HADOOP-14920. KMSClientProvider won't work with KMS delegation token retrieved from non-Java client. Contributed by Xiaoyu Yao.

Xiaoyu Yao 2017-10-06 10:12:24 -07:00
parent 72d22b753a
commit 2b08a1fc64
4 changed files with 70 additions and 23 deletions

@ -272,8 +272,11 @@ public abstract class DelegationTokenAuthenticationHandler
}
String renewer = ServletUtils.getParameter(request,
KerberosDelegationTokenAuthenticator.RENEWER_PARAM);
String service = ServletUtils.getParameter(request,
KerberosDelegationTokenAuthenticator.SERVICE_PARAM);
try {
Token<?> dToken = tokenManager.createToken(requestUgi, renewer);
Token<?> dToken = tokenManager.createToken(requestUgi, renewer,
service);
map = delegationTokenToJSON(dToken);
} catch (IOException ex) {
throw new AuthenticationException(ex.toString(), ex);
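Review bot: The new `service` value is read straight from the request and handed to `tokenManager.createToken(requestUgi, renewer, service)` with no length or character check, so any string the caller sends ends up in the issued token's service field and in the debug log line of `DelegationTokenManager.createToken`. The test in this commit uses a `host:port` value; if that is the only expected shape, reject anything else (CR/LF and other control characters in particular) before the `try`, using whatever error path the method already has for bad parameters. At minimum I would add `// service is caller-supplied and not verified; it only labels the token for client-side lookup` above the new `getParameter` call. The enclosing method starts and ends outside this hunk, so its existing parameter handling is not visible here.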

@ -70,6 +70,7 @@ public abstract class DelegationTokenAuthenticator implements Authenticator {
public static final String DELEGATION_PARAM = "delegation";
public static final String TOKEN_PARAM = "token";
public static final String RENEWER_PARAM = "renewer";
public static final String SERVICE_PARAM = "service";
public static final String DELEGATION_TOKEN_JSON = "Token";
public static final String DELEGATION_TOKEN_URL_STRING_JSON = "urlString";
public static final String RENEW_DELEGATION_TOKEN_JSON = "long";

@ -160,7 +160,14 @@ public class DelegationTokenManager {
@SuppressWarnings("unchecked")
public Token<? extends AbstractDelegationTokenIdentifier> createToken(
UserGroupInformation ugi, String renewer) {
LOG.debug("Creating token with ugi:{}, renewer:{}.", ugi, renewer);
return createToken(ugi, renewer, null);
}
@SuppressWarnings("unchecked")
public Token<? extends AbstractDelegationTokenIdentifier> createToken(
UserGroupInformation ugi, String renewer, String service) {
LOG.debug("Creating token with ugi:{}, renewer:{}, service:{}.",
ugi, renewer, service !=null ? service : "");
renewer = (renewer == null) ? ugi.getShortUserName() : renewer;
String user = ugi.getUserName();
Text owner = new Text(user);
@ -173,7 +180,11 @@ public class DelegationTokenManager {
tokenIdentifier.setOwner(owner);
tokenIdentifier.setRenewer(new Text(renewer));
tokenIdentifier.setRealUser(realUser);
return new Token(tokenIdentifier, secretManager);
Token token = new Token(tokenIdentifier, secretManager);
if (service != null) {
token.setService(new Text(service));
}
return token;
}
@SuppressWarnings("unchecked")
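Review bot: The new public three-argument `createToken` has no Javadoc, and the contract it introduces is not obvious: `service` may be null, in which case the token's service field is left unset, and the value is applied with `token.setService(new Text(service))` only after the token has been built from the identifier. I would document that with `@param service optional caller-supplied service label; null leaves the token service empty`, plus a sentence saying the label is set on the token rather than on the identifier, so it is presumably not covered by what the secret manager signs and should not be relied on for authorization decisions. Two smaller points of style: the two-argument overload keeps `@SuppressWarnings("unchecked")` although its body is now only `return createToken(ugi, renewer, null);`, and `service !=null` in the debug call is missing a space.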

@ -111,12 +111,21 @@ public class TestDelegationTokenAuthenticationHandlerWithMocks {
@Test
public void testManagementOperations() throws Exception {
final Text testTokenKind = new Text("foo");
final String testRenewer = "bar";
final String testService = "192.168.64.101:8888";
testNonManagementOperation();
testManagementOperationErrors();
testGetToken(null, new Text("foo"));
testGetToken("bar", new Text("foo"));
testGetToken(null, null, testTokenKind);
testGetToken(testRenewer, null, testTokenKind);
testCancelToken();
testRenewToken();
testRenewToken(testRenewer);
// Management operations against token requested with service parameter
Token<DelegationTokenIdentifier> testToken =
testGetToken(testRenewer, testService, testTokenKind);
testRenewToken(testToken, testRenewer);
testCancelToken(testToken);
}
private void testNonManagementOperation() throws Exception {
@ -156,8 +165,8 @@ public class TestDelegationTokenAuthenticationHandlerWithMocks {
Mockito.eq("mock"));
}
private void testGetToken(String renewer, Text expectedTokenKind)
throws Exception {
private Token<DelegationTokenIdentifier> testGetToken(String renewer,
String service, Text expectedTokenKind) throws Exception {
DelegationTokenAuthenticator.DelegationTokenOperation op =
DelegationTokenAuthenticator.DelegationTokenOperation.
GETDELEGATIONTOKEN;
@ -173,10 +182,14 @@ public class TestDelegationTokenAuthenticationHandlerWithMocks {
new StringWriter()));
Assert.assertFalse(handler.managementOperation(token, request, response));
Mockito.when(request.getQueryString()).
thenReturn(DelegationTokenAuthenticator.OP_PARAM + "=" + op.toString() +
"&" + DelegationTokenAuthenticator.RENEWER_PARAM + "=" + renewer);
String queryString =
DelegationTokenAuthenticator.OP_PARAM + "=" + op.toString() + "&" +
DelegationTokenAuthenticator.RENEWER_PARAM + "=" + renewer;
if (service != null) {
queryString += "&" + DelegationTokenAuthenticator.SERVICE_PARAM + "="
+ service;
}
Mockito.when(request.getQueryString()).thenReturn(queryString);
Mockito.reset(response);
Mockito.reset(token);
Mockito.when(token.getUserName()).thenReturn("user");
@ -208,10 +221,25 @@ public class TestDelegationTokenAuthenticationHandlerWithMocks {
dt.decodeFromUrlString(tokenStr);
handler.getTokenManager().verifyToken(dt);
Assert.assertEquals(expectedTokenKind, dt.getKind());
if (service != null) {
Assert.assertEquals(service, dt.getService().toString());
} else {
Assert.assertEquals(0, dt.getService().getLength());
}
return dt;
}
@SuppressWarnings("unchecked")
private void testCancelToken() throws Exception {
Token<DelegationTokenIdentifier> token =
(Token<DelegationTokenIdentifier>) handler.getTokenManager()
.createToken(UserGroupInformation.getCurrentUser(), "foo");
testCancelToken(token);
}
@SuppressWarnings("unchecked")
private void testCancelToken(Token<DelegationTokenIdentifier> token)
throws Exception {
DelegationTokenAuthenticator.DelegationTokenOperation op =
DelegationTokenAuthenticator.DelegationTokenOperation.
CANCELDELEGATIONTOKEN;
@ -228,9 +256,6 @@ public class TestDelegationTokenAuthenticationHandlerWithMocks {
Mockito.contains("requires the parameter [token]"));
Mockito.reset(response);
Token<DelegationTokenIdentifier> token =
(Token<DelegationTokenIdentifier>) handler.getTokenManager().createToken(
UserGroupInformation.getCurrentUser(), "foo");
Mockito.when(request.getQueryString()).thenReturn(
DelegationTokenAuthenticator.OP_PARAM + "=" + op.toString() + "&" +
DelegationTokenAuthenticator.TOKEN_PARAM + "=" +
@ -249,7 +274,16 @@ public class TestDelegationTokenAuthenticationHandlerWithMocks {
}
@SuppressWarnings("unchecked")
private void testRenewToken() throws Exception {
private void testRenewToken(String testRenewer) throws Exception {
Token<DelegationTokenIdentifier> dToken = (Token<DelegationTokenIdentifier>)
handler.getTokenManager().createToken(
UserGroupInformation.getCurrentUser(), testRenewer);
testRenewToken(dToken, testRenewer);
}
@SuppressWarnings("unchecked")
private void testRenewToken(Token<DelegationTokenIdentifier> dToken,
String testRenewer) throws Exception {
DelegationTokenAuthenticator.DelegationTokenOperation op =
DelegationTokenAuthenticator.DelegationTokenOperation.
RENEWDELEGATIONTOKEN;
@ -270,7 +304,7 @@ public class TestDelegationTokenAuthenticationHandlerWithMocks {
Mockito.reset(response);
AuthenticationToken token = Mockito.mock(AuthenticationToken.class);
Mockito.when(token.getUserName()).thenReturn("user");
Mockito.when(token.getUserName()).thenReturn(testRenewer);
Assert.assertFalse(handler.managementOperation(token, request, response));
Mockito.verify(response).sendError(
Mockito.eq(HttpServletResponse.SC_BAD_REQUEST),
@ -280,9 +314,7 @@ public class TestDelegationTokenAuthenticationHandlerWithMocks {
StringWriter writer = new StringWriter();
PrintWriter pwriter = new PrintWriter(writer);
Mockito.when(response.getWriter()).thenReturn(pwriter);
Token<DelegationTokenIdentifier> dToken =
(Token<DelegationTokenIdentifier>) handler.getTokenManager().createToken(
UserGroupInformation.getCurrentUser(), "user");
Mockito.when(request.getQueryString()).
thenReturn(DelegationTokenAuthenticator.OP_PARAM + "=" + op.toString() +
"&" + DelegationTokenAuthenticator.TOKEN_PARAM + "=" +