
Example 6 with DelegationTokenAuthenticatedURL

use of org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL in project hadoop by apache.

From class TestKMSWithZK, method testMultipleKMSInstancesWithZKSigner.

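/**
 * Verifies that two KMS instances sharing a ZooKeeper-backed signer secret
 * accept each other's signed authentication cookies.
 *
 * The same {@code DelegationTokenAuthenticatedURL.Token} instance is reused
 * across requests: the first request (as "foo" against kms1) populates it and
 * the second request (as "bar" against kms2) presents that same token, which
 * kms2 can validate only because both instances load the signer secret from
 * the ZooKeeper path configured below. A third request with a freshly created,
 * empty token must be rejected with 403; why the server answers 403 rather
 * than 401 depends on the base KMS configuration from createBaseKMSConf
 * (presumably its ACLs) — confirm there.
 *
 * @throws Exception on any setup or request failure
 */
@Test
public void testMultipleKMSInstancesWithZKSigner() throws Exception {
    final File testDir = TestKMS.getTestDir();
    Configuration conf = createBaseKMSConf(testDir);
    TestingServer zkServer = new TestingServer();
    zkServer.start();
    MiniKMS kms1 = null;
    MiniKMS kms2 = null;
    // Everything after the ZooKeeper server is up runs inside the try so that
    // a failure in writeConf() or during KMS startup still stops the server.
    try {
        // Both instances read the same conf dir, so both use the ZooKeeper
        // signer secret provider with the same connection string and path.
        conf.set(KMSAuthenticationFilter.CONFIG_PREFIX + AuthenticationFilter.SIGNER_SECRET_PROVIDER, "zookeeper");
        conf.set(KMSAuthenticationFilter.CONFIG_PREFIX + ZKSignerSecretProvider.ZOOKEEPER_CONNECTION_STRING, zkServer.getConnectString());
        conf.set(KMSAuthenticationFilter.CONFIG_PREFIX + ZKSignerSecretProvider.ZOOKEEPER_PATH, "/secret");
        TestKMS.writeConf(testDir, conf);
        kms1 = new MiniKMS.Builder().setKmsConfDir(testDir).setLog4jConfFile("log4j.properties").build();
        kms1.start();
        kms2 = new MiniKMS.Builder().setKmsConfDir(testDir).setLog4jConfFile("log4j.properties").build();
        kms2.start();
        final URL url1 = new URL(kms1.getKMSUrl().toExternalForm() + KMSRESTConstants.SERVICE_VERSION + "/" + KMSRESTConstants.KEYS_NAMES_RESOURCE);
        final URL url2 = new URL(kms2.getKMSUrl().toExternalForm() + KMSRESTConstants.SERVICE_VERSION + "/" + KMSRESTConstants.KEYS_NAMES_RESOURCE);
        // Shared by the first two requests: filled in by the request to kms1,
        // presented unchanged to kms2.
        final DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token();
        final DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
        UserGroupInformation ugiFoo = UserGroupInformation.createUserForTesting("foo", new String[] { "gfoo" });
        UserGroupInformation ugiBar = UserGroupInformation.createUserForTesting("bar", new String[] { "gBar" });
        ugiFoo.doAs(new PrivilegedExceptionAction<Object>() {

            @Override
            public Object run() throws Exception {
                assertKmsResponseCode(aUrl, url1, token, HttpURLConnection.HTTP_OK);
                return null;
            }
        });
        ugiBar.doAs(new PrivilegedExceptionAction<Object>() {

            @Override
            public Object run() throws Exception {
                // kms2 did not issue this token; it can only validate it with
                // the signer secret shared through ZooKeeper.
                assertKmsResponseCode(aUrl, url2, token, HttpURLConnection.HTTP_OK);
                return null;
            }
        });
        ugiBar.doAs(new PrivilegedExceptionAction<Object>() {

            @Override
            public Object run() throws Exception {
                // A token carrying nothing from kms1 must not be accepted.
                final DelegationTokenAuthenticatedURL.Token emptyToken = new DelegationTokenAuthenticatedURL.Token();
                assertKmsResponseCode(aUrl, url2, emptyToken, HttpURLConnection.HTTP_FORBIDDEN);
                return null;
            }
        });
    } finally {
        if (kms2 != null) {
            kms2.stop();
        }
        if (kms1 != null) {
            kms1.stop();
        }
        zkServer.stop();
    }
}

/**
 * Opens {@code url} with {@code token} and asserts the HTTP status code,
 * always disconnecting the connection afterwards so no connection leaks
 * when the assertion fails.
 *
 * @param aUrl         the authenticated URL helper to open the connection with
 * @param url          the KMS resource to request
 * @param token        the authentication token to present (updated by the call)
 * @param expectedCode the HTTP status code the server must answer with
 * @throws Exception on connection or authentication failure
 */
private static void assertKmsResponseCode(DelegationTokenAuthenticatedURL aUrl, URL url, DelegationTokenAuthenticatedURL.Token token, int expectedCode) throws Exception {
    HttpURLConnection conn = aUrl.openConnection(url, token);
    try {
        Assert.assertEquals(expectedCode, conn.getResponseCode());
    } finally {
        conn.disconnect();
    }
}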

Example 7 with DelegationTokenAuthenticatedURL

use of org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL in project incubator-atlas by apache.

From class SecureClientUtils, method getClientConnectionHandler.

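/**
 * Builds a Jersey {@link URLConnectionClientHandler} whose connections are
 * opened under {@code ugi} (or the current user) through a Kerberos /
 * delegation-token authenticated URL, sending {@code doAsUser} as the proxy
 * user on every request.
 *
 * Side effects: the HTTP-method workaround property is added to
 * {@code config}, and the static {@link UserGroupInformation#setConfiguration}
 * is called, which affects the whole process.
 *
 * @param config       Jersey client configuration to register the workaround on
 * @param clientConfig Atlas client configuration; not read by this method
 * @param doAsUser     proxy user sent with each request; when empty, the real
 *                     user's short name is used
 * @param ugi          user whose credentials open the connections; when null,
 *                     the current user is used
 * @return a handler backed by an authenticating connection factory. If the
 *         current user cannot be determined, the failure is only logged and
 *         the returned handler has no connection factory, so its first use
 *         will fail rather than this call.
 */
public static URLConnectionClientHandler getClientConnectionHandler(DefaultClientConfig config, org.apache.commons.configuration.Configuration clientConfig, String doAsUser, final UserGroupInformation ugi) {
    config.getProperties().put(URLConnectionClientHandler.PROPERTY_HTTP_URL_CONNECTION_SET_METHOD_WORKAROUND, true);
    Configuration conf = new Configuration();
    // Adds the client SSL resource (named by SSLFactory.SSL_CLIENT_CONF_KEY,
    // defaulting to SecurityProperties.SSL_CLIENT_PROPERTIES); presumably
    // consumed by newConnConfigurator(conf) for TLS setup — confirm there.
    conf.addResource(conf.get(SSLFactory.SSL_CLIENT_CONF_KEY, SecurityProperties.SSL_CLIENT_PROPERTIES));
    UserGroupInformation.setConfiguration(conf);
    final ConnectionConfigurator connConfigurator = newConnConfigurator(conf);
    // Declared as the delegation-token subtype directly, so no downcast is
    // needed when it is handed to DelegationTokenAuthenticatedURL below.
    final DelegationTokenAuthenticator authenticator = new KerberosDelegationTokenAuthenticator();
    authenticator.setConnectionConfigurator(connConfigurator);
    // One token instance is shared by every connection the factory opens.
    final DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token();
    HttpURLConnectionFactory httpURLConnectionFactory = null;
    try {
        UserGroupInformation ugiToUse = ugi != null ? ugi : UserGroupInformation.getCurrentUser();
        // For a proxy-user UGI the login credentials belong to the real user.
        final UserGroupInformation actualUgi = (ugiToUse.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.PROXY) ? ugiToUse.getRealUser() : ugiToUse;
        LOG.info("Real User: {}, is from ticket cache? {}", actualUgi, actualUgi.isLoginTicketBased());
        // Resolve the effective proxy user once instead of reassigning the parameter.
        final String finalDoAsUser = StringUtils.isEmpty(doAsUser) ? actualUgi.getShortUserName() : doAsUser;
        LOG.info("doAsUser: {}", finalDoAsUser);
        httpURLConnectionFactory = new HttpURLConnectionFactory() {

            @Override
            public HttpURLConnection getHttpURLConnection(final URL url) throws IOException {
                try {
                    return actualUgi.doAs(new PrivilegedExceptionAction<HttpURLConnection>() {

                        @Override
                        public HttpURLConnection run() throws Exception {
                            try {
                                return new DelegationTokenAuthenticatedURL(authenticator, connConfigurator).openConnection(url, token, finalDoAsUser);
                            } catch (Exception e) {
                                throw new IOException(e);
                            }
                        }
                    });
                } catch (IOException e) {
                    throw e;
                } catch (InterruptedException e) {
                    // Keep the interrupt visible to the calling thread before
                    // surfacing it as an I/O failure.
                    Thread.currentThread().interrupt();
                    throw new IOException(e);
                } catch (Exception e) {
                    throw new IOException(e);
                }
            }
        };
    } catch (IOException e) {
        // NOTE(review): httpURLConnectionFactory is still null here, so the
        // handler returned below cannot open connections; the failure is
        // deferred to the first request instead of being reported now.
        LOG.warn("Error obtaining user", e);
    }
    return new URLConnectionClientHandler(httpURLConnectionFactory);
}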

Example 8 with DelegationTokenAuthenticatedURL

use of org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL in project hadoop by apache.

From class TimelineClientImpl, method renewDelegationToken.

/**
 * Renews {@code timelineDT} against the timeline server.
 *
 * The token being renewed is copied into the shared {@code token} field on
 * every attempt: the remnant of the original comment states that
 * DelegationTokenAuthenticatedURL resets that token to null when an exception
 * happens, so a retry cannot rely on the previous value. The request goes to
 * the service address carried by the token; when the token has none, the
 * configured timeline service address is used instead. The action runs via
 * {@code connector.operateDelegationToken}.
 * NOTE(review): because a shared field is mutated, concurrent renew/cancel
 * calls with different tokens on one client would race — confirm the intended
 * threading model.
 *
 * @param timelineDT delegation token to renew
 * @return the new expiration time reported by the server
 * @throws IOException on communication failure
 * @throws YarnException on server-side failure
 */
@SuppressWarnings("unchecked") // raw Token cast when storing timelineDT in the shared token field
@Override
public long renewDelegationToken(final Token<TimelineDelegationTokenIdentifier> timelineDT) throws IOException, YarnException {
    final boolean serviceAddrMissing = timelineDT.getService().toString().isEmpty();
    final String uriScheme;
    final InetSocketAddress serviceAddr;
    if (serviceAddrMissing) {
        uriScheme = null;
        serviceAddr = null;
    } else {
        uriScheme = YarnConfiguration.useHttps(this.getConfig()) ? "https" : "http";
        serviceAddr = SecurityUtil.getTokenServiceAddr(timelineDT);
    }
    PrivilegedExceptionAction<Long> renewAction = new PrivilegedExceptionAction<Long>() {

        @Override
        public Long run() throws Exception {
            // Re-point the shared token at the one being renewed, on every attempt.
            if (!timelineDT.equals(token.getDelegationToken())) {
                token.setDelegationToken((Token) timelineDT);
            }
            DelegationTokenAuthenticatedURL authenticatedUrl = connector.getDelegationTokenAuthenticatedURL();
            final URI target;
            if (serviceAddrMissing) {
                // No address in the token: fall back to the configured service address.
                target = TimelineConnector.constructResURI(getConfig(), getTimelineServiceAddress(), RESOURCE_URI_STR_V1);
            } else {
                target = new URI(uriScheme, null, serviceAddr.getHostName(), serviceAddr.getPort(), RESOURCE_URI_STR_V1, null, null);
            }
            return authenticatedUrl.renewDelegationToken(target.toURL(), token, doAsUser);
        }
    };
    return (Long) connector.operateDelegationToken(renewAction);
}

Example 9 with DelegationTokenAuthenticatedURL

use of org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL in project hadoop by apache.

From class TimelineClientImpl, method cancelDelegationToken.

/**
 * Cancels {@code timelineDT} at the timeline server.
 *
 * Mirrors {@code renewDelegationToken}: the token being cancelled is copied
 * into the shared {@code token} field on every attempt, because (per the
 * remnant of the original comment) DelegationTokenAuthenticatedURL resets
 * that token to null when an exception happens. The request goes to the
 * service address carried by the token, or to the configured timeline service
 * address when the token has none. The action runs via
 * {@code connector.operateDelegationToken}.
 * NOTE(review): the shared-field mutation means concurrent renew/cancel calls
 * with different tokens on one client would race — confirm the intended
 * threading model.
 *
 * @param timelineDT delegation token to cancel
 * @throws IOException on communication failure
 * @throws YarnException on server-side failure
 */
@SuppressWarnings("unchecked") // raw Token cast when storing timelineDT in the shared token field
@Override
public void cancelDelegationToken(final Token<TimelineDelegationTokenIdentifier> timelineDT) throws IOException, YarnException {
    final boolean serviceAddrMissing = timelineDT.getService().toString().isEmpty();
    final String uriScheme;
    final InetSocketAddress serviceAddr;
    if (serviceAddrMissing) {
        uriScheme = null;
        serviceAddr = null;
    } else {
        uriScheme = YarnConfiguration.useHttps(this.getConfig()) ? "https" : "http";
        serviceAddr = SecurityUtil.getTokenServiceAddr(timelineDT);
    }
    PrivilegedExceptionAction<Void> cancelAction = new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            // Re-point the shared token at the one being cancelled, on every attempt.
            if (!timelineDT.equals(token.getDelegationToken())) {
                token.setDelegationToken((Token) timelineDT);
            }
            DelegationTokenAuthenticatedURL authenticatedUrl = connector.getDelegationTokenAuthenticatedURL();
            final URI target;
            if (serviceAddrMissing) {
                // No address in the token: fall back to the configured service address.
                target = TimelineConnector.constructResURI(getConfig(), getTimelineServiceAddress(), RESOURCE_URI_STR_V1);
            } else {
                target = new URI(uriScheme, null, serviceAddr.getHostName(), serviceAddr.getPort(), RESOURCE_URI_STR_V1, null, null);
            }
            authenticatedUrl.cancelDelegationToken(target.toURL(), token, doAsUser);
            return null;
        }
    };
    connector.operateDelegationToken(cancelAction);
}
