@Override public GetDelegationTokenResponseProto getDelegationToken( RpcController controller, GetDelegationTokenRequestProto proto) throws ServiceException { GetDelegationTokenRequest request = new GetDelegationTokenRequestPBImpl(proto); try { GetDelegationTokenResponse response = real.getDelegationToken(request); return ((GetDelegationTokenResponsePBImpl)response).getProto(); } catch (IOException e) { throw new ServiceException(e); } }
@Override public GetDelegationTokenResponse getDelegationToken( GetDelegationTokenRequest request) throws IOException { GetDelegationTokenRequestProto requestProto = ((GetDelegationTokenRequestPBImpl) request).getProto(); try { return new GetDelegationTokenResponsePBImpl(proxy.getDelegationToken( null, requestProto)); } catch (ServiceException e) { throw unwrapAndThrowException(e); } }
@Override public GetDelegationTokenResponse getDelegationToken( GetDelegationTokenRequest request) throws IOException { UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); // Verify that the connection is kerberos authenticated if (!isAllowedDelegationTokenOp()) { throw new IOException( "Delegation Token can be issued only with kerberos authentication"); } GetDelegationTokenResponse response = recordFactory.newRecordInstance( GetDelegationTokenResponse.class); String user = ugi.getUserName(); Text owner = new Text(user); Text realUser = null; if (ugi.getRealUser() != null) { realUser = new Text(ugi.getRealUser().getUserName()); } MRDelegationTokenIdentifier tokenIdentifier = new MRDelegationTokenIdentifier(owner, new Text( request.getRenewer()), realUser); Token<MRDelegationTokenIdentifier> realJHSToken = new Token<MRDelegationTokenIdentifier>(tokenIdentifier, jhsDTSecretManager); org.apache.hadoop.yarn.api.records.Token mrDToken = org.apache.hadoop.yarn.api.records.Token.newInstance( realJHSToken.getIdentifier(), realJHSToken.getKind().toString(), realJHSToken.getPassword(), realJHSToken.getService().toString()); response.setDelegationToken(mrDToken); return response; }
@Override public GetDelegationTokenResponse getDelegationToken( GetDelegationTokenRequest request) throws IOException { throw new IOException("MR AM not authorized to issue delegation" + " token"); }
@Override public GetDelegationTokenResponse getDelegationToken( GetDelegationTokenRequest request) throws IOException { /* Should not be invoked by anyone. */ throw new NotImplementedException(); }
@Override public GetDelegationTokenResponse getDelegationToken( GetDelegationTokenRequest request) throws IOException { return null; }
@Test(timeout=20000) public void testGetHSDelegationToken() throws Exception { try { Configuration conf = new Configuration(); // Setup mock service InetSocketAddress mockRmAddress = new InetSocketAddress("localhost", 4444); Text rmTokenSevice = SecurityUtil.buildTokenService(mockRmAddress); InetSocketAddress mockHsAddress = new InetSocketAddress("localhost", 9200); Text hsTokenSevice = SecurityUtil.buildTokenService(mockHsAddress); // Setup mock rm token RMDelegationTokenIdentifier tokenIdentifier = new RMDelegationTokenIdentifier( new Text("owner"), new Text("renewer"), new Text("real")); Token<RMDelegationTokenIdentifier> token = new Token<RMDelegationTokenIdentifier>( new byte[0], new byte[0], tokenIdentifier.getKind(), rmTokenSevice); token.setKind(RMDelegationTokenIdentifier.KIND_NAME); // Setup mock history token org.apache.hadoop.yarn.api.records.Token historyToken = org.apache.hadoop.yarn.api.records.Token.newInstance(new byte[0], MRDelegationTokenIdentifier.KIND_NAME.toString(), new byte[0], hsTokenSevice.toString()); GetDelegationTokenResponse getDtResponse = Records.newRecord(GetDelegationTokenResponse.class); getDtResponse.setDelegationToken(historyToken); // mock services MRClientProtocol mockHsProxy = mock(MRClientProtocol.class); doReturn(mockHsAddress).when(mockHsProxy).getConnectAddress(); doReturn(getDtResponse).when(mockHsProxy).getDelegationToken( any(GetDelegationTokenRequest.class)); ResourceMgrDelegate rmDelegate = mock(ResourceMgrDelegate.class); doReturn(rmTokenSevice).when(rmDelegate).getRMDelegationTokenService(); ClientCache clientCache = mock(ClientCache.class); doReturn(mockHsProxy).when(clientCache).getInitializedHSProxy(); Credentials creds = new Credentials(); YARNRunner yarnRunner = new YARNRunner(conf, rmDelegate, clientCache); // No HS token if no RM token yarnRunner.addHistoryToken(creds); verify(mockHsProxy, times(0)).getDelegationToken( any(GetDelegationTokenRequest.class)); // No HS token if RM token, but secirity disabled. creds.addToken(new Text("rmdt"), token); yarnRunner.addHistoryToken(creds); verify(mockHsProxy, times(0)).getDelegationToken( any(GetDelegationTokenRequest.class)); conf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION, "kerberos"); UserGroupInformation.setConfiguration(conf); creds = new Credentials(); // No HS token if no RM token, security enabled yarnRunner.addHistoryToken(creds); verify(mockHsProxy, times(0)).getDelegationToken( any(GetDelegationTokenRequest.class)); // HS token if RM token present, security enabled creds.addToken(new Text("rmdt"), token); yarnRunner.addHistoryToken(creds); verify(mockHsProxy, times(1)).getDelegationToken( any(GetDelegationTokenRequest.class)); // No additional call to get HS token if RM and HS token present yarnRunner.addHistoryToken(creds); verify(mockHsProxy, times(1)).getDelegationToken( any(GetDelegationTokenRequest.class)); } finally { // Back to defaults. UserGroupInformation.setConfiguration(new Configuration()); } }
