
Example 1 with DelegationTokenManager

use of org.apache.hadoop.security.token.delegation.web.DelegationTokenManager in project hadoop by apache.

the class TestZKDelegationTokenSecretManager method testMultiNodeOperations.

/**
 * Exercises token operations across two {@link DelegationTokenManager} instances built from the
 * same configuration, repeated {@code TEST_RETRIES} times.
 *
 * <p>Each pass issues a token on one manager, verifies and renews it on the other, then cancels
 * it on the issuer and requires the other manager to reject it; the roles are then swapped.
 * The rejection checks are the security-relevant part: a cancelled token must stop being
 * accepted by every manager, not only by the one that handled the cancellation.
 *
 * @throws Exception if any manager operation fails unexpectedly
 */
@SuppressWarnings("unchecked")
@Test
public void testMultiNodeOperations() throws Exception {
    for (int attempt = 0; attempt < TEST_RETRIES; attempt++) {
        Configuration conf = getSecretConf(zkServer.getConnectString());
        DelegationTokenManager first = new DelegationTokenManager(conf, new Text("bla"));
        first.init();
        DelegationTokenManager second = new DelegationTokenManager(conf, new Text("bla"));
        second.init();

        // Token issued by the first manager: usable on both, cancelled on the issuer.
        Token<DelegationTokenIdentifier> fromFirst = (Token<DelegationTokenIdentifier>) first.createToken(UserGroupInformation.getCurrentUser(), "foo");
        Assert.assertNotNull(fromFirst);
        second.verifyToken(fromFirst);
        second.renewToken(fromFirst, "foo");
        first.verifyToken(fromFirst);
        first.cancelToken(fromFirst, "foo");
        try {
            verifyTokenFail(second, fromFirst);
            fail("Expected InvalidToken");
        } catch (SecretManager.InvalidToken expected) {
            // Rejection by the non-cancelling manager is the outcome under test.
        }

        // Same sequence with the roles of the two managers swapped.
        Token<DelegationTokenIdentifier> fromSecond = (Token<DelegationTokenIdentifier>) second.createToken(UserGroupInformation.getCurrentUser(), "bar");
        Assert.assertNotNull(fromSecond);
        first.verifyToken(fromSecond);
        first.renewToken(fromSecond, "bar");
        second.verifyToken(fromSecond);
        second.cancelToken(fromSecond, "bar");
        try {
            verifyTokenFail(first, fromSecond);
            fail("Expected InvalidToken");
        } catch (SecretManager.InvalidToken expected) {
            // Rejection by the non-cancelling manager is the outcome under test.
        }

        verifyDestroy(first, conf);
        verifyDestroy(second, conf);
    }
}
Also used : Configuration(org.apache.hadoop.conf.Configuration) DelegationTokenIdentifier(org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier) Text(org.apache.hadoop.io.Text) Token(org.apache.hadoop.security.token.Token) SecretManager(org.apache.hadoop.security.token.SecretManager) DelegationTokenManager(org.apache.hadoop.security.token.delegation.web.DelegationTokenManager) Test(org.junit.Test)

Example 2 with DelegationTokenManager

use of org.apache.hadoop.security.token.delegation.web.DelegationTokenManager in project hadoop by apache.

the class TestZKDelegationTokenSecretManager method testStopThreads.

/**
 * Checks that {@code destroy()} completes while a long-running task is still queued on the
 * secret manager's listener thread pool.
 *
 * <p>The update, removal-scan and renew intervals are all set to one unit, and the ZooKeeper
 * shutdown timeout to five times that (in milliseconds). A task that sleeps for twice the
 * shutdown timeout is then submitted, so an orderly shutdown cannot finish in time.
 *
 * @throws Exception if setup or {@code destroy()} fails
 */
@SuppressWarnings({ "unchecked", "rawtypes" })
@Test
public void testStopThreads() throws Exception {
    // Short update interval, comparatively long shutdown timeout: an update thread that
    // still runs after shutdown would surface as an error.
    final long intervalSecs = 1;
    final long shutdownWaitMs = intervalSecs * 1000 * 5;

    Configuration conf = getSecretConf(zkServer.getConnectString());
    conf.setLong(DelegationTokenManager.UPDATE_INTERVAL, intervalSecs);
    conf.setLong(DelegationTokenManager.REMOVAL_SCAN_INTERVAL, intervalSecs);
    conf.setLong(DelegationTokenManager.RENEW_INTERVAL, intervalSecs);
    conf.setLong(ZKDelegationTokenSecretManager.ZK_DTSM_ZK_SHUTDOWN_TIMEOUT, shutdownWaitMs);

    DelegationTokenManager manager = new DelegationTokenManager(conf, new Text("foo"));
    manager.init();
    Token<DelegationTokenIdentifier> issued = (Token<DelegationTokenIdentifier>) manager.createToken(UserGroupInformation.getCurrentUser(), "foo");
    Assert.assertNotNull(issued);

    ZKDelegationTokenSecretManager zkSecretManager = (ZKDelegationTokenSecretManager) manager.getDelegationTokenSecretManager();
    ExecutorService listenerPool = zkSecretManager.getListenerThreadPool();
    listenerPool.submit(new Callable<Void>() {

        @Override
        public Void call() throws Exception {
            // Outlasts the shutdown timeout so the pool has to be stopped with shutdownNow.
            Thread.sleep(shutdownWaitMs * 2);
            return null;
        }
    });

    manager.destroy();
}
Also used : Configuration(org.apache.hadoop.conf.Configuration) DelegationTokenIdentifier(org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier) Text(org.apache.hadoop.io.Text) Token(org.apache.hadoop.security.token.Token) IOException(java.io.IOException) ExecutorService(java.util.concurrent.ExecutorService) DelegationTokenManager(org.apache.hadoop.security.token.delegation.web.DelegationTokenManager) Test(org.junit.Test)

Example 3 with DelegationTokenManager

use of org.apache.hadoop.security.token.delegation.web.DelegationTokenManager in project hadoop by apache.

the class TestZKDelegationTokenSecretManager method testNodesLoadedAfterRestart.

/**
 * Checks which tokens a freshly started manager sees after a simulated restart.
 *
 * <p>Two tokens are issued and one is cancelled. Once the cancelled token's info is no longer
 * returned, the manager is destroyed and a new one is created from the same configuration.
 * The new manager must not return info for the cancelled token, must hold the still-valid
 * token in memory, and must eventually drop that token as well after the wait below.
 *
 * <p>Security relevance: a restart must not bring a cancelled token back, and an expired
 * token must not linger in the store.
 *
 * @throws Exception if a manager operation fails or a wait times out
 */
@SuppressWarnings({ "unchecked" })
@Test
public void testNodesLoadedAfterRestart() throws Exception {
    final String connectString = zkServer.getConnectString();
    final Configuration conf = getSecretConf(connectString);
    final int removeScan = 1;
    // Set the remove scan interval to remove expired tokens
    conf.setLong(DelegationTokenManager.REMOVAL_SCAN_INTERVAL, removeScan);
    // Set the update interval to trigger background thread to run. The thread
    // is hard-coded to sleep at least 5 seconds.
    conf.setLong(DelegationTokenManager.UPDATE_INTERVAL, 5);
    // Set token expire time to 5 seconds.
    conf.setLong(DelegationTokenManager.RENEW_INTERVAL, 5);
    DelegationTokenManager tm = new DelegationTokenManager(conf, new Text("bla"));
    tm.init();
    // "token" stays valid across the restart; "cancelled" is revoked before it.
    Token<DelegationTokenIdentifier> token = (Token<DelegationTokenIdentifier>) tm.createToken(UserGroupInformation.getCurrentUser(), "good");
    Assert.assertNotNull(token);
    Token<DelegationTokenIdentifier> cancelled = (Token<DelegationTokenIdentifier>) tm.createToken(UserGroupInformation.getCurrentUser(), "cancelled");
    Assert.assertNotNull(cancelled);
    // Both tokens must verify before anything is cancelled.
    tm.verifyToken(token);
    tm.verifyToken(cancelled);
    // Cancel one token, verify it's gone
    tm.cancelToken(cancelled, "cancelled");
    final AbstractDelegationTokenSecretManager sm = tm.getDelegationTokenSecretManager();
    final ZKDelegationTokenSecretManager zksm = (ZKDelegationTokenSecretManager) sm;
    // Decode the identifier once so the polling callback below can reuse it.
    final AbstractDelegationTokenIdentifier idCancelled = sm.decodeTokenIdentifier(cancelled);
    LOG.info("Waiting for the cancelled token to be removed");
    // Poll (arguments 100 and 5000, presumably interval and timeout in ms) until the
    // secret manager no longer returns info for the cancelled token.
    GenericTestUtils.waitFor(new Supplier<Boolean>() {

        @Override
        public Boolean get() {
            AbstractDelegationTokenSecretManager.DelegationTokenInformation dtinfo = zksm.getTokenInfo(idCancelled);
            return dtinfo == null;
        }
    }, 100, 5000);
    // Fake a restart which launches a new tm
    tm.destroy();
    tm = new DelegationTokenManager(conf, new Text("bla"));
    tm.init();
    final AbstractDelegationTokenSecretManager smNew = tm.getDelegationTokenSecretManager();
    final ZKDelegationTokenSecretManager zksmNew = (ZKDelegationTokenSecretManager) smNew;
    // The cancelled token should be gone, and not loaded: a restart must not
    // bring a revoked token back.
    AbstractDelegationTokenIdentifier id = smNew.decodeTokenIdentifier(cancelled);
    AbstractDelegationTokenSecretManager.DelegationTokenInformation dtinfo = zksmNew.getTokenInfo(id);
    Assert.assertNull("canceled dt should be gone!", dtinfo);
    // The good token should be loaded on startup, and removed after expiry.
    id = smNew.decodeTokenIdentifier(token);
    dtinfo = zksmNew.getTokenInfoFromMemory(id);
    Assert.assertNotNull("good dt should be in memory!", dtinfo);
    // Wait for the good token to expire (5000 ms, matching the 5-second expiry set above).
    Thread.sleep(5000);
    // Final copies so the anonymous Supplier below can capture them.
    final ZKDelegationTokenSecretManager zksm1 = zksmNew;
    final AbstractDelegationTokenIdentifier id1 = id;
    // Poll until the expired token's info is no longer returned.
    GenericTestUtils.waitFor(new Supplier<Boolean>() {

        @Override
        public Boolean get() {
            LOG.info("Waiting for the expired token to be removed...");
            return zksm1.getTokenInfo(id1) == null;
        }
    }, 1000, 5000);
}
Also used : Configuration(org.apache.hadoop.conf.Configuration) DelegationTokenIdentifier(org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier) Text(org.apache.hadoop.io.Text) Token(org.apache.hadoop.security.token.Token) DelegationTokenManager(org.apache.hadoop.security.token.delegation.web.DelegationTokenManager) Test(org.junit.Test)

Example 4 with DelegationTokenManager

use of org.apache.hadoop.security.token.delegation.web.DelegationTokenManager in project hadoop by apache.

the class TestZKDelegationTokenSecretManager method testNodeUpAferAWhile.

/**
 * Checks that managers started later agree with the first manager on token state, repeated
 * {@code TEST_RETRIES} times.
 *
 * <p>Three tokens are issued on the first manager and one of them is cancelled. A second
 * manager started a second later must accept the two live tokens and reject the cancelled
 * one. A token issued by the second manager must verify on both. After the second manager is
 * destroyed, a third one must accept all three live tokens and still reject the cancelled
 * one.
 *
 * <p>Security relevance: a manager that joins after a cancellation must not accept the
 * cancelled token.
 *
 * @throws Exception if any manager operation fails unexpectedly
 */
@SuppressWarnings("unchecked")
@Test
public void testNodeUpAferAWhile() throws Exception {
    for (int attempt = 0; attempt < TEST_RETRIES; attempt++) {
        Configuration conf = getSecretConf(zkServer.getConnectString());
        DelegationTokenManager nodeOne = new DelegationTokenManager(conf, new Text("bla"));
        nodeOne.init();

        Token<DelegationTokenIdentifier> fooToken = (Token<DelegationTokenIdentifier>) nodeOne.createToken(UserGroupInformation.getCurrentUser(), "foo");
        Assert.assertNotNull(fooToken);
        Token<DelegationTokenIdentifier> barToken = (Token<DelegationTokenIdentifier>) nodeOne.createToken(UserGroupInformation.getCurrentUser(), "bar");
        Assert.assertNotNull(barToken);
        Token<DelegationTokenIdentifier> booToken = (Token<DelegationTokenIdentifier>) nodeOne.createToken(UserGroupInformation.getCurrentUser(), "boo");
        Assert.assertNotNull(booToken);
        nodeOne.verifyToken(fooToken);
        nodeOne.verifyToken(barToken);
        nodeOne.verifyToken(booToken);

        // Revoke one of the three before any other manager exists.
        nodeOne.cancelToken(fooToken, "foo");

        // Bring up the second manager only after a pause.
        Thread.sleep(1000);
        DelegationTokenManager nodeTwo = new DelegationTokenManager(conf, new Text("bla"));
        nodeTwo.init();
        nodeTwo.verifyToken(barToken);
        nodeTwo.verifyToken(booToken);
        try {
            verifyTokenFail(nodeTwo, fooToken);
            fail("Expected InvalidToken");
        } catch (SecretManager.InvalidToken expected) {
            // The late-starting manager rejecting the cancelled token is the outcome under test.
        }

        // A token issued through the second manager must verify on both managers.
        Token<DelegationTokenIdentifier> xyzToken = (Token<DelegationTokenIdentifier>) nodeTwo.createToken(UserGroupInformation.getCurrentUser(), "xyz");
        Assert.assertNotNull(xyzToken);
        nodeTwo.verifyToken(xyzToken);
        nodeOne.verifyToken(xyzToken);

        // Take the second manager down again.
        verifyDestroy(nodeTwo, conf);

        // Bring up a third manager after another pause.
        Thread.sleep(1000);
        DelegationTokenManager nodeThree = new DelegationTokenManager(conf, new Text("bla"));
        nodeThree.init();
        nodeThree.verifyToken(barToken);
        nodeThree.verifyToken(booToken);
        nodeThree.verifyToken(xyzToken);
        try {
            verifyTokenFail(nodeThree, fooToken);
            fail("Expected InvalidToken");
        } catch (SecretManager.InvalidToken expected) {
            // The cancelled token must stay rejected on the third manager as well.
        }

        verifyDestroy(nodeThree, conf);
        verifyDestroy(nodeOne, conf);
    }
}
Also used : Configuration(org.apache.hadoop.conf.Configuration) DelegationTokenIdentifier(org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier) Text(org.apache.hadoop.io.Text) Token(org.apache.hadoop.security.token.Token) SecretManager(org.apache.hadoop.security.token.SecretManager) DelegationTokenManager(org.apache.hadoop.security.token.delegation.web.DelegationTokenManager) Test(org.junit.Test)

Example 5 with DelegationTokenManager

use of org.apache.hadoop.security.token.delegation.web.DelegationTokenManager in project hadoop by apache.

the class TestZKDelegationTokenSecretManager method testACLs.

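/**
 * Checks the ACL on the secret manager's working path when an externally supplied Curator
 * client is configured with a digest ACL provider.
 *
 * <p>The Curator client is installed through the static
 * {@code ZKDelegationTokenSecretManager.setCurator}. Cleanup runs in {@code finally} blocks so
 * that a failed assertion cannot leave that static reference, or the open client, behind for
 * later tests; those tests would otherwise run with this test's credentials and ACL provider.
 *
 * @throws Exception if setup, the ACL check, or teardown fails
 */
@Test
public void testACLs() throws Exception {
    String connectString = zkServer.getConnectString();
    Configuration conf = getSecretConf(connectString);
    RetryPolicy retryPolicy = new ExponentialBackoffRetry(1000, 3);
    // Test-only digest credential in "user:password" form. Real deployments should load
    // the credential from protected configuration rather than from source.
    String userPass = "myuser:mypass";
    // Grants every ZooKeeper permission to the digest identity derived from userPass.
    final ACL digestACL = new ACL(ZooDefs.Perms.ALL, new Id("digest", DigestAuthenticationProvider.generateDigest(userPass)));
    ACLProvider digestAclProvider = new ACLProvider() {

        @Override
        public List<ACL> getAclForPath(String path) {
            // Same ACL for every path.
            return getDefaultAcl();
        }

        @Override
        public List<ACL> getDefaultAcl() {
            List<ACL> ret = new ArrayList<ACL>();
            ret.add(digestACL);
            return ret;
        }
    };
    CuratorFramework curatorFramework = CuratorFrameworkFactory.builder().connectString(connectString).retryPolicy(retryPolicy).aclProvider(digestAclProvider).authorization("digest", userPass.getBytes("UTF-8")).build();
    try {
        curatorFramework.start();
        ZKDelegationTokenSecretManager.setCurator(curatorFramework);
        DelegationTokenManager tm1 = new DelegationTokenManager(conf, new Text("bla"));
        tm1.init();
        try {
            // check ACL
            String workingPath = conf.get(ZKDelegationTokenSecretManager.ZK_DTSM_ZNODE_WORKING_PATH);
            verifyACL(curatorFramework, "/" + workingPath, digestACL);
        } finally {
            tm1.destroy();
        }
    } finally {
        // Always clear the static client before closing it, even when the check above fails.
        ZKDelegationTokenSecretManager.setCurator(null);
        curatorFramework.close();
    }
}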
Also used : ACLProvider(org.apache.curator.framework.api.ACLProvider) CuratorFramework(org.apache.curator.framework.CuratorFramework) Configuration(org.apache.hadoop.conf.Configuration) ExponentialBackoffRetry(org.apache.curator.retry.ExponentialBackoffRetry) ArrayList(java.util.ArrayList) ACL(org.apache.zookeeper.data.ACL) Text(org.apache.hadoop.io.Text) Id(org.apache.zookeeper.data.Id) RetryPolicy(org.apache.curator.RetryPolicy) DelegationTokenManager(org.apache.hadoop.security.token.delegation.web.DelegationTokenManager) Test(org.junit.Test)

Aggregations

Configuration (org.apache.hadoop.conf.Configuration)7 Text (org.apache.hadoop.io.Text)7 DelegationTokenManager (org.apache.hadoop.security.token.delegation.web.DelegationTokenManager)7 Test (org.junit.Test)7 Token (org.apache.hadoop.security.token.Token)6 DelegationTokenIdentifier (org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier)6 SecretManager (org.apache.hadoop.security.token.SecretManager)3 IOException (java.io.IOException)1 ArrayList (java.util.ArrayList)1 ExecutorService (java.util.concurrent.ExecutorService)1 RetryPolicy (org.apache.curator.RetryPolicy)1 CuratorFramework (org.apache.curator.framework.CuratorFramework)1 ACLProvider (org.apache.curator.framework.api.ACLProvider)1 ExponentialBackoffRetry (org.apache.curator.retry.ExponentialBackoffRetry)1 ACL (org.apache.zookeeper.data.ACL)1 Id (org.apache.zookeeper.data.Id)1