Java Code Examples for org.apache.hadoop.security.token.Token#getService()

The following examples show how to use org.apache.hadoop.security.token.Token#getService() . These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source Project: hadoop   File: AMRMTokenSelector.java    License: Apache License 2.0 5 votes vote down vote up
private boolean checkService(Text service,
    Token<? extends TokenIdentifier> token) {
  if (service == null || token.getService() == null) {
    return false;
  }
  return token.getService().toString().contains(service.toString());
}
 
Example 2
private boolean checkService(Text service,
    Token<? extends TokenIdentifier> token) {
  if (service == null || token.getService() == null) {
    return false;
  }
  return token.getService().toString().contains(service.toString());
}
 
Example 3
/** @return a string representation of the token */
public static String stringifyToken(final Token<?> token) throws IOException {
  DelegationTokenIdentifier ident = new DelegationTokenIdentifier();
  ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
  DataInputStream in = new DataInputStream(buf);  
  ident.readFields(in);

  if (token.getService().getLength() > 0) {
    return ident + " on " + token.getService();
  } else {
    return ident.toString();
  }
}
 
Example 4
Source Project: hadoop   File: HAUtil.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Locate a delegation token associated with the given HA cluster URI, and if
 * one is found, clone it to also represent the underlying namenode address.
 * @param ugi the UGI to modify
 * @param haUri the logical URI for the cluster
 * @param nnAddrs collection of NNs in the cluster to which the token
 * applies
 */
public static void cloneDelegationTokenForLogicalUri(
    UserGroupInformation ugi, URI haUri,
    Collection<InetSocketAddress> nnAddrs) {
  // this cloning logic is only used by hdfs
  Text haService = HAUtil.buildTokenServiceForLogicalUri(haUri,
      HdfsConstants.HDFS_URI_SCHEME);
  Token<DelegationTokenIdentifier> haToken =
      tokenSelector.selectToken(haService, ugi.getTokens());
  if (haToken != null) {
    for (InetSocketAddress singleNNAddr : nnAddrs) {
      // this is a minor hack to prevent physical HA tokens from being
      // exposed to the user via UGI.getCredentials(), otherwise these
      // cloned tokens may be inadvertently propagated to jobs
      Token<DelegationTokenIdentifier> specificToken =
          new Token.PrivateToken<DelegationTokenIdentifier>(haToken);
      SecurityUtil.setTokenService(specificToken, singleNNAddr);
      Text alias = new Text(
          buildTokenServicePrefixForLogicalUri(HdfsConstants.HDFS_URI_SCHEME)
              + "//" + specificToken.getService());
      ugi.addToken(alias, specificToken);
      LOG.debug("Mapped HA service delegation token for logical URI " +
          haUri + " to namenode " + singleNNAddr);
    }
  } else {
    LOG.debug("No HA service delegation token found for logical URI " +
        haUri);
  }
}
 
Example 5
Source Project: big-c   File: AMRMTokenSelector.java    License: Apache License 2.0 5 votes vote down vote up
private boolean checkService(Text service,
    Token<? extends TokenIdentifier> token) {
  if (service == null || token.getService() == null) {
    return false;
  }
  return token.getService().toString().contains(service.toString());
}
 
Example 6
Source Project: big-c   File: RMDelegationTokenSelector.java    License: Apache License 2.0 5 votes vote down vote up
private boolean checkService(Text service,
    Token<? extends TokenIdentifier> token) {
  if (service == null || token.getService() == null) {
    return false;
  }
  return token.getService().toString().contains(service.toString());
}
 
Example 7
Source Project: big-c   File: DelegationTokenIdentifier.java    License: Apache License 2.0 5 votes vote down vote up
/** @return a string representation of the token */
public static String stringifyToken(final Token<?> token) throws IOException {
  DelegationTokenIdentifier ident = new DelegationTokenIdentifier();
  ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
  DataInputStream in = new DataInputStream(buf);  
  ident.readFields(in);

  if (token.getService().getLength() > 0) {
    return ident + " on " + token.getService();
  } else {
    return ident.toString();
  }
}
 
Example 8
Source Project: big-c   File: HAUtil.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Locate a delegation token associated with the given HA cluster URI, and if
 * one is found, clone it to also represent the underlying namenode address.
 * @param ugi the UGI to modify
 * @param haUri the logical URI for the cluster
 * @param nnAddrs collection of NNs in the cluster to which the token
 * applies
 */
public static void cloneDelegationTokenForLogicalUri(
    UserGroupInformation ugi, URI haUri,
    Collection<InetSocketAddress> nnAddrs) {
  // this cloning logic is only used by hdfs
  Text haService = HAUtil.buildTokenServiceForLogicalUri(haUri,
      HdfsConstants.HDFS_URI_SCHEME);
  Token<DelegationTokenIdentifier> haToken =
      tokenSelector.selectToken(haService, ugi.getTokens());
  if (haToken != null) {
    for (InetSocketAddress singleNNAddr : nnAddrs) {
      // this is a minor hack to prevent physical HA tokens from being
      // exposed to the user via UGI.getCredentials(), otherwise these
      // cloned tokens may be inadvertently propagated to jobs
      Token<DelegationTokenIdentifier> specificToken =
          new Token.PrivateToken<DelegationTokenIdentifier>(haToken);
      SecurityUtil.setTokenService(specificToken, singleNNAddr);
      Text alias = new Text(
          buildTokenServicePrefixForLogicalUri(HdfsConstants.HDFS_URI_SCHEME)
              + "//" + specificToken.getService());
      ugi.addToken(alias, specificToken);
      LOG.debug("Mapped HA service delegation token for logical URI " +
          haUri + " to namenode " + singleNNAddr);
    }
  } else {
    LOG.debug("No HA service delegation token found for logical URI " +
        haUri);
  }
}
 
Example 9
Source Project: hbase   File: ClientTokenUtil.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Converts a Token instance (with embedded identifier) to the protobuf representation.
 *
 * @param token the Token instance to copy
 * @return the protobuf Token message
 */
@InterfaceAudience.Private
static AuthenticationProtos.Token toToken(Token<AuthenticationTokenIdentifier> token) {
  AuthenticationProtos.Token.Builder builder = AuthenticationProtos.Token.newBuilder();
  builder.setIdentifier(ByteString.copyFrom(token.getIdentifier()));
  builder.setPassword(ByteString.copyFrom(token.getPassword()));
  if (token.getService() != null) {
    builder.setService(ByteString.copyFromUtf8(token.getService().toString()));
  }
  return builder.build();
}
 
Example 10
Source Project: elasticsearch-hadoop   File: TokenUtil.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Obtain an authentication token on behalf of the given user and add it to
 * the credentials for the given map reduce job. This version always obtains
 * a fresh authentication token instead of checking for existing ones on the
 * current user.
 *
 * @param client The Elasticsearch client
 * @param user The user for whom to obtain the token
 * @param job The job instance in which the token should be stored
 */
public static void obtainTokenForJob(final RestClient client, User user, Job job) {
    Token<EsTokenIdentifier> token = obtainToken(client, user);
    if (token == null) {
        throw new EsHadoopException("No token returned for user " + user.getKerberosPrincipal().getName());
    }
    Text clusterName = token.getService();
    if (LOG.isDebugEnabled()) {
        LOG.debug("Obtained token " + EsTokenIdentifier.KIND_NAME.toString() + " for user " +
                user.getKerberosPrincipal().getName() + " on cluster " + clusterName.toString());
    }
    job.getCredentials().addToken(clusterName, token);
}
 
Example 11
Source Project: elasticsearch-hadoop   File: TokenUtil.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Obtain an authentication token on behalf of the given user and add it to
 * the credentials for the given map reduce job. This version always obtains
 * a fresh authentication token instead of checking for existing ones on the
 * current user.
 *
 * @param client The Elasticsearch client
 * @param user The user for whom to obtain the token
 * @param jobConf The job configuration in which the token should be stored
 */
public static void obtainTokenForJob(final RestClient client, User user, JobConf jobConf) {
    Token<EsTokenIdentifier> token = obtainToken(client, user);
    if (token == null) {
        throw new EsHadoopException("No token returned for user " + user.getKerberosPrincipal().getName());
    }
    Text clusterName = token.getService();
    if (LOG.isDebugEnabled()) {
        LOG.debug("Obtained token " + EsTokenIdentifier.KIND_NAME.toString() + " for user " +
                user.getKerberosPrincipal().getName() + " on cluster " + clusterName.toString());
    }
    jobConf.getCredentials().addToken(clusterName, token);
}
 
Example 12
/**
 * Tests delegation token renewal.
 */
@Test
public void testDelegationTokenRenewal() throws Exception {
  GenericTestUtils
      .setLogLevel(LoggerFactory.getLogger(Server.class.getName()), INFO);
  LogCapturer omLogs = LogCapturer.captureLogs(OzoneManager.getLogger());

  // Setup secure OM for start.
  OzoneConfiguration newConf = new OzoneConfiguration(conf);
  int tokenMaxLifetime = 1000;
  newConf.setLong(DELEGATION_TOKEN_MAX_LIFETIME_KEY, tokenMaxLifetime);
  setupOm(newConf);
  long omVersion =
      RPC.getProtocolVersion(OzoneManagerProtocolPB.class);
  OzoneManager.setTestSecureOmFlag(true);
  // Start OM

  try {
    om.setCertClient(new CertificateClientTestImpl(conf));
    om.start();

    UserGroupInformation ugi = UserGroupInformation.getCurrentUser();

    // Get first OM client which will authenticate via Kerberos
    omClient = new OzoneManagerProtocolClientSideTranslatorPB(
        OmTransportFactory.create(conf, ugi, null),
        RandomStringUtils.randomAscii(5));

    // Since client is already connected get a delegation token
    Token<OzoneTokenIdentifier> token = omClient.getDelegationToken(
        new Text("om"));

    // Check if token is of right kind and renewer is running om instance
    assertNotNull(token);
    assertEquals("OzoneToken", token.getKind().toString());
    assertEquals(OmUtils.getOmRpcAddress(conf),
        token.getService().toString());

    // Renew delegation token
    long expiryTime = omClient.renewDelegationToken(token);
    assertTrue(expiryTime > 0);
    omLogs.clearOutput();

    // Test failure of delegation renewal
    // 1. When token maxExpiryTime exceeds
    Thread.sleep(tokenMaxLifetime);
    OMException ex = LambdaTestUtils.intercept(OMException.class,
        "TOKEN_EXPIRED",
        () -> omClient.renewDelegationToken(token));
    assertEquals(TOKEN_EXPIRED, ex.getResult());
    omLogs.clearOutput();

    // 2. When renewer doesn't match (implicitly covers when renewer is
    // null or empty )
    Token<OzoneTokenIdentifier> token2 = omClient.getDelegationToken(
        new Text("randomService"));
    assertNotNull(token2);
    LambdaTestUtils.intercept(OMException.class,
        "Delegation token renewal failed",
        () -> omClient.renewDelegationToken(token2));
    assertTrue(omLogs.getOutput().contains(" with non-matching " +
        "renewer randomService"));
    omLogs.clearOutput();

    // 3. Test tampered token
    OzoneTokenIdentifier tokenId = OzoneTokenIdentifier.readProtoBuf(
        token.getIdentifier());
    tokenId.setRenewer(new Text("om"));
    tokenId.setMaxDate(System.currentTimeMillis() * 2);
    Token<OzoneTokenIdentifier> tamperedToken = new Token<>(
        tokenId.getBytes(), token2.getPassword(), token2.getKind(),
        token2.getService());
    LambdaTestUtils.intercept(OMException.class,
        "Delegation token renewal failed",
        () -> omClient.renewDelegationToken(tamperedToken));
    assertTrue(omLogs.getOutput().contains("can't be found in " +
        "cache"));
    omLogs.clearOutput();

  } finally {
    om.stop();
    om.join();
  }
}
 
Example 13
Source Project: hadoop   File: TestClientToAMTokens.java    License: Apache License 2.0 4 votes vote down vote up
private void verifyTamperedToken(final Configuration conf, final CustomAM am,
    Token<ClientToAMTokenIdentifier> token, UserGroupInformation ugi,
    ClientToAMTokenIdentifier maliciousID) {
  Token<ClientToAMTokenIdentifier> maliciousToken =
      new Token<ClientToAMTokenIdentifier>(maliciousID.getBytes(),
        token.getPassword(), token.getKind(),
        token.getService());
  ugi.addToken(maliciousToken);

  try {
    ugi.doAs(new PrivilegedExceptionAction<Void>()  {
      @Override
      public Void run() throws Exception {
        try {
          CustomProtocol client =
              (CustomProtocol) RPC.getProxy(CustomProtocol.class, 1L,
                am.address, conf);
          client.ping();
          fail("Connection initiation with illegally modified "
              + "tokens is expected to fail.");
          return null;
        } catch (YarnException ex) {
          fail("Cannot get a YARN remote exception as "
              + "it will indicate RPC success");
          throw ex;
        }
      }
    });
  } catch (Exception e) {
    Assert.assertEquals(RemoteException.class.getName(), e.getClass()
        .getName());
    e = ((RemoteException)e).unwrapRemoteException();
    Assert
      .assertEquals(SaslException.class
        .getCanonicalName(), e.getClass().getCanonicalName());
    Assert.assertTrue(e
      .getMessage()
      .contains(
        "DIGEST-MD5: digest response format violation. "
            + "Mismatched response."));
    Assert.assertFalse(am.pinged);
  }
}
 
Example 14
Source Project: big-c   File: TestClientToAMTokens.java    License: Apache License 2.0 4 votes vote down vote up
private void verifyTamperedToken(final Configuration conf, final CustomAM am,
    Token<ClientToAMTokenIdentifier> token, UserGroupInformation ugi,
    ClientToAMTokenIdentifier maliciousID) {
  Token<ClientToAMTokenIdentifier> maliciousToken =
      new Token<ClientToAMTokenIdentifier>(maliciousID.getBytes(),
        token.getPassword(), token.getKind(),
        token.getService());
  ugi.addToken(maliciousToken);

  try {
    ugi.doAs(new PrivilegedExceptionAction<Void>()  {
      @Override
      public Void run() throws Exception {
        try {
          CustomProtocol client =
              (CustomProtocol) RPC.getProxy(CustomProtocol.class, 1L,
                am.address, conf);
          client.ping();
          fail("Connection initiation with illegally modified "
              + "tokens is expected to fail.");
          return null;
        } catch (YarnException ex) {
          fail("Cannot get a YARN remote exception as "
              + "it will indicate RPC success");
          throw ex;
        }
      }
    });
  } catch (Exception e) {
    Assert.assertEquals(RemoteException.class.getName(), e.getClass()
        .getName());
    e = ((RemoteException)e).unwrapRemoteException();
    Assert
      .assertEquals(SaslException.class
        .getCanonicalName(), e.getClass().getCanonicalName());
    Assert.assertTrue(e
      .getMessage()
      .contains(
        "DIGEST-MD5: digest response format violation. "
            + "Mismatched response."));
    Assert.assertFalse(am.pinged);
  }
}
 
Example 15
Source Project: hbase   File: TokenUtil.java    License: Apache License 2.0 4 votes vote down vote up
private static Text getClusterId(Token<AuthenticationTokenIdentifier> token)
    throws IOException {
  return token.getService() != null
      ? token.getService() : new Text("default");
}