Posted to common-commits@hadoop.apache.org by wa...@apache.org on 2013/09/11 22:04:51 UTC
svn commit: r1522015 - in
/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token:
TokenIdentifier.java delegation/AbstractDelegationTokenSecretManager.java
Author: wang
Date: Wed Sep 11 20:04:50 2013
New Revision: 1522015
URL: http://svn.apache.org/r1522015
Log:
HDFS-4680. Audit logging of delegation tokens for MR tracing. (Andrew Wang)
Modified:
hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/TokenIdentifier.java
hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java
Modified: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/TokenIdentifier.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/TokenIdentifier.java?rev=1522015&r1=1522014&r2=1522015&view=diff
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/TokenIdentifier.java (original)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/TokenIdentifier.java Wed Sep 11 20:04:50 2013
@@ -21,6 +21,7 @@ package org.apache.hadoop.security.token
import java.io.IOException;
import java.util.Arrays;
+import org.apache.commons.codec.digest.DigestUtils;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.io.DataOutputBuffer;
@@ -35,6 +36,9 @@ import org.apache.hadoop.security.UserGr
@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
@InterfaceStability.Evolving
public abstract class TokenIdentifier implements Writable {
+
+ private String trackingId = null;
+
/**
* Get the token kind
* @return the kind of the token
@@ -62,4 +66,19 @@ public abstract class TokenIdentifier im
}
return Arrays.copyOf(buf.getData(), buf.getLength());
}
+
+ /**
+ * Returns a tracking identifier that can be used to associate usages of a
+ * token across multiple client sessions.
+ *
+ * Currently, this function just returns an MD5 of {{@link #getBytes()}.
+ *
+ * @return tracking identifier
+ */
+ public String getTrackingId() {
+ if (trackingId == null) {
+ trackingId = DigestUtils.md5Hex(getBytes());
+ }
+ return trackingId;
+ }
}
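Review bot: The value cached in `trackingId` by `getTrackingId()` is never invalidated. The class implements `Writable`, so if an instance is repopulated or a subclass setter changes a field after the first call, the method keeps returning the digest of the old bytes and audit records would then be correlated under a stale ID. Either compute `DigestUtils.md5Hex(getBytes())` on every call, or state in the Javadoc that the method may only be called once the identifier's fields are final. The Javadoc should also say that the MD5 value is a log-correlation handle and not a collision-resistant or secret identifier. In the same comment, `{{@link #getBytes()}` has a stray brace and should read `{@link #getBytes()}`.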
Modified: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java?rev=1522015&r1=1522014&r2=1522015&view=diff
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java (original)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java Wed Sep 11 20:04:50 2013
@@ -86,6 +86,11 @@ extends AbstractDelegationTokenIdentifie
private long tokenMaxLifetime;
private long tokenRemoverScanInterval;
private long tokenRenewInterval;
+ /**
+ * Whether to store a token's tracking ID in its TokenInformation.
+ * Can be overridden by a subclass.
+ */
+ protected boolean storeTokenTrackingId;
private Thread tokenRemoverThread;
protected volatile boolean running;
@@ -102,6 +107,7 @@ extends AbstractDelegationTokenIdentifie
this.tokenMaxLifetime = delegationTokenMaxLifetime;
this.tokenRenewInterval = delegationTokenRenewInterval;
this.tokenRemoverScanInterval = delegationTokenRemoverScanInterval;
+ this.storeTokenTrackingId = false;
}
/** should be called before this object is used */
@@ -201,7 +207,7 @@ extends AbstractDelegationTokenIdentifie
}
if (currentTokens.get(identifier) == null) {
currentTokens.put(identifier, new DelegationTokenInformation(renewDate,
- password));
+ password, getTrackingIdIfEnabled(identifier)));
} else {
throw new IOException(
"Same delegation token being added twice.");
@@ -280,7 +286,7 @@ extends AbstractDelegationTokenIdentifie
byte[] password = createPassword(identifier.getBytes(), currentKey.getKey());
storeNewToken(identifier, now + tokenRenewInterval);
currentTokens.put(identifier, new DelegationTokenInformation(now
- + tokenRenewInterval, password));
+ + tokenRenewInterval, password, getTrackingIdIfEnabled(identifier)));
return password;
}
@@ -299,6 +305,21 @@ extends AbstractDelegationTokenIdentifie
return info.getPassword();
}
+ protected String getTrackingIdIfEnabled(TokenIdent ident) {
+ if (storeTokenTrackingId) {
+ return ident.getTrackingId();
+ }
+ return null;
+ }
+
+ public synchronized String getTokenTrackingId(TokenIdent identifier) {
+ DelegationTokenInformation info = currentTokens.get(identifier);
+ if (info == null) {
+ return null;
+ }
+ return info.getTrackingId();
+ }
+
/**
* Verifies that the given identifier and password are valid and match.
* @param identifier Token identifier.
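Review bot: The two new methods `getTrackingIdIfEnabled` and `getTokenTrackingId` have no Javadoc, and `getTokenTrackingId` returns null both when the token is not in `currentTokens` and when `storeTokenTrackingId` is false. An audit-logging caller therefore cannot tell "unknown token" from "tracking disabled" and must be prepared to log a null. I would document that on the public method, e.g. `/** @return the tracking ID stored for this token, or null if the token is unknown or tracking IDs are not being stored */`. A one-line comment on `getTrackingIdIfEnabled` should say that it returns null when the flag is off. The lookup does not verify the token's password, which looks acceptable for a log-only value but is worth stating in the same comment.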
@@ -359,8 +380,9 @@ extends AbstractDelegationTokenIdentifie
+ " is trying to renew a token with " + "wrong password");
}
long renewTime = Math.min(id.getMaxDate(), now + tokenRenewInterval);
+ String trackingId = getTrackingIdIfEnabled(id);
DelegationTokenInformation info = new DelegationTokenInformation(renewTime,
- password);
+ password, trackingId);
if (currentTokens.get(id) == null) {
throw new InvalidToken("Renewal request for unknown token");
@@ -420,9 +442,13 @@ extends AbstractDelegationTokenIdentifie
public static class DelegationTokenInformation {
long renewDate;
byte[] password;
- public DelegationTokenInformation(long renewDate, byte[] password) {
+ String trackingId;
+
+ public DelegationTokenInformation(long renewDate, byte[] password,
+ String trackingId) {
this.renewDate = renewDate;
this.password = password;
+ this.trackingId = trackingId;
}
/** returns renew date */
public long getRenewDate() {
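Review bot: Changing the constructor of the public nested class `DelegationTokenInformation` from two to three arguments removes an existing public signature. Any code outside this file that calls `new DelegationTokenInformation(renewDate, password)` will stop compiling, though whether such callers exist is not visible from this diff. Keeping the old overload is a one-line addition: `public DelegationTokenInformation(long renewDate, byte[] password) { this(renewDate, password, null); }`. The class body continues outside this hunk.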
@@ -432,6 +458,10 @@ extends AbstractDelegationTokenIdentifie
byte[] getPassword() {
return password;
}
+ /** returns tracking id */
+ public String getTrackingId() {
+ return trackingId;
+ }
}
/** Remove expired delegation tokens from cache */