Example 6 with RMDelegationTokenIdentifier

Use of org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier in project hadoop by apache.

The class TestRMWebServicesDelegationTokenAuthentication, method testDoAs.

// Superuser "client" should be able to get a delegation token
// for user "client2" when authenticated using Kerberos
// The request shouldn't work when authenticated using DelegationTokens
@Test
public void testDoAs() throws Exception {
    KerberosTestUtils.doAsClient(new Callable<Void>() {

        @Override
        public Void call() throws Exception {
            String token = "";
            String owner = "";
            String renewer = "renewer";
            String body = "{\"renewer\":\"" + renewer + "\"}";
            URL url = new URL("http://localhost:8088/ws/v1/cluster/delegation-token?doAs=client2");
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            setupConn(conn, "POST", MediaType.APPLICATION_JSON, body);
            InputStream response = conn.getInputStream();
            assertEquals(Status.OK.getStatusCode(), conn.getResponseCode());
            BufferedReader reader = null;
            try {
                reader = new BufferedReader(new InputStreamReader(response, "UTF8"));
                for (String line; (line = reader.readLine()) != null; ) {
                    JSONObject obj = new JSONObject(line);
                    if (obj.has("token")) {
                        token = obj.getString("token");
                    }
                    if (obj.has("owner")) {
                        owner = obj.getString("owner");
                    }
                }
            } finally {
                IOUtils.closeQuietly(reader);
                IOUtils.closeQuietly(response);
            }
            Assert.assertEquals("client2", owner);
            Token<RMDelegationTokenIdentifier> realToken = new Token<RMDelegationTokenIdentifier>();
            realToken.decodeFromUrlString(token);
            Assert.assertEquals("client2", realToken.decodeIdentifier().getOwner().toString());
            return null;
        }
    });
    // this should not work: a caller that authenticated with a delegation token
    // (rather than Kerberos) must not be allowed to impersonate via doAs
    final String token = getDelegationToken("client");
    String renewer = "renewer";
    String body = "{\"renewer\":\"" + renewer + "\"}";
    URL url = new URL("http://localhost:8088/ws/v1/cluster/delegation-token?doAs=client2");
    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
    conn.setRequestProperty(delegationTokenHeader, token);
    setupConn(conn, "POST", MediaType.APPLICATION_JSON, body);
    try {
        conn.getInputStream();
        fail("Client should not be allowed to impersonate using delegation tokens");
    } catch (IOException ie) {
        assertEquals(Status.FORBIDDEN.getStatusCode(), conn.getResponseCode());
    }
    // this should also fail due to client2 not being a super user
    KerberosTestUtils.doAs("client2@EXAMPLE.COM", new Callable<Void>() {

        @Override
        public Void call() throws Exception {
            String renewer = "renewer";
            String body = "{\"renewer\":\"" + renewer + "\"}";
            URL url = new URL("http://localhost:8088/ws/v1/cluster/delegation-token?doAs=client");
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            setupConn(conn, "POST", MediaType.APPLICATION_JSON, body);
            try {
                conn.getInputStream();
                fail("Non superuser client should not be allowed to carry out doAs");
            } catch (IOException ie) {
                assertEquals(Status.FORBIDDEN.getStatusCode(), conn.getResponseCode());
            }
            return null;
        }
    });
}

Example 7 with RMDelegationTokenIdentifier

Use of org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier in project hadoop by apache.

The class TestRMWebServicesDelegationTokens, method assertValidRMToken.

private void assertValidRMToken(String encodedToken) throws IOException {
    // Decode the URL-safe token string returned by the REST API
    Token<RMDelegationTokenIdentifier> realToken = new Token<RMDelegationTokenIdentifier>();
    realToken.decodeFromUrlString(encodedToken);
    // Recover the identifier and verify the token password against the RM's secret manager
    RMDelegationTokenIdentifier ident = rm.getRMContext().getRMDelegationTokenSecretManager().decodeTokenIdentifier(realToken);
    rm.getRMContext().getRMDelegationTokenSecretManager().verifyToken(ident, realToken.getPassword());
    // A valid token must also still be tracked by the secret manager (neither cancelled nor expired)
    assertTrue(rm.getRMContext().getRMDelegationTokenSecretManager().getAllTokens().containsKey(ident));
}

Example 8 with RMDelegationTokenIdentifier

Use of org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier in project hadoop by apache.

The class TestRMWebServicesDelegationTokens, method verifyKerberosAuthCreate.

private void verifyKerberosAuthCreate(String mType, String cType, String reqBody, String renUser) throws Exception {
    final String mediaType = mType;
    final String contentType = cType;
    final String body = reqBody;
    final String renewer = renUser;
    KerberosTestUtils.doAsClient(new Callable<Void>() {

        @Override
        public Void call() throws Exception {
            ClientResponse response = resource().path("ws").path("v1").path("cluster").path("delegation-token").accept(contentType).entity(body, mediaType).post(ClientResponse.class);
            assertResponseStatusCode(Status.OK, response.getStatusInfo());
            DelegationToken tok = getDelegationTokenFromResponse(response);
            assertFalse(tok.getToken().isEmpty());
            Token<RMDelegationTokenIdentifier> token = new Token<RMDelegationTokenIdentifier>();
            token.decodeFromUrlString(tok.getToken());
            assertEquals(renewer, token.decodeIdentifier().getRenewer().toString());
            assertValidRMToken(tok.getToken());
            DelegationToken dtoken = new DelegationToken();
            response = resource().path("ws").path("v1").path("cluster").path("delegation-token").accept(contentType).entity(dtoken, mediaType).post(ClientResponse.class);
            assertResponseStatusCode(Status.OK, response.getStatusInfo());
            tok = getDelegationTokenFromResponse(response);
            assertFalse(tok.getToken().isEmpty());
            token = new Token<RMDelegationTokenIdentifier>();
            token.decodeFromUrlString(tok.getToken());
            assertEquals("", token.decodeIdentifier().getRenewer().toString());
            assertValidRMToken(tok.getToken());
            return null;
        }
    });
}

Example 9 with RMDelegationTokenIdentifier

Use of org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier in project hadoop by apache.

The class TestRMWebServicesDelegationTokens, method assertTokenCancelled.

private void assertTokenCancelled(String encodedToken) throws Exception {
    Token<RMDelegationTokenIdentifier> realToken = new Token<RMDelegationTokenIdentifier>();
    realToken.decodeFromUrlString(encodedToken);
    RMDelegationTokenIdentifier ident = rm.getRMContext().getRMDelegationTokenSecretManager().decodeTokenIdentifier(realToken);
    boolean exceptionCaught = false;
    try {
        // Verification of a cancelled token must be rejected with InvalidToken
        rm.getRMContext().getRMDelegationTokenSecretManager().verifyToken(ident, realToken.getPassword());
    } catch (InvalidToken it) {
        exceptionCaught = true;
    }
    assertTrue("InvalidToken exception not thrown", exceptionCaught);
    // and the secret manager must no longer track the cancelled identifier
    assertFalse(rm.getRMContext().getRMDelegationTokenSecretManager().getAllTokens().containsKey(ident));
}

Example 10 with RMDelegationTokenIdentifier

Use of org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier in project hadoop by apache.

The class ClientRMService, method renewDelegationToken.

@Override
public RenewDelegationTokenResponse renewDelegationToken(RenewDelegationTokenRequest request) throws YarnException {
    try {
        // Only a Kerberos-authenticated caller may renew; a caller that itself
        // authenticated with a delegation token is refused
        if (!isAllowedDelegationTokenOp()) {
            throw new IOException("Delegation Token can be renewed only with kerberos authentication");
        }
        // Rebuild a Hadoop Token from the protobuf record carried in the RPC request
        org.apache.hadoop.yarn.api.records.Token protoToken = request.getDelegationToken();
        Token<RMDelegationTokenIdentifier> token = new Token<RMDelegationTokenIdentifier>(protoToken.getIdentifier().array(), protoToken.getPassword().array(), new Text(protoToken.getKind()), new Text(protoToken.getService()));
        // The secret manager checks this user against the renewer recorded in the token identifier
        String user = getRenewerForToken(token);
        long nextExpTime = rmDTSecretManager.renewToken(token, user);
        RenewDelegationTokenResponse renewResponse = Records.newRecord(RenewDelegationTokenResponse.class);
        renewResponse.setNextExpirationTime(nextExpTime);
        return renewResponse;
    } catch (IOException e) {
        throw RPCUtil.getRemoteException(e);
    }
}