Java Code Examples for org.apache.hadoop.security.token.Token#getIdentifier()

The following examples show how to use org.apache.hadoop.security.token.Token#getIdentifier(). They are extracted from open source projects; the source project and file are named above each example.
Example 1
Source Project: flink    File: Utils.java    License: Apache License 2.0
/**
 * Collects the security tokens the application master needs and attaches them to its launch context.
 *
 * <p>Gathers HDFS delegation tokens for {@code paths}, an HBase token, and every token already held
 * by the current user, serialises them through a {@link Credentials} store and installs the bytes
 * on {@code amContainer}.
 *
 * @param amContainer the launch context that receives the serialised tokens
 * @param paths HDFS paths for which name-node delegation tokens are obtained
 * @param conf Hadoop configuration used when obtaining the tokens
 * @throws IOException if a token cannot be obtained or the credentials cannot be serialised
 */
public static void setTokensFor(ContainerLaunchContext amContainer, List<Path> paths, Configuration conf) throws IOException {
	final Credentials creds = new Credentials();

	// HDFS delegation tokens for every path the job touches
	TokenCache.obtainTokensForNamenodes(creds, paths.toArray(new Path[paths.size()]), conf);
	// HBase token
	obtainTokenForHBase(creds, conf);

	// Tokens the submitting user already carries. The raw identifier bytes
	// serve as the alias under which each token is stored.
	for (Token<? extends TokenIdentifier> userToken : UserGroupInformation.getCurrentUser().getTokens()) {
		final Text alias = new Text(userToken.getIdentifier());
		LOG.info("Adding user token " + alias + " with " + userToken);
		creds.addToken(alias, userToken);
	}

	try (DataOutputBuffer out = new DataOutputBuffer()) {
		creds.writeTokenStorageToStream(out);
		if (LOG.isDebugEnabled()) {
			LOG.debug("Wrote tokens. Credentials buffer length: " + out.getLength());
		}
		// Only the first getLength() bytes of the backing array are valid; wrap exactly that range.
		amContainer.setTokens(ByteBuffer.wrap(out.getData(), 0, out.getLength()));
	}
}
 
Example 2
Source Project: stratosphere    File: Utils.java    License: Apache License 2.0
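/**
 * Collects the security tokens the application master needs and attaches them to its launch context.
 *
 * <p>HDFS delegation tokens are obtained for {@code paths}, every token the current user already
 * holds is added under its raw identifier bytes as alias, and the whole {@link Credentials} store
 * is serialised into the container's token buffer.
 *
 * @param amContainer the launch context that receives the serialised tokens
 * @param paths HDFS paths for which name-node delegation tokens are obtained
 * @param conf Hadoop configuration used when obtaining the tokens
 * @throws IOException if a token cannot be obtained or the credentials cannot be serialised
 */
public static void setTokensFor(ContainerLaunchContext amContainer, Path[] paths, Configuration conf) throws IOException {
	Credentials credentials = new Credentials();
	// for HDFS
	TokenCache.obtainTokensForNamenodes(credentials, paths, conf);
	// for user
	UserGroupInformation currUsr = UserGroupInformation.getCurrentUser();

	Collection<Token<? extends TokenIdentifier>> usrTok = currUsr.getTokens();
	for (Token<? extends TokenIdentifier> token : usrTok) {
		final Text id = new Text(token.getIdentifier());
		LOG.info("Adding user token " + id + " with " + token);
		credentials.addToken(id, token);
	}
	// The buffer was previously never closed; close it on every path out.
	DataOutputBuffer dob = new DataOutputBuffer();
	try {
		credentials.writeTokenStorageToStream(dob);
		// Guard the concatenation so it is not paid for when debug logging is off.
		if (LOG.isDebugEnabled()) {
			LOG.debug("Wrote tokens. Credentials buffer length: " + dob.getLength());
		}
		// Only the first getLength() bytes of the backing array are valid.
		ByteBuffer securityTokens = ByteBuffer.wrap(dob.getData(), 0, dob.getLength());
		amContainer.setTokens(securityTokens);
	} finally {
		dob.close();
	}
}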
 
Example 3
Source Project: flink    File: Utils.java    License: Apache License 2.0
/**
 * Populates the application master's launch context with every security token the job needs.
 *
 * <p>Three sources are merged into one {@link Credentials} store: HDFS delegation tokens for
 * {@code paths}, an HBase token, and the tokens already attached to the current user. The store is
 * then serialised and handed to {@code amContainer}.
 *
 * @param amContainer the launch context that receives the serialised tokens
 * @param paths HDFS paths for which name-node delegation tokens are obtained
 * @param conf Hadoop configuration used when obtaining the tokens
 * @throws IOException if a token cannot be obtained or the credentials cannot be serialised
 */
public static void setTokensFor(ContainerLaunchContext amContainer, List<Path> paths, Configuration conf) throws IOException {
	final Credentials credentialStore = new Credentials();
	final Path[] pathArray = paths.toArray(new Path[0]);

	// HDFS
	TokenCache.obtainTokensForNamenodes(credentialStore, pathArray, conf);
	// HBase
	obtainTokenForHBase(credentialStore, conf);

	// tokens already held by the current user, keyed by their identifier bytes
	final UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
	final Collection<Token<? extends TokenIdentifier>> userTokens = currentUser.getTokens();
	for (Token<? extends TokenIdentifier> userToken : userTokens) {
		final Text alias = new Text(userToken.getIdentifier());
		LOG.info("Adding user token " + alias + " with " + userToken);
		credentialStore.addToken(alias, userToken);
	}

	try (DataOutputBuffer serialized = new DataOutputBuffer()) {
		credentialStore.writeTokenStorageToStream(serialized);

		if (LOG.isDebugEnabled()) {
			LOG.debug("Wrote tokens. Credentials buffer length: " + serialized.getLength());
		}

		// the backing array may be larger than the written content
		final ByteBuffer tokenBytes = ByteBuffer.wrap(serialized.getData(), 0, serialized.getLength());
		amContainer.setTokens(tokenBytes);
	}
}
 
Example 4
Source Project: big-c    File: DataNode.java    License: Apache License 2.0
/**
 * Verifies that {@code token} grants {@code accessMode} on {@code block}.
 *
 * <p>The identifier bytes carried by the token are decoded into a {@link BlockTokenIdentifier}
 * and handed to the block-pool secret manager for the access check. Nothing is checked when block
 * tokens are disabled on this DataNode.
 *
 * @param block the block being accessed
 * @param token the block token presented by the client
 * @param accessMode the kind of access requested
 * @throws IOException if the identifier cannot be decoded or the secret manager rejects the token
 */
private void checkBlockToken(ExtendedBlock block, Token<BlockTokenIdentifier> token,
    AccessMode accessMode) throws IOException {
  if (!isBlockTokenEnabled) {
    return;
  }
  DataInputStream identStream =
      new DataInputStream(new ByteArrayInputStream(token.getIdentifier()));
  BlockTokenIdentifier ident = new BlockTokenIdentifier();
  ident.readFields(identStream);
  if (LOG.isDebugEnabled()) {
    LOG.debug("Got: " + ident);
  }
  // No explicit user id is passed here; presumably the identifier's own user is used — verify against checkAccess.
  blockPoolTokenSecretManager.checkAccess(ident, null, block, accessMode);
}
 
Example 5
Source Project: big-c    File: TestDelegationToken.java    License: Apache License 2.0
/**
 * Exercises renewal and expiry of a delegation token through the shared secret manager.
 *
 * <p>A token issued for renewer "JobTracker" must be refused to "FakeRenewer", renew for
 * "JobTracker", be rejected by retrievePassword after the first sleep, be renewable again, and be
 * refused once the second sleep has pushed it past its maximum lifetime.
 */
@Test
public void testDelegationTokenSecretManager() throws Exception {
  final Token<DelegationTokenIdentifier> token =
      generateDelegationToken("SomeUser", "JobTracker");

  // Only the renewer named in the token may renew it.
  try {
    dtSecretManager.renewToken(token, "FakeRenewer");
    Assert.fail("should have failed");
  } catch (AccessControlException expected) {
    // PASS
  }
  dtSecretManager.renewToken(token, "JobTracker");

  // Decode the identifier so the password can be looked up directly.
  final DelegationTokenIdentifier ident = new DelegationTokenIdentifier();
  ident.readFields(new DataInputStream(new ByteArrayInputStream(token.getIdentifier())));
  Assert.assertNotNull(dtSecretManager.retrievePassword(ident));

  LOG.info("Sleep to expire the token");
  Thread.sleep(6000);
  try {
    dtSecretManager.retrievePassword(ident);
    Assert.fail("Token should have expired");
  } catch (InvalidToken expected) {
    // Success: the expired token is rejected.
  }

  // A renewal brings it back until the maximum lifetime is reached.
  dtSecretManager.renewToken(token, "JobTracker");
  LOG.info("Sleep beyond the max lifetime");
  Thread.sleep(5000);
  try {
    dtSecretManager.renewToken(token, "JobTracker");
    Assert.fail("should have been expired");
  } catch (InvalidToken expected) {
    // PASS
  }
}
 
Example 6
Source Project: big-c    File: DelegationTokenManager.java    License: Apache License 2.0
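/**
 * Decodes the identifier carried by {@code token} into a {@link DelegationTokenIdentifier}
 * of the given kind.
 *
 * <p>Only the identifier bytes are parsed; the token's password is not verified here, so the
 * result must not be treated as authenticated until a secret manager has checked it.
 *
 * @param token the token whose identifier bytes are decoded
 * @param tokenKind the kind the decoded identifier is tagged with
 * @return the decoded identifier
 * @throws IOException if the identifier bytes are malformed or truncated
 */
private static DelegationTokenIdentifier decodeToken(
    Token<DelegationTokenIdentifier> token, Text tokenKind)
        throws IOException {
  DelegationTokenIdentifier id = new DelegationTokenIdentifier(tokenKind);
  // try-with-resources closes the stream even when readFields() throws;
  // the explicit close() was skipped on that path before.
  try (DataInputStream dis =
      new DataInputStream(new ByteArrayInputStream(token.getIdentifier()))) {
    id.readFields(dis);
  }
  return id;
}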
 
Example 7
Source Project: big-c    File: DelegationTokenIdentifier.java    License: Apache License 2.0
/**
 * Renders {@code token} for display: the decoded identifier, followed by {@code " on <service>"}
 * when the token carries a non-empty service.
 *
 * @param token the token to stringify; its identifier bytes must decode as a
 *        {@link DelegationTokenIdentifier}
 * @return a string representation of the token
 * @throws IOException if the identifier bytes cannot be decoded
 */
public static String stringifyToken(final Token<?> token) throws IOException {
  final DelegationTokenIdentifier ident = new DelegationTokenIdentifier();
  ident.readFields(new DataInputStream(new ByteArrayInputStream(token.getIdentifier())));

  final boolean hasService = token.getService().getLength() > 0;
  return hasService ? ident + " on " + token.getService() : ident.toString();
}
 
Example 8
Source Project: hadoop    File: DataNodeUGIProvider.java    License: Apache License 2.0
/**
 * Builds the {@link UserGroupInformation} for the request's delegation token.
 *
 * <p>The user is taken from the decoded identifier and the token itself is attached to the
 * resulting UGI. NOTE(review): the identifier is decoded as-is; nothing here checks the token's
 * password against a secret manager — confirm that verification happens before the UGI is trusted.
 *
 * @return a UGI for the token's user, carrying the token
 * @throws IOException if the identifier bytes cannot be decoded
 */
private UserGroupInformation tokenUGI() throws IOException {
  final Token<DelegationTokenIdentifier> delegationToken = params.delegationToken();
  final DelegationTokenIdentifier ident = new DelegationTokenIdentifier();
  ident.readFields(new DataInputStream(
      new ByteArrayInputStream(delegationToken.getIdentifier())));

  final UserGroupInformation user = ident.getUser();
  user.addToken(delegationToken);
  return user;
}
 
Example 9
Source Project: hadoop    File: DataNode.java    License: Apache License 2.0
/**
 * Checks a client's block token against the block-pool secret manager.
 *
 * <p>When block tokens are enabled, the token's identifier bytes are decoded into a
 * {@link BlockTokenIdentifier} and the secret manager decides whether {@code accessMode} on
 * {@code block} is allowed. When they are disabled the method returns without checking anything.
 *
 * @param block the block being accessed
 * @param token the block token presented by the client
 * @param accessMode the kind of access requested
 * @throws IOException if decoding fails or the secret manager rejects the access
 */
private void checkBlockToken(ExtendedBlock block, Token<BlockTokenIdentifier> token,
    AccessMode accessMode) throws IOException {
  if (isBlockTokenEnabled) {
    final byte[] identifierBytes = token.getIdentifier();
    final BlockTokenIdentifier identifier = new BlockTokenIdentifier();
    identifier.readFields(new DataInputStream(new ByteArrayInputStream(identifierBytes)));
    if (LOG.isDebugEnabled()) {
      LOG.debug("Got: " + identifier.toString());
    }
    // user id argument is left null here — presumably taken from the identifier; verify against checkAccess
    blockPoolTokenSecretManager.checkAccess(identifier, null, block, accessMode);
  }
}
 
Example 10
Source Project: hadoop    File: JspHelper.java    License: Apache License 2.0
/**
 * Turns a URL-encoded delegation token into the {@link UserGroupInformation} of its owner.
 *
 * <p>When the servlet context exposes a NameNode, the decoded identifier is verified against the
 * token's password by the namesystem before it is trusted; without a context, or without a
 * NameNode in it, the identifier is accepted as decoded. The token's service and kind are filled
 * in from the NameNode address when that address can be determined. {@code conf} is accepted but
 * not read.
 *
 * @param context servlet context, may be {@code null}
 * @param request the HTTP request, used to resolve the NameNode service address
 * @param tokenString the token in its URL-string encoding
 * @param conf unused
 * @return a UGI for the token's user with the token attached
 * @throws IOException if the token string or identifier cannot be decoded, or if verification
 *         rejects the token
 */
private static UserGroupInformation getTokenUGI(ServletContext context,
                                                HttpServletRequest request,
                                                String tokenString,
                                                Configuration conf)
                                                    throws IOException {
  final Token<DelegationTokenIdentifier> token = new Token<DelegationTokenIdentifier>();
  token.decodeFromUrlString(tokenString);

  final InetSocketAddress nnAddress = getNNServiceAddress(context, request);
  if (nnAddress != null) {
    SecurityUtil.setTokenService(token, nnAddress);
    token.setKind(DelegationTokenIdentifier.HDFS_DELEGATION_KIND);
  }

  final DelegationTokenIdentifier ident = new DelegationTokenIdentifier();
  ident.readFields(new DataInputStream(
      new ByteArrayInputStream(token.getIdentifier())));

  // Verification only happens when a NameNode is reachable through the context.
  final NameNode nn = (context == null)
      ? null : NameNodeHttpServer.getNameNodeFromContext(context);
  if (nn != null) {
    nn.getNamesystem().verifyToken(ident, token.getPassword());
  }

  final UserGroupInformation ugi = ident.getUser();
  ugi.addToken(token);
  return ugi;
}
 
Example 11
Source Project: hadoop    File: TestDelegationToken.java    License: Apache License 2.0
/**
 * Walks a delegation token through its lifecycle against the shared secret manager:
 * renewal by the wrong principal is refused, renewal by "JobTracker" succeeds, the password
 * lookup fails after the token has been left to expire, a renewal revives it, and renewal is
 * refused again once the maximum lifetime has passed.
 */
@Test
public void testDelegationTokenSecretManager() throws Exception {
  final Token<DelegationTokenIdentifier> token = generateDelegationToken(
      "SomeUser", "JobTracker");

  // Fake renewer should not be able to renew
  boolean fakeRenewerRefused = false;
  try {
    dtSecretManager.renewToken(token, "FakeRenewer");
  } catch (AccessControlException ace) {
    fakeRenewerRefused = true;
  }
  if (!fakeRenewerRefused) {
    Assert.fail("should have failed");
  }
  dtSecretManager.renewToken(token, "JobTracker");

  final DelegationTokenIdentifier tokenIdent = new DelegationTokenIdentifier();
  final byte[] identBytes = token.getIdentifier();
  tokenIdent.readFields(new DataInputStream(new ByteArrayInputStream(identBytes)));
  Assert.assertTrue(null != dtSecretManager.retrievePassword(tokenIdent));

  LOG.info("Sleep to expire the token");
  Thread.sleep(6000);
  //Token should be expired
  try {
    dtSecretManager.retrievePassword(tokenIdent);
    //Should not come here
    Assert.fail("Token should have expired");
  } catch (InvalidToken e) {
    //Success
  }

  dtSecretManager.renewToken(token, "JobTracker");
  LOG.info("Sleep beyond the max lifetime");
  Thread.sleep(5000);
  try {
    dtSecretManager.renewToken(token, "JobTracker");
    Assert.fail("should have been expired");
  } catch (InvalidToken it) {
    // PASS
  }
}
 
Example 12
Source Project: big-c    File: JspHelper.java    License: Apache License 2.0
/**
 * Resolves the user behind a URL-encoded delegation token.
 *
 * <p>The token is decoded from {@code tokenString}; if a NameNode service address can be resolved
 * from {@code context} and {@code request}, the token's service and kind are set from it. The
 * identifier is then decoded and, only when {@code context} yields a NameNode, verified against
 * the token's password by the namesystem. The returned UGI carries the token. {@code conf} is not
 * read.
 *
 * @param context servlet context, may be {@code null} (skips verification)
 * @param request the HTTP request used to resolve the NameNode address
 * @param tokenString the token in URL-string form
 * @param conf unused
 * @return the token owner's UGI with the token attached
 * @throws IOException on decode failure or when verification rejects the token
 */
private static UserGroupInformation getTokenUGI(ServletContext context,
                                                HttpServletRequest request,
                                                String tokenString,
                                                Configuration conf)
                                                    throws IOException {
  final Token<DelegationTokenIdentifier> decoded =
      new Token<DelegationTokenIdentifier>();
  decoded.decodeFromUrlString(tokenString);

  final InetSocketAddress serviceAddress = getNNServiceAddress(context, request);
  if (serviceAddress != null) {
    SecurityUtil.setTokenService(decoded, serviceAddress);
    decoded.setKind(DelegationTokenIdentifier.HDFS_DELEGATION_KIND);
  }

  final DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
  final DataInputStream identStream = new DataInputStream(
      new ByteArrayInputStream(decoded.getIdentifier()));
  identifier.readFields(identStream);

  if (context != null) {
    final NameNode nameNode = NameNodeHttpServer.getNameNodeFromContext(context);
    if (nameNode != null) {
      // Verify the token against its password; skipped when no NameNode is in the context.
      nameNode.getNamesystem().verifyToken(identifier, decoded.getPassword());
    }
  }

  final UserGroupInformation owner = identifier.getUser();
  owner.addToken(decoded);
  return owner;
}
 
Example 13
Source Project: hadoop    File: DelegationTokenManager.java    License: Apache License 2.0
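/**
 * Parses the identifier bytes of {@code token} into a {@link DelegationTokenIdentifier}
 * tagged with {@code tokenKind}.
 *
 * <p>This is decoding only: the token's password is not checked against any secret manager here.
 *
 * @param token the token whose identifier is decoded
 * @param tokenKind the kind assigned to the new identifier
 * @return the decoded identifier
 * @throws IOException if the identifier bytes are malformed or truncated
 */
private static DelegationTokenIdentifier decodeToken(
    Token<DelegationTokenIdentifier> token, Text tokenKind)
        throws IOException {
  // try-with-resources: the original close() was bypassed when readFields() threw
  try (DataInputStream dis =
      new DataInputStream(new ByteArrayInputStream(token.getIdentifier()))) {
    DelegationTokenIdentifier id = new DelegationTokenIdentifier(tokenKind);
    id.readFields(dis);
    return id;
  }
}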
 
Example 14
Source Project: big-c    File: TestDelegationToken.java    License: Apache License 2.0
/**
 * Checks that {@code token} is a valid, renewable delegation token for {@code ugi}.
 *
 * <p>The identifier is decoded by hand (see the note in the body), its password is looked up in
 * the secret manager, the token is renewed directly through the secret manager, and finally
 * renewed and cancelled through the token's own API while running as {@code ugi}.
 *
 * @param ugi the user the renew/cancel calls run as
 * @param token the token under test; must not be null
 * @throws Exception if any step fails
 */
@SuppressWarnings("unchecked")
private void checkTokenIdentifier(UserGroupInformation ugi, final Token<?> token)
    throws Exception {
  Assert.assertNotNull(token);
  // should be able to use token.decodeIdentifier() but webhdfs isn't
  // registered with the service loader for token decoding
  final DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
  try (DataInputStream in =
      new DataInputStream(new ByteArrayInputStream(token.getIdentifier()))) {
    identifier.readFields(in);
  }
  Assert.assertNotNull(identifier);
  LOG.info("A valid token should have non-null password, and should be renewed successfully");
  Assert.assertNotNull(dtSecretManager.retrievePassword(identifier));
  dtSecretManager.renewToken((Token<DelegationTokenIdentifier>) token, "JobTracker");
  ugi.doAs(new PrivilegedExceptionAction<Object>() {
    @Override
    public Object run() throws Exception {
      token.renew(config);
      token.cancel(config);
      return null;
    }
  });
}
 
Example 15
Source Project: big-c    File: DataNodeUGIProvider.java    License: Apache License 2.0
/**
 * Derives a {@link UserGroupInformation} from the delegation token in {@code params}.
 *
 * <p>The identifier bytes are decoded and the identifier's user becomes the UGI, with the token
 * attached to it. NOTE(review): no password verification is performed in this method; confirm the
 * token is validated elsewhere before the UGI is acted upon.
 *
 * @return the token owner's UGI, carrying the token
 * @throws IOException if the identifier bytes cannot be decoded
 */
private UserGroupInformation tokenUGI() throws IOException {
  final Token<DelegationTokenIdentifier> requestToken = params.delegationToken();
  final DataInputStream identStream = new DataInputStream(
      new ByteArrayInputStream(requestToken.getIdentifier()));
  final DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
  identifier.readFields(identStream);

  final UserGroupInformation owner = identifier.getUser();
  owner.addToken(requestToken);
  return owner;
}
 
Example 16
/**
 * Renew a delegation token.
 *
 * <p>The identifier is decoded from the token bytes and then checked in order: the maximum
 * lifetime must not have passed, {@code validateToken} must accept it, and the identifier must
 * name a renewer equal to {@code renewer}. The new expiration is one renew interval from now,
 * capped at the identifier's max date. Without Ratis the renewal is persisted to the token store;
 * a failure to persist is logged and the new expiration is still returned.
 *
 * @param token the token to renew
 * @param renewer the full principal name of the user doing the renewal
 * @return the new expiration time
 * @throws OMException with {@code TOKEN_EXPIRED} if the token's max date has passed
 * @throws InvalidToken if the token is invalid
 * @throws AccessControlException if the identifier has no renewer or names a different one
 */
@Override
public synchronized long renewToken(Token<OzoneTokenIdentifier> token,
    String renewer) throws IOException {
  final OzoneTokenIdentifier id = OzoneTokenIdentifier.readProtoBuf(
      new DataInputStream(new ByteArrayInputStream(token.getIdentifier())));
  if (LOG.isDebugEnabled()) {
    LOG.debug("Token renewal for identifier: {}, total currentTokens: {}",
        formatTokenId(id), currentTokens.size());
  }

  final long now = Time.now();
  final long maxDate = id.getMaxDate();
  if (maxDate < now) {
    throw new OMException(renewer + " tried to renew an expired token "
        + formatTokenId(id) + " max expiration date: "
        + Time.formatTime(maxDate)
        + " currentTime: " + Time.formatTime(now), TOKEN_EXPIRED);
  }
  validateToken(id);

  // The renewer recorded in the identifier is the only principal allowed to renew.
  final String idRenewer =
      (id.getRenewer() == null) ? null : id.getRenewer().toString();
  if (idRenewer == null || idRenewer.isEmpty()) {
    throw new AccessControlException(renewer +
        " tried to renew a token " + formatTokenId(id)
        + " without a renewer");
  }
  if (!idRenewer.equals(renewer)) {
    throw new AccessControlException(renewer
        + " tries to renew a token " + formatTokenId(id)
        + " with non-matching renewer " + idRenewer);
  }

  final long renewTime = Math.min(maxDate, now + getTokenRenewInterval());

  // For HA ratis will take care of updating.
  // This will be removed, when HA/Non-HA code is merged.
  if (!isRatisEnabled) {
    try {
      addToTokenStore(id, token.getPassword(), renewTime);
    } catch (IOException e) {
      // best effort: the renewal is still reported to the caller
      LOG.error("Unable to update token " + id.getSequenceNumber(), e);
    }
  }
  return renewTime;
}
 
Example 17
Source Project: big-c    File: TestDelegationToken.java    License: Apache License 2.0
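/**
 * Rolling the master key must keep previously issued tokens valid.
 *
 * <p>A token is generated, the master key is rolled, and the token's password is retrieved again
 * through the secret manager: the key set must have grown and the password must be unchanged.
 * The test finally waits for the old key to be removed so the removal hook is exercised too.
 */
@Test(timeout = 10000)
public void testRollMasterKey() throws Exception {
  TestDelegationTokenSecretManager dtSecretManager =
    new TestDelegationTokenSecretManager(800,
      800,1*1000,3600000);
  try {
    dtSecretManager.startThreads();
    //generate a token and store the password
    Token<TestDelegationTokenIdentifier> token = generateDelegationToken(
        dtSecretManager, "SomeUser", "JobTracker");
    byte[] oldPasswd = token.getPassword();
    //store the length of the keys list
    int prevNumKeys = dtSecretManager.getAllKeys().length;

    dtSecretManager.rollMasterKey();
    Assert.assertTrue(dtSecretManager.isStoreNewMasterKeyCalled);

    //after rolling, the length of the keys list must increase
    int currNumKeys = dtSecretManager.getAllKeys().length;
    Assert.assertTrue("rolling the master key must add a key",
        currNumKeys - prevNumKeys >= 1);

    //after rolling, the token that was generated earlier must
    //still be valid (retrievePassword will fail if the token
    //is not valid)
    TestDelegationTokenIdentifier identifier =
      dtSecretManager.createIdentifier();
    try (DataInputStream in = new DataInputStream(
        new ByteArrayInputStream(token.getIdentifier()))) {
      identifier.readFields(in);
    }
    byte[] newPasswd =
      dtSecretManager.retrievePassword(identifier);
    //compare the password bytes: assertEquals(Object, Object) on arrays
    //only compared references, not contents
    Assert.assertArrayEquals(oldPasswd, newPasswd);
    // wait for keys to expire
    while(!dtSecretManager.isRemoveStoredMasterKeyCalled) {
      Thread.sleep(200);
    }
  } finally {
    dtSecretManager.stopThreads();
  }
}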
 
Example 18
/**
 * Test if StandbyException can be thrown from StandbyNN, when it's requested for
 * password. (HDFS-6475). With StandbyException, the client can failover to try
 * activeNN.
 *
 * <p>nn1 is made active and issues the token. The password lookup is then driven against
 * {@code dtSecretManager} as the token's user and the resulting failure is pushed through the
 * ExceptionHandler / JsonUtil round trip, where the client side must be able to unwrap a
 * StandbyException from it.
 */
@Test(timeout = 300000)
public void testDelegationTokenStandbyNNAppearFirst() throws Exception {
  // make nn0 the standby NN, and nn1 the active NN
  cluster.transitionToStandby(0);
  cluster.transitionToActive(1);

  final DelegationTokenSecretManager activeSecretManager =
      NameNodeAdapter.getDtSecretManager(nn1.getNamesystem());

  // create token
  final Token<DelegationTokenIdentifier> token = getDelegationToken(fs, "JobTracker");
  final DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
  identifier.readFields(new DataInputStream(
      new ByteArrayInputStream(token.getIdentifier())));

  // The active NN knows the token.
  assertTrue(null != activeSecretManager.retrievePassword(identifier));

  final UserGroupInformation jobTracker =
      UserGroupInformation.createRemoteUser("JobTracker");
  jobTracker.addToken(token);

  jobTracker.doAs(new PrivilegedExceptionAction<Object>() {
    @Override
    public Object run() {
      try {
        try {
          // dtSecretManager is set up outside this test — presumably nn0's, which is now standby
          byte[] password = dtSecretManager.retrievePassword(identifier);
          fail("InvalidToken with cause StandbyException is expected"
              + " since nn0 is standby");
          return password;
        } catch (IOException e) {
          // Mimic the UserProvider class logic (server side) by throwing
          // SecurityException here
          throw new SecurityException(
              SecurityUtil.FAILED_TO_GET_UGI_MSG_HEADER + " " + e, e);
        }
      } catch (Exception serverSide) {
        // serverSide is the SecurityException thrown above:
        //     java.lang.SecurityException: Failed to obtain user group
        //     information: org.apache.hadoop.security.token.
        //     SecretManager$InvalidToken: StandbyException
        ExceptionHandler handler = new ExceptionHandler();
        handler.initResponse(mock(HttpServletResponse.class));

        // The Response below is what the server will send to the client.
        // BEFORE HDFS-6475 fix, the entity is
        //     {"RemoteException":{"exception":"SecurityException",
        //      "javaClassName":"java.lang.SecurityException",
        //      "message":"Failed to obtain user group information:
        //      org.apache.hadoop.security.token.SecretManager$InvalidToken:
        //        StandbyException"}}
        // AFTER the fix, the entity is
        //     {"RemoteException":{"exception":"StandbyException",
        //      "javaClassName":"org.apache.hadoop.ipc.StandbyException",
        //      "message":"Operation category READ is not supported in
        //       state standby"}}
        Response resp = handler.toResponse(serverSide);

        // Mimic the client side logic by parsing the response from server
        Map<?, ?> json = (Map<?, ?>) JSON.parse(resp.getEntity().toString());
        RemoteException remote = JsonUtil.toRemoteException(json);
        Exception unwrapped = remote.unwrapRemoteException(StandbyException.class);
        assertTrue(unwrapped instanceof StandbyException);
        return null;
      }
    }
  });
}
 
Example 19
Source Project: hadoop    File: TestDelegationToken.java    License: Apache License 2.0
/**
 * Exercises the renewal and expiry rules of a freshly started secret manager.
 *
 * <p>A token issued for renewer "JobTracker" must be refused to "FakeRenewer", renew for
 * "JobTracker" with an expiry in the future, be rejected by retrievePassword after the first
 * sleep, be renewable again, and finally be refused once the second sleep has passed the
 * maximum lifetime. The manager's store hooks are asserted along the way.
 */
@Test
public void testDelegationTokenSecretManager() throws Exception {
  final TestDelegationTokenSecretManager dtSecretManager =
    new TestDelegationTokenSecretManager(24*60*60*1000,
        3*1000,1*1000,3600000);
  try {
    dtSecretManager.startThreads();
    final Token<TestDelegationTokenIdentifier> token =
      generateDelegationToken(dtSecretManager, "SomeUser", "JobTracker");
    Assert.assertTrue(dtSecretManager.isStoreNewTokenCalled);

    // Fake renewer should not be able to renew
    shouldThrow(new PrivilegedExceptionAction<Object>() {
      @Override
      public Object run() throws Exception {
        dtSecretManager.renewToken(token, "FakeRenewer");
        return null;
      }
    }, AccessControlException.class);

    final long newExpiry = dtSecretManager.renewToken(token, "JobTracker");
    Assert.assertTrue(dtSecretManager.isUpdateStoredTokenCalled);
    assertTrue("renew time is in future", newExpiry > Time.now());

    final TestDelegationTokenIdentifier identifier =
      new TestDelegationTokenIdentifier();
    identifier.readFields(new DataInputStream(
        new ByteArrayInputStream(token.getIdentifier())));
    Assert.assertNotNull(dtSecretManager.retrievePassword(identifier));

    LOG.info("Sleep to expire the token");
    Thread.sleep(2000);
    //Token should be expired
    try {
      dtSecretManager.retrievePassword(identifier);
      Assert.fail("Token should have expired");
    } catch (InvalidToken expected) {
      //Success
    }

    dtSecretManager.renewToken(token, "JobTracker");
    LOG.info("Sleep beyond the max lifetime");
    Thread.sleep(2000);
    shouldThrow(new PrivilegedExceptionAction<Object>() {
      @Override
      public Object run() throws Exception {
        dtSecretManager.renewToken(token, "JobTracker");
        return null;
      }
    }, InvalidToken.class);
  } finally {
    dtSecretManager.stopThreads();
  }
}
 
Example 20
Source Project: hadoop    File: TestDelegationToken.java    License: Apache License 2.0
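/**
 * A master-key roll must not invalidate tokens issued under the previous key.
 *
 * <p>After generating a token and rolling the key, the key count must have increased and the
 * password the secret manager returns for the token's identifier must equal the password stored
 * in the token. The test then waits until the manager reports removal of a stored master key.
 */
@Test(timeout = 10000)
public void testRollMasterKey() throws Exception {
  TestDelegationTokenSecretManager dtSecretManager =
    new TestDelegationTokenSecretManager(800,
      800,1*1000,3600000);
  try {
    dtSecretManager.startThreads();
    //generate a token and store the password
    Token<TestDelegationTokenIdentifier> token = generateDelegationToken(
        dtSecretManager, "SomeUser", "JobTracker");
    byte[] oldPasswd = token.getPassword();
    //store the length of the keys list
    int prevNumKeys = dtSecretManager.getAllKeys().length;

    dtSecretManager.rollMasterKey();
    Assert.assertTrue(dtSecretManager.isStoreNewMasterKeyCalled);

    //after rolling, the length of the keys list must increase
    int currNumKeys = dtSecretManager.getAllKeys().length;
    Assert.assertTrue("key count must grow after rollMasterKey",
        currNumKeys - prevNumKeys >= 1);

    //after rolling, the token that was generated earlier must
    //still be valid (retrievePassword will fail if the token
    //is not valid)
    ByteArrayInputStream bi =
      new ByteArrayInputStream(token.getIdentifier());
    TestDelegationTokenIdentifier identifier =
      dtSecretManager.createIdentifier();
    identifier.readFields(new DataInputStream(bi));
    byte[] newPasswd =
      dtSecretManager.retrievePassword(identifier);
    //compare the passwords by content; assertEquals on byte[] compared
    //references only
    Assert.assertArrayEquals(oldPasswd, newPasswd);
    // wait for keys to expire
    while(!dtSecretManager.isRemoveStoredMasterKeyCalled) {
      Thread.sleep(200);
    }
  } finally {
    dtSecretManager.stopThreads();
  }
}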