Java Code Examples for org.apache.hadoop.security.token.Token#decodeFromUrlString()

The following examples show how to use org.apache.hadoop.security.token.Token#decodeFromUrlString(). You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. Related API usage is listed on the sidebar.
Example 1
Source File: TestOzoneTokenIdentifier.java — from hadoop-ozone, Apache License 2.0
@Test
public void testTokenSerialization() throws IOException {
  // Round-trip an identifier through the URL-safe string form of a Token and
  // check that the identifier read back equals the one that went in.
  OzoneTokenIdentifier original = getIdentifierInst();
  original.setOmServiceId("defaultServiceId");
  // The password is empty here: only identifier serialization is under test.
  Token<OzoneTokenIdentifier> encoded = new Token<>(
      original.getBytes(), new byte[0], new Text("OzoneToken"),
      new Text("om1:9862,om2:9852,om3:9852"));
  String urlString = encoded.encodeToUrlString();

  Token<OzoneTokenIdentifier> decoded = new Token<>();
  decoded.decodeFromUrlString(urlString);

  // Rebuild the identifier from the decoded token's identifier bytes.
  OzoneTokenIdentifier roundTripped = new OzoneTokenIdentifier();
  roundTripped.readFields(new DataInputStream(
      new ByteArrayInputStream(decoded.getIdentifier())));
  Assert.assertEquals(original, roundTripped);
}
 
Example 2
Source File: TestRMWebServicesDelegationTokens.java — from big-c, Apache License 2.0
/**
 * Asserts that a token which has been cancelled is rejected by the RM's
 * delegation token secret manager and is no longer tracked by it.
 *
 * @param encodedToken the URL-safe encoded token that was cancelled
 * @throws Exception if decoding the token fails
 */
private void assertTokenCancelled(String encodedToken) throws Exception {
  Token<RMDelegationTokenIdentifier> decoded = new Token<>();
  decoded.decodeFromUrlString(encodedToken);
  RMDelegationTokenIdentifier ident = rm.getRMContext()
      .getRMDelegationTokenSecretManager().decodeTokenIdentifier(decoded);

  // A cancelled token must fail verification with InvalidToken ...
  boolean rejected;
  try {
    rm.getRMContext().getRMDelegationTokenSecretManager()
        .verifyToken(ident, decoded.getPassword());
    rejected = false;
  } catch (InvalidToken expected) {
    rejected = true;
  }
  assertTrue("InvalidToken exception not thrown", rejected);

  // ... and must have been dropped from the secret manager's token table.
  assertFalse(rm.getRMContext().getRMDelegationTokenSecretManager()
      .getAllTokens().containsKey(ident));
}
 
Example 3
Source File: TestRMWebServicesDelegationTokens.java — from hadoop, Apache License 2.0
/**
 * Asserts that a token which has been cancelled is rejected by the RM's
 * delegation token secret manager and is no longer tracked by it.
 *
 * @param encodedToken the URL-safe encoded token that was cancelled
 * @throws Exception if decoding the token fails
 */
private void assertTokenCancelled(String encodedToken) throws Exception {
  Token<RMDelegationTokenIdentifier> decoded = new Token<>();
  decoded.decodeFromUrlString(encodedToken);
  RMDelegationTokenIdentifier ident = rm.getRMContext()
      .getRMDelegationTokenSecretManager().decodeTokenIdentifier(decoded);

  // A cancelled token must fail verification with InvalidToken ...
  boolean rejected;
  try {
    rm.getRMContext().getRMDelegationTokenSecretManager()
        .verifyToken(ident, decoded.getPassword());
    rejected = false;
  } catch (InvalidToken expected) {
    rejected = true;
  }
  assertTrue("InvalidToken exception not thrown", rejected);

  // ... and must have been dropped from the secret manager's token table.
  assertFalse(rm.getRMContext().getRMDelegationTokenSecretManager()
      .getAllTokens().containsKey(ident));
}
 
Example 4
Source File: CancelDelegationTokenServlet.java — from hadoop, Apache License 2.0
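/**
 * Cancels the HDFS delegation token passed in the {@code token} request
 * parameter, acting as the authenticated caller.
 *
 * <p>The request is authenticated first via {@link #getUGI}; a request that
 * cannot be authenticated is rejected with 403. The token string is untrusted
 * client input: this servlet only decodes it, and the NameNode RPC layer
 * decides whether the caller is allowed to cancel that token.
 *
 * @param req  incoming request carrying the {@code token} parameter
 * @param resp response; receives an error status when the request fails
 * @throws ServletException declared by the servlet API; not thrown here
 * @throws IOException if the token cannot be decoded or writing the error
 *         response fails
 */
@Override
protected void doGet(final HttpServletRequest req, final HttpServletResponse resp)
    throws ServletException, IOException {
  final UserGroupInformation ugi;
  final ServletContext context = getServletContext();
  final Configuration conf = NameNodeHttpServer.getConfFromContext(context);
  try {
    ugi = getUGI(req, conf);
  } catch(IOException ioe) {
    LOG.info("Request for token received with no authentication from "
        + req.getRemoteAddr(), ioe);
    resp.sendError(HttpServletResponse.SC_FORBIDDEN,
        "Unable to identify or authenticate user");
    return;
  }
  final NameNode nn = NameNodeHttpServer.getNameNodeFromContext(
      context);
  final String tokenString = req.getParameter(TOKEN);
  if (tokenString == null) {
    // The status code is kept for compatibility with existing clients. The
    // early return is the important part: without it the null parameter was
    // passed on to decodeFromUrlString after the error had already been sent.
    resp.sendError(HttpServletResponse.SC_MULTIPLE_CHOICES,
                   "Token to cancel not specified");
    return;
  }
  final Token<DelegationTokenIdentifier> token =
      new Token<DelegationTokenIdentifier>();
  token.decodeFromUrlString(tokenString);

  try {
    // Run the cancellation as the authenticated user so the NameNode applies
    // its ownership/renewer checks to the caller, not to the servlet's own identity.
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        nn.getRpcServer().cancelDelegationToken(token);
        return null;
      }
    });
  } catch(Exception e) {
    // Not actually re-thrown: the failure is logged and reported as a 500.
    // NOTE(review): e.getMessage() is returned to the client verbatim — confirm
    // that is intended for this endpoint.
    LOG.info("Exception while cancelling token. Re-throwing. ", e);
    resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                   e.getMessage());
  }
}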
 
Example 5
Source File: ParameterParser.java — from big-c, Apache License 2.0
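/**
 * Decodes the delegation token carried in the {@code delegation} request
 * parameter and sets its service field from the configured NameNode id.
 *
 * <p>The parameter is untrusted client input; this method only reconstructs
 * the token, it does not verify it.
 *
 * @return the decoded token with its service field set
 * @throws IOException if the parameter is absent or cannot be decoded
 */
Token<DelegationTokenIdentifier> delegationToken() throws IOException {
  final String delegation = param(DelegationParam.NAME);
  if (delegation == null) {
    // decodeFromUrlString does not accept null; report the missing parameter
    // as a checked IOException instead of an unchecked failure deep inside
    // the decoder.
    throw new IOException(
        "Missing required parameter: " + DelegationParam.NAME);
  }
  final Token<DelegationTokenIdentifier> token =
      new Token<DelegationTokenIdentifier>();
  token.decodeFromUrlString(delegation);

  // Override the token's service so it is matched against the NameNode this
  // request is for: the logical name under HA, host:port otherwise.
  final URI nnUri = URI.create(HDFS_URI_SCHEME + "://" + namenodeId());
  if (HAUtil.isLogicalUri(conf, nnUri)) {
    token.setService(HAUtil.buildTokenServiceForLogicalUri(nnUri,
        HDFS_URI_SCHEME));
  } else {
    token.setService(SecurityUtil.buildTokenService(nnUri));
  }
  return token;
}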
 
Example 6
Source File: CancelDelegationTokenServlet.java — from big-c, Apache License 2.0
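/**
 * Cancels the HDFS delegation token passed in the {@code token} request
 * parameter, acting as the authenticated caller.
 *
 * <p>The request is authenticated first via {@link #getUGI}; a request that
 * cannot be authenticated is rejected with 403. The token string is untrusted
 * client input: this servlet only decodes it, and the NameNode RPC layer
 * decides whether the caller is allowed to cancel that token.
 *
 * @param req  incoming request carrying the {@code token} parameter
 * @param resp response; receives an error status when the request fails
 * @throws ServletException declared by the servlet API; not thrown here
 * @throws IOException if the token cannot be decoded or writing the error
 *         response fails
 */
@Override
protected void doGet(final HttpServletRequest req, final HttpServletResponse resp)
    throws ServletException, IOException {
  final UserGroupInformation ugi;
  final ServletContext context = getServletContext();
  final Configuration conf = NameNodeHttpServer.getConfFromContext(context);
  try {
    ugi = getUGI(req, conf);
  } catch(IOException ioe) {
    LOG.info("Request for token received with no authentication from "
        + req.getRemoteAddr(), ioe);
    resp.sendError(HttpServletResponse.SC_FORBIDDEN,
        "Unable to identify or authenticate user");
    return;
  }
  final NameNode nn = NameNodeHttpServer.getNameNodeFromContext(
      context);
  final String tokenString = req.getParameter(TOKEN);
  if (tokenString == null) {
    // The status code is kept for compatibility with existing clients. The
    // early return is the important part: without it the null parameter was
    // passed on to decodeFromUrlString after the error had already been sent.
    resp.sendError(HttpServletResponse.SC_MULTIPLE_CHOICES,
                   "Token to cancel not specified");
    return;
  }
  final Token<DelegationTokenIdentifier> token =
      new Token<DelegationTokenIdentifier>();
  token.decodeFromUrlString(tokenString);

  try {
    // Run the cancellation as the authenticated user so the NameNode applies
    // its ownership/renewer checks to the caller, not to the servlet's own identity.
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        nn.getRpcServer().cancelDelegationToken(token);
        return null;
      }
    });
  } catch(Exception e) {
    // Not actually re-thrown: the failure is logged and reported as a 500.
    // NOTE(review): e.getMessage() is returned to the client verbatim — confirm
    // that is intended for this endpoint.
    LOG.info("Exception while cancelling token. Re-throwing. ", e);
    resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                   e.getMessage());
  }
}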
 
Example 7
Source File: JspHelper.java — from big-c, Apache License 2.0
/**
 * Builds the {@link UserGroupInformation} for a request that presented a
 * URL-encoded HDFS delegation token.
 *
 * <p>The token's password is verified through the NameNode only when a
 * NameNode is reachable via {@code context}. When it is not, the identity
 * encoded in the token is used as-is, so callers on that path must trust
 * where the token string came from.
 *
 * @param context     servlet context; may be null
 * @param request     the request, used to resolve the NameNode service address
 * @param tokenString the URL-safe encoded token (untrusted input)
 * @param conf        configuration; not used by this method
 * @return the token's user, with the token added to its credentials
 * @throws IOException if the token cannot be decoded or fails verification
 */
private static UserGroupInformation getTokenUGI(ServletContext context,
                                                HttpServletRequest request,
                                                String tokenString,
                                                Configuration conf)
                                                    throws IOException {
  final Token<DelegationTokenIdentifier> token = new Token<>();
  token.decodeFromUrlString(tokenString);

  // Point the token at the NameNode this request is addressed to, when known.
  InetSocketAddress nnAddress = getNNServiceAddress(context, request);
  if (nnAddress != null) {
    SecurityUtil.setTokenService(token, nnAddress);
    token.setKind(DelegationTokenIdentifier.HDFS_DELEGATION_KIND);
  }

  DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
  identifier.readFields(new DataInputStream(
      new ByteArrayInputStream(token.getIdentifier())));

  NameNode nn = context == null
      ? null : NameNodeHttpServer.getNameNodeFromContext(context);
  if (nn != null) {
    // Verify the token's password via the namesystem.
    nn.getNamesystem().verifyToken(identifier, token.getPassword());
  }

  UserGroupInformation ugi = identifier.getUser();
  ugi.addToken(token);
  return ugi;
}
 
Example 8
Source File: JsonUtil.java — from big-c, Apache License 2.0
/**
 * Converts the JSON map form of a token back into a {@link Token}.
 *
 * <p>Only the {@code urlString} entry is read; it is expected to hold the
 * URL-safe encoding produced by {@code Token#encodeToUrlString()}.
 * NOTE(review): a missing or non-string {@code urlString} fails inside the
 * cast/decode rather than returning null — confirm callers expect that.
 *
 * @param m the parsed JSON object, or null
 * @return the decoded token, or null when {@code m} is null
 * @throws IOException if the encoded string cannot be decoded
 */
public static Token<? extends TokenIdentifier> toToken(
    final Map<?, ?> m) throws IOException {
  if (m == null) {
    return null;
  }

  final String urlString = (String) m.get("urlString");
  final Token<DelegationTokenIdentifier> decoded = new Token<>();
  decoded.decodeFromUrlString(urlString);
  return decoded;
}
 
Example 9
Source File: TestRMWebServicesDelegationTokens.java — from big-c, Apache License 2.0
/**
 * Asserts that an encoded RM delegation token verifies against the RM's
 * secret manager and is still tracked by it.
 *
 * @param encodedToken the URL-safe encoded token to check
 * @throws IOException if decoding fails or the token does not verify
 */
private void assertValidRMToken(String encodedToken) throws IOException {
  Token<RMDelegationTokenIdentifier> decoded = new Token<>();
  decoded.decodeFromUrlString(encodedToken);
  RMDelegationTokenIdentifier ident = rm.getRMContext()
      .getRMDelegationTokenSecretManager().decodeTokenIdentifier(decoded);

  // verifyToken throws InvalidToken when the token does not verify, which
  // fails the test; no explicit assertion is needed for that step.
  rm.getRMContext().getRMDelegationTokenSecretManager()
      .verifyToken(ident, decoded.getPassword());

  // A valid token is still present in the secret manager's token table.
  assertTrue(rm.getRMContext().getRMDelegationTokenSecretManager()
      .getAllTokens().containsKey(ident));
}
 
Example 10
Source File: RMWebServices.java — from big-c, Apache License 2.0
/**
 * Decodes a URL-encoded RM delegation token supplied by a web client.
 *
 * <p>Any decoding failure is reported as a 400 with a fixed message; the
 * underlying exception text is not passed on to the client.
 *
 * @param encodedToken the token string from the request (untrusted input)
 * @return the decoded token; it is not verified here
 * @throws BadRequestException if the string cannot be decoded
 */
private Token<RMDelegationTokenIdentifier> extractToken(String encodedToken) {
  Token<RMDelegationTokenIdentifier> decoded = new Token<>();
  try {
    decoded.decodeFromUrlString(encodedToken);
  } catch (Exception decodeFailure) {
    throw new BadRequestException("Could not decode encoded token");
  }
  return decoded;
}
 
Example 11
Source File: JspHelper.java — from hadoop, Apache License 2.0
/**
 * Builds the {@link UserGroupInformation} for a request that presented a
 * URL-encoded HDFS delegation token.
 *
 * <p>The token's password is verified through the NameNode only when a
 * NameNode is reachable via {@code context}. When it is not, the identity
 * encoded in the token is used as-is, so callers on that path must trust
 * where the token string came from.
 *
 * @param context     servlet context; may be null
 * @param request     the request, used to resolve the NameNode service address
 * @param tokenString the URL-safe encoded token (untrusted input)
 * @param conf        configuration; not used by this method
 * @return the token's user, with the token added to its credentials
 * @throws IOException if the token cannot be decoded or fails verification
 */
private static UserGroupInformation getTokenUGI(ServletContext context,
                                                HttpServletRequest request,
                                                String tokenString,
                                                Configuration conf)
                                                    throws IOException {
  final Token<DelegationTokenIdentifier> token = new Token<>();
  token.decodeFromUrlString(tokenString);

  // Point the token at the NameNode this request is addressed to, when known.
  InetSocketAddress nnAddress = getNNServiceAddress(context, request);
  if (nnAddress != null) {
    SecurityUtil.setTokenService(token, nnAddress);
    token.setKind(DelegationTokenIdentifier.HDFS_DELEGATION_KIND);
  }

  DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
  identifier.readFields(new DataInputStream(
      new ByteArrayInputStream(token.getIdentifier())));

  NameNode nn = context == null
      ? null : NameNodeHttpServer.getNameNodeFromContext(context);
  if (nn != null) {
    // Verify the token's password via the namesystem.
    nn.getNamesystem().verifyToken(identifier, token.getPassword());
  }

  UserGroupInformation ugi = identifier.getUser();
  ugi.addToken(token);
  return ugi;
}
 
Example 12
Source File: ParameterParser.java — from hadoop, Apache License 2.0
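/**
 * Decodes the delegation token carried in the {@code delegation} request
 * parameter and sets its service field from the configured NameNode id.
 *
 * <p>The parameter is untrusted client input; this method only reconstructs
 * the token, it does not verify it.
 *
 * @return the decoded token with its service field set
 * @throws IOException if the parameter is absent or cannot be decoded
 */
Token<DelegationTokenIdentifier> delegationToken() throws IOException {
  final String delegation = param(DelegationParam.NAME);
  if (delegation == null) {
    // decodeFromUrlString does not accept null; report the missing parameter
    // as a checked IOException instead of an unchecked failure deep inside
    // the decoder.
    throw new IOException(
        "Missing required parameter: " + DelegationParam.NAME);
  }
  final Token<DelegationTokenIdentifier> token =
      new Token<DelegationTokenIdentifier>();
  token.decodeFromUrlString(delegation);

  // Override the token's service so it is matched against the NameNode this
  // request is for: the logical name under HA, host:port otherwise.
  final URI nnUri = URI.create(HDFS_URI_SCHEME + "://" + namenodeId());
  if (HAUtil.isLogicalUri(conf, nnUri)) {
    token.setService(HAUtil.buildTokenServiceForLogicalUri(nnUri,
        HDFS_URI_SCHEME));
  } else {
    token.setService(SecurityUtil.buildTokenService(nnUri));
  }
  return token;
}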
 
Example 13
Source File: JsonUtil.java — from hadoop, Apache License 2.0
/**
 * Converts the JSON map form of a token back into a {@link Token}.
 *
 * <p>Only the {@code urlString} entry is read; it is expected to hold the
 * URL-safe encoding produced by {@code Token#encodeToUrlString()}.
 * NOTE(review): a missing or non-string {@code urlString} fails inside the
 * cast/decode rather than returning null — confirm callers expect that.
 *
 * @param m the parsed JSON object, or null
 * @return the decoded token, or null when {@code m} is null
 * @throws IOException if the encoded string cannot be decoded
 */
public static Token<? extends TokenIdentifier> toToken(
    final Map<?, ?> m) throws IOException {
  if (m == null) {
    return null;
  }

  final String urlString = (String) m.get("urlString");
  final Token<DelegationTokenIdentifier> decoded = new Token<>();
  decoded.decodeFromUrlString(urlString);
  return decoded;
}
 
Example 14
Source File: TestRMWebServicesDelegationTokens.java — from hadoop, Apache License 2.0
/**
 * Asserts that an encoded RM delegation token verifies against the RM's
 * secret manager and is still tracked by it.
 *
 * @param encodedToken the URL-safe encoded token to check
 * @throws IOException if decoding fails or the token does not verify
 */
private void assertValidRMToken(String encodedToken) throws IOException {
  Token<RMDelegationTokenIdentifier> decoded = new Token<>();
  decoded.decodeFromUrlString(encodedToken);
  RMDelegationTokenIdentifier ident = rm.getRMContext()
      .getRMDelegationTokenSecretManager().decodeTokenIdentifier(decoded);

  // verifyToken throws InvalidToken when the token does not verify, which
  // fails the test; no explicit assertion is needed for that step.
  rm.getRMContext().getRMDelegationTokenSecretManager()
      .verifyToken(ident, decoded.getPassword());

  // A valid token is still present in the secret manager's token table.
  assertTrue(rm.getRMContext().getRMDelegationTokenSecretManager()
      .getAllTokens().containsKey(ident));
}
 
Example 15
Source File: RMWebServices.java — from hadoop, Apache License 2.0
/**
 * Decodes a URL-encoded RM delegation token supplied by a web client.
 *
 * <p>Any decoding failure is reported as a 400 with a fixed message; the
 * underlying exception text is not passed on to the client.
 *
 * @param encodedToken the token string from the request (untrusted input)
 * @return the decoded token; it is not verified here
 * @throws BadRequestException if the string cannot be decoded
 */
private Token<RMDelegationTokenIdentifier> extractToken(String encodedToken) {
  Token<RMDelegationTokenIdentifier> decoded = new Token<>();
  try {
    decoded.decodeFromUrlString(encodedToken);
  } catch (Exception decodeFailure) {
    throw new BadRequestException("Could not decode encoded token");
  }
  return decoded;
}
 
Example 16
Source File: KerberosHiveMetastoreAuthentication.java — from presto, Apache License 2.0
/**
 * Decodes a Hive metastore delegation token from its URL-safe string form.
 *
 * @param tokenValue the encoded token string
 * @return the decoded token; it is not verified here
 * @throws IOException if the string cannot be decoded
 */
private static Token<DelegationTokenIdentifier> decodeDelegationToken(String tokenValue)
        throws IOException
{
    Token<DelegationTokenIdentifier> decoded = new Token<>();
    decoded.decodeFromUrlString(tokenValue);
    return decoded;
}
 
Example 17
Source File: TokenUtils.java — from incubator-gobblin, Apache License 2.0
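/**
 * Fetches an HCat (Hive metastore) delegation token for {@code userToProxy}
 * through the given metastore client and returns it as a {@link Token}.
 *
 * <p>The metastore hands the token back in URL-safe string form, which is
 * decoded here. If the decoded token carries no service and a signature
 * override is given, the trimmed, lower-cased override is set as the service.
 *
 * @param userToProxy             name of the user the token is fetched for
 * @param hiveConf                Hive configuration; only read for logging here
 * @param tokenSignatureOverwrite optional service value to stamp on the token;
 *                                ignored when null, blank, or when the token
 *                                already has a service
 * @param hiveClient              the metastore client that issues the token
 * @return the decoded delegation token
 * @throws IOException          if the token string cannot be decoded
 * @throws TException           if the metastore call fails
 * @throws InterruptedException as declared by the underlying calls
 */
private static Token<DelegationTokenIdentifier> fetchHcatToken(final String userToProxy, final HiveConf hiveConf,
    final String tokenSignatureOverwrite, final IMetaStoreClient hiveClient)
    throws IOException, TException, InterruptedException {

  LOG.info(HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL.varname + ": " + hiveConf.get(
      HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL.varname));

  LOG.info(HiveConf.ConfVars.METASTORE_KERBEROS_PRINCIPAL.varname + ": " + hiveConf.get(
      HiveConf.ConfVars.METASTORE_KERBEROS_PRINCIPAL.varname));

  // The token is issued for userToProxy, requested on behalf of the login user.
  final Token<DelegationTokenIdentifier> hcatToken = new Token<>();
  hcatToken.decodeFromUrlString(
      hiveClient.getDelegationToken(userToProxy, UserGroupInformation.getLoginUser().getShortUserName()));

  // Apply the signature override only when the token has no service of its
  // own; an existing service is never overwritten.
  final boolean serviceUnset = hcatToken.getService().getLength() <= 0;
  if (serviceUnset && tokenSignatureOverwrite != null
      && !tokenSignatureOverwrite.trim().isEmpty()) {
    // Locale.ROOT keeps the lower-casing independent of the JVM default
    // locale, so the service name is the same on every host.
    hcatToken.setService(new Text(
        tokenSignatureOverwrite.trim().toLowerCase(java.util.Locale.ROOT)));

    LOG.info(HIVE_TOKEN_SIGNATURE_KEY + ":" + tokenSignatureOverwrite);
  }

  // Kind and service are safe to log; the token's password is not logged.
  LOG.info("Created hive metastore token for user:" + userToProxy + " with kind[" + hcatToken.getKind() + "]"
      + " and service[" + hcatToken.getService() + "]");
  return hcatToken;
}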
 
Example 18
Source File: BlockTokenVerifier.java — from hadoop-ozone, Apache License 2.0
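/**
 * Verifies a block token before a container command is executed.
 *
 * <p>Checks, in order: the token string is present and decodes; a certificate
 * client is available; the signer certificate referenced by the token exists;
 * the token's signature verifies over the identifier bytes; the token has not
 * expired; and the token's block id matches the requested block. Verification
 * is skipped entirely when block tokens are disabled or the command does not
 * require one. Command type and access mode are not yet checked (see TODO).
 *
 * @param user     the requesting user; used in error messages and debug logs
 * @param tokenStr the URL-safe encoded token, as received from the client
 * @param cmd      the container command being authorized
 * @param id       the block id the command targets
 * @throws SCMSecurityException if no certificate client is available, or (as a
 *         {@link BlockTokenException}) if any token check fails
 */
@Override
public void verify(String user, String tokenStr,
    ContainerProtos.Type cmd, String id) throws SCMSecurityException {
  if (!conf.isBlockTokenEnabled() || !HddsUtils.requireBlockToken(cmd)) {
    return;
  }

  // TODO: add audit logs.
  if (Strings.isNullOrEmpty(tokenStr)) {
    throw new BlockTokenException("Fail to find any token (empty or " +
        "null.)");
  }

  final Token<OzoneBlockTokenIdentifier> token = new Token<>();
  final OzoneBlockTokenIdentifier tokenId = new OzoneBlockTokenIdentifier();
  try {
    token.decodeFromUrlString(tokenStr);
    if (LOGGER.isDebugEnabled()) {
      LOGGER.debug("Verifying token:{} for user:{} ", token, user);
    }
    tokenId.readFields(new DataInputStream(
        new ByteArrayInputStream(token.getIdentifier())));
  } catch (IOException ex) {
    // Do not echo the raw token string: the encoded form carries the
    // token's signature (its password), and this message may reach logs or
    // client-facing errors.
    throw new BlockTokenException("Failed to decode block token for user: "
        + user);
  }

  if (caClient == null) {
    throw new SCMSecurityException("Certificate client not available " +
        "to validate token");
  }

  UserGroupInformation tokenUser = tokenId.getUser();
  // The identifier names the OM certificate that signed it; resolve it first.
  X509Certificate signerCert =
      caClient.getCertificate(tokenId.getOmCertSerialId());
  if (signerCert == null) {
    throw new BlockTokenException("Can't find signer certificate " +
        "(OmCertSerialId: " + tokenId.getOmCertSerialId() +
        ") of the block token for user: " + tokenUser);
  }

  // Signature check over the identifier bytes; the token's password field
  // holds the signature.
  boolean validToken = caClient.verifySignature(tokenId.getBytes(),
      token.getPassword(), signerCert);
  if (!validToken) {
    throw new BlockTokenException("Invalid block token for user: " +
        tokenId.getUser());
  }

  // Only a token with a valid signature gets as far as the expiry check.
  if (isExpired(tokenId.getExpiryDate())) {
    throw new BlockTokenException("Expired block token for user: " +
        tokenUser);
  }

  // The token is bound to a single block; reject use against any other.
  if (!tokenId.getBlockId().equals(id)) {
    throw new BlockTokenException("Block id mismatch. Token for block ID: " +
        tokenId.getBlockId() + " can't be used to access block: " + id +
        " by user: " + tokenUser);
  }

  // TODO: check cmd type and the permissions(AccessMode) in the token
}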
 
Example 19
Source File: RenewDelegationTokenServlet.java — from hadoop, Apache License 2.0
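/**
 * Renews the HDFS delegation token passed in the {@code token} request
 * parameter, acting as the authenticated caller, and writes the new expiry
 * time to the response body.
 *
 * <p>The request is authenticated first via {@link #getUGI}; a request that
 * cannot be authenticated is rejected with 403. The token string is untrusted
 * client input: this servlet only decodes it, and the NameNode RPC layer
 * decides whether the caller may renew that token.
 *
 * @param req  incoming request carrying the {@code token} parameter
 * @param resp response; receives the new expiry time, or an error status
 * @throws ServletException declared by the servlet API; not thrown here
 * @throws IOException if the token cannot be decoded or writing the response
 *         fails
 */
@Override
protected void doGet(final HttpServletRequest req, final HttpServletResponse resp)
    throws ServletException, IOException {
  final UserGroupInformation ugi;
  final ServletContext context = getServletContext();
  final Configuration conf = NameNodeHttpServer.getConfFromContext(context);
  try {
    ugi = getUGI(req, conf);
  } catch(IOException ioe) {
    LOG.info("Request for token received with no authentication from "
        + req.getRemoteAddr(), ioe);
    resp.sendError(HttpServletResponse.SC_FORBIDDEN,
        "Unable to identify or authenticate user");
    return;
  }
  final NameNode nn = NameNodeHttpServer.getNameNodeFromContext(context);
  final String tokenString = req.getParameter(TOKEN);
  if (tokenString == null) {
    // The status code is kept for compatibility with existing clients. The
    // early return is the important part: without it the null parameter was
    // passed on to decodeFromUrlString after the error had already been sent.
    resp.sendError(HttpServletResponse.SC_MULTIPLE_CHOICES,
                   "Token to renew not specified");
    return;
  }
  final Token<DelegationTokenIdentifier> token =
      new Token<DelegationTokenIdentifier>();
  token.decodeFromUrlString(tokenString);

  try {
    // Run the renewal as the authenticated user so the NameNode applies its
    // renewer checks to the caller, not to the servlet's own identity.
    long result = ugi.doAs(new PrivilegedExceptionAction<Long>() {
      @Override
      public Long run() throws Exception {
        return nn.getRpcServer().renewDelegationToken(token);
      }
    });
    // The response body is just the new expiry time; always release the writer.
    final PrintWriter os = new PrintWriter(new OutputStreamWriter(
        resp.getOutputStream(), Charsets.UTF_8));
    try {
      os.println(result);
    } finally {
      os.close();
    }
  } catch(Exception e) {
    // transfer exception over the http: the client parses "class;message".
    // NOTE(review): this exposes the exception class name and message to the
    // caller by design of this protocol — confirm that is still intended.
    String exceptionClass = e.getClass().getName();
    String exceptionMsg = e.getLocalizedMessage();
    String strException = exceptionClass + ";" + exceptionMsg;
    LOG.info("Exception while renewing token. Re-throwing. s=" + strException, e);
    resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, strException);
  }
}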
 
Example 20
Source File: TestOzoneBlockTokenIdentifier.java — from hadoop-ozone, Apache License 2.0
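/**
 * Round-trips a signed block token through its URL-safe string form and
 * checks that both the identifier and the signature survive the trip.
 *
 * @throws GeneralSecurityException if signing or verifying fails
 * @throws IOException if keystore creation or (de)serialization fails
 */
@Test
public void testTokenSerialization() throws GeneralSecurityException,
    IOException {
  String keystore = new File(KEYSTORES_DIR, "keystore.jks")
      .getAbsolutePath();
  String truststore = new File(KEYSTORES_DIR, "truststore.jks")
      .getAbsolutePath();
  // Test-only passwords for the throwaway stores created below.
  String trustPassword = "trustPass";
  String keyStorePassword = "keyStorePass";
  String keyPassword = "keyPass";
  long maxLength = 128L;

  KeyStoreTestUtil.createKeyStore(keystore, keyStorePassword, keyPassword,
      "OzoneMaster", keyPair.getPrivate(), cert);

  // Create trust store and put the certificate in the trust store
  Map<String, X509Certificate> certs = Collections.singletonMap("server",
      cert);
  KeyStoreTestUtil.createTrustStore(truststore, trustPassword, certs);

  // Sign the OzoneMaster Token with Ozone Master private key
  PrivateKey privateKey = keyPair.getPrivate();
  OzoneBlockTokenIdentifier tokenId = new OzoneBlockTokenIdentifier(
      "testUser", "84940",
      EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class),
      expiryTime, cert.getSerialNumber().toString(), maxLength);
  byte[] signedToken = signTokenAsymmetric(tokenId, privateKey);

  // The signature travels in the token's password field.
  Token<OzoneBlockTokenIdentifier> token = new Token<>(tokenId.getBytes(),
      signedToken, tokenId.getKind(), new Text("host:port"));

  String encodeToUrlString = token.encodeToUrlString();

  Token<OzoneBlockTokenIdentifier> decodedToken = new Token<>();
  decodedToken.decodeFromUrlString(encodeToUrlString);

  OzoneBlockTokenIdentifier decodedTokenId = new OzoneBlockTokenIdentifier();
  decodedTokenId.readFields(new DataInputStream(
      new ByteArrayInputStream(decodedToken.getIdentifier())));

  Assert.assertEquals(decodedTokenId, tokenId);
  Assert.assertEquals(decodedTokenId.getMaxLength(), maxLength);

  // Verify a decoded signed Token with public key(certificate). Previously the
  // outcome was only logged, so a broken signature round-trip could not fail
  // this test; assert it explicitly.
  boolean isValidToken = verifyTokenAsymmetric(decodedTokenId, decodedToken
      .getPassword(), cert);
  LOG.info("{} is {}", tokenId, isValidToken ? "valid." : "invalid.");
  Assert.assertTrue("decoded block token signature did not verify",
      isValidToken);
}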