/**
 * Hands back every token held in this user's credentials.
 *
 * <p>The collection comes straight from the wrapped {@code ugi}; this method adds no
 * filtering or copying of its own. Token objects are credential material, so callers
 * should pass them only to code that needs to authenticate with them.
 *
 * @return the result of {@code ugi.getTokens()}
 */
public Collection<Token<? extends TokenIdentifier>> getTokens() {
  final Collection<Token<? extends TokenIdentifier>> held = ugi.getTokens();
  return held;
}
/**
 * Reports whether the current user's credentials contain an HDFS delegation token.
 *
 * <p>Only the token kind is compared against {@code HDFS_DELEGATION_TOKEN_KIND}; the
 * service, expiry and validity of the token are not examined here, so a {@code true}
 * result means "a token of that kind is present", not "a usable token is present".
 *
 * @return {@code true} as soon as one token of that kind is found, {@code false} otherwise
 * @throws Exception propagated from {@code UserGroupInformation.getCurrentUser()}
 */
public static boolean hasHDFSDelegationToken() throws Exception {
  UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  boolean found = false;
  for (Token<? extends TokenIdentifier> candidate : currentUser.getTokens()) {
    if (candidate.getKind().equals(HDFS_DELEGATION_TOKEN_KIND)) {
      found = true;
      // One match is enough; stop scanning.
      break;
    }
  }
  return found;
}
/**
 * Looks up the first token of this user whose kind and service both match.
 *
 * <p>Both conditions are mandatory: a {@code null} {@code service} never matches, so the
 * method returns {@code null} in that case even if a token of the requested kind exists.
 * This keeps a token from being handed out for a service it was not requested for.
 *
 * @param kind the kind of token, compared against the string form of the token's kind
 * @param service service on which the token is supposed to be used, compared against the
 *     string form of the token's service
 * @return the first matching token, or {@code null} if none matches
 * @throws IOException declared by the signature
 */
public Token<?> getToken(String kind, String service) throws IOException {
  for (Token<?> candidate : ugi.getTokens()) {
    final boolean kindMatches = candidate.getKind().toString().equals(kind);
    if (!kindMatches) {
      continue;
    }
    if (service == null) {
      // No service given: nothing can match, keep scanning to the end.
      continue;
    }
    if (candidate.getService().toString().equals(service)) {
      return candidate;
    }
  }
  return null;
}
/**
 * Writes the given UGI and each of its tokens to the supplied logger at debug level.
 * Nothing is logged when debug is disabled on {@code log}.
 *
 * <p>NOTE(review): each token is rendered by string concatenation, i.e. through its
 * {@code toString()}; confirm that rendering is acceptable for every place debug logs
 * are shipped to before enabling debug in a shared environment.
 *
 * @param log logger that receives the output
 * @param caption text placed in front of the UGI line
 * @param ugi the UGI whose description and tokens are logged
 * @throws IOException declared by the signature
 */
@InterfaceAudience.LimitedPrivate({"HDFS", "KMS"})
@InterfaceStability.Unstable
public static void logUserInfo(Logger log, String caption,
    UserGroupInformation ugi) throws IOException {
  if (!log.isDebugEnabled()) {
    return;
  }
  log.debug(caption + " UGI: " + ugi);
  for (Token<?> held : ugi.getTokens()) {
    log.debug("+token:" + held);
  }
}
/**
 * Finds a delegation token of the current user by its signature and returns it in
 * URL-string form.
 *
 * <p>The signature is used as the value of the "service" field during lookup (see
 * AbstractDelegationTokenSelector in Hadoop); a {@code null} signature is looked up as an
 * empty {@code Text}. The lookup only succeeds if the token was placed in the job's
 * credential store, which is expected on map/reduce tasks when the client added the tokens
 * during job submission. This is relevant only against a "secure" Hadoop release.
 *
 * <p>The returned string is the output of {@code encodeToUrlString()}, i.e. the token in
 * transportable form. Handle it as a credential: keep it out of logs, command lines and
 * error messages.
 *
 * @param tokenSignature service value to look up, may be {@code null}
 * @return the string form of the token found, or {@code null} when no token is selected
 * @throws IOException if the current user cannot be determined or encoding fails
 */
public static String getTokenStrForm(String tokenSignature) throws IOException {
  UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  TokenSelector<? extends TokenIdentifier> selector = new DelegationTokenSelector();

  Text serviceKey;
  if (tokenSignature == null) {
    serviceKey = new Text();
  } else {
    serviceKey = new Text(tokenSignature);
  }

  Token<? extends TokenIdentifier> selected =
      selector.selectToken(serviceKey, currentUser.getTokens());
  if (selected == null) {
    return null;
  }
  return selected.encodeToUrlString();
}
/**
 * Finds a delegation token of the current user by its signature and returns it in
 * URL-string form.
 *
 * <p>The signature is used as the value of the "service" field during lookup (see
 * AbstractDelegationTokenSelector in Hadoop); a {@code null} signature is looked up as an
 * empty {@code Text}. The lookup only succeeds if the token was placed in the job's
 * credential store, which is expected on map/reduce tasks when the client added the tokens
 * during job submission. This is relevant only against a "secure" Hadoop release.
 *
 * <p>The returned string is the output of {@code encodeToUrlString()}, i.e. the token in
 * transportable form. Handle it as a credential: keep it out of logs, command lines and
 * error messages.
 *
 * @param tokenSignature service value to look up, may be {@code null}
 * @return the string form of the token found, or {@code null} when no token is selected
 * @throws IOException if the current user cannot be determined or encoding fails
 */
public static String getTokenStrForm(String tokenSignature) throws IOException {
  UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  TokenSelector<? extends TokenIdentifier> selector = new DelegationTokenSelector();

  Text serviceKey;
  if (tokenSignature == null) {
    serviceKey = new Text();
  } else {
    serviceKey = new Text(tokenSignature);
  }

  Token<? extends TokenIdentifier> selected =
      selector.selectToken(serviceKey, currentUser.getTokens());
  if (selected == null) {
    return null;
  }
  return selected.encodeToUrlString();
}
} else { boolean foundHBaseAuthToken = false; for (Token<? extends TokenIdentifier> token : ugi.getTokens()) { LOG.debug("Token in UGI (delegation token): {} / {}", token.toString(), token.decodeIdentifier().getUser());
/**
 * Collects the security tokens an application master container needs and attaches them
 * to its launch context.
 *
 * <p>Tokens are gathered in this order: HDFS tokens for the namenodes of {@code paths},
 * an HBase token via {@code obtainTokenForHBase}, and finally every token already held by
 * the current user. The combined credentials are serialized and set on {@code amContainer}.
 *
 * <p>NOTE(review): every user token's identifier and {@code toString()} are written to the
 * INFO log below; confirm that is acceptable for the audience of that log, or consider
 * lowering the statement to DEBUG.
 *
 * @param amContainer launch context that receives the serialized tokens
 * @param paths paths whose namenodes tokens are obtained for
 * @param conf configuration passed to the token providers
 * @throws IOException if obtaining or serializing the tokens fails
 */
public static void setTokensFor(ContainerLaunchContext amContainer, List<Path> paths,
    Configuration conf) throws IOException {
  Credentials collected = new Credentials();

  // HDFS
  final Path[] pathArray = paths.toArray(new Path[0]);
  TokenCache.obtainTokensForNamenodes(collected, pathArray, conf);

  // HBase
  obtainTokenForHBase(collected, conf);

  // Tokens the current user already carries
  UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  for (Token<? extends TokenIdentifier> userToken : currentUser.getTokens()) {
    // The token's own identifier bytes serve as its alias in the credentials.
    final Text id = new Text(userToken.getIdentifier());
    LOG.info("Adding user token " + id + " with " + userToken);
    collected.addToken(id, userToken);
  }

  try (DataOutputBuffer out = new DataOutputBuffer()) {
    collected.writeTokenStorageToStream(out);

    if (LOG.isDebugEnabled()) {
      LOG.debug("Wrote tokens. Credentials buffer length: " + out.getLength());
    }

    // Wrap only the first getLength() bytes of the buffer's data array.
    final int written = out.getLength();
    amContainer.setTokens(ByteBuffer.wrap(out.getData(), 0, written));
  }
}
/**
 * Tries to find, among the tokens of {@code ugi}, the one to present to the server.
 *
 * <p>The selector class is taken from the token info registered for {@code protocol} and
 * is instantiated reflectively through its no-argument constructor. The lookup key is the
 * token service built from {@code serverAddr}, so only a token issued for that service
 * is selected.
 *
 * @param authType of the SASL client (not read in this method body)
 * @return Token for server, or null if the protocol has no token info or the selector
 *     finds no token
 * @throws IOException - token selector cannot be instantiated
 */
private Token<?> getServerToken(SaslAuth authType) throws IOException {
  TokenInfo tokenInfo = SecurityUtil.getTokenInfo(protocol, conf);
  LOG.debug("Get token info proto:" + protocol + " info:" + tokenInfo);
  if (tokenInfo == null) {
    // The protocol does not support tokens at all.
    return null;
  }

  final TokenSelector<?> selector;
  try {
    selector = tokenInfo.value().newInstance();
  } catch (InstantiationException | IllegalAccessException e) {
    // Surface reflection failures as IOException, keeping the cause.
    throw new IOException(e.toString(), e);
  }

  return selector.selectToken(
      SecurityUtil.buildTokenService(serverAddr), ugi.getTokens());
}
.get(tokenKind); if (tokenSelector != null) { token = tokenSelector.selectToken(new Text(clusterId), ticket.getTokens()); } else if (LOG.isDebugEnabled()) { LOG.debug("No token selector found for type " + tokenKind);
new Text(), ugi.getTokens()); LOG.info("Security::handleSecurity(): Checking for pre-existing metastore token... " + (hiveToken == null? "Not found. Creating a new one." : "Found. Using existing token.")); new org.apache.hadoop.mapreduce.security.token.delegation.DelegationTokenSelector(); Token jtToken = jtTokenSelector.selectToken(org.apache.hadoop.security.SecurityUtil.buildTokenService( ShimLoader.getHadoopShims().getHCatShim().getResourceManagerAddress(conf)), ugi.getTokens()); if (jtToken == null) {
/**
 * Reads the delegation tokens from {@code tokenFilePath}, checks them, adds them through
 * the security manager, and then checks the tokens reported by the current user.
 *
 * <p>Runs after {@code testWriteDelegationTokenToFile}, which this test depends on.
 */
@Test(dependsOnMethods = "testWriteDelegationTokenToFile")
public void testYarnContainerSecurityManager() throws IOException {
  // Step 1: tokens as read back from the token file.
  Collection<Token<?>> tokensFromFile =
      this.yarnContainerSecurityManager.readDelegationTokens(this.tokenFilePath);
  assertToken(tokensFromFile);

  // Step 2: after adding them, the current user's tokens must pass the same check.
  this.yarnContainerSecurityManager.addDelegationTokens(tokensFromFile);
  assertToken(UserGroupInformation.getCurrentUser().getTokens());
}
(ticket != null && !ticket.getTokens().isEmpty()); this.authProtocol = trySasl ? AuthProtocol.SASL : AuthProtocol.NONE;
.get(tokenKind); if (tokenSelector != null) { token = tokenSelector.selectToken(new Text(clusterId), ticket.getTokens()); } else if (LOG.isDebugEnabled()) { LOG.debug("No token selector found for type " + tokenKind);
/**
 * Hands back every token held in this user's credentials.
 *
 * <p>The collection comes straight from the wrapped {@code ugi}; this method adds no
 * filtering or copying of its own. Token objects are credential material, so callers
 * should pass them only to code that needs to authenticate with them.
 *
 * @return the result of {@code ugi.getTokens()}
 */
public Collection<Token<? extends TokenIdentifier>> getTokens() {
  final Collection<Token<? extends TokenIdentifier>> held = ugi.getTokens();
  return held;
}
/**
 * Hands back every token held in this user's credentials.
 *
 * <p>The collection comes straight from the wrapped {@code ugi}; this method adds no
 * filtering or copying of its own. Token objects are credential material, so callers
 * should pass them only to code that needs to authenticate with them.
 *
 * @return the result of {@code ugi.getTokens()}
 */
public Collection<Token<? extends TokenIdentifier>> getTokens() {
  final Collection<Token<? extends TokenIdentifier>> held = ugi.getTokens();
  return held;
}
/**
 * Returns the first token of the given user whose kind equals {@code ACCUMULO_SERVICE}.
 *
 * <p>Matching is by kind only; the token's service is not compared, so if the user holds
 * several tokens of this kind the first one in iteration order is returned.
 *
 * <p>NOTE(review): the constant is named like a service but is compared against the token
 * kind; confirm that is the intended field.
 *
 * @param user the UGI to search; must not be {@code null}
 * @return the matching token, or {@code null} if the user holds none of that kind
 */
public Token<?> getAccumuloToken(UserGroupInformation user) {
  checkNotNull(user, "Provided UGI was null");
  for (Token<?> candidate : user.getTokens()) {
    if (!ACCUMULO_SERVICE.equals(candidate.getKind())) {
      continue;
    }
    return candidate;
  }
  return null;
}
/**
 * Picks the delegation token for {@code serviceName} out of the given user's tokens.
 *
 * @param ugi user whose tokens are offered to the selector
 * @return whatever {@code dtSelector} selects for {@code serviceName}
 */
@VisibleForTesting
Token<DelegationTokenIdentifier> selectDelegationToken(
    UserGroupInformation ugi) {
  final Token<DelegationTokenIdentifier> chosen =
      dtSelector.selectToken(serviceName, ugi.getTokens());
  return chosen;
}
@Override public Collection<Token<?>> run() throws IOException { return UserGroupInformation.getCurrentUser().getTokens(); } });
/**
 * Points every AMRM token of the current user at the AMRM token service derived from
 * the given configuration.
 *
 * <p>Tokens of any other kind are left untouched. The service is set on the Token objects
 * returned by the current user's UGI, so the change is made in place on those objects.
 *
 * @param conf configuration from which the AMRM token service is derived
 * @throws IOException if the current user cannot be determined
 */
private static void setAMRMTokenService(final Configuration conf)
    throws IOException {
  final UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  for (org.apache.hadoop.security.token.Token<? extends TokenIdentifier> held
      : currentUser.getTokens()) {
    if (!held.getKind().equals(AMRMTokenIdentifier.KIND_NAME)) {
      continue;
    }
    held.setService(ClientRMProxy.getAMRMTokenService(conf));
  }
}