Use of org.apache.accumulo.core.client.admin.DelegationTokenConfig in project accumulo by apache: class AuthenticationTokenSecretManager, method createPassword.
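/**
 * Signs the given token identifier with the current secret key and returns the resulting
 * password bytes.
 *
 * <p>Before signing, the identifier is stamped with the current key id, the issue time, the
 * instance id and an expiration date of {@code now + tokenMaxLifetime} (saturating at
 * {@link Long#MAX_VALUE}). If the caller supplied a {@link DelegationTokenConfig} with a positive
 * lifetime, the expiration is shortened to that lifetime. A request for a lifetime longer than
 * the configured maximum is rejected rather than silently clamped, so a client can only ever
 * narrow the window in which a token is valid, never widen it.
 *
 * @param identifier the identifier to stamp and sign; it is mutated in place
 * @return the password (signature) for {@code identifier} under the current key
 * @throws IllegalArgumentException if the requested lifetime exceeds the configured maximum
 */
@Override
protected byte[] createPassword(AuthenticationTokenIdentifier identifier) {
  DelegationTokenConfig cfg = identifier.getConfig();
  long now = System.currentTimeMillis();
  // Snapshot the key under the lock so the key id and key material come from the same key.
  final AuthenticationKey secretKey;
  synchronized (this) {
    secretKey = currentKey;
  }
  identifier.setKeyId(secretKey.getKeyId());
  identifier.setIssueDate(now);
  long expiration = saturatingAdd(now, tokenMaxLifetime);
  identifier.setExpirationDate(expiration);
  // Limit the lifetime if the user requests it
  if (null != cfg) {
    long requestedLifetime = cfg.getTokenLifetime(TimeUnit.MILLISECONDS);
    if (0 < requestedLifetime) {
      long requestedExpirationDate = saturatingAdd(now, requestedLifetime);
      // Users may only shorten the lifetime; extending past the configured maximum is an error.
      if (requestedExpirationDate > expiration) {
        throw new IllegalArgumentException("Requested token lifetime exceeds configured maximum");
      }
      log.trace("Overriding token expiration date from {} to {}", expiration, requestedExpirationDate);
      identifier.setExpirationDate(requestedExpirationDate);
    }
  }
  identifier.setInstanceId(instance.getInstanceID());
  return createPassword(identifier.getBytes(), secretKey.getKey());
}

/**
 * Returns {@code base + delta}, or {@link Long#MAX_VALUE} when the sum wraps below
 * {@code base} (i.e. on signed overflow). This mirrors the overflow guard previously applied to
 * both the maximum and the requested expiration date.
 */
private static long saturatingAdd(long base, long delta) {
  long sum = base + delta;
  return sum < base ? Long.MAX_VALUE : sum;
}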
Use of org.apache.accumulo.core.client.admin.DelegationTokenConfig in project accumulo by apache: class MasterClientServiceHandler, method getDelegationToken.
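/**
 * Issues a delegation token for the calling principal.
 *
 * <p>The caller must be permitted to obtain delegation tokens, and the master must have
 * delegation tokens available (which, per the inline note, also implies SASL is enabled). The
 * requested configuration is passed through to the secret manager, which decides whether the
 * requested lifetime is acceptable.
 *
 * @param tinfo trace information for the RPC; not used by this method
 * @param credentials the caller's credentials; the token is issued for {@code credentials.principal}
 * @param tConfig the requested delegation-token configuration in its Thrift form
 * @return the generated token as password bytes plus the Thrift form of the signed identifier
 * @throws ThriftSecurityException if the caller may not obtain delegation tokens
 * @throws TException if delegation tokens are unavailable or token generation fails
 */
@Override
public TDelegationToken getDelegationToken(TInfo tinfo, TCredentials credentials, TDelegationTokenConfig tConfig) throws ThriftSecurityException, TException {
  if (!master.security.canObtainDelegationToken(credentials)) {
    throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
  }
  // Round-about way to verify that SASL is also enabled.
  if (!master.delegationTokensAvailable()) {
    throw new TException("Delegation tokens are not available for use");
  }
  final DelegationTokenConfig config = DelegationTokenConfigSerializer.deserialize(tConfig);
  final AuthenticationTokenSecretManager secretManager = master.getSecretManager();
  try {
    Entry<Token<AuthenticationTokenIdentifier>, AuthenticationTokenIdentifier> pair = secretManager.generateToken(credentials.principal, config);
    return new TDelegationToken(ByteBuffer.wrap(pair.getKey().getPassword()), pair.getValue().getThriftIdentifier());
  } catch (Exception e) {
    // Keep the original exception as the cause so server-side diagnostics retain the stack trace
    // instead of only the message text.
    throw new TException(e.getMessage(), e);
  }
}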
Use of org.apache.accumulo.core.client.admin.DelegationTokenConfig in project accumulo by apache: class AuthenticationTokenSecretManagerTest, method setupMocks.
/**
 * Prepares each test with an empty token config and a mocked {@code Instance} whose id is a
 * freshly generated UUID string.
 */
@Before
public void setupMocks() {
  cfg = new DelegationTokenConfig();
  instanceId = UUID.randomUUID().toString();
  Instance mockInstance = createMock(Instance.class);
  // Tests may ask for the instance id any number of times.
  expect(mockInstance.getInstanceID()).andReturn(instanceId).anyTimes();
  replay(mockInstance);
  instance = mockInstance;
}
Use of org.apache.accumulo.core.client.admin.DelegationTokenConfig in project accumulo by apache: class SaslDigestCallbackHandlerTest, method setup.
/** Creates an empty token config and the callback handler under test before each case. */
@Before
public void setup() {
  cfg = new DelegationTokenConfig();
  handler = new SaslTestDigestCallbackHandler();
}
Use of org.apache.accumulo.core.client.admin.DelegationTokenConfig in project accumulo by apache: class KerberosIT, method testDelegationTokenWithReducedLifetime.
/**
 * Checks that a client can ask for a delegation token with a shorter lifetime than the server
 * default, and that the identifier it receives honours that shorter bound.
 */
@Test
public void testDelegationTokenWithReducedLifetime() throws Throwable {
  final long requestedLifetimeMs = TimeUnit.MINUTES.toMillis(5);
  // Login as the "root" user
  UserGroupInformation rootUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
  log.info("Logged in as {}", rootUser.getPrincipal());
  // As the "root" user, open up the connection and get a delegation token
  final AuthenticationToken token = rootUgi.doAs(new PrivilegedExceptionAction<AuthenticationToken>() {
    @Override
    public AuthenticationToken run() throws Exception {
      Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken());
      log.info("Created connector as {}", rootUser.getPrincipal());
      assertEquals(rootUser.getPrincipal(), conn.whoami());
      DelegationTokenConfig shortLived = new DelegationTokenConfig().setTokenLifetime(5, TimeUnit.MINUTES);
      return conn.securityOperations().getDelegationToken(shortLived);
    }
  });
  AuthenticationTokenIdentifier identifier = ((DelegationTokenImpl) token).getIdentifier();
  // Lifetime as issued by the server: expiration minus issue time, both in milliseconds.
  long issuedLifetimeMs = identifier.getExpirationDate() - identifier.getIssueDate();
  assertTrue("Expected identifier to expire in no more than 5 minutes: " + identifier, issuedLifetimeMs <= requestedLifetimeMs);
}