org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenSecretManager Java Examples

The following examples show how to use org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenSecretManager. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: TestWebHdfsUrl.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Builds the {@link WebHdfsFileSystem} for {@code uri}, first attaching a
 * WebHDFS delegation token to {@code ugi} when security is enabled.
 *
 * <p>The token is minted locally by a throwaway
 * {@link DelegationTokenSecretManager} backed by a mocked
 * {@link FSNamesystem}; this helper does not ask a NameNode for it.
 *
 * @param ugi user whose name becomes the token owner and who receives the token
 * @param conf configuration passed to {@code FileSystem.get}
 * @return the file system returned by {@code FileSystem.get(uri, conf)}
 * @throws IOException propagated from the calls below
 */
private WebHdfsFileSystem getWebHdfsFileSystem(UserGroupInformation ugi,
    Configuration conf) throws IOException {
  if (!UserGroupInformation.isSecurityEnabled()) {
    // Security is off: no token is attached.
    return (WebHdfsFileSystem) FileSystem.get(uri, conf);
  }

  // Owner is the caller's user name; the two remaining identifier fields are null.
  final Text owner = new Text(ugi.getUserName());
  final DelegationTokenIdentifier identifier =
      new DelegationTokenIdentifier(owner, null, null);

  // All four interval arguments are 86400000 (24 hours if read as milliseconds).
  final long oneDay = 86400000;
  final FSNamesystem mockedNamesystem = mock(FSNamesystem.class);
  final DelegationTokenSecretManager secretManager =
      new DelegationTokenSecretManager(
          oneDay, oneDay, oneDay, oneDay, mockedNamesystem);
  // NOTE(review): the manager's threads are started here and never stopped
  // by this helper.
  secretManager.startThreads();

  final Token<DelegationTokenIdentifier> delegationToken =
      new Token<DelegationTokenIdentifier>(identifier, secretManager);
  SecurityUtil.setTokenService(
      delegationToken, NetUtils.createSocketAddr(uri.getAuthority()));
  delegationToken.setKind(WebHdfsFileSystem.TOKEN_KIND);
  ugi.addToken(delegationToken);

  return (WebHdfsFileSystem) FileSystem.get(uri, conf);
}
 
Example #2
Source File: TestWebHdfsUrl.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Returns the {@link WebHdfsFileSystem} for {@code uri}. When security is
 * enabled, a locally created WebHDFS delegation token is added to
 * {@code ugi} before the file system is looked up.
 *
 * <p>The token comes from a {@link DelegationTokenSecretManager} built on a
 * mocked {@link FSNamesystem}; no NameNode issues it.
 *
 * @param ugi user named as token owner; the token is added to this user
 * @param conf configuration passed to {@code FileSystem.get}
 * @return the file system returned by {@code FileSystem.get(uri, conf)}
 * @throws IOException propagated from the calls below
 */
private WebHdfsFileSystem getWebHdfsFileSystem(UserGroupInformation ugi,
    Configuration conf) throws IOException {
  final boolean secure = UserGroupInformation.isSecurityEnabled();
  if (secure) {
    // Identifier carries only an owner; the other two fields stay null.
    final Text tokenOwner = new Text(ugi.getUserName());
    final DelegationTokenIdentifier tokenId =
        new DelegationTokenIdentifier(tokenOwner, null, null);

    final FSNamesystem fakeNamesystem = mock(FSNamesystem.class);
    // The same value, 86400000 (24 hours if read as milliseconds), is used
    // for every interval argument.
    final long interval = 86400000;
    final DelegationTokenSecretManager manager =
        new DelegationTokenSecretManager(
            interval, interval, interval, interval, fakeNamesystem);
    // NOTE(review): threads started here are not stopped by this helper.
    manager.startThreads();

    final Token<DelegationTokenIdentifier> webHdfsToken =
        new Token<DelegationTokenIdentifier>(tokenId, manager);
    SecurityUtil.setTokenService(
        webHdfsToken, NetUtils.createSocketAddr(uri.getAuthority()));
    webHdfsToken.setKind(WebHdfsFileSystem.TOKEN_KIND);
    ugi.addToken(webHdfsToken);
  }
  final FileSystem resolved = FileSystem.get(uri, conf);
  return (WebHdfsFileSystem) resolved;
}
 
Example #3
Source File: NamenodeWebHdfsMethods.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Issues a delegation token for {@code ugi} and stamps it with the WebHDFS
 * token kind that matches the scheme of the current request.
 *
 * @param namenode NameNode handed to
 *     {@code DelegationTokenSecretManager.createCredentials}
 * @param ugi user the token is created for
 * @param renewer requested renewer; when {@code null} the short user name of
 *     {@code ugi} is used instead, so the user is passed as their own renewer
 * @return the token, or {@code null} when no credentials were produced
 * @throws IOException propagated from credential creation
 */
private Token<? extends TokenIdentifier> generateDelegationToken(
    final NameNode namenode, final UserGroupInformation ugi,
    final String renewer) throws IOException {
  final String effectiveRenewer;
  if (renewer != null) {
    effectiveRenewer = renewer;
  } else {
    effectiveRenewer = ugi.getShortUserName();
  }

  final Credentials credentials = DelegationTokenSecretManager
      .createCredentials(namenode, ugi, effectiveRenewer);
  if (credentials == null) {
    return null;
  }

  // Only the first token is used. This presumes createCredentials never
  // returns a non-null but empty set; otherwise next() throws - TODO confirm.
  final Token<? extends TokenIdentifier> issued =
      credentials.getAllTokens().iterator().next();

  // The kind is derived from the scheme the servlet request reports, not
  // from configuration. NOTE(review): if TLS is terminated in front of this
  // server the request may report "http"; confirm such deployments still get
  // the intended token kind.
  final Text kind;
  if (request.getScheme().equals("http")) {
    kind = WebHdfsFileSystem.TOKEN_KIND;
  } else {
    kind = SWebHdfsFileSystem.TOKEN_KIND;
  }
  issued.setKind(kind);
  return issued;
}
 
Example #4
Source File: FSImageFormatProtobuf.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Writes the secret manager section: the section header first, then every
 * delegation key, then every persisted token, and finally records the
 * section in {@code summary} under {@code SectionName.SECRET_MANAGER}.
 *
 * <p>NOTE(review): the entries written are the secret manager's delegation
 * keys and tokens. If, as the type names suggest, the key records include
 * signing key material, the output and every copy of it need the same
 * protection as the keys themselves - confirm against the
 * {@code SecretManagerSection} definition.
 *
 * @param summary file summary builder that the section is committed to
 * @throws IOException if writing to the section output stream fails
 */
private void saveSecretManagerSection(FileSummary.Builder summary)
    throws IOException {
  final DelegationTokenSecretManager.SecretManagerState snapshot =
      context.getSourceNamesystem().saveSecretManagerState();

  // Header, keys, tokens: each message is written length-delimited, in
  // this order.
  snapshot.section.writeDelimitedTo(sectionOutputStream);
  for (SecretManagerSection.DelegationKey key : snapshot.keys) {
    key.writeDelimitedTo(sectionOutputStream);
  }
  for (SecretManagerSection.PersistToken token : snapshot.tokens) {
    token.writeDelimitedTo(sectionOutputStream);
  }

  commitSection(summary, SectionName.SECRET_MANAGER);
}
 
Example #5
Source File: FSImageFormatProtobuf.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Serializes the secret manager state of the source namesystem into the
 * current section stream and commits it as the {@code SECRET_MANAGER}
 * section of {@code summary}.
 *
 * <p>Write order is: section header, all delegation keys, all persisted
 * tokens.
 *
 * <p>NOTE(review): this persists delegation keys alongside tokens. Should
 * the key records carry signing key material (the type name suggests so;
 * confirm against {@code SecretManagerSection}), access to the written file
 * must be restricted accordingly.
 *
 * @param summary file summary builder that the section is committed to
 * @throws IOException if writing to the section output stream fails
 */
private void saveSecretManagerSection(FileSummary.Builder summary)
    throws IOException {
  final FSNamesystem sourceNamesystem = context.getSourceNamesystem();
  final DelegationTokenSecretManager.SecretManagerState saved =
      sourceNamesystem.saveSecretManagerState();

  saved.section.writeDelimitedTo(sectionOutputStream);

  for (SecretManagerSection.DelegationKey delegationKey : saved.keys) {
    delegationKey.writeDelimitedTo(sectionOutputStream);
  }

  for (SecretManagerSection.PersistToken persistedToken : saved.tokens) {
    persistedToken.writeDelimitedTo(sectionOutputStream);
  }

  commitSection(summary, SectionName.SECRET_MANAGER);
}
 
Example #6
Source File: NamenodeWebHdfsMethods.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Creates a delegation token for {@code ugi} and sets its kind to the
 * WebHDFS or secure-WebHDFS kind, depending on the request scheme.
 *
 * @param namenode NameNode handed to
 *     {@code DelegationTokenSecretManager.createCredentials}
 * @param ugi user the token is created for
 * @param renewer requested renewer; {@code null} falls back to the short
 *     user name of {@code ugi}
 * @return the token, or {@code null} when no credentials were produced
 * @throws IOException propagated from credential creation
 */
private Token<? extends TokenIdentifier> generateDelegationToken(
    final NameNode namenode, final UserGroupInformation ugi,
    final String renewer) throws IOException {
  // With no explicit renewer the requesting user is passed as the renewer.
  String renewerName = renewer;
  if (renewerName == null) {
    renewerName = ugi.getShortUserName();
  }

  final Credentials creds = DelegationTokenSecretManager.createCredentials(
      namenode, ugi, renewerName);
  if (creds == null) {
    return null;
  }

  // Takes the first token only; presumably the credentials hold at least
  // one token whenever they are non-null - verify against createCredentials.
  final Token<? extends TokenIdentifier> token =
      creds.getAllTokens().iterator().next();

  // NOTE(review): the kind depends on what the servlet container reports as
  // the scheme. Behind a TLS-terminating front end that may be "http" even
  // for clients that connected over HTTPS; confirm for the deployment.
  final boolean plainHttp = request.getScheme().equals("http");
  final Text tokenKind = plainHttp
      ? WebHdfsFileSystem.TOKEN_KIND
      : SWebHdfsFileSystem.TOKEN_KIND;
  token.setKind(tokenKind);
  return token;
}
 
Example #7
Source File: NameNodeAdapter.java    From hadoop with Apache License 2.0 4 votes vote down vote up
/**
 * Exposes the delegation token secret manager held by {@code ns}.
 *
 * @param ns namesystem to read the secret manager from
 * @return whatever {@code ns.getDelegationTokenSecretManager()} returns
 */
public static DelegationTokenSecretManager getDtSecretManager(
    final FSNamesystem ns) {
  final DelegationTokenSecretManager secretManager =
      ns.getDelegationTokenSecretManager();
  return secretManager;
}
 
Example #8
Source File: NameNodeAdapter.java    From big-c with Apache License 2.0 4 votes vote down vote up
/**
 * Returns the {@link DelegationTokenSecretManager} of the given namesystem.
 * The reference is handed back directly, not a copy.
 *
 * @param ns namesystem to read the secret manager from
 * @return the result of {@code ns.getDelegationTokenSecretManager()}
 */
public static DelegationTokenSecretManager getDtSecretManager(
    final FSNamesystem ns) {
  final DelegationTokenSecretManager manager =
      ns.getDelegationTokenSecretManager();
  return manager;
}
 
Example #9
Source File: TestSecurityTokenEditLog.java    From big-c with Apache License 2.0 4 votes vote down vote up
/**
 * Checks that a delegation token which reaches expiry without being renewed
 * is recorded in the edit log as cancelled, exactly once per token.
 *
 * <p>The {@link FSNamesystem} is built on a mocked {@link FSImage} whose
 * edit log is a mocked {@link FSEditLog}, so every assertion is made on
 * the calls recorded by that mock. The test is timing-based: statement
 * order and the sleeps below must be kept as they are.
 */
@Test(timeout=10000)
public void testEditsForCancelOnTokenExpire() throws IOException,
InterruptedException {
  // Short intervals so expiry is reachable inside the test timeout:
  // renew interval 2000, max lifetime twice that.
  long renewInterval = 2000;
  Configuration conf = new Configuration();
  conf.setBoolean(
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_ALWAYS_USE_KEY, true);
  conf.setLong(DFS_NAMENODE_DELEGATION_TOKEN_RENEW_INTERVAL_KEY, renewInterval);
  conf.setLong(DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_KEY, renewInterval*2);

  // The current user is both the requester and the renewer of the tokens.
  Text renewer = new Text(UserGroupInformation.getCurrentUser().getUserName());
  FSImage fsImage = mock(FSImage.class);
  FSEditLog log = mock(FSEditLog.class);
  doReturn(log).when(fsImage).getEditLog();
  FSNamesystem fsn = new FSNamesystem(conf, fsImage);

  DelegationTokenSecretManager dtsm = fsn.getDelegationTokenSecretManager();
  try {
    dtsm.startThreads();

    // get two tokens
    Token<DelegationTokenIdentifier> token1 = fsn.getDelegationToken(renewer);
    Token<DelegationTokenIdentifier> token2 = fsn.getDelegationToken(renewer);
    DelegationTokenIdentifier ident1 =
        token1.decodeIdentifier();
    DelegationTokenIdentifier ident2 =
        token2.decodeIdentifier();

    // verify we got the tokens
    verify(log, times(1)).logGetDelegationToken(eq(ident1), anyLong());
    verify(log, times(1)).logGetDelegationToken(eq(ident2), anyLong());

    // this is a little tricky because DTSM doesn't let us set scan interval
    // so need to periodically sleep, then stop/start threads to force scan

    // halfway through the renew interval, renew token2 only; token1 is
    // left to lapse
    Thread.sleep(renewInterval/2);
    fsn.renewDelegationToken(token2);
    verify(log, times(1)).logRenewDelegationToken(eq(ident2), anyLong());
    // force scan and give it a little time to complete
    dtsm.stopThreads(); dtsm.startThreads();
    Thread.sleep(250);
    // no token has expired yet
    verify(log, times(0)).logCancelDelegationToken(eq(ident1));
    verify(log, times(0)).logCancelDelegationToken(eq(ident2));

    // sleep past expiration of 1st non-renewed token
    Thread.sleep(renewInterval/2);
    dtsm.stopThreads(); dtsm.startThreads();
    Thread.sleep(250);
    // non-renewed token should have implicitly been cancelled
    verify(log, times(1)).logCancelDelegationToken(eq(ident1));
    verify(log, times(0)).logCancelDelegationToken(eq(ident2));

    // sleep past expiration of 2nd renewed token
    Thread.sleep(renewInterval/2);
    dtsm.stopThreads(); dtsm.startThreads();
    Thread.sleep(250);
    // both tokens should have been implicitly cancelled by now
    verify(log, times(1)).logCancelDelegationToken(eq(ident1));
    verify(log, times(1)).logCancelDelegationToken(eq(ident2));
  } finally {
    // Always stop the secret manager threads, even when an assertion fails.
    dtsm.stopThreads();
  }
}
 
Example #10
Source File: TestDelegationTokensWithHA.java    From big-c with Apache License 2.0 4 votes vote down vote up
/**
 * Tests that a standby NameNode asked for a token password answers with a
 * StandbyException (HDFS-6475). With a StandbyException the client can
 * fail over and try the active NameNode.
 *
 * <p>The test first confirms that the active NameNode's secret manager
 * knows the token, then replays the server-side error path and the
 * client-side parsing of the resulting response.
 */
@Test(timeout = 300000)
public void testDelegationTokenStandbyNNAppearFirst() throws Exception {
  // make nn0 the standby NN, and nn1 the active NN
  cluster.transitionToStandby(0);
  cluster.transitionToActive(1);

  // Secret manager of nn1, the NameNode just made active.
  final DelegationTokenSecretManager stSecretManager =
      NameNodeAdapter.getDtSecretManager(
          nn1.getNamesystem());

  // create token
  final Token<DelegationTokenIdentifier> token =
      getDelegationToken(fs, "JobTracker");
  // Rebuild the identifier object from the token's serialized bytes.
  final DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
  byte[] tokenId = token.getIdentifier();
  identifier.readFields(new DataInputStream(
           new ByteArrayInputStream(tokenId)));

  // The active NameNode must be able to produce the password for the token.
  assertTrue(null != stSecretManager.retrievePassword(identifier));

  final UserGroupInformation ugi = UserGroupInformation
      .createRemoteUser("JobTracker");
  ugi.addToken(token);

  ugi.doAs(new PrivilegedExceptionAction<Object>() {
    @Override
    public Object run() {
      try {
        try {
          // dtSecretManager is a field declared outside this method;
          // presumably it is nn0's (standby) manager, per the failure
          // message below - verify against the test's setup.
          byte[] tmppw = dtSecretManager.retrievePassword(identifier);
          // Assuming JUnit's fail(): it raises an AssertionError, which
          // neither catch block below intercepts, so a successful lookup
          // fails the test.
          fail("InvalidToken with cause StandbyException is expected"
              + " since nn0 is standby");
          return tmppw;
        } catch (IOException e) {
          // Mimic the UserProvider class logic (server side) by throwing
          // SecurityException here
          throw new SecurityException(
              SecurityUtil.FAILED_TO_GET_UGI_MSG_HEADER + " " + e, e);
        }
      } catch (Exception oe) {
        //
        // The exception oe caught here is
        //     java.lang.SecurityException: Failed to obtain user group
        //     information: org.apache.hadoop.security.token.
        //     SecretManager$InvalidToken: StandbyException
        //
        HttpServletResponse response = mock(HttpServletResponse.class);
        ExceptionHandler eh = new ExceptionHandler();
        eh.initResponse(response);

        // The Response (resp) below is what the server will send to client
        //
        // BEFORE HDFS-6475 fix, the resp.entity is
        //     {"RemoteException":{"exception":"SecurityException",
        //      "javaClassName":"java.lang.SecurityException",
        //      "message":"Failed to obtain user group information:
        //      org.apache.hadoop.security.token.SecretManager$InvalidToken:
        //        StandbyException"}}
        // AFTER the fix, the resp.entity is
        //     {"RemoteException":{"exception":"StandbyException",
        //      "javaClassName":"org.apache.hadoop.ipc.StandbyException",
        //      "message":"Operation category READ is not supported in
        //       state standby"}}
        //
        Response resp = eh.toResponse(oe);

        // Mimic the client side logic by parsing the response from server
        //
        Map<?, ?> m = (Map<?, ?>)JSON.parse(resp.getEntity().toString());
        RemoteException re = JsonUtil.toRemoteException(m);
        // The client can only fail over if the error unwraps to a
        // StandbyException rather than a generic SecurityException.
        Exception unwrapped = ((RemoteException)re).unwrapRemoteException(
            StandbyException.class);
        assertTrue (unwrapped instanceof StandbyException);
        return null;
      }
    }
  });
}
 
Example #11
Source File: TestClientProtocolWithDelegationToken.java    From big-c with Apache License 2.0 4 votes vote down vote up
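/**
 * Makes one RPC call against a server configured with a
 * {@link DelegationTokenSecretManager}, as a user who holds a token created
 * from that same manager.
 *
 * <p>Cleanup is layered so that nothing is left running when a step fails:
 * the proxy is stopped inside the privileged action, the server once it has
 * been started, and the secret manager threads once they have been started.
 */
@Test
public void testDelegationTokenRpc() throws Exception {
  ClientProtocol mockNN = mock(ClientProtocol.class);
  FSNamesystem mockNameSys = mock(FSNamesystem.class);

  // NOTE(review): the key-update default is passed in the first two
  // positions and the max-lifetime default in the third; confirm this
  // matches the constructor's parameter order.
  DelegationTokenSecretManager sm = new DelegationTokenSecretManager(
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT,
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT,
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_DEFAULT,
      3600000, mockNameSys);
  sm.startThreads();
  try {
    // Port 0 is passed so no fixed port is needed; the address actually in
    // use is read back from the server below.
    final Server server = new RPC.Builder(conf)
        .setProtocol(ClientProtocol.class).setInstance(mockNN)
        .setBindAddress(ADDRESS).setPort(0).setNumHandlers(5).setVerbose(true)
        .setSecretManager(sm).build();

    server.start();
    try {
      final UserGroupInformation current = UserGroupInformation.getCurrentUser();
      final InetSocketAddress addr = NetUtils.getConnectAddress(server);
      String user = current.getUserName();
      // The current user is used for the first two identifier fields.
      Text owner = new Text(user);
      DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(owner, owner, null);
      Token<DelegationTokenIdentifier> token = new Token<DelegationTokenIdentifier>(
          dtId, sm);
      SecurityUtil.setTokenService(token, addr);
      LOG.info("Service for token is " + token.getService());
      current.addToken(token);
      current.doAs(new PrivilegedExceptionAction<Object>() {
        @Override
        public Object run() throws Exception {
          ClientProtocol proxy = null;
          try {
            proxy = RPC.getProxy(ClientProtocol.class,
                ClientProtocol.versionID, addr, conf);
            proxy.getServerDefaults();
          } finally {
            if (proxy != null) {
              RPC.stopProxy(proxy);
            }
          }
          return null;
        }
      });
    } finally {
      // Stop the server even when token setup fails before the RPC call.
      server.stop();
    }
  } finally {
    // The secret manager threads were previously left running.
    sm.stopThreads();
  }
}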
 
Example #12
Source File: TestDelegationToken.java    From big-c with Apache License 2.0 4 votes vote down vote up
/**
 * Test that the delegation token secret manager only runs when the
 * NN is out of safe mode. This is because the secret manager
 * has to log to the edit log, which should not be written in
 * safe mode. Regression test for HDFS-2579.
 *
 * <p>The running state is checked after a restart into safe mode, after
 * leaving and manually re-entering safe mode, and after a restart that
 * leaves safe mode on its own.
 */
@Test
public void testDTManagerInSafeMode() throws Exception {
  cluster.startDataNodes(config, 1, true, StartupOption.REGULAR, null);
  FileSystem fs = cluster.getFileSystem();
  // Create five files, /test-0 through /test-4.
  for (int i = 0; i < 5; i++) {
    DFSTestUtil.createFile(fs, new Path("/test-" + i), 100, (short)1, 1L);
  }
  // Short key update interval and a long safe-mode extension; presumably the
  // extension keeps the restarted NN in safe mode for the checks below.
  cluster.getConfiguration(0).setInt(
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_KEY, 500);
  cluster.getConfiguration(0).setInt(
      DFSConfigKeys.DFS_NAMENODE_SAFEMODE_EXTENSION_KEY, 30000);
  cluster.setWaitSafeMode(false);
  cluster.restartNameNode();
  NameNode nn = cluster.getNameNode();
  assertTrue(nn.isInSafeMode());
  DelegationTokenSecretManager sm =
    NameNodeAdapter.getDtSecretManager(nn.getNamesystem());
  assertFalse("Secret manager should not run in safe mode", sm.isRunning());

  // Leaving safe mode must start the secret manager.
  NameNodeAdapter.leaveSafeMode(nn);
  assertTrue("Secret manager should start when safe mode is exited",
      sm.isRunning());

  LOG.info("========= entering safemode again");

  // Re-entering safe mode by hand must stop it again.
  NameNodeAdapter.enterSafeMode(nn, false);
  assertFalse("Secret manager should stop again when safe mode " +
      "is manually entered", sm.isRunning());

  // Set the cluster to leave safemode quickly on its own.
  cluster.getConfiguration(0).setInt(
      DFSConfigKeys.DFS_NAMENODE_SAFEMODE_EXTENSION_KEY, 0);
  cluster.setWaitSafeMode(true);
  cluster.restartNameNode();
  // The restart produced a new NameNode, so both references are re-read.
  nn = cluster.getNameNode();
  sm = NameNodeAdapter.getDtSecretManager(nn.getNamesystem());

  assertFalse(nn.isInSafeMode());
  assertTrue(sm.isRunning());
}
 
Example #13
Source File: TestSecurityTokenEditLog.java    From hadoop with Apache License 2.0 4 votes vote down vote up
/**
 * Verifies that letting a delegation token expire produces exactly one
 * cancel entry for it in the edit log, and none before it has expired.
 *
 * <p>The edit log is a Mockito mock returned by a mocked {@link FSImage},
 * so the test observes what the {@link FSNamesystem} would have logged.
 * The checks depend on wall-clock sleeps; keep the statement order intact.
 */
@Test(timeout=10000)
public void testEditsForCancelOnTokenExpire() throws IOException,
InterruptedException {
  // Renew interval 2000 and max lifetime 4000, small enough for the
  // 10000 test timeout.
  long renewInterval = 2000;
  Configuration conf = new Configuration();
  conf.setBoolean(
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_ALWAYS_USE_KEY, true);
  conf.setLong(DFS_NAMENODE_DELEGATION_TOKEN_RENEW_INTERVAL_KEY, renewInterval);
  conf.setLong(DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_KEY, renewInterval*2);

  // Tokens are requested with the current user as renewer.
  Text renewer = new Text(UserGroupInformation.getCurrentUser().getUserName());
  FSImage fsImage = mock(FSImage.class);
  FSEditLog log = mock(FSEditLog.class);
  doReturn(log).when(fsImage).getEditLog();
  FSNamesystem fsn = new FSNamesystem(conf, fsImage);

  DelegationTokenSecretManager dtsm = fsn.getDelegationTokenSecretManager();
  try {
    dtsm.startThreads();

    // get two tokens
    Token<DelegationTokenIdentifier> token1 = fsn.getDelegationToken(renewer);
    Token<DelegationTokenIdentifier> token2 = fsn.getDelegationToken(renewer);
    DelegationTokenIdentifier ident1 =
        token1.decodeIdentifier();
    DelegationTokenIdentifier ident2 =
        token2.decodeIdentifier();

    // verify we got the tokens
    verify(log, times(1)).logGetDelegationToken(eq(ident1), anyLong());
    verify(log, times(1)).logGetDelegationToken(eq(ident2), anyLong());

    // this is a little tricky because DTSM doesn't let us set scan interval
    // so need to periodically sleep, then stop/start threads to force scan

    // after half the renew interval, renew token2 and leave token1 alone
    Thread.sleep(renewInterval/2);
    fsn.renewDelegationToken(token2);
    verify(log, times(1)).logRenewDelegationToken(eq(ident2), anyLong());
    // force scan and give it a little time to complete
    dtsm.stopThreads(); dtsm.startThreads();
    Thread.sleep(250);
    // no token has expired yet
    verify(log, times(0)).logCancelDelegationToken(eq(ident1));
    verify(log, times(0)).logCancelDelegationToken(eq(ident2));

    // sleep past expiration of 1st non-renewed token
    Thread.sleep(renewInterval/2);
    dtsm.stopThreads(); dtsm.startThreads();
    Thread.sleep(250);
    // non-renewed token should have implicitly been cancelled
    verify(log, times(1)).logCancelDelegationToken(eq(ident1));
    verify(log, times(0)).logCancelDelegationToken(eq(ident2));

    // sleep past expiration of 2nd renewed token
    Thread.sleep(renewInterval/2);
    dtsm.stopThreads(); dtsm.startThreads();
    Thread.sleep(250);
    // both tokens should have been implicitly cancelled by now
    verify(log, times(1)).logCancelDelegationToken(eq(ident1));
    verify(log, times(1)).logCancelDelegationToken(eq(ident2));
  } finally {
    // Stop the secret manager threads whether or not the checks passed.
    dtsm.stopThreads();
  }
}
 
Example #14
Source File: TestDelegationTokensWithHA.java    From hadoop with Apache License 2.0 4 votes vote down vote up
/**
 * Tests that a StandbyException reaches the client when a standby NameNode
 * is asked for a token password (HDFS-6475). Seeing a StandbyException
 * lets the client fail over to the active NameNode.
 *
 * <p>Steps: check that the active NameNode can retrieve the password,
 * trigger the lookup that is expected to fail, convert the failure into
 * the server response, then parse that response the way a client would.
 */
@Test(timeout = 300000)
public void testDelegationTokenStandbyNNAppearFirst() throws Exception {
  // make nn0 the standby NN, and nn1 the active NN
  cluster.transitionToStandby(0);
  cluster.transitionToActive(1);

  // Taken from nn1, which was made active above.
  final DelegationTokenSecretManager stSecretManager =
      NameNodeAdapter.getDtSecretManager(
          nn1.getNamesystem());

  // create token
  final Token<DelegationTokenIdentifier> token =
      getDelegationToken(fs, "JobTracker");
  // Decode the token's identifier bytes into an identifier object.
  final DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
  byte[] tokenId = token.getIdentifier();
  identifier.readFields(new DataInputStream(
           new ByteArrayInputStream(tokenId)));

  // Sanity check: the active side returns a password for this identifier.
  assertTrue(null != stSecretManager.retrievePassword(identifier));

  final UserGroupInformation ugi = UserGroupInformation
      .createRemoteUser("JobTracker");
  ugi.addToken(token);

  ugi.doAs(new PrivilegedExceptionAction<Object>() {
    @Override
    public Object run() {
      try {
        try {
          // NOTE(review): dtSecretManager is not declared in this method;
          // the failure message implies it belongs to nn0 (standby) -
          // confirm against the class's setup code.
          byte[] tmppw = dtSecretManager.retrievePassword(identifier);
          // Reaching this line means the lookup succeeded. Assuming JUnit's
          // fail(), the AssertionError it raises is not an Exception and so
          // passes through both catch blocks.
          fail("InvalidToken with cause StandbyException is expected"
              + " since nn0 is standby");
          return tmppw;
        } catch (IOException e) {
          // Mimic the UserProvider class logic (server side) by throwing
          // SecurityException here
          throw new SecurityException(
              SecurityUtil.FAILED_TO_GET_UGI_MSG_HEADER + " " + e, e);
        }
      } catch (Exception oe) {
        //
        // The exception oe caught here is
        //     java.lang.SecurityException: Failed to obtain user group
        //     information: org.apache.hadoop.security.token.
        //     SecretManager$InvalidToken: StandbyException
        //
        HttpServletResponse response = mock(HttpServletResponse.class);
        ExceptionHandler eh = new ExceptionHandler();
        eh.initResponse(response);

        // The Response (resp) below is what the server will send to client
        //
        // BEFORE HDFS-6475 fix, the resp.entity is
        //     {"RemoteException":{"exception":"SecurityException",
        //      "javaClassName":"java.lang.SecurityException",
        //      "message":"Failed to obtain user group information:
        //      org.apache.hadoop.security.token.SecretManager$InvalidToken:
        //        StandbyException"}}
        // AFTER the fix, the resp.entity is
        //     {"RemoteException":{"exception":"StandbyException",
        //      "javaClassName":"org.apache.hadoop.ipc.StandbyException",
        //      "message":"Operation category READ is not supported in
        //       state standby"}}
        //
        Response resp = eh.toResponse(oe);

        // Mimic the client side logic by parsing the response from server
        //
        Map<?, ?> m = (Map<?, ?>)JSON.parse(resp.getEntity().toString());
        RemoteException re = JsonUtil.toRemoteException(m);
        // Failover hinges on the remote error unwrapping to
        // StandbyException, which is what the final assertion checks.
        Exception unwrapped = ((RemoteException)re).unwrapRemoteException(
            StandbyException.class);
        assertTrue (unwrapped instanceof StandbyException);
        return null;
      }
    }
  });
}
 
Example #15
Source File: TestClientProtocolWithDelegationToken.java    From hadoop with Apache License 2.0 4 votes vote down vote up
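/**
 * Starts an RPC server that uses a {@link DelegationTokenSecretManager} and
 * makes a single call to it as a user carrying a token created from that
 * manager.
 *
 * <p>Each resource is released in its own {@code finally} block: the proxy
 * inside the privileged action, then the server, then the secret manager
 * threads. A failure at any step therefore leaves nothing running.
 */
@Test
public void testDelegationTokenRpc() throws Exception {
  ClientProtocol mockNN = mock(ClientProtocol.class);
  FSNamesystem mockNameSys = mock(FSNamesystem.class);

  // NOTE(review): the interval constants do not obviously line up with the
  // constructor's parameters (the key-update default appears twice) -
  // confirm the intended argument order.
  DelegationTokenSecretManager sm = new DelegationTokenSecretManager(
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT,
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT,
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_DEFAULT,
      3600000, mockNameSys);
  sm.startThreads();
  try {
    final Server server = new RPC.Builder(conf)
        .setProtocol(ClientProtocol.class).setInstance(mockNN)
        .setBindAddress(ADDRESS).setPort(0).setNumHandlers(5).setVerbose(true)
        .setSecretManager(sm).build();

    server.start();
    try {
      final UserGroupInformation current = UserGroupInformation.getCurrentUser();
      // The server was built with port 0, so the real address is read back.
      final InetSocketAddress addr = NetUtils.getConnectAddress(server);
      String user = current.getUserName();
      Text owner = new Text(user);
      // Same name in the first two identifier fields; the third is null.
      DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(owner, owner, null);
      Token<DelegationTokenIdentifier> token = new Token<DelegationTokenIdentifier>(
          dtId, sm);
      SecurityUtil.setTokenService(token, addr);
      LOG.info("Service for token is " + token.getService());
      current.addToken(token);
      current.doAs(new PrivilegedExceptionAction<Object>() {
        @Override
        public Object run() throws Exception {
          ClientProtocol proxy = null;
          try {
            proxy = RPC.getProxy(ClientProtocol.class,
                ClientProtocol.versionID, addr, conf);
            proxy.getServerDefaults();
          } finally {
            if (proxy != null) {
              RPC.stopProxy(proxy);
            }
          }
          return null;
        }
      });
    } finally {
      // Runs even when setup between start() and the RPC call throws.
      server.stop();
    }
  } finally {
    // Previously the secret manager threads were never stopped.
    sm.stopThreads();
  }
}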
 
Example #16
Source File: TestDelegationToken.java    From hadoop with Apache License 2.0 4 votes vote down vote up
/**
 * Test that the delegation token secret manager only runs when the
 * NN is out of safe mode. This is because the secret manager
 * has to log to the edit log, which should not be written in
 * safe mode. Regression test for HDFS-2579.
 *
 * <p>Covers a restart into safe mode, a manual leave followed by a manual
 * re-entry, and a restart after which the NameNode is out of safe mode.
 */
@Test
public void testDTManagerInSafeMode() throws Exception {
  cluster.startDataNodes(config, 1, true, StartupOption.REGULAR, null);
  FileSystem fs = cluster.getFileSystem();
  // Five files are created: /test-0 to /test-4.
  for (int i = 0; i < 5; i++) {
    DFSTestUtil.createFile(fs, new Path("/test-" + i), 100, (short)1, 1L);
  }
  // Key update interval 500 and safe-mode extension 30000; the long
  // extension presumably holds the NN in safe mode after the restart.
  cluster.getConfiguration(0).setInt(
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_KEY, 500);
  cluster.getConfiguration(0).setInt(
      DFSConfigKeys.DFS_NAMENODE_SAFEMODE_EXTENSION_KEY, 30000);
  cluster.setWaitSafeMode(false);
  cluster.restartNameNode();
  NameNode nn = cluster.getNameNode();
  assertTrue(nn.isInSafeMode());
  DelegationTokenSecretManager sm =
    NameNodeAdapter.getDtSecretManager(nn.getNamesystem());
  assertFalse("Secret manager should not run in safe mode", sm.isRunning());

  // Expect the secret manager to start once safe mode is left.
  NameNodeAdapter.leaveSafeMode(nn);
  assertTrue("Secret manager should start when safe mode is exited",
      sm.isRunning());

  LOG.info("========= entering safemode again");

  // Expect it to stop when safe mode is entered manually.
  NameNodeAdapter.enterSafeMode(nn, false);
  assertFalse("Secret manager should stop again when safe mode " +
      "is manually entered", sm.isRunning());

  // Set the cluster to leave safemode quickly on its own.
  cluster.getConfiguration(0).setInt(
      DFSConfigKeys.DFS_NAMENODE_SAFEMODE_EXTENSION_KEY, 0);
  cluster.setWaitSafeMode(true);
  cluster.restartNameNode();
  // Re-read both references after the restart.
  nn = cluster.getNameNode();
  sm = NameNodeAdapter.getDtSecretManager(nn.getNamesystem());

  assertFalse(nn.isInSafeMode());
  assertTrue(sm.isRunning());
}
 
Example #17
Source File: TestTokenExtractor.java    From NNAnalytics with Apache License 2.0 4 votes vote down vote up
/**
 * Creates a mocked {@link FSNamesystem} and a
 * {@link DelegationTokenSecretManager} bound to it before each test.
 */
@Before
public void setUp() {
  final FSNamesystem mockedNamesystem = Mockito.mock(FSNamesystem.class);
  fsn = mockedNamesystem;
  // Every interval argument is zero, and the manager's threads are not
  // started here.
  dtsm = new DelegationTokenSecretManager(0L, 0L, 0L, 0L, mockedNamesystem);
}
 
Example #18
Source File: HdfsAuditLogger.java    From big-c with Apache License 2.0 2 votes vote down vote up
/**
 * Same as
 * {@link #logAuditEvent(boolean, String, InetAddress, String, String, String, FileStatus)}
 * with additional parameters related to logging delegation token tracking
 * IDs.
 *
 * <p>Implementations must accept {@code null} for both {@code ugi} and
 * {@code dtSecretManager}: callers pass {@code null} for these when token
 * tracking information is not being logged.
 *
 * @param succeeded Whether authorization succeeded.
 * @param userName Name of the user executing the request.
 * @param addr Remote address of the request.
 * @param cmd The requested command.
 * @param src Path of affected source file.
 * @param dst Path of affected destination file (if any).
 * @param stat File information for operations that change the file's metadata
 *          (permissions, owner, times, etc).
 * @param ugi UserGroupInformation of the current user, or null if not logging
 *          token tracking information
 * @param dtSecretManager The token secret manager, or null if not logging
 *          token tracking information
 */
public abstract void logAuditEvent(boolean succeeded, String userName,
    InetAddress addr, String cmd, String src, String dst,
    FileStatus stat, UserGroupInformation ugi,
    DelegationTokenSecretManager dtSecretManager);
 
Example #19
Source File: TokenExtractor.java    From NNAnalytics with Apache License 2.0 2 votes vote down vote up
/**
 * Creates an extractor over the given secret manager and namesystem.
 * Both references are stored as passed in; no null check or copy is made.
 *
 * @param dtsm the delegation token secret manager taken from the FSNamesystem
 * @param fsn the FSNamesystem
 */
public TokenExtractor(DelegationTokenSecretManager dtsm, FSNamesystem fsn) {
  this.fsn = fsn;
  this.dtsm = dtsm;
}
 
Example #20
Source File: HdfsAuditLogger.java    From hadoop with Apache License 2.0 2 votes vote down vote up
/**
 * Same as
 * {@link #logAuditEvent(boolean, String, InetAddress, String, String, String, FileStatus)}
 * with additional parameters related to logging delegation token tracking
 * IDs.
 *
 * <p>Both {@code ugi} and {@code dtSecretManager} are {@code null} when
 * token tracking information is not being logged, so an implementation has
 * to check them before use.
 *
 * @param succeeded Whether authorization succeeded.
 * @param userName Name of the user executing the request.
 * @param addr Remote address of the request.
 * @param cmd The requested command.
 * @param src Path of affected source file.
 * @param dst Path of affected destination file (if any).
 * @param stat File information for operations that change the file's metadata
 *          (permissions, owner, times, etc).
 * @param ugi UserGroupInformation of the current user, or null if not logging
 *          token tracking information
 * @param dtSecretManager The token secret manager, or null if not logging
 *          token tracking information
 */
public abstract void logAuditEvent(boolean succeeded, String userName,
    InetAddress addr, String cmd, String src, String dst,
    FileStatus stat, UserGroupInformation ugi,
    DelegationTokenSecretManager dtSecretManager);