Search in sources :

Example 1 with AbstractDelegationTokenIdentifier

use of org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier in project hadoop by apache.

the class DelegationTokenAuthenticationHandler method authenticate.

/**
   * Authenticates a request looking for the <code>delegation</code>
   * query-string parameter and verifying it is a valid token. If there is not
   * <code>delegation</code> query-string parameter, it delegates the
   * authentication to the {@link KerberosAuthenticationHandler} unless it is
   * disabled.
   *
   * @param request the HTTP client request.
   * @param response the HTTP client response.
   * @return the authentication token for the authenticated request.
   * @throws IOException thrown if an IO error occurred.
   * @throws AuthenticationException thrown if the authentication failed.
   */
@SuppressWarnings("unchecked")
@Override
public AuthenticationToken authenticate(HttpServletRequest request, HttpServletResponse response) throws IOException, AuthenticationException {
    AuthenticationToken token;
    String delegationParam = getDelegationToken(request);
    if (delegationParam != null) {
        try {
            Token<AbstractDelegationTokenIdentifier> dt = new Token();
            dt.decodeFromUrlString(delegationParam);
            UserGroupInformation ugi = tokenManager.verifyToken(dt);
            final String shortName = ugi.getShortUserName();
            // creating a ephemeral token
            token = new AuthenticationToken(shortName, ugi.getUserName(), getType());
            token.setExpires(0);
            request.setAttribute(DELEGATION_TOKEN_UGI_ATTRIBUTE, ugi);
        } catch (Throwable ex) {
            token = null;
            HttpExceptionUtils.createServletExceptionResponse(response, HttpServletResponse.SC_FORBIDDEN, new AuthenticationException(ex));
        }
    } else {
        token = authHandler.authenticate(request, response);
    }
    return token;
}
Also used : AbstractDelegationTokenIdentifier(org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier) AuthenticationToken(org.apache.hadoop.security.authentication.server.AuthenticationToken) AuthenticationException(org.apache.hadoop.security.authentication.client.AuthenticationException) AuthenticationToken(org.apache.hadoop.security.authentication.server.AuthenticationToken) Token(org.apache.hadoop.security.token.Token) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 2 with AbstractDelegationTokenIdentifier

use of org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier in project hadoop by apache.

the class DelegationTokenAuthenticationHandler method managementOperation.

@Override
@SuppressWarnings("unchecked")
public boolean managementOperation(AuthenticationToken token, HttpServletRequest request, HttpServletResponse response) throws IOException, AuthenticationException {
    boolean requestContinues = true;
    String op = ServletUtils.getParameter(request, KerberosDelegationTokenAuthenticator.OP_PARAM);
    op = (op != null) ? StringUtils.toUpperCase(op) : null;
    if (isManagementOperation(request)) {
        KerberosDelegationTokenAuthenticator.DelegationTokenOperation dtOp = KerberosDelegationTokenAuthenticator.DelegationTokenOperation.valueOf(op);
        if (dtOp.getHttpMethod().equals(request.getMethod())) {
            boolean doManagement;
            if (dtOp.requiresKerberosCredentials() && token == null) {
                // Don't authenticate via DT for DT ops.
                token = authHandler.authenticate(request, response);
                if (token == null) {
                    requestContinues = false;
                    doManagement = false;
                } else {
                    doManagement = true;
                }
            } else {
                doManagement = true;
            }
            if (doManagement) {
                UserGroupInformation requestUgi = (token != null) ? UserGroupInformation.createRemoteUser(token.getUserName()) : null;
                // Create the proxy user if doAsUser exists
                String doAsUser = DelegationTokenAuthenticationFilter.getDoAs(request);
                if (requestUgi != null && doAsUser != null) {
                    requestUgi = UserGroupInformation.createProxyUser(doAsUser, requestUgi);
                    try {
                        ProxyUsers.authorize(requestUgi, request.getRemoteAddr());
                    } catch (AuthorizationException ex) {
                        HttpExceptionUtils.createServletExceptionResponse(response, HttpServletResponse.SC_FORBIDDEN, ex);
                        return false;
                    }
                }
                Map map = null;
                switch(dtOp) {
                    case GETDELEGATIONTOKEN:
                        if (requestUgi == null) {
                            throw new IllegalStateException("request UGI cannot be NULL");
                        }
                        String renewer = ServletUtils.getParameter(request, KerberosDelegationTokenAuthenticator.RENEWER_PARAM);
                        try {
                            Token<?> dToken = tokenManager.createToken(requestUgi, renewer);
                            map = delegationTokenToJSON(dToken);
                        } catch (IOException ex) {
                            throw new AuthenticationException(ex.toString(), ex);
                        }
                        break;
                    case RENEWDELEGATIONTOKEN:
                        if (requestUgi == null) {
                            throw new IllegalStateException("request UGI cannot be NULL");
                        }
                        String tokenToRenew = ServletUtils.getParameter(request, KerberosDelegationTokenAuthenticator.TOKEN_PARAM);
                        if (tokenToRenew == null) {
                            response.sendError(HttpServletResponse.SC_BAD_REQUEST, MessageFormat.format("Operation [{0}] requires the parameter [{1}]", dtOp, KerberosDelegationTokenAuthenticator.TOKEN_PARAM));
                            requestContinues = false;
                        } else {
                            Token<AbstractDelegationTokenIdentifier> dt = new Token();
                            try {
                                dt.decodeFromUrlString(tokenToRenew);
                                long expirationTime = tokenManager.renewToken(dt, requestUgi.getShortUserName());
                                map = new HashMap();
                                map.put("long", expirationTime);
                            } catch (IOException ex) {
                                throw new AuthenticationException(ex.toString(), ex);
                            }
                        }
                        break;
                    case CANCELDELEGATIONTOKEN:
                        String tokenToCancel = ServletUtils.getParameter(request, KerberosDelegationTokenAuthenticator.TOKEN_PARAM);
                        if (tokenToCancel == null) {
                            response.sendError(HttpServletResponse.SC_BAD_REQUEST, MessageFormat.format("Operation [{0}] requires the parameter [{1}]", dtOp, KerberosDelegationTokenAuthenticator.TOKEN_PARAM));
                            requestContinues = false;
                        } else {
                            Token<AbstractDelegationTokenIdentifier> dt = new Token();
                            try {
                                dt.decodeFromUrlString(tokenToCancel);
                                tokenManager.cancelToken(dt, (requestUgi != null) ? requestUgi.getShortUserName() : null);
                            } catch (IOException ex) {
                                response.sendError(HttpServletResponse.SC_NOT_FOUND, "Invalid delegation token, cannot cancel");
                                requestContinues = false;
                            }
                        }
                        break;
                }
                if (requestContinues) {
                    response.setStatus(HttpServletResponse.SC_OK);
                    if (map != null) {
                        response.setContentType(MediaType.APPLICATION_JSON);
                        Writer writer = response.getWriter();
                        ObjectMapper jsonMapper = new ObjectMapper(jsonFactory);
                        jsonMapper.writeValue(writer, map);
                        writer.write(ENTER);
                        writer.flush();
                    }
                    requestContinues = false;
                }
            }
        } else {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, MessageFormat.format("Wrong HTTP method [{0}] for operation [{1}], it should be " + "[{2}]", request.getMethod(), dtOp, dtOp.getHttpMethod()));
            requestContinues = false;
        }
    }
    return requestContinues;
}
Also used : AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) AuthenticationException(org.apache.hadoop.security.authentication.client.AuthenticationException) HashMap(java.util.HashMap) LinkedHashMap(java.util.LinkedHashMap) AuthenticationToken(org.apache.hadoop.security.authentication.server.AuthenticationToken) Token(org.apache.hadoop.security.token.Token) IOException(java.io.IOException) AbstractDelegationTokenIdentifier(org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier) HashMap(java.util.HashMap) LinkedHashMap(java.util.LinkedHashMap) Map(java.util.Map) Writer(java.io.Writer) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 3 with AbstractDelegationTokenIdentifier

use of org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier in project hadoop by apache.

the class DelegationTokenManager method createToken.

@SuppressWarnings("unchecked")
public Token<? extends AbstractDelegationTokenIdentifier> createToken(UserGroupInformation ugi, String renewer) {
    LOG.debug("Creating token with ugi:{}, renewer:{}.", ugi, renewer);
    renewer = (renewer == null) ? ugi.getShortUserName() : renewer;
    String user = ugi.getUserName();
    Text owner = new Text(user);
    Text realUser = null;
    if (ugi.getRealUser() != null) {
        realUser = new Text(ugi.getRealUser().getUserName());
    }
    AbstractDelegationTokenIdentifier tokenIdentifier = (AbstractDelegationTokenIdentifier) secretManager.createIdentifier();
    tokenIdentifier.setOwner(owner);
    tokenIdentifier.setRenewer(new Text(renewer));
    tokenIdentifier.setRealUser(realUser);
    return new Token(tokenIdentifier, secretManager);
}
Also used : AbstractDelegationTokenIdentifier(org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier) Text(org.apache.hadoop.io.Text) Token(org.apache.hadoop.security.token.Token)

Example 4 with AbstractDelegationTokenIdentifier

use of org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier in project hadoop by apache.

the class DelegationTokenManager method verifyToken.

@SuppressWarnings("unchecked")
public UserGroupInformation verifyToken(Token<? extends AbstractDelegationTokenIdentifier> token) throws IOException {
    AbstractDelegationTokenIdentifier id = secretManager.decodeTokenIdentifier(token);
    secretManager.verifyToken(id, token.getPassword());
    return id.getUser();
}
Also used : AbstractDelegationTokenIdentifier(org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier)

Example 5 with AbstractDelegationTokenIdentifier

use of org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier in project hadoop by apache.

the class DelegationTokenRenewer method skipTokenRenewal.

/*
   * Skip renewing token if the renewer of the token is set to ""
   * Caller is expected to have examined that token.isManaged() returns
   * true before calling this method.
   */
private boolean skipTokenRenewal(Token<?> token) throws IOException {
    @SuppressWarnings("unchecked") AbstractDelegationTokenIdentifier identifier = ((Token<AbstractDelegationTokenIdentifier>) token).decodeIdentifier();
    if (identifier == null) {
        return false;
    }
    Text renewer = identifier.getRenewer();
    return (renewer != null && renewer.toString().equals(""));
}
Also used : AbstractDelegationTokenIdentifier(org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier) Token(org.apache.hadoop.security.token.Token) Text(org.apache.hadoop.io.Text)

Aggregations

AbstractDelegationTokenIdentifier (org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier)9 Token (org.apache.hadoop.security.token.Token)6 HashMap (java.util.HashMap)4 Map (java.util.Map)3 Text (org.apache.hadoop.io.Text)3 AuthenticationException (org.apache.hadoop.security.authentication.client.AuthenticationException)3 ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper)2 IOException (java.io.IOException)2 HttpURLConnection (java.net.HttpURLConnection)2 InetSocketAddress (java.net.InetSocketAddress)2 UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)2 AuthenticationToken (org.apache.hadoop.security.authentication.server.AuthenticationToken)2 Writer (java.io.Writer)1 URL (java.net.URL)1 LinkedHashMap (java.util.LinkedHashMap)1 Credentials (org.apache.hadoop.security.Credentials)1 AuthenticatedURL (org.apache.hadoop.security.authentication.client.AuthenticatedURL)1 AuthorizationException (org.apache.hadoop.security.authorize.AuthorizationException)1