public class TokenStoreDelegationTokenSecretManager extends DelegationTokenSecretManager

DelegationTokenSecretManager that supports an alternative to the default in-memory token management, for fail-over and clustering, through a pluggable token store (ZooKeeper etc.). Delegation tokens are retrieved from the store on demand and (unlike the base class behavior) are not cached in memory. This avoids the complexities of keeping per-process caches consistent with token expiration. The security token is needed only at the time the transport is opened (as opposed to per interface operation). The assumption therefore is that the cost of an interprocess token retrieval (from a random-read-efficient store such as ZooKeeper) is low compared to the overhead of synchronizing per-process in-memory token caches.

The wrapper incorporates the token store abstraction within the limitations of the current Hive/Hadoop dependency (.20S) with minimum code duplication. Eventually this should be supported by Hadoop security directly.

| Modifier and Type | Class and Description |
|---|---|
| protected class | TokenStoreDelegationTokenSecretManager.ExpiredTokenRemover<br>Cloned from AbstractDelegationTokenSecretManager to deal with the private access restriction (there would be no need to clone the remover thread if the removal logic were protected/extensible). |
| Constructor and Description |
|---|
| TokenStoreDelegationTokenSecretManager(long delegationKeyUpdateInterval, long delegationTokenMaxLifetime, long delegationTokenRenewInterval, long delegationTokenRemoverScanInterval, DelegationTokenStore sharedStore) |
| Modifier and Type | Method and Description |
|---|---|
| DelegationTokenIdentifier | cancelToken(org.apache.hadoop.security.token.Token<DelegationTokenIdentifier> token, String canceller) |
| protected byte[] | createPassword(DelegationTokenIdentifier id)<br>Create the password and add it to the shared store. |
| static void | decodeWritable(org.apache.hadoop.io.Writable w, String idStr) |
| static String | encodeWritable(org.apache.hadoop.io.Writable key) |
| protected void | logUpdateMasterKey(org.apache.hadoop.security.token.delegation.DelegationKey key)<br>Synchronize master key updates / sequence generation for multiple nodes. |
| protected Map<Integer,org.apache.hadoop.security.token.delegation.DelegationKey> | reloadKeys() |
| protected void | removeExpiredTokens()<br>Remove expired tokens. |
| long | renewToken(org.apache.hadoop.security.token.Token<DelegationTokenIdentifier> token, String renewer) |
| byte[] | retrievePassword(DelegationTokenIdentifier identifier) |
| protected void | rollMasterKeyExt()<br>Extension of rollMasterKey to remove expired keys from the store. |
| void | startThreads() |
| void | stopThreads() |
Methods inherited from class DelegationTokenSecretManager:
cancelDelegationToken, createIdentifier, getDelegationToken, getTokenIdentifier, getUserFromToken, renewDelegationToken, verifyDelegationToken

Methods inherited from class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager:
addKey, addPersistedDelegationToken, checkToken, createSecretKey, decodeTokenIdentifier, getAllKeys, getCurrentKeyId, getDelegationKey, getDelegationTokenSeqNum, getTokenInfo, getTokenTrackingId, getTrackingIdIfEnabled, incrementCurrentKeyId, incrementDelegationTokenSeqNum, isRunning, logExpireToken, logExpireTokens, removeStoredMasterKey, removeStoredToken, reset, setCurrentKeyId, setDelegationTokenSeqNum, storeDelegationKey, storeNewMasterKey, storeNewToken, storeToken, updateDelegationKey, updateStoredToken, updateToken, verifyToken

Constructor Detail

```java
public TokenStoreDelegationTokenSecretManager(long delegationKeyUpdateInterval,
                                              long delegationTokenMaxLifetime,
                                              long delegationTokenRenewInterval,
                                              long delegationTokenRemoverScanInterval,
                                              DelegationTokenStore sharedStore)
```
Method Detail

```java
protected Map<Integer,org.apache.hadoop.security.token.delegation.DelegationKey> reloadKeys()
```

```java
public byte[] retrievePassword(DelegationTokenIdentifier identifier)
                        throws org.apache.hadoop.security.token.SecretManager.InvalidToken
```
Overrides: retrievePassword in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>
Throws: org.apache.hadoop.security.token.SecretManager.InvalidToken

```java
public DelegationTokenIdentifier cancelToken(org.apache.hadoop.security.token.Token<DelegationTokenIdentifier> token,
                                             String canceller)
                                      throws IOException
```
Overrides: cancelToken in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>
Throws: IOException

```java
protected byte[] createPassword(DelegationTokenIdentifier id)
```
Create the password and add it to the shared store.
Overrides: createPassword in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>

```java
public long renewToken(org.apache.hadoop.security.token.Token<DelegationTokenIdentifier> token,
                       String renewer)
                throws IOException
```
Overrides: renewToken in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>
Throws: IOException

```java
public static String encodeWritable(org.apache.hadoop.io.Writable key)
                             throws IOException
```
Throws: IOException

```java
public static void decodeWritable(org.apache.hadoop.io.Writable w,
                                  String idStr)
                           throws IOException
```
Throws: IOException

```java
protected void logUpdateMasterKey(org.apache.hadoop.security.token.delegation.DelegationKey key)
                           throws IOException
```
Synchronize master key updates / sequence generation for multiple nodes. AbstractDelegationTokenSecretManager keeps currentKey private, so we need to utilize this "hook" to manipulate the key through the object reference. This .20S workaround should cease to exist when Hadoop supports a token store.
Overrides: logUpdateMasterKey in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>
Throws: IOException

```java
public void startThreads()
                  throws IOException
```
Overrides: startThreads in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>
Throws: IOException

```java
public void stopThreads()
```
Overrides: stopThreads in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>

```java
protected void removeExpiredTokens()
```
Remove expired tokens. Cloned from AbstractDelegationTokenSecretManager logic that cannot be reused due to private method access. The logic here can deal more efficiently with an external token store by only loading into memory the minimum data needed.

```java
protected void rollMasterKeyExt()
                         throws IOException
```
Extension of rollMasterKey to remove expired keys from the store.
Throws: IOException

Copyright © 2019 The Apache Software Foundation. All Rights Reserved.