From: xiao@apache.org To: common-commits@hadoop.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: hadoop git commit: HADOOP-12453. Support decoding KMS Delegation Token with its own Identifier. Contributed by Xiaoyu Yao. Date: Thu, 3 Nov 2016 20:10:24 +0000 (UTC) archived-at: Thu, 03 Nov 2016 20:10:26 -0000 Repository: hadoop Updated Branches: refs/heads/trunk 20c4d8efa -> 7154a20bc HADOOP-12453. Support decoding KMS Delegation Token with its own Identifier. Contributed by Xiaoyu Yao. Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/7154a20b Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/7154a20b Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/7154a20b Branch: refs/heads/trunk Commit: 7154a20bcb1559c23aeb3b78b920bed03d834cb5 Parents: 20c4d8e Author: Xiao Chen Authored: Thu Nov 3 13:09:03 2016 -0700 Committer: Xiao Chen Committed: Thu Nov 3 13:09:03 2016 -0700 ---------------------------------------------------------------------- .../crypto/key/kms/KMSClientProvider.java | 4 +- .../crypto/key/kms/KMSDelegationToken.java | 52 ++++++++++++++++++++ ...apache.hadoop.security.token.TokenIdentifier | 14 ++++++ .../key/kms/server/KMSAuthenticationFilter.java | 4 +- .../hadoop/crypto/key/kms/server/TestKMS.java | 17 ++++--- 5 files changed, 79 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/7154a20b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java index db0ee85..2b6ae9e 100644 
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java @@ -98,8 +98,8 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension, private static final String ANONYMOUS_REQUESTS_DISALLOWED = "Anonymous requests are disallowed"; - public static final String TOKEN_KIND_STR = "kms-dt"; - public static final Text TOKEN_KIND = new Text(TOKEN_KIND_STR); + public static final String TOKEN_KIND_STR = KMSDelegationToken.TOKEN_KIND_STR; + public static final Text TOKEN_KIND = KMSDelegationToken.TOKEN_KIND; public static final String SCHEME_NAME = "kms"; http://git-wip-us.apache.org/repos/asf/hadoop/blob/7154a20b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSDelegationToken.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSDelegationToken.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSDelegationToken.java new file mode 100644 index 0000000..adeebf2 --- /dev/null +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSDelegationToken.java 
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto.key.kms;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.io.Text;
+import org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier;
+
+/**
+ * Holder class for KMS delegation tokens.
+ */
+@InterfaceAudience.Private
+public final class KMSDelegationToken {
+
+ public static final String TOKEN_KIND_STR = "kms-dt";
+ public static final Text TOKEN_KIND = new Text(TOKEN_KIND_STR);
+
+ // Utility class is not supposed to be instantiated.
+ private KMSDelegationToken() {
+ }
+
+ /**
+ * DelegationTokenIdentifier used for the KMS.
+ */
+ public static class KMSDelegationTokenIdentifier
+ extends DelegationTokenIdentifier {
+
+ public KMSDelegationTokenIdentifier() {
+ super(TOKEN_KIND);
+ }
+
+ @Override
+ public Text getKind() {
+ return TOKEN_KIND;
+ }
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/hadoop/blob/7154a20b/hadoop-common-project/hadoop-common/src/main/resources/META-INF/services/org.apache.hadoop.security.token.TokenIdentifier
----------------------------------------------------------------------
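Review bot: `TOKEN_KIND` is a `public static final Text`, and `Text` is mutable, so this one instance is shared by every `KMSDelegationTokenIdentifier` (it is passed to `super(TOKEN_KIND)` and returned from `getKind()`) as well as by the aliases kept in `KMSClientProvider`; a stray `set()` on it anywhere in the process would change the kind that every token-kind comparison relies on. Nothing on the declaration says so, and I would add `// Shared instance; Text is mutable, so callers must never call set() on this constant.` above it. The Javadoc of `KMSDelegationTokenIdentifier` should also state that the class is registered in `META-INF/services/org.apache.hadoop.security.token.TokenIdentifier` and therefore has to stay public with a public no-argument constructor, so a later refactor does not silently break loading. The file also ends without a trailing newline.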
diff --git a/hadoop-common-project/hadoop-common/src/main/resources/META-INF/services/org.apache.hadoop.security.token.TokenIdentifier b/hadoop-common-project/hadoop-common/src/main/resources/META-INF/services/org.apache.hadoop.security.token.TokenIdentifier
new file mode 100644
index 0000000..b65f151
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/resources/META-INF/services/org.apache.hadoop.security.token.TokenIdentifier
@@ -0,0 +1,14 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+org.apache.hadoop.crypto.key.kms.KMSDelegationToken$KMSDelegationTokenIdentifier
http://git-wip-us.apache.org/repos/asf/hadoop/blob/7154a20b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java
index 8efef73..45e48e9 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java
@@ -19,7 +19,7 @@ package org.apache.hadoop.crypto.key.kms.server; import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.crypto.key.kms.KMSClientProvider; +import org.apache.hadoop.crypto.key.kms.KMSDelegationToken; import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler; import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler; import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter; @@ -72,7 +72,7 @@ public class KMSAuthenticationFilter KerberosDelegationTokenAuthenticationHandler.class.getName()); } props.setProperty(DelegationTokenAuthenticationHandler.TOKEN_KIND, - KMSClientProvider.TOKEN_KIND_STR); + KMSDelegationToken.TOKEN_KIND_STR); return props; } http://git-wip-us.apache.org/repos/asf/hadoop/blob/7154a20b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java index de600f8..384d11a 100644 --- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java +++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java 
@@ -28,6 +28,7 @@ import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension; import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion; import org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension; import org.apache.hadoop.crypto.key.kms.KMSClientProvider; +import org.apache.hadoop.crypto.key.kms.KMSDelegationToken; import org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider; import org.apache.hadoop.fs.CommonConfigurationKeysPublic; import org.apache.hadoop.fs.Path; @@ -1804,13 +1805,13 @@ public class TestKMS { InetSocketAddress kmsAddr = new InetSocketAddress(getKMSUrl().getHost(), getKMSUrl().getPort()); - Assert.assertEquals(KMSClientProvider.TOKEN_KIND, + Assert.assertEquals(KMSDelegationToken.TOKEN_KIND, credentials.getToken(SecurityUtil.buildTokenService(kmsAddr)). getKind()); // Test non-renewer user cannot renew. for (Token token : tokens) { - if (!(token.getKind().equals(KMSClientProvider.TOKEN_KIND))) { + if (!(token.getKind().equals(KMSDelegationToken.TOKEN_KIND))) { LOG.info("Skipping token {}", token); continue; } @@ -1843,7 +1844,7 @@ public class TestKMS { boolean renewed = false; for (Token token : tokens) { if (!(token.getKind() - .equals(KMSClientProvider.TOKEN_KIND))) { + .equals(KMSDelegationToken.TOKEN_KIND))) { LOG.info("Skipping token {}", token); continue; } @@ -1863,7 +1864,7 @@ public class TestKMS { // test delegation token cancellation for (Token token : tokens) { if (!(token.getKind() - .equals(KMSClientProvider.TOKEN_KIND))) { + .equals(KMSDelegationToken.TOKEN_KIND))) { LOG.info("Skipping token {}", token); continue; } 
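Review bot: None of the TestKMS hunks exercises the behaviour the commit is named for: the changes here, and in the later hunks at -1927, -1971 and -1995, only swap `KMSClientProvider.TOKEN_KIND` for `KMSDelegationToken.TOKEN_KIND`, which compares the token kind and never decodes the identifier. A wrong or missing class name in the new `META-INF/services` entry would therefore pass this suite unnoticed. In the loop after `// Test non-renewer user cannot renew.` I would add `Assert.assertTrue(token.decodeIdentifier() instanceof KMSDelegationToken.KMSDelegationTokenIdentifier);`, assuming `decodeIdentifier()` resolves the class through that service file. The enclosing test methods start and end outside these hunks.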
@@ -1927,7 +1928,7 @@ public class TestKMS { final Credentials credentials = new Credentials(); kpdte.addDelegationTokens("client", credentials); Assert.assertEquals(1, credentials.getAllTokens().size()); - Assert.assertEquals(KMSClientProvider.TOKEN_KIND, credentials. + Assert.assertEquals(KMSDelegationToken.TOKEN_KIND, credentials. getToken(SecurityUtil.buildTokenService(kmsAddr)).getKind()); UserGroupInformation.getCurrentUser().addCredentials(credentials); LOG.info("Added kms dt to credentials: {}", UserGroupInformation. @@ -1971,14 +1972,14 @@ public class TestKMS { final Credentials newCreds = new Credentials(); kpdte.addDelegationTokens("client", newCreds); Assert.assertEquals(1, newCreds.getAllTokens().size()); - Assert.assertEquals(KMSClientProvider.TOKEN_KIND, + Assert.assertEquals(KMSDelegationToken.TOKEN_KIND, newCreds.getToken(SecurityUtil.buildTokenService(kmsAddr)). getKind()); // Using job 1's DT should fail. final Credentials oldCreds = new Credentials(); for (Token token : job1Token) { - if (token.getKind().equals(KMSClientProvider.TOKEN_KIND)) { + if (token.getKind().equals(KMSDelegationToken.TOKEN_KIND)) { oldCreds .addToken(SecurityUtil.buildTokenService(kmsAddr), token); } @@ -1995,7 +1996,7 @@ public class TestKMS { // Using the new DT should succeed. Assert.assertEquals(1, newCreds.getAllTokens().size()); - Assert.assertEquals(KMSClientProvider.TOKEN_KIND, + Assert.assertEquals(KMSDelegationToken.TOKEN_KIND, newCreds.getToken(SecurityUtil.buildTokenService(kmsAddr)). getKind()); UserGroupInformation.getCurrentUser().addCredentials(newCreds); --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org For additional commands, e-mail: common-commits-help@hadoop.apache.org