List of usage examples for org.apache.hadoop.security.token Token getPassword
public byte[] getPassword()
From source file:azkaban.security.HadoopSecurityManager_H_2_0.java
License:Apache License
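/**
 * Cancels the given MapReduce JobHistoryServer delegation token over RPC.
 *
 * <p>The Hadoop security token is repackaged as a YARN records token and a
 * {@code CancelDelegationTokenRequest} is sent to the JHS whose address is
 * taken from the token's service field. The proxy is created inside
 * {@code doAs} of the current UGI; {@code userToProxy} is not referenced in
 * this method, so the cancel runs as the current user.
 *
 * @param t the JHS delegation token to cancel
 * @param userToProxy unused here; kept for signature compatibility
 * @throws HadoopSecurityManagerException if proxy creation or the cancel RPC fails
 */
private void cancelJhsToken(final Token<? extends TokenIdentifier> t, String userToProxy) throws HadoopSecurityManagerException {
  // it appears yarn would clean up this token after app finish, after a long
  // while though.
  org.apache.hadoop.yarn.api.records.Token token = org.apache.hadoop.yarn.api.records.Token.newInstance(
      t.getIdentifier(), t.getKind().toString(), t.getPassword(), t.getService().toString());
  final YarnRPC rpc = YarnRPC.create(conf);
  final InetSocketAddress jhsAddress = SecurityUtil.getTokenServiceAddr(t);
  MRClientProtocol jhsProxy = null;
  try {
    jhsProxy = UserGroupInformation.getCurrentUser().doAs(new PrivilegedAction<MRClientProtocol>() {
      @Override
      public MRClientProtocol run() {
        return (MRClientProtocol) rpc.getProxy(HSClientProtocol.class, jhsAddress, conf);
      }
    });
    CancelDelegationTokenRequest request = Records.newRecord(CancelDelegationTokenRequest.class);
    request.setDelegationToken(token);
    jhsProxy.cancelDelegationToken(request);
  } catch (Exception e) {
    throw new HadoopSecurityManagerException("Failed to cancel token. " + e.getMessage() + e.getCause(), e);
  } finally {
    // jhsProxy is only assigned once doAs succeeds. Skip stopProxy when
    // creation failed so the exception thrown above is not replaced by a
    // second one raised from this finally block.
    if (jhsProxy != null) {
      RPC.stopProxy(jhsProxy);
    }
  }
}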
From source file:co.cask.cdap.security.impersonation.UGIProviderTest.java
License:Apache License
/**
 * Exercises {@link RemoteUGIProvider} against an in-process mock HTTP service:
 * the UGI returned for "alice" must carry the principal and keytab URI as
 * credential tokens, must be served from the cache on a second call, and must
 * be rebuilt once the cache is invalidated.
 *
 * @throws Exception on any failure while running the mock service or fetching the UGI
 */
@Test
public void testRemoteUGIProvider() throws Exception {
  // Mock server answering remote UGI requests
  final NettyHttpService ugiService = NettyHttpService.builder("remoteUGITest")
      .addHttpHandlers(Collections.singleton(new UGIProviderTestHandler()))
      .build();
  ugiService.startAndWait();
  try {
    InMemoryDiscoveryService discovery = new InMemoryDiscoveryService();
    discovery.register(new Discoverable(Constants.Service.APP_FABRIC_HTTP, ugiService.getBindAddress()));

    RemoteUGIProvider provider = new RemoteUGIProvider(cConf, discovery, locationFactory);
    ImpersonationInfo alice = new ImpersonationInfo(getPrincipal("alice"), keytabFile.toURI().toString());
    UserGroupInformation aliceUGI = provider.getConfiguredUGI(alice);

    // The remote provider hands back a plain UGI, not a Kerberos one
    Assert.assertFalse(aliceUGI.hasKerberosCredentials());

    // Principal and keytab URI are expected as tokens keyed by their kind
    assertCredentialToken(aliceUGI.getCredentials().getToken(new Text("principal")), "principal", alice.getPrincipal());
    assertCredentialToken(aliceUGI.getCredentials().getToken(new Text("keytab")), "keytab", alice.getKeytabURI());

    // Same info again is answered from the cache
    Assert.assertSame(aliceUGI, provider.getConfiguredUGI(alice));

    // After invalidation a fresh UGI is built
    provider.invalidCache();
    Assert.assertNotSame(aliceUGI, provider.getConfiguredUGI(alice));
  } finally {
    ugiService.stopAndWait();
  }
}

/**
 * Asserts that {@code token} carries the UTF-8 bytes of {@code expectedPayload}
 * as both identifier and password, has kind {@code expectedKind} and service
 * "service".
 */
private static void assertCredentialToken(Token<? extends TokenIdentifier> token, String expectedKind, String expectedPayload) {
  byte[] expectedBytes = expectedPayload.getBytes(StandardCharsets.UTF_8);
  Assert.assertArrayEquals(expectedBytes, token.getIdentifier());
  Assert.assertArrayEquals(expectedBytes, token.getPassword());
  Assert.assertEquals(new Text(expectedKind), token.getKind());
  Assert.assertEquals(new Text("service"), token.getService());
}
From source file:com.cloudera.impala.security.DelegationTokenSecretManager.java
License:Apache License
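/**
 * Issues a new delegation token for {@code owner}.
 *
 * <p>The returned value carries three encodings of the same token: the
 * serialized identifier, the token password, and the token's URL-safe string
 * form as bytes.
 *
 * @param owner the user the token is issued to
 * @param renewer the user allowed to renew the token
 * @param realUser the real (authenticated) user behind the owner; when
 *     {@code null} the owner itself is used
 * @return the token with its identifier, password and URL form encoded
 * @throws IOException if the token cannot be created or serialized
 */
public synchronized DelegationTokenManager.DelegationToken getDelegationToken(String owner, String renewer, String realUser) throws IOException {
  // A missing real user means the owner is acting for itself.
  String effectiveRealUser = (realUser == null) ? owner : realUser;
  DelegationTokenIdentifier ident = new DelegationTokenIdentifier(new Text(owner), new Text(renewer), new Text(effectiveRealUser));
  // The Token(identifier, secretManager) constructor derives the password
  // from this manager's current key.
  Token<DelegationTokenIdentifier> t = new Token<DelegationTokenIdentifier>(ident, this);
  // encodeToUrlString() yields URL-safe base64 (ASCII); name the charset
  // instead of relying on the platform default.
  byte[] urlForm = t.encodeToUrlString().getBytes(java.nio.charset.StandardCharsets.UTF_8);
  return new DelegationTokenManager.DelegationToken(encodeIdentifier(ident.serialize()), encodePassword(t.getPassword()), urlForm);
}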
From source file:com.cloudera.impala.security.DelegationTokenTest.java
License:Apache License
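/**
 * Starts a {@link DelegationTokenSecretManager}, issues one token for the
 * current user and checks that the token's identifier names that user and
 * that the password stored by the manager matches the one carried inside
 * the token.
 *
 * @throws IOException if the token cannot be issued or decoded
 */
@Test
public void TestStartSecretManager() throws IOException {
  DelegationTokenSecretManager mgr = new DelegationTokenSecretManager(0, 60 * 60 * 1000, 60 * 60 * 1000, 0);
  mgr.startThreads();
  try {
    String userName = UserGroupInformation.getCurrentUser().getUserName();
    // Create a token for user.
    String tokenStrForm = mgr.getDelegationToken(userName);
    Token<DelegationTokenIdentifier> t = new Token<DelegationTokenIdentifier>();
    t.decodeFromUrlString(tokenStrForm);
    // Check the token contains the proper username.
    DelegationTokenIdentifier d = new DelegationTokenIdentifier();
    d.readFields(new DataInputStream(new ByteArrayInputStream(t.getIdentifier())));
    assertEquals("Usernames don't match", userName, d.getUser().getShortUserName());
    // The first token issued by a fresh manager carries sequence number 1.
    assertEquals(1, d.getSequenceNumber());
    // The password the manager stores for this identifier must equal the one
    // embedded in the token.
    byte[] password = mgr.retrievePassword(d);
    assertTrue("Passwords don't match", Arrays.equals(t.getPassword(), password));
  } finally {
    // Stop the manager's background threads even when an assertion fails, so
    // they do not leak into other tests.
    mgr.stopThreads();
  }
}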
From source file:com.cloudera.impala.security.DelegationTokenTest.java
License:Apache License
/**
 * Drives a {@link DelegationTokenManager} through issue, lookup, renew and
 * cancel, either with an in-memory store or (when {@code useZK} is set) a
 * ZooKeeper-backed one.
 *
 * <p>Checks, in order: the password looked up by token matches the password
 * embedded in that token and not the other token's; the password can also be
 * looked up by serialized identifier alone; cancelling one token leaves the
 * other usable; after cancelling a token, lookup and renew fail with the
 * expected messages; a second cancel is tolerated; a corrupt token is
 * rejected.
 *
 * @param useZK whether to back the manager with ZooKeeper instead of memory
 * @throws IOException if token creation or decoding fails unexpectedly
 */
private void testTokenManager(boolean useZK) throws IOException {
  String userName = UserGroupInformation.getCurrentUser().getUserName();
  Configuration config = new Configuration();
  ZooKeeperSession zk = null;
  if (useZK) {
    // ZOOKEEPER_HOSTPORT / ZOOKEEPER_ACL are class-level test constants.
    config.set(ZooKeeperSession.ZOOKEEPER_CONNECTION_STRING_CONF, ZOOKEEPER_HOSTPORT);
    config.set(ZooKeeperSession.ZOOKEEPER_STORE_ACL_CONF, ZOOKEEPER_ACL);
    zk = new ZooKeeperSession(config, "test", 1, 1);
  }
  DelegationTokenManager mgr = new DelegationTokenManager(config, true, zk);
  // Create two tokens
  byte[] token1 = mgr.getToken(userName, userName, userName).token;
  byte[] token2 = mgr.getToken(userName, userName, null).token;
  // Retrieve the passwords by token. Although the token contains the
  // password, this retrieves it using just the identifier.
  byte[] password1 = mgr.getPasswordByToken(token1);
  byte[] password2 = mgr.getPasswordByToken(token2);
  // Make sure it matches the password in token and doesn't match the password for
  // the other token.
  Token<DelegationTokenIdentifier> t1 = new Token<DelegationTokenIdentifier>();
  // token bytes are the URL-string form; decoded here with the platform charset.
  t1.decodeFromUrlString(new String(token1));
  assertTrue(Arrays.equals(t1.getPassword(), password1));
  assertFalse(Arrays.equals(t1.getPassword(), password2));
  // Get the password from just the identifier. This does not contain the password
  // but the server stores it.
  DelegationTokenIdentifier id1 = new DelegationTokenIdentifier();
  id1.readFields(new DataInputStream(new ByteArrayInputStream(t1.getIdentifier())));
  byte[] serializedId1 = Base64.encodeBase64(id1.serialize());
  // The identifier alone must be strictly shorter than the full token.
  assertTrue(serializedId1.length < token1.length);
  // Retrieve the password from the manager by serialized id.
  DelegationTokenManager.UserPassword userPw = mgr.retrieveUserPassword(new String(serializedId1));
  assertTrue(Arrays.equals(password1, Base64.decodeBase64(userPw.password)));
  assertEquals(userName, userPw.user);
  // Cancel token2, token1 should continue to work fine.
  mgr.cancelToken(userName, token2);
  assertTrue(Arrays.equals(mgr.getPasswordByToken(token1), password1));
  // Renew token1, should continue to work.
  mgr.renewToken(userName, token1);
  assertTrue(Arrays.equals(mgr.getPasswordByToken(token1), password1));
  // Cancel token1, should fail to get password for it.
  mgr.cancelToken(userName, token1);
  // The two stores report a missing token differently: the in-memory path
  // throws IOException, the ZK path throws TokenStoreException.
  boolean exceptionThrown = false;
  try {
    mgr.getPasswordByToken(token1);
  } catch (IOException e) {
    exceptionThrown = true;
    assertTrue(e.getMessage().contains("can't be found"));
  } catch (TokenStoreException e) {
    exceptionThrown = true;
    assertTrue(e.getMessage(), e.getMessage().contains("Token does not exist"));
  }
  assertTrue(exceptionThrown);
  // Try to renew.
  exceptionThrown = false;
  try {
    mgr.renewToken(userName, token1);
  } catch (IOException e) {
    exceptionThrown = true;
    assertTrue(e.getMessage().contains("Renewal request for unknown token"));
  } catch (TokenStoreException e) {
    exceptionThrown = true;
    assertTrue(e.getMessage(), e.getMessage().contains("Token does not exist"));
  }
  assertTrue(exceptionThrown);
  // Try to cancel.
  try {
    mgr.cancelToken(userName, token1);
  } catch (IOException e) {
    // Depending on the underlying store (ZK vs in mem), we will throw an exception
    // or silently fail. Having cancel be idempotent is reasonable and the ZK
    // behavior.
    assertTrue(e.getMessage().contains("Token not found"));
  }
  // Try a corrupt token.
  exceptionThrown = false;
  try {
    // 100 zero bytes is not a decodable token.
    mgr.cancelToken(userName, new byte[100]);
  } catch (IOException e) {
    exceptionThrown = true;
    assertTrue(e.getMessage().contains("Token is corrupt."));
  }
  assertTrue(exceptionThrown);
}
From source file:com.cloudera.recordservice.mr.security.TokenUtils.java
License:Apache License
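/**
 * Serializes a token to TDelegationToken.
 *
 * @param t the token to serialize; may be {@code null}
 * @return the serialized token, or {@code null} when {@code t} is {@code null}
 * @throws IOException if the token cannot be encoded
 */
public static DelegationToken toDelegationToken(Token<DelegationTokenIdentifier> t) throws IOException {
  if (t == null) {
    return null;
  }
  // encodeToUrlString() yields URL-safe base64 (ASCII); name the charset
  // rather than depending on the platform default.
  byte[] urlForm = t.encodeToUrlString().getBytes(java.nio.charset.StandardCharsets.UTF_8);
  return new DelegationToken(encodeAsString(t.getIdentifier()), encodeAsString(t.getPassword()), urlForm);
}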
From source file:com.datatorrent.stram.security.StramWSFilter.java
License:Apache License
/**
 * Decodes a client-supplied delegation token string and checks it against the
 * token manager.
 *
 * @param tokenstr the token in URL-string form as presented by the client
 * @return the owner recorded in the verified token identifier
 * @throws IOException if the token string cannot be decoded or the identifier
 *     cannot be read
 */
private String verifyClientToken(String tokenstr) throws IOException {
  Token<StramDelegationTokenIdentifier> clientToken = new Token<StramDelegationTokenIdentifier>();
  clientToken.decodeFromUrlString(tokenstr);
  // Rebuild the identifier from the token's serialized identifier bytes ...
  StramDelegationTokenIdentifier ident = new StramDelegationTokenIdentifier();
  ident.readFields(new DataInputStream(new ByteArrayInputStream(clientToken.getIdentifier())));
  // ... and let the manager check the password. No result is inspected here,
  // so verifyToken must signal a mismatch by throwing — confirm against the
  // token manager's contract.
  tokenManager.verifyToken(ident, clientToken.getPassword());
  return ident.getOwner().toString();
}
From source file:com.datatorrent.stram.StramClient.java
License:Apache License
/**
 * Converts the RM delegation token into a Hadoop token whose service field
 * names every configured HA Resource Manager.
 *
 * <p>Each RM id listed under {@code RM_HA_IDS} is resolved to its RM address,
 * turned into a token service string, and the results are joined with commas.
 *
 * @param rmDelegationToken the RM delegation token as YARN records
 * @return an equivalent Hadoop token carrying the comma-joined HA service name
 */
private Token<RMDelegationTokenIdentifier> getRMHAToken(org.apache.hadoop.yarn.api.records.Token rmDelegationToken) {
  ArrayList<String> serviceNames = new ArrayList<String>();
  for (String rmId : conf.getStringCollection(RM_HA_IDS)) {
    LOG.info("Yarn Resource Manager id: {}", rmId);
    // The RM address lives under RM_HOSTNAME_PREFIX + id; the same key is
    // passed again to createSocketAddr as the config name.
    String addressKey = RM_HOSTNAME_PREFIX + rmId;
    String serviceName = SecurityUtil.buildTokenService(
        NetUtils.createSocketAddr(conf.get(addressKey), YarnConfiguration.DEFAULT_RM_PORT, addressKey)).toString();
    serviceNames.add(serviceName);
  }
  Text haService = new Text(Joiner.on(',').join(serviceNames));
  // ByteBuffer.array() returns the whole backing array and ignores
  // position/limit; this assumes the record buffers are exact-size heap
  // buffers — confirm.
  byte[] identifierBytes = rmDelegationToken.getIdentifier().array();
  byte[] passwordBytes = rmDelegationToken.getPassword().array();
  Text kind = new Text(rmDelegationToken.getKind());
  return new Token<RMDelegationTokenIdentifier>(identifierBytes, passwordBytes, kind, haService);
}
From source file:it.crs4.pydoop.mapreduce.pipes.Application.java
License:Apache License
/**
 * Start the child process to handle the task for us.
 *
 * <p>Sequence: open a listening socket on an ephemeral port, write the job
 * token password to a local file for the child, launch the child with the
 * port and secret location in its environment, accept the child's
 * connection, and run the digest challenge/response before starting the
 * downlink.
 *
 * @param context the task context; supplies the configuration, credentials,
 *     local cache files, task attempt id and output key/value classes
 * @param input the record reader handed to the {@link OutputHandler}
 * @throws IOException if the socket, password file, child process or protocol setup fails
 * @throws InterruptedException if interrupted during startup
 */
Application(TaskInputOutputContext<K1, V1, K2, V2> context, DummyRecordReader input) throws IOException, InterruptedException {
  Configuration conf = context.getConfiguration();
  // Ephemeral port on the wildcard address; the port number is handed to the
  // child through Submitter.PORT below.
  serverSocket = new ServerSocket(0);
  Map<String, String> env = new HashMap<String, String>();
  // add TMPDIR environment variable with the value of java.io.tmpdir
  env.put("TMPDIR", System.getProperty("java.io.tmpdir"));
  env.put(Submitter.PORT, Integer.toString(serverSocket.getLocalPort()));
  //Add token to the environment if security is enabled
  Token<JobTokenIdentifier> jobToken = TokenCache.getJobToken(context.getCredentials());
  // This password is used as shared secret key between this application and
  // child pipes process
  byte[] password = jobToken.getPassword();
  // Written relative to the task's working directory ("."). Restricting the
  // file's permissions is left to writePasswordToLocalFile — confirm it does.
  String localPasswordFile = new File(".") + Path.SEPARATOR + "jobTokenPassword";
  writePasswordToLocalFile(localPasswordFile, password, conf);
  // FIXME why is this not Submitter.SECRET_LOCATION ?
  env.put("hadoop.pipes.shared.secret.location", localPasswordFile);
  List<String> cmd = new ArrayList<String>();
  String interpretor = conf.get(Submitter.INTERPRETOR);
  if (interpretor != null) {
    cmd.add(interpretor);
  }
  // The executable is the first localized distributed-cache file.
  String executable = context.getLocalCacheFiles()[0].toString();
  if (!(new File(executable).canExecute())) {
    // LinuxTaskController sets +x permissions on all distcache files already.
    // In case of DefaultTaskController, set permissions here.
    FileUtil.chmod(executable, "u+x");
  }
  cmd.add(executable);
  // wrap the command in a stdout/stderr capture
  // we are starting map/reduce task of the pipes job. this is not a cleanup
  // attempt.
  TaskAttemptID taskid = context.getTaskAttemptID();
  File stdout = TaskLog.getTaskLogFile(taskid, false, TaskLog.LogName.STDOUT);
  File stderr = TaskLog.getTaskLogFile(taskid, false, TaskLog.LogName.STDERR);
  long logLength = TaskLog.getTaskLogLength(conf);
  cmd = TaskLog.captureOutAndError(null, cmd, stdout, stderr, logLength, false);
  process = runClient(cmd, env);
  // Accepts the first connection that arrives; nothing about the peer is
  // checked here, so the digest exchange below is what ties this connection
  // to the job token.
  clientSocket = serverSocket.accept();
  String challenge = getSecurityChallenge();
  // digestToSend goes to the child together with the challenge; the child's
  // reply is expected to equal digestExpected, which is given to the
  // OutputHandler (the comparison itself is not visible here).
  String digestToSend = createDigest(password, challenge);
  String digestExpected = createDigest(password, digestToSend);
  handler = new OutputHandler<K2, V2>(context, input, digestExpected);
  // Unchecked casts: the configured output classes are trusted to match K2/V2.
  K2 outputKey = (K2) ReflectionUtils.newInstance(context.getOutputKeyClass(), conf);
  V2 outputValue = (V2) ReflectionUtils.newInstance(context.getOutputValueClass(), conf);
  downlink = new BinaryProtocol<K1, V1, K2, V2>(clientSocket, handler, outputKey, outputValue, conf);
  downlink.authenticate(digestToSend, challenge);
  waitForAuthentication();
  LOG.debug("Authentication succeeded");
  downlink.start();
  downlink.setJobConf(conf);
}
From source file:it.crs4.pydoop.pipes.Application.java
License:Apache License
/**
 * Start the child process to handle the task for us.
 *
 * <p>Sequence: open a listening socket on an ephemeral port, write the job
 * token password into the task's local working directory for the child,
 * launch the child with the port and secret location in its environment,
 * accept the child's connection, and run the digest challenge/response
 * before starting the downlink.
 *
 * @param conf the task's configuration
 * @param recordReader the fake record reader to update progress with
 * @param output the collector to send output to
 * @param reporter the reporter for the task
 * @param outputKeyClass the class of the output keys
 * @param outputValueClass the class of the output values
 * @throws IOException if the socket, password file, child process or protocol setup fails
 * @throws InterruptedException if interrupted during startup
 */
Application(JobConf conf, RecordReader<FloatWritable, NullWritable> recordReader, OutputCollector<K2, V2> output, Reporter reporter, Class<? extends K2> outputKeyClass, Class<? extends V2> outputValueClass) throws IOException, InterruptedException {
  // Ephemeral port on the wildcard address; the port number is handed to the
  // child through Submitter.PORT below.
  serverSocket = new ServerSocket(0);
  Map<String, String> env = new HashMap<String, String>();
  // add TMPDIR environment variable with the value of java.io.tmpdir
  env.put("TMPDIR", System.getProperty("java.io.tmpdir"));
  env.put(Submitter.PORT, Integer.toString(serverSocket.getLocalPort()));
  TaskAttemptID taskid = TaskAttemptID.forName(conf.get(MRJobConfig.TASK_ATTEMPT_ID));
  // get the task's working directory
  String workDir = LocalJobRunner.getLocalTaskDir(conf.getUser(), taskid.getJobID().toString(), taskid.getTaskID().toString(), false);
  //Add token to the environment if security is enabled
  Token<JobTokenIdentifier> jobToken = TokenCache.getJobToken(conf.getCredentials());
  // This password is used as shared secret key between this application and
  // child pipes process
  byte[] password = jobToken.getPassword();
  // Restricting the file's permissions is left to writePasswordToLocalFile —
  // confirm it does.
  String localPasswordFile = new File(workDir, "jobTokenPassword").getAbsolutePath();
  writePasswordToLocalFile(localPasswordFile, password, conf);
  env.put("hadoop.pipes.shared.secret.location", localPasswordFile);
  List<String> cmd = new ArrayList<String>();
  String interpretor = conf.get(Submitter.INTERPRETOR);
  if (interpretor != null) {
    cmd.add(interpretor);
  }
  // The executable is the first localized distributed-cache file.
  String executable = DistributedCache.getLocalCacheFiles(conf)[0].toString();
  if (!(new File(executable).canExecute())) {
    // LinuxTaskController sets +x permissions on all distcache files already.
    // In case of DefaultTaskController, set permissions here.
    FileUtil.chmod(executable, "u+x");
  }
  cmd.add(executable);
  // wrap the command in a stdout/stderr capture
  // we are starting map/reduce task of the pipes job. this is not a cleanup
  // attempt.
  File stdout = TaskLog.getTaskLogFile(taskid, false, TaskLog.LogName.STDOUT);
  File stderr = TaskLog.getTaskLogFile(taskid, false, TaskLog.LogName.STDERR);
  long logLength = TaskLog.getTaskLogLength(conf);
  cmd = TaskLog.captureOutAndError(null, cmd, stdout, stderr, logLength, false);
  process = runClient(cmd, env);
  // Accepts the first connection that arrives; nothing about the peer is
  // checked here, so the digest exchange below is what ties this connection
  // to the job token.
  clientSocket = serverSocket.accept();
  String challenge = getSecurityChallenge();
  // digestToSend goes to the child together with the challenge; the child's
  // reply is expected to equal digestExpected, which is given to the
  // OutputHandler (the comparison itself is not visible here).
  String digestToSend = createDigest(password, challenge);
  String digestExpected = createDigest(password, digestToSend);
  handler = new OutputHandler<K2, V2>(output, reporter, recordReader, digestExpected);
  // Unchecked casts: the supplied output classes are trusted to match K2/V2.
  K2 outputKey = (K2) ReflectionUtils.newInstance(outputKeyClass, conf);
  V2 outputValue = (V2) ReflectionUtils.newInstance(outputValueClass, conf);
  downlink = new BinaryProtocol<K1, V1, K2, V2>(clientSocket, handler, outputKey, outputValue, conf);
  downlink.authenticate(digestToSend, challenge);
  waitForAuthentication();
  LOG.debug("Authentication succeeded");
  downlink.start();
  downlink.setJobConf(conf);
}