
Example 6 with TokenIdentifier

use of org.apache.hadoop.security.token.TokenIdentifier in project hadoop by apache.

the class RMWebServices method createCredentials.

/**
 * Builds a Hadoop {@code Credentials} object from the tokens and secrets
 * carried in a {@code CredentialsInfo}.
 *
 * <p>The CredentialsInfo is provided by the user, so every alias, token string
 * and secret handled here is untrusted input. This method only decodes the
 * values: nothing in it checks that a decoded token is genuine, so that check
 * has to happen wherever the resulting credentials are consumed.
 *
 * @param credentials
 *          the CredentialsInfo provided by the user.
 * @return a Credentials object holding one token per entry of
 *         {@code getTokens()} and one secret key per entry of
 *         {@code getSecrets()}.
 * @throws BadRequestException
 *           if decoding raises an IOException.
 */
private Credentials createCredentials(CredentialsInfo credentials) {
    final Credentials parsed = new Credentials();
    try {
        for (Map.Entry<String, String> tokenEntry : credentials.getTokens().entrySet()) {
            final Text tokenAlias = new Text(tokenEntry.getKey());
            final Token<TokenIdentifier> decodedToken = new Token<TokenIdentifier>();
            // Decoding fills in the token's fields from the string; it is not a
            // validity check on the token.
            decodedToken.decodeFromUrlString(tokenEntry.getValue());
            parsed.addToken(tokenAlias, decodedToken);
        }
        for (Map.Entry<String, String> secretEntry : credentials.getSecrets().entrySet()) {
            final Text secretAlias = new Text(secretEntry.getKey());
            // URL-safe Base64 with line chunking disabled (lineLength 0, no separator).
            // NOTE(review): only IOException is turned into a 400 below; how malformed
            // Base64 in a secret is treated depends on the commons-codec version - confirm.
            final byte[] secretBytes = new Base64(0, null, true).decode(secretEntry.getValue());
            parsed.addSecretKey(secretAlias, secretBytes);
        }
        return parsed;
    } catch (IOException ie) {
        // The decoder's own message is embedded in the exception text, which is
        // presumably what the caller of the web service sees.
        final String reason = "Could not parse credentials data; exception message = " + ie.getMessage();
        throw new BadRequestException(reason);
    }
}
Also used : TokenIdentifier(org.apache.hadoop.security.token.TokenIdentifier) RMDelegationTokenIdentifier(org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier) Base64(org.apache.commons.codec.binary.Base64) BadRequestException(org.apache.hadoop.yarn.webapp.BadRequestException) Text(org.apache.hadoop.io.Text) InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken) Token(org.apache.hadoop.security.token.Token) DelegationToken(org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.DelegationToken) IOException(java.io.IOException) Map(java.util.Map) HashMap(java.util.HashMap) ConcurrentMap(java.util.concurrent.ConcurrentMap) Credentials(org.apache.hadoop.security.Credentials)

Example 7 with TokenIdentifier

use of org.apache.hadoop.security.token.TokenIdentifier in project hadoop by apache.

the class TestYarnClient method testAutomaticTimelineDelegationTokenLoading.

/**
 * Checks that, after submitApplication, the AM container launch context
 * carries exactly one timeline delegation token, both when the submitted
 * credentials already contain it (i == 0) and when they do not (i == 1).
 * In the first case it also verifies that no new token was requested.
 */
@Test
public void testAutomaticTimelineDelegationTokenLoading() throws Exception {
    // Timeline service enabled and Kerberos selected as the authentication method.
    Configuration conf = new YarnConfiguration();
    conf.setBoolean(YarnConfiguration.TIMELINE_SERVICE_ENABLED, true);
    SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, conf);
    // Fixture token: default identifier, empty password, empty service name.
    TimelineDelegationTokenIdentifier timelineDT = new TimelineDelegationTokenIdentifier();
    final Token<TimelineDelegationTokenIdentifier> dToken = new Token<TimelineDelegationTokenIdentifier>(timelineDT.getBytes(), new byte[0], timelineDT.getKind(), new Text());
    // Spy on a YarnClientImpl subclass whose collaborators are replaced by mocks,
    // so calls on the client can be verified without a running cluster.
    YarnClientImpl client = spy(new YarnClientImpl() {

        // The mocked timeline client hands out dToken for any renewer string.
        @Override
        TimelineClient createTimelineClient() throws IOException, YarnException {
            timelineClient = mock(TimelineClient.class);
            when(timelineClient.getDelegationToken(any(String.class))).thenReturn(dToken);
            return timelineClient;
        }

        // Replace the RM protocol proxy with a mock instead of connecting.
        @Override
        protected void serviceStart() throws Exception {
            rmClient = mock(ApplicationClientProtocol.class);
        }

        // Nothing was started for real, so there is nothing to stop.
        @Override
        protected void serviceStop() throws Exception {
        }

        // Every application is reported as RUNNING.
        @Override
        public ApplicationReport getApplicationReport(ApplicationId appId) {
            ApplicationReport report = mock(ApplicationReport.class);
            when(report.getYarnApplicationState()).thenReturn(YarnApplicationState.RUNNING);
            return report;
        }

        // Force the security-enabled code path regardless of the environment.
        @Override
        public boolean isSecurityEnabled() {
            return true;
        }
    });
    client.init(conf);
    client.start();
    try {
        // i == 0: the credentials already hold the timeline DT.
        // i == 1: the timeline DT is absent, so one more has to be obtained.
        for (int i = 0; i < 2; ++i) {
            ApplicationSubmissionContext context = mock(ApplicationSubmissionContext.class);
            ApplicationId applicationId = ApplicationId.newInstance(0, i + 1);
            when(context.getApplicationId()).thenReturn(applicationId);
            // Serialize the (possibly empty) credentials into the launch context.
            DataOutputBuffer dob = new DataOutputBuffer();
            Credentials credentials = new Credentials();
            if (i == 0) {
                credentials.addToken(client.timelineService, dToken);
            }
            credentials.writeTokenStorageToStream(dob);
            ByteBuffer tokens = ByteBuffer.wrap(dob.getData(), 0, dob.getLength());
            ContainerLaunchContext clc = ContainerLaunchContext.newInstance(null, null, null, null, tokens, null);
            when(context.getAMContainerSpec()).thenReturn(clc);
            client.submitApplication(context);
            if (i == 0) {
                // The token was already present, so getTimelineDelegationToken
                // must not have been called.
                verify(client, never()).getTimelineDelegationToken();
            }
            // Either way the launch context must now carry the token: read the
            // credentials back from it.
            credentials = new Credentials();
            DataInputByteBuffer dibb = new DataInputByteBuffer();
            tokens = clc.getTokens();
            if (tokens != null) {
                dibb.reset(tokens);
                credentials.readTokenStorageStream(dibb);
                // Reset the buffer position after reading it.
                tokens.rewind();
            }
            // Exactly one token, and it is the expected one: no duplicate was added.
            Collection<Token<? extends TokenIdentifier>> dTokens = credentials.getAllTokens();
            Assert.assertEquals(1, dTokens.size());
            Assert.assertEquals(dToken, dTokens.iterator().next());
        }
    } finally {
        client.stop();
    }
}
Also used : TokenIdentifier(org.apache.hadoop.security.token.TokenIdentifier) TimelineDelegationTokenIdentifier(org.apache.hadoop.yarn.security.client.TimelineDelegationTokenIdentifier) CapacitySchedulerConfiguration(org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacitySchedulerConfiguration) Configuration(org.apache.hadoop.conf.Configuration) YarnConfiguration(org.apache.hadoop.yarn.conf.YarnConfiguration) DataInputByteBuffer(org.apache.hadoop.io.DataInputByteBuffer) TimelineDelegationTokenIdentifier(org.apache.hadoop.yarn.security.client.TimelineDelegationTokenIdentifier) Token(org.apache.hadoop.security.token.Token) Text(org.apache.hadoop.io.Text) IOException(java.io.IOException) ContainerLaunchContext(org.apache.hadoop.yarn.api.records.ContainerLaunchContext) ByteBuffer(java.nio.ByteBuffer) DataInputByteBuffer(org.apache.hadoop.io.DataInputByteBuffer) YarnException(org.apache.hadoop.yarn.exceptions.YarnException) ApplicationNotFoundException(org.apache.hadoop.yarn.exceptions.ApplicationNotFoundException) ApplicationIdNotProvidedException(org.apache.hadoop.yarn.exceptions.ApplicationIdNotProvidedException) IOException(java.io.IOException) ContainerNotFoundException(org.apache.hadoop.yarn.exceptions.ContainerNotFoundException) YarnException(org.apache.hadoop.yarn.exceptions.YarnException) ApplicationReport(org.apache.hadoop.yarn.api.records.ApplicationReport) TimelineClient(org.apache.hadoop.yarn.client.api.TimelineClient) YarnConfiguration(org.apache.hadoop.yarn.conf.YarnConfiguration) ApplicationSubmissionContext(org.apache.hadoop.yarn.api.records.ApplicationSubmissionContext) DataOutputBuffer(org.apache.hadoop.io.DataOutputBuffer) ApplicationId(org.apache.hadoop.yarn.api.records.ApplicationId) Credentials(org.apache.hadoop.security.Credentials) Test(org.junit.Test)

Example 8 with TokenIdentifier

use of org.apache.hadoop.security.token.TokenIdentifier in project hadoop by apache.

the class YarnServerSecurityUtils method selectAMRMTokenIdentifier.

/**
 * Picks the AMRMTokenIdentifier out of the token identifiers attached to the
 * remote UGI. The RPC layer currently sets only the required id, but all
 * identifiers are scanned anyway to be sure.
 *
 * <p>The first AMRMTokenIdentifier met while iterating the set is returned, so
 * if several were present the choice would follow the set's iteration order.
 *
 * @param remoteUgi the UGI whose token identifiers are inspected
 * @return the matching identifier, or {@code null} when the UGI carries none;
 *         callers have to handle the {@code null} case themselves
 * @throws IOException declared by the signature; the visible body has no
 *         explicit throw
 */
private static AMRMTokenIdentifier selectAMRMTokenIdentifier(UserGroupInformation remoteUgi) throws IOException {
    for (TokenIdentifier candidate : remoteUgi.getTokenIdentifiers()) {
        if (candidate instanceof AMRMTokenIdentifier) {
            return (AMRMTokenIdentifier) candidate;
        }
    }
    // No AMRM token identifier was attached to this UGI.
    return null;
}
Also used : AMRMTokenIdentifier(org.apache.hadoop.yarn.security.AMRMTokenIdentifier) TokenIdentifier(org.apache.hadoop.security.token.TokenIdentifier) AMRMTokenIdentifier(org.apache.hadoop.yarn.security.AMRMTokenIdentifier)

Example 9 with TokenIdentifier

use of org.apache.hadoop.security.token.TokenIdentifier in project hadoop by apache.

the class TestUserGroupInformation method testPrivateTokenExclusion.

/**
 * In some scenarios, such as HA, delegation tokens are associated with a
 * logical name. The tokens are cloned and the clones are associated with the
 * physical address of the server where the service is provided.
 * This test ensures that cloned delegation tokens are used locally only
 * and are not returned in {@link UserGroupInformation#getCredentials()}.
 */
@Test
public void testPrivateTokenExclusion() throws Exception {
    final String[] groups = new String[] { "PRIVATEUSERS" };
    final UserGroupInformation ugi = UserGroupInformation.createUserForTesting("privateUser", groups);
    final TestTokenIdentifier identifier = new TestTokenIdentifier();
    // Fixture token with a fixed test password and no service set.
    final Token<TestTokenIdentifier> regularToken = new Token<TestTokenIdentifier>(identifier.getBytes(), "password".getBytes(), identifier.getKind(), null);
    ugi.addToken(new Text("regular-token"), regularToken);
    // Add two private clones of the same token under their own service names.
    for (String privateName : new String[] { "private-token", "private-token1" }) {
        final Text privateService = new Text(privateName);
        ugi.addToken(privateService, regularToken.privateClone(privateService));
    }
    // Three tokens were added, but only the non-private one may be exported.
    final Collection<Token<? extends TokenIdentifier>> exported = ugi.getCredentials().getAllTokens();
    assertEquals(1, exported.size());
}
Also used : TestTokenIdentifier(org.apache.hadoop.ipc.TestRpcBase.TestTokenIdentifier) TestTokenIdentifier(org.apache.hadoop.ipc.TestRpcBase.TestTokenIdentifier) TokenIdentifier(org.apache.hadoop.security.token.TokenIdentifier) Token(org.apache.hadoop.security.token.Token) Text(org.apache.hadoop.io.Text) Test(org.junit.Test)

Example 10 with TokenIdentifier

use of org.apache.hadoop.security.token.TokenIdentifier in project hadoop by apache.

the class TestUserGroupInformation method testUGITokens.

/**
 * Checks how a UGI exposes tokens and secret keys: both added tokens are
 * visible, the secret key added through Credentials comes back as the same
 * array instance, the returned token collection rejects removal, and the
 * tokens are still visible inside doAs.
 */
// The unchecked warnings come from assigning raw Mockito mocks to Token<T>.
@SuppressWarnings("unchecked")
@Test(timeout = 30000)
public <T extends TokenIdentifier> void testUGITokens() throws Exception {
    UserGroupInformation ugi = UserGroupInformation.createUserForTesting("TheDoctor", new String[] { "TheTARDIS" });
    Token<T> firstToken = mock(Token.class);
    when(firstToken.getService()).thenReturn(new Text("t1"));
    Token<T> secondToken = mock(Token.class);
    when(secondToken.getService()).thenReturn(new Text("t2"));
    Credentials extraCreds = new Credentials();
    byte[] secretKey = new byte[] {};
    Text secretName = new Text("shhh");
    extraCreds.addSecretKey(secretName, secretKey);
    ugi.addToken(firstToken);
    ugi.addToken(secondToken);
    ugi.addCredentials(extraCreds);
    // Both tokens, and nothing else, must be visible on the UGI.
    Collection<Token<? extends TokenIdentifier>> visibleTokens = ugi.getTokens();
    assertTrue(visibleTokens.contains(firstToken));
    assertTrue(visibleTokens.contains(secondToken));
    assertEquals(2, visibleTokens.size());
    // assertSame pins that the very same byte[] comes back, i.e. the secret is
    // handed out without a copy being made.
    Credentials exportedCreds = ugi.getCredentials();
    assertSame(secretKey, exportedCreds.getSecretKey(secretName));
    assertEquals(1, exportedCreds.numberOfSecretKeys());
    try {
        visibleTokens.remove(firstToken);
        fail("Shouldn't be able to modify token collection from UGI");
    } catch (UnsupportedOperationException expected) {
        // Expected: the collection handed out by the UGI cannot be modified.
    }
    // Ensure that the tokens are passed through doAs.
    Collection<Token<? extends TokenIdentifier>> tokensInsideDoAs = ugi.doAs(new PrivilegedExceptionAction<Collection<Token<?>>>() {

        @Override
        public Collection<Token<?>> run() throws IOException {
            return UserGroupInformation.getCurrentUser().getTokens();
        }
    });
    assertTrue(tokensInsideDoAs.contains(firstToken));
    assertTrue(tokensInsideDoAs.contains(secondToken));
}
Also used : TestTokenIdentifier(org.apache.hadoop.ipc.TestRpcBase.TestTokenIdentifier) TokenIdentifier(org.apache.hadoop.security.token.TokenIdentifier) Text(org.apache.hadoop.io.Text) Token(org.apache.hadoop.security.token.Token) IOException(java.io.IOException) Collection(java.util.Collection) Test(org.junit.Test)
