HDDS-991. Fix failures in TestSecureOzoneCluster. Contributed by Ajay Kumar.
parent
1d523279da
commit
2ec296e659
@ -125,6 +125,11 @@ public enum ResultCodes {
|
|||||||
COMPLETE_MULTIPART_UPLOAD_FAILED,
|
COMPLETE_MULTIPART_UPLOAD_FAILED,
|
||||||
ENTITY_TOO_SMALL,
|
ENTITY_TOO_SMALL,
|
||||||
ABORT_MULTIPART_UPLOAD_FAILED,
|
ABORT_MULTIPART_UPLOAD_FAILED,
|
||||||
INVALID_REQUEST;
|
INVALID_REQUEST,
|
||||||
|
INVALID_AUTH_METHOD,
|
||||||
|
INVALID_TOKEN,
|
||||||
|
TOKEN_EXPIRED,
|
||||||
|
TOKEN_ERROR_OTHER,
|
||||||
|
UNKNOWN
|
||||||
}
|
}
|
||||||
}
|
}
|
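Review bot: The five new result codes are added without any comment, and `UNKNOWN` in particular has no counterpart among the Status values this commit adds to the proto enum (33–36), so it appears to be a client-side fallback only. A short comment above the new constants would make that explicit, e.g. `// Token/auth failures mirroring the proto Status values; UNKNOWN is a client-side fallback with no proto value.` The enum body starts outside the hunk, so existing conventions for documenting codes could not be checked here.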
@ -17,13 +17,13 @@
|
|||||||
*/
|
*/
|
||||||
package org.apache.hadoop.ozone.om.protocol;
|
package org.apache.hadoop.ozone.om.protocol;
|
||||||
|
|
||||||
import java.io.IOException;
|
|
||||||
import org.apache.hadoop.io.Text;
|
import org.apache.hadoop.io.Text;
|
||||||
import org.apache.hadoop.io.retry.Idempotent;
|
import org.apache.hadoop.io.retry.Idempotent;
|
||||||
import org.apache.hadoop.ozone.om.OMConfigKeys;
|
import org.apache.hadoop.ozone.om.OMConfigKeys;
|
||||||
import org.apache.hadoop.ozone.security.OzoneTokenIdentifier;
|
import org.apache.hadoop.ozone.security.OzoneTokenIdentifier;
|
||||||
import org.apache.hadoop.security.KerberosInfo;
|
import org.apache.hadoop.security.KerberosInfo;
|
||||||
import org.apache.hadoop.security.token.Token;
|
import org.apache.hadoop.security.token.Token;
|
||||||
|
import org.apache.hadoop.ozone.om.exceptions.OMException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Security protocol for a secure OzoneManager.
|
* Security protocol for a secure OzoneManager.
|
||||||
@ -37,31 +37,31 @@ public interface OzoneManagerSecurityProtocol {
|
|||||||
*
|
*
|
||||||
* @param renewer the designated renewer for the token
|
* @param renewer the designated renewer for the token
|
||||||
* @return Token<OzoneDelegationTokenSelector>
|
* @return Token<OzoneDelegationTokenSelector>
|
||||||
* @throws IOException
|
* @throws OMException
|
||||||
*/
|
*/
|
||||||
@Idempotent
|
@Idempotent
|
||||||
Token<OzoneTokenIdentifier> getDelegationToken(Text renewer)
|
Token<OzoneTokenIdentifier> getDelegationToken(Text renewer)
|
||||||
throws IOException;
|
throws OMException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Renew an existing delegation token.
|
* Renew an existing delegation token.
|
||||||
*
|
*
|
||||||
* @param token delegation token obtained earlier
|
* @param token delegation token obtained earlier
|
||||||
* @return the new expiration time
|
* @return the new expiration time
|
||||||
* @throws IOException
|
* @throws OMException
|
||||||
*/
|
*/
|
||||||
@Idempotent
|
@Idempotent
|
||||||
long renewDelegationToken(Token<OzoneTokenIdentifier> token)
|
long renewDelegationToken(Token<OzoneTokenIdentifier> token)
|
||||||
throws IOException;
|
throws OMException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Cancel an existing delegation token.
|
* Cancel an existing delegation token.
|
||||||
*
|
*
|
||||||
* @param token delegation token
|
* @param token delegation token
|
||||||
* @throws IOException
|
* @throws OMException
|
||||||
*/
|
*/
|
||||||
@Idempotent
|
@Idempotent
|
||||||
void cancelDelegationToken(Token<OzoneTokenIdentifier> token)
|
void cancelDelegationToken(Token<OzoneTokenIdentifier> token)
|
||||||
throws IOException;
|
throws OMException;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
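Review bot: The three `@throws OMException` tags carry no description, so the narrowed contract does not tell callers which result codes to expect from getDelegationToken, renewDelegationToken and cancelDelegationToken. Consider `@throws OMException if the request fails; the result code distinguishes an invalid auth method, an invalid or expired token, and other token errors` (wording to be confirmed against the server side, which is not visible here). The unchanged `@return Token<OzoneDelegationTokenSelector>` line also disagrees with the declared return type `Token<OzoneTokenIdentifier>`. Narrowing `throws IOException` to `throws OMException` means every implementer of the interface now has to wrap other I/O failures itself, which is worth stating in the interface Javadoc.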
@ -41,7 +41,7 @@
|
|||||||
import org.apache.hadoop.ozone.om.helpers.S3SecretValue;
|
import org.apache.hadoop.ozone.om.helpers.S3SecretValue;
|
||||||
import org.apache.hadoop.ozone.om.helpers.ServiceInfo;
|
import org.apache.hadoop.ozone.om.helpers.ServiceInfo;
|
||||||
import org.apache.hadoop.ozone.om.protocol.OzoneManagerProtocol;
|
import org.apache.hadoop.ozone.om.protocol.OzoneManagerProtocol;
|
||||||
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos;
|
import org.apache.hadoop.ozone.om.exceptions.OMException;
|
||||||
import org.apache.hadoop.ozone.protocol.proto
|
import org.apache.hadoop.ozone.protocol.proto
|
||||||
.OzoneManagerProtocolProtos.AllocateBlockRequest;
|
.OzoneManagerProtocolProtos.AllocateBlockRequest;
|
||||||
import org.apache.hadoop.ozone.protocol.proto
|
import org.apache.hadoop.ozone.protocol.proto
|
||||||
@ -189,6 +189,12 @@
|
|||||||
.OzoneManagerProtocolProtos.CancelDelegationTokenResponseProto;
|
.OzoneManagerProtocolProtos.CancelDelegationTokenResponseProto;
|
||||||
import org.apache.hadoop.security.token.Token;
|
import org.apache.hadoop.security.token.Token;
|
||||||
|
|
||||||
|
import static org.apache.hadoop.ozone.om.exceptions.OMException.*;
|
||||||
|
import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.TOKEN_ERROR_OTHER;
|
||||||
|
import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.UNKNOWN;
|
||||||
|
import static org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.Status.OK;
|
||||||
|
import static org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.Status.ACCESS_DENIED;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The client side implementation of OzoneManagerProtocol.
|
* The client side implementation of OzoneManagerProtocol.
|
||||||
*/
|
*/
|
||||||
@ -288,7 +294,7 @@ public void createVolume(OmVolumeArgs args) throws IOException {
|
|||||||
CreateVolumeResponse resp = submitRequest(omRequest)
|
CreateVolumeResponse resp = submitRequest(omRequest)
|
||||||
.getCreateVolumeResponse();
|
.getCreateVolumeResponse();
|
||||||
|
|
||||||
if (resp.getStatus() != Status.OK) {
|
if (resp.getStatus() != OK) {
|
||||||
throw new
|
throw new
|
||||||
IOException("Volume creation failed, error:" + resp.getStatus());
|
IOException("Volume creation failed, error:" + resp.getStatus());
|
||||||
}
|
}
|
||||||
@ -314,7 +320,7 @@ public void setOwner(String volume, String owner) throws IOException {
|
|||||||
SetVolumePropertyResponse resp = submitRequest(omRequest)
|
SetVolumePropertyResponse resp = submitRequest(omRequest)
|
||||||
.getSetVolumePropertyResponse();
|
.getSetVolumePropertyResponse();
|
||||||
|
|
||||||
if (resp.getStatus() != Status.OK) {
|
if (resp.getStatus() != OK) {
|
||||||
throw new
|
throw new
|
||||||
IOException("Volume owner change failed, error:" + resp.getStatus());
|
IOException("Volume owner change failed, error:" + resp.getStatus());
|
||||||
}
|
}
|
||||||
@ -340,7 +346,7 @@ public void setQuota(String volume, long quota) throws IOException {
|
|||||||
SetVolumePropertyResponse resp = submitRequest(omRequest)
|
SetVolumePropertyResponse resp = submitRequest(omRequest)
|
||||||
.getSetVolumePropertyResponse();
|
.getSetVolumePropertyResponse();
|
||||||
|
|
||||||
if (resp.getStatus() != Status.OK) {
|
if (resp.getStatus() != OK) {
|
||||||
throw new
|
throw new
|
||||||
IOException("Volume quota change failed, error:" + resp.getStatus());
|
IOException("Volume quota change failed, error:" + resp.getStatus());
|
||||||
}
|
}
|
||||||
@ -369,9 +375,9 @@ public boolean checkVolumeAccess(String volume, OzoneAclInfo userAcl) throws
|
|||||||
CheckVolumeAccessResponse resp = submitRequest(omRequest)
|
CheckVolumeAccessResponse resp = submitRequest(omRequest)
|
||||||
.getCheckVolumeAccessResponse();
|
.getCheckVolumeAccessResponse();
|
||||||
|
|
||||||
if (resp.getStatus() == Status.ACCESS_DENIED) {
|
if (resp.getStatus() == ACCESS_DENIED) {
|
||||||
return false;
|
return false;
|
||||||
} else if (resp.getStatus() == Status.OK) {
|
} else if (resp.getStatus() == OK) {
|
||||||
return true;
|
return true;
|
||||||
} else {
|
} else {
|
||||||
throw new
|
throw new
|
||||||
@ -397,7 +403,7 @@ public OmVolumeArgs getVolumeInfo(String volume) throws IOException {
|
|||||||
|
|
||||||
InfoVolumeResponse resp = submitRequest(omRequest).getInfoVolumeResponse();
|
InfoVolumeResponse resp = submitRequest(omRequest).getInfoVolumeResponse();
|
||||||
|
|
||||||
if (resp.getStatus() != Status.OK) {
|
if (resp.getStatus() != OK) {
|
||||||
throw new
|
throw new
|
||||||
IOException("Info Volume failed, error:" + resp.getStatus());
|
IOException("Info Volume failed, error:" + resp.getStatus());
|
||||||
}
|
}
|
||||||
@ -422,7 +428,7 @@ public void deleteVolume(String volume) throws IOException {
|
|||||||
DeleteVolumeResponse resp = submitRequest(omRequest)
|
DeleteVolumeResponse resp = submitRequest(omRequest)
|
||||||
.getDeleteVolumeResponse();
|
.getDeleteVolumeResponse();
|
||||||
|
|
||||||
if (resp.getStatus() != Status.OK) {
|
if (resp.getStatus() != OK) {
|
||||||
throw new
|
throw new
|
||||||
IOException("Delete Volume failed, error:" + resp.getStatus());
|
IOException("Delete Volume failed, error:" + resp.getStatus());
|
||||||
}
|
}
|
||||||
@ -490,7 +496,7 @@ private List<OmVolumeArgs> listVolume(ListVolumeRequest request)
|
|||||||
|
|
||||||
ListVolumeResponse resp = submitRequest(omRequest).getListVolumeResponse();
|
ListVolumeResponse resp = submitRequest(omRequest).getListVolumeResponse();
|
||||||
|
|
||||||
if (resp.getStatus() != Status.OK) {
|
if (resp.getStatus() != OK) {
|
||||||
throw new IOException("List volume failed, error: "
|
throw new IOException("List volume failed, error: "
|
||||||
+ resp.getStatus());
|
+ resp.getStatus());
|
||||||
}
|
}
|
||||||
@ -520,7 +526,7 @@ public void createBucket(OmBucketInfo bucketInfo) throws IOException {
|
|||||||
CreateBucketResponse resp = submitRequest(omRequest)
|
CreateBucketResponse resp = submitRequest(omRequest)
|
||||||
.getCreateBucketResponse();
|
.getCreateBucketResponse();
|
||||||
|
|
||||||
if (resp.getStatus() != Status.OK) {
|
if (resp.getStatus() != OK) {
|
||||||
throw new IOException("Bucket creation failed, error: "
|
throw new IOException("Bucket creation failed, error: "
|
||||||
+ resp.getStatus());
|
+ resp.getStatus());
|
||||||
}
|
}
|
||||||
@ -548,7 +554,7 @@ public OmBucketInfo getBucketInfo(String volume, String bucket)
|
|||||||
|
|
||||||
InfoBucketResponse resp = submitRequest(omRequest).getInfoBucketResponse();
|
InfoBucketResponse resp = submitRequest(omRequest).getInfoBucketResponse();
|
||||||
|
|
||||||
if (resp.getStatus() == Status.OK) {
|
if (resp.getStatus() == OK) {
|
||||||
return OmBucketInfo.getFromProtobuf(resp.getBucketInfo());
|
return OmBucketInfo.getFromProtobuf(resp.getBucketInfo());
|
||||||
} else {
|
} else {
|
||||||
throw new IOException("Info Bucket failed, error: "
|
throw new IOException("Info Bucket failed, error: "
|
||||||
@ -576,7 +582,7 @@ public void setBucketProperty(OmBucketArgs args)
|
|||||||
SetBucketPropertyResponse resp = submitRequest(omRequest)
|
SetBucketPropertyResponse resp = submitRequest(omRequest)
|
||||||
.getSetBucketPropertyResponse();
|
.getSetBucketPropertyResponse();
|
||||||
|
|
||||||
if (resp.getStatus() != Status.OK) {
|
if (resp.getStatus() != OK) {
|
||||||
throw new IOException("Setting bucket property failed, error: "
|
throw new IOException("Setting bucket property failed, error: "
|
||||||
+ resp.getStatus());
|
+ resp.getStatus());
|
||||||
}
|
}
|
||||||
@ -614,7 +620,7 @@ public List<OmBucketInfo> listBuckets(String volumeName,
|
|||||||
ListBucketsResponse resp = submitRequest(omRequest)
|
ListBucketsResponse resp = submitRequest(omRequest)
|
||||||
.getListBucketsResponse();
|
.getListBucketsResponse();
|
||||||
|
|
||||||
if (resp.getStatus() == Status.OK) {
|
if (resp.getStatus() == OK) {
|
||||||
buckets.addAll(
|
buckets.addAll(
|
||||||
resp.getBucketInfoList().stream()
|
resp.getBucketInfoList().stream()
|
||||||
.map(OmBucketInfo::getFromProtobuf)
|
.map(OmBucketInfo::getFromProtobuf)
|
||||||
@ -677,7 +683,7 @@ public OpenKeySession openKey(OmKeyArgs args) throws IOException {
|
|||||||
|
|
||||||
CreateKeyResponse resp = submitRequest(omRequest).getCreateKeyResponse();
|
CreateKeyResponse resp = submitRequest(omRequest).getCreateKeyResponse();
|
||||||
|
|
||||||
if (resp.getStatus() != Status.OK) {
|
if (resp.getStatus() != OK) {
|
||||||
throw new IOException("Create key failed, error:" + resp.getStatus());
|
throw new IOException("Create key failed, error:" + resp.getStatus());
|
||||||
}
|
}
|
||||||
return new OpenKeySession(resp.getID(),
|
return new OpenKeySession(resp.getID(),
|
||||||
@ -703,7 +709,7 @@ public OmKeyLocationInfo allocateBlock(OmKeyArgs args, long clientId)
|
|||||||
AllocateBlockResponse resp = submitRequest(omRequest)
|
AllocateBlockResponse resp = submitRequest(omRequest)
|
||||||
.getAllocateBlockResponse();
|
.getAllocateBlockResponse();
|
||||||
|
|
||||||
if (resp.getStatus() != Status.OK) {
|
if (resp.getStatus() != OK) {
|
||||||
throw new IOException("Allocate block failed, error:" +
|
throw new IOException("Allocate block failed, error:" +
|
||||||
resp.getStatus());
|
resp.getStatus());
|
||||||
}
|
}
|
||||||
@ -733,7 +739,7 @@ public void commitKey(OmKeyArgs args, long clientId)
|
|||||||
|
|
||||||
CommitKeyResponse resp = submitRequest(omRequest).getCommitKeyResponse();
|
CommitKeyResponse resp = submitRequest(omRequest).getCommitKeyResponse();
|
||||||
|
|
||||||
if (resp.getStatus() != Status.OK) {
|
if (resp.getStatus() != OK) {
|
||||||
throw new IOException("Commit key failed, error:" +
|
throw new IOException("Commit key failed, error:" +
|
||||||
resp.getStatus());
|
resp.getStatus());
|
||||||
}
|
}
|
||||||
@ -756,7 +762,7 @@ public OmKeyInfo lookupKey(OmKeyArgs args) throws IOException {
|
|||||||
|
|
||||||
LookupKeyResponse resp = submitRequest(omRequest).getLookupKeyResponse();
|
LookupKeyResponse resp = submitRequest(omRequest).getLookupKeyResponse();
|
||||||
|
|
||||||
if (resp.getStatus() != Status.OK) {
|
if (resp.getStatus() != OK) {
|
||||||
throw new IOException("Lookup key failed, error:" +
|
throw new IOException("Lookup key failed, error:" +
|
||||||
resp.getStatus());
|
resp.getStatus());
|
||||||
}
|
}
|
||||||
@ -780,7 +786,7 @@ public void renameKey(OmKeyArgs args, String toKeyName) throws IOException {
|
|||||||
|
|
||||||
RenameKeyResponse resp = submitRequest(omRequest).getRenameKeyResponse();
|
RenameKeyResponse resp = submitRequest(omRequest).getRenameKeyResponse();
|
||||||
|
|
||||||
if (resp.getStatus() != Status.OK) {
|
if (resp.getStatus() != OK) {
|
||||||
throw new IOException("Rename key failed, error:" +
|
throw new IOException("Rename key failed, error:" +
|
||||||
resp.getStatus());
|
resp.getStatus());
|
||||||
}
|
}
|
||||||
@ -807,7 +813,7 @@ public void deleteKey(OmKeyArgs args) throws IOException {
|
|||||||
|
|
||||||
DeleteKeyResponse resp = submitRequest(omRequest).getDeleteKeyResponse();
|
DeleteKeyResponse resp = submitRequest(omRequest).getDeleteKeyResponse();
|
||||||
|
|
||||||
if (resp.getStatus() != Status.OK) {
|
if (resp.getStatus() != OK) {
|
||||||
throw new IOException("Delete key failed, error:" +
|
throw new IOException("Delete key failed, error:" +
|
||||||
resp.getStatus());
|
resp.getStatus());
|
||||||
}
|
}
|
||||||
@ -831,7 +837,7 @@ public void deleteBucket(String volume, String bucket) throws IOException {
|
|||||||
DeleteBucketResponse resp = submitRequest(omRequest)
|
DeleteBucketResponse resp = submitRequest(omRequest)
|
||||||
.getDeleteBucketResponse();
|
.getDeleteBucketResponse();
|
||||||
|
|
||||||
if (resp.getStatus() != Status.OK) {
|
if (resp.getStatus() != OK) {
|
||||||
throw new
|
throw new
|
||||||
IOException("Delete Bucket failed, error:" + resp.getStatus());
|
IOException("Delete Bucket failed, error:" + resp.getStatus());
|
||||||
}
|
}
|
||||||
@ -865,7 +871,7 @@ public List<OmKeyInfo> listKeys(String volumeName, String bucketName,
|
|||||||
|
|
||||||
ListKeysResponse resp = submitRequest(omRequest).getListKeysResponse();
|
ListKeysResponse resp = submitRequest(omRequest).getListKeysResponse();
|
||||||
|
|
||||||
if (resp.getStatus() == Status.OK) {
|
if (resp.getStatus() == OK) {
|
||||||
keys.addAll(
|
keys.addAll(
|
||||||
resp.getKeyInfoList().stream()
|
resp.getKeyInfoList().stream()
|
||||||
.map(OmKeyInfo::getFromProtobuf)
|
.map(OmKeyInfo::getFromProtobuf)
|
||||||
@ -892,7 +898,7 @@ public void createS3Bucket(String userName, String s3BucketName)
|
|||||||
S3CreateBucketResponse resp = submitRequest(omRequest)
|
S3CreateBucketResponse resp = submitRequest(omRequest)
|
||||||
.getCreateS3BucketResponse();
|
.getCreateS3BucketResponse();
|
||||||
|
|
||||||
if(resp.getStatus() != Status.OK) {
|
if(resp.getStatus() != OK) {
|
||||||
throw new IOException("Creating S3 bucket failed, error: "
|
throw new IOException("Creating S3 bucket failed, error: "
|
||||||
+ resp.getStatus());
|
+ resp.getStatus());
|
||||||
}
|
}
|
||||||
@ -912,7 +918,7 @@ public void deleteS3Bucket(String s3BucketName) throws IOException {
|
|||||||
S3DeleteBucketResponse resp = submitRequest(omRequest)
|
S3DeleteBucketResponse resp = submitRequest(omRequest)
|
||||||
.getDeleteS3BucketResponse();
|
.getDeleteS3BucketResponse();
|
||||||
|
|
||||||
if(resp.getStatus() != Status.OK) {
|
if(resp.getStatus() != OK) {
|
||||||
throw new IOException("Creating S3 bucket failed, error: "
|
throw new IOException("Creating S3 bucket failed, error: "
|
||||||
+ resp.getStatus());
|
+ resp.getStatus());
|
||||||
}
|
}
|
||||||
@ -933,7 +939,7 @@ public String getOzoneBucketMapping(String s3BucketName)
|
|||||||
S3BucketInfoResponse resp = submitRequest(omRequest)
|
S3BucketInfoResponse resp = submitRequest(omRequest)
|
||||||
.getInfoS3BucketResponse();
|
.getInfoS3BucketResponse();
|
||||||
|
|
||||||
if(resp.getStatus() != Status.OK) {
|
if(resp.getStatus() != OK) {
|
||||||
throw new IOException("GetOzoneBucketMapping failed, error:" + resp
|
throw new IOException("GetOzoneBucketMapping failed, error:" + resp
|
||||||
.getStatus());
|
.getStatus());
|
||||||
}
|
}
|
||||||
@ -963,7 +969,7 @@ public List<OmBucketInfo> listS3Buckets(String userName, String startKey,
|
|||||||
S3ListBucketsResponse resp = submitRequest(omRequest)
|
S3ListBucketsResponse resp = submitRequest(omRequest)
|
||||||
.getListS3BucketsResponse();
|
.getListS3BucketsResponse();
|
||||||
|
|
||||||
if (resp.getStatus() == Status.OK) {
|
if (resp.getStatus() == OK) {
|
||||||
buckets.addAll(
|
buckets.addAll(
|
||||||
resp.getBucketInfoList().stream()
|
resp.getBucketInfoList().stream()
|
||||||
.map(OmBucketInfo::getFromProtobuf)
|
.map(OmBucketInfo::getFromProtobuf)
|
||||||
@ -986,7 +992,7 @@ public S3SecretValue getS3Secret(String kerberosID) throws IOException {
|
|||||||
final GetS3SecretResponse resp = submitRequest(omRequest)
|
final GetS3SecretResponse resp = submitRequest(omRequest)
|
||||||
.getGetS3SecretResponse();
|
.getGetS3SecretResponse();
|
||||||
|
|
||||||
if(resp.getStatus() != Status.OK) {
|
if(resp.getStatus() != OK) {
|
||||||
throw new IOException("Fetch S3 Secret failed, error: " +
|
throw new IOException("Fetch S3 Secret failed, error: " +
|
||||||
resp.getStatus());
|
resp.getStatus());
|
||||||
} else {
|
} else {
|
||||||
@ -1022,7 +1028,7 @@ public OmMultipartInfo initiateMultipartUpload(OmKeyArgs omKeyArgs) throws
|
|||||||
MultipartInfoInitiateResponse resp = submitRequest(omRequest)
|
MultipartInfoInitiateResponse resp = submitRequest(omRequest)
|
||||||
.getInitiateMultiPartUploadResponse();
|
.getInitiateMultiPartUploadResponse();
|
||||||
|
|
||||||
if (resp.getStatus() != Status.OK) {
|
if (resp.getStatus() != OK) {
|
||||||
throw new IOException("Initiate Multipart upload failed, error:" + resp
|
throw new IOException("Initiate Multipart upload failed, error:" + resp
|
||||||
.getStatus());
|
.getStatus());
|
||||||
}
|
}
|
||||||
@ -1064,7 +1070,7 @@ public OmMultipartCommitUploadPartInfo commitMultipartUploadPart(
|
|||||||
MultipartCommitUploadPartResponse response = submitRequest(omRequest)
|
MultipartCommitUploadPartResponse response = submitRequest(omRequest)
|
||||||
.getCommitMultiPartUploadResponse();
|
.getCommitMultiPartUploadResponse();
|
||||||
|
|
||||||
if (response.getStatus() != Status.OK) {
|
if (response.getStatus() != OK) {
|
||||||
throw new IOException("Commit multipart upload part key failed, error:"
|
throw new IOException("Commit multipart upload part key failed, error:"
|
||||||
+ response.getStatus());
|
+ response.getStatus());
|
||||||
}
|
}
|
||||||
@ -1099,7 +1105,7 @@ public OmMultipartUploadCompleteInfo completeMultipartUpload(
|
|||||||
MultipartUploadCompleteResponse response = submitRequest(omRequest)
|
MultipartUploadCompleteResponse response = submitRequest(omRequest)
|
||||||
.getCompleteMultiPartUploadResponse();
|
.getCompleteMultiPartUploadResponse();
|
||||||
|
|
||||||
if (response.getStatus() != Status.OK) {
|
if (response.getStatus() != OK) {
|
||||||
throw new IOException("Complete multipart upload failed, error:" +
|
throw new IOException("Complete multipart upload failed, error:" +
|
||||||
response.getStatus());
|
response.getStatus());
|
||||||
}
|
}
|
||||||
@ -1130,7 +1136,7 @@ public void abortMultipartUpload(OmKeyArgs omKeyArgs) throws IOException {
|
|||||||
MultipartUploadAbortResponse response =
|
MultipartUploadAbortResponse response =
|
||||||
submitRequest(omRequest).getAbortMultiPartUploadResponse();
|
submitRequest(omRequest).getAbortMultiPartUploadResponse();
|
||||||
|
|
||||||
if (response.getStatus() != Status.OK) {
|
if (response.getStatus() != OK) {
|
||||||
throw new IOException("Abort multipart upload failed, error:" +
|
throw new IOException("Abort multipart upload failed, error:" +
|
||||||
response.getStatus());
|
response.getStatus());
|
||||||
}
|
}
|
||||||
@ -1147,7 +1153,7 @@ public List<ServiceInfo> getServiceList() throws IOException {
|
|||||||
final ServiceListResponse resp = submitRequest(omRequest)
|
final ServiceListResponse resp = submitRequest(omRequest)
|
||||||
.getServiceListResponse();
|
.getServiceListResponse();
|
||||||
|
|
||||||
if (resp.getStatus() == Status.OK) {
|
if (resp.getStatus() == OK) {
|
||||||
return resp.getServiceInfoList().stream()
|
return resp.getServiceInfoList().stream()
|
||||||
.map(ServiceInfo::getFromProtobuf)
|
.map(ServiceInfo::getFromProtobuf)
|
||||||
.collect(Collectors.toList());
|
.collect(Collectors.toList());
|
||||||
@ -1162,11 +1168,11 @@ public List<ServiceInfo> getServiceList() throws IOException {
|
|||||||
*
|
*
|
||||||
* @param renewer the designated renewer for the token
|
* @param renewer the designated renewer for the token
|
||||||
* @return Token<OzoneDelegationTokenSelector>
|
* @return Token<OzoneDelegationTokenSelector>
|
||||||
* @throws IOException
|
* @throws OMException
|
||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public Token<OzoneTokenIdentifier> getDelegationToken(Text renewer)
|
public Token<OzoneTokenIdentifier> getDelegationToken(Text renewer)
|
||||||
throws IOException {
|
throws OMException {
|
||||||
GetDelegationTokenRequestProto req = GetDelegationTokenRequestProto
|
GetDelegationTokenRequestProto req = GetDelegationTokenRequestProto
|
||||||
.newBuilder()
|
.newBuilder()
|
||||||
.setRenewer(renewer == null ? "" : renewer.toString())
|
.setRenewer(renewer == null ? "" : renewer.toString())
|
||||||
@ -1176,15 +1182,23 @@ public Token<OzoneTokenIdentifier> getDelegationToken(Text renewer)
|
|||||||
.setGetDelegationTokenRequest(req)
|
.setGetDelegationTokenRequest(req)
|
||||||
.build();
|
.build();
|
||||||
|
|
||||||
final GetDelegationTokenResponseProto resp = submitRequest(omRequest)
|
final GetDelegationTokenResponseProto resp;
|
||||||
.getGetDelegationTokenResponse();
|
try {
|
||||||
if (resp.getStatus() == Status.OK) {
|
resp = submitRequest(omRequest).getGetDelegationTokenResponse();
|
||||||
|
|
||||||
|
if (resp.getStatus() == OK) {
|
||||||
return resp.getResponse().hasToken() ?
|
return resp.getResponse().hasToken() ?
|
||||||
OMPBHelper.convertToDelegationToken(resp.getResponse().getToken())
|
OMPBHelper.convertToDelegationToken(resp.getResponse().getToken())
|
||||||
: null;
|
: null;
|
||||||
} else {
|
}
|
||||||
throw new IOException("Get Delegation Token failed, error : " + resp
|
throw new OMException("Get delegation token failed with response:"
|
||||||
.getStatus());
|
+ resp.getStatus(), toResultStatus(resp.getStatus()));
|
||||||
|
} catch (IOException e) {
|
||||||
|
if(e instanceof OMException) {
|
||||||
|
throw (OMException)e;
|
||||||
|
}
|
||||||
|
throw new OMException("Get delegation token failed.", e,
|
||||||
|
TOKEN_ERROR_OTHER);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1193,11 +1207,10 @@ public Token<OzoneTokenIdentifier> getDelegationToken(Text renewer)
|
|||||||
*
|
*
|
||||||
* @param token delegation token obtained earlier
|
* @param token delegation token obtained earlier
|
||||||
* @return the new expiration time
|
* @return the new expiration time
|
||||||
* @throws IOException
|
|
||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public long renewDelegationToken(Token<OzoneTokenIdentifier> token)
|
public long renewDelegationToken(Token<OzoneTokenIdentifier> token)
|
||||||
throws IOException {
|
throws OMException {
|
||||||
RenewDelegationTokenRequestProto req =
|
RenewDelegationTokenRequestProto req =
|
||||||
RenewDelegationTokenRequestProto.newBuilder().
|
RenewDelegationTokenRequestProto.newBuilder().
|
||||||
setToken(OMPBHelper.convertToTokenProto(token)).
|
setToken(OMPBHelper.convertToTokenProto(token)).
|
||||||
@ -1207,13 +1220,21 @@ public long renewDelegationToken(Token<OzoneTokenIdentifier> token)
|
|||||||
.setRenewDelegationTokenRequest(req)
|
.setRenewDelegationTokenRequest(req)
|
||||||
.build();
|
.build();
|
||||||
|
|
||||||
final RenewDelegationTokenResponseProto resp = submitRequest(omRequest)
|
final RenewDelegationTokenResponseProto resp;
|
||||||
|
try {
|
||||||
|
resp = submitRequest(omRequest)
|
||||||
.getRenewDelegationTokenResponse();
|
.getRenewDelegationTokenResponse();
|
||||||
if (resp.getStatus() == Status.OK) {
|
if (resp.getStatus() == OK) {
|
||||||
return resp.getResponse().getNewExpiryTime();
|
return resp.getResponse().getNewExpiryTime();
|
||||||
} else {
|
}
|
||||||
throw new IOException("Renew Delegation Token failed, error : " + resp
|
throw new OMException("Renew delegation token failed with response:"
|
||||||
.getStatus());
|
+ resp.getStatus(), toResultStatus(resp.getStatus()));
|
||||||
|
} catch (IOException e) {
|
||||||
|
if(e instanceof OMException) {
|
||||||
|
throw (OMException)e;
|
||||||
|
}
|
||||||
|
throw new OMException("Renew delegation token failed.", e,
|
||||||
|
TOKEN_ERROR_OTHER);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1221,11 +1242,10 @@ public long renewDelegationToken(Token<OzoneTokenIdentifier> token)
|
|||||||
* Cancel an existing delegation token.
|
* Cancel an existing delegation token.
|
||||||
*
|
*
|
||||||
* @param token delegation token
|
* @param token delegation token
|
||||||
* @throws IOException
|
|
||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public void cancelDelegationToken(Token<OzoneTokenIdentifier> token)
|
public void cancelDelegationToken(Token<OzoneTokenIdentifier> token)
|
||||||
throws IOException {
|
throws OMException {
|
||||||
CancelDelegationTokenRequestProto req = CancelDelegationTokenRequestProto
|
CancelDelegationTokenRequestProto req = CancelDelegationTokenRequestProto
|
||||||
.newBuilder()
|
.newBuilder()
|
||||||
.setToken(OMPBHelper.convertToTokenProto(token))
|
.setToken(OMPBHelper.convertToTokenProto(token))
|
||||||
@ -1235,11 +1255,40 @@ public void cancelDelegationToken(Token<OzoneTokenIdentifier> token)
|
|||||||
.setCancelDelegationTokenRequest(req)
|
.setCancelDelegationTokenRequest(req)
|
||||||
.build();
|
.build();
|
||||||
|
|
||||||
final CancelDelegationTokenResponseProto resp = submitRequest(omRequest)
|
final CancelDelegationTokenResponseProto resp;
|
||||||
.getCancelDelegationTokenResponse();
|
try {
|
||||||
if (resp.getStatus() != Status.OK) {
|
resp = submitRequest(omRequest).getCancelDelegationTokenResponse();
|
||||||
throw new IOException("Cancel Delegation Token failed, error : " + resp
|
if (resp.getStatus() == OK) {
|
||||||
.getStatus());
|
return;
|
||||||
|
}
|
||||||
|
throw new OMException("Cancel delegation token failed with response:"
|
||||||
|
+ resp.getStatus(), toResultStatus(resp.getStatus()));
|
||||||
|
} catch (IOException e) {
|
||||||
|
if(e instanceof OMException) {
|
||||||
|
throw (OMException)e;
|
||||||
|
}
|
||||||
|
throw new OMException("Cancel delegation token failed.", e,
|
||||||
|
TOKEN_ERROR_OTHER);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Converts proto status to OMException result code.
|
||||||
|
*
|
||||||
|
* @param status Proto status received from rpc call.
|
||||||
|
*/
|
||||||
|
public ResultCodes toResultStatus(Status status) {
|
||||||
|
switch (status) {
|
||||||
|
case INVALID_AUTH_METHOD:
|
||||||
|
return ResultCodes.INVALID_AUTH_METHOD;
|
||||||
|
case INVALID_TOKEN:
|
||||||
|
return ResultCodes.INVALID_TOKEN;
|
||||||
|
case TOKEN_EXPIRED:
|
||||||
|
return ResultCodes.TOKEN_EXPIRED;
|
||||||
|
case TOKEN_ERROR_OTHER:
|
||||||
|
return TOKEN_ERROR_OTHER;
|
||||||
|
default:
|
||||||
|
return UNKNOWN;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
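Review bot: In getDelegationToken, renewDelegationToken and cancelDelegationToken the new `catch (IOException e)` rewraps every non-OMException failure from `submitRequest` as `TOKEN_ERROR_OTHER`, so a transport or RPC failure is reported with the same code as a token problem, and any status outside the four token cases (for example `ACCESS_DENIED`) falls through the `default` of `toResultStatus` to `UNKNOWN`. Callers that branch on the result code then cannot tell a rejected token from an unreachable server or a denied request. I would keep `TOKEN_ERROR_OTHER` for statuses the server actually returned and either give wrapped I/O failures their own code or document the conflation on `toResultStatus`, whose Javadoc also lacks an `@return`. The identical catch block is repeated three times and could be one private helper. `toResultStatus` reads no instance state and could be `private static` unless something outside this class calls it.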
@ -22,6 +22,7 @@
|
|||||||
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
|
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
|
||||||
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
|
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
|
||||||
import org.apache.hadoop.io.Text;
|
import org.apache.hadoop.io.Text;
|
||||||
|
import org.apache.hadoop.ozone.om.exceptions.OMException;
|
||||||
import org.apache.hadoop.ozone.security.OzoneSecretStore.OzoneManagerSecretState;
|
import org.apache.hadoop.ozone.security.OzoneSecretStore.OzoneManagerSecretState;
|
||||||
import org.apache.hadoop.ozone.security.OzoneTokenIdentifier.TokenInfo;
|
import org.apache.hadoop.ozone.security.OzoneTokenIdentifier.TokenInfo;
|
||||||
import org.apache.hadoop.security.AccessControlException;
|
import org.apache.hadoop.security.AccessControlException;
|
||||||
@ -41,6 +42,8 @@
|
|||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.concurrent.ConcurrentHashMap;
|
import java.util.concurrent.ConcurrentHashMap;
|
||||||
|
|
||||||
|
import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.TOKEN_EXPIRED;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* SecretManager for Ozone Master. Responsible for signing identifiers with
|
* SecretManager for Ozone Master. Responsible for signing identifiers with
|
||||||
* private key,
|
* private key,
|
||||||
@ -172,8 +175,7 @@ private void updateIdentifierDetails(OzoneTokenIdentifier identifier) {
|
|||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public synchronized long renewToken(Token<OzoneTokenIdentifier> token,
|
public synchronized long renewToken(Token<OzoneTokenIdentifier> token,
|
||||||
String renewer)
|
String renewer) throws IOException {
|
||||||
throws IOException {
|
|
||||||
ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
|
ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
|
||||||
DataInputStream in = new DataInputStream(buf);
|
DataInputStream in = new DataInputStream(buf);
|
||||||
OzoneTokenIdentifier id = OzoneTokenIdentifier.readProtoBuf(in);
|
OzoneTokenIdentifier id = OzoneTokenIdentifier.readProtoBuf(in);
|
||||||
@ -184,10 +186,10 @@ public synchronized long renewToken(Token<OzoneTokenIdentifier> token,
|
|||||||
|
|
||||||
long now = Time.monotonicNow();
|
long now = Time.monotonicNow();
|
||||||
if (id.getMaxDate() < now) {
|
if (id.getMaxDate() < now) {
|
||||||
throw new InvalidToken(renewer + " tried to renew an expired token "
|
throw new OMException(renewer + " tried to renew an expired token "
|
||||||
+ formatTokenId(id) + " max expiration date: "
|
+ formatTokenId(id) + " max expiration date: "
|
||||||
+ Time.formatTime(id.getMaxDate())
|
+ Time.formatTime(id.getMaxDate())
|
||||||
+ " currentTime: " + Time.formatTime(now));
|
+ " currentTime: " + Time.formatTime(now), TOKEN_EXPIRED);
|
||||||
}
|
}
|
||||||
validateToken(id);
|
validateToken(id);
|
||||||
if ((id.getRenewer() == null) || (id.getRenewer().toString().isEmpty())) {
|
if ((id.getRenewer() == null) || (id.getRenewer().toString().isEmpty())) {
|
||||||
|
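Review bot: The expired-token branch in renewToken takes `now` from `Time.monotonicNow()`, compares it with `id.getMaxDate()` and prints it through `Time.formatTime(now)` in the new OMException message; a monotonic reading is not a wall-clock timestamp, so if `getMaxDate()` holds epoch milliseconds (not visible in this hunk) both the expiry check and the reported `currentTime` are unreliable. It is worth confirming which clock sets the max date and using the same one here, e.g. `long now = Time.now();` if it is wall-clock. Only this branch was converted to `OMException` with `TOKEN_EXPIRED`; the rest of renewToken lies outside the hunk, so other failure paths may still surface as different exception types and reach the client under a different result code.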
@ -208,6 +208,12 @@ enum Status {
|
|||||||
ABORT_MULTIPART_UPLOAD_FAILED = 31;
|
ABORT_MULTIPART_UPLOAD_FAILED = 31;
|
||||||
|
|
||||||
S3_SECRET_NOT_FOUND = 32;
|
S3_SECRET_NOT_FOUND = 32;
|
||||||
|
|
||||||
|
INVALID_AUTH_METHOD = 33;
|
||||||
|
INVALID_TOKEN = 34;
|
||||||
|
TOKEN_EXPIRED = 35;
|
||||||
|
TOKEN_ERROR_OTHER = 36;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -21,6 +21,9 @@
|
|||||||
import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS;
|
import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS;
|
||||||
import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ENABLED;
|
import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ENABLED;
|
||||||
import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY;
|
import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY;
|
||||||
|
import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.INVALID_AUTH_METHOD;
|
||||||
|
import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.TOKEN_ERROR_OTHER;
|
||||||
|
import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.TOKEN_EXPIRED;
|
||||||
import static org.slf4j.event.Level.INFO;
|
import static org.slf4j.event.Level.INFO;
|
||||||
|
|
||||||
import java.io.File;
|
import java.io.File;
|
||||||
@ -50,7 +53,6 @@
|
|||||||
import org.apache.hadoop.io.Text;
|
import org.apache.hadoop.io.Text;
|
||||||
import org.apache.hadoop.ipc.Client;
|
import org.apache.hadoop.ipc.Client;
|
||||||
import org.apache.hadoop.ipc.RPC;
|
import org.apache.hadoop.ipc.RPC;
|
||||||
import org.apache.hadoop.ipc.RemoteException;
|
|
||||||
import org.apache.hadoop.ipc.Server;
|
import org.apache.hadoop.ipc.Server;
|
||||||
import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
|
import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
|
||||||
import org.apache.hadoop.minikdc.MiniKdc;
|
import org.apache.hadoop.minikdc.MiniKdc;
|
||||||
@ -58,13 +60,13 @@
|
|||||||
import org.apache.hadoop.ozone.om.OMConfigKeys;
|
import org.apache.hadoop.ozone.om.OMConfigKeys;
|
||||||
import org.apache.hadoop.ozone.om.OMStorage;
|
import org.apache.hadoop.ozone.om.OMStorage;
|
||||||
import org.apache.hadoop.ozone.om.OzoneManager;
|
import org.apache.hadoop.ozone.om.OzoneManager;
|
||||||
|
import org.apache.hadoop.ozone.om.exceptions.OMException;
|
||||||
import org.apache.hadoop.ozone.om.protocolPB.OzoneManagerProtocolClientSideTranslatorPB;
|
import org.apache.hadoop.ozone.om.protocolPB.OzoneManagerProtocolClientSideTranslatorPB;
|
||||||
import org.apache.hadoop.ozone.om.protocolPB.OzoneManagerProtocolPB;
|
import org.apache.hadoop.ozone.om.protocolPB.OzoneManagerProtocolPB;
|
||||||
import org.apache.hadoop.ozone.security.OzoneTokenIdentifier;
|
import org.apache.hadoop.ozone.security.OzoneTokenIdentifier;
|
||||||
import org.apache.hadoop.security.KerberosAuthException;
|
import org.apache.hadoop.security.KerberosAuthException;
|
||||||
import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
|
import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
|
|
||||||
import org.apache.hadoop.security.authentication.client.AuthenticationException;
|
import org.apache.hadoop.security.authentication.client.AuthenticationException;
|
||||||
import org.apache.hadoop.security.token.Token;
|
import org.apache.hadoop.security.token.Token;
|
||||||
import org.apache.hadoop.test.GenericTestUtils;
|
import org.apache.hadoop.test.GenericTestUtils;
|
||||||
@ -80,7 +82,6 @@
|
|||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
|
||||||
import javax.ws.rs.HEAD;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Test class to for security enabled Ozone cluster.
|
* Test class to for security enabled Ozone cluster.
|
||||||
@ -345,6 +346,7 @@ public void testDelegationToken() throws Exception {
|
|||||||
|
|
||||||
// Capture logs for assertions
|
// Capture logs for assertions
|
||||||
LogCapturer logs = LogCapturer.captureLogs(Server.AUDITLOG);
|
LogCapturer logs = LogCapturer.captureLogs(Server.AUDITLOG);
|
||||||
|
LogCapturer omLogs = LogCapturer.captureLogs(OzoneManager.getLogger());
|
||||||
GenericTestUtils
|
GenericTestUtils
|
||||||
.setLogLevel(LoggerFactory.getLogger(Server.class.getName()), INFO);
|
.setLogLevel(LoggerFactory.getLogger(Server.class.getName()), INFO);
|
||||||
|
|
||||||
@ -414,11 +416,21 @@ public Void run() throws Exception {
|
|||||||
// Case 4: Test failure of token renewal.
|
// Case 4: Test failure of token renewal.
|
||||||
// Call to renewDelegationToken will fail but it will confirm that
|
// Call to renewDelegationToken will fail but it will confirm that
|
||||||
// initial connection via DT succeeded
|
// initial connection via DT succeeded
|
||||||
LambdaTestUtils.intercept(RemoteException.class, "Delegation "
|
omLogs.clearOutput();
|
||||||
+ "Token can be renewed only with kerberos or web authentication",
|
|
||||||
() -> omClient.renewDelegationToken(token));
|
LambdaTestUtils.intercept(OMException.class, "Renew delegation token " +
|
||||||
|
"failed",
|
||||||
|
() -> {
|
||||||
|
try {
|
||||||
|
omClient.renewDelegationToken(token);
|
||||||
|
} catch (OMException ex) {
|
||||||
|
Assert.assertTrue(ex.getResult().equals(INVALID_AUTH_METHOD));
|
||||||
|
throw ex;
|
||||||
|
}
|
||||||
|
});
|
||||||
Assert.assertTrue(logs.getOutput().contains(
|
Assert.assertTrue(logs.getOutput().contains(
|
||||||
"Auth successful for " + username + " (auth:TOKEN)"));
|
"Auth successful for " + username + " (auth:TOKEN)"));
|
||||||
|
omLogs.clearOutput();
|
||||||
//testUser.setAuthenticationMethod(AuthMethod.KERBEROS);
|
//testUser.setAuthenticationMethod(AuthMethod.KERBEROS);
|
||||||
UserGroupInformation.setLoginUser(ugi);
|
UserGroupInformation.setLoginUser(ugi);
|
||||||
omClient = new OzoneManagerProtocolClientSideTranslatorPB(
|
omClient = new OzoneManagerProtocolClientSideTranslatorPB(
|
||||||
@ -438,14 +450,23 @@ public Void run() throws Exception {
|
|||||||
|
|
||||||
// Case 6: Test failure of token cancellation.
|
// Case 6: Test failure of token cancellation.
|
||||||
// Get Om client, this time authentication using Token will fail as
|
// Get Om client, this time authentication using Token will fail as
|
||||||
// token is expired
|
// token is not in cache anymore.
|
||||||
omClient = new OzoneManagerProtocolClientSideTranslatorPB(
|
omClient = new OzoneManagerProtocolClientSideTranslatorPB(
|
||||||
RPC.getProxy(OzoneManagerProtocolPB.class, omVersion,
|
RPC.getProxy(OzoneManagerProtocolPB.class, omVersion,
|
||||||
OmUtils.getOmAddress(conf), testUser, conf,
|
OmUtils.getOmAddress(conf), testUser, conf,
|
||||||
NetUtils.getDefaultSocketFactory(conf),
|
NetUtils.getDefaultSocketFactory(conf),
|
||||||
Client.getRpcTimeout(conf)), RandomStringUtils.randomAscii(5));
|
Client.getRpcTimeout(conf)), RandomStringUtils.randomAscii(5));
|
||||||
LambdaTestUtils.intercept(RemoteException.class, "can't be found in cache",
|
LambdaTestUtils.intercept(OMException.class, "Cancel delegation " +
|
||||||
() -> omClient.cancelDelegationToken(token));
|
"token failed",
|
||||||
|
() -> {
|
||||||
|
try {
|
||||||
|
omClient.cancelDelegationToken(token);
|
||||||
|
} catch (OMException ex) {
|
||||||
|
Assert.assertTrue(ex.getResult().equals(TOKEN_ERROR_OTHER));
|
||||||
|
throw ex;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
Assert.assertTrue(logs.getOutput().contains("Auth failed for"));
|
Assert.assertTrue(logs.getOutput().contains("Auth failed for"));
|
||||||
} finally {
|
} finally {
|
||||||
om.stop();
|
om.stop();
|
||||||
@ -469,6 +490,7 @@ private void generateKeyPair(OzoneConfiguration config) throws Exception {
|
|||||||
public void testDelegationTokenRenewal() throws Exception {
|
public void testDelegationTokenRenewal() throws Exception {
|
||||||
GenericTestUtils
|
GenericTestUtils
|
||||||
.setLogLevel(LoggerFactory.getLogger(Server.class.getName()), INFO);
|
.setLogLevel(LoggerFactory.getLogger(Server.class.getName()), INFO);
|
||||||
|
LogCapturer omLogs = LogCapturer.captureLogs(OzoneManager.getLogger());
|
||||||
|
|
||||||
// Setup secure OM for start.
|
// Setup secure OM for start.
|
||||||
OzoneConfiguration newConf = new OzoneConfiguration(conf);
|
OzoneConfiguration newConf = new OzoneConfiguration(conf);
|
||||||
@ -502,16 +524,35 @@ public void testDelegationTokenRenewal() throws Exception {
|
|||||||
// Renew delegation token
|
// Renew delegation token
|
||||||
long expiryTime = omClient.renewDelegationToken(token);
|
long expiryTime = omClient.renewDelegationToken(token);
|
||||||
Assert.assertTrue(expiryTime > 0);
|
Assert.assertTrue(expiryTime > 0);
|
||||||
|
omLogs.clearOutput();
|
||||||
|
|
||||||
// Test failure of delegation renewal
|
// Test failure of delegation renewal
|
||||||
// 1. When renewer doesn't match (implicitly covers when renewer is
|
// 1. When token maxExpiryTime exceeds
|
||||||
|
Thread.sleep(500);
|
||||||
|
LambdaTestUtils.intercept(OMException.class,
|
||||||
|
"Renew delegation token failed",
|
||||||
|
() -> {
|
||||||
|
try {
|
||||||
|
omClient.renewDelegationToken(token);
|
||||||
|
} catch (OMException ex) {
|
||||||
|
Assert.assertTrue(ex.getResult().equals(TOKEN_EXPIRED));
|
||||||
|
throw ex;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
omLogs.clearOutput();
|
||||||
|
|
||||||
|
// 2. When renewer doesn't match (implicitly covers when renewer is
|
||||||
// null or empty )
|
// null or empty )
|
||||||
Token token2 = omClient.getDelegationToken(new Text("randomService"));
|
Token token2 = omClient.getDelegationToken(new Text("randomService"));
|
||||||
LambdaTestUtils.intercept(RemoteException.class,
|
LambdaTestUtils.intercept(OMException.class,
|
||||||
" with non-matching renewer randomService",
|
"Renew delegation token failed",
|
||||||
() -> omClient.renewDelegationToken(token2));
|
() -> omClient.renewDelegationToken(token2));
|
||||||
|
Assert.assertTrue(omLogs.getOutput().contains(" with non-matching " +
|
||||||
|
"renewer randomService"));
|
||||||
|
omLogs.clearOutput();
|
||||||
|
|
||||||
// 2. Test tampered token
|
// 3. Test tampered token
|
||||||
OzoneTokenIdentifier tokenId = OzoneTokenIdentifier.readProtoBuf(
|
OzoneTokenIdentifier tokenId = OzoneTokenIdentifier.readProtoBuf(
|
||||||
token.getIdentifier());
|
token.getIdentifier());
|
||||||
tokenId.setRenewer(new Text("om"));
|
tokenId.setRenewer(new Text("om"));
|
||||||
@ -519,15 +560,13 @@ public void testDelegationTokenRenewal() throws Exception {
|
|||||||
Token<OzoneTokenIdentifier> tamperedToken = new Token<>(
|
Token<OzoneTokenIdentifier> tamperedToken = new Token<>(
|
||||||
tokenId.getBytes(), token2.getPassword(), token2.getKind(),
|
tokenId.getBytes(), token2.getPassword(), token2.getKind(),
|
||||||
token2.getService());
|
token2.getService());
|
||||||
LambdaTestUtils.intercept(RemoteException.class,
|
LambdaTestUtils.intercept(OMException.class,
|
||||||
"can't be found in cache",
|
"Renew delegation token failed",
|
||||||
() -> omClient.renewDelegationToken(tamperedToken));
|
() -> omClient.renewDelegationToken(tamperedToken));
|
||||||
|
Assert.assertTrue(omLogs.getOutput().contains("can't be found in " +
|
||||||
|
"cache"));
|
||||||
|
omLogs.clearOutput();
|
||||||
|
|
||||||
// 3. When token maxExpiryTime exceeds
|
|
||||||
Thread.sleep(500);
|
|
||||||
LambdaTestUtils.intercept(RemoteException.class,
|
|
||||||
"om tried to renew an expired" + " token",
|
|
||||||
() -> omClient.renewDelegationToken(token));
|
|
||||||
} finally {
|
} finally {
|
||||||
om.stop();
|
om.stop();
|
||||||
om.join();
|
om.join();
|
||||||
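Review bot: Cases 2 and 3 of testDelegationTokenRenewal (non-matching renewer, tampered token) now accept any OMException containing "Renew delegation token failed" and establish the rejection reason only by searching the captured OM log, so the exception itself no longer pins why the token was refused. Case 1 and the two intercepts in testDelegationToken do inspect `ex.getResult()`; the same check belongs on cases 2 and 3, so the tampered-token assertion does not depend on log wording alone. Where the code is checked, `Assert.assertEquals(TOKEN_EXPIRED, ex.getResult());` reports the actual value on failure, which `Assert.assertTrue(ex.getResult().equals(TOKEN_EXPIRED))` does not. The test methods continue outside the hunks shown.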
|
@ -100,7 +100,6 @@
|
|||||||
import org.apache.hadoop.ozone.security.OzoneBlockTokenSecretManager;
|
import org.apache.hadoop.ozone.security.OzoneBlockTokenSecretManager;
|
||||||
import org.apache.hadoop.ozone.security.OzoneDelegationTokenSecretManager;
|
import org.apache.hadoop.ozone.security.OzoneDelegationTokenSecretManager;
|
||||||
import org.apache.hadoop.ozone.util.OzoneVersionInfo;
|
import org.apache.hadoop.ozone.util.OzoneVersionInfo;
|
||||||
import org.apache.hadoop.security.AccessControlException;
|
|
||||||
import org.apache.hadoop.security.SecurityUtil;
|
import org.apache.hadoop.security.SecurityUtil;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
|
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
|
||||||
@ -157,6 +156,8 @@
|
|||||||
.OZONE_OM_METRICS_SAVE_INTERVAL;
|
.OZONE_OM_METRICS_SAVE_INTERVAL;
|
||||||
import static org.apache.hadoop.ozone.om.OMConfigKeys
|
import static org.apache.hadoop.ozone.om.OMConfigKeys
|
||||||
.OZONE_OM_METRICS_SAVE_INTERVAL_DEFAULT;
|
.OZONE_OM_METRICS_SAVE_INTERVAL_DEFAULT;
|
||||||
|
import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.INVALID_AUTH_METHOD;
|
||||||
|
import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.TOKEN_ERROR_OTHER;
|
||||||
import static org.apache.hadoop.ozone.protocol.proto
|
import static org.apache.hadoop.ozone.protocol.proto
|
||||||
.OzoneManagerProtocolProtos.OzoneManagerService
|
.OzoneManagerProtocolProtos.OzoneManagerService
|
||||||
.newReflectiveBlockingService;
|
.newReflectiveBlockingService;
|
||||||
@ -1031,14 +1032,15 @@ private static UserGroupInformation getRemoteUser() throws IOException {
|
|||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public Token<OzoneTokenIdentifier> getDelegationToken(Text renewer)
|
public Token<OzoneTokenIdentifier> getDelegationToken(Text renewer)
|
||||||
throws IOException {
|
throws OMException {
|
||||||
final boolean success;
|
final boolean success;
|
||||||
final String tokenId;
|
final String tokenId;
|
||||||
Token<OzoneTokenIdentifier> token;
|
Token<OzoneTokenIdentifier> token;
|
||||||
|
try {
|
||||||
if (!isAllowedDelegationTokenOp()) {
|
if (!isAllowedDelegationTokenOp()) {
|
||||||
throw new IOException("Delegation Token can be issued only with "
|
throw new OMException("Delegation Token can be issued only with "
|
||||||
+ "kerberos or web authentication");
|
+ "kerberos or web authentication",
|
||||||
|
INVALID_AUTH_METHOD);
|
||||||
}
|
}
|
||||||
if (delegationTokenMgr == null || !delegationTokenMgr.isRunning()) {
|
if (delegationTokenMgr == null || !delegationTokenMgr.isRunning()) {
|
||||||
LOG.warn("trying to get DT with no secret manager running in OM.");
|
LOG.warn("trying to get DT with no secret manager running in OM.");
|
||||||
@ -1053,8 +1055,14 @@ public Token<OzoneTokenIdentifier> getDelegationToken(Text renewer)
|
|||||||
realUser = new Text(ugi.getRealUser().getUserName());
|
realUser = new Text(ugi.getRealUser().getUserName());
|
||||||
}
|
}
|
||||||
|
|
||||||
token = delegationTokenMgr.createToken(owner, renewer, realUser);
|
return delegationTokenMgr.createToken(owner, renewer, realUser);
|
||||||
return token;
|
} catch (OMException oex) {
|
||||||
|
throw oex;
|
||||||
|
} catch (IOException ex) {
|
||||||
|
LOG.error("Get Delegation token failed, cause: {}", ex.getMessage());
|
||||||
|
throw new OMException("Get Delegation token failed.", ex,
|
||||||
|
TOKEN_ERROR_OTHER);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -1066,24 +1074,31 @@ public Token<OzoneTokenIdentifier> getDelegationToken(Text renewer)
|
|||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public long renewDelegationToken(Token<OzoneTokenIdentifier> token)
|
public long renewDelegationToken(Token<OzoneTokenIdentifier> token)
|
||||||
throws InvalidToken, IOException {
|
throws OMException {
|
||||||
long expiryTime;
|
long expiryTime;
|
||||||
|
|
||||||
try {
|
try {
|
||||||
|
|
||||||
if (!isAllowedDelegationTokenOp()) {
|
if (!isAllowedDelegationTokenOp()) {
|
||||||
throw new IOException("Delegation Token can be renewed only with "
|
throw new OMException("Delegation Token can be renewed only with "
|
||||||
+ "kerberos or web authentication");
|
+ "kerberos or web authentication",
|
||||||
|
INVALID_AUTH_METHOD);
|
||||||
}
|
}
|
||||||
String renewer = getRemoteUser().getShortUserName();
|
String renewer = getRemoteUser().getShortUserName();
|
||||||
expiryTime = delegationTokenMgr.renewToken(token, renewer);
|
expiryTime = delegationTokenMgr.renewToken(token, renewer);
|
||||||
|
|
||||||
} catch (AccessControlException ace) {
|
} catch (OMException oex) {
|
||||||
final OzoneTokenIdentifier id = OzoneTokenIdentifier.readProtoBuf(
|
throw oex;
|
||||||
token.getIdentifier());
|
} catch (IOException ex) {
|
||||||
LOG.error("Delegation token renewal failed for dt: {}, cause: {}",
|
OzoneTokenIdentifier id = null;
|
||||||
id.toString(), ace.getMessage());
|
try {
|
||||||
throw ace;
|
id = OzoneTokenIdentifier.readProtoBuf(token.getIdentifier());
|
||||||
|
} catch (IOException exe) {
|
||||||
|
}
|
||||||
|
LOG.error("Delegation token renewal failed for dt id: {}, cause: {}",
|
||||||
|
id, ex.getMessage());
|
||||||
|
throw new OMException("Delegation token renewal failed for dt: " + token,
|
||||||
|
ex, TOKEN_ERROR_OTHER);
|
||||||
}
|
}
|
||||||
return expiryTime;
|
return expiryTime;
|
||||||
}
|
}
|
||||||
@ -1095,16 +1110,19 @@ public long renewDelegationToken(Token<OzoneTokenIdentifier> token)
|
|||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public void cancelDelegationToken(Token<OzoneTokenIdentifier> token)
|
public void cancelDelegationToken(Token<OzoneTokenIdentifier> token)
|
||||||
throws IOException {
|
throws OMException {
|
||||||
OzoneTokenIdentifier id = null;
|
OzoneTokenIdentifier id = null;
|
||||||
try {
|
try {
|
||||||
String canceller = getRemoteUser().getUserName();
|
String canceller = getRemoteUser().getUserName();
|
||||||
id = delegationTokenMgr.cancelToken(token, canceller);
|
id = delegationTokenMgr.cancelToken(token, canceller);
|
||||||
LOG.trace("Delegation token renewed for dt: {}", id);
|
LOG.trace("Delegation token cancelled for dt: {}", id);
|
||||||
} catch (AccessControlException ace) {
|
} catch (OMException oex) {
|
||||||
LOG.error("Delegation token renewal failed for dt: {}, cause: {}", id,
|
throw oex;
|
||||||
ace.getMessage());
|
} catch (IOException ex) {
|
||||||
throw ace;
|
LOG.error("Delegation token cancellation failed for dt id: {}, cause: {}",
|
||||||
|
id, ex.getMessage());
|
||||||
|
throw new OMException("Delegation token renewal failed for dt: " + token,
|
||||||
|
ex, TOKEN_ERROR_OTHER);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
/**
|
/**
|
||||||
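Review bot: In cancelDelegationToken the new `catch (IOException ex)` branch throws an OMException whose message still reads "Delegation token renewal failed for dt: ", so a failed cancellation is reported to the caller as a failed renewal; it should read `throw new OMException("Delegation token cancellation failed for dt: " + token, ex, TOKEN_ERROR_OTHER);`. In renewDelegationToken the inner `catch (IOException exe) { }` is empty, so an identifier that cannot be parsed is logged as `null` with no trace of the parse failure; a short comment such as `// best effort: id is only used for the log line below`, or a debug log of `exe`, would make that deliberate. The body of getDelegationToken continues between its two hunks and is not fully visible here.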
|
@ -57,7 +57,7 @@ public OzoneManagerProtocolServerSideTranslatorPB(
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Submit requests to Ratis server for OM HA implmentation.
|
* Submit requests to Ratis server for OM HA implementation.
|
||||||
* TODO: Once HA is implemented fully, we should have only one server side
|
* TODO: Once HA is implemented fully, we should have only one server side
|
||||||
* translator for OM protocol.
|
* translator for OM protocol.
|
||||||
*/
|
*/
|
||||||
|
@ -163,7 +163,6 @@
|
|||||||
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.GetDelegationTokenResponseProto;
|
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.GetDelegationTokenResponseProto;
|
||||||
import org.apache.hadoop.security.proto.SecurityProtos.RenewDelegationTokenRequestProto;
|
import org.apache.hadoop.security.proto.SecurityProtos.RenewDelegationTokenRequestProto;
|
||||||
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.RenewDelegationTokenResponseProto;
|
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.RenewDelegationTokenResponseProto;
|
||||||
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.GetS3SecretRequest;
|
|
||||||
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.GetS3SecretResponse;
|
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.GetS3SecretResponse;
|
||||||
import org.apache.hadoop.security.token.Token;
|
import org.apache.hadoop.security.token.Token;
|
||||||
|
|
||||||
@ -418,6 +417,14 @@ private Status exceptionToResponseStatus(IOException ex) {
|
|||||||
return Status.ENTITY_TOO_SMALL;
|
return Status.ENTITY_TOO_SMALL;
|
||||||
case ABORT_MULTIPART_UPLOAD_FAILED:
|
case ABORT_MULTIPART_UPLOAD_FAILED:
|
||||||
return Status.ABORT_MULTIPART_UPLOAD_FAILED;
|
return Status.ABORT_MULTIPART_UPLOAD_FAILED;
|
||||||
|
case INVALID_AUTH_METHOD:
|
||||||
|
return Status.INVALID_AUTH_METHOD;
|
||||||
|
case INVALID_TOKEN:
|
||||||
|
return Status.INVALID_TOKEN;
|
||||||
|
case TOKEN_EXPIRED:
|
||||||
|
return Status.TOKEN_EXPIRED;
|
||||||
|
case TOKEN_ERROR_OTHER:
|
||||||
|
return Status.TOKEN_ERROR_OTHER;
|
||||||
default:
|
default:
|
||||||
return Status.INTERNAL_ERROR;
|
return Status.INTERNAL_ERROR;
|
||||||
}
|
}
|
||||||
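Review bot: The new `case INVALID_TOKEN:` mapping has no producer in the code shown on this page: the OzoneManager hunks import and throw only INVALID_AUTH_METHOD and TOKEN_ERROR_OTHER, and the secret manager hunk throws TOKEN_EXPIRED, so a tampered or unknown token presumably reaches the client as TOKEN_ERROR_OTHER. If that is intended for now, a comment beside the case, for example `// INVALID_TOKEN is mapped for completeness; confirm which server path throws it`, would say so; otherwise the invalid-token path should be given this code where the IOException is wrapped. exceptionToResponseStatus starts and ends outside the hunk, so the rest of the switch is not visible.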
|