org.apache.hadoop.hdfs.security.token.delegation

Class DelegationTokenSecretManager

java.lang.Object

org.apache.hadoop.security.token.SecretManager<TokenIdent>

org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>

org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenSecretManager

@InterfaceAudience.Private
public class DelegationTokenSecretManager
extends AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>

A HDFS specific delegation token secret manager. The secret manager is responsible for generating and accepting the password for each token.

Nested Class Summary

Nested classes/interfaces inherited from class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager

AbstractDelegationTokenSecretManager.DelegationTokenInformation

Nested classes/interfaces inherited from class org.apache.hadoop.security.token.SecretManager

SecretManager.InvalidToken

Field Summary

Fields inherited from class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager

allKeys, currentId, currentTokens, delegationTokenSequenceNumber, noInterruptsLock, running, storeTokenTrackingId

Constructor Summary

Constructors

Constructor and Description
DelegationTokenSecretManager(long delegationKeyUpdateInterval, long delegationTokenMaxLifetime, long delegationTokenRenewInterval, long delegationTokenRemoverScanInterval, boolean storeTokenTrackingId, FSNamesystem namesystem) Create a secret manager
DelegationTokenSecretManager(long delegationKeyUpdateInterval, long delegationTokenMaxLifetime, long delegationTokenRenewInterval, long delegationTokenRemoverScanInterval, FSNamesystem namesystem)

Method Summary

Methods

Modifier and Type	Method and Description
void	addPersistedDelegationToken(DelegationTokenIdentifier identifier, long expiryTime) This method is intended to be used only while reading edit logs.
static Credentials	createCredentials(NameNode namenode, UserGroupInformation ugi, String renewer) A utility method for creating credentials.
DelegationTokenIdentifier	createIdentifier() Create an empty token identifier.
int	getNumberOfKeys() Returns the number of delegation keys currently stored.
long	getTokenExpiryTime(DelegationTokenIdentifier dtId) Returns expiry time of a token given its identifier.
void	loadSecretManagerState(DataInput in) Load SecretManager state from fsimage.
protected void	logExpireToken(DelegationTokenIdentifier dtId)
protected void	logUpdateMasterKey(DelegationKey key) Call namesystem to update editlogs for new master key.
byte[]	retrievePassword(DelegationTokenIdentifier identifier) Retrieve the password for the given token identifier.
void	saveSecretManagerState(DataOutputStream out, String sdPath) Store the current state of the SecretManager for persistence
void	updatePersistedMasterKey(DelegationKey key) Add a MasterKey to the list of keys.
void	updatePersistedTokenCancellation(DelegationTokenIdentifier identifier) Update the token cache with the cancel record in edit logs
void	updatePersistedTokenRenewal(DelegationTokenIdentifier identifier, long expiryTime) Update the token cache with renewal record in edit logs.

Methods inherited from class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager

addKey, cancelToken, createPassword, createSecretKey, getAllKeys, getTokenTrackingId, getTrackingIdIfEnabled, isRunning, removeStoredMasterKey, removeStoredToken, renewToken, reset, startThreads, stopThreads, storeNewMasterKey, storeNewToken, updateStoredToken, verifyToken

Methods inherited from class org.apache.hadoop.security.token.SecretManager

checkAvailableForRead, createPassword, generateSecret

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

DelegationTokenSecretManager

public DelegationTokenSecretManager(long delegationKeyUpdateInterval,
                            long delegationTokenMaxLifetime,
                            long delegationTokenRenewInterval,
                            long delegationTokenRemoverScanInterval,
                            FSNamesystem namesystem)

DelegationTokenSecretManager

public DelegationTokenSecretManager(long delegationKeyUpdateInterval,
                            long delegationTokenMaxLifetime,
                            long delegationTokenRenewInterval,
                            long delegationTokenRemoverScanInterval,
                            boolean storeTokenTrackingId,
                            FSNamesystem namesystem)

Create a secret manager

Parameters:

delegationKeyUpdateInterval - the number of seconds for rolling new secret keys.

delegationTokenMaxLifetime - the maximum lifetime of the delegation tokens

delegationTokenRenewInterval - how often the tokens must be renewed

delegationTokenRemoverScanInterval - how often the tokens are scanned for expired tokens

storeTokenTrackingId - whether to store the token's tracking id

Method Detail

createIdentifier

public DelegationTokenIdentifier createIdentifier()

Description copied from class: SecretManager

Create an empty token identifier.

Specified by:

createIdentifier in class SecretManager<DelegationTokenIdentifier>

Returns:

the newly created empty token identifier

retrievePassword

public byte[] retrievePassword(DelegationTokenIdentifier identifier)
                        throws SecretManager.InvalidToken

Description copied from class: SecretManager

Retrieve the password for the given token identifier. Should check the date or registry to make sure the token hasn't expired or been revoked. Returns the relevant password.

Overrides:

retrievePassword in class AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>

Parameters:

identifier - the identifier to validate

Returns:

the password to use

Throws:

SecretManager.InvalidToken - the token was invalid

getTokenExpiryTime

public long getTokenExpiryTime(DelegationTokenIdentifier dtId)
                        throws IOException

Returns expiry time of a token given its identifier.

Parameters:

dtId - DelegationTokenIdentifier of a token

Returns:

Expiry time of the token

Throws:

IOException

loadSecretManagerState

public void loadSecretManagerState(DataInput in)
                            throws IOException

Load SecretManager state from fsimage.

Parameters:

in - input stream to read fsimage

Throws:

IOException

saveSecretManagerState

public void saveSecretManagerState(DataOutputStream out,
                          String sdPath)
                            throws IOException

Store the current state of the SecretManager for persistence

Parameters:

out - Output stream for writing into fsimage.

sdPath - String storage directory path

Throws:

IOException

addPersistedDelegationToken

public void addPersistedDelegationToken(DelegationTokenIdentifier identifier,
                               long expiryTime)
                                 throws IOException

This method is intended to be used only while reading edit logs.

Overrides:

addPersistedDelegationToken in class AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>

Parameters:

identifier - DelegationTokenIdentifier read from the edit logs or fsimage

expiryTime - token expiry time

Throws:

IOException

updatePersistedMasterKey

public void updatePersistedMasterKey(DelegationKey key)
                              throws IOException

Add a MasterKey to the list of keys.

Parameters:

key - DelegationKey

Throws:

IOException

updatePersistedTokenRenewal

public void updatePersistedTokenRenewal(DelegationTokenIdentifier identifier,
                               long expiryTime)
                                 throws IOException

Update the token cache with renewal record in edit logs.

Parameters:

identifier - DelegationTokenIdentifier of the renewed token

expiryTime -

Throws:

IOException

updatePersistedTokenCancellation

public void updatePersistedTokenCancellation(DelegationTokenIdentifier identifier)
                                      throws IOException

Update the token cache with the cancel record in edit logs

Parameters:

identifier - DelegationTokenIdentifier of the canceled token

Throws:

IOException

getNumberOfKeys

public int getNumberOfKeys()

Returns the number of delegation keys currently stored.

Returns:

number of delegation keys

logUpdateMasterKey

protected void logUpdateMasterKey(DelegationKey key)
                           throws IOException

Call namesystem to update editlogs for new master key.

Overrides:

logUpdateMasterKey in class AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>

Throws:

IOException

logExpireToken

protected void logExpireToken(DelegationTokenIdentifier dtId)
                       throws IOException

Overrides:

logExpireToken in class AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>

Throws:

IOException

createCredentials

public static Credentials createCredentials(NameNode namenode,
                            UserGroupInformation ugi,
                            String renewer)
                                     throws IOException

A utility method for creating credentials.

Throws:

IOException