Example 1 with AuthenticationTokenIdentifier
use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.
the class AbstractInputFormat method setConnectorInfo.
/**
* Sets the connector information needed to communicate with Accumulo in this job.
*
* <p>
* <b>WARNING:</b> Some tokens, when serialized, divulge sensitive information in the
* configuration as a means to pass the token to MapReduce tasks. This information is BASE64
* encoded to provide a charset safe conversion to a string, but this conversion is not intended
* to be secure. {@link PasswordToken} is one example that is insecure in this way; however
* {@link DelegationToken}s, acquired using
* {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)}, is not subject to this
* concern.
*
* @param job
* the Hadoop job instance to be configured
* @param principal
* a valid Accumulo user name (user must have Table.CREATE permission)
* @param token
* the user's password
* @since 1.5.0
*/
public static void setConnectorInfo(Job job, String principal, AuthenticationToken token) throws AccumuloSecurityException {
if (token instanceof KerberosToken) {
log.info("Received KerberosToken, attempting to fetch DelegationToken");
try {
ClientContext client = InputConfigurator.client(CLASS, job.getConfiguration());
token = client.securityOperations().getDelegationToken(new DelegationTokenConfig());
} catch (Exception e) {
log.warn("Failed to automatically obtain DelegationToken, " + "Mappers/Reducers will likely fail to communicate with Accumulo", e);
}
}
// the configuration
if (token instanceof DelegationTokenImpl) {
DelegationTokenImpl delegationToken = (DelegationTokenImpl) token;
// Convert it into a Hadoop Token
AuthenticationTokenIdentifier identifier = delegationToken.getIdentifier();
Token<AuthenticationTokenIdentifier> hadoopToken = new Token<>(identifier.getBytes(), delegationToken.getPassword(), identifier.getKind(), delegationToken.getServiceName());
// Add the Hadoop Token to the Job so it gets serialized and passed along.
job.getCredentials().addToken(hadoopToken.getService(), hadoopToken);
}
InputConfigurator.setConnectorInfo(CLASS, job.getConfiguration(), principal, token);
}
Also used :
DelegationTokenConfig(org.apache.accumulo.core.client.admin.DelegationTokenConfig)
KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken)
DelegationTokenImpl(org.apache.accumulo.core.clientImpl.DelegationTokenImpl)
ClientContext(org.apache.accumulo.core.clientImpl.ClientContext)
AuthenticationTokenIdentifier(org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier)
AuthenticationToken(org.apache.accumulo.core.client.security.tokens.AuthenticationToken)
KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken)
PasswordToken(org.apache.accumulo.core.client.security.tokens.PasswordToken)
DelegationToken(org.apache.accumulo.core.client.security.tokens.DelegationToken)
Token(org.apache.hadoop.security.token.Token)
TableNotFoundException(org.apache.accumulo.core.client.TableNotFoundException)
AccumuloSecurityException(org.apache.accumulo.core.client.AccumuloSecurityException)
IOException(java.io.IOException)
AccumuloException(org.apache.accumulo.core.client.AccumuloException)
Example 2 with AuthenticationTokenIdentifier
use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.
the class DelegationTokenImplTest method testEquality.
@Test
public void testEquality() {
AuthenticationTokenIdentifier identifier = new AuthenticationTokenIdentifier(createTAuthIdentifier("user", 1, 1000L, 2000L, "instanceid"));
// We don't need a real serialized Token for the password
DelegationTokenImpl token = new DelegationTokenImpl(new byte[] { 'f', 'a', 'k', 'e' }, identifier);
AuthenticationTokenIdentifier identifier2 = new AuthenticationTokenIdentifier(createTAuthIdentifier("user1", 1, 1000L, 2000L, "instanceid"));
// We don't need a real serialized Token for the password
DelegationTokenImpl token2 = new DelegationTokenImpl(new byte[] { 'f', 'a', 'k', 'e' }, identifier2);
assertNotEquals(token, token2);
assertNotEquals(token.hashCode(), token2.hashCode());
// We don't need a real serialized Token for the password
DelegationTokenImpl token3 = new DelegationTokenImpl(new byte[] { 'f', 'a', 'k', 'e', '0' }, identifier);
assertNotEquals(token, token3);
assertNotEquals(token.hashCode(), token3.hashCode());
assertNotEquals(token2, token3);
assertNotEquals(token2.hashCode(), token3.hashCode());
}
Also used :
DelegationTokenImpl(org.apache.accumulo.core.clientImpl.DelegationTokenImpl)
AuthenticationTokenIdentifier(org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier)
Test(org.junit.jupiter.api.Test)
Example 3 with AuthenticationTokenIdentifier
use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.
the class AuthenticationTokenIdentifierTest method testTokenKind.
@Test
public void testTokenKind() {
String principal = "my_special_principal";
var token = new AuthenticationTokenIdentifier(new TAuthenticationTokenIdentifier(principal));
assertEquals(AuthenticationTokenIdentifier.TOKEN_KIND, token.getKind());
}
Also used :
TAuthenticationTokenIdentifier(org.apache.accumulo.core.securityImpl.thrift.TAuthenticationTokenIdentifier)
TAuthenticationTokenIdentifier(org.apache.accumulo.core.securityImpl.thrift.TAuthenticationTokenIdentifier)
AuthenticationTokenIdentifier(org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier)
Test(org.junit.jupiter.api.Test)
Example 4 with AuthenticationTokenIdentifier
use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.
the class AuthenticationTokenIdentifierTest method testSerialization.
@Test
public void testSerialization() throws IOException {
String principal = "my_special_principal";
var token = new AuthenticationTokenIdentifier(new TAuthenticationTokenIdentifier(principal));
ByteArrayOutputStream baos = new ByteArrayOutputStream();
DataOutputStream out = new DataOutputStream(baos);
token.write(out);
DataInputStream in = new DataInputStream(new ByteArrayInputStream(baos.toByteArray()));
AuthenticationTokenIdentifier deserializedToken = new AuthenticationTokenIdentifier();
deserializedToken.readFields(in);
assertEquals(token, deserializedToken);
assertEquals(token.hashCode(), deserializedToken.hashCode());
assertEquals(token.toString(), deserializedToken.toString());
}
Also used :
TAuthenticationTokenIdentifier(org.apache.accumulo.core.securityImpl.thrift.TAuthenticationTokenIdentifier)
ByteArrayInputStream(java.io.ByteArrayInputStream)
DataOutputStream(java.io.DataOutputStream)
TAuthenticationTokenIdentifier(org.apache.accumulo.core.securityImpl.thrift.TAuthenticationTokenIdentifier)
AuthenticationTokenIdentifier(org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier)
ByteArrayOutputStream(java.io.ByteArrayOutputStream)
DataInputStream(java.io.DataInputStream)
Test(org.junit.jupiter.api.Test)
Example 5 with AuthenticationTokenIdentifier
use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.
the class AuthenticationTokenSecretManagerTest method testTokenIssuedInFuture.
@Test
public void testTokenIssuedInFuture() throws Exception {
// start of the test
long then = System.currentTimeMillis();
long tokenLifetime = MINUTES.toMillis(1);
AuthenticationTokenSecretManager secretManager = new AuthenticationTokenSecretManager(instanceId, tokenLifetime);
// Add a current key
secretManager.addKey(new AuthenticationKey(1, then, then + tokenLifetime, keyGen.generateKey()));
String principal = "user@EXAMPLE.COM";
Entry<Token<AuthenticationTokenIdentifier>, AuthenticationTokenIdentifier> pair = secretManager.generateToken(principal, cfg);
Token<AuthenticationTokenIdentifier> token = pair.getKey();
// Reconstitute the token identifier (will happen when clients are involved)
AuthenticationTokenIdentifier id = new AuthenticationTokenIdentifier();
id.readFields(new DataInputStream(new ByteArrayInputStream(token.getIdentifier())));
// Increase the value of issueDate
id.setIssueDate(Long.MAX_VALUE);
assertThrows(InvalidToken.class, () -> secretManager.retrievePassword(id));
}
Also used :
ByteArrayInputStream(java.io.ByteArrayInputStream)
AuthenticationTokenIdentifier(org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier)
InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken)
Token(org.apache.hadoop.security.token.Token)
DataInputStream(java.io.DataInputStream)
Test(org.junit.Test)
Aggregations
AuthenticationTokenIdentifier (org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier)29
ByteArrayInputStream (java.io.ByteArrayInputStream)13
DataInputStream (java.io.DataInputStream)13
DelegationTokenImpl (org.apache.accumulo.core.clientImpl.DelegationTokenImpl)11
Token (org.apache.hadoop.security.token.Token)11
Test (org.junit.jupiter.api.Test)11
TAuthenticationTokenIdentifier (org.apache.accumulo.core.securityImpl.thrift.TAuthenticationTokenIdentifier)8
Test (org.junit.Test)8
IOException (java.io.IOException)7
DelegationTokenConfig (org.apache.accumulo.core.client.admin.DelegationTokenConfig)6
KerberosToken (org.apache.accumulo.core.client.security.tokens.KerberosToken)6
InvalidToken (org.apache.hadoop.security.token.SecretManager.InvalidToken)6
AccumuloException (org.apache.accumulo.core.client.AccumuloException)5
TableNotFoundException (org.apache.accumulo.core.client.TableNotFoundException)5
AuthenticationToken (org.apache.accumulo.core.client.security.tokens.AuthenticationToken)5
AccumuloSecurityException (org.apache.accumulo.core.client.AccumuloSecurityException)4
DelegationToken (org.apache.accumulo.core.client.security.tokens.DelegationToken)4
PasswordToken (org.apache.accumulo.core.client.security.tokens.PasswordToken)4
ClientContext (org.apache.accumulo.core.clientImpl.ClientContext)4
ByteArrayOutputStream (java.io.ByteArrayOutputStream)3
