Java Code Examples for org.apache.hadoop.security.token.Token#decodeFromUrlString()
The following examples show how to use
org.apache.hadoop.security.token.Token#decodeFromUrlString() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
| Source File: TestOzoneTokenIdentifier.java From hadoop-ozone with Apache License 2.0 | 6 votes |
|
@Test
public void testTokenSerialization() throws IOException {
OzoneTokenIdentifier idEncode = getIdentifierInst();
idEncode.setOmServiceId("defaultServiceId");
Token<OzoneTokenIdentifier> token = new Token<OzoneTokenIdentifier>(
idEncode.getBytes(), new byte[0], new Text("OzoneToken"),
new Text("om1:9862,om2:9852,om3:9852"));
String encodedStr = token.encodeToUrlString();
Token<OzoneTokenIdentifier> tokenDecode = new Token<>();
tokenDecode.decodeFromUrlString(encodedStr);
ByteArrayInputStream buf = new ByteArrayInputStream(
tokenDecode.getIdentifier());
DataInputStream in = new DataInputStream(buf);
OzoneTokenIdentifier idDecode = new OzoneTokenIdentifier();
idDecode.readFields(in);
Assert.assertEquals(idEncode, idDecode);
}
Example 2
| Source File: TestRMWebServicesDelegationTokens.java From big-c with Apache License 2.0 | 6 votes |
|
private void assertTokenCancelled(String encodedToken) throws Exception {
Token<RMDelegationTokenIdentifier> realToken =
new Token<RMDelegationTokenIdentifier>();
realToken.decodeFromUrlString(encodedToken);
RMDelegationTokenIdentifier ident = rm.getRMContext()
.getRMDelegationTokenSecretManager().decodeTokenIdentifier(realToken);
boolean exceptionCaught = false;
try {
rm.getRMContext().getRMDelegationTokenSecretManager()
.verifyToken(ident, realToken.getPassword());
} catch (InvalidToken it) {
exceptionCaught = true;
}
assertTrue("InvalidToken exception not thrown", exceptionCaught);
assertFalse(rm.getRMContext().getRMDelegationTokenSecretManager()
.getAllTokens().containsKey(ident));
}
Example 3
| Source File: TestRMWebServicesDelegationTokens.java From hadoop with Apache License 2.0 | 6 votes |
|
private void assertTokenCancelled(String encodedToken) throws Exception {
Token<RMDelegationTokenIdentifier> realToken =
new Token<RMDelegationTokenIdentifier>();
realToken.decodeFromUrlString(encodedToken);
RMDelegationTokenIdentifier ident = rm.getRMContext()
.getRMDelegationTokenSecretManager().decodeTokenIdentifier(realToken);
boolean exceptionCaught = false;
try {
rm.getRMContext().getRMDelegationTokenSecretManager()
.verifyToken(ident, realToken.getPassword());
} catch (InvalidToken it) {
exceptionCaught = true;
}
assertTrue("InvalidToken exception not thrown", exceptionCaught);
assertFalse(rm.getRMContext().getRMDelegationTokenSecretManager()
.getAllTokens().containsKey(ident));
}
Example 4
| Source File: CancelDelegationTokenServlet.java From hadoop with Apache License 2.0 | 5 votes |
|
@Override
protected void doGet(final HttpServletRequest req, final HttpServletResponse resp)
throws ServletException, IOException {
final UserGroupInformation ugi;
final ServletContext context = getServletContext();
final Configuration conf = NameNodeHttpServer.getConfFromContext(context);
try {
ugi = getUGI(req, conf);
} catch(IOException ioe) {
LOG.info("Request for token received with no authentication from "
+ req.getRemoteAddr(), ioe);
resp.sendError(HttpServletResponse.SC_FORBIDDEN,
"Unable to identify or authenticate user");
return;
}
final NameNode nn = NameNodeHttpServer.getNameNodeFromContext(
context);
String tokenString = req.getParameter(TOKEN);
if (tokenString == null) {
resp.sendError(HttpServletResponse.SC_MULTIPLE_CHOICES,
"Token to renew not specified");
}
final Token<DelegationTokenIdentifier> token =
new Token<DelegationTokenIdentifier>();
token.decodeFromUrlString(tokenString);
try {
ugi.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
nn.getRpcServer().cancelDelegationToken(token);
return null;
}
});
} catch(Exception e) {
LOG.info("Exception while cancelling token. Re-throwing. ", e);
resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
e.getMessage());
}
}
Example 5
| Source File: ParameterParser.java From big-c with Apache License 2.0 | 5 votes |
|
Token<DelegationTokenIdentifier> delegationToken() throws IOException {
String delegation = param(DelegationParam.NAME);
final Token<DelegationTokenIdentifier> token = new
Token<DelegationTokenIdentifier>();
token.decodeFromUrlString(delegation);
URI nnUri = URI.create(HDFS_URI_SCHEME + "://" + namenodeId());
boolean isLogical = HAUtil.isLogicalUri(conf, nnUri);
if (isLogical) {
token.setService(HAUtil.buildTokenServiceForLogicalUri(nnUri,
HDFS_URI_SCHEME));
} else {
token.setService(SecurityUtil.buildTokenService(nnUri));
}
return token;
}
Example 6
| Source File: CancelDelegationTokenServlet.java From big-c with Apache License 2.0 | 5 votes |
|
@Override
protected void doGet(final HttpServletRequest req, final HttpServletResponse resp)
throws ServletException, IOException {
final UserGroupInformation ugi;
final ServletContext context = getServletContext();
final Configuration conf = NameNodeHttpServer.getConfFromContext(context);
try {
ugi = getUGI(req, conf);
} catch(IOException ioe) {
LOG.info("Request for token received with no authentication from "
+ req.getRemoteAddr(), ioe);
resp.sendError(HttpServletResponse.SC_FORBIDDEN,
"Unable to identify or authenticate user");
return;
}
final NameNode nn = NameNodeHttpServer.getNameNodeFromContext(
context);
String tokenString = req.getParameter(TOKEN);
if (tokenString == null) {
resp.sendError(HttpServletResponse.SC_MULTIPLE_CHOICES,
"Token to renew not specified");
}
final Token<DelegationTokenIdentifier> token =
new Token<DelegationTokenIdentifier>();
token.decodeFromUrlString(tokenString);
try {
ugi.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
nn.getRpcServer().cancelDelegationToken(token);
return null;
}
});
} catch(Exception e) {
LOG.info("Exception while cancelling token. Re-throwing. ", e);
resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
e.getMessage());
}
}
Example 7
| Source File: JspHelper.java From big-c with Apache License 2.0 | 5 votes |
|
private static UserGroupInformation getTokenUGI(ServletContext context,
HttpServletRequest request,
String tokenString,
Configuration conf)
throws IOException {
final Token<DelegationTokenIdentifier> token =
new Token<DelegationTokenIdentifier>();
token.decodeFromUrlString(tokenString);
InetSocketAddress serviceAddress = getNNServiceAddress(context, request);
if (serviceAddress != null) {
SecurityUtil.setTokenService(token, serviceAddress);
token.setKind(DelegationTokenIdentifier.HDFS_DELEGATION_KIND);
}
ByteArrayInputStream buf =
new ByteArrayInputStream(token.getIdentifier());
DataInputStream in = new DataInputStream(buf);
DelegationTokenIdentifier id = new DelegationTokenIdentifier();
id.readFields(in);
if (context != null) {
final NameNode nn = NameNodeHttpServer.getNameNodeFromContext(context);
if (nn != null) {
// Verify the token.
nn.getNamesystem().verifyToken(id, token.getPassword());
}
}
UserGroupInformation ugi = id.getUser();
ugi.addToken(token);
return ugi;
}
Example 8
| Source File: JsonUtil.java From big-c with Apache License 2.0 | 5 votes |
|
/** Convert a Json map to a Token. */
public static Token<? extends TokenIdentifier> toToken(
final Map<?, ?> m) throws IOException {
if (m == null) {
return null;
}
final Token<DelegationTokenIdentifier> token
= new Token<DelegationTokenIdentifier>();
token.decodeFromUrlString((String)m.get("urlString"));
return token;
}
Example 9
| Source File: TestRMWebServicesDelegationTokens.java From big-c with Apache License 2.0 | 5 votes |
|
private void assertValidRMToken(String encodedToken) throws IOException {
Token<RMDelegationTokenIdentifier> realToken =
new Token<RMDelegationTokenIdentifier>();
realToken.decodeFromUrlString(encodedToken);
RMDelegationTokenIdentifier ident = rm.getRMContext()
.getRMDelegationTokenSecretManager().decodeTokenIdentifier(realToken);
rm.getRMContext().getRMDelegationTokenSecretManager()
.verifyToken(ident, realToken.getPassword());
assertTrue(rm.getRMContext().getRMDelegationTokenSecretManager()
.getAllTokens().containsKey(ident));
}
Example 10
| Source File: RMWebServices.java From big-c with Apache License 2.0 | 5 votes |
|
private Token<RMDelegationTokenIdentifier> extractToken(String encodedToken) {
Token<RMDelegationTokenIdentifier> token =
new Token<RMDelegationTokenIdentifier>();
try {
token.decodeFromUrlString(encodedToken);
} catch (Exception ie) {
String msg = "Could not decode encoded token";
throw new BadRequestException(msg);
}
return token;
}
Example 11
| Source File: JspHelper.java From hadoop with Apache License 2.0 | 5 votes |
|
private static UserGroupInformation getTokenUGI(ServletContext context,
HttpServletRequest request,
String tokenString,
Configuration conf)
throws IOException {
final Token<DelegationTokenIdentifier> token =
new Token<DelegationTokenIdentifier>();
token.decodeFromUrlString(tokenString);
InetSocketAddress serviceAddress = getNNServiceAddress(context, request);
if (serviceAddress != null) {
SecurityUtil.setTokenService(token, serviceAddress);
token.setKind(DelegationTokenIdentifier.HDFS_DELEGATION_KIND);
}
ByteArrayInputStream buf =
new ByteArrayInputStream(token.getIdentifier());
DataInputStream in = new DataInputStream(buf);
DelegationTokenIdentifier id = new DelegationTokenIdentifier();
id.readFields(in);
if (context != null) {
final NameNode nn = NameNodeHttpServer.getNameNodeFromContext(context);
if (nn != null) {
// Verify the token.
nn.getNamesystem().verifyToken(id, token.getPassword());
}
}
UserGroupInformation ugi = id.getUser();
ugi.addToken(token);
return ugi;
}
Example 12
| Source File: ParameterParser.java From hadoop with Apache License 2.0 | 5 votes |
|
Token<DelegationTokenIdentifier> delegationToken() throws IOException {
String delegation = param(DelegationParam.NAME);
final Token<DelegationTokenIdentifier> token = new
Token<DelegationTokenIdentifier>();
token.decodeFromUrlString(delegation);
URI nnUri = URI.create(HDFS_URI_SCHEME + "://" + namenodeId());
boolean isLogical = HAUtil.isLogicalUri(conf, nnUri);
if (isLogical) {
token.setService(HAUtil.buildTokenServiceForLogicalUri(nnUri,
HDFS_URI_SCHEME));
} else {
token.setService(SecurityUtil.buildTokenService(nnUri));
}
return token;
}
Example 13
| Source File: JsonUtil.java From hadoop with Apache License 2.0 | 5 votes |
|
/** Convert a Json map to a Token. */
public static Token<? extends TokenIdentifier> toToken(
final Map<?, ?> m) throws IOException {
if (m == null) {
return null;
}
final Token<DelegationTokenIdentifier> token
= new Token<DelegationTokenIdentifier>();
token.decodeFromUrlString((String)m.get("urlString"));
return token;
}
Example 14
| Source File: TestRMWebServicesDelegationTokens.java From hadoop with Apache License 2.0 | 5 votes |
|
private void assertValidRMToken(String encodedToken) throws IOException {
Token<RMDelegationTokenIdentifier> realToken =
new Token<RMDelegationTokenIdentifier>();
realToken.decodeFromUrlString(encodedToken);
RMDelegationTokenIdentifier ident = rm.getRMContext()
.getRMDelegationTokenSecretManager().decodeTokenIdentifier(realToken);
rm.getRMContext().getRMDelegationTokenSecretManager()
.verifyToken(ident, realToken.getPassword());
assertTrue(rm.getRMContext().getRMDelegationTokenSecretManager()
.getAllTokens().containsKey(ident));
}
Example 15
| Source File: RMWebServices.java From hadoop with Apache License 2.0 | 5 votes |
|
private Token<RMDelegationTokenIdentifier> extractToken(String encodedToken) {
Token<RMDelegationTokenIdentifier> token =
new Token<RMDelegationTokenIdentifier>();
try {
token.decodeFromUrlString(encodedToken);
} catch (Exception ie) {
String msg = "Could not decode encoded token";
throw new BadRequestException(msg);
}
return token;
}
Example 16
| Source File: KerberosHiveMetastoreAuthentication.java From presto with Apache License 2.0 | 5 votes |
|
private static Token<DelegationTokenIdentifier> decodeDelegationToken(String tokenValue)
throws IOException
{
Token<DelegationTokenIdentifier> token = new Token<>();
token.decodeFromUrlString(tokenValue);
return token;
}
Example 17
| Source File: TokenUtils.java From incubator-gobblin with Apache License 2.0 | 5 votes |
|
/**
* function to fetch hcat token as per the specified hive configuration and then store the token
* in to the credential store specified .
*
* @param userToProxy String value indicating the name of the user the token will be fetched for.
* @param hiveConf the configuration based off which the hive client will be initialized.
*/
private static Token<DelegationTokenIdentifier> fetchHcatToken(final String userToProxy, final HiveConf hiveConf,
final String tokenSignatureOverwrite, final IMetaStoreClient hiveClient)
throws IOException, TException, InterruptedException {
LOG.info(HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL.varname + ": " + hiveConf.get(
HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL.varname));
LOG.info(HiveConf.ConfVars.METASTORE_KERBEROS_PRINCIPAL.varname + ": " + hiveConf.get(
HiveConf.ConfVars.METASTORE_KERBEROS_PRINCIPAL.varname));
final Token<DelegationTokenIdentifier> hcatToken = new Token<>();
hcatToken.decodeFromUrlString(
hiveClient.getDelegationToken(userToProxy, UserGroupInformation.getLoginUser().getShortUserName()));
// overwrite the value of the service property of the token if the signature
// override is specified.
// If the service field is set, do not overwrite that
if (hcatToken.getService().getLength() <= 0 && tokenSignatureOverwrite != null
&& tokenSignatureOverwrite.trim().length() > 0) {
hcatToken.setService(new Text(tokenSignatureOverwrite.trim().toLowerCase()));
LOG.info(HIVE_TOKEN_SIGNATURE_KEY + ":" + tokenSignatureOverwrite);
}
LOG.info("Created hive metastore token for user:" + userToProxy + " with kind[" + hcatToken.getKind() + "]"
+ " and service[" + hcatToken.getService() + "]");
return hcatToken;
}
Example 18
| Source File: BlockTokenVerifier.java From hadoop-ozone with Apache License 2.0 | 4 votes |
|
@Override
public void verify(String user, String tokenStr,
ContainerProtos.Type cmd, String id) throws SCMSecurityException {
if (!conf.isBlockTokenEnabled() || !HddsUtils.requireBlockToken(cmd)) {
return;
}
// TODO: add audit logs.
if (Strings.isNullOrEmpty(tokenStr)) {
throw new BlockTokenException("Fail to find any token (empty or " +
"null.)");
}
final Token<OzoneBlockTokenIdentifier> token = new Token();
OzoneBlockTokenIdentifier tokenId = new OzoneBlockTokenIdentifier();
try {
token.decodeFromUrlString(tokenStr);
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("Verifying token:{} for user:{} ", token, user);
}
ByteArrayInputStream buf = new ByteArrayInputStream(
token.getIdentifier());
DataInputStream in = new DataInputStream(buf);
tokenId.readFields(in);
} catch (IOException ex) {
throw new BlockTokenException("Failed to decode token : " + tokenStr);
}
if (caClient == null) {
throw new SCMSecurityException("Certificate client not available " +
"to validate token");
}
UserGroupInformation tokenUser = tokenId.getUser();
X509Certificate signerCert;
signerCert = caClient.getCertificate(tokenId.getOmCertSerialId());
if (signerCert == null) {
throw new BlockTokenException("Can't find signer certificate " +
"(OmCertSerialId: " + tokenId.getOmCertSerialId() +
") of the block token for user: " + tokenUser);
}
boolean validToken = caClient.verifySignature(tokenId.getBytes(),
token.getPassword(), signerCert);
if (!validToken) {
throw new BlockTokenException("Invalid block token for user: " +
tokenId.getUser());
}
// check expiration
if (isExpired(tokenId.getExpiryDate())) {
throw new BlockTokenException("Expired block token for user: " +
tokenUser);
}
// Token block id mismatch
if (!tokenId.getBlockId().equals(id)) {
throw new BlockTokenException("Block id mismatch. Token for block ID: " +
tokenId.getBlockId() + " can't be used to access block: " + id +
" by user: " + tokenUser);
}
// TODO: check cmd type and the permissions(AccessMode) in the token
}
Example 19
| Source File: RenewDelegationTokenServlet.java From hadoop with Apache License 2.0 | 4 votes |
|
@Override
protected void doGet(final HttpServletRequest req, final HttpServletResponse resp)
throws ServletException, IOException {
final UserGroupInformation ugi;
final ServletContext context = getServletContext();
final Configuration conf = NameNodeHttpServer.getConfFromContext(context);
try {
ugi = getUGI(req, conf);
} catch(IOException ioe) {
LOG.info("Request for token received with no authentication from "
+ req.getRemoteAddr(), ioe);
resp.sendError(HttpServletResponse.SC_FORBIDDEN,
"Unable to identify or authenticate user");
return;
}
final NameNode nn = NameNodeHttpServer.getNameNodeFromContext(context);
String tokenString = req.getParameter(TOKEN);
if (tokenString == null) {
resp.sendError(HttpServletResponse.SC_MULTIPLE_CHOICES,
"Token to renew not specified");
}
final Token<DelegationTokenIdentifier> token =
new Token<DelegationTokenIdentifier>();
token.decodeFromUrlString(tokenString);
try {
long result = ugi.doAs(new PrivilegedExceptionAction<Long>() {
@Override
public Long run() throws Exception {
return nn.getRpcServer().renewDelegationToken(token);
}
});
final PrintWriter os = new PrintWriter(new OutputStreamWriter(
resp.getOutputStream(), Charsets.UTF_8));
os.println(result);
os.close();
} catch(Exception e) {
// transfer exception over the http
String exceptionClass = e.getClass().getName();
String exceptionMsg = e.getLocalizedMessage();
String strException = exceptionClass + ";" + exceptionMsg;
LOG.info("Exception while renewing token. Re-throwing. s=" + strException, e);
resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, strException);
}
}
Example 20
| Source File: TestOzoneBlockTokenIdentifier.java From hadoop-ozone with Apache License 2.0 | 4 votes |
|
@Test
public void testTokenSerialization() throws GeneralSecurityException,
IOException {
String keystore = new File(KEYSTORES_DIR, "keystore.jks")
.getAbsolutePath();
String truststore = new File(KEYSTORES_DIR, "truststore.jks")
.getAbsolutePath();
String trustPassword = "trustPass";
String keyStorePassword = "keyStorePass";
String keyPassword = "keyPass";
long maxLength = 128L;
KeyStoreTestUtil.createKeyStore(keystore, keyStorePassword, keyPassword,
"OzoneMaster", keyPair.getPrivate(), cert);
// Create trust store and put the certificate in the trust store
Map<String, X509Certificate> certs = Collections.singletonMap("server",
cert);
KeyStoreTestUtil.createTrustStore(truststore, trustPassword, certs);
// Sign the OzoneMaster Token with Ozone Master private key
PrivateKey privateKey = keyPair.getPrivate();
OzoneBlockTokenIdentifier tokenId = new OzoneBlockTokenIdentifier(
"testUser", "84940",
EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class),
expiryTime, cert.getSerialNumber().toString(), maxLength);
byte[] signedToken = signTokenAsymmetric(tokenId, privateKey);
Token<OzoneBlockTokenIdentifier> token = new Token(tokenId.getBytes(),
signedToken, tokenId.getKind(), new Text("host:port"));
String encodeToUrlString = token.encodeToUrlString();
Token<OzoneBlockTokenIdentifier>decodedToken = new Token();
decodedToken.decodeFromUrlString(encodeToUrlString);
OzoneBlockTokenIdentifier decodedTokenId = new OzoneBlockTokenIdentifier();
decodedTokenId.readFields(new DataInputStream(
new ByteArrayInputStream(decodedToken.getIdentifier())));
Assert.assertEquals(decodedTokenId, tokenId);
Assert.assertEquals(decodedTokenId.getMaxLength(), maxLength);
// Verify a decoded signed Token with public key(certificate)
boolean isValidToken = verifyTokenAsymmetric(decodedTokenId, decodedToken
.getPassword(), cert);
LOG.info("{} is {}", tokenId, isValidToken ? "valid." : "invalid.");
}
