com.google.cloud.hadoop.util.AccessTokenProvider Java Examples
The following examples show how to use
com.google.cloud.hadoop.util.AccessTokenProvider.
Example #1
Source File: GoogleHadoopFileSystemTest.java From hadoop-connectors with Apache License 2.0
@Test
public void testImpsersonationServiceAccountUsed() throws Exception {
  Configuration config = new Configuration();
  config.setClass(
      "fs.gs.auth.access.token.provider.impl",
      TestingAccessTokenProvider.class,
      AccessTokenProvider.class);
  config.set(
      GCS_CONFIG_PREFIX + IMPERSONATION_SERVICE_ACCOUNT_SUFFIX.getKey(), "test-service-account");
  URI gsUri = new URI("gs://foobar/");
  GoogleHadoopFileSystem ghfs = new GoogleHadoopFileSystem();
  Exception exception =
      assertThrows(
          GoogleJsonResponseException.class,
          () -> {
            ghfs.initialize(gsUri, config);
          });
  assertThat(exception).hasMessageThat().startsWith("401 Unauthorized");
}
Example #2
Source File: GoogleHadoopFileSystemTest.java From hadoop-connectors with Apache License 2.0
@Test
public void testImpsersonationUserNameIdentifierUsed() throws Exception {
  Configuration config = new Configuration();
  config.setClass(
      "fs.gs.auth.access.token.provider.impl",
      TestingAccessTokenProvider.class,
      AccessTokenProvider.class);
  config.set(
      GCS_CONFIG_PREFIX
          + USER_IMPERSONATION_SERVICE_ACCOUNT_SUFFIX.getKey()
          + UserGroupInformation.getCurrentUser().getShortUserName(),
      "test-service-account");
  URI gsUri = new URI("gs://foobar/");
  GoogleHadoopFileSystem ghfs = new GoogleHadoopFileSystem();
  Exception exception =
      assertThrows(
          GoogleJsonResponseException.class,
          () -> {
            ghfs.initialize(gsUri, config);
          });
  assertThat(exception).hasMessageThat().startsWith("401 Unauthorized");
}
Example #3
Source File: GoogleHadoopFileSystemTest.java From hadoop-connectors with Apache License 2.0
@Test
public void testImpsersonationGroupNameIdentifierUsed() throws Exception {
  Configuration config = new Configuration();
  config.setClass(
      "fs.gs.auth.access.token.provider.impl",
      TestingAccessTokenProvider.class,
      AccessTokenProvider.class);
  config.set(
      GCS_CONFIG_PREFIX
          + GROUP_IMPERSONATION_SERVICE_ACCOUNT_SUFFIX.getKey()
          + UserGroupInformation.getCurrentUser().getGroupNames()[0],
      "test-service-account");
  URI gsUri = new URI("gs://foobar/");
  GoogleHadoopFileSystem ghfs = new GoogleHadoopFileSystem();
  Exception exception =
      assertThrows(
          GoogleJsonResponseException.class,
          () -> {
            ghfs.initialize(gsUri, config);
          });
  assertThat(exception).hasMessageThat().startsWith("401 Unauthorized");
}
Example #4
Source File: GoogleHadoopFileSystemBase.java From hadoop-connectors with Apache License 2.0
/**
 * Retrieve user's Credential. If user implemented {@link AccessTokenProvider} and provided the
 * class name (see {@link HadoopCredentialConfiguration#ACCESS_TOKEN_PROVIDER_IMPL_SUFFIX}), then
 * build a credential with access token provided by this provider; otherwise obtain credential
 * through {@link HadoopCredentialConfiguration#getCredentialFactory(Configuration, String...)}.
 */
private Credential getCredential(
    Configuration config, GoogleCloudStorageFileSystemOptions gcsFsOptions)
    throws IOException, GeneralSecurityException {
  Credential credential = null;
  // Check if delegation token support is configured
  if (delegationTokens != null) {
    // If so, use the delegation token to acquire the Google credentials
    AccessTokenProvider atp = delegationTokens.getAccessTokenProvider();
    if (atp != null) {
      atp.setConf(config);
      credential =
          CredentialFromAccessTokenProviderClassFactory.credential(
              atp, CredentialFactory.GCS_SCOPES);
    }
  } else {
    // If delegation token support is not configured, check if a
    // custom AccessTokenProvider implementation is configured, and attempt
    // to acquire the Google credentials using it
    credential =
        CredentialFromAccessTokenProviderClassFactory.credential(
            config, ImmutableList.of(GCS_CONFIG_PREFIX), CredentialFactory.GCS_SCOPES);
    if (credential == null) {
      // Finally, if no credentials have been acquired at this point, employ
      // the default mechanism.
      credential =
          HadoopCredentialConfiguration.getCredentialFactory(config, GCS_CONFIG_PREFIX)
              .getCredential(CredentialFactory.GCS_SCOPES);
    }
  }
  // If impersonation service account exists, then use current credential to request access token
  // for the impersonating service account.
  return getImpersonatedCredential(config, gcsFsOptions, credential).orElse(credential);
}
Example #5
Source File: GoogleHadoopFileSystemTest.java From hadoop-connectors with Apache License 2.0
@Test
public void testImpsersonationUserAndGroupNameIdentifiersUsed() throws Exception {
  Configuration config = new Configuration();
  config.setClass(
      "fs.gs.auth.access.token.provider.impl",
      TestingAccessTokenProvider.class,
      AccessTokenProvider.class);
  config.set(
      GCS_CONFIG_PREFIX
          + USER_IMPERSONATION_SERVICE_ACCOUNT_SUFFIX.getKey()
          + UserGroupInformation.getCurrentUser().getShortUserName(),
      "test-service-account1");
  config.set(
      GCS_CONFIG_PREFIX
          + GROUP_IMPERSONATION_SERVICE_ACCOUNT_SUFFIX.getKey()
          + UserGroupInformation.getCurrentUser().getGroupNames()[0],
      "test-service-account2");
  URI gsUri = new URI("gs://foobar/");
  GoogleHadoopFileSystem ghfs = new GoogleHadoopFileSystem();
  Exception exception =
      assertThrows(
          GoogleJsonResponseException.class,
          () -> {
            ghfs.initialize(gsUri, config);
          });
  assertThat(exception).hasMessageThat().startsWith("401 Unauthorized");
}
Example #6
Source File: GoogleHadoopFileSystemTest.java From hadoop-connectors with Apache License 2.0
@Test
public void testImpsersonationServiceAccountAndUserAndGroupNameIdentifierUsed()
    throws Exception {
  Configuration config = new Configuration();
  config.setClass(
      "fs.gs.auth.access.token.provider.impl",
      TestingAccessTokenProvider.class,
      AccessTokenProvider.class);
  config.set(
      GCS_CONFIG_PREFIX + IMPERSONATION_SERVICE_ACCOUNT_SUFFIX.getKey(), "test-service-account1");
  config.set(
      GCS_CONFIG_PREFIX
          + USER_IMPERSONATION_SERVICE_ACCOUNT_SUFFIX.getKey()
          + UserGroupInformation.getCurrentUser().getShortUserName(),
      "test-service-account2");
  config.set(
      GCS_CONFIG_PREFIX
          + GROUP_IMPERSONATION_SERVICE_ACCOUNT_SUFFIX.getKey()
          + UserGroupInformation.getCurrentUser().getGroupNames()[0],
      "test-service-account3");
  URI gsUri = new URI("gs://foobar/");
  GoogleHadoopFileSystem ghfs = new GoogleHadoopFileSystem();
  Exception exception =
      assertThrows(
          GoogleJsonResponseException.class,
          () -> {
            ghfs.initialize(gsUri, config);
          });
  assertThat(exception).hasMessageThat().startsWith("401 Unauthorized");
}
Example #7
Source File: GoogleHadoopFileSystemTest.java From hadoop-connectors with Apache License 2.0
@Test
public void testImpsersonationInvalidUserNameIdentifierUsed() throws Exception {
  Configuration config = new Configuration();
  config.setClass(
      "fs.gs.auth.access.token.provider.impl",
      TestingAccessTokenProvider.class,
      AccessTokenProvider.class);
  config.set(
      GCS_CONFIG_PREFIX + USER_IMPERSONATION_SERVICE_ACCOUNT_SUFFIX.getKey() + "invalid-user",
      "test-service-account");
  URI gsUri = new URI("gs://foobar/");
  GoogleHadoopFileSystem ghfs = new GoogleHadoopFileSystem();
  ghfs.initialize(gsUri, config);
}
Example #8
Source File: GoogleHadoopFileSystemDelegationTokensTest.java From hadoop-connectors with Apache License 2.0
@Test
public void testTokenAuthValue() throws IOException {
  GoogleHadoopFileSystem fs = new GoogleHadoopFileSystem();
  fs.initialize(new Path("gs://test/").toUri(), loadConfig());
  AccessTokenProvider tokenProvider = fs.delegationTokens.getAccessTokenProvider();
  AccessTokenProvider.AccessToken token = tokenProvider.getAccessToken();
  assertThat(token.getToken()).isEqualTo("qWDAWFA3WWFAWFAWFAW3FAWF3AWF3WFAF33GR5G5");
}
Example #9
Source File: BrokerDelegationTokenBinding.java From gcp-token-broker with Apache License 2.0
@Override
public AccessTokenProvider deployUnbonded() throws IOException {
  return new BrokerAccessTokenProvider(getService());
}
Example #10
Source File: BrokerDelegationTokenBinding.java From gcp-token-broker with Apache License 2.0
@Override
public AccessTokenProvider bindToTokenIdentifier(DelegationTokenIdentifier retrievedIdentifier)
    throws IOException {
  return new BrokerAccessTokenProvider(getService(), (BrokerTokenIdentifier) retrievedIdentifier);
}
Example #11
Source File: GcsDelegationTokens.java From hadoop-connectors with Apache License 2.0
public AccessTokenProvider getAccessTokenProvider() {
  return accessTokenProvider;
}
Example #12
Source File: TestDelegationTokenBindingImpl.java From hadoop-connectors with Apache License 2.0
@Override
public AccessTokenProvider deployUnbonded() throws IOException {
  return new TestAccessTokenProviderImpl();
}
Example #13
Source File: TestDelegationTokenBindingImpl.java From hadoop-connectors with Apache License 2.0
@Override
public AccessTokenProvider bindToTokenIdentifier(DelegationTokenIdentifier retrievedIdentifier)
    throws IOException {
  return deployUnbonded();
}
Example #14
Source File: GcsDelegationTokens.java From hadoop-connectors with Apache License 2.0
/**
 * Perform the unbonded deployment operations. Creates the GCP credential provider chain to use
 * for authenticating this client with GCP services when there is no delegation token to work
 * with, and saves it to {@link #accessTokenProvider}.
 *
 * @throws IOException any failure.
 */
public AccessTokenProvider deployUnbonded() throws IOException {
  checkState(!isBoundToDT(), "Already Bound to a delegation token");
  logger.atFine().log("No delegation tokens present: using direct authentication");
  accessTokenProvider = tokenBinding.deployUnbonded();
  return accessTokenProvider;
}
Example #15
Source File: AbstractDelegationTokenBinding.java From hadoop-connectors with Apache License 2.0
/**
 * Perform any actions when deploying unbonded, and return a list of credential providers.
 *
 * @throws IOException any failure.
 */
public abstract AccessTokenProvider deployUnbonded() throws IOException;
Example #16
Source File: AbstractDelegationTokenBinding.java From hadoop-connectors with Apache License 2.0
/**
 * Bind to the token identifier, returning the credential providers to use for the owner to talk
 * to GCP services.
 *
 * @param retrievedIdentifier the unmarshalled data
 * @return non-empty list of GCP credential providers to use for authenticating this client with
 *     GCP services.
 * @throws IOException any failure.
 */
public abstract AccessTokenProvider bindToTokenIdentifier(
    DelegationTokenIdentifier retrievedIdentifier) throws IOException;