use of org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier in project accumulo by apache.
the class SaslDigestCallbackHandlerTest method testIdentifierSerialization.
@Test
public void testIdentifierSerialization() throws IOException {
AuthenticationTokenIdentifier identifier = new AuthenticationTokenIdentifier("user", 1, 100l, 1000l, "instanceid");
byte[] serialized = identifier.getBytes();
String name = handler.encodeIdentifier(serialized);
byte[] reserialized = handler.decodeIdentifier(name);
assertArrayEquals(serialized, reserialized);
AuthenticationTokenIdentifier copy = new AuthenticationTokenIdentifier();
copy.readFields(new DataInputStream(new ByteArrayInputStream(reserialized)));
assertEquals(identifier, copy);
}
use of org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier in project accumulo by apache.
the class KerberosIT method testDelegationTokenWithReducedLifetime.
@Test
public void testDelegationTokenWithReducedLifetime() throws Throwable {
// Login as the "root" user
UserGroupInformation root = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
log.info("Logged in as {}", rootUser.getPrincipal());
// As the "root" user, open up the connection and get a delegation token
final AuthenticationToken dt = root.doAs(new PrivilegedExceptionAction<AuthenticationToken>() {
@Override
public AuthenticationToken run() throws Exception {
Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken());
log.info("Created connector as {}", rootUser.getPrincipal());
assertEquals(rootUser.getPrincipal(), conn.whoami());
return conn.securityOperations().getDelegationToken(new DelegationTokenConfig().setTokenLifetime(5, TimeUnit.MINUTES));
}
});
AuthenticationTokenIdentifier identifier = ((DelegationTokenImpl) dt).getIdentifier();
assertTrue("Expected identifier to expire in no more than 5 minutes: " + identifier, identifier.getExpirationDate() - identifier.getIssueDate() <= (5 * 60 * 1000));
}
use of org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier in project accumulo by apache.
the class ConfiguratorBase method unwrapAuthenticationToken.
/**
* Unwraps the provided {@link AuthenticationToken} if it is an instance of {@link DelegationTokenStub}, reconstituting it from the provided {@link JobConf}.
*
* @param job
* The job
* @param token
* The authentication token
*/
public static AuthenticationToken unwrapAuthenticationToken(JobConf job, AuthenticationToken token) {
requireNonNull(job);
requireNonNull(token);
if (token instanceof DelegationTokenStub) {
DelegationTokenStub delTokenStub = (DelegationTokenStub) token;
Token<? extends TokenIdentifier> hadoopToken = job.getCredentials().getToken(new Text(delTokenStub.getServiceName()));
AuthenticationTokenIdentifier identifier = new AuthenticationTokenIdentifier();
try {
identifier.readFields(new DataInputStream(new ByteArrayInputStream(hadoopToken.getIdentifier())));
return new DelegationTokenImpl(hadoopToken.getPassword(), identifier);
} catch (IOException e) {
throw new RuntimeException("Could not construct DelegationToken from JobConf Credentials", e);
}
}
return token;
}
use of org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier in project accumulo by apache.
the class AccumuloOutputFormat method setConnectorInfo.
/**
* Sets the connector information needed to communicate with Accumulo in this job.
*
* <p>
* <b>WARNING:</b> Some tokens, when serialized, divulge sensitive information in the configuration as a means to pass the token to MapReduce tasks. This
* information is BASE64 encoded to provide a charset safe conversion to a string, but this conversion is not intended to be secure. {@link PasswordToken} is
* one example that is insecure in this way; however {@link DelegationToken}s, acquired using
* {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)}, is not subject to this concern.
*
* @param job
* the Hadoop job instance to be configured
* @param principal
* a valid Accumulo user name (user must have Table.CREATE permission if {@link #setCreateTables(Job, boolean)} is set to true)
* @param token
* the user's password
* @since 1.5.0
* @deprecated since 2.0.0, replaced by {@link #setConnectionInfo(Job, ConnectionInfo)}
*/
@Deprecated
public static void setConnectorInfo(Job job, String principal, AuthenticationToken token) throws AccumuloSecurityException {
if (token instanceof KerberosToken) {
log.info("Received KerberosToken, attempting to fetch DelegationToken");
try {
Instance instance = getInstance(job);
Connector conn = instance.getConnector(principal, token);
token = conn.securityOperations().getDelegationToken(new DelegationTokenConfig());
} catch (Exception e) {
log.warn("Failed to automatically obtain DelegationToken, Mappers/Reducers will likely fail to communicate with Accumulo", e);
}
}
// DelegationTokens can be passed securely from user to task without serializing insecurely in the configuration
if (token instanceof DelegationTokenImpl) {
DelegationTokenImpl delegationToken = (DelegationTokenImpl) token;
// Convert it into a Hadoop Token
AuthenticationTokenIdentifier identifier = delegationToken.getIdentifier();
Token<AuthenticationTokenIdentifier> hadoopToken = new Token<>(identifier.getBytes(), delegationToken.getPassword(), identifier.getKind(), delegationToken.getServiceName());
// Add the Hadoop Token to the Job so it gets serialized and passed along.
job.getCredentials().addToken(hadoopToken.getService(), hadoopToken);
}
OutputConfigurator.setConnectorInfo(CLASS, job.getConfiguration(), principal, token);
}
use of org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier in project accumulo by apache.
the class ConfiguratorBase method unwrapAuthenticationToken.
/**
* Unwraps the provided {@link AuthenticationToken} if it is an instance of {@link DelegationTokenStub}, reconstituting it from the provided {@link JobConf}.
*
* @param job
* The job
* @param token
* The authentication token
*/
public static AuthenticationToken unwrapAuthenticationToken(JobContext job, AuthenticationToken token) {
requireNonNull(job);
requireNonNull(token);
if (token instanceof DelegationTokenStub) {
DelegationTokenStub delTokenStub = (DelegationTokenStub) token;
Token<? extends TokenIdentifier> hadoopToken = job.getCredentials().getToken(new Text(delTokenStub.getServiceName()));
AuthenticationTokenIdentifier identifier = new AuthenticationTokenIdentifier();
try {
identifier.readFields(new DataInputStream(new ByteArrayInputStream(hadoopToken.getIdentifier())));
return new DelegationTokenImpl(hadoopToken.getPassword(), identifier);
} catch (IOException e) {
throw new RuntimeException("Could not construct DelegationToken from JobConf Credentials", e);
}
}
return token;
}
Aggregations