org.apache.hadoop.security.token.SecretManager Java Examples

Example #1
Source File: TokenProvider.java (hbase, Apache License 2.0)
/**
 * Picks up the region server's {@link AuthenticationTokenSecretManager} when
 * this coprocessor is loaded on a region; any other environment is ignored.
 * <p>
 * The casts to {@code HasRegionServerServices} and {@code RpcServer} are not
 * guarded, so an environment that does not provide them fails loudly at load
 * time rather than leaving {@code secretManager} unset.
 *
 * @param env the environment the coprocessor was loaded into
 */
@Override
public void start(CoprocessorEnvironment env) {
  if (!(env instanceof RegionCoprocessorEnvironment)) {
    // Not hosted by a region: nothing to wire up.
    return;
  }
  RegionCoprocessorEnvironment regionEnv = (RegionCoprocessorEnvironment) env;
  /* Getting the RpcServer from a RegionCE is wrong. There cannot be an expectation that Region
   is hosted inside a RegionServer. If you need RpcServer, then pass in a RegionServerCE.
   TODO: FIX.
   */
  RegionServerServices services = ((HasRegionServerServices) regionEnv).getRegionServerServices();
  RpcServerInterface rpc = services.getRpcServer();
  SecretManager<?> candidate = ((RpcServer) rpc).getSecretManager();
  if (candidate instanceof AuthenticationTokenSecretManager) {
    secretManager = (AuthenticationTokenSecretManager) candidate;
  }
}
 
Example #2
Source File: TestZKDelegationTokenSecretManager.java (hadoop, Apache License 2.0)
/**
 * Creates a delegation token, cancels it through the same manager and checks
 * that verification then fails with {@link SecretManager.InvalidToken}.
 * The whole sequence runs {@code TEST_RETRIES} times, each round against a
 * freshly initialised manager that is destroyed at the end.
 */
@SuppressWarnings("unchecked")
@Test
public void testCancelTokenSingleManager() throws Exception {
  for (int round = 0; round < TEST_RETRIES; round++) {
    Configuration conf = getSecretConf(zkServer.getConnectString());
    DelegationTokenManager manager = new DelegationTokenManager(conf, new Text("foo"));
    manager.init();

    UserGroupInformation owner = UserGroupInformation.getCurrentUser();
    Token<DelegationTokenIdentifier> token =
        (Token<DelegationTokenIdentifier>) manager.createToken(owner, "foo");
    Assert.assertNotNull(token);

    manager.cancelToken(token, "foo");
    try {
      verifyTokenFail(manager, token);
      fail("Expected InvalidToken");
    } catch (SecretManager.InvalidToken expected) {
      // A cancelled token must be rejected; the trace is diagnostic output only.
      expected.printStackTrace();
    }
    verifyDestroy(manager, conf);
  }
}
 
Example #3
Source File: Server.java (hadoop, Apache License 2.0)
/**
 * Decides which authentication methods this server accepts, most preferred first.
 * <p>
 * When the configured method is {@code TOKEN}, a secret manager is mandatory and
 * {@code TOKEN} is the only method offered. With any other configured method, a
 * secret manager (if present) additionally enables {@code TOKEN} ahead of the
 * configured one.
 *
 * @param secretManager secret manager backing token authentication, or {@code null}
 * @param conf configuration naming the primary authentication method
 * @return accepted methods in order of preference
 * @throws IllegalArgumentException if {@code TOKEN} is configured without a secret manager
 */
private List<AuthMethod> getAuthMethods(SecretManager<?> secretManager,
                                           Configuration conf) {
  AuthenticationMethod configured = SecurityUtil.getAuthenticationMethod(conf);
  boolean tokenConfigured = configured == AuthenticationMethod.TOKEN;
  boolean haveSecretManager = secretManager != null;

  if (tokenConfigured && !haveSecretManager) {
    throw new IllegalArgumentException(AuthenticationMethod.TOKEN +
        " authentication requires a secret manager");
  }

  List<AuthMethod> accepted = new ArrayList<AuthMethod>();
  if (!tokenConfigured && haveSecretManager) {
    LOG.debug(AuthenticationMethod.TOKEN +
        " authentication enabled for secret manager");
    // Token auth is the preferred method, so it leads the list.
    accepted.add(AuthenticationMethod.TOKEN.getAuthMethod());
  }
  accepted.add(configured.getAuthMethod());

  LOG.debug("Server accepts auth methods:" + accepted);
  return accepted;
}
 
Example #4
Source File: Hadoop3OmTransport.java (hadoop-ozone, Apache License 2.0)
/**
 * Unwrap exception to check if it is some kind of access control problem
 * ({@link AccessControlException} or {@link SecretManager.InvalidToken}).
 * Only a {@link ServiceException} is inspected: its direct cause is unwrapped
 * if it is a {@link RemoteException}, then the cause chain is walked.
 *
 * @param ex exception raised by the transport layer
 * @return {@code true} if an access-control failure is found in the chain
 */
private boolean isAccessControlException(Exception ex) {
  if (!(ex instanceof ServiceException)) {
    return false;
  }
  Throwable root = ex.getCause();
  if (root instanceof RemoteException) {
    // Server-side exceptions arrive wrapped; restore the original type.
    root = ((RemoteException) root).unwrapRemoteException();
  }
  for (Throwable t = root; t != null; t = t.getCause()) {
    boolean accessDenied = t instanceof AccessControlException;
    boolean tokenRejected = t instanceof SecretManager.InvalidToken;
    if (accessDenied || tokenRejected) {
      return true;
    }
  }
  return false;
}
 
Example #5
Source File: TestZKDelegationTokenSecretManager.java (big-c, Apache License 2.0)
/**
 * Issues a token, cancels it on the issuing manager and asserts that the
 * manager rejects it afterwards with {@link SecretManager.InvalidToken}.
 * Repeated {@code TEST_RETRIES} times with a new manager per attempt.
 */
@SuppressWarnings("unchecked")
@Test
public void testCancelTokenSingleManager() throws Exception {
  int attempt = 0;
  while (attempt < TEST_RETRIES) {
    String zkConnect = zkServer.getConnectString();
    Configuration conf = getSecretConf(zkConnect);
    DelegationTokenManager tm = new DelegationTokenManager(conf, new Text("foo"));
    tm.init();

    Token<DelegationTokenIdentifier> issued = (Token<DelegationTokenIdentifier>)
        tm.createToken(UserGroupInformation.getCurrentUser(), "foo");
    Assert.assertNotNull(issued);
    tm.cancelToken(issued, "foo");

    boolean rejected = false;
    try {
      verifyTokenFail(tm, issued);
    } catch (SecretManager.InvalidToken invalid) {
      rejected = true;
      invalid.printStackTrace();
    }
    if (!rejected) {
      fail("Expected InvalidToken");
    }
    verifyDestroy(tm, conf);
    attempt++;
  }
}
 
Example #6
Source File: GssSaslServerAuthenticationProvider.java (hbase, Apache License 2.0)
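/**
 * Builds a GSSAPI SASL server running as the current login user.
 * <p>
 * The login principal must have the three-part form
 * {@code primary/instance@REALM}: {@code names[0]} and {@code names[1]} become
 * the protocol and server name handed to {@link Sasl#createSaslServer}, so a
 * principal without an instance cannot be used.
 *
 * @param secretManager unused by the Kerberos mechanism
 * @param saslProps properties passed to the SASL server
 * @return a SASL server with no attempting-user supplier (it yields {@code null})
 * @throws AccessDeniedException if the principal has no instance (hostname) part
 * @throws IOException if running the privileged action fails
 * @throws RuntimeException (with the cause attached) if the thread is interrupted
 */
@Override
public AttemptingUserProvidingSaslServer createServer(
    SecretManager<TokenIdentifier> secretManager,
    Map<String, String> saslProps) throws IOException {
  UserGroupInformation current = UserGroupInformation.getCurrentUser();
  String fullName = current.getUserName();
  LOG.debug("Server's Kerberos principal name is {}", fullName);
  String[] names = SaslUtil.splitKerberosName(fullName);
  if (names.length != 3) {
    throw new AccessDeniedException(
        "Kerberos principal does NOT contain an instance (hostname): " + fullName);
  }
  try {
    return current.doAs(new PrivilegedExceptionAction<AttemptingUserProvidingSaslServer>() {
      @Override
      public AttemptingUserProvidingSaslServer run() throws SaslException {
        return new AttemptingUserProvidingSaslServer(Sasl.createSaslServer(
            getSaslAuthMethod().getSaslMechanism(), names[0], names[1], saslProps,
            new SaslGssCallbackHandler()), () -> null);
      }
    });
  } catch (InterruptedException e) {
    Thread.currentThread().interrupt();
    // Keep the cause: the original dropped it, hiding where the interrupt hit.
    throw new RuntimeException("Failed to construct GSS SASL server", e);
  }
}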
 
Example #7
Source File: Server.java (big-c, Apache License 2.0)
/**
 * Builds the ordered list of authentication methods this server will offer.
 * <p>
 * {@code TOKEN} as the configured method requires a secret manager and is then
 * the sole entry. Otherwise, if a secret manager exists, {@code TOKEN} is
 * offered first and the configured method second.
 *
 * @param secretManager token secret manager, or {@code null} if none
 * @param conf configuration that names the primary authentication method
 * @return accepted methods, most preferred first
 * @throws IllegalArgumentException for {@code TOKEN} without a secret manager
 */
private List<AuthMethod> getAuthMethods(SecretManager<?> secretManager,
                                           Configuration conf) {
  List<AuthMethod> offered = new ArrayList<AuthMethod>();
  AuthenticationMethod primary = SecurityUtil.getAuthenticationMethod(conf);

  if (primary == AuthenticationMethod.TOKEN) {
    if (secretManager == null) {
      throw new IllegalArgumentException(AuthenticationMethod.TOKEN +
          " authentication requires a secret manager");
    }
    // TOKEN is already the configured method; it is added below.
  } else if (secretManager != null) {
    LOG.debug(AuthenticationMethod.TOKEN +
        " authentication enabled for secret manager");
    // Preferred method, so it goes ahead of the configured one.
    offered.add(AuthenticationMethod.TOKEN.getAuthMethod());
  }
  offered.add(primary.getAuthMethod());

  LOG.debug("Server accepts auth methods:" + offered);
  return offered;
}
 
Example #8
Source File: DigestSaslServerAuthenticationProvider.java (hbase, Apache License 2.0)
/**
 * Resolves a SASL authorization id (an encoded token identifier) to the UGI
 * it belongs to, attaches the identifier and marks the UGI as authenticated
 * by this provider's method.
 *
 * @param authzId authorization id presented during the SASL exchange
 * @param secretManager secret manager used to materialise the identifier
 * @return the token's user, tagged with the identifier and auth method
 * @throws AccessDeniedException if the identifier carries no user
 * @throws IOException if the identifier cannot be decoded
 */
@Override
public UserGroupInformation getAuthorizedUgi(String authzId,
    SecretManager<TokenIdentifier> secretManager) throws IOException {
  TokenIdentifier identifier = HBaseSaslRpcServer.getIdentifier(authzId, secretManager);
  UserGroupInformation user = identifier.getUser();
  if (user == null) {
    throw new AccessDeniedException(
        "Can't retrieve username from tokenIdentifier.");
  }
  user.addTokenIdentifier(identifier);
  user.setAuthenticationMethod(getSaslAuthMethod().getAuthMethod());
  return user;
}
 
Example #9
Source File: ProtobufRpcEngine.java (big-c, Apache License 2.0)
/**
 * Creates a protobuf RPC server; every argument is handed to the
 * {@link Server} constructor unchanged.
 *
 * @param protocol protocol class the server implements
 * @param protocolImpl implementation whose methods are invoked
 * @param bindAddress address to listen on
 * @param port port to listen on (0 for ephemeral)
 * @param numHandlers number of handler threads
 * @param numReaders number of reader threads
 * @param queueSizePerHandler call queue size per handler
 * @param verbose whether each call is logged
 * @param conf configuration
 * @param secretManager secret manager for token auth, may be {@code null}
 * @param portRangeConfig config key restricting the port range when port is 0
 * @return the new server
 * @throws IOException if the server cannot be created
 */
@Override
public RPC.Server getServer(Class<?> protocol, Object protocolImpl,
    String bindAddress, int port, int numHandlers, int numReaders,
    int queueSizePerHandler, boolean verbose, Configuration conf,
    SecretManager<? extends TokenIdentifier> secretManager,
    String portRangeConfig)
    throws IOException {
  Server rpcServer = new Server(protocol, protocolImpl, conf, bindAddress, port,
      numHandlers, numReaders, queueSizePerHandler, verbose, secretManager,
      portRangeConfig);
  return rpcServer;
}
 
Example #10
Source File: RPCService.java (varOne, MIT License)
/**
 * Builds a protobuf RPC server for {@code pbProtocol} bound to {@code addr}
 * and registers {@code blockingService} on it.
 *
 * @param pbProtocol protobuf protocol class
 * @param addr host and port to bind
 * @param conf configuration (the protocol engine is set on it here)
 * @param secretManager secret manager for token auth, may be {@code null}
 * @param numHandlers number of handler threads
 * @param blockingService protocol implementation
 * @param portRangeConfig config key restricting the port range
 * @return the configured server, not yet started
 * @throws IOException if the server cannot be built
 */
private Server createServer(Class<?> pbProtocol, InetSocketAddress addr, Configuration conf, 
    SecretManager<? extends TokenIdentifier> secretManager, int numHandlers, 
    BlockingService blockingService, String portRangeConfig) throws IOException {
  RPC.setProtocolEngine(conf, pbProtocol, ProtobufRpcEngine.class);
  RPC.Builder builder = new RPC.Builder(conf)
      .setProtocol(pbProtocol)
      .setInstance(blockingService)
      .setBindAddress(addr.getHostName())
      .setPort(addr.getPort())
      .setNumHandlers(numHandlers)
      .setVerbose(false)
      .setSecretManager(secretManager)
      .setPortRangeConfig(portRangeConfig);
  RPC.Server rpcServer = builder.build();
  System.out.println("Adding protocol "+pbProtocol.getCanonicalName()+" to the server");
  rpcServer.addProtocol(RPC.RpcKind.RPC_PROTOCOL_BUFFER, pbProtocol, blockingService);
  return rpcServer;
}
 
Example #11
Source File: ProtobufRpcEngineShaded.java (ratis, Apache License 2.0)
/**
 * Construct an RPC server.
 *
 * The server name passed to the superclass is derived from the simple class
 * name of {@code protocolImpl}; {@code paramClass} is passed as {@code null}.
 *
 * @param protocolClass the class of protocol
 * @param protocolImpl the protocolImpl whose methods will be called
 * @param conf the configuration to use
 * @param bindAddress the address to bind on to listen for connection
 * @param port the port to listen for connections on
 * @param numHandlers the number of method handler threads to run
 * @param numReaders the number of reader threads
 * @param queueSizePerHandler the call queue size per handler thread
 * @param verbose whether each call should be logged
 * @param secretManager secret manager for token authentication, may be {@code null}
 * @param portRangeConfig A config parameter that can be used to restrict
 * the range of ports used when port is 0 (an ephemeral port)
 * @throws IOException if the underlying server cannot be created
 */
public Server(Class<?> protocolClass, Object protocolImpl,
    Configuration conf, String bindAddress, int port, int numHandlers,
    int numReaders, int queueSizePerHandler, boolean verbose,
    SecretManager<? extends TokenIdentifier> secretManager,
    String portRangeConfig)
    throws IOException {
  super(bindAddress, port, null, numHandlers,
      numReaders, queueSizePerHandler, conf, classNameBase(protocolImpl
          .getClass().getName()), secretManager, portRangeConfig);
  this.verbose = verbose;
  // Register the protocol so calls for protocolClass are dispatched to protocolImpl.
  registerProtocolAndImpl(RPC.RpcKind.RPC_PROTOCOL_BUFFER, protocolClass,
      protocolImpl);
}
 
Example #12
Source File: GssSaslServerAuthenticationProvider.java (hbase, Apache License 2.0)
/**
 * Creates a remote-user UGI named after the SASL authorization id and tags it
 * with this provider's authentication method. The secret manager is not used.
 *
 * @param authzId authorization id established by the SASL exchange
 * @param secretManager ignored by the GSSAPI mechanism
 * @return a remote-user UGI for {@code authzId}
 * @throws IOException declared by the interface; not thrown here
 */
@Override
public UserGroupInformation getAuthorizedUgi(String authzId,
    SecretManager<TokenIdentifier> secretManager) throws IOException {
  // NOTE(review): authzId is taken as-is; presumably the SASL GSSAPI layer has
  // already authenticated it before this is called — confirm against the caller.
  UserGroupInformation remoteUser = UserGroupInformation.createRemoteUser(authzId);
  remoteUser.setAuthenticationMethod(getSaslAuthMethod().getAuthMethod());
  return remoteUser;
}
 
Example #13
Source File: TestRPC.java (big-c, Apache License 2.0)
/**
 * Test stub: this engine never builds a server and always returns {@code null}.
 *
 * @return {@code null}
 * @throws IOException declared by the interface; not thrown here
 */
@Override
public org.apache.hadoop.ipc.RPC.Server getServer(Class<?> protocol,
    Object instance, String bindAddress, int port, int numHandlers,
    int numReaders, int queueSizePerHandler, boolean verbose, Configuration conf,
    SecretManager<? extends TokenIdentifier> secretManager, 
    String portRangeConfig) throws IOException {
  // All parameters are intentionally ignored.
  org.apache.hadoop.ipc.RPC.Server noServer = null;
  return noServer;
}
 
Example #14
Source File: TestZKDelegationTokenSecretManager.java (big-c, Apache License 2.0)
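/**
 * Verifies {@code token} against {@code tm} up to {@code retryCount + 1} times,
 * sleeping {@code RETRY_WAIT} between attempts, and stops at the first attempt
 * that is rejected.
 *
 * @param tm manager that verifies the token
 * @param token token expected to become invalid
 * @param retryCount number of additional attempts after the first one
 * @throws SecretManager.InvalidToken as soon as one verification rejects the token
 * @throws IOException if verification fails for another reason
 * @throws InterruptedException if the wait between attempts is interrupted
 */
private void verifyTokenFailWithRetry(DelegationTokenManager tm,
    Token<DelegationTokenIdentifier> token, int retryCount)
    throws IOException, InterruptedException {
  // Iterative form of the former recursion. InvalidToken propagates on its own,
  // so the old catch-and-rethrow of it was a no-op and has been dropped.
  for (int remaining = retryCount; ; remaining--) {
    tm.verifyToken(token);
    if (remaining <= 0) {
      return;
    }
    Thread.sleep(RETRY_WAIT);
  }
}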
 
Example #15
Source File: ShadeSaslServerAuthenticationProvider.java (hbase, Apache License 2.0)
/**
 * Creates a PLAIN SASL server backed by the password database, exposing the
 * user who is currently attempting to authenticate via {@code attemptingUser}.
 *
 * @param secretManager unused by this mechanism
 * @param saslProps unused by this mechanism
 * @return the SASL server paired with a supplier of the attempting user
 * @throws IOException declared by the interface; not thrown here
 */
@Override
public AttemptingUserProvidingSaslServer createServer(
    SecretManager<TokenIdentifier> secretManager, Map<String, String> saslProps)
        throws IOException {
  ShadeSaslServerCallbackHandler callbacks =
      new ShadeSaslServerCallbackHandler(attemptingUser, passwordDatabase);
  SaslPlainServer plainServer = new SaslPlainServer(callbacks);
  return new AttemptingUserProvidingSaslServer(plainServer, attemptingUser::get);
}
 
Example #16
Source File: SaslRpcServer.java (big-c, Apache License 2.0)
/**
 * Decodes a SASL authorization id into a token identifier of the type the
 * secret manager produces.
 *
 * @param id encoded identifier as sent by the client
 * @param secretManager supplies an empty identifier instance to fill
 * @param <T> the identifier type
 * @return the deserialized identifier
 * @throws InvalidToken if the bytes cannot be read as a {@code T}; the
 *         underlying {@link IOException} is attached as the cause
 */
public static <T extends TokenIdentifier> T getIdentifier(String id,
    SecretManager<T> secretManager) throws InvalidToken {
  byte[] raw = decodeIdentifier(id);
  T identifier = secretManager.createIdentifier();
  DataInputStream in = new DataInputStream(new ByteArrayInputStream(raw));
  try {
    identifier.readFields(in);
  } catch (IOException e) {
    InvalidToken invalid = new InvalidToken("Can't de-serialize tokenIdentifier");
    invalid.initCause(e);
    throw invalid;
  }
  // NOTE(review): only the wire format is checked here; nothing verifies the
  // identifier against the secret manager — that remains the caller's job.
  return identifier;
}
 
Example #17
Source File: WritableRpcEngine.java (big-c, Apache License 2.0)
/**
 * Creates a Writable-based RPC server, forwarding all arguments to the
 * {@link Server} constructor.
 *
 * @param protocolClass protocol class the server implements
 * @param protocolImpl implementation whose methods are invoked
 * @param bindAddress address to listen on
 * @param port port to listen on (0 for ephemeral)
 * @param numHandlers number of handler threads
 * @param numReaders number of reader threads
 * @param queueSizePerHandler call queue size per handler
 * @param verbose whether each call is logged
 * @param conf configuration
 * @param secretManager secret manager for token auth, may be {@code null}
 * @param portRangeConfig config key restricting the port range when port is 0
 * @return the new server
 * @throws IOException if the server cannot be created
 */
@Override
public RPC.Server getServer(Class<?> protocolClass,
                    Object protocolImpl, String bindAddress, int port,
                    int numHandlers, int numReaders, int queueSizePerHandler,
                    boolean verbose, Configuration conf,
                    SecretManager<? extends TokenIdentifier> secretManager,
                    String portRangeConfig) 
  throws IOException {
  Server created = new Server(
      protocolClass, protocolImpl, conf, bindAddress, port,
      numHandlers, numReaders, queueSizePerHandler, verbose,
      secretManager, portRangeConfig);
  return created;
}
 
Example #18
Source File: TestClientRMTokens.java (big-c, Apache License 2.0)
/**
 * Test stub: creating a server through this RPC implementation is not
 * supported and always fails.
 *
 * @throws RuntimeException always, with the message {@code "getServer"}
 */
@Override
public Server getServer(Class protocol, Object instance,
    InetSocketAddress addr, Configuration conf,
    SecretManager<? extends TokenIdentifier> secretManager,
    int numHandlers, String portRangeConfig) {
  String unsupported = "getServer";
  throw new RuntimeException(unsupported);
}
 
Example #19
Source File: RPC.java (hadoop, Apache License 2.0)
/**
 * Construct an RPC server on top of the generic IPC server, then initialise
 * the protocol meta-info (which protocols/versions the server exposes).
 *
 * @param bindAddress the address to bind on to listen for connection
 * @param port the port to listen for connections on
 * @param paramClass the Writable type of incoming call parameters
 * @param handlerCount the number of method handler threads to run
 * @param numReaders the number of reader threads
 * @param queueSizePerHandler the call queue size per handler thread
 * @param conf the configuration to use
 * @param serverName name used to identify this server
 * @param secretManager secret manager for token authentication, may be {@code null}
 * @param portRangeConfig config parameter restricting the port range when
 *        {@code port} is 0 (an ephemeral port)
 * @throws IOException if the underlying IPC server cannot be created
 */
protected Server(String bindAddress, int port, 
                 Class<? extends Writable> paramClass, int handlerCount,
                 int numReaders, int queueSizePerHandler,
                 Configuration conf, String serverName, 
                 SecretManager<? extends TokenIdentifier> secretManager,
                 String portRangeConfig) throws IOException {
  super(bindAddress, port, paramClass, handlerCount, numReaders, queueSizePerHandler,
        conf, serverName, secretManager, portRangeConfig);
  initProtocolMetaInfo(conf);
}
 
Example #20
Source File: RPC.java (big-c, Apache License 2.0)
/**
 * Construct an RPC server on top of the generic IPC server and register the
 * protocol meta-info handler.
 *
 * @param bindAddress the address to bind on to listen for connection
 * @param port the port to listen for connections on
 * @param paramClass the Writable type of incoming call parameters
 * @param handlerCount the number of method handler threads to run
 * @param numReaders the number of reader threads
 * @param queueSizePerHandler the call queue size per handler thread
 * @param conf the configuration to use
 * @param serverName name used to identify this server
 * @param secretManager secret manager for token authentication, may be {@code null}
 * @param portRangeConfig config parameter restricting the port range when
 *        {@code port} is 0 (an ephemeral port)
 * @throws IOException if the underlying IPC server cannot be created
 */
protected Server(String bindAddress, int port, 
                 Class<? extends Writable> paramClass, int handlerCount,
                 int numReaders, int queueSizePerHandler,
                 Configuration conf, String serverName, 
                 SecretManager<? extends TokenIdentifier> secretManager,
                 String portRangeConfig) throws IOException {
  super(bindAddress, port, paramClass, handlerCount, numReaders, queueSizePerHandler,
        conf, serverName, secretManager, portRangeConfig);
  initProtocolMetaInfo(conf);
}
 
Example #21
Source File: NMContainerTokenSecretManager.java (big-c, Apache License 2.0)
/**
 * Override of this is to validate ContainerTokens generated by using
 * different {@link MasterKey}s: a token signed with either the current or the
 * immediately previous master key is accepted, anything older is rejected.
 * A token issued for another NodeManager is rejected regardless of its key.
 *
 * @param identifier identifier presented with the container token
 * @return the password derived for {@code identifier} under the matching key
 * @throws SecretManager.InvalidToken if the token targets a different node, or
 *         was generated with a master key this NodeManager no longer knows
 */
@Override
public synchronized byte[] retrievePassword(
    ContainerTokenIdentifier identifier) throws SecretManager.InvalidToken {
  final int keyId = identifier.getMasterKeyId();

  // Resolve which key signed the token; null means an unknown (rolled-over) key.
  final MasterKeyData signingKey;
  if (this.previousMasterKey != null
      && keyId == this.previousMasterKey.getMasterKey().getKeyId()) {
    signingKey = this.previousMasterKey;
  } else if (keyId == super.currentMasterKey.getMasterKey().getKeyId()) {
    signingKey = super.currentMasterKey;
  } else {
    signingKey = null;
  }

  // The node binding is checked before the key: a well-signed token is still
  // refused when it was issued for a different NodeManager.
  if (nodeHostAddr != null
      && !identifier.getNmHostAddress().equals(nodeHostAddr)) {
    throw new SecretManager.InvalidToken("Given Container "
        + identifier.getContainerID().toString()
        + " identifier is not valid for current Node manager. Expected : "
        + nodeHostAddr + " Found : " + identifier.getNmHostAddress());
  }

  if (signingKey == null) {
    // e.g. startContainer() arriving with a token from an already retired key.
    throw new SecretManager.InvalidToken("Given Container "
        + identifier.getContainerID().toString()
        + " seems to have an illegally generated token.");
  }
  return retrievePasswordInternal(identifier, signingKey);
}
 
Example #22
Source File: BaseContainerTokenSecretManager.java (big-c, Apache License 2.0)
/**
 * Derives the password for {@code identifier} using the secret key of
 * {@code masterKey}.
 *
 * @param identifier container token identifier (its serialized bytes are the input)
 * @param masterKey master key whose secret key is used
 * @return the derived password bytes
 * @throws org.apache.hadoop.security.token.SecretManager.InvalidToken declared
 *         for subclasses; not thrown by this implementation
 */
protected byte[] retrievePasswordInternal(ContainerTokenIdentifier identifier,
    MasterKeyData masterKey)
    throws org.apache.hadoop.security.token.SecretManager.InvalidToken {
  if (LOG.isDebugEnabled()) {
    // Built only behind the guard; the message carries ids, never the password.
    String detail = "Retrieving password for " + identifier.getContainerID()
        + " for user " + identifier.getUser() + " to be run on NM "
        + identifier.getNmHostAddress();
    LOG.debug(detail);
  }
  // NOTE(review): presumably a keyed MAC over the identifier bytes — see
  // SecretManager.createPassword for the actual construction.
  byte[] serialized = identifier.getBytes();
  return createPassword(serialized, masterKey.getSecretKey());
}
 
Example #23
Source File: BaseContainerTokenSecretManager.java (big-c, Apache License 2.0)
/**
 * Derives the password for {@code identifier} under the current master key.
 * Runs under the read lock so that a writer replacing {@code currentMasterKey}
 * cannot interleave with the derivation.
 *
 * @param identifier container token identifier to derive the password for
 * @return the derived password bytes
 * @throws SecretManager.InvalidToken if the identifier is rejected
 */
@Override
public byte[] retrievePassword(ContainerTokenIdentifier identifier)
    throws SecretManager.InvalidToken {
  final byte[] password;
  this.readLock.lock();
  try {
    password = retrievePasswordInternal(identifier, this.currentMasterKey);
  } finally {
    this.readLock.unlock();
  }
  return password;
}
 
Example #24
Source File: BaseNMTokenSecretManager.java (big-c, Apache License 2.0)
/**
 * Derives the password for an NM token identifier under the current master
 * key, holding the read lock for the duration of the derivation.
 *
 * @param identifier NM token identifier to derive the password for
 * @return the derived password bytes
 * @throws org.apache.hadoop.security.token.SecretManager.InvalidToken if the
 *         identifier is rejected
 */
@Override
public byte[] retrievePassword(NMTokenIdentifier identifier)
    throws org.apache.hadoop.security.token.SecretManager.InvalidToken {
  readLock.lock();
  try {
    // Note the (sic) spelling: retrivePasswordInternal is the sibling's name.
    byte[] password = retrivePasswordInternal(identifier, currentMasterKey);
    return password;
  } finally {
    readLock.unlock();
  }
}
 
Example #25
Source File: YarnRPC.java (big-c, Apache License 2.0)
/**
 * Convenience overload of the seven-argument {@code getServer} with no
 * port-range restriction.
 *
 * @param protocol protocol class the server implements
 * @param instance implementation of the protocol
 * @param addr address to bind
 * @param conf configuration
 * @param secretManager secret manager for token auth, may be {@code null}
 * @param numHandlers number of handler threads
 * @return the server created by the full overload
 */
public Server getServer(Class protocol, Object instance,
    InetSocketAddress addr, Configuration conf,
    SecretManager<? extends TokenIdentifier> secretManager,
    int numHandlers) {
  String noPortRange = null;
  return getServer(protocol, instance, addr, conf, secretManager, numHandlers,
      noPortRange);
}
 
Example #26
Source File: HadoopYarnProtoRPC.java (big-c, Apache License 2.0)
/**
 * Creates a server by delegating to the server factory selected by
 * {@code conf}.
 *
 * @param protocol protocol class the server implements
 * @param instance implementation of the protocol
 * @param addr address to bind
 * @param conf configuration, also used to pick the server factory
 * @param secretManager secret manager for token auth, may be {@code null}
 * @param numHandlers number of handler threads
 * @param portRangeConfig config key restricting the port range
 * @return the server built by the factory
 */
@Override
public Server getServer(Class protocol, Object instance,
    InetSocketAddress addr, Configuration conf,
    SecretManager<? extends TokenIdentifier> secretManager,
    int numHandlers, String portRangeConfig) {
  String what = "Creating a HadoopYarnProtoRpc server for protocol " + protocol + 
      " with " + numHandlers + " handlers";
  LOG.debug(what);

  RpcServerFactory factory = RpcFactoryProvider.getServerFactory(conf);
  return factory.getServer(protocol, instance, addr, conf, secretManager,
      numHandlers, portRangeConfig);
}
 
Example #27
Source File: RpcServerFactoryPBImpl.java (big-c, Apache License 2.0)
/**
 * Builds a protobuf RPC server for {@code pbProtocol} on {@code addr} and
 * registers {@code blockingService} as its implementation.
 *
 * @param pbProtocol protobuf protocol class
 * @param addr host and port to bind
 * @param conf configuration (the protocol engine is set on it here)
 * @param secretManager secret manager for token auth, may be {@code null}
 * @param numHandlers number of handler threads
 * @param blockingService protocol implementation
 * @param portRangeConfig config key restricting the port range
 * @return the configured server, not yet started
 * @throws IOException if the server cannot be built
 */
private Server createServer(Class<?> pbProtocol, InetSocketAddress addr, Configuration conf, 
    SecretManager<? extends TokenIdentifier> secretManager, int numHandlers, 
    BlockingService blockingService, String portRangeConfig) throws IOException {
  RPC.setProtocolEngine(conf, pbProtocol, ProtobufRpcEngine.class);

  RPC.Builder builder = new RPC.Builder(conf);
  builder.setProtocol(pbProtocol);
  builder.setInstance(blockingService);
  builder.setBindAddress(addr.getHostName());
  builder.setPort(addr.getPort());
  builder.setNumHandlers(numHandlers);
  builder.setVerbose(false);
  builder.setSecretManager(secretManager);
  builder.setPortRangeConfig(portRangeConfig);
  RPC.Server rpcServer = builder.build();

  LOG.info("Adding protocol "+pbProtocol.getCanonicalName()+" to the server");
  rpcServer.addProtocol(RPC.RpcKind.RPC_PROTOCOL_BUFFER, pbProtocol, blockingService);
  return rpcServer;
}
 
Example #28
Source File: ClientToAMTokenSecretManager.java (big-c, Apache License 2.0)
/**
 * Creates a secret manager whose master key is built from {@code key}, or
 * left unset when {@code key} is {@code null}.
 *
 * @param applicationAttemptID the attempt this manager serves; not used here
 * @param key raw key material, or {@code null} for no master key yet
 */
public ClientToAMTokenSecretManager(
    ApplicationAttemptId applicationAttemptID, byte[] key) {
  // A null key leaves masterKey null; a caller is expected to set it later.
  this.masterKey = key == null ? null : SecretManager.createSecretKey(key);
}
 
Example #29
Source File: TestRPC.java (hadoop, Apache License 2.0)
/**
 * Test stub: no server is ever created by this engine.
 *
 * @return always {@code null}
 * @throws IOException declared by the interface; not thrown here
 */
@Override
public org.apache.hadoop.ipc.RPC.Server getServer(Class<?> protocol,
    Object instance, String bindAddress, int port, int numHandlers,
    int numReaders, int queueSizePerHandler, boolean verbose, Configuration conf,
    SecretManager<? extends TokenIdentifier> secretManager, 
    String portRangeConfig) throws IOException {
  // Every argument is deliberately ignored.
  org.apache.hadoop.ipc.RPC.Server absent = null;
  return absent;
}
 
Example #30
Source File: BaseClientToAMTokenSecretManager.java (big-c, Apache License 2.0)
/**
 * Derives the password for a client-to-AM token from the master key of the
 * application attempt named in the identifier.
 *
 * @param identifier client-to-AM token identifier
 * @return the derived password bytes
 * @throws SecretManager.InvalidToken if no master key is known for the
 *         identifier's application attempt
 */
@Private
@Override
public byte[] retrievePassword(ClientToAMTokenIdentifier identifier)
    throws SecretManager.InvalidToken {
  ApplicationAttemptId attempt = identifier.getApplicationAttemptID();
  SecretKey key = getMasterKey(attempt);
  if (key == null) {
    // Unknown attempt (or key not yet registered): the token cannot be checked.
    throw new SecretManager.InvalidToken("Illegal client-token!");
  }
  return createPassword(identifier.getBytes(), key);
}