/**
 * Check if access should be allowed. {@code userId} is not checked if null.
 *
 * <p>This method does NOT check that the token password is correct. Use it
 * only when the token password has already been verified (e.g., in the RPC
 * layer); for a token received as plain data, use the overload that takes the
 * full {@code Token}.
 *
 * <p>Some callers need the access check to cover storage types and storage
 * IDs, and for others they are not relevant. Each storage check runs only
 * when the corresponding requested array is non-empty, so a null or empty
 * {@code storageTypes} / {@code storageIds} skips that check entirely.
 *
 * @param id           block token identifier, assumed already authenticated
 * @param userId       user to check, or null to skip the user check
 * @param block        block being accessed
 * @param mode         requested access mode
 * @param storageTypes requested storage types; null or empty skips the check
 * @param storageIds   requested storage IDs; null or empty skips the check
 * @throws InvalidToken if any of the performed checks rejects the identifier
 */
public void checkAccess(BlockTokenIdentifier id, String userId,
    ExtendedBlock block, BlockTokenIdentifier.AccessMode mode,
    StorageType[] storageTypes, String[] storageIds) throws InvalidToken {
  // Base check (identifier, user, block, mode) always runs first.
  checkAccess(id, userId, block, mode);

  // Requested storage types are checked against those in the identifier.
  final boolean storageTypesRequested = ArrayUtils.isNotEmpty(storageTypes);
  if (storageTypesRequested) {
    checkAccess(id.getStorageTypes(), storageTypes, "StorageTypes");
  }

  // Same for the requested storage IDs.
  final boolean storageIdsRequested = ArrayUtils.isNotEmpty(storageIds);
  if (storageIdsRequested) {
    checkAccess(id.getStorageIds(), storageIds, "StorageIDs");
  }
}
/**
 * Forwards an identifier-based access check to the manager that
 * {@code get(...)} returns for the block's block-pool id.
 *
 * <p>See {@link BlockTokenSecretManager#checkAccess(BlockTokenIdentifier,
 * String, ExtendedBlock, BlockTokenIdentifier.AccessMode,
 * StorageType[], String[])}. That method is documented as not verifying the
 * token password, so this entry point is only for identifiers whose token
 * password has already been verified.
 *
 * @throws InvalidToken if the delegate rejects the identifier
 */
public void checkAccess(BlockTokenIdentifier id, String userId,
    ExtendedBlock block, AccessMode mode,
    StorageType[] storageTypes, String[] storageIds) throws InvalidToken {
  final String poolId = block.getBlockPoolId();
  get(poolId).checkAccess(id, userId, block, mode, storageTypes, storageIds);
}
/**
 * Forwards a token-based access check, including storage types and storage
 * IDs, to the manager that {@code get(...)} returns for the block's
 * block-pool id. The whole token is passed on, not just its identifier.
 *
 * <p>See {@link BlockTokenSecretManager#checkAccess(Token, String,
 * ExtendedBlock, BlockTokenIdentifier.AccessMode,
 * StorageType[], String[])}.
 *
 * @throws InvalidToken if the delegate rejects the token
 */
public void checkAccess(Token<BlockTokenIdentifier> token, String userId,
    ExtendedBlock block, AccessMode mode,
    StorageType[] storageTypes, String[] storageIds) throws InvalidToken {
  final String poolId = block.getBlockPoolId();
  get(poolId).checkAccess(token, userId, block, mode, storageTypes,
      storageIds);
}
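/**
 * Check if access should be allowed. {@code userId} is not checked if null.
 *
 * <p>The identifier is de-serialized from the token bytes, checked against
 * the request (user, block, mode, storage types, storage IDs), and then the
 * token password is compared with the password this manager retrieves for
 * that identifier. The password comparison is what authenticates the
 * identifier; the token is accepted only if every step succeeds.
 *
 * @param token        block token presented by the caller
 * @param userId       user to check, or null to skip the user check
 * @param block        block being accessed
 * @param mode         requested access mode
 * @param storageTypes requested storage types
 * @param storageIds   requested storage IDs
 * @throws InvalidToken if the identifier cannot be de-serialized, a check
 *         rejects it, or the token password does not match
 */
public void checkAccess(Token<BlockTokenIdentifier> token, String userId,
    ExtendedBlock block, BlockTokenIdentifier.AccessMode mode,
    StorageType[] storageTypes, String[] storageIds) throws InvalidToken {
  BlockTokenIdentifier id = new BlockTokenIdentifier();
  try {
    id.readFields(new DataInputStream(
        new ByteArrayInputStream(token.getIdentifier())));
  } catch (IOException e) {
    InvalidToken invalid = new InvalidToken(
        "Unable to de-serialize block token identifier for user=" + userId
            + ", block=" + block + ", access mode=" + mode);
    // Keep the parse failure attached so it is not lost for diagnosis.
    invalid.initCause(e);
    throw invalid;
  }
  checkAccess(id, userId, block, mode, storageTypes, storageIds);
  // Constant-time comparison: Arrays.equals stops at the first differing
  // byte, so its running time depends on how much of the password matches.
  if (!java.security.MessageDigest.isEqual(retrievePassword(id),
      token.getPassword())) {
    throw new InvalidToken("Block token with " + id
        + " doesn't have the correct token password");
  }
}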
/**
 * Generates tokens on one manager and runs {@code checkAccess} for them on
 * both managers: first one single-mode token per access mode from each side,
 * then one token carrying every access mode.
 *
 * @throws Exception if token generation or an access check fails
 */
private void tokenGenerationAndVerification(BlockTokenSecretManager master,
    BlockTokenSecretManager slave) throws Exception {
  final BlockTokenSecretManager.AccessMode[] allModes =
      BlockTokenSecretManager.AccessMode.values();

  // Single-mode tokens.
  for (BlockTokenSecretManager.AccessMode mode : allModes) {
    // Generated by master, checked on both sides.
    Token<BlockTokenIdentifier> fromMaster =
        master.generateToken(block1, EnumSet.of(mode));
    master.checkAccess(fromMaster, null, block1, mode);
    slave.checkAccess(fromMaster, null, block1, mode);

    // Generated by slave, checked on both sides.
    Token<BlockTokenIdentifier> fromSlave =
        slave.generateToken(block2, EnumSet.of(mode));
    master.checkAccess(fromSlave, null, block2, mode);
    slave.checkAccess(fromSlave, null, block2, mode);
  }

  // Multi-mode token: one token, checked once per mode on both sides.
  Token<BlockTokenIdentifier> allModesToken = master.generateToken(block3,
      EnumSet.allOf(BlockTokenSecretManager.AccessMode.class));
  for (BlockTokenSecretManager.AccessMode mode : allModes) {
    master.checkAccess(allModesToken, null, block3, mode);
    slave.checkAccess(allModesToken, null, block3, mode);
  }
}
/**
 * Forwards an identifier-based access check to the manager that
 * {@code get(...)} returns for the block's block-pool id.
 *
 * <p>See {@link BlockTokenSecretManager#checkAccess(BlockTokenIdentifier,
 * String, ExtendedBlock, AccessMode)}.
 *
 * <p>NOTE(review): only the identifier is passed, not the token password, so
 * this path presumably relies on the password having been verified earlier;
 * confirm against the callers.
 *
 * @throws InvalidToken if the delegate rejects the identifier
 */
public void checkAccess(BlockTokenIdentifier id, String userId,
    ExtendedBlock block, AccessMode mode) throws InvalidToken {
  final String poolId = block.getBlockPoolId();
  get(poolId).checkAccess(id, userId, block, mode);
}
/**
 * Forwards a token-based access check to the manager that {@code get(...)}
 * returns for the block's block-pool id. The whole token is passed on, not
 * just its identifier.
 *
 * <p>See {@link BlockTokenSecretManager#checkAccess(Token, String,
 * ExtendedBlock, AccessMode)}.
 *
 * @throws InvalidToken if the delegate rejects the token
 */
public void checkAccess(Token<BlockTokenIdentifier> token, String userId,
    ExtendedBlock block, AccessMode mode) throws InvalidToken {
  final String poolId = block.getBlockPoolId();
  get(poolId).checkAccess(token, userId, block, mode);
}
/**
 * Token-based access check for a block: selects the manager via
 * {@code get(...)} using the block's block-pool id and delegates to it,
 * handing over the complete token.
 *
 * <p>See {@link BlockTokenSecretManager#checkAccess(Token, String,
 * ExtendedBlock, AccessMode)}.
 *
 * @throws InvalidToken if the delegate rejects the token
 */
public void checkAccess(Token<BlockTokenIdentifier> token, String userId,
    ExtendedBlock block, AccessMode mode) throws InvalidToken {
  final String blockPoolId = block.getBlockPoolId();
  get(blockPoolId).checkAccess(token, userId, block, mode);
}
/**
 * Identifier-based access check for a block: selects the manager via
 * {@code get(...)} using the block's block-pool id and delegates to it.
 *
 * <p>See {@link BlockTokenSecretManager#checkAccess(BlockTokenIdentifier,
 * String, ExtendedBlock, AccessMode)}.
 *
 * <p>NOTE(review): no token password reaches this method, so it presumably
 * expects the password to have been verified before the call; confirm
 * against the callers.
 *
 * @throws InvalidToken if the delegate rejects the identifier
 */
public void checkAccess(BlockTokenIdentifier id, String userId,
    ExtendedBlock block, AccessMode mode) throws InvalidToken {
  final String blockPoolId = block.getBlockPoolId();
  get(blockPoolId).checkAccess(id, userId, block, mode);
}
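/**
 * Check block access token for the given access mode.
 *
 * <p>Does nothing unless block tokens and security are both enabled.
 * Otherwise the current user must carry exactly one token identifier, and it
 * must be a {@link BlockTokenIdentifier}; that identifier is then passed to
 * the secret manager's identifier-based {@code checkAccess}.
 *
 * @param block      block being accessed
 * @param accessMode requested access mode
 * @throws IOException if the current user does not carry exactly one token
 *         identifier, if it is not a block token identifier, or if the
 *         access check fails
 */
private void checkBlockToken(Block block,
    BlockTokenSecretManager.AccessMode accessMode) throws IOException {
  if (!isBlockTokenEnabled || !UserGroupInformation.isSecurityEnabled()) {
    return;
  }
  Set<TokenIdentifier> tokenIds =
      UserGroupInformation.getCurrentUser().getTokenIdentifiers();
  if (tokenIds.size() != 1) {
    throw new IOException("Can't continue with "
        + "authorization since " + tokenIds.size()
        + " BlockTokenIdentifier " + "is found.");
  }
  // Exactly one element at this point.
  TokenIdentifier tokenId = tokenIds.iterator().next();
  // The size check counts identifiers of any kind, so reject a non-block
  // identifier explicitly instead of failing with a ClassCastException.
  if (!(tokenId instanceof BlockTokenIdentifier)) {
    throw new IOException("Can't continue with authorization since the "
        + "token identifier is not a BlockTokenIdentifier: "
        + (tokenId == null ? "null" : tokenId.getClass().getName()));
  }
  BlockTokenIdentifier id = (BlockTokenIdentifier) tokenId;
  if (LOG.isDebugEnabled()) {
    LOG.debug("Got: " + id.toString());
  }
  blockTokenSecretManager.checkAccess(id, null, block, accessMode);
}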
/**
 * Checks a caller-supplied block token for the given access mode.
 *
 * <p>Does nothing unless block tokens and security are both enabled.
 * Otherwise the identifier is de-serialized from the token bytes and passed
 * to the secret manager's identifier-based {@code checkAccess}.
 *
 * <p>NOTE(review): only {@code token.getIdentifier()} is read here; the
 * token password is never compared in this method. Confirm that the password
 * is verified before this point, or that the token-based {@code checkAccess}
 * overload is not the intended call.
 *
 * @param block      block being accessed
 * @param token      block token whose identifier is checked
 * @param accessMode requested access mode
 * @throws IOException if the identifier cannot be read or the check fails
 */
private void checkBlockToken(Block block, Token<BlockTokenIdentifier> token,
    AccessMode accessMode) throws IOException {
  if (!isBlockTokenEnabled || !UserGroupInformation.isSecurityEnabled()) {
    return;
  }
  final BlockTokenIdentifier parsedId = new BlockTokenIdentifier();
  parsedId.readFields(new DataInputStream(
      new ByteArrayInputStream(token.getIdentifier())));
  if (LOG.isDebugEnabled()) {
    LOG.debug("Got: " + parsedId.toString());
  }
  blockTokenSecretManager.checkAccess(parsedId, null, block, accessMode);
}
/**
 * Mock answer: asserts that the call has one argument and that the current
 * user carries exactly one token identifier equal to {@code ident}, runs a
 * WRITE access check on it, and returns its block id.
 */
@Override
public Long answer(InvocationOnMock invocation) throws IOException {
  final Object[] callArgs = invocation.getArguments();
  assertEquals(1, callArgs.length);
  final Block requestedBlock = (Block) callArgs[0];

  final Set<TokenIdentifier> identifiers =
      UserGroupInformation.getCurrentUser().getTokenIdentifiers();
  assertEquals("Only one BlockTokenIdentifier expected", 1,
      identifiers.size());

  long blockId = 0;
  for (TokenIdentifier candidate : identifiers) {
    final BlockTokenIdentifier received = (BlockTokenIdentifier) candidate;
    LOG.info("Got: " + received.toString());
    assertTrue("Received BlockTokenIdentifier is wrong",
        ident.equals(received));
    sm.checkAccess(received, null, requestedBlock,
        BlockTokenSecretManager.AccessMode.WRITE);
    blockId = received.getBlockId();
  }
  return blockId;
}
} // closes the enclosing declaration, opened outside this excerpt
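/**
 * Check if access should be allowed. {@code userId} is not checked if null.
 *
 * <p>The identifier is de-serialized from the token bytes, checked against
 * the request (user, block, mode), and then the token password is compared
 * with the password this manager retrieves for that identifier. The password
 * comparison is what authenticates the identifier; the token is accepted
 * only if every step succeeds.
 *
 * @param token  block token presented by the caller
 * @param userId user to check, or null to skip the user check
 * @param block  block being accessed
 * @param mode   requested access mode
 * @throws InvalidToken if the identifier cannot be de-serialized, the check
 *         rejects it, or the token password does not match
 */
public void checkAccess(Token<BlockTokenIdentifier> token, String userId,
    ExtendedBlock block, AccessMode mode) throws InvalidToken {
  BlockTokenIdentifier id = new BlockTokenIdentifier();
  try {
    id.readFields(new DataInputStream(
        new ByteArrayInputStream(token.getIdentifier())));
  } catch (IOException e) {
    InvalidToken invalid = new InvalidToken(
        "Unable to de-serialize block token identifier for user=" + userId
            + ", block=" + block + ", access mode=" + mode);
    // Keep the parse failure attached so it is not lost for diagnosis.
    invalid.initCause(e);
    throw invalid;
  }
  checkAccess(id, userId, block, mode);
  // Constant-time comparison: Arrays.equals stops at the first differing
  // byte, so its running time depends on how much of the password matches.
  if (!java.security.MessageDigest.isEqual(retrievePassword(id),
      token.getPassword())) {
    throw new InvalidToken("Block token with " + id.toString()
        + " doesn't have the correct token password");
  }
}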
/**
 * Cross-checks token acceptance between two secret managers: every
 * single-mode token generated by one side is passed to {@code checkAccess}
 * on both sides, followed by a token that carries all access modes.
 *
 * @throws Exception if token generation or an access check fails
 */
private void tokenGenerationAndVerification(BlockTokenSecretManager master,
    BlockTokenSecretManager slave) throws Exception {
  // Phase 1: one token per access mode, from each manager.
  for (BlockTokenSecretManager.AccessMode singleMode
      : BlockTokenSecretManager.AccessMode.values()) {
    final EnumSet<BlockTokenSecretManager.AccessMode> masterModes =
        EnumSet.of(singleMode);
    Token<BlockTokenIdentifier> masterToken =
        master.generateToken(block1, masterModes);
    master.checkAccess(masterToken, null, block1, singleMode);
    slave.checkAccess(masterToken, null, block1, singleMode);

    final EnumSet<BlockTokenSecretManager.AccessMode> slaveModes =
        EnumSet.of(singleMode);
    Token<BlockTokenIdentifier> slaveToken =
        slave.generateToken(block2, slaveModes);
    master.checkAccess(slaveToken, null, block2, singleMode);
    slave.checkAccess(slaveToken, null, block2, singleMode);
  }

  // Phase 2: a single token granting every access mode.
  final EnumSet<BlockTokenSecretManager.AccessMode> everyMode =
      EnumSet.allOf(BlockTokenSecretManager.AccessMode.class);
  Token<BlockTokenIdentifier> multiModeToken =
      master.generateToken(block3, everyMode);
  for (BlockTokenSecretManager.AccessMode checkedMode
      : BlockTokenSecretManager.AccessMode.values()) {
    master.checkAccess(multiModeToken, null, block3, checkedMode);
    slave.checkAccess(multiModeToken, null, block3, checkedMode);
  }
}
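/**
 * Check if access should be allowed. {@code userId} is not checked if null.
 *
 * <p>Steps: de-serialize the identifier from the token bytes, run the
 * identifier-based check for the user, block and mode, then compare the
 * token password with the one this manager retrieves for the identifier.
 * Only the password comparison authenticates the identifier, so all three
 * steps must pass.
 *
 * @param token  block token presented by the caller
 * @param userId user to check, or null to skip the user check
 * @param block  block being accessed
 * @param mode   requested access mode
 * @throws InvalidToken if the identifier cannot be de-serialized, the check
 *         rejects it, or the token password does not match
 */
public void checkAccess(Token<BlockTokenIdentifier> token, String userId,
    ExtendedBlock block, AccessMode mode) throws InvalidToken {
  BlockTokenIdentifier id = new BlockTokenIdentifier();
  try {
    id.readFields(new DataInputStream(
        new ByteArrayInputStream(token.getIdentifier())));
  } catch (IOException e) {
    InvalidToken invalid = new InvalidToken(
        "Unable to de-serialize block token identifier for user=" + userId
            + ", block=" + block + ", access mode=" + mode);
    // Preserve the underlying I/O failure as the cause.
    invalid.initCause(e);
    throw invalid;
  }
  checkAccess(id, userId, block, mode);
  // Compare in constant time; Arrays.equals returns at the first mismatch,
  // which makes its duration depend on the number of matching bytes.
  if (!java.security.MessageDigest.isEqual(retrievePassword(id),
      token.getPassword())) {
    throw new InvalidToken("Block token with " + id.toString()
        + " doesn't have the correct token password");
  }
}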
/**
 * Mock answer: asserts that the call has two arguments and that the current
 * user carries exactly one token identifier equal to {@code ident}, runs a
 * WRITE access check for the requested block, and returns a response whose
 * length is the identifier's block id.
 */
@Override
public GetReplicaVisibleLengthResponseProto answer(
    InvocationOnMock invocation) throws IOException {
  final Object[] callArgs = invocation.getArguments();
  assertEquals(2, callArgs.length);
  final GetReplicaVisibleLengthRequestProto request =
      (GetReplicaVisibleLengthRequestProto) callArgs[1];

  final Set<TokenIdentifier> identifiers =
      UserGroupInformation.getCurrentUser().getTokenIdentifiers();
  assertEquals("Only one BlockTokenIdentifier expected", 1,
      identifiers.size());

  long blockId = 0;
  for (TokenIdentifier candidate : identifiers) {
    final BlockTokenIdentifier received = (BlockTokenIdentifier) candidate;
    LOG.info("Got: " + received.toString());
    assertTrue("Received BlockTokenIdentifier is wrong",
        ident.equals(received));
    sm.checkAccess(received, null, PBHelper.convert(request.getBlock()),
        BlockTokenSecretManager.AccessMode.WRITE);
    blockId = received.getBlockId();
  }

  final GetReplicaVisibleLengthResponseProto.Builder response =
      GetReplicaVisibleLengthResponseProto.newBuilder();
  return response.setLength(blockId).build();
}
} // closes the enclosing declaration, opened outside this excerpt