
Example 21 with DelegationKey

use of org.apache.hadoop.security.token.delegation.DelegationKey in project hive by apache.

the class TestHadoopAuthBridge23 method testDelegationTokenSharedStore.

/**
 * Exercises delegation-token persistence through a shared token store:
 * a token issued by one secret manager must be usable by a second
 * manager backed by the same store, and cancellation, token expiry and
 * master-key expiry must all be reflected in that store.
 *
 * @throws Exception on any failure while issuing, renewing or cancelling tokens
 */
@Test
public void testDelegationTokenSharedStore() throws Exception {
    UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
    String userName = currentUser.getShortUserName();
    int oneHourMillis = 60 * 60 * 1000;
    TokenStoreDelegationTokenSecretManager issuingManager =
        new TokenStoreDelegationTokenSecretManager(0, oneHourMillis, oneHourMillis, 0, MyTokenStore.TOKEN_STORE);
    // Starting and immediately stopping the background threads initializes the current master key.
    issuingManager.startThreads();
    issuingManager.stopThreads();

    String encodedToken = issuingManager.getDelegationToken(userName);
    Token<DelegationTokenIdentifier> token = new Token<>();
    token.decodeFromUrlString(encodedToken);

    // The identifier embedded in the token must name the requesting user.
    DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
    DataInputStream identifierIn = new DataInputStream(new ByteArrayInputStream(token.getIdentifier()));
    identifier.readFields(identifierIn);
    Assert.assertTrue("Usernames don't match", userName.equals(identifier.getUser().getShortUserName()));

    DelegationTokenInformation storedInfo = MyTokenStore.TOKEN_STORE.getToken(identifier);
    Assert.assertNotNull("token not in store", storedInfo);
    Assert.assertFalse("duplicate token add", MyTokenStore.TOKEN_STORE.addToken(identifier, storedInfo));

    // A second manager on the same store starts with no master keys and must
    // copy them from the store once the token is verified and renewed.
    TokenStoreDelegationTokenSecretManager secondManager =
        new TokenStoreDelegationTokenSecretManager(0, 0, 0, 0, MyTokenStore.TOKEN_STORE);
    Assert.assertEquals("master keys empty on init", 0, secondManager.getAllKeys().length);
    Assert.assertNotNull("token loaded", secondManager.retrievePassword(identifier));
    secondManager.renewToken(token, userName);
    Assert.assertEquals("master keys not loaded from store", MyTokenStore.TOKEN_STORE.getMasterKeys().length, secondManager.getAllKeys().length);

    // Cancelling through the issuing manager must remove the token from the
    // shared store and make it unusable for the second manager as well.
    issuingManager.cancelDelegationToken(encodedToken);
    Assert.assertNull("token not removed from store after cancel", MyTokenStore.TOKEN_STORE.getToken(identifier));
    Assert.assertFalse("token removed (again)", MyTokenStore.TOKEN_STORE.removeToken(identifier));
    try {
        secondManager.retrievePassword(identifier);
        Assert.fail("InvalidToken expected after cancel");
    } catch (InvalidToken expected) {
        // a cancelled token must be rejected
    }

    // Token expiry: re-add the token with a renew date of 0 so it is already
    // expired, then verify the expiry sweep purges it from the store.
    MyTokenStore.TOKEN_STORE.addToken(identifier, new DelegationTokenInformation(0, token.getPassword()));
    Assert.assertNotNull(MyTokenStore.TOKEN_STORE.getToken(identifier));
    secondManager.removeExpiredTokens();
    Assert.assertNull("Expired token not removed", MyTokenStore.TOKEN_STORE.getToken(identifier));

    // Master-key expiry: generate an initial key, register an already-expired
    // copy of its material (expiry 0), and verify a key roll removes it.
    secondManager.startThreads();
    secondManager.stopThreads();
    DelegationKey staleKey = new DelegationKey(-1, 0, secondManager.getAllKeys()[0].getKey());
    // logUpdateMasterKey assigns the key its sequence number in the store
    secondManager.logUpdateMasterKey(staleKey);
    Assert.assertTrue("expired key not in allKeys", secondManager.reloadKeys().containsKey(staleKey.getKeyId()));
    secondManager.rollMasterKeyExt();
    Assert.assertFalse("Expired key not removed", secondManager.reloadKeys().containsKey(staleKey.getKeyId()));
}
Also used : ByteArrayInputStream(java.io.ByteArrayInputStream) DelegationKey(org.apache.hadoop.security.token.delegation.DelegationKey) InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken) InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken) Token(org.apache.hadoop.security.token.Token) DataInputStream(java.io.DataInputStream) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) DelegationTokenInformation(org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager.DelegationTokenInformation) Test(org.junit.Test)

Example 22 with DelegationKey

use of org.apache.hadoop.security.token.delegation.DelegationKey in project hadoop by apache.

the class DelegationTokenSecretManager method saveSecretManagerState.

/**
 * Snapshots this secret manager's state for persistence.
 *
 * <p>Runs under the instance lock so the header counts, the master keys and
 * the live tokens are captured from a single consistent view. Master-key
 * material is written only when {@code getEncodedKey()} is non-null; a key
 * without material is persisted with id and expiry date alone.
 *
 * @return the header section together with the serialized master keys and tokens
 */
public synchronized SecretManagerState saveSecretManagerState() {
    ArrayList<SecretManagerSection.DelegationKey> persistedKeys = new ArrayList<>(allKeys.size());
    for (DelegationKey masterKey : allKeys.values()) {
        SecretManagerSection.DelegationKey.Builder keyBuilder = SecretManagerSection.DelegationKey.newBuilder()
            .setId(masterKey.getKeyId())
            .setExpiryDate(masterKey.getExpiryDate());
        byte[] encoded = masterKey.getEncodedKey();
        if (encoded != null) {
            keyBuilder.setKey(ByteString.copyFrom(encoded));
        }
        persistedKeys.add(keyBuilder.build());
    }

    ArrayList<SecretManagerSection.PersistToken> persistedTokens = new ArrayList<>(currentTokens.size());
    for (Entry<DelegationTokenIdentifier, DelegationTokenInformation> entry : currentTokens.entrySet()) {
        DelegationTokenIdentifier id = entry.getKey();
        // the persisted expiry date is the token's current renew date
        SecretManagerSection.PersistToken persisted = SecretManagerSection.PersistToken.newBuilder()
            .setOwner(id.getOwner().toString())
            .setRenewer(id.getRenewer().toString())
            .setRealUser(id.getRealUser().toString())
            .setIssueDate(id.getIssueDate())
            .setMaxDate(id.getMaxDate())
            .setSequenceNumber(id.getSequenceNumber())
            .setMasterKeyId(id.getMasterKeyId())
            .setExpiryDate(entry.getValue().getRenewDate())
            .build();
        persistedTokens.add(persisted);
    }

    SecretManagerSection header = SecretManagerSection.newBuilder()
        .setCurrentId(currentId)
        .setTokenSequenceNumber(delegationTokenSequenceNumber)
        .setNumKeys(allKeys.size())
        .setNumTokens(currentTokens.size())
        .build();
    return new SecretManagerState(header, persistedKeys, persistedTokens);
}
Also used : SecretManagerSection(org.apache.hadoop.hdfs.server.namenode.FsImageProto.SecretManagerSection) DelegationKey(org.apache.hadoop.security.token.delegation.DelegationKey)

Example 23 with DelegationKey

use of org.apache.hadoop.security.token.delegation.DelegationKey in project hadoop by apache.

the class FSEditLogOp method delegationKeyFromXml.

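/**
 * Reconstructs a {@link DelegationKey} from its XML stanza.
 *
 * <p>{@code KEY_ID} and {@code EXPIRY_DATE} are required. {@code KEY} is
 * optional: when the stanza has no {@code KEY} element the returned key
 * carries {@code null} key material. (The absence is presumably signalled by
 * {@code st.getValue} throwing {@link InvalidXmlException} — confirm against
 * Stanza.)
 *
 * @param st the stanza holding the delegation key fields
 * @return the decoded key; its key bytes are {@code null} if no {@code KEY} element is present
 * @throws InvalidXmlException if {@code KEY_ID} or {@code EXPIRY_DATE} is missing
 *         or not a valid number, or if the {@code KEY} value is not valid hex
 */
public static DelegationKey delegationKeyFromXml(Stanza st) throws InvalidXmlException {
    int keyId;
    long expiryDate;
    try {
        keyId = Integer.parseInt(st.getValue("KEY_ID"));
        expiryDate = Long.parseLong(st.getValue("EXPIRY_DATE"));
    } catch (NumberFormatException e) {
        // A malformed numeric field is reported as the documented exception type,
        // consistent with how a malformed KEY is reported below, instead of
        // escaping as a bare NumberFormatException.
        throw new InvalidXmlException("Malformed delegation key field: " + e);
    }
    byte[] key = null;
    try {
        key = Hex.decodeHex(st.getValue("KEY").toCharArray());
    } catch (DecoderException e) {
        throw new InvalidXmlException(e.toString());
    } catch (InvalidXmlException ignored) {
        // The KEY element is optional; a missing one leaves the key material
        // null rather than failing the whole stanza.
    }
    return new DelegationKey(keyId, expiryDate, key);
}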
Also used : DecoderException(org.apache.commons.codec.DecoderException) InvalidXmlException(org.apache.hadoop.hdfs.util.XMLUtils.InvalidXmlException) DelegationKey(org.apache.hadoop.security.token.delegation.DelegationKey)

Example 24 with DelegationKey

use of org.apache.hadoop.security.token.delegation.DelegationKey in project hadoop by apache.

the class TestHistoryServerFileSystemStateStoreService method testTokenStore.

/**
 * Round-trips master keys and delegation tokens through a file-system backed
 * state store at {@code stateStoreUri}: stores, removes and updates entries,
 * restarts the store and checks that exactly the expected entries come back.
 * Storing a key or token that is already present must fail with an
 * {@link IOException}.
 *
 * @param stateStoreUri URI set as {@code MR_HS_FS_STATE_STORE_URI} before the store is created
 * @throws IOException if the store cannot be created, written or reloaded
 */
private void testTokenStore(String stateStoreUri) throws IOException {
    conf.set(JHAdminConfig.MR_HS_FS_STATE_STORE_URI, stateStoreUri);
    HistoryServerStateStoreService stateStore = createAndStartStore();

    // A fresh store must come up with no persisted keys or tokens.
    HistoryServerState recovered = stateStore.loadState();
    assertTrue("token state not empty", recovered.tokenState.isEmpty());
    assertTrue("key state not empty", recovered.tokenMasterKeyState.isEmpty());

    // First round of fixtures: one master key and two tokens.
    final DelegationKey firstKey = new DelegationKey(1, 2, "keyData1".getBytes());
    final MRDelegationTokenIdentifier firstToken = new MRDelegationTokenIdentifier(new Text("tokenOwner1"), new Text("tokenRenewer1"), new Text("tokenUser1"));
    firstToken.setSequenceNumber(1);
    final Long firstTokenDate = 1L;
    final MRDelegationTokenIdentifier secondToken = new MRDelegationTokenIdentifier(new Text("tokenOwner2"), new Text("tokenRenewer2"), new Text("tokenUser2"));
    secondToken.setSequenceNumber(12345678);
    final Long secondTokenDate = 87654321L;

    stateStore.storeTokenMasterKey(firstKey);
    try {
        stateStore.storeTokenMasterKey(firstKey);
        fail("redundant store of key undetected");
    } catch (IOException expected) {
        // storing an already-present key must be rejected
    }
    stateStore.storeToken(firstToken, firstTokenDate);
    stateStore.storeToken(secondToken, secondTokenDate);
    try {
        stateStore.storeToken(firstToken, firstTokenDate);
        fail("redundant store of token undetected");
    } catch (IOException expected) {
        // storing an already-present token must be rejected
    }
    stateStore.close();

    // Everything written so far must survive a restart of the store.
    stateStore = createAndStartStore();
    recovered = stateStore.loadState();
    assertEquals("incorrect loaded token count", 2, recovered.tokenState.size());
    assertTrue("missing token 1", recovered.tokenState.containsKey(firstToken));
    assertEquals("incorrect token 1 date", firstTokenDate, recovered.tokenState.get(firstToken));
    assertTrue("missing token 2", recovered.tokenState.containsKey(secondToken));
    assertEquals("incorrect token 2 date", secondTokenDate, recovered.tokenState.get(secondToken));
    assertEquals("incorrect master key count", 1, recovered.tokenMasterKeyState.size());
    assertTrue("missing master key 1", recovered.tokenMasterKeyState.contains(firstKey));

    // Second round: add two keys and a token, drop the first key and token,
    // and renew the second token with a later date.
    final DelegationKey secondKey = new DelegationKey(3, 4, "keyData2".getBytes());
    final DelegationKey thirdKey = new DelegationKey(5, 6, "keyData3".getBytes());
    final MRDelegationTokenIdentifier thirdToken = new MRDelegationTokenIdentifier(new Text("tokenOwner3"), new Text("tokenRenewer3"), new Text("tokenUser3"));
    thirdToken.setSequenceNumber(12345679);
    final Long thirdTokenDate = 87654321L;
    final Long renewedSecondTokenDate = 975318642L;

    stateStore.removeToken(firstToken);
    stateStore.storeTokenMasterKey(secondKey);
    stateStore.updateToken(secondToken, renewedSecondTokenDate);
    stateStore.removeTokenMasterKey(firstKey);
    stateStore.storeTokenMasterKey(thirdKey);
    stateStore.storeToken(thirdToken, thirdTokenDate);
    stateStore.close();

    // After another restart only the surviving entries, with the renewed
    // date, may be present.
    stateStore = createAndStartStore();
    recovered = stateStore.loadState();
    assertEquals("incorrect loaded token count", 2, recovered.tokenState.size());
    assertFalse("token 1 not removed", recovered.tokenState.containsKey(firstToken));
    assertTrue("missing token 2", recovered.tokenState.containsKey(secondToken));
    assertEquals("incorrect token 2 date", renewedSecondTokenDate, recovered.tokenState.get(secondToken));
    assertTrue("missing token 3", recovered.tokenState.containsKey(thirdToken));
    assertEquals("incorrect token 3 date", thirdTokenDate, recovered.tokenState.get(thirdToken));
    assertEquals("incorrect master key count", 2, recovered.tokenMasterKeyState.size());
    assertFalse("master key 1 not removed", recovered.tokenMasterKeyState.contains(firstKey));
    assertTrue("missing master key 2", recovered.tokenMasterKeyState.contains(secondKey));
    assertTrue("missing master key 3", recovered.tokenMasterKeyState.contains(thirdKey));
    // NOTE(review): the final store instance is left open here; presumably
    // closed by test teardown — confirm.
}
Also used : HistoryServerState(org.apache.hadoop.mapreduce.v2.hs.HistoryServerStateStoreService.HistoryServerState) DelegationKey(org.apache.hadoop.security.token.delegation.DelegationKey) MRDelegationTokenIdentifier(org.apache.hadoop.mapreduce.v2.api.MRDelegationTokenIdentifier) Text(org.apache.hadoop.io.Text) IOException(java.io.IOException)

Example 25 with DelegationKey

use of org.apache.hadoop.security.token.delegation.DelegationKey in project hadoop by apache.

the class TestHistoryServerLeveldbStateStoreService method testTokenStore.

/**
 * Round-trips master keys and delegation tokens through the leveldb state
 * store: an empty store is verified first, then entries are stored, removed
 * and updated across two restarts and the recovered state is checked each time.
 *
 * @throws IOException if the store cannot be created, written or reloaded
 */
@Test
public void testTokenStore() throws IOException {
    HistoryServerStateStoreService stateStore = createAndStartStore();

    // nothing may be persisted in a brand-new store
    HistoryServerState recovered = stateStore.loadState();
    assertTrue("token state not empty", recovered.tokenState.isEmpty());
    assertTrue("key state not empty", recovered.tokenMasterKeyState.isEmpty());

    // first round: one master key, two tokens
    final DelegationKey keyA = new DelegationKey(1, 2, "keyData1".getBytes());
    final MRDelegationTokenIdentifier tokenA = new MRDelegationTokenIdentifier(new Text("tokenOwner1"), new Text("tokenRenewer1"), new Text("tokenUser1"));
    tokenA.setSequenceNumber(1);
    final Long tokenADate = 1L;
    final MRDelegationTokenIdentifier tokenB = new MRDelegationTokenIdentifier(new Text("tokenOwner2"), new Text("tokenRenewer2"), new Text("tokenUser2"));
    tokenB.setSequenceNumber(12345678);
    final Long tokenBDate = 87654321L;

    stateStore.storeTokenMasterKey(keyA);
    stateStore.storeToken(tokenA, tokenADate);
    stateStore.storeToken(tokenB, tokenBDate);
    stateStore.close();

    // the key and both tokens must be recovered after a restart
    stateStore = createAndStartStore();
    recovered = stateStore.loadState();
    assertEquals("incorrect loaded token count", 2, recovered.tokenState.size());
    assertTrue("missing token 1", recovered.tokenState.containsKey(tokenA));
    assertEquals("incorrect token 1 date", tokenADate, recovered.tokenState.get(tokenA));
    assertTrue("missing token 2", recovered.tokenState.containsKey(tokenB));
    assertEquals("incorrect token 2 date", tokenBDate, recovered.tokenState.get(tokenB));
    assertEquals("incorrect master key count", 1, recovered.tokenMasterKeyState.size());
    assertTrue("missing master key 1", recovered.tokenMasterKeyState.contains(keyA));

    // second round: two more keys and a token, the first key and token are
    // removed, and the second token is renewed with a later date
    final DelegationKey keyB = new DelegationKey(3, 4, "keyData2".getBytes());
    final DelegationKey keyC = new DelegationKey(5, 6, "keyData3".getBytes());
    final MRDelegationTokenIdentifier tokenC = new MRDelegationTokenIdentifier(new Text("tokenOwner3"), new Text("tokenRenewer3"), new Text("tokenUser3"));
    tokenC.setSequenceNumber(12345679);
    final Long tokenCDate = 87654321L;
    final Long renewedTokenBDate = 975318642L;

    stateStore.removeToken(tokenA);
    stateStore.storeTokenMasterKey(keyB);
    stateStore.updateToken(tokenB, renewedTokenBDate);
    stateStore.removeTokenMasterKey(keyA);
    stateStore.storeTokenMasterKey(keyC);
    stateStore.storeToken(tokenC, tokenCDate);
    stateStore.close();

    // after the second restart only the surviving entries are present and
    // the renewed token carries its updated expiration date
    stateStore = createAndStartStore();
    recovered = stateStore.loadState();
    assertEquals("incorrect loaded token count", 2, recovered.tokenState.size());
    assertFalse("token 1 not removed", recovered.tokenState.containsKey(tokenA));
    assertTrue("missing token 2", recovered.tokenState.containsKey(tokenB));
    assertEquals("incorrect token 2 date", renewedTokenBDate, recovered.tokenState.get(tokenB));
    assertTrue("missing token 3", recovered.tokenState.containsKey(tokenC));
    assertEquals("incorrect token 3 date", tokenCDate, recovered.tokenState.get(tokenC));
    assertEquals("incorrect master key count", 2, recovered.tokenMasterKeyState.size());
    assertFalse("master key 1 not removed", recovered.tokenMasterKeyState.contains(keyA));
    assertTrue("missing master key 2", recovered.tokenMasterKeyState.contains(keyB));
    assertTrue("missing master key 3", recovered.tokenMasterKeyState.contains(keyC));
    stateStore.close();
}
Also used : HistoryServerState(org.apache.hadoop.mapreduce.v2.hs.HistoryServerStateStoreService.HistoryServerState) DelegationKey(org.apache.hadoop.security.token.delegation.DelegationKey) MRDelegationTokenIdentifier(org.apache.hadoop.mapreduce.v2.api.MRDelegationTokenIdentifier) Text(org.apache.hadoop.io.Text) Test(org.junit.Test)

Aggregations

DelegationKey (org.apache.hadoop.security.token.delegation.DelegationKey)30 IOException (java.io.IOException)8 Test (org.junit.Test)8 ByteArrayInputStream (java.io.ByteArrayInputStream)7 DataInputStream (java.io.DataInputStream)7 Text (org.apache.hadoop.io.Text)7 RMDelegationTokenIdentifier (org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier)6 HashMap (java.util.HashMap)3 HashSet (java.util.HashSet)3 MRDelegationTokenIdentifier (org.apache.hadoop.mapreduce.v2.api.MRDelegationTokenIdentifier)3 MemoryRMStateStore (org.apache.hadoop.yarn.server.resourcemanager.recovery.MemoryRMStateStore)3 RMState (org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.RMState)3 Configuration (org.apache.hadoop.conf.Configuration)2 FSDataInputStream (org.apache.hadoop.fs.FSDataInputStream)2 SecretManagerSection (org.apache.hadoop.hdfs.server.namenode.FsImageProto.SecretManagerSection)2 HistoryServerState (org.apache.hadoop.mapreduce.v2.hs.HistoryServerStateStoreService.HistoryServerState)2 Token (org.apache.hadoop.security.token.Token)2 GetDelegationTokenRequest (org.apache.hadoop.yarn.api.protocolrecords.GetDelegationTokenRequest)2 GetDelegationTokenResponse (org.apache.hadoop.yarn.api.protocolrecords.GetDelegationTokenResponse)2 MockRM (org.apache.hadoop.yarn.server.resourcemanager.MockRM)2