Package org.apache.hadoop.hdfs.security.token.delegation

Class DelegationTokenSecretManager

java.lang.Object

org.apache.hadoop.security.token.SecretManager<TokenIdent>

org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier>

org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenSecretManager

@Private
public class DelegationTokenSecretManager
extends org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier>

A HDFS specific delegation token secret manager. The secret manager is responsible for generating and accepting the password for each token.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	DelegationTokenSecretManager.SecretManagerState

Nested classes/interfaces inherited from class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager

org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager.DelegationTokenInformation

Nested classes/interfaces inherited from class org.apache.hadoop.security.token.SecretManager

org.apache.hadoop.security.token.SecretManager.InvalidToken

Field Summary

Fields inherited from class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager

allKeys, currentId, currentTokens, delegationTokenSequenceNumber, noInterruptsLock, running, storeTokenTrackingId, tokenOwnerStats

Constructor Summary

Constructors

Constructor	Description
DelegationTokenSecretManager(long delegationKeyUpdateInterval, long delegationTokenMaxLifetime, long delegationTokenRenewInterval, long delegationTokenRemoverScanInterval, boolean storeTokenTrackingId, FSNamesystem namesystem)	Create a secret manager
DelegationTokenSecretManager(long delegationKeyUpdateInterval, long delegationTokenMaxLifetime, long delegationTokenRenewInterval, long delegationTokenRemoverScanInterval, FSNamesystem namesystem)

Method Summary

Modifier and Type	Method	Description
void	addPersistedDelegationToken(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier identifier, long expiryTime)	This method is intended to be used only while reading edit logs.
static org.apache.hadoop.security.Credentials	createCredentials(NameNode namenode, org.apache.hadoop.security.UserGroupInformation ugi, java.lang.String renewer)	A utility method for creating credentials.
org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier	createIdentifier()
int	getNumberOfKeys()	Returns the number of delegation keys currently stored.
long	getTokenExpiryTime(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier dtId)	Returns expiry time of a token given its identifier.
void	loadSecretManagerState(DelegationTokenSecretManager.SecretManagerState state, StartupProgress.Counter counter)
void	loadSecretManagerStateCompat(java.io.DataInput in)	Load SecretManager state from fsimage.
protected void	logExpireToken(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier dtId)
protected void	logUpdateMasterKey(org.apache.hadoop.security.token.delegation.DelegationKey key)	Call namesystem to update editlogs for new master key.
byte[]	retriableRetrievePassword(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier identifier)
byte[]	retrievePassword(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier identifier)
DelegationTokenSecretManager.SecretManagerState	saveSecretManagerState()
void	saveSecretManagerStateCompat(java.io.DataOutputStream out, java.lang.String sdPath)	Store the current state of the SecretManager for persistence
void	updatePersistedMasterKey(org.apache.hadoop.security.token.delegation.DelegationKey key)	Add a MasterKey to the list of keys.
void	updatePersistedTokenCancellation(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier identifier)	Update the token cache with the cancel record in edit logs
void	updatePersistedTokenRenewal(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier identifier, long expiryTime)	Update the token cache with renewal record in edit logs.

Methods inherited from class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager

addKey, addTokenForOwnerStats, cancelToken, checkToken, createPassword, createSecretKey, decodeTokenIdentifier, getAllKeys, getCandidateTokensForCleanup, getCurrentKeyId, getCurrentTokensSize, getDelegationKey, getDelegationTokenSeqNum, getMetrics, getTokenInfo, getTokenRenewInterval, getTokenTrackingId, getTopTokenRealOwners, getTrackingIdIfEnabled, incrementCurrentKeyId, incrementDelegationTokenSeqNum, isRunning, logExpireTokens, removeExpiredStoredToken, removeStoredMasterKey, removeStoredToken, renewToken, reset, rollMasterKey, setCurrentKeyId, setDelegationTokenSeqNum, startThreads, stopThreads, storeDelegationKey, storeNewMasterKey, storeNewToken, storeToken, syncTokenOwnerStats, updateDelegationKey, updateStoredToken, updateToken, verifyToken

Methods inherited from class org.apache.hadoop.security.token.SecretManager

checkAvailableForRead, createPassword, generateSecret, update

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

DelegationTokenSecretManager

public DelegationTokenSecretManager(long delegationKeyUpdateInterval,
                                    long delegationTokenMaxLifetime,
                                    long delegationTokenRenewInterval,
                                    long delegationTokenRemoverScanInterval,
                                    FSNamesystem namesystem)

DelegationTokenSecretManager

public DelegationTokenSecretManager(long delegationKeyUpdateInterval,
                                    long delegationTokenMaxLifetime,
                                    long delegationTokenRenewInterval,
                                    long delegationTokenRemoverScanInterval,
                                    boolean storeTokenTrackingId,
                                    FSNamesystem namesystem)

Create a secret manager

Parameters:

delegationKeyUpdateInterval - the number of milliseconds for rolling new secret keys.

delegationTokenMaxLifetime - the maximum lifetime of the delegation tokens in milliseconds

delegationTokenRenewInterval - how often the tokens must be renewed in milliseconds

delegationTokenRemoverScanInterval - how often the tokens are scanned for expired tokens in milliseconds

storeTokenTrackingId - whether to store the token's tracking id

Method Detail

createIdentifier

public org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier createIdentifier()

Specified by:

createIdentifier in class org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier>

retrievePassword

public byte[] retrievePassword(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier identifier)
                        throws org.apache.hadoop.security.token.SecretManager.InvalidToken

Overrides:

retrievePassword in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier>

Throws:

org.apache.hadoop.security.token.SecretManager.InvalidToken

retriableRetrievePassword

public byte[] retriableRetrievePassword(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier identifier)
                                 throws org.apache.hadoop.security.token.SecretManager.InvalidToken,
                                        org.apache.hadoop.ipc.StandbyException,
                                        org.apache.hadoop.ipc.RetriableException,
                                        java.io.IOException

Overrides:

retriableRetrievePassword in class org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier>

Throws:

org.apache.hadoop.security.token.SecretManager.InvalidToken

org.apache.hadoop.ipc.StandbyException

org.apache.hadoop.ipc.RetriableException

java.io.IOException

getTokenExpiryTime

public long getTokenExpiryTime(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier dtId)
                        throws java.io.IOException

Returns expiry time of a token given its identifier.

Parameters:

dtId - DelegationTokenIdentifier of a token

Returns:

Expiry time of the token

Throws:

java.io.IOException

loadSecretManagerStateCompat

public void loadSecretManagerStateCompat(java.io.DataInput in)
                                  throws java.io.IOException

Load SecretManager state from fsimage.

Parameters:

in - input stream to read fsimage

Throws:

java.io.IOException

loadSecretManagerState

public void loadSecretManagerState(DelegationTokenSecretManager.SecretManagerState state,
                                   StartupProgress.Counter counter)
                            throws java.io.IOException

Throws:

java.io.IOException

saveSecretManagerStateCompat

public void saveSecretManagerStateCompat(java.io.DataOutputStream out,
                                         java.lang.String sdPath)
                                  throws java.io.IOException

Store the current state of the SecretManager for persistence

Parameters:

out - Output stream for writing into fsimage.

sdPath - String storage directory path

Throws:

java.io.IOException

saveSecretManagerState

public DelegationTokenSecretManager.SecretManagerState saveSecretManagerState()

addPersistedDelegationToken

public void addPersistedDelegationToken(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier identifier,
                                        long expiryTime)
                                 throws java.io.IOException

This method is intended to be used only while reading edit logs.

Overrides:

addPersistedDelegationToken in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier>

Parameters:

identifier - DelegationTokenIdentifier read from the edit logs or fsimage

expiryTime - token expiry time

Throws:

java.io.IOException

updatePersistedMasterKey

public void updatePersistedMasterKey(org.apache.hadoop.security.token.delegation.DelegationKey key)
                              throws java.io.IOException

Add a MasterKey to the list of keys.

Parameters:

key - DelegationKey

Throws:

java.io.IOException

updatePersistedTokenRenewal

public void updatePersistedTokenRenewal(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier identifier,
                                        long expiryTime)
                                 throws java.io.IOException

Update the token cache with renewal record in edit logs.

Parameters:

identifier - DelegationTokenIdentifier of the renewed token

expiryTime - expirty time in milliseconds

Throws:

java.io.IOException

updatePersistedTokenCancellation

public void updatePersistedTokenCancellation(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier identifier)
                                      throws java.io.IOException

Update the token cache with the cancel record in edit logs

Parameters:

identifier - DelegationTokenIdentifier of the canceled token

Throws:

java.io.IOException

getNumberOfKeys

public int getNumberOfKeys()

Returns the number of delegation keys currently stored.

Returns:

number of delegation keys

logUpdateMasterKey

protected void logUpdateMasterKey(org.apache.hadoop.security.token.delegation.DelegationKey key)
                           throws java.io.IOException

Call namesystem to update editlogs for new master key.

Overrides:

logUpdateMasterKey in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier>

Throws:

java.io.IOException

logExpireToken

protected void logExpireToken(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier dtId)
                       throws java.io.IOException

Overrides:

logExpireToken in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier>

Throws:

java.io.IOException

createCredentials

public static org.apache.hadoop.security.Credentials createCredentials(NameNode namenode,
                                                                       org.apache.hadoop.security.UserGroupInformation ugi,
                                                                       java.lang.String renewer)
                                                                throws java.io.IOException

A utility method for creating credentials.

Throws:

java.io.IOException