@Test public void testDelegationTokenWithReducedLifetime() throws Throwable { // Login as the "root" user UserGroupInformation root = UserGroupInformation.loginUserFromKeytabAndReturnUGI( rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath()); log.info("Logged in as {}", rootUser.getPrincipal()); // As the "root" user, open up the connection and get a delegation token final AuthenticationToken dt = root.doAs(new PrivilegedExceptionAction<AuthenticationToken>() { @Override public AuthenticationToken run() throws Exception { Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken()); log.info("Created connector as {}", rootUser.getPrincipal()); assertEquals(rootUser.getPrincipal(), conn.whoami()); return conn.securityOperations() .getDelegationToken(new DelegationTokenConfig().setTokenLifetime(5, TimeUnit.MINUTES)); } }); AuthenticationTokenIdentifier identifier = ((DelegationTokenImpl) dt).getIdentifier(); assertTrue("Expected identifier to expire in no more than 5 minutes: " + identifier, identifier.getExpirationDate() - identifier.getIssueDate() <= (5 * 60 * 1000)); }
@Override public byte[] retrievePassword(AuthenticationTokenIdentifier identifier) throws InvalidToken { long now = System.currentTimeMillis(); if (identifier.getExpirationDate() < now) { throw new InvalidToken("Token has expired"); } if (identifier.getIssueDate() > now) { throw new InvalidToken("Token issued in the future"); } AuthenticationKey masterKey = allKeys.get(identifier.getKeyId()); if (masterKey == null) { throw new InvalidToken("Unknown master key for token (id=" + identifier.getKeyId() + ")"); } // regenerate the password return createPassword(identifier.getBytes(), masterKey.getKey()); }
long requestedLifetime = cfg.getTokenLifetime(TimeUnit.MILLISECONDS); if (0 < requestedLifetime) { long requestedExpirationDate = identifier.getIssueDate() + requestedLifetime; if (requestedExpirationDate < identifier.getIssueDate()) { requestedExpirationDate = Long.MAX_VALUE;