YARN-2656. Made RM web services authentication filter support proxy user. Contributed by Varun Vasudev and Zhijie Shen.
This commit is contained in:
parent
0260231667
commit
1220bb72d4
|
@ -81,7 +81,7 @@ public abstract class DelegationTokenAuthenticationHandler
|
|||
|
||||
private static final Set<String> DELEGATION_TOKEN_OPS = new HashSet<String>();
|
||||
|
||||
static final String DELEGATION_TOKEN_UGI_ATTRIBUTE =
|
||||
public static final String DELEGATION_TOKEN_UGI_ATTRIBUTE =
|
||||
"hadoop.security.delegation-token.ugi";
|
||||
|
||||
static {
|
||||
|
|
|
@ -162,6 +162,9 @@ Release 2.6.0 - UNRELEASED
|
|||
YARN-2501. Enhanced AMRMClient library to support requests against node
|
||||
labels. (Wangda Tan via vinodkv)
|
||||
|
||||
YARN-2656. Made RM web services authentication filter support proxy user.
|
||||
(Varun Vasudev and Zhijie Shen via zjshen)
|
||||
|
||||
IMPROVEMENTS
|
||||
|
||||
YARN-2197. Add a link to YARN CHANGES.txt in the left side of doc
|
||||
|
|
|
@ -18,46 +18,74 @@
|
|||
|
||||
package org.apache.hadoop.yarn.server.security.http;
|
||||
|
||||
import java.util.Properties;
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.FilterConfig;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletRequestWrapper;
|
||||
|
||||
import org.apache.hadoop.classification.InterfaceAudience.Private;
|
||||
import org.apache.hadoop.classification.InterfaceStability.Unstable;
|
||||
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
|
||||
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
|
||||
import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter;
|
||||
import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator;
|
||||
|
||||
@Private
|
||||
@Unstable
|
||||
public class RMAuthenticationFilter extends AuthenticationFilter {
|
||||
public class RMAuthenticationFilter extends
|
||||
DelegationTokenAuthenticationFilter {
|
||||
|
||||
static private AbstractDelegationTokenSecretManager<?> manager;
|
||||
public static final String AUTH_HANDLER_PROPERTY =
|
||||
"yarn.resourcemanager.authentication-handler";
|
||||
private static final String OLD_HEADER = "Hadoop-YARN-Auth-Delegation-Token";
|
||||
|
||||
public RMAuthenticationFilter() {
|
||||
}
|
||||
|
||||
@Override
|
||||
protected Properties getConfiguration(String configPrefix,
|
||||
FilterConfig filterConfig) throws ServletException {
|
||||
|
||||
// In yarn-site.xml, we can simply set type to "kerberos". However, we need
|
||||
// to replace the name here to use the customized Kerberos + DT service
|
||||
// instead of the standard Kerberos handler.
|
||||
|
||||
Properties properties = super.getConfiguration(configPrefix, filterConfig);
|
||||
String yarnAuthHandler = properties.getProperty(AUTH_HANDLER_PROPERTY);
|
||||
if (yarnAuthHandler == null || yarnAuthHandler.isEmpty()) {
|
||||
// if http auth type is simple, the default authentication filter
|
||||
// will handle it, else throw an exception
|
||||
if (!properties.getProperty(AUTH_TYPE).equals("simple")) {
|
||||
throw new ServletException("Authentication handler class is empty");
|
||||
}
|
||||
}
|
||||
if (properties.getProperty(AUTH_TYPE).equalsIgnoreCase("kerberos")) {
|
||||
properties.setProperty(AUTH_TYPE, yarnAuthHandler);
|
||||
}
|
||||
return properties;
|
||||
public void init(FilterConfig filterConfig) throws ServletException {
|
||||
filterConfig.getServletContext().setAttribute(
|
||||
DelegationTokenAuthenticationFilter.DELEGATION_TOKEN_SECRET_MANAGER_ATTR,
|
||||
manager);
|
||||
super.init(filterConfig);
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public void doFilter(ServletRequest request, ServletResponse response,
|
||||
FilterChain filterChain) throws IOException, ServletException {
|
||||
HttpServletRequest req = (HttpServletRequest) request;
|
||||
String newHeader =
|
||||
req.getHeader(DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER);
|
||||
if (newHeader == null || newHeader.isEmpty()) {
|
||||
// For backward compatibility, allow use of the old header field
|
||||
// only when the new header doesn't exist
|
||||
final String oldHeader = req.getHeader(OLD_HEADER);
|
||||
if (oldHeader != null && !oldHeader.isEmpty()) {
|
||||
request = new HttpServletRequestWrapper(req) {
|
||||
@Override
|
||||
public String getHeader(String name) {
|
||||
if (name
|
||||
.equals(DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER)) {
|
||||
return oldHeader;
|
||||
}
|
||||
return super.getHeader(name);
|
||||
}
|
||||
};
|
||||
}
|
||||
}
|
||||
super.doFilter(request, response, filterChain);
|
||||
}
|
||||
|
||||
public static void setDelegationTokenSecretManager(
|
||||
AbstractDelegationTokenSecretManager<?> manager) {
|
||||
RMAuthenticationFilter.manager = manager;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -35,17 +35,21 @@ import org.apache.hadoop.security.SecurityUtil;
|
|||
import org.apache.hadoop.security.UserGroupInformation;
|
||||
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
|
||||
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
|
||||
import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler;
|
||||
import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
|
||||
|
||||
@Unstable
|
||||
public class RMAuthenticationFilterInitializer extends FilterInitializer {
|
||||
|
||||
String configPrefix;
|
||||
String proxyPrefix;
|
||||
String signatureSecretFileProperty;
|
||||
String kerberosPrincipalProperty;
|
||||
String cookiePath;
|
||||
|
||||
public RMAuthenticationFilterInitializer() {
|
||||
this.configPrefix = "hadoop.http.authentication.";
|
||||
this.proxyPrefix = "yarn.resourcemanager.webapp.proxyuser.";
|
||||
this.signatureSecretFileProperty =
|
||||
AuthenticationFilter.SIGNATURE_SECRET + ".file";
|
||||
this.kerberosPrincipalProperty = KerberosAuthenticationHandler.PRINCIPAL;
|
||||
|
@ -59,10 +63,14 @@ public class RMAuthenticationFilterInitializer extends FilterInitializer {
|
|||
filterConfig.put(AuthenticationFilter.COOKIE_PATH, cookiePath);
|
||||
|
||||
for (Map.Entry<String, String> entry : conf) {
|
||||
String name = entry.getKey();
|
||||
if (name.startsWith(configPrefix)) {
|
||||
String value = conf.get(name);
|
||||
name = name.substring(configPrefix.length());
|
||||
String propName = entry.getKey();
|
||||
if (propName.startsWith(configPrefix)) {
|
||||
String value = conf.get(propName);
|
||||
String name = propName.substring(configPrefix.length());
|
||||
filterConfig.put(name, value);
|
||||
} else if (propName.startsWith(proxyPrefix)) {
|
||||
String value = conf.get(propName);
|
||||
String name = propName.substring("yarn.resourcemanager.webapp.".length());
|
||||
filterConfig.put(name, value);
|
||||
}
|
||||
}
|
||||
|
@ -107,6 +115,10 @@ public class RMAuthenticationFilterInitializer extends FilterInitializer {
|
|||
}
|
||||
filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL, principal);
|
||||
}
|
||||
|
||||
filterConfig.put(DelegationTokenAuthenticationHandler.TOKEN_KIND,
|
||||
RMDelegationTokenIdentifier.KIND_NAME.toString());
|
||||
|
||||
return filterConfig;
|
||||
}
|
||||
|
||||
|
|
|
@ -901,6 +901,8 @@ public class ResourceManager extends CompositeService implements Recoverable {
|
|||
+ " for RM webapp authentication");
|
||||
RMAuthenticationHandler
|
||||
.setSecretManager(getClientRMService().rmDTSecretManager);
|
||||
RMAuthenticationFilter
|
||||
.setDelegationTokenSecretManager(getClientRMService().rmDTSecretManager);
|
||||
String yarnAuthKey =
|
||||
authPrefix + RMAuthenticationFilter.AUTH_HANDLER_PROPERTY;
|
||||
conf.setStrings(yarnAuthKey, RMAuthenticationHandler.class.getName());
|
||||
|
|
|
@ -65,6 +65,7 @@ import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHa
|
|||
import org.apache.hadoop.security.authorize.AuthorizationException;
|
||||
import org.apache.hadoop.security.token.Token;
|
||||
import org.apache.hadoop.security.token.TokenIdentifier;
|
||||
import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler;
|
||||
import org.apache.hadoop.yarn.api.protocolrecords.GetApplicationsRequest;
|
||||
import org.apache.hadoop.yarn.api.protocolrecords.GetNewApplicationRequest;
|
||||
import org.apache.hadoop.yarn.api.protocolrecords.GetNewApplicationResponse;
|
||||
|
@ -1085,10 +1086,18 @@ public class RMWebServices {
|
|||
}
|
||||
|
||||
String authType = hsr.getAuthType();
|
||||
if (!KerberosAuthenticationHandler.TYPE.equals(authType)) {
|
||||
if (!KerberosAuthenticationHandler.TYPE.equalsIgnoreCase(authType)) {
|
||||
String msg =
|
||||
"Delegation token operations can only be carried out on a "
|
||||
+ "Kerberos authenticated channel";
|
||||
+ "Kerberos authenticated channel. Expected auth type is "
|
||||
+ KerberosAuthenticationHandler.TYPE + ", got type " + authType;
|
||||
throw new YarnException(msg);
|
||||
}
|
||||
if (hsr
|
||||
.getAttribute(DelegationTokenAuthenticationHandler.DELEGATION_TOKEN_UGI_ATTRIBUTE) != null) {
|
||||
String msg =
|
||||
"Delegation token operations cannot be carried out using delegation"
|
||||
+ " token authentication.";
|
||||
throw new YarnException(msg);
|
||||
}
|
||||
|
||||
|
|
|
@ -708,6 +708,7 @@ public class TestRMAdminService {
|
|||
aclsString);
|
||||
|
||||
// verify ProxyUsers and ProxyHosts
|
||||
ProxyUsers.refreshSuperUserGroupsConfiguration(configuration);
|
||||
Assert.assertTrue(ProxyUsers.getDefaultImpersonationProvider().getProxyGroups()
|
||||
.get("hadoop.proxyuser.test.groups").size() == 1);
|
||||
Assert.assertTrue(ProxyUsers.getDefaultImpersonationProvider().getProxyGroups()
|
||||
|
|
|
@ -31,6 +31,8 @@ import java.io.OutputStream;
|
|||
import java.io.StringWriter;
|
||||
import java.net.HttpURLConnection;
|
||||
import java.net.URL;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
import java.util.concurrent.Callable;
|
||||
|
||||
import javax.ws.rs.core.MediaType;
|
||||
|
@ -46,7 +48,10 @@ import org.apache.hadoop.security.UserGroupInformation;
|
|||
import org.apache.hadoop.security.authentication.KerberosTestUtils;
|
||||
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
|
||||
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
|
||||
import org.apache.hadoop.security.token.Token;
|
||||
import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator;
|
||||
import org.apache.hadoop.yarn.conf.YarnConfiguration;
|
||||
import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler;
|
||||
|
@ -55,11 +60,15 @@ import org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.ApplicationSubmi
|
|||
import org.apache.hadoop.yarn.util.ConverterUtils;
|
||||
import org.codehaus.jettison.json.JSONObject;
|
||||
import org.junit.AfterClass;
|
||||
import org.junit.Assert;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
|
||||
import com.sun.jersey.api.client.ClientResponse.Status;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.junit.runners.Parameterized;
|
||||
|
||||
@RunWith(Parameterized.class)
|
||||
public class TestRMWebServicesDelegationTokenAuthentication {
|
||||
|
||||
private static final File testRootDir = new File("target",
|
||||
|
@ -74,10 +83,17 @@ public class TestRMWebServicesDelegationTokenAuthentication {
|
|||
private static MiniKdc testMiniKDC;
|
||||
private static MockRM rm;
|
||||
|
||||
|
||||
String delegationTokenHeader;
|
||||
|
||||
// use published header name
|
||||
final static String DelegationTokenHeader =
|
||||
final static String OldDelegationTokenHeader =
|
||||
"Hadoop-YARN-Auth-Delegation-Token";
|
||||
|
||||
// alternate header name
|
||||
final static String NewDelegationTokenHeader =
|
||||
DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER;
|
||||
|
||||
@BeforeClass
|
||||
public static void setUp() {
|
||||
try {
|
||||
|
@ -99,8 +115,14 @@ public class TestRMWebServicesDelegationTokenAuthentication {
|
|||
}
|
||||
}
|
||||
|
||||
public TestRMWebServicesDelegationTokenAuthentication() throws Exception {
|
||||
@Parameterized.Parameters
|
||||
public static Collection<Object[]> headers() {
|
||||
return Arrays.asList(new Object[][] { {OldDelegationTokenHeader}, {NewDelegationTokenHeader}});
|
||||
}
|
||||
|
||||
public TestRMWebServicesDelegationTokenAuthentication(String header) throws Exception {
|
||||
super();
|
||||
this.delegationTokenHeader = header;
|
||||
}
|
||||
|
||||
private static void setupAndStartRM() throws Exception {
|
||||
|
@ -136,6 +158,8 @@ public class TestRMWebServicesDelegationTokenAuthentication {
|
|||
rmconf.set(YarnConfiguration.NM_WEBAPP_SPNEGO_KEYTAB_FILE_KEY,
|
||||
httpSpnegoKeytabFile.getAbsolutePath());
|
||||
rmconf.setBoolean("mockrm.webapp.enabled", true);
|
||||
rmconf.set("yarn.resourcemanager.webapp.proxyuser.client.hosts", "*");
|
||||
rmconf.set("yarn.resourcemanager.webapp.proxyuser.client.groups", "*");
|
||||
UserGroupInformation.setConfiguration(rmconf);
|
||||
rm = new MockRM(rmconf);
|
||||
rm.start();
|
||||
|
@ -143,10 +167,11 @@ public class TestRMWebServicesDelegationTokenAuthentication {
|
|||
}
|
||||
|
||||
private static void setupKDC() throws Exception {
|
||||
if (miniKDCStarted == false) {
|
||||
if (!miniKDCStarted) {
|
||||
testMiniKDC.start();
|
||||
getKdc().createPrincipal(httpSpnegoKeytabFile, "HTTP/localhost",
|
||||
"client", UserGroupInformation.getLoginUser().getShortUserName());
|
||||
"client", UserGroupInformation.getLoginUser().getShortUserName(),
|
||||
"client2");
|
||||
miniKDCStarted = true;
|
||||
}
|
||||
}
|
||||
|
@ -189,11 +214,26 @@ public class TestRMWebServicesDelegationTokenAuthentication {
|
|||
}
|
||||
|
||||
conn = (HttpURLConnection) url.openConnection();
|
||||
conn.setRequestProperty(DelegationTokenHeader, token);
|
||||
conn.setRequestProperty(delegationTokenHeader, token);
|
||||
setupConn(conn, "POST", MediaType.APPLICATION_XML, requestBody);
|
||||
|
||||
// this should not fail
|
||||
conn.getInputStream();
|
||||
try {
|
||||
conn.getInputStream();
|
||||
}
|
||||
catch(IOException ie) {
|
||||
InputStream errorStream = conn.getErrorStream();
|
||||
String error = "";
|
||||
BufferedReader reader = null;
|
||||
reader = new BufferedReader(new InputStreamReader(errorStream, "UTF8"));
|
||||
for (String line; (line = reader.readLine()) != null;) {
|
||||
error += line;
|
||||
}
|
||||
reader.close();
|
||||
errorStream.close();
|
||||
fail("Response " + conn.getResponseCode() + "; " + error);
|
||||
}
|
||||
|
||||
boolean appExists =
|
||||
rm.getRMContext().getRMApps()
|
||||
.containsKey(ConverterUtils.toApplicationId(appid));
|
||||
|
@ -203,8 +243,6 @@ public class TestRMWebServicesDelegationTokenAuthentication {
|
|||
.get(ConverterUtils.toApplicationId(appid));
|
||||
String owner = actualApp.getUser();
|
||||
assertEquals("client", owner);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
// Test to make sure that cancelled delegation tokens
|
||||
|
@ -221,7 +259,7 @@ public class TestRMWebServicesDelegationTokenAuthentication {
|
|||
|
||||
URL url = new URL("http://localhost:8088/ws/v1/cluster/apps");
|
||||
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
|
||||
conn.setRequestProperty(DelegationTokenHeader, token);
|
||||
conn.setRequestProperty(delegationTokenHeader, token);
|
||||
setupConn(conn, "POST", MediaType.APPLICATION_XML, requestBody);
|
||||
|
||||
// this should fail with unauthorized because only
|
||||
|
@ -232,7 +270,6 @@ public class TestRMWebServicesDelegationTokenAuthentication {
|
|||
} catch (IOException e) {
|
||||
assertEquals(Status.FORBIDDEN.getStatusCode(), conn.getResponseCode());
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
// Test to make sure that we can't do delegation token
|
||||
|
@ -248,7 +285,7 @@ public class TestRMWebServicesDelegationTokenAuthentication {
|
|||
for (String requestBody : requests) {
|
||||
URL url = new URL("http://localhost:8088/ws/v1/cluster/delegation-token");
|
||||
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
|
||||
conn.setRequestProperty(DelegationTokenHeader, token);
|
||||
conn.setRequestProperty(delegationTokenHeader, token);
|
||||
setupConn(conn, "POST", MediaType.APPLICATION_JSON, requestBody);
|
||||
try {
|
||||
conn.getInputStream();
|
||||
|
@ -262,7 +299,7 @@ public class TestRMWebServicesDelegationTokenAuthentication {
|
|||
// test cancel
|
||||
URL url = new URL("http://localhost:8088/ws/v1/cluster/delegation-token");
|
||||
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
|
||||
conn.setRequestProperty(DelegationTokenHeader, token);
|
||||
conn.setRequestProperty(delegationTokenHeader, token);
|
||||
conn.setRequestProperty(RMWebServices.DELEGATION_TOKEN_HEADER, token);
|
||||
setupConn(conn, "DELETE", null, null);
|
||||
try {
|
||||
|
@ -271,11 +308,94 @@ public class TestRMWebServicesDelegationTokenAuthentication {
|
|||
} catch (IOException e) {
|
||||
assertEquals(Status.FORBIDDEN.getStatusCode(), conn.getResponseCode());
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
// Superuser "client" should be able to get a delegation token
|
||||
// for user "client2" when authenticated using Kerberos
|
||||
// The request shouldn't work when authenticated using DelegationTokens
|
||||
@Test
|
||||
public void testDoAs() throws Exception {
|
||||
|
||||
KerberosTestUtils.doAsClient(new Callable<Void>() {
|
||||
@Override
|
||||
public Void call() throws Exception {
|
||||
String token = "";
|
||||
String owner = "";
|
||||
String renewer = "renewer";
|
||||
String body = "{\"renewer\":\"" + renewer + "\"}";
|
||||
URL url =
|
||||
new URL("http://localhost:8088/ws/v1/cluster/delegation-token?doAs=client2");
|
||||
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
|
||||
setupConn(conn, "POST", MediaType.APPLICATION_JSON, body);
|
||||
InputStream response = conn.getInputStream();
|
||||
assertEquals(Status.OK.getStatusCode(), conn.getResponseCode());
|
||||
BufferedReader reader = null;
|
||||
try {
|
||||
reader = new BufferedReader(new InputStreamReader(response, "UTF8"));
|
||||
for (String line; (line = reader.readLine()) != null;) {
|
||||
JSONObject obj = new JSONObject(line);
|
||||
if (obj.has("token")) {
|
||||
token = obj.getString("token");
|
||||
}
|
||||
if(obj.has("owner")) {
|
||||
owner = obj.getString("owner");
|
||||
}
|
||||
}
|
||||
} finally {
|
||||
IOUtils.closeQuietly(reader);
|
||||
IOUtils.closeQuietly(response);
|
||||
}
|
||||
Assert.assertEquals("client2", owner);
|
||||
Token<RMDelegationTokenIdentifier> realToken = new Token<RMDelegationTokenIdentifier>();
|
||||
realToken.decodeFromUrlString(token);
|
||||
Assert.assertEquals("client2", realToken.decodeIdentifier().getOwner().toString());
|
||||
return null;
|
||||
}
|
||||
});
|
||||
|
||||
// this should not work
|
||||
final String token = getDelegationToken("client");
|
||||
String renewer = "renewer";
|
||||
String body = "{\"renewer\":\"" + renewer + "\"}";
|
||||
URL url =
|
||||
new URL("http://localhost:8088/ws/v1/cluster/delegation-token?doAs=client2");
|
||||
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
|
||||
conn.setRequestProperty(delegationTokenHeader, token);
|
||||
setupConn(conn, "POST", MediaType.APPLICATION_JSON, body);
|
||||
try {
|
||||
conn.getInputStream();
|
||||
fail("Client should not be allowed to impersonate using delegation tokens");
|
||||
}
|
||||
catch(IOException ie) {
|
||||
assertEquals(Status.FORBIDDEN.getStatusCode(), conn.getResponseCode());
|
||||
}
|
||||
|
||||
// this should also fail due to client2 not being a super user
|
||||
KerberosTestUtils.doAs("client2@EXAMPLE.COM", new Callable<Void>() {
|
||||
@Override
|
||||
public Void call() throws Exception {
|
||||
String renewer = "renewer";
|
||||
String body = "{\"renewer\":\"" + renewer + "\"}";
|
||||
URL url =
|
||||
new URL(
|
||||
"http://localhost:8088/ws/v1/cluster/delegation-token?doAs=client");
|
||||
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
|
||||
setupConn(conn, "POST", MediaType.APPLICATION_JSON, body);
|
||||
try {
|
||||
conn.getInputStream();
|
||||
fail("Non superuser client should not be allowed to carry out doAs");
|
||||
}
|
||||
catch (IOException ie) {
|
||||
assertEquals(Status.FORBIDDEN.getStatusCode(), conn.getResponseCode());
|
||||
}
|
||||
return null;
|
||||
}
|
||||
});
|
||||
|
||||
}
|
||||
|
||||
private String getDelegationToken(final String renewer) throws Exception {
|
||||
String token = KerberosTestUtils.doAsClient(new Callable<String>() {
|
||||
return KerberosTestUtils.doAsClient(new Callable<String>() {
|
||||
@Override
|
||||
public String call() throws Exception {
|
||||
String ret = null;
|
||||
|
@ -305,7 +425,6 @@ public class TestRMWebServicesDelegationTokenAuthentication {
|
|||
return ret;
|
||||
}
|
||||
});
|
||||
return token;
|
||||
}
|
||||
|
||||
private void cancelDelegationToken(final String tokenString) throws Exception {
|
||||
|
@ -325,7 +444,6 @@ public class TestRMWebServicesDelegationTokenAuthentication {
|
|||
return null;
|
||||
}
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
static String getMarshalledAppInfo(ApplicationSubmissionContextInfo appInfo)
|
||||
|
@ -353,5 +471,4 @@ public class TestRMWebServicesDelegationTokenAuthentication {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -2943,7 +2943,7 @@ Accept: application/xml
|
|||
|
||||
+---+
|
||||
PUT http://<rm http address:port>/ws/v1/cluster/apps/application_1399397633663_0003/state
|
||||
Hadoop-YARN-Auth-Delegation-Token: MgASY2xpZW50QEVYQU1QTEUuQ09NDHRlc3QtcmVuZXdlcgCKAUbjqcHHigFHB7ZFxwQCFKWD3znCkDSy6SQIjRCLDydxbxvgE1JNX0RFTEVHQVRJT05fVE9LRU4A
|
||||
X-Hadoop-Delegation-Token: MgASY2xpZW50QEVYQU1QTEUuQ09NDHRlc3QtcmVuZXdlcgCKAUbjqcHHigFHB7ZFxwQCFKWD3znCkDSy6SQIjRCLDydxbxvgE1JNX0RFTEVHQVRJT05fVE9LRU4A
|
||||
Content-Type: application/json; charset=UTF8
|
||||
{
|
||||
"state":"KILLED"
|
||||
|
|
Loading…
Reference in New Issue