org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier Java Examples

public DelegationTokenToRenew(Collection<ApplicationId> applicationIds,
    Token<?> token,
    Configuration conf, long expirationDate, boolean shouldCancelAtEnd,
    String user) {
  this.token = token;
  this.user = user;
  if (token.getKind().equals(new Text("HDFS_DELEGATION_TOKEN"))) {
    try {
      AbstractDelegationTokenIdentifier identifier =
          (AbstractDelegationTokenIdentifier) token.decodeIdentifier();
      maxDate = identifier.getMaxDate();
    } catch (IOException e) {
      throw new YarnRuntimeException(e);
    }
  }
  this.referringAppIds = Collections.synchronizedSet(
      new HashSet<ApplicationId>(applicationIds));
  this.conf = conf;
  this.expirationDate = expirationDate;
  this.timerTask = null;
  this.shouldCancelAtEnd = shouldCancelAtEnd;
}
 

public DelegationTokenToRenew(Collection<ApplicationId> applicationIds,
    Token<?> token,
    Configuration conf, long expirationDate, boolean shouldCancelAtEnd,
    String user) {
  this.token = token;
  this.user = user;
  if (token.getKind().equals(new Text("HDFS_DELEGATION_TOKEN"))) {
    try {
      AbstractDelegationTokenIdentifier identifier =
          (AbstractDelegationTokenIdentifier) token.decodeIdentifier();
      maxDate = identifier.getMaxDate();
    } catch (IOException e) {
      throw new YarnRuntimeException(e);
    }
  }
  this.referringAppIds = Collections.synchronizedSet(
      new HashSet<ApplicationId>(applicationIds));
  this.conf = conf;
  this.expirationDate = expirationDate;
  this.timerTask = null;
  this.shouldCancelAtEnd = shouldCancelAtEnd;
}
 

public static void testEncodeWritable() throws Exception {
  String[] values = new String[]{"", "a", "bb", "ccc", "dddd", "eeeee",
      "ffffff", "ggggggg", "hhhhhhhh", "iiiiiiiii",
      "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLM" +
           "NOPQRSTUVWXYZ01234567890!@#$%^&*()-=_+[]{}|;':,./<>?"};
  Token<AbstractDelegationTokenIdentifier> orig;
  Token<AbstractDelegationTokenIdentifier> copy = 
    new Token<AbstractDelegationTokenIdentifier>();
  // ensure that for each string the input and output values match
  for(int i=0; i< values.length; ++i) {
    String val = values[i];
    System.out.println("Input = " + val);
    orig = new Token<AbstractDelegationTokenIdentifier>(val.getBytes(),
        val.getBytes(), new Text(val), new Text(val));
    String encode = orig.encodeToUrlString();
    copy.decodeFromUrlString(encode);
    assertEquals(orig, copy);
    checkUrlSafe(encode);
  }
}
 

/**
 * Tests delegation token APIs in FileContext for Hdfs; and renew and cancel
 * APIs in Hdfs.
 * 
 * @throws UnsupportedFileSystemException
 * @throws IOException
 * @throws InterruptedException
 */
@SuppressWarnings({ "unchecked", "deprecation" })
@Test
public void testFcDelegationToken() throws UnsupportedFileSystemException,
    IOException, InterruptedException {
  FileContext fcHdfs = FileContext.getFileContext(cluster.getFileSystem()
      .getUri());
  final AbstractFileSystem afs = fcHdfs.getDefaultFileSystem();
  final List<Token<?>> tokenList =
      afs.getDelegationTokens(UserGroupInformation.getCurrentUser()
          .getUserName());
  ((Hdfs) afs).renewDelegationToken((Token<DelegationTokenIdentifier>) tokenList
      .get(0));
  ((Hdfs) afs).cancelDelegationToken(
      (Token<? extends AbstractDelegationTokenIdentifier>) tokenList.get(0));
}
 

/**
 * Tests delegation token APIs in FileContext for Hdfs; and renew and cancel
 * APIs in Hdfs.
 * 
 * @throws UnsupportedFileSystemException
 * @throws IOException
 * @throws InterruptedException
 */
@SuppressWarnings({ "unchecked", "deprecation" })
@Test
public void testFcDelegationToken() throws UnsupportedFileSystemException,
    IOException, InterruptedException {
  FileContext fcHdfs = FileContext.getFileContext(cluster.getFileSystem()
      .getUri());
  final AbstractFileSystem afs = fcHdfs.getDefaultFileSystem();
  final List<Token<?>> tokenList =
      afs.getDelegationTokens(UserGroupInformation.getCurrentUser()
          .getUserName());
  ((Hdfs) afs).renewDelegationToken((Token<DelegationTokenIdentifier>) tokenList
      .get(0));
  ((Hdfs) afs).cancelDelegationToken(
      (Token<? extends AbstractDelegationTokenIdentifier>) tokenList.get(0));
}
 

public static void testEncodeWritable() throws Exception {
  String[] values = new String[]{"", "a", "bb", "ccc", "dddd", "eeeee",
      "ffffff", "ggggggg", "hhhhhhhh", "iiiiiiiii",
      "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLM" +
           "NOPQRSTUVWXYZ01234567890!@#$%^&*()-=_+[]{}|;':,./<>?"};
  Token<AbstractDelegationTokenIdentifier> orig;
  Token<AbstractDelegationTokenIdentifier> copy = 
    new Token<AbstractDelegationTokenIdentifier>();
  // ensure that for each string the input and output values match
  for(int i=0; i< values.length; ++i) {
    String val = values[i];
    System.out.println("Input = " + val);
    orig = new Token<AbstractDelegationTokenIdentifier>(val.getBytes(),
        val.getBytes(), new Text(val), new Text(val));
    String encode = orig.encodeToUrlString();
    copy.decodeFromUrlString(encode);
    assertEquals(orig, copy);
    checkUrlSafe(encode);
  }
}
 

@SuppressWarnings("unchecked")
public UserGroupInformation verifyToken(
    Token<? extends AbstractDelegationTokenIdentifier> token)
        throws IOException {
  AbstractDelegationTokenIdentifier id = secretManager.decodeTokenIdentifier(token);
  secretManager.verifyToken(id, token.getPassword());
  return id.getUser();
}
 

@SuppressWarnings("unchecked")
public void cancelToken(
    Token<? extends AbstractDelegationTokenIdentifier> token,
    String canceler) throws IOException {
  canceler = (canceler != null) ? canceler :
             verifyToken(token).getShortUserName();
  secretManager.cancelToken(token, canceler);
}
 

/**
 * Cancels a delegation token from the server end-point. It does not require
 * being authenticated by the configured <code>Authenticator</code>.
 *
 * @param url the URL to cancel the delegation token from. Only HTTP/S URLs
 * are supported.
 * @param token the authentication token with the Delegation Token to cancel.
 * @param doAsUser the user to do as, which will be the token owner.
 * @throws IOException if an IO error occurred.
 */
public void cancelDelegationToken(URL url,
    AuthenticatedURL.Token token,
    Token<AbstractDelegationTokenIdentifier> dToken, String doAsUser)
    throws IOException {
  try {
    doDelegationTokenOperation(url, token,
        DelegationTokenOperation.CANCELDELEGATIONTOKEN, null, dToken, false,
        doAsUser);
  } catch (AuthenticationException ex) {
    throw new IOException("This should not happen: " + ex.getMessage(), ex);
  }
}
 

/**
 * Cancels a delegation token from the server end-point. It does not require
 * being authenticated by the configured <code>Authenticator</code>.
 *
 * @param url the URL to cancel the delegation token from. Only HTTP/S URLs
 * are supported.
 * @param token the authentication token with the Delegation Token to cancel.
 * @param doAsUser the user to do as, which will be the token owner.
 * @throws IOException if an IO error occurred.
 */
public void cancelDelegationToken(URL url,
    AuthenticatedURL.Token token,
    Token<AbstractDelegationTokenIdentifier> dToken, String doAsUser)
    throws IOException {
  try {
    doDelegationTokenOperation(url, token,
        DelegationTokenOperation.CANCELDELEGATIONTOKEN, null, dToken, false,
        doAsUser);
  } catch (AuthenticationException ex) {
    throw new IOException("This should not happen: " + ex.getMessage(), ex);
  }
}
 

@SuppressWarnings("unchecked")
public void cancelToken(
    Token<? extends AbstractDelegationTokenIdentifier> token,
    String canceler) throws IOException {
  canceler = (canceler != null) ? canceler :
             verifyToken(token).getShortUserName();
  secretManager.cancelToken(token, canceler);
}
 

@SuppressWarnings("unchecked")
public UserGroupInformation verifyToken(
    Token<? extends AbstractDelegationTokenIdentifier> token)
        throws IOException {
  AbstractDelegationTokenIdentifier id = secretManager.decodeTokenIdentifier(token);
  secretManager.verifyToken(id, token.getPassword());
  return id.getUser();
}
 

@SuppressWarnings("unchecked")
public long renewToken(
    Token<? extends AbstractDelegationTokenIdentifier> token, String renewer)
        throws IOException {
  return secretManager.renewToken(token, renewer);
}
 

/**
 * Returns an authenticated {@link HttpURLConnection}. If the Delegation
 * Token is present, it will be used taking precedence over the configured
 * <code>Authenticator</code>. If the <code>doAs</code> parameter is not NULL,
 * the request will be done on behalf of the specified <code>doAs</code> user.
 *
 * @param url the URL to connect to. Only HTTP/S URLs are supported.
 * @param token the authentication token being used for the user.
 * @param doAs user to do the the request on behalf of, if NULL the request is
 * as self.
 * @return an authenticated {@link HttpURLConnection}.
 * @throws IOException if an IO error occurred.
 * @throws AuthenticationException if an authentication exception occurred.
 */
@SuppressWarnings("unchecked")
public HttpURLConnection openConnection(URL url, Token token, String doAs)
    throws IOException, AuthenticationException {
  Preconditions.checkNotNull(url, "url");
  Preconditions.checkNotNull(token, "token");
  Map<String, String> extraParams = new HashMap<String, String>();
  org.apache.hadoop.security.token.Token<? extends TokenIdentifier> dToken
      = null;
  // if we have valid auth token, it takes precedence over a delegation token
  // and we don't even look for one.
  if (!token.isSet()) {
    // delegation token
    Credentials creds = UserGroupInformation.getCurrentUser().
        getCredentials();
    if (!creds.getAllTokens().isEmpty()) {
      InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
          url.getPort());
      Text service = SecurityUtil.buildTokenService(serviceAddr);
      dToken = creds.getToken(service);
      if (dToken != null) {
        if (useQueryStringForDelegationToken()) {
          // delegation token will go in the query string, injecting it
          extraParams.put(
              KerberosDelegationTokenAuthenticator.DELEGATION_PARAM,
              dToken.encodeToUrlString());
        } else {
          // delegation token will go as request header, setting it in the
          // auth-token to ensure no authentication handshake is triggered
          // (if we have a delegation token, we are authenticated)
          // the delegation token header is injected in the connection request
          // at the end of this method.
          token.delegationToken = (org.apache.hadoop.security.token.Token
              <AbstractDelegationTokenIdentifier>) dToken;
        }
      }
    }
  }

  // proxyuser
  if (doAs != null) {
    extraParams.put(DO_AS, URLEncoder.encode(doAs, "UTF-8"));
  }

  url = augmentURL(url, extraParams);
  HttpURLConnection conn = super.openConnection(url, token);
  if (!token.isSet() && !useQueryStringForDelegationToken() && dToken != null) {
    // injecting the delegation token header in the connection request
    conn.setRequestProperty(
        DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER,
        dToken.encodeToUrlString());
  }
  return conn;
}
 

public void setDelegationToken(
    org.apache.hadoop.security.token.Token<AbstractDelegationTokenIdentifier> delegationToken) {
  this.delegationToken = delegationToken;
}
 

public org.apache.hadoop.security.token.Token<AbstractDelegationTokenIdentifier>
getDelegationToken() {
  return delegationToken;
}
 

/**
 * testing -fileCache option
 * @throws IOException
 */
public void testTokenCacheOption() throws IOException {
  FileSystem localFs = FileSystem.getLocal(conf);
  
  File tmpFile = new File(testDir, "tokenCacheFile");
  if(tmpFile.exists()) {
    tmpFile.delete();
  }
  String[] args = new String[2];
  // pass a files option 
  args[0] = "-tokenCacheFile";
  args[1] = tmpFile.toURI().toString();
  
  // test non existing file
  Throwable th = null;
  try {
    new GenericOptionsParser(conf, args);
  } catch (Exception e) {
    th = e;
  }
  assertNotNull(th);
  assertTrue("FileNotFoundException is not thrown",
      th instanceof FileNotFoundException);
  
  // create file
  Path tmpPath = localFs.makeQualified(new Path(tmpFile.toString()));
  Token<?> token = new Token<AbstractDelegationTokenIdentifier>(
      "identifier".getBytes(), "password".getBytes(),
      new Text("token-kind"), new Text("token-service"));
  Credentials creds = new Credentials();
  creds.addToken(new Text("token-alias"), token);
  creds.writeTokenStorageFile(tmpPath, conf);

  new GenericOptionsParser(conf, args);
  String fileName = conf.get("mapreduce.job.credentials.binary");
  assertNotNull("files is null", fileName);
  assertEquals("files option does not match", tmpPath.toString(), fileName);
  
  Credentials ugiCreds =
      UserGroupInformation.getCurrentUser().getCredentials();
  assertEquals(1, ugiCreds.numberOfTokens());
  Token<?> ugiToken = ugiCreds.getToken(new Text("token-alias"));
  assertNotNull(ugiToken);
  assertEquals(token, ugiToken);
  
  localFs.delete(new Path(testDir.getAbsolutePath()), true);
}
 

/**
 * testing -fileCache option
 * @throws IOException
 */
public void testTokenCacheOption() throws IOException {
  FileSystem localFs = FileSystem.getLocal(conf);
  
  File tmpFile = new File(testDir, "tokenCacheFile");
  if(tmpFile.exists()) {
    tmpFile.delete();
  }
  String[] args = new String[2];
  // pass a files option 
  args[0] = "-tokenCacheFile";
  args[1] = tmpFile.toURI().toString();
  
  // test non existing file
  Throwable th = null;
  try {
    new GenericOptionsParser(conf, args);
  } catch (Exception e) {
    th = e;
  }
  assertNotNull(th);
  assertTrue("FileNotFoundException is not thrown",
      th instanceof FileNotFoundException);
  
  // create file
  Path tmpPath = localFs.makeQualified(new Path(tmpFile.toString()));
  Token<?> token = new Token<AbstractDelegationTokenIdentifier>(
      "identifier".getBytes(), "password".getBytes(),
      new Text("token-kind"), new Text("token-service"));
  Credentials creds = new Credentials();
  creds.addToken(new Text("token-alias"), token);
  creds.writeTokenStorageFile(tmpPath, conf);

  new GenericOptionsParser(conf, args);
  String fileName = conf.get("mapreduce.job.credentials.binary");
  assertNotNull("files is null", fileName);
  assertEquals("files option does not match", tmpPath.toString(), fileName);
  
  Credentials ugiCreds =
      UserGroupInformation.getCurrentUser().getCredentials();
  assertEquals(1, ugiCreds.numberOfTokens());
  Token<?> ugiToken = ugiCreds.getToken(new Text("token-alias"));
  assertNotNull(ugiToken);
  assertEquals(token, ugiToken);
  
  localFs.delete(new Path(testDir.getAbsolutePath()), true);
}
 

@SuppressWarnings("unchecked")
public long renewToken(
    Token<? extends AbstractDelegationTokenIdentifier> token, String renewer)
        throws IOException {
  return secretManager.renewToken(token, renewer);
}
 

public org.apache.hadoop.security.token.Token<AbstractDelegationTokenIdentifier>
getDelegationToken() {
  return delegationToken;
}
 

/**
 * Returns an authenticated {@link HttpURLConnection}. If the Delegation
 * Token is present, it will be used taking precedence over the configured
 * <code>Authenticator</code>. If the <code>doAs</code> parameter is not NULL,
 * the request will be done on behalf of the specified <code>doAs</code> user.
 *
 * @param url the URL to connect to. Only HTTP/S URLs are supported.
 * @param token the authentication token being used for the user.
 * @param doAs user to do the the request on behalf of, if NULL the request is
 * as self.
 * @return an authenticated {@link HttpURLConnection}.
 * @throws IOException if an IO error occurred.
 * @throws AuthenticationException if an authentication exception occurred.
 */
@SuppressWarnings("unchecked")
public HttpURLConnection openConnection(URL url, Token token, String doAs)
    throws IOException, AuthenticationException {
  Preconditions.checkNotNull(url, "url");
  Preconditions.checkNotNull(token, "token");
  Map<String, String> extraParams = new HashMap<String, String>();
  org.apache.hadoop.security.token.Token<? extends TokenIdentifier> dToken
      = null;
  // if we have valid auth token, it takes precedence over a delegation token
  // and we don't even look for one.
  if (!token.isSet()) {
    // delegation token
    Credentials creds = UserGroupInformation.getCurrentUser().
        getCredentials();
    if (!creds.getAllTokens().isEmpty()) {
      InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
          url.getPort());
      Text service = SecurityUtil.buildTokenService(serviceAddr);
      dToken = creds.getToken(service);
      if (dToken != null) {
        if (useQueryStringForDelegationToken()) {
          // delegation token will go in the query string, injecting it
          extraParams.put(
              KerberosDelegationTokenAuthenticator.DELEGATION_PARAM,
              dToken.encodeToUrlString());
        } else {
          // delegation token will go as request header, setting it in the
          // auth-token to ensure no authentication handshake is triggered
          // (if we have a delegation token, we are authenticated)
          // the delegation token header is injected in the connection request
          // at the end of this method.
          token.delegationToken = (org.apache.hadoop.security.token.Token
              <AbstractDelegationTokenIdentifier>) dToken;
        }
      }
    }
  }

  // proxyuser
  if (doAs != null) {
    extraParams.put(DO_AS, URLEncoder.encode(doAs, "UTF-8"));
  }

  url = augmentURL(url, extraParams);
  HttpURLConnection conn = super.openConnection(url, token);
  if (!token.isSet() && !useQueryStringForDelegationToken() && dToken != null) {
    // injecting the delegation token header in the connection request
    conn.setRequestProperty(
        DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER,
        dToken.encodeToUrlString());
  }
  return conn;
}
 

public void setDelegationToken(
    org.apache.hadoop.security.token.Token<AbstractDelegationTokenIdentifier> delegationToken) {
  this.delegationToken = delegationToken;
}
 

/**
 * Renew an existing delegation token.
 * 
 * @param token delegation token obtained earlier
 * @return the new expiration time
 * @throws InvalidToken
 * @throws IOException
 * @deprecated Use Token.renew instead.
 */
@SuppressWarnings("unchecked")
public long renewDelegationToken(
    Token<? extends AbstractDelegationTokenIdentifier> token)
    throws InvalidToken, IOException {
  return dfs.renewDelegationToken((Token<DelegationTokenIdentifier>) token);
}
 

/**
 * Cancel an existing delegation token.
 * 
 * @param token delegation token
 * @throws InvalidToken
 * @throws IOException
 * @deprecated Use Token.cancel instead.
 */
@SuppressWarnings("unchecked")
public void cancelDelegationToken(
    Token<? extends AbstractDelegationTokenIdentifier> token)
    throws InvalidToken, IOException {
  dfs.cancelDelegationToken((Token<DelegationTokenIdentifier>) token);
}
 

/**
 * Renews a delegation token from the server end-point using the
 * configured <code>Authenticator</code> for authentication.
 *
 * @param url the URL to renew the delegation token from. Only HTTP/S URLs are
 * supported.
 * @param token the authentication token with the Delegation Token to renew.
 * @throws IOException if an IO error occurred.
 * @throws AuthenticationException if an authentication exception occurred.
 */
public long renewDelegationToken(URL url,
    AuthenticatedURL.Token token,
    Token<AbstractDelegationTokenIdentifier> dToken)
    throws IOException, AuthenticationException {
  return renewDelegationToken(url, token, dToken, null);
}
 

/**
 * Renews a delegation token from the server end-point using the
 * configured <code>Authenticator</code> for authentication.
 *
 * @param url the URL to renew the delegation token from. Only HTTP/S URLs are
 * supported.
 * @param token the authentication token with the Delegation Token to renew.
 * @param doAsUser the user to do as, which will be the token owner.
 * @throws IOException if an IO error occurred.
 * @throws AuthenticationException if an authentication exception occurred.
 */
public long renewDelegationToken(URL url,
    AuthenticatedURL.Token token,
    Token<AbstractDelegationTokenIdentifier> dToken, String doAsUser)
    throws IOException, AuthenticationException {
  Map json = doDelegationTokenOperation(url, token,
      DelegationTokenOperation.RENEWDELEGATIONTOKEN, null, dToken, true,
      doAsUser);
  return (Long) json.get(RENEW_DELEGATION_TOKEN_JSON);
}
 

/**
 * Cancels a delegation token from the server end-point. It does not require
 * being authenticated by the configured <code>Authenticator</code>.
 *
 * @param url the URL to cancel the delegation token from. Only HTTP/S URLs
 * are supported.
 * @param token the authentication token with the Delegation Token to cancel.
 * @throws IOException if an IO error occurred.
 */
public void cancelDelegationToken(URL url,
    AuthenticatedURL.Token token,
    Token<AbstractDelegationTokenIdentifier> dToken)
    throws IOException {
  cancelDelegationToken(url, token, dToken, null);
}
 

/**
 * Cancels a delegation token from the server end-point. It does not require
 * being authenticated by the configured <code>Authenticator</code>.
 *
 * @param url the URL to cancel the delegation token from. Only HTTP/S URLs
 * are supported.
 * @param token the authentication token with the Delegation Token to cancel.
 * @throws IOException if an IO error occurred.
 */
public void cancelDelegationToken(URL url,
    AuthenticatedURL.Token token,
    Token<AbstractDelegationTokenIdentifier> dToken)
    throws IOException {
  cancelDelegationToken(url, token, dToken, null);
}
 

/**
 * Renews a delegation token from the server end-point using the
 * configured <code>Authenticator</code> for authentication.
 *
 * @param url the URL to renew the delegation token from. Only HTTP/S URLs are
 * supported.
 * @param token the authentication token with the Delegation Token to renew.
 * @param doAsUser the user to do as, which will be the token owner.
 * @throws IOException if an IO error occurred.
 * @throws AuthenticationException if an authentication exception occurred.
 */
public long renewDelegationToken(URL url,
    AuthenticatedURL.Token token,
    Token<AbstractDelegationTokenIdentifier> dToken, String doAsUser)
    throws IOException, AuthenticationException {
  Map json = doDelegationTokenOperation(url, token,
      DelegationTokenOperation.RENEWDELEGATIONTOKEN, null, dToken, true,
      doAsUser);
  return (Long) json.get(RENEW_DELEGATION_TOKEN_JSON);
}
 

/**
 * Renews a delegation token from the server end-point using the
 * configured <code>Authenticator</code> for authentication.
 *
 * @param url the URL to renew the delegation token from. Only HTTP/S URLs are
 * supported.
 * @param token the authentication token with the Delegation Token to renew.
 * @throws IOException if an IO error occurred.
 * @throws AuthenticationException if an authentication exception occurred.
 */
public long renewDelegationToken(URL url,
    AuthenticatedURL.Token token,
    Token<AbstractDelegationTokenIdentifier> dToken)
    throws IOException, AuthenticationException {
  return renewDelegationToken(url, token, dToken, null);
}