use of org.apache.accumulo.core.client.security.tokens.PasswordToken in project accumulo by apache.
From class AbstractInputFormat, method setConnectorInfo:
/**
 * Stores the credentials this job will use to talk to Accumulo.
 *
 * <p>
 * <b>WARNING:</b> The token is written into the job configuration so that MapReduce tasks can read it back. That
 * conversion is only BASE64 (charset-safe, not confidential), so a {@link PasswordToken} exposes the password to
 * anyone who can read the configuration. A {@link DelegationToken}, acquired through
 * {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)}, does not have this problem: it is added to
 * the job's credentials, which reach the tasks without being serialized into the configuration.
 *
 * <p>
 * A {@link KerberosToken} is exchanged for such a delegation token here. If the exchange fails for any reason, only
 * a warning is logged and the job is configured with the original Kerberos token; the tasks will then most likely be
 * unable to authenticate, as the log message says.
 *
 * @param job
 *          the Hadoop job instance to be configured
 * @param principal
 *          a valid Accumulo user name (user must have Table.CREATE permission)
 * @param token
 *          the credential for {@code principal}: a password, Kerberos or delegation token
 * @since 1.5.0
 * @deprecated since 2.0.0; use {@link #setConnectionInfo(Job, ConnectionInfo)} instead.
 */
@Deprecated
public static void setConnectorInfo(Job job, String principal, AuthenticationToken token) throws AccumuloSecurityException {
  AuthenticationToken effectiveToken = token;
  if (effectiveToken instanceof KerberosToken) {
    effectiveToken = exchangeForDelegationToken(job, principal, effectiveToken);
  }
  if (effectiveToken instanceof DelegationTokenImpl) {
    addToJobCredentials(job, (DelegationTokenImpl) effectiveToken);
  }
  InputConfigurator.setConnectorInfo(CLASS, job.getConfiguration(), principal, effectiveToken);
}

/**
 * Best-effort exchange of a Kerberos login for a delegation token.
 *
 * @return the delegation token, or {@code kerberosToken} unchanged when the exchange fails (the failure is logged,
 *         never thrown)
 */
private static AuthenticationToken exchangeForDelegationToken(Job job, String principal, AuthenticationToken kerberosToken) {
  log.info("Received KerberosToken, attempting to fetch DelegationToken");
  try {
    Connector connector = getInstance(job).getConnector(principal, kerberosToken);
    return connector.securityOperations().getDelegationToken(new DelegationTokenConfig());
  } catch (Exception e) {
    log.warn("Failed to automatically obtain DelegationToken, Mappers/Reducers will likely fail to communicate with Accumulo", e);
    return kerberosToken;
  }
}

/**
 * Wraps the Accumulo delegation token as a Hadoop {@code Token} and registers it with the job's credentials, which
 * is how it travels to the tasks.
 */
private static void addToJobCredentials(Job job, DelegationTokenImpl delegationToken) {
  AuthenticationTokenIdentifier identifier = delegationToken.getIdentifier();
  Token<AuthenticationTokenIdentifier> credentialsToken = new Token<>(identifier.getBytes(), delegationToken.getPassword(), identifier.getKind(), delegationToken.getServiceName());
  job.getCredentials().addToken(credentialsToken.getService(), credentialsToken);
}
use of org.apache.accumulo.core.client.security.tokens.PasswordToken in project accumulo by apache.
From class TraceServer, method ensureTraceTableExists:
/**
 * Connects as the trace user and makes sure the trace table exists, carries its age-off iterator and uses the
 * trace formatter.
 *
 * <p>
 * Accumulo, table and IO errors — and any {@link RuntimeException} — are logged at INFO and retried every second,
 * without limit; the method returns only once the table has been checked or created. Everything declared below is
 * therefore a "stop the service" condition: a token class that cannot be loaded or instantiated, or a trace user
 * that lacks the needed permissions. Note that a {@link RuntimeException} thrown while building the token (for
 * example from {@code init(Properties)} on a malformed login property) is swallowed by the retry loop rather than
 * failing fast.
 *
 * <p>
 * Credentials come from the configuration. With no {@code TRACE_TOKEN_PROPERTY_PREFIX} properties and the default
 * {@code TRACE_TOKEN_TYPE}, the legacy {@code TRACE_PASSWORD} is used as a {@link PasswordToken}; otherwise the
 * configured token class is loaded through the VFS class loader and initialised from the prefixed properties with
 * the prefix stripped. When SASL is enabled the {@code _HOST} placeholder in the principal is resolved first.
 *
 * @return a working Connection that can be reused
 * @throws ClassNotFoundException
 *           if TRACE_TOKEN_TYPE is set to a class that we can't load.
 * @throws InstantiationException
 *           if we fail to create an instance of TRACE_TOKEN_TYPE.
 * @throws IllegalAccessException
 *           if the class pointed to by TRACE_TOKEN_TYPE is private.
 * @throws AccumuloSecurityException
 *           if the trace user has the wrong permissions
 */
private Connector ensureTraceTableExists(final AccumuloConfiguration conf) throws AccumuloSecurityException, ClassNotFoundException, InstantiationException, IllegalAccessException {
  while (true) {
    try {
      final boolean defaultTokenType = conf.get(Property.TRACE_TOKEN_TYPE).equals(Property.TRACE_TOKEN_TYPE.getDefaultValue());
      final String principal = resolveTracePrincipal(conf);
      final AuthenticationToken token = buildTraceToken(conf, defaultTokenType);
      Connector connector = instance.getConnector(principal, token);
      if (!connector.tableOperations().exists(tableName)) {
        connector.tableOperations().create(tableName);
        IteratorSetting ageOff = new IteratorSetting(10, "ageoff", AgeOffFilter.class.getName());
        AgeOffFilter.setTTL(ageOff, 7 * 24 * 60 * 60 * 1000l);
        connector.tableOperations().attachIterator(tableName, ageOff);
      }
      connector.tableOperations().setProperty(tableName, Property.TABLE_FORMATTER_CLASS.getKey(), TraceFormatter.class.getName());
      return connector;
    } catch (AccumuloException | TableExistsException | TableNotFoundException | IOException | RuntimeException ex) {
      log.info("Waiting to checking/create the trace table.", ex);
      sleepUninterruptibly(1, TimeUnit.SECONDS);
    }
  }
}

/** The configured trace user, with {@code _HOST} substituted when SASL (Kerberos) is enabled. */
private static String resolveTracePrincipal(final AccumuloConfiguration conf) {
  String principal = conf.get(Property.TRACE_USER);
  if (conf.getBoolean(Property.INSTANCE_RPC_SASL_ENABLED)) {
    // Make sure that we replace _HOST if it exists in the principal
    principal = SecurityUtil.getServerPrincipal(principal);
  }
  return principal;
}

/**
 * Builds the trace user's token: the legacy plain password when no token properties are configured and the token
 * type is the default, otherwise the configured token class initialised from the prefixed properties.
 */
private static AuthenticationToken buildTraceToken(final AccumuloConfiguration conf, final boolean defaultTokenType)
    throws ClassNotFoundException, InstantiationException, IllegalAccessException {
  Map<String,String> loginProps = conf.getAllPropertiesWithPrefix(Property.TRACE_TOKEN_PROPERTY_PREFIX);
  if (loginProps.isEmpty() && defaultTokenType) {
    // Assume the old type of user/password specification
    return new PasswordToken(conf.get(Property.TRACE_PASSWORD).getBytes(UTF_8));
  }
  AuthenticationToken token = AccumuloVFSClassLoader.getClassLoader().loadClass(conf.get(Property.TRACE_TOKEN_TYPE)).asSubclass(AuthenticationToken.class).newInstance();
  Properties tokenProps = new Properties();
  final int prefixLength = Property.TRACE_TOKEN_PROPERTY_PREFIX.getKey().length();
  for (Entry<String,String> entry : loginProps.entrySet()) {
    // Hand the token only the part of the key after the prefix
    tokenProps.put(entry.getKey().substring(prefixLength), entry.getValue());
  }
  token.init(tokenProps);
  return token;
}
use of org.apache.accumulo.core.client.security.tokens.PasswordToken in project accumulo by apache.
From class ZKAuthenticator, method createUser:
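/**
 * Creates a new local user in ZooKeeper.
 *
 * <p>
 * Only a {@link PasswordToken} is accepted; any other token type is rejected with
 * {@link SecurityErrorCode#INVALID_TOKEN} before anything is written. The password bytes are passed through
 * {@code ZKSecurityTool.createPass} (presumably a salted hash — not visible here, confirm in ZKSecurityTool) and
 * only that result is handed to {@code constructUser}.
 *
 * @param principal
 *          the user name to create
 * @param token
 *          the user's initial credential; must be a {@link PasswordToken}
 * @throws AccumuloSecurityException
 *           {@code INVALID_TOKEN} for a non-password token, {@code USER_EXISTS} if the ZooKeeper node already
 *           exists, {@code CONNECTION_ERROR} for any other ZooKeeper failure, and {@code DEFAULT_SECURITY_ERROR}
 *           when user construction fails with an {@link AccumuloException}
 * @throws RuntimeException
 *           if the thread is interrupted while talking to ZooKeeper; the interrupt flag is restored first
 */
@Override
public void createUser(String principal, AuthenticationToken token) throws AccumuloSecurityException {
  try {
    if (!(token instanceof PasswordToken))
      throw new AccumuloSecurityException(principal, SecurityErrorCode.INVALID_TOKEN);
    PasswordToken pt = (PasswordToken) token;
    constructUser(principal, ZKSecurityTool.createPass(pt.getPassword()));
  } catch (KeeperException e) {
    if (e.code().equals(KeeperException.Code.NODEEXISTS))
      throw new AccumuloSecurityException(principal, SecurityErrorCode.USER_EXISTS, e);
    throw new AccumuloSecurityException(principal, SecurityErrorCode.CONNECTION_ERROR, e);
  } catch (InterruptedException e) {
    // Catching InterruptedException clears the flag; restore it so callers up the stack still see the interrupt.
    Thread.currentThread().interrupt();
    log.error("{}", e.getMessage(), e);
    throw new RuntimeException(e);
  } catch (AccumuloException e) {
    log.error("{}", e.getMessage(), e);
    throw new AccumuloSecurityException(principal, SecurityErrorCode.DEFAULT_SECURITY_ERROR, e);
  }
}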
use of org.apache.accumulo.core.client.security.tokens.PasswordToken in project accumulo by apache.
From class ShellServerIT, method whoami:
/**
 * Shell round-trip for {@code whoami}: the current principal is reported, a user is created and given
 * authorizations, and — for password logins only — the shell switches to that user and back to root.
 *
 * <p>
 * With Kerberos the shell neither prompts for a password nor supports switching users, so the scripted password
 * inputs and the {@code user} commands are only exercised when the test's token is a {@link PasswordToken}.
 */
@Test
public void whoami() throws Exception {
  final boolean passwordLogin = getToken() instanceof PasswordToken;
  assertTrue(ts.exec("whoami", true).contains(getPrincipal()));
  if (passwordLogin) {
    // createuser reads two lines from stdin here, presumably the password and its confirmation
    ts.input.set("secret\nsecret\n");
  }
  ts.exec("createuser test_user");
  ts.exec("setauths -u test_user -s 12,3,4");
  String grantedAuths = ts.exec("getauths -u test_user");
  assertTrue(grantedAuths.contains("12"));
  assertTrue(grantedAuths.contains("3"));
  assertTrue(grantedAuths.contains("4"));
  if (!passwordLogin) {
    // No support to switch users within the shell with Kerberos
    return;
  }
  ts.input.set("secret\n");
  ts.exec("user test_user", true);
  assertTrue(ts.exec("whoami", true).contains("test_user"));
  ts.input.set(getRootPassword() + "\n");
  ts.exec("user root", true);
}
use of org.apache.accumulo.core.client.security.tokens.PasswordToken in project accumulo by apache.
From class ConditionalWriterIT, method testFields:
/**
 * Checks every field of a {@link Condition}: family, qualifier, visibility, timestamp and value must all match the
 * stored cell before a conditional mutation is accepted.
 *
 * <p>
 * Runs as a freshly created, low-privilege user (authorizations A and B plus {@code CREATE_TABLE} only) rather than
 * the cluster's root connector. The user is created with a {@link PasswordToken} unless SASL is enabled, in which
 * case the token is irrelevant and {@code null} is passed. After a first mutation seeds row {@code 99006}, five
 * mutations that each get exactly one condition field wrong must be {@code REJECTED} and leave the row untouched;
 * a final mutation with every field correct must be {@code ACCEPTED}.
 */
@Test
public void testFields() throws Exception {
  Connector conn = getConnector();
  String tableName = getUniqueNames(1)[0];
  ClientConfiguration clientConf = cluster.getClientConfig();
  ClusterUser user1 = getUser(0);
  String user = user1.getPrincipal();
  if (clientConf.hasSasl()) {
    // The token is pointless for kerberos
    conn.securityOperations().createLocalUser(user, null);
  } else {
    conn.securityOperations().createLocalUser(user, new PasswordToken(user1.getPassword()));
  }
  Authorizations auths = new Authorizations("A", "B");
  conn.securityOperations().changeUserAuthorizations(user, auths);
  conn.securityOperations().grantSystemPermission(user, SystemPermission.CREATE_TABLE);
  // From here on everything runs as the new user, not as the privileged connector
  conn = conn.getInstance().getConnector(user, user1.getToken());
  conn.tableOperations().create(tableName);
  try (ConditionalWriter cw = conn.createConditionalWriter(tableName, new ConditionalWriterConfig().setAuthorizations(auths));
      Scanner scanner = conn.createScanner(tableName, auths)) {
    ColumnVisibility cva = new ColumnVisibility("A");
    ColumnVisibility cvb = new ColumnVisibility("B");

    // Seed the row; the condition has no value, so it passes only while tx:seq is absent
    ConditionalMutation seed = new ConditionalMutation("99006", new Condition("tx", "seq").setVisibility(cva));
    seed.put("name", "last", cva, "doe");
    seed.put("name", "first", cva, "john");
    seed.put("tx", "seq", cva, "1");
    Assert.assertEquals(Status.ACCEPTED, cw.write(seed).getStatus());
    scanner.setRange(new Range("99006"));
    // TODO verify all columns
    scanner.fetchColumn(new Text("tx"), new Text("seq"));
    Entry<Key,Value> entry = Iterables.getOnlyElement(scanner);
    Assert.assertEquals("1", entry.getValue().toString());
    long ts = entry.getKey().getTimestamp();

    // Each attempt below gets exactly one condition field wrong and must be rejected
    Condition wrongFamily = new Condition("txA", "seq").setVisibility(cva).setValue("1");
    Assert.assertEquals(Status.REJECTED, cw.write(updateOf(wrongFamily, cva)).getStatus());
    Condition wrongQualifier = new Condition("tx", "seqA").setVisibility(cva).setValue("1");
    Assert.assertEquals(Status.REJECTED, cw.write(updateOf(wrongQualifier, cva)).getStatus());
    Condition wrongVisibility = new Condition("tx", "seq").setVisibility(cvb).setValue("1");
    Assert.assertEquals(Status.REJECTED, cw.write(updateOf(wrongVisibility, cva)).getStatus());
    Condition timestampTooNew = new Condition("tx", "seq").setVisibility(cva).setTimestamp(ts + 1).setValue("1");
    Assert.assertEquals(Status.REJECTED, cw.write(updateOf(timestampTooNew, cva)).getStatus());
    Condition timestampTooOld = new Condition("tx", "seq").setVisibility(cva).setTimestamp(ts - 1).setValue("1");
    Assert.assertEquals(Status.REJECTED, cw.write(updateOf(timestampTooOld, cva)).getStatus());

    // ensure no updates were made
    entry = Iterables.getOnlyElement(scanner);
    Assert.assertEquals("1", entry.getValue().toString());

    // With every field correct the same update goes through
    Condition allCorrect = new Condition("tx", "seq").setVisibility(cva).setTimestamp(ts).setValue("1");
    Assert.assertEquals(Status.ACCEPTED, cw.write(updateOf(allCorrect, cva)).getStatus());
    entry = Iterables.getOnlyElement(scanner);
    Assert.assertEquals("2", entry.getValue().toString());
  }
}

/**
 * The update every conditional write in {@link #testFields()} attempts on row {@code 99006}: capitalised names and
 * tx:seq advanced to 2, all under {@code vis}, guarded by {@code condition}.
 */
private static ConditionalMutation updateOf(Condition condition, ColumnVisibility vis) {
  ConditionalMutation cm = new ConditionalMutation("99006", condition);
  cm.put("name", "last", vis, "Doe");
  cm.put("name", "first", vis, "John");
  cm.put("tx", "seq", vis, "2");
  return cm;
}