use of org.apache.accumulo.core.client.impl.DelegationTokenImpl in project accumulo by apache.
the class AccumuloOutputFormat method setConnectorInfo.
/**
* Sets the connector information needed to communicate with Accumulo in this job.
*
* <p>
* <b>WARNING:</b> Some tokens, when serialized, divulge sensitive information in the configuration as a means to pass the token to MapReduce tasks. This
* information is BASE64 encoded to provide a charset safe conversion to a string, but this conversion is not intended to be secure. {@link PasswordToken} is
* one example that is insecure in this way; however {@link DelegationToken}s, acquired using
* {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)}, is not subject to this concern.
*
* @param job
* the Hadoop job instance to be configured
* @param principal
* a valid Accumulo user name (user must have Table.CREATE permission if {@link #setCreateTables(JobConf, boolean)} is set to true)
* @param token
* the user's password
* @since 1.5.0
* @deprecated since 2.0.0, use {@link #setConnectionInfo(JobConf, ConnectionInfo)} instead.
*/
@Deprecated
public static void setConnectorInfo(JobConf job, String principal, AuthenticationToken token) throws AccumuloSecurityException {
if (token instanceof KerberosToken) {
log.info("Received KerberosToken, attempting to fetch DelegationToken");
try {
Instance instance = getInstance(job);
Connector conn = instance.getConnector(principal, token);
token = conn.securityOperations().getDelegationToken(new DelegationTokenConfig());
} catch (Exception e) {
log.warn("Failed to automatically obtain DelegationToken, Mappers/Reducers will likely fail to communicate with Accumulo", e);
}
}
// DelegationTokens can be passed securely from user to task without serializing insecurely in the configuration
if (token instanceof DelegationTokenImpl) {
DelegationTokenImpl delegationToken = (DelegationTokenImpl) token;
// Convert it into a Hadoop Token
AuthenticationTokenIdentifier identifier = delegationToken.getIdentifier();
Token<AuthenticationTokenIdentifier> hadoopToken = new Token<>(identifier.getBytes(), delegationToken.getPassword(), identifier.getKind(), delegationToken.getServiceName());
// Add the Hadoop Token to the Job so it gets serialized and passed along.
job.getCredentials().addToken(hadoopToken.getService(), hadoopToken);
}
OutputConfigurator.setConnectorInfo(CLASS, job, principal, token);
}
use of org.apache.accumulo.core.client.impl.DelegationTokenImpl in project accumulo by apache.
the class DelegationTokenImplTest method testSerialization.
@Test
public void testSerialization() throws IOException {
AuthenticationTokenIdentifier identifier = new AuthenticationTokenIdentifier("user", 1, 1000l, 2000l, "instanceid");
// We don't need a real serialized Token for the password
DelegationTokenImpl token = new DelegationTokenImpl(new byte[] { 'f', 'a', 'k', 'e' }, identifier);
assertEquals(token, token);
assertEquals(token.hashCode(), token.hashCode());
ByteArrayOutputStream baos = new ByteArrayOutputStream();
token.write(new DataOutputStream(baos));
DelegationTokenImpl copy = new DelegationTokenImpl();
copy.readFields(new DataInputStream(new ByteArrayInputStream(baos.toByteArray())));
assertEquals(token, copy);
assertEquals(token.hashCode(), copy.hashCode());
}
use of org.apache.accumulo.core.client.impl.DelegationTokenImpl in project accumulo by apache.
the class SaslConnectionParamsTest method testDelegationTokenImpl.
@Test
public void testDelegationTokenImpl() throws Exception {
final DelegationTokenImpl token = new DelegationTokenImpl(new byte[0], new AuthenticationTokenIdentifier("user", 1, 10l, 20l, "instanceid"));
testUser.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
final ClientConfiguration clientConf = ClientConfiguration.loadDefault();
// The primary is the first component of the principal
final String primary = "accumulo";
clientConf.withSasl(true, primary);
final AccumuloConfiguration rpcConf = ClientContext.convertClientConfig(clientConf);
assertEquals("true", clientConf.get(ClientProperty.INSTANCE_RPC_SASL_ENABLED));
final SaslConnectionParams saslParams = new SaslConnectionParams(rpcConf, token);
assertEquals(primary, saslParams.getKerberosServerPrimary());
final QualityOfProtection defaultQop = QualityOfProtection.get(Property.RPC_SASL_QOP.getDefaultValue());
assertEquals(defaultQop, saslParams.getQualityOfProtection());
assertEquals(SaslMechanism.DIGEST_MD5, saslParams.getMechanism());
assertNotNull(saslParams.getCallbackHandler());
assertEquals(SaslClientDigestCallbackHandler.class, saslParams.getCallbackHandler().getClass());
Map<String, String> properties = saslParams.getSaslProperties();
assertEquals(1, properties.size());
assertEquals(defaultQop.getQuality(), properties.get(Sasl.QOP));
assertEquals(username, saslParams.getPrincipal());
return null;
}
});
}
use of org.apache.accumulo.core.client.impl.DelegationTokenImpl in project accumulo by apache.
the class SaslConnectionParamsTest method testEquality.
@Test
public void testEquality() throws Exception {
final KerberosToken token = EasyMock.createMock(KerberosToken.class);
SaslConnectionParams params1 = testUser.doAs(new PrivilegedExceptionAction<SaslConnectionParams>() {
@Override
public SaslConnectionParams run() throws Exception {
final ClientConfiguration clientConf = ClientConfiguration.loadDefault();
// The primary is the first component of the principal
final String primary = "accumulo";
clientConf.withSasl(true, primary);
final AccumuloConfiguration rpcConf = ClientContext.convertClientConfig(clientConf);
assertEquals("true", clientConf.get(ClientProperty.INSTANCE_RPC_SASL_ENABLED));
return new SaslConnectionParams(rpcConf, token);
}
});
SaslConnectionParams params2 = testUser.doAs(new PrivilegedExceptionAction<SaslConnectionParams>() {
@Override
public SaslConnectionParams run() throws Exception {
final ClientConfiguration clientConf = ClientConfiguration.loadDefault();
// The primary is the first component of the principal
final String primary = "accumulo";
clientConf.withSasl(true, primary);
final AccumuloConfiguration rpcConf = ClientContext.convertClientConfig(clientConf);
assertEquals("true", clientConf.get(ClientProperty.INSTANCE_RPC_SASL_ENABLED));
return new SaslConnectionParams(rpcConf, token);
}
});
assertEquals(params1, params2);
assertEquals(params1.hashCode(), params2.hashCode());
final DelegationTokenImpl delToken1 = new DelegationTokenImpl(new byte[0], new AuthenticationTokenIdentifier("user", 1, 10l, 20l, "instanceid"));
SaslConnectionParams params3 = testUser.doAs(new PrivilegedExceptionAction<SaslConnectionParams>() {
@Override
public SaslConnectionParams run() throws Exception {
final ClientConfiguration clientConf = ClientConfiguration.loadDefault();
// The primary is the first component of the principal
final String primary = "accumulo";
clientConf.withSasl(true, primary);
final AccumuloConfiguration rpcConf = ClientContext.convertClientConfig(clientConf);
assertEquals("true", clientConf.get(ClientProperty.INSTANCE_RPC_SASL_ENABLED));
return new SaslConnectionParams(rpcConf, delToken1);
}
});
assertNotEquals(params1, params3);
assertNotEquals(params1.hashCode(), params3.hashCode());
assertNotEquals(params2, params3);
assertNotEquals(params2.hashCode(), params3.hashCode());
final DelegationTokenImpl delToken2 = new DelegationTokenImpl(new byte[0], new AuthenticationTokenIdentifier("user", 1, 10l, 20l, "instanceid"));
SaslConnectionParams params4 = testUser.doAs(new PrivilegedExceptionAction<SaslConnectionParams>() {
@Override
public SaslConnectionParams run() throws Exception {
final ClientConfiguration clientConf = ClientConfiguration.loadDefault();
// The primary is the first component of the principal
final String primary = "accumulo";
clientConf.withSasl(true, primary);
final AccumuloConfiguration rpcConf = ClientContext.convertClientConfig(clientConf);
assertEquals("true", clientConf.get(ClientProperty.INSTANCE_RPC_SASL_ENABLED));
return new SaslConnectionParams(rpcConf, delToken2);
}
});
assertNotEquals(params1, params4);
assertNotEquals(params1.hashCode(), params4.hashCode());
assertNotEquals(params2, params4);
assertNotEquals(params2.hashCode(), params4.hashCode());
assertEquals(params3, params4);
assertEquals(params3.hashCode(), params4.hashCode());
}
Aggregations