Example 6 with DelegationTokenConfig

Use of org.apache.accumulo.core.client.admin.DelegationTokenConfig in project accumulo by apache.

The class AuthenticationTokenSecretManager, method createPassword.

@Override
protected byte[] createPassword(AuthenticationTokenIdentifier identifier) {
    DelegationTokenConfig cfg = identifier.getConfig();
    long now = System.currentTimeMillis();
    final AuthenticationKey secretKey;
    synchronized (this) {
        secretKey = currentKey;
    }
    identifier.setKeyId(secretKey.getKeyId());
    identifier.setIssueDate(now);
    long expiration = now + tokenMaxLifetime;
    // Catch overflow
    if (expiration < now) {
        expiration = Long.MAX_VALUE;
    }
    identifier.setExpirationDate(expiration);
    // Limit the lifetime if the user requests it
    if (null != cfg) {
        long requestedLifetime = cfg.getTokenLifetime(TimeUnit.MILLISECONDS);
        if (0 < requestedLifetime) {
            long requestedExpirationDate = identifier.getIssueDate() + requestedLifetime;
            // Catch overflow again
            if (requestedExpirationDate < identifier.getIssueDate()) {
                requestedExpirationDate = Long.MAX_VALUE;
            }
            // Ensure that the user doesn't try to extend the expiration date -- they may only limit it
            if (requestedExpirationDate > identifier.getExpirationDate()) {
                throw new RuntimeException("Requested token lifetime exceeds configured maximum");
            }
            log.trace("Overriding token expiration date from {} to {}", identifier.getExpirationDate(), requestedExpirationDate);
            identifier.setExpirationDate(requestedExpirationDate);
        }
    }
    identifier.setInstanceId(instance.getInstanceID());
    return createPassword(identifier.getBytes(), secretKey.getKey());
}
Also used: DelegationTokenConfig (org.apache.accumulo.core.client.admin.DelegationTokenConfig)

Example 7 with DelegationTokenConfig

Use of org.apache.accumulo.core.client.admin.DelegationTokenConfig in project accumulo by apache.

The class MasterClientServiceHandler, method getDelegationToken.

@Override
public TDelegationToken getDelegationToken(TInfo tinfo, TCredentials credentials, TDelegationTokenConfig tConfig) throws ThriftSecurityException, TException {
    if (!master.security.canObtainDelegationToken(credentials)) {
        throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
    }
    // Round-about way to verify that SASL is also enabled.
    if (!master.delegationTokensAvailable()) {
        throw new TException("Delegation tokens are not available for use");
    }
    final DelegationTokenConfig config = DelegationTokenConfigSerializer.deserialize(tConfig);
    final AuthenticationTokenSecretManager secretManager = master.getSecretManager();
    try {
        Entry<Token<AuthenticationTokenIdentifier>, AuthenticationTokenIdentifier> pair = secretManager.generateToken(credentials.principal, config);
        return new TDelegationToken(ByteBuffer.wrap(pair.getKey().getPassword()), pair.getValue().getThriftIdentifier());
    } catch (Exception e) {
        throw new TException(e.getMessage());
    }
}
Also used: TException (org.apache.thrift.TException), DelegationTokenConfig (org.apache.accumulo.core.client.admin.DelegationTokenConfig), TDelegationTokenConfig (org.apache.accumulo.core.security.thrift.TDelegationTokenConfig), AuthenticationTokenIdentifier (org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier), AuthenticationTokenSecretManager (org.apache.accumulo.server.security.delegation.AuthenticationTokenSecretManager), TDelegationToken (org.apache.accumulo.core.security.thrift.TDelegationToken), Token (org.apache.hadoop.security.token.Token), ThriftSecurityException (org.apache.accumulo.core.client.impl.thrift.ThriftSecurityException), TableNotFoundException (org.apache.accumulo.core.client.TableNotFoundException), InvalidProtocolBufferException (com.google.protobuf.InvalidProtocolBufferException), AccumuloSecurityException (org.apache.accumulo.core.client.AccumuloSecurityException), TabletDeletedException (org.apache.accumulo.server.util.TabletIterator.TabletDeletedException), KeeperException (org.apache.zookeeper.KeeperException), AccumuloException (org.apache.accumulo.core.client.AccumuloException), NoNodeException (org.apache.zookeeper.KeeperException.NoNodeException), ThriftTableOperationException (org.apache.accumulo.core.client.impl.thrift.ThriftTableOperationException)

Example 8 with DelegationTokenConfig

Use of org.apache.accumulo.core.client.admin.DelegationTokenConfig in project accumulo by apache.

The class AuthenticationTokenSecretManagerTest, method setupMocks.

@Before
public void setupMocks() {
    instance = createMock(Instance.class);
    instanceId = UUID.randomUUID().toString();
    cfg = new DelegationTokenConfig();
    expect(instance.getInstanceID()).andReturn(instanceId).anyTimes();
    replay(instance);
}
Also used: Instance (org.apache.accumulo.core.client.Instance), DelegationTokenConfig (org.apache.accumulo.core.client.admin.DelegationTokenConfig), Before (org.junit.Before)

Example 9 with DelegationTokenConfig

Use of org.apache.accumulo.core.client.admin.DelegationTokenConfig in project accumulo by apache.

The class SaslDigestCallbackHandlerTest, method setup.

@Before
public void setup() {
    handler = new SaslTestDigestCallbackHandler();
    cfg = new DelegationTokenConfig();
}
Also used: DelegationTokenConfig (org.apache.accumulo.core.client.admin.DelegationTokenConfig), Before (org.junit.Before)

Example 10 with DelegationTokenConfig

Use of org.apache.accumulo.core.client.admin.DelegationTokenConfig in project accumulo by apache.

The class KerberosIT, method testDelegationTokenWithReducedLifetime.

@Test
public void testDelegationTokenWithReducedLifetime() throws Throwable {
    // Login as the "root" user
    UserGroupInformation root = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
    log.info("Logged in as {}", rootUser.getPrincipal());
    // As the "root" user, open up the connection and get a delegation token
    final AuthenticationToken dt = root.doAs(new PrivilegedExceptionAction<AuthenticationToken>() {

        @Override
        public AuthenticationToken run() throws Exception {
            Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken());
            log.info("Created connector as {}", rootUser.getPrincipal());
            assertEquals(rootUser.getPrincipal(), conn.whoami());
            return conn.securityOperations().getDelegationToken(new DelegationTokenConfig().setTokenLifetime(5, TimeUnit.MINUTES));
        }
    });
    AuthenticationTokenIdentifier identifier = ((DelegationTokenImpl) dt).getIdentifier();
    assertTrue("Expected identifier to expire in no more than 5 minutes: " + identifier, identifier.getExpirationDate() - identifier.getIssueDate() <= (5 * 60 * 1000));
}
Also used: Connector (org.apache.accumulo.core.client.Connector), AuthenticationToken (org.apache.accumulo.core.client.security.tokens.AuthenticationToken), DelegationTokenConfig (org.apache.accumulo.core.client.admin.DelegationTokenConfig), KerberosToken (org.apache.accumulo.core.client.security.tokens.KerberosToken), DelegationTokenImpl (org.apache.accumulo.core.client.impl.DelegationTokenImpl), AuthenticationTokenIdentifier (org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier), TableNotFoundException (org.apache.accumulo.core.client.TableNotFoundException), TableExistsException (org.apache.accumulo.core.client.TableExistsException), AccumuloSecurityException (org.apache.accumulo.core.client.AccumuloSecurityException), UndeclaredThrowableException (java.lang.reflect.UndeclaredThrowableException), AccumuloException (org.apache.accumulo.core.client.AccumuloException), UserGroupInformation (org.apache.hadoop.security.UserGroupInformation), Test (org.junit.Test)

Aggregations (class, fully qualified name, number of usages):

DelegationTokenConfig (org.apache.accumulo.core.client.admin.DelegationTokenConfig) 17
AccumuloSecurityException (org.apache.accumulo.core.client.AccumuloSecurityException) 13
Connector (org.apache.accumulo.core.client.Connector) 12
KerberosToken (org.apache.accumulo.core.client.security.tokens.KerberosToken) 12
AccumuloException (org.apache.accumulo.core.client.AccumuloException) 11
TableNotFoundException (org.apache.accumulo.core.client.TableNotFoundException) 11
AuthenticationToken (org.apache.accumulo.core.client.security.tokens.AuthenticationToken) 11
TableExistsException (org.apache.accumulo.core.client.TableExistsException) 8
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation) 8
Test (org.junit.Test) 7
UndeclaredThrowableException (java.lang.reflect.UndeclaredThrowableException) 6
AuthenticationTokenIdentifier (org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier) 6
DelegationTokenImpl (org.apache.accumulo.core.client.impl.DelegationTokenImpl) 6
Instance (org.apache.accumulo.core.client.Instance) 5
Token (org.apache.hadoop.security.token.Token) 5
IOException (java.io.IOException) 4
DelegationToken (org.apache.accumulo.core.client.security.tokens.DelegationToken) 4
PasswordToken (org.apache.accumulo.core.client.security.tokens.PasswordToken) 4
MutationsRejectedException (org.apache.accumulo.core.client.MutationsRejectedException) 2
TableDeletedException (org.apache.accumulo.core.client.TableDeletedException) 2