org.apache.hadoop.yarn.security.client.TimelineDelegationTokenIdentifier Java Examples

The following examples show how to use org.apache.hadoop.yarn.security.client.TimelineDelegationTokenIdentifier. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: TimelineClientImpl.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Requests a timeline delegation token, passing {@code renewer} through to
 * {@code DelegationTokenAuthenticatedURL#getDelegationToken}.
 *
 * <p>The HTTP call is wrapped in a {@link PrivilegedExceptionAction} and
 * handed to {@code operateDelegationToken}, which is defined elsewhere in
 * this class.
 *
 * @param renewer renewer name sent with the token request
 * @return the token produced by {@code operateDelegationToken}
 * @throws IOException declared by the overridden method
 * @throws YarnException declared by the overridden method
 */
@SuppressWarnings("unchecked")
@Override
public Token<TimelineDelegationTokenIdentifier> getDelegationToken(
    final String renewer) throws IOException, YarnException {
  final PrivilegedExceptionAction<Token<TimelineDelegationTokenIdentifier>>
      fetchTokenAction =
      new PrivilegedExceptionAction<Token<TimelineDelegationTokenIdentifier>>() {

        @Override
        public Token<TimelineDelegationTokenIdentifier> run()
            throws Exception {
          // Built inside run() from the client's authenticator and
          // connection configurator.
          final DelegationTokenAuthenticatedURL dtUrl =
              new DelegationTokenAuthenticatedURL(authenticator,
                  connConfigurator);
          // Raw cast: the authenticated URL returns a token typed on a
          // different identifier class.
          return (Token) dtUrl.getDelegationToken(
              resURI.toURL(), token, renewer, doAsUser);
        }
      };
  final Object fetched = operateDelegationToken(fetchTokenAction);
  return (Token<TimelineDelegationTokenIdentifier>) fetched;
}
 
Example #2
Source File: TimelineClientImpl.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Requests a timeline delegation token, passing {@code renewer} through to
 * {@code DelegationTokenAuthenticatedURL#getDelegationToken}.
 *
 * <p>The HTTP call is wrapped in a {@link PrivilegedExceptionAction} and
 * handed to {@code operateDelegationToken}, which is defined elsewhere in
 * this class.
 *
 * @param renewer renewer name sent with the token request
 * @return the token produced by {@code operateDelegationToken}
 * @throws IOException declared by the overridden method
 * @throws YarnException declared by the overridden method
 */
@SuppressWarnings("unchecked")
@Override
public Token<TimelineDelegationTokenIdentifier> getDelegationToken(
    final String renewer) throws IOException, YarnException {
  final PrivilegedExceptionAction<Token<TimelineDelegationTokenIdentifier>>
      fetchTokenAction =
      new PrivilegedExceptionAction<Token<TimelineDelegationTokenIdentifier>>() {

        @Override
        public Token<TimelineDelegationTokenIdentifier> run()
            throws Exception {
          // Built inside run() from the client's authenticator and
          // connection configurator.
          final DelegationTokenAuthenticatedURL dtUrl =
              new DelegationTokenAuthenticatedURL(authenticator,
                  connConfigurator);
          // Raw cast: the authenticated URL returns a token typed on a
          // different identifier class.
          return (Token) dtUrl.getDelegationToken(
              resURI.toURL(), token, renewer, doAsUser);
        }
      };
  final Object fetched = operateDelegationToken(fetchTokenAction);
  return (Token<TimelineDelegationTokenIdentifier>) fetched;
}
 
Example #3
Source File: LeveldbTimelineStateStore.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Overwrites the stored record of an existing token with fresh token data.
 *
 * <p>The record is keyed by the token's sequence number. The existence check
 * and the write are two separate calls on {@code db}.
 *
 * @param tokenId identifier of the token to update
 * @param renewDate renew date to serialize alongside the identifier
 * @throws IOException if no record exists for the key, or wrapping a
 *     {@code DBException} raised by the store
 */
@Override
public void updateToken(TimelineDelegationTokenIdentifier tokenId,
    Long renewDate) throws IOException {
  try {
    final byte[] entryKey = createTokenEntryKey(tokenId.getSequenceNumber());
    final boolean recordPresent = db.get(entryKey) != null;
    if (!recordPresent) {
      throw new IOException(tokenId + " doesn't exist");
    }
    db.put(entryKey, buildTokenData(tokenId, renewDate));
  } catch (DBException dbFailure) {
    // Surface store failures through the declared checked exception.
    throw new IOException(dbFailure);
  }
}
 
Example #4
Source File: YarnClientImpl.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Asks the timeline client for a delegation token renewable by
 * {@code timelineDTRenewer}.
 *
 * <p>When {@code timelineServiceBestEffort} is set, any failure is logged at
 * WARN level (message only, no stack trace) and {@code null} is returned;
 * otherwise the failure is rethrown. Callers must therefore handle a
 * {@code null} token.
 *
 * @return the delegation token, or {@code null} after a failure in
 *     best-effort mode
 * @throws IOException rethrown from the timeline client
 * @throws YarnException rethrown from the timeline client
 */
@VisibleForTesting
org.apache.hadoop.security.token.Token<TimelineDelegationTokenIdentifier>
    getTimelineDelegationToken() throws IOException, YarnException {
  try {
    return timelineClient.getDelegationToken(timelineDTRenewer);
  } catch (Exception failure) {
    if (!timelineServiceBestEffort) {
      throw failure;
    }
    // Best effort: report the problem and carry on without a token.
    LOG.warn("Failed to get delegation token from the timeline server: "
        + failure.getMessage());
    return null;
  }
}
 
Example #5
Source File: LeveldbTimelineStateStore.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Deletes the stored record for a token, keyed by its sequence number.
 *
 * @param tokenId identifier of the token whose record is deleted
 * @throws IOException wrapping a {@code DBException} raised by the store
 */
@Override
public void removeToken(TimelineDelegationTokenIdentifier tokenId)
    throws IOException {
  try {
    db.delete(createTokenEntryKey(tokenId.getSequenceNumber()));
  } catch (DBException dbFailure) {
    // Surface store failures through the declared checked exception.
    throw new IOException(dbFailure);
  }
}
 
Example #6
Source File: LeveldbTimelineStateStore.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Serializes a token identifier together with its renew date by wrapping
 * both in a {@code TimelineDelegationTokenIdentifierData} and calling
 * {@code toByteArray()} on it.
 *
 * @param tokenId identifier to serialize
 * @param renewDate renew date stored with the identifier
 * @return the serialized bytes
 * @throws IOException declared for the serialization step
 */
private static byte[] buildTokenData(
    TimelineDelegationTokenIdentifier tokenId, Long renewDate)
    throws IOException {
  return new TimelineDelegationTokenIdentifierData(tokenId, renewDate)
      .toByteArray();
}
 
Example #7
Source File: MemoryTimelineStateStore.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Records a new token and its renew date in the in-memory state.
 *
 * <p>Also sets {@code state.latestSequenceNumber} to the sequence number of
 * the token just stored.
 *
 * @param tokenId identifier used as the map key
 * @param renewDate renew date stored as the map value
 * @throws IOException if {@code tokenId} is already a key in the token map
 */
@Override
public void storeToken(TimelineDelegationTokenIdentifier tokenId,
    Long renewDate) throws IOException {
  final boolean alreadyStored = state.tokenState.containsKey(tokenId);
  if (alreadyStored) {
    throw new IOException("token " + tokenId + " was stored twice");
  }
  state.tokenState.put(tokenId, renewDate);
  state.latestSequenceNumber = tokenId.getSequenceNumber();
}
 
Example #8
Source File: MemoryTimelineStateStore.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Replaces the renew date of a token that is already in the in-memory state.
 *
 * @param tokenId identifier used as the map key
 * @param renewDate new renew date to store
 * @throws IOException if {@code tokenId} is not a key in the token map
 */
@Override
public void updateToken(TimelineDelegationTokenIdentifier tokenId,
    Long renewDate) throws IOException {
  final boolean known = state.tokenState.containsKey(tokenId);
  if (!known) {
    throw new IOException("token " + tokenId + " not in store");
  }
  state.tokenState.put(tokenId, renewDate);
}
 
Example #9
Source File: YarnClientImpl.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Adds a timeline delegation token to the credentials carried by a container
 * launch context, unless one is already present.
 *
 * <p>The existing token bytes are decoded into a {@code Credentials} object,
 * checked for a token of kind
 * {@code TimelineDelegationTokenIdentifier.KIND_NAME}, and, if none is found
 * and a new token can be obtained, re-serialized with the new token and
 * written back with {@code clc.setTokens}.
 *
 * @param clc launch context whose token buffer is read and possibly replaced
 * @throws YarnException propagated from {@code getTimelineDelegationToken()}
 * @throws IOException propagated from token (de)serialization or from
 *     {@code getTimelineDelegationToken()}
 */
private void addTimelineDelegationToken(
    ContainerLaunchContext clc) throws YarnException, IOException {
  Credentials credentials = new Credentials();
  DataInputByteBuffer dibb = new DataInputByteBuffer();
  ByteBuffer tokens = clc.getTokens();
  if (tokens != null) {
    dibb.reset(tokens);
    credentials.readTokenStorageStream(dibb);
    // Reading advanced the buffer position; restore it for later readers.
    tokens.rewind();
  }
  // If the timeline delegation token is already in the CLC, no need to add
  // one more
  for (org.apache.hadoop.security.token.Token<? extends TokenIdentifier> token : credentials
      .getAllTokens()) {
    if (token.getKind().equals(TimelineDelegationTokenIdentifier.KIND_NAME)) {
      return;
    }
  }
  org.apache.hadoop.security.token.Token<TimelineDelegationTokenIdentifier>
      timelineDelegationToken = getTimelineDelegationToken();
  // A null token leaves the launch context unchanged.
  if (timelineDelegationToken == null) {
    return;
  }
  credentials.addToken(timelineService, timelineDelegationToken);
  if (LOG.isDebugEnabled()) {
    // NOTE(review): this logs the token through its toString(); confirm that
    // representation leaves out the token password before relying on debug
    // logs being safe to share.
    LOG.debug("Add timline delegation token into credentials: "
        + timelineDelegationToken);
  }
  // Re-serialize all credentials, including the new token, into the CLC.
  DataOutputBuffer dob = new DataOutputBuffer();
  credentials.writeTokenStorageToStream(dob);
  // Wrap only the written prefix of the backing array.
  tokens = ByteBuffer.wrap(dob.getData(), 0, dob.getLength());
  clc.setTokens(tokens);
}
 
Example #10
Source File: YarnClientImpl.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Asks the timeline client for a delegation token renewable by
 * {@code timelineDTRenewer}.
 *
 * <p>When {@code timelineServiceBestEffort} is set, any failure is logged at
 * WARN level (message only, no stack trace) and {@code null} is returned;
 * otherwise the failure is rethrown. Callers must therefore handle a
 * {@code null} token.
 *
 * @return the delegation token, or {@code null} after a failure in
 *     best-effort mode
 * @throws IOException rethrown from the timeline client
 * @throws YarnException rethrown from the timeline client
 */
@VisibleForTesting
org.apache.hadoop.security.token.Token<TimelineDelegationTokenIdentifier>
    getTimelineDelegationToken() throws IOException, YarnException {
  try {
    return timelineClient.getDelegationToken(timelineDTRenewer);
  } catch (Exception failure) {
    if (!timelineServiceBestEffort) {
      throw failure;
    }
    // Best effort: report the problem and carry on without a token.
    LOG.warn("Failed to get delegation token from the timeline server: "
        + failure.getMessage());
    return null;
  }
}
 
Example #11
Source File: LeveldbTimelineStateStore.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Serializes a token identifier together with its renew date by wrapping
 * both in a {@code TimelineDelegationTokenIdentifierData} and calling
 * {@code toByteArray()} on it.
 *
 * @param tokenId identifier to serialize
 * @param renewDate renew date stored with the identifier
 * @return the serialized bytes
 * @throws IOException declared for the serialization step
 */
private static byte[] buildTokenData(
    TimelineDelegationTokenIdentifier tokenId, Long renewDate)
    throws IOException {
  return new TimelineDelegationTokenIdentifierData(tokenId, renewDate)
      .toByteArray();
}
 
Example #12
Source File: LeveldbTimelineStateStore.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Deletes the stored record for a token, keyed by its sequence number.
 *
 * @param tokenId identifier of the token whose record is deleted
 * @throws IOException wrapping a {@code DBException} raised by the store
 */
@Override
public void removeToken(TimelineDelegationTokenIdentifier tokenId)
    throws IOException {
  try {
    db.delete(createTokenEntryKey(tokenId.getSequenceNumber()));
  } catch (DBException dbFailure) {
    // Surface store failures through the declared checked exception.
    throw new IOException(dbFailure);
  }
}
 
Example #13
Source File: LeveldbTimelineStateStore.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Overwrites the stored record of an existing token with fresh token data.
 *
 * <p>The record is keyed by the token's sequence number. The existence check
 * and the write are two separate calls on {@code db}.
 *
 * @param tokenId identifier of the token to update
 * @param renewDate renew date to serialize alongside the identifier
 * @throws IOException if no record exists for the key, or wrapping a
 *     {@code DBException} raised by the store
 */
@Override
public void updateToken(TimelineDelegationTokenIdentifier tokenId,
    Long renewDate) throws IOException {
  try {
    final byte[] entryKey = createTokenEntryKey(tokenId.getSequenceNumber());
    final boolean recordPresent = db.get(entryKey) != null;
    if (!recordPresent) {
      throw new IOException(tokenId + " doesn't exist");
    }
    db.put(entryKey, buildTokenData(tokenId, renewDate));
  } catch (DBException dbFailure) {
    // Surface store failures through the declared checked exception.
    throw new IOException(dbFailure);
  }
}
 
Example #14
Source File: TimelineClientImpl.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Renews a timeline delegation token through
 * {@code DelegationTokenAuthenticatedURL#renewDelegationToken}.
 *
 * <p>The request goes to the address in the token's service field when that
 * field is non-empty, otherwise to the configured {@code resURI}. The work is
 * wrapped in a {@link PrivilegedExceptionAction} and handed to
 * {@code operateDelegationToken}, defined elsewhere in this class.
 *
 * @param timelineDT the token to renew
 * @return the value returned by the renew call, unboxed from {@code Long}
 * @throws IOException declared by the overridden method
 * @throws YarnException declared by the overridden method
 */
@SuppressWarnings("unchecked")
@Override
public long renewDelegationToken(
    final Token<TimelineDelegationTokenIdentifier> timelineDT)
        throws IOException, YarnException {
  // An empty service field means the token names no server address.
  final boolean isTokenServiceAddrEmpty =
      timelineDT.getService().toString().isEmpty();
  // The scheme is taken from the local YARN configuration, not the token.
  final String scheme = isTokenServiceAddrEmpty ? null
      : (YarnConfiguration.useHttps(this.getConfig()) ? "https" : "http");
  // Host and port are taken from the token's own service field.
  // NOTE(review): the renew request, which carries the token, is sent to
  // this address; confirm tokens reaching this method come from a trusted
  // credential source.
  final InetSocketAddress address = isTokenServiceAddrEmpty ? null
      : SecurityUtil.getTokenServiceAddr(timelineDT);
  PrivilegedExceptionAction<Long> renewDTAction =
      new PrivilegedExceptionAction<Long>() {

        @Override
        public Long run() throws Exception {
          // If the timeline DT to renew differs from the cached one, replace
          // it. This is done on every run so a retry still has the token:
          // when an exception happens, DelegationTokenAuthenticatedURL
          // resets it to null.
          if (!timelineDT.equals(token.getDelegationToken())) {
            token.setDelegationToken((Token) timelineDT);
          }
          DelegationTokenAuthenticatedURL authUrl =
              new DelegationTokenAuthenticatedURL(authenticator,
                  connConfigurator);
          // If the token service address is not available, fall back to use
          // the configured service address.
          final URI serviceURI = isTokenServiceAddrEmpty ? resURI
              : new URI(scheme, null, address.getHostName(),
              address.getPort(), RESOURCE_URI_STR, null, null);
          return authUrl
              .renewDelegationToken(serviceURI.toURL(), token, doAsUser);
        }
      };
  return (Long) operateDelegationToken(renewDTAction);
}
 
Example #15
Source File: TimelineClientImpl.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Cancels a timeline delegation token through
 * {@code DelegationTokenAuthenticatedURL#cancelDelegationToken}.
 *
 * <p>The request goes to the address in the token's service field when that
 * field is non-empty, otherwise to the configured {@code resURI}. The work is
 * wrapped in a {@link PrivilegedExceptionAction} and handed to
 * {@code operateDelegationToken}, defined elsewhere in this class.
 *
 * @param timelineDT the token to cancel
 * @throws IOException declared by the overridden method
 * @throws YarnException declared by the overridden method
 */
@SuppressWarnings("unchecked")
@Override
public void cancelDelegationToken(
    final Token<TimelineDelegationTokenIdentifier> timelineDT)
        throws IOException, YarnException {
  // An empty service field means the token names no server address.
  final boolean isTokenServiceAddrEmpty =
      timelineDT.getService().toString().isEmpty();
  // The scheme is taken from the local YARN configuration, not the token.
  final String scheme = isTokenServiceAddrEmpty ? null
      : (YarnConfiguration.useHttps(this.getConfig()) ? "https" : "http");
  // Host and port are taken from the token's own service field.
  // NOTE(review): the cancel request, which carries the token, is sent to
  // this address; confirm tokens reaching this method come from a trusted
  // credential source.
  final InetSocketAddress address = isTokenServiceAddrEmpty ? null
      : SecurityUtil.getTokenServiceAddr(timelineDT);
  PrivilegedExceptionAction<Void> cancelDTAction =
      new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
          // If the timeline DT to cancel differs from the cached one, replace
          // it. This is done on every run so a retry still has the token:
          // when an exception happens, DelegationTokenAuthenticatedURL
          // resets it to null.
          if (!timelineDT.equals(token.getDelegationToken())) {
            token.setDelegationToken((Token) timelineDT);
          }
          DelegationTokenAuthenticatedURL authUrl =
              new DelegationTokenAuthenticatedURL(authenticator,
                  connConfigurator);
          // If the token service address is not available, fall back to use
          // the configured service address.
          final URI serviceURI = isTokenServiceAddrEmpty ? resURI
              : new URI(scheme, null, address.getHostName(),
              address.getPort(), RESOURCE_URI_STR, null, null);
          authUrl.cancelDelegationToken(serviceURI.toURL(), token, doAsUser);
          // Void action: nothing to hand back.
          return null;
        }
      };
  operateDelegationToken(cancelDTAction);
}
 
Example #16
Source File: TestYARNTokenIdentifier.java    From big-c with Apache License 2.0 5 votes vote down vote up
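/**
 * Checks that the renewer of a {@code TimelineDelegationTokenIdentifier} is
 * reported as the short name produced by the configured auth_to_local rule.
 *
 * <p>The rule below rewrites two-component {@code rm} or {@code nm}
 * principals whose realm ends in EXAMPLE.COM to {@code yarn}.
 *
 * @throws IOException declared for the configuration and parsing steps
 */
@Test
public void testParseTimelineDelegationTokenIdentifierRenewer() throws IOException {
  // Server side when generating a timeline DT
  Configuration conf = new YarnConfiguration();
  conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTH_TO_LOCAL,
      "RULE:[2:$1@$0]([nr]m@.*EXAMPLE.COM)s/.*/yarn/");
  HadoopKerberosName.setConfiguration(conf);
  Text owner = new Text("owner");
  // The listing showed an e-mail-obfuscation placeholder here, which cannot
  // match the rule above. The host part below is a constructed sample; any
  // rm/<host>@EXAMPLE.COM principal exercises the same mapping.
  Text renewer = new Text("rm/localhost@EXAMPLE.COM");
  Text realUser = new Text("realUser");
  TimelineDelegationTokenIdentifier token =
      new TimelineDelegationTokenIdentifier(owner, renewer, realUser);
  Assert.assertEquals(new Text("yarn"), token.getRenewer());
}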
 
Example #17
Source File: TimelineDelegationTokenSecretManagerService.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Persists a newly issued token to the state store, if one is configured.
 *
 * <p>An {@code IOException} from the store is logged at ERROR level and not
 * propagated, so the caller is not told when persistence failed.
 *
 * @param tokenId identifier of the token to persist
 * @param renewDate renew date stored with the token
 */
@Override
protected void storeNewToken(TimelineDelegationTokenIdentifier tokenId,
    long renewDate) {
  if (LOG.isDebugEnabled()) {
    LOG.debug("Storing token " + tokenId.getSequenceNumber());
  }
  // Without a state store there is nothing to persist.
  if (stateStore == null) {
    return;
  }
  try {
    stateStore.storeToken(tokenId, renewDate);
  } catch (IOException storeFailure) {
    LOG.error("Unable to store token " + tokenId.getSequenceNumber(),
        storeFailure);
  }
}
 
Example #18
Source File: TimelineDelegationTokenSecretManagerService.java    From big-c with Apache License 2.0 5 votes vote down vote up
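/**
 * Removes a token from the state store, if one is configured.
 *
 * <p>An {@code IOException} from the store is logged at ERROR level and not
 * propagated, even though the signature declares it.
 * NOTE(review): after a failed removal the entry may remain in the state
 * store; check whether recovery can re-load a token that was meant to be
 * removed.
 *
 * @param tokenId identifier of the token to remove
 * @throws IOException declared by the overridden method; not thrown by this
 *     body
 */
@Override
protected void removeStoredToken(TimelineDelegationTokenIdentifier tokenId)
    throws IOException {
  if (LOG.isDebugEnabled()) {
    // The message used to read "Storing token", which mislabelled removals
    // in debug logs.
    LOG.debug("Removing token " + tokenId.getSequenceNumber());
  }
  try {
    if (stateStore != null) {
      stateStore.removeToken(tokenId);
    }
  } catch (IOException e) {
    LOG.error("Unable to remove token " + tokenId.getSequenceNumber(), e);
  }
}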
 
Example #19
Source File: TimelineDelegationTokenSecretManagerService.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Writes a token's new renew date to the state store, if one is configured.
 *
 * <p>An {@code IOException} from the store is logged at ERROR level and not
 * propagated, so the caller is not told when the update failed.
 *
 * @param tokenId identifier of the token to update
 * @param renewDate new renew date for the token
 */
@Override
protected void updateStoredToken(TimelineDelegationTokenIdentifier tokenId,
    long renewDate) {
  if (LOG.isDebugEnabled()) {
    LOG.debug("Updating token " + tokenId.getSequenceNumber());
  }
  // Without a state store there is nothing to update.
  if (stateStore == null) {
    return;
  }
  try {
    stateStore.updateToken(tokenId, renewDate);
  } catch (IOException updateFailure) {
    LOG.error("Unable to update token " + tokenId.getSequenceNumber(),
        updateFailure);
  }
}
 
Example #20
Source File: TimelineDelegationTokenSecretManagerService.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Reloads secret-manager state from a previously saved
 * {@code TimelineServiceState}.
 *
 * <p>Master keys are added first, then the sequence number is restored, then
 * every persisted token is re-registered with its stored renew date.
 *
 * @param state the saved state to load from
 * @throws IOException propagated from adding keys or persisted tokens
 */
public void recover(TimelineServiceState state) throws IOException {
  LOG.info("Recovering " + getClass().getSimpleName());
  for (DelegationKey masterKey : state.getTokenMasterKeyState()) {
    addKey(masterKey);
  }
  this.delegationTokenSequenceNumber = state.getLatestSequenceNumber();
  for (Entry<TimelineDelegationTokenIdentifier, Long> persisted :
      state.getTokenState().entrySet()) {
    final TimelineDelegationTokenIdentifier tokenId = persisted.getKey();
    final Long renewDate = persisted.getValue();
    addPersistedDelegationToken(tokenId, renewDate);
  }
}
 
Example #21
Source File: TimelineDelegationTokenIdentifierData.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Rebuilds a {@code TimelineDelegationTokenIdentifier} from the identifier
 * bytes held by {@code builder}.
 *
 * @return a new identifier populated through {@code readFields}
 * @throws IOException if {@code readFields} fails on the stored bytes
 */
public TimelineDelegationTokenIdentifier getTokenIdentifier()
    throws IOException {
  final DataInputStream serialized = new DataInputStream(
      new ByteArrayInputStream(builder.getTokenIdentifier().toByteArray()));
  final TimelineDelegationTokenIdentifier identifier =
      new TimelineDelegationTokenIdentifier();
  identifier.readFields(serialized);
  return identifier;
}
 
Example #22
Source File: MemoryTimelineStateStore.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Replaces the renew date of a token that is already in the in-memory state.
 *
 * @param tokenId identifier used as the map key
 * @param renewDate new renew date to store
 * @throws IOException if {@code tokenId} is not a key in the token map
 */
@Override
public void updateToken(TimelineDelegationTokenIdentifier tokenId,
    Long renewDate) throws IOException {
  final boolean known = state.tokenState.containsKey(tokenId);
  if (!known) {
    throw new IOException("token " + tokenId + " not in store");
  }
  state.tokenState.put(tokenId, renewDate);
}
 
Example #23
Source File: TestYARNTokenIdentifier.java    From hadoop with Apache License 2.0 5 votes vote down vote up
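/**
 * Checks that the renewer of a {@code TimelineDelegationTokenIdentifier} is
 * reported as the short name produced by the configured auth_to_local rule.
 *
 * <p>The rule below rewrites two-component {@code rm} or {@code nm}
 * principals whose realm ends in EXAMPLE.COM to {@code yarn}.
 *
 * @throws IOException declared for the configuration and parsing steps
 */
@Test
public void testParseTimelineDelegationTokenIdentifierRenewer() throws IOException {
  // Server side when generating a timeline DT
  Configuration conf = new YarnConfiguration();
  conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTH_TO_LOCAL,
      "RULE:[2:$1@$0]([nr]m@.*EXAMPLE.COM)s/.*/yarn/");
  HadoopKerberosName.setConfiguration(conf);
  Text owner = new Text("owner");
  // The listing showed an e-mail-obfuscation placeholder here, which cannot
  // match the rule above. The host part below is a constructed sample; any
  // rm/<host>@EXAMPLE.COM principal exercises the same mapping.
  Text renewer = new Text("rm/localhost@EXAMPLE.COM");
  Text realUser = new Text("realUser");
  TimelineDelegationTokenIdentifier token =
      new TimelineDelegationTokenIdentifier(owner, renewer, realUser);
  Assert.assertEquals(new Text("yarn"), token.getRenewer());
}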
 
Example #24
Source File: MemoryTimelineStateStore.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Records a new token and its renew date in the in-memory state.
 *
 * <p>Also sets {@code state.latestSequenceNumber} to the sequence number of
 * the token just stored.
 *
 * @param tokenId identifier used as the map key
 * @param renewDate renew date stored as the map value
 * @throws IOException if {@code tokenId} is already a key in the token map
 */
@Override
public void storeToken(TimelineDelegationTokenIdentifier tokenId,
    Long renewDate) throws IOException {
  final boolean alreadyStored = state.tokenState.containsKey(tokenId);
  if (alreadyStored) {
    throw new IOException("token " + tokenId + " was stored twice");
  }
  state.tokenState.put(tokenId, renewDate);
  state.latestSequenceNumber = tokenId.getSequenceNumber();
}
 
Example #25
Source File: TimelineClientImpl.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Cancels a timeline delegation token through
 * {@code DelegationTokenAuthenticatedURL#cancelDelegationToken}.
 *
 * <p>The request goes to the address in the token's service field when that
 * field is non-empty, otherwise to the configured {@code resURI}. The work is
 * wrapped in a {@link PrivilegedExceptionAction} and handed to
 * {@code operateDelegationToken}, defined elsewhere in this class.
 *
 * @param timelineDT the token to cancel
 * @throws IOException declared by the overridden method
 * @throws YarnException declared by the overridden method
 */
@SuppressWarnings("unchecked")
@Override
public void cancelDelegationToken(
    final Token<TimelineDelegationTokenIdentifier> timelineDT)
        throws IOException, YarnException {
  // An empty service field means the token names no server address.
  final boolean isTokenServiceAddrEmpty =
      timelineDT.getService().toString().isEmpty();
  // The scheme is taken from the local YARN configuration, not the token.
  final String scheme = isTokenServiceAddrEmpty ? null
      : (YarnConfiguration.useHttps(this.getConfig()) ? "https" : "http");
  // Host and port are taken from the token's own service field.
  // NOTE(review): the cancel request, which carries the token, is sent to
  // this address; confirm tokens reaching this method come from a trusted
  // credential source.
  final InetSocketAddress address = isTokenServiceAddrEmpty ? null
      : SecurityUtil.getTokenServiceAddr(timelineDT);
  PrivilegedExceptionAction<Void> cancelDTAction =
      new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
          // If the timeline DT to cancel differs from the cached one, replace
          // it. This is done on every run so a retry still has the token:
          // when an exception happens, DelegationTokenAuthenticatedURL
          // resets it to null.
          if (!timelineDT.equals(token.getDelegationToken())) {
            token.setDelegationToken((Token) timelineDT);
          }
          DelegationTokenAuthenticatedURL authUrl =
              new DelegationTokenAuthenticatedURL(authenticator,
                  connConfigurator);
          // If the token service address is not available, fall back to use
          // the configured service address.
          final URI serviceURI = isTokenServiceAddrEmpty ? resURI
              : new URI(scheme, null, address.getHostName(),
              address.getPort(), RESOURCE_URI_STR, null, null);
          authUrl.cancelDelegationToken(serviceURI.toURL(), token, doAsUser);
          // Void action: nothing to hand back.
          return null;
        }
      };
  operateDelegationToken(cancelDTAction);
}
 
Example #26
Source File: TimelineDelegationTokenSecretManagerService.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Persists a newly issued token to the state store, if one is configured.
 *
 * <p>An {@code IOException} from the store is logged at ERROR level and not
 * propagated, so the caller is not told when persistence failed.
 *
 * @param tokenId identifier of the token to persist
 * @param renewDate renew date stored with the token
 */
@Override
protected void storeNewToken(TimelineDelegationTokenIdentifier tokenId,
    long renewDate) {
  if (LOG.isDebugEnabled()) {
    LOG.debug("Storing token " + tokenId.getSequenceNumber());
  }
  // Without a state store there is nothing to persist.
  if (stateStore == null) {
    return;
  }
  try {
    stateStore.storeToken(tokenId, renewDate);
  } catch (IOException storeFailure) {
    LOG.error("Unable to store token " + tokenId.getSequenceNumber(),
        storeFailure);
  }
}
 
Example #27
Source File: TimelineDelegationTokenSecretManagerService.java    From hadoop with Apache License 2.0 5 votes vote down vote up
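/**
 * Removes a token from the state store, if one is configured.
 *
 * <p>An {@code IOException} from the store is logged at ERROR level and not
 * propagated, even though the signature declares it.
 * NOTE(review): after a failed removal the entry may remain in the state
 * store; check whether recovery can re-load a token that was meant to be
 * removed.
 *
 * @param tokenId identifier of the token to remove
 * @throws IOException declared by the overridden method; not thrown by this
 *     body
 */
@Override
protected void removeStoredToken(TimelineDelegationTokenIdentifier tokenId)
    throws IOException {
  if (LOG.isDebugEnabled()) {
    // The message used to read "Storing token", which mislabelled removals
    // in debug logs.
    LOG.debug("Removing token " + tokenId.getSequenceNumber());
  }
  try {
    if (stateStore != null) {
      stateStore.removeToken(tokenId);
    }
  } catch (IOException e) {
    LOG.error("Unable to remove token " + tokenId.getSequenceNumber(), e);
  }
}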
 
Example #28
Source File: TimelineDelegationTokenSecretManagerService.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Writes a token's new renew date to the state store, if one is configured.
 *
 * <p>An {@code IOException} from the store is logged at ERROR level and not
 * propagated, so the caller is not told when the update failed.
 *
 * @param tokenId identifier of the token to update
 * @param renewDate new renew date for the token
 */
@Override
protected void updateStoredToken(TimelineDelegationTokenIdentifier tokenId,
    long renewDate) {
  if (LOG.isDebugEnabled()) {
    LOG.debug("Updating token " + tokenId.getSequenceNumber());
  }
  // Without a state store there is nothing to update.
  if (stateStore == null) {
    return;
  }
  try {
    stateStore.updateToken(tokenId, renewDate);
  } catch (IOException updateFailure) {
    LOG.error("Unable to update token " + tokenId.getSequenceNumber(),
        updateFailure);
  }
}
 
Example #29
Source File: TimelineDelegationTokenSecretManagerService.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Reloads secret-manager state from a previously saved
 * {@code TimelineServiceState}.
 *
 * <p>Master keys are added first, then the sequence number is restored, then
 * every persisted token is re-registered with its stored renew date.
 *
 * @param state the saved state to load from
 * @throws IOException propagated from adding keys or persisted tokens
 */
public void recover(TimelineServiceState state) throws IOException {
  LOG.info("Recovering " + getClass().getSimpleName());
  for (DelegationKey masterKey : state.getTokenMasterKeyState()) {
    addKey(masterKey);
  }
  this.delegationTokenSequenceNumber = state.getLatestSequenceNumber();
  for (Entry<TimelineDelegationTokenIdentifier, Long> persisted :
      state.getTokenState().entrySet()) {
    final TimelineDelegationTokenIdentifier tokenId = persisted.getKey();
    final Long renewDate = persisted.getValue();
    addPersistedDelegationToken(tokenId, renewDate);
  }
}
 
Example #30
Source File: TimelineClientImpl.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Renews a timeline delegation token through
 * {@code DelegationTokenAuthenticatedURL#renewDelegationToken}.
 *
 * <p>The request goes to the address in the token's service field when that
 * field is non-empty, otherwise to the configured {@code resURI}. The work is
 * wrapped in a {@link PrivilegedExceptionAction} and handed to
 * {@code operateDelegationToken}, defined elsewhere in this class.
 *
 * @param timelineDT the token to renew
 * @return the value returned by the renew call, unboxed from {@code Long}
 * @throws IOException declared by the overridden method
 * @throws YarnException declared by the overridden method
 */
@SuppressWarnings("unchecked")
@Override
public long renewDelegationToken(
    final Token<TimelineDelegationTokenIdentifier> timelineDT)
        throws IOException, YarnException {
  // An empty service field means the token names no server address.
  final boolean isTokenServiceAddrEmpty =
      timelineDT.getService().toString().isEmpty();
  // The scheme is taken from the local YARN configuration, not the token.
  final String scheme = isTokenServiceAddrEmpty ? null
      : (YarnConfiguration.useHttps(this.getConfig()) ? "https" : "http");
  // Host and port are taken from the token's own service field.
  // NOTE(review): the renew request, which carries the token, is sent to
  // this address; confirm tokens reaching this method come from a trusted
  // credential source.
  final InetSocketAddress address = isTokenServiceAddrEmpty ? null
      : SecurityUtil.getTokenServiceAddr(timelineDT);
  PrivilegedExceptionAction<Long> renewDTAction =
      new PrivilegedExceptionAction<Long>() {

        @Override
        public Long run() throws Exception {
          // If the timeline DT to renew differs from the cached one, replace
          // it. This is done on every run so a retry still has the token:
          // when an exception happens, DelegationTokenAuthenticatedURL
          // resets it to null.
          if (!timelineDT.equals(token.getDelegationToken())) {
            token.setDelegationToken((Token) timelineDT);
          }
          DelegationTokenAuthenticatedURL authUrl =
              new DelegationTokenAuthenticatedURL(authenticator,
                  connConfigurator);
          // If the token service address is not available, fall back to use
          // the configured service address.
          final URI serviceURI = isTokenServiceAddrEmpty ? resURI
              : new URI(scheme, null, address.getHostName(),
              address.getPort(), RESOURCE_URI_STR, null, null);
          return authUrl
              .renewDelegationToken(serviceURI.toURL(), token, doAsUser);
        }
      };
  return (Long) operateDelegationToken(renewDTAction);
}