List of usage examples for org.apache.hadoop.security.token Token Token
public Token()
From source file:azkaban.security.HadoopSecurityManager_H_1_0.java
License:Apache License
@Override public synchronized void prefetchToken(final File tokenFile, final Props props, final Logger logger) throws HadoopSecurityManagerException { final String userToProxy = props.getString(USER_TO_PROXY); logger.info("Getting hadoop tokens for " + userToProxy); final Credentials cred = new Credentials(); if (props.getBoolean(OBTAIN_HCAT_TOKEN, false)) { try {//from w w w . j av a 2s. c o m logger.info("Pre-fetching Hive MetaStore token from hive"); HiveConf hiveConf = new HiveConf(); logger.info("HiveConf.ConfVars.METASTOREURIS.varname " + hiveConf.get(HiveConf.ConfVars.METASTOREURIS.varname)); logger.info("HIVE_METASTORE_SASL_ENABLED " + hiveConf.get(HIVE_METASTORE_SASL_ENABLED)); logger.info("HIVE_METASTORE_KERBEROS_PRINCIPAL " + hiveConf.get(HIVE_METASTORE_KERBEROS_PRINCIPAL)); logger.info("HIVE_METASTORE_LOCAL " + hiveConf.get(HIVE_METASTORE_LOCAL)); HiveMetaStoreClient hiveClient = new HiveMetaStoreClient(hiveConf); String hcatTokenStr = hiveClient.getDelegationToken(userToProxy, UserGroupInformation.getLoginUser().getShortUserName()); Token<DelegationTokenIdentifier> hcatToken = new Token<DelegationTokenIdentifier>(); hcatToken.decodeFromUrlString(hcatTokenStr); logger.info("Created hive metastore token: " + hcatTokenStr); logger.info("Token kind: " + hcatToken.getKind()); logger.info("Token id: " + hcatToken.getIdentifier()); logger.info("Token service: " + hcatToken.getService()); cred.addToken(hcatToken.getService(), hcatToken); } catch (Exception e) { e.printStackTrace(); logger.error("Failed to get hive metastore token." + e.getMessage() + e.getCause()); } catch (Throwable t) { t.printStackTrace(); logger.error("Failed to get hive metastore token." + t.getMessage() + t.getCause()); } } try { getProxiedUser(userToProxy).doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { getToken(userToProxy); return null; } private void getToken(String userToProxy) throws InterruptedException, IOException, HadoopSecurityManagerException { logger.info("Here is the props for " + OBTAIN_NAMENODE_TOKEN + ": " + props.getBoolean(OBTAIN_NAMENODE_TOKEN)); if (props.getBoolean(OBTAIN_NAMENODE_TOKEN, false)) { FileSystem fs = FileSystem.get(conf); // check if we get the correct FS, and most importantly, the // conf logger.info("Getting DFS token from " + fs.getUri()); Token<?> fsToken = fs.getDelegationToken(userToProxy); if (fsToken == null) { logger.error("Failed to fetch DFS token for "); throw new HadoopSecurityManagerException( "Failed to fetch DFS token for " + userToProxy); } logger.info("Created DFS token: " + fsToken.toString()); logger.info("Token kind: " + fsToken.getKind()); logger.info("Token id: " + fsToken.getIdentifier()); logger.info("Token service: " + fsToken.getService()); cred.addToken(fsToken.getService(), fsToken); } if (props.getBoolean(OBTAIN_JOBTRACKER_TOKEN, false)) { JobClient jobClient = new JobClient(new JobConf()); logger.info("Pre-fetching JT token from JobTracker"); Token<DelegationTokenIdentifier> mrdt = jobClient.getDelegationToken(new Text("mr token")); if (mrdt == null) { logger.error("Failed to fetch JT token"); throw new HadoopSecurityManagerException("Failed to fetch JT token for " + userToProxy); } logger.info("Created JT token: " + mrdt.toString()); logger.info("Token kind: " + mrdt.getKind()); logger.info("Token id: " + mrdt.getIdentifier()); logger.info("Token service: " + mrdt.getService()); cred.addToken(mrdt.getService(), mrdt); } } }); FileOutputStream fos = null; DataOutputStream dos = null; try { fos = new FileOutputStream(tokenFile); dos = new DataOutputStream(fos); cred.writeTokenStorageToStream(dos); } finally { if (dos != null) { dos.close(); } if (fos != null) { fos.close(); } } // stash them to cancel after use. logger.info("Tokens loaded in " + tokenFile.getAbsolutePath()); } catch (Exception e) { e.printStackTrace(); throw new HadoopSecurityManagerException( "Failed to get hadoop tokens! " + e.getMessage() + e.getCause()); } catch (Throwable t) { t.printStackTrace(); throw new HadoopSecurityManagerException( "Failed to get hadoop tokens! " + t.getMessage() + t.getCause()); } }
From source file:azkaban.security.HadoopSecurityManager_H_2_0.java
License:Apache License
/** * function to fetch hcat token as per the specified hive configuration and * then store the token in to the credential store specified . * * @param userToProxy String value indicating the name of the user the token * will be fetched for./*from w w w . ja va 2 s . c om*/ * @param hiveConf the configuration based off which the hive client will be * initialized. * @param logger the logger instance which writes the logging content to the * job logs. * * @throws IOException * @throws TException * @throws MetaException * * */ private Token<DelegationTokenIdentifier> fetchHcatToken(String userToProxy, HiveConf hiveConf, String tokenSignatureOverwrite, final Logger logger) throws IOException, MetaException, TException { logger.info(HiveConf.ConfVars.METASTOREURIS.varname + ": " + hiveConf.get(HiveConf.ConfVars.METASTOREURIS.varname)); logger.info(HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL.varname + ": " + hiveConf.get(HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL.varname)); logger.info(HiveConf.ConfVars.METASTORE_KERBEROS_PRINCIPAL.varname + ": " + hiveConf.get(HiveConf.ConfVars.METASTORE_KERBEROS_PRINCIPAL.varname)); HiveMetaStoreClient hiveClient = new HiveMetaStoreClient(hiveConf); String hcatTokenStr = hiveClient.getDelegationToken(userToProxy, UserGroupInformation.getLoginUser().getShortUserName()); Token<DelegationTokenIdentifier> hcatToken = new Token<DelegationTokenIdentifier>(); hcatToken.decodeFromUrlString(hcatTokenStr); // overwrite the value of the service property of the token if the signature // override is specified. if (tokenSignatureOverwrite != null && tokenSignatureOverwrite.trim().length() > 0) { hcatToken.setService(new Text(tokenSignatureOverwrite.trim().toLowerCase())); logger.info(HIVE_TOKEN_SIGNATURE_KEY + ":" + (tokenSignatureOverwrite == null ? "" : tokenSignatureOverwrite)); } logger.info("Created hive metastore token: " + hcatTokenStr); logger.info("Token kind: " + hcatToken.getKind()); logger.info("Token id: " + hcatToken.getIdentifier()); logger.info("Token service: " + hcatToken.getService()); return hcatToken; }
From source file:co.cask.cdap.explore.security.HiveTokenUtils.java
License:Apache License
public static Credentials obtainToken(Credentials credentials) { ClassLoader hiveClassloader = ExploreServiceUtils.getExploreClassLoader(); ClassLoader contextClassloader = Thread.currentThread().getContextClassLoader(); Thread.currentThread().setContextClassLoader(hiveClassloader); try {//from w w w.j a va 2s . com LOG.info("Obtaining delegation token for Hive"); Class hiveConfClass = hiveClassloader.loadClass("org.apache.hadoop.hive.conf.HiveConf"); Object hiveConf = hiveConfClass.newInstance(); Class hiveClass = hiveClassloader.loadClass("org.apache.hadoop.hive.ql.metadata.Hive"); @SuppressWarnings("unchecked") Method hiveGet = hiveClass.getMethod("get", hiveConfClass); Object hiveObject = hiveGet.invoke(null, hiveConf); String user = UserGroupInformation.getCurrentUser().getShortUserName(); @SuppressWarnings("unchecked") Method getDelegationToken = hiveClass.getMethod("getDelegationToken", String.class, String.class); String tokenStr = (String) getDelegationToken.invoke(hiveObject, user, user); Token<DelegationTokenIdentifier> delegationToken = new Token<>(); delegationToken.decodeFromUrlString(tokenStr); delegationToken.setService(new Text(HiveAuthFactory.HS2_CLIENT_TOKEN)); LOG.info("Adding delegation token {} from MetaStore for service {} for user {}", delegationToken, delegationToken.getService(), user); credentials.addToken(delegationToken.getService(), delegationToken); return credentials; } catch (Exception e) { LOG.error("Exception when fetching delegation token from Hive MetaStore", e); throw Throwables.propagate(e); } finally { Thread.currentThread().setContextClassLoader(contextClassloader); } }
From source file:co.cask.cdap.security.hive.HiveTokenUtils.java
License:Apache License
public static Credentials obtainToken(Credentials credentials) { ClassLoader hiveClassloader = ExploreUtils.getExploreClassloader(); ClassLoader contextClassloader = Thread.currentThread().getContextClassLoader(); Thread.currentThread().setContextClassLoader(hiveClassloader); try {// w w w.j a v a 2 s. com LOG.info("Obtaining delegation token for Hive"); Class hiveConfClass = hiveClassloader.loadClass("org.apache.hadoop.hive.conf.HiveConf"); Object hiveConf = hiveConfClass.newInstance(); Class hiveClass = hiveClassloader.loadClass("org.apache.hadoop.hive.ql.metadata.Hive"); @SuppressWarnings("unchecked") Method hiveGet = hiveClass.getMethod("get", hiveConfClass); Object hiveObject = hiveGet.invoke(null, hiveConf); String user = UserGroupInformation.getCurrentUser().getShortUserName(); @SuppressWarnings("unchecked") Method getDelegationToken = hiveClass.getMethod("getDelegationToken", String.class, String.class); String tokenStr = (String) getDelegationToken.invoke(hiveObject, user, user); Token<DelegationTokenIdentifier> delegationToken = new Token<>(); delegationToken.decodeFromUrlString(tokenStr); delegationToken.setService(new Text(HiveAuthFactory.HS2_CLIENT_TOKEN)); LOG.info("Adding delegation token {} from MetaStore for service {} for user {}", delegationToken, delegationToken.getService(), user); credentials.addToken(delegationToken.getService(), delegationToken); return credentials; } catch (Exception e) { LOG.error("Exception when fetching delegation token from Hive MetaStore", e); throw Throwables.propagate(e); } finally { Thread.currentThread().setContextClassLoader(contextClassloader); } }
From source file:com.bigstep.datalake.JsonUtil.java
License:Apache License
/** * Convert a Json map to a Token./*w w w .j av a 2s .c o m*/ * @param m json map of the input * @return the token * @throws IOException */ public static Token<? extends TokenIdentifier> toToken(final Map<?, ?> m) throws IOException { if (m == null) { return null; } final Token<DelegationTokenIdentifier> token = new Token<DelegationTokenIdentifier>(); token.decodeFromUrlString((String) m.get("urlString")); return token; }
From source file:com.cloudera.hue.CredentialsMerger.java
License:Apache License
/** * Merge several credentials files into one. Give the desired output file * first, followed by all of the input files. * * <p>File formats are tried in this order: TokenStorageFile, urlEncodedString. * </p>/*w ww. j a v a 2s. com*/ * * @param args <out> <in1> ... * @throws IOException in the event of an error reading or writing files. */ public static void main(String[] args) throws IOException { if (args.length < 2) { printUsage(); System.exit(1); } Path outputFile = new Path("file://" + new File(args[0]).getAbsolutePath()); Configuration conf = new Configuration(); Credentials credentials = new Credentials(); for (int i = 1; i < args.length; i++) { try { Credentials singleFileCredentials = Credentials .readTokenStorageFile(new Path("file://" + new File(args[i]).getAbsolutePath()), conf); credentials.addAll(singleFileCredentials); } catch (IOException e) { BufferedReader reader = new BufferedReader(new FileReader(args[i])); try { // Retry to read the token with an encodedUrl format Token<?> token = new Token(); String encodedtoken = reader.readLine(); token.decodeFromUrlString(encodedtoken); credentials.addToken(new Text(args[i]), token); } finally { reader.close(); } } } credentials.writeTokenStorageFile(outputFile, conf); }
From source file:com.cloudera.impala.security.DelegationTokenSecretManager.java
License:Apache License
public Token<DelegationTokenIdentifier> tokenFromString(String tokenStr) throws IOException { Token<DelegationTokenIdentifier> token = new Token<DelegationTokenIdentifier>(); try {/*from w w w . j av a 2 s .co m*/ token.decodeFromUrlString(tokenStr); } catch (IOException e) { throw new InvalidToken("Token is corrupt."); } return token; }
From source file:com.cloudera.impala.security.DelegationTokenTest.java
License:Apache License
@Test public void TestStartSecretManager() throws IOException { DelegationTokenSecretManager mgr = new DelegationTokenSecretManager(0, 60 * 60 * 1000, 60 * 60 * 1000, 0); mgr.startThreads();//from w w w . j a v a2 s . c om String userName = UserGroupInformation.getCurrentUser().getUserName(); // Create a token for user. String tokenStrForm = mgr.getDelegationToken(userName); Token<DelegationTokenIdentifier> t = new Token<DelegationTokenIdentifier>(); t.decodeFromUrlString(tokenStrForm); // Check the token contains the proper username. DelegationTokenIdentifier d = new DelegationTokenIdentifier(); d.readFields(new DataInputStream(new ByteArrayInputStream(t.getIdentifier()))); assertTrue("Usernames don't match", userName.equals(d.getUser().getShortUserName())); assertEquals(d.getSequenceNumber(), 1); byte[] password = mgr.retrievePassword(d); assertEquals(password.length, t.getPassword().length); for (int i = 0; i < t.getPassword().length; ++i) { assertEquals(t.getPassword()[i], password[i]); } mgr.stopThreads(); }
From source file:com.cloudera.impala.security.DelegationTokenTest.java
License:Apache License
private void testTokenManager(boolean useZK) throws IOException { String userName = UserGroupInformation.getCurrentUser().getUserName(); Configuration config = new Configuration(); ZooKeeperSession zk = null;//ww w . ja va2 s . c o m if (useZK) { config.set(ZooKeeperSession.ZOOKEEPER_CONNECTION_STRING_CONF, ZOOKEEPER_HOSTPORT); config.set(ZooKeeperSession.ZOOKEEPER_STORE_ACL_CONF, ZOOKEEPER_ACL); zk = new ZooKeeperSession(config, "test", 1, 1); } DelegationTokenManager mgr = new DelegationTokenManager(config, true, zk); // Create two tokens byte[] token1 = mgr.getToken(userName, userName, userName).token; byte[] token2 = mgr.getToken(userName, userName, null).token; // Retrieve the passwords by token. Although the token contains the // password, this retrieves it using just the identifier. byte[] password1 = mgr.getPasswordByToken(token1); byte[] password2 = mgr.getPasswordByToken(token2); // Make sure it matches the password in token and doesn't match the password for // the other token. Token<DelegationTokenIdentifier> t1 = new Token<DelegationTokenIdentifier>(); t1.decodeFromUrlString(new String(token1)); assertTrue(Arrays.equals(t1.getPassword(), password1)); assertFalse(Arrays.equals(t1.getPassword(), password2)); // Get the password from just the identifier. This does not contain the password // but the server stores it. DelegationTokenIdentifier id1 = new DelegationTokenIdentifier(); id1.readFields(new DataInputStream(new ByteArrayInputStream(t1.getIdentifier()))); byte[] serializedId1 = Base64.encodeBase64(id1.serialize()); assertTrue(serializedId1.length < token1.length); // Retrieve the password from the manager by serialized id. DelegationTokenManager.UserPassword userPw = mgr.retrieveUserPassword(new String(serializedId1)); assertTrue(Arrays.equals(password1, Base64.decodeBase64(userPw.password))); assertEquals(userName, userPw.user); // Cancel token2, token1 should continue to work fine. mgr.cancelToken(userName, token2); assertTrue(Arrays.equals(mgr.getPasswordByToken(token1), password1)); // Renew token1, should continue to work. mgr.renewToken(userName, token1); assertTrue(Arrays.equals(mgr.getPasswordByToken(token1), password1)); // Cancel token1, should fail to get password for it. mgr.cancelToken(userName, token1); boolean exceptionThrown = false; try { mgr.getPasswordByToken(token1); } catch (IOException e) { exceptionThrown = true; assertTrue(e.getMessage().contains("can't be found")); } catch (TokenStoreException e) { exceptionThrown = true; assertTrue(e.getMessage(), e.getMessage().contains("Token does not exist")); } assertTrue(exceptionThrown); // Try to renew. exceptionThrown = false; try { mgr.renewToken(userName, token1); } catch (IOException e) { exceptionThrown = true; assertTrue(e.getMessage().contains("Renewal request for unknown token")); } catch (TokenStoreException e) { exceptionThrown = true; assertTrue(e.getMessage(), e.getMessage().contains("Token does not exist")); } assertTrue(exceptionThrown); // Try to cancel. try { mgr.cancelToken(userName, token1); } catch (IOException e) { // Depending on the underlying store (ZK vs in mem), we will throw an exception // or silently fail. Having cancel be idempotent is reasonable and the ZK // behavior. assertTrue(e.getMessage().contains("Token not found")); } // Try a corrupt token. exceptionThrown = false; try { mgr.cancelToken(userName, new byte[100]); } catch (IOException e) { exceptionThrown = true; assertTrue(e.getMessage().contains("Token is corrupt.")); } assertTrue(exceptionThrown); }
From source file:com.cloudera.recordservice.hcatalog.common.TestHCatRSUtil.java
License:Apache License
@Test public void copyCredentialsToJobConfTest() { JobConf conf = new JobConf(); Credentials cred = new Credentials(); cred.addToken(new Text("Alias"), new Token<TokenIdentifier>()); HCatRSUtil.copyCredentialsToJobConf(cred, conf); assertEquals(1, conf.getCredentials().numberOfTokens()); }