Package org.apache.hadoop.security.token.delegation.web

Class DelegationTokenAuthenticationHandler

java.lang.Object

org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler

All Implemented Interfaces:

org.apache.hadoop.security.authentication.server.AuthenticationHandler

Direct Known Subclasses:

KerberosDelegationTokenAuthenticationHandler, MaprDelegationTokenAuthenticationHandler, MultiSchemeDelegationTokenAuthenticationHandler, PseudoDelegationTokenAuthenticationHandler

@Private
@Evolving
public abstract class DelegationTokenAuthenticationHandler
extends java.lang.Object
implements org.apache.hadoop.security.authentication.server.AuthenticationHandler

An AuthenticationHandler that implements Kerberos SPNEGO mechanism for HTTP and supports Delegation Token functionality.

In addition to the wrapped AuthenticationHandler configuration properties, this handler supports the following properties prefixed with the type of the wrapped AuthenticationHandler:

• delegation-token.token-kind: the token kind for generated tokens (no default, required property).
• delegation-token.update-interval.sec: secret manager master key update interval in seconds (default 1 day).
• delegation-token.max-lifetime.sec: maximum life of a delegation token in seconds (default 7 days).
• delegation-token.renewal-interval.sec: renewal interval for delegation tokens in seconds (default 1 day).
• delegation-token.removal-scan-interval.sec: delegation tokens removal scan interval in seconds (default 1 hour).

Field Summary

Fields

Modifier and Type	Field	Description
static java.lang.String	DELEGATION_TOKEN_UGI_ATTRIBUTE
static java.lang.String	JSON_MAPPER_PREFIX
static java.lang.String	PREFIX
static java.lang.String	TOKEN_KIND
protected static java.lang.String	TYPE_POSTFIX

Fields inherited from interface org.apache.hadoop.security.authentication.server.AuthenticationHandler

WWW_AUTHENTICATE

Constructor Summary

Constructors

Constructor	Description
DelegationTokenAuthenticationHandler(org.apache.hadoop.security.authentication.server.AuthenticationHandler handler)

Method Summary

Modifier and Type	Method	Description
org.apache.hadoop.security.authentication.server.AuthenticationToken	authenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)	Authenticates a request looking for the delegation query-string parameter and verifying it is a valid token.
void	destroy()
java.lang.String	getType()
void	init(java.util.Properties config)
void	initJsonFactory(java.util.Properties config)
void	initTokenManager(java.util.Properties config)
protected boolean	isManagementOperation(javax.servlet.http.HttpServletRequest request)	This method checks if the given HTTP request corresponds to a management operation.
boolean	managementOperation(org.apache.hadoop.security.authentication.server.AuthenticationToken token, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
void	setExternalDelegationTokenSecretManager(AbstractDelegationTokenSecretManager secretManager)	Sets an external DelegationTokenSecretManager instance to manage creation and verification of Delegation Tokens.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

TYPE_POSTFIX

protected static final java.lang.String TYPE_POSTFIX

See Also:

Constant Field Values

PREFIX

public static final java.lang.String PREFIX

See Also:

Constant Field Values

TOKEN_KIND

public static final java.lang.String TOKEN_KIND

See Also:

Constant Field Values

DELEGATION_TOKEN_UGI_ATTRIBUTE

public static final java.lang.String DELEGATION_TOKEN_UGI_ATTRIBUTE

See Also:

Constant Field Values

JSON_MAPPER_PREFIX

public static final java.lang.String JSON_MAPPER_PREFIX

See Also:

Constant Field Values

Constructor Detail

DelegationTokenAuthenticationHandler

public DelegationTokenAuthenticationHandler(org.apache.hadoop.security.authentication.server.AuthenticationHandler handler)

Method Detail

init

public void init(java.util.Properties config)
          throws javax.servlet.ServletException

Specified by:

init in interface org.apache.hadoop.security.authentication.server.AuthenticationHandler

Throws:

javax.servlet.ServletException

setExternalDelegationTokenSecretManager

public void setExternalDelegationTokenSecretManager(AbstractDelegationTokenSecretManager secretManager)

Sets an external DelegationTokenSecretManager instance to manage creation and verification of Delegation Tokens.

This is useful for use cases where secrets must be shared across multiple services.

Parameters:

secretManager - a DelegationTokenSecretManager instance

initTokenManager

@VisibleForTesting
public void initTokenManager(java.util.Properties config)

initJsonFactory

@VisibleForTesting
public void initJsonFactory(java.util.Properties config)

destroy

public void destroy()

Specified by:

destroy in interface org.apache.hadoop.security.authentication.server.AuthenticationHandler

getType

public java.lang.String getType()

Specified by:

getType in interface org.apache.hadoop.security.authentication.server.AuthenticationHandler

isManagementOperation

protected final boolean isManagementOperation(javax.servlet.http.HttpServletRequest request)
                                       throws java.io.IOException

This method checks if the given HTTP request corresponds to a management operation.

Parameters:

request - The HTTP request

Returns:

true if the given HTTP request corresponds to a management operation false otherwise

Throws:

java.io.IOException - In case of I/O error.

managementOperation

public boolean managementOperation(org.apache.hadoop.security.authentication.server.AuthenticationToken token,
                                   javax.servlet.http.HttpServletRequest request,
                                   javax.servlet.http.HttpServletResponse response)
                            throws java.io.IOException,
                                   org.apache.hadoop.security.authentication.client.AuthenticationException

Specified by:

managementOperation in interface org.apache.hadoop.security.authentication.server.AuthenticationHandler

Throws:

java.io.IOException

org.apache.hadoop.security.authentication.client.AuthenticationException

authenticate

public org.apache.hadoop.security.authentication.server.AuthenticationToken authenticate(javax.servlet.http.HttpServletRequest request,
                                                                                         javax.servlet.http.HttpServletResponse response)
                                                                                  throws java.io.IOException,
                                                                                         org.apache.hadoop.security.authentication.client.AuthenticationException

Authenticates a request looking for the delegation query-string parameter and verifying it is a valid token. If there is not delegation query-string parameter, it delegates the authentication to the KerberosAuthenticationHandler unless it is disabled.

Specified by:

authenticate in interface org.apache.hadoop.security.authentication.server.AuthenticationHandler

Parameters:

request - the HTTP client request.

response - the HTTP client response.

Returns:

the authentication token for the authenticated request.

Throws:

java.io.IOException - thrown if an IO error occurred.

org.apache.hadoop.security.authentication.client.AuthenticationException - thrown if the authentication failed.