001/**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.security.token.delegation.web;
019
020import org.apache.hadoop.classification.InterfaceAudience;
021import org.apache.hadoop.classification.InterfaceStability;
022import org.apache.hadoop.security.SecurityUtil;
023import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
024import org.apache.hadoop.security.authentication.client.AuthenticationException;
025import org.apache.hadoop.security.authentication.client.Authenticator;
026import org.apache.hadoop.security.authentication.client.ConnectionConfigurator;
027import org.apache.hadoop.security.token.Token;
028import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
029import org.apache.hadoop.util.HttpExceptionUtils;
030import org.apache.hadoop.util.StringUtils;
031import org.codehaus.jackson.map.ObjectMapper;
032import org.slf4j.Logger;
033import org.slf4j.LoggerFactory;
034
035import java.io.IOException;
036import java.net.HttpURLConnection;
037import java.net.InetSocketAddress;
038import java.net.URL;
039import java.net.URLEncoder;
040import java.util.HashMap;
041import java.util.Map;
042
043/**
044 * {@link Authenticator} wrapper that enhances an {@link Authenticator} with
045 * Delegation Token support.
046 */
047@InterfaceAudience.Public
048@InterfaceStability.Evolving
049public abstract class DelegationTokenAuthenticator implements Authenticator {
050  private static Logger LOG = 
051      LoggerFactory.getLogger(DelegationTokenAuthenticator.class);
052  
053  private static final String CONTENT_TYPE = "Content-Type";
054  private static final String APPLICATION_JSON_MIME = "application/json";
055
056  private static final String HTTP_GET = "GET";
057  private static final String HTTP_PUT = "PUT";
058
059  public static final String OP_PARAM = "op";
060
061  public static final String DELEGATION_TOKEN_HEADER =
062      "X-Hadoop-Delegation-Token";
063
064  public static final String DELEGATION_PARAM = "delegation";
065  public static final String TOKEN_PARAM = "token";
066  public static final String RENEWER_PARAM = "renewer";
067  public static final String DELEGATION_TOKEN_JSON = "Token";
068  public static final String DELEGATION_TOKEN_URL_STRING_JSON = "urlString";
069  public static final String RENEW_DELEGATION_TOKEN_JSON = "long";
070
071  /**
072   * DelegationToken operations.
073   */
074  @InterfaceAudience.Private
075  public static enum DelegationTokenOperation {
076    GETDELEGATIONTOKEN(HTTP_GET, true),
077    RENEWDELEGATIONTOKEN(HTTP_PUT, true),
078    CANCELDELEGATIONTOKEN(HTTP_PUT, false);
079
080    private String httpMethod;
081    private boolean requiresKerberosCredentials;
082
083    private DelegationTokenOperation(String httpMethod,
084        boolean requiresKerberosCredentials) {
085      this.httpMethod = httpMethod;
086      this.requiresKerberosCredentials = requiresKerberosCredentials;
087    }
088
089    public String getHttpMethod() {
090      return httpMethod;
091    }
092
093    public boolean requiresKerberosCredentials() {
094      return requiresKerberosCredentials;
095    }
096  }
097
098  private Authenticator authenticator;
099  private ConnectionConfigurator connConfigurator;
100
101  public DelegationTokenAuthenticator(Authenticator authenticator) {
102    this.authenticator = authenticator;
103  }
104
105  @Override
106  public void setConnectionConfigurator(ConnectionConfigurator configurator) {
107    authenticator.setConnectionConfigurator(configurator);
108    connConfigurator = configurator;
109  }
110
111  private boolean hasDelegationToken(URL url, AuthenticatedURL.Token token) {
112    boolean hasDt = false;
113    if (token instanceof DelegationTokenAuthenticatedURL.Token) {
114      hasDt = ((DelegationTokenAuthenticatedURL.Token) token).
115          getDelegationToken() != null;
116    }
117    if (!hasDt) {
118      String queryStr = url.getQuery();
119      hasDt = (queryStr != null) && queryStr.contains(DELEGATION_PARAM + "=");
120    }
121    return hasDt;
122  }
123
124  @Override
125  public void authenticate(URL url, AuthenticatedURL.Token token)
126      throws IOException, AuthenticationException {
127    if (!hasDelegationToken(url, token)) {
128      authenticator.authenticate(url, token);
129    }
130  }
131
132  /**
133   * Requests a delegation token using the configured <code>Authenticator</code>
134   * for authentication.
135   *
136   * @param url the URL to get the delegation token from. Only HTTP/S URLs are
137   * supported.
138   * @param token the authentication token being used for the user where the
139   * Delegation token will be stored.
140   * @param renewer the renewer user.
141   * @throws IOException if an IO error occurred.
142   * @throws AuthenticationException if an authentication exception occurred.
143   */
144  public Token<AbstractDelegationTokenIdentifier> getDelegationToken(URL url,
145      AuthenticatedURL.Token token, String renewer)
146      throws IOException, AuthenticationException {
147   return getDelegationToken(url, token, renewer, null);
148  }
149
150  /**
151   * Requests a delegation token using the configured <code>Authenticator</code>
152   * for authentication.
153   *
154   * @param url the URL to get the delegation token from. Only HTTP/S URLs are
155   * supported.
156   * @param token the authentication token being used for the user where the
157   * Delegation token will be stored.
158   * @param renewer the renewer user.
159   * @param doAsUser the user to do as, which will be the token owner.
160   * @throws IOException if an IO error occurred.
161   * @throws AuthenticationException if an authentication exception occurred.
162   */
163  public Token<AbstractDelegationTokenIdentifier> getDelegationToken(URL url,
164      AuthenticatedURL.Token token, String renewer, String doAsUser)
165      throws IOException, AuthenticationException {
166    Map json = doDelegationTokenOperation(url, token,
167        DelegationTokenOperation.GETDELEGATIONTOKEN, renewer, null, true,
168        doAsUser);
169    json = (Map) json.get(DELEGATION_TOKEN_JSON);
170    String tokenStr = (String) json.get(DELEGATION_TOKEN_URL_STRING_JSON);
171    Token<AbstractDelegationTokenIdentifier> dToken =
172        new Token<AbstractDelegationTokenIdentifier>();
173    dToken.decodeFromUrlString(tokenStr);
174    InetSocketAddress service = new InetSocketAddress(url.getHost(),
175        url.getPort());
176    SecurityUtil.setTokenService(dToken, service);
177    return dToken;
178  }
179
180  /**
181   * Renews a delegation token from the server end-point using the
182   * configured <code>Authenticator</code> for authentication.
183   *
184   * @param url the URL to renew the delegation token from. Only HTTP/S URLs are
185   * supported.
186   * @param token the authentication token with the Delegation Token to renew.
187   * @throws IOException if an IO error occurred.
188   * @throws AuthenticationException if an authentication exception occurred.
189   */
190  public long renewDelegationToken(URL url,
191      AuthenticatedURL.Token token,
192      Token<AbstractDelegationTokenIdentifier> dToken)
193      throws IOException, AuthenticationException {
194    return renewDelegationToken(url, token, dToken, null);
195  }
196
197  /**
198   * Renews a delegation token from the server end-point using the
199   * configured <code>Authenticator</code> for authentication.
200   *
201   * @param url the URL to renew the delegation token from. Only HTTP/S URLs are
202   * supported.
203   * @param token the authentication token with the Delegation Token to renew.
204   * @param doAsUser the user to do as, which will be the token owner.
205   * @throws IOException if an IO error occurred.
206   * @throws AuthenticationException if an authentication exception occurred.
207   */
208  public long renewDelegationToken(URL url,
209      AuthenticatedURL.Token token,
210      Token<AbstractDelegationTokenIdentifier> dToken, String doAsUser)
211      throws IOException, AuthenticationException {
212    Map json = doDelegationTokenOperation(url, token,
213        DelegationTokenOperation.RENEWDELEGATIONTOKEN, null, dToken, true,
214        doAsUser);
215    return (Long) json.get(RENEW_DELEGATION_TOKEN_JSON);
216  }
217
218  /**
219   * Cancels a delegation token from the server end-point. It does not require
220   * being authenticated by the configured <code>Authenticator</code>.
221   *
222   * @param url the URL to cancel the delegation token from. Only HTTP/S URLs
223   * are supported.
224   * @param token the authentication token with the Delegation Token to cancel.
225   * @throws IOException if an IO error occurred.
226   */
227  public void cancelDelegationToken(URL url,
228      AuthenticatedURL.Token token,
229      Token<AbstractDelegationTokenIdentifier> dToken)
230      throws IOException {
231    cancelDelegationToken(url, token, dToken, null);
232  }
233
234  /**
235   * Cancels a delegation token from the server end-point. It does not require
236   * being authenticated by the configured <code>Authenticator</code>.
237   *
238   * @param url the URL to cancel the delegation token from. Only HTTP/S URLs
239   * are supported.
240   * @param token the authentication token with the Delegation Token to cancel.
241   * @param doAsUser the user to do as, which will be the token owner.
242   * @throws IOException if an IO error occurred.
243   */
244  public void cancelDelegationToken(URL url,
245      AuthenticatedURL.Token token,
246      Token<AbstractDelegationTokenIdentifier> dToken, String doAsUser)
247      throws IOException {
248    try {
249      doDelegationTokenOperation(url, token,
250          DelegationTokenOperation.CANCELDELEGATIONTOKEN, null, dToken, false,
251          doAsUser);
252    } catch (AuthenticationException ex) {
253      throw new IOException("This should not happen: " + ex.getMessage(), ex);
254    }
255  }
256
257  private Map doDelegationTokenOperation(URL url,
258      AuthenticatedURL.Token token, DelegationTokenOperation operation,
259      String renewer, Token<?> dToken, boolean hasResponse, String doAsUser)
260      throws IOException, AuthenticationException {
261    Map ret = null;
262    Map<String, String> params = new HashMap<String, String>();
263    params.put(OP_PARAM, operation.toString());
264    if (renewer != null) {
265      params.put(RENEWER_PARAM, renewer);
266    }
267    if (dToken != null) {
268      params.put(TOKEN_PARAM, dToken.encodeToUrlString());
269    }
270    // proxyuser
271    if (doAsUser != null) {
272      params.put(DelegationTokenAuthenticatedURL.DO_AS,
273          URLEncoder.encode(doAsUser, "UTF-8"));
274    }
275    String urlStr = url.toExternalForm();
276    StringBuilder sb = new StringBuilder(urlStr);
277    String separator = (urlStr.contains("?")) ? "&" : "?";
278    for (Map.Entry<String, String> entry : params.entrySet()) {
279      sb.append(separator).append(entry.getKey()).append("=").
280          append(URLEncoder.encode(entry.getValue(), "UTF8"));
281      separator = "&";
282    }
283    url = new URL(sb.toString());
284    AuthenticatedURL aUrl = new AuthenticatedURL(this, connConfigurator);
285    HttpURLConnection conn = aUrl.openConnection(url, token);
286    conn.setRequestMethod(operation.getHttpMethod());
287    HttpExceptionUtils.validateResponse(conn, HttpURLConnection.HTTP_OK);
288    if (hasResponse) {
289      String contentType = conn.getHeaderField(CONTENT_TYPE);
290      contentType = (contentType != null) ? StringUtils.toLowerCase(contentType)
291                                          : null;
292      if (contentType != null &&
293          contentType.contains(APPLICATION_JSON_MIME)) {
294        try {
295          ObjectMapper mapper = new ObjectMapper();
296          ret = mapper.readValue(conn.getInputStream(), Map.class);
297        } catch (Exception ex) {
298          throw new AuthenticationException(String.format(
299              "'%s' did not handle the '%s' delegation token operation: %s",
300              url.getAuthority(), operation, ex.getMessage()), ex);
301        }
302      } else {
303        throw new AuthenticationException(String.format("'%s' did not " +
304                "respond with JSON to the '%s' delegation token operation",
305            url.getAuthority(), operation));
306      }
307    }
308    return ret;
309  }
310
311}