diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java index b73b0629ed6..8321c5e73f2 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java @@ -81,7 +81,7 @@ public abstract class DelegationTokenAuthenticationHandler private static final Set DELEGATION_TOKEN_OPS = new HashSet(); - static final String DELEGATION_TOKEN_UGI_ATTRIBUTE = + public static final String DELEGATION_TOKEN_UGI_ATTRIBUTE = "hadoop.security.delegation-token.ugi"; static { diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt index b58d5f1b6ef..ceeebd6ed2a 100644 --- a/hadoop-yarn-project/CHANGES.txt +++ b/hadoop-yarn-project/CHANGES.txt @@ -135,6 +135,9 @@ Release 2.6.0 - UNRELEASED YARN-2501. Enhanced AMRMClient library to support requests against node labels. (Wangda Tan via vinodkv) + YARN-2656. Made RM web services authentication filter support proxy user. + (Varun Vasudev and Zhijie Shen via zjshen) + IMPROVEMENTS YARN-2242. Improve exception information on AM launch crashes. (Li Lu diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilter.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilter.java index 651b5b0c762..3eeb620f22a 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilter.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilter.java @@ -18,46 +18,74 @@ package org.apache.hadoop.yarn.server.security.http; -import java.util.Properties; +import java.io.IOException; +import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletRequestWrapper; import org.apache.hadoop.classification.InterfaceAudience.Private; import org.apache.hadoop.classification.InterfaceStability.Unstable; -import org.apache.hadoop.security.authentication.server.AuthenticationFilter; +import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager; +import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter; +import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator; @Private @Unstable -public class RMAuthenticationFilter extends AuthenticationFilter { +public class RMAuthenticationFilter extends + DelegationTokenAuthenticationFilter { + static private AbstractDelegationTokenSecretManager manager; public static final String AUTH_HANDLER_PROPERTY = "yarn.resourcemanager.authentication-handler"; + private static final String OLD_HEADER = "Hadoop-YARN-Auth-Delegation-Token"; public RMAuthenticationFilter() { } @Override - protected Properties getConfiguration(String configPrefix, - FilterConfig filterConfig) throws ServletException { - - // In yarn-site.xml, we can simply set type to "kerberos". However, we need - // to replace the name here to use the customized Kerberos + DT service - // instead of the standard Kerberos handler. - - Properties properties = super.getConfiguration(configPrefix, filterConfig); - String yarnAuthHandler = properties.getProperty(AUTH_HANDLER_PROPERTY); - if (yarnAuthHandler == null || yarnAuthHandler.isEmpty()) { - // if http auth type is simple, the default authentication filter - // will handle it, else throw an exception - if (!properties.getProperty(AUTH_TYPE).equals("simple")) { - throw new ServletException("Authentication handler class is empty"); - } - } - if (properties.getProperty(AUTH_TYPE).equalsIgnoreCase("kerberos")) { - properties.setProperty(AUTH_TYPE, yarnAuthHandler); - } - return properties; + public void init(FilterConfig filterConfig) throws ServletException { + filterConfig.getServletContext().setAttribute( + DelegationTokenAuthenticationFilter.DELEGATION_TOKEN_SECRET_MANAGER_ATTR, + manager); + super.init(filterConfig); } + /** + * {@inheritDoc} + */ + @Override + public void doFilter(ServletRequest request, ServletResponse response, + FilterChain filterChain) throws IOException, ServletException { + HttpServletRequest req = (HttpServletRequest) request; + String newHeader = + req.getHeader(DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER); + if (newHeader == null || newHeader.isEmpty()) { + // For backward compatibility, allow use of the old header field + // only when the new header doesn't exist + final String oldHeader = req.getHeader(OLD_HEADER); + if (oldHeader != null && !oldHeader.isEmpty()) { + request = new HttpServletRequestWrapper(req) { + @Override + public String getHeader(String name) { + if (name + .equals(DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER)) { + return oldHeader; + } + return super.getHeader(name); + } + }; + } + } + super.doFilter(request, response, filterChain); + } + + public static void setDelegationTokenSecretManager( + AbstractDelegationTokenSecretManager manager) { + RMAuthenticationFilter.manager = manager; + } } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java index 128794ee6eb..f0baf2be34e 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java @@ -35,17 +35,21 @@ import org.apache.hadoop.security.SecurityUtil; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler; +import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler; +import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier; @Unstable public class RMAuthenticationFilterInitializer extends FilterInitializer { String configPrefix; + String proxyPrefix; String signatureSecretFileProperty; String kerberosPrincipalProperty; String cookiePath; public RMAuthenticationFilterInitializer() { this.configPrefix = "hadoop.http.authentication."; + this.proxyPrefix = "yarn.resourcemanager.webapp.proxyuser."; this.signatureSecretFileProperty = AuthenticationFilter.SIGNATURE_SECRET + ".file"; this.kerberosPrincipalProperty = KerberosAuthenticationHandler.PRINCIPAL; @@ -59,10 +63,14 @@ public class RMAuthenticationFilterInitializer extends FilterInitializer { filterConfig.put(AuthenticationFilter.COOKIE_PATH, cookiePath); for (Map.Entry entry : conf) { - String name = entry.getKey(); - if (name.startsWith(configPrefix)) { - String value = conf.get(name); - name = name.substring(configPrefix.length()); + String propName = entry.getKey(); + if (propName.startsWith(configPrefix)) { + String value = conf.get(propName); + String name = propName.substring(configPrefix.length()); + filterConfig.put(name, value); + } else if (propName.startsWith(proxyPrefix)) { + String value = conf.get(propName); + String name = propName.substring("yarn.resourcemanager.webapp.".length()); filterConfig.put(name, value); } } @@ -107,6 +115,10 @@ public class RMAuthenticationFilterInitializer extends FilterInitializer { } filterConfig.put(KerberosAuthenticationHandler.PRINCIPAL, principal); } + + filterConfig.put(DelegationTokenAuthenticationHandler.TOKEN_KIND, + RMDelegationTokenIdentifier.KIND_NAME.toString()); + return filterConfig; } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java index 3e5f13801a2..ab4502032e1 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java @@ -901,6 +901,8 @@ public class ResourceManager extends CompositeService implements Recoverable { + " for RM webapp authentication"); RMAuthenticationHandler .setSecretManager(getClientRMService().rmDTSecretManager); + RMAuthenticationFilter + .setDelegationTokenSecretManager(getClientRMService().rmDTSecretManager); String yarnAuthKey = authPrefix + RMAuthenticationFilter.AUTH_HANDLER_PROPERTY; conf.setStrings(yarnAuthKey, RMAuthenticationHandler.class.getName()); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java index 24a90bd69aa..87c895ac14b 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java @@ -65,6 +65,7 @@ import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHa import org.apache.hadoop.security.authorize.AuthorizationException; import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.TokenIdentifier; +import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler; import org.apache.hadoop.yarn.api.protocolrecords.GetApplicationsRequest; import org.apache.hadoop.yarn.api.protocolrecords.GetNewApplicationRequest; import org.apache.hadoop.yarn.api.protocolrecords.GetNewApplicationResponse; @@ -1085,10 +1086,18 @@ public class RMWebServices { } String authType = hsr.getAuthType(); - if (!KerberosAuthenticationHandler.TYPE.equals(authType)) { + if (!KerberosAuthenticationHandler.TYPE.equalsIgnoreCase(authType)) { String msg = "Delegation token operations can only be carried out on a " - + "Kerberos authenticated channel"; + + "Kerberos authenticated channel. Expected auth type is " + + KerberosAuthenticationHandler.TYPE + ", got type " + authType; + throw new YarnException(msg); + } + if (hsr + .getAttribute(DelegationTokenAuthenticationHandler.DELEGATION_TOKEN_UGI_ATTRIBUTE) != null) { + String msg = + "Delegation token operations cannot be carried out using delegation" + + " token authentication."; throw new YarnException(msg); } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMAdminService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMAdminService.java index 554f57c8a0a..7161d0c4dbe 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMAdminService.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMAdminService.java @@ -708,6 +708,7 @@ public class TestRMAdminService { aclsString); // verify ProxyUsers and ProxyHosts + ProxyUsers.refreshSuperUserGroupsConfiguration(configuration); Assert.assertTrue(ProxyUsers.getDefaultImpersonationProvider().getProxyGroups() .get("hadoop.proxyuser.test.groups").size() == 1); Assert.assertTrue(ProxyUsers.getDefaultImpersonationProvider().getProxyGroups() diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesDelegationTokenAuthentication.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesDelegationTokenAuthentication.java index 239d5922eaf..a9ae0b933a2 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesDelegationTokenAuthentication.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesDelegationTokenAuthentication.java @@ -31,6 +31,8 @@ import java.io.OutputStream; import java.io.StringWriter; import java.net.HttpURLConnection; import java.net.URL; +import java.util.Arrays; +import java.util.Collection; import java.util.concurrent.Callable; import javax.ws.rs.core.MediaType; @@ -46,7 +48,10 @@ import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authentication.KerberosTestUtils; import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler; +import org.apache.hadoop.security.token.Token; +import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator; import org.apache.hadoop.yarn.conf.YarnConfiguration; +import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier; import org.apache.hadoop.yarn.server.resourcemanager.MockRM; import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp; import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler; @@ -55,11 +60,15 @@ import org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.ApplicationSubmi import org.apache.hadoop.yarn.util.ConverterUtils; import org.codehaus.jettison.json.JSONObject; import org.junit.AfterClass; +import org.junit.Assert; import org.junit.BeforeClass; import org.junit.Test; import com.sun.jersey.api.client.ClientResponse.Status; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +@RunWith(Parameterized.class) public class TestRMWebServicesDelegationTokenAuthentication { private static final File testRootDir = new File("target", @@ -74,10 +83,17 @@ public class TestRMWebServicesDelegationTokenAuthentication { private static MiniKdc testMiniKDC; private static MockRM rm; + + String delegationTokenHeader; + // use published header name - final static String DelegationTokenHeader = + final static String OldDelegationTokenHeader = "Hadoop-YARN-Auth-Delegation-Token"; + // alternate header name + final static String NewDelegationTokenHeader = + DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER; + @BeforeClass public static void setUp() { try { @@ -99,8 +115,14 @@ public class TestRMWebServicesDelegationTokenAuthentication { } } - public TestRMWebServicesDelegationTokenAuthentication() throws Exception { + @Parameterized.Parameters + public static Collection headers() { + return Arrays.asList(new Object[][] { {OldDelegationTokenHeader}, {NewDelegationTokenHeader}}); + } + + public TestRMWebServicesDelegationTokenAuthentication(String header) throws Exception { super(); + this.delegationTokenHeader = header; } private static void setupAndStartRM() throws Exception { @@ -136,6 +158,8 @@ public class TestRMWebServicesDelegationTokenAuthentication { rmconf.set(YarnConfiguration.NM_WEBAPP_SPNEGO_KEYTAB_FILE_KEY, httpSpnegoKeytabFile.getAbsolutePath()); rmconf.setBoolean("mockrm.webapp.enabled", true); + rmconf.set("yarn.resourcemanager.webapp.proxyuser.client.hosts", "*"); + rmconf.set("yarn.resourcemanager.webapp.proxyuser.client.groups", "*"); UserGroupInformation.setConfiguration(rmconf); rm = new MockRM(rmconf); rm.start(); @@ -143,10 +167,11 @@ public class TestRMWebServicesDelegationTokenAuthentication { } private static void setupKDC() throws Exception { - if (miniKDCStarted == false) { + if (!miniKDCStarted) { testMiniKDC.start(); getKdc().createPrincipal(httpSpnegoKeytabFile, "HTTP/localhost", - "client", UserGroupInformation.getLoginUser().getShortUserName()); + "client", UserGroupInformation.getLoginUser().getShortUserName(), + "client2"); miniKDCStarted = true; } } @@ -189,11 +214,26 @@ public class TestRMWebServicesDelegationTokenAuthentication { } conn = (HttpURLConnection) url.openConnection(); - conn.setRequestProperty(DelegationTokenHeader, token); + conn.setRequestProperty(delegationTokenHeader, token); setupConn(conn, "POST", MediaType.APPLICATION_XML, requestBody); // this should not fail - conn.getInputStream(); + try { + conn.getInputStream(); + } + catch(IOException ie) { + InputStream errorStream = conn.getErrorStream(); + String error = ""; + BufferedReader reader = null; + reader = new BufferedReader(new InputStreamReader(errorStream, "UTF8")); + for (String line; (line = reader.readLine()) != null;) { + error += line; + } + reader.close(); + errorStream.close(); + fail("Response " + conn.getResponseCode() + "; " + error); + } + boolean appExists = rm.getRMContext().getRMApps() .containsKey(ConverterUtils.toApplicationId(appid)); @@ -203,8 +243,6 @@ public class TestRMWebServicesDelegationTokenAuthentication { .get(ConverterUtils.toApplicationId(appid)); String owner = actualApp.getUser(); assertEquals("client", owner); - - return; } // Test to make sure that cancelled delegation tokens @@ -221,7 +259,7 @@ public class TestRMWebServicesDelegationTokenAuthentication { URL url = new URL("http://localhost:8088/ws/v1/cluster/apps"); HttpURLConnection conn = (HttpURLConnection) url.openConnection(); - conn.setRequestProperty(DelegationTokenHeader, token); + conn.setRequestProperty(delegationTokenHeader, token); setupConn(conn, "POST", MediaType.APPLICATION_XML, requestBody); // this should fail with unauthorized because only @@ -232,7 +270,6 @@ public class TestRMWebServicesDelegationTokenAuthentication { } catch (IOException e) { assertEquals(Status.FORBIDDEN.getStatusCode(), conn.getResponseCode()); } - return; } // Test to make sure that we can't do delegation token @@ -248,7 +285,7 @@ public class TestRMWebServicesDelegationTokenAuthentication { for (String requestBody : requests) { URL url = new URL("http://localhost:8088/ws/v1/cluster/delegation-token"); HttpURLConnection conn = (HttpURLConnection) url.openConnection(); - conn.setRequestProperty(DelegationTokenHeader, token); + conn.setRequestProperty(delegationTokenHeader, token); setupConn(conn, "POST", MediaType.APPLICATION_JSON, requestBody); try { conn.getInputStream(); @@ -262,7 +299,7 @@ public class TestRMWebServicesDelegationTokenAuthentication { // test cancel URL url = new URL("http://localhost:8088/ws/v1/cluster/delegation-token"); HttpURLConnection conn = (HttpURLConnection) url.openConnection(); - conn.setRequestProperty(DelegationTokenHeader, token); + conn.setRequestProperty(delegationTokenHeader, token); conn.setRequestProperty(RMWebServices.DELEGATION_TOKEN_HEADER, token); setupConn(conn, "DELETE", null, null); try { @@ -271,11 +308,94 @@ public class TestRMWebServicesDelegationTokenAuthentication { } catch (IOException e) { assertEquals(Status.FORBIDDEN.getStatusCode(), conn.getResponseCode()); } - return; + } + + // Superuser "client" should be able to get a delegation token + // for user "client2" when authenticated using Kerberos + // The request shouldn't work when authenticated using DelegationTokens + @Test + public void testDoAs() throws Exception { + + KerberosTestUtils.doAsClient(new Callable() { + @Override + public Void call() throws Exception { + String token = ""; + String owner = ""; + String renewer = "renewer"; + String body = "{\"renewer\":\"" + renewer + "\"}"; + URL url = + new URL("http://localhost:8088/ws/v1/cluster/delegation-token?doAs=client2"); + HttpURLConnection conn = (HttpURLConnection) url.openConnection(); + setupConn(conn, "POST", MediaType.APPLICATION_JSON, body); + InputStream response = conn.getInputStream(); + assertEquals(Status.OK.getStatusCode(), conn.getResponseCode()); + BufferedReader reader = null; + try { + reader = new BufferedReader(new InputStreamReader(response, "UTF8")); + for (String line; (line = reader.readLine()) != null;) { + JSONObject obj = new JSONObject(line); + if (obj.has("token")) { + token = obj.getString("token"); + } + if(obj.has("owner")) { + owner = obj.getString("owner"); + } + } + } finally { + IOUtils.closeQuietly(reader); + IOUtils.closeQuietly(response); + } + Assert.assertEquals("client2", owner); + Token realToken = new Token(); + realToken.decodeFromUrlString(token); + Assert.assertEquals("client2", realToken.decodeIdentifier().getOwner().toString()); + return null; + } + }); + + // this should not work + final String token = getDelegationToken("client"); + String renewer = "renewer"; + String body = "{\"renewer\":\"" + renewer + "\"}"; + URL url = + new URL("http://localhost:8088/ws/v1/cluster/delegation-token?doAs=client2"); + HttpURLConnection conn = (HttpURLConnection) url.openConnection(); + conn.setRequestProperty(delegationTokenHeader, token); + setupConn(conn, "POST", MediaType.APPLICATION_JSON, body); + try { + conn.getInputStream(); + fail("Client should not be allowed to impersonate using delegation tokens"); + } + catch(IOException ie) { + assertEquals(Status.FORBIDDEN.getStatusCode(), conn.getResponseCode()); + } + + // this should also fail due to client2 not being a super user + KerberosTestUtils.doAs("client2@EXAMPLE.COM", new Callable() { + @Override + public Void call() throws Exception { + String renewer = "renewer"; + String body = "{\"renewer\":\"" + renewer + "\"}"; + URL url = + new URL( + "http://localhost:8088/ws/v1/cluster/delegation-token?doAs=client"); + HttpURLConnection conn = (HttpURLConnection) url.openConnection(); + setupConn(conn, "POST", MediaType.APPLICATION_JSON, body); + try { + conn.getInputStream(); + fail("Non superuser client should not be allowed to carry out doAs"); + } + catch (IOException ie) { + assertEquals(Status.FORBIDDEN.getStatusCode(), conn.getResponseCode()); + } + return null; + } + }); + } private String getDelegationToken(final String renewer) throws Exception { - String token = KerberosTestUtils.doAsClient(new Callable() { + return KerberosTestUtils.doAsClient(new Callable() { @Override public String call() throws Exception { String ret = null; @@ -305,7 +425,6 @@ public class TestRMWebServicesDelegationTokenAuthentication { return ret; } }); - return token; } private void cancelDelegationToken(final String tokenString) throws Exception { @@ -325,7 +444,6 @@ public class TestRMWebServicesDelegationTokenAuthentication { return null; } }); - return; } static String getMarshalledAppInfo(ApplicationSubmissionContextInfo appInfo) @@ -353,5 +471,4 @@ public class TestRMWebServicesDelegationTokenAuthentication { } } } - } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ResourceManagerRest.apt.vm b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ResourceManagerRest.apt.vm index 37905dec79d..2f73082a36c 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ResourceManagerRest.apt.vm +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ResourceManagerRest.apt.vm @@ -2943,7 +2943,7 @@ Accept: application/xml +---+ PUT http:///ws/v1/cluster/apps/application_1399397633663_0003/state - Hadoop-YARN-Auth-Delegation-Token: MgASY2xpZW50QEVYQU1QTEUuQ09NDHRlc3QtcmVuZXdlcgCKAUbjqcHHigFHB7ZFxwQCFKWD3znCkDSy6SQIjRCLDydxbxvgE1JNX0RFTEVHQVRJT05fVE9LRU4A + X-Hadoop-Delegation-Token: MgASY2xpZW50QEVYQU1QTEUuQ09NDHRlc3QtcmVuZXdlcgCKAUbjqcHHigFHB7ZFxwQCFKWD3znCkDSy6SQIjRCLDydxbxvgE1JNX0RFTEVHQVRJT05fVE9LRU4A Content-Type: application/json; charset=UTF8 { "state":"KILLED"