use of org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier in project accumulo by apache.
the class DelegationTokenImplTest method testEquality.
/**
 * Asserts that {@link DelegationTokenImpl} instances compare as different, and report different hash codes, when either the identifier or the password bytes
 * differ.
 */
@Test
public void testEquality() throws IOException {
  // The password bytes below are placeholders; a real serialized Token is not needed to exercise equals/hashCode.
  final AuthenticationTokenIdentifier userId = new AuthenticationTokenIdentifier("user", 1, 1000L, 2000L, "instanceid");
  final DelegationTokenImpl userToken = new DelegationTokenImpl(new byte[] {'f', 'a', 'k', 'e'}, userId);

  // Same placeholder password, but the identifier's first argument is "user1" instead of "user".
  final AuthenticationTokenIdentifier user1Id = new AuthenticationTokenIdentifier("user1", 1, 1000L, 2000L, "instanceid");
  final DelegationTokenImpl user1Token = new DelegationTokenImpl(new byte[] {'f', 'a', 'k', 'e'}, user1Id);

  assertNotEquals(userToken, user1Token);
  assertNotEquals(userToken.hashCode(), user1Token.hashCode());

  // Same identifier as userToken, but one extra password byte.
  final DelegationTokenImpl longerPasswordToken = new DelegationTokenImpl(new byte[] {'f', 'a', 'k', 'e', '0'}, userId);

  assertNotEquals(userToken, longerPasswordToken);
  assertNotEquals(userToken.hashCode(), longerPasswordToken.hashCode());
  assertNotEquals(user1Token, longerPasswordToken);
  assertNotEquals(user1Token.hashCode(), longerPasswordToken.hashCode());
}
use of org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier in project accumulo by apache.
the class AuthenticationTokenIdentifierTest method testTokenKind.
/**
 * Asserts that an identifier built from only a principal reports {@code AuthenticationTokenIdentifier.TOKEN_KIND} from {@code getKind()}.
 */
@Test
public void testTokenKind() {
  final AuthenticationTokenIdentifier identifier = new AuthenticationTokenIdentifier("my_special_principal");
  assertEquals(AuthenticationTokenIdentifier.TOKEN_KIND, identifier.getKind());
}
use of org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier in project accumulo by apache.
the class AuthenticationTokenIdentifierTest method testSerialization.
/**
 * Round-trips an identifier through {@code write} and {@code readFields} and asserts that the copy matches the original by {@code equals}, {@code hashCode}
 * and {@code toString}.
 */
@Test
public void testSerialization() throws IOException {
  final AuthenticationTokenIdentifier original = new AuthenticationTokenIdentifier("my_special_principal");

  // Serialize into an in-memory buffer.
  final ByteArrayOutputStream buffer = new ByteArrayOutputStream();
  original.write(new DataOutputStream(buffer));

  // Populate a blank identifier from the serialized bytes.
  final AuthenticationTokenIdentifier roundTripped = new AuthenticationTokenIdentifier();
  roundTripped.readFields(new DataInputStream(new ByteArrayInputStream(buffer.toByteArray())));

  assertEquals(original, roundTripped);
  assertEquals(original.hashCode(), roundTripped.hashCode());
  assertEquals(original.toString(), roundTripped.toString());
}
use of org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier in project accumulo by apache.
the class AbstractInputFormat method setConnectorInfo.
/**
 * Sets the connector information needed to communicate with Accumulo in this job.
 *
 * <p>
 * <b>WARNING:</b> Some tokens, when serialized, divulge sensitive information in the configuration as a means to pass the token to MapReduce tasks. This
 * information is BASE64 encoded to provide a charset safe conversion to a string, but this conversion is not intended to be secure: BASE64 is an encoding,
 * not encryption, so anyone who can read the job configuration can recover the token. {@link PasswordToken} is one example that is insecure in this way;
 * however {@link DelegationToken}s, acquired using {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)}, are not subject to this concern.
 *
 * <p>
 * When a {@link KerberosToken} is supplied, this method tries to exchange it for a delegation token. If that exchange fails, the failure is only logged and
 * the original token is still handed to {@code InputConfigurator}.
 *
 * @param job
 *          the Hadoop job instance to be configured
 * @param principal
 *          a valid Accumulo user name (user must have Table.CREATE permission)
 * @param token
 *          the user's authentication token (for example a password token, Kerberos token or delegation token)
 * @throws AccumuloSecurityException
 *           declared by the signature; in this method only the final {@code InputConfigurator} call sits outside the catch-all block
 * @since 1.5.0
 * @deprecated since 2.0.0; use {@link #setConnectionInfo(Job, ConnectionInfo)} instead.
 */
@Deprecated
public static void setConnectorInfo(Job job, String principal, AuthenticationToken token) throws AccumuloSecurityException {
  AuthenticationToken effectiveToken = token;

  if (effectiveToken instanceof KerberosToken) {
    log.info("Received KerberosToken, attempting to fetch DelegationToken");
    try {
      Connector connector = getInstance(job).getConnector(principal, effectiveToken);
      effectiveToken = connector.securityOperations().getDelegationToken(new DelegationTokenConfig());
    } catch (Exception e) {
      // Best effort: on failure effectiveToken is left as the KerberosToken and configuration continues.
      log.warn("Failed to automatically obtain DelegationToken, Mappers/Reducers will likely fail to communicate with Accumulo", e);
    }
  }

  // A delegation token travels with the job's credentials rather than being serialized insecurely in the configuration.
  if (effectiveToken instanceof DelegationTokenImpl) {
    final DelegationTokenImpl delegation = (DelegationTokenImpl) effectiveToken;
    final AuthenticationTokenIdentifier tokenId = delegation.getIdentifier();

    // Re-wrap as a Hadoop Token so Hadoop serializes it and passes it along with the job.
    final byte[] idBytes = tokenId.getBytes();
    final byte[] secret = delegation.getPassword();
    final Token<AuthenticationTokenIdentifier> jobToken = new Token<>(idBytes, secret, tokenId.getKind(), delegation.getServiceName());
    job.getCredentials().addToken(jobToken.getService(), jobToken);
  }

  // NOTE(review): this call is unconditional; how InputConfigurator stores each token type is not visible here.
  InputConfigurator.setConnectorInfo(CLASS, job.getConfiguration(), principal, effectiveToken);
}
use of org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier in project accumulo by apache.
the class AuthenticationTokenSecretManager method generateToken.
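/**
 * Generates a delegation token for the user with the provided {@code username}.
 *
 * <p>
 * The returned Hadoop {@link Token} carries the password produced by {@code createPassword}; treat it as a credential and keep it out of logs.
 *
 * @param username
 *          The client to generate the delegation token for; must not be null.
 * @param cfg
 *          A configuration object for obtaining the delegation token; must not be null.
 * @return A delegation token for {@code username} created using the {@link #currentKey}, paired with the identifier it was built from.
 * @throws AccumuloException
 *           if {@code createPassword} fails with a {@link RuntimeException}; the original exception is attached as the cause
 */
public Entry<Token<AuthenticationTokenIdentifier>, AuthenticationTokenIdentifier> generateToken(String username, DelegationTokenConfig cfg) throws AccumuloException {
  requireNonNull(username);
  requireNonNull(cfg);

  final AuthenticationTokenIdentifier id = new AuthenticationTokenIdentifier(username, cfg);

  // The service name is the fixed prefix, suffixed with the instance id when the identifier has one.
  final StringBuilder svcName = new StringBuilder(DelegationTokenImpl.SERVICE_NAME);
  if (null != id.getInstanceId()) {
    svcName.append("-").append(id.getInstanceId());
  }

  // Create password will update the state on the identifier given currentKey. Need to call this before serializing the identifier
  final byte[] password;
  try {
    password = createPassword(id);
  } catch (RuntimeException e) {
    // Keep the message callers already see, but chain the cause so the failure can be diagnosed from the stack trace.
    // NOTE(review): confirm the chained cause is not serialized back to remote clients.
    throw new AccumuloException(e.getMessage(), e);
  }

  // The use of the ServiceLoader inside Token doesn't work to automatically get the Identifier
  // Explicitly returning the identifier also saves an extra deserialization
  Token<AuthenticationTokenIdentifier> token = new Token<>(id.getBytes(), password, id.getKind(), new Text(svcName.toString()));
  return Maps.immutableEntry(token, id);
}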