Package org.apache.hadoop.security.token.delegation

Class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

java.lang.Object

org.apache.hadoop.security.token.SecretManager<TokenIdent>

org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<TokenIdent>

Direct Known Subclasses:

SQLDelegationTokenSecretManager, ZKDelegationTokenSecretManager

@Public
@Evolving
public abstract class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>
extends SecretManager<TokenIdent>

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	AbstractDelegationTokenSecretManager.DelegationTokenInformation	Class to encapsulate a token's renew date and password.

Nested classes/interfaces inherited from class org.apache.hadoop.security.token.SecretManager

SecretManager.InvalidToken

Field Summary

Fields

Modifier and Type	Field	Description
protected java.util.Map<java.lang.Integer,DelegationKey>	allKeys	Access to allKeys is protected by this object lock
protected int	currentId	Access to currentId is protected by this object lock.
protected java.util.Map<TokenIdent,AbstractDelegationTokenSecretManager.DelegationTokenInformation>	currentTokens	Cache of currently valid tokens, mapping from DelegationTokenIdentifier to DelegationTokenInformation.
protected int	delegationTokenSequenceNumber	Sequence number to create DelegationTokenIdentifier.
protected java.lang.Object	noInterruptsLock	If the delegation token update thread holds this lock, it will not get interrupted.
protected boolean	running
protected boolean	storeTokenTrackingId	Whether to store a token's tracking ID in its TokenInformation.
protected java.util.Map<java.lang.String,java.lang.Long>	tokenOwnerStats	Map of token real owners to its token count.

Constructor Summary

Constructors

Constructor	Description
AbstractDelegationTokenSecretManager(long delegationKeyUpdateInterval, long delegationTokenMaxLifetime, long delegationTokenRenewInterval, long delegationTokenRemoverScanInterval)	Create a secret manager

Method Summary

Modifier and Type	Method	Description
void	addKey(DelegationKey key)	Add a previously used master key to cache (when NN restarts), should be called before activate().
void	addPersistedDelegationToken(TokenIdent identifier, long renewDate)	This method is intended to be used for recovering persisted delegation tokens.
protected void	addTokenForOwnerStats(TokenIdent id)	Add token stats to the owner to token count mapping.
TokenIdent	cancelToken(Token<TokenIdent> token, java.lang.String canceller)	Cancel a token by removing it from cache.
protected AbstractDelegationTokenSecretManager.DelegationTokenInformation	checkToken(TokenIdent identifier)	Find the DelegationTokenInformation for the given token id, and verify that if the token is expired.
protected byte[]	createPassword(TokenIdent identifier)	Create the password for the given identifier.
static javax.crypto.SecretKey	createSecretKey(byte[] key)	Convert the byte[] to a secret key
TokenIdent	decodeTokenIdentifier(Token<TokenIdent> token)	Decode the token identifier.
DelegationKey[]	getAllKeys()
protected java.util.Map<TokenIdent,AbstractDelegationTokenSecretManager.DelegationTokenInformation>	getCandidateTokensForCleanup()
protected int	getCurrentKeyId()	For subclasses externalizing the storage, for example Zookeeper based implementations.
long	getCurrentTokensSize()	Total count of active delegation tokens.
protected DelegationKey	getDelegationKey(int keyId)	For subclasses externalizing the storage, for example Zookeeper based implementations.
protected int	getDelegationTokenSeqNum()	For subclasses externalizing the storage, for example Zookeeper based implementations.
protected org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager.DelegationTokenSecretManagerMetrics	getMetrics()
protected AbstractDelegationTokenSecretManager.DelegationTokenInformation	getTokenInfo(TokenIdent ident)	For subclasses externalizing the storage, for example Zookeeper based implementations
protected long	getTokenRenewInterval()	Interval for tokens to be renewed.
java.lang.String	getTokenTrackingId(TokenIdent identifier)
java.util.List<Metrics2Util.NameValuePair>	getTopTokenRealOwners(int n)	Return top token real owners list as well as the tokens count.
protected java.lang.String	getTrackingIdIfEnabled(TokenIdent ident)
protected int	incrementCurrentKeyId()	For subclasses externalizing the storage, for example Zookeeper based implementations.
protected int	incrementDelegationTokenSeqNum()	For subclasses externalizing the storage, for example Zookeeper based implementations.
boolean	isRunning()	is secretMgr running
protected void	logExpireToken(TokenIdent ident)
protected void	logExpireTokens(java.util.Collection<TokenIdent> expiredTokens)
protected void	logUpdateMasterKey(DelegationKey key)
protected void	removeExpiredStoredToken(TokenIdent ident)
protected void	removeStoredMasterKey(DelegationKey key)
protected void	removeStoredToken(TokenIdent ident)
long	renewToken(Token<TokenIdent> token, java.lang.String renewer)	Renew a delegation token.
void	reset()	Reset all data structures and mutable state.
byte[]	retrievePassword(TokenIdent identifier)	Retrieve the password for the given token identifier.
protected void	rollMasterKey()	Update the current master key for generating delegation tokens It should be called only by tokenRemoverThread.
protected void	setCurrentKeyId(int keyId)	For subclasses externalizing the storage, for example Zookeeper based implementations.
protected void	setDelegationTokenSeqNum(int seqNum)	For subclasses externalizing the storage, for example Zookeeper based implementations.
void	startThreads()	should be called before this object is used.
void	stopThreads()
protected void	storeDelegationKey(DelegationKey key)	For subclasses externalizing the storage, for example Zookeeper based implementations.
protected void	storeNewMasterKey(DelegationKey key)
protected void	storeNewToken(TokenIdent ident, long renewDate)
protected void	storeToken(TokenIdent ident, AbstractDelegationTokenSecretManager.DelegationTokenInformation tokenInfo)	For subclasses externalizing the storage, for example Zookeeper based implementations.
protected void	syncTokenOwnerStats()	This method syncs token information from currentTokens to tokenOwnerStats.
protected void	updateDelegationKey(DelegationKey key)	For subclasses externalizing the storage, for example Zookeeper based implementations.
protected void	updateStoredToken(TokenIdent ident, long renewDate)
protected void	updateToken(TokenIdent ident, AbstractDelegationTokenSecretManager.DelegationTokenInformation tokenInfo)	For subclasses externalizing the storage, for example Zookeeper based implementations.
void	verifyToken(TokenIdent identifier, byte[] password)	Verifies that the given identifier and password are valid and match.

Methods inherited from class org.apache.hadoop.security.token.SecretManager

checkAvailableForRead, createIdentifier, createPassword, generateSecret, retriableRetrievePassword

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

currentTokens

protected java.util.Map<TokenIdent extends AbstractDelegationTokenIdentifier,AbstractDelegationTokenSecretManager.DelegationTokenInformation> currentTokens

Cache of currently valid tokens, mapping from DelegationTokenIdentifier to DelegationTokenInformation. Protected by this object lock.

tokenOwnerStats

protected final java.util.Map<java.lang.String,java.lang.Long> tokenOwnerStats

Map of token real owners to its token count. This is used to generate metrics of top users by owned tokens.

delegationTokenSequenceNumber

protected int delegationTokenSequenceNumber

Sequence number to create DelegationTokenIdentifier. Protected by this object lock.

allKeys

protected final java.util.Map<java.lang.Integer,DelegationKey> allKeys

Access to allKeys is protected by this object lock

currentId

protected int currentId

Access to currentId is protected by this object lock.

storeTokenTrackingId

protected boolean storeTokenTrackingId

Whether to store a token's tracking ID in its TokenInformation. Can be overridden by a subclass.

running

protected volatile boolean running

noInterruptsLock

protected java.lang.Object noInterruptsLock

If the delegation token update thread holds this lock, it will not get interrupted.

Constructor Detail

AbstractDelegationTokenSecretManager

public AbstractDelegationTokenSecretManager(long delegationKeyUpdateInterval,
                                            long delegationTokenMaxLifetime,
                                            long delegationTokenRenewInterval,
                                            long delegationTokenRemoverScanInterval)

Create a secret manager

Parameters:

delegationKeyUpdateInterval - the number of milliseconds for rolling new secret keys.

delegationTokenMaxLifetime - the maximum lifetime of the delegation tokens in milliseconds

delegationTokenRenewInterval - how often the tokens must be renewed in milliseconds

delegationTokenRemoverScanInterval - how often the tokens are scanned for expired tokens in milliseconds

Method Detail

startThreads

public void startThreads()
                  throws java.io.IOException

should be called before this object is used.

Throws:

java.io.IOException - raised on errors performing I/O.

reset

public void reset()

Reset all data structures and mutable state.

getCurrentTokensSize

public long getCurrentTokensSize()

Total count of active delegation tokens.

Returns:

currentTokens.size.

getTokenRenewInterval

protected long getTokenRenewInterval()

Interval for tokens to be renewed.

Returns:

Renew interval in milliseconds.

addKey

public void addKey(DelegationKey key)
            throws java.io.IOException

Add a previously used master key to cache (when NN restarts), should be called before activate().

Parameters:

key - delegation key.

Throws:

java.io.IOException - raised on errors performing I/O.

getAllKeys

public DelegationKey[] getAllKeys()

logUpdateMasterKey

protected void logUpdateMasterKey(DelegationKey key)
                           throws java.io.IOException

Throws:

java.io.IOException

logExpireToken

protected void logExpireToken(TokenIdent ident)
                       throws java.io.IOException

Throws:

java.io.IOException

storeNewMasterKey

protected void storeNewMasterKey(DelegationKey key)
                          throws java.io.IOException

Throws:

java.io.IOException

removeStoredMasterKey

protected void removeStoredMasterKey(DelegationKey key)

storeNewToken

protected void storeNewToken(TokenIdent ident,
                             long renewDate)
                      throws java.io.IOException

Throws:

java.io.IOException

removeStoredToken

protected void removeStoredToken(TokenIdent ident)
                          throws java.io.IOException

Throws:

java.io.IOException

updateStoredToken

protected void updateStoredToken(TokenIdent ident,
                                 long renewDate)
                          throws java.io.IOException

Throws:

java.io.IOException

getCurrentKeyId

protected int getCurrentKeyId()

For subclasses externalizing the storage, for example Zookeeper based implementations.

Returns:

currentId.

incrementCurrentKeyId

protected int incrementCurrentKeyId()

For subclasses externalizing the storage, for example Zookeeper based implementations.

Returns:

currentId.

setCurrentKeyId

protected void setCurrentKeyId(int keyId)

For subclasses externalizing the storage, for example Zookeeper based implementations.

Parameters:

keyId - keyId.

getDelegationTokenSeqNum

protected int getDelegationTokenSeqNum()

For subclasses externalizing the storage, for example Zookeeper based implementations.

Returns:

delegationTokenSequenceNumber.

incrementDelegationTokenSeqNum

protected int incrementDelegationTokenSeqNum()

For subclasses externalizing the storage, for example Zookeeper based implementations.

Returns:

delegationTokenSequenceNumber.

setDelegationTokenSeqNum

protected void setDelegationTokenSeqNum(int seqNum)

For subclasses externalizing the storage, for example Zookeeper based implementations.

Parameters:

seqNum - seqNum.

getDelegationKey

protected DelegationKey getDelegationKey(int keyId)

For subclasses externalizing the storage, for example Zookeeper based implementations.

Parameters:

keyId - keyId.

Returns:

DelegationKey.

storeDelegationKey

protected void storeDelegationKey(DelegationKey key)
                           throws java.io.IOException

For subclasses externalizing the storage, for example Zookeeper based implementations.

Parameters:

key - DelegationKey.

Throws:

java.io.IOException - raised on errors performing I/O.

updateDelegationKey

protected void updateDelegationKey(DelegationKey key)
                            throws java.io.IOException

For subclasses externalizing the storage, for example Zookeeper based implementations.

Parameters:

key - DelegationKey.

Throws:

java.io.IOException - raised on errors performing I/O.

getTokenInfo

protected AbstractDelegationTokenSecretManager.DelegationTokenInformation getTokenInfo(TokenIdent ident)

For subclasses externalizing the storage, for example Zookeeper based implementations

Parameters:

ident - ident.

Returns:

DelegationTokenInformation.

storeToken

protected void storeToken(TokenIdent ident,
                          AbstractDelegationTokenSecretManager.DelegationTokenInformation tokenInfo)
                   throws java.io.IOException

For subclasses externalizing the storage, for example Zookeeper based implementations.

Parameters:

ident - ident.

tokenInfo - tokenInfo.

Throws:

java.io.IOException - raised on errors performing I/O.

updateToken

protected void updateToken(TokenIdent ident,
                           AbstractDelegationTokenSecretManager.DelegationTokenInformation tokenInfo)
                    throws java.io.IOException

For subclasses externalizing the storage, for example Zookeeper based implementations.

Parameters:

ident - ident.

tokenInfo - tokenInfo.

Throws:

java.io.IOException - raised on errors performing I/O.

addPersistedDelegationToken

public void addPersistedDelegationToken(TokenIdent identifier,
                                        long renewDate)
                                 throws java.io.IOException

This method is intended to be used for recovering persisted delegation tokens. Tokens that have an unknown DelegationKey are marked as expired and automatically cleaned up. This method must be called before this secret manager is activated (before startThreads() is called)

Parameters:

identifier - identifier read from persistent storage

renewDate - token renew time

Throws:

java.io.IOException - raised on errors performing I/O.

rollMasterKey

protected void rollMasterKey()
                      throws java.io.IOException

Update the current master key for generating delegation tokens It should be called only by tokenRemoverThread.

Throws:

java.io.IOException - raised on errors performing I/O.

createPassword

protected byte[] createPassword(TokenIdent identifier)

Description copied from class: SecretManager

Create the password for the given identifier. identifier may be modified inside this method.

Specified by:

createPassword in class SecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

Parameters:

identifier - the identifier to use

Returns:

the new password

checkToken

protected AbstractDelegationTokenSecretManager.DelegationTokenInformation checkToken(TokenIdent identifier)
                                                                              throws SecretManager.InvalidToken

Find the DelegationTokenInformation for the given token id, and verify that if the token is expired. Note that this method should be called with acquiring the secret manager's monitor.

Parameters:

identifier - identifier.

Returns:

DelegationTokenInformation.

Throws:

SecretManager.InvalidToken - invalid token exception.

retrievePassword

public byte[] retrievePassword(TokenIdent identifier)
                        throws SecretManager.InvalidToken

Description copied from class: SecretManager

Retrieve the password for the given token identifier. Should check the date or registry to make sure the token hasn't expired or been revoked. Returns the relevant password.

Specified by:

retrievePassword in class SecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

Parameters:

identifier - the identifier to validate

Returns:

the password to use

Throws:

SecretManager.InvalidToken - the token was invalid

getTrackingIdIfEnabled

protected java.lang.String getTrackingIdIfEnabled(TokenIdent ident)

getTokenTrackingId

public java.lang.String getTokenTrackingId(TokenIdent identifier)

verifyToken

public void verifyToken(TokenIdent identifier,
                        byte[] password)
                 throws SecretManager.InvalidToken

Verifies that the given identifier and password are valid and match.

Parameters:

identifier - Token identifier.

password - Password in the token.

Throws:

SecretManager.InvalidToken - InvalidToken.

renewToken

public long renewToken(Token<TokenIdent> token,
                       java.lang.String renewer)
                throws SecretManager.InvalidToken,
                       java.io.IOException

Renew a delegation token.

Parameters:

token - the token to renew

renewer - the full principal name of the user doing the renewal

Returns:

the new expiration time

Throws:

SecretManager.InvalidToken - if the token is invalid

AccessControlException - if the user can't renew token

java.io.IOException

cancelToken

public TokenIdent cancelToken(Token<TokenIdent> token,
                              java.lang.String canceller)
                       throws java.io.IOException

Cancel a token by removing it from cache.

Parameters:

token - token.

canceller - canceller.

Returns:

Identifier of the canceled token

Throws:

SecretManager.InvalidToken - for invalid token

AccessControlException - if the user isn't allowed to cancel

java.io.IOException

createSecretKey

public static javax.crypto.SecretKey createSecretKey(byte[] key)

Convert the byte[] to a secret key

Parameters:

key - the byte[] to create the secret key from

Returns:

the secret key

getCandidateTokensForCleanup

protected java.util.Map<TokenIdent,AbstractDelegationTokenSecretManager.DelegationTokenInformation> getCandidateTokensForCleanup()

logExpireTokens

protected void logExpireTokens(java.util.Collection<TokenIdent> expiredTokens)
                        throws java.io.IOException

Throws:

java.io.IOException

removeExpiredStoredToken

protected void removeExpiredStoredToken(TokenIdent ident)
                                 throws java.io.IOException

Throws:

java.io.IOException

stopThreads

public void stopThreads()

isRunning

public boolean isRunning()

is secretMgr running

Returns:

true if secret mgr is running

decodeTokenIdentifier

public TokenIdent decodeTokenIdentifier(Token<TokenIdent> token)
                                 throws java.io.IOException

Decode the token identifier. The subclass can customize the way to decode the token identifier.

Parameters:

token - the token where to extract the identifier

Returns:

the delegation token identifier

Throws:

java.io.IOException - raised on errors performing I/O.

getTopTokenRealOwners

public java.util.List<Metrics2Util.NameValuePair> getTopTokenRealOwners(int n)

Return top token real owners list as well as the tokens count.

Parameters:

n - top number of users

Returns:

map of owners to counts

addTokenForOwnerStats

protected void addTokenForOwnerStats(TokenIdent id)

Add token stats to the owner to token count mapping.

Parameters:

id - token id.

syncTokenOwnerStats

protected void syncTokenOwnerStats()

This method syncs token information from currentTokens to tokenOwnerStats. It is used when the currentTokens is initialized or refreshed. This is called from a single thread thus no synchronization is needed.

getMetrics

protected org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager.DelegationTokenSecretManagerMetrics getMetrics()