Java Code Examples for org.apache.hadoop.security.SecurityUtil#buildTokenService()

@Unstable
public static Text getTokenService(Configuration conf, String address,
    String defaultAddr, int defaultPort) {
  if (HAUtil.isHAEnabled(conf)) {
    // Build a list of service addresses to form the service name
    ArrayList<String> services = new ArrayList<String>();
    YarnConfiguration yarnConf = new YarnConfiguration(conf);
    for (String rmId : HAUtil.getRMHAIds(conf)) {
      // Set RM_ID to get the corresponding RM_ADDRESS
      yarnConf.set(YarnConfiguration.RM_HA_ID, rmId);
      services.add(SecurityUtil.buildTokenService(
          yarnConf.getSocketAddr(address, defaultAddr, defaultPort))
          .toString());
    }
    return new Text(Joiner.on(',').join(services));
  }

  // Non-HA case - no need to set RM_ID
  return SecurityUtil.buildTokenService(conf.getSocketAddr(address,
    defaultAddr, defaultPort));
}
 

OMProxyInfo(String serviceID, String nodeID, String rpcAddress) {
  this.serviceId = serviceID;
  this.nodeId = nodeID;
  this.rpcAddrStr = rpcAddress;
  this.rpcAddr = NetUtils.createSocketAddr(rpcAddrStr);
  if (rpcAddr.isUnresolved()) {
    LOG.warn("OzoneManager address {} for serviceID {} remains unresolved " +
            "for node ID {} Check your ozone-site.xml file to ensure ozone " +
            "manager addresses are configured properly.",
        rpcAddress, serviceId, nodeId);
    this.dtService = null;
  } else {

    // This issue will be a problem with docker/kubernetes world where one of
    // the container is killed, and that OM address will be unresolved.
    // For now skip the unresolved OM address setting it to the token
    // service field.

    this.dtService = SecurityUtil.buildTokenService(rpcAddr);
  }
}
 

@VisibleForTesting
void addHistoryToken(Credentials ts) throws IOException, InterruptedException {
  /* check if we have a hsproxy, if not, no need */
  MRClientProtocol hsProxy = clientCache.getInitializedHSProxy();
  if (UserGroupInformation.isSecurityEnabled() && (hsProxy != null)) {
    /*
     * note that get delegation token was called. Again this is hack for oozie
     * to make sure we add history server delegation tokens to the credentials
     */
    RMDelegationTokenSelector tokenSelector = new RMDelegationTokenSelector();
    Text service = resMgrDelegate.getRMDelegationTokenService();
    if (tokenSelector.selectToken(service, ts.getAllTokens()) != null) {
      Text hsService = SecurityUtil.buildTokenService(hsProxy
          .getConnectAddress());
      if (ts.getToken(hsService) == null) {
        ts.addToken(hsService, getDelegationTokenFromHS(hsProxy));
      }
    }
  }
}
 

@Override
public void initialize(final URI name, final Configuration conf)
throws IOException {
  super.initialize(name, conf);
  setConf(conf);
  this.connectionFactory = URLConnectionFactory
      .newDefaultURLConnectionFactory(conf);
  this.ugi = UserGroupInformation.getCurrentUser();
  this.nnUri = getNamenodeUri(name);
  this.tokenServiceName = SecurityUtil.buildTokenService(nnUri);

  try {
    this.hftpURI = new URI(name.getScheme(), name.getAuthority(),
                           null, null, null);
  } catch (URISyntaxException e) {
    throw new IllegalArgumentException(e);
  }

  initTokenAspect();
  if (UserGroupInformation.isSecurityEnabled()) {
    tokenAspect.initDelegationToken(ugi);
  }
}
 

@VisibleForTesting
void addHistoryToken(Credentials ts) throws IOException, InterruptedException {
  /* check if we have a hsproxy, if not, no need */
  MRClientProtocol hsProxy = clientCache.getInitializedHSProxy();
  if (UserGroupInformation.isSecurityEnabled() && (hsProxy != null)) {
    /*
     * note that get delegation token was called. Again this is hack for oozie
     * to make sure we add history server delegation tokens to the credentials
     */
    RMDelegationTokenSelector tokenSelector = new RMDelegationTokenSelector();
    Text service = resMgrDelegate.getRMDelegationTokenService();
    if (tokenSelector.selectToken(service, ts.getAllTokens()) != null) {
      Text hsService = SecurityUtil.buildTokenService(hsProxy
          .getConnectAddress());
      if (ts.getToken(hsService) == null) {
        ts.addToken(hsService, getDelegationTokenFromHS(hsProxy));
      }
    }
  }
}
 

@Override
public void initialize(final URI name, final Configuration conf)
throws IOException {
  super.initialize(name, conf);
  setConf(conf);
  this.connectionFactory = URLConnectionFactory
      .newDefaultURLConnectionFactory(conf);
  this.ugi = UserGroupInformation.getCurrentUser();
  this.nnUri = getNamenodeUri(name);
  this.tokenServiceName = SecurityUtil.buildTokenService(nnUri);

  try {
    this.hftpURI = new URI(name.getScheme(), name.getAuthority(),
                           null, null, null);
  } catch (URISyntaxException e) {
    throw new IllegalArgumentException(e);
  }

  initTokenAspect();
  if (UserGroupInformation.isSecurityEnabled()) {
    tokenAspect.initDelegationToken(ugi);
  }
}
 

/**
 * Select the delegation token for hdfs.  The port will be rewritten to
 * the port of hdfs.service.host_$nnAddr, or the default rpc namenode port. 
 * This method should only be called by non-hdfs filesystems that do not
 * use the rpc port to acquire tokens.  Ex. webhdfs, hftp 
 * @param nnUri of the remote namenode
 * @param tokens as a collection
 * @param conf hadoop configuration
 * @return Token
 */
public Token<DelegationTokenIdentifier> selectToken(
    final URI nnUri, Collection<Token<?>> tokens,
    final Configuration conf) {
  // this guesses the remote cluster's rpc service port.
  // the current token design assumes it's the same as the local cluster's
  // rpc port unless a config key is set.  there should be a way to automatic
  // and correctly determine the value
  Text serviceName = SecurityUtil.buildTokenService(nnUri);
  final String nnServiceName = conf.get(SERVICE_NAME_KEY + serviceName);
  
  int nnRpcPort = NameNode.DEFAULT_PORT;
  if (nnServiceName != null) {
    nnRpcPort = NetUtils.createSocketAddr(nnServiceName, nnRpcPort).getPort(); 
  }
  // use original hostname from the uri to avoid unintentional host resolving
  serviceName = SecurityUtil.buildTokenService(
  		NetUtils.createSocketAddrForHost(nnUri.getHost(), nnRpcPort));
  
  return selectToken(serviceName, tokens);
}
 

/**
 * Select the delegation token for hdfs.  The port will be rewritten to
 * the port of hdfs.service.host_$nnAddr, or the default rpc namenode port. 
 * This method should only be called by non-hdfs filesystems that do not
 * use the rpc port to acquire tokens.  Ex. webhdfs, hftp 
 * @param nnUri of the remote namenode
 * @param tokens as a collection
 * @param conf hadoop configuration
 * @return Token
 */
public Token<DelegationTokenIdentifier> selectToken(
    final URI nnUri, Collection<Token<?>> tokens,
    final Configuration conf) {
  // this guesses the remote cluster's rpc service port.
  // the current token design assumes it's the same as the local cluster's
  // rpc port unless a config key is set.  there should be a way to automatic
  // and correctly determine the value
  Text serviceName = SecurityUtil.buildTokenService(nnUri);
  final String nnServiceName = conf.get(SERVICE_NAME_KEY + serviceName);
  
  int nnRpcPort = NameNode.DEFAULT_PORT;
  if (nnServiceName != null) {
    nnRpcPort = NetUtils.createSocketAddr(nnServiceName, nnRpcPort).getPort(); 
  }
  // use original hostname from the uri to avoid unintentional host resolving
  serviceName = SecurityUtil.buildTokenService(
  		NetUtils.createSocketAddrForHost(nnUri.getHost(), nnRpcPort));
  
  return selectToken(serviceName, tokens);
}
 

/**
 * Creates an explicitly non-HA-enabled proxy object. Most of the time you
 * don't want to use this, and should instead use {@link NameNodeProxies#createProxy}.
 *
 * @param conf the configuration object
 * @param nnAddr address of the remote NN to connect to
 * @param xface the IPC interface which should be created
 * @param ugi the user who is making the calls on the proxy object
 * @param withRetries certain interfaces have a non-standard retry policy
 * @param fallbackToSimpleAuth - set to true or false during this method to
 *   indicate if a secure client falls back to simple auth
 * @return an object containing both the proxy and the associated
 *         delegation token service it corresponds to
 * @throws IOException
 */
@SuppressWarnings("unchecked")
public static <T> ProxyAndInfo<T> createNonHAProxy(
    Configuration conf, InetSocketAddress nnAddr, Class<T> xface,
    UserGroupInformation ugi, boolean withRetries,
    AtomicBoolean fallbackToSimpleAuth) throws IOException {
  Text dtService = SecurityUtil.buildTokenService(nnAddr);

  T proxy;
  if (xface == ClientProtocol.class) {
    proxy = (T) createNNProxyWithClientProtocol(nnAddr, conf, ugi,
        withRetries, fallbackToSimpleAuth);
  } else if (xface == JournalProtocol.class) {
    proxy = (T) createNNProxyWithJournalProtocol(nnAddr, conf, ugi);
  } else if (xface == NamenodeProtocol.class) {
    proxy = (T) createNNProxyWithNamenodeProtocol(nnAddr, conf, ugi,
        withRetries);
  } else if (xface == GetUserMappingsProtocol.class) {
    proxy = (T) createNNProxyWithGetUserMappingsProtocol(nnAddr, conf, ugi);
  } else if (xface == RefreshUserMappingsProtocol.class) {
    proxy = (T) createNNProxyWithRefreshUserMappingsProtocol(nnAddr, conf, ugi);
  } else if (xface == RefreshAuthorizationPolicyProtocol.class) {
    proxy = (T) createNNProxyWithRefreshAuthorizationPolicyProtocol(nnAddr,
        conf, ugi);
  } else if (xface == RefreshCallQueueProtocol.class) {
    proxy = (T) createNNProxyWithRefreshCallQueueProtocol(nnAddr, conf, ugi);
  } else {
    String message = "Unsupported protocol found when creating the proxy " +
        "connection to NameNode: " +
        ((xface != null) ? xface.getClass().getName() : "null");
    LOG.error(message);
    throw new IllegalStateException(message);
  }

  return new ProxyAndInfo<T>(proxy, dtService, nnAddr);
}
 

/**
 * Creates the namenode proxy with the passed protocol. This will handle
 * creation of either HA- or non-HA-enabled proxy objects, depending upon
 * if the provided URI is a configured logical URI.
 *
 * @param conf the configuration containing the required IPC
 *        properties, client failover configurations, etc.
 * @param nameNodeUri the URI pointing either to a specific NameNode
 *        or to a logical nameservice.
 * @param xface the IPC interface which should be created
 * @param fallbackToSimpleAuth set to true or false during calls to indicate if
 *   a secure client falls back to simple auth
 * @return an object containing both the proxy and the associated
 *         delegation token service it corresponds to
 * @throws IOException if there is an error creating the proxy
 **/
@SuppressWarnings("unchecked")
public static <T> ProxyAndInfo<T> createProxy(Configuration conf,
    URI nameNodeUri, Class<T> xface, AtomicBoolean fallbackToSimpleAuth)
    throws IOException {
  AbstractNNFailoverProxyProvider<T> failoverProxyProvider =
      createFailoverProxyProvider(conf, nameNodeUri, xface, true,
        fallbackToSimpleAuth);

  if (failoverProxyProvider == null) {
    // Non-HA case
    return createNonHAProxy(conf, NameNode.getAddress(nameNodeUri), xface,
        UserGroupInformation.getCurrentUser(), true, fallbackToSimpleAuth);
  } else {
    // HA case
    Conf config = new Conf(conf);
    T proxy = (T) RetryProxy.create(xface, failoverProxyProvider,
        RetryPolicies.failoverOnNetworkException(
            RetryPolicies.TRY_ONCE_THEN_FAIL, config.maxFailoverAttempts,
            config.maxRetryAttempts, config.failoverSleepBaseMillis,
            config.failoverSleepMaxMillis));

    Text dtService;
    if (failoverProxyProvider.useLogicalURI()) {
      dtService = HAUtil.buildTokenServiceForLogicalUri(nameNodeUri,
          HdfsConstants.HDFS_URI_SCHEME);
    } else {
      dtService = SecurityUtil.buildTokenService(
          NameNode.getAddress(nameNodeUri));
    }
    return new ProxyAndInfo<T>(proxy, dtService,
        NameNode.getAddress(nameNodeUri));
  }
}
 

@Override
public void initialize(URI name, Configuration conf) throws IOException {
  super.initialize(name, conf);
  setConf(conf);
  this.uri = URI.create(name.getScheme() + "://" + name.getAuthority());
  tokenAspect = new TokenAspect<DummyFs>(this,
      SecurityUtil.buildTokenService(uri), TOKEN_KIND);
  if (emulateSecurityEnabled || UserGroupInformation.isSecurityEnabled()) {
    tokenAspect.initDelegationToken(ugi);
  }
}
 

@Override
public void initialize(URI name, Configuration conf) throws IOException {
  super.initialize(name, conf);
  setConf(conf);
  this.uri = URI.create(name.getScheme() + "://" + name.getAuthority());
  tokenAspect = new TokenAspect<DummyFs>(this,
      SecurityUtil.buildTokenService(uri), TOKEN_KIND);
  if (emulateSecurityEnabled || UserGroupInformation.isSecurityEnabled()) {
    tokenAspect.initDelegationToken(ugi);
  }
}
 

private Text getDelegationTokenService(String strURL) throws IOException {
  URL url = new URL(strURL);
  InetSocketAddress addr = new InetSocketAddress(url.getHost(),
          url.getPort());
  Text dtService = SecurityUtil.buildTokenService(addr);
  return dtService;
}
 

/**
 * Creates an explicitly non-HA-enabled proxy object. Most of the time you
 * don't want to use this, and should instead use {@link NameNodeProxies#createProxy}.
 *
 * @param conf the configuration object
 * @param nnAddr address of the remote NN to connect to
 * @param xface the IPC interface which should be created
 * @param ugi the user who is making the calls on the proxy object
 * @param withRetries certain interfaces have a non-standard retry policy
 * @param fallbackToSimpleAuth - set to true or false during this method to
 *   indicate if a secure client falls back to simple auth
 * @return an object containing both the proxy and the associated
 *         delegation token service it corresponds to
 * @throws IOException
 */
@SuppressWarnings("unchecked")
public static <T> ProxyAndInfo<T> createNonHAProxy(
    Configuration conf, InetSocketAddress nnAddr, Class<T> xface,
    UserGroupInformation ugi, boolean withRetries,
    AtomicBoolean fallbackToSimpleAuth) throws IOException {
  Text dtService = SecurityUtil.buildTokenService(nnAddr);

  T proxy;
  if (xface == ClientProtocol.class) {
    proxy = (T) createNNProxyWithClientProtocol(nnAddr, conf, ugi,
        withRetries, fallbackToSimpleAuth);
  } else if (xface == JournalProtocol.class) {
    proxy = (T) createNNProxyWithJournalProtocol(nnAddr, conf, ugi);
  } else if (xface == NamenodeProtocol.class) {
    proxy = (T) createNNProxyWithNamenodeProtocol(nnAddr, conf, ugi,
        withRetries);
  } else if (xface == GetUserMappingsProtocol.class) {
    proxy = (T) createNNProxyWithGetUserMappingsProtocol(nnAddr, conf, ugi);
  } else if (xface == RefreshUserMappingsProtocol.class) {
    proxy = (T) createNNProxyWithRefreshUserMappingsProtocol(nnAddr, conf, ugi);
  } else if (xface == RefreshAuthorizationPolicyProtocol.class) {
    proxy = (T) createNNProxyWithRefreshAuthorizationPolicyProtocol(nnAddr,
        conf, ugi);
  } else if (xface == RefreshCallQueueProtocol.class) {
    proxy = (T) createNNProxyWithRefreshCallQueueProtocol(nnAddr, conf, ugi);
  } else {
    String message = "Unsupported protocol found when creating the proxy " +
        "connection to NameNode: " +
        ((xface != null) ? xface.getClass().getName() : "null");
    LOG.error(message);
    throw new IllegalStateException(message);
  }

  return new ProxyAndInfo<T>(proxy, dtService, nnAddr);
}
 

/**
 * Creates the namenode proxy with the passed protocol. This will handle
 * creation of either HA- or non-HA-enabled proxy objects, depending upon
 * if the provided URI is a configured logical URI.
 *
 * @param conf the configuration containing the required IPC
 *        properties, client failover configurations, etc.
 * @param nameNodeUri the URI pointing either to a specific NameNode
 *        or to a logical nameservice.
 * @param xface the IPC interface which should be created
 * @param fallbackToSimpleAuth set to true or false during calls to indicate if
 *   a secure client falls back to simple auth
 * @return an object containing both the proxy and the associated
 *         delegation token service it corresponds to
 * @throws IOException if there is an error creating the proxy
 **/
@SuppressWarnings("unchecked")
public static <T> ProxyAndInfo<T> createProxy(Configuration conf,
    URI nameNodeUri, Class<T> xface, AtomicBoolean fallbackToSimpleAuth)
    throws IOException {
  AbstractNNFailoverProxyProvider<T> failoverProxyProvider =
      createFailoverProxyProvider(conf, nameNodeUri, xface, true,
        fallbackToSimpleAuth);

  if (failoverProxyProvider == null) {
    // Non-HA case
    return createNonHAProxy(conf, NameNode.getAddress(nameNodeUri), xface,
        UserGroupInformation.getCurrentUser(), true, fallbackToSimpleAuth);
  } else {
    // HA case
    Conf config = new Conf(conf);
    T proxy = (T) RetryProxy.create(xface, failoverProxyProvider,
        RetryPolicies.failoverOnNetworkException(
            RetryPolicies.TRY_ONCE_THEN_FAIL, config.maxFailoverAttempts,
            config.maxRetryAttempts, config.failoverSleepBaseMillis,
            config.failoverSleepMaxMillis));

    Text dtService;
    if (failoverProxyProvider.useLogicalURI()) {
      dtService = HAUtil.buildTokenServiceForLogicalUri(nameNodeUri,
          HdfsConstants.HDFS_URI_SCHEME);
    } else {
      dtService = SecurityUtil.buildTokenService(
          NameNode.getAddress(nameNodeUri));
    }
    return new ProxyAndInfo<T>(proxy, dtService,
        NameNode.getAddress(nameNodeUri));
  }
}
 

/**
 * Test whether HftpFileSystem maintain wire-compatibility for 0.20.203 when
 * obtaining delegation token. See HDFS-5440 for more details.
 */
@Test
public void testTokenCompatibilityFor203() throws IOException,
    URISyntaxException, AuthenticationException {
  Configuration conf = new Configuration();
  HftpFileSystem fs = new HftpFileSystem();

  Token<?> token = new Token<TokenIdentifier>(new byte[0], new byte[0],
      DelegationTokenIdentifier.HDFS_DELEGATION_KIND, new Text(
          "127.0.0.1:8020"));
  Credentials cred = new Credentials();
  cred.addToken(HftpFileSystem.TOKEN_KIND, token);
  ByteArrayOutputStream os = new ByteArrayOutputStream();
  cred.write(new DataOutputStream(os));

  HttpURLConnection conn = mock(HttpURLConnection.class);
  doReturn(new ByteArrayInputStream(os.toByteArray())).when(conn)
      .getInputStream();
  doReturn(HttpURLConnection.HTTP_OK).when(conn).getResponseCode();

  URLConnectionFactory factory = mock(URLConnectionFactory.class);
  doReturn(conn).when(factory).openConnection(Mockito.<URL> any(),
      anyBoolean());

  final URI uri = new URI("hftp://127.0.0.1:8020");
  fs.initialize(uri, conf);
  fs.connectionFactory = factory;

  UserGroupInformation ugi = UserGroupInformation.createUserForTesting("foo",
      new String[] { "bar" });

  TokenAspect<HftpFileSystem> tokenAspect = new TokenAspect<HftpFileSystem>(
      fs, SecurityUtil.buildTokenService(uri), HftpFileSystem.TOKEN_KIND);

  tokenAspect.initDelegationToken(ugi);
  tokenAspect.ensureTokenInitialized();

  Assert.assertSame(HftpFileSystem.TOKEN_KIND, fs.getRenewToken().getKind());

  Token<?> tok = (Token<?>) Whitebox.getInternalState(fs, "delegationToken");
  Assert.assertNotSame("Not making a copy of the remote token", token, tok);
  Assert.assertEquals(token.getKind(), tok.getKind());
}
 

/**
 * Returns an authenticated {@link HttpURLConnection}. If the Delegation
 * Token is present, it will be used taking precedence over the configured
 * <code>Authenticator</code>. If the <code>doAs</code> parameter is not NULL,
 * the request will be done on behalf of the specified <code>doAs</code> user.
 *
 * @param url the URL to connect to. Only HTTP/S URLs are supported.
 * @param token the authentication token being used for the user.
 * @param doAs user to do the the request on behalf of, if NULL the request is
 * as self.
 * @return an authenticated {@link HttpURLConnection}.
 * @throws IOException if an IO error occurred.
 * @throws AuthenticationException if an authentication exception occurred.
 */
@SuppressWarnings("unchecked")
public HttpURLConnection openConnection(URL url, Token token, String doAs)
    throws IOException, AuthenticationException {
  Preconditions.checkNotNull(url, "url");
  Preconditions.checkNotNull(token, "token");
  Map<String, String> extraParams = new HashMap<String, String>();
  org.apache.hadoop.security.token.Token<? extends TokenIdentifier> dToken
      = null;
  // if we have valid auth token, it takes precedence over a delegation token
  // and we don't even look for one.
  if (!token.isSet()) {
    // delegation token
    Credentials creds = UserGroupInformation.getCurrentUser().
        getCredentials();
    if (!creds.getAllTokens().isEmpty()) {
      InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
          url.getPort());
      Text service = SecurityUtil.buildTokenService(serviceAddr);
      dToken = creds.getToken(service);
      if (dToken != null) {
        if (useQueryStringForDelegationToken()) {
          // delegation token will go in the query string, injecting it
          extraParams.put(
              KerberosDelegationTokenAuthenticator.DELEGATION_PARAM,
              dToken.encodeToUrlString());
        } else {
          // delegation token will go as request header, setting it in the
          // auth-token to ensure no authentication handshake is triggered
          // (if we have a delegation token, we are authenticated)
          // the delegation token header is injected in the connection request
          // at the end of this method.
          token.delegationToken = (org.apache.hadoop.security.token.Token
              <AbstractDelegationTokenIdentifier>) dToken;
        }
      }
    }
  }

  // proxyuser
  if (doAs != null) {
    extraParams.put(DO_AS, URLEncoder.encode(doAs, "UTF-8"));
  }

  url = augmentURL(url, extraParams);
  HttpURLConnection conn = super.openConnection(url, token);
  if (!token.isSet() && !useQueryStringForDelegationToken() && dToken != null) {
    // injecting the delegation token header in the connection request
    conn.setRequestProperty(
        DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER,
        dToken.encodeToUrlString());
  }
  return conn;
}
 

@Test
public void testRenewal() throws Exception {
  Configuration conf = new Configuration();
  Token<?> token1 = mock(Token.class);
  Token<?> token2 = mock(Token.class);
  final long renewCycle = 100;
  DelegationTokenRenewer.renewCycle = renewCycle;

  UserGroupInformation ugi = UserGroupInformation.createUserForTesting("foo",
      new String[] { "bar" });
  DummyFs fs = spy(new DummyFs());

  doReturn(token1).doReturn(token2).when(fs).getDelegationToken(null);
  doReturn(token1).when(fs).getRenewToken();
  // cause token renewer to abandon the token
  doThrow(new IOException("renew failed")).when(token1).renew(conf);
  doThrow(new IOException("get failed")).when(fs).addDelegationTokens(null,
      null);

  final URI uri = new URI("dummyfs://127.0.0.1:1234");
  TokenAspect<DummyFs> tokenAspect = new TokenAspect<DummyFs>(fs,
      SecurityUtil.buildTokenService(uri), DummyFs.TOKEN_KIND);
  fs.initialize(uri, conf);
  tokenAspect.initDelegationToken(ugi);

  // trigger token acquisition
  tokenAspect.ensureTokenInitialized();
  DelegationTokenRenewer.RenewAction<?> action = getActionFromTokenAspect(tokenAspect);
  verify(fs).setDelegationToken(token1);
  assertTrue(action.isValid());

  // upon renewal, token will go bad based on above stubbing
  Thread.sleep(renewCycle * 2);
  assertSame(action, getActionFromTokenAspect(tokenAspect));
  assertFalse(action.isValid());

  // now that token is invalid, should get a new one
  tokenAspect.ensureTokenInitialized();
  verify(fs, times(2)).getDelegationToken(anyString());
  verify(fs).setDelegationToken(token2);
  assertNotSame(action, getActionFromTokenAspect(tokenAspect));

  action = getActionFromTokenAspect(tokenAspect);
  assertTrue(action.isValid());
}
 

public static Text buildTimelineTokenService(Configuration conf) {
  InetSocketAddress timelineServiceAddr =
      getTimelineTokenServiceAddress(conf);
  return SecurityUtil.buildTokenService(timelineServiceAddr);
}
 

public static Text buildTimelineTokenService(Configuration conf) {
  InetSocketAddress timelineServiceAddr =
      getTimelineTokenServiceAddress(conf);
  return SecurityUtil.buildTokenService(timelineServiceAddr);
}