use of org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier in project accumulo by apache.
the class AbstractInputFormat method setConnectorInfo.
/**
 * Configures the credentials this job uses to communicate with Accumulo.
 *
 * <p>
 * <b>WARNING:</b> Some tokens are handed to MapReduce tasks by serializing them into the job configuration, which divulges sensitive information to anyone
 * who can read that configuration. The serialized form is BASE64 encoded only to make it charset safe; BASE64 is an encoding, not encryption, and provides
 * no confidentiality. {@link PasswordToken} is one token that is exposed this way. {@link DelegationToken}s acquired using
 * {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)} are not subject to this concern.
 *
 * <p>
 * A {@link KerberosToken} is exchanged for a delegation token before the job is configured. If the exchange fails, the failure is only logged at WARN level
 * and the original Kerberos token is still passed on to the configurator.
 *
 * @param job
 *          the Hadoop job instance to be configured
 * @param principal
 *          a valid Accumulo user name (user must have Table.CREATE permission)
 * @param token
 *          the authentication token for {@code principal}; any {@link AuthenticationToken} is accepted, not only a password
 * @throws AccumuloSecurityException
 *           declared by this method; the Kerberos exchange itself swallows every exception it hits
 * @since 1.5.0
 * @deprecated since 2.0.0, use {@link #setConnectionInfo(JobConf, ConnectionInfo)} instead
 */
@Deprecated
public static void setConnectorInfo(JobConf job, String principal, AuthenticationToken token) throws AccumuloSecurityException {
  AuthenticationToken effectiveToken = token;

  if (effectiveToken instanceof KerberosToken) {
    log.info("Received KerberosToken, attempting to fetch DelegationToken");
    try {
      // Log in with the Kerberos credentials once, here on the client, and swap them for a delegation token.
      final Connector connector = getInstance(job).getConnector(principal, effectiveToken);
      effectiveToken = connector.securityOperations().getDelegationToken(new DelegationTokenConfig());
    } catch (Exception ex) {
      // Best effort: effectiveToken is left as the Kerberos token and job setup continues.
      log.warn("Failed to automatically obtain DelegationToken, Mappers/Reducers will likely fail to communicate with Accumulo", ex);
    }
  }

  // A delegation token travels in the job's Hadoop credentials rather than as an encoded secret in the configuration.
  if (effectiveToken instanceof DelegationTokenImpl) {
    final DelegationTokenImpl delegation = (DelegationTokenImpl) effectiveToken;
    final AuthenticationTokenIdentifier tokenId = delegation.getIdentifier();
    // Wrap the Accumulo delegation token in the Hadoop Token type.
    final Token<AuthenticationTokenIdentifier> jobToken = new Token<>(tokenId.getBytes(), delegation.getPassword(), tokenId.getKind(),
        delegation.getServiceName());
    // Registering it with the job credentials is what gets it serialized and shipped to the tasks.
    job.getCredentials().addToken(jobToken.getService(), jobToken);
  }

  // NOTE(review): how the configurator stores each token type is not visible in this listing; see the WARNING above for PasswordToken.
  InputConfigurator.setConnectorInfo(CLASS, job, principal, effectiveToken);
}
use of org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier in project accumulo by apache.
the class AccumuloOutputFormat method setConnectorInfo.
/**
 * Configures the credentials this job uses to communicate with Accumulo.
 *
 * <p>
 * <b>WARNING:</b> Some tokens are handed to MapReduce tasks by serializing them into the job configuration, which divulges sensitive information to anyone
 * who can read that configuration. The serialized form is BASE64 encoded only to make it charset safe; BASE64 is an encoding, not encryption, and provides
 * no confidentiality. {@link PasswordToken} is one token that is exposed this way. {@link DelegationToken}s acquired using
 * {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)} are not subject to this concern.
 *
 * <p>
 * A {@link KerberosToken} is exchanged for a delegation token before the job is configured. If the exchange fails, the failure is only logged at WARN level
 * and the original Kerberos token is still passed on to the configurator.
 *
 * @param job
 *          the Hadoop job instance to be configured
 * @param principal
 *          a valid Accumulo user name (user must have Table.CREATE permission if {@link #setCreateTables(JobConf, boolean)} is set to true)
 * @param token
 *          the authentication token for {@code principal}; any {@link AuthenticationToken} is accepted, not only a password
 * @throws AccumuloSecurityException
 *           declared by this method; the Kerberos exchange itself swallows every exception it hits
 * @since 1.5.0
 * @deprecated since 2.0.0, use {@link #setConnectionInfo(JobConf, ConnectionInfo)} instead.
 */
@Deprecated
public static void setConnectorInfo(JobConf job, String principal, AuthenticationToken token) throws AccumuloSecurityException {
  AuthenticationToken effectiveToken = token;

  if (effectiveToken instanceof KerberosToken) {
    log.info("Received KerberosToken, attempting to fetch DelegationToken");
    try {
      // Log in with the Kerberos credentials once, here on the client, and swap them for a delegation token.
      final Connector connector = getInstance(job).getConnector(principal, effectiveToken);
      effectiveToken = connector.securityOperations().getDelegationToken(new DelegationTokenConfig());
    } catch (Exception ex) {
      // Best effort: effectiveToken is left as the Kerberos token and job setup continues.
      log.warn("Failed to automatically obtain DelegationToken, Mappers/Reducers will likely fail to communicate with Accumulo", ex);
    }
  }

  // A delegation token travels in the job's Hadoop credentials rather than as an encoded secret in the configuration.
  if (effectiveToken instanceof DelegationTokenImpl) {
    final DelegationTokenImpl delegation = (DelegationTokenImpl) effectiveToken;
    final AuthenticationTokenIdentifier tokenId = delegation.getIdentifier();
    // Wrap the Accumulo delegation token in the Hadoop Token type.
    final Token<AuthenticationTokenIdentifier> jobToken = new Token<>(tokenId.getBytes(), delegation.getPassword(), tokenId.getKind(),
        delegation.getServiceName());
    // Registering it with the job credentials is what gets it serialized and shipped to the tasks.
    job.getCredentials().addToken(jobToken.getService(), jobToken);
  }

  // NOTE(review): how the configurator stores each token type is not visible in this listing; see the WARNING above for PasswordToken.
  OutputConfigurator.setConnectorInfo(CLASS, job, principal, effectiveToken);
}
use of org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier in project accumulo by apache.
the class DelegationTokenImplTest method testSerialization.
/**
 * Verifies that a {@code DelegationTokenImpl} written with {@code write} and read back with {@code readFields} is equal to the original and has the same
 * hash code.
 */
@Test
public void testSerialization() throws IOException {
  final AuthenticationTokenIdentifier tokenId = new AuthenticationTokenIdentifier("user", 1, 1000L, 2000L, "instanceid");
  // The password only has to round-trip, so placeholder bytes stand in for a real serialized Token.
  final byte[] placeholderPassword = new byte[] {'f', 'a', 'k', 'e'};
  final DelegationTokenImpl original = new DelegationTokenImpl(placeholderPassword, tokenId);

  // Sanity check: equals and hashCode are reflexive and stable.
  assertEquals(original, original);
  assertEquals(original.hashCode(), original.hashCode());

  // Serialize into an in-memory buffer.
  final ByteArrayOutputStream buffer = new ByteArrayOutputStream();
  final DataOutputStream sink = new DataOutputStream(buffer);
  original.write(sink);

  // Rebuild a second token from the serialized bytes alone.
  final DataInputStream source = new DataInputStream(new ByteArrayInputStream(buffer.toByteArray()));
  final DelegationTokenImpl restored = new DelegationTokenImpl();
  restored.readFields(source);

  assertEquals(original, restored);
  assertEquals(original.hashCode(), restored.hashCode());
}
use of org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier in project accumulo by apache.
the class SaslConnectionParamsTest method testDelegationTokenImpl.
/**
 * Verifies the SASL parameters derived from a {@code DelegationTokenImpl}: the DIGEST-MD5 mechanism, the digest callback handler, the default quality of
 * protection as the single SASL property, and the expected principal.
 */
@Test
public void testDelegationTokenImpl() throws Exception {
  final AuthenticationTokenIdentifier tokenId = new AuthenticationTokenIdentifier("user", 1, 10L, 20L, "instanceid");
  final DelegationTokenImpl token = new DelegationTokenImpl(new byte[0], tokenId);

  // Run as the test user so the parameters are built in that user's security context.
  testUser.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      // The primary is the first component of the principal
      final String primary = "accumulo";

      final ClientConfiguration conf = ClientConfiguration.loadDefault();
      conf.withSasl(true, primary);
      final AccumuloConfiguration rpcSettings = ClientContext.convertClientConfig(conf);
      assertEquals("true", conf.get(ClientProperty.INSTANCE_RPC_SASL_ENABLED));

      final SaslConnectionParams params = new SaslConnectionParams(rpcSettings, token);
      assertEquals(primary, params.getKerberosServerPrimary());

      // No QOP was configured, so the property's default is expected.
      final QualityOfProtection expectedQop = QualityOfProtection.get(Property.RPC_SASL_QOP.getDefaultValue());
      assertEquals(expectedQop, params.getQualityOfProtection());

      // A delegation token is expected to select DIGEST-MD5 together with the digest callback handler.
      assertEquals(SaslMechanism.DIGEST_MD5, params.getMechanism());
      assertNotNull(params.getCallbackHandler());
      assertEquals(SaslClientDigestCallbackHandler.class, params.getCallbackHandler().getClass());

      // QOP must be the only SASL property that is set.
      final Map<String, String> saslProps = params.getSaslProperties();
      assertEquals(1, saslProps.size());
      assertEquals(expectedQop.getQuality(), saslProps.get(Sasl.QOP));

      assertEquals(username, params.getPrincipal());
      return null;
    }
  });
}
use of org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier in project accumulo by apache.
the class SaslConnectionParamsTest method testEquality.
/**
 * Verifies {@code equals} and {@code hashCode} of {@code SaslConnectionParams}: parameters built from the same Kerberos token are equal, parameters built
 * from equal delegation tokens are equal, and Kerberos-based parameters differ from delegation-token-based ones.
 */
@Test
public void testEquality() throws Exception {
  final KerberosToken kerberosToken = EasyMock.createMock(KerberosToken.class);

  // Two parameter objects built independently from the same Kerberos token.
  final SaslConnectionParams kerberosParamsA = testUser.doAs(new PrivilegedExceptionAction<SaslConnectionParams>() {
    @Override
    public SaslConnectionParams run() throws Exception {
      final ClientConfiguration conf = ClientConfiguration.loadDefault();
      // "accumulo" is the primary, i.e. the first component of the principal
      conf.withSasl(true, "accumulo");
      final AccumuloConfiguration rpcSettings = ClientContext.convertClientConfig(conf);
      assertEquals("true", conf.get(ClientProperty.INSTANCE_RPC_SASL_ENABLED));
      return new SaslConnectionParams(rpcSettings, kerberosToken);
    }
  });
  final SaslConnectionParams kerberosParamsB = testUser.doAs(new PrivilegedExceptionAction<SaslConnectionParams>() {
    @Override
    public SaslConnectionParams run() throws Exception {
      final ClientConfiguration conf = ClientConfiguration.loadDefault();
      // "accumulo" is the primary, i.e. the first component of the principal
      conf.withSasl(true, "accumulo");
      final AccumuloConfiguration rpcSettings = ClientContext.convertClientConfig(conf);
      assertEquals("true", conf.get(ClientProperty.INSTANCE_RPC_SASL_ENABLED));
      return new SaslConnectionParams(rpcSettings, kerberosToken);
    }
  });

  assertEquals(kerberosParamsA, kerberosParamsB);
  assertEquals(kerberosParamsA.hashCode(), kerberosParamsB.hashCode());

  // Parameters built from a delegation token must not compare equal to the Kerberos-based ones.
  final DelegationTokenImpl firstDelegationToken = new DelegationTokenImpl(new byte[0],
      new AuthenticationTokenIdentifier("user", 1, 10L, 20L, "instanceid"));
  final SaslConnectionParams delegationParamsA = testUser.doAs(new PrivilegedExceptionAction<SaslConnectionParams>() {
    @Override
    public SaslConnectionParams run() throws Exception {
      final ClientConfiguration conf = ClientConfiguration.loadDefault();
      // "accumulo" is the primary, i.e. the first component of the principal
      conf.withSasl(true, "accumulo");
      final AccumuloConfiguration rpcSettings = ClientContext.convertClientConfig(conf);
      assertEquals("true", conf.get(ClientProperty.INSTANCE_RPC_SASL_ENABLED));
      return new SaslConnectionParams(rpcSettings, firstDelegationToken);
    }
  });

  // NOTE(review): the hashCode contract allows unequal objects to share a hash code, so the hash
  // inequality checks in this test depend on the current SaslConnectionParams implementation.
  assertNotEquals(kerberosParamsA, delegationParamsA);
  assertNotEquals(kerberosParamsA.hashCode(), delegationParamsA.hashCode());
  assertNotEquals(kerberosParamsB, delegationParamsA);
  assertNotEquals(kerberosParamsB.hashCode(), delegationParamsA.hashCode());

  // A second delegation token with identical contents must yield equal parameters.
  final DelegationTokenImpl secondDelegationToken = new DelegationTokenImpl(new byte[0],
      new AuthenticationTokenIdentifier("user", 1, 10L, 20L, "instanceid"));
  final SaslConnectionParams delegationParamsB = testUser.doAs(new PrivilegedExceptionAction<SaslConnectionParams>() {
    @Override
    public SaslConnectionParams run() throws Exception {
      final ClientConfiguration conf = ClientConfiguration.loadDefault();
      // "accumulo" is the primary, i.e. the first component of the principal
      conf.withSasl(true, "accumulo");
      final AccumuloConfiguration rpcSettings = ClientContext.convertClientConfig(conf);
      assertEquals("true", conf.get(ClientProperty.INSTANCE_RPC_SASL_ENABLED));
      return new SaslConnectionParams(rpcSettings, secondDelegationToken);
    }
  });

  assertNotEquals(kerberosParamsA, delegationParamsB);
  assertNotEquals(kerberosParamsA.hashCode(), delegationParamsB.hashCode());
  assertNotEquals(kerberosParamsB, delegationParamsB);
  assertNotEquals(kerberosParamsB.hashCode(), delegationParamsB.hashCode());

  assertEquals(delegationParamsA, delegationParamsB);
  assertEquals(delegationParamsA.hashCode(), delegationParamsB.hashCode());
}