HADOOP-11207. Enhanced common DelegationTokenAuthenticationHandler to support proxy-users on Delegation-token management operations. Contributed by Zhijie Shen.

Author: vinoduec

hadoop-common-project/hadoop-common/CHANGES.txt

@@ -597,6 +597,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-11181. Generalized o.a.h.s.t.d.DelegationTokenManager to handle all
     sub-classes of AbstractDelegationTokenIdentifier. (zjshen)
 
+    HADOOP-11207. Enhanced common DelegationTokenAuthenticationHandler to support
+    proxy-users on Delegation-token management operations. (Zhijie Shen via
+    vinodkv)
 
   OPTIMIZATIONS
 

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticatedURL.java

@@ -333,19 +333,40 @@ public HttpURLConnection openConnection(URL url, Token token, String doAs)
    * supported.
    * @param token the authentication token being used for the user where the
    * Delegation token will be stored.
+   * @param renewer the renewer user.
    * @return a delegation token.
    * @throws IOException if an IO error occurred.
    * @throws AuthenticationException if an authentication exception occurred.
    */
   public org.apache.hadoop.security.token.Token<AbstractDelegationTokenIdentifier>
       getDelegationToken(URL url, Token token, String renewer)
           throws IOException, AuthenticationException {
+    return getDelegationToken(url, token, renewer, null);
+  }
+
+  /**
+   * Requests a delegation token using the configured <code>Authenticator</code>
+   * for authentication.
+   *
+   * @param url the URL to get the delegation token from. Only HTTP/S URLs are
+   * supported.
+   * @param token the authentication token being used for the user where the
+   * Delegation token will be stored.
+   * @param renewer the renewer user.
+   * @param doAsUser the user to do as, which will be the token owner.
+   * @return a delegation token.
+   * @throws IOException if an IO error occurred.
+   * @throws AuthenticationException if an authentication exception occurred.
+   */
+  public org.apache.hadoop.security.token.Token<AbstractDelegationTokenIdentifier>
+      getDelegationToken(URL url, Token token, String renewer, String doAsUser)
+          throws IOException, AuthenticationException {
     Preconditions.checkNotNull(url, "url");
     Preconditions.checkNotNull(token, "token");
     try {
       token.delegationToken =
           ((KerberosDelegationTokenAuthenticator) getAuthenticator()).
-              getDelegationToken(url, token, renewer);
+              getDelegationToken(url, token, renewer, doAsUser);
       return token.delegationToken;
     } catch (IOException ex) {
       token.delegationToken = null;
@@ -365,13 +386,29 @@ public HttpURLConnection openConnection(URL url, Token token, String doAs)
    */
   public long renewDelegationToken(URL url, Token token)
       throws IOException, AuthenticationException {
+    return renewDelegationToken(url, token, null);
+  }
+
+  /**
+   * Renews a delegation token from the server end-point using the
+   * configured <code>Authenticator</code> for authentication.
+   *
+   * @param url the URL to renew the delegation token from. Only HTTP/S URLs are
+   * supported.
+   * @param token the authentication token with the Delegation Token to renew.
+   * @param doAsUser the user to do as, which will be the token owner.
+   * @throws IOException if an IO error occurred.
+   * @throws AuthenticationException if an authentication exception occurred.
+   */
+  public long renewDelegationToken(URL url, Token token, String doAsUser)
+      throws IOException, AuthenticationException {
     Preconditions.checkNotNull(url, "url");
     Preconditions.checkNotNull(token, "token");
     Preconditions.checkNotNull(token.delegationToken,
         "No delegation token available");
     try {
       return ((KerberosDelegationTokenAuthenticator) getAuthenticator()).
-          renewDelegationToken(url, token, token.delegationToken);
+          renewDelegationToken(url, token, token.delegationToken, doAsUser);
     } catch (IOException ex) {
       token.delegationToken = null;
       throw ex;
@@ -389,13 +426,28 @@ public long renewDelegationToken(URL url, Token token)
    */
   public void cancelDelegationToken(URL url, Token token)
       throws IOException {
+    cancelDelegationToken(url, token, null);
+  }
+
+  /**
+   * Cancels a delegation token from the server end-point. It does not require
+   * being authenticated by the configured <code>Authenticator</code>.
+   *
+   * @param url the URL to cancel the delegation token from. Only HTTP/S URLs
+   * are supported.
+   * @param token the authentication token with the Delegation Token to cancel.
+   * @param doAsUser the user to do as, which will be the token owner.
+   * @throws IOException if an IO error occurred.
+   */
+  public void cancelDelegationToken(URL url, Token token, String doAsUser)
+      throws IOException {
     Preconditions.checkNotNull(url, "url");
     Preconditions.checkNotNull(token, "token");
     Preconditions.checkNotNull(token.delegationToken,
         "No delegation token available");
     try {
       ((KerberosDelegationTokenAuthenticator) getAuthenticator()).
-          cancelDelegationToken(url, token, token.delegationToken);
+          cancelDelegationToken(url, token, token.delegationToken, doAsUser);
     } finally {
       token.delegationToken = null;
     }

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java

@@ -17,7 +17,21 @@
  */
 package org.apache.hadoop.security.token.delegation.web;
 
-import com.google.common.annotations.VisibleForTesting;
+import java.io.IOException;
+import java.io.Writer;
+import java.text.MessageFormat;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.core.MediaType;
+
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.conf.Configuration;
@@ -27,25 +41,15 @@
 import org.apache.hadoop.security.authentication.server.AuthenticationHandler;
 import org.apache.hadoop.security.authentication.server.AuthenticationToken;
 import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
+import org.apache.hadoop.security.authorize.AuthorizationException;
+import org.apache.hadoop.security.authorize.ProxyUsers;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
 import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
 import org.apache.hadoop.util.HttpExceptionUtils;
 import org.codehaus.jackson.map.ObjectMapper;
 
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.ws.rs.core.MediaType;
-import java.io.IOException;
-import java.io.Writer;
-import java.text.MessageFormat;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.LinkedHashMap;
-import java.util.Map;
-import java.util.Properties;
-import java.util.Set;
+import com.google.common.annotations.VisibleForTesting;
 
 /**
  * An {@link AuthenticationHandler} that implements Kerberos SPNEGO mechanism
@@ -188,6 +192,19 @@ public boolean managementOperation(AuthenticationToken token,
           UserGroupInformation requestUgi = (token != null)
               ? UserGroupInformation.createRemoteUser(token.getUserName())
               : null;
+          // Create the proxy user if doAsUser exists
+          String doAsUser = DelegationTokenAuthenticationFilter.getDoAs(request);
+          if (requestUgi != null && doAsUser != null) {
+            requestUgi = UserGroupInformation.createProxyUser(
+                doAsUser, requestUgi);
+            try {
+              ProxyUsers.authorize(requestUgi, request.getRemoteHost());
+            } catch (AuthorizationException ex) {
+              HttpExceptionUtils.createServletExceptionResponse(response,
+                  HttpServletResponse.SC_FORBIDDEN, ex);
+              return false;
+            }
+          }
           Map map = null;
           switch (dtOp) {
             case GETDELEGATIONTOKEN:

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java

@@ -136,14 +136,35 @@ public void authenticate(URL url, AuthenticatedURL.Token token)
    * supported.
    * @param token the authentication token being used for the user where the
    * Delegation token will be stored.
+   * @param renewer the renewer user.
    * @throws IOException if an IO error occurred.
    * @throws AuthenticationException if an authentication exception occurred.
    */
   public Token<AbstractDelegationTokenIdentifier> getDelegationToken(URL url,
       AuthenticatedURL.Token token, String renewer)
       throws IOException, AuthenticationException {
+   return getDelegationToken(url, token, renewer, null);
+  }
+
+  /**
+   * Requests a delegation token using the configured <code>Authenticator</code>
+   * for authentication.
+   *
+   * @param url the URL to get the delegation token from. Only HTTP/S URLs are
+   * supported.
+   * @param token the authentication token being used for the user where the
+   * Delegation token will be stored.
+   * @param renewer the renewer user.
+   * @param doAsUser the user to do as, which will be the token owner.
+   * @throws IOException if an IO error occurred.
+   * @throws AuthenticationException if an authentication exception occurred.
+   */
+  public Token<AbstractDelegationTokenIdentifier> getDelegationToken(URL url,
+      AuthenticatedURL.Token token, String renewer, String doAsUser)
+      throws IOException, AuthenticationException {
     Map json = doDelegationTokenOperation(url, token,
-        DelegationTokenOperation.GETDELEGATIONTOKEN, renewer, null, true);
+        DelegationTokenOperation.GETDELEGATIONTOKEN, renewer, null, true,
+        doAsUser);
     json = (Map) json.get(DELEGATION_TOKEN_JSON);
     String tokenStr = (String) json.get(DELEGATION_TOKEN_URL_STRING_JSON);
     Token<AbstractDelegationTokenIdentifier> dToken =
@@ -169,8 +190,27 @@ public long renewDelegationToken(URL url,
       AuthenticatedURL.Token token,
       Token<AbstractDelegationTokenIdentifier> dToken)
       throws IOException, AuthenticationException {
+    return renewDelegationToken(url, token, dToken, null);
+  }
+
+  /**
+   * Renews a delegation token from the server end-point using the
+   * configured <code>Authenticator</code> for authentication.
+   *
+   * @param url the URL to renew the delegation token from. Only HTTP/S URLs are
+   * supported.
+   * @param token the authentication token with the Delegation Token to renew.
+   * @param doAsUser the user to do as, which will be the token owner.
+   * @throws IOException if an IO error occurred.
+   * @throws AuthenticationException if an authentication exception occurred.
+   */
+  public long renewDelegationToken(URL url,
+      AuthenticatedURL.Token token,
+      Token<AbstractDelegationTokenIdentifier> dToken, String doAsUser)
+      throws IOException, AuthenticationException {
     Map json = doDelegationTokenOperation(url, token,
-        DelegationTokenOperation.RENEWDELEGATIONTOKEN, null, dToken, true);
+        DelegationTokenOperation.RENEWDELEGATIONTOKEN, null, dToken, true,
+        doAsUser);
     return (Long) json.get(RENEW_DELEGATION_TOKEN_JSON);
   }
 
@@ -187,17 +227,35 @@ public void cancelDelegationToken(URL url,
       AuthenticatedURL.Token token,
       Token<AbstractDelegationTokenIdentifier> dToken)
       throws IOException {
+    cancelDelegationToken(url, token, dToken, null);
+  }
+
+  /**
+   * Cancels a delegation token from the server end-point. It does not require
+   * being authenticated by the configured <code>Authenticator</code>.
+   *
+   * @param url the URL to cancel the delegation token from. Only HTTP/S URLs
+   * are supported.
+   * @param token the authentication token with the Delegation Token to cancel.
+   * @param doAsUser the user to do as, which will be the token owner.
+   * @throws IOException if an IO error occurred.
+   */
+  public void cancelDelegationToken(URL url,
+      AuthenticatedURL.Token token,
+      Token<AbstractDelegationTokenIdentifier> dToken, String doAsUser)
+      throws IOException {
     try {
       doDelegationTokenOperation(url, token,
-          DelegationTokenOperation.CANCELDELEGATIONTOKEN, null, dToken, false);
+          DelegationTokenOperation.CANCELDELEGATIONTOKEN, null, dToken, false,
+          doAsUser);
     } catch (AuthenticationException ex) {
       throw new IOException("This should not happen: " + ex.getMessage(), ex);
     }
   }
 
   private Map doDelegationTokenOperation(URL url,
       AuthenticatedURL.Token token, DelegationTokenOperation operation,
-      String renewer, Token<?> dToken, boolean hasResponse)
+      String renewer, Token<?> dToken, boolean hasResponse, String doAsUser)
       throws IOException, AuthenticationException {
     Map ret = null;
     Map<String, String> params = new HashMap<String, String>();
@@ -208,6 +266,11 @@ private Map doDelegationTokenOperation(URL url,
     if (dToken != null) {
       params.put(TOKEN_PARAM, dToken.encodeToUrlString());
     }
+    // proxyuser
+    if (doAsUser != null) {
+      params.put(DelegationTokenAuthenticatedURL.DO_AS,
+          URLEncoder.encode(doAsUser, "UTF-8"));
+    }
     String urlStr = url.toExternalForm();
     StringBuilder sb = new StringBuilder(urlStr);
     String separator = (urlStr.contains("?")) ? "&" : "?";