ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier()); DataInputStream in = new DataInputStream(buf); TokenIdent id = createIdentifier(); id.readFields(in); LOG.info("Token renewal for identifier: " + formatTokenId(id) + "; total currentTokens " + currentTokens.size()); if (id.getMaxDate() < now) { throw new InvalidToken(renewer + " tried to renew an expired token " + formatTokenId(id) + " max expiration date: " + Time.formatTime(id.getMaxDate()) + " currentTime: " + Time.formatTime(now)); " tried to renew a token " + formatTokenId(id) + " without a renewer"); + " tries to renew a token " + formatTokenId(id) + " with non-matching renewer " + id.getRenewer()); DelegationKey key = getDelegationKey(id.getMasterKeyId()); if (key == null) { throw new InvalidToken("Unable to find master key for keyId=" + id.getMasterKeyId() + " from cache. Failed to renew an unexpired token " + formatTokenId(id) + " with sequenceNumber=" + id.getSequenceNumber()); byte[] password = createPassword(token.getIdentifier(), key.getKey()); if (!MessageDigest.isEqual(password, token.getPassword())) {
/**
 * Cancels a delegation token through the underlying secret manager.
 *
 * <p>If no canceler is supplied, the name is taken from
 * {@code verifyToken(token).getShortUserName()}, so the token is verified
 * before a default canceler is derived from it. Whether that canceler is
 * allowed to cancel is not decided here; presumably
 * {@code secretManager.cancelToken} enforces it (confirm against the
 * secret manager).
 *
 * @param token the delegation token to cancel
 * @param canceler name of the principal requesting cancellation, or
 *        {@code null} to derive it from the verified token
 * @throws IOException if verification or cancellation fails
 */
@SuppressWarnings("unchecked")
public void cancelToken(
    Token<? extends AbstractDelegationTokenIdentifier> token,
    String canceler) throws IOException {
  // NOTE(review): the token is logged via its toString(); confirm that
  // rendering never includes the token password bytes.
  LOG.debug("Cancelling token:{} with canceler:{}.", token, canceler);
  if (canceler == null) {
    // Fall back to the identity carried by the (verified) token itself.
    canceler = verifyToken(token).getShortUserName();
  }
  secretManager.cancelToken(token, canceler);
}
/**
 * Renews a delegation token through the underlying secret manager.
 *
 * <p>This method performs no checks of its own; the renewer name is passed
 * straight to {@code secretManager.renewToken}, which is presumably where
 * expiry, renewer matching and password validation happen (confirm against
 * the secret manager).
 *
 * @param token the delegation token to renew
 * @param renewer name of the principal requesting the renewal
 * @return the value returned by {@code secretManager.renewToken}
 * @throws IOException if the secret manager rejects or fails the renewal
 */
@SuppressWarnings("unchecked")
public long renewToken(
    Token<? extends AbstractDelegationTokenIdentifier> token,
    String renewer) throws IOException {
  // NOTE(review): the token is logged via its toString(); confirm that
  // rendering never includes the token password bytes.
  LOG.debug("Renewing token:{} with renewer:{}.", token, renewer);
  final long renewed = secretManager.renewToken(token, renewer);
  return renewed;
}
/**
 * Processes a batch of expired tokens: for each one, calls
 * {@code logExpireToken}, writes an INFO line naming the token, and then
 * calls {@code removeStoredToken}.
 *
 * <p>The loop stops at the first {@link IOException}; identifiers later in
 * the collection are then left unprocessed by this call.
 *
 * @param expiredTokens identifiers of the tokens to expire
 * @throws IOException if logging the expiry or removing a stored token fails
 */
protected void logExpireTokens(
    Collection<TokenIdent> expiredTokens) throws IOException {
  for (TokenIdent ident : expiredTokens) {
    logExpireToken(ident);
    // Only the formatted identifier is logged, never the token password.
    final String message = "Removing expired token " + formatTokenId(ident);
    LOG.info(message);
    removeStoredToken(ident);
  }
}
/**
 * Checks that the supplied password matches the one held for the given
 * token identifier.
 *
 * <p>The expected password is obtained from {@code retrievePassword} and
 * compared with {@link MessageDigest#isEqual(byte[], byte[])}, a
 * constant-time comparison, so the time taken does not reveal how many
 * leading bytes of a guessed password were correct. Keep it that way; do not
 * replace it with {@code Arrays.equals} or a hand-written loop.
 *
 * @param identifier Token identifier.
 * @param password Password in the token.
 * @throws InvalidToken if the supplied password differs from the stored one;
 *         {@code retrievePassword} presumably raises it as well for tokens
 *         it does not accept (confirm against that method)
 */
public synchronized void verifyToken(TokenIdent identifier, byte[] password)
    throws InvalidToken {
  final byte[] expected = retrievePassword(identifier);
  final boolean matches = MessageDigest.isEqual(password, expected);
  if (matches) {
    return;
  }
  // The message names the token id only; neither password is included.
  throw new InvalidToken("token " + formatTokenId(identifier)
      + " is invalid, password doesn't match");
}
if (dKey == null) { LOG.warn("No KEY found for persisted identifier " + formatTokenId(identifier)); return; byte[] password = createPassword(identifier.getBytes(), dKey.getKey()); if (identifier.getSequenceNumber() > getDelegationTokenSeqNum()) { setDelegationTokenSeqNum(identifier.getSequenceNumber()); if (getTokenInfo(identifier) == null) { currentTokens.put(identifier, new DelegationTokenInformation(renewDate, password, getTrackingIdIfEnabled(identifier))); } else { throw new IOException("Same delegation token being added twice: " + formatTokenId(identifier));
/**
 * Issues a new token: stamps the identifier, derives its password from the
 * current master key, and records the token.
 *
 * <p>The identifier is mutated in place: issue date, max date (now plus
 * {@code tokenMaxLifetime}), master key id and a freshly incremented sequence
 * number are all set before the password is computed over
 * {@code identifier.getBytes()} with the two-argument {@code createPassword}
 * overload (not shown here).
 *
 * <p>NOTE(review): an {@link IOException} from {@code storeToken} is only
 * logged and the password is still returned, so a caller can receive a
 * password for a token whose store call failed. Confirm this best-effort
 * behaviour is intended.
 *
 * @param identifier the identifier to stamp and sign; modified by this call
 * @return the password computed for the stamped identifier
 */
@Override
protected synchronized byte[] createPassword(TokenIdent identifier) {
  final long issuedAt = Time.now();
  final int seqNo = incrementDelegationTokenSeqNum();
  identifier.setIssueDate(issuedAt);
  identifier.setMaxDate(issuedAt + tokenMaxLifetime);
  identifier.setMasterKeyId(currentKey.getKeyId());
  identifier.setSequenceNumber(seqNo);
  // Log the identifier and key id only; the derived password is a secret and
  // stays out of the log.
  LOG.info("Creating password for identifier: " + formatTokenId(identifier)
      + ", currentKey: " + currentKey.getKeyId());
  final byte[] secret =
      createPassword(identifier.getBytes(), currentKey.getKey());
  final long firstRenewDate = issuedAt + tokenRenewInterval;
  final DelegationTokenInformation info = new DelegationTokenInformation(
      firstRenewDate, secret, getTrackingIdIfEnabled(identifier));
  try {
    storeToken(identifier, info);
  } catch (IOException ioe) {
    // Best effort: the failure is logged and the password is returned anyway.
    LOG.error("Could not store token " + formatTokenId(identifier) + "!!",
        ioe);
  }
  return secret;
}
/**
 * Delegates unchanged to the superclass implementation.
 *
 * <p>Presumably re-declared so that code in this class's package can call the
 * protected method directly (confirm against the callers).
 *
 * @param t the identifier to create a password for
 * @return the password produced by the superclass
 */
@Override
protected byte[] createPassword(TestDelegationTokenIdentifier t) {
  final byte[] password = super.createPassword(t);
  return password;
}
/**
 * Evicts every token whose renew date lies before the current time from
 * {@code currentTokens}, then logs and removes each evicted token from the
 * store.
 *
 * <p>Expiry is judged on the renew date held in the token information; the
 * identifier's max date is not consulted here.
 *
 * @throws IOException if logging the expiry or removing a stored token fails;
 *         tokens already evicted from the cache stay evicted
 */
private void removeExpiredToken() throws IOException {
  final long cutoff = Time.now();
  final Set<TokenIdent> expired = new HashSet<TokenIdent>();
  synchronized (this) {
    for (Iterator<Map.Entry<TokenIdent, DelegationTokenInformation>> it =
        currentTokens.entrySet().iterator(); it.hasNext();) {
      final Map.Entry<TokenIdent, DelegationTokenInformation> candidate =
          it.next();
      if (candidate.getValue().getRenewDate() >= cutoff) {
        continue; // still renewable, keep it
      }
      expired.add(candidate.getKey());
      it.remove();
    }
  }
  // don't hold lock on 'this' to avoid edit log updates blocking token ops
  for (TokenIdent ident : expired) {
    logExpireToken(ident);
    removeStoredToken(ident);
  }
}
/**
 * Looks up the password for a token identifier, turning an
 * {@code InvalidToken} into a {@code RetriableException} while the
 * namesystem is transitioning to active.
 *
 * <p>{@code namesystem.checkOperation(OperationCategory.READ)} runs first,
 * before any lookup. Outside the transition window the original
 * {@code InvalidToken} is rethrown unchanged, so a bad token is still
 * rejected.
 *
 * @param identifier the token identifier to look up
 * @return the password returned by the superclass {@code retrievePassword}
 * @throws InvalidToken if the lookup fails and no transition is in progress
 * @throws RetriableException if the lookup fails during the transition to
 *         active; the original {@code InvalidToken} is passed to its
 *         constructor
 */
@Override
public byte[] retriableRetrievePassword(DelegationTokenIdentifier identifier)
    throws InvalidToken, StandbyException, RetriableException, IOException {
  namesystem.checkOperation(OperationCategory.READ);
  try {
    return super.retrievePassword(identifier);
  } catch (InvalidToken invalid) {
    if (!namesystem.inTransitionToActive()) {
      throw invalid;
    }
    // if the namesystem is currently in the middle of transition to
    // active state, let client retry since the corresponding editlog may
    // have not been applied yet
    throw new RetriableException(invalid);
  }
}
ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier()); DataInputStream in = new DataInputStream(buf); TokenIdent id = createIdentifier(); id.readFields(in); LOG.info("Token cancelation requested for identifier: "+id); throw new InvalidToken("Token not found"); removeStoredToken(id); return id;
/**
 * Invokes {@code rollMasterKey()} on the given secret manager.
 *
 * <p>NOTE(review): this is a public static entry point to key rotation;
 * presumably a helper that makes a non-public method reachable from other
 * packages (e.g. tests). Confirm it is not reachable from production call
 * paths that should not trigger a key roll.
 *
 * @param mgr the secret manager whose master key is rolled
 * @throws IOException if the secret manager fails to roll the key
 */
public static void rollMasterKey(
    final AbstractDelegationTokenSecretManager<
        ? extends AbstractDelegationTokenIdentifier> mgr)
    throws IOException {
  mgr.rollMasterKey();
}
ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier()); DataInputStream in = new DataInputStream(buf); TokenIdent id = createIdentifier(); id.readFields(in); LOG.info("Token cancellation requested for identifier: " + formatTokenId(id)); throw new InvalidToken("Token with no owner " + formatTokenId(id)); .equals(renewer.toString()))) { throw new AccessControlException(canceller + " is not authorized to cancel the token " + formatTokenId(id)); throw new InvalidToken("Token not found " + formatTokenId(id)); removeStoredToken(id); return id;
/**
 * Records a master key in the in-memory key map and then passes it to
 * {@code storeNewMasterKey}.
 *
 * <p>Intended as an override point for subclasses that externalize the
 * storage, for example ZooKeeper-based implementations.
 *
 * <p>The map is updated first, so if {@code storeNewMasterKey} throws, the
 * key is already present in {@code allKeys}.
 *
 * @param key the delegation key to record
 * @throws IOException if {@code storeNewMasterKey} fails
 */
protected void storeDelegationKey(DelegationKey key) throws IOException {
  final int keyId = key.getKeyId();
  allKeys.put(keyId, key);
  storeNewMasterKey(key);
}
/**
 * Records a newly issued token in {@code currentTokens} and then passes its
 * identifier and renew date to {@code storeNewToken}.
 *
 * <p>Intended as an override point for subclasses that externalize the
 * storage, for example ZooKeeper-based implementations.
 *
 * <p>The in-memory map is updated first, so if {@code storeNewToken} throws,
 * the token is already present in {@code currentTokens}.
 *
 * @param ident identifier of the token
 * @param tokenInfo renew date, password and tracking data for the token
 * @throws IOException if {@code storeNewToken} fails
 */
protected void storeToken(TokenIdent ident,
    DelegationTokenInformation tokenInfo) throws IOException {
  currentTokens.put(ident, tokenInfo);
  // Only the renew date goes to storeNewToken, not the whole token info.
  final long renewDate = tokenInfo.getRenewDate();
  storeNewToken(ident, renewDate);
}
/**
 * Replaces the cached information for an existing token in
 * {@code currentTokens} and then passes its identifier and renew date to
 * {@code updateStoredToken}.
 *
 * <p>Intended as an override point for subclasses that externalize the
 * storage, for example ZooKeeper-based implementations.
 *
 * <p>The in-memory map is updated first, so if {@code updateStoredToken}
 * throws, {@code currentTokens} already holds the new information.
 *
 * @param ident identifier of the token
 * @param tokenInfo the new renew date, password and tracking data
 * @throws IOException if {@code updateStoredToken} fails
 */
protected void updateToken(TokenIdent ident,
    DelegationTokenInformation tokenInfo) throws IOException {
  currentTokens.put(ident, tokenInfo);
  // Only the renew date goes to updateStoredToken, not the whole token info.
  final long renewDate = tokenInfo.getRenewDate();
  updateStoredToken(ident, renewDate);
}
/**
 * Delegates to the superclass and then records that the removal hook ran.
 *
 * <p>The flag is set only after {@code super.removeStoredToken} returns
 * normally; if the superclass throws, {@code isRemoveStoredTokenCalled} is
 * left unchanged.
 *
 * @param ident identifier of the token being removed
 * @throws IOException if the superclass removal fails
 */
@Override
protected void removeStoredToken(TestDelegationTokenIdentifier ident)
    throws IOException {
  super.removeStoredToken(ident);
  this.isRemoveStoredTokenCalled = true;
}
/**
 * Returns the delegation key for the given id by delegating unchanged to the
 * superclass.
 *
 * <p>NOTE(review): this override is {@code public}. If the superclass method
 * is less visible, any caller holding this object can obtain master key
 * material; confirm the class is confined to test or trusted code.
 *
 * @param keyId id of the master key to look up
 * @return whatever the superclass returns for {@code keyId}
 */
@Override
public DelegationKey getDelegationKey(int keyId) {
  final DelegationKey key = super.getDelegationKey(keyId);
  return key;
}
if (dKey == null) { LOG.warn("No KEY found for persisted identifier " + formatTokenId(identifier)); return; byte[] password = createPassword(identifier.getBytes(), dKey.getKey()); if (identifier.getSequenceNumber() > getDelegationTokenSeqNum()) { setDelegationTokenSeqNum(identifier.getSequenceNumber()); if (getTokenInfo(identifier) == null) { currentTokens.put(identifier, new DelegationTokenInformation(renewDate, password, getTrackingIdIfEnabled(identifier))); } else { throw new IOException("Same delegation token being added twice: " + formatTokenId(identifier));
/**
 * Stamps a new token identifier, computes its password from the current
 * master key, and stores the resulting token.
 *
 * <p>Side effects on {@code identifier}: the issue date, the max date (now
 * plus {@code tokenMaxLifetime}), the id of {@code currentKey} and a newly
 * incremented sequence number are written into it before the password is
 * computed over {@code identifier.getBytes()} by the two-argument
 * {@code createPassword} overload (not shown here).
 *
 * <p>NOTE(review): if {@code storeToken} throws an {@link IOException}, the
 * error is logged and the password is returned regardless. Confirm that
 * handing out a password after a failed store is acceptable.
 *
 * @param identifier the identifier to stamp and sign; modified by this call
 * @return the password computed for the stamped identifier
 */
@Override
protected synchronized byte[] createPassword(TokenIdent identifier) {
  final long createdAt = Time.now();
  final int sequence = incrementDelegationTokenSeqNum();
  identifier.setIssueDate(createdAt);
  identifier.setMaxDate(createdAt + tokenMaxLifetime);
  identifier.setMasterKeyId(currentKey.getKeyId());
  identifier.setSequenceNumber(sequence);
  // The log line carries the identifier and key id, never the password.
  LOG.info("Creating password for identifier: " + formatTokenId(identifier)
      + ", currentKey: " + currentKey.getKeyId());
  final byte[] tokenPassword =
      createPassword(identifier.getBytes(), currentKey.getKey());
  final long renewBy = createdAt + tokenRenewInterval;
  final DelegationTokenInformation stored = new DelegationTokenInformation(
      renewBy, tokenPassword, getTrackingIdIfEnabled(identifier));
  try {
    storeToken(identifier, stored);
  } catch (IOException ioe) {
    // Store failures are logged, not propagated; the password is still
    // returned below.
    LOG.error("Could not store token " + formatTokenId(identifier) + "!!",
        ioe);
  }
  return tokenPassword;
}