public Token<DelegationTokenIdentifier> getDelegationToken(Text renewer) throws IOException, InterruptedException { Token<DelegationTokenIdentifier> result = jobSubmitClient.getDelegationToken(renewer); String jtAddress = getConf().get("mapred.job.tracker"); if (!HAUtil.isHAEnabled(getConf(), jtAddress)) { InetSocketAddress addr = JobTracker.getAddress(getConf()); StringBuilder service = new StringBuilder(); service.append(NetUtils.normalizeHostName(addr.getAddress(). getHostAddress())); service.append(':'); service.append(addr.getPort()); result.setService(new Text(service.toString())); } else { result.setService(HAUtil.buildTokenServiceForLogicalAddress(jtAddress)); } return result; }
public static void cloneDelegationTokenForLogicalAddress( UserGroupInformation ugi, String haJtAddress, Collection<InetSocketAddress> jtAddresses) { Text haService = HAUtil.buildTokenServiceForLogicalAddress(haJtAddress); Token<DelegationTokenIdentifier> haToken = tokenSelector.selectToken(haService, ugi.getTokens()); if (haToken != null) { for (InetSocketAddress singleJtAddr : jtAddresses) { Token<DelegationTokenIdentifier> specificToken = new Token<DelegationTokenIdentifier>(haToken); SecurityUtil.setTokenService(specificToken, singleJtAddr); ugi.addToken(specificToken); LOG.debug("Mapped HA service delegation token for logical address " + haJtAddress + " to jt " + singleJtAddr); } } else { LOG.debug("No HA service delegation token found for logical address " + haJtAddress); } }
/** * Get a new delegation token. */ @Override public Token<DelegationTokenIdentifier> getDelegationToken(Text renewer )throws IOException, InterruptedException { if (!isAllowedDelegationTokenOp()) { throw new IOException( "Delegation Token can be issued only with kerberos authentication"); } UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); Text owner = new Text(ugi.getUserName()); Text realUser = null; if (ugi.getRealUser() != null) { realUser = new Text(ugi.getRealUser().getUserName()); } DelegationTokenIdentifier ident = new DelegationTokenIdentifier(owner, renewer, realUser); return new Token<DelegationTokenIdentifier>(ident, secretManager); }
private static void getJtToken(Credentials cred) throws IOException { try { JobConf jobConf = new JobConf(); JobClient jobClient = new JobClient(jobConf); LOG.info("Pre-fetching JT token from JobTracker"); Token<DelegationTokenIdentifier> mrdt = jobClient.getDelegationToken(getMRTokenRenewerInternal(jobConf)); if (mrdt == null) { LOG.error("Failed to fetch JT token"); throw new IOException("Failed to fetch JT token."); } LOG.info("Created JT token: " + mrdt.toString()); LOG.info("Token kind: " + mrdt.getKind()); LOG.info("Token id: " + Arrays.toString(mrdt.getIdentifier())); LOG.info("Token service: " + mrdt.getService()); cred.addToken(mrdt.getService(), mrdt); } catch (InterruptedException ie) { throw new IOException(ie); } }
private void cancelMRJobTrackerToken( final Token<? extends TokenIdentifier> t, String userToProxy) throws HadoopSecurityManagerException { try { getProxiedUser(userToProxy).doAs(new PrivilegedExceptionAction<Void>() { @SuppressWarnings("unchecked") @Override public Void run() throws Exception { cancelToken((Token<DelegationTokenIdentifier>) t); return null; } private void cancelToken(Token<DelegationTokenIdentifier> jt) throws IOException, InterruptedException { JobConf jc = new JobConf(conf); JobClient jobClient = new JobClient(jc); jobClient.cancelDelegationToken(jt); } }); } catch (Exception e) { throw new HadoopSecurityManagerException("Failed to cancel token. " + e.getMessage() + e.getCause(), e); } }
private void cancelMRJobTrackerToken( final Token<? extends TokenIdentifier> t, String userToProxy) throws HadoopSecurityManagerException { try { getProxiedUser(userToProxy).doAs(new PrivilegedExceptionAction<Void>() { @SuppressWarnings("unchecked") @Override public Void run() throws Exception { cancelToken((Token<DelegationTokenIdentifier>) t); return null; } private void cancelToken(Token<DelegationTokenIdentifier> jt) throws IOException, InterruptedException { JobConf jc = new JobConf(conf); JobClient jobClient = new JobClient(jc); jobClient.cancelDelegationToken(jt); } }); } catch (Exception e) { e.printStackTrace(); throw new HadoopSecurityManagerException("Failed to cancel Token. " + e.getMessage() + e.getCause()); } }
@Override public Token<DelegationTokenIdentifier> getDelegationToken(Text renewer) throws IOException, InterruptedException { // The token is only used for serialization. So the type information // mismatch should be fine. return resMgrDelegate.getDelegationToken(renewer); }
/** * Get a delegation token for the user from the JobTracker. * @param renewer the user who can renew the token * @return the new token * @throws IOException */ public Token<DelegationTokenIdentifier> getDelegationToken(final Text renewer) throws IOException, InterruptedException { return clientUgi.doAs(new PrivilegedExceptionAction<Token<DelegationTokenIdentifier>>() { public Token<DelegationTokenIdentifier> run() throws IOException, InterruptedException { return cluster.getDelegationToken(renewer); } }); }
@SuppressWarnings("unchecked") @Override public long renew(Token<?> token, Configuration conf ) throws IOException, InterruptedException { JobSubmissionProtocol jt = createJTProxy(token, conf); return jt.renewDelegationToken((Token<DelegationTokenIdentifier>) token); }
@SuppressWarnings("unchecked") @Override public void cancel(Token<?> token, Configuration conf ) throws IOException, InterruptedException { JobSubmissionProtocol jt = createJTProxy(token, conf); jt.cancelDelegationToken((Token<DelegationTokenIdentifier>) token); }
@Override public boolean isManaged(Token<?> token) throws IOException { ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier()); DelegationTokenIdentifier id = new DelegationTokenIdentifier(); id.readFields(new DataInputStream(buf)); // AbstractDelegationToken converts given renewer to a short name, but // AbstractDelegationTokenSecretManager does not, so we have to do it String loginUser = UserGroupInformation.getLoginUser().getShortUserName(); return loginUser.equals(id.getRenewer().toString()); }
@SuppressWarnings("unchecked") private void printTokens(JobID jobId, Credentials credentials) throws IOException { if (LOG.isDebugEnabled()) { LOG.debug("Printing tokens for job: " + jobId); for(Token<?> token: credentials.getAllTokens()) { if (token.getKind().toString().equals("HDFS_DELEGATION_TOKEN")) { LOG.debug("Submitting with " + org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier.stringifyToken( (Token<org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier>) token)); } } } }
/** * Renew a delegation token * @param token the token to renew * @return the new expiration time * @throws InvalidToken * @throws IOException */ public long renewDelegationToken(Token<DelegationTokenIdentifier> token) throws InvalidToken, IOException, InterruptedException { try { return jobSubmitClient.renewDelegationToken(token); } catch (RemoteException re) { throw re.unwrapRemoteException(InvalidToken.class, AccessControlException.class); } }
/** * Cancel a delegation token from the JobTracker * @param token the token to cancel * @throws IOException */ public void cancelDelegationToken(Token<DelegationTokenIdentifier> token ) throws IOException, InterruptedException { try { jobSubmitClient.cancelDelegationToken(token); } catch (RemoteException re) { throw re.unwrapRemoteException(InvalidToken.class, AccessControlException.class); } }
/** * Discard a current delegation token. */ @Override public void cancelDelegationToken(Token<DelegationTokenIdentifier> token ) throws IOException, InterruptedException { String user = UserGroupInformation.getCurrentUser().getUserName(); secretManager.cancelToken(token, user); }
/** * Renew a delegation token to extend its lifetime. */ @Override public long renewDelegationToken(Token<DelegationTokenIdentifier> token ) throws IOException, InterruptedException { if (!isAllowedDelegationTokenOp()) { throw new IOException( "Delegation Token can be issued only with kerberos authentication"); } String user = UserGroupInformation.getCurrentUser().getShortUserName(); return secretManager.renewToken(token, user); }
/** * * @param userToProxy The user that hiveClient is impersonating as to fetch the delegation tokens. * @param ugi The {@link UserGroupInformation} that to be added with negotiated credentials. */ public static void getHiveToken(final State state, IMetaStoreClient hiveClient, Credentials cred, final String userToProxy, UserGroupInformation ugi) { try { // Fetch the delegation token with "service" field overwritten with the metastore.uri configuration. // org.apache.gobblin.hive.HiveMetaStoreClientFactory.getHiveConf(com.google.common.base.Optional<java.lang.String>) // sets the signature field to the same value to retrieve the token correctly. HiveConf hiveConf = new HiveConf(); Token<DelegationTokenIdentifier> hcatToken = fetchHcatToken(userToProxy, hiveConf, hiveConf.get(HiveConf.ConfVars.METASTOREURIS.varname), hiveClient); cred.addToken(hcatToken.getService(), hcatToken); ugi.addToken(hcatToken); // Fetch extra Hcat location user specified. final List<String> extraHcatLocations = state.contains(USER_DEFINED_HIVE_LOCATIONS) ? state.getPropAsList(USER_DEFINED_HIVE_LOCATIONS) : Collections.EMPTY_LIST; if (!extraHcatLocations.isEmpty()) { LOG.info("Need to fetch extra metaStore tokens from hive."); // start to process the user inputs. for (final String thriftUrl : extraHcatLocations) { LOG.info("Fetching metaStore token from : " + thriftUrl); hiveConf = new HiveConf(); hiveConf.set(HiveConf.ConfVars.METASTOREURIS.varname, thriftUrl); hcatToken = fetchHcatToken(userToProxy, hiveConf, thriftUrl, hiveClient); cred.addToken(hcatToken.getService(), hcatToken); ugi.addToken(hcatToken); LOG.info("Successfully fetched token for:" + thriftUrl); } } } catch (final Throwable t) { final String message = "Failed to get hive metastore token." + t.getMessage() + t.getCause(); LOG.error(message, t); throw new RuntimeException(message); } }
/** * function to fetch hcat token as per the specified hive configuration and then store the token * in to the credential store specified . * * @param userToProxy String value indicating the name of the user the token will be fetched for. * @param hiveConf the configuration based off which the hive client will be initialized. */ private static Token<DelegationTokenIdentifier> fetchHcatToken(final String userToProxy, final HiveConf hiveConf, final String tokenSignatureOverwrite, final IMetaStoreClient hiveClient) throws IOException, TException, InterruptedException { LOG.info(HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL.varname + ": " + hiveConf.get( HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL.varname)); LOG.info(HiveConf.ConfVars.METASTORE_KERBEROS_PRINCIPAL.varname + ": " + hiveConf.get( HiveConf.ConfVars.METASTORE_KERBEROS_PRINCIPAL.varname)); final Token<DelegationTokenIdentifier> hcatToken = new Token<>(); hcatToken.decodeFromUrlString( hiveClient.getDelegationToken(userToProxy, UserGroupInformation.getLoginUser().getShortUserName())); // overwrite the value of the service property of the token if the signature // override is specified. // If the service field is set, do not overwrite that if (hcatToken.getService().getLength() <= 0 && tokenSignatureOverwrite != null && tokenSignatureOverwrite.trim().length() > 0) { hcatToken.setService(new Text(tokenSignatureOverwrite.trim().toLowerCase())); LOG.info(HIVE_TOKEN_SIGNATURE_KEY + ":" + tokenSignatureOverwrite); } LOG.info("Created hive metastore token for user:" + userToProxy + " with kind[" + hcatToken.getKind() + "]" + " and service[" + hcatToken.getService() + "]"); return hcatToken; }
