Repository: hadoop Updated Branches: refs/heads/branch-2.8 8f10d0209 -> 5f6806d90
HADOOP-14920. KMSClientProvider won't work with KMS delegation token retrieved from non-Java client. Contributed by Xiaoyu Yao. (cherry picked from commit 2b08a1fc644904a37545107666efc25b3552542d) Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/5f6806d9 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/5f6806d9 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/5f6806d9 Branch: refs/heads/branch-2.8 Commit: 5f6806d906659900e0a9cdaa307aa50e96220538 Parents: 8f10d02 Author: Xiaoyu Yao <[email protected]> Authored: Fri Oct 6 10:12:24 2017 -0700 Committer: Xiaoyu Yao <[email protected]> Committed: Thu Feb 8 09:23:56 2018 -0800 ---------------------------------------------------------------------- .../DelegationTokenAuthenticationHandler.java | 5 +- .../web/DelegationTokenAuthenticator.java | 1 + .../delegation/web/DelegationTokenManager.java | 15 +++- ...tionTokenAuthenticationHandlerWithMocks.java | 72 ++++++++++++++------ 4 files changed, 70 insertions(+), 23 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/5f6806d9/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java index c23a94f..caf3172 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java 
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java @@ -236,8 +236,11 @@ public abstract class DelegationTokenAuthenticationHandler } String renewer = ServletUtils.getParameter(request, KerberosDelegationTokenAuthenticator.RENEWER_PARAM); + String service = ServletUtils.getParameter(request, + KerberosDelegationTokenAuthenticator.SERVICE_PARAM); try { - Token<?> dToken = tokenManager.createToken(requestUgi, renewer); + Token<?> dToken = tokenManager.createToken(requestUgi, renewer, + service); map = delegationTokenToJSON(dToken); } catch (IOException ex) { throw new AuthenticationException(ex.toString(), ex); http://git-wip-us.apache.org/repos/asf/hadoop/blob/5f6806d9/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java index 2d60d4a..509c6ef 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java 
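Review bot: The `service` query parameter is read from the request and passed straight into `tokenManager.createToken(requestUgi, renewer, service)` with no check on its length or characters, so any authenticated caller chooses what ends up in the issued token's service field and in the debug log line. As far as I know the service field is not covered by the token's signature, so it is worth stating that next to the read, e.g. `// service is caller-supplied and informational only; never use it for authorization`, and rejecting values that are empty or contain control characters before the `try`. The enclosing method begins and ends outside this hunk, so I cannot see whether `ServletUtils.getParameter` already trims or decodes the value.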
@@ -66,6 +66,7 @@ public abstract class DelegationTokenAuthenticator implements Authenticator { public static final String DELEGATION_PARAM = "delegation"; public static final String TOKEN_PARAM = "token"; public static final String RENEWER_PARAM = "renewer"; + public static final String SERVICE_PARAM = "service"; public static final String DELEGATION_TOKEN_JSON = "Token"; public static final String DELEGATION_TOKEN_URL_STRING_JSON = "urlString"; public static final String RENEW_DELEGATION_TOKEN_JSON = "long"; http://git-wip-us.apache.org/repos/asf/hadoop/blob/5f6806d9/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenManager.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenManager.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenManager.java index b1a8d48..fd19b67 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenManager.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenManager.java 
@@ -160,7 +160,14 @@ public class DelegationTokenManager { @SuppressWarnings("unchecked") public Token<? extends AbstractDelegationTokenIdentifier> createToken( UserGroupInformation ugi, String renewer) { - LOG.debug("Creating token with ugi:{}, renewer:{}.", ugi, renewer); + return createToken(ugi, renewer, null); + } + + @SuppressWarnings("unchecked") + public Token<? extends AbstractDelegationTokenIdentifier> createToken( + UserGroupInformation ugi, String renewer, String service) { + LOG.debug("Creating token with ugi:{}, renewer:{}, service:{}.", + ugi, renewer, service !=null ? service : ""); renewer = (renewer == null) ? ugi.getShortUserName() : renewer; String user = ugi.getUserName(); Text owner = new Text(user); @@ -173,7 +180,11 @@ public class DelegationTokenManager { tokenIdentifier.setOwner(owner); tokenIdentifier.setRenewer(new Text(renewer)); tokenIdentifier.setRealUser(realUser); - return new Token(tokenIdentifier, secretManager); + Token token = new Token(tokenIdentifier, secretManager); + if (service != null) { + token.setService(new Text(service)); + } + return token; } @SuppressWarnings("unchecked") http://git-wip-us.apache.org/repos/asf/hadoop/blob/5f6806d9/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenAuthenticationHandlerWithMocks.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenAuthenticationHandlerWithMocks.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenAuthenticationHandlerWithMocks.java index d9c4f02..678e1ee 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenAuthenticationHandlerWithMocks.java 
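Review bot: The new public overload `createToken(ugi, renewer, service)` has no Javadoc, and its debug statement now writes a request-supplied string into the log. A short Javadoc should say that `service` may be null, in which case the token's service is left at its default, and that the value is set on the token as given (the `token.setService(new Text(service))` in the following hunk) without any validation in this class. In the log call, `service !=null ? service : ""` is missing a space before `null`, and if the logging facade already renders a null argument the ternary can be dropped: `LOG.debug("Creating token with ugi:{}, renewer:{}, service:{}.", ugi, renewer, service);`. The following hunk also introduces a raw `Token token` local; it compiles under the existing `@SuppressWarnings("unchecked")`, but a parameterised declaration would avoid the raw type.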
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestDelegationTokenAuthenticationHandlerWithMocks.java @@ -107,12 +107,21 @@ public class TestDelegationTokenAuthenticationHandlerWithMocks { @Test public void testManagementOperations() throws Exception { - testNonManagementOperation(); - testManagementOperationErrors(); - testGetToken(null, new Text("foo")); - testGetToken("bar", new Text("foo")); - testCancelToken(); - testRenewToken(); + final Text testTokenKind = new Text("foo"); + final String testRenewer = "bar"; + final String testService = "192.168.64.101:8888"; + testNonManagementOperation(); + testManagementOperationErrors(); + testGetToken(null, null, testTokenKind); + testGetToken(testRenewer, null, testTokenKind); + testCancelToken(); + testRenewToken(testRenewer); + + // Management operations against token requested with service parameter + Token<DelegationTokenIdentifier> testToken = + testGetToken(testRenewer, testService, testTokenKind); + testRenewToken(testToken, testRenewer); + testCancelToken(testToken); } private void testNonManagementOperation() throws Exception { @@ -152,8 +161,8 @@ public class TestDelegationTokenAuthenticationHandlerWithMocks { Mockito.eq("mock")); } - private void testGetToken(String renewer, Text expectedTokenKind) - throws Exception { + private Token<DelegationTokenIdentifier> testGetToken(String renewer, + String service, Text expectedTokenKind) throws Exception { DelegationTokenAuthenticator.DelegationTokenOperation op = DelegationTokenAuthenticator.DelegationTokenOperation. GETDELEGATIONTOKEN; 
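Review bot: The only `service` value exercised in `testManagementOperations` is the well-formed `192.168.64.101:8888`, so nothing pins down what the handler does with an empty `service=` parameter or with a value that needs URL decoding. Since the parameter comes from the request, a case or two for those inputs would document the intended behaviour, for example `testGetToken(testRenewer, "", testTokenKind);` with the expected outcome asserted. A one-line comment on `testService` noting that it is an arbitrary host:port string rather than a reachable address would also help readers.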
@@ -169,10 +178,14 @@ public class TestDelegationTokenAuthenticationHandlerWithMocks { new StringWriter())); Assert.assertFalse(handler.managementOperation(token, request, response)); - Mockito.when(request.getQueryString()). - thenReturn(DelegationTokenAuthenticator.OP_PARAM + "=" + op.toString() + - "&" + DelegationTokenAuthenticator.RENEWER_PARAM + "=" + renewer); - + String queryString = + DelegationTokenAuthenticator.OP_PARAM + "=" + op.toString() + "&" + + DelegationTokenAuthenticator.RENEWER_PARAM + "=" + renewer; + if (service != null) { + queryString += "&" + DelegationTokenAuthenticator.SERVICE_PARAM + "=" + + service; + } + Mockito.when(request.getQueryString()).thenReturn(queryString); Mockito.reset(response); Mockito.reset(token); Mockito.when(token.getUserName()).thenReturn("user"); @@ -204,10 +217,25 @@ public class TestDelegationTokenAuthenticationHandlerWithMocks { dt.decodeFromUrlString(tokenStr); handler.getTokenManager().verifyToken(dt); Assert.assertEquals(expectedTokenKind, dt.getKind()); + if (service != null) { + Assert.assertEquals(service, dt.getService().toString()); + } else { + Assert.assertEquals(0, dt.getService().getLength()); + } + return dt; } @SuppressWarnings("unchecked") private void testCancelToken() throws Exception { + Token<DelegationTokenIdentifier> token = + (Token<DelegationTokenIdentifier>) handler.getTokenManager() + .createToken(UserGroupInformation.getCurrentUser(), "foo"); + testCancelToken(token); + } + + @SuppressWarnings("unchecked") + private void testCancelToken(Token<DelegationTokenIdentifier> token) + throws Exception { DelegationTokenAuthenticator.DelegationTokenOperation op = DelegationTokenAuthenticator.DelegationTokenOperation. CANCELDELEGATIONTOKEN; 
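Review bot: In `testGetToken` the query string omits `service` when it is null but still appends `renewer` unconditionally, so the `testGetToken(null, null, ...)` call sends the literal text `renewer=null` rather than a request without a renewer. If the intent is to cover the default-renewer path, build it the same way as the service part: `if (renewer != null) { queryString += "&" + DelegationTokenAuthenticator.RENEWER_PARAM + "=" + renewer; }`. The values are also concatenated without URL encoding, which is fine for the current constants but would break for a service containing `&` or `=`. The rest of the method, including how the renewer is checked afterwards, lies outside the hunk, so this may already be accounted for there.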
@@ -224,9 +252,6 @@ public class TestDelegationTokenAuthenticationHandlerWithMocks { Mockito.contains("requires the parameter [token]")); Mockito.reset(response); - Token<DelegationTokenIdentifier> token = - (Token<DelegationTokenIdentifier>) handler.getTokenManager().createToken( - UserGroupInformation.getCurrentUser(), "foo"); Mockito.when(request.getQueryString()).thenReturn( DelegationTokenAuthenticator.OP_PARAM + "=" + op.toString() + "&" + DelegationTokenAuthenticator.TOKEN_PARAM + "=" + @@ -245,7 +270,16 @@ public class TestDelegationTokenAuthenticationHandlerWithMocks { } @SuppressWarnings("unchecked") - private void testRenewToken() throws Exception { + private void testRenewToken(String testRenewer) throws Exception { + Token<DelegationTokenIdentifier> dToken = (Token<DelegationTokenIdentifier>) + handler.getTokenManager().createToken( + UserGroupInformation.getCurrentUser(), testRenewer); + testRenewToken(dToken, testRenewer); + } + + @SuppressWarnings("unchecked") + private void testRenewToken(Token<DelegationTokenIdentifier> dToken, + String testRenewer) throws Exception { DelegationTokenAuthenticator.DelegationTokenOperation op = DelegationTokenAuthenticator.DelegationTokenOperation. RENEWDELEGATIONTOKEN; @@ -266,7 +300,7 @@ public class TestDelegationTokenAuthenticationHandlerWithMocks { Mockito.reset(response); AuthenticationToken token = Mockito.mock(AuthenticationToken.class); - Mockito.when(token.getUserName()).thenReturn("user"); + Mockito.when(token.getUserName()).thenReturn(testRenewer); Assert.assertFalse(handler.managementOperation(token, request, response)); Mockito.verify(response).sendError( Mockito.eq(HttpServletResponse.SC_BAD_REQUEST), 
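Review bot: After this change `testRenewToken` always authenticates as the token's renewer (`token.getUserName()` returns `testRenewer`), and I see no case in the visible hunks where a different user tries to renew and is refused. Renewal is an authorization decision, so a negative case is worth adding, e.g. stubbing `Mockito.when(token.getUserName()).thenReturn("not-" + testRenewer);` and asserting that the renewal is rejected. The bodies of both `testRenewToken` overloads continue outside the hunks, so such a check may exist in the part not shown.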
@@ -276,9 +310,7 @@ public class TestDelegationTokenAuthenticationHandlerWithMocks { StringWriter writer = new StringWriter(); PrintWriter pwriter = new PrintWriter(writer); Mockito.when(response.getWriter()).thenReturn(pwriter); - Token<DelegationTokenIdentifier> dToken = - (Token<DelegationTokenIdentifier>) handler.getTokenManager().createToken( - UserGroupInformation.getCurrentUser(), "user"); + Mockito.when(request.getQueryString()). thenReturn(DelegationTokenAuthenticator.OP_PARAM + "=" + op.toString() + "&" + DelegationTokenAuthenticator.TOKEN_PARAM + "=" +
