Posted to common-commits@hadoop.apache.org by om...@apache.org on 2011/03/04 04:47:10 UTC
svn commit: r1077158 - in
/hadoop/common/branches/branch-0.20-security-patches/src:
core/org/apache/hadoop/security/token/delegation/
hdfs/org/apache/hadoop/hdfs/ hdfs/org/apache/hadoop/hdfs/protocol/
hdfs/org/apache/hadoop/hdfs/security/token/ hdfs/or...
Author: omalley
Date: Fri Mar 4 03:47:09 2011
New Revision: 1077158
URL: http://svn.apache.org/viewvc?rev=1077158&view=rev
Log:
commit 4cd1cdf6b35ba5c8f50c0614c335076cae814f49
Author: Jitendra Nath Pandey <ji...@yahoo-inc.com>
Date: Tue Feb 9 01:34:27 2010 -0800
HADOOP-6547, HDFS-949, MAPREDUCE-1470 from https://issues.apache.org/jira/secure/attachment/12435271/6547-949-1470-0_20.1.patch
+++ b/YAHOO-CHANGES.txt
+ HADOOP-6547, HDFS-949, MAPREDUCE-1470. Move Delegation token into Common so that we
+ can use it for MapReduce also. It is a combined patch for common, hdfs and mr.
+ (jitendra)
+
Added:
hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/token/delegation/
hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenIdentifier.java
hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java
hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSelector.java
hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/token/delegation/DelegationKey.java
hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/security/token/delegation/
hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenIdentifier.java
hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenSecretManager.java
hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenSelector.java
hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/security/TestDelegationToken.java
hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/token/delegation/
hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/token/delegation/TestDelegationToken.java
Removed:
hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/security/token/DelegationKey.java
hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/security/token/DelegationTokenIdentifier.java
hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/security/token/DelegationTokenSecretManager.java
hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/security/token/DelegationTokenSelector.java
hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestDelegationToken.java
Modified:
hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/DFSClient.java
hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/DistributedFileSystem.java
hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/NameNode.java
hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapreduce/security/TokenCache.java
hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/TestDFSClientRetries.java
hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/security/TestClientProtocolWithDelegationToken.java
hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapreduce/security/TestTokenCache.java
Added: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenIdentifier.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenIdentifier.java?rev=1077158&view=auto
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenIdentifier.java (added)
+++ hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenIdentifier.java Fri Mar 4 03:47:09 2011
@@ -0,0 +1,166 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.security.token.delegation;
+
+//import org.apache.hadoop.classification.InterfaceAudience;
+//import static org.apache.hadoop.classification.InterfaceAudience.LimitedPrivate.Project.HDFS;
+//import static org.apache.hadoop.classification.InterfaceAudience.LimitedPrivate.Project.MAPREDUCE;
+
+import java.io.DataInput;
+import java.io.DataOutput;
+import java.io.IOException;
+
+import org.apache.hadoop.io.Text;
+import org.apache.hadoop.io.WritableUtils;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.token.TokenIdentifier;
+
+//@InterfaceAudience.LimitedPrivate({HDFS, MAPREDUCE})
+public abstract class AbstractDelegationTokenIdentifier
+extends TokenIdentifier {
+
+ private Text owner;
+ private Text renewer;
+ private Text realUser;
+ private long issueDate;
+ private long maxDate;
+ private int sequenceNumber;
+ private int masterKeyId = 0;
+
+ public AbstractDelegationTokenIdentifier() {
+ this(new Text(), new Text(), new Text());
+ }
+
+ public AbstractDelegationTokenIdentifier(Text owner, Text renewer, Text realUser) {
+ this.owner = owner;
+ this.renewer = renewer;
+ if (realUser == null) {
+ this.realUser = new Text();
+ } else {
+ this.realUser = realUser;
+ }
+ issueDate = 0;
+ maxDate = 0;
+ }
+
+ @Override
+ public abstract Text getKind();
+
+ /**
+ * Get the username encoded in the token identifier
+ *
+ * @return the username or owner
+ */
+ public UserGroupInformation getUser() {
+ if ( (owner == null) || ("".equals(owner.toString()))) {
+ return null;
+ }
+ if ((realUser == null) || ("".equals(realUser.toString()))
+ || realUser.equals(owner)) {
+ return UserGroupInformation.createRemoteUser(owner.toString());
+ } else {
+ UserGroupInformation realUgi = UserGroupInformation
+ .createRemoteUser(realUser.toString());
+ return UserGroupInformation.createProxyUser(owner.toString(), realUgi);
+ }
+ }
+
+ public Text getRenewer() {
+ return renewer;
+ }
+
+ public void setIssueDate(long issueDate) {
+ this.issueDate = issueDate;
+ }
+
+ public long getIssueDate() {
+ return issueDate;
+ }
+
+ public void setMaxDate(long maxDate) {
+ this.maxDate = maxDate;
+ }
+
+ public long getMaxDate() {
+ return maxDate;
+ }
+
+ public void setSequenceNumber(int seqNum) {
+ this.sequenceNumber = seqNum;
+ }
+
+ public int getSequenceNumber() {
+ return sequenceNumber;
+ }
+
+ public void setMasterKeyId(int newId) {
+ masterKeyId = newId;
+ }
+
+ public int getMasterKeyId() {
+ return masterKeyId;
+ }
+
+ static boolean isEqual(Object a, Object b) {
+ return a == null ? b == null : a.equals(b);
+ }
+
+ /** {@inheritDoc} */
+ public boolean equals(Object obj) {
+ if (obj == this) {
+ return true;
+ }
+ if (obj instanceof AbstractDelegationTokenIdentifier) {
+ AbstractDelegationTokenIdentifier that = (AbstractDelegationTokenIdentifier) obj;
+ return this.sequenceNumber == that.sequenceNumber
+ && this.issueDate == that.issueDate
+ && this.maxDate == that.maxDate
+ && this.masterKeyId == that.masterKeyId
+ && isEqual(this.owner, that.owner)
+ && isEqual(this.renewer, that.renewer)
+ && isEqual(this.realUser, that.realUser);
+ }
+ return false;
+ }
+
+ /** {@inheritDoc} */
+ public int hashCode() {
+ return this.sequenceNumber;
+ }
+
+ public void readFields(DataInput in) throws IOException {
+ owner.readFields(in);
+ renewer.readFields(in);
+ realUser.readFields(in);
+ issueDate = WritableUtils.readVLong(in);
+ maxDate = WritableUtils.readVLong(in);
+ sequenceNumber = WritableUtils.readVInt(in);
+ masterKeyId = WritableUtils.readVInt(in);
+ }
+
+ public void write(DataOutput out) throws IOException {
+ owner.write(out);
+ renewer.write(out);
+ realUser.write(out);
+ WritableUtils.writeVLong(out, issueDate);
+ WritableUtils.writeVLong(out, maxDate);
+ WritableUtils.writeVInt(out, sequenceNumber);
+ WritableUtils.writeVInt(out, masterKeyId);
+ }
+}
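Review bot: The three-argument constructor only guards `realUser` against null, so a null `owner` or `renewer` is stored as-is and the later `owner.readFields(in)` and `owner.write(out)` calls throw NullPointerException, even though `getUser()` already treats a null owner as a legitimate empty value. The constructor should normalize all three fields the same way, e.g. `this.owner = owner == null ? new Text() : owner;` and `this.renewer = renewer == null ? new Text() : renewer;`. The stored `Text` objects are also the caller's own mutable instances, which `readFields` later overwrites in place; a one-line comment on the constructor saying that this aliasing is intended (or a defensive copy if it is not) would prevent surprises. Separately, `equals` does not include `getKind()`, so two identifiers of different kinds with identical fields compare equal; that is harmless while each secret manager holds a single kind, but it belongs in the class Javadoc.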
Added: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java?rev=1077158&view=auto
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java (added)
+++ hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java Fri Mar 4 03:47:09 2011
@@ -0,0 +1,354 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.security.token.delegation;
+
+//import org.apache.hadoop.classification.InterfaceAudience;
+//import static org.apache.hadoop.classification.InterfaceAudience.LimitedPrivate.Project.HDFS;
+//import static org.apache.hadoop.classification.InterfaceAudience.LimitedPrivate.Project.MAPREDUCE;
+
+import java.io.ByteArrayInputStream;
+import java.io.DataInputStream;
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
+
+import javax.crypto.SecretKey;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.security.token.SecretManager;
+import org.apache.hadoop.util.Daemon;
+import org.apache.hadoop.util.StringUtils;
+
+//@InterfaceAudience.LimitedPrivate({HDFS, MAPREDUCE})
+public abstract
+class AbstractDelegationTokenSecretManager<TokenIdent
+extends AbstractDelegationTokenIdentifier>
+ extends SecretManager<TokenIdent> {
+ private static final Log LOG = LogFactory
+ .getLog(AbstractDelegationTokenSecretManager.class);
+
+ /**
+ * Cache of currently valid tokens, mapping from DelegationTokenIdentifier
+ * to DelegationTokenInformation. Protected by its own lock.
+ */
+ private final Map<TokenIdent, DelegationTokenInformation> currentTokens
+ = new HashMap<TokenIdent, DelegationTokenInformation>();
+
+ /**
+ * Sequence number to create DelegationTokenIdentifier
+ */
+ private int delegationTokenSequenceNumber = 0;
+
+ private final Map<Integer, DelegationKey> allKeys
+ = new HashMap<Integer, DelegationKey>();
+
+ /**
+ * Access to currentId and currentKey is protected by this object lock.
+ */
+ private int currentId = 0;
+ private DelegationKey currentKey;
+
+ private long keyUpdateInterval;
+ private long tokenMaxLifetime;
+ private long tokenRemoverScanInterval;
+ private long tokenRenewInterval;
+ private Thread tokenRemoverThread;
+ private volatile boolean running;
+
+ public AbstractDelegationTokenSecretManager(long delegationKeyUpdateInterval,
+ long delegationTokenMaxLifetime, long delegationTokenRenewInterval,
+ long delegationTokenRemoverScanInterval) {
+ this.keyUpdateInterval = delegationKeyUpdateInterval;
+ this.tokenMaxLifetime = delegationTokenMaxLifetime;
+ this.tokenRenewInterval = delegationTokenRenewInterval;
+ this.tokenRemoverScanInterval = delegationTokenRemoverScanInterval;
+ }
+
+ /** should be called before this object is used */
+ public synchronized void startThreads() throws IOException {
+ updateCurrentKey();
+ running = true;
+ tokenRemoverThread = new Daemon(new ExpiredTokenRemover());
+ tokenRemoverThread.start();
+ }
+
+ /**
+ * Add a previously used master key to cache (when NN restarts),
+ * should be called before activate().
+ * */
+ public synchronized void addKey(DelegationKey key) throws IOException {
+ if (running) // a safety check
+ throw new IOException("Can't add delegation key to a running SecretManager.");
+ if (key.getKeyId() > currentId) {
+ currentId = key.getKeyId();
+ }
+ allKeys.put(key.getKeyId(), key);
+ }
+
+ public synchronized DelegationKey[] getAllKeys() {
+ return allKeys.values().toArray(new DelegationKey[0]);
+ }
+
+ /** Update the current master key */
+ private synchronized void updateCurrentKey() throws IOException {
+ LOG.info("Updating the current master key for generating delegation tokens");
+ /* Create a new currentKey with an estimated expiry date. */
+ currentId++;
+ currentKey = new DelegationKey(currentId, System.currentTimeMillis()
+ + keyUpdateInterval + tokenMaxLifetime, generateSecret());
+ allKeys.put(currentKey.getKeyId(), currentKey);
+ }
+
+ /** Update the current master key for generating delegation tokens */
+ public synchronized void rollMasterKey() throws IOException {
+ removeExpiredKeys();
+ /* set final expiry date for retiring currentKey */
+ currentKey.setExpiryDate(System.currentTimeMillis() + tokenMaxLifetime);
+ /*
+ * currentKey might have been removed by removeExpiredKeys(), if
+ * updateMasterKey() isn't called at expected interval. Add it back to
+ * allKeys just in case.
+ */
+ allKeys.put(currentKey.getKeyId(), currentKey);
+ updateCurrentKey();
+ }
+
+ private synchronized void removeExpiredKeys() {
+ long now = System.currentTimeMillis();
+ for (Iterator<Map.Entry<Integer, DelegationKey>> it = allKeys.entrySet()
+ .iterator(); it.hasNext();) {
+ Map.Entry<Integer, DelegationKey> e = it.next();
+ if (e.getValue().getExpiryDate() < now) {
+ it.remove();
+ }
+ }
+ }
+
+ @Override
+ protected byte[] createPassword(TokenIdent identifier) {
+ int sequenceNum;
+ int id;
+ DelegationKey key;
+ long now = System.currentTimeMillis();
+ synchronized (this) {
+ id = currentId;
+ key = currentKey;
+ sequenceNum = ++delegationTokenSequenceNumber;
+ }
+ identifier.setIssueDate(now);
+ identifier.setMaxDate(now + tokenMaxLifetime);
+ identifier.setMasterKeyId(id);
+ identifier.setSequenceNumber(sequenceNum);
+ byte[] password = createPassword(identifier.getBytes(), key.getKey());
+ synchronized (currentTokens) {
+ currentTokens.put(identifier, new DelegationTokenInformation(now
+ + tokenRenewInterval, password));
+ }
+ return password;
+ }
+
+ @Override
+ public byte[] retrievePassword(TokenIdent identifier
+ ) throws InvalidToken {
+ DelegationTokenInformation info = null;
+ synchronized (currentTokens) {
+ info = currentTokens.get(identifier);
+ }
+ if (info == null) {
+ throw new InvalidToken("token is expired or doesn't exist");
+ }
+ long now = System.currentTimeMillis();
+ if (info.getRenewDate() < now) {
+ throw new InvalidToken("token is expired");
+ }
+ return info.getPassword();
+ }
+
+ /**
+ * Renew a delegation token. Canceled tokens are not renewed. Return true if
+ * the token is successfully renewed; false otherwise.
+ */
+ public Boolean renewToken(Token<TokenIdent> token,
+ String renewer) throws InvalidToken, IOException {
+ long now = System.currentTimeMillis();
+ ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
+ DataInputStream in = new DataInputStream(buf);
+ TokenIdent id = createIdentifier();
+ id.readFields(in);
+ synchronized (currentTokens) {
+ if (currentTokens.get(id) == null) {
+ LOG.warn("Renewal request for unknown token");
+ return false;
+ }
+ }
+ if (id.getMaxDate() < now) {
+ LOG.warn("Client " + renewer + " tries to renew an expired token");
+ return false;
+ }
+ if (id.getRenewer() == null || !id.getRenewer().toString().equals(renewer)) {
+ LOG.warn("Client " + renewer + " tries to renew a token with "
+ + "renewer specified as " + id.getRenewer());
+ return false;
+ }
+ DelegationKey key = null;
+ synchronized (this) {
+ key = allKeys.get(id.getMasterKeyId());
+ }
+ if (key == null) {
+ LOG.warn("Unable to find master key for keyId=" + id.getMasterKeyId()
+ + " from cache. Failed to renew an unexpired token with sequenceNumber="
+ + id.getSequenceNumber() + ", issued by this key");
+ return false;
+ }
+ byte[] password = createPassword(token.getIdentifier(), key.getKey());
+ if (!Arrays.equals(password, token.getPassword())) {
+ LOG.warn("Client " + renewer + " is trying to renew a token with wrong password");
+ return false;
+ }
+ DelegationTokenInformation info = new DelegationTokenInformation(
+ Math.min(id.getMaxDate(), now + tokenRenewInterval), password);
+ synchronized (currentTokens) {
+ currentTokens.put(id, info);
+ }
+ return true;
+ }
+
+ /**
+ * Cancel a token by removing it from cache. Return true if
+ * token exists in cache; false otherwise.
+ */
+ public Boolean cancelToken(Token<TokenIdent> token,
+ String canceller) throws IOException {
+ ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
+ DataInputStream in = new DataInputStream(buf);
+ TokenIdent id = createIdentifier();
+ id.readFields(in);
+ if (id.getRenewer() == null) {
+ LOG.warn("Renewer is null: Invalid Identifier");
+ return false;
+ }
+ if (id.getUser() == null) {
+ LOG.warn("owner is null: Invalid Identifier");
+ return false;
+ }
+ String owner = id.getUser().getUserName();
+ String renewer = id.getRenewer().toString();
+ if (!canceller.equals(owner) && !canceller.equals(renewer)) {
+ LOG.warn(canceller + " is not authorized to cancel the token");
+ return false;
+ }
+ DelegationTokenInformation info = null;
+ synchronized (currentTokens) {
+ info = currentTokens.remove(id);
+ }
+ return info != null;
+ }
+
+ /**
+ * Convert the byte[] to a secret key
+ * @param key the byte[] to create the secret key from
+ * @return the secret key
+ */
+ public static SecretKey createSecretKey(byte[] key) {
+ return SecretManager.createSecretKey(key);
+ }
+
+ /** Utility class to encapsulate a token's renew date and password. */
+ private static class DelegationTokenInformation {
+ long renewDate;
+ byte[] password;
+ DelegationTokenInformation(long renewDate, byte[] password) {
+ this.renewDate = renewDate;
+ this.password = password;
+ }
+ /** returns renew date */
+ long getRenewDate() {
+ return renewDate;
+ }
+ /** returns password */
+ byte[] getPassword() {
+ return password;
+ }
+ }
+
+ /** Remove expired delegation tokens from cache */
+ private void removeExpiredToken() {
+ long now = System.currentTimeMillis();
+ synchronized (currentTokens) {
+ Iterator<DelegationTokenInformation> i = currentTokens.values().iterator();
+ while (i.hasNext()) {
+ long renewDate = i.next().getRenewDate();
+ if (now > renewDate) {
+ i.remove();
+ }
+ }
+ }
+ }
+
+ public synchronized void stopThreads() {
+ if (LOG.isDebugEnabled())
+ LOG.debug("Stopping expired delegation token remover thread");
+ running = false;
+ tokenRemoverThread.interrupt();
+ }
+
+ private class ExpiredTokenRemover extends Thread {
+ private long lastMasterKeyUpdate;
+ private long lastTokenCacheCleanup;
+
+ public void run() {
+ LOG.info("Starting expired delegation token remover thread, "
+ + "tokenRemoverScanInterval=" + tokenRemoverScanInterval
+ / (60 * 1000) + " min(s)");
+ try {
+ while (running) {
+ long now = System.currentTimeMillis();
+ if (lastMasterKeyUpdate + keyUpdateInterval < now) {
+ try {
+ rollMasterKey();
+ lastMasterKeyUpdate = now;
+ } catch (IOException e) {
+ LOG.error("Master key updating failed. "
+ + StringUtils.stringifyException(e));
+ }
+ }
+ if (lastTokenCacheCleanup + tokenRemoverScanInterval < now) {
+ removeExpiredToken();
+ lastTokenCacheCleanup = now;
+ }
+ try {
+ Thread.sleep(5000); // 5 seconds
+ } catch (InterruptedException ie) {
+ LOG
+ .error("InterruptedExcpetion recieved for ExpiredTokenRemover thread "
+ + ie);
+ }
+ }
+ } catch (Throwable t) {
+ LOG.error("ExpiredTokenRemover thread received unexpected exception. "
+ + t);
+ Runtime.getRuntime().exit(-1);
+ }
+ }
+ }
+}
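Review bot: In `renewToken` the recomputed password is compared with the client-supplied one via `Arrays.equals(password, token.getPassword())`, which returns at the first differing byte and so leaks through timing how many leading bytes of a candidate matched; the comparison should be constant-time, e.g. `MessageDigest.isEqual(password, token.getPassword())` on a JDK where that method is constant-time, or a loop that ORs the XOR of every byte pair over the full length. In `ExpiredTokenRemover.run()` both `lastMasterKeyUpdate` and `lastTokenCacheCleanup` start at 0, so as far as I can tell the first iteration calls `rollMasterKey()` right after `startThreads()` has already created a key, immediately assigning that key its final expiry; initializing both timestamps to `System.currentTimeMillis()` at thread start would avoid the redundant roll. The `InterruptedException` from `Thread.sleep` is the expected wake-up issued by `stopThreads()`, yet it is logged at ERROR and the interrupt status is dropped; logging at DEBUG and calling `Thread.currentThread().interrupt()` before the `while (running)` check re-evaluates would match the intended shutdown path. `createPassword` and `stopThreads` also dereference `currentKey` and `tokenRemoverThread` without checking that `startThreads()` was ever called, which is worth stating in the "should be called before this object is used" comment or guarding with an `IllegalStateException`.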
Added: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSelector.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSelector.java?rev=1077158&view=auto
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSelector.java (added)
+++ hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSelector.java Fri Mar 4 03:47:09 2011
@@ -0,0 +1,61 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.security.token.delegation;
+
+import java.util.Collection;
+
+//import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.io.Text;
+import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.security.token.TokenIdentifier;
+import org.apache.hadoop.security.token.TokenSelector;
+//import static org.apache.hadoop.classification.InterfaceAudience.LimitedPrivate.Project.HDFS;
+//import static org.apache.hadoop.classification.InterfaceAudience.LimitedPrivate.Project.MAPREDUCE;
+
+/**
+ * Look through tokens to find the first delegation token that matches the
+ * service and return it.
+ */
+//@InterfaceAudience.LimitedPrivate({HDFS, MAPREDUCE})
+public
+class AbstractDelegationTokenSelector<TokenIdent
+extends AbstractDelegationTokenIdentifier>
+ implements TokenSelector<TokenIdent> {
+ private Text kindName;
+
+ protected AbstractDelegationTokenSelector(Text kindName) {
+ this.kindName = kindName;
+ }
+
+ @SuppressWarnings("unchecked")
+ @Override
+ public Token<TokenIdent> selectToken(Text service,
+ Collection<Token<? extends TokenIdentifier>> tokens) {
+ if (service == null) {
+ return null;
+ }
+ for (Token<? extends TokenIdentifier> token : tokens) {
+ if (kindName.equals(token.getKind())
+ && service.equals(token.getService())) {
+ return (Token<TokenIdent>) token;
+ }
+ }
+ return null;
+ }
+}
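Review bot: `kindName` is assigned only in the constructor but is not `final`, and a class named `AbstractDelegationTokenSelector` whose sole constructor is `protected` is not declared `abstract`; `private final Text kindName;` and `public abstract class AbstractDelegationTokenSelector<...>` would make both intents explicit. `selectToken` has no Javadoc; a short one stating that it returns null both for a null `service` and when no token matches `kindName` and `service`, and that the first match wins, would help callers. `Text` is mutable, so the constructor stores the caller's instance rather than a copy; if callers might reuse that object, `this.kindName = new Text(kindName);` is the safer form.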
Added: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/token/delegation/DelegationKey.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/token/delegation/DelegationKey.java?rev=1077158&view=auto
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/token/delegation/DelegationKey.java (added)
+++ hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/token/delegation/DelegationKey.java Fri Mar 4 03:47:09 2011
@@ -0,0 +1,88 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.security.token.delegation;
+
+//import org.apache.hadoop.classification.InterfaceAudience;
+import java.io.DataInput;
+import java.io.DataOutput;
+import java.io.IOException;
+
+import javax.crypto.SecretKey;
+
+import org.apache.hadoop.io.Writable;
+import org.apache.hadoop.io.WritableUtils;
+//import static org.apache.hadoop.classification.InterfaceAudience.LimitedPrivate.Project.HDFS;
+//import static org.apache.hadoop.classification.InterfaceAudience.LimitedPrivate.Project.MAPREDUCE;
+
+/**
+ * Key used for generating and verifying delegation tokens
+ */
+//@InterfaceAudience.LimitedPrivate({HDFS, MAPREDUCE})
+public class DelegationKey implements Writable {
+ private int keyId;
+ private long expiryDate;
+ private SecretKey key;
+
+ public DelegationKey() {
+ this(0, 0L, null);
+ }
+
+ public DelegationKey(int keyId, long expiryDate, SecretKey key) {
+ this.keyId = keyId;
+ this.expiryDate = expiryDate;
+ this.key = key;
+ }
+
+ public int getKeyId() {
+ return keyId;
+ }
+
+ public long getExpiryDate() {
+ return expiryDate;
+ }
+
+ public SecretKey getKey() {
+ return key;
+ }
+
+ public void setExpiryDate(long expiryDate) {
+ this.expiryDate = expiryDate;
+ }
+
+ /**
+ */
+ public void write(DataOutput out) throws IOException {
+ WritableUtils.writeVInt(out, keyId);
+ WritableUtils.writeVLong(out, expiryDate);
+ byte[] keyBytes = key.getEncoded();
+ WritableUtils.writeVInt(out, keyBytes.length);
+ out.write(keyBytes);
+ }
+
+ /**
+ */
+ public void readFields(DataInput in) throws IOException {
+ keyId = WritableUtils.readVInt(in);
+ expiryDate = WritableUtils.readVLong(in);
+ int len = WritableUtils.readVInt(in);
+ byte[] keyBytes = new byte[len];
+ in.readFully(keyBytes);
+ key = AbstractDelegationTokenSecretManager.createSecretKey(keyBytes);
+ }
+}
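Review bot: `write()` dereferences `key` unconditionally at `byte[] keyBytes = key.getEncoded();`, but the no-argument constructor explicitly sets `key` to null, so a default-constructed DelegationKey that is written before `readFields` fails with a bare NullPointerException; either reject it up front with `if (key == null) throw new IOException("DelegationKey has no secret key");` or state in the class Javadoc that the no-argument form exists only for deserialization. The two `/** */` blocks above `write` and `readFields` are empty and should describe the wire layout: keyId as vint, expiryDate as vlong, key length as vint, then the raw encoded key bytes, with the secret written unencrypted. `readFields` also allocates `new byte[len]` from an unchecked length field; if this stream can ever arrive from a peer rather than the NameNode's own persisted state, an upper bound on `len` should be enforced before the allocation.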
Modified: hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/DFSClient.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/DFSClient.java?rev=1077158&r1=1077157&r2=1077158&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/DFSClient.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/DFSClient.java Fri Mar 4 03:47:09 2011
@@ -31,7 +31,7 @@ import org.apache.hadoop.hdfs.Distribute
import org.apache.hadoop.hdfs.protocol.*;
import org.apache.hadoop.hdfs.security.BlockAccessToken;
import org.apache.hadoop.hdfs.security.InvalidAccessTokenException;
-import org.apache.hadoop.hdfs.security.token.DelegationTokenIdentifier;
+import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
import org.apache.hadoop.hdfs.server.common.HdfsConstants;
import org.apache.hadoop.hdfs.server.common.UpgradeStatusReport;
import org.apache.hadoop.hdfs.server.datanode.DataNode;
Modified: hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/DistributedFileSystem.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/DistributedFileSystem.java?rev=1077158&r1=1077157&r2=1077158&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/DistributedFileSystem.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/DistributedFileSystem.java Fri Mar 4 03:47:09 2011
@@ -30,12 +30,11 @@ import org.apache.hadoop.hdfs.protocol.B
import org.apache.hadoop.hdfs.protocol.LocatedBlock;
import org.apache.hadoop.hdfs.protocol.FSConstants.DatanodeReportType;
import org.apache.hadoop.hdfs.protocol.FSConstants.UpgradeAction;
-import org.apache.hadoop.hdfs.security.token.DelegationTokenIdentifier;
+import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
import org.apache.hadoop.hdfs.server.common.UpgradeStatusReport;
import org.apache.hadoop.hdfs.server.namenode.NameNode;
import org.apache.hadoop.hdfs.DFSClient.DFSOutputStream;
import org.apache.hadoop.io.Text;
-import org.apache.hadoop.ipc.RemoteException;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.SecretManager.InvalidToken;
Modified: hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/protocol/ClientProtocol.java?rev=1077158&r1=1077157&r2=1077158&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/protocol/ClientProtocol.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/protocol/ClientProtocol.java Fri Mar 4 03:47:09 2011
@@ -22,8 +22,6 @@ import java.io.*;
import org.apache.hadoop.ipc.VersionedProtocol;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.hdfs.protocol.FSConstants.UpgradeAction;
-import org.apache.hadoop.hdfs.security.token.DelegationTokenIdentifier;
-import org.apache.hadoop.hdfs.security.token.DelegationTokenSelector;
import org.apache.hadoop.hdfs.server.common.UpgradeStatusReport;
import org.apache.hadoop.fs.permission.*;
import org.apache.hadoop.hdfs.DFSConfigKeys;
@@ -33,6 +31,8 @@ import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.KerberosInfo;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenInfo;
+import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
+import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenSelector;
/**********************************************************************
* ClientProtocol is used by user code via
Added: hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenIdentifier.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenIdentifier.java?rev=1077158&view=auto
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenIdentifier.java (added)
+++ hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenIdentifier.java Fri Mar 4 03:47:09 2011
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfs.security.token.delegation;
+
+//import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.io.Text;
+import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
+
+/**
+ * A delegation token identifier that is specific to HDFS.
+ */
+//@InterfaceAudience.Private
+public class DelegationTokenIdentifier
+ extends AbstractDelegationTokenIdentifier {
+ static final Text HDFS_DELEGATION_KIND = new Text("HDFS_DELEGATION_TOKEN");
+
+ /**
+ * Create an empty delegation token identifier for reading into.
+ */
+ public DelegationTokenIdentifier() {
+ }
+
+ /**
+ * Create a new delegation token identifier
+ * @param owner the effective username of the token owner
+ * @param renewer the username of the renewer
+ * @param realUser the real username of the token owner
+ */
+ public DelegationTokenIdentifier(Text owner, Text renewer, Text realUser) {
+ super(owner, renewer, realUser);
+ }
+
+ @Override
+ public Text getKind() {
+ return HDFS_DELEGATION_KIND;
+ }
+
+}
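Review bot: `getKind()` hands out the shared `HDFS_DELEGATION_KIND` instance, and `org.apache.hadoop.io.Text` is a mutable `Writable`, so a caller that modifies the returned value changes the kind reported by every HDFS token in the process; the constant and the accessor should state the contract, e.g. `/** Kind of every HDFS delegation token; shared instance, callers must treat it as read-only. */` above line 835 and `/** @return the shared {@code HDFS_DELEGATION_KIND} instance, which must not be modified. */` above `getKind()`. The kind string is presumably part of the serialized token, so the comment should also say that its value must not change without a compatibility plan — to be confirmed against `Token`'s write path. The commented-out `InterfaceAudience` import and annotation (lines 825 and 832) are dead code in a new file; either drop them or leave a one-line comment saying why they are kept (the same pattern appears in DelegationTokenSecretManager and DelegationTokenSelector).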
Added: hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenSecretManager.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenSecretManager.java?rev=1077158&view=auto
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenSecretManager.java (added)
+++ hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenSecretManager.java Fri Mar 4 03:47:09 2011
@@ -0,0 +1,56 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfs.security.token.delegation;
+
+//import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
+
+/**
+ * A HDFS specific delegation token secret manager.
+ * The secret manager is responsible for generating and accepting the password
+ * for each token.
+ */
+//@InterfaceAudience.Private
+public class DelegationTokenSecretManager
+ extends AbstractDelegationTokenSecretManager<DelegationTokenIdentifier> {
+
+ /**
+ * Create a secret manager
+ * @param delegationKeyUpdateInterval the number of seconds for rolling new
+ * secret keys.
+ * @param delegationTokenMaxLifetime the maximum lifetime of the delegation
+ * tokens
+ * @param delegationTokenRenewInterval how often the tokens must be renewed
+ * @param delegationTokenRemoverScanInterval how often the tokens are scanned
+ * for expired tokens
+ */
+ public DelegationTokenSecretManager(long delegationKeyUpdateInterval,
+ long delegationTokenMaxLifetime,
+ long delegationTokenRenewInterval,
+ long delegationTokenRemoverScanInterval) {
+ super(delegationKeyUpdateInterval, delegationTokenMaxLifetime,
+ delegationTokenRenewInterval, delegationTokenRemoverScanInterval);
+ }
+
+ @Override
+ public DelegationTokenIdentifier createIdentifier() {
+ return new DelegationTokenIdentifier();
+ }
+
+}
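Review bot: The constructor Javadoc says `delegationKeyUpdateInterval` is "the number of seconds", but every caller in this commit passes values that only make sense as milliseconds (the common test constructs the manager with `24*60*60*1000`, and the HDFS test configures a 10000 max lifetime and then sleeps 6000 ms to expire a token); the other three parameters give no unit at all. Since these values control how long an issued token stays acceptable and how often the master key rolls, a seconds/milliseconds mix-up in a caller would silently extend token validity by three orders of magnitude, so the units should be spelled out on all four `@param` tags, e.g. `@param delegationKeyUpdateInterval interval, in milliseconds, between master key rollovers` — confirm against `AbstractDelegationTokenSecretManager`, which is outside this hunk. The commented-out `InterfaceAudience` lines (885, 893) are dead code in a new file.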
Added: hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenSelector.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenSelector.java?rev=1077158&view=auto
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenSelector.java (added)
+++ hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenSelector.java Fri Mar 4 03:47:09 2011
@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hdfs.security.token.delegation;
+
+//import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSelector;
+
+/**
+ * A delegation token that is specialized for HDFS
+ */
+//@InterfaceAudience.Private
+public class DelegationTokenSelector
+ extends AbstractDelegationTokenSelector<DelegationTokenIdentifier>{
+
+ public DelegationTokenSelector() {
+ super(DelegationTokenIdentifier.HDFS_DELEGATION_KIND);
+ }
+}
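Review bot: The class Javadoc at line 950 describes this as "A delegation token that is specialized for HDFS", but the class is a token selector, not a token; suggest `/** Selects, from a collection of tokens, the one whose kind is {@code DelegationTokenIdentifier.HDFS_DELEGATION_KIND} and whose service matches the requested one. */` — the matching rule itself lives in `AbstractDelegationTokenSelector` and is not visible here, so phrase it as "see the base class" if the selection semantics are uncertain. The public constructor has no Javadoc; a one-liner such as `/** Creates a selector that only matches HDFS delegation tokens. */` is enough. Same dead commented-out `InterfaceAudience` lines as in the sibling files (946, 952).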
Modified: hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java?rev=1077158&r1=1077157&r2=1077158&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java Fri Mar 4 03:47:09 2011
@@ -35,8 +35,8 @@ import org.apache.hadoop.hdfs.security.E
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.SecretManager.InvalidToken;
-import org.apache.hadoop.hdfs.security.token.DelegationTokenIdentifier;
-import org.apache.hadoop.hdfs.security.token.DelegationTokenSecretManager;
+import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
+import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenSecretManager;
import org.apache.hadoop.util.*;
import org.apache.hadoop.metrics.util.MBeanUtil;
import org.apache.hadoop.net.CachedDNSToSwitchMapping;
Modified: hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/NameNode.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/NameNode.java?rev=1077158&r1=1077157&r2=1077158&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/NameNode.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/hdfs/org/apache/hadoop/hdfs/server/namenode/NameNode.java Fri Mar 4 03:47:09 2011
@@ -46,7 +46,6 @@ import org.apache.hadoop.http.HttpServer
import org.apache.hadoop.io.Text;
import org.apache.hadoop.ipc.*;
import org.apache.hadoop.conf.*;
-import org.apache.hadoop.util.ReflectionUtils;
import org.apache.hadoop.util.StringUtils;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.net.NetworkTopology;
@@ -59,7 +58,7 @@ import org.apache.hadoop.security.author
import org.apache.hadoop.security.authorize.ServiceAuthorizationManager;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.SecretManager.InvalidToken;
-import org.apache.hadoop.hdfs.security.token.DelegationTokenIdentifier;
+import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
import org.apache.hadoop.security.Groups;
import org.apache.hadoop.security.RefreshUserToGroupMappingsProtocol;
Modified: hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapreduce/security/TokenCache.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapreduce/security/TokenCache.java?rev=1077158&r1=1077157&r2=1077158&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapreduce/security/TokenCache.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapreduce/security/TokenCache.java Fri Mar 4 03:47:09 2011
@@ -29,7 +29,7 @@ import org.apache.hadoop.fs.FSDataInputS
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hdfs.DistributedFileSystem;
-import org.apache.hadoop.hdfs.security.token.DelegationTokenIdentifier;
+import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
import org.apache.hadoop.hdfs.server.namenode.NameNode;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.mapred.JobConf;
Modified: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/TestDFSClientRetries.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/TestDFSClientRetries.java?rev=1077158&r1=1077157&r2=1077158&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/TestDFSClientRetries.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/TestDFSClientRetries.java Fri Mar 4 03:47:09 2011
@@ -28,7 +28,6 @@ import org.apache.hadoop.fs.*;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.hdfs.protocol.*;
import org.apache.hadoop.hdfs.protocol.FSConstants.UpgradeAction;
-import org.apache.hadoop.hdfs.security.token.DelegationTokenIdentifier;
import org.apache.hadoop.hdfs.server.common.*;
import org.apache.hadoop.hdfs.server.namenode.NotReplicatedYetException;
import org.apache.hadoop.io.*;
@@ -37,6 +36,7 @@ import org.apache.hadoop.security.Access
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.SecretManager.InvalidToken;
+import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
import junit.framework.TestCase;
Modified: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/security/TestClientProtocolWithDelegationToken.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/security/TestClientProtocolWithDelegationToken.java?rev=1077158&r1=1077157&r2=1077158&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/security/TestClientProtocolWithDelegationToken.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/security/TestClientProtocolWithDelegationToken.java Fri Mar 4 03:47:09 2011
@@ -38,10 +38,10 @@ import org.apache.hadoop.ipc.RPC;
import org.apache.hadoop.ipc.Server;
import org.apache.hadoop.hdfs.DFSConfigKeys;
import org.apache.hadoop.hdfs.protocol.ClientProtocol;
-import org.apache.hadoop.hdfs.security.token.DelegationTokenIdentifier;
-import org.apache.hadoop.hdfs.security.token.DelegationTokenSecretManager;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
+import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenSecretManager;
import org.apache.hadoop.security.SaslInputStream;
import org.apache.hadoop.security.SaslRpcClient;
import org.apache.hadoop.security.SaslRpcServer;
Added: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/security/TestDelegationToken.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/security/TestDelegationToken.java?rev=1077158&view=auto
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/security/TestDelegationToken.java (added)
+++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/hdfs/security/TestDelegationToken.java Fri Mar 4 03:47:09 2011
@@ -0,0 +1,164 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfs.security;
+
+
+
+import java.io.ByteArrayInputStream;
+import java.io.DataInputStream;
+import java.io.IOException;
+import java.security.PrivilegedExceptionAction;
+
+import junit.framework.Assert;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.hdfs.DFSConfigKeys;
+import org.apache.hadoop.hdfs.DistributedFileSystem;
+import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.io.Text;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.security.token.SecretManager.InvalidToken;
+import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
+import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenSecretManager;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.mortbay.log.Log;
+
+public class TestDelegationToken {
+ private MiniDFSCluster cluster;
+ Configuration config;
+ final private static String GROUP1_NAME = "group1";
+ final private static String GROUP2_NAME = "group2";
+ final private static String[] GROUP_NAMES = new String[] { GROUP1_NAME,
+ GROUP2_NAME };
+
+ @Before
+ public void setUp() throws Exception {
+ config = new Configuration();
+ config.setLong(DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_KEY, 10000);
+ config.setLong(DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_RENEW_INTERVAL_KEY, 5000);
+ FileSystem.setDefaultUri(config, "hdfs://localhost:" + "0");
+ cluster = new MiniDFSCluster(0, config, 1, true, true, true, null, null, null, null);
+ cluster.waitActive();
+ }
+
+ @After
+ public void tearDown() throws Exception {
+ if(cluster!=null) {
+ cluster.shutdown();
+ }
+ }
+
+ private Token<DelegationTokenIdentifier> generateDelegationToken(
+ String owner, String renewer) {
+ DelegationTokenSecretManager dtSecretManager = cluster.getNameNode()
+ .getNamesystem().getDelegationTokenSecretManager();
+ DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(new Text(
+ owner), new Text(renewer), null);
+ return new Token<DelegationTokenIdentifier>(dtId, dtSecretManager);
+ }
+
+ @Test
+ public void testDelegationTokenSecretManager() throws Exception {
+ DelegationTokenSecretManager dtSecretManager = cluster.getNameNode()
+ .getNamesystem().getDelegationTokenSecretManager();
+ Token<DelegationTokenIdentifier> token = generateDelegationToken(
+ "SomeUser", "JobTracker");
+ // Fake renewer should not be able to renew
+ Assert.assertFalse(dtSecretManager.renewToken(token, "FakeRenewer"));
+ Assert.assertTrue(dtSecretManager.renewToken(token, "JobTracker"));
+ DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
+ byte[] tokenId = token.getIdentifier();
+ identifier.readFields(new DataInputStream(
+ new ByteArrayInputStream(tokenId)));
+ Assert.assertTrue(null != dtSecretManager.retrievePassword(identifier));
+ Log.info("Sleep to expire the token");
+ Thread.sleep(6000);
+ //Token should be expired
+ try {
+ dtSecretManager.retrievePassword(identifier);
+ //Should not come here
+ Assert.fail("Token should have expired");
+ } catch (InvalidToken e) {
+ //Success
+ }
+ Assert.assertTrue(dtSecretManager.renewToken(token, "JobTracker"));
+ Log.info("Sleep beyond the max lifetime");
+ Thread.sleep(5000);
+ Assert.assertFalse(dtSecretManager.renewToken(token, "JobTracker"));
+ }
+
+ @Test
+ public void testCancelDelegationToken() throws Exception {
+ DelegationTokenSecretManager dtSecretManager = cluster.getNameNode()
+ .getNamesystem().getDelegationTokenSecretManager();
+ Token<DelegationTokenIdentifier> token = generateDelegationToken(
+ "SomeUser", "JobTracker");
+ //Fake renewer should not be able to renew
+ Assert.assertFalse(dtSecretManager.cancelToken(token, "FakeCanceller"));
+ Assert.assertTrue(dtSecretManager.cancelToken(token, "JobTracker"));
+ Assert.assertFalse(dtSecretManager.renewToken(token, "JobTracker"));
+ }
+
+ @Test
+ public void testDelegationTokenDFSApi() throws Exception {
+ DelegationTokenSecretManager dtSecretManager = cluster.getNameNode()
+ .getNamesystem().getDelegationTokenSecretManager();
+ DistributedFileSystem dfs = (DistributedFileSystem) cluster.getFileSystem();
+ Token<DelegationTokenIdentifier> token = dfs.getDelegationToken(new Text("JobTracker"));
+ DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
+ byte[] tokenId = token.getIdentifier();
+ identifier.readFields(new DataInputStream(
+ new ByteArrayInputStream(tokenId)));
+ Log.info("A valid token should have non-null password, and should be renewed successfully");
+ Assert.assertTrue(null != dtSecretManager.retrievePassword(identifier));
+ Assert.assertTrue(dtSecretManager.renewToken(token, "JobTracker"));
+ }
+
+ @Test
+ public void testDelegationTokenWithRealUser() throws IOException {
+ UserGroupInformation ugi = UserGroupInformation.createUserForTesting(
+ "RealUser", GROUP_NAMES);
+ final UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser(
+ "proxyUser", ugi);
+ try {
+ Token<DelegationTokenIdentifier> token = proxyUgi
+ .doAs(new PrivilegedExceptionAction<Token<DelegationTokenIdentifier>>() {
+ public Token<DelegationTokenIdentifier> run() throws IOException {
+ DistributedFileSystem dfs = (DistributedFileSystem) cluster
+ .getFileSystem();
+ return dfs.getDelegationToken(new Text("RenewerUser"));
+ }
+ });
+ DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
+ byte[] tokenId = token.getIdentifier();
+ identifier.readFields(new DataInputStream(new ByteArrayInputStream(
+ tokenId)));
+ Assert.assertEquals(identifier.getUser().getUserName(), "proxyUser");
+ Assert.assertEquals(identifier.getUser().getRealUser().getUserName(),
+ "RealUser");
+ } catch (InterruptedException e) {
+ //Do Nothing
+ }
+ }
+
+}
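Review bot: `testDelegationTokenWithRealUser` swallows `InterruptedException` at lines 1212–1214, so if `doAs` is interrupted the method returns before any assertion runs and the test passes vacuously; replace the empty catch with `Thread.currentThread().interrupt(); Assert.fail("interrupted while obtaining token: " + e);` or simply declare the method `throws Exception` and drop the try/catch, as the other tests in this file already do. The `assertEquals` calls at lines 1209–1211 pass the expected value second, so a failure message will read backwards ("expected proxyUser but was ..." is inverted). `testDelegationTokenSecretManager` depends on wall-clock sleeps (6000 ms, then 5000 ms) against a 10000 ms max lifetime and 5000 ms renew interval configured in `setUp`, which is likely to be flaky under load; a comment on line 1110 recording the intended timeline (expire after renew interval, exceed max lifetime after the second sleep) would at least make the numbers reviewable.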
Modified: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapreduce/security/TestTokenCache.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapreduce/security/TestTokenCache.java?rev=1077158&r1=1077157&r2=1077158&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapreduce/security/TestTokenCache.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapreduce/security/TestTokenCache.java Fri Mar 4 03:47:09 2011
@@ -38,7 +38,7 @@ import org.apache.hadoop.examples.SleepJ
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hdfs.MiniDFSCluster;
-import org.apache.hadoop.hdfs.security.token.DelegationTokenIdentifier;
+import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
import org.apache.hadoop.hdfs.server.namenode.NameNode;
import org.apache.hadoop.io.IntWritable;
import org.apache.hadoop.io.NullWritable;
Added: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/token/delegation/TestDelegationToken.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/token/delegation/TestDelegationToken.java?rev=1077158&view=auto
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/token/delegation/TestDelegationToken.java (added)
+++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/token/delegation/TestDelegationToken.java Fri Mar 4 03:47:09 2011
@@ -0,0 +1,262 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.security.token.delegation;
+
+import java.io.ByteArrayInputStream;
+import java.io.DataInput;
+import java.io.DataInputStream;
+import java.io.DataOutput;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+
+import junit.framework.Assert;
+
+import org.apache.hadoop.io.DataInputBuffer;
+import org.apache.hadoop.io.DataOutputBuffer;
+import org.apache.hadoop.io.Text;
+import org.apache.hadoop.io.Writable;
+import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.security.token.TokenIdentifier;
+import org.apache.hadoop.security.token.SecretManager.InvalidToken;
+import org.junit.Test;
+import org.mortbay.log.Log;
+
+import static org.junit.Assert.*;
+
+public class TestDelegationToken {
+ private static final Text KIND = new Text("MY KIND");
+
+ public static class TestDelegationTokenIdentifier
+ extends AbstractDelegationTokenIdentifier
+ implements Writable {
+
+ public TestDelegationTokenIdentifier() {
+ }
+
+ public TestDelegationTokenIdentifier(Text owner, Text renewer, Text realUser) {
+ super(owner, renewer, realUser);
+ }
+
+ @Override
+ public Text getKind() {
+ return KIND;
+ }
+
+ public void write(DataOutput out) throws IOException {
+ super.write(out);
+ }
+ public void readFields(DataInput in) throws IOException {
+ super.readFields(in);
+ }
+ }
+
+ public static class TestDelegationTokenSecretManager
+ extends AbstractDelegationTokenSecretManager<TestDelegationTokenIdentifier> {
+
+ public TestDelegationTokenSecretManager(long delegationKeyUpdateInterval,
+ long delegationTokenMaxLifetime,
+ long delegationTokenRenewInterval,
+ long delegationTokenRemoverScanInterval) {
+ super(delegationKeyUpdateInterval, delegationTokenMaxLifetime,
+ delegationTokenRenewInterval, delegationTokenRemoverScanInterval);
+ }
+
+ @Override
+ public TestDelegationTokenIdentifier createIdentifier() {
+ return new TestDelegationTokenIdentifier();
+ }
+
+ @Override
+ protected byte[] createPassword(TestDelegationTokenIdentifier t) {
+ return super.createPassword(t);
+ }
+ }
+
+ public static class TokenSelector extends
+ AbstractDelegationTokenSelector<TestDelegationTokenIdentifier>{
+
+ protected TokenSelector() {
+ super(KIND);
+ }
+ }
+
+ @Test
+ public void testSerialization() throws Exception {
+ TestDelegationTokenIdentifier origToken = new
+ TestDelegationTokenIdentifier(new Text("alice"),
+ new Text("bob"),
+ new Text("colin"));
+ TestDelegationTokenIdentifier newToken = new TestDelegationTokenIdentifier();
+ origToken.setIssueDate(123);
+ origToken.setMasterKeyId(321);
+ origToken.setMaxDate(314);
+ origToken.setSequenceNumber(12345);
+
+ // clone origToken into newToken
+ DataInputBuffer inBuf = new DataInputBuffer();
+ DataOutputBuffer outBuf = new DataOutputBuffer();
+ origToken.write(outBuf);
+ inBuf.reset(outBuf.getData(), 0, outBuf.getLength());
+ newToken.readFields(inBuf);
+
+ // now test the fields
+ assertEquals("alice", newToken.getUser().getUserName());
+ assertEquals(new Text("bob"), newToken.getRenewer());
+ assertEquals("colin", newToken.getUser().getRealUser().getUserName());
+ assertEquals(123, newToken.getIssueDate());
+ assertEquals(321, newToken.getMasterKeyId());
+ assertEquals(314, newToken.getMaxDate());
+ assertEquals(12345, newToken.getSequenceNumber());
+ assertEquals(origToken, newToken);
+ }
+
+ private Token<TestDelegationTokenIdentifier> generateDelegationToken(
+ TestDelegationTokenSecretManager dtSecretManager,
+ String owner, String renewer) {
+ TestDelegationTokenIdentifier dtId =
+ new TestDelegationTokenIdentifier(new Text(
+ owner), new Text(renewer), null);
+ return new Token<TestDelegationTokenIdentifier>(dtId, dtSecretManager);
+ }
+ @Test
+ public void testDelegationTokenSecretManager() throws Exception {
+ TestDelegationTokenSecretManager dtSecretManager =
+ new TestDelegationTokenSecretManager(24*60*60*1000,
+ 3*1000,1*1000,3600000);
+ try {
+ dtSecretManager.startThreads();
+ Token<TestDelegationTokenIdentifier> token = generateDelegationToken(
+ dtSecretManager, "SomeUser", "JobTracker");
+ // Fake renewer should not be able to renew
+ Assert.assertFalse(dtSecretManager.renewToken(token, "FakeRenewer"));
+ Assert.assertTrue(dtSecretManager.renewToken(token, "JobTracker"));
+ TestDelegationTokenIdentifier identifier =
+ new TestDelegationTokenIdentifier();
+ byte[] tokenId = token.getIdentifier();
+ identifier.readFields(new DataInputStream(
+ new ByteArrayInputStream(tokenId)));
+ Assert.assertTrue(null != dtSecretManager.retrievePassword(identifier));
+ Log.info("Sleep to expire the token");
+ Thread.sleep(2000);
+ //Token should be expired
+ try {
+ dtSecretManager.retrievePassword(identifier);
+ //Should not come here
+ Assert.fail("Token should have expired");
+ } catch (InvalidToken e) {
+ //Success
+ }
+ Assert.assertTrue(dtSecretManager.renewToken(token, "JobTracker"));
+ Log.info("Sleep beyond the max lifetime");
+ Thread.sleep(2000);
+ Assert.assertFalse(dtSecretManager.renewToken(token, "JobTracker"));
+ } finally {
+ dtSecretManager.stopThreads();
+ }
+ }
+ @Test
+ public void testCancelDelegationToken() throws Exception {
+ TestDelegationTokenSecretManager dtSecretManager =
+ new TestDelegationTokenSecretManager(24*60*60*1000,
+ 10*1000,1*1000,3600000);
+ try {
+ dtSecretManager.startThreads();
+ Token<TestDelegationTokenIdentifier> token = generateDelegationToken(
+ dtSecretManager, "SomeUser", "JobTracker");
+ //Fake renewer should not be able to renew
+ Assert.assertFalse(dtSecretManager.cancelToken(token, "FakeCanceller"));
+ Assert.assertTrue(dtSecretManager.cancelToken(token, "JobTracker"));
+ Assert.assertFalse(dtSecretManager.renewToken(token, "JobTracker"));
+ } finally {
+ dtSecretManager.stopThreads();
+ }
+ }
+ @Test
+ public void testRollMasterKey() throws Exception {
+ TestDelegationTokenSecretManager dtSecretManager =
+ new TestDelegationTokenSecretManager(24*60*60*1000,
+ 10*1000,1*1000,3600000);
+ try {
+ dtSecretManager.startThreads();
+ //generate a token and store the password
+ Token<TestDelegationTokenIdentifier> token = generateDelegationToken(
+ dtSecretManager, "SomeUser", "JobTracker");
+ byte[] oldPasswd = token.getPassword();
+ //store the length of the keys list
+ int prevNumKeys = dtSecretManager.getAllKeys().length;
+
+ dtSecretManager.rollMasterKey();
+
+ //after rolling, the length of the keys list must increase
+ int currNumKeys = dtSecretManager.getAllKeys().length;
+ Assert.assertEquals((currNumKeys - prevNumKeys) >= 1, true);
+
+ //after rolling, the token that was generated earlier must
+ //still be valid (retrievePassword will fail if the token
+ //is not valid)
+ ByteArrayInputStream bi =
+ new ByteArrayInputStream(token.getIdentifier());
+ TestDelegationTokenIdentifier identifier =
+ dtSecretManager.createIdentifier();
+ identifier.readFields(new DataInputStream(bi));
+ byte[] newPasswd =
+ dtSecretManager.retrievePassword(identifier);
+ //compare the passwords
+ Assert.assertEquals(oldPasswd, newPasswd);
+ } finally {
+ dtSecretManager.stopThreads();
+ }
+ }
+ @Test
+ @SuppressWarnings("unchecked")
+ public void testDelegationTokenSelector() throws Exception {
+ TestDelegationTokenSecretManager dtSecretManager =
+ new TestDelegationTokenSecretManager(24*60*60*1000,
+ 10*1000,1*1000,3600000);
+ try {
+ dtSecretManager.startThreads();
+ AbstractDelegationTokenSelector ds =
+ new AbstractDelegationTokenSelector<TestDelegationTokenIdentifier>(KIND);
+
+ //Creates a collection of tokens
+ Token<TestDelegationTokenIdentifier> token1 = generateDelegationToken(
+ dtSecretManager, "SomeUser1", "JobTracker");
+ token1.setService(new Text("MY-SERVICE1"));
+
+ Token<TestDelegationTokenIdentifier> token2 = generateDelegationToken(
+ dtSecretManager, "SomeUser2", "JobTracker");
+ token2.setService(new Text("MY-SERVICE2"));
+
+ List<Token<TestDelegationTokenIdentifier>> tokens =
+ new ArrayList<Token<TestDelegationTokenIdentifier>>();
+ tokens.add(token1);
+ tokens.add(token2);
+
+ //try to select a token with a given service name (created earlier)
+ Token<TestDelegationTokenIdentifier> t =
+ ds.selectToken(new Text("MY-SERVICE1"), tokens);
+ Assert.assertEquals(t, token1);
+ } finally {
+ dtSecretManager.stopThreads();
+ }
+ }
+}
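Review bot: `Assert.assertEquals(oldPasswd, newPasswd)` at line 1461 compares two `byte[]` with `Object.equals`, which for arrays is reference equality, so this assertion does not verify that the password derived after `rollMasterKey()` actually matches the original bytes — the one property the test exists to check; use the already imported `java.util.Arrays`: `Assert.assertTrue(Arrays.equals(oldPasswd, newPasswd));` (or `assertArrayEquals` from the static `org.junit.Assert` import at line 1280). Line 1448 `Assert.assertEquals((currNumKeys - prevNumKeys) >= 1, true)` is clearer as `Assert.assertTrue(currNumKeys > prevNumKeys)`. The nested `TokenSelector` class (lines 1331–1337) is never used, while `testDelegationTokenSelector` builds a raw `AbstractDelegationTokenSelector` and needs `@SuppressWarnings("unchecked")` for it; `TokenSelector ds = new TokenSelector();` exercises the intended subclass and drops the raw type. The `write`/`readFields` overrides in `TestDelegationTokenIdentifier` and the `createPassword` override only delegate to `super`, and `Collection`/`TokenIdentifier` are imported but unused.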