Java Code Examples for org.apache.hadoop.security.Credentials#getSecretKey()

private void recoverAppAttemptCredentials(Credentials appAttemptTokens,
    RMAppAttemptState state) {
  if (appAttemptTokens == null || state == RMAppAttemptState.FAILED
      || state == RMAppAttemptState.FINISHED
      || state == RMAppAttemptState.KILLED) {
    return;
  }

  if (UserGroupInformation.isSecurityEnabled()) {
    byte[] clientTokenMasterKeyBytes = appAttemptTokens.getSecretKey(
        RMStateStore.AM_CLIENT_TOKEN_MASTER_KEY_NAME);
    if (clientTokenMasterKeyBytes != null) {
      clientTokenMasterKey = rmContext.getClientToAMTokenSecretManager()
          .registerMasterKey(applicationAttemptId, clientTokenMasterKeyBytes);
    }
  }

  setAMRMToken(rmContext.getAMRMTokenSecretManager().createAndGetAMRMToken(
      applicationAttemptId));
}
 

private static void checkSecrets(Credentials ts) {
  if  ( ts == null){
    throw new RuntimeException("The credentials are not available"); 
    // fail the test
  }

  for(int i=0; i<NUM_OF_KEYS; i++) {
    String secretName = "alias"+i;
    // get token storage and a key
    byte[] secretValue =  ts.getSecretKey(new Text(secretName));
    System.out.println(secretValue);

    if (secretValue == null){
      throw new RuntimeException("The key "+ secretName + " is not available. "); 
      // fail the test
    }

    String secretValueStr = new String (secretValue);

    if  ( !("password"+i).equals(secretValueStr)){
      throw new RuntimeException("The key "+ secretName +
          " is not correct. Expected value is "+ ("password"+i) +
          ". Actual value is " + secretValueStr); // fail the test
    }        
  }
}
 

private void recoverAppAttemptCredentials(Credentials appAttemptTokens,
    RMAppAttemptState state) {
  if (appAttemptTokens == null || state == RMAppAttemptState.FAILED
      || state == RMAppAttemptState.FINISHED
      || state == RMAppAttemptState.KILLED) {
    return;
  }

  if (UserGroupInformation.isSecurityEnabled()) {
    byte[] clientTokenMasterKeyBytes = appAttemptTokens.getSecretKey(
        RMStateStore.AM_CLIENT_TOKEN_MASTER_KEY_NAME);
    if (clientTokenMasterKeyBytes != null) {
      clientTokenMasterKey = rmContext.getClientToAMTokenSecretManager()
          .registerMasterKey(applicationAttemptId, clientTokenMasterKeyBytes);
    }
  }

  setAMRMToken(rmContext.getAMRMTokenSecretManager().createAndGetAMRMToken(
      applicationAttemptId));
}
 

private static void checkSecrets(Credentials ts) {
  if  ( ts == null){
    throw new RuntimeException("The credentials are not available"); 
    // fail the test
  }

  for(int i=0; i<NUM_OF_KEYS; i++) {
    String secretName = "alias"+i;
    // get token storage and a key
    byte[] secretValue =  ts.getSecretKey(new Text(secretName));
    System.out.println(secretValue);

    if (secretValue == null){
      throw new RuntimeException("The key "+ secretName + " is not available. "); 
      // fail the test
    }

    String secretValueStr = new String (secretValue);

    if  ( !("password"+i).equals(secretValueStr)){
      throw new RuntimeException("The key "+ secretName +
          " is not correct. Expected value is "+ ("password"+i) +
          ". Actual value is " + secretValueStr); // fail the test
    }        
  }
}
 

public static URI getKeyProviderUri(UserGroupInformation ugi,
    URI namespaceUri, String kmsUriSrv, ConfigurationSource conf)
    throws IOException {
  URI keyProviderUri = null;
  Credentials credentials = ugi.getCredentials();
  Text credsKey = null;
  if (namespaceUri != null) {
    // from ugi
    credsKey = getKeyProviderMapKey(namespaceUri);
    byte[] keyProviderUriBytes = credentials.getSecretKey(credsKey);
    if (keyProviderUriBytes != null) {
      keyProviderUri = URI.create(bytes2String(keyProviderUriBytes));
    }
  }
  if (keyProviderUri == null) {
    // from client conf
    if (kmsUriSrv == null) {
      Configuration hadoopConfig =
          LegacyHadoopConfigurationSource.asHadoopConfiguration(conf);
      keyProviderUri = KMSUtil.getKeyProviderUri(
          hadoopConfig, keyProviderUriKeyName);
    } else if (!kmsUriSrv.isEmpty()) {
      // from om server
      keyProviderUri = URI.create(kmsUriSrv);
    }
  }
  // put back into UGI
  if (keyProviderUri != null && credsKey != null) {
    credentials.addSecretKey(
        credsKey, StringUtils.string2Bytes(keyProviderUri.toString()));
  }

  return keyProviderUri;
}
 

@Test
public void testMRAppMasterCredentials() throws Exception {

  Logger rootLogger = LogManager.getRootLogger();
  rootLogger.setLevel(Level.DEBUG);

  // Simulate credentials passed to AM via client->RM->NM
  Credentials credentials = new Credentials();
  byte[] identifier = "MyIdentifier".getBytes();
  byte[] password = "MyPassword".getBytes();
  Text kind = new Text("MyTokenKind");
  Text service = new Text("host:port");
  Token<? extends TokenIdentifier> myToken =
      new Token<TokenIdentifier>(identifier, password, kind, service);
  Text tokenAlias = new Text("myToken");
  credentials.addToken(tokenAlias, myToken);

  Text appTokenService = new Text("localhost:0");
  Token<AMRMTokenIdentifier> appToken =
      new Token<AMRMTokenIdentifier>(identifier, password,
          AMRMTokenIdentifier.KIND_NAME, appTokenService);
  credentials.addToken(appTokenService, appToken);
  
  Text keyAlias = new Text("mySecretKeyAlias");
  credentials.addSecretKey(keyAlias, "mySecretKey".getBytes());
  Token<? extends TokenIdentifier> storedToken =
      credentials.getToken(tokenAlias);

  JobConf conf = new JobConf();

  Path tokenFilePath = new Path(testDir.getAbsolutePath(), "tokens-file");
  Map<String, String> newEnv = new HashMap<String, String>();
  newEnv.put(UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION, tokenFilePath
    .toUri().getPath());
  setNewEnvironmentHack(newEnv);
  credentials.writeTokenStorageFile(tokenFilePath, conf);

  ApplicationId appId = ApplicationId.newInstance(12345, 56);
  ApplicationAttemptId applicationAttemptId =
      ApplicationAttemptId.newInstance(appId, 1);
  ContainerId containerId =
      ContainerId.newContainerId(applicationAttemptId, 546);
  String userName = UserGroupInformation.getCurrentUser().getShortUserName();

  // Create staging dir, so MRAppMaster doesn't barf.
  File stagingDir =
      new File(MRApps.getStagingAreaDir(conf, userName).toString());
  stagingDir.mkdirs();

  // Set login-user to null as that is how real world MRApp starts with.
  // This is null is the reason why token-file is read by UGI.
  UserGroupInformation.setLoginUser(null);

  MRAppMasterTest appMaster =
      new MRAppMasterTest(applicationAttemptId, containerId, "host", -1, -1,
        System.currentTimeMillis(), false, true);
  MRAppMaster.initAndStartAppMaster(appMaster, conf, userName);

  // Now validate the task credentials
  Credentials appMasterCreds = appMaster.getCredentials();
  Assert.assertNotNull(appMasterCreds);
  Assert.assertEquals(1, appMasterCreds.numberOfSecretKeys());
  Assert.assertEquals(1, appMasterCreds.numberOfTokens());

  // Validate the tokens - app token should not be present
  Token<? extends TokenIdentifier> usedToken =
      appMasterCreds.getToken(tokenAlias);
  Assert.assertNotNull(usedToken);
  Assert.assertEquals(storedToken, usedToken);

  // Validate the keys
  byte[] usedKey = appMasterCreds.getSecretKey(keyAlias);
  Assert.assertNotNull(usedKey);
  Assert.assertEquals("mySecretKey", new String(usedKey));

  // The credentials should also be added to conf so that OuputCommitter can
  // access it - app token should not be present
  Credentials confCredentials = conf.getCredentials();
  Assert.assertEquals(1, confCredentials.numberOfSecretKeys());
  Assert.assertEquals(1, confCredentials.numberOfTokens());
  Assert.assertEquals(storedToken, confCredentials.getToken(tokenAlias));
  Assert.assertEquals("mySecretKey",
    new String(confCredentials.getSecretKey(keyAlias)));
  
  // Verify the AM's ugi - app token should be present
  Credentials ugiCredentials = appMaster.getUgi().getCredentials();
  Assert.assertEquals(1, ugiCredentials.numberOfSecretKeys());
  Assert.assertEquals(2, ugiCredentials.numberOfTokens());
  Assert.assertEquals(storedToken, ugiCredentials.getToken(tokenAlias));
  Assert.assertEquals(appToken, ugiCredentials.getToken(appTokenService));
  Assert.assertEquals("mySecretKey",
    new String(ugiCredentials.getSecretKey(keyAlias)));


}
 

/**
 * auxiliary method to get user's secret keys..
 * @param alias
 * @return secret key from the storage
 */
public static byte[] getSecretKey(Credentials credentials, Text alias) {
  if(credentials == null)
    return null;
  return credentials.getSecretKey(alias);
}
 

@Test
public void testMRAppMasterCredentials() throws Exception {

  Logger rootLogger = LogManager.getRootLogger();
  rootLogger.setLevel(Level.DEBUG);

  // Simulate credentials passed to AM via client->RM->NM
  Credentials credentials = new Credentials();
  byte[] identifier = "MyIdentifier".getBytes();
  byte[] password = "MyPassword".getBytes();
  Text kind = new Text("MyTokenKind");
  Text service = new Text("host:port");
  Token<? extends TokenIdentifier> myToken =
      new Token<TokenIdentifier>(identifier, password, kind, service);
  Text tokenAlias = new Text("myToken");
  credentials.addToken(tokenAlias, myToken);

  Text appTokenService = new Text("localhost:0");
  Token<AMRMTokenIdentifier> appToken =
      new Token<AMRMTokenIdentifier>(identifier, password,
          AMRMTokenIdentifier.KIND_NAME, appTokenService);
  credentials.addToken(appTokenService, appToken);
  
  Text keyAlias = new Text("mySecretKeyAlias");
  credentials.addSecretKey(keyAlias, "mySecretKey".getBytes());
  Token<? extends TokenIdentifier> storedToken =
      credentials.getToken(tokenAlias);

  JobConf conf = new JobConf();

  Path tokenFilePath = new Path(testDir.getAbsolutePath(), "tokens-file");
  Map<String, String> newEnv = new HashMap<String, String>();
  newEnv.put(UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION, tokenFilePath
    .toUri().getPath());
  setNewEnvironmentHack(newEnv);
  credentials.writeTokenStorageFile(tokenFilePath, conf);

  ApplicationId appId = ApplicationId.newInstance(12345, 56);
  ApplicationAttemptId applicationAttemptId =
      ApplicationAttemptId.newInstance(appId, 1);
  ContainerId containerId =
      ContainerId.newContainerId(applicationAttemptId, 546);
  String userName = UserGroupInformation.getCurrentUser().getShortUserName();

  // Create staging dir, so MRAppMaster doesn't barf.
  File stagingDir =
      new File(MRApps.getStagingAreaDir(conf, userName).toString());
  stagingDir.mkdirs();

  // Set login-user to null as that is how real world MRApp starts with.
  // This is null is the reason why token-file is read by UGI.
  UserGroupInformation.setLoginUser(null);

  MRAppMasterTest appMaster =
      new MRAppMasterTest(applicationAttemptId, containerId, "host", -1, -1,
        System.currentTimeMillis(), false, true);
  MRAppMaster.initAndStartAppMaster(appMaster, conf, userName);

  // Now validate the task credentials
  Credentials appMasterCreds = appMaster.getCredentials();
  Assert.assertNotNull(appMasterCreds);
  Assert.assertEquals(1, appMasterCreds.numberOfSecretKeys());
  Assert.assertEquals(1, appMasterCreds.numberOfTokens());

  // Validate the tokens - app token should not be present
  Token<? extends TokenIdentifier> usedToken =
      appMasterCreds.getToken(tokenAlias);
  Assert.assertNotNull(usedToken);
  Assert.assertEquals(storedToken, usedToken);

  // Validate the keys
  byte[] usedKey = appMasterCreds.getSecretKey(keyAlias);
  Assert.assertNotNull(usedKey);
  Assert.assertEquals("mySecretKey", new String(usedKey));

  // The credentials should also be added to conf so that OuputCommitter can
  // access it - app token should not be present
  Credentials confCredentials = conf.getCredentials();
  Assert.assertEquals(1, confCredentials.numberOfSecretKeys());
  Assert.assertEquals(1, confCredentials.numberOfTokens());
  Assert.assertEquals(storedToken, confCredentials.getToken(tokenAlias));
  Assert.assertEquals("mySecretKey",
    new String(confCredentials.getSecretKey(keyAlias)));
  
  // Verify the AM's ugi - app token should be present
  Credentials ugiCredentials = appMaster.getUgi().getCredentials();
  Assert.assertEquals(1, ugiCredentials.numberOfSecretKeys());
  Assert.assertEquals(2, ugiCredentials.numberOfTokens());
  Assert.assertEquals(storedToken, ugiCredentials.getToken(tokenAlias));
  Assert.assertEquals(appToken, ugiCredentials.getToken(appTokenService));
  Assert.assertEquals("mySecretKey",
    new String(ugiCredentials.getSecretKey(keyAlias)));


}
 

/**
 * auxiliary method to get user's secret keys..
 * @param alias
 * @return secret key from the storage
 */
public static byte[] getSecretKey(Credentials credentials, Text alias) {
  if(credentials == null)
    return null;
  return credentials.getSecretKey(alias);
}
 

/**
 * auxiliary method to get user's secret keys..
 * @param alias
 * @return secret key from the storage
 */
public static byte[] getSecretKey(Credentials credentials, Text alias) {
  if(credentials == null)
    return null;
  return credentials.getSecretKey(alias);
}
 

/**
 * auxiliary method to get user's secret keys..
 * @param alias
 * @return secret key from the storage
 */
public static byte[] getSecretKey(Credentials credentials, Text alias) {
  if(credentials == null)
    return null;
  return credentials.getSecretKey(alias);
}