org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL Java Examples

The following examples show how to use org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: TimelineClientImpl.java    From hadoop with Apache License 2.0 6 votes vote down vote up
@SuppressWarnings("unchecked")
@Override
public Token<TimelineDelegationTokenIdentifier> getDelegationToken(
    final String renewer) throws IOException, YarnException {
  PrivilegedExceptionAction<Token<TimelineDelegationTokenIdentifier>> getDTAction =
      new PrivilegedExceptionAction<Token<TimelineDelegationTokenIdentifier>>() {

        @Override
        public Token<TimelineDelegationTokenIdentifier> run()
            throws Exception {
          DelegationTokenAuthenticatedURL authUrl =
              new DelegationTokenAuthenticatedURL(authenticator,
                  connConfigurator);
          return (Token) authUrl.getDelegationToken(
              resURI.toURL(), token, renewer, doAsUser);
        }
      };
  return (Token<TimelineDelegationTokenIdentifier>) operateDelegationToken(getDTAction);
}
 
Example #2
Source File: HttpFSFileSystem.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Called after a new FileSystem instance is constructed.
 *
 * @param name a uri whose authority section names the host, port, etc. for this FileSystem
 * @param conf the configuration
 */
@Override
public void initialize(URI name, Configuration conf) throws IOException {
  UserGroupInformation ugi = UserGroupInformation.getCurrentUser();

  //the real use is the one that has the Kerberos credentials needed for
  //SPNEGO to work
  realUser = ugi.getRealUser();
  if (realUser == null) {
    realUser = UserGroupInformation.getLoginUser();
  }
  super.initialize(name, conf);
  try {
    uri = new URI(name.getScheme() + "://" + name.getAuthority());
  } catch (URISyntaxException ex) {
    throw new IOException(ex);
  }

  Class<? extends DelegationTokenAuthenticator> klass =
      getConf().getClass("httpfs.authenticator.class",
          KerberosDelegationTokenAuthenticator.class,
          DelegationTokenAuthenticator.class);
  DelegationTokenAuthenticator authenticator =
      ReflectionUtils.newInstance(klass, getConf());
  authURL = new DelegationTokenAuthenticatedURL(authenticator);
}
 
Example #3
Source File: HttpFSFileSystem.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Called after a new FileSystem instance is constructed.
 *
 * @param name a uri whose authority section names the host, port, etc. for this FileSystem
 * @param conf the configuration
 */
@Override
public void initialize(URI name, Configuration conf) throws IOException {
  UserGroupInformation ugi = UserGroupInformation.getCurrentUser();

  //the real use is the one that has the Kerberos credentials needed for
  //SPNEGO to work
  realUser = ugi.getRealUser();
  if (realUser == null) {
    realUser = UserGroupInformation.getLoginUser();
  }
  super.initialize(name, conf);
  try {
    uri = new URI(name.getScheme() + "://" + name.getAuthority());
  } catch (URISyntaxException ex) {
    throw new IOException(ex);
  }

  Class<? extends DelegationTokenAuthenticator> klass =
      getConf().getClass("httpfs.authenticator.class",
          KerberosDelegationTokenAuthenticator.class,
          DelegationTokenAuthenticator.class);
  DelegationTokenAuthenticator authenticator =
      ReflectionUtils.newInstance(klass, getConf());
  authURL = new DelegationTokenAuthenticatedURL(authenticator);
}
 
Example #4
Source File: TimelineClientImpl.java    From big-c with Apache License 2.0 6 votes vote down vote up
@SuppressWarnings("unchecked")
@Override
public Token<TimelineDelegationTokenIdentifier> getDelegationToken(
    final String renewer) throws IOException, YarnException {
  PrivilegedExceptionAction<Token<TimelineDelegationTokenIdentifier>> getDTAction =
      new PrivilegedExceptionAction<Token<TimelineDelegationTokenIdentifier>>() {

        @Override
        public Token<TimelineDelegationTokenIdentifier> run()
            throws Exception {
          DelegationTokenAuthenticatedURL authUrl =
              new DelegationTokenAuthenticatedURL(authenticator,
                  connConfigurator);
          return (Token) authUrl.getDelegationToken(
              resURI.toURL(), token, renewer, doAsUser);
        }
      };
  return (Token<TimelineDelegationTokenIdentifier>) operateDelegationToken(getDTAction);
}
 
Example #5
Source File: TimelineClientImpl.java    From big-c with Apache License 2.0 5 votes vote down vote up
@SuppressWarnings("unchecked")
@Override
public long renewDelegationToken(
    final Token<TimelineDelegationTokenIdentifier> timelineDT)
        throws IOException, YarnException {
  final boolean isTokenServiceAddrEmpty =
      timelineDT.getService().toString().isEmpty();
  final String scheme = isTokenServiceAddrEmpty ? null
      : (YarnConfiguration.useHttps(this.getConfig()) ? "https" : "http");
  final InetSocketAddress address = isTokenServiceAddrEmpty ? null
      : SecurityUtil.getTokenServiceAddr(timelineDT);
  PrivilegedExceptionAction<Long> renewDTAction =
      new PrivilegedExceptionAction<Long>() {

        @Override
        public Long run() throws Exception {
          // If the timeline DT to renew is different than cached, replace it.
          // Token to set every time for retry, because when exception happens,
          // DelegationTokenAuthenticatedURL will reset it to null;
          if (!timelineDT.equals(token.getDelegationToken())) {
            token.setDelegationToken((Token) timelineDT);
          }
          DelegationTokenAuthenticatedURL authUrl =
              new DelegationTokenAuthenticatedURL(authenticator,
                  connConfigurator);
          // If the token service address is not available, fall back to use
          // the configured service address.
          final URI serviceURI = isTokenServiceAddrEmpty ? resURI
              : new URI(scheme, null, address.getHostName(),
              address.getPort(), RESOURCE_URI_STR, null, null);
          return authUrl
              .renewDelegationToken(serviceURI.toURL(), token, doAsUser);
        }
      };
  return (Long) operateDelegationToken(renewDTAction);
}
 
Example #6
Source File: ResourceRequest.java    From sqoop-on-spark with Apache License 2.0 5 votes vote down vote up
public Token<?>[] addDelegationTokens(String strURL, String renewer,
                                      Credentials credentials) throws IOException {
  Token<?>[] tokens = null;
  Text dtService = getDelegationTokenService(strURL);
  Token<?> token = credentials.getToken(dtService);
  if (token == null) {
    URL url = new URL(strURL);
    DelegationTokenAuthenticatedURL authUrl =
            new DelegationTokenAuthenticatedURL(new ConnectionConfigurator() {
              @Override
              public HttpURLConnection configure(HttpURLConnection conn) throws IOException {
                return conn;
              }
            });
    try {
      token = authUrl.getDelegationToken(url, authToken, renewer);
      if (token != null) {
        credentials.addToken(token.getService(), token);
        tokens = new Token<?>[]{token};
      } else {
        throw new IOException("Got NULL as delegation token");
      }
    } catch (AuthenticationException ex) {
      throw new IOException(ex);
    }
  }
  return tokens;
}
 
Example #7
Source File: TimelineClientImpl.java    From big-c with Apache License 2.0 5 votes vote down vote up
@Override
public HttpURLConnection getHttpURLConnection(final URL url) throws IOException {
  authUgi.checkTGTAndReloginFromKeytab();
  try {
    return new DelegationTokenAuthenticatedURL(
        authenticator, connConfigurator).openConnection(url, token,
          doAsUser);
  } catch (UndeclaredThrowableException e) {
    throw new IOException(e.getCause());
  } catch (AuthenticationException ae) {
    throw new IOException(ae);
  }
}
 
Example #8
Source File: TimelineClientImpl.java    From big-c with Apache License 2.0 5 votes vote down vote up
@SuppressWarnings("unchecked")
@Override
public void cancelDelegationToken(
    final Token<TimelineDelegationTokenIdentifier> timelineDT)
        throws IOException, YarnException {
  final boolean isTokenServiceAddrEmpty =
      timelineDT.getService().toString().isEmpty();
  final String scheme = isTokenServiceAddrEmpty ? null
      : (YarnConfiguration.useHttps(this.getConfig()) ? "https" : "http");
  final InetSocketAddress address = isTokenServiceAddrEmpty ? null
      : SecurityUtil.getTokenServiceAddr(timelineDT);
  PrivilegedExceptionAction<Void> cancelDTAction =
      new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
          // If the timeline DT to cancel is different than cached, replace it.
          // Token to set every time for retry, because when exception happens,
          // DelegationTokenAuthenticatedURL will reset it to null;
          if (!timelineDT.equals(token.getDelegationToken())) {
            token.setDelegationToken((Token) timelineDT);
          }
          DelegationTokenAuthenticatedURL authUrl =
              new DelegationTokenAuthenticatedURL(authenticator,
                  connConfigurator);
          // If the token service address is not available, fall back to use
          // the configured service address.
          final URI serviceURI = isTokenServiceAddrEmpty ? resURI
              : new URI(scheme, null, address.getHostName(),
              address.getPort(), RESOURCE_URI_STR, null, null);
          authUrl.cancelDelegationToken(serviceURI.toURL(), token, doAsUser);
          return null;
        }
      };
  operateDelegationToken(cancelDTAction);
}
 
Example #9
Source File: TimelineClientImpl.java    From hadoop with Apache License 2.0 5 votes vote down vote up
@Override
public HttpURLConnection getHttpURLConnection(final URL url) throws IOException {
  authUgi.checkTGTAndReloginFromKeytab();
  try {
    return new DelegationTokenAuthenticatedURL(
        authenticator, connConfigurator).openConnection(url, token,
          doAsUser);
  } catch (UndeclaredThrowableException e) {
    throw new IOException(e.getCause());
  } catch (AuthenticationException ae) {
    throw new IOException(ae);
  }
}
 
Example #10
Source File: TimelineClientImpl.java    From hadoop with Apache License 2.0 5 votes vote down vote up
@SuppressWarnings("unchecked")
@Override
public void cancelDelegationToken(
    final Token<TimelineDelegationTokenIdentifier> timelineDT)
        throws IOException, YarnException {
  final boolean isTokenServiceAddrEmpty =
      timelineDT.getService().toString().isEmpty();
  final String scheme = isTokenServiceAddrEmpty ? null
      : (YarnConfiguration.useHttps(this.getConfig()) ? "https" : "http");
  final InetSocketAddress address = isTokenServiceAddrEmpty ? null
      : SecurityUtil.getTokenServiceAddr(timelineDT);
  PrivilegedExceptionAction<Void> cancelDTAction =
      new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
          // If the timeline DT to cancel is different than cached, replace it.
          // Token to set every time for retry, because when exception happens,
          // DelegationTokenAuthenticatedURL will reset it to null;
          if (!timelineDT.equals(token.getDelegationToken())) {
            token.setDelegationToken((Token) timelineDT);
          }
          DelegationTokenAuthenticatedURL authUrl =
              new DelegationTokenAuthenticatedURL(authenticator,
                  connConfigurator);
          // If the token service address is not available, fall back to use
          // the configured service address.
          final URI serviceURI = isTokenServiceAddrEmpty ? resURI
              : new URI(scheme, null, address.getHostName(),
              address.getPort(), RESOURCE_URI_STR, null, null);
          authUrl.cancelDelegationToken(serviceURI.toURL(), token, doAsUser);
          return null;
        }
      };
  operateDelegationToken(cancelDTAction);
}
 
Example #11
Source File: TimelineClientImpl.java    From hadoop with Apache License 2.0 5 votes vote down vote up
@SuppressWarnings("unchecked")
@Override
public long renewDelegationToken(
    final Token<TimelineDelegationTokenIdentifier> timelineDT)
        throws IOException, YarnException {
  final boolean isTokenServiceAddrEmpty =
      timelineDT.getService().toString().isEmpty();
  final String scheme = isTokenServiceAddrEmpty ? null
      : (YarnConfiguration.useHttps(this.getConfig()) ? "https" : "http");
  final InetSocketAddress address = isTokenServiceAddrEmpty ? null
      : SecurityUtil.getTokenServiceAddr(timelineDT);
  PrivilegedExceptionAction<Long> renewDTAction =
      new PrivilegedExceptionAction<Long>() {

        @Override
        public Long run() throws Exception {
          // If the timeline DT to renew is different than cached, replace it.
          // Token to set every time for retry, because when exception happens,
          // DelegationTokenAuthenticatedURL will reset it to null;
          if (!timelineDT.equals(token.getDelegationToken())) {
            token.setDelegationToken((Token) timelineDT);
          }
          DelegationTokenAuthenticatedURL authUrl =
              new DelegationTokenAuthenticatedURL(authenticator,
                  connConfigurator);
          // If the token service address is not available, fall back to use
          // the configured service address.
          final URI serviceURI = isTokenServiceAddrEmpty ? resURI
              : new URI(scheme, null, address.getHostName(),
              address.getPort(), RESOURCE_URI_STR, null, null);
          return authUrl
              .renewDelegationToken(serviceURI.toURL(), token, doAsUser);
        }
      };
  return (Long) operateDelegationToken(renewDTAction);
}
 
Example #12
Source File: SubmissionResourceRequest.java    From sqoop-on-spark with Apache License 2.0 4 votes vote down vote up
public SubmissionResourceRequest(DelegationTokenAuthenticatedURL.Token token){
  super(token);
}
 
Example #13
Source File: SqoopResourceRequests.java    From sqoop-on-spark with Apache License 2.0 4 votes vote down vote up
public SqoopResourceRequests() {
  authToken = new DelegationTokenAuthenticatedURL.Token();
}
 
Example #14
Source File: TimelineClientImpl.java    From hadoop with Apache License 2.0 4 votes vote down vote up
protected void serviceInit(Configuration conf) throws Exception {
  UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
  UserGroupInformation realUgi = ugi.getRealUser();
  if (realUgi != null) {
    authUgi = realUgi;
    doAsUser = ugi.getShortUserName();
  } else {
    authUgi = ugi;
    doAsUser = null;
  }
  ClientConfig cc = new DefaultClientConfig();
  cc.getClasses().add(YarnJacksonJaxbJsonProvider.class);
  connConfigurator = newConnConfigurator(conf);
  if (UserGroupInformation.isSecurityEnabled()) {
    authenticator = new KerberosDelegationTokenAuthenticator();
  } else {
    authenticator = new PseudoDelegationTokenAuthenticator();
  }
  authenticator.setConnectionConfigurator(connConfigurator);
  token = new DelegationTokenAuthenticatedURL.Token();

  connectionRetry = new TimelineClientConnectionRetry(conf);
  client = new Client(new URLConnectionClientHandler(
      new TimelineURLConnectionFactory()), cc);
  TimelineJerseyRetryFilter retryFilter = new TimelineJerseyRetryFilter();
  client.addFilter(retryFilter);

  if (YarnConfiguration.useHttps(conf)) {
    resURI = URI
        .create(JOINER.join("https://", conf.get(
            YarnConfiguration.TIMELINE_SERVICE_WEBAPP_HTTPS_ADDRESS,
            YarnConfiguration.DEFAULT_TIMELINE_SERVICE_WEBAPP_HTTPS_ADDRESS),
            RESOURCE_URI_STR));
  } else {
    resURI = URI.create(JOINER.join("http://", conf.get(
        YarnConfiguration.TIMELINE_SERVICE_WEBAPP_ADDRESS,
        YarnConfiguration.DEFAULT_TIMELINE_SERVICE_WEBAPP_ADDRESS),
        RESOURCE_URI_STR));
  }
  LOG.info("Timeline service address: " + resURI);
  super.serviceInit(conf);
}
 
Example #15
Source File: ResourceRequest.java    From sqoop-on-spark with Apache License 2.0 4 votes vote down vote up
public DelegationTokenAuthenticatedURL.Token getAuthToken() {
  return authToken;
}
 
Example #16
Source File: ResourceRequest.java    From sqoop-on-spark with Apache License 2.0 4 votes vote down vote up
public ResourceRequest(DelegationTokenAuthenticatedURL.Token token) {
  this.authToken = token == null ? new DelegationTokenAuthenticatedURL.Token() : token;
}
 
Example #17
Source File: ResourceRequest.java    From sqoop-on-spark with Apache License 2.0 4 votes vote down vote up
public ResourceRequest() {
  this.authToken = new DelegationTokenAuthenticatedURL.Token();
}
 
Example #18
Source File: VersionResourceRequest.java    From sqoop-on-spark with Apache License 2.0 4 votes vote down vote up
public VersionResourceRequest(DelegationTokenAuthenticatedURL.Token token){
  super(token);
}
 
Example #19
Source File: JobResourceRequest.java    From sqoop-on-spark with Apache License 2.0 4 votes vote down vote up
public JobResourceRequest(DelegationTokenAuthenticatedURL.Token token){
  super(token);
}
 
Example #20
Source File: AuthorizationResourceRequest.java    From sqoop-on-spark with Apache License 2.0 4 votes vote down vote up
public AuthorizationResourceRequest(DelegationTokenAuthenticatedURL.Token token) {
  super(token);
}
 
Example #21
Source File: LinkResourceRequest.java    From sqoop-on-spark with Apache License 2.0 4 votes vote down vote up
public LinkResourceRequest(DelegationTokenAuthenticatedURL.Token token){
  super(token);
}
 
Example #22
Source File: DriverResourceRequest.java    From sqoop-on-spark with Apache License 2.0 4 votes vote down vote up
public DriverResourceRequest(DelegationTokenAuthenticatedURL.Token token){
  super(token);
}
 
Example #23
Source File: ConnectorResourceRequest.java    From sqoop-on-spark with Apache License 2.0 4 votes vote down vote up
public ConnectorResourceRequest(DelegationTokenAuthenticatedURL.Token token){
  super(token);
}
 
Example #24
Source File: KMSClientProvider.java    From big-c with Apache License 2.0 4 votes vote down vote up
public KMSClientProvider(URI uri, Configuration conf) throws IOException {
  super(conf);
  kmsUrl = createServiceURL(extractKMSPath(uri));
  if ("https".equalsIgnoreCase(new URL(kmsUrl).getProtocol())) {
    sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, conf);
    try {
      sslFactory.init();
    } catch (GeneralSecurityException ex) {
      throw new IOException(ex);
    }
  }
  int timeout = conf.getInt(TIMEOUT_ATTR, DEFAULT_TIMEOUT);
  authRetry = conf.getInt(AUTH_RETRY, DEFAULT_AUTH_RETRY);
  configurator = new TimeoutConnConfigurator(timeout, sslFactory);
  encKeyVersionQueue =
      new ValueQueue<KeyProviderCryptoExtension.EncryptedKeyVersion>(
          conf.getInt(
              CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_SIZE,
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_SIZE_DEFAULT),
          conf.getFloat(
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_LOW_WATERMARK,
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_LOW_WATERMARK_DEFAULT),
          conf.getInt(
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_EXPIRY_MS,
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_EXPIRY_DEFAULT),
          conf.getInt(
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS,
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT),
          new EncryptedQueueRefiller());
  authToken = new DelegationTokenAuthenticatedURL.Token();
  actualUgi =
      (UserGroupInformation.getCurrentUser().getAuthenticationMethod() ==
      UserGroupInformation.AuthenticationMethod.PROXY) ? UserGroupInformation
          .getCurrentUser().getRealUser() : UserGroupInformation
          .getCurrentUser();
}
 
Example #25
Source File: TimelineClientImpl.java    From big-c with Apache License 2.0 4 votes vote down vote up
protected void serviceInit(Configuration conf) throws Exception {
  UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
  UserGroupInformation realUgi = ugi.getRealUser();
  if (realUgi != null) {
    authUgi = realUgi;
    doAsUser = ugi.getShortUserName();
  } else {
    authUgi = ugi;
    doAsUser = null;
  }
  ClientConfig cc = new DefaultClientConfig();
  cc.getClasses().add(YarnJacksonJaxbJsonProvider.class);
  connConfigurator = newConnConfigurator(conf);
  if (UserGroupInformation.isSecurityEnabled()) {
    authenticator = new KerberosDelegationTokenAuthenticator();
  } else {
    authenticator = new PseudoDelegationTokenAuthenticator();
  }
  authenticator.setConnectionConfigurator(connConfigurator);
  token = new DelegationTokenAuthenticatedURL.Token();

  connectionRetry = new TimelineClientConnectionRetry(conf);
  client = new Client(new URLConnectionClientHandler(
      new TimelineURLConnectionFactory()), cc);
  TimelineJerseyRetryFilter retryFilter = new TimelineJerseyRetryFilter();
  client.addFilter(retryFilter);

  if (YarnConfiguration.useHttps(conf)) {
    resURI = URI
        .create(JOINER.join("https://", conf.get(
            YarnConfiguration.TIMELINE_SERVICE_WEBAPP_HTTPS_ADDRESS,
            YarnConfiguration.DEFAULT_TIMELINE_SERVICE_WEBAPP_HTTPS_ADDRESS),
            RESOURCE_URI_STR));
  } else {
    resURI = URI.create(JOINER.join("http://", conf.get(
        YarnConfiguration.TIMELINE_SERVICE_WEBAPP_ADDRESS,
        YarnConfiguration.DEFAULT_TIMELINE_SERVICE_WEBAPP_ADDRESS),
        RESOURCE_URI_STR));
  }
  LOG.info("Timeline service address: " + resURI);
  super.serviceInit(conf);
}
 
Example #26
Source File: KMSClientProvider.java    From hadoop with Apache License 2.0 4 votes vote down vote up
public KMSClientProvider(URI uri, Configuration conf) throws IOException {
  super(conf);
  kmsUrl = createServiceURL(extractKMSPath(uri));
  if ("https".equalsIgnoreCase(new URL(kmsUrl).getProtocol())) {
    sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, conf);
    try {
      sslFactory.init();
    } catch (GeneralSecurityException ex) {
      throw new IOException(ex);
    }
  }
  int timeout = conf.getInt(TIMEOUT_ATTR, DEFAULT_TIMEOUT);
  authRetry = conf.getInt(AUTH_RETRY, DEFAULT_AUTH_RETRY);
  configurator = new TimeoutConnConfigurator(timeout, sslFactory);
  encKeyVersionQueue =
      new ValueQueue<KeyProviderCryptoExtension.EncryptedKeyVersion>(
          conf.getInt(
              CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_SIZE,
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_SIZE_DEFAULT),
          conf.getFloat(
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_LOW_WATERMARK,
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_LOW_WATERMARK_DEFAULT),
          conf.getInt(
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_EXPIRY_MS,
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_EXPIRY_DEFAULT),
          conf.getInt(
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS,
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT),
          new EncryptedQueueRefiller());
  authToken = new DelegationTokenAuthenticatedURL.Token();
  actualUgi =
      (UserGroupInformation.getCurrentUser().getAuthenticationMethod() ==
      UserGroupInformation.AuthenticationMethod.PROXY) ? UserGroupInformation
          .getCurrentUser().getRealUser() : UserGroupInformation
          .getCurrentUser();
}