use of org.apache.hadoop.security.authentication.client.AuthenticatedURL in project hadoop by apache.
the class WhoClient method main.
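/**
 * Diagnostic entry point: performs a SPNEGO (Kerberos) authenticated GET
 * against the single URL given on the command line, then prints the auth
 * token the server handed back, the HTTP status and the response body.
 *
 * @param args exactly one element, the URL to fetch; anything else prints
 *             a usage line and exits with -1
 */
public static void main(String[] args) {
    try {
        if (args.length != 1) {
            System.err.println("Usage: <URL>");
            System.exit(-1);
        }
        // A fresh, empty token: AuthenticatedURL fills it in from the
        // server's response once the authentication round-trip succeeds.
        AuthenticatedURL.Token token = new AuthenticatedURL.Token();
        URL url = new URL(args[0]);
        HttpURLConnection conn = new AuthenticatedURL().openConnection(url, token);
        System.out.println();
        // NOTE(review): the token printed here is what the server issued
        // to authenticate follow-up requests (presumably the signed auth
        // cookie value), i.e. a bearer credential. This tool prints it for
        // diagnosis only; do not paste the output into logs or tickets.
        System.out.println("Token value: " + token);
        System.out.println("Status code: " + conn.getResponseCode() + " " + conn.getResponseMessage());
        System.out.println();
        if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
            // try-with-resources: the original only closed the reader on the
            // happy path, so a failing readLine() leaked the stream.
            try (BufferedReader reader = new BufferedReader(
                    new InputStreamReader(conn.getInputStream(), Charset.forName("UTF-8")))) {
                String line;
                while ((line = reader.readLine()) != null) {
                    System.out.println(line);
                }
            }
        }
        System.out.println();
    } catch (Exception ex) {
        // getMessage() can be null (e.g. a bare NullPointerException), which
        // printed "ERROR: null"; fall back to toString() so the exception
        // type is still visible to the user.
        String msg = ex.getMessage() != null ? ex.getMessage() : ex.toString();
        System.err.println("ERROR: " + msg);
        System.exit(-1);
    }
}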
use of org.apache.hadoop.security.authentication.client.AuthenticatedURL in project hadoop by apache.
the class KMSClientProvider method call.
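/**
 * Sends the request on {@code conn}, handling one class of authentication
 * failure by discarding the cached auth token and retrying on a fresh
 * connection, then validates the status and decodes a JSON body.
 *
 * @param conn             the prepared connection (method, headers already set)
 * @param jsonOutput       request body to write as JSON, or {@code null} for none
 * @param expectedResponse HTTP status the caller requires; anything else makes
 *                         {@code HttpExceptionUtils.validateResponse} throw
 * @param klass            type to deserialize a JSON response into, or
 *                         {@code null} to ignore the body
 * @param authRetryCount   remaining retries allowed after an auth failure
 * @return the decoded body, or {@code null} if there was none / klass was null
 * @throws IOException on transport errors or an unexpected status
 */
private <T> T call(HttpURLConnection conn, Map jsonOutput, int expectedResponse, Class<T> klass, int authRetryCount) throws IOException {
    T ret = null;
    try {
        if (jsonOutput != null) {
            writeJson(jsonOutput, conn.getOutputStream());
        }
    } catch (IOException ex) {
        IOUtils.closeStream(conn.getInputStream());
        throw ex;
    }
    int responseCode = conn.getResponseCode();
    // The reason phrase is optional and getResponseMessage() returns null
    // when it is absent; the original dereferenced it unconditionally, so
    // any 403 without a reason phrase blew up with an NPE instead of
    // reaching validateResponse below.
    String responseMessage = conn.getResponseMessage();
    boolean authFailureReportedAs403 = responseCode == HttpURLConnection.HTTP_FORBIDDEN
            && responseMessage != null
            && (responseMessage.equals(ANONYMOUS_REQUESTS_DISALLOWED)
                || responseMessage.contains(INVALID_SIGNATURE));
    if (authFailureReportedAs403 || responseCode == HttpURLConnection.HTTP_UNAUTHORIZED) {
        // Ideally, this should happen only when there is an Authentication
        // failure. Unfortunately, the AuthenticationFilter returns 403 when it
        // cannot authenticate (Since a 401 requires Server to send
        // WWW-Authenticate header as well)..
        // Drop the (possibly expired or rejected) cached token so the retry
        // re-authenticates from scratch rather than replaying it.
        KMSClientProvider.this.authToken = new DelegationTokenAuthenticatedURL.Token();
        if (authRetryCount > 0) {
            String contentType = conn.getRequestProperty(CONTENT_TYPE);
            String requestMethod = conn.getRequestMethod();
            URL url = conn.getURL();
            // A used HttpURLConnection cannot be resent; rebuild an equivalent one.
            conn = createConnection(url, requestMethod);
            conn.setRequestProperty(CONTENT_TYPE, contentType);
            return call(conn, jsonOutput, expectedResponse, klass, authRetryCount - 1);
        }
    }
    try {
        AuthenticatedURL.extractToken(conn, authToken);
    } catch (AuthenticationException ignored) {
        // Ignore the AuthExceptions.. since we are just using the method to
        // extract and set the authToken.. (Workaround till we actually fix
        // AuthenticatedURL properly to set authToken post initialization)
    }
    HttpExceptionUtils.validateResponse(conn, expectedResponse);
    // Only decode when the server says it sent JSON and the caller wants a value.
    if (conn.getContentType() != null && conn.getContentType().trim().toLowerCase().startsWith(APPLICATION_JSON_MIME) && klass != null) {
        ObjectMapper mapper = new ObjectMapper();
        InputStream is = null;
        try {
            is = conn.getInputStream();
            ret = mapper.readValue(is, klass);
        } finally {
            IOUtils.closeStream(is);
        }
    }
    return ret;
}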
use of org.apache.hadoop.security.authentication.client.AuthenticatedURL in project hadoop by apache.
the class TestHttpFSWithKerberos method testDelegationTokenHttpFSAccess.
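/**
 * End-to-end delegation-token lifecycle against HttpFS: obtain a token over
 * SPNEGO, use it without Kerberos, check that renewal requires Kerberos,
 * cancel it with the token alone, and confirm the cancelled token is rejected.
 */
@Test
@TestDir
@TestJetty
@TestHdfs
public void testDelegationTokenHttpFSAccess() throws Exception {
    createHttpFSServer();
    KerberosTestUtils.doAsClient(new Callable<Void>() {
        @Override
        public Void call() throws Exception {
            // 1. Get a delegation token; this request is authenticated via
            //    SPNEGO by AuthenticatedURL using the client's Kerberos creds.
            URL url = new URL(TestJettyHelper.getJettyURL(), "/webhdfs/v1/?op=GETDELEGATIONTOKEN");
            AuthenticatedURL aUrl = new AuthenticatedURL();
            AuthenticatedURL.Token aToken = new AuthenticatedURL.Token();
            HttpURLConnection conn = aUrl.openConnection(url, aToken);
            // JUnit's assertEquals is (expected, actual); the original had the
            // arguments swapped throughout, which made failure messages
            // report the wrong value as "expected".
            Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
            // Decode the JSON body as UTF-8 explicitly instead of relying on
            // the platform default charset.
            JSONObject json = (JSONObject) new JSONParser().parse(new InputStreamReader(conn.getInputStream(), "UTF-8"));
            json = (JSONObject) json.get(DelegationTokenAuthenticator.DELEGATION_TOKEN_JSON);
            String tokenStr = (String) json.get(DelegationTokenAuthenticator.DELEGATION_TOKEN_URL_STRING_JSON);
            // 2. The token alone (plain URLConnection, no Kerberos) is enough
            //    to read. It travels in the query string, so it will show up
            //    in server access logs; that is the WebHDFS protocol, not a
            //    test artefact. The value is used verbatim, so it is assumed
            //    to be URL-safe already -- TODO confirm against the encoder.
            url = new URL(TestJettyHelper.getJettyURL(), "/webhdfs/v1/?op=GETHOMEDIRECTORY&delegation=" + tokenStr);
            conn = (HttpURLConnection) url.openConnection();
            Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
            // 3. Renewal must NOT be possible with the token alone: without
            //    SPNEGO credentials the server answers 401.
            url = new URL(TestJettyHelper.getJettyURL(), "/webhdfs/v1/?op=RENEWDELEGATIONTOKEN&token=" + tokenStr);
            conn = (HttpURLConnection) url.openConnection();
            conn.setRequestMethod("PUT");
            Assert.assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED, conn.getResponseCode());
            // 4. Renewal with SPNEGO credentials succeeds.
            url = new URL(TestJettyHelper.getJettyURL(), "/webhdfs/v1/?op=RENEWDELEGATIONTOKEN&token=" + tokenStr);
            conn = aUrl.openConnection(url, aToken);
            conn.setRequestMethod("PUT");
            Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
            // 5. Cancellation is accepted with the token alone (no SPNEGO):
            //    whoever holds the token may revoke it.
            url = new URL(TestJettyHelper.getJettyURL(), "/webhdfs/v1/?op=CANCELDELEGATIONTOKEN&token=" + tokenStr);
            conn = (HttpURLConnection) url.openConnection();
            conn.setRequestMethod("PUT");
            Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
            // 6. The cancelled token must no longer authenticate reads.
            url = new URL(TestJettyHelper.getJettyURL(), "/webhdfs/v1/?op=GETHOMEDIRECTORY&delegation=" + tokenStr);
            conn = (HttpURLConnection) url.openConnection();
            Assert.assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED, conn.getResponseCode());
            return null;
        }
    });
}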
use of org.apache.hadoop.security.authentication.client.AuthenticatedURL in project hadoop by apache.
the class URLConnectionFactory method openConnection.
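/**
 * Opens a url with read and connect timeouts.
 *
 * With {@code isSpnego} set, the connection is made through
 * {@link AuthenticatedURL} using the current user's Kerberos credentials;
 * otherwise a plain {@link URLConnection} is returned, configured only
 * when it is an HTTP(S) connection.
 *
 * @param url
 *          URL to open
 * @param isSpnego
 *          whether the url should be authenticated via SPNEGO
 * @return URLConnection
 * @throws IOException
 * @throws AuthenticationException
 */
public URLConnection openConnection(URL url, boolean isSpnego) throws IOException, AuthenticationException {
    if (isSpnego) {
        LOG.debug("open AuthenticatedURL connection {}", url);
        // Make sure the current UGI still has a usable TGT before the SPNEGO
        // handshake (presumably this re-logs in from the keytab if needed).
        UserGroupInformation.getCurrentUser().checkTGTAndReloginFromKeytab();
        // A fresh token per connection; the server's response populates it.
        final AuthenticatedURL.Token authToken = new AuthenticatedURL.Token();
        return new AuthenticatedURL(new KerberosUgiAuthenticator(), connConfigurator).openConnection(url, authToken);
    } else {
        // Include the URL, as the SPNEGO branch does; the original message
        // omitted it, so the two branches could not be told apart in the log.
        LOG.debug("open URL connection {}", url);
        URLConnection connection = url.openConnection();
        // connConfigurator only knows HttpURLConnection, so other schemes
        // (e.g. file:) are returned without timeouts applied.
        if (connection instanceof HttpURLConnection) {
            connConfigurator.configure((HttpURLConnection) connection);
        }
        return connection;
    }
}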
use of org.apache.hadoop.security.authentication.client.AuthenticatedURL in project hadoop by apache.
the class TestHttpServerWithSpengo method testAuthenticationWithProxyUser.
/**
 * Group / user layout used by this test:
 * <pre>
 *   groupA: userA
 *   groupB: userA, userB
 *   groupC: userC
 * </pre>
 * The SPNEGO filter is enabled. userA may impersonate (doAs) members of
 * groupB. The server ACL is "userA groupA", so only userA has admin access;
 * admin-only servlets such as /logs and /logLevel answer 403 to everyone else.
 * @throws Exception
 */
@Test
public void testAuthenticationWithProxyUser() throws Exception {
    Configuration conf = getSpengoConf(new Configuration());
    // The /logs servlet serves hadoop.log.dir; point it at the scratch dir.
    System.setProperty("hadoop.log.dir", testRootDir.getAbsolutePath());
    // Register the three test users with their group memberships.
    UserGroupInformation.createUserForTesting("userA", new String[] { "groupA", "groupB" });
    UserGroupInformation.createUserForTesting("userB", new String[] { "groupB" });
    UserGroupInformation.createUserForTesting("userC", new String[] { "groupC" });
    // Grant userA proxy (doAs) rights over groupB from any host.
    conf.set("hadoop.proxyuser.userA.hosts", "*");
    conf.set("hadoop.proxyuser.userA.groups", "groupB");
    ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
    final String[] nonAdminServlets = { "stacks", "jmx", "conf" };
    final String[] adminServlets = { "logLevel", "logs" };
    HttpServer2 server = null;
    try {
        server = getCommonBuilder().setConf(conf).setACL(new AccessControlList("userA groupA")).build();
        server.start();
        // NOTE(review): despite the helper names, a Signer presumably signs
        // the auth token rather than encrypting it (the cookie is
        // tamper-evident, not confidential) -- confirm against Signer.
        Signer signer = getSignerToEncrypt();
        AuthenticatedURL.Token token = getEncryptedAuthToken(signer, "userA");
        String base = "http://" + NetUtils.getHostPortString(server.getConnectorAddress(0)) + "/";
        // The default authenticator is kerberos.
        AuthenticatedURL authUrl = new AuthenticatedURL();
        // userA -> userB: userB is in groupB, so impersonation is permitted.
        for (String servlet : nonAdminServlets) {
            URL target = new URL(base + servlet + "?doAs=userB");
            HttpURLConnection conn = authUrl.openConnection(target, token);
            Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
        }
        // userA -> userC: userC is outside groupB, yet these servlets still
        // answer 200. NOTE(review): the test pins that the doAs check does not
        // gate the non-admin servlets -- confirm against the filter before
        // relying on this.
        for (String servlet : nonAdminServlets) {
            URL target = new URL(base + servlet + "?doAs=userC");
            HttpURLConnection conn = authUrl.openConnection(target, token);
            Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
        }
        // Admin-only servlets: doAs=userC is refused even though the caller is userA.
        for (String servlet : adminServlets) {
            URL target = new URL(base + servlet + "?doAs=userC");
            HttpURLConnection conn = authUrl.openConnection(target, token);
            Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
        }
        // Admin-only servlets: userA itself is allowed.
        for (String servlet : adminServlets) {
            URL target = new URL(base + servlet);
            HttpURLConnection conn = authUrl.openConnection(target, token);
            Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
        }
        // Switch identity to userB, who is not in the admin ACL.
        token = getEncryptedAuthToken(signer, "userB");
        for (String servlet : adminServlets) {
            URL target = new URL(base + servlet);
            HttpURLConnection conn = authUrl.openConnection(target, token);
            Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
        }
    } finally {
        if (server != null) {
            server.stop();
        }
    }
}