HDFS-935. Adds a real user component in Delegation token. Contributed by Jitendra Nath Pandey.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/hdfs/trunk@907550 13f79535-47bb-0310-9956-ffa450edef68

CHANGES.txt

@@ -18,6 +18,9 @@ Trunk (unreleased changes)
     HDFS-933. Adds Delegation token based authentication in the NameNode.
     (Kan Zhang via ddas)
 
+    HDFS-935. Adds a real user component in Delegation token.
+    (Jitendra Nath Pandey via ddas)
+
   IMPROVEMENTS
     
     HDFS-703. Replace current fault injection implementation with one

src/java/org/apache/hadoop/hdfs/DFSConfigKeys.java

@@ -90,11 +90,11 @@ public class DFSConfigKeys extends CommonConfigurationKeys {
 
   //Delegation token related keys
   public static final String  DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_KEY = "dfs.namenode.delegation.key.update-interval";
-  public static final long    DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT = 86400;
+  public static final long    DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT = 24*60*60*1000; // 1 day
   public static final String  DFS_NAMENODE_DELEGATION_TOKEN_RENEW_INTERVAL_KEY = "dfs.namenode.delegation.token.renew-interval";
-  public static final long    DFS_NAMENODE_DELEGATION_TOKEN_RENEW_INTERVAL_DEFAULT = 86400;
+  public static final long    DFS_NAMENODE_DELEGATION_TOKEN_RENEW_INTERVAL_DEFAULT = 24*60*60*1000;  // 1 day
   public static final String  DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_KEY = "dfs.namenode.delegation.token.max-lifetime";
-  public static final long    DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_DEFAULT = 604800;
+  public static final long    DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_DEFAULT = 7*24*60*60*1000; // 7 days
 
   //Following keys have no defaults
   public static final String  DFS_DATANODE_DATA_DIR_KEY = "dfs.datanode.data.dir";

src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenIdentifier.java

@@ -23,10 +23,8 @@ import java.io.DataOutput;
 import java.io.IOException;
 
 import org.apache.hadoop.io.Text;
-import org.apache.hadoop.io.Writable;
-import org.apache.hadoop.io.WritableFactories;
-import org.apache.hadoop.io.WritableFactory;
 import org.apache.hadoop.io.WritableUtils;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.TokenIdentifier;
 
 public class DelegationTokenIdentifier extends TokenIdentifier {
@@ -34,18 +32,24 @@ public class DelegationTokenIdentifier extends TokenIdentifier {
 
   private Text owner;
   private Text renewer;
+  private Text realUser;
   private long issueDate;
   private long maxDate;
   private int sequenceNumber;
   private int masterKeyId = 0;
   
   public DelegationTokenIdentifier() {
-    this(new Text(), new Text());
+    this(new Text(), new Text(), new Text());
   }
   
-  public DelegationTokenIdentifier(Text owner, Text renewer) {
+  public DelegationTokenIdentifier(Text owner, Text renewer, Text realUser) {
     this.owner = owner;
     this.renewer = renewer;
+    if (realUser == null) {
+      this.realUser = new Text();
+    } else {
+      this.realUser = realUser;
+    }
     issueDate = 0;
     maxDate = 0;
   }
@@ -60,10 +64,20 @@ public class DelegationTokenIdentifier extends TokenIdentifier {
    * 
    * @return the username or owner
    */
-  public Text getUsername() {
-    return owner;
+  public UserGroupInformation getUser() {
+    if ( (owner == null) || ("".equals(owner.toString()))) {
+      return null;
+    }
+    if ((realUser == null) || ("".equals(realUser.toString()))
+        || realUser.equals(owner)) {
+      return UserGroupInformation.createRemoteUser(owner.toString());
+    } else {
+      UserGroupInformation realUgi = UserGroupInformation
+          .createRemoteUser(realUser.toString());
+      return UserGroupInformation.createProxyUser(owner.toString(), realUgi);
+    }
   }
-  
+
   public Text getRenewer() {
     return renewer;
   }
@@ -116,7 +130,8 @@ public class DelegationTokenIdentifier extends TokenIdentifier {
           && this.maxDate == that.maxDate
           && this.masterKeyId == that.masterKeyId
           && isEqual(this.owner, that.owner) 
-          && isEqual(this.renewer, that.renewer);
+          && isEqual(this.renewer, that.renewer)
+          && isEqual(this.realUser, that.realUser);
     }
     return false;
   }
@@ -129,6 +144,7 @@ public class DelegationTokenIdentifier extends TokenIdentifier {
   public void readFields(DataInput in) throws IOException {
     owner.readFields(in);
     renewer.readFields(in);
+    realUser.readFields(in);
     issueDate = WritableUtils.readVLong(in);
     maxDate = WritableUtils.readVLong(in);
     sequenceNumber = WritableUtils.readVInt(in);
@@ -138,6 +154,7 @@ public class DelegationTokenIdentifier extends TokenIdentifier {
   public void write(DataOutput out) throws IOException {
     owner.write(out);
     renewer.write(out);
+    realUser.write(out);
     WritableUtils.writeVLong(out, issueDate);
     WritableUtils.writeVLong(out, maxDate);
     WritableUtils.writeVInt(out, sequenceNumber);

src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenSecretManager.java

@@ -242,11 +242,11 @@ public class DelegationTokenSecretManager
       LOG.warn("Renewer is null: Invalid Identifier");
       return false;
     }
-    if (id.getUsername() == null) {
+    if (id.getUser() == null) {
       LOG.warn("owner is null: Invalid Identifier");
       return false;
     }
-    String owner = id.getUsername().toString();
+    String owner = id.getUser().getUserName();
     String renewer = id.getRenewer().toString();
     if (!canceller.equals(owner) && !canceller.equals(renewer)) {
       LOG.warn(canceller + " is not authorized to cancel the token");
@@ -314,10 +314,6 @@ public class DelegationTokenSecretManager
       LOG.debug("Stopping expired delegation token remover thread");
     running = false;
     tokenRemoverThread.interrupt();
-    try {
-      tokenRemoverThread.join();
-    } catch (InterruptedException e) {
-    }
   }
   
   private class ExpiredTokenRemover extends Thread {
@@ -344,12 +340,14 @@ public class DelegationTokenSecretManager
             removeExpiredToken();
             lastTokenCacheCleanup = now;
           }
-          Thread.sleep(5000); // 5 seconds
-        }
-      } catch (InterruptedException ie) {
-        LOG
+          try {
+            Thread.sleep(5000); // 5 seconds
+          } catch (InterruptedException ie) {
+            LOG
             .error("InterruptedExcpetion recieved for ExpiredTokenRemover thread "
                 + ie);
+          }
+        }
       } catch (Throwable t) {
         LOG.error("ExpiredTokenRemover thread received unexpected exception. "
             + t);

src/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java

@@ -471,6 +471,7 @@ public class FSNamesystem implements FSConstants, FSNamesystemMBean, FSClusterSt
       if (replthread != null) replthread.interrupt();
       if (dnthread != null) dnthread.interrupt();
       if (smmthread != null) smmthread.interrupt();
+      if (dtSecretManager != null) dtSecretManager.stopThreads();
     } catch (Exception e) {
       LOG.warn("Exception shutting down FSNamesystem", e);
     } finally {
@@ -4328,10 +4329,10 @@ public class FSNamesystem implements FSConstants, FSNamesystemMBean, FSClusterSt
         DFSConfigKeys.DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT),
         conf.getLong(
             DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_KEY,
-            DFSConfigKeys.DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT),
+            DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_DEFAULT),
         conf.getLong(
             DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_RENEW_INTERVAL_KEY,
-            DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_DEFAULT),
+            DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_RENEW_INTERVAL_DEFAULT),
         DELEGATION_TOKEN_REMOVER_SCAN_INTERVAL);
   }
 
@@ -4341,9 +4342,15 @@ public class FSNamesystem implements FSConstants, FSNamesystemMBean, FSClusterSt
 
   public Token<DelegationTokenIdentifier> getDelegationToken(Text renewer)
       throws IOException {
-    String user = UserGroupInformation.getCurrentUser().getShortUserName();
+    UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
+    String user = ugi.getUserName();
     Text owner = new Text(user);
-    DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(owner, renewer);
+    Text realUser = null;
+    if (ugi.getRealUser() != null) {
+      realUser = new Text(ugi.getRealUser().getUserName());
+    }
+    DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(owner,
+        renewer, realUser);
     return new Token<DelegationTokenIdentifier>(dtId, dtSecretManager);
   }
 

src/test/hdfs/org/apache/hadoop/hdfs/security/TestClientProtocolWithDelegationToken.java

@@ -92,7 +92,7 @@ public class TestClientProtocolWithDelegationToken {
     final InetSocketAddress addr = NetUtils.getConnectAddress(server);
     String user = current.getUserName();
     Text owner = new Text(user);
-    DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(owner, owner);
+    DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(owner, owner, null);
     Token<DelegationTokenIdentifier> token = new Token<DelegationTokenIdentifier>(
         dtId, sm);
     Text host = new Text(addr.getAddress().getHostAddress() + ":"

src/test/hdfs/org/apache/hadoop/security/TestDelegationToken.java

@@ -22,6 +22,8 @@ package org.apache.hadoop.security;
 
 import java.io.ByteArrayInputStream;
 import java.io.DataInputStream;
+import java.io.IOException;
+import java.security.PrivilegedExceptionAction;
 
 import junit.framework.Assert;
 
@@ -44,6 +46,10 @@ import org.mortbay.log.Log;
 public class TestDelegationToken {
   private MiniDFSCluster cluster;
   Configuration config;
+  final private static String GROUP1_NAME = "group1";
+  final private static String GROUP2_NAME = "group2";
+  final private static String[] GROUP_NAMES = new String[] { GROUP1_NAME,
+      GROUP2_NAME };
   
   @Before
   public void setUp() throws Exception {
@@ -67,7 +73,7 @@ public class TestDelegationToken {
     DelegationTokenSecretManager dtSecretManager = cluster.getNamesystem()
         .getDelegationTokenSecretManager();
     DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(new Text(
-        owner), new Text(renewer));
+        owner), new Text(renewer), null);
     return new Token<DelegationTokenIdentifier>(dtId, dtSecretManager);
   }
   
@@ -126,5 +132,32 @@ public class TestDelegationToken {
     Assert.assertTrue(null != dtSecretManager.retrievePassword(identifier));
     Assert.assertTrue(dtSecretManager.renewToken(token, "JobTracker"));
   }
+ 
+  @Test
+  public void testDelegationTokenWithRealUser() throws IOException {
+    UserGroupInformation ugi = UserGroupInformation.createUserForTesting(
+        "RealUser", GROUP_NAMES);
+    final UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser(
+        "proxyUser", ugi);
+    try {
+      Token<DelegationTokenIdentifier> token = proxyUgi
+          .doAs(new PrivilegedExceptionAction<Token<DelegationTokenIdentifier>>() {
+            public Token<DelegationTokenIdentifier> run() throws IOException {
+              DistributedFileSystem dfs = (DistributedFileSystem) cluster
+                  .getFileSystem();
+              return dfs.getDelegationToken(new Text("RenewerUser"));
+            }
+          });
+      DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
+      byte[] tokenId = token.getIdentifier();
+      identifier.readFields(new DataInputStream(new ByteArrayInputStream(
+          tokenId)));
+      Assert.assertEquals(identifier.getUser().getUserName(), "proxyUser");
+      Assert.assertEquals(identifier.getUser().getRealUser().getUserName(),
+          "RealUser");
+    } catch (InterruptedException e) {
+      //Do Nothing
+    }
+  }
   
 }