From 8a1ee4d2b5c49c6bfaa47f12e568b863efa2203c Mon Sep 17 00:00:00 2001
From: Andrew Wang <wang@apache.org>
Date: Thu, 23 Jun 2016 11:08:52 -0700
Subject: [PATCH] Revert "HADOOP-13228. Add delegation token to the connection
 in DelegationTokenAuthenticator. Contributed by Xiao Chen."

This reverts commit 55eda958ccbf3941986d6da63ad7ee16646d7067.
---
 .../DelegationTokenAuthenticationHandler.java |   7 --
 .../web/DelegationTokenAuthenticator.java     |  19 ---
 .../web/TestWebDelegationToken.java           | 114 +-----------------
 3 files changed, 3 insertions(+), 137 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
index 95a849f9ce5..3f191de2fb3 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java
@@ -51,8 +51,6 @@ import org.apache.hadoop.util.StringUtils;
 import org.codehaus.jackson.map.ObjectMapper;
 
 import com.google.common.annotations.VisibleForTesting;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 /**
  * An {@link AuthenticationHandler} that implements Kerberos SPNEGO mechanism
@@ -80,9 +78,6 @@ import org.slf4j.LoggerFactory;
 public abstract class DelegationTokenAuthenticationHandler
     implements AuthenticationHandler {
 
-  private static final Logger LOG =
-      LoggerFactory.getLogger(DelegationTokenAuthenticationHandler.class);
-
   protected static final String TYPE_POSTFIX = "-dt";
 
   public static final String PREFIX = "delegation-token.";
@@ -332,8 +327,6 @@ public abstract class DelegationTokenAuthenticationHandler
       throws IOException, AuthenticationException {
     AuthenticationToken token;
     String delegationParam = getDelegationToken(request);
-    LOG.debug("Authenticating with delegationParam: {}, query string: {}",
-        delegationParam, request.getQueryString());
     if (delegationParam != null) {
       try {
         Token<AbstractDelegationTokenIdentifier> dt = new Token();
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java
index 53978a6245b..37ae601dacc 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java
@@ -122,24 +122,6 @@ public abstract class DelegationTokenAuthenticator implements Authenticator {
     return hasDt;
   }
 
-  /**
-   * Append the delegation token to the request header if needed.
-   */
-  private void appendDelegationToken(final AuthenticatedURL.Token token,
-      final Token<?> dToken, final HttpURLConnection conn) throws IOException {
-    if (token.isSet()) {
-      LOG.debug("Auth token is set, not appending delegation token.");
-      return;
-    }
-    if (dToken == null) {
-      LOG.warn("Delegation token is null, cannot set on request header.");
-      return;
-    }
-    conn.setRequestProperty(
-        DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER,
-        dToken.encodeToUrlString());
-  }
-
   @Override
   public void authenticate(URL url, AuthenticatedURL.Token token)
       throws IOException, AuthenticationException {
@@ -304,7 +286,6 @@ public abstract class DelegationTokenAuthenticator implements Authenticator {
     url = new URL(sb.toString());
     AuthenticatedURL aUrl = new AuthenticatedURL(this, connConfigurator);
     HttpURLConnection conn = aUrl.openConnection(url, token);
-    appendDelegationToken(token, dToken, conn);
     conn.setRequestMethod(operation.getHttpMethod());
     HttpExceptionUtils.validateResponse(conn, HttpURLConnection.HTTP_OK);
     if (hasResponse) {
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
index 65c80a2cad7..73562b559ce 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/delegation/web/TestWebDelegationToken.java
@@ -17,8 +17,6 @@
  */
 package org.apache.hadoop.security.token.delegation.web;
 
-import static org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.DelegationTokenOperation;
-
 import org.apache.commons.io.IOUtils;
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.minikdc.MiniKdc;
@@ -32,7 +30,6 @@ import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHa
 import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
 import org.apache.hadoop.security.authentication.util.KerberosUtil;
 import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
-import org.apache.hadoop.test.GenericTestUtils;
 import org.codehaus.jackson.map.ObjectMapper;
 import org.junit.After;
 import org.junit.Assert;
@@ -44,8 +41,6 @@ import org.mortbay.jetty.Server;
 import org.mortbay.jetty.servlet.Context;
 import org.mortbay.jetty.servlet.FilterHolder;
 import org.mortbay.jetty.servlet.ServletHolder;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 import javax.security.auth.Subject;
 import javax.security.auth.kerberos.KerberosPrincipal;
@@ -65,6 +60,8 @@ import java.io.File;
 import java.io.IOException;
 import java.io.Writer;
 import java.net.HttpURLConnection;
+import java.net.InetAddress;
+import java.net.ServerSocket;
 import java.net.URL;
 import java.security.Principal;
 import java.security.PrivilegedActionException;
@@ -79,9 +76,6 @@ import java.util.UUID;
 import java.util.concurrent.Callable;
 
 public class TestWebDelegationToken {
-
-  private static final Logger LOG =
-      LoggerFactory.getLogger(TestWebDelegationToken.class);
   private static final String OK_USER = "ok-user";
   private static final String FAIL_USER = "fail-user";
   private static final String FOO_USER = "foo";
@@ -117,7 +111,7 @@ public class TestWebDelegationToken {
       AuthenticationToken token = null;
       if (request.getParameter("authenticated") != null) {
         token = new AuthenticationToken(request.getParameter("authenticated"),
-            "U", "unsupported type");
+            "U", "test");
       } else {
         response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
         response.setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, "dummy");
@@ -140,32 +134,6 @@ public class TestWebDelegationToken {
     }
   }
 
-  /**
-   * A dummy DelegationTokenAuthenticationHandler to verify that the request
-   * header contains delegation token.
-   */
-  public static class HeaderVerifyingDelegationTokenAuthenticationHandler
-      extends DummyDelegationTokenAuthenticationHandler {
-
-    @Override
-    public boolean managementOperation(AuthenticationToken token,
-        HttpServletRequest request, HttpServletResponse response)
-        throws IOException, AuthenticationException {
-      String op = ServletUtils.getParameter(request,
-          KerberosDelegationTokenAuthenticator.OP_PARAM);
-      if (op != null) {
-        DelegationTokenOperation dtOp = DelegationTokenOperation.valueOf(op);
-        if (dtOp == DelegationTokenOperation.RENEWDELEGATIONTOKEN
-            || dtOp == DelegationTokenOperation.CANCELDELEGATIONTOKEN) {
-          Assert.assertNotNull("Request header should have delegation token",
-              request.getHeader(
-                  DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER));
-        }
-      }
-      return super.managementOperation(token, request, response);
-    }
-  }
-
   public static class AFilter extends DelegationTokenAuthenticationFilter {
 
     @Override
@@ -178,24 +146,6 @@ public class TestWebDelegationToken {
     }
   }
 
-  /**
-   * A dummy DelegationTokenAuthenticationFilter that uses a
-   * {@link HeaderVerifyingDelegationTokenAuthenticationHandler} to verify that
-   * the request header contains delegation token.
-   */
-  public static class HeaderVerifyingFilter
-      extends DelegationTokenAuthenticationFilter {
-
-    @Override
-    protected Properties getConfiguration(String configPrefix,
-        FilterConfig filterConfig) {
-      Properties conf = new Properties();
-      conf.setProperty(AUTH_TYPE,
-          HeaderVerifyingDelegationTokenAuthenticationHandler.class.getName());
-      return conf;
-    }
-  }
-
   public static class PingServlet extends HttpServlet {
 
     @Override
@@ -253,7 +203,6 @@ public class TestWebDelegationToken {
   @After
   public void cleanUp() throws Exception {
     jetty.stop();
-    jetty = null;
 
     // resetting hadoop security to simple
     org.apache.hadoop.conf.Configuration conf =
@@ -478,63 +427,6 @@ public class TestWebDelegationToken {
     }
   }
 
-  @Test(timeout=120000)
-  public void testDelegationTokenAuthenticatorUsingDT() throws Exception {
-    Context context = new Context();
-    context.setContextPath("/foo");
-    jetty.setHandler(context);
-    context.addFilter(new FilterHolder(HeaderVerifyingFilter.class), "/*", 0);
-    context.addServlet(new ServletHolder(PingServlet.class), "/bar");
-
-    jetty.start();
-    final URL nonAuthURL = new URL(getJettyURL() + "/foo/bar");
-    URL authURL = new URL(getJettyURL() + "/foo/bar?authenticated=foo");
-    URL authURL2 = new URL(getJettyURL() + "/foo/bar?authenticated=bar");
-
-    DelegationTokenAuthenticatedURL.Token token =
-        new DelegationTokenAuthenticatedURL.Token();
-    final DelegationTokenAuthenticatedURL aUrl =
-        new DelegationTokenAuthenticatedURL();
-    aUrl.getDelegationToken(authURL, token, FOO_USER);
-    Assert.assertNotNull(token.getDelegationToken());
-    Assert.assertEquals(new Text("token-kind"),
-        token.getDelegationToken().getKind());
-
-    // Create a token that only has dt so that we can test ops when
-    // authenticating with a delegation token.
-    DelegationTokenAuthenticatedURL.Token dtOnlyToken =
-        new DelegationTokenAuthenticatedURL.Token();
-    dtOnlyToken.setDelegationToken(token.getDelegationToken());
-
-    /**
-     * We're using delegation token, so everything comes from that.
-     * {@link DelegationTokenAuthenticationHandler#authenticate}.
-     *
-     * This means that the special logic we injected at
-     * {@link DummyAuthenticationHandler#authenticate}
-     * (check "authenticated" and return 401) wouldn't work any more.
-     */
-
-    aUrl.getDelegationToken(authURL, dtOnlyToken, FOO_USER);
-    aUrl.renewDelegationToken(authURL, dtOnlyToken);
-    aUrl.renewDelegationToken(nonAuthURL, dtOnlyToken);
-    aUrl.renewDelegationToken(authURL2, dtOnlyToken);
-
-    // Verify that after cancelling, we can't renew.
-    // After cancelling, the dt on token will be set to null. Back it up here.
-    DelegationTokenAuthenticatedURL.Token cancelledToken =
-        new DelegationTokenAuthenticatedURL.Token();
-    cancelledToken.setDelegationToken(dtOnlyToken.getDelegationToken());
-    aUrl.cancelDelegationToken(authURL, dtOnlyToken);
-    try {
-      aUrl.renewDelegationToken(authURL, cancelledToken);
-      Assert.fail();
-    } catch (Exception ex) {
-      LOG.info("Intentional exception caught:", ex);
-      GenericTestUtils.assertExceptionContains("can't be found in cache", ex);
-    }
-  }
-
   private static class DummyDelegationTokenSecretManager
       extends AbstractDelegationTokenSecretManager<DelegationTokenIdentifier> {