/**
 * Picks the delegation token in {@code creds} that belongs to the endpoint named by
 * {@code url}.
 *
 * <p>The lookup key is the service name that {@code SecurityUtil.buildTokenService} derives
 * from the URL's host and port, so only a token stored under exactly that name is returned.
 *
 * @param url endpoint whose host and port identify the token service
 * @param creds credentials to search
 * @return the token stored under the derived service name, or {@code null} when the
 *     credentials hold none
 */
@InterfaceAudience.Private
public org.apache.hadoop.security.token.Token<? extends TokenIdentifier>
    selectDelegationToken(URL url, Credentials creds) {
  // NOTE(review): URL.getPort() is -1 when the URL carries no explicit port, and
  // InetSocketAddress rejects that value; confirm callers always pass an explicit port.
  final Text tokenService =
      SecurityUtil.buildTokenService(new InetSocketAddress(url.getHost(), url.getPort()));
  final org.apache.hadoop.security.token.Token<? extends TokenIdentifier> selected =
      creds.getToken(tokenService);
  // The token is rendered through its toString(). NOTE(review): confirm that representation
  // leaves out the token password before routing debug logs to a shared sink.
  LOG.debug("Using delegation token {} from service:{}", selected, tokenService);
  return selected;
}
/**
 * Chooses the delegation token to use for {@code service}.
 *
 * <p>The token stored under the alias {@code service} is used only when its kind equals
 * {@code TOKEN_KIND}; a token of any other kind under that alias is ignored, and the choice is
 * delegated to {@code TokenSelector.INSTANCE} over all tokens in the credentials.
 *
 * @param creds credentials to search
 * @param service service name, used both as the alias and as the selector's service argument
 * @return the alias match when its kind is right, otherwise whatever the selector returns
 */
protected static Token<?> selectDelegationToken(Credentials creds, Text service) {
  final Token<?> byAlias = creds.getToken(service);
  // Tokens are logged via toString(). NOTE(review): confirm that output excludes the password.
  LOG.debug("selected by alias={} token={}", service, byAlias);

  final boolean aliasHasExpectedKind =
      byAlias != null && TOKEN_KIND.equals(byAlias.getKind());
  if (!aliasHasExpectedKind) {
    // Missing alias or wrong kind: fall back to matching on the service field of every token.
    final Token<?> byService =
        TokenSelector.INSTANCE.selectToken(service, creds.getAllTokens());
    LOG.debug("selected by service={} token={}", service, byService);
    return byService;
  }
  return byAlias;
}
@SuppressWarnings("unchecked") Token<LlapTokenIdentifier> llapToken = (Token<LlapTokenIdentifier>)credentials.getToken(LlapTokenIdentifier.KIND_NAME); this.token = llapToken; } else {
Token<?> token = credentials.getToken(service); if (token == null) { token = issuer.getDelegationToken(renewer);
/**
 * Verifies that a token already attached to a DAG is still there after
 * {@code DagUtils.addCredentials} runs as a user whose own credentials are empty.
 */
@Test
public void testCredentialsNotOverwritten() throws Exception {
  final DagUtils dagUtils = DagUtils.getInstance();
  final BaseWork work = mock(BaseWork.class);

  // Credentials placed on the DAG before addCredentials is invoked.
  final Text testTokenAlias = new Text("my_test_token");
  @SuppressWarnings("unchecked")
  Token<? extends TokenIdentifier> testToken = mock(Token.class);
  Credentials originalCredentials = new Credentials();
  originalCredentials.addToken(testTokenAlias, testToken);

  // The acting user contributes an empty credential set.
  final UserGroupInformation testUser =
      UserGroupInformation.createUserForTesting("test_user", new String[0]);
  testUser.addCredentials(new Credentials());

  final DAG dag = DAG.create("test_credentials_dag");
  dag.setCredentials(originalCredentials);

  final PrivilegedExceptionAction<Void> addAsTestUser = new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      dagUtils.addCredentials(work, dag);
      return null;
    }
  };
  testUser.doAs(addAsTestUser);

  Token<? extends TokenIdentifier> tokenAfterwards =
      dag.getCredentials().getToken(testTokenAlias);
  assertEquals(testToken, tokenAfterwards);
}
/**
 * Builds a delegation token from the Hadoop token that {@code user} holds for the given
 * Accumulo instance.
 *
 * <p>The Hadoop token is looked up under the alias {@code SERVICE_NAME + "-" + instanceID} and
 * handed to {@code setPasswordFromToken} together with {@code identifier}.
 *
 * @param instanceID Accumulo instance ID used to form the token alias
 * @param user user whose credentials are searched
 * @param identifier identifier passed on to {@code setPasswordFromToken}
 * @throws NullPointerException if any argument is null
 * @throws IllegalArgumentException if the user's credentials hold no token under the alias
 */
public DelegationTokenImpl(String instanceID, UserGroupInformation user,
    AuthenticationTokenIdentifier identifier) {
  requireNonNull(instanceID);
  requireNonNull(user);
  requireNonNull(identifier);

  final Credentials userCredentials = user.getCredentials();
  final Text tokenAlias = new Text(SERVICE_NAME + "-" + instanceID);
  final Token<? extends TokenIdentifier> hadoopToken = userCredentials.getToken(tokenAlias);

  if (hadoopToken != null) {
    setPasswordFromToken(hadoopToken, identifier);
  } else {
    // Refuse to construct a token object that carries no secret.
    throw new IllegalArgumentException(
        "Did not find Accumulo delegation token in provided UserGroupInformation");
  }
}
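/**
 * Unwraps the provided {@link AuthenticationToken} if it is an instance of DelegationTokenStub,
 * reconstituting it from the credentials of the provided {@link JobConf}. Any other token is
 * returned unchanged.
 *
 * @param job
 *          The job whose credentials hold the Hadoop token named by the stub
 * @param token
 *          The authentication token
 * @return the reconstituted delegation token when {@code token} is a stub, otherwise
 *         {@code token} itself
 * @throws NullPointerException
 *           if {@code job} or {@code token} is null, or if the job credentials hold no token
 *           under the stub's service name
 * @throws RuntimeException
 *           if the token identifier cannot be read back
 */
public static AuthenticationToken unwrapAuthenticationToken(JobConf job,
    AuthenticationToken token) {
  requireNonNull(job);
  requireNonNull(token);
  if (token instanceof org.apache.accumulo.core.clientImpl.mapreduce.DelegationTokenStub) {
    org.apache.accumulo.core.clientImpl.mapreduce.DelegationTokenStub delTokenStub =
        (org.apache.accumulo.core.clientImpl.mapreduce.DelegationTokenStub) token;
    Text serviceName = new Text(delTokenStub.getServiceName());
    // A job submitted without the delegation token yields null here. Fail with a message that
    // names the missing service instead of an anonymous NPE on getIdentifier() below.
    Token<? extends TokenIdentifier> hadoopToken =
        requireNonNull(job.getCredentials().getToken(serviceName),
            "No delegation token for service " + serviceName + " in job credentials");
    AuthenticationTokenIdentifier identifier = new AuthenticationTokenIdentifier();
    try {
      identifier
          .readFields(new DataInputStream(new ByteArrayInputStream(hadoopToken.getIdentifier())));
      // getPassword() is the token secret; keep it out of logs and exception messages.
      return new DelegationTokenImpl(hadoopToken.getPassword(), identifier);
    } catch (IOException e) {
      throw new RuntimeException("Could not construct DelegationToken from JobConf Credentials",
          e);
    }
  }
  return token;
}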
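/**
 * Unwraps the provided {@link AuthenticationToken} if it is an instance of DelegationTokenStub,
 * reconstituting it from the credentials of the provided {@link JobContext}. Any other token is
 * returned unchanged.
 *
 * @param job
 *          The job whose credentials hold the Hadoop token named by the stub
 * @param token
 *          The authentication token
 * @return the reconstituted delegation token when {@code token} is a stub, otherwise
 *         {@code token} itself
 * @throws NullPointerException
 *           if {@code job} or {@code token} is null, or if the job credentials hold no token
 *           under the stub's service name
 * @throws RuntimeException
 *           if the token identifier cannot be read back
 */
public static AuthenticationToken unwrapAuthenticationToken(JobContext job,
    AuthenticationToken token) {
  requireNonNull(job);
  requireNonNull(token);
  if (token instanceof org.apache.accumulo.core.clientImpl.mapreduce.DelegationTokenStub) {
    org.apache.accumulo.core.clientImpl.mapreduce.DelegationTokenStub delTokenStub =
        (org.apache.accumulo.core.clientImpl.mapreduce.DelegationTokenStub) token;
    Text serviceName = new Text(delTokenStub.getServiceName());
    // A job submitted without the delegation token yields null here. Fail with a message that
    // names the missing service instead of an anonymous NPE on getIdentifier() below.
    Token<? extends TokenIdentifier> hadoopToken =
        requireNonNull(job.getCredentials().getToken(serviceName),
            "No delegation token for service " + serviceName + " in job credentials");
    AuthenticationTokenIdentifier identifier = new AuthenticationTokenIdentifier();
    try {
      identifier
          .readFields(new DataInputStream(new ByteArrayInputStream(hadoopToken.getIdentifier())));
      // getPassword() is the token secret; keep it out of logs and exception messages.
      return new DelegationTokenImpl(hadoopToken.getPassword(), identifier);
    } catch (IOException e) {
      throw new RuntimeException("Could not construct DelegationToken from JobConf Credentials",
          e);
    }
  }
  return token;
}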
/**
 * Asserts that {@code creds} holds exactly as many tokens as were passed in, and that each
 * expected token is the one stored under its own service name.
 *
 * @param creds credentials under test
 * @param tokens tokens expected to be present
 */
private void checkToken(Credentials creds, Token<?> ... tokens) {
  // Comparing sizes first means extra, unexpected tokens fail the check too.
  assertEquals(tokens.length, creds.getAllTokens().size());
  for (int i = 0; i < tokens.length; i++) {
    final Token<?> expected = tokens[i];
    final Token<?> stored = creds.getToken(expected.getService());
    assertTrue(stored != null);
    assertEquals(expected, stored);
  }
}
/**
 * Verifies that a token and a secret key added to the login user's credentials are visible,
 * as the very same objects, through the credentials of a newly created {@code Job}.
 */
@Test
public void testUGICredentialsPropogation() throws Exception {
  final Text tokenService = new Text("service");
  final Text secretName = new Text("secret");
  final Token<?> token = mock(Token.class);
  final byte[] secret = new byte[0];

  final Credentials creds = new Credentials();
  creds.addToken(tokenService, token);
  creds.addSecretKey(secretName, secret);
  // NOTE(review): this adds to the login user's credentials and nothing here removes them
  // again; confirm other tests in the same JVM do not depend on a clean login user.
  UserGroupInformation.getLoginUser().addCredentials(creds);

  final Job job = new Job(new JobConf());
  assertSame(token, job.getCredentials().getToken(tokenService));
  assertSame(secret, job.getCredentials().getSecretKey(secretName));
}
}
Token<?> token3 = creds.getToken(new Text(fs3.getCanonicalServiceName())); assertTrue(token3 != null); checkToken(creds, newerToken1, token2, token3);
/**
 * Reads the job token stored in {@code credentials} under the {@code JOB_TOKEN} alias.
 *
 * <p>The cast to {@code Token<JobTokenIdentifier>} is unchecked: the kind of the stored token
 * is not verified here, so the result is only as trustworthy as whatever populated
 * {@code credentials}.
 *
 * @param credentials credentials to read from
 * @return job token; NOTE(review): presumably {@code null} when no token is stored under the
 *     alias, so callers should check before use
 */
@SuppressWarnings("unchecked")
@InterfaceAudience.Private
public static Token<JobTokenIdentifier> getJobToken(Credentials credentials) {
  final Token<?> stored = credentials.getToken(JOB_TOKEN);
  return (Token<JobTokenIdentifier>) stored;
}
/**
 * Reads the job token stored in {@code credentials} under the {@code JOB_TOKEN} alias.
 *
 * <p>The cast to {@code Token<JobTokenIdentifier>} is unchecked: the kind of the stored token
 * is not verified here, so the result is only as trustworthy as whatever populated
 * {@code credentials}.
 *
 * @param credentials credentials to read from
 * @return job token; NOTE(review): presumably {@code null} when no token is stored under the
 *     alias, so callers should check before use
 */
@SuppressWarnings("unchecked")
@InterfaceAudience.Private
public static Token<JobTokenIdentifier> getJobToken(Credentials credentials) {
  final Token<?> stored = credentials.getToken(JOB_TOKEN);
  return (Token<JobTokenIdentifier>) stored;
}
/**
 * Reads the job token stored in {@code credentials} under the {@code JOB_TOKEN} alias.
 *
 * <p>The cast to {@code Token<JobTokenIdentifier>} is unchecked: the kind of the stored token
 * is not verified here, so the result is only as trustworthy as whatever populated
 * {@code credentials}.
 *
 * @param credentials credentials to read from
 * @return job token; NOTE(review): presumably {@code null} when no token is stored under the
 *     alias, so callers should check before use
 */
@SuppressWarnings("unchecked")
@InterfaceAudience.Private
public static Token<JobTokenIdentifier> getJobToken(Credentials credentials) {
  final Token<?> stored = credentials.getToken(JOB_TOKEN);
  return (Token<JobTokenIdentifier>) stored;
}
}
/**
 * Reports whether the current user's credentials already hold a token under the name returned
 * by {@code getDelegationTokenService()}.
 *
 * <p>Only presence is tested; nothing about the token itself (kind, validity) is examined
 * here.
 *
 * @return {@code true} if such a token exists, {@code false} otherwise
 * @throws IOException as declared; presumably raised when the current user cannot be
 *     determined
 */
private boolean currentUgiContainsKmsDt() throws IOException {
  final Credentials currentCreds = UserGroupInformation.getCurrentUser().getCredentials();
  // With no tokens at all there is nothing to look up, so the service name is not computed.
  if (currentCreds.getAllTokens().isEmpty()) {
    return false;
  }
  return currentCreds.getToken(getDelegationTokenService()) != null;
}
/**
 * A token already stored under the filesystem's service name must stay in place:
 * {@code addDelegationTokens} leaves exactly one token, and it is the original instance.
 */
@Test
public void testFsWithTokenExists() throws Exception {
  final Text service = new Text("singleTokenFs");
  final MockFileSystem fs = createFileSystemForServiceName(service);

  final Token<?> preExisting = mock(Token.class);
  final Credentials credentials = new Credentials();
  credentials.addToken(service, preExisting);

  fs.addDelegationTokens(renewer, credentials);

  // NOTE(review): "false" presumably means no new token was requested from fs; confirm
  // against verifyTokenFetch.
  verifyTokenFetch(fs, false);
  assertEquals(1, credentials.numberOfTokens());
  assertSame(preExisting, credentials.getToken(service));
}
/**
 * Starting from empty credentials, {@code addDelegationTokens} on a single filesystem must
 * leave exactly one token, stored under that filesystem's service name.
 */
@Test
public void testFsWithToken() throws Exception {
  final Credentials credentials = new Credentials();
  final Text service = new Text("singleTokenFs");
  final MockFileSystem fs = createFileSystemForServiceName(service);

  fs.addDelegationTokens(renewer, credentials);

  // NOTE(review): "true" presumably means a token was requested from fs; confirm against
  // verifyTokenFetch.
  verifyTokenFetch(fs, true);
  assertEquals(1, credentials.numberOfTokens());
  assertNotNull(credentials.getToken(service));
}
/**
 * Starting from empty credentials, {@code addDelegationTokens} on a single filesystem must
 * leave exactly one token, stored under that filesystem's service name.
 */
@Test
public void testFsWithToken() throws Exception {
  final Credentials credentials = new Credentials();
  final Text service = new Text("singleTokenFs");
  final MockFileSystem fs = createFileSystemForServiceName(service);

  fs.addDelegationTokens(renewer, credentials);

  // NOTE(review): "true" presumably means a token was requested from fs; confirm against
  // verifyTokenFetch.
  verifyTokenFetch(fs, true);
  assertEquals(1, credentials.numberOfTokens());
  assertNotNull(credentials.getToken(service));
}
/**
 * A parent filesystem with no service name of its own, whose two children are the same
 * filesystem (once directly, once wrapped in a {@code FilterFileSystem}), must end up with a
 * single token stored under the child's service name.
 */
@Test
public void testFsWithDuplicateChildren() throws Exception {
  final Text service = new Text("singleTokenFs1");
  final MockFileSystem fs = createFileSystemForServiceName(service);
  final MockFileSystem multiFs =
      createFileSystemForServiceName(null, fs, new FilterFileSystem(fs));

  final Credentials credentials = new Credentials();
  multiFs.addDelegationTokens(renewer, credentials);

  // NOTE(review): the flag presumably states whether a token was requested from that
  // filesystem; confirm against verifyTokenFetch.
  verifyTokenFetch(multiFs, false);
  verifyTokenFetch(fs, true);
  assertEquals(1, credentials.numberOfTokens());
  assertNotNull(credentials.getToken(service));
}
/**
 * A parent filesystem with no service name of its own, whose two children are the same
 * filesystem (once directly, once wrapped in a {@code FilterFileSystem}), must end up with a
 * single token stored under the child's service name.
 */
@Test
public void testFsWithDuplicateChildren() throws Exception {
  final Text service = new Text("singleTokenFs1");
  final MockFileSystem fs = createFileSystemForServiceName(service);
  final MockFileSystem multiFs =
      createFileSystemForServiceName(null, fs, new FilterFileSystem(fs));

  final Credentials credentials = new Credentials();
  multiFs.addDelegationTokens(renewer, credentials);

  // NOTE(review): the flag presumably states whether a token was requested from that
  // filesystem; confirm against verifyTokenFetch.
  verifyTokenFetch(multiFs, false);
  verifyTokenFetch(fs, true);
  assertEquals(1, credentials.numberOfTokens());
  assertNotNull(credentials.getToken(service));
}