Java Code Examples for org.apache.hadoop.security.Credentials#getSecretKey()

The following examples show how to use org.apache.hadoop.security.Credentials#getSecretKey().
Example 1
Source File: RMAppAttemptImpl.java    From hadoop with Apache License 2.0
/**
 * Restores the security material of an application attempt from stored
 * credentials.
 *
 * <p>Does nothing when no credentials are supplied or when the attempt is
 * already FAILED, FINISHED or KILLED. Otherwise, if security is enabled and
 * the credentials hold a client-token master key, that key is registered
 * again with the client-to-AM secret manager. A fresh AMRM token is then
 * created and set, whether or not security is enabled.
 *
 * @param appAttemptTokens stored credentials of the attempt; may be
 *     {@code null}
 * @param state the state the attempt is being recovered into
 */
private void recoverAppAttemptCredentials(Credentials appAttemptTokens,
    RMAppAttemptState state) {
  boolean attemptIsTerminal = state == RMAppAttemptState.FAILED
      || state == RMAppAttemptState.FINISHED
      || state == RMAppAttemptState.KILLED;
  if (appAttemptTokens == null || attemptIsTerminal) {
    // Nothing to restore: no stored credentials, or the attempt is over.
    return;
  }

  if (UserGroupInformation.isSecurityEnabled()) {
    // The master key is raw secret material; it is handed straight to the
    // secret manager and never logged or copied here.
    byte[] storedMasterKey = appAttemptTokens.getSecretKey(
        RMStateStore.AM_CLIENT_TOKEN_MASTER_KEY_NAME);
    if (storedMasterKey != null) {
      clientTokenMasterKey = rmContext.getClientToAMTokenSecretManager()
          .registerMasterKey(applicationAttemptId, storedMasterKey);
    }
  }

  // The AMRM token is not read back from the credentials; a new one is made.
  setAMRMToken(rmContext.getAMRMTokenSecretManager()
      .createAndGetAMRMToken(applicationAttemptId));
}
 
Example 2
Source File: CredentialsTestJob.java    From hadoop with Apache License 2.0
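/**
 * Verifies that the test secrets {@code alias0 .. alias(NUM_OF_KEYS-1)} are
 * present in the credentials and hold {@code password0 ..
 * password(NUM_OF_KEYS-1)}.
 *
 * @param ts credentials made available to the job; must not be {@code null}
 * @throws RuntimeException if the credentials are missing, a key is absent,
 *     or a key has an unexpected value (this is how the test job fails)
 */
private static void checkSecrets(Credentials ts) {
  if (ts == null) {
    // fail the test
    throw new RuntimeException("The credentials are not available");
  }

  for (int i = 0; i < NUM_OF_KEYS; i++) {
    String secretName = "alias" + i;
    // get token storage and a key
    byte[] secretValue = ts.getSecretKey(new Text(secretName));
    // Deliberately no println(secretValue): printing a byte[] yields only its
    // identity string ("[B@..."), and secret bytes do not belong on stdout or
    // in task logs.

    if (secretValue == null) {
      // fail the test
      throw new RuntimeException("The key "+ secretName + " is not available. ");
    }

    // Decode with an explicit charset so the comparison does not depend on
    // the platform default of the node that runs the task.
    String secretValueStr =
        new String(secretValue, java.nio.charset.StandardCharsets.UTF_8);

    if (!("password" + i).equals(secretValueStr)) {
      // fail the test. The message echoes the stored value, which is only
      // acceptable because these are fixed test fixtures; production code
      // should not put secret values into exception messages.
      throw new RuntimeException("The key "+ secretName +
          " is not correct. Expected value is "+ ("password"+i) +
          ". Actual value is " + secretValueStr);
    }
  }
}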
 
Example 3
Source File: RMAppAttemptImpl.java    From big-c with Apache License 2.0
/**
 * Re-establishes the tokens and keys of an application attempt that is being
 * recovered.
 *
 * <p>Returns immediately when there are no stored credentials or the attempt
 * is in a terminal state (FAILED, FINISHED, KILLED). With security enabled, a
 * stored client-token master key is registered again with the client-to-AM
 * secret manager. In every non-terminal case a new AMRM token is created and
 * installed.
 *
 * @param appAttemptTokens credentials saved for the attempt, or {@code null}
 * @param state state of the attempt being recovered
 */
private void recoverAppAttemptCredentials(Credentials appAttemptTokens,
    RMAppAttemptState state) {
  if (appAttemptTokens == null) {
    return;
  }
  // Terminal attempts need no live security material.
  if (state == RMAppAttemptState.FAILED
      || state == RMAppAttemptState.FINISHED
      || state == RMAppAttemptState.KILLED) {
    return;
  }

  if (UserGroupInformation.isSecurityEnabled()) {
    // Secret key bytes: pass them on to the secret manager only.
    byte[] recoveredKeyBytes = appAttemptTokens.getSecretKey(
        RMStateStore.AM_CLIENT_TOKEN_MASTER_KEY_NAME);
    if (recoveredKeyBytes != null) {
      clientTokenMasterKey = rmContext.getClientToAMTokenSecretManager()
          .registerMasterKey(applicationAttemptId, recoveredKeyBytes);
    }
  }

  // A new AMRM token is generated instead of being restored.
  setAMRMToken(rmContext.getAMRMTokenSecretManager()
      .createAndGetAMRMToken(applicationAttemptId));
}
 
Example 4
Source File: CredentialsTestJob.java    From big-c with Apache License 2.0
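/**
 * Checks that each test alias {@code "alias" + i}, for
 * {@code i < NUM_OF_KEYS}, resolves to the secret {@code "password" + i}.
 *
 * @param ts credentials handed to the job; must not be {@code null}
 * @throws RuntimeException when the credentials, a key, or the expected
 *     value is missing, which fails the test job
 */
private static void checkSecrets(Credentials ts) {
  if (ts == null) {
    // fail the test
    throw new RuntimeException("The credentials are not available");
  }

  for (int i = 0; i < NUM_OF_KEYS; i++) {
    String secretName = "alias" + i;
    // get token storage and a key
    byte[] secretValue = ts.getSecretKey(new Text(secretName));
    // The secret is not printed: println on a byte[] shows only "[B@..." and
    // key material should stay out of stdout and task logs.

    if (secretValue == null) {
      // fail the test
      throw new RuntimeException("The key "+ secretName + " is not available. ");
    }

    // An explicit charset keeps the decode independent of the platform
    // default on the node that executes the task.
    String secretValueStr =
        new String(secretValue, java.nio.charset.StandardCharsets.UTF_8);

    if (!("password" + i).equals(secretValueStr)) {
      // fail the test. Echoing the stored value is tolerable only for these
      // fixed fixtures; real secrets must not appear in exception messages.
      throw new RuntimeException("The key "+ secretName +
          " is not correct. Expected value is "+ ("password"+i) +
          ". Actual value is " + secretValueStr);
    }
  }
}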
 
Example 5
Source File: OzoneKMSUtil.java    From hadoop-ozone with Apache License 2.0
/**
 * Resolves the key provider (KMS) URI for a namespace.
 *
 * <p>Lookup order: the secret key stored in the user's credentials under the
 * namespace's map key; then, if {@code kmsUriSrv} is {@code null}, the client
 * configuration; otherwise a non-empty {@code kmsUriSrv} itself. A resolved
 * URI is written back into the credentials object when a namespace key exists.
 *
 * <p>NOTE(review): the strings taken from the credentials and from
 * {@code kmsUriSrv} are parsed with {@link URI#create(String)} and returned
 * without any scheme or host check in this method. Confirm that callers, or
 * the provider factory, restrict which endpoints are acceptable.
 *
 * @param ugi user whose credentials are consulted and updated
 * @param namespaceUri namespace the provider belongs to; may be {@code null},
 *     in which case the credentials are neither read nor written
 * @param kmsUriSrv provider URI reported by the server; {@code null} means
 *     "fall back to client configuration", empty means "none"
 * @param conf client configuration used for the fallback lookup
 * @return the resolved URI, or {@code null} if none was found
 * @throws IOException propagated from the lookups this method delegates to
 * @throws IllegalArgumentException if a stored or server-supplied string is
 *     not a valid URI (thrown by {@link URI#create(String)})
 */
public static URI getKeyProviderUri(UserGroupInformation ugi,
    URI namespaceUri, String kmsUriSrv, ConfigurationSource conf)
    throws IOException {
  Credentials credentials = ugi.getCredentials();
  Text credsKey = null;
  URI resolvedUri = null;

  // First choice: a URI already stored in the user's credentials.
  if (namespaceUri != null) {
    credsKey = getKeyProviderMapKey(namespaceUri);
    byte[] storedUriBytes = credentials.getSecretKey(credsKey);
    if (storedUriBytes != null) {
      resolvedUri = URI.create(bytes2String(storedUriBytes));
    }
  }

  if (resolvedUri == null) {
    if (kmsUriSrv == null) {
      // No answer from the server: use the client configuration.
      resolvedUri = KMSUtil.getKeyProviderUri(
          LegacyHadoopConfigurationSource.asHadoopConfiguration(conf),
          keyProviderUriKeyName);
    } else if (!kmsUriSrv.isEmpty()) {
      // Non-empty value supplied by the OM server.
      resolvedUri = URI.create(kmsUriSrv);
    }
  }

  // Store the result in the credentials object obtained above.
  // NOTE(review): whether this reaches the UGI depends on getCredentials()
  // returning a live object rather than a copy - confirm.
  if (credsKey != null && resolvedUri != null) {
    credentials.addSecretKey(
        credsKey, StringUtils.string2Bytes(resolvedUri.toString()));
  }

  return resolvedUri;
}
 
Example 6
Source File: TestMRAppMaster.java    From hadoop with Apache License 2.0
/**
 * Checks how credentials written to a token file are distributed once the
 * application master has been started.
 *
 * <p>The test stores two tokens (a user token and an AMRM "app" token) and one
 * secret key, writes them to a token file, starts an {@code MRAppMasterTest},
 * and then asserts that the app master's credentials and the job conf each
 * hold one secret key and one token, while the app master's UGI holds one
 * secret key and two tokens.
 */
@Test
public void testMRAppMasterCredentials() throws Exception {

  // Raises the root logger to DEBUG; nothing in this method restores it.
  // NOTE(review): with tokens and keys in play, confirm that no DEBUG output
  // prints credential material.
  Logger rootLogger = LogManager.getRootLogger();
  rootLogger.setLevel(Level.DEBUG);

  // Simulate credentials passed to AM via client->RM->NM
  Credentials credentials = new Credentials();
  // getBytes() without a charset uses the platform default; the literals in
  // this test are plain ASCII.
  byte[] identifier = "MyIdentifier".getBytes();
  byte[] password = "MyPassword".getBytes();
  Text kind = new Text("MyTokenKind");
  Text service = new Text("host:port");
  Token<? extends TokenIdentifier> myToken =
      new Token<TokenIdentifier>(identifier, password, kind, service);
  Text tokenAlias = new Text("myToken");
  credentials.addToken(tokenAlias, myToken);

  // Second token, of the AMRM kind, stored under its service name.
  Text appTokenService = new Text("localhost:0");
  Token<AMRMTokenIdentifier> appToken =
      new Token<AMRMTokenIdentifier>(identifier, password,
          AMRMTokenIdentifier.KIND_NAME, appTokenService);
  credentials.addToken(appTokenService, appToken);
  
  // One secret key next to the two tokens.
  Text keyAlias = new Text("mySecretKeyAlias");
  credentials.addSecretKey(keyAlias, "mySecretKey".getBytes());
  Token<? extends TokenIdentifier> storedToken =
      credentials.getToken(tokenAlias);

  JobConf conf = new JobConf();

  // Write the credentials to a file under testDir and put that path into the
  // environment map under HADOOP_TOKEN_FILE_LOCATION.
  // NOTE(review): setNewEnvironmentHack presumably replaces the process
  // environment - confirm against its definition.
  Path tokenFilePath = new Path(testDir.getAbsolutePath(), "tokens-file");
  Map<String, String> newEnv = new HashMap<String, String>();
  newEnv.put(UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION, tokenFilePath
    .toUri().getPath());
  setNewEnvironmentHack(newEnv);
  credentials.writeTokenStorageFile(tokenFilePath, conf);

  ApplicationId appId = ApplicationId.newInstance(12345, 56);
  ApplicationAttemptId applicationAttemptId =
      ApplicationAttemptId.newInstance(appId, 1);
  ContainerId containerId =
      ContainerId.newContainerId(applicationAttemptId, 546);
  String userName = UserGroupInformation.getCurrentUser().getShortUserName();

  // Create staging dir, so MRAppMaster doesn't barf.
  // The boolean result of mkdirs() is not checked.
  File stagingDir =
      new File(MRApps.getStagingAreaDir(conf, userName).toString());
  stagingDir.mkdirs();

  // Set login-user to null, as that is how a real-world MRApp starts.
  // The login user being null is the reason the token file is read by UGI.
  UserGroupInformation.setLoginUser(null);

  MRAppMasterTest appMaster =
      new MRAppMasterTest(applicationAttemptId, containerId, "host", -1, -1,
        System.currentTimeMillis(), false, true);
  MRAppMaster.initAndStartAppMaster(appMaster, conf, userName);

  // Now validate the task credentials
  Credentials appMasterCreds = appMaster.getCredentials();
  Assert.assertNotNull(appMasterCreds);
  Assert.assertEquals(1, appMasterCreds.numberOfSecretKeys());
  Assert.assertEquals(1, appMasterCreds.numberOfTokens());

  // Validate the tokens - app token should not be present
  Token<? extends TokenIdentifier> usedToken =
      appMasterCreds.getToken(tokenAlias);
  Assert.assertNotNull(usedToken);
  Assert.assertEquals(storedToken, usedToken);

  // Validate the keys
  byte[] usedKey = appMasterCreds.getSecretKey(keyAlias);
  Assert.assertNotNull(usedKey);
  Assert.assertEquals("mySecretKey", new String(usedKey));

  // The credentials should also be added to conf so that OutputCommitter can
  // access it - app token should not be present
  Credentials confCredentials = conf.getCredentials();
  Assert.assertEquals(1, confCredentials.numberOfSecretKeys());
  Assert.assertEquals(1, confCredentials.numberOfTokens());
  Assert.assertEquals(storedToken, confCredentials.getToken(tokenAlias));
  Assert.assertEquals("mySecretKey",
    new String(confCredentials.getSecretKey(keyAlias)));
  
  // Verify the AM's ugi - app token should be present
  Credentials ugiCredentials = appMaster.getUgi().getCredentials();
  Assert.assertEquals(1, ugiCredentials.numberOfSecretKeys());
  Assert.assertEquals(2, ugiCredentials.numberOfTokens());
  Assert.assertEquals(storedToken, ugiCredentials.getToken(tokenAlias));
  Assert.assertEquals(appToken, ugiCredentials.getToken(appTokenService));
  Assert.assertEquals("mySecretKey",
    new String(ugiCredentials.getSecretKey(keyAlias)));


}
 
Example 7
Source File: TokenCache.java    From hadoop with Apache License 2.0
/**
 * Looks up a secret key by alias, tolerating a missing credentials object.
 *
 * <p>The returned bytes are secret material: callers should not log them or
 * place them in exception messages. NOTE(review): the array may be the
 * stored array itself rather than a copy - confirm before mutating it.
 *
 * @param credentials the credentials to query; may be {@code null}
 * @param alias the name the secret key was stored under
 * @return the result of {@code credentials.getSecretKey(alias)}, or
 *     {@code null} when {@code credentials} is {@code null}
 */
public static byte[] getSecretKey(Credentials credentials, Text alias) {
  return credentials == null ? null : credentials.getSecretKey(alias);
}
 
Example 8
Source File: TestMRAppMaster.java    From big-c with Apache License 2.0
/**
 * Verifies which credentials reach the application master, the job conf and
 * the app master's UGI after start-up from a token file.
 *
 * <p>Two tokens (one user token, one AMRM "app" token) and one secret key are
 * written to a token file. After {@code MRAppMasterTest} is started, the app
 * master's credentials and the conf are expected to hold one secret key and
 * one token each, and the UGI one secret key and two tokens.
 */
@Test
public void testMRAppMasterCredentials() throws Exception {

  // Root logger is switched to DEBUG and not switched back in this method.
  // NOTE(review): confirm that DEBUG logging does not emit token or key
  // contents while this test handles credentials.
  Logger rootLogger = LogManager.getRootLogger();
  rootLogger.setLevel(Level.DEBUG);

  // Simulate credentials passed to AM via client->RM->NM
  Credentials credentials = new Credentials();
  // No charset is given to getBytes(), so the platform default applies; the
  // literals used here are ASCII only.
  byte[] identifier = "MyIdentifier".getBytes();
  byte[] password = "MyPassword".getBytes();
  Text kind = new Text("MyTokenKind");
  Text service = new Text("host:port");
  Token<? extends TokenIdentifier> myToken =
      new Token<TokenIdentifier>(identifier, password, kind, service);
  Text tokenAlias = new Text("myToken");
  credentials.addToken(tokenAlias, myToken);

  // The AMRM-kind token is keyed by its service text.
  Text appTokenService = new Text("localhost:0");
  Token<AMRMTokenIdentifier> appToken =
      new Token<AMRMTokenIdentifier>(identifier, password,
          AMRMTokenIdentifier.KIND_NAME, appTokenService);
  credentials.addToken(appTokenService, appToken);
  
  // A single secret key is stored alongside the tokens.
  Text keyAlias = new Text("mySecretKeyAlias");
  credentials.addSecretKey(keyAlias, "mySecretKey".getBytes());
  Token<? extends TokenIdentifier> storedToken =
      credentials.getToken(tokenAlias);

  JobConf conf = new JobConf();

  // The credentials go into "tokens-file" under testDir, and that path is
  // registered under HADOOP_TOKEN_FILE_LOCATION in the environment map.
  // NOTE(review): setNewEnvironmentHack looks like it swaps the process
  // environment - verify against its definition.
  Path tokenFilePath = new Path(testDir.getAbsolutePath(), "tokens-file");
  Map<String, String> newEnv = new HashMap<String, String>();
  newEnv.put(UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION, tokenFilePath
    .toUri().getPath());
  setNewEnvironmentHack(newEnv);
  credentials.writeTokenStorageFile(tokenFilePath, conf);

  ApplicationId appId = ApplicationId.newInstance(12345, 56);
  ApplicationAttemptId applicationAttemptId =
      ApplicationAttemptId.newInstance(appId, 1);
  ContainerId containerId =
      ContainerId.newContainerId(applicationAttemptId, 546);
  String userName = UserGroupInformation.getCurrentUser().getShortUserName();

  // Create staging dir, so MRAppMaster doesn't barf.
  // mkdirs() reports failure through its return value, which is ignored here.
  File stagingDir =
      new File(MRApps.getStagingAreaDir(conf, userName).toString());
  stagingDir.mkdirs();

  // Set login-user to null, as that is how a real-world MRApp starts.
  // Because the login user is null, UGI reads the token file.
  UserGroupInformation.setLoginUser(null);

  MRAppMasterTest appMaster =
      new MRAppMasterTest(applicationAttemptId, containerId, "host", -1, -1,
        System.currentTimeMillis(), false, true);
  MRAppMaster.initAndStartAppMaster(appMaster, conf, userName);

  // Now validate the task credentials
  Credentials appMasterCreds = appMaster.getCredentials();
  Assert.assertNotNull(appMasterCreds);
  Assert.assertEquals(1, appMasterCreds.numberOfSecretKeys());
  Assert.assertEquals(1, appMasterCreds.numberOfTokens());

  // Validate the tokens - app token should not be present
  Token<? extends TokenIdentifier> usedToken =
      appMasterCreds.getToken(tokenAlias);
  Assert.assertNotNull(usedToken);
  Assert.assertEquals(storedToken, usedToken);

  // Validate the keys
  byte[] usedKey = appMasterCreds.getSecretKey(keyAlias);
  Assert.assertNotNull(usedKey);
  Assert.assertEquals("mySecretKey", new String(usedKey));

  // The credentials should also be added to conf so that OutputCommitter can
  // access it - app token should not be present
  Credentials confCredentials = conf.getCredentials();
  Assert.assertEquals(1, confCredentials.numberOfSecretKeys());
  Assert.assertEquals(1, confCredentials.numberOfTokens());
  Assert.assertEquals(storedToken, confCredentials.getToken(tokenAlias));
  Assert.assertEquals("mySecretKey",
    new String(confCredentials.getSecretKey(keyAlias)));
  
  // Verify the AM's ugi - app token should be present
  Credentials ugiCredentials = appMaster.getUgi().getCredentials();
  Assert.assertEquals(1, ugiCredentials.numberOfSecretKeys());
  Assert.assertEquals(2, ugiCredentials.numberOfTokens());
  Assert.assertEquals(storedToken, ugiCredentials.getToken(tokenAlias));
  Assert.assertEquals(appToken, ugiCredentials.getToken(appTokenService));
  Assert.assertEquals("mySecretKey",
    new String(ugiCredentials.getSecretKey(keyAlias)));


}
 
Example 9
Source File: TokenCache.java    From big-c with Apache License 2.0
/**
 * Null-safe accessor for a user's secret key.
 *
 * <p>Treat the result as sensitive: keep it out of logs and error text.
 * NOTE(review): presumably the array is shared with the credentials store
 * rather than copied - verify before modifying it.
 *
 * @param credentials credentials holding the secret keys; may be
 *     {@code null}
 * @param alias alias under which the key was stored
 * @return {@code null} if {@code credentials} is {@code null}, otherwise
 *     whatever {@code credentials.getSecretKey(alias)} returns
 */
public static byte[] getSecretKey(Credentials credentials, Text alias) {
  if (credentials != null) {
    return credentials.getSecretKey(alias);
  }
  return null;
}
 
Example 10
Source File: TokenCache.java    From incubator-tez with Apache License 2.0
/**
 * Fetches the secret key stored under an alias, returning {@code null}
 * instead of failing when no credentials object is available.
 *
 * <p>The bytes returned are key material and should never be written to
 * logs. NOTE(review): it is not visible here whether the array is a copy;
 * confirm before changing its contents.
 *
 * @param credentials source of the secret keys; may be {@code null}
 * @param alias alias identifying the key
 * @return the value of {@code credentials.getSecretKey(alias)}, or
 *     {@code null} for {@code null} credentials
 */
public static byte[] getSecretKey(Credentials credentials, Text alias) {
  if (credentials == null) {
    return null;
  }
  return credentials.getSecretKey(alias);
}
 
Example 11
Source File: TokenCache.java    From tez with Apache License 2.0
/**
 * Returns the secret key registered under {@code alias}, or {@code null}
 * when there are no credentials to search.
 *
 * <p>Handle the result as a secret: do not log it or include it in error
 * messages. NOTE(review): the array could be the instance held by the
 * credentials object - check before mutating.
 *
 * @param credentials credentials to search; may be {@code null}
 * @param alias alias of the wanted key
 * @return the result of {@code credentials.getSecretKey(alias)}, or
 *     {@code null} if {@code credentials} is {@code null}
 */
public static byte[] getSecretKey(Credentials credentials, Text alias) {
  byte[] secretKey = null;
  if (credentials != null) {
    secretKey = credentials.getSecretKey(alias);
  }
  return secretKey;
}