
Example 1 with DelegationTokenImpl

use of org.apache.accumulo.core.clientImpl.DelegationTokenImpl in project accumulo by apache.

From class AbstractInputFormat, method setConnectorInfo.

/**
 * Sets the connector information needed to communicate with Accumulo in this job.
 *
 * <p>
 * <b>WARNING:</b> Some tokens, when serialized, divulge sensitive information in the
 * configuration as a means to pass the token to MapReduce tasks. This information is BASE64
 * encoded to provide a charset safe conversion to a string, but this conversion is not intended
 * to be secure. {@link PasswordToken} is one example that is insecure in this way; however
 * {@link DelegationToken}s, acquired using
 * {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)}, are not subject to this
 * concern.
 *
 * <p>
 * A {@link KerberosToken} is exchanged here for a {@link DelegationToken} through the client's
 * security operations, because the Kerberos credentials themselves are not available to the
 * tasks. If that exchange fails, the failure is logged and the original token is stored as-is;
 * the tasks will then most likely be unable to authenticate.
 *
 * @param job
 *          the Hadoop job instance to be configured
 * @param principal
 *          a valid Accumulo user name (user must have Table.CREATE permission)
 * @param token
 *          the user's authentication token
 * @throws AccumuloSecurityException
 *           if storing the connector information in the job configuration fails
 * @since 1.5.0
 */
public static void setConnectorInfo(Job job, String principal, AuthenticationToken token) throws AccumuloSecurityException {
    AuthenticationToken effectiveToken = token;
    if (effectiveToken instanceof KerberosToken) {
        log.info("Received KerberosToken, attempting to fetch DelegationToken");
        try {
            ClientContext client = InputConfigurator.client(CLASS, job.getConfiguration());
            effectiveToken = client.securityOperations().getDelegationToken(new DelegationTokenConfig());
        } catch (Exception e) {
            // Best effort: the KerberosToken is kept so the job can still be configured; the
            // consequence for the tasks is spelled out in the warning.
            log.warn("Failed to automatically obtain DelegationToken, Mappers/Reducers will likely fail to communicate with Accumulo", e);
        }
    }
    if (effectiveToken instanceof DelegationTokenImpl) {
        DelegationTokenImpl delegationToken = (DelegationTokenImpl) effectiveToken;
        AuthenticationTokenIdentifier identifier = delegationToken.getIdentifier();
        // Wrap the Accumulo delegation token as a Hadoop Token and attach it to the job's
        // credentials so it is serialized and passed along with the job.
        Token<AuthenticationTokenIdentifier> mrToken = new Token<>(identifier.getBytes(), delegationToken.getPassword(), identifier.getKind(), delegationToken.getServiceName());
        job.getCredentials().addToken(mrToken.getService(), mrToken);
    }
    InputConfigurator.setConnectorInfo(CLASS, job.getConfiguration(), principal, effectiveToken);
}

Example 2 with DelegationTokenImpl

use of org.apache.accumulo.core.clientImpl.DelegationTokenImpl in project accumulo by apache.

From class DelegationTokenImplTest, method testEquality.

@Test
public void testEquality() {
    // Two tokens that share the password bytes but carry different identifiers.
    AuthenticationTokenIdentifier userIdentifier = new AuthenticationTokenIdentifier(createTAuthIdentifier("user", 1, 1000L, 2000L, "instanceid"));
    // A real serialized Token is not needed for the password
    DelegationTokenImpl userToken = new DelegationTokenImpl(new byte[] { 'f', 'a', 'k', 'e' }, userIdentifier);
    AuthenticationTokenIdentifier otherUserIdentifier = new AuthenticationTokenIdentifier(createTAuthIdentifier("user1", 1, 1000L, 2000L, "instanceid"));
    // A real serialized Token is not needed for the password
    DelegationTokenImpl otherUserToken = new DelegationTokenImpl(new byte[] { 'f', 'a', 'k', 'e' }, otherUserIdentifier);
    assertNotEquals(userToken, otherUserToken);
    // Checking the hash codes too pins the implementation, not just the equals/hashCode contract
    // (distinct objects are allowed to collide in general).
    assertNotEquals(userToken.hashCode(), otherUserToken.hashCode());
    // Same identifier as the first token, but a different password.
    // A real serialized Token is not needed for the password
    DelegationTokenImpl otherPasswordToken = new DelegationTokenImpl(new byte[] { 'f', 'a', 'k', 'e', '0' }, userIdentifier);
    assertNotEquals(userToken, otherPasswordToken);
    assertNotEquals(userToken.hashCode(), otherPasswordToken.hashCode());
    assertNotEquals(otherUserToken, otherPasswordToken);
    assertNotEquals(otherUserToken.hashCode(), otherPasswordToken.hashCode());
}

Example 3 with DelegationTokenImpl

use of org.apache.accumulo.core.clientImpl.DelegationTokenImpl in project accumulo by apache.

From class KerberosAuthenticator, method authenticateUser.

@Override
public boolean authenticateUser(String principal, AuthenticationToken token) throws AccumuloSecurityException {
    // The caller's identity was already established at the RPC transport layer; what remains to
    // decide is whether that RPC user may act as the requested principal.
    final String rpcPrincipal = UGIAssumingProcessor.rpcPrincipal();
    boolean impersonating = !rpcPrincipal.equals(principal);
    if (impersonating) {
        // KerberosToken is just a shim and carries no credentials, so the only check possible
        // here is the impersonation allow-list configured for the RPC user.
        UsersWithHosts allowed = impersonation.get(rpcPrincipal);
        if (allowed == null || !allowed.getUsers().contains(principal)) {
            throw new AccumuloSecurityException(principal, SecurityErrorCode.AUTHENTICATOR_FAILED);
        }
        // NOTE(review): only the user part of the allow-list is consulted here; the host
        // restriction is presumably enforced elsewhere — confirm.
        log.debug("Allowing impersonation of {} by {}", principal, rpcPrincipal);
    }
    // Nothing further to verify for the token itself; only its type is accepted or rejected.
    return token instanceof KerberosToken || token instanceof DelegationTokenImpl;
}

Example 4 with DelegationTokenImpl

use of org.apache.accumulo.core.clientImpl.DelegationTokenImpl in project accumulo by apache.

From class KerberosIT, method testRestartedManagerReusesSecretKey.

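/**
 * Verifies that a delegation token issued before a manager restart is still usable afterwards,
 * and that a token issued after the restart carries the same secret key id: the manager is
 * expected to keep using its existing secret key as long as that key has not expired (one day by
 * default).
 *
 * <p>
 * Every {@link AccumuloClient} created here is closed after use; the clients are only a means to
 * obtain and exercise the tokens.
 */
@Test
public void testRestartedManagerReusesSecretKey() throws Exception {
    // Login as the "root" user
    UserGroupInformation root = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
    log.info("Logged in as {}", rootUser.getPrincipal());
    // As the "root" user, open up the connection and get a delegation token. The same action is
    // used before and after the restart, so it is defined once.
    PrivilegedExceptionAction<AuthenticationToken> fetchDelegationToken = () -> {
        try (AccumuloClient client = mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken())) {
            log.info("Created client as {}", rootUser.getPrincipal());
            assertEquals(rootUser.getPrincipal(), client.whoami());
            AuthenticationToken token = client.securityOperations().getDelegationToken(new DelegationTokenConfig());
            // Prove the freshly issued token actually works before handing it back.
            try (AccumuloClient tokenClient = mac.createAccumuloClient(rootUser.getPrincipal(), token)) {
                assertTrue("Could not get tables with delegation token", !tokenClient.tableOperations().list().isEmpty());
            }
            return token;
        }
    };
    final AuthenticationToken delegationToken1 = root.doAs(fetchDelegationToken);
    log.info("Stopping manager");
    mac.getClusterControl().stop(ServerType.MANAGER);
    Thread.sleep(5000);
    log.info("Restarting manager");
    mac.getClusterControl().start(ServerType.MANAGER);
    // Make sure our original token is still good
    root.doAs((PrivilegedExceptionAction<Void>) () -> {
        try (AccumuloClient client = mac.createAccumuloClient(rootUser.getPrincipal(), delegationToken1)) {
            assertTrue("Could not get tables with delegation token", !client.tableOperations().list().isEmpty());
        }
        return null;
    });
    // Get a new token, so we can compare the keyId on the second to the first
    final AuthenticationToken delegationToken2 = root.doAs(fetchDelegationToken);
    // A restarted manager should reuse the same secret key after a restart if the secret key hasn't
    // expired (1day by default)
    DelegationTokenImpl dt1 = (DelegationTokenImpl) delegationToken1;
    DelegationTokenImpl dt2 = (DelegationTokenImpl) delegationToken2;
    assertEquals(dt1.getIdentifier().getKeyId(), dt2.getIdentifier().getKeyId());
}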

Example 5 with DelegationTokenImpl

use of org.apache.accumulo.core.clientImpl.DelegationTokenImpl in project accumulo by apache.

From class KerberosIT, method testDelegationTokenWithReducedLifetime.

@Test
public void testDelegationTokenWithReducedLifetime() throws Throwable {
    // Login as the "root" user
    UserGroupInformation root = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
    log.info("Logged in as {}", rootUser.getPrincipal());
    // Request a token that lives at most five minutes.
    final DelegationTokenConfig shortLived = new DelegationTokenConfig().setTokenLifetime(5, MINUTES);
    // As the "root" user, open up the connection and get a delegation token
    final AuthenticationToken dt = root.doAs((PrivilegedExceptionAction<AuthenticationToken>) () -> {
        try (AccumuloClient client = mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken())) {
            log.info("Created client as {}", rootUser.getPrincipal());
            assertEquals(rootUser.getPrincipal(), client.whoami());
            return client.securityOperations().getDelegationToken(shortLived);
        }
    });
    // The issued identifier must honor the requested lifetime: issue-to-expiry may not exceed
    // five minutes.
    AuthenticationTokenIdentifier identifier = ((DelegationTokenImpl) dt).getIdentifier();
    long lifetimeMillis = identifier.getExpirationDate() - identifier.getIssueDate();
    assertTrue("Expected identifier to expire in no more than 5 minutes: " + identifier, lifetimeMillis <= MINUTES.toMillis(5));
}
