public static MockFileSystem createFileSystemForServiceName( final Text service, final FileSystem... children) throws IOException { final MockFileSystem fs = new MockFileSystem(); final MockFileSystem mockFs = fs.getRawFileSystem(); if (service != null) { when(mockFs.getCanonicalServiceName()).thenReturn(service.toString()); when(mockFs.getDelegationToken(any(String.class))).thenAnswer( new Answer<Token<?>>() { @Override public Token<?> answer(InvocationOnMock invocation) throws Throwable { Token<?> token = new Token<TokenIdentifier>(); token.setService(service); return token; } }); } when(mockFs.getChildFileSystems()).thenReturn(children); return fs; }
@SuppressWarnings("unchecked") // from Mockito mocks @Test (timeout = 30000) public <T extends TokenIdentifier> void testAddCreds() throws Exception { UserGroupInformation ugi = UserGroupInformation.createRemoteUser("someone"); Text service = new Text("service"); Token<T> t1 = mock(Token.class); when(t1.getService()).thenReturn(service); Token<T> t2 = mock(Token.class); when(t2.getService()).thenReturn(new Text("service2")); byte[] secret = new byte[]{}; Text secretKey = new Text("sshhh"); // fill credentials Credentials creds = new Credentials(); creds.addToken(t1.getService(), t1); creds.addToken(t2.getService(), t2); creds.addSecretKey(secretKey, secret); // add creds to ugi, and check ugi ugi.addCredentials(creds); checkTokens(ugi, t1, t2); assertSame(secret, ugi.getCredentials().getSecretKey(secretKey)); }
@Test public void testGetRemoteToken() throws IOException, URISyntaxException { Configuration conf = new Configuration(); DummyFs fs = spy(new DummyFs()); Token<TokenIdentifier> token = new Token<TokenIdentifier>(new byte[0], new byte[0], DummyFs.TOKEN_KIND, new Text("127.0.0.1:1234")); doReturn(token).when(fs).getDelegationToken(anyString()); doReturn(token).when(fs).getRenewToken(); fs.initialize(new URI("dummyfs://127.0.0.1:1234"), conf); fs.tokenAspect.ensureTokenInitialized(); // Select a token, store and renew it verify(fs).setDelegationToken(token); assertNotNull(Whitebox.getInternalState(fs.tokenAspect, "dtRenewer")); assertNotNull(Whitebox.getInternalState(fs.tokenAspect, "action")); }
@SuppressWarnings("unchecked") // from Mockito mocks @Test (timeout = 30000) public <T extends TokenIdentifier> void testGetCreds() throws Exception { UserGroupInformation ugi = UserGroupInformation.createRemoteUser("someone"); Text service = new Text("service"); Token<T> t1 = mock(Token.class); when(t1.getService()).thenReturn(service); Token<T> t2 = mock(Token.class); when(t2.getService()).thenReturn(new Text("service2")); Token<T> t3 = mock(Token.class); when(t3.getService()).thenReturn(service); // add token to ugi ugi.addToken(t1); ugi.addToken(t2); checkTokens(ugi, t1, t2); Credentials creds = ugi.getCredentials(); creds.addToken(t3.getService(), t3); assertSame(t3, creds.getToken(service)); // check that ugi wasn't modified checkTokens(ugi, t1, t2); }
private void verifyTokenService(InetSocketAddress addr, String host, String ip, int port, boolean useIp) { //LOG.info("address:"+addr+" host:"+host+" ip:"+ip+" port:"+port); SecurityUtil.setTokenServiceUseIp(useIp); String serviceHost = useIp ? ip : StringUtils.toLowerCase(host); Token<?> token = new Token<TokenIdentifier>(); Text service = new Text(serviceHost+":"+port); assertEquals(service, SecurityUtil.buildTokenService(addr)); SecurityUtil.setTokenService(token, addr); assertEquals(service, token.getService()); InetSocketAddress serviceAddr = SecurityUtil.getTokenServiceAddr(token); assertNotNull(serviceAddr); verifyValues(serviceAddr, serviceHost, ip, port); }
@SuppressWarnings("unchecked") // from Mockito mocks @Test (timeout = 30000) public <T extends TokenIdentifier> void testAddNamedToken() throws Exception { UserGroupInformation ugi = UserGroupInformation.createRemoteUser("someone"); Token<T> t1 = mock(Token.class); Text service1 = new Text("t1"); Text service2 = new Text("t2"); when(t1.getService()).thenReturn(service1); // add token ugi.addToken(service1, t1); assertSame(t1, ugi.getCredentials().getToken(service1)); // add token with another name ugi.addToken(service2, t1); assertSame(t1, ugi.getCredentials().getToken(service1)); assertSame(t1, ugi.getCredentials().getToken(service2)); }
@Override public Token<AuthenticationTokenIdentifier> selectToken(Text serviceName, Collection<Token<? extends TokenIdentifier>> tokens) { if (serviceName != null) { for (Token ident : tokens) { if (serviceName.equals(ident.getService()) && AuthenticationTokenIdentifier.AUTH_TOKEN_TYPE.equals(ident.getKind())) { if (LOG.isDebugEnabled()) { LOG.debug("Returning token "+ident); } return (Token<AuthenticationTokenIdentifier>)ident; } } } LOG.debug("No matching token found"); return null; }
/** * In some scenario, such as HA, delegation tokens are associated with a * logical name. The tokens are cloned and are associated with the * physical address of the server where the service is provided. * This test ensures cloned delegated tokens are locally used * and are not returned in {@link UserGroupInformation#getCredentials()} */ @Test public void testPrivateTokenExclusion() throws Exception { UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); TestTokenIdentifier tokenId = new TestTokenIdentifier(); Token<TestTokenIdentifier> token = new Token<TestTokenIdentifier>( tokenId.getBytes(), "password".getBytes(), tokenId.getKind(), null); ugi.addToken(new Text("regular-token"), token); // Now add cloned private token ugi.addToken(new Text("private-token"), new Token.PrivateToken<TestTokenIdentifier>(token)); ugi.addToken(new Text("private-token1"), new Token.PrivateToken<TestTokenIdentifier>(token)); // Ensure only non-private tokens are returned Collection<Token<? extends TokenIdentifier>> tokens = ugi.getCredentials().getAllTokens(); assertEquals(1, tokens.size()); }
@SuppressWarnings("unchecked") public Token<AMRMTokenIdentifier> selectToken(Text service, Collection<Token<? extends TokenIdentifier>> tokens) { if (service == null) { return null; } LOG.debug("Looking for a token with service " + service.toString()); for (Token<? extends TokenIdentifier> token : tokens) { LOG.debug("Token kind is " + token.getKind().toString() + " and the token's service name is " + token.getService()); if (AMRMTokenIdentifier.KIND_NAME.equals(token.getKind()) && checkService(service, token)) { return (Token<AMRMTokenIdentifier>) token; } } return null; }
@Override public TokenInfo getTokenInfo(Class<?> protocol, Configuration conf) { if (!protocol .equals(ContainerManagementProtocolPB.class)) { return null; } return new TokenInfo() { @Override public Class<? extends Annotation> annotationType() { return null; } @Override public Class<? extends TokenSelector<? extends TokenIdentifier>> value() { return NMTokenSelector.class; } }; }
@Override public TokenInfo getTokenInfo(Class<?> protocol, Configuration conf) { if (!protocol.equals(ApplicationMasterProtocolPB.class)) { return null; } return new TokenInfo() { @Override public Class<? extends Annotation> annotationType() { return null; } @Override public Class<? extends TokenSelector<? extends TokenIdentifier>> value() { return AMRMTokenSelector.class; } }; }
@SuppressWarnings("unchecked") public Token<TimelineDelegationTokenIdentifier> selectToken(Text service, Collection<Token<? extends TokenIdentifier>> tokens) { if (service == null) { return null; } if (LOG.isDebugEnabled()) { LOG.debug("Looking for a token with service " + service.toString()); } for (Token<? extends TokenIdentifier> token : tokens) { if (LOG.isDebugEnabled()) { LOG.debug("Token kind is " + token.getKind().toString() + " and the token's service name is " + token.getService()); } if (TimelineDelegationTokenIdentifier.KIND_NAME.equals(token.getKind()) && service.equals(token.getService())) { return (Token<TimelineDelegationTokenIdentifier>) token; } } return null; }
@SuppressWarnings("unchecked") public Token<RMDelegationTokenIdentifier> selectToken(Text service, Collection<Token<? extends TokenIdentifier>> tokens) { if (service == null) { return null; } LOG.debug("Looking for a token with service " + service.toString()); for (Token<? extends TokenIdentifier> token : tokens) { LOG.debug("Token kind is " + token.getKind().toString() + " and the token's service name is " + token.getService()); if (RMDelegationTokenIdentifier.KIND_NAME.equals(token.getKind()) && checkService(service, token)) { return (Token<RMDelegationTokenIdentifier>) token; } } return null; }
@Override public TokenInfo getTokenInfo(Class<?> protocol, Configuration conf) { if (!protocol .equals(ApplicationClientProtocolPB.class)) { return null; } return new TokenInfo() { @Override public Class<? extends Annotation> annotationType() { return null; } @Override public Class<? extends TokenSelector<? extends TokenIdentifier>> value() { return RMDelegationTokenSelector.class; } }; }
@SuppressWarnings("unchecked") public Token<ClientToAMTokenIdentifier> selectToken(Text service, Collection<Token<? extends TokenIdentifier>> tokens) { if (service == null) { return null; } LOG.debug("Looking for a token with service " + service.toString()); for (Token<? extends TokenIdentifier> token : tokens) { LOG.debug("Token kind is " + token.getKind().toString() + " and the token's service name is " + token.getService()); if (ClientToAMTokenIdentifier.KIND_NAME.equals(token.getKind()) && service.equals(token.getService())) { return (Token<ClientToAMTokenIdentifier>) token; } } return null; }
@Override public TokenInfo getTokenInfo(Class<?> protocol, Configuration conf) { if (!protocol .equals(ApplicationHistoryProtocolPB.class)) { return null; } return new TokenInfo() { @Override public Class<? extends Annotation> annotationType() { return null; } @Override public Class<? extends TokenSelector<? extends TokenIdentifier>> value() { return TimelineDelegationTokenSelector.class; } }; }
@SuppressWarnings("unchecked") @Override public Token<NMTokenIdentifier> selectToken(Text service, Collection<Token<? extends TokenIdentifier>> tokens) { if (service == null) { return null; } for (Token<? extends TokenIdentifier> token : tokens) { if (LOG.isDebugEnabled()) { LOG.info("Looking for service: " + service + ". Current token is " + token); } if (NMTokenIdentifier.KIND.equals(token.getKind()) && service.equals(token.getService())) { return (Token<NMTokenIdentifier>) token; } } return null; }
/** * Convert a protobuf token into a rpc token and set its service. Supposed * to be used for tokens other than RMDelegationToken. For * RMDelegationToken, use * {@link #convertFromYarn(org.apache.hadoop.yarn.api.records.Token, * org.apache.hadoop.io.Text)} instead. * * @param protoToken the yarn token * @param serviceAddr the connect address for the service * @return rpc token */ public static <T extends TokenIdentifier> Token<T> convertFromYarn( org.apache.hadoop.yarn.api.records.Token protoToken, InetSocketAddress serviceAddr) { Token<T> token = new Token<T>(protoToken.getIdentifier().array(), protoToken.getPassword().array(), new Text(protoToken.getKind()), new Text(protoToken.getService())); if (serviceAddr != null) { SecurityUtil.setTokenService(token, serviceAddr); } return token; }
@Override public TokenInfo getTokenInfo(Class<?> protocol, Configuration conf) { if (!protocol .equals(LocalizationProtocolPB.class)) { return null; } return new TokenInfo() { @Override public Class<? extends Annotation> annotationType() { return null; } @Override public Class<? extends TokenSelector<? extends TokenIdentifier>> value() { LOG.debug("Using localizerTokenSecurityInfo"); return LocalizerTokenSelector.class; } }; }
@SuppressWarnings("unchecked") @Override public Token<LocalizerTokenIdentifier> selectToken(Text service, Collection<Token<? extends TokenIdentifier>> tokens) { LOG.debug("Using localizerTokenSelector."); for (Token<? extends TokenIdentifier> token : tokens) { LOG.debug("Token of kind " + token.getKind() + " is found"); if (LocalizerTokenIdentifier.KIND.equals(token.getKind())) { return (Token<LocalizerTokenIdentifier>) token; } } LOG.debug("Returning null."); return null; }
private UserGroupInformation getAuthorizedUgi(String authorizedId) throws IOException { UserGroupInformation authorizedUgi; if (authMethod == AuthMethod.DIGEST) { TokenIdentifier tokenId = HBaseSaslRpcServer.getIdentifier(authorizedId, secretManager); authorizedUgi = tokenId.getUser(); if (authorizedUgi == null) { throw new AccessDeniedException( "Can't retrieve username from tokenIdentifier."); } authorizedUgi.addTokenIdentifier(tokenId); } else { authorizedUgi = UserGroupInformation.createRemoteUser(authorizedId); } authorizedUgi.setAuthenticationMethod(authMethod.authenticationMethod.getAuthMethod()); return authorizedUgi; }
@Test public void testSaslClientCallbackHandler() throws UnsupportedCallbackException { final Token<? extends TokenIdentifier> token = createTokenMock(); when(token.getIdentifier()).thenReturn(DEFAULT_USER_NAME.getBytes()); when(token.getPassword()).thenReturn(DEFAULT_USER_PASSWORD.getBytes()); final NameCallback nameCallback = mock(NameCallback.class); final PasswordCallback passwordCallback = mock(PasswordCallback.class); final RealmCallback realmCallback = mock(RealmCallback.class); final RealmChoiceCallback realmChoiceCallback = mock(RealmChoiceCallback.class); Callback[] callbackArray = {nameCallback, passwordCallback, realmCallback, realmChoiceCallback}; final SaslClientCallbackHandler saslClCallbackHandler = new SaslClientCallbackHandler(token); saslClCallbackHandler.handle(callbackArray); verify(nameCallback).setName(anyString()); verify(realmCallback).setText(anyString()); verify(passwordCallback).setPassword(any(char[].class)); }
private static void createBinaryTokenFile(Configuration conf) { // Fetch delegation tokens and store in binary token file. try { Credentials cred1 = new Credentials(); Credentials cred2 = new Credentials(); TokenCache.obtainTokensForNamenodesInternal(cred1, new Path[] { p1 }, conf); for (Token<? extends TokenIdentifier> t : cred1.getAllTokens()) { cred2.addToken(new Text(DELEGATION_TOKEN_KEY), t); } DataOutputStream os = new DataOutputStream(new FileOutputStream( binaryTokenFileName.toString())); try { cred2.writeTokenStorageToStream(os); } finally { os.close(); } } catch (IOException e) { Assert.fail("Exception " + e); } }
@Override public TokenInfo getTokenInfo(Class<?> protocol, Configuration conf) { if (!protocol .equals(HSClientProtocolPB.class)) { return null; } return new TokenInfo() { @Override public Class<? extends Annotation> annotationType() { return null; } @Override public Class<? extends TokenSelector<? extends TokenIdentifier>> value() { return ClientHSTokenSelector.class; } }; }
private MockFileSystem createFileSystemForServiceName(final String service) throws IOException { MockFileSystem mockFs = new MockFileSystem(); when(mockFs.getCanonicalServiceName()).thenReturn(service); when(mockFs.getDelegationToken(any(String.class))).thenAnswer( new Answer<Token<?>>() { int unique = 0; @Override public Token<?> answer(InvocationOnMock invocation) throws Throwable { Token<?> token = new Token<TokenIdentifier>(); token.setService(new Text(service)); // use unique value so when we restore from token storage, we can // tell if it's really the same token token.setKind(new Text("token" + unique++)); return token; } }); return mockFs; }
private void checkReadAccess(final ExtendedBlock block) throws IOException { if (isBlockTokenEnabled) { Set<TokenIdentifier> tokenIds = UserGroupInformation.getCurrentUser() .getTokenIdentifiers(); if (tokenIds.size() != 1) { throw new IOException("Can't continue since none or more than one " + "BlockTokenIdentifier is found."); } for (TokenIdentifier tokenId : tokenIds) { BlockTokenIdentifier id = (BlockTokenIdentifier) tokenId; if (LOG.isDebugEnabled()) { LOG.debug("Got: " + id.toString()); } blockPoolTokenSecretManager.checkAccess(id, null, block, BlockTokenSecretManager.AccessMode.READ); } } }
@Test public void testCachedInitialization() throws IOException, URISyntaxException { Configuration conf = new Configuration(); DummyFs fs = spy(new DummyFs()); Token<TokenIdentifier> token = new Token<TokenIdentifier>(new byte[0], new byte[0], DummyFs.TOKEN_KIND, new Text("127.0.0.1:1234")); doReturn(token).when(fs).getDelegationToken(anyString()); doReturn(token).when(fs).getRenewToken(); fs.emulateSecurityEnabled = true; fs.initialize(new URI("dummyfs://127.0.0.1:1234"), conf); fs.tokenAspect.ensureTokenInitialized(); verify(fs, times(1)).getDelegationToken(null); verify(fs, times(1)).setDelegationToken(token); // For the second iteration, the token should be cached. fs.tokenAspect.ensureTokenInitialized(); verify(fs, times(1)).getDelegationToken(null); verify(fs, times(1)).setDelegationToken(token); }
/** * Add a token in the storage (in memory) * @param alias the alias for the key * @param t the token object */ public void addToken(Text alias, Token<? extends TokenIdentifier> t) { if (t != null) { tokenMap.put(alias, t); } else { LOG.warn("Null token ignored for " + alias); } }
@SuppressWarnings("unchecked") @Override public Token<TokenIdent> selectToken(Text service, Collection<Token<? extends TokenIdentifier>> tokens) { if (service == null) { return null; } for (Token<? extends TokenIdentifier> token : tokens) { if (kindName.equals(token.getKind()) && service.equals(token.getService())) { return (Token<TokenIdent>) token; } } return null; }
private Token<? extends TokenIdentifier> createTokenMockWithCredentials( String principal, String password) throws IOException { Token<? extends TokenIdentifier> token = createTokenMock(); if (!Strings.isNullOrEmpty(principal) && !Strings.isNullOrEmpty(password)) { when(token.getIdentifier()).thenReturn(DEFAULT_USER_NAME.getBytes()); when(token.getPassword()).thenReturn(DEFAULT_USER_PASSWORD.getBytes()); } return token; }
public static <T extends TokenIdentifier> T getIdentifier(String id, SecretManager<T> secretManager) throws InvalidToken { byte[] tokenId = decodeIdentifier(id); T tokenIdentifier = secretManager.createIdentifier(); try { tokenIdentifier.readFields(new DataInputStream(new ByteArrayInputStream( tokenId))); } catch (IOException e) { throw (InvalidToken) new InvalidToken( "Can't de-serialize tokenIdentifier").initCause(e); } return tokenIdentifier; }
/** * Dump all tokens of a UGI. * @param ugi UGI to examine */ public void dumpTokens(UserGroupInformation ugi) { Collection<Token<? extends TokenIdentifier>> tokens = ugi.getCredentials().getAllTokens(); title("Token Count: %d", tokens.size()); for (Token<? extends TokenIdentifier> token : tokens) { println("Token %s", token.getKind()); } endln(); }
@Override public org.apache.hadoop.ipc.RPC.Server getServer(Class<?> protocol, Object instance, String bindAddress, int port, int numHandlers, int numReaders, int queueSizePerHandler, boolean verbose, Configuration conf, SecretManager<? extends TokenIdentifier> secretManager, String portRangeConfig) throws IOException { return null; }
/** * Obtain the collection of tokens associated with this user. * * @return an unmodifiable collection of tokens associated with user */ public Collection<Token<? extends TokenIdentifier>> getTokens() { synchronized (subject) { return Collections.unmodifiableCollection( new ArrayList<Token<?>>(getCredentialsInternal().getAllTokens())); } }
@Override public RPC.Server getServer(Class<?> protocolClass, Object protocolImpl, String bindAddress, int port, int numHandlers, int numReaders, int queueSizePerHandler, boolean verbose, Configuration conf, SecretManager<? extends TokenIdentifier> secretManager, String portRangeConfig) throws IOException { return new Server(protocolClass, protocolImpl, conf, bindAddress, port, numHandlers, numReaders, queueSizePerHandler, verbose, secretManager, portRangeConfig); }
protected Server(String bindAddress, int port, Class<? extends Writable> rpcRequestClass, int handlerCount, int numReaders, int queueSizePerHandler, Configuration conf, String serverName, SecretManager<? extends TokenIdentifier> secretManager) throws IOException { this(bindAddress, port, rpcRequestClass, handlerCount, numReaders, queueSizePerHandler, conf, serverName, secretManager, null); }
@Override public RPC.Server getServer(Class<?> protocol, Object protocolImpl, String bindAddress, int port, int numHandlers, int numReaders, int queueSizePerHandler, boolean verbose, Configuration conf, SecretManager<? extends TokenIdentifier> secretManager, String portRangeConfig) throws IOException { return new Server(protocol, protocolImpl, conf, bindAddress, port, numHandlers, numReaders, queueSizePerHandler, verbose, secretManager, portRangeConfig); }
