DataInputStream in = new DataInputStream(buf); TokenIdent id = createIdentifier(); id.readFields(in); LOG.info("Token renewal for identifier: " + formatTokenId(id) + "; total currentTokens " + currentTokens.size()); if (id.getMaxDate() < now) { throw new InvalidToken(renewer + " tried to renew an expired token " + formatTokenId(id) + " max expiration date: " + Time.formatTime(id.getMaxDate()) + " currentTime: " + Time.formatTime(now)); if ((id.getRenewer() == null) || (id.getRenewer().toString().isEmpty())) { throw new AccessControlException(renewer + " tried to renew a token " + formatTokenId(id) + " without a renewer"); if (!id.getRenewer().toString().equals(renewer)) { throw new AccessControlException(renewer + " tries to renew a token " + formatTokenId(id) + " with non-matching renewer " + id.getRenewer()); DelegationKey key = getDelegationKey(id.getMasterKeyId()); if (key == null) { throw new InvalidToken("Unable to find master key for keyId=" + id.getMasterKeyId() + " from cache. Failed to renew an unexpired token " + formatTokenId(id) + " with sequenceNumber=" + id.getSequenceNumber());
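/**
 * Persists a delegation token under {@code ZK_DTSM_TOKENS_ROOT}, either
 * creating the node or overwriting an existing one.
 *
 * The node payload is the identifier's own serialized form followed by the
 * renew date, the password length and the raw password bytes; readers must
 * consume the fields in exactly that order. Because the payload carries the
 * token password, the node is only as protected as the ACLs the ZK client was
 * configured with (not visible here — verify against the client setup).
 *
 * @param ident    identifier of the token being stored
 * @param info     renew date and password to persist alongside the identifier
 * @param isUpdate {@code true} to overwrite the node via setData,
 *                 {@code false} to create a new persistent node
 * @throws Exception propagated from the ZooKeeper client or the stream writes
 */
private void addOrUpdateToken(TokenIdent ident,
    DelegationTokenInformation info, boolean isUpdate) throws Exception {
  String nodeCreatePath = getNodePath(ZK_DTSM_TOKENS_ROOT,
      DELEGATION_TOKEN_PREFIX + ident.getSequenceNumber());
  try (ByteArrayOutputStream tokenOs = new ByteArrayOutputStream();
       DataOutputStream tokenOut = new DataOutputStream(tokenOs)) {
    ident.write(tokenOut);
    tokenOut.writeLong(info.getRenewDate());
    tokenOut.writeInt(info.getPassword().length);
    tokenOut.write(info.getPassword());
    byte[] payload = tokenOs.toByteArray();
    if (LOG.isDebugEnabled()) {
      LOG.debug((isUpdate ? "Updating " : "Storing ")
          + "ZKDTSMDelegationToken_" + ident.getSequenceNumber());
    }
    if (isUpdate) {
      // The previous code chained setVersion(-1) onto the Stat that forPath()
      // returns; that only mutates the local Stat object and never reaches
      // ZooKeeper. setData without withVersion() already writes regardless of
      // the node version, so the no-op call is dropped.
      zkClient.setData().forPath(nodeCreatePath, payload);
    } else {
      zkClient.create().withMode(CreateMode.PERSISTENT)
          .forPath(nodeCreatePath, payload);
    }
  }
}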
DataInputStream in = new DataInputStream(buf); TokenIdent id = createIdentifier(); id.readFields(in); LOG.info("Token cancellation requested for identifier: " + formatTokenId(id)); if (id.getUser() == null) { throw new InvalidToken("Token with no owner " + formatTokenId(id)); String owner = id.getUser().getUserName(); Text renewer = id.getRenewer(); HadoopKerberosName cancelerKrbName = new HadoopKerberosName(canceller); String cancelerShortName = cancelerKrbName.getShortName();
String nodePath = getNodePath(ZK_DTSM_TOKENS_ROOT, DELEGATION_TOKEN_PREFIX + ident.getSequenceNumber()); try { byte[] data = zkClient.getData().forPath(nodePath); createIdentifier().readFields(din); long renewDate = din.readLong(); int pwdLen = din.readInt();
/**
 * Issues the password for a freshly requested delegation token.
 *
 * Stamps the identifier with issue date, max date, current master key id and
 * the next sequence number, derives the password from the identifier bytes
 * under the current master key, and asks the store to persist the token
 * information. A persistence failure is only logged and the password is still
 * returned, so the caller cannot tell from the result whether the token was
 * actually stored.
 *
 * @param identifier identifier to stamp and sign; mutated in place
 * @return the password bound to the identifier under the current key
 */
@Override
protected synchronized byte[] createPassword(TokenIdent identifier) {
  final long issueTime = Time.now();
  final int nextSeq = incrementDelegationTokenSeqNum();

  identifier.setIssueDate(issueTime);
  identifier.setMaxDate(issueTime + tokenMaxLifetime);
  identifier.setMasterKeyId(currentKey.getKeyId());
  identifier.setSequenceNumber(nextSeq);
  LOG.info("Creating password for identifier: " + formatTokenId(identifier)
      + ", currentKey: " + currentKey.getKeyId());

  final byte[] password =
      createPassword(identifier.getBytes(), currentKey.getKey());
  final DelegationTokenInformation tokenInfo = new DelegationTokenInformation(
      issueTime + tokenRenewInterval, password,
      getTrackingIdIfEnabled(identifier));
  try {
    storeToken(identifier, tokenInfo);
  } catch (IOException ioe) {
    // best-effort persistence: the token is handed out even if the store failed
    LOG.error("Could not store token " + formatTokenId(identifier) + "!!", ioe);
  }
  return password;
}
/**
 * Deserializes this identifier: the superclass fields first, then the cluster
 * id, the application id and the signing-required flag, in the same order they
 * are written.
 *
 * @param in source to read from
 * @throws IOException if the underlying read fails
 */
@Override
public void readFields(DataInput in) throws IOException {
  super.readFields(in);
  clusterId = in.readUTF();
  Preconditions.checkNotNull(clusterId);
  appId = in.readUTF();
  isSigningRequired = in.readBoolean();
  // normalize an absent application id to the empty string
  if (appId == null) {
    appId = "";
  }
}
"Can't add persisted delegation token to a running SecretManager."); int keyId = identifier.getMasterKeyId(); DelegationKey dKey = allKeys.get(keyId); if (dKey == null) { LOG.warn("No KEY found for persisted identifier " + identifier.toString()); return; byte[] password = createPassword(identifier.getBytes(), dKey.getKey()); if (identifier.getSequenceNumber() > getDelegationTokenSeqNum()) { setDelegationTokenSeqNum(identifier.getSequenceNumber());
/**
 * Renders a token in a form meant for humans, not for parsing.
 *
 * Starts from {@code token.toString()} and, when the identifier decodes,
 * appends it; for delegation-token identifiers the renewer, issue date and
 * max date are appended as well, since the HDFS DT string form leaves them
 * out. A decoding failure is logged at debug level and the partial string is
 * returned.
 *
 * @param token token to convert to a string form
 * @return a printable view of the token
 */
public static String tokenToString(Token<? extends TokenIdentifier> token) {
  final DateFormat dates =
      DateFormat.getDateTimeInstance(DateFormat.SHORT, DateFormat.SHORT);
  final StringBuilder sb = new StringBuilder(128).append(token.toString());
  try {
    final TokenIdentifier ti = token.decodeIdentifier();
    sb.append("; ").append(ti);
    if (ti instanceof AbstractDelegationTokenIdentifier) {
      final AbstractDelegationTokenIdentifier dt =
          (AbstractDelegationTokenIdentifier) ti;
      sb.append("; Renewer: ").append(dt.getRenewer())
          .append("; Issued: ")
          .append(dates.format(new Date(dt.getIssueDate())))
          .append("; Max Date: ")
          .append(dates.format(new Date(dt.getMaxDate())));
    }
  } catch (IOException e) {
    // marshalling problem inside the token, not in this formatter
    LOG.debug("Failed to decode {}: {}", token, e, e);
  }
  return sb.toString();
}
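/**
 * Prints the tokens held in a Credentials object as a table.
 *
 * A header row is emitted before the first matching token and omitted
 * entirely when nothing matches. The renewer and expiry columns are filled
 * from the decoded identifier when it is a delegation-token identifier and
 * shown as {@code NA_STRING} otherwise, so tokens of other kinds (or of a
 * kind this JVM cannot decode) are listed instead of aborting the listing.
 * The last column is the URL-encoded token, which presumably embeds the
 * token's secret bytes — treat the output stream as sensitive.
 *
 * @param creds the Credentials object to be printed out.
 * @param alias print only tokens matching alias (null matches all).
 * @param out   print to this stream.
 * @throws IOException if a token cannot be decoded or URL-encoded
 */
public static void printCredentials(
    Credentials creds, Text alias, PrintStream out) throws IOException {
  boolean tokenHeader = true;
  String fmt = "%-24s %-20s %-15s %-12s %s%n";
  for (Token<?> token : creds.getAllTokens()) {
    if (!matchAlias(token, alias)) {
      continue;
    }
    if (tokenHeader) {
      out.printf(fmt, "Token kind", "Service", "Renewer", "Exp date",
          "URL enc token");
      out.println(StringUtils.repeat("-", 80));
      tokenHeader = false;
    }
    // Credentials may hold any token kind; a blind cast threw
    // ClassCastException for identifiers that are not delegation tokens.
    // Treat those like a null identifier and print NA_STRING instead.
    Object decoded = token.decodeIdentifier();
    AbstractDelegationTokenIdentifier id =
        (decoded instanceof AbstractDelegationTokenIdentifier)
            ? (AbstractDelegationTokenIdentifier) decoded : null;
    out.printf(fmt, token.getKind(), token.getService(),
        (id != null) ? id.getRenewer() : NA_STRING,
        (id != null) ? formatDate(id.getMaxDate()) : NA_STRING,
        token.encodeToUrlString());
  }
}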
/**
 * Serializes this identifier: superclass fields first, then the cluster id,
 * the application id and the signing-required flag, in that order. Readers
 * must consume the same fields in the same order.
 *
 * NOTE(review): DataOutput.writeUTF rejects a null string, so a null
 * clusterId or appId fails here rather than being written as empty.
 *
 * @param out sink to write to
 * @throws IOException if the underlying write fails
 */
@Override
public void write(DataOutput out) throws IOException {
  super.write(out);
  out.writeUTF(clusterId);
  out.writeUTF(appId);
  out.writeBoolean(isSigningRequired);
}
/**
 * Looks up the information for a token, consulting the local cache first and
 * falling back to ZooKeeper on a miss.
 *
 * A ZK hit is copied into {@code currentTokens}. A ZK read failure is logged
 * and treated as "not found", so the caller sees {@code null} both for an
 * unknown token and for a store that could not be reached.
 *
 * @param ident identifier whose token information is wanted
 * @return the cached or freshly fetched information, or {@code null}
 */
@Override
protected DelegationTokenInformation getTokenInfo(TokenIdent ident) {
  DelegationTokenInformation cached = currentTokens.get(ident);
  if (cached != null) {
    return cached;
  }
  DelegationTokenInformation fetched = null;
  try {
    fetched = getTokenInfoFromZK(ident);
  } catch (IOException e) {
    LOG.error("Error retrieving tokenInfo [" + ident.getSequenceNumber()
        + "] from ZK", e);
  }
  if (fetched != null) {
    currentTokens.put(ident, fetched);
  }
  return fetched;
}
"Can't add persisted delegation token to a running SecretManager."); int keyId = identifier.getMasterKeyId(); DelegationKey dKey = allKeys.get(keyId); if (dKey == null) { return; byte[] password = createPassword(identifier.getBytes(), dKey.getKey()); if (identifier.getSequenceNumber() > getDelegationTokenSeqNum()) { setDelegationTokenSeqNum(identifier.getSequenceNumber());
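/**
 * Get the expiry time of a token.
 *
 * Only delegation-token identifiers carry a max date; any other identifier
 * type, including a {@code null} one for a token kind this JVM cannot decode,
 * fails the state check.
 *
 * @param token token to examine
 * @return the time in milliseconds after which the token is invalid.
 * @throws IOException if the identifier cannot be decoded
 * @throws IllegalStateException if the identifier is not an
 *         {@code AbstractDelegationTokenIdentifier}
 */
public static long getTokenExpiryTime(Token<?> token) throws IOException {
  // wildcard instead of the raw Token type: same callers compile, no
  // unchecked warning at the call site
  TokenIdentifier identifier = token.decodeIdentifier();
  Preconditions.checkState(
      identifier instanceof AbstractDelegationTokenIdentifier,
      "Token %s of type: %s has an identifier which cannot be examined: %s",
      token, token.getClass(), identifier);
  return ((AbstractDelegationTokenIdentifier) identifier).getMaxDate();
}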
/**
 * Verifies a delegation token and resolves the user it was issued to.
 *
 * The identifier is decoded through the secret manager and the token's
 * password is checked against it; the owner is returned only after that
 * check, so a token that fails verification is expected to surface as an
 * exception from {@code verifyToken} rather than as a user.
 *
 * @param token token to verify
 * @return the user identity embedded in the verified identifier
 * @throws IOException if decoding fails or the password does not verify
 */
@SuppressWarnings("unchecked")
public UserGroupInformation verifyToken(
    Token<? extends AbstractDelegationTokenIdentifier> token)
    throws IOException {
  final AbstractDelegationTokenIdentifier ident =
      secretManager.decodeTokenIdentifier(token);
  final byte[] presentedPassword = token.getPassword();
  secretManager.verifyToken(ident, presentedPassword);
  return ident.getUser();
}
/**
 * Returns the identifier's tracking id when tracking-id storage is enabled,
 * otherwise {@code null}.
 *
 * @param ident identifier to read the tracking id from
 * @return the tracking id, or {@code null} when {@code storeTokenTrackingId}
 *         is off
 */
protected String getTrackingIdIfEnabled(TokenIdent ident) {
  return storeTokenTrackingId ? ident.getTrackingId() : null;
}
/**
 * Two identifiers are equal when all identifying fields agree: sequence
 * number, issue date, max date, master key id, owner, renewer and real user.
 * {@code hashCode} must be kept consistent with this set of fields.
 *
 * @param obj object to compare against
 * @return {@code true} if {@code obj} is an AbstractDelegationTokenIdentifier
 *         with the same field values
 */
@Override
public boolean equals(Object obj) {
  if (this == obj) {
    return true;
  }
  if (!(obj instanceof AbstractDelegationTokenIdentifier)) {
    return false;
  }
  AbstractDelegationTokenIdentifier other = (AbstractDelegationTokenIdentifier) obj;
  // cheap primitive comparisons first, Text comparisons last
  if (sequenceNumber != other.sequenceNumber
      || issueDate != other.issueDate
      || maxDate != other.maxDate
      || masterKeyId != other.masterKeyId) {
    return false;
  }
  return isEqual(owner, other.owner)
      && isEqual(renewer, other.renewer)
      && isEqual(realUser, other.realUser);
}
/**
 * Tells whether renewal should be skipped for a token: {@code true} only when
 * the decoded identifier carries a renewer that is present but empty. Tokens
 * whose identifier does not decode, or whose renewer is {@code null}, are not
 * skipped.
 *
 * @param token token whose renewer is inspected
 * @return {@code true} if the renewer is the empty string
 * @throws IOException if the identifier cannot be decoded
 */
private boolean skipTokenRenewal(Token<?> token) throws IOException {
  @SuppressWarnings("unchecked")
  AbstractDelegationTokenIdentifier identifier =
      ((Token<AbstractDelegationTokenIdentifier>) token).decodeIdentifier();
  if (identifier == null) {
    return false;
  }
  Text renewer = identifier.getRenewer();
  if (renewer == null) {
    return false;
  }
  return renewer.toString().isEmpty();
}
/**
 * Issues the password for a freshly requested delegation token.
 *
 * Stamps the identifier with issue date, max date, current master key id and
 * the next sequence number, derives the password from the identifier bytes
 * under the current master key, and asks the store to persist the token
 * information. A persistence failure is only logged and the password is still
 * returned, so the caller cannot tell from the result whether the token was
 * actually stored.
 *
 * @param identifier identifier to stamp and sign; mutated in place
 * @return the password bound to the identifier under the current key
 */
@Override
protected synchronized byte[] createPassword(TokenIdent identifier) {
  final long issueTime = Time.now();
  final int nextSeq = incrementDelegationTokenSeqNum();

  identifier.setIssueDate(issueTime);
  identifier.setMaxDate(issueTime + tokenMaxLifetime);
  identifier.setMasterKeyId(currentKey.getKeyId());
  identifier.setSequenceNumber(nextSeq);
  LOG.info("Creating password for identifier: " + identifier
      + ", currentKey: " + currentKey.getKeyId());

  final byte[] password =
      createPassword(identifier.getBytes(), currentKey.getKey());
  final DelegationTokenInformation tokenInfo = new DelegationTokenInformation(
      issueTime + tokenRenewInterval, password,
      getTrackingIdIfEnabled(identifier));
  try {
    storeToken(identifier, tokenInfo);
  } catch (IOException ioe) {
    // best-effort persistence: the token is handed out even if the store failed
    LOG.error("Could not store token !!", ioe);
  }
  return password;
}
/**
 * Handles a token-removed event from the ZK path cache by dropping the
 * identifier from {@code currentTokens}.
 *
 * Wakes every thread parked on this object's monitor, since a pending
 * cancellation may be waiting for exactly this removal.
 *
 * @param data the removed node's data, holding the serialized identifier
 * @throws IOException if the identifier cannot be deserialized
 */
private void processTokenRemoved(ChildData data) throws IOException {
  TokenIdent removed = createIdentifier();
  removed.readFields(
      new DataInputStream(new ByteArrayInputStream(data.getData())));
  synchronized (this) {
    currentTokens.remove(removed);
    // a cancel task may be blocked on this monitor waiting for the removal
    notifyAll();
  }
}
"Can't add persisted delegation token to a running SecretManager."); int keyId = identifier.getMasterKeyId(); DelegationKey dKey = allKeys.get(keyId); if (dKey == null) { LOG.warn("No KEY found for persisted identifier " + identifier.toString()); return; byte[] password = createPassword(identifier.getBytes(), dKey.getKey()); if (identifier.getSequenceNumber() > getDelegationTokenSeqNum()) { setDelegationTokenSeqNum(identifier.getSequenceNumber());