Java Code Examples for org.apache.hadoop.security.SecurityUtil#buildTokenService()

The following examples show how to use org.apache.hadoop.security.SecurityUtil#buildTokenService(). Each example is labelled with the source file and the project it comes from.
Example 1
Source File: ClientRMProxy.java    From hadoop with Apache License 2.0
/**
 * Builds the token service name for the ResourceManager address stored under
 * {@code address}.
 *
 * <p>When RM HA is enabled, one service entry is built per RM id and the entries
 * are joined with commas into a single name. Otherwise a single entry is built
 * from the one configured address.
 *
 * @param conf configuration the address is read from
 * @param address name passed to {@code getSocketAddr} to look up the address
 * @param defaultAddr default address passed to {@code getSocketAddr}
 * @param defaultPort default port passed to {@code getSocketAddr}
 * @return the token service name
 */
@Unstable
public static Text getTokenService(Configuration conf, String address,
    String defaultAddr, int defaultPort) {
  if (!HAUtil.isHAEnabled(conf)) {
    // Single RM: RM_HA_ID does not have to be set before the lookup.
    return SecurityUtil.buildTokenService(
        conf.getSocketAddr(address, defaultAddr, defaultPort));
  }

  // HA: collect one service entry per RM id. RM_HA_ID is set on a separate
  // YarnConfiguration built from conf, not on conf itself.
  ArrayList<String> perRmServices = new ArrayList<String>();
  YarnConfiguration rmScopedConf = new YarnConfiguration(conf);
  for (String rmId : HAUtil.getRMHAIds(conf)) {
    // Selecting the RM id makes the lookup return that RM's address.
    rmScopedConf.set(YarnConfiguration.RM_HA_ID, rmId);
    Text entry = SecurityUtil.buildTokenService(
        rmScopedConf.getSocketAddr(address, defaultAddr, defaultPort));
    perRmServices.add(entry.toString());
  }
  return new Text(Joiner.on(',').join(perRmServices));
}
 
Example 2
Source File: OMProxyInfo.java    From hadoop-ozone with Apache License 2.0
/**
 * Records the service id, node id and RPC address of one OzoneManager node and
 * derives the delegation-token service from the address.
 *
 * <p>If the address does not resolve, a warning is logged and {@code dtService}
 * is left {@code null}, so code reading that field has to handle {@code null}.
 *
 * @param serviceID id of the OM service
 * @param nodeID id of the OM node
 * @param rpcAddress RPC address of the node, parsed with
 *        {@code NetUtils.createSocketAddr}
 */
OMProxyInfo(String serviceID, String nodeID, String rpcAddress) {
  this.serviceId = serviceID;
  this.nodeId = nodeID;
  this.rpcAddrStr = rpcAddress;
  this.rpcAddr = NetUtils.createSocketAddr(rpcAddrStr);

  if (!rpcAddr.isUnresolved()) {
    this.dtService = SecurityUtil.buildTokenService(rpcAddr);
  } else {
    // An OM address can be unresolved in docker/kubernetes setups, for example
    // when the container running that OM has been killed. For now such an
    // address is not turned into a token service; the field stays null.
    LOG.warn("OzoneManager address {} for serviceID {} remains unresolved " +
            "for node ID {} Check your ozone-site.xml file to ensure ozone " +
            "manager addresses are configured properly.",
        rpcAddress, serviceId, nodeId);
    this.dtService = null;
  }
}
 
Example 3
Source File: YARNRunner.java    From hadoop with Apache License 2.0
/**
 * Adds a history-server delegation token to {@code ts} when one is needed.
 *
 * <p>A token is fetched only if security is enabled, a history-server proxy is
 * initialized, {@code ts} already holds a token selected for the RM delegation
 * token service, and {@code ts} has no token yet for the history server's
 * service name.
 *
 * @param ts credentials to inspect and, if needed, extend
 * @throws IOException declared for the calls made to fetch the token
 * @throws InterruptedException declared for the calls made to fetch the token
 */
@VisibleForTesting
void addHistoryToken(Credentials ts) throws IOException, InterruptedException {
  MRClientProtocol hsProxy = clientCache.getInitializedHSProxy();
  // Without security or without a history-server proxy there is nothing to add.
  if (!UserGroupInformation.isSecurityEnabled() || hsProxy == null) {
    return;
  }

  // An RM delegation token in the credentials is taken as the sign that
  // delegation tokens were requested. This is a hack for oozie, so that
  // history-server tokens also end up in the credentials.
  RMDelegationTokenSelector rmTokenSelector = new RMDelegationTokenSelector();
  Text rmService = resMgrDelegate.getRMDelegationTokenService();
  if (rmTokenSelector.selectToken(rmService, ts.getAllTokens()) == null) {
    return;
  }

  // Tokens are stored under the history server's service name; do not
  // fetch a second token if one is already stored there.
  Text hsService =
      SecurityUtil.buildTokenService(hsProxy.getConnectAddress());
  if (ts.getToken(hsService) == null) {
    ts.addToken(hsService, getDelegationTokenFromHS(hsProxy));
  }
}
 
Example 4
Source File: HftpFileSystem.java    From big-c with Apache License 2.0
/**
 * Initializes this file system for the given URI.
 *
 * <p>Stores the configuration, the connection factory and the current user,
 * derives the namenode URI and the token service name from it, and then sets
 * up the token aspect. A delegation token is initialized only when Hadoop
 * security is enabled.
 *
 * @param name URI of the file system; its scheme and authority become
 *        {@code hftpURI}
 * @param conf configuration handed to the superclass and to the connection
 *        factory
 * @throws IOException declared by the overridden method
 * @throws IllegalArgumentException if the scheme and authority of {@code name}
 *         do not form a valid URI
 */
@Override
public void initialize(final URI name, final Configuration conf)
throws IOException {
  super.initialize(name, conf);
  setConf(conf);
  this.connectionFactory = URLConnectionFactory
      .newDefaultURLConnectionFactory(conf);
  this.ugi = UserGroupInformation.getCurrentUser();
  this.nnUri = getNamenodeUri(name);
  // Token service name derived from the namenode URI.
  // NOTE(review): presumably initTokenAspect() below reads this field, so it
  // has to be assigned first - confirm against initTokenAspect().
  this.tokenServiceName = SecurityUtil.buildTokenService(nnUri);

  try {
    // Keep only scheme and authority; path, query and fragment are dropped.
    this.hftpURI = new URI(name.getScheme(), name.getAuthority(),
                           null, null, null);
  } catch (URISyntaxException e) {
    throw new IllegalArgumentException(e);
  }

  initTokenAspect();
  // Delegation tokens are only set up on a secure cluster.
  if (UserGroupInformation.isSecurityEnabled()) {
    tokenAspect.initDelegationToken(ugi);
  }
}
 
Example 5
Source File: YARNRunner.java    From big-c with Apache License 2.0
/**
 * Makes sure {@code ts} carries a delegation token for the history server
 * whenever it already carries one for the ResourceManager.
 *
 * <p>Does nothing when security is disabled or no history-server proxy has been
 * initialized. An existing history-server token in {@code ts} is kept as is.
 *
 * @param ts credentials that are checked and possibly extended
 * @throws IOException declared for the calls made to fetch the token
 * @throws InterruptedException declared for the calls made to fetch the token
 */
@VisibleForTesting
void addHistoryToken(Credentials ts) throws IOException, InterruptedException {
  final MRClientProtocol historyProxy = clientCache.getInitializedHSProxy();
  final boolean applicable =
      UserGroupInformation.isSecurityEnabled() && (historyProxy != null);
  if (!applicable) {
    // No history-server proxy or no security: no token is needed.
    return;
  }

  // Hack for oozie: a selectable RM delegation token in the credentials is
  // read as "delegation tokens were requested", which is when the history
  // server token is added as well.
  final RMDelegationTokenSelector selector = new RMDelegationTokenSelector();
  final Text rmTokenService = resMgrDelegate.getRMDelegationTokenService();
  final boolean hasRmToken =
      selector.selectToken(rmTokenService, ts.getAllTokens()) != null;
  if (hasRmToken) {
    final Text historyService =
        SecurityUtil.buildTokenService(historyProxy.getConnectAddress());
    // Only fetch a token when none is stored under this service name yet.
    if (ts.getToken(historyService) == null) {
      ts.addToken(historyService, getDelegationTokenFromHS(historyProxy));
    }
  }
}
 
Example 6
Source File: HftpFileSystem.java    From hadoop with Apache License 2.0
/**
 * Prepares this file system for use with the given URI.
 *
 * <p>The configuration, connection factory and current user are stored first.
 * The namenode URI is then derived from {@code name} and turned into the token
 * service name. Finally the token aspect is created and, on a cluster with
 * security enabled, asked to initialize a delegation token for the current user.
 *
 * @param name URI of the file system; only its scheme and authority are kept
 *        in {@code hftpURI}
 * @param conf configuration to use
 * @throws IOException declared by the overridden method
 * @throws IllegalArgumentException if scheme and authority of {@code name}
 *         cannot be assembled into a URI
 */
@Override
public void initialize(final URI name, final Configuration conf)
    throws IOException {
  super.initialize(name, conf);
  setConf(conf);
  this.connectionFactory =
      URLConnectionFactory.newDefaultURLConnectionFactory(conf);
  this.ugi = UserGroupInformation.getCurrentUser();

  // The token service name is built from the namenode URI, not from name.
  final URI namenode = getNamenodeUri(name);
  this.nnUri = namenode;
  this.tokenServiceName = SecurityUtil.buildTokenService(namenode);

  // Reduce the URI to scheme://authority.
  final URI schemeAndAuthority;
  try {
    schemeAndAuthority =
        new URI(name.getScheme(), name.getAuthority(), null, null, null);
  } catch (URISyntaxException e) {
    throw new IllegalArgumentException(e);
  }
  this.hftpURI = schemeAndAuthority;

  initTokenAspect();
  if (UserGroupInformation.isSecurityEnabled()) {
    tokenAspect.initDelegationToken(ugi);
  }
}
 
Example 7
Source File: DelegationTokenSelector.java    From hadoop with Apache License 2.0
/**
 * Selects the hdfs delegation token for a namenode that is addressed through a
 * non-rpc URI.
 *
 * <p>The port of the service name is rewritten to the rpc port: the port of the
 * address configured under {@code SERVICE_NAME_KEY} plus the URI's service name
 * if that key is set, otherwise the default namenode rpc port. Only non-hdfs
 * file systems that do not acquire tokens over the rpc port (e.g. webhdfs,
 * hftp) should call this method.
 *
 * @param nnUri URI of the remote namenode
 * @param tokens tokens to select from
 * @param conf hadoop configuration
 * @return the result of selecting by the rewritten service name
 */
public Token<DelegationTokenIdentifier> selectToken(
    final URI nnUri, Collection<Token<?>> tokens,
    final Configuration conf) {
  // The remote cluster's rpc port is a guess: the current token design assumes
  // it equals the local cluster's rpc port unless the config key overrides it.
  // There is no automatic way to determine the real value here.
  final Text uriService = SecurityUtil.buildTokenService(nnUri);
  final String configuredService = conf.get(SERVICE_NAME_KEY + uriService);

  final int rpcPort = (configuredService == null)
      ? NameNode.DEFAULT_PORT
      : NetUtils.createSocketAddr(configuredService, NameNode.DEFAULT_PORT)
          .getPort();

  // Build the name from the host as written in the URI, to avoid
  // unintentional host resolving.
  final Text rpcService = SecurityUtil.buildTokenService(
      NetUtils.createSocketAddrForHost(nnUri.getHost(), rpcPort));
  return selectToken(rpcService, tokens);
}
 
Example 8
Source File: DelegationTokenSelector.java    From big-c with Apache License 2.0
/**
 * Picks the hdfs delegation token that belongs to the namenode behind
 * {@code nnUri}.
 *
 * <p>The lookup does not use the port of {@code nnUri}. It uses the namenode's
 * rpc port, taken from the address configured under {@code SERVICE_NAME_KEY}
 * followed by the URI's service name, or the default namenode rpc port when no
 * such entry exists. This method is meant for non-hdfs file systems such as
 * webhdfs and hftp, which do not use the rpc port to acquire tokens.
 *
 * @param nnUri URI of the remote namenode
 * @param tokens candidate tokens
 * @param conf hadoop configuration
 * @return the result of the lookup by rpc service name
 */
public Token<DelegationTokenIdentifier> selectToken(
    final URI nnUri, Collection<Token<?>> tokens,
    final Configuration conf) {
  // Guess the rpc service port of the remote cluster. The token design assumes
  // the local cluster's rpc port applies unless a config key says otherwise;
  // a way to determine the value automatically is still missing.
  final String overrideKey =
      SERVICE_NAME_KEY + SecurityUtil.buildTokenService(nnUri);
  final String overrideAddr = conf.get(overrideKey);

  int port = NameNode.DEFAULT_PORT;
  if (overrideAddr != null) {
    port = NetUtils.createSocketAddr(overrideAddr, port).getPort();
  }

  // The original hostname from the URI is used so that no unintended host
  // resolution takes place.
  return selectToken(
      SecurityUtil.buildTokenService(
          NetUtils.createSocketAddrForHost(nnUri.getHost(), port)),
      tokens);
}
 
Example 9
Source File: NameNodeProxies.java    From big-c with Apache License 2.0
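/**
 * Creates an explicitly non-HA-enabled proxy object. Most of the time you
 * don't want to use this, and should instead use {@link NameNodeProxies#createProxy}.
 *
 * <p>The delegation token service is built from {@code nnAddr} before the proxy
 * is created, so a failure in building it prevents any proxy from being created.
 *
 * @param conf the configuration object
 * @param nnAddr address of the remote NN to connect to
 * @param xface the IPC interface which should be created
 * @param ugi the user who is making the calls on the proxy object
 * @param withRetries certain interfaces have a non-standard retry policy
 * @param fallbackToSimpleAuth set to true or false during this method to
 *   indicate if a secure client falls back to simple auth; it is only passed
 *   on for {@code ClientProtocol}
 * @return an object containing both the proxy and the associated
 *         delegation token service it corresponds to
 * @throws IOException if one of the proxy factory methods fails
 * @throws IllegalStateException if {@code xface} is {@code null} or not one of
 *         the supported protocol interfaces
 */
@SuppressWarnings("unchecked")
public static <T> ProxyAndInfo<T> createNonHAProxy(
    Configuration conf, InetSocketAddress nnAddr, Class<T> xface,
    UserGroupInformation ugi, boolean withRetries,
    AtomicBoolean fallbackToSimpleAuth) throws IOException {
  Text dtService = SecurityUtil.buildTokenService(nnAddr);

  // Dispatch on the requested interface. Each cast to T is safe because the
  // branch is only taken when xface is exactly that interface's class.
  T proxy;
  if (xface == ClientProtocol.class) {
    proxy = (T) createNNProxyWithClientProtocol(nnAddr, conf, ugi,
        withRetries, fallbackToSimpleAuth);
  } else if (xface == JournalProtocol.class) {
    proxy = (T) createNNProxyWithJournalProtocol(nnAddr, conf, ugi);
  } else if (xface == NamenodeProtocol.class) {
    proxy = (T) createNNProxyWithNamenodeProtocol(nnAddr, conf, ugi,
        withRetries);
  } else if (xface == GetUserMappingsProtocol.class) {
    proxy = (T) createNNProxyWithGetUserMappingsProtocol(nnAddr, conf, ugi);
  } else if (xface == RefreshUserMappingsProtocol.class) {
    proxy = (T) createNNProxyWithRefreshUserMappingsProtocol(nnAddr, conf, ugi);
  } else if (xface == RefreshAuthorizationPolicyProtocol.class) {
    proxy = (T) createNNProxyWithRefreshAuthorizationPolicyProtocol(nnAddr,
        conf, ugi);
  } else if (xface == RefreshCallQueueProtocol.class) {
    proxy = (T) createNNProxyWithRefreshCallQueueProtocol(nnAddr, conf, ugi);
  } else {
    // xface is itself a Class object, so getName() names the rejected
    // interface; xface.getClass().getName() would always be "java.lang.Class"
    // and hide which protocol was requested.
    String message = "Unsupported protocol found when creating the proxy " +
        "connection to NameNode: " +
        ((xface != null) ? xface.getName() : "null");
    LOG.error(message);
    throw new IllegalStateException(message);
  }

  return new ProxyAndInfo<T>(proxy, dtService, nnAddr);
}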
 
Example 10
Source File: NameNodeProxies.java    From big-c with Apache License 2.0
/**
 * Creates the namenode proxy for the requested protocol, choosing between an
 * HA and a non-HA proxy. The HA path is taken when a failover proxy provider
 * can be created for the URI, i.e. when it is a configured logical URI.
 *
 * <p>In the HA case the delegation token service is built for the logical URI
 * if the failover proxy provider uses logical URIs, and from the namenode
 * address otherwise.
 *
 * @param conf the configuration containing the required IPC
 *        properties, client failover configurations, etc.
 * @param nameNodeUri the URI pointing either to a specific NameNode
 *        or to a logical nameservice.
 * @param xface the IPC interface which should be created
 * @param fallbackToSimpleAuth set to true or false during calls to indicate if
 *   a secure client falls back to simple auth
 * @return an object containing both the proxy and the associated
 *         delegation token service it corresponds to
 * @throws IOException if there is an error creating the proxy
 **/
@SuppressWarnings("unchecked")
public static <T> ProxyAndInfo<T> createProxy(Configuration conf,
    URI nameNodeUri, Class<T> xface, AtomicBoolean fallbackToSimpleAuth)
    throws IOException {
  AbstractNNFailoverProxyProvider<T> provider =
      createFailoverProxyProvider(conf, nameNodeUri, xface, true,
        fallbackToSimpleAuth);

  // Non-HA case: no failover provider was created for this URI.
  if (provider == null) {
    return createNonHAProxy(conf, NameNode.getAddress(nameNodeUri), xface,
        UserGroupInformation.getCurrentUser(), true, fallbackToSimpleAuth);
  }

  // HA case: wrap the provider in a retry proxy that fails over on network
  // exceptions, with the limits read from the client configuration.
  Conf clientConf = new Conf(conf);
  T haProxy = (T) RetryProxy.create(xface, provider,
      RetryPolicies.failoverOnNetworkException(
          RetryPolicies.TRY_ONCE_THEN_FAIL, clientConf.maxFailoverAttempts,
          clientConf.maxRetryAttempts, clientConf.failoverSleepBaseMillis,
          clientConf.failoverSleepMaxMillis));

  // The token service follows the kind of URI the provider works with.
  Text tokenService = provider.useLogicalURI()
      ? HAUtil.buildTokenServiceForLogicalUri(nameNodeUri,
          HdfsConstants.HDFS_URI_SCHEME)
      : SecurityUtil.buildTokenService(NameNode.getAddress(nameNodeUri));

  return new ProxyAndInfo<T>(haProxy, tokenService,
      NameNode.getAddress(nameNodeUri));
}
 
Example 11
Source File: TestTokenAspect.java    From big-c with Apache License 2.0
/**
 * Initializes the dummy file system and its token aspect.
 *
 * <p>The stored URI keeps only the scheme and authority of {@code name}; the
 * token service name is built from that reduced URI. A delegation token is
 * initialized when security is enabled or when the test emulates it.
 *
 * @param name URI of the file system
 * @param conf configuration to use
 * @throws IOException declared by the overridden method
 */
@Override
public void initialize(URI name, Configuration conf) throws IOException {
  super.initialize(name, conf);
  setConf(conf);

  // scheme://authority only; path, query and fragment are not carried over.
  String schemeAndAuthority = name.getScheme() + "://" + name.getAuthority();
  this.uri = URI.create(schemeAndAuthority);

  tokenAspect = new TokenAspect<DummyFs>(
      this, SecurityUtil.buildTokenService(uri), TOKEN_KIND);

  boolean securityActive =
      emulateSecurityEnabled || UserGroupInformation.isSecurityEnabled();
  if (securityActive) {
    tokenAspect.initDelegationToken(ugi);
  }
}
 
Example 12
Source File: TestTokenAspect.java    From hadoop with Apache License 2.0
/**
 * Sets up this test file system: stores the configuration, reduces {@code name}
 * to scheme and authority, and creates the token aspect with the token service
 * name built from that reduced URI.
 *
 * <p>The delegation token is initialized if the test emulates security or if
 * Hadoop security is actually enabled.
 *
 * @param name URI of the file system
 * @param conf configuration to use
 * @throws IOException declared by the overridden method
 */
@Override
public void initialize(URI name, Configuration conf) throws IOException {
  super.initialize(name, conf);
  setConf(conf);

  final URI reduced =
      URI.create(name.getScheme() + "://" + name.getAuthority());
  this.uri = reduced;
  // The aspect is keyed by the service name of the reduced URI.
  tokenAspect = new TokenAspect<DummyFs>(this,
      SecurityUtil.buildTokenService(reduced), TOKEN_KIND);

  if (!emulateSecurityEnabled && !UserGroupInformation.isSecurityEnabled()) {
    // Neither emulated nor real security: no delegation token is set up.
    return;
  }
  tokenAspect.initDelegationToken(ugi);
}
 
Example 13
Source File: ResourceRequest.java    From sqoop-on-spark with Apache License 2.0
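/**
 * Builds the delegation token service name for the server behind a URL.
 *
 * <p>The service is built from the URL's host and port. When the URL does not
 * spell out a port, the default port of its protocol is used, so that
 * {@code http://host/path} maps to the same service as {@code http://host:80/path}.
 *
 * @param strURL URL of the server
 * @return the token service name for the URL's host and port
 * @throws IOException if {@code strURL} is not a well-formed URL
 * @throws IllegalArgumentException if no port can be determined, i.e. the URL
 *         has no explicit port and its protocol has no default port
 */
private Text getDelegationTokenService(String strURL) throws IOException {
  URL url = new URL(strURL);
  // URL.getPort() returns -1 when the URL has no explicit port, and
  // InetSocketAddress rejects -1 with an IllegalArgumentException. Fall back
  // to the protocol's default port in that case.
  int port = url.getPort();
  if (port == -1) {
    port = url.getDefaultPort();
  }
  // Note: this InetSocketAddress constructor tries to resolve the host name.
  InetSocketAddress addr = new InetSocketAddress(url.getHost(), port);
  return SecurityUtil.buildTokenService(addr);
}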
 
Example 14
Source File: NameNodeProxies.java    From hadoop with Apache License 2.0
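/**
 * Creates an explicitly non-HA-enabled proxy object. Most of the time you
 * don't want to use this, and should instead use {@link NameNodeProxies#createProxy}.
 *
 * <p>The returned object pairs the proxy with the delegation token service
 * built from {@code nnAddr}. That service is built first, before any proxy is
 * created.
 *
 * @param conf the configuration object
 * @param nnAddr address of the remote NN to connect to
 * @param xface the IPC interface which should be created
 * @param ugi the user who is making the calls on the proxy object
 * @param withRetries certain interfaces have a non-standard retry policy
 * @param fallbackToSimpleAuth set to true or false during this method to
 *   indicate if a secure client falls back to simple auth; only the
 *   {@code ClientProtocol} branch passes it on
 * @return an object containing both the proxy and the associated
 *         delegation token service it corresponds to
 * @throws IOException if one of the proxy factory methods fails
 * @throws IllegalStateException if {@code xface} is {@code null} or is not a
 *         supported protocol interface
 */
@SuppressWarnings("unchecked")
public static <T> ProxyAndInfo<T> createNonHAProxy(
    Configuration conf, InetSocketAddress nnAddr, Class<T> xface,
    UserGroupInformation ugi, boolean withRetries,
    AtomicBoolean fallbackToSimpleAuth) throws IOException {
  Text dtService = SecurityUtil.buildTokenService(nnAddr);

  // One branch per supported interface; the unchecked cast to T is sound
  // because each branch requires xface to be exactly that interface's class.
  T proxy;
  if (xface == ClientProtocol.class) {
    proxy = (T) createNNProxyWithClientProtocol(nnAddr, conf, ugi,
        withRetries, fallbackToSimpleAuth);
  } else if (xface == JournalProtocol.class) {
    proxy = (T) createNNProxyWithJournalProtocol(nnAddr, conf, ugi);
  } else if (xface == NamenodeProtocol.class) {
    proxy = (T) createNNProxyWithNamenodeProtocol(nnAddr, conf, ugi,
        withRetries);
  } else if (xface == GetUserMappingsProtocol.class) {
    proxy = (T) createNNProxyWithGetUserMappingsProtocol(nnAddr, conf, ugi);
  } else if (xface == RefreshUserMappingsProtocol.class) {
    proxy = (T) createNNProxyWithRefreshUserMappingsProtocol(nnAddr, conf, ugi);
  } else if (xface == RefreshAuthorizationPolicyProtocol.class) {
    proxy = (T) createNNProxyWithRefreshAuthorizationPolicyProtocol(nnAddr,
        conf, ugi);
  } else if (xface == RefreshCallQueueProtocol.class) {
    proxy = (T) createNNProxyWithRefreshCallQueueProtocol(nnAddr, conf, ugi);
  } else {
    // Report the interface that was asked for. Calling getClass() on xface
    // would yield java.lang.Class for every input, which makes the log line
    // and the exception useless for finding the offending caller.
    String message = "Unsupported protocol found when creating the proxy " +
        "connection to NameNode: " +
        ((xface != null) ? xface.getName() : "null");
    LOG.error(message);
    throw new IllegalStateException(message);
  }

  return new ProxyAndInfo<T>(proxy, dtService, nnAddr);
}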
 
Example 15
Source File: NameNodeProxies.java    From hadoop with Apache License 2.0
/**
 * Creates the namenode proxy with the passed protocol. Depending on whether a
 * failover proxy provider exists for the URI (that is, whether it is a
 * configured logical URI), the result is an HA- or a non-HA-enabled proxy.
 *
 * <p>For an HA proxy, the delegation token service is the one for the logical
 * URI when the provider uses logical URIs; otherwise it is built from the
 * namenode address of the URI.
 *
 * @param conf the configuration containing the required IPC
 *        properties, client failover configurations, etc.
 * @param nameNodeUri the URI pointing either to a specific NameNode
 *        or to a logical nameservice.
 * @param xface the IPC interface which should be created
 * @param fallbackToSimpleAuth set to true or false during calls to indicate if
 *   a secure client falls back to simple auth
 * @return an object containing both the proxy and the associated
 *         delegation token service it corresponds to
 * @throws IOException if there is an error creating the proxy
 **/
@SuppressWarnings("unchecked")
public static <T> ProxyAndInfo<T> createProxy(Configuration conf,
    URI nameNodeUri, Class<T> xface, AtomicBoolean fallbackToSimpleAuth)
    throws IOException {
  AbstractNNFailoverProxyProvider<T> failover =
      createFailoverProxyProvider(conf, nameNodeUri, xface, true,
        fallbackToSimpleAuth);
  final boolean haEnabled = (failover != null);

  if (haEnabled) {
    // Retry proxy that fails over on network exceptions; the attempt counts
    // and sleep bounds come from the client configuration.
    Conf settings = new Conf(conf);
    T retryingProxy = (T) RetryProxy.create(xface, failover,
        RetryPolicies.failoverOnNetworkException(
            RetryPolicies.TRY_ONCE_THEN_FAIL, settings.maxFailoverAttempts,
            settings.maxRetryAttempts, settings.failoverSleepBaseMillis,
            settings.failoverSleepMaxMillis));

    Text service;
    if (!failover.useLogicalURI()) {
      service = SecurityUtil.buildTokenService(
          NameNode.getAddress(nameNodeUri));
    } else {
      service = HAUtil.buildTokenServiceForLogicalUri(nameNodeUri,
          HdfsConstants.HDFS_URI_SCHEME);
    }
    return new ProxyAndInfo<T>(retryingProxy, service,
        NameNode.getAddress(nameNodeUri));
  }

  // No failover provider: plain proxy for the current user, with retries.
  return createNonHAProxy(conf, NameNode.getAddress(nameNodeUri), xface,
      UserGroupInformation.getCurrentUser(), true, fallbackToSimpleAuth);
}
 
Example 16
Source File: TestHftpDelegationToken.java    From big-c with Apache License 2.0
/**
 * Tests whether HftpFileSystem maintains wire-compatibility with 0.20.203 when
 * obtaining a delegation token. See HDFS-5440 for more details.
 *
 * <p>The remote side is mocked: the HTTP connection returns serialized
 * credentials that hold one token of kind {@code HDFS_DELEGATION_KIND}. After
 * the token aspect has been initialized, the file system's renew token must be
 * of kind {@code HftpFileSystem.TOKEN_KIND}, and the internally stored
 * delegation token must be a different object than the original token but of
 * the same kind.
 */
@Test
public void testTokenCompatibilityFor203() throws IOException,
    URISyntaxException, AuthenticationException {
  Configuration conf = new Configuration();
  HftpFileSystem fs = new HftpFileSystem();

  // Token with empty identifier and password, HDFS delegation kind, and the
  // service "127.0.0.1:8020".
  Token<?> token = new Token<TokenIdentifier>(new byte[0], new byte[0],
      DelegationTokenIdentifier.HDFS_DELEGATION_KIND, new Text(
          "127.0.0.1:8020"));
  // Serialize credentials holding that token; the bytes become the mocked
  // HTTP response body below.
  Credentials cred = new Credentials();
  cred.addToken(HftpFileSystem.TOKEN_KIND, token);
  ByteArrayOutputStream os = new ByteArrayOutputStream();
  cred.write(new DataOutputStream(os));

  // Mocked connection: HTTP 200 with the serialized credentials as body.
  HttpURLConnection conn = mock(HttpURLConnection.class);
  doReturn(new ByteArrayInputStream(os.toByteArray())).when(conn)
      .getInputStream();
  doReturn(HttpURLConnection.HTTP_OK).when(conn).getResponseCode();

  URLConnectionFactory factory = mock(URLConnectionFactory.class);
  doReturn(conn).when(factory).openConnection(Mockito.<URL> any(),
      anyBoolean());

  final URI uri = new URI("hftp://127.0.0.1:8020");
  fs.initialize(uri, conf);
  // Replace the connection factory only after initialize() has run.
  fs.connectionFactory = factory;

  UserGroupInformation ugi = UserGroupInformation.createUserForTesting("foo",
      new String[] { "bar" });

  // Token aspect using the service name built from the hftp URI.
  TokenAspect<HftpFileSystem> tokenAspect = new TokenAspect<HftpFileSystem>(
      fs, SecurityUtil.buildTokenService(uri), HftpFileSystem.TOKEN_KIND);

  tokenAspect.initDelegationToken(ugi);
  tokenAspect.ensureTokenInitialized();

  Assert.assertSame(HftpFileSystem.TOKEN_KIND, fs.getRenewToken().getKind());

  // The stored token is read via reflection: it must be another object than
  // the remote token, with the same kind.
  Token<?> tok = (Token<?>) Whitebox.getInternalState(fs, "delegationToken");
  Assert.assertNotSame("Not making a copy of the remote token", token, tok);
  Assert.assertEquals(token.getKind(), tok.getKind());
}
 
Example 17
Source File: DelegationTokenAuthenticatedURL.java    From big-c with Apache License 2.0
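/**
 * Returns an authenticated {@link HttpURLConnection}. If the Delegation
 * Token is present, it will be used taking precedence over the configured
 * <code>Authenticator</code>. If the <code>doAs</code> parameter is not NULL,
 * the request will be done on behalf of the specified <code>doAs</code> user.
 *
 * <p>A delegation token is only looked for when {@code token} is not set. It is
 * looked up in the current user's credentials under the service name built
 * from the URL's host and port; a URL without an explicit port is looked up
 * under the default port of its protocol.
 *
 * @param url the URL to connect to. Only HTTP/S URLs are supported.
 * @param token the authentication token being used for the user.
 * @param doAs user to do the request on behalf of, if NULL the request is
 * as self.
 * @return an authenticated {@link HttpURLConnection}.
 * @throws IOException if an IO error occurred.
 * @throws AuthenticationException if an authentication exception occurred.
 */
@SuppressWarnings("unchecked")
public HttpURLConnection openConnection(URL url, Token token, String doAs)
    throws IOException, AuthenticationException {
  Preconditions.checkNotNull(url, "url");
  Preconditions.checkNotNull(token, "token");
  Map<String, String> extraParams = new HashMap<String, String>();
  org.apache.hadoop.security.token.Token<? extends TokenIdentifier> dToken
      = null;
  // if we have valid auth token, it takes precedence over a delegation token
  // and we don't even look for one.
  if (!token.isSet()) {
    // delegation token
    Credentials creds = UserGroupInformation.getCurrentUser().
        getCredentials();
    if (!creds.getAllTokens().isEmpty()) {
      // URL.getPort() is -1 when the URL names no port, and InetSocketAddress
      // rejects -1 with an IllegalArgumentException. Use the protocol's
      // default port instead, so port-less URLs still reach the lookup.
      int servicePort = url.getPort();
      if (servicePort == -1) {
        servicePort = url.getDefaultPort();
      }
      InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
          servicePort);
      Text service = SecurityUtil.buildTokenService(serviceAddr);
      dToken = creds.getToken(service);
      if (dToken != null) {
        if (useQueryStringForDelegationToken()) {
          // delegation token will go in the query string, injecting it
          // NOTE(security): a token carried in the URL can be recorded
          // wherever URLs are recorded (access logs, proxies); the header
          // variant below avoids putting the credential into the URL.
          extraParams.put(
              KerberosDelegationTokenAuthenticator.DELEGATION_PARAM,
              dToken.encodeToUrlString());
        } else {
          // delegation token will go as request header, setting it in the
          // auth-token to ensure no authentication handshake is triggered
          // (if we have a delegation token, we are authenticated)
          // the delegation token header is injected in the connection request
          // at the end of this method.
          token.delegationToken = (org.apache.hadoop.security.token.Token
              <AbstractDelegationTokenIdentifier>) dToken;
        }
      }
    }
  }

  // proxyuser
  if (doAs != null) {
    // The user name is URL-encoded before it becomes a query parameter.
    extraParams.put(DO_AS, URLEncoder.encode(doAs, "UTF-8"));
  }

  url = augmentURL(url, extraParams);
  HttpURLConnection conn = super.openConnection(url, token);
  if (!token.isSet() && !useQueryStringForDelegationToken() && dToken != null) {
    // injecting the delegation token header in the connection request
    conn.setRequestProperty(
        DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER,
        dToken.encodeToUrlString());
  }
  return conn;
}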
 
Example 18
Source File: TestTokenAspect.java    From big-c with Apache License 2.0
/**
 * Checks that the token aspect replaces a delegation token whose renewal has
 * failed.
 *
 * <p>The file system is stubbed to hand out {@code token1} first and
 * {@code token2} second, and renewing {@code token1} always fails. After the
 * renewer has had time to run, the renew action for {@code token1} must be
 * invalid, and the next {@code ensureTokenInitialized()} must fetch
 * {@code token2} and register a new, valid renew action.
 */
@Test
public void testRenewal() throws Exception {
  Configuration conf = new Configuration();
  Token<?> token1 = mock(Token.class);
  Token<?> token2 = mock(Token.class);
  final long renewCycle = 100;
  // NOTE(review): this overwrites a static field and the method does not
  // restore it, so the value stays in place for later tests in the same JVM.
  DelegationTokenRenewer.renewCycle = renewCycle;

  UserGroupInformation ugi = UserGroupInformation.createUserForTesting("foo",
      new String[] { "bar" });
  DummyFs fs = spy(new DummyFs());

  // First call returns token1, every later call returns token2.
  doReturn(token1).doReturn(token2).when(fs).getDelegationToken(null);
  doReturn(token1).when(fs).getRenewToken();
  // cause token renewer to abandon the token
  doThrow(new IOException("renew failed")).when(token1).renew(conf);
  doThrow(new IOException("get failed")).when(fs).addDelegationTokens(null,
      null);

  final URI uri = new URI("dummyfs://127.0.0.1:1234");
  TokenAspect<DummyFs> tokenAspect = new TokenAspect<DummyFs>(fs,
      SecurityUtil.buildTokenService(uri), DummyFs.TOKEN_KIND);
  fs.initialize(uri, conf);
  tokenAspect.initDelegationToken(ugi);

  // trigger token acquisition
  tokenAspect.ensureTokenInitialized();
  DelegationTokenRenewer.RenewAction<?> action = getActionFromTokenAspect(tokenAspect);
  verify(fs).setDelegationToken(token1);
  assertTrue(action.isValid());

  // upon renewal, token will go bad based on above stubbing
  // NOTE(review): waits two renew cycles of wall-clock time; the assertions
  // below depend on the renewer having run within that window.
  Thread.sleep(renewCycle * 2);
  assertSame(action, getActionFromTokenAspect(tokenAspect));
  assertFalse(action.isValid());

  // now that token is invalid, should get a new one
  tokenAspect.ensureTokenInitialized();
  verify(fs, times(2)).getDelegationToken(anyString());
  verify(fs).setDelegationToken(token2);
  assertNotSame(action, getActionFromTokenAspect(tokenAspect));

  action = getActionFromTokenAspect(tokenAspect);
  assertTrue(action.isValid());
}
 
Example 19
Source File: TimelineUtils.java    From big-c with Apache License 2.0
/**
 * Builds the token service name of the timeline service.
 *
 * @param conf configuration the timeline token service address is taken from
 * @return the token service name for that address
 */
public static Text buildTimelineTokenService(Configuration conf) {
  // The address lookup is delegated to getTimelineTokenServiceAddress.
  return SecurityUtil.buildTokenService(
      getTimelineTokenServiceAddress(conf));
}
 
Example 20
Source File: TimelineUtils.java    From hadoop with Apache License 2.0
/**
 * Returns the token service name that corresponds to the timeline token
 * service address of the given configuration.
 *
 * @param conf configuration to read the address from
 * @return the token service name built from that address
 */
public static Text buildTimelineTokenService(Configuration conf) {
  final InetSocketAddress address = getTimelineTokenServiceAddress(conf);
  final Text service = SecurityUtil.buildTokenService(address);
  return service;
}