Search in sources :

Example 11 with DelegationTokenImpl

use of org.apache.accumulo.core.client.impl.DelegationTokenImpl in project accumulo by apache.

the class AccumuloOutputFormat method setConnectorInfo.

/**
 * Sets the connector information needed to communicate with Accumulo in this job.
 *
 * <p>
 * <b>WARNING:</b> Some tokens, when serialized, divulge sensitive information in the configuration as a means to pass the token to MapReduce tasks. This
 * information is BASE64 encoded to provide a charset safe conversion to a string, but this conversion is not intended to be secure. {@link PasswordToken} is
 * one example that is insecure in this way; however {@link DelegationToken}s, acquired using
 * {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)}, is not subject to this concern.
 *
 * @param job
 *          the Hadoop job instance to be configured
 * @param principal
 *          a valid Accumulo user name (user must have Table.CREATE permission if {@link #setCreateTables(JobConf, boolean)} is set to true)
 * @param token
 *          the user's password
 * @since 1.5.0
 * @deprecated since 2.0.0, use {@link #setConnectionInfo(JobConf, ConnectionInfo)} instead.
 */
@Deprecated
public static void setConnectorInfo(JobConf job, String principal, AuthenticationToken token) throws AccumuloSecurityException {
    if (token instanceof KerberosToken) {
        log.info("Received KerberosToken, attempting to fetch DelegationToken");
        try {
            Instance instance = getInstance(job);
            Connector conn = instance.getConnector(principal, token);
            token = conn.securityOperations().getDelegationToken(new DelegationTokenConfig());
        } catch (Exception e) {
            log.warn("Failed to automatically obtain DelegationToken, Mappers/Reducers will likely fail to communicate with Accumulo", e);
        }
    }
    // DelegationTokens can be passed securely from user to task without serializing insecurely in the configuration
    if (token instanceof DelegationTokenImpl) {
        DelegationTokenImpl delegationToken = (DelegationTokenImpl) token;
        // Convert it into a Hadoop Token
        AuthenticationTokenIdentifier identifier = delegationToken.getIdentifier();
        Token<AuthenticationTokenIdentifier> hadoopToken = new Token<>(identifier.getBytes(), delegationToken.getPassword(), identifier.getKind(), delegationToken.getServiceName());
        // Add the Hadoop Token to the Job so it gets serialized and passed along.
        job.getCredentials().addToken(hadoopToken.getService(), hadoopToken);
    }
    OutputConfigurator.setConnectorInfo(CLASS, job, principal, token);
}
Also used : Connector(org.apache.accumulo.core.client.Connector) Instance(org.apache.accumulo.core.client.Instance) ZooKeeperInstance(org.apache.accumulo.core.client.ZooKeeperInstance) DelegationTokenConfig(org.apache.accumulo.core.client.admin.DelegationTokenConfig) KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken) DelegationTokenImpl(org.apache.accumulo.core.client.impl.DelegationTokenImpl) AuthenticationTokenIdentifier(org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier) DelegationToken(org.apache.accumulo.core.client.security.tokens.DelegationToken) AuthenticationToken(org.apache.accumulo.core.client.security.tokens.AuthenticationToken) Token(org.apache.hadoop.security.token.Token) KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken) PasswordToken(org.apache.accumulo.core.client.security.tokens.PasswordToken) TableExistsException(org.apache.accumulo.core.client.TableExistsException) TableNotFoundException(org.apache.accumulo.core.client.TableNotFoundException) AccumuloSecurityException(org.apache.accumulo.core.client.AccumuloSecurityException) MutationsRejectedException(org.apache.accumulo.core.client.MutationsRejectedException) IOException(java.io.IOException) AccumuloException(org.apache.accumulo.core.client.AccumuloException)

Example 12 with DelegationTokenImpl

use of org.apache.accumulo.core.client.impl.DelegationTokenImpl in project accumulo by apache.

the class DelegationTokenImplTest method testSerialization.

@Test
public void testSerialization() throws IOException {
    AuthenticationTokenIdentifier identifier = new AuthenticationTokenIdentifier("user", 1, 1000l, 2000l, "instanceid");
    // We don't need a real serialized Token for the password
    DelegationTokenImpl token = new DelegationTokenImpl(new byte[] { 'f', 'a', 'k', 'e' }, identifier);
    assertEquals(token, token);
    assertEquals(token.hashCode(), token.hashCode());
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    token.write(new DataOutputStream(baos));
    DelegationTokenImpl copy = new DelegationTokenImpl();
    copy.readFields(new DataInputStream(new ByteArrayInputStream(baos.toByteArray())));
    assertEquals(token, copy);
    assertEquals(token.hashCode(), copy.hashCode());
}
Also used : ByteArrayInputStream(java.io.ByteArrayInputStream) DelegationTokenImpl(org.apache.accumulo.core.client.impl.DelegationTokenImpl) DataOutputStream(java.io.DataOutputStream) AuthenticationTokenIdentifier(org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier) ByteArrayOutputStream(java.io.ByteArrayOutputStream) DataInputStream(java.io.DataInputStream) Test(org.junit.Test)

Example 13 with DelegationTokenImpl

use of org.apache.accumulo.core.client.impl.DelegationTokenImpl in project accumulo by apache.

the class SaslConnectionParamsTest method testDelegationTokenImpl.

@Test
public void testDelegationTokenImpl() throws Exception {
    final DelegationTokenImpl token = new DelegationTokenImpl(new byte[0], new AuthenticationTokenIdentifier("user", 1, 10l, 20l, "instanceid"));
    testUser.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            final ClientConfiguration clientConf = ClientConfiguration.loadDefault();
            // The primary is the first component of the principal
            final String primary = "accumulo";
            clientConf.withSasl(true, primary);
            final AccumuloConfiguration rpcConf = ClientContext.convertClientConfig(clientConf);
            assertEquals("true", clientConf.get(ClientProperty.INSTANCE_RPC_SASL_ENABLED));
            final SaslConnectionParams saslParams = new SaslConnectionParams(rpcConf, token);
            assertEquals(primary, saslParams.getKerberosServerPrimary());
            final QualityOfProtection defaultQop = QualityOfProtection.get(Property.RPC_SASL_QOP.getDefaultValue());
            assertEquals(defaultQop, saslParams.getQualityOfProtection());
            assertEquals(SaslMechanism.DIGEST_MD5, saslParams.getMechanism());
            assertNotNull(saslParams.getCallbackHandler());
            assertEquals(SaslClientDigestCallbackHandler.class, saslParams.getCallbackHandler().getClass());
            Map<String, String> properties = saslParams.getSaslProperties();
            assertEquals(1, properties.size());
            assertEquals(defaultQop.getQuality(), properties.get(Sasl.QOP));
            assertEquals(username, saslParams.getPrincipal());
            return null;
        }
    });
}
Also used : QualityOfProtection(org.apache.accumulo.core.rpc.SaslConnectionParams.QualityOfProtection) DelegationTokenImpl(org.apache.accumulo.core.client.impl.DelegationTokenImpl) AuthenticationTokenIdentifier(org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier) Map(java.util.Map) ClientConfiguration(org.apache.accumulo.core.client.ClientConfiguration) AccumuloConfiguration(org.apache.accumulo.core.conf.AccumuloConfiguration) Test(org.junit.Test)

Example 14 with DelegationTokenImpl

use of org.apache.accumulo.core.client.impl.DelegationTokenImpl in project accumulo by apache.

the class SaslConnectionParamsTest method testEquality.

@Test
public void testEquality() throws Exception {
    final KerberosToken token = EasyMock.createMock(KerberosToken.class);
    SaslConnectionParams params1 = testUser.doAs(new PrivilegedExceptionAction<SaslConnectionParams>() {

        @Override
        public SaslConnectionParams run() throws Exception {
            final ClientConfiguration clientConf = ClientConfiguration.loadDefault();
            // The primary is the first component of the principal
            final String primary = "accumulo";
            clientConf.withSasl(true, primary);
            final AccumuloConfiguration rpcConf = ClientContext.convertClientConfig(clientConf);
            assertEquals("true", clientConf.get(ClientProperty.INSTANCE_RPC_SASL_ENABLED));
            return new SaslConnectionParams(rpcConf, token);
        }
    });
    SaslConnectionParams params2 = testUser.doAs(new PrivilegedExceptionAction<SaslConnectionParams>() {

        @Override
        public SaslConnectionParams run() throws Exception {
            final ClientConfiguration clientConf = ClientConfiguration.loadDefault();
            // The primary is the first component of the principal
            final String primary = "accumulo";
            clientConf.withSasl(true, primary);
            final AccumuloConfiguration rpcConf = ClientContext.convertClientConfig(clientConf);
            assertEquals("true", clientConf.get(ClientProperty.INSTANCE_RPC_SASL_ENABLED));
            return new SaslConnectionParams(rpcConf, token);
        }
    });
    assertEquals(params1, params2);
    assertEquals(params1.hashCode(), params2.hashCode());
    final DelegationTokenImpl delToken1 = new DelegationTokenImpl(new byte[0], new AuthenticationTokenIdentifier("user", 1, 10l, 20l, "instanceid"));
    SaslConnectionParams params3 = testUser.doAs(new PrivilegedExceptionAction<SaslConnectionParams>() {

        @Override
        public SaslConnectionParams run() throws Exception {
            final ClientConfiguration clientConf = ClientConfiguration.loadDefault();
            // The primary is the first component of the principal
            final String primary = "accumulo";
            clientConf.withSasl(true, primary);
            final AccumuloConfiguration rpcConf = ClientContext.convertClientConfig(clientConf);
            assertEquals("true", clientConf.get(ClientProperty.INSTANCE_RPC_SASL_ENABLED));
            return new SaslConnectionParams(rpcConf, delToken1);
        }
    });
    assertNotEquals(params1, params3);
    assertNotEquals(params1.hashCode(), params3.hashCode());
    assertNotEquals(params2, params3);
    assertNotEquals(params2.hashCode(), params3.hashCode());
    final DelegationTokenImpl delToken2 = new DelegationTokenImpl(new byte[0], new AuthenticationTokenIdentifier("user", 1, 10l, 20l, "instanceid"));
    SaslConnectionParams params4 = testUser.doAs(new PrivilegedExceptionAction<SaslConnectionParams>() {

        @Override
        public SaslConnectionParams run() throws Exception {
            final ClientConfiguration clientConf = ClientConfiguration.loadDefault();
            // The primary is the first component of the principal
            final String primary = "accumulo";
            clientConf.withSasl(true, primary);
            final AccumuloConfiguration rpcConf = ClientContext.convertClientConfig(clientConf);
            assertEquals("true", clientConf.get(ClientProperty.INSTANCE_RPC_SASL_ENABLED));
            return new SaslConnectionParams(rpcConf, delToken2);
        }
    });
    assertNotEquals(params1, params4);
    assertNotEquals(params1.hashCode(), params4.hashCode());
    assertNotEquals(params2, params4);
    assertNotEquals(params2.hashCode(), params4.hashCode());
    assertEquals(params3, params4);
    assertEquals(params3.hashCode(), params4.hashCode());
}
Also used : KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken) DelegationTokenImpl(org.apache.accumulo.core.client.impl.DelegationTokenImpl) AuthenticationTokenIdentifier(org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier) ClientConfiguration(org.apache.accumulo.core.client.ClientConfiguration) AccumuloConfiguration(org.apache.accumulo.core.conf.AccumuloConfiguration) Test(org.junit.Test)

Aggregations

DelegationTokenImpl (org.apache.accumulo.core.client.impl.DelegationTokenImpl)14 AuthenticationTokenIdentifier (org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier)11 KerberosToken (org.apache.accumulo.core.client.security.tokens.KerberosToken)8 AccumuloSecurityException (org.apache.accumulo.core.client.AccumuloSecurityException)7 IOException (java.io.IOException)6 AccumuloException (org.apache.accumulo.core.client.AccumuloException)6 Connector (org.apache.accumulo.core.client.Connector)6 TableNotFoundException (org.apache.accumulo.core.client.TableNotFoundException)6 DelegationTokenConfig (org.apache.accumulo.core.client.admin.DelegationTokenConfig)6 AuthenticationToken (org.apache.accumulo.core.client.security.tokens.AuthenticationToken)6 Test (org.junit.Test)6 Instance (org.apache.accumulo.core.client.Instance)4 TableExistsException (org.apache.accumulo.core.client.TableExistsException)4 DelegationToken (org.apache.accumulo.core.client.security.tokens.DelegationToken)4 PasswordToken (org.apache.accumulo.core.client.security.tokens.PasswordToken)4 Token (org.apache.hadoop.security.token.Token)4 ByteArrayInputStream (java.io.ByteArrayInputStream)3 DataInputStream (java.io.DataInputStream)3 UndeclaredThrowableException (java.lang.reflect.UndeclaredThrowableException)2 ClientConfiguration (org.apache.accumulo.core.client.ClientConfiguration)2