/**
 * Converts an Accumulo {@link DelegationTokenImpl} into the equivalent Hadoop {@link Token}.
 *
 * @param token
 *          the Accumulo authentication token; must be a {@link DelegationTokenImpl}
 * @return a Hadoop token carrying the identifier bytes, password, kind and service name taken
 *         from {@code token}
 * @throws IOException
 *           if {@code token} is null or not a {@link DelegationTokenImpl}, or if building the
 *           Hadoop token fails
 */
public Token<? extends TokenIdentifier> getHadoopToken(AuthenticationToken token) throws IOException {
  if (!(token instanceof DelegationTokenImpl)) {
    // Name the concrete class so a caller handing over the wrong token type can see what arrived
    final Object actual = (token == null) ? "null" : token.getClass();
    throw new IOException("Expected a DelegationTokenImpl but found " + actual);
  }
  final DelegationTokenImpl delegationToken = (DelegationTokenImpl) token;
  try {
    final AuthenticationTokenIdentifier id = delegationToken.getIdentifier();
    return new Token<AuthenticationTokenIdentifier>(id.getBytes(), delegationToken.getPassword(),
        id.getKind(), delegationToken.getServiceName());
  } catch (Exception e) {
    throw new IOException("Failed to create Hadoop token from Accumulo DelegationToken", e);
  }
}
requireNonNull(cfg); final AuthenticationTokenIdentifier id = new AuthenticationTokenIdentifier(username, cfg); if (null != id.getInstanceId()) { svcName.append("-").append(id.getInstanceId()); Token<AuthenticationTokenIdentifier> token = new Token<>(id.getBytes(), password, id.getKind(), new Text(svcName.toString())); return Maps.immutableEntry(token, id);
/**
 * Deserializes this token from {@code in}: the parent's fields are read first, then a freshly
 * constructed {@link AuthenticationTokenIdentifier} is populated from the remaining bytes.
 *
 * @param in
 *          the input to read from
 * @throws IOException
 *           if either the parent fields or the identifier cannot be read
 */
@Override
public void readFields(DataInput in) throws IOException {
  super.readFields(in);
  // A new identifier is installed before it is read, mirroring the write side's layout
  identifier = new AuthenticationTokenIdentifier();
  identifier.readFields(in);
}
/**
 * Recomputes the password for a token identifier previously issued by this manager.
 *
 * The identifier is rejected when it has expired, when its issue date lies in the future, or
 * when the master key it names is not present in {@code allKeys}. Validity is judged against the
 * local wall clock.
 *
 * @param identifier
 *          the identifier presented by the client
 * @return the password derived from the identifier bytes and the named master key
 * @throws InvalidToken
 *           if the identifier is expired, not yet valid, or refers to an unknown master key
 */
@Override
public byte[] retrievePassword(AuthenticationTokenIdentifier identifier) throws InvalidToken {
  final long now = System.currentTimeMillis();
  // Reject identifiers outside their validity window before touching any key material
  if (identifier.getExpirationDate() < now) {
    throw new InvalidToken("Token has expired");
  }
  if (identifier.getIssueDate() > now) {
    throw new InvalidToken("Token issued in the future");
  }
  // The identifier names the master key that produced its password; without that key the
  // password cannot be reproduced and the token is unverifiable.
  final AuthenticationKey signingKey = allKeys.get(identifier.getKeyId());
  if (null == signingKey) {
    throw new InvalidToken("Unknown master key for token (id=" + identifier.getKeyId() + ")");
  }
  // regenerate the password
  return createPassword(identifier.getBytes(), signingKey.getKey());
}
@Override protected byte[] createPassword(AuthenticationTokenIdentifier identifier) { DelegationTokenConfig cfg = identifier.getConfig(); secretKey = currentKey; identifier.setKeyId(secretKey.getKeyId()); identifier.setIssueDate(now); long expiration = now + tokenMaxLifetime; identifier.setExpirationDate(expiration); long requestedLifetime = cfg.getTokenLifetime(TimeUnit.MILLISECONDS); if (0 < requestedLifetime) { long requestedExpirationDate = identifier.getIssueDate() + requestedLifetime; if (requestedExpirationDate < identifier.getIssueDate()) { requestedExpirationDate = Long.MAX_VALUE; if (requestedExpirationDate > identifier.getExpirationDate()) { throw new RuntimeException("Requested token lifetime exceeds configured maximum"); log.trace("Overriding token expiration date from {} to {}", identifier.getExpirationDate(), requestedExpirationDate); identifier.setExpirationDate(requestedExpirationDate); identifier.setInstanceId(instance.getInstanceID()); return createPassword(identifier.getBytes(), secretKey.getKey());
/**
 * Creates an empty {@link AuthenticationTokenIdentifier}, the identifier type this secret
 * manager works with.
 *
 * @return a new, unpopulated identifier
 */
@Override
public AuthenticationTokenIdentifier createIdentifier() {
  // Return our TokenIdentifier implementation
  final AuthenticationTokenIdentifier blank = new AuthenticationTokenIdentifier();
  return blank;
}
/**
 * Builds a SASL client callback handler for the given delegation token: the user name is derived
 * from the encoded identifier bytes and the password from the encoded token password.
 *
 * @param token
 *          the delegation token to authenticate with; must not be null
 */
public SaslClientDigestCallbackHandler(DelegationTokenImpl token) {
  requireNonNull(token);
  final AuthenticationTokenIdentifier id = token.getIdentifier();
  // Both values are run through the encoders so the SASL layer receives them in textual form
  this.userName = encodeIdentifier(id.getBytes());
  this.userPassword = encodePassword(token.getPassword());
}
/**
 * Requests a delegation token with a five-minute lifetime as the root user and checks that the
 * identifier issued by the server expires no more than five minutes after its issue date.
 */
@Test
public void testDelegationTokenWithReducedLifetime() throws Throwable {
  // Login as the "root" user
  final String rootPrincipal = rootUser.getPrincipal();
  final UserGroupInformation root = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
      rootPrincipal, rootUser.getKeytab().getAbsolutePath());
  log.info("Logged in as {}", rootPrincipal);

  // As the "root" user, open up the connection and get a delegation token
  final DelegationTokenConfig fiveMinutes =
      new DelegationTokenConfig().setTokenLifetime(5, TimeUnit.MINUTES);
  final AuthenticationToken dt = root.doAs(new PrivilegedExceptionAction<AuthenticationToken>() {
    @Override
    public AuthenticationToken run() throws Exception {
      Connector conn = mac.getConnector(rootPrincipal, new KerberosToken());
      log.info("Created connector as {}", rootPrincipal);
      assertEquals(rootPrincipal, conn.whoami());
      return conn.securityOperations().getDelegationToken(fiveMinutes);
    }
  });

  // The server may shorten the lifetime further, but must never exceed what was requested
  final AuthenticationTokenIdentifier identifier = ((DelegationTokenImpl) dt).getIdentifier();
  final long lifetimeMillis = identifier.getExpirationDate() - identifier.getIssueDate();
  assertTrue("Expected identifier to expire in no more than 5 minutes: " + identifier,
      lifetimeMillis <= (5 * 60 * 1000));
}
/**
 * Decodes an encoded identifier string back into an {@link AuthenticationTokenIdentifier}.
 *
 * @param id
 *          the encoded identifier as presented by the client
 * @param secretManager
 *          the secret manager whose identifier type is instantiated and populated
 * @return the deserialized identifier
 * @throws InvalidToken
 *           if the decoded bytes cannot be parsed as an identifier
 */
private AuthenticationTokenIdentifier getIdentifier(String id,
    AuthenticationTokenSecretManager secretManager) throws InvalidToken {
  final byte[] rawIdentifier = decodeIdentifier(id);
  final AuthenticationTokenIdentifier parsed = secretManager.createIdentifier();
  final DataInputStream in = new DataInputStream(new ByteArrayInputStream(rawIdentifier));
  try {
    parsed.readFields(in);
  } catch (IOException e) {
    // Attach the parse failure as the cause so a malformed identifier stays diagnosable
    final InvalidToken invalid = new InvalidToken("Can't de-serialize tokenIdentifier");
    invalid.initCause(e);
    throw invalid;
  }
  return parsed;
}
/**
 * Copy constructor: the new identifier wraps a copy of the Thrift identifier held by
 * {@code identifier}, made with the Thrift struct's copy constructor.
 *
 * @param identifier
 *          the identifier to copy; must not be null
 */
public AuthenticationTokenIdentifier(AuthenticationTokenIdentifier identifier) {
  requireNonNull(identifier);
  final TAuthenticationTokenIdentifier source = identifier.getThriftIdentifier();
  // Copy the Thrift struct rather than sharing the original's instance
  impl = new TAuthenticationTokenIdentifier(source);
}
/**
 * The service name used to identify the {@link Token}: the fixed {@code SERVICE_NAME} prefix,
 * a dash, and the instance id carried by the identifier.
 *
 * @return the service name as a {@link Text}
 */
public Text getServiceName() {
  requireNonNull(identifier);
  // The instance id scopes the service name to one Accumulo instance
  final String name = SERVICE_NAME + "-" + identifier.getInstanceId();
  return new Text(name);
}
/**
 * Returns a copy of this token with its password reassigned and a freshly copied identifier.
 *
 * @return the cloned delegation token
 */
@Override
public DelegationTokenImpl clone() {
  final DelegationTokenImpl copy = (DelegationTokenImpl) super.clone();
  // super.clone() does not copy the identifier; give the clone its own via the copy constructor
  copy.setPassword(getPassword());
  copy.identifier = new AuthenticationTokenIdentifier(identifier);
  return copy;
}
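/**
 * Issues a delegation token for the calling principal.
 *
 * The caller must be permitted to obtain delegation tokens and the master must actually be
 * generating token secrets; otherwise the request is rejected before any token is generated.
 *
 * @param tinfo
 *          trace information for the RPC
 * @param credentials
 *          the caller's credentials; the token is generated for {@code credentials.principal}
 * @param tConfig
 *          the requested token configuration in Thrift form
 * @return the generated token's password and Thrift identifier
 * @throws ThriftSecurityException
 *           if the caller may not obtain delegation tokens
 * @throws TException
 *           if delegation tokens are unavailable or token generation fails
 */
@Override
public TDelegationToken getDelegationToken(TInfo tinfo, TCredentials credentials,
    TDelegationTokenConfig tConfig) throws ThriftSecurityException, TException {
  if (!master.security.canObtainDelegationToken(credentials)) {
    throw new ThriftSecurityException(credentials.getPrincipal(),
        SecurityErrorCode.PERMISSION_DENIED);
  }
  // Make sure we're actually generating the secrets to make delegation tokens
  // Round-about way to verify that SASL is also enabled.
  if (!master.delegationTokensAvailable()) {
    throw new TException("Delegation tokens are not available for use");
  }
  final DelegationTokenConfig config = DelegationTokenConfigSerializer.deserialize(tConfig);
  final AuthenticationTokenSecretManager secretManager = master.getSecretManager();
  try {
    Entry<Token<AuthenticationTokenIdentifier>,AuthenticationTokenIdentifier> pair =
        secretManager.generateToken(credentials.principal, config);
    return new TDelegationToken(ByteBuffer.wrap(pair.getKey().getPassword()),
        pair.getValue().getThriftIdentifier());
  } catch (Exception e) {
    // Attach the original exception as the cause rather than forwarding only its message, so
    // the server-side failure remains diagnosable.
    throw new TException(e.getMessage(), e);
  }
}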
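/**
 * Unwraps the provided {@link AuthenticationToken} if it is an instance of
 * {@link DelegationTokenStub}, reconstituting it from the provided {@link JobConf}.
 *
 * The stub carries a service name; the identifier bytes and password are looked up in the job's
 * credentials under that name and deserialized into a {@link DelegationTokenImpl}. Any other
 * token type is returned unchanged.
 *
 * @param job
 *          The job
 * @param token
 *          The authentication token
 * @return the reconstituted {@link DelegationTokenImpl}, or {@code token} itself when it is not a
 *         stub
 * @throws IllegalStateException
 *           if the job's credentials hold no token under the stub's service name
 * @throws RuntimeException
 *           if the stored identifier bytes cannot be deserialized
 */
public static AuthenticationToken unwrapAuthenticationToken(JobConf job, AuthenticationToken token) {
  requireNonNull(job);
  requireNonNull(token);
  if (!(token instanceof DelegationTokenStub)) {
    return token;
  }
  final DelegationTokenStub stub = (DelegationTokenStub) token;
  final Text serviceName = new Text(stub.getServiceName());
  final Token<? extends TokenIdentifier> hadoopToken = job.getCredentials().getToken(serviceName);
  if (null == hadoopToken) {
    // Credentials.getToken returns null when nothing is stored under the alias; fail with a
    // clear message instead of a NullPointerException further down.
    throw new IllegalStateException(
        "No Hadoop token found in JobConf Credentials for service " + serviceName);
  }
  final AuthenticationTokenIdentifier identifier = new AuthenticationTokenIdentifier();
  try {
    identifier.readFields(
        new DataInputStream(new ByteArrayInputStream(hadoopToken.getIdentifier())));
    return new DelegationTokenImpl(hadoopToken.getPassword(), identifier);
  } catch (IOException e) {
    throw new RuntimeException("Could not construct DelegationToken from JobConf Credentials", e);
  }
}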
/**
 * Requests a delegation token from the master for the current user.
 *
 * @param cfg
 *          the requested token configuration, or null to send an empty Thrift configuration
 * @return the delegation token built from the master's response
 * @throws AccumuloException
 *           propagated from the master RPC
 * @throws AccumuloSecurityException
 *           propagated from the master RPC
 */
@Override
public DelegationToken getDelegationToken(DelegationTokenConfig cfg)
    throws AccumuloException, AccumuloSecurityException {
  // A null config is sent as an empty Thrift config rather than being omitted
  final TDelegationTokenConfig tConfig = (null == cfg) ? new TDelegationTokenConfig()
      : DelegationTokenConfigSerializer.serialize(cfg);
  TDelegationToken thriftToken;
  try {
    thriftToken = MasterClient.execute(context, new ClientExecReturn<TDelegationToken,Client>() {
      @Override
      public TDelegationToken execute(Client client) throws Exception {
        return client.getDelegationToken(Tracer.traceInfo(), context.rpcCreds(), tConfig);
      }
    });
  } catch (TableNotFoundException e) {
    // should never happen
    throw new AssertionError(
        "Received TableNotFoundException on method which should not throw that exception", e);
  }
  // Get the password out of the thrift delegation token
  final AuthenticationTokenIdentifier identifier =
      new AuthenticationTokenIdentifier(thriftToken.getIdentifier());
  return new DelegationTokenImpl(thriftToken.getPassword(), identifier);
}
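/**
 * Unwraps the provided {@link AuthenticationToken} if it is an instance of
 * {@link DelegationTokenStub}, reconstituting it from the provided {@link JobConf}.
 *
 * The stub carries a service name; the identifier bytes and password are looked up in the job's
 * credentials under that name and deserialized into a {@link DelegationTokenImpl}. Any other
 * token type is returned unchanged.
 *
 * @param job
 *          The job
 * @param token
 *          The authentication token
 * @return the reconstituted {@link DelegationTokenImpl}, or {@code token} itself when it is not a
 *         stub
 * @throws IllegalStateException
 *           if the job's credentials hold no token under the stub's service name
 * @throws RuntimeException
 *           if the stored identifier bytes cannot be deserialized
 */
public static AuthenticationToken unwrapAuthenticationToken(JobConf job, AuthenticationToken token) {
  requireNonNull(job);
  requireNonNull(token);
  if (!(token instanceof DelegationTokenStub)) {
    return token;
  }
  final DelegationTokenStub stub = (DelegationTokenStub) token;
  final Text serviceName = new Text(stub.getServiceName());
  final Token<? extends TokenIdentifier> hadoopToken = job.getCredentials().getToken(serviceName);
  if (null == hadoopToken) {
    // Credentials.getToken returns null when nothing is stored under the alias; fail with a
    // clear message instead of a NullPointerException further down.
    throw new IllegalStateException(
        "No Hadoop token found in JobConf Credentials for service " + serviceName);
  }
  final AuthenticationTokenIdentifier identifier = new AuthenticationTokenIdentifier();
  try {
    identifier.readFields(
        new DataInputStream(new ByteArrayInputStream(hadoopToken.getIdentifier())));
    return new DelegationTokenImpl(hadoopToken.getPassword(), identifier);
  } catch (IOException e) {
    throw new RuntimeException("Could not construct DelegationToken from JobConf Credentials", e);
  }
}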