From ktur...@apache.org
Subject [32/50] ACCUMULO-1132 Provide AuthenticationToken type for system user
Date Tue, 23 Jul 2013 16:54:57 GMT
http://git-wip-us.apache.org/repos/asf/accumulo/blob/a943f323/server/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java b/server/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
index e948894..2b98331 100644
--- a/server/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
+++ b/server/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
@@ -103,12 +103,7 @@ public class SecurityOperation {
     return toRet;
   }
   
-  /**
-   * 
-   * @deprecated not for client use
-   */
-  @Deprecated
-  public SecurityOperation(String instanceId) {
+  protected SecurityOperation(String instanceId) {
     ZKUserPath = Constants.ZROOT + "/" + instanceId + "/users";
     zooCache = new ZooCache();
   }
@@ -128,7 +123,7 @@ public class SecurityOperation {
   public void initializeSecurity(TCredentials credentials, String rootPrincipal, byte[] token) throws AccumuloSecurityException, ThriftSecurityException {
     authenticate(credentials);
     
-    if (!credentials.getPrincipal().equals(SecurityConstants.SYSTEM_PRINCIPAL))
+    if (!isSystemUser(credentials))
       throw new AccumuloSecurityException(credentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
     
     authenticator.initializeSecurity(credentials, rootPrincipal, token);
@@ -148,27 +143,34 @@ public class SecurityOperation {
     return rootUserName;
   }
   
+  public boolean isSystemUser(TCredentials credentials) {
+    return SystemCredentials.get().getToken().getClass().getName().equals(credentials.getTokenClassName());
+  }
+  
   private void authenticate(TCredentials credentials) throws ThriftSecurityException {
     if (!credentials.getInstanceId().equals(HdfsZooInstance.getInstance().getInstanceID()))
       throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.INVALID_INSTANCEID);
     
-    if (SecurityConstants.getSystemCredentials().equals(credentials))
-      return;
-    else if (credentials.getPrincipal().equals(SecurityConstants.SYSTEM_PRINCIPAL)) {
-      throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.BAD_CREDENTIALS);
-    }
-    
-    try {
-      AuthenticationToken token = reassembleToken(credentials);
-      if (!authenticator.authenticateUser(credentials.getPrincipal(), token)) {
-        throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.BAD_CREDENTIALS);
+    if (isSystemUser(credentials)) {
+      authenticateSystemUser(credentials);
+    } else {
+      try {
+        AuthenticationToken token = reassembleToken(credentials);
+        if (!authenticator.authenticateUser(credentials.getPrincipal(), token)) {
+          throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.BAD_CREDENTIALS);
+        }
+      } catch (AccumuloSecurityException e) {
+        log.debug(e);
+        throw e.asThriftException();
       }
-    } catch (AccumuloSecurityException e) {
-      log.debug(e);
-      throw e.asThriftException();
     }
   }
   
+  private void authenticateSystemUser(TCredentials credentials) throws ThriftSecurityException {
+    if (SystemCredentials.get().getToken().equals(credentials.getToken()))
+      throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.BAD_CREDENTIALS);
+  }
+  
   public boolean canAskAboutUser(TCredentials credentials, String user) throws ThriftSecurityException {
     // Authentication done in canPerformSystemActions
     if (!(canPerformSystemActions(credentials) || credentials.getPrincipal().equals(user)))
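Review bot: The new `authenticateSystemUser` throws BAD_CREDENTIALS when the presented token equals the system token, so read literally a matching token is rejected and any other token passes; the condition looks inverted. `isSystemUser` decides on `credentials.getTokenClassName()` alone, which is a caller-supplied string, and the credential-based `hasSystemPermission`/`hasTablePermission` overloads added in later hunks return true on that check, so this method is the only barrier between a claimed class name and full system rights. It also compares an `AuthenticationToken` with `credentials.getToken()`, which is presumably the serialized form (the non-system branch goes through `reassembleToken` first); if so, `equals` can never be true and the check does nothing either way. I would negate the test and compare against the deserialized token, e.g. `if (!SystemCredentials.get().getToken().equals(presentedToken))` with `presentedToken` rebuilt from the credentials, and add a unit test showing that credentials carrying the system token class name but a wrong token are refused.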
@@ -178,7 +180,7 @@ public class SecurityOperation {
   
   public boolean authenticateUser(TCredentials credentials, TCredentials toAuth) throws ThriftSecurityException {
     canAskAboutUser(credentials, toAuth.getPrincipal());
-    // User is already authenticated from canAskAboutUser, this gets around issues with !SYSTEM user
+    // User is already authenticated from canAskAboutUser
     if (credentials.equals(toAuth))
       return true;
     try {
@@ -189,11 +191,6 @@ public class SecurityOperation {
     }
   }
   
-  /**
-   * @param toAuth
-   * @return
-   * @throws AccumuloSecurityException
-   */
   private AuthenticationToken reassembleToken(TCredentials toAuth) throws AccumuloSecurityException {
     String tokenClass = toAuth.getTokenClassName();
     if (authenticator.validTokenClass(tokenClass)) {
@@ -207,13 +204,9 @@ public class SecurityOperation {
     
     targetUserExists(user);
     
-    if (!credentials.getPrincipal().equals(user) && !hasSystemPermission(credentials.getPrincipal(), SystemPermission.SYSTEM, false))
+    if (!credentials.getPrincipal().equals(user) && !hasSystemPermission(credentials, SystemPermission.SYSTEM, false))
       throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
     
-    // system user doesn't need record-level authorizations for the tables it reads (for now)
-    if (user.equals(SecurityConstants.SYSTEM_PRINCIPAL))
-      return Authorizations.EMPTY;
-    
     try {
       return authorizor.getCachedUserAuthorizations(user);
     } catch (AccumuloSecurityException e) {
@@ -222,6 +215,11 @@ public class SecurityOperation {
   }
   
   public Authorizations getUserAuthorizations(TCredentials credentials) throws ThriftSecurityException {
+    // system user doesn't need record-level authorizations for the tables it reads
+    if (isSystemUser(credentials)) {
+      authenticate(credentials);
+      return Authorizations.EMPTY;
+    }
     return getUserAuthorizations(credentials, credentials.getPrincipal());
   }
   
@@ -230,8 +228,20 @@ public class SecurityOperation {
    * 
    * @return true if a user exists and has permission; false otherwise
    */
-  private boolean hasSystemPermission(String user, SystemPermission permission, boolean useCached) throws ThriftSecurityException {
-    if (user.equals(getRootUsername()) || user.equals(SecurityConstants.SYSTEM_PRINCIPAL))
+  private boolean hasSystemPermission(TCredentials credentials, SystemPermission permission, boolean useCached) throws ThriftSecurityException {
+    if (isSystemUser(credentials))
+      return true;
+    return _hasSystemPermission(credentials.getPrincipal(), permission, useCached);
+  }
+  
+  /**
+   * Checks if a user has a system permission<br/>
+   * This cannot check if a system user has permission.
+   * 
+   * @return true if a user exists and has permission; false otherwise
+   */
+  private boolean _hasSystemPermission(String user, SystemPermission permission, boolean useCached) throws ThriftSecurityException {
+    if (user.equals(getRootUsername()))
       return true;
     
     targetUserExists(user);
@@ -250,10 +260,19 @@ public class SecurityOperation {
    * 
    * @return true if a user exists and has permission; false otherwise
    */
-  protected boolean hasTablePermission(String user, String table, TablePermission permission, boolean useCached) throws ThriftSecurityException {
-    if (user.equals(SecurityConstants.SYSTEM_PRINCIPAL))
+  protected boolean hasTablePermission(TCredentials credentials, String table, TablePermission permission, boolean useCached) throws ThriftSecurityException {
+    if (isSystemUser(credentials))
       return true;
-    
+    return _hasTablePermission(credentials.getPrincipal(), table, permission, useCached);
+  }
+  
+  /**
+   * Checks if a user has a table permission<br/>
+   * This cannot check if a system user has permission.
+   * 
+   * @return true if a user exists and has permission; false otherwise
+   */
+  protected boolean _hasTablePermission(String user, String table, TablePermission permission, boolean useCached) throws ThriftSecurityException {
     targetUserExists(user);
     
     if ((table.equals(MetadataTable.ID) || table.equals(RootTable.ID)) && permission.equals(TablePermission.READ))
@@ -273,16 +292,14 @@ public class SecurityOperation {
   // some people just aren't allowed to ask about other users; here are those who can ask
   private boolean canAskAboutOtherUsers(TCredentials credentials, String user) throws ThriftSecurityException {
     authenticate(credentials);
-    return credentials.getPrincipal().equals(user) || hasSystemPermission(credentials.getPrincipal(), SystemPermission.SYSTEM, false)
-        || hasSystemPermission(credentials.getPrincipal(), SystemPermission.CREATE_USER, false)
-        || hasSystemPermission(credentials.getPrincipal(), SystemPermission.ALTER_USER, false)
-        || hasSystemPermission(credentials.getPrincipal(), SystemPermission.DROP_USER, false);
+    return credentials.getPrincipal().equals(user) || hasSystemPermission(credentials, SystemPermission.SYSTEM, false)
+        || hasSystemPermission(credentials, SystemPermission.CREATE_USER, false) || hasSystemPermission(credentials, SystemPermission.ALTER_USER, false)
+        || hasSystemPermission(credentials, SystemPermission.DROP_USER, false);
   }
   
   private void targetUserExists(String user) throws ThriftSecurityException {
-    if (user.equals(SecurityConstants.SYSTEM_PRINCIPAL) || user.equals(getRootUsername()))
+    if (user.equals(getRootUsername()))
       return;
-    
     try {
       if (!authenticator.userExists(user))
         throw new ThriftSecurityException(user, SecurityErrorCode.USER_DOESNT_EXIST);
@@ -293,7 +310,7 @@ public class SecurityOperation {
   
   public boolean canScan(TCredentials credentials, String table) throws ThriftSecurityException {
     authenticate(credentials);
-    return hasTablePermission(credentials.getPrincipal(), table, TablePermission.READ, true);
+    return hasTablePermission(credentials, table, TablePermission.READ, true);
   }
   
   public boolean canScan(TCredentials credentials, String table, TRange range, List<TColumn> columns, List<IterInfo> ssiList,
@@ -308,14 +325,13 @@ public class SecurityOperation {
   
   public boolean canWrite(TCredentials credentials, String table) throws ThriftSecurityException {
     authenticate(credentials);
-    return hasTablePermission(credentials.getPrincipal(), table, TablePermission.WRITE, true);
+    return hasTablePermission(credentials, table, TablePermission.WRITE, true);
   }
   
   public boolean canSplitTablet(TCredentials credentials, String table) throws ThriftSecurityException {
     authenticate(credentials);
-    return hasSystemPermission(credentials.getPrincipal(), SystemPermission.ALTER_TABLE, false)
-        || hasSystemPermission(credentials.getPrincipal(), SystemPermission.SYSTEM, false)
-        || hasTablePermission(credentials.getPrincipal(), table, TablePermission.ALTER_TABLE, false);
+    return hasSystemPermission(credentials, SystemPermission.ALTER_TABLE, false) || hasSystemPermission(credentials, SystemPermission.SYSTEM, false)
+        || hasTablePermission(credentials, table, TablePermission.ALTER_TABLE, false);
   }
   
   /**
@@ -323,19 +339,17 @@ public class SecurityOperation {
    */
   public boolean canPerformSystemActions(TCredentials credentials) throws ThriftSecurityException {
     authenticate(credentials);
-    return hasSystemPermission(credentials.getPrincipal(), SystemPermission.SYSTEM, false);
+    return hasSystemPermission(credentials, SystemPermission.SYSTEM, false);
   }
   
   public boolean canFlush(TCredentials c, String tableId) throws ThriftSecurityException {
     authenticate(c);
-    return hasTablePermission(c.getPrincipal(), tableId, TablePermission.WRITE, false)
-        || hasTablePermission(c.getPrincipal(), tableId, TablePermission.ALTER_TABLE, false);
+    return hasTablePermission(c, tableId, TablePermission.WRITE, false) || hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false);
   }
   
   public boolean canAlterTable(TCredentials c, String tableId) throws ThriftSecurityException {
     authenticate(c);
-    return hasTablePermission(c.getPrincipal(), tableId, TablePermission.ALTER_TABLE, false)
-        || hasSystemPermission(c.getPrincipal(), SystemPermission.ALTER_TABLE, false);
+    return hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false) || hasSystemPermission(c, SystemPermission.ALTER_TABLE, false);
   }
   
   public boolean canCreateTable(TCredentials c, String tableName) throws ThriftSecurityException {
@@ -344,42 +358,39 @@ public class SecurityOperation {
   
   public boolean canCreateTable(TCredentials c) throws ThriftSecurityException {
     authenticate(c);
-    return hasSystemPermission(c.getPrincipal(), SystemPermission.CREATE_TABLE, false);
+    return hasSystemPermission(c, SystemPermission.CREATE_TABLE, false);
   }
   
   public boolean canRenameTable(TCredentials c, String tableId, String oldTableName, String newTableName) throws ThriftSecurityException {
     authenticate(c);
-    return hasSystemPermission(c.getPrincipal(), SystemPermission.ALTER_TABLE, false)
-        || hasTablePermission(c.getPrincipal(), tableId, TablePermission.ALTER_TABLE, false);
+    return hasSystemPermission(c, SystemPermission.ALTER_TABLE, false) || hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false);
   }
   
   public boolean canCloneTable(TCredentials c, String tableId, String tableName) throws ThriftSecurityException {
     authenticate(c);
-    return hasSystemPermission(c.getPrincipal(), SystemPermission.CREATE_TABLE, false)
-        && hasTablePermission(c.getPrincipal(), tableId, TablePermission.READ, false);
+    return hasSystemPermission(c, SystemPermission.CREATE_TABLE, false) && hasTablePermission(c, tableId, TablePermission.READ, false);
   }
   
   public boolean canDeleteTable(TCredentials c, String tableId) throws ThriftSecurityException {
     authenticate(c);
-    return hasSystemPermission(c.getPrincipal(), SystemPermission.DROP_TABLE, false)
-        || hasTablePermission(c.getPrincipal(), tableId, TablePermission.DROP_TABLE, false);
+    return hasSystemPermission(c, SystemPermission.DROP_TABLE, false) || hasTablePermission(c, tableId, TablePermission.DROP_TABLE, false);
   }
   
   public boolean canOnlineOfflineTable(TCredentials c, String tableId, TableOperation op) throws ThriftSecurityException {
     authenticate(c);
-    return hasSystemPermission(c.getPrincipal(), SystemPermission.SYSTEM, false) || hasSystemPermission(c.getPrincipal(), SystemPermission.ALTER_TABLE, false)
-        || hasTablePermission(c.getPrincipal(), tableId, TablePermission.ALTER_TABLE, false);
+    return hasSystemPermission(c, SystemPermission.SYSTEM, false) || hasSystemPermission(c, SystemPermission.ALTER_TABLE, false)
+        || hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false);
   }
   
   public boolean canMerge(TCredentials c, String tableId) throws ThriftSecurityException {
     authenticate(c);
-    return hasSystemPermission(c.getPrincipal(), SystemPermission.SYSTEM, false) || hasSystemPermission(c.getPrincipal(), SystemPermission.ALTER_TABLE, false)
-        || hasTablePermission(c.getPrincipal(), tableId, TablePermission.ALTER_TABLE, false);
+    return hasSystemPermission(c, SystemPermission.SYSTEM, false) || hasSystemPermission(c, SystemPermission.ALTER_TABLE, false)
+        || hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false);
   }
   
   public boolean canDeleteRange(TCredentials c, String tableId, String tableName, Text startRow, Text endRow) throws ThriftSecurityException {
     authenticate(c);
-    return hasSystemPermission(c.getPrincipal(), SystemPermission.SYSTEM, false) || hasTablePermission(c.getPrincipal(), tableId, TablePermission.WRITE, false);
+    return hasSystemPermission(c, SystemPermission.SYSTEM, false) || hasTablePermission(c, tableId, TablePermission.WRITE, false);
   }
   
   public boolean canBulkImport(TCredentials c, String tableId, String tableName, String dir, String failDir) throws ThriftSecurityException {
@@ -388,98 +399,66 @@ public class SecurityOperation {
   
   public boolean canBulkImport(TCredentials c, String tableId) throws ThriftSecurityException {
     authenticate(c);
-    return hasTablePermission(c.getPrincipal(), tableId, TablePermission.BULK_IMPORT, false);
+    return hasTablePermission(c, tableId, TablePermission.BULK_IMPORT, false);
   }
   
   public boolean canCompact(TCredentials c, String tableId) throws ThriftSecurityException {
     authenticate(c);
-    return hasSystemPermission(c.getPrincipal(), SystemPermission.ALTER_TABLE, false)
-        || hasTablePermission(c.getPrincipal(), tableId, TablePermission.ALTER_TABLE, false)
-        || hasTablePermission(c.getPrincipal(), tableId, TablePermission.WRITE, false);
+    return hasSystemPermission(c, SystemPermission.ALTER_TABLE, false) || hasTablePermission(c, tableId, TablePermission.ALTER_TABLE, false)
+        || hasTablePermission(c, tableId, TablePermission.WRITE, false);
   }
   
   public boolean canChangeAuthorizations(TCredentials c, String user) throws ThriftSecurityException {
     authenticate(c);
-    if (user.equals(SecurityConstants.SYSTEM_PRINCIPAL))
-      throw new ThriftSecurityException(c.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
-    return hasSystemPermission(c.getPrincipal(), SystemPermission.ALTER_USER, false);
+    return hasSystemPermission(c, SystemPermission.ALTER_USER, false);
   }
   
   public boolean canChangePassword(TCredentials c, String user) throws ThriftSecurityException {
     authenticate(c);
-    if (user.equals(SecurityConstants.SYSTEM_PRINCIPAL))
-      throw new ThriftSecurityException(c.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
-    return c.getPrincipal().equals(user) || hasSystemPermission(c.getPrincipal(), SystemPermission.ALTER_USER, false);
+    return c.getPrincipal().equals(user) || hasSystemPermission(c, SystemPermission.ALTER_USER, false);
   }
   
   public boolean canCreateUser(TCredentials c, String user) throws ThriftSecurityException {
     authenticate(c);
-    
-    // don't allow creating a user with the same name as system user
-    if (user.equals(SecurityConstants.SYSTEM_PRINCIPAL))
-      throw new ThriftSecurityException(c.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
-    
-    return hasSystemPermission(c.getPrincipal(), SystemPermission.CREATE_USER, false);
+    return hasSystemPermission(c, SystemPermission.CREATE_USER, false);
   }
   
   public boolean canDropUser(TCredentials c, String user) throws ThriftSecurityException {
     authenticate(c);
-    
-    // can't delete root or system users
-    if (user.equals(getRootUsername()) || user.equals(SecurityConstants.SYSTEM_PRINCIPAL))
+    if (user.equals(getRootUsername()))
       throw new ThriftSecurityException(c.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
-    
-    return hasSystemPermission(c.getPrincipal(), SystemPermission.DROP_USER, false);
+    return hasSystemPermission(c, SystemPermission.DROP_USER, false);
   }
   
   public boolean canGrantSystem(TCredentials c, String user, SystemPermission sysPerm) throws ThriftSecurityException {
     authenticate(c);
-    
-    // can't modify system user
-    if (user.equals(SecurityConstants.SYSTEM_PRINCIPAL))
-      throw new ThriftSecurityException(c.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
-    
     // can't grant GRANT
     if (sysPerm.equals(SystemPermission.GRANT))
       throw new ThriftSecurityException(c.getPrincipal(), SecurityErrorCode.GRANT_INVALID);
-    
-    return hasSystemPermission(c.getPrincipal(), SystemPermission.GRANT, false);
+    return hasSystemPermission(c, SystemPermission.GRANT, false);
   }
   
   public boolean canGrantTable(TCredentials c, String user, String table) throws ThriftSecurityException {
     authenticate(c);
-    
-    // can't modify system user
-    if (user.equals(SecurityConstants.SYSTEM_PRINCIPAL))
-      throw new ThriftSecurityException(c.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
-    
-    return hasSystemPermission(c.getPrincipal(), SystemPermission.ALTER_TABLE, false)
-        || hasTablePermission(c.getPrincipal(), table, TablePermission.GRANT, false);
+    return hasSystemPermission(c, SystemPermission.ALTER_TABLE, false) || hasTablePermission(c, table, TablePermission.GRANT, false);
   }
   
   public boolean canRevokeSystem(TCredentials c, String user, SystemPermission sysPerm) throws ThriftSecurityException {
     authenticate(c);
-    
-    // can't modify system or root user
-    if (user.equals(getRootUsername()) || user.equals(SecurityConstants.SYSTEM_PRINCIPAL))
+    // can't modify root user
+    if (user.equals(getRootUsername()))
       throw new ThriftSecurityException(c.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
     
     // can't revoke GRANT
     if (sysPerm.equals(SystemPermission.GRANT))
       throw new ThriftSecurityException(c.getPrincipal(), SecurityErrorCode.GRANT_INVALID);
     
-    return hasSystemPermission(c.getPrincipal(), SystemPermission.GRANT, false);
+    return hasSystemPermission(c, SystemPermission.GRANT, false);
   }
   
   public boolean canRevokeTable(TCredentials c, String user, String table) throws ThriftSecurityException {
     authenticate(c);
-    
-    // can't modify system user
-    if (user.equals(SecurityConstants.SYSTEM_PRINCIPAL))
-      throw new ThriftSecurityException(c.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
-    
-    return hasSystemPermission(c.getPrincipal(), SystemPermission.ALTER_TABLE, false)
-        || hasTablePermission(c.getPrincipal(), table, TablePermission.GRANT, false);
+    return hasSystemPermission(c, SystemPermission.ALTER_TABLE, false) || hasTablePermission(c, table, TablePermission.GRANT, false);
   }
   
   public void changeAuthorizations(TCredentials credentials, String user, Authorizations authorizations) throws ThriftSecurityException {
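Review bot: `canCreateUser` no longer refuses the reserved system principal name, and the same guard is dropped from `canChangePassword`, `canChangeAuthorizations`, `canDropUser`, `canGrantSystem`, `canGrantTable`, `canRevokeSystem` and `canRevokeTable` in this hunk. `SystemCredentials` still uses the principal `!SYSTEM`, so after this change an ordinary account with that name can apparently be created, and anything that keys on the principal string (audit log lines, the `c.getPrincipal().equals(user)` shortcut in `canChangePassword`) can no longer tell the two apart. Unless that is intended, keep the name reserved at creation time, e.g. `if (user.equals(SystemCredentials.get().getPrincipal())) throw new ThriftSecurityException(c.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);`, assuming `Credentials` exposes `getPrincipal()`.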
@@ -602,13 +581,13 @@ public class SecurityOperation {
   public boolean hasSystemPermission(TCredentials credentials, String user, SystemPermission permissionById) throws ThriftSecurityException {
     if (!canAskAboutOtherUsers(credentials, user))
       throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
-    return hasSystemPermission(user, permissionById, false);
+    return _hasSystemPermission(user, permissionById, false);
   }
   
   public boolean hasTablePermission(TCredentials credentials, String user, String tableId, TablePermission permissionById) throws ThriftSecurityException {
     if (!canAskAboutOtherUsers(credentials, user))
       throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
-    return hasTablePermission(user, tableId, permissionById, false);
+    return _hasTablePermission(user, tableId, permissionById, false);
   }
   
   public Set<String> listUsers(TCredentials credentials) throws ThriftSecurityException {
@@ -635,11 +614,11 @@ public class SecurityOperation {
   
   public boolean canExport(TCredentials credentials, String tableId, String tableName, String exportDir) throws ThriftSecurityException {
     authenticate(credentials);
-    return hasTablePermission(credentials.getPrincipal(), tableId, TablePermission.READ, false);
+    return hasTablePermission(credentials, tableId, TablePermission.READ, false);
   }
   
   public boolean canImport(TCredentials credentials, String tableName, String importDir) throws ThriftSecurityException {
     authenticate(credentials);
-    return hasSystemPermission(credentials.getPrincipal(), SystemPermission.CREATE_TABLE, false);
+    return hasSystemPermission(credentials, SystemPermission.CREATE_TABLE, false);
   }
 }

http://git-wip-us.apache.org/repos/asf/accumulo/blob/a943f323/server/src/main/java/org/apache/accumulo/server/security/SystemCredentials.java
----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/accumulo/server/security/SystemCredentials.java b/server/src/main/java/org/apache/accumulo/server/security/SystemCredentials.java
new file mode 100644
index 0000000..f30419a
--- /dev/null
+++ b/server/src/main/java/org/apache/accumulo/server/security/SystemCredentials.java
@@ -0,0 +1,132 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.accumulo.server.security;
+
+import java.io.ByteArrayOutputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecurityPermission;
+import java.util.Map.Entry;
+
+import org.apache.accumulo.core.Constants;
+import org.apache.accumulo.core.client.security.tokens.AuthenticationToken;
+import org.apache.accumulo.core.client.security.tokens.PasswordToken;
+import org.apache.accumulo.core.conf.Property;
+import org.apache.accumulo.core.security.Credentials;
+import org.apache.accumulo.core.security.thrift.TCredentials;
+import org.apache.accumulo.server.ServerConstants;
+import org.apache.accumulo.server.client.HdfsZooInstance;
+import org.apache.accumulo.server.conf.ServerConfiguration;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.hadoop.io.Writable;
+
+/**
+ * Credentials for the system services.
+ * 
+ * @since 1.6.0
+ */
+public final class SystemCredentials extends Credentials {
+  
+  private static final SecurityPermission SYSTEM_CREDENTIALS_PERMISSION = new SecurityPermission("systemCredentialsPermission");
+  
+  private static SystemCredentials SYSTEM_CREDS = null;
+  private static final String SYSTEM_PRINCIPAL = "!SYSTEM";
+  private static final SystemToken SYSTEM_TOKEN = SystemToken.get();
+  
+  private final TCredentials AS_THRIFT;
+  
+  private SystemCredentials() {
+    super(SYSTEM_PRINCIPAL, SYSTEM_TOKEN);
+    AS_THRIFT = toThrift(HdfsZooInstance.getInstance());
+  }
+  
+  public static SystemCredentials get() {
+    SecurityManager sm = System.getSecurityManager();
+    if (sm != null) {
+      sm.checkPermission(SYSTEM_CREDENTIALS_PERMISSION);
+    }
+    if (SYSTEM_CREDS == null) {
+      SYSTEM_CREDS = new SystemCredentials();
+      
+    }
+    return SYSTEM_CREDS;
+  }
+  
+  public TCredentials getAsThrift() {
+    return AS_THRIFT;
+  }
+  
+  /**
+   * An {@link AuthenticationToken} type for Accumulo servers for inter-server communication.
+   * 
+   * @since 1.6.0
+   */
+  public static final class SystemToken extends PasswordToken {
+    
+    /**
+     * A Constructor for {@link Writable}.
+     */
+    public SystemToken() {}
+    
+    private SystemToken(byte[] systemPassword) {
+      super(systemPassword);
+    }
+    
+    private static SystemToken get() {
+      byte[] confChecksum;
+      MessageDigest md;
+      try {
+        md = MessageDigest.getInstance(Constants.PW_HASH_ALGORITHM);
+      } catch (NoSuchAlgorithmException e) {
+        throw new RuntimeException("Failed to compute configuration checksum", e);
+      }
+      
+      // seed the config with the version and instance id, so at least it's not empty
+      md.update(ServerConstants.WIRE_VERSION.toString().getBytes(Constants.UTF8));
+      md.update(HdfsZooInstance.getInstance().getInstanceID().getBytes(Constants.UTF8));
+      
+      for (Entry<String,String> entry : ServerConfiguration.getSiteConfiguration()) {
+        // only include instance properties
+        if (entry.getKey().startsWith(Property.INSTANCE_PREFIX.toString())) {
+          md.update(entry.getKey().getBytes(Constants.UTF8));
+          md.update(entry.getValue().getBytes(Constants.UTF8));
+        }
+      }
+      confChecksum = md.digest();
+      
+      int wireVersion = ServerConstants.WIRE_VERSION;
+      byte[] inst = HdfsZooInstance.getInstance().getInstanceID().getBytes(Constants.UTF8);
+      
+      ByteArrayOutputStream bytes = new ByteArrayOutputStream(3 * (Integer.SIZE / Byte.SIZE) + inst.length + confChecksum.length);
+      DataOutputStream out = new DataOutputStream(bytes);
+      try {
+        out.write(wireVersion * -1);
+        out.write(inst.length);
+        out.write(inst);
+        out.write(confChecksum.length);
+        out.write(confChecksum);
+      } catch (IOException e) {
+        // this is impossible with ByteArrayOutputStream; crash hard if this happens
+        throw new RuntimeException(e);
+      }
+      return new SystemToken(Base64.encodeBase64(bytes.toByteArray()));
+    }
+  }
+  
+}
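Review bot: In `SystemToken.get()` the three `out.write(int)` calls emit only the low-order byte of `wireVersion * -1`, `inst.length` and `confChecksum.length`, while the buffer is sized for three full ints, so `writeInt` looks intended: `out.writeInt(wireVersion * -1);`, `out.writeInt(inst.length);` and `out.writeInt(confChecksum.length);`. That changes the token bytes, so every server would have to run the same build. Separately, the token is a deterministic digest of the wire version, instance id and `instance.*` site properties, so its secrecy rests entirely on those property values (presumably including the instance secret) staying private; a short Javadoc on `SystemToken` stating this would help operators. `SystemCredentials.get()` also initialises the static `SYSTEM_CREDS` without synchronization, which is harmless only if duplicate instances are acceptable.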

http://git-wip-us.apache.org/repos/asf/accumulo/blob/a943f323/server/src/main/java/org/apache/accumulo/server/tabletserver/Tablet.java
----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/accumulo/server/tabletserver/Tablet.java b/server/src/main/java/org/apache/accumulo/server/tabletserver/Tablet.java
index 1305be6..e9b973a 100644
--- a/server/src/main/java/org/apache/accumulo/server/tabletserver/Tablet.java
+++ b/server/src/main/java/org/apache/accumulo/server/tabletserver/Tablet.java
@@ -106,7 +106,7 @@ import org.apache.accumulo.server.master.tableOps.CompactRange.CompactionIterato
 import org.apache.accumulo.server.problems.ProblemReport;
 import org.apache.accumulo.server.problems.ProblemReports;
 import org.apache.accumulo.server.problems.ProblemType;
-import org.apache.accumulo.server.security.SecurityConstants;
+import org.apache.accumulo.server.security.SystemCredentials;
 import org.apache.accumulo.server.tabletserver.Compactor.CompactionCanceledException;
 import org.apache.accumulo.server.tabletserver.Compactor.CompactionEnv;
 import org.apache.accumulo.server.tabletserver.FileManager.ScanFileManager;
@@ -583,7 +583,7 @@ public class Tablet {
       
       if (filesToDelete.size() > 0) {
         log.debug("Removing scan refs from metadata " + extent + " " + filesToDelete);
-        MetadataTableUtil.removeScanFiles(extent, filesToDelete, SecurityConstants.getSystemCredentials(), tabletServer.getLock());
+        MetadataTableUtil.removeScanFiles(extent, filesToDelete, SystemCredentials.get().getAsThrift(), tabletServer.getLock());
       }
     }
     
@@ -604,7 +604,7 @@ public class Tablet {
       
       if (filesToDelete.size() > 0) {
         log.debug("Removing scan refs from metadata " + extent + " " + filesToDelete);
-        MetadataTableUtil.removeScanFiles(extent, filesToDelete, SecurityConstants.getSystemCredentials(), tabletServer.getLock());
+        MetadataTableUtil.removeScanFiles(extent, filesToDelete, SystemCredentials.get().getAsThrift(), tabletServer.getLock());
       }
     }
     
@@ -680,7 +680,7 @@ public class Tablet {
       }
       
       synchronized (bulkFileImportLock) {
-        TCredentials auths = SecurityConstants.getSystemCredentials();
+        TCredentials auths = SystemCredentials.get().getAsThrift();
         Connector conn;
         try {
           conn = HdfsZooInstance.getInstance().getConnector(auths.getPrincipal(), CredentialHelper.extractToken(auths));
@@ -838,7 +838,7 @@ public class Tablet {
       // very important to write delete entries outside of log lock, because
       // this !METADATA write does not go up... it goes sideways or to itself
       if (absMergeFile != null)
-        MetadataTableUtil.addDeleteEntries(extent, Collections.singleton(absMergeFile), SecurityConstants.getSystemCredentials());
+        MetadataTableUtil.addDeleteEntries(extent, Collections.singleton(absMergeFile), SystemCredentials.get().getAsThrift());
       
       Set<String> unusedWalLogs = beginClearingUnusedLogs();
       try {
@@ -846,7 +846,7 @@ public class Tablet {
         // need to write to !METADATA before writing to walog, when things are done in the reverse order
         // data could be lost... the minor compaction start even should be written before the following metadata
         // write is made
-        TCredentials creds = SecurityConstants.getSystemCredentials();
+        TCredentials creds = SystemCredentials.get().getAsThrift();
         
         synchronized (timeLock) {
           if (commitSession.getMaxCommittedTime() > persistedTime)
@@ -1037,7 +1037,7 @@ public class Tablet {
         Set<FileRef> filesInUseByScans = waitForScansToFinish(oldDatafiles, false, 10000);
         if (filesInUseByScans.size() > 0)
           log.debug("Adding scan refs to metadata " + extent + " " + filesInUseByScans);
-        MetadataTableUtil.replaceDatafiles(extent, oldDatafiles, filesInUseByScans, newDatafile, compactionId, dfv, SecurityConstants.getSystemCredentials(),
+        MetadataTableUtil.replaceDatafiles(extent, oldDatafiles, filesInUseByScans, newDatafile, compactionId, dfv, SystemCredentials.get().getAsThrift(),
             tabletServer.getClientAddressString(), lastLocation, tabletServer.getLock());
         removeFilesAfterScan(filesInUseByScans);
       }
@@ -1131,7 +1131,7 @@ public class Tablet {
       Text rowName = extent.getMetadataEntry();
       
       String tableId = extent.isMeta() ? RootTable.ID : MetadataTable.ID;
-      ScannerImpl mdScanner = new ScannerImpl(HdfsZooInstance.getInstance(), SecurityConstants.getSystemCredentials(), tableId, Authorizations.EMPTY);
+      ScannerImpl mdScanner = new ScannerImpl(HdfsZooInstance.getInstance(), SystemCredentials.get().getAsThrift(), tableId, Authorizations.EMPTY);
       
       // Commented out because when no data file is present, each tablet will scan through metadata table and return nothing
       // reduced batch size to improve performance
@@ -1161,7 +1161,7 @@ public class Tablet {
     
     if (ke.isMeta()) {
       try {
-        logEntries = MetadataTableUtil.getLogEntries(SecurityConstants.getSystemCredentials(), ke);
+        logEntries = MetadataTableUtil.getLogEntries(SystemCredentials.get().getAsThrift(), ke);
       } catch (Exception ex) {
         throw new RuntimeException("Unable to read tablet log entries", ex);
       }
@@ -2213,7 +2213,7 @@ public class Tablet {
       }
       
       if (updateMetadata) {
-        TCredentials creds = SecurityConstants.getSystemCredentials();
+        TCredentials creds = SystemCredentials.get().getAsThrift();
         // if multiple threads were allowed to update this outside of a sync block, then it would be
         // a race condition
         MetadataTableUtil.updateTabletFlushID(extent, tableFlushID, creds, tabletServer.getLock());
@@ -2729,7 +2729,7 @@ public class Tablet {
     }
     
     try {
-      Pair<List<LogEntry>,SortedMap<FileRef,DataFileValue>> fileLog = MetadataTableUtil.getFileAndLogEntries(SecurityConstants.getSystemCredentials(), extent);
+      Pair<List<LogEntry>,SortedMap<FileRef,DataFileValue>> fileLog = MetadataTableUtil.getFileAndLogEntries(SystemCredentials.get().getAsThrift(), extent);
       
       if (fileLog.getFirst().size() != 0) {
         String msg = "Closed tablet " + extent + " has walog entries in " + MetadataTable.NAME + " " + fileLog.getFirst();
@@ -3516,12 +3516,12 @@ public class Tablet {
       // it is possible that some of the bulk loading flags will be deleted after being read below because the bulk load
       // finishes.... therefore split could propogate load flags for a finished bulk load... there is a special iterator
       // on the !METADATA table to clean up this type of garbage
-      Map<FileRef,Long> bulkLoadedFiles = MetadataTableUtil.getBulkFilesLoaded(SecurityConstants.getSystemCredentials(), extent);
+      Map<FileRef,Long> bulkLoadedFiles = MetadataTableUtil.getBulkFilesLoaded(SystemCredentials.get().getAsThrift(), extent);
       
-      MetadataTableUtil.splitTablet(high, extent.getPrevEndRow(), splitRatio, SecurityConstants.getSystemCredentials(), tabletServer.getLock());
-      MetadataTableUtil.addNewTablet(low, lowDirectory, tabletServer.getTabletSession(), lowDatafileSizes, bulkLoadedFiles,
-          SecurityConstants.getSystemCredentials(), time, lastFlushID, lastCompactID, tabletServer.getLock());
-      MetadataTableUtil.finishSplit(high, highDatafileSizes, highDatafilesToRemove, SecurityConstants.getSystemCredentials(), tabletServer.getLock());
+      MetadataTableUtil.splitTablet(high, extent.getPrevEndRow(), splitRatio, SystemCredentials.get().getAsThrift(), tabletServer.getLock());
+      MetadataTableUtil.addNewTablet(low, lowDirectory, tabletServer.getTabletSession(), lowDatafileSizes, bulkLoadedFiles, SystemCredentials.get()
+          .getAsThrift(), time, lastFlushID, lastCompactID, tabletServer.getLock());
+      MetadataTableUtil.finishSplit(high, highDatafileSizes, highDatafilesToRemove, SystemCredentials.get().getAsThrift(), tabletServer.getLock());
       
       log.log(TLevel.TABLET_HIST, extent + " split " + low + " " + high);
       
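Review bot: The four metadata calls in this hunk each fetch `SystemCredentials.get().getAsThrift()` separately, and the formatter has broken one of them mid-expression in the `addNewTablet` call. Other hunks in this file bind it once with `TCredentials creds = SystemCredentials.get().getAsThrift();`. Doing the same here before `getBulkFilesLoaded` keeps the split sequence readable and makes it explicit that all the steps use one credential object. The enclosing method starts and ends outside the hunk.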
@@ -3807,7 +3807,7 @@ public class Tablet {
       try {
         // if multiple threads were allowed to update this outside of a sync block, then it would be
         // a race condition
-        MetadataTableUtil.updateTabletCompactID(extent, compactionId, SecurityConstants.getSystemCredentials(), tabletServer.getLock());
+        MetadataTableUtil.updateTabletCompactID(extent, compactionId, SystemCredentials.get().getAsThrift(), tabletServer.getLock());
       } finally {
         synchronized (this) {
           majorCompactionInProgress = false;

http://git-wip-us.apache.org/repos/asf/accumulo/blob/a943f323/server/src/main/java/org/apache/accumulo/server/tabletserver/TabletServer.java
----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/accumulo/server/tabletserver/TabletServer.java b/server/src/main/java/org/apache/accumulo/server/tabletserver/TabletServer.java
index 9d50f07..ceed0ee 100644
--- a/server/src/main/java/org/apache/accumulo/server/tabletserver/TabletServer.java
+++ b/server/src/main/java/org/apache/accumulo/server/tabletserver/TabletServer.java
@@ -156,8 +156,8 @@ import org.apache.accumulo.server.metrics.AbstractMetricsImpl;
 import org.apache.accumulo.server.problems.ProblemReport;
 import org.apache.accumulo.server.problems.ProblemReports;
 import org.apache.accumulo.server.security.AuditedSecurityOperation;
-import org.apache.accumulo.server.security.SecurityConstants;
 import org.apache.accumulo.server.security.SecurityOperation;
+import org.apache.accumulo.server.security.SystemCredentials;
 import org.apache.accumulo.server.tabletserver.Compactor.CompactionInfo;
 import org.apache.accumulo.server.tabletserver.Tablet.CommitSession;
 import org.apache.accumulo.server.tabletserver.Tablet.KVEntry;
@@ -228,7 +228,7 @@ public class TabletServer extends AbstractMetricsImpl implements org.apache.accu
   private static long gcTimeIncreasedCount;
   
   private static final long MAX_TIME_TO_WAIT_FOR_SCAN_RESULT_MILLIS = 1000;
-  private static final long RECENTLY_SPLIT_MILLIES = 60*1000;
+  private static final long RECENTLY_SPLIT_MILLIES = 60 * 1000;
   
   private TabletServerLogger logger;
   
@@ -1749,31 +1749,29 @@ public class TabletServer extends AbstractMetricsImpl implements org.apache.accu
     
     private ZooCache masterLockCache = new ZooCache();
     
-    private void checkPermission(TCredentials credentials, String lock, boolean requiresSystemPermission, final String request) throws ThriftSecurityException {
-      if (requiresSystemPermission) {
-        boolean fatal = false;
-        try {
-          log.debug("Got " + request + " message from user: " + credentials.getPrincipal());
-          if (!security.canPerformSystemActions(credentials)) {
-            log.warn("Got " + request + " message from user: " + credentials.getPrincipal());
-            throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
-          }
-        } catch (ThriftSecurityException e) {
-          log.warn("Got " + request + " message from unauthenticatable user: " + e.getUser());
-          if (e.getUser().equals(SecurityConstants.SYSTEM_PRINCIPAL)) {
-            log.fatal("Got message from a service with a mismatched configuration. Please ensure a compatible configuration.", e);
-            fatal = true;
-          }
-          throw e;
-        } finally {
-          if (fatal) {
-            Halt.halt(1, new Runnable() {
-              @Override
-              public void run() {
-                logGCInfo(getSystemConfiguration());
-              }
-            });
-          }
+    private void checkPermission(TCredentials credentials, String lock, final String request) throws ThriftSecurityException {
+      boolean fatal = false;
+      try {
+        log.debug("Got " + request + " message from user: " + credentials.getPrincipal());
+        if (!security.canPerformSystemActions(credentials)) {
+          log.warn("Got " + request + " message from user: " + credentials.getPrincipal());
+          throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
+        }
+      } catch (ThriftSecurityException e) {
+        log.warn("Got " + request + " message from unauthenticatable user: " + e.getUser());
+        if (SystemCredentials.get().getAsThrift().getTokenClassName().equals(credentials.getTokenClassName())) {
+          log.fatal("Got message from a service with a mismatched configuration. Please ensure a compatible configuration.", e);
+          fatal = true;
+        }
+        throw e;
+      } finally {
+        if (fatal) {
+          Halt.halt(1, new Runnable() {
+            @Override
+            public void run() {
+              logGCInfo(getSystemConfiguration());
+            }
+          });
         }
       }
       
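Review bot: The halt decision in the `catch` block hinges on `credentials.getTokenClassName()`, a field that arrives with the request, so a failing credential that merely names the system token class is enough to reach `log.fatal` and `Halt.halt(1, …)`. The removed principal comparison appears to have had the same property, but since this commit reworks the check, consider keeping only the `log.fatal`, or at least recording the trade-off in a comment such as `// token class name is caller-supplied; halting here trusts the network peer`. The comparison could also go through the helper this commit adds, `security.isSystemUser(credentials)`, assuming `security` is the `SecurityOperation` instance. The `catch` also receives the `PERMISSION_DENIED` exception thrown inside the `try`, so the "unauthenticatable user" warning is logged for callers that authenticated but lack permission. `checkPermission` continues past the end of the hunk.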
@@ -1815,7 +1813,7 @@ public class TabletServer extends AbstractMetricsImpl implements org.apache.accu
     public void loadTablet(TInfo tinfo, TCredentials credentials, String lock, final TKeyExtent textent) {
       
       try {
-        checkPermission(credentials, lock, true, "loadTablet");
+        checkPermission(credentials, lock, "loadTablet");
       } catch (ThriftSecurityException e) {
         log.error(e, e);
         throw new RuntimeException(e);
@@ -1891,7 +1889,7 @@ public class TabletServer extends AbstractMetricsImpl implements org.apache.accu
     @Override
     public void unloadTablet(TInfo tinfo, TCredentials credentials, String lock, TKeyExtent textent, boolean save) {
       try {
-        checkPermission(credentials, lock, true, "unloadTablet");
+        checkPermission(credentials, lock, "unloadTablet");
       } catch (ThriftSecurityException e) {
         log.error(e, e);
         throw new RuntimeException(e);
@@ -1905,7 +1903,7 @@ public class TabletServer extends AbstractMetricsImpl implements org.apache.accu
     @Override
     public void flush(TInfo tinfo, TCredentials credentials, String lock, String tableId, ByteBuffer startRow, ByteBuffer endRow) {
       try {
-        checkPermission(credentials, lock, true, "flush");
+        checkPermission(credentials, lock, "flush");
       } catch (ThriftSecurityException e) {
         log.error(e, e);
         throw new RuntimeException(e);
@@ -1942,7 +1940,7 @@ public class TabletServer extends AbstractMetricsImpl implements org.apache.accu
     @Override
     public void flushTablet(TInfo tinfo, TCredentials credentials, String lock, TKeyExtent textent) throws TException {
       try {
-        checkPermission(credentials, lock, true, "flushTablet");
+        checkPermission(credentials, lock, "flushTablet");
       } catch (ThriftSecurityException e) {
         log.error(e, e);
         throw new RuntimeException(e);
@@ -1962,7 +1960,7 @@ public class TabletServer extends AbstractMetricsImpl implements org.apache.accu
     @Override
     public void halt(TInfo tinfo, TCredentials credentials, String lock) throws ThriftSecurityException {
       
-      checkPermission(credentials, lock, true, "halt");
+      checkPermission(credentials, lock, "halt");
       
       Halt.halt(0, new Runnable() {
         @Override
@@ -1996,7 +1994,7 @@ public class TabletServer extends AbstractMetricsImpl implements org.apache.accu
     @Override
     public List<ActiveScan> getActiveScans(TInfo tinfo, TCredentials credentials) throws ThriftSecurityException, TException {
       try {
-        checkPermission(credentials, null, true, "getScans");
+        checkPermission(credentials, null, "getScans");
       } catch (ThriftSecurityException e) {
         log.error(e, e);
         throw new RuntimeException(e);
@@ -2008,7 +2006,7 @@ public class TabletServer extends AbstractMetricsImpl implements org.apache.accu
     @Override
     public void chop(TInfo tinfo, TCredentials credentials, String lock, TKeyExtent textent) throws TException {
       try {
-        checkPermission(credentials, lock, true, "chop");
+        checkPermission(credentials, lock, "chop");
       } catch (ThriftSecurityException e) {
         log.error(e, e);
         throw new RuntimeException(e);
@@ -2025,7 +2023,7 @@ public class TabletServer extends AbstractMetricsImpl implements org.apache.accu
     @Override
     public void compact(TInfo tinfo, TCredentials credentials, String lock, String tableId, ByteBuffer startRow, ByteBuffer endRow) throws TException {
       try {
-        checkPermission(credentials, lock, true, "compact");
+        checkPermission(credentials, lock, "compact");
       } catch (ThriftSecurityException e) {
         log.error(e, e);
         throw new RuntimeException(e);
@@ -2115,7 +2113,7 @@ public class TabletServer extends AbstractMetricsImpl implements org.apache.accu
     @Override
     public List<ActiveCompaction> getActiveCompactions(TInfo tinfo, TCredentials credentials) throws ThriftSecurityException, TException {
       try {
-        checkPermission(credentials, null, true, "getActiveCompactions");
+        checkPermission(credentials, null, "getActiveCompactions");
       } catch (ThriftSecurityException e) {
         log.error(e, e);
         throw new RuntimeException(e);
@@ -2612,7 +2610,7 @@ public class TabletServer extends AbstractMetricsImpl implements org.apache.accu
     entry.server = logs.get(0).getLogger();
     entry.filename = logs.get(0).getFileName();
     entry.logSet = logSet;
-    MetadataTableUtil.addLogEntry(SecurityConstants.getSystemCredentials(), entry, getLock());
+    MetadataTableUtil.addLogEntry(SystemCredentials.get().getAsThrift(), entry, getLock());
   }
   
   private int startServer(AccumuloConfiguration conf, Property portHint, TProcessor processor, String threadName) throws UnknownHostException {
@@ -2792,7 +2790,7 @@ public class TabletServer extends AbstractMetricsImpl implements org.apache.accu
           while (!serverStopRequested && mm != null && client != null && client.getOutputProtocol() != null
               && client.getOutputProtocol().getTransport() != null && client.getOutputProtocol().getTransport().isOpen()) {
             try {
-              mm.send(SecurityConstants.getSystemCredentials(), getClientAddressString(), iface);
+              mm.send(SystemCredentials.get().getAsThrift(), getClientAddressString(), iface);
               mm = null;
             } catch (TException ex) {
               log.warn("Error sending message: queuing message again");
@@ -2899,7 +2897,7 @@ public class TabletServer extends AbstractMetricsImpl implements org.apache.accu
         TabletsSection.TabletColumnFamily.PREV_ROW_COLUMN, TabletsSection.TabletColumnFamily.SPLIT_RATIO_COLUMN,
         TabletsSection.TabletColumnFamily.OLD_PREV_ROW_COLUMN, TabletsSection.ServerColumnFamily.TIME_COLUMN});
     
-    ScannerImpl scanner = new ScannerImpl(HdfsZooInstance.getInstance(), SecurityConstants.getSystemCredentials(), tableToVerify, Authorizations.EMPTY);
+    ScannerImpl scanner = new ScannerImpl(HdfsZooInstance.getInstance(), SystemCredentials.get().getAsThrift(), tableToVerify, Authorizations.EMPTY);
     scanner.setRange(extent.toMetadataRange());
     
     TreeMap<Key,Value> tkv = new TreeMap<Key,Value>();
@@ -2933,7 +2931,7 @@ public class TabletServer extends AbstractMetricsImpl implements org.apache.accu
       
       KeyExtent fke;
       try {
-        fke = MetadataTableUtil.fixSplit(metadataEntry, tabletEntries.get(metadataEntry), instance, SecurityConstants.getSystemCredentials(), lock);
+        fke = MetadataTableUtil.fixSplit(metadataEntry, tabletEntries.get(metadataEntry), instance, SystemCredentials.get().getAsThrift(), lock);
       } catch (IOException e) {
         log.error("Error fixing split " + metadataEntry);
         throw new AccumuloException(e.toString());

http://git-wip-us.apache.org/repos/asf/accumulo/blob/a943f323/server/src/main/java/org/apache/accumulo/server/util/Admin.java
----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/accumulo/server/util/Admin.java b/server/src/main/java/org/apache/accumulo/server/util/Admin.java
index fca811e..215b9c7 100644
--- a/server/src/main/java/org/apache/accumulo/server/util/Admin.java
+++ b/server/src/main/java/org/apache/accumulo/server/util/Admin.java
@@ -36,7 +36,7 @@ import org.apache.accumulo.core.security.CredentialHelper;
 import org.apache.accumulo.core.security.thrift.TCredentials;
 import org.apache.accumulo.server.cli.ClientOpts;
 import org.apache.accumulo.server.client.HdfsZooInstance;
-import org.apache.accumulo.server.security.SecurityConstants;
+import org.apache.accumulo.server.security.SystemCredentials;
 import org.apache.accumulo.trace.instrument.Tracer;
 import org.apache.log4j.Logger;
 
@@ -88,8 +88,8 @@ public class Admin {
       String principal;
       AuthenticationToken token;
       if (opts.getToken() == null) {
-        principal = SecurityConstants.getSystemPrincipal();
-        token = SecurityConstants.getSystemToken();
+        principal = SystemCredentials.get().getPrincipal();
+        token = SystemCredentials.get().getToken();
       } else {
         principal = opts.principal;
         token = opts.getToken();
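Review bot: The first branch of the `if` makes the tool act as the system user whenever no token is passed, and nothing in the code says so. A short comment above `principal = SystemCredentials.get().getPrincipal();`, for example `// no token given: fall back to the server's own system credentials`, would make that privilege choice visible to the next reader. The enclosing method starts and ends outside the hunk.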

http://git-wip-us.apache.org/repos/asf/accumulo/blob/a943f323/server/src/main/java/org/apache/accumulo/server/util/FindOfflineTablets.java
----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/accumulo/server/util/FindOfflineTablets.java b/server/src/main/java/org/apache/accumulo/server/util/FindOfflineTablets.java
index de27112..f180ccd 100644
--- a/server/src/main/java/org/apache/accumulo/server/util/FindOfflineTablets.java
+++ b/server/src/main/java/org/apache/accumulo/server/util/FindOfflineTablets.java
@@ -33,7 +33,7 @@ import org.apache.accumulo.server.master.state.TServerInstance;
 import org.apache.accumulo.server.master.state.TabletLocationState;
 import org.apache.accumulo.server.master.state.TabletState;
 import org.apache.accumulo.server.master.state.tables.TableManager;
-import org.apache.accumulo.server.security.SecurityConstants;
+import org.apache.accumulo.server.security.SystemCredentials;
 import org.apache.commons.collections.iterators.IteratorChain;
 import org.apache.log4j.Logger;
 
@@ -48,8 +48,8 @@ public class FindOfflineTablets {
     opts.parseArgs(FindOfflineTablets.class.getName(), args);
     final AtomicBoolean scanning = new AtomicBoolean(false);
     Instance instance = opts.getInstance();
-    MetaDataTableScanner rootScanner = new MetaDataTableScanner(instance, SecurityConstants.getSystemCredentials(), MetadataSchema.TabletsSection.getRange());
-    MetaDataTableScanner metaScanner = new MetaDataTableScanner(instance, SecurityConstants.getSystemCredentials(), MetadataSchema.TabletsSection.getRange());
+    MetaDataTableScanner rootScanner = new MetaDataTableScanner(instance, SystemCredentials.get().getAsThrift(), MetadataSchema.TabletsSection.getRange());
+    MetaDataTableScanner metaScanner = new MetaDataTableScanner(instance, SystemCredentials.get().getAsThrift(), MetadataSchema.TabletsSection.getRange());
     @SuppressWarnings("unchecked")
     Iterator<TabletLocationState> scanner = new IteratorChain(rootScanner, metaScanner);
     LiveTServerSet tservers = new LiveTServerSet(instance, DefaultConfiguration.getDefaultConfiguration(), new Listener() {

http://git-wip-us.apache.org/repos/asf/accumulo/blob/a943f323/server/src/main/java/org/apache/accumulo/server/util/Initialize.java
----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/accumulo/server/util/Initialize.java b/server/src/main/java/org/apache/accumulo/server/util/Initialize.java
index 7d4e6f2..843184d 100644
--- a/server/src/main/java/org/apache/accumulo/server/util/Initialize.java
+++ b/server/src/main/java/org/apache/accumulo/server/util/Initialize.java
@@ -64,7 +64,7 @@ import org.apache.accumulo.server.fs.VolumeManagerImpl;
 import org.apache.accumulo.server.iterators.MetadataBulkLoadFilter;
 import org.apache.accumulo.server.master.state.tables.TableManager;
 import org.apache.accumulo.server.security.AuditedSecurityOperation;
-import org.apache.accumulo.server.security.SecurityConstants;
+import org.apache.accumulo.server.security.SystemCredentials;
 import org.apache.accumulo.server.tabletserver.TabletTime;
 import org.apache.accumulo.server.zookeeper.ZooReaderWriter;
 import org.apache.hadoop.conf.Configuration;
@@ -439,7 +439,7 @@ public class Initialize {
   }
   
   private static void initSecurity(Opts opts, String iid) throws AccumuloSecurityException, ThriftSecurityException {
-    AuditedSecurityOperation.getInstance(iid, true).initializeSecurity(SecurityConstants.getSystemCredentials(), DEFAULT_ROOT_USER, opts.rootpass);
+    AuditedSecurityOperation.getInstance(iid, true).initializeSecurity(SystemCredentials.get().getAsThrift(), DEFAULT_ROOT_USER, opts.rootpass);
   }
   
   protected static void initMetadataConfig() throws IOException {

http://git-wip-us.apache.org/repos/asf/accumulo/blob/a943f323/server/src/main/java/org/apache/accumulo/server/util/MetadataTableUtil.java
----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/accumulo/server/util/MetadataTableUtil.java b/server/src/main/java/org/apache/accumulo/server/util/MetadataTableUtil.java
index 816df8b..b2cd114 100644
--- a/server/src/main/java/org/apache/accumulo/server/util/MetadataTableUtil.java
+++ b/server/src/main/java/org/apache/accumulo/server/util/MetadataTableUtil.java
@@ -81,7 +81,7 @@ import org.apache.accumulo.server.fs.FileRef;
 import org.apache.accumulo.server.fs.VolumeManager;
 import org.apache.accumulo.server.fs.VolumeManagerImpl;
 import org.apache.accumulo.server.master.state.TServerInstance;
-import org.apache.accumulo.server.security.SecurityConstants;
+import org.apache.accumulo.server.security.SystemCredentials;
 import org.apache.accumulo.server.zookeeper.ZooLock;
 import org.apache.accumulo.server.zookeeper.ZooReaderWriter;
 import org.apache.hadoop.fs.FileStatus;
@@ -490,7 +490,7 @@ public class MetadataTableUtil {
   }
   
   public static void addDeleteEntry(String tableId, String path) throws IOException {
-    update(SecurityConstants.getSystemCredentials(), createDeleteMutation(tableId, path), new KeyExtent(new Text(tableId), null, null));
+    update(SystemCredentials.get().getAsThrift(), createDeleteMutation(tableId, path), new KeyExtent(new Text(tableId), null, null));
   }
   
   public static Mutation createDeleteMutation(String tableId, String pathToRemove) throws IOException {
@@ -975,7 +975,7 @@ public class MetadataTableUtil {
       } else {
         Mutation m = new Mutation(entry.extent.getMetadataEntry());
         m.putDelete(LogColumnFamily.NAME, new Text(entry.server + "/" + entry.filename));
-        update(SecurityConstants.getSystemCredentials(), zooLock, m, entry.extent);
+        update(SystemCredentials.get().getAsThrift(), zooLock, m, entry.extent);
       }
     }
   }
@@ -1126,7 +1126,7 @@ public class MetadataTableUtil {
   
   public static void cloneTable(Instance instance, String srcTableId, String tableId) throws Exception {
     
-    Connector conn = instance.getConnector(SecurityConstants.SYSTEM_PRINCIPAL, SecurityConstants.getSystemToken());
+    Connector conn = instance.getConnector(SystemCredentials.get().getPrincipal(), SystemCredentials.get().getToken());
     BatchWriter bw = conn.createBatchWriter(MetadataTable.NAME, new BatchWriterConfig());
     
     while (true) {
@@ -1151,7 +1151,7 @@ public class MetadataTableUtil {
         bw.flush();
         
         // delete what we have cloned and try again
-        deleteTable(tableId, false, SecurityConstants.getSystemCredentials(), null);
+        deleteTable(tableId, false, SystemCredentials.get().getAsThrift(), null);
         
         log.debug("Tablets merged in table " + srcTableId + " while attempting to clone, trying again");
         
@@ -1181,7 +1181,7 @@ public class MetadataTableUtil {
   public static void chopped(KeyExtent extent, ZooLock zooLock) {
     Mutation m = new Mutation(extent.getMetadataEntry());
     ChoppedColumnFamily.CHOPPED_COLUMN.put(m, new Value("chopped".getBytes()));
-    update(SecurityConstants.getSystemCredentials(), zooLock, m, extent);
+    update(SystemCredentials.get().getAsThrift(), zooLock, m, extent);
   }
   
   public static void removeBulkLoadEntries(Connector conn, String tableId, long tid) throws Exception {
@@ -1242,7 +1242,7 @@ public class MetadataTableUtil {
     
     // new KeyExtent is only added to force update to write to the metadata table, not the root table
     // because bulk loads aren't supported to the metadata table
-    update(SecurityConstants.getSystemCredentials(), m, new KeyExtent(new Text("anythingNotMetadata"), null, null));
+    update(SystemCredentials.get().getAsThrift(), m, new KeyExtent(new Text("anythingNotMetadata"), null, null));
   }
   
   public static void removeBulkLoadInProgressFlag(String path) {
@@ -1252,7 +1252,7 @@ public class MetadataTableUtil {
     
     // new KeyExtent is only added to force update to write to the metadata table, not the root table
     // because bulk loads aren't supported to the metadata table
-    update(SecurityConstants.getSystemCredentials(), m, new KeyExtent(new Text("anythingNotMetadata"), null, null));
+    update(SystemCredentials.get().getAsThrift(), m, new KeyExtent(new Text("anythingNotMetadata"), null, null));
   }
   
   public static void moveMetaDeleteMarkers(Instance instance, TCredentials creds) {

http://git-wip-us.apache.org/repos/asf/accumulo/blob/a943f323/server/src/test/java/org/apache/accumulo/server/security/SystemCredentialsTest.java
----------------------------------------------------------------------
diff --git a/server/src/test/java/org/apache/accumulo/server/security/SystemCredentialsTest.java b/server/src/test/java/org/apache/accumulo/server/security/SystemCredentialsTest.java
new file mode 100644
index 0000000..f422ecb
--- /dev/null
+++ b/server/src/test/java/org/apache/accumulo/server/security/SystemCredentialsTest.java
@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.accumulo.server.security;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.UUID;
+
+import org.apache.accumulo.core.client.Instance;
+import org.apache.accumulo.core.client.impl.ConnectorImpl;
+import org.apache.accumulo.core.security.Credentials;
+import org.apache.accumulo.core.security.thrift.TCredentials;
+import org.apache.accumulo.server.security.SystemCredentials.SystemToken;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+/**
+ * 
+ */
+public class SystemCredentialsTest {
+  
+  @BeforeClass
+  public static void setUp() throws IOException {
+    File testInstanceId = new File(new File(new File(new File("target"), "instanceTest"), "instance_id"), UUID.fromString(
+        "00000000-0000-0000-0000-000000000000").toString());
+    if (!testInstanceId.exists()) {
+      testInstanceId.getParentFile().mkdirs();
+      testInstanceId.createNewFile();
+    }
+  }
+  
+  /**
+   * This is a test to ensure the string literal in {@link ConnectorImpl#ConnectorImpl(Instance, TCredentials)} is kept up-to-date if we move the
+   * {@link SystemToken}<br/>
+   * This check will not be needed after ACCUMULO-1578
+   */
+  @Test
+  public void testSystemToken() {
+    assertEquals("org.apache.accumulo.server.security.SystemCredentials$SystemToken", SystemToken.class.getName());
+    assertEquals(SystemCredentials.get().getToken().getClass(), SystemToken.class);
+    assertEquals(SystemCredentials.get().getAsThrift().getTokenClassName(), SystemToken.class.getName());
+  }
+  
+  @Test
+  public void testSystemCredentials() {
+    Credentials a = SystemCredentials.get();
+    Credentials b = SystemCredentials.get();
+    assertTrue(a == b);
+  }
+}
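Review bot: The assertions in this new test will give poor failure messages. In `testSystemToken` the second and third `assertEquals` calls pass the value under test first and the expected value second, and `testSystemCredentials` uses `assertTrue(a == b)` where `assertSame(a, b)` (with a static import of `org.junit.Assert.assertSame`) would report both objects. `setUp` also ignores the boolean results of `mkdirs()` and `createNewFile()` and builds its path from the relative name `target`, so a run from another working directory would presumably fail later inside `SystemCredentials.get()` rather than at the fixture; checking the return values would surface that early. The class-level Javadoc is empty and could say what the fixture file is for.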

http://git-wip-us.apache.org/repos/asf/accumulo/blob/a943f323/server/src/test/resources/accumulo-site.xml
----------------------------------------------------------------------
diff --git a/server/src/test/resources/accumulo-site.xml b/server/src/test/resources/accumulo-site.xml
new file mode 100644
index 0000000..2aa9fff
--- /dev/null
+++ b/server/src/test/resources/accumulo-site.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+
+<configuration>
+
+  <property>
+    <name>instance.dfs.dir</name>
+    <value>${project.build.directory}/instanceTest</value>
+  </property>
+
+  <property>
+    <name>instance.secret</name>
+    <value>TEST_SYSTEM_SECRET</value>
+  </property>
+
+</configuration>
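Review bot: `instance.dfs.dir` is set to `${project.build.directory}/instanceTest`, which only resolves if Maven resource filtering is enabled for `src/test/resources`. This part of the commit does not show filtering being turned on, and `SystemCredentialsTest.setUp` hard-codes `target/instanceTest`, so the two paths can disagree. Either confirm filtering is configured in the module's POM or use the same literal path in both places. The `instance.secret` property would also benefit from a comment such as `<!-- fixture value for unit tests only; never reuse in a deployment -->`.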

http://git-wip-us.apache.org/repos/asf/accumulo/blob/a943f323/test/src/main/java/org/apache/accumulo/test/GetMasterStats.java
----------------------------------------------------------------------
diff --git a/test/src/main/java/org/apache/accumulo/test/GetMasterStats.java b/test/src/main/java/org/apache/accumulo/test/GetMasterStats.java
index 65cf80c..caef670 100644
--- a/test/src/main/java/org/apache/accumulo/test/GetMasterStats.java
+++ b/test/src/main/java/org/apache/accumulo/test/GetMasterStats.java
@@ -19,7 +19,6 @@ package org.apache.accumulo.test;
 import java.io.IOException;
 import java.util.Map.Entry;
 
-import org.apache.accumulo.trace.instrument.Tracer;
 import org.apache.accumulo.core.client.impl.MasterClient;
 import org.apache.accumulo.core.master.MasterNotRunningException;
 import org.apache.accumulo.core.master.thrift.MasterClientService;
@@ -29,7 +28,8 @@ import org.apache.accumulo.core.master.thrift.TableInfo;
 import org.apache.accumulo.core.master.thrift.TabletServerStatus;
 import org.apache.accumulo.server.client.HdfsZooInstance;
 import org.apache.accumulo.server.monitor.Monitor;
-import org.apache.accumulo.server.security.SecurityConstants;
+import org.apache.accumulo.server.security.SystemCredentials;
+import org.apache.accumulo.trace.instrument.Tracer;
 import org.apache.thrift.transport.TTransportException;
 
 public class GetMasterStats {
@@ -44,7 +44,7 @@ public class GetMasterStats {
     MasterMonitorInfo stats = null;
     try {
       client = MasterClient.getConnectionWithRetry(HdfsZooInstance.getInstance());
-      stats = client.getMasterStats(Tracer.traceInfo(), SecurityConstants.getSystemCredentials());
+      stats = client.getMasterStats(Tracer.traceInfo(), SystemCredentials.get().getAsThrift());
     } finally {
       if (client != null)
         MasterClient.close(client);

http://git-wip-us.apache.org/repos/asf/accumulo/blob/a943f323/test/src/main/java/org/apache/accumulo/test/continuous/ContinuousStatsCollector.java
----------------------------------------------------------------------
diff --git a/test/src/main/java/org/apache/accumulo/test/continuous/ContinuousStatsCollector.java b/test/src/main/java/org/apache/accumulo/test/continuous/ContinuousStatsCollector.java
index ea677da..8345ac4 100644
--- a/test/src/main/java/org/apache/accumulo/test/continuous/ContinuousStatsCollector.java
+++ b/test/src/main/java/org/apache/accumulo/test/continuous/ContinuousStatsCollector.java
@@ -45,7 +45,7 @@ import org.apache.accumulo.server.cli.ClientOnRequiredTable;
 import org.apache.accumulo.server.fs.VolumeManager;
 import org.apache.accumulo.server.fs.VolumeManagerImpl;
 import org.apache.accumulo.server.monitor.Monitor;
-import org.apache.accumulo.server.security.SecurityConstants;
+import org.apache.accumulo.server.security.SystemCredentials;
 import org.apache.accumulo.trace.instrument.Tracer;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.ContentSummary;
@@ -134,7 +134,7 @@ public class ContinuousStatsCollector {
       MasterClientService.Iface client = null;
       try {
         client = MasterClient.getConnectionWithRetry(opts.getInstance());
-        MasterMonitorInfo stats = client.getMasterStats(Tracer.traceInfo(), SecurityConstants.getSystemCredentials());
+        MasterMonitorInfo stats = client.getMasterStats(Tracer.traceInfo(), SystemCredentials.get().getAsThrift());
         
         TableInfo all = new TableInfo();
         Map<String,TableInfo> tableSummaries = new HashMap<String,TableInfo>();
@@ -177,8 +177,7 @@ public class ContinuousStatsCollector {
     
   }
   
-  static class Opts extends ClientOnRequiredTable {
-  }
+  static class Opts extends ClientOnRequiredTable {}
   
   public static void main(String[] args) {
     Opts opts = new Opts();

http://git-wip-us.apache.org/repos/asf/accumulo/blob/a943f323/test/src/main/java/org/apache/accumulo/test/functional/SplitRecoveryTest.java
----------------------------------------------------------------------
diff --git a/test/src/main/java/org/apache/accumulo/test/functional/SplitRecoveryTest.java b/test/src/main/java/org/apache/accumulo/test/functional/SplitRecoveryTest.java
index 8cb79c3..802d942 100644
--- a/test/src/main/java/org/apache/accumulo/test/functional/SplitRecoveryTest.java
+++ b/test/src/main/java/org/apache/accumulo/test/functional/SplitRecoveryTest.java
@@ -52,7 +52,7 @@ import org.apache.accumulo.server.client.HdfsZooInstance;
 import org.apache.accumulo.server.fs.FileRef;
 import org.apache.accumulo.server.master.state.Assignment;
 import org.apache.accumulo.server.master.state.TServerInstance;
-import org.apache.accumulo.server.security.SecurityConstants;
+import org.apache.accumulo.server.security.SystemCredentials;
 import org.apache.accumulo.server.tabletserver.TabletServer;
 import org.apache.accumulo.server.tabletserver.TabletTime;
 import org.apache.accumulo.server.util.FileUtil;
@@ -140,7 +140,7 @@ public class SplitRecoveryTest extends FunctionalTest {
       KeyExtent extent = extents[i];
       
       String tdir = ServerConstants.getTablesDirs()[0] + "/" + extent.getTableId().toString() + "/dir_" + i;
-      MetadataTableUtil.addTablet(extent, tdir, SecurityConstants.getSystemCredentials(), TabletTime.LOGICAL_TIME_ID, zl);
+      MetadataTableUtil.addTablet(extent, tdir, SystemCredentials.get().getAsThrift(), TabletTime.LOGICAL_TIME_ID, zl);
       SortedMap<FileRef,DataFileValue> mapFiles = new TreeMap<FileRef,DataFileValue>();
       mapFiles.put(new FileRef(tdir + "/" + RFile.EXTENSION + "_000_000"), new DataFileValue(1000017 + i, 10000 + i));
       
@@ -149,7 +149,7 @@ public class SplitRecoveryTest extends FunctionalTest {
       }
       int tid = 0;
       TransactionWatcher.ZooArbitrator.start(Constants.BULK_ARBITRATOR_TYPE, tid);
-      MetadataTableUtil.updateTabletDataFile(tid, extent, mapFiles, "L0", SecurityConstants.getSystemCredentials(), zl);
+      MetadataTableUtil.updateTabletDataFile(tid, extent, mapFiles, "L0", SystemCredentials.get().getAsThrift(), zl);
     }
     
     KeyExtent extent = extents[extentToSplit];
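Review bot: `SystemCredentials.get().getAsThrift()` is re-evaluated at every call site in this hunk and in the other hunks of this file (-140, -170, -192, -208, -247), including twice per pass of what appears to be the per-extent loop here. In the -170 hunk the longer expression made the formatter split `TabletTime.LOGICAL_TIME_ID + "0"` across two lines. Taking the value once per method, `TCredentials creds = SystemCredentials.get().getAsThrift();`, and passing `creds` keeps the lines readable. It also avoids producing a new serialized copy of the system token on each call, if `getAsThrift()` builds one every time, which this diff does not show. The same applies to the doubled `SystemCredentials.get()` in MetadataBatchScanTest. The enclosing method starts and ends outside this hunk.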
@@ -170,21 +170,21 @@ public class SplitRecoveryTest extends FunctionalTest {
     MetadataTableUtil.splitDatafiles(extent.getTableId(), midRow, splitRatio, new HashMap<FileRef,FileUtil.FileInfo>(), mapFiles, lowDatafileSizes,
         highDatafileSizes, highDatafilesToRemove);
     
-    MetadataTableUtil.splitTablet(high, extent.getPrevEndRow(), splitRatio, SecurityConstants.getSystemCredentials(), zl);
+    MetadataTableUtil.splitTablet(high, extent.getPrevEndRow(), splitRatio, SystemCredentials.get().getAsThrift(), zl);
     TServerInstance instance = new TServerInstance(location, zl.getSessionId());
-    Writer writer = new Writer(HdfsZooInstance.getInstance(), SecurityConstants.getSystemCredentials(), MetadataTable.ID);
+    Writer writer = new Writer(HdfsZooInstance.getInstance(), SystemCredentials.get().getAsThrift(), MetadataTable.ID);
     Assignment assignment = new Assignment(high, instance);
     Mutation m = new Mutation(assignment.tablet.getMetadataEntry());
     m.put(TabletsSection.FutureLocationColumnFamily.NAME, assignment.server.asColumnQualifier(), assignment.server.asMutationValue());
     writer.update(m);
     
     if (steps >= 1) {
-      Map<FileRef,Long> bulkFiles = MetadataTableUtil.getBulkFilesLoaded(SecurityConstants.getSystemCredentials(), extent);
-      MetadataTableUtil.addNewTablet(low, "/lowDir", instance, lowDatafileSizes, bulkFiles, SecurityConstants.getSystemCredentials(),
-          TabletTime.LOGICAL_TIME_ID + "0", -1l, -1l, zl);
+      Map<FileRef,Long> bulkFiles = MetadataTableUtil.getBulkFilesLoaded(SystemCredentials.get().getAsThrift(), extent);
+      MetadataTableUtil.addNewTablet(low, "/lowDir", instance, lowDatafileSizes, bulkFiles, SystemCredentials.get().getAsThrift(), TabletTime.LOGICAL_TIME_ID
+          + "0", -1l, -1l, zl);
     }
     if (steps >= 2)
-      MetadataTableUtil.finishSplit(high, highDatafileSizes, highDatafilesToRemove, SecurityConstants.getSystemCredentials(), zl);
+      MetadataTableUtil.finishSplit(high, highDatafileSizes, highDatafilesToRemove, SystemCredentials.get().getAsThrift(), zl);
     
     TabletServer.verifyTabletInformation(high, instance, null, "127.0.0.1:0", zl);
     
@@ -192,8 +192,8 @@ public class SplitRecoveryTest extends FunctionalTest {
       ensureTabletHasNoUnexpectedMetadataEntries(low, lowDatafileSizes);
       ensureTabletHasNoUnexpectedMetadataEntries(high, highDatafileSizes);
       
-      Map<FileRef,Long> lowBulkFiles = MetadataTableUtil.getBulkFilesLoaded(SecurityConstants.getSystemCredentials(), low);
-      Map<FileRef,Long> highBulkFiles = MetadataTableUtil.getBulkFilesLoaded(SecurityConstants.getSystemCredentials(), high);
+      Map<FileRef,Long> lowBulkFiles = MetadataTableUtil.getBulkFilesLoaded(SystemCredentials.get().getAsThrift(), low);
+      Map<FileRef,Long> highBulkFiles = MetadataTableUtil.getBulkFilesLoaded(SystemCredentials.get().getAsThrift(), high);
       
       if (!lowBulkFiles.equals(highBulkFiles)) {
         throw new Exception(" " + lowBulkFiles + " != " + highBulkFiles + " " + low + " " + high);
@@ -208,7 +208,7 @@ public class SplitRecoveryTest extends FunctionalTest {
   }
   
   private void ensureTabletHasNoUnexpectedMetadataEntries(KeyExtent extent, SortedMap<FileRef,DataFileValue> expectedMapFiles) throws Exception {
-    Scanner scanner = new ScannerImpl(HdfsZooInstance.getInstance(), SecurityConstants.getSystemCredentials(), MetadataTable.ID, Authorizations.EMPTY);
+    Scanner scanner = new ScannerImpl(HdfsZooInstance.getInstance(), SystemCredentials.get().getAsThrift(), MetadataTable.ID, Authorizations.EMPTY);
     scanner.setRange(extent.toMetadataRange());
     
     HashSet<ColumnFQ> expectedColumns = new HashSet<ColumnFQ>();
@@ -247,7 +247,7 @@ public class SplitRecoveryTest extends FunctionalTest {
       throw new Exception("Not all expected columns seen " + extent + " " + expectedColumns);
     }
     
-    SortedMap<FileRef,DataFileValue> fixedMapFiles = MetadataTableUtil.getDataFileSizes(extent, SecurityConstants.getSystemCredentials());
+    SortedMap<FileRef,DataFileValue> fixedMapFiles = MetadataTableUtil.getDataFileSizes(extent, SystemCredentials.get().getAsThrift());
     verifySame(expectedMapFiles, fixedMapFiles);
   }
   

http://git-wip-us.apache.org/repos/asf/accumulo/blob/a943f323/test/src/main/java/org/apache/accumulo/test/performance/metadata/MetadataBatchScanTest.java
----------------------------------------------------------------------
diff --git a/test/src/main/java/org/apache/accumulo/test/performance/metadata/MetadataBatchScanTest.java b/test/src/main/java/org/apache/accumulo/test/performance/metadata/MetadataBatchScanTest.java
index 5602f14..3545170 100644
--- a/test/src/main/java/org/apache/accumulo/test/performance/metadata/MetadataBatchScanTest.java
+++ b/test/src/main/java/org/apache/accumulo/test/performance/metadata/MetadataBatchScanTest.java
@@ -42,7 +42,7 @@ import org.apache.accumulo.core.security.Authorizations;
 import org.apache.accumulo.core.util.AddressUtil;
 import org.apache.accumulo.core.util.Stat;
 import org.apache.accumulo.server.master.state.TServerInstance;
-import org.apache.accumulo.server.security.SecurityConstants;
+import org.apache.accumulo.server.security.SystemCredentials;
 import org.apache.hadoop.io.Text;
 
 /**
@@ -56,8 +56,8 @@ public class MetadataBatchScanTest {
   
   public static void main(String[] args) throws Exception {
     
-    final Connector connector = new ZooKeeperInstance("acu14", "localhost")
-        .getConnector(SecurityConstants.SYSTEM_PRINCIPAL, SecurityConstants.getSystemToken());
+    final Connector connector = new ZooKeeperInstance("acu14", "localhost").getConnector(SystemCredentials.get().getPrincipal(), SystemCredentials.get()
+        .getToken());
     
     TreeSet<Long> splits = new TreeSet<Long>();
     Random r = new Random(42);

http://git-wip-us.apache.org/repos/asf/accumulo/blob/a943f323/test/src/main/java/org/apache/accumulo/test/performance/thrift/NullTserver.java
----------------------------------------------------------------------
diff --git a/test/src/main/java/org/apache/accumulo/test/performance/thrift/NullTserver.java b/test/src/main/java/org/apache/accumulo/test/performance/thrift/NullTserver.java
index d4b1c8e..41a4d54 100644
--- a/test/src/main/java/org/apache/accumulo/test/performance/thrift/NullTserver.java
+++ b/test/src/main/java/org/apache/accumulo/test/performance/thrift/NullTserver.java
@@ -62,7 +62,7 @@ import org.apache.accumulo.server.master.state.MetaDataStateStore;
 import org.apache.accumulo.server.master.state.MetaDataTableScanner;
 import org.apache.accumulo.server.master.state.TServerInstance;
 import org.apache.accumulo.server.master.state.TabletLocationState;
-import org.apache.accumulo.server.security.SecurityConstants;
+import org.apache.accumulo.server.security.SystemCredentials;
 import org.apache.accumulo.server.util.TServerUtils;
 import org.apache.accumulo.server.zookeeper.TransactionWatcher;
 import org.apache.accumulo.trace.thrift.TInfo;
@@ -230,7 +230,7 @@ public class NullTserver {
     
     // read the locations for the table
     Range tableRange = new KeyExtent(new Text(tableId), null, null).toMetadataRange();
-    MetaDataTableScanner s = new MetaDataTableScanner(zki, SecurityConstants.getSystemCredentials(), tableRange);
+    MetaDataTableScanner s = new MetaDataTableScanner(zki, SystemCredentials.get().getAsThrift(), tableRange);
     long randomSessionID = opts.port;
     TServerInstance instance = new TServerInstance(addr, randomSessionID);
     List<Assignment> assignments = new ArrayList<Assignment>();

http://git-wip-us.apache.org/repos/asf/accumulo/blob/a943f323/test/src/main/java/org/apache/accumulo/test/randomwalk/concurrent/Shutdown.java
----------------------------------------------------------------------
diff --git a/test/src/main/java/org/apache/accumulo/test/randomwalk/concurrent/Shutdown.java b/test/src/main/java/org/apache/accumulo/test/randomwalk/concurrent/Shutdown.java
index b283752..aa4c619 100644
--- a/test/src/main/java/org/apache/accumulo/test/randomwalk/concurrent/Shutdown.java
+++ b/test/src/main/java/org/apache/accumulo/test/randomwalk/concurrent/Shutdown.java
@@ -24,7 +24,7 @@ import org.apache.accumulo.core.master.thrift.MasterGoalState;
 import org.apache.accumulo.core.util.UtilWaitThread;
 import org.apache.accumulo.server.client.HdfsZooInstance;
 import org.apache.accumulo.server.master.state.SetGoalState;
-import org.apache.accumulo.server.security.SecurityConstants;
+import org.apache.accumulo.server.security.SystemCredentials;
 import org.apache.accumulo.test.randomwalk.State;
 import org.apache.accumulo.test.randomwalk.Test;
 import org.apache.accumulo.trace.instrument.Tracer;
@@ -32,25 +32,25 @@ import org.apache.accumulo.trace.instrument.Tracer;
 public class Shutdown extends Test {
   
   @Override
-  public void visit(State state, Properties props) throws Exception  {
+  public void visit(State state, Properties props) throws Exception {
     log.debug("shutting down");
-    SetGoalState.main(new String[]{MasterGoalState.CLEAN_STOP.name()});
+    SetGoalState.main(new String[] {MasterGoalState.CLEAN_STOP.name()});
     
     while (!state.getConnector().instanceOperations().getTabletServers().isEmpty()) {
       UtilWaitThread.sleep(1000);
     }
     
     while (true) {
-        try {
-          Client client = MasterClient.getConnection(HdfsZooInstance.getInstance());
-          client.getMasterStats(Tracer.traceInfo(), SecurityConstants.getSystemCredentials());
-        } catch (Exception e) {
-          // assume this is due to server shutdown
-          break;
-        }
-        UtilWaitThread.sleep(1000);
+      try {
+        Client client = MasterClient.getConnection(HdfsZooInstance.getInstance());
+        client.getMasterStats(Tracer.traceInfo(), SystemCredentials.get().getAsThrift());
+      } catch (Exception e) {
+        // assume this is due to server shutdown
+        break;
+      }
+      UtilWaitThread.sleep(1000);
     }
-
+    
     log.debug("tablet servers stopped");
   }
   
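Review bot: The polling loop in `visit` treats every exception from `getMasterStats` as proof that the master has stopped. A credential rejection from the new `SystemCredentials` path would therefore end the loop and let the test pass without the shutdown ever being observed. Rethrow security failures before the catch-all, assuming `getMasterStats` declares `ThriftSecurityException` (not visible in this hunk); that needs an import of the exception. The `Client` from `MasterClient.getConnection` is also never released, so each one-second iteration leaves a connection open; GetMasterStats in this same commit closes it with `MasterClient.close(client)` in a `finally`.

```java
    // … unchanged: CLEAN_STOP goal state and wait for tablet servers to drain …
    while (true) {
      Client client = null;
      try {
        client = MasterClient.getConnection(HdfsZooInstance.getInstance());
        client.getMasterStats(Tracer.traceInfo(), SystemCredentials.get().getAsThrift());
      } catch (ThriftSecurityException e) {
        // rejected credentials are a test failure, not evidence of shutdown
        throw e;
      } catch (Exception e) {
        // assume this is due to server shutdown
        break;
      } finally {
        if (client != null)
          MasterClient.close(client);
      }
      UtilWaitThread.sleep(1000);
    }
    // … unchanged: final log.debug …
```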

http://git-wip-us.apache.org/repos/asf/accumulo/blob/a943f323/test/src/main/java/org/apache/accumulo/test/randomwalk/concurrent/StartAll.java
----------------------------------------------------------------------
diff --git a/test/src/main/java/org/apache/accumulo/test/randomwalk/concurrent/StartAll.java b/test/src/main/java/org/apache/accumulo/test/randomwalk/concurrent/StartAll.java
index 8b99a55..45844b0 100644
--- a/test/src/main/java/org/apache/accumulo/test/randomwalk/concurrent/StartAll.java
+++ b/test/src/main/java/org/apache/accumulo/test/randomwalk/concurrent/StartAll.java
@@ -25,7 +25,7 @@ import org.apache.accumulo.core.master.thrift.MasterMonitorInfo;
 import org.apache.accumulo.core.util.UtilWaitThread;
 import org.apache.accumulo.server.client.HdfsZooInstance;
 import org.apache.accumulo.server.master.state.SetGoalState;
-import org.apache.accumulo.server.security.SecurityConstants;
+import org.apache.accumulo.server.security.SystemCredentials;
 import org.apache.accumulo.test.randomwalk.State;
 import org.apache.accumulo.test.randomwalk.Test;
 import org.apache.accumulo.trace.instrument.Tracer;
@@ -35,13 +35,13 @@ public class StartAll extends Test {
   @Override
   public void visit(State state, Properties props) throws Exception {
     log.info("Starting all servers");
-    SetGoalState.main(new String[]{MasterGoalState.NORMAL.name()});
-    Process exec = Runtime.getRuntime().exec(new String[]{System.getenv().get("ACCUMULO_HOME") + "/bin/start-all.sh"});
+    SetGoalState.main(new String[] {MasterGoalState.NORMAL.name()});
+    Process exec = Runtime.getRuntime().exec(new String[] {System.getenv().get("ACCUMULO_HOME") + "/bin/start-all.sh"});
     exec.waitFor();
     while (true) {
       try {
         Client client = MasterClient.getConnection(HdfsZooInstance.getInstance());
-        MasterMonitorInfo masterStats = client.getMasterStats(Tracer.traceInfo(), SecurityConstants.getSystemCredentials());
+        MasterMonitorInfo masterStats = client.getMasterStats(Tracer.traceInfo(), SystemCredentials.get().getAsThrift());
         if (!masterStats.tServerInfo.isEmpty())
           break;
       } catch (Exception ex) {
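Review bot: The exit status of `exec.waitFor()` is discarded and `System.getenv().get("ACCUMULO_HOME")` is concatenated without a null check. An unset variable makes `exec` fail on the path `null/bin/start-all.sh` with a misleading error, and a start script that exits non-zero is only noticed when the polling loop below never sees a tablet server. Check both up front: `String home = System.getenv("ACCUMULO_HOME"); if (home == null) throw new IllegalStateException("ACCUMULO_HOME is not set");` and `if (exec.waitFor() != 0) throw new Exception("start-all.sh failed");`. The loop's catch block continues outside this hunk, so whether it retries indefinitely is not visible here.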

http://git-wip-us.apache.org/repos/asf/accumulo/blob/a943f323/test/src/main/java/org/apache/accumulo/test/randomwalk/security/WalkingSecurity.java
----------------------------------------------------------------------
diff --git a/test/src/main/java/org/apache/accumulo/test/randomwalk/security/WalkingSecurity.java b/test/src/main/java/org/apache/accumulo/test/randomwalk/security/WalkingSecurity.java
index bd97dd4..9cff8f7 100644
--- a/test/src/main/java/org/apache/accumulo/test/randomwalk/security/WalkingSecurity.java
+++ b/test/src/main/java/org/apache/accumulo/test/randomwalk/security/WalkingSecurity.java
@@ -69,7 +69,6 @@ public class WalkingSecurity extends SecurityOperation implements Authorizor, Au
     super(author, authent, pm, instanceId);
   }
   
-  @SuppressWarnings("deprecation")
   public WalkingSecurity(State state2) {
     super(state2.getInstance().getInstanceID());
     this.state = state2;
@@ -401,7 +400,7 @@ public class WalkingSecurity extends SecurityOperation implements Authorizor, Au
   public boolean validTokenClass(String tokenClass) {
     return tokenClass.equals(PasswordToken.class.getCanonicalName());
   }
-
+  
   public static void clearInstance() {
     instance = null;
   }

