@Override public void setConnectionConfigurator(ConnectionConfigurator configurator) { authenticator.setConnectionConfigurator(configurator); connConfigurator = configurator; }
/** Gets the Hadoop kerberos secure connection (not an SSL connection). */ private HttpURLConnection getSecureConnection(URL url) throws IOException { AuthenticatedURL.Token token = new AuthenticatedURL.Token(); try { return new AuthenticatedURL().openConnection(url, token); } catch (AuthenticationException e) { throw new IOException(e); } }
/** * Calls the wrapped configure() method, then sets timeouts * @param conn the {@link HttpURLConnection} instance to configure. * @return the connection * @throws IOException */ @Override public HttpURLConnection configure(HttpURLConnection conn) throws IOException { if (cc != null) { conn = cc.configure(conn); } conn.setConnectTimeout(timeout * 1000); // conversion to milliseconds conn.setReadTimeout(timeout * 1000); return conn; } }
AuthenticatedURL.Token token = new AuthenticatedURL.Token(); AuthenticatedURL aUrl; SSLFactory clientSslFactory; SSLSocketFactory sslSocketF = clientSslFactory.createSSLSocketFactory(); aUrl = new AuthenticatedURL( new KerberosAuthenticator(), clientSslFactory); connection = aUrl.openConnection(url, token); HttpsURLConnection httpsConn = (HttpsURLConnection) connection; httpsConn.setSSLSocketFactory(sslSocketF); } else { aUrl = new AuthenticatedURL(new KerberosAuthenticator()); connection = aUrl.openConnection(url, token);
AuthenticatedURL aUrl = new AuthenticatedURL(this, connConfigurator); org.apache.hadoop.security.token.Token<AbstractDelegationTokenIdentifier> dt = null; HttpURLConnection conn = aUrl.openConnection(url, token); conn.setRequestMethod(operation.getHttpMethod()); HttpExceptionUtils.validateResponse(conn, HttpURLConnection.HTTP_OK); ret = JsonSerialization.mapReader().readValue(conn.getInputStream()); } catch (Exception ex) { throw new AuthenticationException(String.format( "'%s' did not handle the '%s' delegation token operation: %s", url.getAuthority(), operation, ex.getMessage()), ex); throw new AuthenticationException(String.format("'%s' did not " + "respond with JSON to the '%s' delegation token operation", url.getAuthority(), operation));
throw (IOException) ex.getException(); } else { throw new AuthenticationException(ex.getException());
/** * Initiate client side Kerberos negotiation with the server. * @param method method to inject the authentication token into. * @param uri the String to parse as a URL. * @throws IOException if unknown protocol is found. */ private void negotiate(HttpUriRequest method, String uri) throws IOException { try { AuthenticatedURL.Token token = new AuthenticatedURL.Token(); KerberosAuthenticator authenticator = new KerberosAuthenticator(); authenticator.authenticate(new URL(uri), token); // Inject the obtained negotiated token in the method cookie injectToken(method, token); } catch (AuthenticationException e) { LOG.error("Failed to negotiate with the server.", e); throw new IOException(e); } }
/** * Returns an authenticated {@link HttpURLConnection}, it uses a Delegation * Token only if the given auth token is an instance of {@link Token} and * it contains a Delegation Token, otherwise use the configured * {@link DelegationTokenAuthenticator} to authenticate the connection. * * @param url the URL to connect to. Only HTTP/S URLs are supported. * @param token the authentication token being used for the user. * @return an authenticated {@link HttpURLConnection}. * @throws IOException if an IO error occurred. * @throws AuthenticationException if an authentication exception occurred. */ @Override public HttpURLConnection openConnection(URL url, AuthenticatedURL.Token token) throws IOException, AuthenticationException { return (token instanceof Token) ? openConnection(url, (Token) token) : super.openConnection(url ,token); }
/** * Cancels a delegation token from the server end-point. It does not require * being authenticated by the configured <code>Authenticator</code>. * * @param url the URL to cancel the delegation token from. Only HTTP/S URLs * are supported. * @param token the authentication token with the Delegation Token to cancel. * @param doAsUser the user to do as, which will be the token owner. * @throws IOException if an IO error occurred. */ public void cancelDelegationToken(URL url, AuthenticatedURL.Token token, Token<AbstractDelegationTokenIdentifier> dToken, String doAsUser) throws IOException { try { doDelegationTokenOperation(url, token, DelegationTokenOperation.CANCELDELEGATIONTOKEN, null, dToken, false, doAsUser); } catch (AuthenticationException ex) { throw new IOException("This should not happen: " + ex.getMessage(), ex); } }
@Override public void authenticate(URL url, AuthenticatedURL.Token token) throws IOException, AuthenticationException { if (!hasDelegationToken(url, token)) { try { // check and renew TGT to handle potential expiration UserGroupInformation.getCurrentUser().checkTGTAndReloginFromKeytab(); LOG.debug("No delegation token found for url={}, token={}, " + "authenticating with {}", url, token, authenticator.getClass()); authenticator.authenticate(url, token); } catch (IOException ex) { throw NetUtils.wrapException(url.getHost(), url.getPort(), null, 0, ex); } } else { LOG.debug("Authenticated from delegation token. url={}, token={}", url, token); } }
/** * Helper method that injects an authentication token to send with the method. * @param method method to inject the authentication token into. * @param token authentication token to inject. */ private void injectToken(HttpUriRequest method, AuthenticatedURL.Token token) { String t = token.toString(); if (t != null) { if (!t.startsWith("\"")) { t = "\"" + t + "\""; } method.addHeader(COOKIE, AUTH_COOKIE_EQ + t); } }
public static HttpURLConnection loginAuthenticatedURL(final URL url, final String keytabPrincipal, final String keytabPath) throws Exception { final List<URL> resources = new ArrayList<>(); resources.add(url); final URLClassLoader ucl = new URLClassLoader(resources.toArray(new URL[resources.size()])); final Configuration conf = new Configuration(); conf.setClassLoader(ucl); UserGroupInformation.setConfiguration(conf); logger.info( "Logging in URL: " + url.toString() + " using Principal: " + keytabPrincipal + ", Keytab: " + keytabPath); UserGroupInformation.loginUserFromKeytab(keytabPrincipal, keytabPath); final HttpURLConnection connection = UserGroupInformation.getLoginUser().doAs( (PrivilegedExceptionAction<HttpURLConnection>) () -> { final Token token = new Token(); return new AuthenticatedURL().openConnection(url, token); }); return connection; } }
throw new AuthenticationException(ex); token = AuthenticationToken.parse(tokenStr); if (!token.getType().equals(getAuthenticationHandler().getType())) { throw new AuthenticationException("Invalid AuthenticationToken type"); throw new AuthenticationException("AuthenticationToken expired");
HttpURLConnection conn = super.openConnection(url, token); if (!token.isSet() && !useQueryStringForDelegationToken() && dToken != null) {
log.warn("AuthenticationToken ignored: " + ex.getMessage()); authenticationEx = ex; if (log.isDebugEnabled()) { log.debug(ex, "Authentication exception: " + ex.getMessage()); } else { log.warn("Authentication exception: " + ex.getMessage()); } else { httpResponse.sendError(errCode, authenticationEx.getMessage());
throw new AuthenticationException(le);
throw new AuthenticationException(e);
return new String(BASE_64_CODEC.encode(outToken), StandardCharsets.US_ASCII); } catch (GSSException | IllegalAccessException | NoSuchFieldException | ClassNotFoundException e) { throw new AuthenticationException(e); } finally { KERBEROS_LOCK.unlock();
token = null; HttpExceptionUtils.createServletExceptionResponse(response, HttpServletResponse.SC_FORBIDDEN, new AuthenticationException(ex));
@Test public void testReportExceptionForStats() throws NoSuchMethodException, InvocationTargetException, IllegalAccessException { Map<Exception, Map> config = new HashMap<Exception, Map>(); config.put(new Exception(new AuthenticationException("test")), buildMethodResultMap(1, 0, 0, 0, 0)); config.put(new FileNotFoundException(), buildMethodResultMap(0, 1, 0, 0, 0)); config.put(new IOException(), buildMethodResultMap(0, 0, 1, 0, 0)); config.put(new QuotaExceededException("test"), buildMethodResultMap(0, 0, 0, 1, 0)); config.put(new UnauthorizedStoreException("test"), buildMethodResultMap(0, 0, 0, 0, 1)); HdfsFetcherAggStats aggStats = HdfsFetcherAggStats.getStats(); for (Map.Entry<Exception, Map> entry : config.entrySet()) { Exception e = entry.getKey(); Map<String, Long> methodResMap = entry.getValue(); Set<String> methodSet = methodResMap.keySet(); // Get result before invocation Map<String, Long> beforeRes = invokeInternalMethod(aggStats, methodSet); HdfsCopyStats.reportExceptionForStats(e); // Get result after invocation Map<String, Long> afterRes = invokeInternalMethod(aggStats, methodSet); // Compare the difference for (String methodName : methodSet) { String msg = "Method expects " + methodResMap.get(methodName) + " with exception: " + e.getClass().getName(); assertEquals(msg, methodResMap.get(methodName).longValue(), afterRes.get(methodName).longValue() - beforeRes.get(methodName).longValue()); } } } }