public class TokenStoreDelegationTokenSecretManager extends DelegationTokenSecretManager

Extends DelegationTokenSecretManager to support an alternative to the default in-memory token management, enabling fail-over and clustering through a pluggable token store (ZooKeeper etc.). Delegation tokens are retrieved from the store on demand and (unlike the base class behavior) are not cached in memory. This avoids complexities related to token expiration. The security token is needed only at the time the transport is opened (as opposed to per interface operation). The assumption therefore is that interprocess token retrieval (from a store that is efficient at random reads, such as ZooKeeper) is cheap compared to the overhead of synchronizing per-process in-memory token caches.

The wrapper incorporates the token store abstraction within the limitations of the current Hive/Hadoop dependency (.20S) with minimum code duplication. Eventually this should be supported by Hadoop security directly.

Modifier and Type | Class and Description |
---|---|
protected class | TokenStoreDelegationTokenSecretManager.ExpiredTokenRemover Cloned from AbstractDelegationTokenSecretManager to deal with private access restriction (there would not be a need to clone the remove thread if the remove logic was protected/extensible). |
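
The class description above argues for reading tokens from a shared store on every check instead of keeping a per-process cache. The following is an added example, not code from Hive or Hadoop: a toy model in which `STORE`, `Entry`, `Node` and the key are hypothetical, showing that a password created on one node verifies on another and that a cancellation on one node takes effect on the other immediately.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Toy model of a store-backed secret manager. All names here are hypothetical.
public class SharedStoreTokenDemo {
    static final class Entry {
        final byte[] password; final long expiresAt;
        Entry(byte[] password, long expiresAt) { this.password = password; this.expiresAt = expiresAt; }
    }
    // Stands in for the external store (ZooKeeper etc.), shared by every node.
    static final Map<String, Entry> STORE = new ConcurrentHashMap<>();

    static final class Node {
        private final byte[] masterKey; // constructed demo key
        Node(byte[] masterKey) { this.masterKey = masterKey; }

        // Create the password and add it to the shared store.
        byte[] createPassword(String id, long expiresAt) throws Exception {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(masterKey, "HmacSHA256"));
            byte[] pw = mac.doFinal(id.getBytes(StandardCharsets.UTF_8));
            STORE.put(id, new Entry(pw, expiresAt));
            return pw;
        }
        // Read the store on every check; nothing is cached in this process.
        boolean verify(String id, byte[] presented, long now) {
            Entry e = STORE.get(id);
            if (e == null || e.expiresAt <= now) return false; // cancelled or expired
            return MessageDigest.isEqual(e.password, presented); // constant-time compare
        }
        void cancel(String id) { STORE.remove(id); }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        Node a = new Node(key), b = new Node(key);
        long now = System.currentTimeMillis();
        byte[] pw = a.createPassword("alice#1", now + 60_000);
        System.out.println("issued on A, valid on B: " + b.verify("alice#1", pw, now));
        System.out.println("wrong password on B:     " + b.verify("alice#1", new byte[32], now));
        System.out.println("valid after expiry:      " + a.verify("alice#1", pw, now + 60_000));
        b.cancel("alice#1");
        System.out.println("cancelled on B, valid on A: " + a.verify("alice#1", pw, now));
    }
}
```
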
Constructor and Description |
---|
TokenStoreDelegationTokenSecretManager(long delegationKeyUpdateInterval, long delegationTokenMaxLifetime, long delegationTokenRenewInterval, long delegationTokenRemoverScanInterval, DelegationTokenStore sharedStore) |

Modifier and Type | Method and Description |
---|---|
DelegationTokenIdentifier | cancelToken(org.apache.hadoop.security.token.Token<DelegationTokenIdentifier> token, String canceller) |
protected byte[] | createPassword(DelegationTokenIdentifier id) Create the password and add it to shared store. |
static void | decodeWritable(org.apache.hadoop.io.Writable w, String idStr) |
static String | encodeWritable(org.apache.hadoop.io.Writable key) |
protected DelegationTokenIdentifier | getTokenIdentifier(org.apache.hadoop.security.token.Token<DelegationTokenIdentifier> token) |
protected void | logUpdateMasterKey(org.apache.hadoop.security.token.delegation.DelegationKey key) Synchronize master key updates / sequence generation for multiple nodes. |
protected Map<Integer,org.apache.hadoop.security.token.delegation.DelegationKey> | reloadKeys() |
protected void | removeExpiredTokens() Remove expired tokens. |
long | renewToken(org.apache.hadoop.security.token.Token<DelegationTokenIdentifier> token, String renewer) |
byte[] | retrievePassword(DelegationTokenIdentifier identifier) |
protected void | rollMasterKeyExt() Extension of rollMasterKey to remove expired keys from store. |
void | startThreads() |
void | stopThreads() |

cancelDelegationToken, createIdentifier, getDelegationToken, getUserFromToken, renewDelegationToken
addKey, addPersistedDelegationToken, checkToken, createSecretKey, decodeTokenIdentifier, getAllKeys, getCurrentKeyId, getDelegationKey, getDelegationTokenSeqNum, getTokenInfo, getTokenTrackingId, getTrackingIdIfEnabled, incrementCurrentKeyId, incrementDelegationTokenSeqNum, isRunning, logExpireToken, removeStoredMasterKey, removeStoredToken, reset, setCurrentKeyId, setDelegationTokenSeqNum, storeDelegationKey, storeNewMasterKey, storeNewToken, storeToken, updateDelegationKey, updateStoredToken, updateToken, verifyToken

public TokenStoreDelegationTokenSecretManager(long delegationKeyUpdateInterval, long delegationTokenMaxLifetime, long delegationTokenRenewInterval, long delegationTokenRemoverScanInterval, DelegationTokenStore sharedStore)

protected DelegationTokenIdentifier getTokenIdentifier(org.apache.hadoop.security.token.Token<DelegationTokenIdentifier> token) throws IOException
Throws: IOException

protected Map<Integer,org.apache.hadoop.security.token.delegation.DelegationKey> reloadKeys()

public byte[] retrievePassword(DelegationTokenIdentifier identifier) throws org.apache.hadoop.security.token.SecretManager.InvalidToken
Overrides: retrievePassword in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>
Throws: org.apache.hadoop.security.token.SecretManager.InvalidToken

public DelegationTokenIdentifier cancelToken(org.apache.hadoop.security.token.Token<DelegationTokenIdentifier> token, String canceller) throws IOException
Overrides: cancelToken in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>
Throws: IOException

protected byte[] createPassword(DelegationTokenIdentifier id)
Overrides: createPassword in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>

public long renewToken(org.apache.hadoop.security.token.Token<DelegationTokenIdentifier> token, String renewer) throws org.apache.hadoop.security.token.SecretManager.InvalidToken, IOException
Overrides: renewToken in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>
Throws: org.apache.hadoop.security.token.SecretManager.InvalidToken, IOException

public static String encodeWritable(org.apache.hadoop.io.Writable key) throws IOException
Throws: IOException

public static void decodeWritable(org.apache.hadoop.io.Writable w, String idStr) throws IOException
Throws: IOException

protected void logUpdateMasterKey(org.apache.hadoop.security.token.delegation.DelegationKey key) throws IOException
Overrides: logUpdateMasterKey in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>
Throws: IOException

public void startThreads() throws IOException
Overrides: startThreads in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>
Throws: IOException

public void stopThreads()
Overrides: stopThreads in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>

protected void removeExpiredTokens()
Remove expired tokens. Replaces logic in AbstractDelegationTokenSecretManager that cannot be reused due to private method access. Logic here can more efficiently deal with an external token store by loading into memory only the minimum data needed.

protected void rollMasterKeyExt() throws IOException
Throws: IOException

Copyright © 2017 The Apache Software Foundation. All rights reserved.