
Example 1 with DelegationToken

use of org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.DelegationToken in project hadoop by apache.

the class RMWebServices method renewDelegationToken.

/**
 * Renews the delegation token carried in {@code tokenData} and reports its next expiration time.
 *
 * <p>The renewal itself is issued inside {@code callerUGI.doAs(...)}, so the call to
 * {@code rm.getClientRMService().renewDelegationToken(...)} is made under the caller's identity.
 * Failures surfaced by that call are mapped as follows:
 * <ul>
 *   <li>{@code YarnException} caused by {@code InvalidToken}: rethrown as {@code BadRequestException}</li>
 *   <li>{@code YarnException} caused by {@code org.apache.hadoop.security.AccessControlException}:
 *       answered with HTTP 403 (FORBIDDEN)</li>
 *   <li>anything else: logged at INFO and rethrown unchanged</li>
 * </ul>
 *
 * <p>NOTE(review): in both mapped cases the underlying exception message is sent back to the
 * HTTP client. Confirm those messages never include token material or internal detail.
 *
 * @param tokenData request object whose {@code getToken()} value is decoded via {@code extractToken}
 * @param hsr the servlet request (not read by this method)
 * @param callerUGI identity under which the renewal request is executed
 * @return a 200 response whose entity holds only the next expiration time, or a 403 response
 * @throws Exception any failure that is not mapped to a 400/403 outcome above
 */
private Response renewDelegationToken(DelegationToken tokenData, HttpServletRequest hsr, UserGroupInformation callerUGI) throws AuthorizationException, IOException, InterruptedException, Exception {
    Token<RMDelegationTokenIdentifier> decoded = extractToken(tokenData.getToken());
    // Re-pack the decoded token (identifier, kind, password, service) into the YARN record type
    // that the renew request expects.
    org.apache.hadoop.yarn.api.records.Token renewable = BuilderUtils.newDelegationToken(
        decoded.getIdentifier(),
        decoded.getKind().toString(),
        decoded.getPassword(),
        decoded.getService().toString());
    final RenewDelegationTokenRequest renewRequest = RenewDelegationTokenRequest.newInstance(renewable);
    RenewDelegationTokenResponse renewResponse;
    try {
        renewResponse = callerUGI.doAs(new PrivilegedExceptionAction<RenewDelegationTokenResponse>() {

            @Override
            public RenewDelegationTokenResponse run() throws IOException, YarnException {
                return rm.getClientRMService().renewDelegationToken(renewRequest);
            }
        });
    } catch (UndeclaredThrowableException ue) {
        Throwable wrapped = ue.getCause();
        if (wrapped instanceof YarnException) {
            // Only the cause nested inside a YarnException decides the HTTP outcome.
            Throwable root = wrapped.getCause();
            if (root instanceof InvalidToken) {
                throw new BadRequestException(root.getMessage());
            }
            if (root instanceof org.apache.hadoop.security.AccessControlException) {
                return Response.status(Status.FORBIDDEN).entity(root.getMessage()).build();
            }
        }
        // Unmapped failure: record it and let it propagate unchanged.
        LOG.info("Renew delegation token request failed", ue);
        throw ue;
    } catch (Exception e) {
        LOG.info("Renew delegation token request failed", e);
        throw e;
    }
    long nextExpiration = renewResponse.getNextExpirationTime();
    // The response entity carries the new expiration time only; the token string is not echoed back.
    DelegationToken renewed = new DelegationToken();
    renewed.setNextExpirationTime(nextExpiration);
    return Response.status(Status.OK).entity(renewed).build();
}
Also used : RenewDelegationTokenRequest(org.apache.hadoop.yarn.api.protocolrecords.RenewDelegationTokenRequest) DelegationToken(org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.DelegationToken) AccessControlException(java.security.AccessControlException) RMDelegationTokenIdentifier(org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) RenewDelegationTokenResponse(org.apache.hadoop.yarn.api.protocolrecords.RenewDelegationTokenResponse) YarnException(org.apache.hadoop.yarn.exceptions.YarnException) ForbiddenException(org.apache.hadoop.yarn.webapp.ForbiddenException) NotFoundException(org.apache.hadoop.yarn.webapp.NotFoundException) IOException(java.io.IOException) YarnRuntimeException(org.apache.hadoop.yarn.exceptions.YarnRuntimeException) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) ParseException(java.text.ParseException) AccessControlException(java.security.AccessControlException) YarnException(org.apache.hadoop.yarn.exceptions.YarnException) UndeclaredThrowableException(java.lang.reflect.UndeclaredThrowableException) BadRequestException(org.apache.hadoop.yarn.webapp.BadRequestException) UndeclaredThrowableException(java.lang.reflect.UndeclaredThrowableException) InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken) BadRequestException(org.apache.hadoop.yarn.webapp.BadRequestException)

Example 2 with DelegationToken

use of org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.DelegationToken in project hadoop by apache.

the class RMWebServices method createDelegationToken.

/**
 * Requests a new RM delegation token for the caller and returns it in URL-safe encoded form.
 *
 * <p>The token request is issued inside {@code callerUGI.doAs(...)}. The renewer name is taken
 * from {@code tokenData.getRenewer()} as supplied in the request; this method does not validate it.
 *
 * <p>The response entity contains {@code encodeToUrlString()} of a token built from the
 * identifier and the password, so the response body itself is a credential.
 * NOTE(review): confirm this endpoint is reachable only over an authenticated, encrypted
 * channel and that responses are not written to access or debug logs.
 *
 * @param tokenData request object supplying the renewer name
 * @param hsr the servlet request (not read by this method)
 * @param callerUGI identity under which the token request is executed
 * @return a 200 response whose entity holds the encoded token, renewer, owner, kind,
 *     current renew date and max date
 * @throws Exception any failure from the token request, logged at INFO and rethrown unchanged
 */
private Response createDelegationToken(DelegationToken tokenData, HttpServletRequest hsr, UserGroupInformation callerUGI) throws AuthorizationException, IOException, InterruptedException, Exception {
    final String renewer = tokenData.getRenewer();
    GetDelegationTokenResponse tokenResponse;
    try {
        tokenResponse = callerUGI.doAs(new PrivilegedExceptionAction<GetDelegationTokenResponse>() {

            @Override
            public GetDelegationTokenResponse run() throws IOException, YarnException {
                GetDelegationTokenRequest request = GetDelegationTokenRequest.newInstance(renewer);
                return rm.getClientRMService().getDelegationToken(request);
            }
        });
    } catch (Exception e) {
        LOG.info("Create delegation token request failed", e);
        throw e;
    }
    // Convert the YARN record into a security Token so it can be decoded and URL-encoded.
    // NOTE(review): array() exposes the whole backing array of each buffer; this assumes the
    // buffers wrap exactly the identifier/password bytes - confirm.
    Token<RMDelegationTokenIdentifier> issued = new Token<RMDelegationTokenIdentifier>(
        tokenResponse.getRMDelegationToken().getIdentifier().array(),
        tokenResponse.getRMDelegationToken().getPassword().array(),
        new Text(tokenResponse.getRMDelegationToken().getKind()),
        new Text(tokenResponse.getRMDelegationToken().getService()));
    RMDelegationTokenIdentifier issuedId = issued.decodeIdentifier();
    long renewDate = rm.getRMContext().getRMDelegationTokenSecretManager().getRenewDate(issuedId);
    DelegationToken entity = new DelegationToken(
        issued.encodeToUrlString(),
        renewer,
        issuedId.getOwner().toString(),
        issued.getKind().toString(),
        renewDate,
        issuedId.getMaxDate());
    return Response.status(Status.OK).entity(entity).build();
}
Also used : GetDelegationTokenRequest(org.apache.hadoop.yarn.api.protocolrecords.GetDelegationTokenRequest) GetDelegationTokenResponse(org.apache.hadoop.yarn.api.protocolrecords.GetDelegationTokenResponse) DelegationToken(org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.DelegationToken) InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken) Token(org.apache.hadoop.security.token.Token) DelegationToken(org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.DelegationToken) Text(org.apache.hadoop.io.Text) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) RMDelegationTokenIdentifier(org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier) ForbiddenException(org.apache.hadoop.yarn.webapp.ForbiddenException) NotFoundException(org.apache.hadoop.yarn.webapp.NotFoundException) IOException(java.io.IOException) YarnRuntimeException(org.apache.hadoop.yarn.exceptions.YarnRuntimeException) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) ParseException(java.text.ParseException) AccessControlException(java.security.AccessControlException) YarnException(org.apache.hadoop.yarn.exceptions.YarnException) UndeclaredThrowableException(java.lang.reflect.UndeclaredThrowableException) BadRequestException(org.apache.hadoop.yarn.webapp.BadRequestException)

Example 3 with DelegationToken

use of org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.DelegationToken in project hadoop by apache.

the class RMWebServices method postDelegationTokenExpiration.

/**
 * REST entry point for renewing a delegation token: {@code POST /delegation-token/expiration}.
 *
 * <p>The caller identity comes from {@code createKerberosUserGroupInformation(hsr)}; a
 * {@code YarnException} from that step is answered with HTTP 403 and the exception message.
 * The token to renew is obtained from the request via {@code extractToken(hsr)}, re-encoded,
 * and handed to {@code renewDelegationToken} together with the caller identity.
 *
 * @param hsr the incoming servlet request, used for both caller identity and token extraction
 * @return the response produced by {@code renewDelegationToken}, or a 403 response when the
 *     caller identity cannot be established
 * @throws Exception any failure propagated from token extraction or renewal
 */
@POST
@Path("/delegation-token/expiration")
@Produces({ MediaType.APPLICATION_JSON + "; " + JettyUtils.UTF_8, MediaType.APPLICATION_XML + "; " + JettyUtils.UTF_8 })
@Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public Response postDelegationTokenExpiration(@Context HttpServletRequest hsr) throws AuthorizationException, IOException, InterruptedException, Exception {
    init();
    final UserGroupInformation callerUGI;
    try {
        callerUGI = createKerberosUserGroupInformation(hsr);
    } catch (YarnException identityFailure) {
        // No usable caller identity: refuse before any token handling takes place.
        return Response.status(Status.FORBIDDEN).entity(identityFailure.getMessage()).build();
    }
    DelegationToken renewRequest = new DelegationToken();
    String encodedToken = extractToken(hsr).encodeToUrlString();
    renewRequest.setToken(encodedToken);
    return renewDelegationToken(renewRequest, hsr, callerUGI);
}
Also used : DelegationToken(org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.DelegationToken) YarnException(org.apache.hadoop.yarn.exceptions.YarnException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Produces(javax.ws.rs.Produces) Consumes(javax.ws.rs.Consumes)

Example 4 with DelegationToken

use of org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.DelegationToken in project hadoop by apache.

the class TestRMWebServicesDelegationTokens method testRenewDelegationToken.

// Test to verify renew functionality - create a token and then try to renew
// it. The renewer should succeed; owner and third user should fail
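/**
 * Exercises token renewal through the REST API for every combination of request media type
 * and accepted content type.
 *
 * <p>With Kerberos auth, for each combination the test checks that:
 * <ul>
 *   <li>the owner can create a token naming {@code client2} as renewer, but gets 403 when
 *       trying to renew it</li>
 *   <li>the renewer gets 200 on two successive renewals and the expiration time increases</li>
 *   <li>an unrelated user ({@code client3}) gets 403</li>
 *   <li>a renew request without the token header gets 400</li>
 * </ul>
 * Without Kerberos auth the check is delegated to {@code verifySimpleAuthRenew}.
 *
 * <p>The {@code LoggingFilter} writes requests and responses to {@code System.out}, so the
 * delegation token strings exchanged here end up in the test output. That is acceptable for
 * tokens issued by a throwaway test RM; the same filter should not be attached to a client
 * that talks to a real cluster.
 */
@Test
public void testRenewDelegationToken() throws Exception {
    // Register the logging filter once; a second registration only duplicated every log line.
    client().addFilter(new LoggingFilter(System.out));
    rm.start();
    try {
        final String renewer = "client2";
        final DelegationToken dummyToken = new DelegationToken();
        dummyToken.setRenewer(renewer);
        String[] mediaTypes = { MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML };
        for (final String mediaType : mediaTypes) {
            for (final String contentType : mediaTypes) {
                if (!isKerberosAuth) {
                    verifySimpleAuthRenew(mediaType, contentType);
                    continue;
                }
                // "client" (the owner) creates a token with "client2" as renewer, then tries
                // to renew it itself: the owner is not the renewer, so 403 is expected
                final DelegationToken responseToken = KerberosTestUtils.doAsClient(new Callable<DelegationToken>() {

                    @Override
                    public DelegationToken call() throws Exception {
                        ClientResponse response = resource().path("ws").path("v1").path("cluster").path("delegation-token").accept(contentType).entity(dummyToken, mediaType).post(ClientResponse.class);
                        assertResponseStatusCode(Status.OK, response.getStatusInfo());
                        DelegationToken tok = getDelegationTokenFromResponse(response);
                        assertFalse(tok.getToken().isEmpty());
                        String body = generateRenewTokenBody(mediaType, tok.getToken());
                        response = resource().path("ws").path("v1").path("cluster").path("delegation-token").path("expiration").header(yarnTokenHeader, tok.getToken()).accept(contentType).entity(body, mediaType).post(ClientResponse.class);
                        assertResponseStatusCode(Status.FORBIDDEN, response.getStatusInfo());
                        return tok;
                    }
                });
                KerberosTestUtils.doAs(renewer, new Callable<DelegationToken>() {

                    @Override
                    public DelegationToken call() throws Exception {
                        // renew twice so that we can confirm that the
                        // expiration time actually changes
                        long oldExpirationTime = Time.now();
                        assertValidRMToken(responseToken.getToken());
                        String body = generateRenewTokenBody(mediaType, responseToken.getToken());
                        ClientResponse response = resource().path("ws").path("v1").path("cluster").path("delegation-token").path("expiration").header(yarnTokenHeader, responseToken.getToken()).accept(contentType).entity(body, mediaType).post(ClientResponse.class);
                        assertResponseStatusCode(Status.OK, response.getStatusInfo());
                        DelegationToken tok = getDelegationTokenFromResponse(response);
                        String message = "Expiration time not as expected: old = " + oldExpirationTime + "; new = " + tok.getNextExpirationTime();
                        assertTrue(message, tok.getNextExpirationTime() > oldExpirationTime);
                        oldExpirationTime = tok.getNextExpirationTime();
                        // artificial sleep to ensure we get a different expiration time
                        Thread.sleep(1000);
                        response = resource().path("ws").path("v1").path("cluster").path("delegation-token").path("expiration").header(yarnTokenHeader, responseToken.getToken()).accept(contentType).entity(body, mediaType).post(ClientResponse.class);
                        assertResponseStatusCode(Status.OK, response.getStatusInfo());
                        tok = getDelegationTokenFromResponse(response);
                        message = "Expiration time not as expected: old = " + oldExpirationTime + "; new = " + tok.getNextExpirationTime();
                        assertTrue(message, tok.getNextExpirationTime() > oldExpirationTime);
                        return tok;
                    }
                });
                // a user who is neither owner nor renewer must be refused
                KerberosTestUtils.doAs("client3", new Callable<DelegationToken>() {

                    @Override
                    public DelegationToken call() throws Exception {
                        String body = generateRenewTokenBody(mediaType, responseToken.getToken());
                        ClientResponse response = resource().path("ws").path("v1").path("cluster").path("delegation-token").path("expiration").header(yarnTokenHeader, responseToken.getToken()).accept(contentType).entity(body, mediaType).post(ClientResponse.class);
                        assertResponseStatusCode(Status.FORBIDDEN, response.getStatusInfo());
                        return null;
                    }
                });
                // bad request: the body names a token, but the token header is absent
                KerberosTestUtils.doAsClient(new Callable<Void>() {

                    @Override
                    public Void call() throws Exception {
                        String token = "TEST_TOKEN_STRING";
                        String body = "";
                        if (mediaType.equals(MediaType.APPLICATION_JSON)) {
                            body = "{\"token\": \"" + token + "\" }";
                        } else {
                            body = "<delegation-token><token>" + token + "</token></delegation-token>";
                        }
                        // missing token header
                        ClientResponse response = resource().path("ws").path("v1").path("cluster").path("delegation-token").path("expiration").accept(contentType).entity(body, mediaType).post(ClientResponse.class);
                        assertResponseStatusCode(Status.BAD_REQUEST, response.getStatusInfo());
                        return null;
                    }
                });
            }
        }
    } finally {
        // Stop the RM even when an assertion fails, so a failure here cannot leave a running
        // RM behind for later tests.
        rm.stop();
    }
}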
Also used : ClientResponse(com.sun.jersey.api.client.ClientResponse) DelegationToken(org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.DelegationToken) LoggingFilter(com.sun.jersey.api.client.filter.LoggingFilter) ServletException(javax.servlet.ServletException) SAXException(org.xml.sax.SAXException) IOException(java.io.IOException) ParserConfigurationException(javax.xml.parsers.ParserConfigurationException) JSONException(org.codehaus.jettison.json.JSONException) Test(org.junit.Test)

Example 5 with DelegationToken

use of org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.DelegationToken in project hadoop by apache.

the class TestRMWebServicesDelegationTokens method verifyKerberosAuthCreate.

/**
 * Verifies token creation under Kerberos auth for one media type / content type pair.
 *
 * <p>Two requests are posted as the client user: one with the supplied body, whose decoded
 * token must name {@code renUser} as renewer, and one with an empty {@code DelegationToken}
 * entity, whose decoded token must have an empty renewer. Both responses must be 200 and
 * both tokens must pass {@code assertValidRMToken}.
 *
 * @param mType media type of the request entity
 * @param cType content type the client accepts
 * @param reqBody request body for the first creation request
 * @param renUser renewer expected in the token created from {@code reqBody}
 * @throws Exception on any request or assertion failure
 */
private void verifyKerberosAuthCreate(String mType, String cType, String reqBody, String renUser) throws Exception {
    // Final copies so the anonymous Callable below can capture them.
    final String requestMediaType = mType;
    final String acceptedType = cType;
    final String requestBody = reqBody;
    final String expectedRenewer = renUser;
    KerberosTestUtils.doAsClient(new Callable<Void>() {

        @Override
        public Void call() throws Exception {
            // Case 1: explicit renewer in the request body.
            ClientResponse response = resource().path("ws").path("v1").path("cluster").path("delegation-token")
                .accept(acceptedType).entity(requestBody, requestMediaType).post(ClientResponse.class);
            assertResponseStatusCode(Status.OK, response.getStatusInfo());
            DelegationToken created = getDelegationTokenFromResponse(response);
            assertFalse(created.getToken().isEmpty());
            Token<RMDelegationTokenIdentifier> decoded = new Token<RMDelegationTokenIdentifier>();
            decoded.decodeFromUrlString(created.getToken());
            assertEquals(expectedRenewer, decoded.decodeIdentifier().getRenewer().toString());
            assertValidRMToken(created.getToken());

            // Case 2: empty request entity, so no renewer is named.
            DelegationToken emptyRequest = new DelegationToken();
            response = resource().path("ws").path("v1").path("cluster").path("delegation-token")
                .accept(acceptedType).entity(emptyRequest, requestMediaType).post(ClientResponse.class);
            assertResponseStatusCode(Status.OK, response.getStatusInfo());
            created = getDelegationTokenFromResponse(response);
            assertFalse(created.getToken().isEmpty());
            decoded = new Token<RMDelegationTokenIdentifier>();
            decoded.decodeFromUrlString(created.getToken());
            assertEquals("", decoded.decodeIdentifier().getRenewer().toString());
            assertValidRMToken(created.getToken());
            return null;
        }
    });
}
Also used : ClientResponse(com.sun.jersey.api.client.ClientResponse) DelegationToken(org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.DelegationToken) InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken) Token(org.apache.hadoop.security.token.Token) DelegationToken(org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.DelegationToken) RMDelegationTokenIdentifier(org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier) ServletException(javax.servlet.ServletException) SAXException(org.xml.sax.SAXException) IOException(java.io.IOException) ParserConfigurationException(javax.xml.parsers.ParserConfigurationException) JSONException(org.codehaus.jettison.json.JSONException)

Aggregations

DelegationToken (org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.DelegationToken)8 IOException (java.io.IOException)6 ClientResponse (com.sun.jersey.api.client.ClientResponse)4 ServletException (javax.servlet.ServletException)4 ParserConfigurationException (javax.xml.parsers.ParserConfigurationException)4 JSONException (org.codehaus.jettison.json.JSONException)4 SAXException (org.xml.sax.SAXException)4 InvalidToken (org.apache.hadoop.security.token.SecretManager.InvalidToken)3 YarnException (org.apache.hadoop.yarn.exceptions.YarnException)3 RMDelegationTokenIdentifier (org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier)3 LoggingFilter (com.sun.jersey.api.client.filter.LoggingFilter)2 UndeclaredThrowableException (java.lang.reflect.UndeclaredThrowableException)2 AccessControlException (java.security.AccessControlException)2 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)2 ParseException (java.text.ParseException)2 AuthorizationException (org.apache.hadoop.security.authorize.AuthorizationException)2 Token (org.apache.hadoop.security.token.Token)2 YarnRuntimeException (org.apache.hadoop.yarn.exceptions.YarnRuntimeException)2 BadRequestException (org.apache.hadoop.yarn.webapp.BadRequestException)2 ForbiddenException (org.apache.hadoop.yarn.webapp.ForbiddenException)2