Search in sources :

Example 1 with DelegationParam

use of org.apache.hadoop.hdfs.web.resources.DelegationParam in project hadoop by apache.

the class TestDataNodeUGIProvider method testUGICacheSecure.

@Test
public void testUGICacheSecure() throws Exception {
    // fake turning on security so api thinks it should use tokens
    SecurityUtil.setAuthenticationMethod(KERBEROS, conf);
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation ugi = UserGroupInformation.createRemoteUser("test-user");
    ugi.setAuthenticationMethod(KERBEROS);
    ugi = UserGroupInformation.createProxyUser("test-proxy-user", ugi);
    UserGroupInformation.setLoginUser(ugi);
    List<Token<DelegationTokenIdentifier>> tokens = Lists.newArrayList();
    getWebHdfsFileSystem(ugi, conf, tokens);
    String uri1 = WebHdfsFileSystem.PATH_PREFIX + PATH + "?op=OPEN" + Param.toSortedString("&", new NamenodeAddressParam("127.0.0.1:1010"), new OffsetParam((long) OFFSET), new LengthParam((long) LENGTH), new DelegationParam(tokens.get(0).encodeToUrlString()));
    String uri2 = WebHdfsFileSystem.PATH_PREFIX + PATH + "?op=OPEN" + Param.toSortedString("&", new NamenodeAddressParam("127.0.0.1:1010"), new OffsetParam((long) OFFSET), new LengthParam((long) LENGTH), new DelegationParam(tokens.get(1).encodeToUrlString()));
    DataNodeUGIProvider ugiProvider1 = new DataNodeUGIProvider(new ParameterParser(new QueryStringDecoder(URI.create(uri1)), conf));
    UserGroupInformation ugi11 = ugiProvider1.ugi();
    UserGroupInformation ugi12 = ugiProvider1.ugi();
    Assert.assertEquals("With UGI cache, two UGIs returned by the same token should be same", ugi11, ugi12);
    DataNodeUGIProvider ugiProvider2 = new DataNodeUGIProvider(new ParameterParser(new QueryStringDecoder(URI.create(uri2)), conf));
    UserGroupInformation url21 = ugiProvider2.ugi();
    UserGroupInformation url22 = ugiProvider2.ugi();
    Assert.assertEquals("With UGI cache, two UGIs returned by the same token should be same", url21, url22);
    Assert.assertNotEquals("With UGI cache, two UGIs for the different token should not be same", ugi11, url22);
    ugiProvider2.clearCache();
    awaitCacheEmptyDueToExpiration();
    ugi12 = ugiProvider1.ugi();
    url22 = ugiProvider2.ugi();
    String msg = "With cache eviction, two UGIs returned" + " by the same token should not be same";
    Assert.assertNotEquals(msg, ugi11, ugi12);
    Assert.assertNotEquals(msg, url21, url22);
    Assert.assertNotEquals("With UGI cache, two UGIs for the different token should not be same", ugi11, url22);
}
Also used : QueryStringDecoder(io.netty.handler.codec.http.QueryStringDecoder) NamenodeAddressParam(org.apache.hadoop.hdfs.web.resources.NamenodeAddressParam) OffsetParam(org.apache.hadoop.hdfs.web.resources.OffsetParam) LengthParam(org.apache.hadoop.hdfs.web.resources.LengthParam) Token(org.apache.hadoop.security.token.Token) DelegationParam(org.apache.hadoop.hdfs.web.resources.DelegationParam) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 2 with DelegationParam

use of org.apache.hadoop.hdfs.web.resources.DelegationParam in project hadoop by apache.

the class TestWebHdfsUrl method testSecureProxyAuthParamsInUrl.

@Test(timeout = 60000)
public void testSecureProxyAuthParamsInUrl() throws IOException {
    Configuration conf = new Configuration();
    // fake turning on security so api thinks it should use tokens
    SecurityUtil.setAuthenticationMethod(KERBEROS, conf);
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation ugi = UserGroupInformation.createRemoteUser("test-user");
    ugi.setAuthenticationMethod(KERBEROS);
    ugi = UserGroupInformation.createProxyUser("test-proxy-user", ugi);
    UserGroupInformation.setLoginUser(ugi);
    WebHdfsFileSystem webhdfs = getWebHdfsFileSystem(ugi, conf);
    Path fsPath = new Path("/");
    String tokenString = webhdfs.getDelegationToken().encodeToUrlString();
    // send real+effective
    URL getTokenUrl = webhdfs.toUrl(GetOpParam.Op.GETDELEGATIONTOKEN, fsPath);
    checkQueryParams(new String[] { GetOpParam.Op.GETDELEGATIONTOKEN.toQueryString(), new UserParam(ugi.getRealUser().getShortUserName()).toString(), new DoAsParam(ugi.getShortUserName()).toString() }, getTokenUrl);
    // send real+effective
    URL renewTokenUrl = webhdfs.toUrl(PutOpParam.Op.RENEWDELEGATIONTOKEN, fsPath, new TokenArgumentParam(tokenString));
    checkQueryParams(new String[] { PutOpParam.Op.RENEWDELEGATIONTOKEN.toQueryString(), new UserParam(ugi.getRealUser().getShortUserName()).toString(), new DoAsParam(ugi.getShortUserName()).toString(), new TokenArgumentParam(tokenString).toString() }, renewTokenUrl);
    // send token
    URL cancelTokenUrl = webhdfs.toUrl(PutOpParam.Op.CANCELDELEGATIONTOKEN, fsPath, new TokenArgumentParam(tokenString));
    checkQueryParams(new String[] { PutOpParam.Op.CANCELDELEGATIONTOKEN.toQueryString(), new UserParam(ugi.getRealUser().getShortUserName()).toString(), new DoAsParam(ugi.getShortUserName()).toString(), new TokenArgumentParam(tokenString).toString() }, cancelTokenUrl);
    // send token
    URL fileStatusUrl = webhdfs.toUrl(GetOpParam.Op.GETFILESTATUS, fsPath);
    checkQueryParams(new String[] { GetOpParam.Op.GETFILESTATUS.toQueryString(), new DelegationParam(tokenString).toString() }, fileStatusUrl);
    // wipe out internal token to simulate auth always required
    webhdfs.setDelegationToken(null);
    // send real+effective
    cancelTokenUrl = webhdfs.toUrl(PutOpParam.Op.CANCELDELEGATIONTOKEN, fsPath, new TokenArgumentParam(tokenString));
    checkQueryParams(new String[] { PutOpParam.Op.CANCELDELEGATIONTOKEN.toQueryString(), new UserParam(ugi.getRealUser().getShortUserName()).toString(), new DoAsParam(ugi.getShortUserName()).toString(), new TokenArgumentParam(tokenString).toString() }, cancelTokenUrl);
    // send real+effective
    fileStatusUrl = webhdfs.toUrl(GetOpParam.Op.GETFILESTATUS, fsPath);
    checkQueryParams(new String[] { GetOpParam.Op.GETFILESTATUS.toQueryString(), new DelegationParam(tokenString).toString() }, fileStatusUrl);
}
Also used : Path(org.apache.hadoop.fs.Path) UserParam(org.apache.hadoop.hdfs.web.resources.UserParam) Configuration(org.apache.hadoop.conf.Configuration) DoAsParam(org.apache.hadoop.hdfs.web.resources.DoAsParam) TokenArgumentParam(org.apache.hadoop.hdfs.web.resources.TokenArgumentParam) DelegationParam(org.apache.hadoop.hdfs.web.resources.DelegationParam) URL(java.net.URL) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 3 with DelegationParam

use of org.apache.hadoop.hdfs.web.resources.DelegationParam in project hadoop by apache.

the class TestWebHdfsUrl method testSecureAuthParamsInUrl.

@Test(timeout = 60000)
public void testSecureAuthParamsInUrl() throws IOException {
    Configuration conf = new Configuration();
    // fake turning on security so api thinks it should use tokens
    SecurityUtil.setAuthenticationMethod(KERBEROS, conf);
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation ugi = UserGroupInformation.createRemoteUser("test-user");
    ugi.setAuthenticationMethod(KERBEROS);
    UserGroupInformation.setLoginUser(ugi);
    WebHdfsFileSystem webhdfs = getWebHdfsFileSystem(ugi, conf);
    Path fsPath = new Path("/");
    String tokenString = webhdfs.getDelegationToken().encodeToUrlString();
    // send user
    URL getTokenUrl = webhdfs.toUrl(GetOpParam.Op.GETDELEGATIONTOKEN, fsPath);
    checkQueryParams(new String[] { GetOpParam.Op.GETDELEGATIONTOKEN.toQueryString(), new UserParam(ugi.getShortUserName()).toString() }, getTokenUrl);
    // send user
    URL renewTokenUrl = webhdfs.toUrl(PutOpParam.Op.RENEWDELEGATIONTOKEN, fsPath, new TokenArgumentParam(tokenString));
    checkQueryParams(new String[] { PutOpParam.Op.RENEWDELEGATIONTOKEN.toQueryString(), new UserParam(ugi.getShortUserName()).toString(), new TokenArgumentParam(tokenString).toString() }, renewTokenUrl);
    // send token
    URL cancelTokenUrl = webhdfs.toUrl(PutOpParam.Op.CANCELDELEGATIONTOKEN, fsPath, new TokenArgumentParam(tokenString));
    checkQueryParams(new String[] { PutOpParam.Op.CANCELDELEGATIONTOKEN.toQueryString(), new UserParam(ugi.getShortUserName()).toString(), new TokenArgumentParam(tokenString).toString() }, cancelTokenUrl);
    // send token
    URL fileStatusUrl = webhdfs.toUrl(GetOpParam.Op.GETFILESTATUS, fsPath);
    checkQueryParams(new String[] { GetOpParam.Op.GETFILESTATUS.toQueryString(), new DelegationParam(tokenString).toString() }, fileStatusUrl);
    // wipe out internal token to simulate auth always required
    webhdfs.setDelegationToken(null);
    // send user
    cancelTokenUrl = webhdfs.toUrl(PutOpParam.Op.CANCELDELEGATIONTOKEN, fsPath, new TokenArgumentParam(tokenString));
    checkQueryParams(new String[] { PutOpParam.Op.CANCELDELEGATIONTOKEN.toQueryString(), new UserParam(ugi.getShortUserName()).toString(), new TokenArgumentParam(tokenString).toString() }, cancelTokenUrl);
    // send user
    fileStatusUrl = webhdfs.toUrl(GetOpParam.Op.GETFILESTATUS, fsPath);
    checkQueryParams(new String[] { GetOpParam.Op.GETFILESTATUS.toQueryString(), new DelegationParam(tokenString).toString() }, fileStatusUrl);
}
Also used : Path(org.apache.hadoop.fs.Path) UserParam(org.apache.hadoop.hdfs.web.resources.UserParam) Configuration(org.apache.hadoop.conf.Configuration) TokenArgumentParam(org.apache.hadoop.hdfs.web.resources.TokenArgumentParam) DelegationParam(org.apache.hadoop.hdfs.web.resources.DelegationParam) URL(java.net.URL) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Aggregations

DelegationParam (org.apache.hadoop.hdfs.web.resources.DelegationParam)3 UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)3 Test (org.junit.Test)3 URL (java.net.URL)2 Configuration (org.apache.hadoop.conf.Configuration)2 Path (org.apache.hadoop.fs.Path)2 TokenArgumentParam (org.apache.hadoop.hdfs.web.resources.TokenArgumentParam)2 UserParam (org.apache.hadoop.hdfs.web.resources.UserParam)2 QueryStringDecoder (io.netty.handler.codec.http.QueryStringDecoder)1 DoAsParam (org.apache.hadoop.hdfs.web.resources.DoAsParam)1 LengthParam (org.apache.hadoop.hdfs.web.resources.LengthParam)1 NamenodeAddressParam (org.apache.hadoop.hdfs.web.resources.NamenodeAddressParam)1 OffsetParam (org.apache.hadoop.hdfs.web.resources.OffsetParam)1 Token (org.apache.hadoop.security.token.Token)1