Java Code Examples for org.apache.hadoop.security.token.Token#getService()
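The following examples show how to use org.apache.hadoop.security.token.Token#getService().
The method returns the service name (a Text) that a token is bound to; the examples below use it to select tokens, to key them in credential stores, and to log or serialize them.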
Example 1
Source File: AMRMTokenSelector.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Decides whether a candidate token was issued for the requested service.
 *
 * <p>The comparison is a substring test, not an equality test: the token matches when the
 * string form of its service field contains the string form of {@code service}.
 *
 * @param service the service name being looked up; {@code null} never matches
 * @param token the candidate token; a {@code null} service field never matches
 * @return {@code true} if the token's service string contains {@code service}
 */
private boolean checkService(Text service, Token<? extends TokenIdentifier> token) {
  if (service == null) {
    return false;
  }
  final Text tokenService = token.getService();
  if (tokenService == null) {
    return false;
  }
  // NOTE(review): containment is looser than equality. A requested name that is only a
  // fragment of a token's service string also matches (constructed sample: "host:80"
  // matches "host:8032"), and an empty requested name matches every token. Presumably
  // this is deliberate so that one service field can list several addresses -- confirm
  // with the callers before relying on this check as an exact service binding.
  return tokenService.toString().contains(service.toString());
}
Example 2
Source File: RMDelegationTokenSelector.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Decides whether a candidate delegation token was issued for the requested service.
 *
 * <p>The comparison is a substring test, not an equality test: the token matches when the
 * string form of its service field contains the string form of {@code service}.
 *
 * @param service the service name being looked up; {@code null} never matches
 * @param token the candidate token; a {@code null} service field never matches
 * @return {@code true} if the token's service string contains {@code service}
 */
private boolean checkService(Text service, Token<? extends TokenIdentifier> token) {
  if (service == null) {
    return false;
  }
  final Text tokenService = token.getService();
  if (tokenService == null) {
    return false;
  }
  // NOTE(review): containment is looser than equality. A requested name that is only a
  // fragment of a token's service string also matches (constructed sample: "host:80"
  // matches "host:8032"), and an empty requested name matches every token. Presumably
  // this is deliberate so that one service field can list several addresses -- confirm
  // with the callers before relying on this check as an exact service binding.
  return tokenService.toString().contains(service.toString());
}
Example 3
Source File: DelegationTokenIdentifier.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Renders a token as text: the decoded identifier, followed by {@code " on <service>"} when
 * the token's service field is non-empty.
 *
 * <p>Only the identifier and the service are read here; the token password is not part of
 * the returned string.
 *
 * @param token the token to describe
 * @return a string representation of the token
 * @throws IOException if decoding the identifier fails (propagated from {@code readFields})
 */
public static String stringifyToken(final Token<?> token) throws IOException {
  final DelegationTokenIdentifier ident = new DelegationTokenIdentifier();
  // Decode the serialized identifier bytes carried inside the token.
  final DataInputStream in =
      new DataInputStream(new ByteArrayInputStream(token.getIdentifier()));
  ident.readFields(in);

  final boolean hasService = token.getService().getLength() > 0;
  return hasService ? ident + " on " + token.getService() : ident.toString();
}
Example 4
Source File: HAUtil.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Locate a delegation token associated with the given HA cluster URI, and if
 * one is found, clone it to also represent the underlying namenode address.
 *
 * <p>One clone is registered on {@code ugi} per address in {@code nnAddrs}, each under an
 * alias built from the logical-URI service prefix and the clone's own service name. When no
 * token is found for the logical URI, nothing is added and only a debug line is logged.
 *
 * @param ugi the UGI to modify
 * @param haUri the logical URI for the cluster
 * @param nnAddrs collection of NNs in the cluster to which the token applies
 */
public static void cloneDelegationTokenForLogicalUri(
    UserGroupInformation ugi, URI haUri, Collection<InetSocketAddress> nnAddrs) {
  // This cloning logic is only used by HDFS.
  final Text logicalService =
      HAUtil.buildTokenServiceForLogicalUri(haUri, HdfsConstants.HDFS_URI_SCHEME);
  final Token<DelegationTokenIdentifier> logicalToken =
      tokenSelector.selectToken(logicalService, ugi.getTokens());
  if (logicalToken == null) {
    LOG.debug("No HA service delegation token found for logical URI " + haUri);
    return;
  }

  for (InetSocketAddress nnAddr : nnAddrs) {
    // Wrapping the copy in PrivateToken is a minor hack (per the original author) that keeps
    // the per-namenode tokens from being exposed through UGI.getCredentials(); otherwise the
    // clones could be propagated to jobs inadvertently.
    // NOTE(review): the clone is built from logicalToken, so it presumably carries the same
    // identifier and password and only differs in its service field -- confirm.
    final Token<DelegationTokenIdentifier> perNodeToken =
        new Token.PrivateToken<DelegationTokenIdentifier>(logicalToken);
    SecurityUtil.setTokenService(perNodeToken, nnAddr);

    final Text alias = new Text(
        buildTokenServicePrefixForLogicalUri(HdfsConstants.HDFS_URI_SCHEME)
            + "//" + perNodeToken.getService());
    ugi.addToken(alias, perNodeToken);
    LOG.debug("Mapped HA service delegation token for logical URI " + haUri
        + " to namenode " + nnAddr);
  }
}
Example 5
Source File: AMRMTokenSelector.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Decides whether a candidate token was issued for the requested service.
 *
 * <p>The comparison is a substring test, not an equality test: the token matches when the
 * string form of its service field contains the string form of {@code service}.
 *
 * @param service the service name being looked up; {@code null} never matches
 * @param token the candidate token; a {@code null} service field never matches
 * @return {@code true} if the token's service string contains {@code service}
 */
private boolean checkService(Text service, Token<? extends TokenIdentifier> token) {
  if (service == null) {
    return false;
  }
  final Text tokenService = token.getService();
  if (tokenService == null) {
    return false;
  }
  // NOTE(review): containment is looser than equality. A requested name that is only a
  // fragment of a token's service string also matches (constructed sample: "host:80"
  // matches "host:8032"), and an empty requested name matches every token. Presumably
  // this is deliberate so that one service field can list several addresses -- confirm
  // with the callers before relying on this check as an exact service binding.
  return tokenService.toString().contains(service.toString());
}
Example 6
Source File: RMDelegationTokenSelector.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Decides whether a candidate delegation token was issued for the requested service.
 *
 * <p>The comparison is a substring test, not an equality test: the token matches when the
 * string form of its service field contains the string form of {@code service}.
 *
 * @param service the service name being looked up; {@code null} never matches
 * @param token the candidate token; a {@code null} service field never matches
 * @return {@code true} if the token's service string contains {@code service}
 */
private boolean checkService(Text service, Token<? extends TokenIdentifier> token) {
  if (service == null) {
    return false;
  }
  final Text tokenService = token.getService();
  if (tokenService == null) {
    return false;
  }
  // NOTE(review): containment is looser than equality. A requested name that is only a
  // fragment of a token's service string also matches (constructed sample: "host:80"
  // matches "host:8032"), and an empty requested name matches every token. Presumably
  // this is deliberate so that one service field can list several addresses -- confirm
  // with the callers before relying on this check as an exact service binding.
  return tokenService.toString().contains(service.toString());
}
Example 7
Source File: DelegationTokenIdentifier.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Renders a token as text: the decoded identifier, followed by {@code " on <service>"} when
 * the token's service field is non-empty.
 *
 * <p>Only the identifier and the service are read here; the token password is not part of
 * the returned string.
 *
 * @param token the token to describe
 * @return a string representation of the token
 * @throws IOException if decoding the identifier fails (propagated from {@code readFields})
 */
public static String stringifyToken(final Token<?> token) throws IOException {
  final DelegationTokenIdentifier ident = new DelegationTokenIdentifier();
  // Decode the serialized identifier bytes carried inside the token.
  final DataInputStream in =
      new DataInputStream(new ByteArrayInputStream(token.getIdentifier()));
  ident.readFields(in);

  final boolean hasService = token.getService().getLength() > 0;
  return hasService ? ident + " on " + token.getService() : ident.toString();
}
Example 8
Source File: HAUtil.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Locate a delegation token associated with the given HA cluster URI, and if
 * one is found, clone it to also represent the underlying namenode address.
 *
 * <p>One clone is registered on {@code ugi} per address in {@code nnAddrs}, each under an
 * alias built from the logical-URI service prefix and the clone's own service name. When no
 * token is found for the logical URI, nothing is added and only a debug line is logged.
 *
 * @param ugi the UGI to modify
 * @param haUri the logical URI for the cluster
 * @param nnAddrs collection of NNs in the cluster to which the token applies
 */
public static void cloneDelegationTokenForLogicalUri(
    UserGroupInformation ugi, URI haUri, Collection<InetSocketAddress> nnAddrs) {
  // This cloning logic is only used by HDFS.
  final Text logicalService =
      HAUtil.buildTokenServiceForLogicalUri(haUri, HdfsConstants.HDFS_URI_SCHEME);
  final Token<DelegationTokenIdentifier> logicalToken =
      tokenSelector.selectToken(logicalService, ugi.getTokens());
  if (logicalToken == null) {
    LOG.debug("No HA service delegation token found for logical URI " + haUri);
    return;
  }

  for (InetSocketAddress nnAddr : nnAddrs) {
    // Wrapping the copy in PrivateToken is a minor hack (per the original author) that keeps
    // the per-namenode tokens from being exposed through UGI.getCredentials(); otherwise the
    // clones could be propagated to jobs inadvertently.
    // NOTE(review): the clone is built from logicalToken, so it presumably carries the same
    // identifier and password and only differs in its service field -- confirm.
    final Token<DelegationTokenIdentifier> perNodeToken =
        new Token.PrivateToken<DelegationTokenIdentifier>(logicalToken);
    SecurityUtil.setTokenService(perNodeToken, nnAddr);

    final Text alias = new Text(
        buildTokenServicePrefixForLogicalUri(HdfsConstants.HDFS_URI_SCHEME)
            + "//" + perNodeToken.getService());
    ugi.addToken(alias, perNodeToken);
    LOG.debug("Mapped HA service delegation token for logical URI " + haUri
        + " to namenode " + nnAddr);
  }
}
Example 9
Source File: ClientTokenUtil.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Converts a Token instance (with embedded identifier) to the protobuf representation.
 *
 * <p>The identifier and the password are always copied; the service is copied only when the
 * token has one. Because the message carries the token password, it is as sensitive as the
 * token itself and should be kept out of logs and diagnostics.
 *
 * @param token the Token instance to copy
 * @return the protobuf Token message
 */
@InterfaceAudience.Private
static AuthenticationProtos.Token toToken(Token<AuthenticationTokenIdentifier> token) {
  final AuthenticationProtos.Token.Builder message = AuthenticationProtos.Token.newBuilder();
  message.setIdentifier(ByteString.copyFrom(token.getIdentifier()));
  // The password is the secret half of the token; it travels in the message unmodified.
  message.setPassword(ByteString.copyFrom(token.getPassword()));

  // The service field is optional in the message: leave it unset for a token without one.
  final boolean hasService = token.getService() != null;
  if (hasService) {
    message.setService(ByteString.copyFromUtf8(token.getService().toString()));
  }
  return message.build();
}
Example 10
Source File: TokenUtil.java From elasticsearch-hadoop with Apache License 2.0 | 5 votes |
/**
 * Obtain an authentication token on behalf of the given user and add it to
 * the credentials for the given map reduce job. This version always obtains
 * a fresh authentication token instead of checking for existing ones on the
 * current user.
 *
 * <p>The token is stored under its own service name, which this method treats as the
 * cluster name. The debug line reports only the token kind, the user's principal name and
 * the cluster name; the token identifier and password are not logged.
 *
 * @param client The Elasticsearch client
 * @param user The user for whom to obtain the token
 * @param job The job instance in which the token should be stored
 * @throws EsHadoopException if no token is returned for the user
 */
public static void obtainTokenForJob(final RestClient client, User user, Job job) {
  final Token<EsTokenIdentifier> freshToken = obtainToken(client, user);
  if (freshToken == null) {
    throw new EsHadoopException(
        "No token returned for user " + user.getKerberosPrincipal().getName());
  }

  // The token's service field doubles as the credentials key for the cluster.
  final Text cluster = freshToken.getService();
  if (LOG.isDebugEnabled()) {
    final String message = "Obtained token " + EsTokenIdentifier.KIND_NAME.toString()
        + " for user " + user.getKerberosPrincipal().getName()
        + " on cluster " + cluster.toString();
    LOG.debug(message);
  }
  job.getCredentials().addToken(cluster, freshToken);
}
Example 11
Source File: TokenUtil.java From elasticsearch-hadoop with Apache License 2.0 | 5 votes |
/**
 * Obtain an authentication token on behalf of the given user and add it to
 * the credentials for the given map reduce job. This version always obtains
 * a fresh authentication token instead of checking for existing ones on the
 * current user.
 *
 * <p>The token is stored under its own service name, which this method treats as the
 * cluster name. The debug line reports only the token kind, the user's principal name and
 * the cluster name; the token identifier and password are not logged.
 *
 * @param client The Elasticsearch client
 * @param user The user for whom to obtain the token
 * @param jobConf The job configuration in which the token should be stored
 * @throws EsHadoopException if no token is returned for the user
 */
public static void obtainTokenForJob(final RestClient client, User user, JobConf jobConf) {
  final Token<EsTokenIdentifier> freshToken = obtainToken(client, user);
  if (freshToken == null) {
    throw new EsHadoopException(
        "No token returned for user " + user.getKerberosPrincipal().getName());
  }

  // The token's service field doubles as the credentials key for the cluster.
  final Text cluster = freshToken.getService();
  if (LOG.isDebugEnabled()) {
    final String message = "Obtained token " + EsTokenIdentifier.KIND_NAME.toString()
        + " for user " + user.getKerberosPrincipal().getName()
        + " on cluster " + cluster.toString();
    LOG.debug(message);
  }
  jobConf.getCredentials().addToken(cluster, freshToken);
}
Example 12
Source File: TestSecureOzoneCluster.java From hadoop-ozone with Apache License 2.0 | 4 votes |
/**
 * Tests delegation token renewal.
 *
 * <p>Starts a secure OM with a short maximum token lifetime, obtains a delegation token and
 * renews it once successfully, then checks three renewals that must be rejected: a token
 * past its maximum lifetime, a token requested with a different renewer, and a token whose
 * identifier was rewritten after issuance.
 */
@Test
public void testDelegationTokenRenewal() throws Exception {
  GenericTestUtils
      .setLogLevel(LoggerFactory.getLogger(Server.class.getName()), INFO);
  // Capture OM log output so the rejection reasons can be asserted below.
  LogCapturer omLogs = LogCapturer.captureLogs(OzoneManager.getLogger());

  // Setup secure OM for start.
  OzoneConfiguration newConf = new OzoneConfiguration(conf);
  // Also used as the Thread.sleep argument in case 1, i.e. milliseconds there;
  // presumably the configuration key is in milliseconds too -- confirm.
  int tokenMaxLifetime = 1000;
  newConf.setLong(DELEGATION_TOKEN_MAX_LIFETIME_KEY, tokenMaxLifetime);
  setupOm(newConf);
  // NOTE(review): omVersion is not referenced again within this method.
  long omVersion = RPC.getProtocolVersion(OzoneManagerProtocolPB.class);
  OzoneManager.setTestSecureOmFlag(true);
  // Start OM
  try {
    om.setCertClient(new CertificateClientTestImpl(conf));
    om.start();
    UserGroupInformation ugi = UserGroupInformation.getCurrentUser();

    // Get first OM client which will authenticate via Kerberos
    omClient = new OzoneManagerProtocolClientSideTranslatorPB(
        OmTransportFactory.create(conf, ugi, null),
        RandomStringUtils.randomAscii(5));

    // Since client is already connected get a delegation token
    Token<OzoneTokenIdentifier> token = omClient.getDelegationToken(
        new Text("om"));

    // Check that the token is of the right kind and that its service field
    // is the RPC address of the running OM instance.
    assertNotNull(token);
    assertEquals("OzoneToken", token.getKind().toString());
    assertEquals(OmUtils.getOmRpcAddress(conf),
        token.getService().toString());

    // Renew delegation token
    long expiryTime = omClient.renewDelegationToken(token);
    assertTrue(expiryTime > 0);
    omLogs.clearOutput();

    // Test failure of delegation renewal
    // 1. When the token's maximum lifetime has passed: wait it out, then
    //    expect renewal to fail with TOKEN_EXPIRED.
    Thread.sleep(tokenMaxLifetime);
    OMException ex = LambdaTestUtils.intercept(OMException.class,
        "TOKEN_EXPIRED",
        () -> omClient.renewDelegationToken(token));
    assertEquals(TOKEN_EXPIRED, ex.getResult());
    omLogs.clearOutput();

    // 2. When renewer doesn't match (implicitly covers when renewer is
    //    null or empty). The rejection reason is checked in the OM log.
    Token<OzoneTokenIdentifier> token2 = omClient.getDelegationToken(
        new Text("randomService"));
    assertNotNull(token2);
    LambdaTestUtils.intercept(OMException.class,
        "Delegation token renewal failed",
        () -> omClient.renewDelegationToken(token2));
    assertTrue(omLogs.getOutput().contains(" with non-matching "
        + "renewer randomService"));
    omLogs.clearOutput();

    // 3. Test tampered token: the identifier is decoded from the first
    //    token, its renewer and max date are rewritten, and it is paired
    //    with the password, kind and service of token2. Renewal must be
    //    rejected; the OM log is expected to say that the identifier
    //    can't be found in the cache.
    OzoneTokenIdentifier tokenId = OzoneTokenIdentifier.readProtoBuf(
        token.getIdentifier());
    tokenId.setRenewer(new Text("om"));
    tokenId.setMaxDate(System.currentTimeMillis() * 2);
    Token<OzoneTokenIdentifier> tamperedToken = new Token<>(
        tokenId.getBytes(), token2.getPassword(), token2.getKind(),
        token2.getService());
    LambdaTestUtils.intercept(OMException.class,
        "Delegation token renewal failed",
        () -> omClient.renewDelegationToken(tamperedToken));
    assertTrue(omLogs.getOutput().contains("can't be found in " +
        "cache"));
    omLogs.clearOutput();

  } finally {
    // Always shut the OM down, even when an assertion above fails.
    om.stop();
    om.join();
  }
}
Example 13
Source File: TestClientToAMTokens.java From hadoop with Apache License 2.0 | 4 votes |
/**
 * Asserts that an RPC connection is refused when the client presents a token whose
 * identifier was replaced after issuance.
 *
 * <p>The substituted identifier is combined with the password, kind and service of the
 * genuine token and added to {@code ugi}. A ping is then attempted as that user. The test
 * passes only if the call fails with a {@code RemoteException} wrapping a
 * {@code SaslException} that reports a DIGEST-MD5 mismatched response, and the AM records
 * no ping.
 *
 * @param conf configuration used to create the RPC proxy
 * @param am the application master under test; supplies the address and the ping flag
 * @param token the genuine token whose password, kind and service are reused
 * @param ugi the user the modified token is attached to and the call is made as
 * @param maliciousID the identifier substituted for the genuine one
 */
private void verifyTamperedToken(final Configuration conf, final CustomAM am,
    Token<ClientToAMTokenIdentifier> token, UserGroupInformation ugi,
    ClientToAMTokenIdentifier maliciousID) {
  // Substituted identifier + genuine password: the two halves no longer belong together.
  final Token<ClientToAMTokenIdentifier> modifiedToken =
      new Token<ClientToAMTokenIdentifier>(
          maliciousID.getBytes(), token.getPassword(), token.getKind(), token.getService());
  ugi.addToken(modifiedToken);

  try {
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        try {
          final CustomProtocol proxy =
              (CustomProtocol) RPC.getProxy(CustomProtocol.class, 1L, am.address, conf);
          proxy.ping();
          // Reaching this line means the server accepted the modified token.
          fail("Connection initiation with illegally modified "
              + "tokens is expected to fail.");
          return null;
        } catch (YarnException ex) {
          fail("Cannot get a YARN remote exception as "
              + "it will indicate RPC success");
          throw ex;
        }
      }
    });
  } catch (Exception e) {
    // The failure must come back from the server side, not from the local client.
    Assert.assertEquals(RemoteException.class.getName(), e.getClass().getName());
    final Exception unwrapped = ((RemoteException) e).unwrapRemoteException();
    Assert.assertEquals(
        SaslException.class.getCanonicalName(), unwrapped.getClass().getCanonicalName());
    // NOTE(review): presumably the digest check fails because the password was not issued
    // for the substituted identifier -- the asserted message is all this test pins down.
    Assert.assertTrue(unwrapped.getMessage().contains(
        "DIGEST-MD5: digest response format violation. "
            + "Mismatched response."));
    // The request must never have reached the AM's ping handler.
    Assert.assertFalse(am.pinged);
  }
}
Example 14
Source File: TestClientToAMTokens.java From big-c with Apache License 2.0 | 4 votes |
/**
 * Asserts that an RPC connection is refused when the client presents a token whose
 * identifier was replaced after issuance.
 *
 * <p>The substituted identifier is combined with the password, kind and service of the
 * genuine token and added to {@code ugi}. A ping is then attempted as that user. The test
 * passes only if the call fails with a {@code RemoteException} wrapping a
 * {@code SaslException} that reports a DIGEST-MD5 mismatched response, and the AM records
 * no ping.
 *
 * @param conf configuration used to create the RPC proxy
 * @param am the application master under test; supplies the address and the ping flag
 * @param token the genuine token whose password, kind and service are reused
 * @param ugi the user the modified token is attached to and the call is made as
 * @param maliciousID the identifier substituted for the genuine one
 */
private void verifyTamperedToken(final Configuration conf, final CustomAM am,
    Token<ClientToAMTokenIdentifier> token, UserGroupInformation ugi,
    ClientToAMTokenIdentifier maliciousID) {
  // Substituted identifier + genuine password: the two halves no longer belong together.
  final Token<ClientToAMTokenIdentifier> modifiedToken =
      new Token<ClientToAMTokenIdentifier>(
          maliciousID.getBytes(), token.getPassword(), token.getKind(), token.getService());
  ugi.addToken(modifiedToken);

  try {
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        try {
          final CustomProtocol proxy =
              (CustomProtocol) RPC.getProxy(CustomProtocol.class, 1L, am.address, conf);
          proxy.ping();
          // Reaching this line means the server accepted the modified token.
          fail("Connection initiation with illegally modified "
              + "tokens is expected to fail.");
          return null;
        } catch (YarnException ex) {
          fail("Cannot get a YARN remote exception as "
              + "it will indicate RPC success");
          throw ex;
        }
      }
    });
  } catch (Exception e) {
    // The failure must come back from the server side, not from the local client.
    Assert.assertEquals(RemoteException.class.getName(), e.getClass().getName());
    final Exception unwrapped = ((RemoteException) e).unwrapRemoteException();
    Assert.assertEquals(
        SaslException.class.getCanonicalName(), unwrapped.getClass().getCanonicalName());
    // NOTE(review): presumably the digest check fails because the password was not issued
    // for the substituted identifier -- the asserted message is all this test pins down.
    Assert.assertTrue(unwrapped.getMessage().contains(
        "DIGEST-MD5: digest response format violation. "
            + "Mismatched response."));
    // The request must never have reached the AM's ping handler.
    Assert.assertFalse(am.pinged);
  }
}
Example 15
Source File: TokenUtil.java From hbase with Apache License 2.0 | 4 votes |
/**
 * Returns the cluster id a token belongs to, taken from the token's service field.
 *
 * <p>A token without a service is mapped to the fixed id {@code "default"}, so all such
 * tokens share one cluster id.
 *
 * @param token the authentication token to inspect
 * @return the token's service, or a new {@code Text("default")} when the service is null
 * @throws IOException declared by the signature; nothing in this body raises it directly
 */
private static Text getClusterId(Token<AuthenticationTokenIdentifier> token)
    throws IOException {
  final Text service = token.getService();
  if (service == null) {
    return new Text("default");
  }
  return service;
}