Package org.apache.hadoop.security.token.delegation

Class ZKDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

java.lang.Object

org.apache.hadoop.security.token.SecretManager<TokenIdent>

org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<TokenIdent>

org.apache.hadoop.security.token.delegation.ZKDelegationTokenSecretManager<TokenIdent>

@Private
public abstract class ZKDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>
extends AbstractDelegationTokenSecretManager<TokenIdent>

An implementation of AbstractDelegationTokenSecretManager that persists TokenIdentifiers and DelegationKeys in Zookeeper. This class can be used by HA (Highly available) services that consists of multiple nodes. This class ensures that Identifiers and Keys are replicated to all nodes of the service.

Nested Class Summary

Nested classes/interfaces inherited from class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager

AbstractDelegationTokenSecretManager.DelegationTokenInformation

Nested classes/interfaces inherited from class org.apache.hadoop.security.token.SecretManager

SecretManager.InvalidToken

Field Summary

Fields

Modifier and Type	Field	Description
static java.lang.String	ZK_CONF_PREFIX
static java.lang.String	ZK_DTSM_TOKEN_SEQNUM_BATCH_SIZE
static int	ZK_DTSM_TOKEN_SEQNUM_BATCH_SIZE_DEFAULT
static java.lang.String	ZK_DTSM_TOKEN_WATCHER_ENABLED
static boolean	ZK_DTSM_TOKEN_WATCHER_ENABLED_DEFAULT
protected static java.lang.String	ZK_DTSM_TOKENS_ROOT
static java.lang.String	ZK_DTSM_ZK_AUTH_TYPE
static java.lang.String	ZK_DTSM_ZK_CONNECTION_STRING
static java.lang.String	ZK_DTSM_ZK_CONNECTION_TIMEOUT
static int	ZK_DTSM_ZK_CONNECTION_TIMEOUT_DEFAULT
static java.lang.String	ZK_DTSM_ZK_KERBEROS_KEYTAB
static java.lang.String	ZK_DTSM_ZK_KERBEROS_PRINCIPAL
static java.lang.String	ZK_DTSM_ZK_KERBEROS_SERVER_PRINCIPAL
static java.lang.String	ZK_DTSM_ZK_NUM_RETRIES
static int	ZK_DTSM_ZK_NUM_RETRIES_DEFAULT
static java.lang.String	ZK_DTSM_ZK_SESSION_TIMEOUT
static int	ZK_DTSM_ZK_SESSION_TIMEOUT_DEFAULT
static java.lang.String	ZK_DTSM_ZK_SHUTDOWN_TIMEOUT
static int	ZK_DTSM_ZK_SHUTDOWN_TIMEOUT_DEFAULT
static java.lang.String	ZK_DTSM_ZK_SSL_ENABLED
static java.lang.String	ZK_DTSM_ZK_SSL_KEYSTORE_LOCATION
static java.lang.String	ZK_DTSM_ZK_SSL_KEYSTORE_PASSWORD
static java.lang.String	ZK_DTSM_ZK_SSL_TRUSTSTORE_LOCATION
static java.lang.String	ZK_DTSM_ZK_SSL_TRUSTSTORE_PASSWORD
static java.lang.String	ZK_DTSM_ZNODE_WORKING_PATH
static java.lang.String	ZK_DTSM_ZNODE_WORKING_PATH_DEAFULT
protected org.apache.curator.framework.CuratorFramework	zkClient

Fields inherited from class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager

allKeys, currentId, currentTokens, delegationTokenSequenceNumber, noInterruptsLock, running, storeTokenTrackingId, tokenOwnerStats

Constructor Summary

Constructors

Constructor	Description
ZKDelegationTokenSecretManager(Configuration conf)

Method Summary

Modifier and Type	Method	Description
protected void	addOrUpdateToken(TokenIdent ident, AbstractDelegationTokenSecretManager.DelegationTokenInformation info, boolean isUpdate)
TokenIdent	cancelToken(Token<TokenIdent> token, java.lang.String canceller)	Cancel a token by removing it from cache.
protected static org.apache.curator.framework.CuratorFramework	getCurator()
protected int	getCurrentKeyId()	For subclasses externalizing the storage, for example Zookeeper based implementations.
protected DelegationKey	getDelegationKey(int keyId)	For subclasses externalizing the storage, for example Zookeeper based implementations.
protected int	getDelegationTokenSeqNum()	For subclasses externalizing the storage, for example Zookeeper based implementations.
protected AbstractDelegationTokenSecretManager.DelegationTokenInformation	getTokenInfo(TokenIdent ident)	For subclasses externalizing the storage, for example Zookeeper based implementations
protected AbstractDelegationTokenSecretManager.DelegationTokenInformation	getTokenInfoFromZK(java.lang.String nodePath, boolean quiet)
protected AbstractDelegationTokenSecretManager.DelegationTokenInformation	getTokenInfoFromZK(TokenIdent ident)
protected AbstractDelegationTokenSecretManager.DelegationTokenInformation	getTokenInfoFromZK(TokenIdent ident, boolean quiet)
protected int	incrementCurrentKeyId()	For subclasses externalizing the storage, for example Zookeeper based implementations.
protected int	incrementDelegationTokenSeqNum()	For subclasses externalizing the storage, for example Zookeeper based implementations.
boolean	isTokenWatcherEnabled()
protected TokenIdent	processTokenAddOrUpdate(byte[] data)
protected void	removeStoredMasterKey(DelegationKey key)
protected void	removeStoredToken(TokenIdent ident)
protected void	removeStoredToken(TokenIdent ident, boolean checkAgainstZkBeforeDeletion)
static void	setCurator(org.apache.curator.framework.CuratorFramework curator)
protected void	setDelegationTokenSeqNum(int seqNum)	For subclasses externalizing the storage, for example Zookeeper based implementations.
void	startThreads()	should be called before this object is used.
void	stopThreads()
protected void	storeDelegationKey(DelegationKey key)	For subclasses externalizing the storage, for example Zookeeper based implementations.
protected void	storeToken(TokenIdent ident, AbstractDelegationTokenSecretManager.DelegationTokenInformation tokenInfo)	For subclasses externalizing the storage, for example Zookeeper based implementations.
protected void	syncLocalCacheWithZk(TokenIdent ident)	This method synchronizes the state of a delegation token information in local cache with its actual value in Zookeeper.
protected void	updateDelegationKey(DelegationKey key)	For subclasses externalizing the storage, for example Zookeeper based implementations.
protected void	updateToken(TokenIdent ident, AbstractDelegationTokenSecretManager.DelegationTokenInformation tokenInfo)	For subclasses externalizing the storage, for example Zookeeper based implementations.

Methods inherited from class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager

addKey, addPersistedDelegationToken, addTokenForOwnerStats, checkToken, createPassword, createSecretKey, decodeTokenIdentifier, getAllKeys, getCandidateTokensForCleanup, getCurrentTokensSize, getMetrics, getTokenRenewInterval, getTokenTrackingId, getTopTokenRealOwners, getTrackingIdIfEnabled, isRunning, logExpireToken, logExpireTokens, logUpdateMasterKey, removeExpiredStoredToken, renewToken, reset, retrievePassword, rollMasterKey, setCurrentKeyId, storeNewMasterKey, storeNewToken, syncTokenOwnerStats, updateStoredToken, verifyToken

Methods inherited from class org.apache.hadoop.security.token.SecretManager

checkAvailableForRead, createIdentifier, createPassword, generateSecret, retriableRetrievePassword, update

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ZK_CONF_PREFIX

public static final java.lang.String ZK_CONF_PREFIX

See Also:

Constant Field Values

ZK_DTSM_ZK_NUM_RETRIES

public static final java.lang.String ZK_DTSM_ZK_NUM_RETRIES

See Also:

Constant Field Values

ZK_DTSM_ZK_SESSION_TIMEOUT

public static final java.lang.String ZK_DTSM_ZK_SESSION_TIMEOUT

See Also:

Constant Field Values

ZK_DTSM_ZK_CONNECTION_TIMEOUT

public static final java.lang.String ZK_DTSM_ZK_CONNECTION_TIMEOUT

See Also:

Constant Field Values

ZK_DTSM_ZK_SHUTDOWN_TIMEOUT

public static final java.lang.String ZK_DTSM_ZK_SHUTDOWN_TIMEOUT

See Also:

Constant Field Values

ZK_DTSM_ZNODE_WORKING_PATH

public static final java.lang.String ZK_DTSM_ZNODE_WORKING_PATH

See Also:

Constant Field Values

ZK_DTSM_ZK_AUTH_TYPE

public static final java.lang.String ZK_DTSM_ZK_AUTH_TYPE

See Also:

Constant Field Values

ZK_DTSM_ZK_CONNECTION_STRING

public static final java.lang.String ZK_DTSM_ZK_CONNECTION_STRING

See Also:

Constant Field Values

ZK_DTSM_ZK_KERBEROS_KEYTAB

public static final java.lang.String ZK_DTSM_ZK_KERBEROS_KEYTAB

See Also:

Constant Field Values

ZK_DTSM_ZK_KERBEROS_PRINCIPAL

public static final java.lang.String ZK_DTSM_ZK_KERBEROS_PRINCIPAL

See Also:

Constant Field Values

ZK_DTSM_ZK_KERBEROS_SERVER_PRINCIPAL

public static final java.lang.String ZK_DTSM_ZK_KERBEROS_SERVER_PRINCIPAL

See Also:

Constant Field Values

ZK_DTSM_TOKEN_SEQNUM_BATCH_SIZE

public static final java.lang.String ZK_DTSM_TOKEN_SEQNUM_BATCH_SIZE

See Also:

Constant Field Values

ZK_DTSM_TOKEN_WATCHER_ENABLED

public static final java.lang.String ZK_DTSM_TOKEN_WATCHER_ENABLED

See Also:

Constant Field Values

ZK_DTSM_TOKEN_WATCHER_ENABLED_DEFAULT

public static final boolean ZK_DTSM_TOKEN_WATCHER_ENABLED_DEFAULT

See Also:

Constant Field Values

ZK_DTSM_ZK_SSL_ENABLED

public static final java.lang.String ZK_DTSM_ZK_SSL_ENABLED

See Also:

Constant Field Values

ZK_DTSM_ZK_SSL_KEYSTORE_LOCATION

public static final java.lang.String ZK_DTSM_ZK_SSL_KEYSTORE_LOCATION

See Also:

Constant Field Values

ZK_DTSM_ZK_SSL_KEYSTORE_PASSWORD

public static final java.lang.String ZK_DTSM_ZK_SSL_KEYSTORE_PASSWORD

See Also:

Constant Field Values

ZK_DTSM_ZK_SSL_TRUSTSTORE_LOCATION

public static final java.lang.String ZK_DTSM_ZK_SSL_TRUSTSTORE_LOCATION

See Also:

Constant Field Values

ZK_DTSM_ZK_SSL_TRUSTSTORE_PASSWORD

public static final java.lang.String ZK_DTSM_ZK_SSL_TRUSTSTORE_PASSWORD

See Also:

Constant Field Values

ZK_DTSM_ZK_NUM_RETRIES_DEFAULT

public static final int ZK_DTSM_ZK_NUM_RETRIES_DEFAULT

See Also:

Constant Field Values

ZK_DTSM_ZK_SESSION_TIMEOUT_DEFAULT

public static final int ZK_DTSM_ZK_SESSION_TIMEOUT_DEFAULT

See Also:

Constant Field Values

ZK_DTSM_ZK_CONNECTION_TIMEOUT_DEFAULT

public static final int ZK_DTSM_ZK_CONNECTION_TIMEOUT_DEFAULT

See Also:

Constant Field Values

ZK_DTSM_ZK_SHUTDOWN_TIMEOUT_DEFAULT

public static final int ZK_DTSM_ZK_SHUTDOWN_TIMEOUT_DEFAULT

See Also:

Constant Field Values

ZK_DTSM_ZNODE_WORKING_PATH_DEAFULT

public static final java.lang.String ZK_DTSM_ZNODE_WORKING_PATH_DEAFULT

See Also:

Constant Field Values

ZK_DTSM_TOKEN_SEQNUM_BATCH_SIZE_DEFAULT

public static final int ZK_DTSM_TOKEN_SEQNUM_BATCH_SIZE_DEFAULT

See Also:

Constant Field Values

ZK_DTSM_TOKENS_ROOT

protected static final java.lang.String ZK_DTSM_TOKENS_ROOT

See Also:

Constant Field Values

zkClient

protected final org.apache.curator.framework.CuratorFramework zkClient

Constructor Detail

ZKDelegationTokenSecretManager

public ZKDelegationTokenSecretManager(Configuration conf)

Method Detail

setCurator

public static void setCurator(org.apache.curator.framework.CuratorFramework curator)

getCurator

@VisibleForTesting
protected static org.apache.curator.framework.CuratorFramework getCurator()

startThreads

public void startThreads()
                  throws java.io.IOException

Description copied from class: AbstractDelegationTokenSecretManager

should be called before this object is used.

Overrides:

startThreads in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

Throws:

java.io.IOException - raised on errors performing I/O.

processTokenAddOrUpdate

protected TokenIdent processTokenAddOrUpdate(byte[] data)
                                      throws java.io.IOException

Throws:

java.io.IOException

stopThreads

public void stopThreads()

Overrides:

stopThreads in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

getDelegationTokenSeqNum

protected int getDelegationTokenSeqNum()

Description copied from class: AbstractDelegationTokenSecretManager

For subclasses externalizing the storage, for example Zookeeper based implementations.

Overrides:

getDelegationTokenSeqNum in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

Returns:

delegationTokenSequenceNumber.

incrementDelegationTokenSeqNum

protected int incrementDelegationTokenSeqNum()

Description copied from class: AbstractDelegationTokenSecretManager

For subclasses externalizing the storage, for example Zookeeper based implementations.

Overrides:

incrementDelegationTokenSeqNum in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

Returns:

delegationTokenSequenceNumber.

setDelegationTokenSeqNum

protected void setDelegationTokenSeqNum(int seqNum)

Description copied from class: AbstractDelegationTokenSecretManager

For subclasses externalizing the storage, for example Zookeeper based implementations.

Overrides:

setDelegationTokenSeqNum in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

Parameters:

seqNum - seqNum.

getCurrentKeyId

protected int getCurrentKeyId()

Description copied from class: AbstractDelegationTokenSecretManager

For subclasses externalizing the storage, for example Zookeeper based implementations.

Overrides:

getCurrentKeyId in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

Returns:

currentId.

incrementCurrentKeyId

protected int incrementCurrentKeyId()

Description copied from class: AbstractDelegationTokenSecretManager

For subclasses externalizing the storage, for example Zookeeper based implementations.

Overrides:

incrementCurrentKeyId in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

Returns:

currentId.

getDelegationKey

protected DelegationKey getDelegationKey(int keyId)

Description copied from class: AbstractDelegationTokenSecretManager

For subclasses externalizing the storage, for example Zookeeper based implementations.

Overrides:

getDelegationKey in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

Parameters:

keyId - keyId.

Returns:

DelegationKey.

getTokenInfo

protected AbstractDelegationTokenSecretManager.DelegationTokenInformation getTokenInfo(TokenIdent ident)

Description copied from class: AbstractDelegationTokenSecretManager

For subclasses externalizing the storage, for example Zookeeper based implementations

Overrides:

getTokenInfo in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

Parameters:

ident - ident.

Returns:

DelegationTokenInformation.

syncLocalCacheWithZk

protected void syncLocalCacheWithZk(TokenIdent ident)

This method synchronizes the state of a delegation token information in local cache with its actual value in Zookeeper.

Parameters:

ident - Identifier of the token

getTokenInfoFromZK

protected AbstractDelegationTokenSecretManager.DelegationTokenInformation getTokenInfoFromZK(TokenIdent ident)
                                                                                      throws java.io.IOException

Throws:

java.io.IOException

getTokenInfoFromZK

protected AbstractDelegationTokenSecretManager.DelegationTokenInformation getTokenInfoFromZK(TokenIdent ident,
                                                                                             boolean quiet)
                                                                                      throws java.io.IOException

Throws:

java.io.IOException

getTokenInfoFromZK

protected AbstractDelegationTokenSecretManager.DelegationTokenInformation getTokenInfoFromZK(java.lang.String nodePath,
                                                                                             boolean quiet)
                                                                                      throws java.io.IOException

Throws:

java.io.IOException

storeDelegationKey

protected void storeDelegationKey(DelegationKey key)
                           throws java.io.IOException

Description copied from class: AbstractDelegationTokenSecretManager

For subclasses externalizing the storage, for example Zookeeper based implementations.

Overrides:

storeDelegationKey in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

Parameters:

key - DelegationKey.

Throws:

java.io.IOException - raised on errors performing I/O.

updateDelegationKey

protected void updateDelegationKey(DelegationKey key)
                            throws java.io.IOException

Description copied from class: AbstractDelegationTokenSecretManager

For subclasses externalizing the storage, for example Zookeeper based implementations.

Overrides:

updateDelegationKey in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

Parameters:

key - DelegationKey.

Throws:

java.io.IOException - raised on errors performing I/O.

removeStoredMasterKey

protected void removeStoredMasterKey(DelegationKey key)

Overrides:

removeStoredMasterKey in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

storeToken

protected void storeToken(TokenIdent ident,
                          AbstractDelegationTokenSecretManager.DelegationTokenInformation tokenInfo)
                   throws java.io.IOException

Description copied from class: AbstractDelegationTokenSecretManager

For subclasses externalizing the storage, for example Zookeeper based implementations.

Overrides:

storeToken in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

Parameters:

ident - ident.

tokenInfo - tokenInfo.

Throws:

java.io.IOException - raised on errors performing I/O.

updateToken

protected void updateToken(TokenIdent ident,
                           AbstractDelegationTokenSecretManager.DelegationTokenInformation tokenInfo)
                    throws java.io.IOException

Description copied from class: AbstractDelegationTokenSecretManager

For subclasses externalizing the storage, for example Zookeeper based implementations.

Overrides:

updateToken in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

Parameters:

ident - ident.

tokenInfo - tokenInfo.

Throws:

java.io.IOException - raised on errors performing I/O.

removeStoredToken

protected void removeStoredToken(TokenIdent ident)
                          throws java.io.IOException

Overrides:

removeStoredToken in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

Throws:

java.io.IOException

removeStoredToken

protected void removeStoredToken(TokenIdent ident,
                                 boolean checkAgainstZkBeforeDeletion)
                          throws java.io.IOException

Throws:

java.io.IOException

cancelToken

public TokenIdent cancelToken(Token<TokenIdent> token,
                              java.lang.String canceller)
                       throws java.io.IOException

Description copied from class: AbstractDelegationTokenSecretManager

Cancel a token by removing it from cache.

Overrides:

cancelToken in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

Parameters:

token - token.

canceller - canceller.

Returns:

Identifier of the canceled token

Throws:

SecretManager.InvalidToken - for invalid token

AccessControlException - if the user isn't allowed to cancel

java.io.IOException

addOrUpdateToken

protected void addOrUpdateToken(TokenIdent ident,
                                AbstractDelegationTokenSecretManager.DelegationTokenInformation info,
                                boolean isUpdate)
                         throws java.lang.Exception

Throws:

java.lang.Exception

isTokenWatcherEnabled

public boolean isTokenWatcherEnabled()