Example 11 with InvalidToken

Use of org.apache.hadoop.security.token.SecretManager.InvalidToken in project hadoop by apache.

From class TestShortCircuitCache, method testShmBasedStaleness. The test checks that a short-circuit replica's shared-memory slot is reported as invalid once the DataNode that backs it goes away.

```java
@Test(timeout = 60000)
public void testShmBasedStaleness() throws Exception {
    BlockReaderTestUtil.enableShortCircuitShmTracing();
    TemporarySocketDirectory sockDir = new TemporarySocketDirectory();
    Configuration conf = createShortCircuitConf("testShmBasedStaleness", sockDir);
    MiniDFSCluster cluster = new MiniDFSCluster.Builder(conf).numDataNodes(1).build();
    cluster.waitActive();
    DistributedFileSystem fs = cluster.getFileSystem();
    final ShortCircuitCache cache = fs.getClient().getClientContext().getShortCircuitCache();
    String TEST_FILE = "/test_file";
    final int TEST_FILE_LEN = 8193;
    final int SEED = 0xFADED;
    DFSTestUtil.createFile(fs, new Path(TEST_FILE), TEST_FILE_LEN, (short) 1, SEED);
    FSDataInputStream fis = fs.open(new Path(TEST_FILE));
    // A single short-circuit read populates the cache with a replica for the first block.
    int first = fis.read();
    final ExtendedBlock block = DFSTestUtil.getFirstBlock(fs, new Path(TEST_FILE));
    Assert.assertTrue(first != -1);
    // While the DataNode is up, the replica's shared-memory slot must be valid.
    cache.accept(new CacheVisitor() {

        @Override
        public void visit(int numOutstandingMmaps,
                          Map<ExtendedBlockId, ShortCircuitReplica> replicas,
                          Map<ExtendedBlockId, InvalidToken> failedLoads,
                          LinkedMap evictable, LinkedMap evictableMmapped) {
            ShortCircuitReplica replica = replicas.get(ExtendedBlockId.fromExtendedBlock(block));
            Assert.assertNotNull(replica);
            Assert.assertTrue(replica.getSlot().isValid());
        }
    });
    // Stop the DataNode.  This closes the socket keeping the client's
    // shared memory segment alive, and makes the segment stale.
    cluster.getDataNodes().get(0).shutdown();
    // The replica is still cached, but its slot must now be reported as invalid.
    cache.accept(new CacheVisitor() {

        @Override
        public void visit(int numOutstandingMmaps,
                          Map<ExtendedBlockId, ShortCircuitReplica> replicas,
                          Map<ExtendedBlockId, InvalidToken> failedLoads,
                          LinkedMap evictable, LinkedMap evictableMmapped) {
            ShortCircuitReplica replica = replicas.get(ExtendedBlockId.fromExtendedBlock(block));
            Assert.assertNotNull(replica);
            Assert.assertFalse(replica.getSlot().isValid());
        }
    });
    cluster.shutdown();
    sockDir.close();
}
```

Example 12 with InvalidToken

Use of org.apache.hadoop.security.token.SecretManager.InvalidToken in project hadoop by apache.

From class TestDelegationToken, method testDelegationTokenSecretManager. The test walks a delegation token through its lifecycle: renewal is refused for a renewer that does not match the one in the identifier, the token expires after its renew interval, and renewal fails with InvalidToken once the max lifetime has passed.

```java
@Test
public void testDelegationTokenSecretManager() throws Exception {
    Token<DelegationTokenIdentifier> token = generateDelegationToken("SomeUser", "JobTracker");
    // Fake renewer should not be able to renew
    try {
        dtSecretManager.renewToken(token, "FakeRenewer");
        Assert.fail("should have failed");
    } catch (AccessControlException ace) {
        // PASS
    }
    // The renewer named in the identifier may renew.
    dtSecretManager.renewToken(token, "JobTracker");
    // Deserialize the identifier bytes carried by the token so the secret manager can verify it.
    DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
    byte[] tokenId = token.getIdentifier();
    identifier.readFields(new DataInputStream(new ByteArrayInputStream(tokenId)));
    Assert.assertTrue(null != dtSecretManager.retrievePassword(identifier));
    LOG.info("Sleep to expire the token");
    Thread.sleep(6000);
    // Token should be expired
    try {
        dtSecretManager.retrievePassword(identifier);
        // Should not come here
        Assert.fail("Token should have expired");
    } catch (InvalidToken e) {
        // Success
    }
    // An expired token can still be renewed while it is within its max lifetime.
    dtSecretManager.renewToken(token, "JobTracker");
    LOG.info("Sleep beyond the max lifetime");
    Thread.sleep(5000);
    try {
        dtSecretManager.renewToken(token, "JobTracker");
        Assert.fail("should have been expired");
    } catch (InvalidToken it) {
        // PASS
    }
}
```

Example 13 with InvalidToken

Use of org.apache.hadoop.security.token.SecretManager.InvalidToken in project hive by apache.

From class TestHadoopAuthBridge23, method testDelegationTokenSharedStore. The test verifies that tokens and master keys written by one secret manager are visible to a second manager backed by the same shared store, and that cancellation, token expiry and key expiry are all reflected in the store.

```java
/**
 * Test delegation token store/load from shared store.
 * @throws Exception
 */
@Test
public void testDelegationTokenSharedStore() throws Exception {
    UserGroupInformation clientUgi = UserGroupInformation.getCurrentUser();
    TokenStoreDelegationTokenSecretManager tokenManager = new TokenStoreDelegationTokenSecretManager(0, 60 * 60 * 1000, 60 * 60 * 1000, 0, MyTokenStore.TOKEN_STORE);
    // initializes current key
    tokenManager.startThreads();
    tokenManager.stopThreads();
    String tokenStrForm = tokenManager.getDelegationToken(clientUgi.getShortUserName());
    Token<DelegationTokenIdentifier> t = new Token<DelegationTokenIdentifier>();
    t.decodeFromUrlString(tokenStrForm);
    // check whether the username in the token is what we expect
    DelegationTokenIdentifier d = new DelegationTokenIdentifier();
    d.readFields(new DataInputStream(new ByteArrayInputStream(t.getIdentifier())));
    Assert.assertTrue("Usernames don't match", clientUgi.getShortUserName().equals(d.getUser().getShortUserName()));
    DelegationTokenInformation tokenInfo = MyTokenStore.TOKEN_STORE.getToken(d);
    Assert.assertNotNull("token not in store", tokenInfo);
    Assert.assertFalse("duplicate token add", MyTokenStore.TOKEN_STORE.addToken(d, tokenInfo));
    // check keys are copied from token store when token is loaded
    TokenStoreDelegationTokenSecretManager anotherManager = new TokenStoreDelegationTokenSecretManager(0, 0, 0, 0, MyTokenStore.TOKEN_STORE);
    Assert.assertEquals("master keys empty on init", 0, anotherManager.getAllKeys().length);
    Assert.assertNotNull("token loaded", anotherManager.retrievePassword(d));
    anotherManager.renewToken(t, clientUgi.getShortUserName());
    Assert.assertEquals("master keys not loaded from store", MyTokenStore.TOKEN_STORE.getMasterKeys().length, anotherManager.getAllKeys().length);
    // cancel the delegation token
    tokenManager.cancelDelegationToken(tokenStrForm);
    Assert.assertNull("token not removed from store after cancel", MyTokenStore.TOKEN_STORE.getToken(d));
    Assert.assertFalse("token removed (again)", MyTokenStore.TOKEN_STORE.removeToken(d));
    // the second manager shares the store, so it must also reject the cancelled token
    try {
        anotherManager.retrievePassword(d);
        Assert.fail("InvalidToken expected after cancel");
    } catch (InvalidToken ex) {
        // expected
    }
    // token expiration: re-add the token with a renew date of 0 (already expired)
    MyTokenStore.TOKEN_STORE.addToken(d, new DelegationTokenInformation(0, t.getPassword()));
    Assert.assertNotNull(MyTokenStore.TOKEN_STORE.getToken(d));
    anotherManager.removeExpiredTokens();
    Assert.assertNull("Expired token not removed", MyTokenStore.TOKEN_STORE.getToken(d));
    // key expiration - create an already expired key
    // generates initial key
    anotherManager.startThreads();
    anotherManager.stopThreads();
    DelegationKey expiredKey = new DelegationKey(-1, 0, anotherManager.getAllKeys()[0].getKey());
    // updates key with sequence number
    anotherManager.logUpdateMasterKey(expiredKey);
    Assert.assertTrue("expired key not in allKeys", anotherManager.reloadKeys().containsKey(expiredKey.getKeyId()));
    // rolling the master key must purge the expired one
    anotherManager.rollMasterKeyExt();
    Assert.assertFalse("Expired key not removed", anotherManager.reloadKeys().containsKey(expiredKey.getKeyId()));
}
```

Example 14 with InvalidToken

Use of org.apache.hadoop.security.token.SecretManager.InvalidToken in project hadoop by apache.

From class RMWebServices, method cancelDelegationToken. The REST endpoint maps an InvalidToken raised inside the ResourceManager to an HTTP 400 and an AccessControlException to an HTTP 403, and takes the token from a request header rather than the URL so it does not land in access logs.

```java
// For cancelling tokens, the encoded token is passed as a header
// There are two reasons for this -
// 1. Passing a request body as part of a DELETE request is not
// allowed by Jetty
// 2. Passing the encoded token as part of the url is not ideal
// since urls tend to get logged and anyone with access to
// the logs can extract tokens which are meant to be secret
@DELETE
@Path("/delegation-token")
@Produces({ MediaType.APPLICATION_JSON + "; " + JettyUtils.UTF_8, MediaType.APPLICATION_XML + "; " + JettyUtils.UTF_8 })
public Response cancelDelegationToken(@Context HttpServletRequest hsr) throws AuthorizationException, IOException, InterruptedException, Exception {
    init();
    // Only a Kerberos-authenticated caller may cancel a token.
    UserGroupInformation callerUGI;
    try {
        callerUGI = createKerberosUserGroupInformation(hsr);
    } catch (YarnException ye) {
        return Response.status(Status.FORBIDDEN).entity(ye.getMessage()).build();
    }
    Token<RMDelegationTokenIdentifier> token = extractToken(hsr);
    org.apache.hadoop.yarn.api.records.Token dToken = BuilderUtils.newDelegationToken(token.getIdentifier(), token.getKind().toString(), token.getPassword(), token.getService().toString());
    final CancelDelegationTokenRequest req = CancelDelegationTokenRequest.newInstance(dToken);
    try {
        // Run the cancel as the caller so the RM enforces the owner/renewer check.
        callerUGI.doAs(new PrivilegedExceptionAction<CancelDelegationTokenResponse>() {

            @Override
            public CancelDelegationTokenResponse run() throws IOException, YarnException {
                return rm.getClientRMService().cancelDelegationToken(req);
            }
        });
    } catch (UndeclaredThrowableException ue) {
        // doAs wraps checked exceptions from run(); unwrap to find the YARN cause.
        if (ue.getCause() instanceof YarnException) {
            if (ue.getCause().getCause() instanceof InvalidToken) {
                throw new BadRequestException(ue.getCause().getCause().getMessage());
            } else if (ue.getCause().getCause() instanceof org.apache.hadoop.security.AccessControlException) {
                return Response.status(Status.FORBIDDEN).entity(ue.getCause().getCause().getMessage()).build();
            }
            LOG.info("Cancel delegation token request failed", ue);
            throw ue;
        }
        LOG.info("Cancel delegation token request failed", ue);
        throw ue;
    } catch (Exception e) {
        LOG.info("Cancel delegation token request failed", e);
        throw e;
    }
    return Response.status(Status.OK).build();
}
```

Example 15 with InvalidToken

Use of org.apache.hadoop.security.token.SecretManager.InvalidToken in project hadoop by apache.

From class TestDelegationTokenRenewer, method testDTKeepAlive2. The test checks that a token registered for cancellation on application completion stays valid for the keep-alive window, that an explicit keep-alive request extends that window, and that renewal fails with InvalidToken once the window has run out.

```java
/**
 * Basic idea of the test:
 * 0. Setup token KEEP_ALIVE
 * 1. create tokens.
 * 2. register them for renewal - to be cancelled on app complete
 * 3. Complete app.
 * 4. Verify token is alive within the KEEP_ALIVE time
 * 5. Send an explicit KEEP_ALIVE_REQUEST
 * 6. Verify token KEEP_ALIVE time is renewed.
 * 7. Verify token has been cancelled after the renewed KEEP_ALIVE_TIME.
 * @throws IOException
 * @throws URISyntaxException
 */
@Test(timeout = 60000)
public void testDTKeepAlive2() throws Exception {
    Configuration lconf = new Configuration(conf);
    lconf.setBoolean(YarnConfiguration.LOG_AGGREGATION_ENABLED, true);
    // Keep tokens alive for 6 seconds.
    lconf.setLong(YarnConfiguration.RM_NM_EXPIRY_INTERVAL_MS, 6000L);
    // Try removing tokens every second.
    lconf.setLong(YarnConfiguration.RM_DELAYED_DELEGATION_TOKEN_REMOVAL_INTERVAL_MS, 1000L);
    DelegationTokenRenewer localDtr = createNewDelegationTokenRenewer(conf, counter);
    // Mock the RM context the renewer needs; only the client service address is used.
    RMContext mockContext = mock(RMContext.class);
    when(mockContext.getSystemCredentialsForApps()).thenReturn(new ConcurrentHashMap<ApplicationId, ByteBuffer>());
    ClientRMService mockClientRMService = mock(ClientRMService.class);
    when(mockContext.getClientRMService()).thenReturn(mockClientRMService);
    when(mockContext.getDelegationTokenRenewer()).thenReturn(localDtr);
    when(mockContext.getDispatcher()).thenReturn(dispatcher);
    InetSocketAddress sockAddr = InetSocketAddress.createUnresolved("localhost", 1234);
    when(mockClientRMService.getBindAddress()).thenReturn(sockAddr);
    localDtr.setRMContext(mockContext);
    localDtr.init(lconf);
    localDtr.start();
    MyFS dfs = (MyFS) FileSystem.get(lconf);
    LOG.info("dfs=" + (Object) dfs.hashCode() + ";conf=" + lconf.hashCode());
    Credentials ts = new Credentials();
    // get the delegation tokens
    MyToken token1 = dfs.getDelegationToken("user1");
    String nn1 = DelegationTokenRenewer.SCHEME + "://host1:0";
    ts.addToken(new Text(nn1), token1);
    // register the tokens for renewal; the 'true' flag asks for cancellation when the app finishes
    ApplicationId applicationId_0 = BuilderUtils.newApplicationId(0, 0);
    localDtr.addApplicationAsync(applicationId_0, ts, true, "user", new Configuration());
    localDtr.applicationFinished(applicationId_0);
    waitForEventsToGetProcessed(delegationTokenRenewer);
    // Send another keep alive.
    localDtr.updateKeepAliveApplications(Collections.singletonList(applicationId_0));
    // Renewal should not fail.
    token1.renew(lconf);
    // Token should be around after this.
    Thread.sleep(4500L);
    // Renewal should not fail. - ~1.5 seconds for keepalive timeout.
    token1.renew(lconf);
    // Allow the keepalive time to run out
    Thread.sleep(3000L);
    // The token should have been cancelled at this point. Renewal will fail.
    try {
        token1.renew(lconf);
        fail("Renewal of cancelled token should have failed");
    } catch (InvalidToken ite) {
        // expected: the token was cancelled when the keep-alive window expired
    }
}
```