Example 1 with DelegationToken
use of org.apache.accumulo.core.client.security.tokens.DelegationToken in project accumulo by apache.
the class AbstractInputFormat method setConnectorInfo.
/**
* Sets the connector information needed to communicate with Accumulo in this job.
*
* <p>
* <b>WARNING:</b> Some tokens, when serialized, divulge sensitive information in the configuration as a means to pass the token to MapReduce tasks. This
* information is BASE64 encoded to provide a charset safe conversion to a string, but this conversion is not intended to be secure. {@link PasswordToken} is
* one example that is insecure in this way; however {@link DelegationToken}s, acquired using
* {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)}, is not subject to this concern.
*
* @param job
* the Hadoop job instance to be configured
* @param principal
* a valid Accumulo user name (user must have Table.CREATE permission)
* @param token
* the user's password
* @since 1.5.0
* @deprecated since 2.0.0; use {@link #setConnectionInfo(Job, ConnectionInfo)} instead.
*/
@Deprecated
public static void setConnectorInfo(Job job, String principal, AuthenticationToken token) throws AccumuloSecurityException {
if (token instanceof KerberosToken) {
log.info("Received KerberosToken, attempting to fetch DelegationToken");
try {
Instance instance = getInstance(job);
Connector conn = instance.getConnector(principal, token);
token = conn.securityOperations().getDelegationToken(new DelegationTokenConfig());
} catch (Exception e) {
log.warn("Failed to automatically obtain DelegationToken, Mappers/Reducers will likely fail to communicate with Accumulo", e);
}
}
// DelegationTokens can be passed securely from user to task without serializing insecurely in the configuration
if (token instanceof DelegationTokenImpl) {
DelegationTokenImpl delegationToken = (DelegationTokenImpl) token;
// Convert it into a Hadoop Token
AuthenticationTokenIdentifier identifier = delegationToken.getIdentifier();
Token<AuthenticationTokenIdentifier> hadoopToken = new Token<>(identifier.getBytes(), delegationToken.getPassword(), identifier.getKind(), delegationToken.getServiceName());
// Add the Hadoop Token to the Job so it gets serialized and passed along.
job.getCredentials().addToken(hadoopToken.getService(), hadoopToken);
}
InputConfigurator.setConnectorInfo(CLASS, job.getConfiguration(), principal, token);
}
Also used :
Connector(org.apache.accumulo.core.client.Connector)
Instance(org.apache.accumulo.core.client.Instance)
DelegationTokenConfig(org.apache.accumulo.core.client.admin.DelegationTokenConfig)
KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken)
DelegationTokenImpl(org.apache.accumulo.core.client.impl.DelegationTokenImpl)
AuthenticationTokenIdentifier(org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier)
AuthenticationToken(org.apache.accumulo.core.client.security.tokens.AuthenticationToken)
KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken)
PasswordToken(org.apache.accumulo.core.client.security.tokens.PasswordToken)
DelegationToken(org.apache.accumulo.core.client.security.tokens.DelegationToken)
Token(org.apache.hadoop.security.token.Token)
TableOfflineException(org.apache.accumulo.core.client.TableOfflineException)
TableNotFoundException(org.apache.accumulo.core.client.TableNotFoundException)
TableDeletedException(org.apache.accumulo.core.client.TableDeletedException)
AccumuloSecurityException(org.apache.accumulo.core.client.AccumuloSecurityException)
IOException(java.io.IOException)
AccumuloException(org.apache.accumulo.core.client.AccumuloException)
Example 2 with DelegationToken
use of org.apache.accumulo.core.client.security.tokens.DelegationToken in project accumulo by apache.
the class AccumuloOutputFormat method setConnectorInfo.
/**
* Sets the connector information needed to communicate with Accumulo in this job.
*
* <p>
* <b>WARNING:</b> Some tokens, when serialized, divulge sensitive information in the configuration as a means to pass the token to MapReduce tasks. This
* information is BASE64 encoded to provide a charset safe conversion to a string, but this conversion is not intended to be secure. {@link PasswordToken} is
* one example that is insecure in this way; however {@link DelegationToken}s, acquired using
* {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)}, is not subject to this concern.
*
* @param job
* the Hadoop job instance to be configured
* @param principal
* a valid Accumulo user name (user must have Table.CREATE permission if {@link #setCreateTables(Job, boolean)} is set to true)
* @param token
* the user's password
* @since 1.5.0
* @deprecated since 2.0.0, replaced by {@link #setConnectionInfo(Job, ConnectionInfo)}
*/
@Deprecated
public static void setConnectorInfo(Job job, String principal, AuthenticationToken token) throws AccumuloSecurityException {
if (token instanceof KerberosToken) {
log.info("Received KerberosToken, attempting to fetch DelegationToken");
try {
Instance instance = getInstance(job);
Connector conn = instance.getConnector(principal, token);
token = conn.securityOperations().getDelegationToken(new DelegationTokenConfig());
} catch (Exception e) {
log.warn("Failed to automatically obtain DelegationToken, Mappers/Reducers will likely fail to communicate with Accumulo", e);
}
}
// DelegationTokens can be passed securely from user to task without serializing insecurely in the configuration
if (token instanceof DelegationTokenImpl) {
DelegationTokenImpl delegationToken = (DelegationTokenImpl) token;
// Convert it into a Hadoop Token
AuthenticationTokenIdentifier identifier = delegationToken.getIdentifier();
Token<AuthenticationTokenIdentifier> hadoopToken = new Token<>(identifier.getBytes(), delegationToken.getPassword(), identifier.getKind(), delegationToken.getServiceName());
// Add the Hadoop Token to the Job so it gets serialized and passed along.
job.getCredentials().addToken(hadoopToken.getService(), hadoopToken);
}
OutputConfigurator.setConnectorInfo(CLASS, job.getConfiguration(), principal, token);
}
Also used :
Connector(org.apache.accumulo.core.client.Connector)
Instance(org.apache.accumulo.core.client.Instance)
ZooKeeperInstance(org.apache.accumulo.core.client.ZooKeeperInstance)
DelegationTokenConfig(org.apache.accumulo.core.client.admin.DelegationTokenConfig)
KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken)
DelegationTokenImpl(org.apache.accumulo.core.client.impl.DelegationTokenImpl)
AuthenticationTokenIdentifier(org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier)
DelegationToken(org.apache.accumulo.core.client.security.tokens.DelegationToken)
AuthenticationToken(org.apache.accumulo.core.client.security.tokens.AuthenticationToken)
Token(org.apache.hadoop.security.token.Token)
KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken)
PasswordToken(org.apache.accumulo.core.client.security.tokens.PasswordToken)
TableExistsException(org.apache.accumulo.core.client.TableExistsException)
TableNotFoundException(org.apache.accumulo.core.client.TableNotFoundException)
AccumuloSecurityException(org.apache.accumulo.core.client.AccumuloSecurityException)
MutationsRejectedException(org.apache.accumulo.core.client.MutationsRejectedException)
IOException(java.io.IOException)
AccumuloException(org.apache.accumulo.core.client.AccumuloException)
Example 3 with DelegationToken
use of org.apache.accumulo.core.client.security.tokens.DelegationToken in project accumulo by apache.
the class AbstractInputFormat method setConnectorInfo.
/**
* Sets the connector information needed to communicate with Accumulo in this job.
*
* <p>
* <b>WARNING:</b> Some tokens, when serialized, divulge sensitive information in the configuration as a means to pass the token to MapReduce tasks. This
* information is BASE64 encoded to provide a charset safe conversion to a string, but this conversion is not intended to be secure. {@link PasswordToken} is
* one example that is insecure in this way; however {@link DelegationToken}s, acquired using
* {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)}, is not subject to this concern.
*
* @param job
* the Hadoop job instance to be configured
* @param principal
* a valid Accumulo user name (user must have Table.CREATE permission)
* @param token
* the user's password
* @since 1.5.0
* @deprecated since 2.0.0, use {@link #setConnectionInfo(JobConf, ConnectionInfo)} instead
*/
@Deprecated
public static void setConnectorInfo(JobConf job, String principal, AuthenticationToken token) throws AccumuloSecurityException {
if (token instanceof KerberosToken) {
log.info("Received KerberosToken, attempting to fetch DelegationToken");
try {
Instance instance = getInstance(job);
Connector conn = instance.getConnector(principal, token);
token = conn.securityOperations().getDelegationToken(new DelegationTokenConfig());
} catch (Exception e) {
log.warn("Failed to automatically obtain DelegationToken, Mappers/Reducers will likely fail to communicate with Accumulo", e);
}
}
// DelegationTokens can be passed securely from user to task without serializing insecurely in the configuration
if (token instanceof DelegationTokenImpl) {
DelegationTokenImpl delegationToken = (DelegationTokenImpl) token;
// Convert it into a Hadoop Token
AuthenticationTokenIdentifier identifier = delegationToken.getIdentifier();
Token<AuthenticationTokenIdentifier> hadoopToken = new Token<>(identifier.getBytes(), delegationToken.getPassword(), identifier.getKind(), delegationToken.getServiceName());
// Add the Hadoop Token to the Job so it gets serialized and passed along.
job.getCredentials().addToken(hadoopToken.getService(), hadoopToken);
}
InputConfigurator.setConnectorInfo(CLASS, job, principal, token);
}
Also used :
Connector(org.apache.accumulo.core.client.Connector)
Instance(org.apache.accumulo.core.client.Instance)
DelegationTokenConfig(org.apache.accumulo.core.client.admin.DelegationTokenConfig)
KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken)
DelegationTokenImpl(org.apache.accumulo.core.client.impl.DelegationTokenImpl)
AuthenticationTokenIdentifier(org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier)
AuthenticationToken(org.apache.accumulo.core.client.security.tokens.AuthenticationToken)
KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken)
PasswordToken(org.apache.accumulo.core.client.security.tokens.PasswordToken)
DelegationToken(org.apache.accumulo.core.client.security.tokens.DelegationToken)
Token(org.apache.hadoop.security.token.Token)
TableOfflineException(org.apache.accumulo.core.client.TableOfflineException)
TableNotFoundException(org.apache.accumulo.core.client.TableNotFoundException)
TableDeletedException(org.apache.accumulo.core.client.TableDeletedException)
AccumuloSecurityException(org.apache.accumulo.core.client.AccumuloSecurityException)
IOException(java.io.IOException)
AccumuloException(org.apache.accumulo.core.client.AccumuloException)
Example 4 with DelegationToken
use of org.apache.accumulo.core.client.security.tokens.DelegationToken in project accumulo by apache.
the class AccumuloOutputFormat method setConnectorInfo.
/**
* Sets the connector information needed to communicate with Accumulo in this job.
*
* <p>
* <b>WARNING:</b> Some tokens, when serialized, divulge sensitive information in the configuration as a means to pass the token to MapReduce tasks. This
* information is BASE64 encoded to provide a charset safe conversion to a string, but this conversion is not intended to be secure. {@link PasswordToken} is
* one example that is insecure in this way; however {@link DelegationToken}s, acquired using
* {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)}, is not subject to this concern.
*
* @param job
* the Hadoop job instance to be configured
* @param principal
* a valid Accumulo user name (user must have Table.CREATE permission if {@link #setCreateTables(JobConf, boolean)} is set to true)
* @param token
* the user's password
* @since 1.5.0
* @deprecated since 2.0.0, use {@link #setConnectionInfo(JobConf, ConnectionInfo)} instead.
*/
@Deprecated
public static void setConnectorInfo(JobConf job, String principal, AuthenticationToken token) throws AccumuloSecurityException {
if (token instanceof KerberosToken) {
log.info("Received KerberosToken, attempting to fetch DelegationToken");
try {
Instance instance = getInstance(job);
Connector conn = instance.getConnector(principal, token);
token = conn.securityOperations().getDelegationToken(new DelegationTokenConfig());
} catch (Exception e) {
log.warn("Failed to automatically obtain DelegationToken, Mappers/Reducers will likely fail to communicate with Accumulo", e);
}
}
// DelegationTokens can be passed securely from user to task without serializing insecurely in the configuration
if (token instanceof DelegationTokenImpl) {
DelegationTokenImpl delegationToken = (DelegationTokenImpl) token;
// Convert it into a Hadoop Token
AuthenticationTokenIdentifier identifier = delegationToken.getIdentifier();
Token<AuthenticationTokenIdentifier> hadoopToken = new Token<>(identifier.getBytes(), delegationToken.getPassword(), identifier.getKind(), delegationToken.getServiceName());
// Add the Hadoop Token to the Job so it gets serialized and passed along.
job.getCredentials().addToken(hadoopToken.getService(), hadoopToken);
}
OutputConfigurator.setConnectorInfo(CLASS, job, principal, token);
}
Also used :
Connector(org.apache.accumulo.core.client.Connector)
Instance(org.apache.accumulo.core.client.Instance)
ZooKeeperInstance(org.apache.accumulo.core.client.ZooKeeperInstance)
DelegationTokenConfig(org.apache.accumulo.core.client.admin.DelegationTokenConfig)
KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken)
DelegationTokenImpl(org.apache.accumulo.core.client.impl.DelegationTokenImpl)
AuthenticationTokenIdentifier(org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier)
DelegationToken(org.apache.accumulo.core.client.security.tokens.DelegationToken)
AuthenticationToken(org.apache.accumulo.core.client.security.tokens.AuthenticationToken)
Token(org.apache.hadoop.security.token.Token)
KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken)
PasswordToken(org.apache.accumulo.core.client.security.tokens.PasswordToken)
TableExistsException(org.apache.accumulo.core.client.TableExistsException)
TableNotFoundException(org.apache.accumulo.core.client.TableNotFoundException)
AccumuloSecurityException(org.apache.accumulo.core.client.AccumuloSecurityException)
MutationsRejectedException(org.apache.accumulo.core.client.MutationsRejectedException)
IOException(java.io.IOException)
AccumuloException(org.apache.accumulo.core.client.AccumuloException)
Aggregations
IOException (java.io.IOException)4
AccumuloException (org.apache.accumulo.core.client.AccumuloException)4
AccumuloSecurityException (org.apache.accumulo.core.client.AccumuloSecurityException)4
Connector (org.apache.accumulo.core.client.Connector)4
Instance (org.apache.accumulo.core.client.Instance)4
TableNotFoundException (org.apache.accumulo.core.client.TableNotFoundException)4
DelegationTokenConfig (org.apache.accumulo.core.client.admin.DelegationTokenConfig)4
AuthenticationTokenIdentifier (org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier)4
DelegationTokenImpl (org.apache.accumulo.core.client.impl.DelegationTokenImpl)4
AuthenticationToken (org.apache.accumulo.core.client.security.tokens.AuthenticationToken)4
DelegationToken (org.apache.accumulo.core.client.security.tokens.DelegationToken)4
KerberosToken (org.apache.accumulo.core.client.security.tokens.KerberosToken)4
PasswordToken (org.apache.accumulo.core.client.security.tokens.PasswordToken)4
Token (org.apache.hadoop.security.token.Token)4
MutationsRejectedException (org.apache.accumulo.core.client.MutationsRejectedException)2
TableDeletedException (org.apache.accumulo.core.client.TableDeletedException)2
TableExistsException (org.apache.accumulo.core.client.TableExistsException)2
TableOfflineException (org.apache.accumulo.core.client.TableOfflineException)2
ZooKeeperInstance (org.apache.accumulo.core.client.ZooKeeperInstance)2
