Java Code Examples for org.apache.hadoop.security.UserGroupInformation#setLoginUser()

The following examples show how to use org.apache.hadoop.security.UserGroupInformation#setLoginUser() . These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
@Test
public void testAclEnabledListAllDisallowed() throws Exception {
  // ozone.acl.enabled = true, ozone.om.volume.listall.allowed = false
  MiniOzoneCluster cluster = startCluster(true, false);
  // The default user is adminUser as set in init(),
  // listall always succeeds if we use that UGI, we should use non-admin here
  UserGroupInformation.setLoginUser(user1);
  checkUser(cluster, user1, Arrays.asList("volume1", "volume4", "volume5"),
      false);
  UserGroupInformation.setLoginUser(user2);
  checkUser(cluster, user2, Arrays.asList("volume2", "volume3", "volume5"),
      false);
  UserGroupInformation.setLoginUser(adminUser);
  checkUser(cluster, adminUser, Arrays.asList("volume1", "volume2", "volume3",
      "volume4", "volume5"), true);
  stopCluster(cluster);
}
 
Example 2
Source Project: hadoop   File: TestWebHdfsUrl.java    License: Apache License 2.0 6 votes vote down vote up
@Test(timeout=60000)
public void testSimpleAuthParamsInUrl() throws IOException {
  Configuration conf = new Configuration();

  UserGroupInformation ugi =
      UserGroupInformation.createRemoteUser("test-user");
  UserGroupInformation.setLoginUser(ugi);

  WebHdfsFileSystem webhdfs = getWebHdfsFileSystem(ugi, conf);
  Path fsPath = new Path("/");

  // send user+token
  URL fileStatusUrl = webhdfs.toUrl(GetOpParam.Op.GETFILESTATUS, fsPath);
  checkQueryParams(
      new String[]{
          GetOpParam.Op.GETFILESTATUS.toQueryString(),
          new UserParam(ugi.getShortUserName()).toString()
      },
      fileStatusUrl);
}
 
Example 3
Source Project: hadoop   File: TestWebHdfsUrl.java    License: Apache License 2.0 6 votes vote down vote up
@Test(timeout=60000)
public void testCheckAccessUrl() throws IOException {
  Configuration conf = new Configuration();

  UserGroupInformation ugi =
      UserGroupInformation.createRemoteUser("test-user");
  UserGroupInformation.setLoginUser(ugi);

  WebHdfsFileSystem webhdfs = getWebHdfsFileSystem(ugi, conf);
  Path fsPath = new Path("/p1");

  URL checkAccessUrl = webhdfs.toUrl(GetOpParam.Op.CHECKACCESS,
      fsPath, new FsActionParam(FsAction.READ_WRITE));
  checkQueryParams(
      new String[]{
          GetOpParam.Op.CHECKACCESS.toQueryString(),
          new UserParam(ugi.getShortUserName()).toString(),
          FsActionParam.NAME + "=" + FsAction.READ_WRITE.SYMBOL
      },
      checkAccessUrl);
}
 
Example 4
/**
 * apex.dfsRootDirectory set: absolute path with %USER_NAME% and impersonation enabled
 * @throws IOException
 * @throws InterruptedException
 *
 */
@Test
public void getApexDFSRootDirAbsPathAndVar() throws IOException, InterruptedException
{
  final Configuration conf = new YarnConfiguration(new Configuration(false));
  conf.set(StramClientUtils.APEX_APP_DFS_ROOT_DIR, "/x/%USER_NAME%/z");
  conf.setBoolean(StramUserLogin.DT_APP_PATH_IMPERSONATED, true);

  final FileSystem fs = FileSystem.newInstance(conf);
  UserGroupInformation testUser = UserGroupInformation.createUserForTesting("testUser1", new String[]{""});
  UserGroupInformation.setLoginUser(testUser);
  UserGroupInformation doAsUser = UserGroupInformation.createUserForTesting("impersonated", new String[]{""});

  doAsUser.doAs(new PrivilegedExceptionAction<Void>()
  {
    @Override
    public Void run() throws Exception
    {
      Path path = StramClientUtils.getApexDFSRootDir(fs, conf);
      Assert.assertEquals("file:/x/impersonated/z", path.toString());
      return null;
    }
  });
}
 
Example 5
Source Project: big-c   File: TestWebHdfsTokens.java    License: Apache License 2.0 5 votes vote down vote up
@BeforeClass
public static void setUp() {
  conf = new Configuration();
  SecurityUtil.setAuthenticationMethod(KERBEROS, conf);
  UserGroupInformation.setConfiguration(conf);    
  UserGroupInformation.setLoginUser(
      UserGroupInformation.createUserForTesting(
          "LoginUser", new String[]{"supergroup"}));
}
 
Example 6
Source Project: big-c   File: TestRMContainerAllocator.java    License: Apache License 2.0 5 votes vote down vote up
@Before
public void setup() {
  MyContainerAllocator.getJobUpdatedNodeEvents().clear();
  MyContainerAllocator.getTaskAttemptKillEvents().clear();

  // make each test create a fresh user to avoid leaking tokens between tests
  UserGroupInformation.setLoginUser(null);
}
 
Example 7
@Test
public void testAclDisabledListAllDisallowed() throws Exception {
  // ozone.acl.enabled = false, ozone.om.volume.listall.allowed = false
  MiniOzoneCluster cluster = startCluster(false, false);
  // If ACL is disabled, all permission checks are disabled in Ozone by design
  UserGroupInformation.setLoginUser(user1);
  checkUser(cluster, user1, Arrays.asList("volume1", "volume3", "volume5"),
      true);
  UserGroupInformation.setLoginUser(user2);
  checkUser(cluster, user2, Arrays.asList("volume2", "volume4"),
      true);  // listall will succeed since acl is disabled
  stopCluster(cluster);
}
 
Example 8
@Test
public void testProviderRefresh() throws IOException {
    TestingTools.startServer(new FakeServer(fakeKDC), grpcCleanup);
    Configuration conf = TestingTools.getBrokerConfig();
    Subject alice = fakeKDC.login(ALICE);
    UserGroupInformation.loginUserFromSubject(alice);
    AccessToken token = refresh(conf);
    assertEquals("FakeAccessToken/AuthenticatedUser=" + ALICE + ";Owner=" + ALICE + ";Target=" + MOCK_BUCKET, token.getToken());
    UserGroupInformation.setLoginUser(null);
}
 
Example 9
/**
 * Same as testProviderRefresh but with access boundary disabled
 */
@Test
public void testProviderRefreshWithoutAccessBoundary() throws IOException {
    TestingTools.startServer(new FakeServer(fakeKDC), grpcCleanup);
    Configuration conf = TestingTools.getBrokerConfig();
    conf.set("gcp.token.broker.access.boundary.enabled", "false");
    Subject alice = fakeKDC.login(ALICE);
    UserGroupInformation.loginUserFromSubject(alice);
    AccessToken token = refresh(conf);
    assertEquals("FakeAccessToken/AuthenticatedUser=" + ALICE + ";Owner=" + ALICE + ";Target=", token.getToken());
    UserGroupInformation.setLoginUser(null);
}
 
Example 10
@Test
public void testGetSessionToken() throws IOException {
    TestingTools.startServer(new FakeServer(fakeKDC), grpcCleanup);
    Configuration conf = TestingTools.getBrokerConfig();
    Subject alice = fakeKDC.login(ALICE);
    UserGroupInformation.loginUserFromSubject(alice);
    String token = getSessionToken(conf);
    assertEquals("FakeSessionToken/AuthenticatedUser=" + ALICE + ";Owner=" + ALICE + ";Target=" + MOCK_BUCKET, token);
    UserGroupInformation.setLoginUser(null);
}
 
Example 11
/**
 * Same as testGetSessionToken but with access boundary disabled
 */
@Test
public void testGetSessionTokenWithoutAccessBoundary() throws IOException {
    TestingTools.startServer(new FakeServer(fakeKDC), grpcCleanup);
    Configuration conf = TestingTools.getBrokerConfig();
    conf.set("gcp.token.broker.access.boundary.enabled", "false");
    Subject alice = fakeKDC.login(ALICE);
    UserGroupInformation.loginUserFromSubject(alice);
    String token = getSessionToken(conf);
    assertEquals("FakeSessionToken/AuthenticatedUser=" + ALICE + ";Owner=" + ALICE + ";Target=", token);
    UserGroupInformation.setLoginUser(null);
}
 
Example 12
private void startApp() throws Exception {
  // submit a dummy app
  ApplicationSubmissionContext appSubmissionContext =
      yarnClient.createApplication().getApplicationSubmissionContext();
  this.applicationId = appSubmissionContext.getApplicationId();

  ContainerLaunchContext containerLaunchContext =
      BuilderUtils.newContainerLaunchContext(Collections.emptyMap(), Collections.emptyMap(),
          Arrays.asList("sleep", "100"), Collections.emptyMap(), null, Collections.emptyMap());

  // Setup the application submission context
  appSubmissionContext.setApplicationName("TestApp");
  appSubmissionContext.setResource(Resource.newInstance(128, 1));
  appSubmissionContext.setPriority(Priority.newInstance(0));
  appSubmissionContext.setAMContainerSpec(containerLaunchContext);

  this.yarnClient.submitApplication(appSubmissionContext);

  // wait for application to be accepted
  int i;
  RMAppAttempt attempt = null;
  for (i = 0; i < 120; i++) {
    ApplicationReport appReport = yarnClient.getApplicationReport(applicationId);

    if (appReport.getYarnApplicationState() == YarnApplicationState.ACCEPTED) {
      this.applicationAttemptId = appReport.getCurrentApplicationAttemptId();
      attempt = yarnCluster.getResourceManager().getRMContext().getRMApps()
          .get(appReport.getCurrentApplicationAttemptId().getApplicationId()).getCurrentAppAttempt();
      break;
    }
    Thread.sleep(1000);
  }

  Assert.assertTrue(i < 120, "timed out waiting for ACCEPTED state");

  // Set the AM-RM token in the UGI for access during testing
  UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(UserGroupInformation.getCurrentUser()
      .getUserName()));
  UserGroupInformation.getCurrentUser().addToken(attempt.getAMRMToken());
}
 
Example 13
Source Project: hadoop-etl-udfs   File: KerberosHadoopUtils.java    License: MIT License 4 votes vote down vote up
/**
 * Configure JAAS for Export if JDBC statements must be executed using Kerberos authentication.
 */
public static void configKerberosJaas(String path, String user, String password) throws Exception {
    final String krbKey = "ExaAuthType=Kerberos";
    String[] confKeytab = password.split(";");
    if (confKeytab.length != 3 || !confKeytab[0].equals(krbKey)) {
        throw new RuntimeException("An invalid Kerberos CONNECTION was specified.");
    }

    String confPath = UdfUtils.writeTempFile(DatatypeConverter.parseBase64Binary(confKeytab[1]), path, "krb5_", ".conf");
    String keytabPath = UdfUtils.writeTempFile(DatatypeConverter.parseBase64Binary(confKeytab[2]), path, "kt_", ".keytab");

    StringBuilder jaasData = new StringBuilder();
    jaasData.append("Client {\n");
    jaasData.append("com.sun.security.auth.module.Krb5LoginModule required\n");
    jaasData.append("principal=\"" + user + "\"\n");
    jaasData.append("useKeyTab=true\n");
    jaasData.append("keyTab=\"" + keytabPath + "\"\n");
    jaasData.append("doNotPrompt=true\n");
    jaasData.append("useTicketCache=false;\n");
    jaasData.append("};\n");
    jaasData.append("com.sun.security.jgss.initiate {\n");
    jaasData.append("com.sun.security.auth.module.Krb5LoginModule required\n");
    jaasData.append("principal=\"" + user + "\"\n");
    jaasData.append("useKeyTab=true\n");
    jaasData.append("keyTab=\"" + keytabPath + "\"\n");
    jaasData.append("doNotPrompt=true\n");
    jaasData.append("useTicketCache=false;\n");
    jaasData.append("};\n");
    String jaasPath = UdfUtils.writeTempFile(jaasData.toString().getBytes(Charset.forName("UTF-8")), path, "jaas_", ".conf");

    System.setProperty("java.security.auth.login.config", jaasPath);
    System.setProperty("java.security.krb5.conf", confPath);
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

    // Set login user. The value is actually not important, but something must be specified.
    // UnixLoginModule makes a native system call to get the username.
    int endIndex = StringUtils.indexOfAny(user, "/@");
    if (endIndex != -1) {
        user = user.substring(0, endIndex);
    }
    UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(user));
}
 
Example 14
Source Project: big-c   File: TestAMRMClient.java    License: Apache License 2.0 4 votes vote down vote up
@Before
public void startApp() throws Exception {
  // submit new app
  ApplicationSubmissionContext appContext = 
      yarnClient.createApplication().getApplicationSubmissionContext();
  ApplicationId appId = appContext.getApplicationId();
  // set the application name
  appContext.setApplicationName("Test");
  // Set the priority for the application master
  Priority pri = Records.newRecord(Priority.class);
  pri.setPriority(0);
  appContext.setPriority(pri);
  // Set the queue to which this application is to be submitted in the RM
  appContext.setQueue("default");
  // Set up the container launch context for the application master
  ContainerLaunchContext amContainer =
      BuilderUtils.newContainerLaunchContext(
        Collections.<String, LocalResource> emptyMap(),
        new HashMap<String, String>(), Arrays.asList("sleep", "100"),
        new HashMap<String, ByteBuffer>(), null,
        new HashMap<ApplicationAccessType, String>());
  appContext.setAMContainerSpec(amContainer);
  appContext.setResource(Resource.newInstance(1024, 1));
  // Create the request to send to the applications manager
  SubmitApplicationRequest appRequest = Records
      .newRecord(SubmitApplicationRequest.class);
  appRequest.setApplicationSubmissionContext(appContext);
  // Submit the application to the applications manager
  yarnClient.submitApplication(appContext);

  // wait for app to start
  RMAppAttempt appAttempt = null;
  while (true) {
    ApplicationReport appReport = yarnClient.getApplicationReport(appId);
    if (appReport.getYarnApplicationState() == YarnApplicationState.ACCEPTED) {
      attemptId = appReport.getCurrentApplicationAttemptId();
      appAttempt =
          yarnCluster.getResourceManager().getRMContext().getRMApps()
            .get(attemptId.getApplicationId()).getCurrentAppAttempt();
      while (true) {
        if (appAttempt.getAppAttemptState() == RMAppAttemptState.LAUNCHED) {
          break;
        }
      }
      break;
    }
  }
  // Just dig into the ResourceManager and get the AMRMToken just for the sake
  // of testing.
  UserGroupInformation.setLoginUser(UserGroupInformation
    .createRemoteUser(UserGroupInformation.getCurrentUser().getUserName()));

  // emulate RM setup of AMRM token in credentials by adding the token
  // *before* setting the token service
  UserGroupInformation.getCurrentUser().addToken(appAttempt.getAMRMToken());
  appAttempt.getAMRMToken().setService(ClientRMProxy.getAMRMTokenService(conf));
}
 
Example 15
@Override
@SuppressFBWarnings(value="DM_EXIT", justification = "Forcing process exit")
public void takeLeadership(CuratorFramework curatorFramework) throws Exception {
    LOG.info("Taken leadership, starting OlapServer-"+queueName);

    String principal = System.getProperty("splice.spark.yarn.principal");
    String keytab = System.getProperty("splice.spark.yarn.keytab");

    if (principal != null && keytab != null) {
        LOG.info("Running kerberized");
        runKerberized(conf);
    } else {
        LOG.info("Running non kerberized");
        runNonKerberized(conf);
    }

    String root = HConfiguration.getConfiguration().getSpliceRootPath();
    String queueRoot = root + HBaseConfiguration.OLAP_SERVER_PATH + HBaseConfiguration.OLAP_SERVER_QUEUE_PATH;
    String appRoot = root + HBaseConfiguration.OLAP_SERVER_PATH + HBaseConfiguration.OLAP_SERVER_KEEP_ALIVE_PATH;
    zkSafeCreate(queueRoot);
    zkSafeCreate(appRoot);
    queueZkPath = queueRoot + "/" + queueName;
    appZkPath = appRoot + "/" + appId;

    UserGroupInformation.setLoginUser(ugi);
    ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
        try {
            submitSparkApplication(conf);
        } catch (Exception e) {
            LOG.error("Unexpected exception when submitting Spark application with authentication", e);

            reportDiagnostics(e.getMessage());

            if (mode == Mode.YARN) {
                rmClient.unregisterApplicationMaster(
                        FinalApplicationStatus.FAILED, "", "");
                rmClient.stop();
            }

            throw e;
        }
        return null;
    });

    if (mode == Mode.YARN) {
        rmClient.unregisterApplicationMaster(
                FinalApplicationStatus.SUCCEEDED, "", "");
        rmClient.stop();
    }

    finished.countDown();

    System.exit(0);
}
 
Example 16
Source Project: big-c   File: TestMRAppMaster.java    License: Apache License 2.0 4 votes vote down vote up
@Test
public void testMRAppMasterCredentials() throws Exception {

  Logger rootLogger = LogManager.getRootLogger();
  rootLogger.setLevel(Level.DEBUG);

  // Simulate credentials passed to AM via client->RM->NM
  Credentials credentials = new Credentials();
  byte[] identifier = "MyIdentifier".getBytes();
  byte[] password = "MyPassword".getBytes();
  Text kind = new Text("MyTokenKind");
  Text service = new Text("host:port");
  Token<? extends TokenIdentifier> myToken =
      new Token<TokenIdentifier>(identifier, password, kind, service);
  Text tokenAlias = new Text("myToken");
  credentials.addToken(tokenAlias, myToken);

  Text appTokenService = new Text("localhost:0");
  Token<AMRMTokenIdentifier> appToken =
      new Token<AMRMTokenIdentifier>(identifier, password,
          AMRMTokenIdentifier.KIND_NAME, appTokenService);
  credentials.addToken(appTokenService, appToken);
  
  Text keyAlias = new Text("mySecretKeyAlias");
  credentials.addSecretKey(keyAlias, "mySecretKey".getBytes());
  Token<? extends TokenIdentifier> storedToken =
      credentials.getToken(tokenAlias);

  JobConf conf = new JobConf();

  Path tokenFilePath = new Path(testDir.getAbsolutePath(), "tokens-file");
  Map<String, String> newEnv = new HashMap<String, String>();
  newEnv.put(UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION, tokenFilePath
    .toUri().getPath());
  setNewEnvironmentHack(newEnv);
  credentials.writeTokenStorageFile(tokenFilePath, conf);

  ApplicationId appId = ApplicationId.newInstance(12345, 56);
  ApplicationAttemptId applicationAttemptId =
      ApplicationAttemptId.newInstance(appId, 1);
  ContainerId containerId =
      ContainerId.newContainerId(applicationAttemptId, 546);
  String userName = UserGroupInformation.getCurrentUser().getShortUserName();

  // Create staging dir, so MRAppMaster doesn't barf.
  File stagingDir =
      new File(MRApps.getStagingAreaDir(conf, userName).toString());
  stagingDir.mkdirs();

  // Set login-user to null as that is how real world MRApp starts with.
  // This is null is the reason why token-file is read by UGI.
  UserGroupInformation.setLoginUser(null);

  MRAppMasterTest appMaster =
      new MRAppMasterTest(applicationAttemptId, containerId, "host", -1, -1,
        System.currentTimeMillis(), false, true);
  MRAppMaster.initAndStartAppMaster(appMaster, conf, userName);

  // Now validate the task credentials
  Credentials appMasterCreds = appMaster.getCredentials();
  Assert.assertNotNull(appMasterCreds);
  Assert.assertEquals(1, appMasterCreds.numberOfSecretKeys());
  Assert.assertEquals(1, appMasterCreds.numberOfTokens());

  // Validate the tokens - app token should not be present
  Token<? extends TokenIdentifier> usedToken =
      appMasterCreds.getToken(tokenAlias);
  Assert.assertNotNull(usedToken);
  Assert.assertEquals(storedToken, usedToken);

  // Validate the keys
  byte[] usedKey = appMasterCreds.getSecretKey(keyAlias);
  Assert.assertNotNull(usedKey);
  Assert.assertEquals("mySecretKey", new String(usedKey));

  // The credentials should also be added to conf so that OuputCommitter can
  // access it - app token should not be present
  Credentials confCredentials = conf.getCredentials();
  Assert.assertEquals(1, confCredentials.numberOfSecretKeys());
  Assert.assertEquals(1, confCredentials.numberOfTokens());
  Assert.assertEquals(storedToken, confCredentials.getToken(tokenAlias));
  Assert.assertEquals("mySecretKey",
    new String(confCredentials.getSecretKey(keyAlias)));
  
  // Verify the AM's ugi - app token should be present
  Credentials ugiCredentials = appMaster.getUgi().getCredentials();
  Assert.assertEquals(1, ugiCredentials.numberOfSecretKeys());
  Assert.assertEquals(2, ugiCredentials.numberOfTokens());
  Assert.assertEquals(storedToken, ugiCredentials.getToken(tokenAlias));
  Assert.assertEquals(appToken, ugiCredentials.getToken(appTokenService));
  Assert.assertEquals("mySecretKey",
    new String(ugiCredentials.getSecretKey(keyAlias)));


}
 
Example 17
Source Project: hadoop   File: TestAMRMClient.java    License: Apache License 2.0 4 votes vote down vote up
@Before
public void startApp() throws Exception {
  // submit new app
  ApplicationSubmissionContext appContext = 
      yarnClient.createApplication().getApplicationSubmissionContext();
  ApplicationId appId = appContext.getApplicationId();
  // set the application name
  appContext.setApplicationName("Test");
  // Set the priority for the application master
  Priority pri = Records.newRecord(Priority.class);
  pri.setPriority(0);
  appContext.setPriority(pri);
  // Set the queue to which this application is to be submitted in the RM
  appContext.setQueue("default");
  // Set up the container launch context for the application master
  ContainerLaunchContext amContainer =
      BuilderUtils.newContainerLaunchContext(
        Collections.<String, LocalResource> emptyMap(),
        new HashMap<String, String>(), Arrays.asList("sleep", "100"),
        new HashMap<String, ByteBuffer>(), null,
        new HashMap<ApplicationAccessType, String>());
  appContext.setAMContainerSpec(amContainer);
  appContext.setResource(Resource.newInstance(1024, 1, 1));
  // Create the request to send to the applications manager
  SubmitApplicationRequest appRequest = Records
      .newRecord(SubmitApplicationRequest.class);
  appRequest.setApplicationSubmissionContext(appContext);
  // Submit the application to the applications manager
  yarnClient.submitApplication(appContext);

  // wait for app to start
  RMAppAttempt appAttempt = null;
  while (true) {
    ApplicationReport appReport = yarnClient.getApplicationReport(appId);
    if (appReport.getYarnApplicationState() == YarnApplicationState.ACCEPTED) {
      attemptId = appReport.getCurrentApplicationAttemptId();
      appAttempt =
          yarnCluster.getResourceManager().getRMContext().getRMApps()
            .get(attemptId.getApplicationId()).getCurrentAppAttempt();
      while (true) {
        if (appAttempt.getAppAttemptState() == RMAppAttemptState.LAUNCHED) {
          break;
        }
      }
      break;
    }
  }
  // Just dig into the ResourceManager and get the AMRMToken just for the sake
  // of testing.
  UserGroupInformation.setLoginUser(UserGroupInformation
    .createRemoteUser(UserGroupInformation.getCurrentUser().getUserName()));

  // emulate RM setup of AMRM token in credentials by adding the token
  // *before* setting the token service
  UserGroupInformation.getCurrentUser().addToken(appAttempt.getAMRMToken());
  appAttempt.getAMRMToken().setService(ClientRMProxy.getAMRMTokenService(conf));
}
 
Example 18
Source Project: hadoop   File: TestWebHdfsUrl.java    License: Apache License 2.0 4 votes vote down vote up
@Test(timeout=60000)
public void testSecureAuthParamsInUrl() throws IOException {
  Configuration conf = new Configuration();
  // fake turning on security so api thinks it should use tokens
  SecurityUtil.setAuthenticationMethod(KERBEROS, conf);
  UserGroupInformation.setConfiguration(conf);

  UserGroupInformation ugi =
      UserGroupInformation.createRemoteUser("test-user");
  ugi.setAuthenticationMethod(KERBEROS);
  UserGroupInformation.setLoginUser(ugi);

  WebHdfsFileSystem webhdfs = getWebHdfsFileSystem(ugi, conf);
  Path fsPath = new Path("/");
  String tokenString = webhdfs.getDelegationToken().encodeToUrlString();

  // send user
  URL getTokenUrl = webhdfs.toUrl(GetOpParam.Op.GETDELEGATIONTOKEN, fsPath);
  checkQueryParams(
      new String[]{
          GetOpParam.Op.GETDELEGATIONTOKEN.toQueryString(),
          new UserParam(ugi.getShortUserName()).toString()
      },
      getTokenUrl);

  // send user
  URL renewTokenUrl = webhdfs.toUrl(PutOpParam.Op.RENEWDELEGATIONTOKEN,
      fsPath, new TokenArgumentParam(tokenString));
  checkQueryParams(
      new String[]{
          PutOpParam.Op.RENEWDELEGATIONTOKEN.toQueryString(),
          new UserParam(ugi.getShortUserName()).toString(),
          new TokenArgumentParam(tokenString).toString(),
      },
      renewTokenUrl);

  // send token
  URL cancelTokenUrl = webhdfs.toUrl(PutOpParam.Op.CANCELDELEGATIONTOKEN,
      fsPath, new TokenArgumentParam(tokenString));
  checkQueryParams(
      new String[]{
          PutOpParam.Op.CANCELDELEGATIONTOKEN.toQueryString(),
          new UserParam(ugi.getShortUserName()).toString(),
          new TokenArgumentParam(tokenString).toString(),
      },
      cancelTokenUrl);
  
  // send token
  URL fileStatusUrl = webhdfs.toUrl(GetOpParam.Op.GETFILESTATUS, fsPath);
  checkQueryParams(
      new String[]{
          GetOpParam.Op.GETFILESTATUS.toQueryString(),
          new DelegationParam(tokenString).toString()
      },
      fileStatusUrl);

  // wipe out internal token to simulate auth always required
  webhdfs.setDelegationToken(null);

  // send user
  cancelTokenUrl = webhdfs.toUrl(PutOpParam.Op.CANCELDELEGATIONTOKEN,
      fsPath, new TokenArgumentParam(tokenString));
  checkQueryParams(
      new String[]{
          PutOpParam.Op.CANCELDELEGATIONTOKEN.toQueryString(),
          new UserParam(ugi.getShortUserName()).toString(),
          new TokenArgumentParam(tokenString).toString(),
      },
      cancelTokenUrl);

  // send user
  fileStatusUrl = webhdfs.toUrl(GetOpParam.Op.GETFILESTATUS, fsPath);
  checkQueryParams(
      new String[]{
          GetOpParam.Op.GETFILESTATUS.toQueryString(),
          new UserParam(ugi.getShortUserName()).toString()
      },
      fileStatusUrl);    
}
 
Example 19
Source Project: hadoop   File: TestMRAppMaster.java    License: Apache License 2.0 4 votes vote down vote up
@Test
public void testMRAppMasterCredentials() throws Exception {

  Logger rootLogger = LogManager.getRootLogger();
  rootLogger.setLevel(Level.DEBUG);

  // Simulate credentials passed to AM via client->RM->NM
  Credentials credentials = new Credentials();
  byte[] identifier = "MyIdentifier".getBytes();
  byte[] password = "MyPassword".getBytes();
  Text kind = new Text("MyTokenKind");
  Text service = new Text("host:port");
  Token<? extends TokenIdentifier> myToken =
      new Token<TokenIdentifier>(identifier, password, kind, service);
  Text tokenAlias = new Text("myToken");
  credentials.addToken(tokenAlias, myToken);

  Text appTokenService = new Text("localhost:0");
  Token<AMRMTokenIdentifier> appToken =
      new Token<AMRMTokenIdentifier>(identifier, password,
          AMRMTokenIdentifier.KIND_NAME, appTokenService);
  credentials.addToken(appTokenService, appToken);
  
  Text keyAlias = new Text("mySecretKeyAlias");
  credentials.addSecretKey(keyAlias, "mySecretKey".getBytes());
  Token<? extends TokenIdentifier> storedToken =
      credentials.getToken(tokenAlias);

  JobConf conf = new JobConf();

  Path tokenFilePath = new Path(testDir.getAbsolutePath(), "tokens-file");
  Map<String, String> newEnv = new HashMap<String, String>();
  newEnv.put(UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION, tokenFilePath
    .toUri().getPath());
  setNewEnvironmentHack(newEnv);
  credentials.writeTokenStorageFile(tokenFilePath, conf);

  ApplicationId appId = ApplicationId.newInstance(12345, 56);
  ApplicationAttemptId applicationAttemptId =
      ApplicationAttemptId.newInstance(appId, 1);
  ContainerId containerId =
      ContainerId.newContainerId(applicationAttemptId, 546);
  String userName = UserGroupInformation.getCurrentUser().getShortUserName();

  // Create staging dir, so MRAppMaster doesn't barf.
  File stagingDir =
      new File(MRApps.getStagingAreaDir(conf, userName).toString());
  stagingDir.mkdirs();

  // Set login-user to null as that is how real world MRApp starts with.
  // This is null is the reason why token-file is read by UGI.
  UserGroupInformation.setLoginUser(null);

  MRAppMasterTest appMaster =
      new MRAppMasterTest(applicationAttemptId, containerId, "host", -1, -1,
        System.currentTimeMillis(), false, true);
  MRAppMaster.initAndStartAppMaster(appMaster, conf, userName);

  // Now validate the task credentials
  Credentials appMasterCreds = appMaster.getCredentials();
  Assert.assertNotNull(appMasterCreds);
  Assert.assertEquals(1, appMasterCreds.numberOfSecretKeys());
  Assert.assertEquals(1, appMasterCreds.numberOfTokens());

  // Validate the tokens - app token should not be present
  Token<? extends TokenIdentifier> usedToken =
      appMasterCreds.getToken(tokenAlias);
  Assert.assertNotNull(usedToken);
  Assert.assertEquals(storedToken, usedToken);

  // Validate the keys
  byte[] usedKey = appMasterCreds.getSecretKey(keyAlias);
  Assert.assertNotNull(usedKey);
  Assert.assertEquals("mySecretKey", new String(usedKey));

  // The credentials should also be added to conf so that OuputCommitter can
  // access it - app token should not be present
  Credentials confCredentials = conf.getCredentials();
  Assert.assertEquals(1, confCredentials.numberOfSecretKeys());
  Assert.assertEquals(1, confCredentials.numberOfTokens());
  Assert.assertEquals(storedToken, confCredentials.getToken(tokenAlias));
  Assert.assertEquals("mySecretKey",
    new String(confCredentials.getSecretKey(keyAlias)));
  
  // Verify the AM's ugi - app token should be present
  Credentials ugiCredentials = appMaster.getUgi().getCredentials();
  Assert.assertEquals(1, ugiCredentials.numberOfSecretKeys());
  Assert.assertEquals(2, ugiCredentials.numberOfTokens());
  Assert.assertEquals(storedToken, ugiCredentials.getToken(tokenAlias));
  Assert.assertEquals(appToken, ugiCredentials.getToken(appTokenService));
  Assert.assertEquals("mySecretKey",
    new String(ugiCredentials.getSecretKey(keyAlias)));


}
 
Example 20
Source Project: big-c   File: TestNMClient.java    License: Apache License 2.0 4 votes vote down vote up
@Before
public void setup() throws YarnException, IOException {
  // start minicluster
  conf = new YarnConfiguration();
  yarnCluster =
      new MiniYARNCluster(TestAMRMClient.class.getName(), nodeCount, 1, 1);
  yarnCluster.init(conf);
  yarnCluster.start();
  assertNotNull(yarnCluster);
  assertEquals(STATE.STARTED, yarnCluster.getServiceState());

  // start rm client
  yarnClient = (YarnClientImpl) YarnClient.createYarnClient();
  yarnClient.init(conf);
  yarnClient.start();
  assertNotNull(yarnClient);
  assertEquals(STATE.STARTED, yarnClient.getServiceState());

  // get node info
  nodeReports = yarnClient.getNodeReports(NodeState.RUNNING);

  // submit new app
  ApplicationSubmissionContext appContext = 
      yarnClient.createApplication().getApplicationSubmissionContext();
  ApplicationId appId = appContext.getApplicationId();
  // set the application name
  appContext.setApplicationName("Test");
  // Set the priority for the application master
  Priority pri = Priority.newInstance(0);
  appContext.setPriority(pri);
  // Set the queue to which this application is to be submitted in the RM
  appContext.setQueue("default");
  // Set up the container launch context for the application master
  ContainerLaunchContext amContainer = Records
      .newRecord(ContainerLaunchContext.class);
  appContext.setAMContainerSpec(amContainer);
  // unmanaged AM
  appContext.setUnmanagedAM(true);
  // Create the request to send to the applications manager
  SubmitApplicationRequest appRequest = Records
      .newRecord(SubmitApplicationRequest.class);
  appRequest.setApplicationSubmissionContext(appContext);
  // Submit the application to the applications manager
  yarnClient.submitApplication(appContext);

  // wait for app to start
  int iterationsLeft = 30;
  RMAppAttempt appAttempt = null;
  while (iterationsLeft > 0) {
    ApplicationReport appReport = yarnClient.getApplicationReport(appId);
    if (appReport.getYarnApplicationState() ==
        YarnApplicationState.ACCEPTED) {
      attemptId = appReport.getCurrentApplicationAttemptId();
      appAttempt =
          yarnCluster.getResourceManager().getRMContext().getRMApps()
            .get(attemptId.getApplicationId()).getCurrentAppAttempt();
      while (true) {
        if (appAttempt.getAppAttemptState() == RMAppAttemptState.LAUNCHED) {
          break;
        }
      }
      break;
    }
    sleep(1000);
    --iterationsLeft;
  }
  if (iterationsLeft == 0) {
    fail("Application hasn't bee started");
  }

  // Just dig into the ResourceManager and get the AMRMToken just for the sake
  // of testing.
  UserGroupInformation.setLoginUser(UserGroupInformation
    .createRemoteUser(UserGroupInformation.getCurrentUser().getUserName()));
  UserGroupInformation.getCurrentUser().addToken(appAttempt.getAMRMToken());

  //creating an instance NMTokenCase
  nmTokenCache = new NMTokenCache();
  
  // start am rm client
  rmClient =
      (AMRMClientImpl<ContainerRequest>) AMRMClient
        .<ContainerRequest> createAMRMClient();

  //setting an instance NMTokenCase
  rmClient.setNMTokenCache(nmTokenCache);
  rmClient.init(conf);
  rmClient.start();
  assertNotNull(rmClient);
  assertEquals(STATE.STARTED, rmClient.getServiceState());

  // start am nm client
  nmClient = (NMClientImpl) NMClient.createNMClient();
  
  //propagating the AMRMClient NMTokenCache instance
  nmClient.setNMTokenCache(rmClient.getNMTokenCache());
  nmClient.init(conf);
  nmClient.start();
  assertNotNull(nmClient);
  assertEquals(STATE.STARTED, nmClient.getServiceState());
}