Use of org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier in project hadoop by apache.

The class TestDelegationTokensWithHA, method testDFSGetCanonicalServiceName.

/**
 * HDFS-3062: DistributedFileSystem.getCanonicalServiceName() throws an
 * exception if the URI is a logical URI. This bug fails the combination of
 * ha + mapred + security.
 */
@Test(timeout = 300000)
public void testDFSGetCanonicalServiceName() throws Exception {
    URI hAUri = HATestUtil.getLogicalUri(cluster);
    String haService = HAUtilClient.buildTokenServiceForLogicalUri(hAUri, HdfsConstants.HDFS_URI_SCHEME).toString();
    assertEquals(haService, dfs.getCanonicalServiceName());
    final String renewer = UserGroupInformation.getCurrentUser().getShortUserName();
    final Token<DelegationTokenIdentifier> token = getDelegationToken(dfs, renewer);
    assertEquals(haService, token.getService().toString());
    // make sure the logical uri is handled correctly
    token.renew(dfs.getConf());
    token.cancel(dfs.getConf());
}
Also used : DelegationTokenIdentifier(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier) URI(java.net.URI) Test(org.junit.Test)

Example 35 with DelegationTokenIdentifier

Use of org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier in project hadoop by apache.

The class TestDelegationTokensWithHA, method testHAUtilClonesDelegationTokens.

@Test(timeout = 300000)
public void testHAUtilClonesDelegationTokens() throws Exception {
    final Token<DelegationTokenIdentifier> token = getDelegationToken(fs, "JobTracker");
    UserGroupInformation ugi = UserGroupInformation.createRemoteUser("test");
    URI haUri = new URI("hdfs://my-ha-uri/");
    token.setService(HAUtilClient.buildTokenServiceForLogicalUri(haUri, HdfsConstants.HDFS_URI_SCHEME));
    ugi.addToken(token);
    Collection<InetSocketAddress> nnAddrs = new HashSet<InetSocketAddress>();
    nnAddrs.add(new InetSocketAddress("localhost", nn0.getNameNodeAddress().getPort()));
    nnAddrs.add(new InetSocketAddress("localhost", nn1.getNameNodeAddress().getPort()));
    HAUtil.cloneDelegationTokenForLogicalUri(ugi, haUri, nnAddrs);
    Collection<Token<? extends TokenIdentifier>> tokens = ugi.getTokens();
    assertEquals(3, tokens.size());
    LOG.info("Tokens:\n" + Joiner.on("\n").join(tokens));
    DelegationTokenSelector dts = new DelegationTokenSelector();
    // matches the one we received
    for (InetSocketAddress addr : nnAddrs) {
        Text ipcDtService = SecurityUtil.buildTokenService(addr);
        Token<DelegationTokenIdentifier> token2 = dts.selectToken(ipcDtService, ugi.getTokens());
        assertNotNull(token2);
        assertArrayEquals(token.getIdentifier(), token2.getIdentifier());
        assertArrayEquals(token.getPassword(), token2.getPassword());
    }
    // switch to host-based tokens, shouldn't match existing tokens 
    SecurityUtilTestHelper.setTokenServiceUseIp(false);
    for (InetSocketAddress addr : nnAddrs) {
        Text ipcDtService = SecurityUtil.buildTokenService(addr);
        Token<DelegationTokenIdentifier> token2 = dts.selectToken(ipcDtService, ugi.getTokens());
        assertNull(token2);
    }
    // reclone the tokens, and see if they match now
    HAUtil.cloneDelegationTokenForLogicalUri(ugi, haUri, nnAddrs);
    for (InetSocketAddress addr : nnAddrs) {
        Text ipcDtService = SecurityUtil.buildTokenService(addr);
        Token<DelegationTokenIdentifier> token2 = dts.selectToken(ipcDtService, ugi.getTokens());
        assertNotNull(token2);
        assertArrayEquals(token.getIdentifier(), token2.getIdentifier());
        assertArrayEquals(token.getPassword(), token2.getPassword());
    }
}
Also used : TokenIdentifier(org.apache.hadoop.security.token.TokenIdentifier) DelegationTokenIdentifier(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier) InetSocketAddress(java.net.InetSocketAddress) Token(org.apache.hadoop.security.token.Token) Text(org.apache.hadoop.io.Text) URI(java.net.URI) DelegationTokenSelector(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenSelector) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) HashSet(java.util.HashSet) Test(org.junit.Test)
