Posted to common-commits@hadoop.apache.org by st...@apache.org on 2020/06/09 13:39:16 UTC

[hadoop] branch trunk updated: HADOOP-17050 S3A to support additional token issuers

This is an automated email from the ASF dual-hosted git repository.

stevel pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/hadoop.git


The following commit(s) were added to refs/heads/trunk by this push:
     new ac5d899  HADOOP-17050 S3A to support additional token issuers
ac5d899 is described below

commit ac5d899d40d7b50ba73c400a708f59fb128e6e30
Author: Steve Loughran <st...@cloudera.com>
AuthorDate: Tue Jun 9 14:39:06 2020 +0100

    HADOOP-17050 S3A to support additional token issuers
    
    
    Contributed by Steve Loughran.
    
    S3A delegation token providers will be asked for any additional
    token issuers. An array can be returned; each issuer in it
    will be asked for tokens when DelegationTokenIssuer collects
    all the tokens for a filesystem.
---
 .../java/org/apache/hadoop/fs/s3a/S3AFileSystem.java | 20 ++++++++++++++++++++
 .../fs/s3a/auth/delegation/S3ADelegationTokens.java  | 14 ++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/S3AFileSystem.java b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/S3AFileSystem.java
index 6d2b3a8..fa0251a 100644
--- a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/S3AFileSystem.java
+++ b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/S3AFileSystem.java
@@ -114,6 +114,7 @@ import org.apache.hadoop.fs.s3a.s3guard.BulkOperationState;
 import org.apache.hadoop.fs.s3a.select.InternalSelectConstants;
 import org.apache.hadoop.io.IOUtils;
 import org.apache.hadoop.io.Text;
+import org.apache.hadoop.security.token.DelegationTokenIssuer;
 import org.apache.hadoop.security.token.TokenIdentifier;
 import org.apache.hadoop.util.DurationInfo;
 import org.apache.hadoop.util.LambdaUtils;
@@ -3378,6 +3379,25 @@ public class S3AFileSystem extends FileSystem implements StreamCapabilities,
   }
 
   /**
+   * Ask any DT plugin for any extra token issuers.
+   * These do not get told of the encryption secrets and can
+   * return any type of token.
+   * This allows DT plugins to issue extra tokens for
+   * ancillary services.
+   */
+  @Override
+  public DelegationTokenIssuer[] getAdditionalTokenIssuers()
+      throws IOException {
+    if (delegationTokens.isPresent()) {
+      return delegationTokens.get().getAdditionalTokenIssuers();
+    } else {
+      // Delegation token support is not set up
+      LOG.debug("Token support is not enabled");
+      return null;
+    }
+  }
+
+  /**
    * Build the AWS policy for restricted access to the resources needed
    * by this bucket.
    * The policy generated includes S3 access, S3Guard access
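Review bot: The javadoc added for `S3AFileSystem.getAdditionalTokenIssuers()` has no `@return` or `@throws` tag, so the `return null` taken when `delegationTokens` is absent is an undocumented part of the contract. I would add `@return the issuers offered by the DT plugin; null if delegation tokens are not enabled or the plugin offers none` and `@throws IOException failure to enumerate the issuers`. The comment also says these issuers "can return any type of token", and per the commit message their tokens are gathered alongside the filesystem's own. It is worth one more sentence stating that the DT plugin is trusted code and is expected to issue tokens only for services it owns. The javadoc that opens at the end of the hunk belongs to the next method, which continues outside it.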
diff --git a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/S3ADelegationTokens.java b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/S3ADelegationTokens.java
index 5005436..ef0b129 100644
--- a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/S3ADelegationTokens.java
+++ b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/S3ADelegationTokens.java
@@ -40,6 +40,7 @@ import org.apache.hadoop.fs.s3a.impl.StoreContext;
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.token.DelegationTokenIssuer;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.service.ServiceOperations;
 import org.apache.hadoop.util.DurationInfo;
@@ -448,6 +449,19 @@ public class S3ADelegationTokens extends AbstractDTService {
   }
 
   /**
+   * Get a null/possibly empty list of extra delegation token issuers.
+   * These will be asked for tokens when
+   * {@link DelegationTokenIssuer#getAdditionalTokenIssuers()} recursively
+   * collects all DTs a filesystem can offer.
+   * @return a null or empty array. Default implementation: null
+   * @throws IOException failure
+   */
+  public DelegationTokenIssuer[] getAdditionalTokenIssuers()
+      throws IOException {
+    return null;
+  }
+
+  /**
    * Get the AWS credential provider.
    * @return the DT credential provider
    * @throws IOException failure to parse the DT
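Review bot: `S3ADelegationTokens.getAdditionalTokenIssuers()` returns `null` unconditionally, and nothing in this hunk forwards the call to the bound token provider. As shown, "DT plugins will be asked" from the commit message only holds if someone subclasses `S3ADelegationTokens`. If forwarding is meant to come later, the javadoc should say that this is an extension point and who is expected to override it. Otherwise the method should delegate to the active binding, and fail or return `null` when the service has no binding yet. The `@return a null or empty array` line also reads as if a populated array were never valid; I would write `@return an array of additional issuers; may be null or empty. Default implementation: null`. The `{@link ...}` sentence describes `getAdditionalTokenIssuers()` as the method that recursively collects tokens, which looks like it should point at the collecting method on `DelegationTokenIssuer` instead.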

