use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class SaslConnectionParamsTest method testEquality.
/**
 * Exercises {@code equals} and {@code hashCode} of {@link SaslConnectionParams}.
 *
 * <p>
 * Parameters built twice from the same mocked {@link KerberosToken} must be equal, parameters
 * built from two delegation tokens with identical contents must be equal to each other, and a
 * Kerberos-based instance must never equal a delegation-token-based one. Every equality
 * assertion is paired with the matching hash code assertion.
 */
@Test
public void testEquality() throws Exception {
  final KerberosToken kerberosToken = EasyMock.createMock(KerberosToken.class);
  // One action, run twice as the test user, yields two independently built instances.
  final PrivilegedExceptionAction<SaslConnectionParams> buildFromKerberos =
      () -> createSaslParams(kerberosToken);
  final SaslConnectionParams kerberosFirst = testUser.doAs(buildFromKerberos);
  final SaslConnectionParams kerberosSecond = testUser.doAs(buildFromKerberos);
  assertEquals(kerberosFirst, kerberosSecond);
  assertEquals(kerberosFirst.hashCode(), kerberosSecond.hashCode());

  final SaslConnectionParams[] kerberosBased = {kerberosFirst, kerberosSecond};

  // A delegation token must not be mistaken for the Kerberos identity it was derived from.
  final DelegationTokenImpl firstDelegationToken = new DelegationTokenImpl(new byte[0],
      new AuthenticationTokenIdentifier(createTAuthIdentifier("user", 1, 10L, 20L, "instanceid")));
  final PrivilegedExceptionAction<SaslConnectionParams> buildFromFirstDelegation =
      () -> createSaslParams(firstDelegationToken);
  final SaslConnectionParams delegationFirst = testUser.doAs(buildFromFirstDelegation);
  for (SaslConnectionParams kerberosParams : kerberosBased) {
    assertNotEquals(kerberosParams, delegationFirst);
    assertNotEquals(kerberosParams.hashCode(), delegationFirst.hashCode());
  }

  // A second delegation token with the same contents as the first.
  final DelegationTokenImpl secondDelegationToken = new DelegationTokenImpl(new byte[0],
      new AuthenticationTokenIdentifier(createTAuthIdentifier("user", 1, 10L, 20L, "instanceid")));
  final PrivilegedExceptionAction<SaslConnectionParams> buildFromSecondDelegation =
      () -> createSaslParams(secondDelegationToken);
  final SaslConnectionParams delegationSecond = testUser.doAs(buildFromSecondDelegation);
  for (SaslConnectionParams kerberosParams : kerberosBased) {
    assertNotEquals(kerberosParams, delegationSecond);
    assertNotEquals(kerberosParams.hashCode(), delegationSecond.hashCode());
  }

  // Equality is by content: the two separately constructed delegation tokens match.
  assertEquals(delegationFirst, delegationSecond);
  assertEquals(delegationFirst.hashCode(), delegationSecond.hashCode());
}
use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class MapReduceClientOpts method getClientProps.
/**
 * Returns the client properties, swapping a configured {@link KerberosToken} for a delegation
 * token.
 *
 * <p>
 * Kerberos credentials do not reach the Mappers and Reducers, so when the configured
 * authentication token is a {@link KerberosToken} this method connects as the current Kerberos
 * user, verifies that user holds {@link SystemPermission#OBTAIN_DELEGATION_TOKEN}, requests a
 * delegation token and writes that token and the principal back into the properties. Any other
 * token type leaves the properties as the superclass returned them.
 *
 * <p>
 * The returned properties then contain the delegation token itself; callers that store or print
 * them should handle them as credential material.
 *
 * @return the client properties, holding a delegation token when a Kerberos token was configured
 * @throws IllegalStateException
 *           if the current user has no Kerberos credentials or lacks the permission to obtain a
 *           delegation token
 * @throws RuntimeException
 *           wrapping the IOException, AccumuloException or AccumuloSecurityException raised
 *           while acquiring the delegation token
 */
@Override
public Properties getClientProps() {
  final Properties props = super.getClientProps();
  final AuthenticationToken configuredToken = ClientProperty.getAuthenticationToken(props);
  if (!(configuredToken instanceof KerberosToken)) {
    // Only Kerberos needs the exchange; every other token type is returned untouched.
    return props;
  }

  log.info("Received KerberosToken, fetching DelegationToken for MapReduce");
  final KerberosToken krbToken = (KerberosToken) configuredToken;
  try {
    final UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
    if (!currentUser.hasKerberosCredentials()) {
      // Not one of the caught types, so this propagates to the caller as-is.
      throw new IllegalStateException("Expected current user to have Kerberos credentials");
    }
    final String newPrincipal = currentUser.getUserName();
    log.info("Obtaining delegation token for {}", newPrincipal);
    try (AccumuloClient client =
        Accumulo.newClient().from(props).as(newPrincipal, krbToken).build()) {
      // Explicit permission check so the user gets a descriptive error before the request.
      final boolean mayObtainToken = client.securityOperations()
          .hasSystemPermission(client.whoami(), SystemPermission.OBTAIN_DELEGATION_TOKEN);
      if (!mayObtainToken) {
        log.error(
            "{} doesn't have the {} SystemPermission necessary to obtain a delegation"
                + " token. MapReduce tasks cannot automatically use the client's"
                + " credentials on remote servers. Delegation tokens provide a means to run"
                + " MapReduce without distributing the user's credentials.",
            currentUser.getUserName(), SystemPermission.OBTAIN_DELEGATION_TOKEN.name());
        throw new IllegalStateException(
            client.whoami() + " does not have permission to obtain a delegation token");
      }
      // Ask Accumulo for the delegation token and record it, with the principal, in the props.
      final AuthenticationToken delegationToken =
          client.securityOperations().getDelegationToken(new DelegationTokenConfig());
      props.setProperty(ClientProperty.AUTH_PRINCIPAL.getKey(), newPrincipal);
      ClientProperty.setAuthenticationToken(props, delegationToken);
    }
  } catch (IOException | AccumuloException | AccumuloSecurityException e) {
    final String msg = "Failed to acquire DelegationToken for use with MapReduce";
    log.error(msg, e);
    // Fail the job setup: without a delegation token the tasks have no usable credentials.
    throw new RuntimeException(msg, e);
  }
  return props;
}
use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class AbstractInputFormat method setConnectorInfo.
/**
 * Sets the connector information needed to communicate with Accumulo in this job.
 *
 * <p>
 * When {@code token} is a {@link KerberosToken}, a delegation token is requested first and used
 * in its place. If that request fails for any reason, the failure is only logged at WARN level
 * and the original token is passed on unchanged. A delegation token is additionally added to the
 * job's Hadoop credentials.
 *
 * <p>
 * <b>WARNING:</b> Some tokens, when serialized, divulge sensitive information in the
 * configuration as a means to pass the token to MapReduce tasks. This information is BASE64
 * encoded to provide a charset safe conversion to a string, but this conversion is not intended
 * to be secure. {@link PasswordToken} is one example that is insecure in this way; however
 * {@link DelegationToken}s, acquired using
 * {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)}, are not subject to this
 * concern.
 *
 * @param job
 *          the Hadoop job instance to be configured
 * @param principal
 *          a valid Accumulo user name (user must have Table.CREATE permission)
 * @param token
 *          the authentication token for {@code principal}, for example the user's password as
 *          a {@link PasswordToken}
 * @throws AccumuloSecurityException
 *           declared by the signature; failures while fetching the delegation token are caught
 *           and logged rather than thrown
 * @since 1.5.0
 */
public static void setConnectorInfo(JobConf job, String principal, AuthenticationToken token)
    throws AccumuloSecurityException {
  AuthenticationToken effectiveToken = token;

  if (effectiveToken instanceof KerberosToken) {
    log.info("Received KerberosToken, attempting to fetch DelegationToken");
    try {
      effectiveToken = InputConfigurator.client(CLASS, job).securityOperations()
          .getDelegationToken(new DelegationTokenConfig());
    } catch (Exception e) {
      // Best effort: keep the Kerberos token and let the job proceed.
      // NOTE(review): the broad catch also hides permission and configuration errors until
      // task time; confirm a warning is the intended outcome here.
      log.warn("Failed to automatically obtain DelegationToken, Mappers/Reducers will likely"
          + " fail to communicate with Accumulo", e);
    }
  }

  if (effectiveToken instanceof DelegationTokenImpl) {
    final DelegationTokenImpl delegationToken = (DelegationTokenImpl) effectiveToken;
    // Wrap it as a Hadoop Token; this carries the identifier bytes and the token's password.
    final AuthenticationTokenIdentifier identifier = delegationToken.getIdentifier();
    final Token<AuthenticationTokenIdentifier> hadoopToken =
        new Token<>(identifier.getBytes(), delegationToken.getPassword(), identifier.getKind(),
            delegationToken.getServiceName());
    // Register the Hadoop Token with the job so it gets serialized and passed along.
    job.getCredentials().addToken(hadoopToken.getService(), hadoopToken);
  }

  InputConfigurator.setConnectorInfo(CLASS, job, principal, effectiveToken);
}
use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class AccumuloOutputFormat method setConnectorInfo.
/**
 * Sets the connector information needed to communicate with Accumulo in this job.
 *
 * <p>
 * A {@link KerberosToken} is exchanged for a delegation token before anything is stored. The
 * exchange is best effort: any exception is logged at WARN level and the token supplied by the
 * caller is then used as given. When the resulting token is a delegation token it is also added
 * to the job's Hadoop credentials.
 *
 * <p>
 * <b>WARNING:</b> Some tokens, when serialized, divulge sensitive information in the
 * configuration as a means to pass the token to MapReduce tasks. This information is BASE64
 * encoded to provide a charset safe conversion to a string, but this conversion is not intended
 * to be secure. {@link PasswordToken} is one example that is insecure in this way; however
 * {@link DelegationToken}s, acquired using
 * {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)}, are not subject to this
 * concern.
 *
 * @param job
 *          the Hadoop job instance to be configured
 * @param principal
 *          a valid Accumulo user name (user must have Table.CREATE permission if
 *          {@link #setCreateTables(JobConf, boolean)} is set to true)
 * @param token
 *          the authentication token for {@code principal}, for example the user's password as
 *          a {@link PasswordToken}
 * @throws AccumuloSecurityException
 *           declared by the signature; failures while fetching the delegation token are caught
 *           and logged rather than thrown
 * @since 1.5.0
 */
public static void setConnectorInfo(JobConf job, String principal, AuthenticationToken token)
    throws AccumuloSecurityException {
  AuthenticationToken tokenToStore = token;

  final boolean needsDelegation = tokenToStore instanceof KerberosToken;
  if (needsDelegation) {
    log.info("Received KerberosToken, attempting to fetch DelegationToken");
    try {
      tokenToStore = OutputConfigurator.client(CLASS, job).securityOperations()
          .getDelegationToken(new DelegationTokenConfig());
    } catch (Exception e) {
      // Deliberately non-fatal: the Kerberos token stays in place.
      // NOTE(review): every exception type ends up here, including authorization failures;
      // confirm that deferring the error to task time is acceptable.
      log.warn("Failed to automatically obtain DelegationToken, "
          + "Mappers/Reducers will likely fail to communicate with Accumulo", e);
    }
  }

  if (tokenToStore instanceof DelegationTokenImpl) {
    final DelegationTokenImpl delegationToken = (DelegationTokenImpl) tokenToStore;
    final AuthenticationTokenIdentifier tokenId = delegationToken.getIdentifier();
    // Hadoop representation of the delegation token, including its password bytes.
    final Token<AuthenticationTokenIdentifier> hadoopToken = new Token<>(tokenId.getBytes(),
        delegationToken.getPassword(), tokenId.getKind(), delegationToken.getServiceName());
    // Attach it to the job's credentials so it gets serialized and passed along.
    job.getCredentials().addToken(hadoopToken.getService(), hadoopToken);
  }

  OutputConfigurator.setConnectorInfo(CLASS, job, principal, tokenToStore);
}
use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class AccumuloOutputFormat method setConnectorInfo.
/**
 * Sets the connector information needed to communicate with Accumulo in this job.
 *
 * <p>
 * If the caller supplies a {@link KerberosToken}, a delegation token is requested and used
 * instead. A failed request does not abort the call: it is logged at WARN level and the supplied
 * token is kept. A delegation token is also registered in the job's Hadoop credentials.
 *
 * <p>
 * <b>WARNING:</b> Some tokens, when serialized, divulge sensitive information in the
 * configuration as a means to pass the token to MapReduce tasks. This information is BASE64
 * encoded to provide a charset safe conversion to a string, but this conversion is not intended
 * to be secure. {@link PasswordToken} is one example that is insecure in this way; however
 * {@link DelegationToken}s, acquired using
 * {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)}, are not subject to this
 * concern.
 *
 * @param job
 *          the Hadoop job instance to be configured
 * @param principal
 *          a valid Accumulo user name (user must have Table.CREATE permission if
 *          {@link #setCreateTables(Job, boolean)} is set to true)
 * @param token
 *          the authentication token for {@code principal}, for example the user's password as
 *          a {@link PasswordToken}
 * @throws AccumuloSecurityException
 *           declared by the signature; failures while fetching the delegation token are caught
 *           and logged rather than thrown
 * @since 1.5.0
 */
public static void setConnectorInfo(Job job, String principal, AuthenticationToken token)
    throws AccumuloSecurityException {
  AuthenticationToken resolvedToken = token;

  if (resolvedToken instanceof KerberosToken) {
    log.info("Received KerberosToken, attempting to fetch DelegationToken");
    try {
      resolvedToken = OutputConfigurator.client(CLASS, job.getConfiguration())
          .securityOperations().getDelegationToken(new DelegationTokenConfig());
    } catch (Exception e) {
      // Non-fatal by design: continue with the Kerberos token.
      // NOTE(review): the catch-all means a denied or misconfigured request only shows up as a
      // warning here; confirm that is the intended behaviour.
      log.warn("Failed to automatically obtain DelegationToken, "
          + "Mappers/Reducers will likely fail to communicate with Accumulo", e);
    }
  }

  if (resolvedToken instanceof DelegationTokenImpl) {
    final DelegationTokenImpl delegationToken = (DelegationTokenImpl) resolvedToken;
    final AuthenticationTokenIdentifier tokenIdentifier = delegationToken.getIdentifier();
    // Build the Hadoop Token from the identifier bytes, password, kind and service name.
    final Token<AuthenticationTokenIdentifier> hadoopToken =
        new Token<>(tokenIdentifier.getBytes(), delegationToken.getPassword(),
            tokenIdentifier.getKind(), delegationToken.getServiceName());
    // Put it in the job's credentials so it gets serialized and passed along.
    job.getCredentials().addToken(hadoopToken.getService(), hadoopToken);
  }

  OutputConfigurator.setConnectorInfo(CLASS, job.getConfiguration(), principal, resolvedToken);
}