/** * Deserializes a base64-encoded binary representation of a block access * token. * * @param str String to deserialize * @return BlockTokenIdentifier deserialized from str * @throws IOException if there is any I/O error */ private BlockTokenIdentifier deserializeIdentifier(String str) throws IOException { BlockTokenIdentifier identifier = new BlockTokenIdentifier(); identifier.readFields(new DataInputStream(new ByteArrayInputStream( Base64.decodeBase64(str)))); return identifier; }
public void checkAccess(BlockTokenIdentifier id, String userId, ExtendedBlock block, BlockTokenIdentifier.AccessMode mode) throws InvalidToken { if (LOG.isDebugEnabled()) { LOG.debug("Checking access for user=" + userId + ", block=" + block + ", access mode=" + mode + " using " + id); } if (userId != null && !userId.equals(id.getUserId())) { throw new InvalidToken("Block token with " + id + " doesn't belong to user " + userId); } if (!id.getBlockPoolId().equals(block.getBlockPoolId())) { throw new InvalidToken("Block token with " + id + " doesn't apply to block " + block); } if (id.getBlockId() != block.getBlockId()) { throw new InvalidToken("Block token with " + id + " doesn't apply to block " + block); } if (isExpired(id.getExpiryDate())) { throw new InvalidToken("Block token with " + id + " is expired."); } if (!id.getAccessModes().contains(mode)) { throw new InvalidToken("Block token with " + id + " doesn't have " + mode + " permission"); } }
/** * Look up the token password/secret for the given block token identifier. * * @param identifier * the block token identifier to look up * @return token password/secret as byte[] * @throws InvalidToken */ @Override public byte[] retrievePassword(BlockTokenIdentifier identifier) throws InvalidToken { if (isExpired(identifier.getExpiryDate())) { throw new InvalidToken("Block token with " + identifier + " is expired."); } BlockKey key = null; synchronized (this) { key = allKeys.get(identifier.getKeyId()); } if (key == null) { throw new InvalidToken("Can't re-compute password for " + identifier + ", since the required block key (keyID=" + identifier.getKeyId() + ") doesn't exist."); } return createPassword(identifier.getBytes(), key.getKey()); }
/** * Create a new password/secret for the given block token identifier. * * @param identifier * the block token identifier * @return token password/secret */ @Override protected byte[] createPassword(BlockTokenIdentifier identifier) { BlockKey key = null; synchronized (this) { key = currentKey; } if (key == null) { throw new IllegalStateException("currentKey hasn't been initialized."); } identifier.setExpiryDate(timer.now() + tokenLifetime); identifier.setKeyId(key.getKeyId()); if (LOG.isDebugEnabled()) { LOG.debug("Generating block token for " + identifier); } return createPassword(identifier.getBytes(), key.getKey()); }
@Override public String toString() { return "block_token_identifier (expiryDate=" + this.getExpiryDate() + ", keyId=" + this.getKeyId() + ", userId=" + this.getUserId() + ", blockPoolId=" + this.getBlockPoolId() + ", blockId=" + this.getBlockId() + ", access modes=" + this.getAccessModes() + ", storageTypes= " + Arrays.toString(this.getStorageTypes()) + ", storageIds= " + Arrays.toString(this.getStorageIds()) + ")"; }
private void checkBlockToken(ExtendedBlock block, Token<BlockTokenIdentifier> token, AccessMode accessMode) throws IOException { if (isBlockTokenEnabled) { BlockTokenIdentifier id = new BlockTokenIdentifier(); ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier()); DataInputStream in = new DataInputStream(buf); id.readFields(in); if (LOG.isDebugEnabled()) { LOG.debug("Got: " + id.toString()); } blockPoolTokenSecretManager.checkAccess(id, null, block, accessMode); } }
/** * Look up the token password/secret for the given block token identifier. * * @param identifier * the block token identifier to look up * @return token password/secret as byte[] * @throws InvalidToken */ @Override public byte[] retrievePassword(BlockTokenIdentifier identifier) throws InvalidToken { if (isExpired(identifier.getExpiryDate())) { throw new InvalidToken("Block token with " + identifier.toString() + " is expired."); } BlockKey key = null; synchronized (this) { key = allKeys.get(identifier.getKeyId()); } if (key == null) { throw new InvalidToken("Can't re-compute password for " + identifier.toString() + ", since the required block key (keyID=" + identifier.getKeyId() + ") doesn't exist."); } return createPassword(identifier.getBytes(), key.getKey()); }
/** * Create a new password/secret for the given block token identifier. * * @param identifier * the block token identifier * @return token password/secret */ @Override protected byte[] createPassword(BlockTokenIdentifier identifier) { BlockKey key = null; synchronized (this) { key = currentKey; } if (key == null) throw new IllegalStateException("currentKey hasn't been initialized."); identifier.setExpiryDate(timer.now() + tokenLifetime); identifier.setKeyId(key.getKeyId()); if (LOG.isDebugEnabled()) { LOG.debug("Generating block token for " + identifier.toString()); } return createPassword(identifier.getBytes(), key.getKey()); }
/** * Create an empty block token identifier * * @return a newly created empty block token identifier */ @Override public BlockTokenIdentifier createIdentifier() { return new BlockTokenIdentifier(); }
@Override public Long answer(InvocationOnMock invocation) throws IOException { Object args[] = invocation.getArguments(); assertEquals(1, args.length); Block block = (Block) args[0]; Set<TokenIdentifier> tokenIds = UserGroupInformation.getCurrentUser() .getTokenIdentifiers(); assertEquals("Only one BlockTokenIdentifier expected", 1, tokenIds.size()); long result = 0; for (TokenIdentifier tokenId : tokenIds) { BlockTokenIdentifier id = (BlockTokenIdentifier) tokenId; LOG.info("Got: " + id.toString()); assertTrue("Received BlockTokenIdentifier is wrong", ident.equals(id)); sm.checkAccess(id, null, block, BlockTokenSecretManager.AccessMode.WRITE); result = id.getBlockId(); } return result; } }
private BlockTokenIdentifier generateTokenId(BlockTokenSecretManager sm, Block block, EnumSet<BlockTokenSecretManager.AccessMode> accessModes) throws IOException { Token<BlockTokenIdentifier> token = sm.generateToken(block, accessModes); BlockTokenIdentifier id = sm.createIdentifier(); id.readFields(new DataInputStream(new ByteArrayInputStream(token .getIdentifier()))); return id; }
@Override public byte[] retrievePassword(BlockTokenIdentifier identifier) throws InvalidToken { return get(identifier.getBlockPoolId()).retrievePassword(identifier); }
/** Check block access token for the given access mode */ private void checkBlockToken(Block block, BlockTokenSecretManager.AccessMode accessMode) throws IOException { if (isBlockTokenEnabled && UserGroupInformation.isSecurityEnabled()) { Set<TokenIdentifier> tokenIds = UserGroupInformation.getCurrentUser() .getTokenIdentifiers(); if (tokenIds.size() != 1) { throw new IOException("Can't continue with " + "authorization since " + tokenIds.size() + " BlockTokenIdentifier " + "is found."); } for (TokenIdentifier tokenId : tokenIds) { BlockTokenIdentifier id = (BlockTokenIdentifier) tokenId; if (LOG.isDebugEnabled()) { LOG.debug("Got: " + id.toString()); } blockTokenSecretManager.checkAccess(id, null, block, accessMode); } } }
@Override public LocatedBlocks answer(InvocationOnMock arg0) throws Throwable { LocatedBlocks locatedBlocks = (LocatedBlocks)arg0.callRealMethod(); for (LocatedBlock lb : locatedBlocks.getLocatedBlocks()) { Token<BlockTokenIdentifier> token = lb.getBlockToken(); BlockTokenIdentifier id = lb.getBlockToken().decodeIdentifier(); // This will make the token invalid, since the password // won't match anymore id.setExpiryDate(Time.now() + 10); Token<BlockTokenIdentifier> newToken = new Token<BlockTokenIdentifier>(id.getBytes(), token.getPassword(), token.getKind(), token.getService()); lb.setBlockToken(newToken); } return locatedBlocks; } }).when(spyDfsClient).getLocatedBlocks(Mockito.anyString(),
public static BlockTokenSecretProto convert( BlockTokenIdentifier blockTokenSecret) { BlockTokenSecretProto.Builder builder = BlockTokenSecretProto.newBuilder(); builder.setExpiryDate(blockTokenSecret.getExpiryDate()); builder.setKeyId(blockTokenSecret.getKeyId()); String userId = blockTokenSecret.getUserId(); if (userId != null) { builder.setUserId(userId); } String blockPoolId = blockTokenSecret.getBlockPoolId(); if (blockPoolId != null) { builder.setBlockPoolId(blockPoolId); } builder.setBlockId(blockTokenSecret.getBlockId()); for (BlockTokenIdentifier.AccessMode aMode : blockTokenSecret.getAccessModes()) { builder.addModes(convert(aMode)); } for (StorageType storageType : blockTokenSecret.getStorageTypes()) { builder.addStorageTypes(convertStorageType(storageType)); } for (String storageId : blockTokenSecret.getStorageIds()) { builder.addStorageIds(storageId); } return builder.build(); }
private void checkBlockToken(Block block, Token<BlockTokenIdentifier> token, AccessMode accessMode) throws IOException { if (isBlockTokenEnabled && UserGroupInformation.isSecurityEnabled()) { BlockTokenIdentifier id = new BlockTokenIdentifier(); ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier()); DataInputStream in = new DataInputStream(buf); id.readFields(in); if (LOG.isDebugEnabled()) { LOG.debug("Got: " + id.toString()); } blockTokenSecretManager.checkAccess(id, null, block, accessMode); } }
/** * Look up the token password/secret for the given block token identifier. * * @param identifier * the block token identifier to look up * @return token password/secret as byte[] * @throws InvalidToken */ @Override public byte[] retrievePassword(BlockTokenIdentifier identifier) throws InvalidToken { if (isExpired(identifier.getExpiryDate())) { throw new InvalidToken("Block token with " + identifier.toString() + " is expired."); } BlockKey key = null; synchronized (this) { key = allKeys.get(identifier.getKeyId()); } if (key == null) { throw new InvalidToken("Can't re-compute password for " + identifier.toString() + ", since the required block key (keyID=" + identifier.getKeyId() + ") doesn't exist."); } return createPassword(identifier.getBytes(), key.getKey()); }
/** * Create a new password/secret for the given block token identifier. * * @param identifier * the block token identifier * @return token password/secret */ @Override protected byte[] createPassword(BlockTokenIdentifier identifier) { BlockKey key = null; synchronized (this) { key = currentKey; } if (key == null) throw new IllegalStateException("currentKey hasn't been initialized."); identifier.setExpiryDate(timer.now() + tokenLifetime); identifier.setKeyId(key.getKeyId()); if (LOG.isDebugEnabled()) { LOG.debug("Generating block token for " + identifier.toString()); } return createPassword(identifier.getBytes(), key.getKey()); }
/** Return an empty BlockTokenIdentifer */ @Override public BlockTokenIdentifier createIdentifier() { return new BlockTokenIdentifier(); }
@Override public GetReplicaVisibleLengthResponseProto answer( InvocationOnMock invocation) throws IOException { Object args[] = invocation.getArguments(); assertEquals(2, args.length); GetReplicaVisibleLengthRequestProto req = (GetReplicaVisibleLengthRequestProto) args[1]; Set<TokenIdentifier> tokenIds = UserGroupInformation.getCurrentUser() .getTokenIdentifiers(); assertEquals("Only one BlockTokenIdentifier expected", 1, tokenIds.size()); long result = 0; for (TokenIdentifier tokenId : tokenIds) { BlockTokenIdentifier id = (BlockTokenIdentifier) tokenId; LOG.info("Got: " + id.toString()); assertTrue("Received BlockTokenIdentifier is wrong", ident.equals(id)); sm.checkAccess(id, null, PBHelper.convert(req.getBlock()), BlockTokenSecretManager.AccessMode.WRITE); result = id.getBlockId(); } return GetReplicaVisibleLengthResponseProto.newBuilder() .setLength(result).build(); } }