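/**
 * (Re)opens the ZooKeeper session and runs {@code ensurePath} for the key and
 * token parent nodes under {@code rootNode}, using {@code newNodeAcl}.
 *
 * @throws IllegalStateException if no connect string has been configured yet
 * @throws TokenStoreException if either parent path cannot be validated
 */
private void init() {
  if (this.zkConnectString == null) {
    throw new IllegalStateException("Not initialized");
  }
  if (this.zkSession != null) {
    // A failure to close the old session is only logged: the replacement
    // session obtained below is what the store goes on to use.
    try {
      this.zkSession.close();
    } catch (InterruptedException ex) {
      // Restore the interrupt flag so callers further up the stack still see it.
      Thread.currentThread().interrupt();
      LOGGER.warn("Failed to close existing session.", ex);
    }
  }
  ZooKeeper zk = getSession();
  try {
    ensurePath(zk, rootNode + NODE_KEYS, newNodeAcl);
    ensurePath(zk, rootNode + NODE_TOKENS, newNodeAcl);
  } catch (Exception e) {
    throw new TokenStoreException("Failed to validate token path.", e);
  }
}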
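/**
 * Reads every master key node below {@code rootNode + NODE_KEYS}.
 *
 * <p>A child that vanishes between the {@code getChildren} listing and its
 * {@code getData} read (a key removed concurrently) is skipped instead of
 * failing the whole read.
 *
 * @return map from the key sequence number ({@code getSeq(child)}) to the raw node bytes;
 *         children whose data is {@code null} are left out
 * @throws KeeperException on any ZooKeeper error other than a vanished child
 * @throws InterruptedException if interrupted while waiting on ZooKeeper
 */
private Map<Integer, byte[]> getAllKeys() throws KeeperException, InterruptedException {
  String masterKeyNode = rootNode + NODE_KEYS;
  ZooKeeper zk = getSession();
  List<String> nodes = zk.getChildren(masterKeyNode, false);
  Map<Integer, byte[]> result = new HashMap<Integer, byte[]>();
  for (String node : nodes) {
    byte[] data;
    try {
      data = zk.getData(masterKeyNode + "/" + node, false, null);
    } catch (KeeperException.NoNodeException ex) {
      // Removed after the listing was taken; there is nothing to return for it.
      continue;
    }
    if (data != null) {
      result.put(getSeq(node), data);
    }
  }
  return result;
}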
/**
 * Deletes the node holding the token for {@code tokenIdentifier}.
 *
 * @param tokenIdentifier identifier whose node is removed
 * @return always {@code true}; whether a node actually existed is not reported
 *         here (that depends on how {@code zkDelete} treats a missing node)
 */
@Override
public boolean removeToken(DelegationTokenIdentifier tokenIdentifier) {
  zkDelete(getTokenPath(tokenIdentifier));
  return true;
}
/**
 * Collects all master keys stored below {@code rootNode + NODE_KEYS}.
 *
 * @return map from the key sequence number ({@code getSeq(child)}) to the node's bytes;
 *         children for which {@code zkGetData} returns {@code null} are left out
 * @throws KeeperException declared for callers; not thrown by the helpers visible here
 * @throws InterruptedException declared for callers; not thrown by the helpers visible here
 */
private Map<Integer, byte[]> getAllKeys() throws KeeperException, InterruptedException {
  final String keysPath = rootNode + NODE_KEYS;
  Map<Integer, byte[]> keysBySeq = new HashMap<Integer, byte[]>();
  for (String child : zkGetChildren(keysPath)) {
    byte[] keyBytes = zkGetData(keysPath + "/" + child);
    if (keyBytes == null) {
      continue;
    }
    keysBySeq.put(getSeq(child), keyBytes);
  }
  return keysBySeq;
}
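/**
 * Deletes the token node for {@code tokenIdentifier}, ignoring its version ({@code -1}).
 *
 * @param tokenIdentifier identifier whose node is removed
 * @return {@code true} if the node was deleted, {@code false} if it did not exist
 * @throws TokenStoreException wrapping any other ZooKeeper error or an interrupt
 */
@Override
public boolean removeToken(DelegationTokenIdentifier tokenIdentifier) {
  try {
    ZooKeeper zk = getSession();
    zk.delete(getTokenPath(tokenIdentifier), -1);
    return true;
  } catch (KeeperException.NoNodeException ex) {
    return false;
  } catch (KeeperException ex) {
    throw new TokenStoreException(ex);
  } catch (InterruptedException ex) {
    // Re-set the interrupt flag before wrapping so the caller can still observe it.
    Thread.currentThread().interrupt();
    throw new TokenStoreException(ex);
  }
}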
String aclStr = conf.get(HadoopThriftAuthBridge.Server.DELEGATION_TOKEN_STORE_ZK_ACL, null); if (StringUtils.isNotBlank(aclStr)) { this.newNodeAcl = parseACLs(aclStr); setupJAASConfig(conf); } catch (IOException e) { throw new TokenStoreException("Error setting up JAAS configuration for zookeeper client " + e.getMessage(), e); initClientAndPaths();
/**
 * Lists the child node names of {@code path} through the Curator session.
 *
 * @param path absolute znode path to list
 * @return the child names as returned by Curator
 * @throws TokenStoreException wrapping any failure of the client call
 */
private List<String> zkGetChildren(String path) {
  final CuratorFramework client = getSession();
  try {
    return client.getChildren().forPath(path);
  } catch (Exception cause) {
    throw new TokenStoreException("Error getting children for " + path, cause);
  }
}
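/**
 * Looks up and decodes the stored token for {@code tokenIdentifier}.
 *
 * @param tokenIdentifier identifier of the token to fetch
 * @return the decoded token information, or {@code null} when no node exists for
 *         the identifier ({@code zkGetData} reports a missing node as {@code null})
 * @throws TokenStoreException if the stored bytes cannot be decoded
 */
@Override
public DelegationTokenInformation getToken(DelegationTokenIdentifier tokenIdentifier) {
  byte[] tokenBytes = zkGetData(getTokenPath(tokenIdentifier));
  if (tokenBytes == null) {
    // Missing token (e.g. already removed): report absence rather than handing
    // null to the decoder and surfacing that as a decode error.
    return null;
  }
  try {
    return HiveDelegationTokenSupport.decodeDelegationTokenInformation(tokenBytes);
  } catch (Exception ex) {
    throw new TokenStoreException("Failed to decode token", ex);
  }
}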
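/**
 * Returns every master key as a string, in the iteration order of {@code getAllKeys()}.
 *
 * <p>Keys are converted with {@code new String(byte[])}, i.e. the platform default
 * charset; the writer side of these nodes is not visible here, so the conversion is
 * left as is to stay consistent with it.
 *
 * @return array of master key strings, empty if no keys are stored
 * @throws TokenStoreException wrapping a ZooKeeper error or an interrupt
 */
@Override
public String[] getMasterKeys() {
  try {
    Map<Integer, byte[]> allKeys = getAllKeys();
    String[] keys = new String[allKeys.size()];
    int i = 0;
    for (byte[] keyBytes : allKeys.values()) {
      keys[i++] = new String(keyBytes);
    }
    return keys;
  } catch (KeeperException ex) {
    throw new TokenStoreException(ex);
  } catch (InterruptedException ex) {
    // Preserve the interrupt for the caller before wrapping it.
    Thread.currentThread().interrupt();
    throw new TokenStoreException(ex);
  }
}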
/**
 * Parses a comma separated list of ZooKeeper ACL entries used to secure the
 * nodes this store creates, e.g.
 * <code>sasl:hive/host1@MY.DOMAIN:cdrwa,sasl:hive/host2@MY.DOMAIN:cdrwa</code>.
 * Each entry has the form {@code scheme:id:perm}; the id part may itself
 * contain colons, so the scheme ends at the first colon and the permission
 * string starts after the last one.
 *
 * <p>Blank entries are skipped silently; malformed entries are logged at
 * error level and skipped, so a typo yields a shorter ACL list rather than an
 * exception. Callers that need every configured entry applied should compare
 * the result size against the number of non-blank entries.
 *
 * @param aclString comma separated ACL entries
 * @return the parsed ACL list, possibly empty
 */
public static List<ACL> parseACLs(String aclString) {
  String[] entries = StringUtils.splitByWholeSeparator(aclString, ",");
  List<ACL> acls = new ArrayList<ACL>(entries.length);
  for (String rawEntry : entries) {
    if (StringUtils.isBlank(rawEntry)) {
      continue;
    }
    String entry = rawEntry.trim();
    // Same split rule as ZooKeeperMain: scheme up to the first ':', perms after
    // the last ':', everything in between is the id.
    int schemeEnd = entry.indexOf(':');
    int permStart = entry.lastIndexOf(':');
    boolean wellFormed = schemeEnd != -1 && permStart != -1 && schemeEnd != permStart;
    if (!wellFormed) {
      LOGGER.error(entry + " does not have the form scheme:id:perm");
      continue;
    }
    Id id = new Id(entry.substring(0, schemeEnd), entry.substring(schemeEnd + 1, permStart));
    acls.add(new ACL(getPermFromString(entry.substring(permStart + 1)), id));
  }
  return acls;
}
/**
 * Reads the ZooKeeper settings (connect string, connect timeout, root znode and
 * optional ACL list) from {@code conf} and then initialises the store.
 *
 * @param conf configuration to read; must not be {@code null}
 * @throws IllegalArgumentException if {@code conf} is {@code null}
 */
@Override
public void setConf(Configuration conf) {
  if (conf == null) {
    throw new IllegalArgumentException("conf is null");
  }
  this.zkConnectString =
      conf.get(HadoopThriftAuthBridge20S.Server.DELEGATION_TOKEN_STORE_ZK_CONNECT_STR, null);
  this.connectTimeoutMillis =
      conf.getLong(HadoopThriftAuthBridge20S.Server.DELEGATION_TOKEN_STORE_ZK_CONNECT_TIMEOUTMILLIS, -1);
  this.rootNode =
      conf.get(HadoopThriftAuthBridge20S.Server.DELEGATION_TOKEN_STORE_ZK_ZNODE,
          HadoopThriftAuthBridge20S.Server.DELEGATION_TOKEN_STORE_ZK_ZNODE_DEFAULT);
  // newNodeAcl keeps its previous value when no ACL list is configured.
  String aclCsv = conf.get(HadoopThriftAuthBridge20S.Server.DELEGATION_TOKEN_STORE_ZK_ACL, null);
  if (!StringUtils.isBlank(aclCsv)) {
    this.newNodeAcl = parseACLs(aclCsv);
  }
  init();
}
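/**
 * Closes any existing Curator session and runs {@code ensurePath} for the key
 * and token parent paths with {@code newNodeAcl}.
 *
 * @throws TokenStoreException propagated unchanged from {@code ensurePath}
 */
private void initClientAndPaths() {
  if (this.zkSession != null) {
    this.zkSession.close();
  }
  // The former catch (TokenStoreException) { throw e; } was a no-op; the
  // exception propagates exactly the same without it.
  ensurePath(rootNode + NODE_KEYS, newNodeAcl);
  ensurePath(rootNode + NODE_TOKENS, newNodeAcl);
}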
/**
 * Configures the ZooKeeper client JAAS login from the Kerberos principal and
 * keytab properties of the current {@code serverMode}. Skipped, with a warning,
 * when the process was not logged in from a keytab (treated as a test setup).
 *
 * @param conf configuration holding the principal/keytab properties
 * @throws IOException propagated from {@code UserGroupInformation.getLoginUser()}
 * @throws AssertionError if {@code serverMode} is neither METASTORE nor HIVESERVER2
 */
private void setupJAASConfig(Configuration conf) throws IOException {
  boolean keytabLogin = UserGroupInformation.getLoginUser().isFromKeytab();
  if (!keytabLogin) {
    // Without a keytab login there is nothing to authenticate to ZooKeeper with.
    LOGGER.warn("Login is not from keytab");
    return;
  }
  final String principalKey;
  final String keytabKey;
  switch (serverMode) {
    case METASTORE:
      principalKey = "hive.metastore.kerberos.principal";
      keytabKey = "hive.metastore.kerberos.keytab.file";
      break;
    case HIVESERVER2:
      principalKey = "hive.server2.authentication.kerberos.principal";
      keytabKey = "hive.server2.authentication.kerberos.keytab";
      break;
    default:
      throw new AssertionError("Unexpected server mode " + serverMode);
  }
  // Principal is resolved before the keytab, as before.
  Utils.setZookeeperClientKerberosJaasConfig(
      getNonEmptyConfVar(conf, principalKey), getNonEmptyConfVar(conf, keytabKey));
}
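/**
 * Stores {@code token} under the path for {@code tokenIdentifier} as a new
 * persistent node protected by {@code newNodeAcl}.
 *
 * @param tokenIdentifier identifier naming the node
 * @param token token information to encode and store
 * @return {@code true} if the node was created, {@code false} if one already existed
 * @throws TokenStoreException wrapping any other ZooKeeper error or an interrupt
 */
@Override
public boolean addToken(DelegationTokenIdentifier tokenIdentifier,
    DelegationTokenInformation token) {
  try {
    ZooKeeper zk = getSession();
    byte[] tokenBytes = HiveDelegationTokenSupport.encodeDelegationTokenInformation(token);
    String newNode = zk.create(getTokenPath(tokenIdentifier), tokenBytes, newNodeAcl,
        CreateMode.PERSISTENT);
    // Only the created node path is logged, never the encoded token bytes.
    LOGGER.info("Added token: {}", newNode);
    return true;
  } catch (KeeperException.NodeExistsException ex) {
    return false;
  } catch (KeeperException ex) {
    throw new TokenStoreException(ex);
  } catch (InterruptedException ex) {
    // Preserve the interrupt for the caller before wrapping it.
    Thread.currentThread().interrupt();
    throw new TokenStoreException(ex);
  }
}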
/**
 * Collects all master keys stored below {@code rootNode + NODE_KEYS}.
 *
 * @return map from the key sequence number ({@code getSeq(child)}) to the node's bytes;
 *         children for which {@code zkGetData} returns {@code null} are left out
 * @throws KeeperException declared for callers; not thrown by the helpers visible here
 * @throws InterruptedException declared for callers; not thrown by the helpers visible here
 */
private Map<Integer, byte[]> getAllKeys() throws KeeperException, InterruptedException {
  final String keysPath = rootNode + NODE_KEYS;
  Map<Integer, byte[]> keysBySeq = new HashMap<Integer, byte[]>();
  for (String child : zkGetChildren(keysPath)) {
    byte[] keyBytes = zkGetData(keysPath + "/" + child);
    if (keyBytes == null) {
      continue;
    }
    keysBySeq.put(getSeq(child), keyBytes);
  }
  return keysBySeq;
}
String aclStr = conf.get(HadoopThriftAuthBridge20S.Server.DELEGATION_TOKEN_STORE_ZK_ACL, null); if (StringUtils.isNotBlank(aclStr)) { this.newNodeAcl = parseACLs(aclStr); setupJAASConfig(conf); } catch (IOException e) { throw new TokenStoreException("Error setting up JAAS configuration for zookeeper client " + e.getMessage(), e); initClientAndPaths();
/**
 * Reads the data of {@code nodePath} through the Curator session.
 *
 * @param nodePath absolute znode path
 * @return the node's bytes, or {@code null} when the node does not exist
 * @throws TokenStoreException wrapping any other failure of the client call
 */
private byte[] zkGetData(String nodePath) {
  final CuratorFramework client = getSession();
  try {
    return client.getData().forPath(nodePath);
  } catch (KeeperException.NoNodeException missing) {
    // Absence is a normal outcome for callers and is signalled by null, not an exception.
    return null;
  } catch (Exception cause) {
    throw new TokenStoreException("Error reading " + nodePath, cause);
  }
}
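/**
 * Looks up and decodes the stored token for {@code tokenIdentifier}.
 *
 * @param tokenIdentifier identifier of the token to fetch
 * @return the decoded token information, or {@code null} when no node exists for
 *         the identifier ({@code zkGetData} reports a missing node as {@code null})
 * @throws TokenStoreException if the stored bytes cannot be decoded
 */
@Override
public DelegationTokenInformation getToken(DelegationTokenIdentifier tokenIdentifier) {
  byte[] tokenBytes = zkGetData(getTokenPath(tokenIdentifier));
  if (tokenBytes == null) {
    // Missing token (e.g. already removed): report absence rather than handing
    // null to the decoder and surfacing that as a decode error.
    return null;
  }
  try {
    return HiveDelegationTokenSupport.decodeDelegationTokenInformation(tokenBytes);
  } catch (Exception ex) {
    throw new TokenStoreException("Failed to decode token", ex);
  }
}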
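/**
 * Returns every master key as a string, in the iteration order of {@code getAllKeys()}.
 *
 * <p>Keys are converted with {@code new String(byte[])}, i.e. the platform default
 * charset; the writer side of these nodes is not visible here, so the conversion is
 * left as is to stay consistent with it.
 *
 * @return array of master key strings, empty if no keys are stored
 * @throws TokenStoreException wrapping a ZooKeeper error or an interrupt
 */
@Override
public String[] getMasterKeys() {
  try {
    Map<Integer, byte[]> allKeys = getAllKeys();
    String[] keys = new String[allKeys.size()];
    int i = 0;
    for (byte[] keyBytes : allKeys.values()) {
      keys[i++] = new String(keyBytes);
    }
    return keys;
  } catch (KeeperException ex) {
    throw new TokenStoreException(ex);
  } catch (InterruptedException ex) {
    // Preserve the interrupt for the caller before wrapping it.
    Thread.currentThread().interrupt();
    throw new TokenStoreException(ex);
  }
}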
/**
 * Parses a comma separated list of ZooKeeper ACL entries used to secure the
 * nodes this store creates, e.g.
 * <code>sasl:hive/host1@MY.DOMAIN:cdrwa,sasl:hive/host2@MY.DOMAIN:cdrwa</code>.
 * Each entry has the form {@code scheme:id:perm}; the id part may itself
 * contain colons, so the scheme ends at the first colon and the permission
 * string starts after the last one.
 *
 * <p>Blank entries are skipped silently; malformed entries are logged at
 * error level and skipped, so a typo yields a shorter ACL list rather than an
 * exception. Callers that need every configured entry applied should compare
 * the result size against the number of non-blank entries.
 *
 * @param aclString comma separated ACL entries
 * @return the parsed ACL list, possibly empty
 */
public static List<ACL> parseACLs(String aclString) {
  String[] entries = StringUtils.splitByWholeSeparator(aclString, ",");
  List<ACL> acls = new ArrayList<ACL>(entries.length);
  for (String rawEntry : entries) {
    if (StringUtils.isBlank(rawEntry)) {
      continue;
    }
    String entry = rawEntry.trim();
    // Same split rule as ZooKeeperMain: scheme up to the first ':', perms after
    // the last ':', everything in between is the id.
    int schemeEnd = entry.indexOf(':');
    int permStart = entry.lastIndexOf(':');
    boolean wellFormed = schemeEnd != -1 && permStart != -1 && schemeEnd != permStart;
    if (!wellFormed) {
      LOGGER.error(entry + " does not have the form scheme:id:perm");
      continue;
    }
    Id id = new Id(entry.substring(0, schemeEnd), entry.substring(schemeEnd + 1, permStart));
    acls.add(new ACL(getPermFromString(entry.substring(permStart + 1)), id));
  }
  return acls;
}