Example 16 with AuthenticationTokenIdentifier

use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.

the class AuthenticationTokenIdentifierTest method testEquality.

@Test
public void testEquality() {
    String principal = "user";
    var token = new AuthenticationTokenIdentifier(new TAuthenticationTokenIdentifier(principal));
    assertEquals(token, token);
    var newToken = new AuthenticationTokenIdentifier(new TAuthenticationTokenIdentifier(principal));
    assertEquals(token, newToken);
    assertEquals(token.hashCode(), newToken.hashCode());
}
Also used : TAuthenticationTokenIdentifier(org.apache.accumulo.core.securityImpl.thrift.TAuthenticationTokenIdentifier) AuthenticationTokenIdentifier(org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier) Test(org.junit.jupiter.api.Test)

Example 17 with AuthenticationTokenIdentifier

use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.

the class AuthenticationTokenIdentifierTest method testNullMsg.

@Test
public void testNullMsg() throws IOException {
    AuthenticationTokenIdentifier token = new AuthenticationTokenIdentifier();
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    DataOutputStream out = new DataOutputStream(baos);
    token.write(out);
    DataInputStream in = new DataInputStream(new ByteArrayInputStream(baos.toByteArray()));
    AuthenticationTokenIdentifier deserializedToken = new AuthenticationTokenIdentifier();
    deserializedToken.readFields(in);
    assertEquals(token, deserializedToken);
    assertEquals(token.hashCode(), deserializedToken.hashCode());
    assertEquals(token.toString(), deserializedToken.toString());
}
Also used : ByteArrayInputStream(java.io.ByteArrayInputStream) DataOutputStream(java.io.DataOutputStream) TAuthenticationTokenIdentifier(org.apache.accumulo.core.securityImpl.thrift.TAuthenticationTokenIdentifier) AuthenticationTokenIdentifier(org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier) ByteArrayOutputStream(java.io.ByteArrayOutputStream) DataInputStream(java.io.DataInputStream) Test(org.junit.jupiter.api.Test)

Example 18 with AuthenticationTokenIdentifier

use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.

the class ManagerClientServiceHandler method getDelegationToken.

@Override
public TDelegationToken getDelegationToken(TInfo tinfo, TCredentials credentials, TDelegationTokenConfig tConfig) throws ThriftSecurityException, TException {
    if (!manager.security.canObtainDelegationToken(credentials)) {
        throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
    }
    // Round-about way to verify that SASL is also enabled.
    if (!manager.delegationTokensAvailable()) {
        throw new TException("Delegation tokens are not available for use");
    }
    final DelegationTokenConfig config = DelegationTokenConfigSerializer.deserialize(tConfig);
    final AuthenticationTokenSecretManager secretManager = manager.getContext().getSecretManager();
    try {
        Entry<Token<AuthenticationTokenIdentifier>, AuthenticationTokenIdentifier> pair = secretManager.generateToken(credentials.principal, config);
        return new TDelegationToken(ByteBuffer.wrap(pair.getKey().getPassword()), pair.getValue().getThriftIdentifier());
    } catch (Exception e) {
        throw new TException(e.getMessage());
    }
}
Also used : TException(org.apache.thrift.TException) TDelegationTokenConfig(org.apache.accumulo.core.securityImpl.thrift.TDelegationTokenConfig) DelegationTokenConfig(org.apache.accumulo.core.client.admin.DelegationTokenConfig) AuthenticationTokenIdentifier(org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier) AuthenticationTokenSecretManager(org.apache.accumulo.server.security.delegation.AuthenticationTokenSecretManager) TDelegationToken(org.apache.accumulo.core.securityImpl.thrift.TDelegationToken) Token(org.apache.hadoop.security.token.Token) ThriftSecurityException(org.apache.accumulo.core.clientImpl.thrift.ThriftSecurityException) TableNotFoundException(org.apache.accumulo.core.client.TableNotFoundException) InvalidProtocolBufferException(com.google.protobuf.InvalidProtocolBufferException) TabletDeletedException(org.apache.accumulo.core.metadata.schema.TabletDeletedException) KeeperException(org.apache.zookeeper.KeeperException) ThriftTableOperationException(org.apache.accumulo.core.clientImpl.thrift.ThriftTableOperationException) NoNodeException(org.apache.zookeeper.KeeperException.NoNodeException)

Example 19 with AuthenticationTokenIdentifier

use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.

the class AbstractInputFormat method setConnectorInfo.

/**
 * Sets the connector information needed to communicate with Accumulo in this job.
 *
 * <p>
 * <b>WARNING:</b> Some tokens, when serialized, divulge sensitive information in the
 * configuration as a means to pass the token to MapReduce tasks. This information is BASE64
 * encoded to provide a charset safe conversion to a string, but this conversion is not intended
 * to be secure. {@link PasswordToken} is one example that is insecure in this way; however
 * {@link DelegationToken}s, acquired using
 * {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)}, are not subject to this
 * concern.
 *
 * @param job
 *          the Hadoop job instance to be configured
 * @param principal
 *          a valid Accumulo user name (user must have Table.CREATE permission)
 * @param token
 *          the user's password
 * @since 1.5.0
 */
public static void setConnectorInfo(JobConf job, String principal, AuthenticationToken token) throws AccumuloSecurityException {
    if (token instanceof KerberosToken) {
        log.info("Received KerberosToken, attempting to fetch DelegationToken");
        try {
            ClientContext client = InputConfigurator.client(CLASS, job);
            token = client.securityOperations().getDelegationToken(new DelegationTokenConfig());
        } catch (Exception e) {
            log.warn("Failed to automatically obtain DelegationToken, Mappers/Reducers will likely" + " fail to communicate with Accumulo", e);
        }
    }
    // DelegationTokens can be passed securely from user to task without serializing insecurely in the configuration
    if (token instanceof DelegationTokenImpl) {
        DelegationTokenImpl delegationToken = (DelegationTokenImpl) token;
        // Convert it into a Hadoop Token
        AuthenticationTokenIdentifier identifier = delegationToken.getIdentifier();
        Token<AuthenticationTokenIdentifier> hadoopToken = new Token<>(identifier.getBytes(), delegationToken.getPassword(), identifier.getKind(), delegationToken.getServiceName());
        // Add the Hadoop Token to the Job so it gets serialized and passed along.
        job.getCredentials().addToken(hadoopToken.getService(), hadoopToken);
    }
    InputConfigurator.setConnectorInfo(CLASS, job, principal, token);
}
Also used : DelegationTokenConfig(org.apache.accumulo.core.client.admin.DelegationTokenConfig) KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken) DelegationTokenImpl(org.apache.accumulo.core.clientImpl.DelegationTokenImpl) ClientContext(org.apache.accumulo.core.clientImpl.ClientContext) AuthenticationTokenIdentifier(org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier) AuthenticationToken(org.apache.accumulo.core.client.security.tokens.AuthenticationToken) PasswordToken(org.apache.accumulo.core.client.security.tokens.PasswordToken) DelegationToken(org.apache.accumulo.core.client.security.tokens.DelegationToken) Token(org.apache.hadoop.security.token.Token) TableNotFoundException(org.apache.accumulo.core.client.TableNotFoundException) AccumuloSecurityException(org.apache.accumulo.core.client.AccumuloSecurityException) IOException(java.io.IOException) AccumuloException(org.apache.accumulo.core.client.AccumuloException)

Example 20 with AuthenticationTokenIdentifier

use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.

the class AccumuloOutputFormat method setConnectorInfo.

/**
 * Sets the connector information needed to communicate with Accumulo in this job.
 *
 * <p>
 * <b>WARNING:</b> Some tokens, when serialized, divulge sensitive information in the
 * configuration as a means to pass the token to MapReduce tasks. This information is BASE64
 * encoded to provide a charset safe conversion to a string, but this conversion is not intended
 * to be secure. {@link PasswordToken} is one example that is insecure in this way; however
 * {@link DelegationToken}s, acquired using
 * {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)}, are not subject to this
 * concern.
 *
 * @param job
 *          the Hadoop job instance to be configured
 * @param principal
 *          a valid Accumulo user name (user must have Table.CREATE permission if
 *          {@link #setCreateTables(JobConf, boolean)} is set to true)
 * @param token
 *          the user's password
 * @since 1.5.0
 */
public static void setConnectorInfo(JobConf job, String principal, AuthenticationToken token) throws AccumuloSecurityException {
    if (token instanceof KerberosToken) {
        log.info("Received KerberosToken, attempting to fetch DelegationToken");
        try {
            ClientContext client = OutputConfigurator.client(CLASS, job);
            token = client.securityOperations().getDelegationToken(new DelegationTokenConfig());
        } catch (Exception e) {
            log.warn("Failed to automatically obtain DelegationToken, " + "Mappers/Reducers will likely fail to communicate with Accumulo", e);
        }
    }
    // DelegationTokens can be passed securely from user to task without serializing insecurely in the configuration
    if (token instanceof DelegationTokenImpl) {
        DelegationTokenImpl delegationToken = (DelegationTokenImpl) token;
        // Convert it into a Hadoop Token
        AuthenticationTokenIdentifier identifier = delegationToken.getIdentifier();
        Token<AuthenticationTokenIdentifier> hadoopToken = new Token<>(identifier.getBytes(), delegationToken.getPassword(), identifier.getKind(), delegationToken.getServiceName());
        // Add the Hadoop Token to the Job so it gets serialized and passed along.
        job.getCredentials().addToken(hadoopToken.getService(), hadoopToken);
    }
    OutputConfigurator.setConnectorInfo(CLASS, job, principal, token);
}
Also used : DelegationTokenConfig(org.apache.accumulo.core.client.admin.DelegationTokenConfig) KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken) DelegationTokenImpl(org.apache.accumulo.core.clientImpl.DelegationTokenImpl) ClientContext(org.apache.accumulo.core.clientImpl.ClientContext) AuthenticationTokenIdentifier(org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier) DelegationToken(org.apache.accumulo.core.client.security.tokens.DelegationToken) AuthenticationToken(org.apache.accumulo.core.client.security.tokens.AuthenticationToken) Token(org.apache.hadoop.security.token.Token) PasswordToken(org.apache.accumulo.core.client.security.tokens.PasswordToken) TableExistsException(org.apache.accumulo.core.client.TableExistsException) TableNotFoundException(org.apache.accumulo.core.client.TableNotFoundException) AccumuloSecurityException(org.apache.accumulo.core.client.AccumuloSecurityException) MutationsRejectedException(org.apache.accumulo.core.client.MutationsRejectedException) IOException(java.io.IOException) AccumuloException(org.apache.accumulo.core.client.AccumuloException)
