requireNonNull(cfg); final AuthenticationTokenIdentifier id = new AuthenticationTokenIdentifier(username, cfg); if (id.getInstanceId() != null) { svcName.append("-").append(id.getInstanceId()); Token<AuthenticationTokenIdentifier> token = new Token<>(id.getBytes(), password, id.getKind(), new Text(svcName.toString())); return Maps.immutableEntry(token, id);
/**
 * Copy constructor.
 *
 * The new instance is backed by its own {@link TAuthenticationTokenIdentifier}, built via the
 * Thrift copy constructor from the source's struct, so the two identifiers do not alias one
 * another's Thrift state.
 *
 * @param identifier
 *          the identifier to copy; must not be null
 */
public AuthenticationTokenIdentifier(AuthenticationTokenIdentifier identifier) {
  final TAuthenticationTokenIdentifier source = requireNonNull(identifier).getThriftIdentifier();
  impl = new TAuthenticationTokenIdentifier(source);
}
/**
 * Deserializes this token from {@code in}: the superclass portion first, then the embedded
 * {@link AuthenticationTokenIdentifier}, which must match the order the corresponding write
 * produces.
 *
 * @throws IOException
 *           if either portion cannot be read
 */
@Override
public void readFields(DataInput in) throws IOException {
  super.readFields(in);
  // Always start from a fresh identifier so no field from a previous read can leak through.
  identifier = new AuthenticationTokenIdentifier();
  identifier.readFields(in);
}
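/**
 * Derives the password for a new delegation token and fills in the identifier fields the password
 * commits to: key id, issue date, expiration date and instance id.
 *
 * <p>
 * The expiration defaults to {@code now + tokenMaxLifetime}. The caller's
 * {@link DelegationTokenConfig} may shorten that lifetime but never extend it; a request beyond
 * the maximum is rejected. Both additions saturate at {@link Long#MAX_VALUE} instead of wrapping
 * negative, which would otherwise yield an already-expired token or make every requested
 * lifetime look "too long".
 *
 * @param identifier
 *          the identifier to populate; mutated in place before its bytes are signed
 * @return the password computed over the finalized identifier bytes with the current secret key
 * @throws RuntimeException
 *           if the requested lifetime exceeds the configured maximum
 */
@Override
protected byte[] createPassword(AuthenticationTokenIdentifier identifier) {
  final DelegationTokenConfig cfg = identifier.getConfig();
  final long now = System.currentTimeMillis();

  // Snapshot the current key once so the key id recorded in the identifier and the key material
  // used for the password always belong to the same key, even if the key rotates mid-call.
  final AuthenticationKey secretKey = currentKey;
  identifier.setKeyId(secretKey.getKeyId());
  identifier.setIssueDate(now);

  // Configured maximum lifetime; guard the addition against long overflow.
  long expiration = now + tokenMaxLifetime;
  if (expiration < now) {
    expiration = Long.MAX_VALUE;
  }
  identifier.setExpirationDate(expiration);

  // A caller may only limit the lifetime, never extend it past the configured maximum.
  final long requestedLifetime = cfg.getTokenLifetime(TimeUnit.MILLISECONDS);
  if (requestedLifetime > 0) {
    long requestedExpirationDate = identifier.getIssueDate() + requestedLifetime;
    // Same overflow guard for the caller-supplied lifetime.
    if (requestedExpirationDate < identifier.getIssueDate()) {
      requestedExpirationDate = Long.MAX_VALUE;
    }
    if (requestedExpirationDate > identifier.getExpirationDate()) {
      throw new RuntimeException("Requested token lifetime exceeds configured maximum");
    }
    log.trace("Overriding token expiration date from {} to {}", identifier.getExpirationDate(),
        requestedExpirationDate);
    identifier.setExpirationDate(requestedExpirationDate);
  }

  // Set before getBytes() so the instance id is covered by the password.
  identifier.setInstanceId(instanceID);

  return createPassword(identifier.getBytes(), secretKey.getKey());
}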
/**
 * Recomputes the password for a presented token identifier.
 *
 * Nothing is looked up per token: the identifier's validity window is checked against the
 * current clock, the key it names is resolved, and the password is regenerated from the
 * identifier bytes with that key. The identifier itself comes from the client, so it is only a
 * claim; presumably the SASL layer compares the returned password with what the client proves
 * knowledge of.
 *
 * @param identifier
 *          the client-presented identifier
 * @return the password a genuine token with this identifier would carry
 * @throws InvalidToken
 *           if the token is expired, claims a future issue date, or names an unknown key
 */
@Override
public byte[] retrievePassword(AuthenticationTokenIdentifier identifier) throws InvalidToken {
  final long now = System.currentTimeMillis();
  if (identifier.getExpirationDate() < now) {
    throw new InvalidToken("Token has expired");
  }
  if (identifier.getIssueDate() > now) {
    throw new InvalidToken("Token issued in the future");
  }
  final AuthenticationKey signingKey = allKeys.get(identifier.getKeyId());
  if (signingKey == null) {
    throw new InvalidToken("Unknown master key for token (id=" + identifier.getKeyId() + ")");
  }
  // regenerate the password
  return createPassword(identifier.getBytes(), signingKey.getKey());
}
/**
 * Supplies an empty {@link AuthenticationTokenIdentifier} for the framework to deserialize into.
 *
 * @return a new, unpopulated identifier
 */
@Override
public AuthenticationTokenIdentifier createIdentifier() {
  final AuthenticationTokenIdentifier blank = new AuthenticationTokenIdentifier();
  return blank;
}
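/**
 * The service name used to identify the {@link Token} in a credentials store.
 *
 * The name is {@code SERVICE_NAME}, with {@code -<instanceId>} appended only when the identifier
 * carries an instance id. That matches the form used where the token is generated (the instance
 * id is appended only when non-null), so a lookup never searches for a {@code SERVICE_NAME-null}
 * entry that cannot exist.
 *
 * @return the service name
 * @throws NullPointerException
 *           if this token has no identifier
 */
public Text getServiceName() {
  requireNonNull(identifier);
  final StringBuilder name = new StringBuilder().append(SERVICE_NAME);
  if (identifier.getInstanceId() != null) {
    name.append("-").append(identifier.getInstanceId());
  }
  return new Text(name.toString());
}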
/**
 * Decodes a SASL user name back into the token identifier it encodes.
 *
 * The bytes originate from the unauthenticated client; the returned identifier is a claim, not a
 * verified token, until the secret manager recomputes its password.
 *
 * @param id
 *          the encoded identifier
 * @param secretManager
 *          used only to obtain an empty identifier to deserialize into
 * @return the deserialized identifier
 * @throws InvalidToken
 *           if the bytes cannot be deserialized (the {@link IOException} is attached as cause)
 */
private AuthenticationTokenIdentifier getIdentifier(String id,
    AuthenticationTokenSecretManager secretManager) throws InvalidToken {
  final byte[] raw = decodeIdentifier(id);
  final AuthenticationTokenIdentifier parsed = secretManager.createIdentifier();
  final DataInputStream in = new DataInputStream(new ByteArrayInputStream(raw));
  try {
    parsed.readFields(in);
  } catch (IOException e) {
    final InvalidToken invalid = new InvalidToken("Can't de-serialize tokenIdentifier");
    invalid.initCause(e);
    throw invalid;
  }
  return parsed;
}
/**
 * Prepares the SASL digest credentials for a delegation token: the serialized identifier becomes
 * the user name and the token password becomes the password, each run through the transport
 * encoding.
 *
 * @param token
 *          the delegation token to authenticate with; must not be null
 */
public SaslClientDigestCallbackHandler(DelegationTokenImpl token) {
  final DelegationTokenImpl source = requireNonNull(token);
  final byte[] identifierBytes = source.getIdentifier().getBytes();
  this.userName = encodeIdentifier(identifierBytes);
  this.userPassword = encodePassword(source.getPassword());
}
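/**
 * Two delegation tokens are equal when the superclass considers them equal and their
 * identifiers are equal.
 *
 * The explicit {@code instanceof} check makes the cast safe on its own instead of relying on the
 * superclass's {@code equals} having already rejected other types. Note that this is an
 * object-equality check, not a timing-safe credential comparison; do not use it to verify a
 * presented token.
 *
 * @param obj
 *          the object to compare with
 * @return whether {@code obj} is an equal delegation token
 */
@Override
public boolean equals(Object obj) {
  if (!super.equals(obj)) {
    return false;
  }
  if (!(obj instanceof DelegationTokenImpl)) {
    return false;
  }
  return identifier.equals(((DelegationTokenImpl) obj).identifier);
}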
/**
 * Produces a copy of this token with its own identifier instance.
 *
 * The identifier is deep-copied via its copy constructor. Whether the password bytes are copied
 * or shared depends on {@code getPassword()}/{@code setPassword()} — NOTE(review): confirm those
 * defensively copy if the array must not be shared between clones.
 *
 * @return the copy
 */
@Override
public DelegationTokenImpl clone() {
  final DelegationTokenImpl cloned = (DelegationTokenImpl) super.clone();
  cloned.setPassword(getPassword());
  cloned.identifier = new AuthenticationTokenIdentifier(identifier);
  return cloned;
}
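/**
 * Unwraps the provided {@link AuthenticationToken} if it is an instance of DelegationTokenStub,
 * reconstituting it from the provided {@link JobConf}.
 *
 * The stub carries only a service name; the identifier bytes and the password (the actual
 * secret) are looked up in the job's credentials under that name. A missing entry is reported
 * explicitly rather than surfacing as a {@code NullPointerException} from the Hadoop token.
 *
 * @param job
 *          The job
 * @param token
 *          The authentication token
 * @return the reconstituted {@link DelegationTokenImpl}, or {@code token} unchanged when it is
 *         not a stub
 * @throws IllegalStateException
 *           if the job credentials hold no token under the stub's service name
 * @throws RuntimeException
 *           if the stored identifier bytes cannot be deserialized
 */
public static AuthenticationToken unwrapAuthenticationToken(JobConf job,
    AuthenticationToken token) {
  requireNonNull(job);
  requireNonNull(token);
  if (!(token instanceof org.apache.accumulo.core.clientImpl.mapreduce.DelegationTokenStub)) {
    return token;
  }
  final org.apache.accumulo.core.clientImpl.mapreduce.DelegationTokenStub delTokenStub =
      (org.apache.accumulo.core.clientImpl.mapreduce.DelegationTokenStub) token;
  final Text serviceName = new Text(delTokenStub.getServiceName());
  final Token<? extends TokenIdentifier> hadoopToken = job.getCredentials().getToken(serviceName);
  if (hadoopToken == null) {
    throw new IllegalStateException(
        "No delegation token found in job credentials for service " + serviceName);
  }
  final AuthenticationTokenIdentifier identifier = new AuthenticationTokenIdentifier();
  try {
    identifier
        .readFields(new DataInputStream(new ByteArrayInputStream(hadoopToken.getIdentifier())));
  } catch (IOException e) {
    throw new RuntimeException("Could not construct DelegationToken from JobConf Credentials", e);
  }
  return new DelegationTokenImpl(hadoopToken.getPassword(), identifier);
}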
/**
 * Requests a delegation token from the master for the current RPC principal.
 *
 * A null {@code cfg} is sent as an empty Thrift config (presumably meaning server defaults). The
 * master returns the token password — the secret — together with the identifier, from which the
 * client-side {@link DelegationTokenImpl} is assembled.
 *
 * @param cfg
 *          optional token options, may be null
 * @return the new delegation token
 * @throws AccumuloException
 *           on RPC failure
 * @throws AccumuloSecurityException
 *           if the caller may not obtain delegation tokens
 */
@Override
public DelegationToken getDelegationToken(DelegationTokenConfig cfg)
    throws AccumuloException, AccumuloSecurityException {
  final TDelegationTokenConfig tConfig =
      cfg == null ? new TDelegationTokenConfig() : DelegationTokenConfigSerializer.serialize(cfg);
  final TDelegationToken thriftToken;
  try {
    thriftToken = MasterClient.execute(context,
        client -> client.getDelegationToken(Tracer.traceInfo(), context.rpcCreds(), tConfig));
  } catch (TableNotFoundException e) {
    // should never happen
    throw new AssertionError(
        "Received TableNotFoundException on method which should not throw that exception", e);
  }
  final AuthenticationTokenIdentifier identifier =
      new AuthenticationTokenIdentifier(thriftToken.getIdentifier());
  // Get the password out of the thrift delegation token
  return new DelegationTokenImpl(thriftToken.getPassword(), identifier);
}
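/**
 * Issues a delegation token for the authenticated caller.
 *
 * The token's owner is the principal from {@code credentials}, never anything in
 * {@code tConfig}, so a caller can only mint a token for itself (assuming
 * {@code canObtainDelegationToken} authenticates the credentials). The caller-supplied config
 * may only shorten the token lifetime; the secret manager enforces the configured maximum.
 * Authorization is checked before the availability check so unauthorized callers learn nothing
 * about whether delegation tokens are enabled.
 *
 * @param tinfo
 *          trace info
 * @param credentials
 *          the caller's RPC credentials
 * @param tConfig
 *          caller-supplied token options (e.g. lifetime)
 * @return the generated token: its password (the secret) and its identifier
 * @throws ThriftSecurityException
 *           if the caller is not permitted to obtain delegation tokens
 * @throws TException
 *           if delegation tokens are not enabled, or token generation fails (cause attached)
 */
@Override
public TDelegationToken getDelegationToken(TInfo tinfo, TCredentials credentials,
    TDelegationTokenConfig tConfig) throws ThriftSecurityException, TException {
  if (!master.security.canObtainDelegationToken(credentials)) {
    throw new ThriftSecurityException(credentials.getPrincipal(),
        SecurityErrorCode.PERMISSION_DENIED);
  }
  // Make sure we're actually generating the secrets to make delegation tokens
  // Round-about way to verify that SASL is also enabled.
  if (!master.delegationTokensAvailable()) {
    throw new TException("Delegation tokens are not available for use");
  }
  final DelegationTokenConfig config = DelegationTokenConfigSerializer.deserialize(tConfig);
  final AuthenticationTokenSecretManager secretManager = master.getContext().getSecretManager();
  try {
    final Entry<Token<AuthenticationTokenIdentifier>,AuthenticationTokenIdentifier> pair =
        secretManager.generateToken(credentials.principal, config);
    return new TDelegationToken(ByteBuffer.wrap(pair.getKey().getPassword()),
        pair.getValue().getThriftIdentifier());
  } catch (Exception e) {
    // Keep the cause so server-side logging retains the stack trace; the client presumably
    // still sees only the message.
    throw new TException(e.getMessage(), e);
  }
}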
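/**
 * Unwraps the provided {@link AuthenticationToken} if it is an instance of DelegationTokenStub,
 * reconstituting it from the provided {@link JobContext}.
 *
 * The stub carries only a service name; the identifier bytes and the password (the actual
 * secret) are looked up in the job's credentials under that name. A missing entry is reported
 * explicitly rather than surfacing as a {@code NullPointerException} from the Hadoop token.
 *
 * @param job
 *          The job
 * @param token
 *          The authentication token
 * @return the reconstituted {@link DelegationTokenImpl}, or {@code token} unchanged when it is
 *         not a stub
 * @throws IllegalStateException
 *           if the job credentials hold no token under the stub's service name
 * @throws RuntimeException
 *           if the stored identifier bytes cannot be deserialized
 */
public static AuthenticationToken unwrapAuthenticationToken(JobContext job,
    AuthenticationToken token) {
  requireNonNull(job);
  requireNonNull(token);
  if (!(token instanceof org.apache.accumulo.core.clientImpl.mapreduce.DelegationTokenStub)) {
    return token;
  }
  final org.apache.accumulo.core.clientImpl.mapreduce.DelegationTokenStub delTokenStub =
      (org.apache.accumulo.core.clientImpl.mapreduce.DelegationTokenStub) token;
  final Text serviceName = new Text(delTokenStub.getServiceName());
  final Token<? extends TokenIdentifier> hadoopToken = job.getCredentials().getToken(serviceName);
  if (hadoopToken == null) {
    throw new IllegalStateException(
        "No delegation token found in job credentials for service " + serviceName);
  }
  final AuthenticationTokenIdentifier identifier = new AuthenticationTokenIdentifier();
  try {
    identifier
        .readFields(new DataInputStream(new ByteArrayInputStream(hadoopToken.getIdentifier())));
  } catch (IOException e) {
    throw new RuntimeException("Could not construct DelegationToken from JobConf Credentials", e);
  }
  return new DelegationTokenImpl(hadoopToken.getPassword(), identifier);
}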