
Example 21 with AuthenticationTokenIdentifier

use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.

the class AccumuloOutputFormat method setConnectorInfo.

/**
 * Configures the credentials this job will use to communicate with Accumulo.
 *
 * <p>
 * <b>WARNING:</b> Some tokens, when serialized, divulge sensitive information in the
 * configuration as a means to pass the token to MapReduce tasks. That information is BASE64
 * encoded only to obtain a charset-safe string; BASE64 is an encoding, not encryption, so the
 * conversion is not intended to be secure. {@link PasswordToken} is one example that is insecure
 * in this way; a {@link DelegationToken} acquired using
 * {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)} is not subject to this
 * concern.
 *
 * <p>
 * A {@link KerberosToken} is exchanged for a delegation token on a best-effort basis. When the
 * exchange fails the failure is only logged, and the original KerberosToken is the one handed
 * to the job configuration.
 *
 * @param job
 *          the Hadoop job instance to be configured
 * @param principal
 *          a valid Accumulo user name (user must have Table.CREATE permission if
 *          {@link #setCreateTables(Job, boolean)} is set to true)
 * @param token
 *          the authentication token for {@code principal}; prefer a delegation token over a
 *          {@link PasswordToken} for the reason given in the warning above
 * @throws AccumuloSecurityException
 *           declared by this method; NOTE(review): presumably raised by
 *           {@code OutputConfigurator.setConnectorInfo}, confirm against that class
 * @since 1.5.0
 */
public static void setConnectorInfo(Job job, String principal, AuthenticationToken token) throws AccumuloSecurityException {
    AuthenticationToken effectiveToken = token;

    if (effectiveToken instanceof KerberosToken) {
        log.info("Received KerberosToken, attempting to fetch DelegationToken");
        try {
            ClientContext context = OutputConfigurator.client(CLASS, job.getConfiguration());
            effectiveToken = context.securityOperations().getDelegationToken(new DelegationTokenConfig());
        } catch (Exception e) {
            // Deliberate best effort: keep the KerberosToken and let the job proceed.
            log.warn("Failed to automatically obtain DelegationToken, "
                + "Mappers/Reducers will likely fail to communicate with Accumulo", e);
        }
    }

    // A delegation token is also placed in the job's Hadoop Credentials, which is where the
    // task-side unwrap code looks it up by service name.
    if (effectiveToken instanceof DelegationTokenImpl) {
        DelegationTokenImpl accumuloToken = (DelegationTokenImpl) effectiveToken;
        AuthenticationTokenIdentifier tokenId = accumuloToken.getIdentifier();

        // Re-express the Accumulo delegation token as a Hadoop Token.
        Token<AuthenticationTokenIdentifier> jobToken = new Token<>(
            tokenId.getBytes(),
            accumuloToken.getPassword(),
            tokenId.getKind(),
            accumuloToken.getServiceName());

        // Registering it with the job gets it serialized and shipped with the job.
        job.getCredentials().addToken(jobToken.getService(), jobToken);
    }

    OutputConfigurator.setConnectorInfo(CLASS, job.getConfiguration(), principal, effectiveToken);
}
Also used : DelegationTokenConfig(org.apache.accumulo.core.client.admin.DelegationTokenConfig) KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken) DelegationTokenImpl(org.apache.accumulo.core.clientImpl.DelegationTokenImpl) ClientContext(org.apache.accumulo.core.clientImpl.ClientContext) AuthenticationTokenIdentifier(org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier) DelegationToken(org.apache.accumulo.core.client.security.tokens.DelegationToken) AuthenticationToken(org.apache.accumulo.core.client.security.tokens.AuthenticationToken) Token(org.apache.hadoop.security.token.Token) KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken) PasswordToken(org.apache.accumulo.core.client.security.tokens.PasswordToken) TableExistsException(org.apache.accumulo.core.client.TableExistsException) TableNotFoundException(org.apache.accumulo.core.client.TableNotFoundException) AccumuloSecurityException(org.apache.accumulo.core.client.AccumuloSecurityException) MutationsRejectedException(org.apache.accumulo.core.client.MutationsRejectedException) IOException(java.io.IOException) AccumuloException(org.apache.accumulo.core.client.AccumuloException)

Example 22 with AuthenticationTokenIdentifier

use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.

the class ConfiguratorBase method unwrapAuthenticationToken.

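/**
 * Unwraps the provided {@link AuthenticationToken} if it is an instance of DelegationTokenStub,
 * reconstituting it from the Hadoop credentials carried by the provided {@link JobContext}.
 *
 * <p>
 * The stub only names a service; the identifier bytes and the token password are read from the
 * job credentials entry stored under that service name.
 *
 * @param job
 *          The job whose credentials hold the Hadoop token
 * @param token
 *          The authentication token
 * @return a {@link DelegationTokenImpl} rebuilt from the job credentials when {@code token} is a
 *         DelegationTokenStub, otherwise {@code token} itself
 * @throws NullPointerException
 *           if {@code job} or {@code token} is null, or if the job credentials contain no token
 *           for the stub's service name
 * @throws RuntimeException
 *           if the stored token identifier cannot be deserialized
 */
public static AuthenticationToken unwrapAuthenticationToken(JobContext job, AuthenticationToken token) {
    requireNonNull(job);
    requireNonNull(token);
    if (!(token instanceof org.apache.accumulo.core.clientImpl.mapreduce.DelegationTokenStub)) {
        return token;
    }
    org.apache.accumulo.core.clientImpl.mapreduce.DelegationTokenStub delTokenStub = (org.apache.accumulo.core.clientImpl.mapreduce.DelegationTokenStub) token;
    Text serviceAlias = new Text(delTokenStub.getServiceName());
    Token<? extends TokenIdentifier> hadoopToken = job.getCredentials().getToken(serviceAlias);
    // The credentials lookup yields null when nothing was registered under this alias. Fail here
    // with the alias in the message (never the token password) instead of an unexplained
    // NullPointerException on the first dereference below; the exception type is unchanged.
    requireNonNull(hadoopToken, "No Hadoop token found in the job credentials for service " + serviceAlias);
    AuthenticationTokenIdentifier identifier = new AuthenticationTokenIdentifier();
    try {
        identifier.readFields(new DataInputStream(new ByteArrayInputStream(hadoopToken.getIdentifier())));
        return new DelegationTokenImpl(hadoopToken.getPassword(), identifier);
    } catch (IOException e) {
        throw new RuntimeException("Could not construct DelegationToken from JobConf Credentials", e);
    }
}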
Also used : Text(org.apache.hadoop.io.Text) IOException(java.io.IOException) DataInputStream(java.io.DataInputStream) ByteArrayInputStream(java.io.ByteArrayInputStream) DelegationTokenImpl(org.apache.accumulo.core.clientImpl.DelegationTokenImpl) AuthenticationTokenIdentifier(org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier)

Example 23 with AuthenticationTokenIdentifier

use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.

the class ConfiguratorBase method unwrapAuthenticationToken.

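/**
 * Unwraps the provided {@link AuthenticationToken} if it is an instance of DelegationTokenStub,
 * reconstituting it from the Hadoop credentials carried by the provided {@link JobConf}.
 *
 * <p>
 * The stub only names a service; the identifier bytes and the token password are read from the
 * job credentials entry stored under that service name.
 *
 * @param job
 *          The job whose credentials hold the Hadoop token
 * @param token
 *          The authentication token
 * @return a {@link DelegationTokenImpl} rebuilt from the job credentials when {@code token} is a
 *         DelegationTokenStub, otherwise {@code token} itself
 * @throws NullPointerException
 *           if {@code job} or {@code token} is null, or if the job credentials contain no token
 *           for the stub's service name
 * @throws RuntimeException
 *           if the stored token identifier cannot be deserialized
 */
public static AuthenticationToken unwrapAuthenticationToken(JobConf job, AuthenticationToken token) {
    requireNonNull(job);
    requireNonNull(token);
    if (!(token instanceof org.apache.accumulo.core.clientImpl.mapreduce.DelegationTokenStub)) {
        return token;
    }
    org.apache.accumulo.core.clientImpl.mapreduce.DelegationTokenStub delTokenStub = (org.apache.accumulo.core.clientImpl.mapreduce.DelegationTokenStub) token;
    Text serviceAlias = new Text(delTokenStub.getServiceName());
    Token<? extends TokenIdentifier> hadoopToken = job.getCredentials().getToken(serviceAlias);
    // The credentials lookup yields null when nothing was registered under this alias. Fail here
    // with the alias in the message (never the token password) instead of an unexplained
    // NullPointerException on the first dereference below; the exception type is unchanged.
    requireNonNull(hadoopToken, "No Hadoop token found in the job credentials for service " + serviceAlias);
    AuthenticationTokenIdentifier identifier = new AuthenticationTokenIdentifier();
    try {
        identifier.readFields(new DataInputStream(new ByteArrayInputStream(hadoopToken.getIdentifier())));
        return new DelegationTokenImpl(hadoopToken.getPassword(), identifier);
    } catch (IOException e) {
        throw new RuntimeException("Could not construct DelegationToken from JobConf Credentials", e);
    }
}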
Also used : Text(org.apache.hadoop.io.Text) IOException(java.io.IOException) DataInputStream(java.io.DataInputStream) ByteArrayInputStream(java.io.ByteArrayInputStream) DelegationTokenImpl(org.apache.accumulo.core.clientImpl.DelegationTokenImpl) AuthenticationTokenIdentifier(org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier)

Example 24 with AuthenticationTokenIdentifier

use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.

the class DelegationTokenImplTest method testSerialization.

/**
 * Round-trips a {@link DelegationTokenImpl} through {@code write} and {@code readFields} and
 * checks that the copy matches the original in service name, equality and hash code.
 */
@Test
public void testSerialization() throws IOException {
    // Placeholder secret; the test only needs some bytes to carry through serialization.
    byte[] secret = new byte[] { 'f', 'a', 'k', 'e' };
    AuthenticationTokenIdentifier tokenId = new AuthenticationTokenIdentifier(
        createTAuthIdentifier("user", 1, 1000L, 2000L, "instanceid"));
    DelegationTokenImpl original = new DelegationTokenImpl(secret, tokenId);

    // Serialize into an in-memory buffer.
    ByteArrayOutputStream sink = new ByteArrayOutputStream();
    DataOutputStream writer = new DataOutputStream(sink);
    original.write(writer);

    // Deserialize into a token created with the no-arg constructor.
    DelegationTokenImpl restored = new DelegationTokenImpl();
    ByteArrayInputStream source = new ByteArrayInputStream(sink.toByteArray());
    restored.readFields(new DataInputStream(source));

    assertEquals(original.getServiceName(), restored.getServiceName());
    assertEquals(original, restored);
    assertEquals(original.hashCode(), restored.hashCode());
}
Also used : ByteArrayInputStream(java.io.ByteArrayInputStream) DelegationTokenImpl(org.apache.accumulo.core.clientImpl.DelegationTokenImpl) DataOutputStream(java.io.DataOutputStream) AuthenticationTokenIdentifier(org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier) ByteArrayOutputStream(java.io.ByteArrayOutputStream) DataInputStream(java.io.DataInputStream) Test(org.junit.jupiter.api.Test)

Example 25 with AuthenticationTokenIdentifier

use of org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier in project accumulo by apache.

the class SaslServerDigestCallbackHandler method handle.

/**
 * Services the callbacks of a SASL DIGEST-MD5 server exchange that authenticates with a
 * delegation token.
 *
 * <p>
 * When a {@link PasswordCallback} is present, the token identifier is resolved from the
 * {@link NameCallback}'s default name, its password is supplied to the callback, and the
 * identifier's user name is recorded as the RPC principal. When an {@link AuthorizeCallback} is
 * present, authorization is granted only if the authentication ID and the authorization ID are
 * equal, so a client cannot be authorized under an ID other than the one it authenticated with.
 *
 * @param callbacks
 *          the callbacks to service; a {@link RealmCallback} is accepted and ignored
 * @throws InvalidToken
 *           declared by this method; NOTE(review): presumably raised by {@code getIdentifier} or
 *           {@code getPassword}, which are defined outside this listing
 * @throws UnsupportedCallbackException
 *           if a callback of any other type is supplied
 */
@Override
public void handle(Callback[] callbacks) throws InvalidToken, UnsupportedCallbackException {
    NameCallback nameCallback = null;
    PasswordCallback passwordCallback = null;
    AuthorizeCallback authorizeCallback = null;

    for (Callback callback : callbacks) {
        if (callback instanceof AuthorizeCallback) {
            authorizeCallback = (AuthorizeCallback) callback;
        } else if (callback instanceof NameCallback) {
            nameCallback = (NameCallback) callback;
        } else if (callback instanceof PasswordCallback) {
            passwordCallback = (PasswordCallback) callback;
        } else if (!(callback instanceof RealmCallback)) {
            // The realm is ignored; every other unexpected callback type is rejected.
            throw new UnsupportedCallbackException(callback, "Unrecognized SASL DIGEST-MD5 Callback");
        }
    }

    if (passwordCallback != null) {
        // NOTE(review): nameCallback is dereferenced without a null check; this relies on a
        // NameCallback always accompanying a PasswordCallback - confirm.
        AuthenticationTokenIdentifier tokenIdentifier = getIdentifier(nameCallback.getDefaultName(), secretManager);
        char[] password = getPassword(secretManager, tokenIdentifier);
        UserGroupInformation user = tokenIdentifier.getUser();
        // Set the principal since we already deserialized the token identifier
        UGIAssumingProcessor.getRpcPrincipalThreadLocal().set(user.getUserName());
        // Only the user is traced; the password itself is never written to the log.
        log.trace("SASL server DIGEST-MD5 callback: setting password for client: {}", tokenIdentifier.getUser());
        passwordCallback.setPassword(password);
    }

    if (authorizeCallback == null) {
        return;
    }

    String authid = authorizeCallback.getAuthenticationID();
    String authzid = authorizeCallback.getAuthorizationID();
    // Authorize only when the client asks to act as the identity it authenticated as.
    authorizeCallback.setAuthorized(authid.equals(authzid));
    if (authorizeCallback.isAuthorized()) {
        // The identifier is resolved again from authzid even when trace logging is off.
        String username = getIdentifier(authzid, secretManager).getUser().getUserName();
        log.trace("SASL server DIGEST-MD5 callback: setting canonicalized client ID: {}", username);
        authorizeCallback.setAuthorizedID(authzid);
    }
}
Also used : NameCallback(javax.security.auth.callback.NameCallback) RealmCallback(javax.security.sasl.RealmCallback) PasswordCallback(javax.security.auth.callback.PasswordCallback) NameCallback(javax.security.auth.callback.NameCallback) AuthorizeCallback(javax.security.sasl.AuthorizeCallback) Callback(javax.security.auth.callback.Callback) AuthenticationTokenIdentifier(org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier) PasswordCallback(javax.security.auth.callback.PasswordCallback) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) AuthorizeCallback(javax.security.sasl.AuthorizeCallback) RealmCallback(javax.security.sasl.RealmCallback) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Aggregations

AuthenticationTokenIdentifier (org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier)29 ByteArrayInputStream (java.io.ByteArrayInputStream)13 DataInputStream (java.io.DataInputStream)13 DelegationTokenImpl (org.apache.accumulo.core.clientImpl.DelegationTokenImpl)11 Token (org.apache.hadoop.security.token.Token)11 Test (org.junit.jupiter.api.Test)11 TAuthenticationTokenIdentifier (org.apache.accumulo.core.securityImpl.thrift.TAuthenticationTokenIdentifier)8 Test (org.junit.Test)8 IOException (java.io.IOException)7 DelegationTokenConfig (org.apache.accumulo.core.client.admin.DelegationTokenConfig)6 KerberosToken (org.apache.accumulo.core.client.security.tokens.KerberosToken)6 InvalidToken (org.apache.hadoop.security.token.SecretManager.InvalidToken)6 AccumuloException (org.apache.accumulo.core.client.AccumuloException)5 TableNotFoundException (org.apache.accumulo.core.client.TableNotFoundException)5 AuthenticationToken (org.apache.accumulo.core.client.security.tokens.AuthenticationToken)5 AccumuloSecurityException (org.apache.accumulo.core.client.AccumuloSecurityException)4 DelegationToken (org.apache.accumulo.core.client.security.tokens.DelegationToken)4 PasswordToken (org.apache.accumulo.core.client.security.tokens.PasswordToken)4 ClientContext (org.apache.accumulo.core.clientImpl.ClientContext)4 ByteArrayOutputStream (java.io.ByteArrayOutputStream)3