
Example 6 with AuthenticationTokenIdentifier

use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.

Class AuthenticationTokenSecretManagerTest, method testVerifyPassword:

@Test
public void testVerifyPassword() throws Exception {
    // Timestamp marking the start of the test; doubles as the key's creation time.
    long now = System.currentTimeMillis();
    // Tokens issued by this manager live for one minute.
    long lifetimeMillis = MINUTES.toMillis(1);
    AuthenticationTokenSecretManager manager = new AuthenticationTokenSecretManager(instanceId, lifetimeMillis);
    // Install a key that is valid for the whole test window.
    manager.addKey(new AuthenticationKey(1, now, now + lifetimeMillis, keyGen.generateKey()));
    String principal = "user@EXAMPLE.COM";

    // First token: rebuild its identifier from the serialized bytes, as a client would.
    Token<AuthenticationTokenIdentifier> firstToken = manager.generateToken(principal, cfg).getKey();
    AuthenticationTokenIdentifier firstId = new AuthenticationTokenIdentifier();
    firstId.readFields(new DataInputStream(new ByteArrayInputStream(firstToken.getIdentifier())));
    byte[] firstPassword = manager.retrievePassword(firstId);
    // Looking up the same identifier twice must yield the same password.
    assertArrayEquals(firstPassword, manager.retrievePassword(firstId));

    // Second token for the same principal, reconstituted the same way.
    Token<AuthenticationTokenIdentifier> secondToken = manager.generateToken(principal, cfg).getKey();
    AuthenticationTokenIdentifier secondId = new AuthenticationTokenIdentifier();
    secondId.readFields(new DataInputStream(new ByteArrayInputStream(secondToken.getIdentifier())));
    byte[] secondPassword = manager.retrievePassword(secondId);
    // Two distinct tokens for one principal must not share a password.
    assertFalse("Different tokens for the same user shouldn't have the same password", Arrays.equals(firstPassword, secondPassword));
}

Example 7 with AuthenticationTokenIdentifier

use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.

Class SaslDigestCallbackHandlerTest, method testTokenAndIdentifierSerialization:

@Test
public void testTokenAndIdentifierSerialization() throws Exception {
    // Manager holding a single key whose validity window covers the test.
    AuthenticationTokenSecretManager manager = new AuthenticationTokenSecretManager(InstanceId.of("instanceid"), 1000L);
    manager.addKey(new AuthenticationKey(1, 0L, 100_000L, keyGen.generateKey()));
    var tokenAndId = manager.generateToken("user", cfg);

    // Encode both halves of the token through the handler.
    char[] expectedPassword = handler.encodePassword(tokenAndId.getKey().getPassword());
    String encodedName = handler.encodeIdentifier(tokenAndId.getValue().getBytes());

    // Round-trip the identifier: decode the name, then read the Writable fields back.
    byte[] decodedBytes = handler.decodeIdentifier(encodedName);
    AuthenticationTokenIdentifier roundTripped = new AuthenticationTokenIdentifier();
    roundTripped.readFields(new DataInputStream(new ByteArrayInputStream(decodedBytes)));

    // The password derived from the decoded identifier must equal the encoded original.
    char[] derivedPassword = handler.getPassword(manager, roundTripped);
    assertArrayEquals(derivedPassword, expectedPassword);
}

Example 8 with AuthenticationTokenIdentifier

use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.

Class SaslServerDigestCallbackHandler, method getIdentifier:

/**
 * Rebuilds the {@link AuthenticationTokenIdentifier} carried in an encoded identifier string.
 *
 * @param id
 *          the encoded identifier, decoded here with {@code decodeIdentifier}
 * @param secretManager
 *          supplies the empty identifier instance via {@code createIdentifier()}
 * @return the identifier populated from the decoded bytes
 * @throws InvalidToken
 *           if the decoded bytes cannot be read as an identifier; the underlying
 *           {@link IOException} is attached as the cause
 */
private AuthenticationTokenIdentifier getIdentifier(String id, AuthenticationTokenSecretManager secretManager) throws InvalidToken {
    byte[] serialized = decodeIdentifier(id);
    AuthenticationTokenIdentifier identifier = secretManager.createIdentifier();
    DataInputStream in = new DataInputStream(new ByteArrayInputStream(serialized));
    try {
        identifier.readFields(in);
    } catch (IOException e) {
        // A malformed identifier surfaces as InvalidToken rather than a bare IOException.
        // InvalidToken is built from a message only here, so the cause is attached afterwards.
        InvalidToken invalid = new InvalidToken("Can't de-serialize tokenIdentifier");
        invalid.initCause(e);
        throw invalid;
    }
    return identifier;
}

Example 9 with AuthenticationTokenIdentifier

use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.

Class AuthenticationTokenSecretManager, method generateToken:

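/**
 * Generates a delegation token for the user with the provided {@code username}.
 *
 * @param username
 *          The client to generate the delegation token for.
 * @param cfg
 *          A configuration object for obtaining the delegation token
 * @return A delegation token for {@code username} created using the {@link #currentKey}, paired
 *         with the identifier that was serialized into it.
 * @throws AccumuloException
 *           if the password cannot be created for the identifier; the triggering
 *           {@link RuntimeException} is preserved as the cause
 * @throws NullPointerException
 *           if {@code username} or {@code cfg} is null
 */
public Entry<Token<AuthenticationTokenIdentifier>, AuthenticationTokenIdentifier> generateToken(String username, DelegationTokenConfig cfg) throws AccumuloException {
    requireNonNull(username, "username");
    requireNonNull(cfg, "cfg");
    var id = new AuthenticationTokenIdentifier(new TAuthenticationTokenIdentifier(username));
    // The service name is qualified with the instance id when the identifier carries one.
    final StringBuilder svcName = new StringBuilder(DelegationTokenImpl.SERVICE_NAME);
    if (id.getInstanceId() != null) {
        svcName.append("-").append(id.getInstanceId());
    }
    // Create password will update the state on the identifier given currentKey. Need to call this
    // before serializing the identifier
    byte[] password;
    try {
        password = createPassword(id, cfg);
    } catch (RuntimeException e) {
        // Keep the original exception as the cause: dropping it left only the message, which
        // hides the real failure (and its stack trace) from callers and logs.
        throw new AccumuloException(e.getMessage(), e);
    }
    // The use of the ServiceLoader inside Token doesn't work to automatically get the Identifier
    // Explicitly returning the identifier also saves an extra deserialization
    Token<AuthenticationTokenIdentifier> token = new Token<>(id.getBytes(), password, id.getKind(), new Text(svcName.toString()));
    return Maps.immutableEntry(token, id);
}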

Example 10 with AuthenticationTokenIdentifier

use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.

Class KerberosIT, method testDelegationTokenWithReducedLifetime:

@Test
public void testDelegationTokenWithReducedLifetime() throws Throwable {
    // Authenticate as "root" from its keytab.
    UserGroupInformation rootUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
    log.info("Logged in as {}", rootUser.getPrincipal());
    // Within root's security context, open a client and request a token capped at five minutes.
    PrivilegedExceptionAction<AuthenticationToken> requestToken = () -> {
        try (AccumuloClient client = mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken())) {
            log.info("Created client as {}", rootUser.getPrincipal());
            assertEquals(rootUser.getPrincipal(), client.whoami());
            DelegationTokenConfig fiveMinutes = new DelegationTokenConfig().setTokenLifetime(5, MINUTES);
            return client.securityOperations().getDelegationToken(fiveMinutes);
        }
    };
    AuthenticationToken delegationToken = rootUgi.doAs(requestToken);
    // The issued identifier must honour the requested cap: expiry minus issue time is at most five minutes.
    AuthenticationTokenIdentifier identifier = ((DelegationTokenImpl) delegationToken).getIdentifier();
    long lifetimeMillis = identifier.getExpirationDate() - identifier.getIssueDate();
    assertTrue("Expected identifier to expire in no more than 5 minutes: " + identifier, lifetimeMillis <= MINUTES.toMillis(5));
}
