
Example 1 with DelegationToken

use of org.apache.kafka.common.security.token.delegation.DelegationToken in project kafka by apache.

the class KafkaAdminClient method createDelegationToken.

/**
 * Sends a CreateDelegationToken request through the least-loaded node and exposes the
 * outcome as a future wrapped in a {@link CreateDelegationTokenResult}.
 *
 * <p>The returned {@link DelegationToken} is built from the response's token id, owner,
 * timestamps and HMAC. The HMAC is the secret half of the credential, so callers should
 * avoid logging or persisting it in clear text.
 *
 * @param options renewers, maximum lifetime and request timeout for the new token
 * @return a result whose future completes with the token, or exceptionally with the
 *         response error or the transport failure
 */
@Override
public CreateDelegationTokenResult createDelegationToken(final CreateDelegationTokenOptions options) {
    final KafkaFutureImpl<DelegationToken> tokenFuture = new KafkaFutureImpl<>();
    final long startMs = time.milliseconds();

    // Convert each requested renewer principal into its wire-format entry.
    final List<CreatableRenewers> requestedRenewers = new ArrayList<>();
    for (KafkaPrincipal renewer : options.renewers()) {
        CreatableRenewers entry = new CreatableRenewers();
        entry.setPrincipalName(renewer.getName());
        entry.setPrincipalType(renewer.getPrincipalType());
        requestedRenewers.add(entry);
    }

    final Call createTokenCall = new Call("createDelegationToken", calcDeadlineMs(startMs, options.timeoutMs()), new LeastLoadedNodeProvider()) {

        @Override
        CreateDelegationTokenRequest.Builder createRequest(int timeoutMs) {
            CreateDelegationTokenRequestData requestData = new CreateDelegationTokenRequestData();
            requestData.setRenewers(requestedRenewers);
            requestData.setMaxLifetimeMs(options.maxlifeTimeMs());
            return new CreateDelegationTokenRequest.Builder(requestData);
        }

        @Override
        void handleResponse(AbstractResponse abstractResponse) {
            CreateDelegationTokenResponse tokenResponse = (CreateDelegationTokenResponse) abstractResponse;
            if (response(tokenResponse)) {
                return;
            }
            CreateDelegationTokenResponseData payload = tokenResponse.data();
            KafkaPrincipal owner = new KafkaPrincipal(payload.principalType(), payload.principalName());
            // The renewer list recorded on the token is the one the caller asked for
            // (options.renewers()), not a list read back from the response.
            TokenInformation info = new TokenInformation(payload.tokenId(), owner, options.renewers(), payload.issueTimestampMs(), payload.maxTimestampMs(), payload.expiryTimestampMs());
            tokenFuture.complete(new DelegationToken(info, payload.hmac()));
        }

        /** Fails the future when the response carries an error; returns whether it did. */
        private boolean response(CreateDelegationTokenResponse tokenResponse) {
            if (!tokenResponse.hasError()) {
                return false;
            }
            tokenFuture.completeExceptionally(tokenResponse.error().exception());
            return true;
        }

        @Override
        void handleFailure(Throwable throwable) {
            tokenFuture.completeExceptionally(throwable);
        }
    };
    runnable.call(createTokenCall, startMs);
    return new CreateDelegationTokenResult(tokenFuture);
}
Also used : CreateDelegationTokenRequestData(org.apache.kafka.common.message.CreateDelegationTokenRequestData) AbstractResponse(org.apache.kafka.common.requests.AbstractResponse) DelegationToken(org.apache.kafka.common.security.token.delegation.DelegationToken) ChannelBuilder(org.apache.kafka.common.network.ChannelBuilder) ArrayList(java.util.ArrayList) KafkaPrincipal(org.apache.kafka.common.security.auth.KafkaPrincipal) TokenInformation(org.apache.kafka.common.security.token.delegation.TokenInformation) KafkaFutureImpl(org.apache.kafka.common.internals.KafkaFutureImpl) CreatableRenewers(org.apache.kafka.common.message.CreateDelegationTokenRequestData.CreatableRenewers) CreateDelegationTokenResponseData(org.apache.kafka.common.message.CreateDelegationTokenResponseData) CreateDelegationTokenRequest(org.apache.kafka.common.requests.CreateDelegationTokenRequest) CreateDelegationTokenResponse(org.apache.kafka.common.requests.CreateDelegationTokenResponse)

Example 2 with DelegationToken

use of org.apache.kafka.common.security.token.delegation.DelegationToken in project kafka by apache.

the class RequestResponseTest method createDescribeTokenResponse.

/**
 * Builds a {@link DescribeDelegationTokenResponse} fixture with error {@code Errors.NONE}
 * and two tokens (ids "1" and "2") that share the same two renewers.
 *
 * <p>The HMAC bytes ("test") and the timestamps (current wall-clock time) are placeholders,
 * not values a broker would issue.
 */
private DescribeDelegationTokenResponse createDescribeTokenResponse() {
    // Both tokens are renewable by the same pair of users.
    List<KafkaPrincipal> sharedRenewers = new ArrayList<>();
    for (String renewerName : new String[] {"User:user1", "User:user2"}) {
        sharedRenewers.add(SecurityUtils.parseKafkaPrincipal(renewerName));
    }

    List<DelegationToken> describedTokens = new LinkedList<>();

    KafkaPrincipal firstOwner = SecurityUtils.parseKafkaPrincipal("User:owner");
    TokenInformation firstInfo = new TokenInformation("1", firstOwner, sharedRenewers, System.currentTimeMillis(), System.currentTimeMillis(), System.currentTimeMillis());

    KafkaPrincipal secondOwner = SecurityUtils.parseKafkaPrincipal("User:owner1");
    TokenInformation secondInfo = new TokenInformation("2", secondOwner, sharedRenewers, System.currentTimeMillis(), System.currentTimeMillis(), System.currentTimeMillis());

    describedTokens.add(new DelegationToken(firstInfo, "test".getBytes()));
    describedTokens.add(new DelegationToken(secondInfo, "test".getBytes()));

    // NOTE(review): 20 is presumably the throttle time in ms; confirm against the constructor.
    return new DescribeDelegationTokenResponse(20, Errors.NONE, describedTokens);
}
Also used : DelegationToken(org.apache.kafka.common.security.token.delegation.DelegationToken) ArrayList(java.util.ArrayList) KafkaPrincipal(org.apache.kafka.common.security.auth.KafkaPrincipal) TokenInformation(org.apache.kafka.common.security.token.delegation.TokenInformation) LinkedList(java.util.LinkedList)

Example 3 with DelegationToken

use of org.apache.kafka.common.security.token.delegation.DelegationToken in project hive by apache.

the class DagUtils method getKafkaDelegationTokenForBrokers.

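/**
 * Logs in to Kafka with the HiveServer2 Kerberos keytab, requests a delegation token from
 * the given brokers and stores it in the DAG's credentials under
 * {@code KAFKA_DELEGATION_TOKEN_KEY}.
 *
 * <p>The token id becomes the Hadoop token identifier and the HMAC becomes its password.
 *
 * @param dag          DAG whose credentials receive the Kafka token
 * @param conf         job configuration supplying the Kerberos keytab and principal
 * @param kafkaBrokers bootstrap server list handed to the Kafka admin client
 * @throws RuntimeException if the principal cannot be resolved or the token request fails
 */
private void getKafkaDelegationTokenForBrokers(DAG dag, JobConf conf, String kafkaBrokers) {
    LOG.info("Getting kafka credentials for brokers: {}", kafkaBrokers);
    String keytab = HiveConf.getVar(conf, HiveConf.ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB);
    String principal = HiveConf.getVar(conf, HiveConf.ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL);
    try {
        principal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0");
    } catch (IOException e) {
        throw new RuntimeException(e);
    }
    Properties config = new Properties();
    config.put(AdminClientConfig.BOOTSTRAP_SERVERS_CONFIG, kafkaBrokers);
    // NOTE(review): SASL_PLAINTEXT authenticates the client but does not encrypt the
    // connection, so the HMAC in the broker's response is sent in clear text. Consider
    // SASL_SSL where the brokers support it; left unchanged because it depends on the
    // broker listener configuration.
    config.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_PLAINTEXT");
    // NOTE(review): debug=true enables the Kerberos login module's own diagnostic output
    // unconditionally; confirm that is intended outside troubleshooting. keytab and
    // principal are interpolated unescaped, so a value containing a double quote would
    // produce a malformed JAAS entry.
    String jaasConfig = String.format("%s %s %s %s serviceName=\"%s\" keyTab=\"%s\" principal=\"%s\";", "com.sun.security.auth.module.Krb5LoginModule required", "debug=true", "useKeyTab=true", "storeKey=true", "kafka", keytab, principal);
    config.put(SaslConfigs.SASL_JAAS_CONFIG, jaasConfig);
    LOG.debug("Jaas config for requesting kafka credentials: {}", jaasConfig);

    DelegationToken token;
    // try-with-resources closes the admin client on both the success and failure paths;
    // without it each call leaves the client and its connections open.
    try (AdminClient admin = AdminClient.create(config)) {
        CreateDelegationTokenOptions createDelegationTokenOptions = new CreateDelegationTokenOptions();
        CreateDelegationTokenResult createResult = admin.createDelegationToken(createDelegationTokenOptions);
        token = createResult.delegationToken().get();
    } catch (InterruptedException e) {
        // Restore the interrupt flag so callers further up the stack can still observe it.
        Thread.currentThread().interrupt();
        throw new RuntimeException("Exception while getting kafka delegation tokens", e);
    } catch (ExecutionException e) {
        throw new RuntimeException("Exception while getting kafka delegation tokens", e);
    }
    // NOTE(review): this relies on DelegationToken.toString() not printing the HMAC;
    // confirm for the Kafka client version in use, or log only token.tokenInfo().
    LOG.info("Got kafka delegation token: {}", token);
    dag.getCredentials().addToken(KAFKA_DELEGATION_TOKEN_KEY, new Token<>(token.tokenInfo().tokenId().getBytes(), token.hmac(), null, new Text("kafka")));
}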
Also used : DelegationToken(org.apache.kafka.common.security.token.delegation.DelegationToken) CreateDelegationTokenOptions(org.apache.kafka.clients.admin.CreateDelegationTokenOptions) Text(org.apache.hadoop.io.Text) IOException(java.io.IOException) Properties(java.util.Properties) CreateDelegationTokenResult(org.apache.kafka.clients.admin.CreateDelegationTokenResult) ExecutionException(java.util.concurrent.ExecutionException) AdminClient(org.apache.kafka.clients.admin.AdminClient)

Example 4 with DelegationToken

use of org.apache.kafka.common.security.token.delegation.DelegationToken in project apache-kafka-on-k8s by banzaicloud.

the class RequestResponseTest method createDescribeTokenResponse.

/**
 * Creates a test {@link DescribeDelegationTokenResponse} carrying two delegation tokens
 * with {@code Errors.NONE}.
 *
 * <p>Token "1" is owned by {@code User:owner} and token "2" by {@code User:owner1}; both
 * list {@code User:user1} and {@code User:user2} as renewers. The HMAC ("test") and the
 * timestamps are dummy values.
 */
private DescribeDelegationTokenResponse createDescribeTokenResponse() {
    List<KafkaPrincipal> renewerPrincipals = new ArrayList<>();
    KafkaPrincipal userOne = SecurityUtils.parseKafkaPrincipal("User:user1");
    renewerPrincipals.add(userOne);
    KafkaPrincipal userTwo = SecurityUtils.parseKafkaPrincipal("User:user2");
    renewerPrincipals.add(userTwo);

    List<DelegationToken> tokens = new LinkedList<>();

    // Each timestamp argument samples the clock separately.
    TokenInformation ownerTokenInfo = new TokenInformation(
        "1",
        SecurityUtils.parseKafkaPrincipal("User:owner"),
        renewerPrincipals,
        System.currentTimeMillis(),
        System.currentTimeMillis(),
        System.currentTimeMillis());
    TokenInformation owner1TokenInfo = new TokenInformation(
        "2",
        SecurityUtils.parseKafkaPrincipal("User:owner1"),
        renewerPrincipals,
        System.currentTimeMillis(),
        System.currentTimeMillis(),
        System.currentTimeMillis());

    DelegationToken ownerToken = new DelegationToken(ownerTokenInfo, "test".getBytes());
    tokens.add(ownerToken);
    DelegationToken owner1Token = new DelegationToken(owner1TokenInfo, "test".getBytes());
    tokens.add(owner1Token);

    return new DescribeDelegationTokenResponse(20, Errors.NONE, tokens);
}
Also used : DelegationToken(org.apache.kafka.common.security.token.delegation.DelegationToken) ArrayList(java.util.ArrayList) KafkaPrincipal(org.apache.kafka.common.security.auth.KafkaPrincipal) TokenInformation(org.apache.kafka.common.security.token.delegation.TokenInformation) LinkedList(java.util.LinkedList)

Example 5 with DelegationToken

use of org.apache.kafka.common.security.token.delegation.DelegationToken in project apache-kafka-on-k8s by banzaicloud.

the class DescribeDelegationTokenResponse method toStruct.

/**
 * Serializes this response into a {@link Struct} using the DESCRIBE_DELEGATION_TOKEN
 * response schema for the given version.
 *
 * <p>Each token entry holds the owner, the issue/expiry/max timestamps, the token id, the
 * renewers and the raw HMAC bytes. Because the HMAC is written out unmasked, the
 * resulting struct should be treated as sensitive.
 *
 * @param version protocol version selecting the response schema
 * @return the populated struct; the throttle time is set only if the schema has that field
 */
@Override
protected Struct toStruct(short version) {
    final Struct response = new Struct(ApiKeys.DESCRIBE_DELEGATION_TOKEN.responseSchema(version));
    final List<Struct> tokenEntries = new ArrayList<>(tokens.size());
    response.set(ERROR_CODE, error.code());

    for (DelegationToken delegationToken : tokens) {
        final TokenInformation info = delegationToken.tokenInfo();
        final Struct entry = response.instance(TOKEN_DETAILS_KEY_NAME);

        // Owner principal is a nested struct of (type, name).
        final Struct owner = entry.instance(OWNER_KEY_NAME);
        owner.set(PRINCIPAL_TYPE, info.owner().getPrincipalType());
        owner.set(PRINCIPAL_NAME, info.owner().getName());
        entry.set(OWNER_KEY_NAME, owner);

        entry.set(ISSUE_TIMESTAMP_KEY_NAME, info.issueTimestamp());
        entry.set(EXPIRY_TIMESTAMP_NAME, info.expiryTimestamp());
        entry.set(MAX_TIMESTAMP_NAME, info.maxTimestamp());
        entry.set(TOKEN_ID_KEY_NAME, info.tokenId());
        // The HMAC is serialized as-is.
        entry.set(HMAC_KEY_NAME, ByteBuffer.wrap(delegationToken.hmac()));

        // One nested (type, name) struct per renewer, in iteration order.
        final List<Object> renewerEntries = new ArrayList<>(info.renewers().size());
        for (KafkaPrincipal renewer : info.renewers()) {
            final Struct renewerEntry = entry.instance(RENEWERS_KEY_NAME);
            renewerEntry.set(PRINCIPAL_TYPE, renewer.getPrincipalType());
            renewerEntry.set(PRINCIPAL_NAME, renewer.getName());
            renewerEntries.add(renewerEntry);
        }
        entry.set(RENEWERS_KEY_NAME, renewerEntries.toArray());

        tokenEntries.add(entry);
    }

    response.set(TOKEN_DETAILS_KEY_NAME, tokenEntries.toArray());
    response.setIfExists(THROTTLE_TIME_MS, throttleTimeMs);
    return response;
}
Also used : DelegationToken(org.apache.kafka.common.security.token.delegation.DelegationToken) ArrayList(java.util.ArrayList) TokenInformation(org.apache.kafka.common.security.token.delegation.TokenInformation) KafkaPrincipal(org.apache.kafka.common.security.auth.KafkaPrincipal) Struct(org.apache.kafka.common.protocol.types.Struct)

Aggregations

DelegationToken (org.apache.kafka.common.security.token.delegation.DelegationToken)5 ArrayList (java.util.ArrayList)4 KafkaPrincipal (org.apache.kafka.common.security.auth.KafkaPrincipal)4 TokenInformation (org.apache.kafka.common.security.token.delegation.TokenInformation)4 LinkedList (java.util.LinkedList)2 IOException (java.io.IOException)1 Properties (java.util.Properties)1 ExecutionException (java.util.concurrent.ExecutionException)1 Text (org.apache.hadoop.io.Text)1 AdminClient (org.apache.kafka.clients.admin.AdminClient)1 CreateDelegationTokenOptions (org.apache.kafka.clients.admin.CreateDelegationTokenOptions)1 CreateDelegationTokenResult (org.apache.kafka.clients.admin.CreateDelegationTokenResult)1 KafkaFutureImpl (org.apache.kafka.common.internals.KafkaFutureImpl)1 CreateDelegationTokenRequestData (org.apache.kafka.common.message.CreateDelegationTokenRequestData)1 CreatableRenewers (org.apache.kafka.common.message.CreateDelegationTokenRequestData.CreatableRenewers)1 CreateDelegationTokenResponseData (org.apache.kafka.common.message.CreateDelegationTokenResponseData)1 ChannelBuilder (org.apache.kafka.common.network.ChannelBuilder)1 Struct (org.apache.kafka.common.protocol.types.Struct)1 AbstractResponse (org.apache.kafka.common.requests.AbstractResponse)1 CreateDelegationTokenRequest (org.apache.kafka.common.requests.CreateDelegationTokenRequest)1