use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.
the class AuthenticationTokenIdentifierTest method testEquality.
@Test
public void testEquality() {
String principal = "user";
var token = new AuthenticationTokenIdentifier(new TAuthenticationTokenIdentifier(principal));
assertEquals(token, token);
var newToken = new AuthenticationTokenIdentifier(new TAuthenticationTokenIdentifier(principal));
assertEquals(token, newToken);
assertEquals(token.hashCode(), newToken.hashCode());
}
use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.
the class AuthenticationTokenIdentifierTest method testNullMsg.
@Test
public void testNullMsg() throws IOException {
AuthenticationTokenIdentifier token = new AuthenticationTokenIdentifier();
ByteArrayOutputStream baos = new ByteArrayOutputStream();
DataOutputStream out = new DataOutputStream(baos);
token.write(out);
DataInputStream in = new DataInputStream(new ByteArrayInputStream(baos.toByteArray()));
AuthenticationTokenIdentifier deserializedToken = new AuthenticationTokenIdentifier();
deserializedToken.readFields(in);
assertEquals(token, deserializedToken);
assertEquals(token.hashCode(), deserializedToken.hashCode());
assertEquals(token.toString(), deserializedToken.toString());
}
use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.
the class ManagerClientServiceHandler method getDelegationToken.
@Override
public TDelegationToken getDelegationToken(TInfo tinfo, TCredentials credentials, TDelegationTokenConfig tConfig) throws ThriftSecurityException, TException {
if (!manager.security.canObtainDelegationToken(credentials)) {
throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
}
// Round-about way to verify that SASL is also enabled.
if (!manager.delegationTokensAvailable()) {
throw new TException("Delegation tokens are not available for use");
}
final DelegationTokenConfig config = DelegationTokenConfigSerializer.deserialize(tConfig);
final AuthenticationTokenSecretManager secretManager = manager.getContext().getSecretManager();
try {
Entry<Token<AuthenticationTokenIdentifier>, AuthenticationTokenIdentifier> pair = secretManager.generateToken(credentials.principal, config);
return new TDelegationToken(ByteBuffer.wrap(pair.getKey().getPassword()), pair.getValue().getThriftIdentifier());
} catch (Exception e) {
throw new TException(e.getMessage());
}
}
use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.
the class AbstractInputFormat method setConnectorInfo.
/**
* Sets the connector information needed to communicate with Accumulo in this job.
*
* <p>
* <b>WARNING:</b> Some tokens, when serialized, divulge sensitive information in the
* configuration as a means to pass the token to MapReduce tasks. This information is BASE64
* encoded to provide a charset safe conversion to a string, but this conversion is not intended
* to be secure. {@link PasswordToken} is one example that is insecure in this way; however
* {@link DelegationToken}s, acquired using
* {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)}, is not subject to this
* concern.
*
* @param job
* the Hadoop job instance to be configured
* @param principal
* a valid Accumulo user name (user must have Table.CREATE permission)
* @param token
* the user's password
* @since 1.5.0
*/
public static void setConnectorInfo(JobConf job, String principal, AuthenticationToken token) throws AccumuloSecurityException {
if (token instanceof KerberosToken) {
log.info("Received KerberosToken, attempting to fetch DelegationToken");
try {
ClientContext client = InputConfigurator.client(CLASS, job);
token = client.securityOperations().getDelegationToken(new DelegationTokenConfig());
} catch (Exception e) {
log.warn("Failed to automatically obtain DelegationToken, Mappers/Reducers will likely" + " fail to communicate with Accumulo", e);
}
}
// the configuration
if (token instanceof DelegationTokenImpl) {
DelegationTokenImpl delegationToken = (DelegationTokenImpl) token;
// Convert it into a Hadoop Token
AuthenticationTokenIdentifier identifier = delegationToken.getIdentifier();
Token<AuthenticationTokenIdentifier> hadoopToken = new Token<>(identifier.getBytes(), delegationToken.getPassword(), identifier.getKind(), delegationToken.getServiceName());
// Add the Hadoop Token to the Job so it gets serialized and passed along.
job.getCredentials().addToken(hadoopToken.getService(), hadoopToken);
}
InputConfigurator.setConnectorInfo(CLASS, job, principal, token);
}
use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.
the class AccumuloOutputFormat method setConnectorInfo.
/**
* Sets the connector information needed to communicate with Accumulo in this job.
*
* <p>
* <b>WARNING:</b> Some tokens, when serialized, divulge sensitive information in the
* configuration as a means to pass the token to MapReduce tasks. This information is BASE64
* encoded to provide a charset safe conversion to a string, but this conversion is not intended
* to be secure. {@link PasswordToken} is one example that is insecure in this way; however
* {@link DelegationToken}s, acquired using
* {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)}, is not subject to this
* concern.
*
* @param job
* the Hadoop job instance to be configured
* @param principal
* a valid Accumulo user name (user must have Table.CREATE permission if
* {@link #setCreateTables(JobConf, boolean)} is set to true)
* @param token
* the user's password
* @since 1.5.0
*/
public static void setConnectorInfo(JobConf job, String principal, AuthenticationToken token) throws AccumuloSecurityException {
if (token instanceof KerberosToken) {
log.info("Received KerberosToken, attempting to fetch DelegationToken");
try {
ClientContext client = OutputConfigurator.client(CLASS, job);
token = client.securityOperations().getDelegationToken(new DelegationTokenConfig());
} catch (Exception e) {
log.warn("Failed to automatically obtain DelegationToken, " + "Mappers/Reducers will likely fail to communicate with Accumulo", e);
}
}
// the configuration
if (token instanceof DelegationTokenImpl) {
DelegationTokenImpl delegationToken = (DelegationTokenImpl) token;
// Convert it into a Hadoop Token
AuthenticationTokenIdentifier identifier = delegationToken.getIdentifier();
Token<AuthenticationTokenIdentifier> hadoopToken = new Token<>(identifier.getBytes(), delegationToken.getPassword(), identifier.getKind(), delegationToken.getServiceName());
// Add the Hadoop Token to the Job so it gets serialized and passed along.
job.getCredentials().addToken(hadoopToken.getService(), hadoopToken);
}
OutputConfigurator.setConnectorInfo(CLASS, job, principal, token);
}
Aggregations