use of org.apache.accumulo.core.clientImpl.DelegationTokenImpl in project accumulo by apache.
the class AbstractInputFormat method setConnectorInfo.
/**
* Sets the connector information needed to communicate with Accumulo in this job.
*
* <p>
* <b>WARNING:</b> Some tokens, when serialized, divulge sensitive information in the
* configuration as a means to pass the token to MapReduce tasks. This information is BASE64
* encoded to provide a charset safe conversion to a string, but this conversion is not intended
* to be secure. {@link PasswordToken} is one example that is insecure in this way; however
* {@link DelegationToken}s, acquired using
* {@link SecurityOperations#getDelegationToken(DelegationTokenConfig)}, is not subject to this
* concern.
*
* @param job
* the Hadoop job instance to be configured
* @param principal
* a valid Accumulo user name (user must have Table.CREATE permission)
* @param token
* the user's password
* @since 1.5.0
*/
public static void setConnectorInfo(Job job, String principal, AuthenticationToken token) throws AccumuloSecurityException {
if (token instanceof KerberosToken) {
log.info("Received KerberosToken, attempting to fetch DelegationToken");
try {
ClientContext client = InputConfigurator.client(CLASS, job.getConfiguration());
token = client.securityOperations().getDelegationToken(new DelegationTokenConfig());
} catch (Exception e) {
log.warn("Failed to automatically obtain DelegationToken, " + "Mappers/Reducers will likely fail to communicate with Accumulo", e);
}
}
// the configuration
if (token instanceof DelegationTokenImpl) {
DelegationTokenImpl delegationToken = (DelegationTokenImpl) token;
// Convert it into a Hadoop Token
AuthenticationTokenIdentifier identifier = delegationToken.getIdentifier();
Token<AuthenticationTokenIdentifier> hadoopToken = new Token<>(identifier.getBytes(), delegationToken.getPassword(), identifier.getKind(), delegationToken.getServiceName());
// Add the Hadoop Token to the Job so it gets serialized and passed along.
job.getCredentials().addToken(hadoopToken.getService(), hadoopToken);
}
InputConfigurator.setConnectorInfo(CLASS, job.getConfiguration(), principal, token);
}
use of org.apache.accumulo.core.clientImpl.DelegationTokenImpl in project accumulo by apache.
the class DelegationTokenImplTest method testEquality.
@Test
public void testEquality() {
AuthenticationTokenIdentifier identifier = new AuthenticationTokenIdentifier(createTAuthIdentifier("user", 1, 1000L, 2000L, "instanceid"));
// We don't need a real serialized Token for the password
DelegationTokenImpl token = new DelegationTokenImpl(new byte[] { 'f', 'a', 'k', 'e' }, identifier);
AuthenticationTokenIdentifier identifier2 = new AuthenticationTokenIdentifier(createTAuthIdentifier("user1", 1, 1000L, 2000L, "instanceid"));
// We don't need a real serialized Token for the password
DelegationTokenImpl token2 = new DelegationTokenImpl(new byte[] { 'f', 'a', 'k', 'e' }, identifier2);
assertNotEquals(token, token2);
assertNotEquals(token.hashCode(), token2.hashCode());
// We don't need a real serialized Token for the password
DelegationTokenImpl token3 = new DelegationTokenImpl(new byte[] { 'f', 'a', 'k', 'e', '0' }, identifier);
assertNotEquals(token, token3);
assertNotEquals(token.hashCode(), token3.hashCode());
assertNotEquals(token2, token3);
assertNotEquals(token2.hashCode(), token3.hashCode());
}
use of org.apache.accumulo.core.clientImpl.DelegationTokenImpl in project accumulo by apache.
the class KerberosAuthenticator method authenticateUser.
@Override
public boolean authenticateUser(String principal, AuthenticationToken token) throws AccumuloSecurityException {
final String rpcPrincipal = UGIAssumingProcessor.rpcPrincipal();
if (!rpcPrincipal.equals(principal)) {
// KerberosAuthenticator can't do perform this because KerberosToken is just a shim and
// doesn't contain the actual credentials
// Double check that the rpc user can impersonate as the requested user.
UsersWithHosts usersWithHosts = impersonation.get(rpcPrincipal);
if (usersWithHosts == null) {
throw new AccumuloSecurityException(principal, SecurityErrorCode.AUTHENTICATOR_FAILED);
}
if (!usersWithHosts.getUsers().contains(principal)) {
throw new AccumuloSecurityException(principal, SecurityErrorCode.AUTHENTICATOR_FAILED);
}
log.debug("Allowing impersonation of {} by {}", principal, rpcPrincipal);
}
// User is authenticated at the transport layer -- nothing extra is necessary
return token instanceof KerberosToken || token instanceof DelegationTokenImpl;
}
use of org.apache.accumulo.core.clientImpl.DelegationTokenImpl in project accumulo by apache.
the class KerberosIT method testRestartedManagerReusesSecretKey.
@Test
public void testRestartedManagerReusesSecretKey() throws Exception {
// Login as the "root" user
UserGroupInformation root = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
log.info("Logged in as {}", rootUser.getPrincipal());
// As the "root" user, open up the connection and get a delegation token
final AuthenticationToken delegationToken1 = root.doAs((PrivilegedExceptionAction<AuthenticationToken>) () -> {
AccumuloClient client = mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken());
log.info("Created client as {}", rootUser.getPrincipal());
assertEquals(rootUser.getPrincipal(), client.whoami());
AuthenticationToken token = client.securityOperations().getDelegationToken(new DelegationTokenConfig());
assertTrue("Could not get tables with delegation token", !mac.createAccumuloClient(rootUser.getPrincipal(), token).tableOperations().list().isEmpty());
return token;
});
log.info("Stopping manager");
mac.getClusterControl().stop(ServerType.MANAGER);
Thread.sleep(5000);
log.info("Restarting manager");
mac.getClusterControl().start(ServerType.MANAGER);
// Make sure our original token is still good
root.doAs((PrivilegedExceptionAction<Void>) () -> {
AccumuloClient client = mac.createAccumuloClient(rootUser.getPrincipal(), delegationToken1);
assertTrue("Could not get tables with delegation token", !client.tableOperations().list().isEmpty());
return null;
});
// Get a new token, so we can compare the keyId on the second to the first
final AuthenticationToken delegationToken2 = root.doAs((PrivilegedExceptionAction<AuthenticationToken>) () -> {
AccumuloClient client = mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken());
log.info("Created client as {}", rootUser.getPrincipal());
assertEquals(rootUser.getPrincipal(), client.whoami());
AuthenticationToken token = client.securityOperations().getDelegationToken(new DelegationTokenConfig());
assertTrue("Could not get tables with delegation token", !mac.createAccumuloClient(rootUser.getPrincipal(), token).tableOperations().list().isEmpty());
return token;
});
// A restarted manager should reuse the same secret key after a restart if the secret key hasn't
// expired (1day by default)
DelegationTokenImpl dt1 = (DelegationTokenImpl) delegationToken1;
DelegationTokenImpl dt2 = (DelegationTokenImpl) delegationToken2;
assertEquals(dt1.getIdentifier().getKeyId(), dt2.getIdentifier().getKeyId());
}
use of org.apache.accumulo.core.clientImpl.DelegationTokenImpl in project accumulo by apache.
the class KerberosIT method testDelegationTokenWithReducedLifetime.
@Test
public void testDelegationTokenWithReducedLifetime() throws Throwable {
// Login as the "root" user
UserGroupInformation root = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
log.info("Logged in as {}", rootUser.getPrincipal());
// As the "root" user, open up the connection and get a delegation token
final AuthenticationToken dt = root.doAs((PrivilegedExceptionAction<AuthenticationToken>) () -> {
try (AccumuloClient client = mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken())) {
log.info("Created client as {}", rootUser.getPrincipal());
assertEquals(rootUser.getPrincipal(), client.whoami());
return client.securityOperations().getDelegationToken(new DelegationTokenConfig().setTokenLifetime(5, MINUTES));
}
});
AuthenticationTokenIdentifier identifier = ((DelegationTokenImpl) dt).getIdentifier();
assertTrue("Expected identifier to expire in no more than 5 minutes: " + identifier, identifier.getExpirationDate() - identifier.getIssueDate() <= MINUTES.toMillis(5));
}
Aggregations