Examples with DelegationTokenConfig org.apache.accumulo.core.client.admin.DelegationTokenConfig used on opensource projects

Example 6 with DelegationTokenConfig

use of org.apache.accumulo.core.client.admin.DelegationTokenConfig in project accumulo by apache.

the class AuthenticationTokenSecretManager method createPassword.

@Override
protected byte[] createPassword(AuthenticationTokenIdentifier identifier) {
    DelegationTokenConfig cfg = identifier.getConfig();
    long now = System.currentTimeMillis();
    final AuthenticationKey secretKey;
    synchronized (this) {
        secretKey = currentKey;
    }
    identifier.setKeyId(secretKey.getKeyId());
    identifier.setIssueDate(now);
    long expiration = now + tokenMaxLifetime;
    // Catch overflow
    if (expiration < now) {
        expiration = Long.MAX_VALUE;
    }
    identifier.setExpirationDate(expiration);
    // Limit the lifetime if the user requests it
    if (null != cfg) {
        long requestedLifetime = cfg.getTokenLifetime(TimeUnit.MILLISECONDS);
        if (0 < requestedLifetime) {
            long requestedExpirationDate = identifier.getIssueDate() + requestedLifetime;
            // Catch overflow again
            if (requestedExpirationDate < identifier.getIssueDate()) {
                requestedExpirationDate = Long.MAX_VALUE;
            }
            // Ensure that the user doesn't try to extend the expiration date -- they may only limit it
            if (requestedExpirationDate > identifier.getExpirationDate()) {
                throw new RuntimeException("Requested token lifetime exceeds configured maximum");
            }
            log.trace("Overriding token expiration date from {} to {}", identifier.getExpirationDate(), requestedExpirationDate);
            identifier.setExpirationDate(requestedExpirationDate);
        }
    }
    identifier.setInstanceId(instance.getInstanceID());
    return createPassword(identifier.getBytes(), secretKey.getKey());
}

Example 7 with DelegationTokenConfig

use of org.apache.accumulo.core.client.admin.DelegationTokenConfig in project accumulo by apache.

the class MasterClientServiceHandler method getDelegationToken.

@Override
public TDelegationToken getDelegationToken(TInfo tinfo, TCredentials credentials, TDelegationTokenConfig tConfig) throws ThriftSecurityException, TException {
    if (!master.security.canObtainDelegationToken(credentials)) {
        throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
    }
    // Round-about way to verify that SASL is also enabled.
    if (!master.delegationTokensAvailable()) {
        throw new TException("Delegation tokens are not available for use");
    }
    final DelegationTokenConfig config = DelegationTokenConfigSerializer.deserialize(tConfig);
    final AuthenticationTokenSecretManager secretManager = master.getSecretManager();
    try {
        Entry<Token<AuthenticationTokenIdentifier>, AuthenticationTokenIdentifier> pair = secretManager.generateToken(credentials.principal, config);
        return new TDelegationToken(ByteBuffer.wrap(pair.getKey().getPassword()), pair.getValue().getThriftIdentifier());
    } catch (Exception e) {
        throw new TException(e.getMessage());
    }
}

Example 8 with DelegationTokenConfig

use of org.apache.accumulo.core.client.admin.DelegationTokenConfig in project accumulo by apache.

the class AuthenticationTokenSecretManagerTest method setupMocks.

@Before
public void setupMocks() {
    instance = createMock(Instance.class);
    instanceId = UUID.randomUUID().toString();
    cfg = new DelegationTokenConfig();
    expect(instance.getInstanceID()).andReturn(instanceId).anyTimes();
    replay(instance);
}

Example 9 with DelegationTokenConfig

use of org.apache.accumulo.core.client.admin.DelegationTokenConfig in project accumulo by apache.

the class SaslDigestCallbackHandlerTest method setup.

@Before
public void setup() {
    handler = new SaslTestDigestCallbackHandler();
    cfg = new DelegationTokenConfig();
}

Example 10 with DelegationTokenConfig

use of org.apache.accumulo.core.client.admin.DelegationTokenConfig in project accumulo by apache.

the class KerberosIT method testDelegationTokenWithReducedLifetime.

@Test
public void testDelegationTokenWithReducedLifetime() throws Throwable {
    // Login as the "root" user
    UserGroupInformation root = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
    log.info("Logged in as {}", rootUser.getPrincipal());
    // As the "root" user, open up the connection and get a delegation token
    final AuthenticationToken dt = root.doAs(new PrivilegedExceptionAction<AuthenticationToken>() {

        @Override
        public AuthenticationToken run() throws Exception {
            Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken());
            log.info("Created connector as {}", rootUser.getPrincipal());
            assertEquals(rootUser.getPrincipal(), conn.whoami());
            return conn.securityOperations().getDelegationToken(new DelegationTokenConfig().setTokenLifetime(5, TimeUnit.MINUTES));
        }
    });
    AuthenticationTokenIdentifier identifier = ((DelegationTokenImpl) dt).getIdentifier();
    assertTrue("Expected identifier to expire in no more than 5 minutes: " + identifier, identifier.getExpirationDate() - identifier.getIssueDate() <= (5 * 60 * 1000));
}