use of org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier in project hadoop by apache.
the class DtFileOperations method printCredentials.
/** Print out a Credentials object.
* @param creds the Credentials object to be printed out.
* @param alias print only tokens matching alias (null matches all).
* @param out print to this stream.
* @throws IOException if a token identifier cannot be decoded or a token cannot be encoded.
*/
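public static void printCredentials(Credentials creds, Text alias, PrintStream out) throws IOException {
  boolean tokenHeader = true;
  String fmt = "%-24s %-20s %-15s %-12s %s%n";
  for (Token<?> token : creds.getAllTokens()) {
    if (!matchAlias(token, alias)) {
      continue;
    }
    if (tokenHeader) {
      // The column header is written once, just before the first matching token,
      // so nothing at all is printed when no token matches.
      out.printf(fmt, "Token kind", "Service", "Renewer", "Exp date", "URL enc token");
      out.println(StringUtils.repeat("-", 80));
      tokenHeader = false;
    }
    // Renewer and max date exist only on delegation-token identifiers. An
    // identifier of any other type is treated like an undecodable one and shown
    // as NA_STRING, rather than failing the cast and aborting the listing.
    Object decoded = token.decodeIdentifier();
    AbstractDelegationTokenIdentifier id = (decoded instanceof AbstractDelegationTokenIdentifier)
        ? (AbstractDelegationTokenIdentifier) decoded
        : null;
    // The last column is the URL-safe serialization of the whole token, the same
    // form decodeFromUrlString() turns back into a usable token. Whatever
    // receives this stream (terminal scrollback, log file, ticket attachment)
    // therefore holds a working credential and must be protected like one.
    out.printf(fmt,
        token.getKind(),
        token.getService(),
        (id != null) ? id.getRenewer() : NA_STRING,
        (id != null) ? formatDate(id.getMaxDate()) : NA_STRING,
        token.encodeToUrlString());
  }
}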
use of org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier in project hadoop by apache.
the class DelegationTokenAuthenticator method getDelegationToken.
/**
* Requests a delegation token using the configured <code>Authenticator</code>
* for authentication.
*
* @param url the URL to get the delegation token from. Only HTTP/S URLs are
* supported.
* @param token the authentication token being used for the user where the
* Delegation token will be stored.
* @param renewer the renewer user.
* @param doAsUser the user to do as, which will be the token owner.
* @throws IOException if an IO error occurred.
* @throws AuthenticationException if an authentication exception occurred.
*/
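public Token<AbstractDelegationTokenIdentifier> getDelegationToken(URL url, AuthenticatedURL.Token token, String renewer, String doAsUser) throws IOException, AuthenticationException {
  Map json = doDelegationTokenOperation(url, token, DelegationTokenOperation.GETDELEGATIONTOKEN, renewer, null, true, doAsUser);
  // The reply is produced by the remote endpoint, so its shape is checked before
  // use: a missing or mistyped field is reported as a failed operation instead
  // of surfacing as a NullPointerException or ClassCastException.
  Object wrapper = (json != null) ? json.get(DELEGATION_TOKEN_JSON) : null;
  if (!(wrapper instanceof Map)) {
    throw new AuthenticationException(String.format(
        "'%s' returned no '%s' object for the '%s' delegation token operation",
        url.getAuthority(), DELEGATION_TOKEN_JSON, DelegationTokenOperation.GETDELEGATIONTOKEN));
  }
  Object tokenStr = ((Map) wrapper).get(DELEGATION_TOKEN_URL_STRING_JSON);
  if (!(tokenStr instanceof String)) {
    // The message names the missing field only; token material is never echoed.
    throw new AuthenticationException(String.format(
        "'%s' returned no '%s' string for the '%s' delegation token operation",
        url.getAuthority(), DELEGATION_TOKEN_URL_STRING_JSON, DelegationTokenOperation.GETDELEGATIONTOKEN));
  }
  Token<AbstractDelegationTokenIdentifier> dToken = new Token<AbstractDelegationTokenIdentifier>();
  dToken.decodeFromUrlString((String) tokenStr);
  // URL.getPort() is -1 when the URL names no port, which InetSocketAddress
  // rejects; fall back to the protocol's default port so a port-less URL does
  // not fail here, after the server has already issued the token.
  int port = (url.getPort() != -1) ? url.getPort() : url.getDefaultPort();
  // The service recorded on the token comes from the request URL, not from
  // anything in the reply, so the responder cannot choose which service the
  // token is filed under.
  InetSocketAddress service = new InetSocketAddress(url.getHost(), port);
  SecurityUtil.setTokenService(dToken, service);
  return dToken;
}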
use of org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier in project hadoop by apache.
the class DelegationTokenAuthenticator method doDelegationTokenOperation.
/**
 * Sends one delegation token operation to {@code url} and returns the parsed
 * JSON reply.
 *
 * @param url endpoint; the operation and its arguments are appended to it as
 * query parameters.
 * @param token the authentication token handed to the connection.
 * @param operation the operation to perform; it also supplies the HTTP method.
 * @param renewer renewer to send, or null to omit the parameter.
 * @param dToken delegation token to send, or null to omit the parameter.
 * @param hasResponse whether a JSON body is expected and must be parsed.
 * @param doAsUser user to act on behalf of, or null to omit the parameter.
 * @return the JSON reply as a map, or null when {@code hasResponse} is false.
 * @throws IOException if an IO error occurred.
 * @throws AuthenticationException if an authentication exception occurred, or
 * the reply is not JSON or cannot be parsed.
 */
private Map doDelegationTokenOperation(URL url, AuthenticatedURL.Token token, DelegationTokenOperation operation, String renewer, Token<?> dToken, boolean hasResponse, String doAsUser) throws IOException, AuthenticationException {
  Map<String, String> queryParams = new HashMap<String, String>();
  queryParams.put(OP_PARAM, operation.toString());
  if (renewer != null) {
    queryParams.put(RENEWER_PARAM, renewer);
  }
  if (dToken != null) {
    // The serialized token becomes part of the request URL here, so anything
    // that records request URLs along the way also records the token.
    queryParams.put(TOKEN_PARAM, dToken.encodeToUrlString());
  }
  if (doAsUser != null) {
    // proxyuser
    // NOTE(review): this value is URL-encoded here and once more in the loop
    // below, so a name containing characters that need escaping is sent
    // double-encoded. Confirm the receiving side expects that.
    queryParams.put(DelegationTokenAuthenticatedURL.DO_AS, URLEncoder.encode(doAsUser, "UTF-8"));
  }

  // Append the parameters to whatever query string the URL already carries.
  String base = url.toExternalForm();
  StringBuilder target = new StringBuilder(base);
  boolean needsQuestionMark = !base.contains("?");
  for (Map.Entry<String, String> param : queryParams.entrySet()) {
    target.append(needsQuestionMark ? "?" : "&");
    needsQuestionMark = false;
    target.append(param.getKey()).append("=").append(URLEncoder.encode(param.getValue(), "UTF8"));
  }
  URL opUrl = new URL(target.toString());

  AuthenticatedURL authUrl = new AuthenticatedURL(this, connConfigurator);
  org.apache.hadoop.security.token.Token<AbstractDelegationTokenIdentifier> savedToken = null;
  if (token instanceof DelegationTokenAuthenticatedURL.Token && operation.requiresKerberosCredentials()) {
    // Operations that require Kerberos credentials must not authenticate with
    // the delegation token itself: take it off the auth-token so the fall-back
    // authentication runs, and put it back in the finally block below.
    DelegationTokenAuthenticatedURL.Token dtAuthToken = (DelegationTokenAuthenticatedURL.Token) token;
    savedToken = dtAuthToken.getDelegationToken();
    dtAuthToken.setDelegationToken(null);
  }
  try {
    HttpURLConnection conn = authUrl.openConnection(opUrl, token);
    conn.setRequestMethod(operation.getHttpMethod());
    HttpExceptionUtils.validateResponse(conn, HttpURLConnection.HTTP_OK);
    if (!hasResponse) {
      return null;
    }
    // Only a reply declared as JSON is parsed; any other content type, or none
    // at all, is rejected before the body is read.
    String contentType = conn.getHeaderField(CONTENT_TYPE);
    if (contentType != null) {
      contentType = StringUtils.toLowerCase(contentType);
    }
    if (contentType == null || !contentType.contains(APPLICATION_JSON_MIME)) {
      throw new AuthenticationException(String.format("'%s' did not " + "respond with JSON to the '%s' delegation token operation", opUrl.getAuthority(), operation));
    }
    try {
      ObjectMapper mapper = new ObjectMapper();
      return mapper.readValue(conn.getInputStream(), Map.class);
    } catch (Exception ex) {
      throw new AuthenticationException(String.format("'%s' did not handle the '%s' delegation token operation: %s", opUrl.getAuthority(), operation, ex.getMessage()), ex);
    }
  } finally {
    // Restore the caller's delegation token whether or not the request succeeded.
    if (savedToken != null) {
      ((DelegationTokenAuthenticatedURL.Token) token).setDelegationToken(savedToken);
    }
  }
}
use of org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier in project hadoop by apache.
the class DelegationTokenAuthenticatedURL method openConnection.
/**
* Returns an authenticated {@link HttpURLConnection}. If the Delegation
* Token is present, it will be used taking precedence over the configured
* <code>Authenticator</code>. If the <code>doAs</code> parameter is not NULL,
* the request will be done on behalf of the specified <code>doAs</code> user.
*
* @param url the URL to connect to. Only HTTP/S URLs are supported.
* @param token the authentication token being used for the user.
* @param doAs user to do the request on behalf of, if NULL the request is
* as self.
* @return an authenticated {@link HttpURLConnection}.
* @throws IOException if an IO error occurred.
* @throws AuthenticationException if an authentication exception occurred.
*/
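@SuppressWarnings("unchecked")
public HttpURLConnection openConnection(URL url, Token token, String doAs) throws IOException, AuthenticationException {
  Preconditions.checkNotNull(url, "url");
  Preconditions.checkNotNull(token, "token");
  Map<String, String> extraParams = new HashMap<String, String>();
  org.apache.hadoop.security.token.Token<? extends TokenIdentifier> dToken = null;
  // A delegation token is only looked up while the auth-token is not set; once
  // it is set, the credentials are not consulted at all.
  if (!token.isSet()) {
    Credentials creds = UserGroupInformation.getCurrentUser().getCredentials();
    if (!creds.getAllTokens().isEmpty()) {
      // URL.getPort() is -1 when the URL names no port, which InetSocketAddress
      // rejects with an IllegalArgumentException; use the protocol's default
      // port for the lookup in that case.
      int port = (url.getPort() != -1) ? url.getPort() : url.getDefaultPort();
      InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(), port);
      // The lookup key is built from this URL's host and port, so only a token
      // filed under that service is attached; tokens held for other services
      // are never sent with this request.
      Text service = SecurityUtil.buildTokenService(serviceAddr);
      dToken = creds.getToken(service);
      if (dToken != null) {
        if (useQueryStringForDelegationToken()) {
          // The token goes into the query string, i.e. into the request URL,
          // where anything that records URLs will also record the token. The
          // header branch below keeps it out of the URL.
          extraParams.put(KerberosDelegationTokenAuthenticator.DELEGATION_PARAM, dToken.encodeToUrlString());
        } else {
          // The token will go as a request header. Storing it in the auth-token
          // ensures no authentication handshake is triggered (holding a
          // delegation token means we are already authenticated); the header
          // itself is added to the connection at the end of this method.
          token.delegationToken = (org.apache.hadoop.security.token.Token<AbstractDelegationTokenIdentifier>) dToken;
        }
      }
    }
  }
  // proxyuser
  if (doAs != null) {
    // NOTE(review): the value is URL-encoded here before augmentURL() runs;
    // confirm augmentURL() does not encode parameter values a second time.
    extraParams.put(DO_AS, URLEncoder.encode(doAs, "UTF-8"));
  }
  url = augmentURL(url, extraParams);
  HttpURLConnection conn = super.openConnection(url, token);
  if (!token.isSet() && !useQueryStringForDelegationToken() && dToken != null) {
    // Header delivery: add the delegation token to the connection request.
    conn.setRequestProperty(DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER, dToken.encodeToUrlString());
  }
  return conn;
}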