Java Code Examples for org.apache.hadoop.security.UserGroupInformation.setAuthenticationMethod()

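The following are Java code examples showing how to use setAuthenticationMethod() of the org.apache.hadoop.security.UserGroupInformation class. Note that setAuthenticationMethod() only records how a user is said to have been authenticated; it performs no authentication itself, so the examples call it on identities that were established by some other step (a token, a filter, or a test fixture). You can vote up the examples you like. Your votes will be used in our system to surface more good examples.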
Example 1
Project: hadoop-oss   File: AbstractDelegationTokenIdentifier.java
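/**
 * Get the user encoded in the token identifier.
 *
 * @return a {@link UserGroupInformation} for the owner (a proxy user on top of
 *         the real user when a distinct real user is recorded), or
 *         {@code null} if the owner is unset or empty
 */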
@Override
public UserGroupInformation getUser() {
  // Without an owner there is no identity to construct.
  if (owner == null || owner.toString().isEmpty()) {
    return null;
  }

  // The owner acts for itself when no distinct real user is recorded.
  final boolean ownerIsRealUser = realUser == null
      || realUser.toString().isEmpty()
      || realUser.equals(owner);

  final UserGroupInformation realUgi;
  final UserGroupInformation ugi;
  if (ownerIsRealUser) {
    realUgi = UserGroupInformation.createRemoteUser(owner.toString());
    ugi = realUgi;
  } else {
    // The owner is impersonated by realUser: the returned UGI is a proxy UGI
    // layered on the real user's UGI.
    realUgi = UserGroupInformation.createRemoteUser(realUser.toString());
    ugi = UserGroupInformation.createProxyUser(owner.toString(), realUgi);
  }

  // The TOKEN label is always placed on the real user's UGI, which is the
  // returned object only in the non-proxy case.
  // NOTE(review): both names are taken verbatim from the identifier's fields
  // and nothing here verifies the token; presumably callers only trust this
  // result for identifiers whose token was already validated - confirm.
  realUgi.setAuthenticationMethod(AuthenticationMethod.TOKEN);
  return ugi;
}
 
Example 2
Project: hadoop   File: TestDFSClientCache.java
@Test
public void testGetUserGroupInformationSecure() throws IOException {
  final String proxiedName = "user1";
  final String loginName = "test-user";

  final NfsConfiguration conf = new NfsConfiguration();

  // The login identity is only labelled KERBEROS here; no Kerberos login is
  // performed in this test. setLoginUser is a static call, so it replaces the
  // login user for everything that runs afterwards in the same JVM.
  // NOTE(review): the previous login user is not restored by this method.
  final UserGroupInformation loginUgi =
      UserGroupInformation.createRemoteUser(loginName);
  loginUgi.setAuthenticationMethod(KERBEROS);
  UserGroupInformation.setLoginUser(loginUgi);

  final DFSClientCache clientCache = new DFSClientCache(conf);
  final UserGroupInformation resolved =
      clientCache.getUserGroupInformation(proxiedName, loginUgi);

  // Expect a proxy identity: the requested name on top of the login user.
  assertThat(resolved.getUserName(), is(proxiedName));
  assertThat(resolved.getRealUser(), is(loginUgi));
  assertThat(
      resolved.getAuthenticationMethod(),
      is(UserGroupInformation.AuthenticationMethod.PROXY));
}
 
Example 3
Project: hadoop   File: AbstractDelegationTokenIdentifier.java
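/**
 * Get the user encoded in the token identifier.
 *
 * @return a {@link UserGroupInformation} for the owner (a proxy user on top of
 *         the real user when a distinct real user is recorded), or
 *         {@code null} if the owner is unset or empty
 */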
@Override
public UserGroupInformation getUser() {
  if (owner == null || owner.toString().isEmpty()) {
    // No owner recorded: callers get null and must handle it.
    return null;
  }
  final String ownerName = owner.toString();

  if (realUser == null || realUser.toString().isEmpty() || realUser.equals(owner)) {
    // No separate real user: the owner's own UGI is both labelled and returned.
    final UserGroupInformation ownerUgi =
        UserGroupInformation.createRemoteUser(ownerName);
    ownerUgi.setAuthenticationMethod(AuthenticationMethod.TOKEN);
    return ownerUgi;
  }

  // A distinct real user is acting as the owner. TOKEN is set on the real
  // user's UGI, not on the proxy UGI that is returned.
  // NOTE(review): the names come straight from the identifier and are not
  // verified in this method - confirm callers validate the token first.
  final UserGroupInformation realUgi =
      UserGroupInformation.createRemoteUser(realUser.toString());
  final UserGroupInformation proxyUgi =
      UserGroupInformation.createProxyUser(ownerName, realUgi);
  realUgi.setAuthenticationMethod(AuthenticationMethod.TOKEN);
  return proxyUgi;
}
 
Example 4
Project: ditb   File: RpcServer.java
/**
 * Builds the UGI for an authorized id and labels it with the authentication
 * method of the current connection.
 *
 * @param authorizedId the id to resolve; NOTE(review): presumably the id
 *        produced by a completed SASL negotiation - confirm at the call site
 * @return the UGI for that id, never {@code null}
 * @throws IOException an {@code AccessDeniedException} when a DIGEST token
 *         identifier yields no user; other failures come from the helpers
 */
private UserGroupInformation getAuthorizedUgi(String authorizedId)
    throws IOException {
  final UserGroupInformation ugi;
  if (authMethod != AuthMethod.DIGEST) {
    // Non-DIGEST: the id itself is used as the remote user name.
    ugi = UserGroupInformation.createRemoteUser(authorizedId);
  } else {
    // DIGEST: the id is resolved to a token identifier through the secret
    // manager, and the user is taken from that identifier.
    final TokenIdentifier tokenId =
        HBaseSaslRpcServer.getIdentifier(authorizedId, secretManager);
    ugi = tokenId.getUser();
    if (ugi == null) {
      // Fail closed: an identifier without a user must not yield an identity.
      throw new AccessDeniedException(
          "Can't retrieve username from tokenIdentifier.");
    }
    ugi.addTokenIdentifier(tokenId);
  }
  // The label mirrors the connection's auth method; it records how the
  // connection authenticated and is not a check in itself.
  ugi.setAuthenticationMethod(authMethod.authenticationMethod.getAuthMethod());
  return ugi;
}
 
Example 5
Project: ditb   File: TestTokenAuthentication.java
@Test
public void testTokenAuthentication() throws Exception {
  final UserGroupInformation tokenUser = UserGroupInformation.createUserForTesting(
      "testuser", new String[]{"testgroup"});

  // Label the test identity as token-authenticated before handing it a token.
  tokenUser.setAuthenticationMethod(
      UserGroupInformation.AuthenticationMethod.TOKEN);
  final Configuration conf = TEST_UTIL.getConfiguration();
  UserGroupInformation.setConfiguration(conf);

  final Token<AuthenticationTokenIdentifier> issuedToken =
      secretManager.generateToken("testuser");
  // NOTE(review): the token's string form goes to the debug log; confirm it
  // carries no secret material before copying this pattern outside a test.
  LOG.debug("Got token: " + issuedToken.toString());
  tokenUser.addToken(issuedToken);

  // Call the server as the token user and check the identity it reports back.
  tokenUser.doAs(new PrivilegedExceptionAction<Object>() {
    public Object run() throws Exception {
      final Configuration serverConf = server.getConfiguration();
      final RpcClient client =
          RpcClientFactory.createClient(serverConf, clusterId.toString());
      final ServerName serverName = ServerName.valueOf(
          server.getAddress().getHostName(),
          server.getAddress().getPort(),
          System.currentTimeMillis());
      try {
        final BlockingRpcChannel rpcChannel = client.createBlockingRpcChannel(
            serverName, User.getCurrent(), HConstants.DEFAULT_HBASE_RPC_TIMEOUT);
        final AuthenticationProtos.AuthenticationService.BlockingInterface whoAmIStub =
            AuthenticationProtos.AuthenticationService.newBlockingStub(rpcChannel);
        final AuthenticationProtos.WhoAmIResponse reply = whoAmIStub.whoAmI(
            null, AuthenticationProtos.WhoAmIRequest.getDefaultInstance());
        // The server must see both the user name and the TOKEN auth method.
        assertEquals("testuser", reply.getUsername());
        assertEquals("TOKEN", reply.getAuthMethod());
      } finally {
        // Always release the client, even when an assertion fails.
        client.close();
      }
      return null;
    }
  });
}
 
Example 6
Project: hadoop   File: JspHelper.java
/**
 * Get {@link UserGroupInformation} and possibly the delegation token out of
 * the request.
 * @param context the ServletContext that is serving this request.
 * @param request the http request
 * @param conf configuration
 * @param secureAuthMethod the AuthenticationMethod used in secure mode.
 * @param tryUgiParameter Should it try the ugi parameter?
 * @return a new user from the request
 * @throws AccessControlException if the request has no token
 */
public static UserGroupInformation getUGI(ServletContext context,
    HttpServletRequest request, Configuration conf,
    final AuthenticationMethod secureAuthMethod,
    final boolean tryUgiParameter) throws IOException {
  // Resolution order, as implemented below:
  //   1. security on + delegation token parameter -> identity from the token
  //   2. security on, no token -> request.getRemoteUser(), else IOException
  //   3. security off -> user name from the query, else the default web user
  UserGroupInformation ugi = null;
  // doAsUserFromQuery is read straight from a request parameter, so it is
  // client-supplied. usernameFromQuery presumably is too (helper not shown).
  final String usernameFromQuery = getUsernameFromQuery(request, tryUgiParameter);
  final String doAsUserFromQuery = request.getParameter(DoAsParam.NAME);
  final String remoteUser;
 
  if (UserGroupInformation.isSecurityEnabled()) {
    remoteUser = request.getRemoteUser();
    final String tokenString = request.getParameter(DELEGATION_PARAMETER_NAME);
    if (tokenString != null) {
      // Token-based connections need only verify the effective user, and
      // disallow proxying to different user.  Proxy authorization checks
      // are not required since the checks apply to issuing a token.
      ugi = getTokenUGI(context, request, tokenString, conf);
      // Both client-supplied names are compared against the token's user, so
      // a token cannot be combined with a different user or doAs name.
      // NOTE(review): checkUsername is not shown; presumably it throws on a
      // mismatch - confirm.
      checkUsername(ugi.getShortUserName(), usernameFromQuery);
      checkUsername(ugi.getShortUserName(), doAsUserFromQuery);
    } else if (remoteUser == null) {
      // Fail closed: with security on, a request with neither a token nor a
      // remote user is rejected instead of falling back to a default user.
      throw new IOException(
          "Security enabled but user not authenticated by filter");
    }
  } else {
    // Security's not on, pull from url or use default web user
    // In this mode the identity is whatever the request claims; nothing in
    // this method authenticates it.
    remoteUser = (usernameFromQuery == null)
        ? getDefaultWebUserName(conf) // not specified in request
        : usernameFromQuery;
  }

  if (ugi == null) { // security is off, or there's no token
    ugi = UserGroupInformation.createRemoteUser(remoteUser);
    checkUsername(ugi.getShortUserName(), usernameFromQuery);
    if (UserGroupInformation.isSecurityEnabled()) {
      // This is not necessarily true, could have been auth'ed by user-facing
      // filter
      // The label is the value the caller passed in; it records how the user
      // is assumed to have been authenticated and does not verify it.
      ugi.setAuthenticationMethod(secureAuthMethod);
    }
    if (doAsUserFromQuery != null) {
      // create and attempt to authorize a proxy user
      // The doAs name is client-supplied, so impersonation depends on the
      // authorize call below, which also receives the request's remote address.
      // NOTE(review): presumably it throws when proxying is not permitted -
      // confirm.
      ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
      ProxyUsers.authorize(ugi, getRemoteAddr(request));
    }
  }
  
  // Only the short user name is logged, and only at debug level.
  if(LOG.isDebugEnabled())
    LOG.debug("getUGI is returning: " + ugi.getShortUserName());
  return ugi;
}
 
Example 7
Project: hadoop   File: TestWebHdfsUrl.java
@Test(timeout=60000)
public void testSecureAuthParamsInUrl() throws IOException {
  final Configuration conf = new Configuration();
  // Pretend security is on so the API believes it should use tokens. No real
  // Kerberos login happens: the UGI below is only labelled KERBEROS.
  SecurityUtil.setAuthenticationMethod(KERBEROS, conf);
  UserGroupInformation.setConfiguration(conf);

  final UserGroupInformation ugi =
      UserGroupInformation.createRemoteUser("test-user");
  ugi.setAuthenticationMethod(KERBEROS);
  // Static call: replaces the login user for code that runs afterwards.
  UserGroupInformation.setLoginUser(ugi);

  final WebHdfsFileSystem webhdfs = getWebHdfsFileSystem(ugi, conf);
  final Path root = new Path("/");
  final String tokenString = webhdfs.getDelegationToken().encodeToUrlString();

  // Expected query fragments that recur in the assertions below.
  final String userQuery = new UserParam(ugi.getShortUserName()).toString();
  final String tokenArgQuery = new TokenArgumentParam(tokenString).toString();

  // Fetching a token: the URL carries the user name.
  final URL getTokenUrl = webhdfs.toUrl(GetOpParam.Op.GETDELEGATIONTOKEN, root);
  checkQueryParams(
      new String[]{
          GetOpParam.Op.GETDELEGATIONTOKEN.toQueryString(),
          userQuery
      },
      getTokenUrl);

  // Renewing a token: user name plus the token passed as an argument.
  final URL renewTokenUrl = webhdfs.toUrl(PutOpParam.Op.RENEWDELEGATIONTOKEN,
      root, new TokenArgumentParam(tokenString));
  checkQueryParams(
      new String[]{
          PutOpParam.Op.RENEWDELEGATIONTOKEN.toQueryString(),
          userQuery,
          tokenArgQuery,
      },
      renewTokenUrl);

  // Cancelling a token: same shape as renewal.
  final URL cancelWithTokenHeld = webhdfs.toUrl(PutOpParam.Op.CANCELDELEGATIONTOKEN,
      root, new TokenArgumentParam(tokenString));
  checkQueryParams(
      new String[]{
          PutOpParam.Op.CANCELDELEGATIONTOKEN.toQueryString(),
          userQuery,
          tokenArgQuery,
      },
      cancelWithTokenHeld);

  // Ordinary operation while a token is held: the delegation token itself is
  // the query parameter, so such a URL is credential-bearing.
  // NOTE(review): treat URLs of this form as secrets wherever they are logged
  // or stored.
  final URL statusWithTokenHeld = webhdfs.toUrl(GetOpParam.Op.GETFILESTATUS, root);
  checkQueryParams(
      new String[]{
          GetOpParam.Op.GETFILESTATUS.toQueryString(),
          new DelegationParam(tokenString).toString()
      },
      statusWithTokenHeld);

  // Wipe out the internal token to simulate auth always being required.
  webhdfs.setDelegationToken(null);

  // Cancelling without a held token: still user name plus token argument.
  final URL cancelWithoutToken = webhdfs.toUrl(PutOpParam.Op.CANCELDELEGATIONTOKEN,
      root, new TokenArgumentParam(tokenString));
  checkQueryParams(
      new String[]{
          PutOpParam.Op.CANCELDELEGATIONTOKEN.toQueryString(),
          userQuery,
          tokenArgQuery,
      },
      cancelWithoutToken);

  // Ordinary operation without a held token: falls back to the user name.
  final URL statusWithoutToken = webhdfs.toUrl(GetOpParam.Op.GETFILESTATUS, root);
  checkQueryParams(
      new String[]{
          GetOpParam.Op.GETFILESTATUS.toQueryString(),
          userQuery
      },
      statusWithoutToken);
}