hadoop-hdfs-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bor...@apache.org
Subject svn commit: r903379 - in /hadoop/hdfs/trunk: ./ src/java/ src/java/org/apache/hadoop/hdfs/ src/java/org/apache/hadoop/hdfs/protocol/ src/java/org/apache/hadoop/hdfs/security/token/ src/java/org/apache/hadoop/hdfs/server/namenode/ src/test/hdfs/org/apac...
Date Tue, 26 Jan 2010 19:34:08 GMT
Author: boryas
Date: Tue Jan 26 19:34:06 2010
New Revision: 903379

URL: http://svn.apache.org/viewvc?rev=903379&view=rev
Log:
HDFS-899. Delegation Token Implementation

Added:
    hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/
    hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationKey.java
    hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenIdentifier.java
    hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenSecretManager.java
    hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/security/TestDelegationToken.java
Modified:
    hadoop/hdfs/trunk/CHANGES.txt
    hadoop/hdfs/trunk/src/java/hdfs-default.xml
    hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/DFSClient.java
    hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
    hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
    hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
    hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
    hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java
    hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/hdfs/TestDFSClientRetries.java

Modified: hadoop/hdfs/trunk/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/CHANGES.txt?rev=903379&r1=903378&r2=903379&view=diff
==============================================================================
--- hadoop/hdfs/trunk/CHANGES.txt (original)
+++ hadoop/hdfs/trunk/CHANGES.txt Tue Jan 26 19:34:06 2010
@@ -42,6 +42,10 @@
     COMPLETE state in response to getAdditionalBlock or completeFileInternal.
     (hairong)
 
+    HDFS-899. Delegation Token Implementation
+     and corresponding changes in Namenode and DFS Api to issue, 
+    renew and cancel delegation tokens. (jnp via boryas)
+
   OPTIMIZATIONS
 
   BUG FIXES

Modified: hadoop/hdfs/trunk/src/java/hdfs-default.xml
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/java/hdfs-default.xml?rev=903379&r1=903378&r2=903379&view=diff
==============================================================================
--- hadoop/hdfs/trunk/src/java/hdfs-default.xml (original)
+++ hadoop/hdfs/trunk/src/java/hdfs-default.xml Tue Jan 26 19:34:06 2010
@@ -481,4 +481,26 @@
   </description>
 </property>
 
+<property>
+  <name>dfs.namenode.delegation.key.update-interval</name>
+  <value>86400</value>
+  <description>The update frequency of master key for delegation tokens 
+       in the namenode.
+  </description>
+</property>
+
+<property>
+  <name>dfs.namenode.delegation.token.max-lifetime</name>
+  <value>604800</value>
+  <description>The maximum lifetime for which a delegation token is valid.
+  </description>
+</property>
+
+<property>
+  <name>dfs.namenode.delegation.token.renew-interval</name>
+  <value>86400</value>
+  <description>The frequency of renewal of delegation token.
+  </description>
+</property>
+
 </configuration>

Modified: hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/DFSClient.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/DFSClient.java?rev=903379&r1=903378&r2=903379&view=diff
==============================================================================
--- hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/DFSClient.java (original)
+++ hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/DFSClient.java Tue Jan 26 19:34:06 2010
@@ -90,6 +90,7 @@
 import org.apache.hadoop.hdfs.protocol.DataTransferProtocol.PipelineAck;
 import org.apache.hadoop.hdfs.security.BlockAccessToken;
 import org.apache.hadoop.hdfs.security.InvalidAccessTokenException;
+import org.apache.hadoop.hdfs.security.token.DelegationTokenIdentifier;
 import org.apache.hadoop.hdfs.server.common.HdfsConstants;
 import org.apache.hadoop.hdfs.server.common.UpgradeStatusReport;
 import org.apache.hadoop.hdfs.server.datanode.DataNode;
@@ -110,6 +111,9 @@
 import org.apache.hadoop.net.NodeBase;
 import org.apache.hadoop.security.AccessControlException;
 import org.apache.hadoop.security.UnixUserGroupInformation;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.security.token.SecretManager.InvalidToken;
 import org.apache.hadoop.util.Daemon;
 import org.apache.hadoop.util.DataChecksum;
 import org.apache.hadoop.util.Progressable;
@@ -348,6 +352,25 @@
     return serverDefaults;
   }
 
+  public Token<DelegationTokenIdentifier> getDelegationToken(Text renewer)
+      throws IOException {
+    return namenode.getDelegationToken(renewer);
+  }
+
+  public Boolean renewDelegationToken(Token<DelegationTokenIdentifier> token)
+      throws InvalidToken, IOException {
+    try {
+      return namenode.renewDelegationToken(token);
+    } catch (RemoteException re) {
+      throw re.unwrapRemoteException(InvalidToken.class);
+    }
+  }
+
+  public Boolean cancelDelegationToken(Token<DelegationTokenIdentifier> token)
+      throws IOException {
+    return namenode.cancelDelegationToken(token);
+  }
+  
   /**
    * Report corrupt blocks that were discovered by the client.
    */

Modified: hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/DFSConfigKeys.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/DFSConfigKeys.java?rev=903379&r1=903378&r2=903379&view=diff
==============================================================================
--- hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/DFSConfigKeys.java (original)
+++ hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/DFSConfigKeys.java Tue Jan 26 19:34:06
2010
@@ -88,6 +88,14 @@
   public static final String  DFS_NAMENODE_NAME_DIR_RESTORE_KEY = "dfs.namenode.name.dir.restore";
   public static final boolean DFS_NAMENODE_NAME_DIR_RESTORE_DEFAULT = false;
 
+  //Delegation token related keys
+  public static final String  DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_KEY = "dfs.namenode.delegation.key.update-interval";
+  public static final long    DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT = 86400;
+  public static final String  DFS_NAMENODE_DELEGATION_TOKEN_RENEW_INTERVAL_KEY = "dfs.namenode.delegation.token.renew-interval";
+  public static final long    DFS_NAMENODE_DELEGATION_TOKEN_RENEW_INTERVAL_DEFAULT = 86400;
+  public static final String  DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_KEY = "dfs.namenode.delegation.token.max-lifetime";
+  public static final long    DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_DEFAULT = 604800;
+
   //Following keys have no defaults
   public static final String  DFS_DATANODE_DATA_DIR_KEY = "dfs.datanode.data.dir";
   public static final String  DFS_NAMENODE_HTTPS_ADDRESS_KEY = "dfs.namenode.https-address";

Modified: hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/DistributedFileSystem.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/DistributedFileSystem.java?rev=903379&r1=903378&r2=903379&view=diff
==============================================================================
--- hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/DistributedFileSystem.java (original)
+++ hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/DistributedFileSystem.java Tue Jan 26
19:34:06 2010
@@ -31,11 +31,16 @@
 import org.apache.hadoop.hdfs.protocol.LocatedBlock;
 import org.apache.hadoop.hdfs.protocol.FSConstants.DatanodeReportType;
 import org.apache.hadoop.hdfs.protocol.FSConstants.UpgradeAction;
+import org.apache.hadoop.hdfs.security.token.DelegationTokenIdentifier;
 import org.apache.hadoop.hdfs.server.common.UpgradeStatusReport;
 import org.apache.hadoop.hdfs.server.namenode.NameNode;
 import org.apache.hadoop.hdfs.DFSClient.DFSDataInputStream;
 import org.apache.hadoop.hdfs.DFSClient.DFSOutputStream;
+import org.apache.hadoop.io.Text;
+import org.apache.hadoop.ipc.RemoteException;
 import org.apache.hadoop.security.AccessControlException;
+import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.security.token.SecretManager.InvalidToken;
 import org.apache.hadoop.util.Progressable;
 import org.apache.hadoop.fs.Options;
 
@@ -599,5 +604,44 @@
     dfs.setTimes(getPathName(p), mtime, atime);
   }
   
+  /** 
+   * Delegation Token Operations
+   * These are DFS only operations.
+   */
   
+  /**
+   * Get a valid Delegation Token.
+   * 
+   * @param renewer Name of the designated renewer for the token
+   * @return Token<DelegationTokenIdentifier>
+   * @throws IOException
+   */
+  public Token<DelegationTokenIdentifier> getDelegationToken(Text renewer)
+      throws IOException {
+    return dfs.getDelegationToken(renewer);
+  }
+
+  /**
+   * Renew an existing delegation token.
+   * 
+   * @param token delegation token obtained earlier
+   * @return True if renewed successfully else false
+   * @throws IOException
+   */
+  public Boolean renewDelegationToken(Token<DelegationTokenIdentifier> token)
+      throws InvalidToken, IOException {
+    return dfs.renewDelegationToken(token);
+  }
+
+  /**
+   * Cancel an existing delegation token.
+   * 
+   * @param token delegation token
+   * @return True if canceled successfully else false
+   * @throws IOException
+   */
+  public Boolean cancelDelegationToken(Token<DelegationTokenIdentifier> token)
+      throws IOException {
+    return dfs.cancelDelegationToken(token);
+  }
 }

Modified: hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java?rev=903379&r1=903378&r2=903379&view=diff
==============================================================================
--- hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java (original)
+++ hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/protocol/ClientProtocol.java Tue Jan
26 19:34:06 2010
@@ -28,10 +28,13 @@
 import org.apache.hadoop.fs.Options;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.hdfs.protocol.FSConstants.UpgradeAction;
+import org.apache.hadoop.hdfs.security.token.DelegationTokenIdentifier;
 import org.apache.hadoop.hdfs.server.common.UpgradeStatusReport;
 import org.apache.hadoop.io.EnumSetWritable;
+import org.apache.hadoop.io.Text;
 import org.apache.hadoop.ipc.VersionedProtocol;
 import org.apache.hadoop.security.AccessControlException;
+import org.apache.hadoop.security.token.Token;
 
 /**********************************************************************
  * ClientProtocol is used by user code via 
@@ -46,9 +49,9 @@
    * Compared to the previous version the following changes have been introduced:
    * (Only the latest change is reflected.
    * The log of historical changes can be retrieved from the svn).
-   * 54: changed addBlock to include a list of excluded datanodes.
+   * 55: Adding Delegation Token related APIs
    */
-  public static final long versionID = 54L;
+  public static final long versionID = 55L;
   
   ///////////////////////////////////////
   // File contents
@@ -579,4 +582,33 @@
   public void updatePipeline(String clientName, Block oldBlock, 
       Block newBlock, DatanodeID[] newNodes)
   throws IOException;
+
+  /**
+   * Get a valid Delegation Token.
+   * 
+   * @param renewer the designated renewer for the token
+   * @return Token<DelegationTokenIdentifier>
+   * @throws IOException
+   */
+  public Token<DelegationTokenIdentifier> getDelegationToken(Text renewer) throws IOException;
+
+  /**
+   * Renew an existing delegation token.
+   * 
+   * @param token delegation token obtained earlier
+   * @return True if renewed successfully else false
+   * @throws IOException
+   */
+  public Boolean renewDelegationToken(Token<DelegationTokenIdentifier> token)
+      throws IOException;
+  
+  /**
+   * Cancel an existing delegation token.
+   * 
+   * @param token delegation token
+   * @return True if canceled successfully else false
+   * @throws IOException
+   */
+  public Boolean cancelDelegationToken(Token<DelegationTokenIdentifier> token)
+      throws IOException;
 }

Added: hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationKey.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationKey.java?rev=903379&view=auto
==============================================================================
--- hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationKey.java (added)
+++ hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationKey.java Tue
Jan 26 19:34:06 2010
@@ -0,0 +1,84 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfs.security.token;
+
+import java.io.DataInput;
+import java.io.DataOutput;
+import java.io.IOException;
+
+import javax.crypto.SecretKey;
+
+import org.apache.hadoop.io.Writable;
+import org.apache.hadoop.io.WritableUtils;
+
+/**
+ * Key used for generating and verifying delegation tokens
+ */
+public class DelegationKey implements Writable {
+  private int keyId;
+  private long expiryDate;
+  private SecretKey key;
+
+  public DelegationKey() {
+    this(0, 0L, null);
+  }
+
+  public DelegationKey(int keyId, long expiryDate, SecretKey key) {
+    this.keyId = keyId;
+    this.expiryDate = expiryDate;
+    this.key = key;
+  }
+
+  public int getKeyId() {
+    return keyId;
+  }
+
+  public long getExpiryDate() {
+    return expiryDate;
+  }
+
+  public SecretKey getKey() {
+    return key;
+  }
+
+  public void setExpiryDate(long expiryDate) {
+    this.expiryDate = expiryDate;
+  }
+
+  /**
+   */
+  public void write(DataOutput out) throws IOException {
+    WritableUtils.writeVInt(out, keyId);
+    WritableUtils.writeVLong(out, expiryDate);
+    byte[] keyBytes = key.getEncoded();
+    WritableUtils.writeVInt(out, keyBytes.length);
+    out.write(keyBytes);
+  }
+
+  /**
+   */
+  public void readFields(DataInput in) throws IOException {
+    keyId = WritableUtils.readVInt(in);
+    expiryDate = WritableUtils.readVLong(in);
+    int len = WritableUtils.readVInt(in);
+    byte[] keyBytes = new byte[len];
+    in.readFully(keyBytes);
+    key = DelegationTokenSecretManager.createSecretKey(keyBytes);
+  }
+}

Added: hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenIdentifier.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenIdentifier.java?rev=903379&view=auto
==============================================================================
--- hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenIdentifier.java
(added)
+++ hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenIdentifier.java
Tue Jan 26 19:34:06 2010
@@ -0,0 +1,146 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfs.security.token;
+
+import java.io.DataInput;
+import java.io.DataOutput;
+import java.io.IOException;
+
+import org.apache.hadoop.io.Text;
+import org.apache.hadoop.io.Writable;
+import org.apache.hadoop.io.WritableFactories;
+import org.apache.hadoop.io.WritableFactory;
+import org.apache.hadoop.io.WritableUtils;
+import org.apache.hadoop.security.token.TokenIdentifier;
+
+public class DelegationTokenIdentifier extends TokenIdentifier {
+  static final Text KIND_NAME = new Text("HDFS_DELEGATION_TOKEN");
+
+  private Text owner;
+  private Text renewer;
+  private long issueDate;
+  private long maxDate;
+  private int sequenceNumber;
+  private int masterKeyId = 0;
+  
+  public DelegationTokenIdentifier() {
+    this(new Text(), new Text());
+  }
+  
+  public DelegationTokenIdentifier(Text owner, Text renewer) {
+    this.owner = owner;
+    this.renewer = renewer;
+    issueDate = 0;
+    maxDate = 0;
+  }
+
+  @Override
+  public Text getKind() {
+    return KIND_NAME;
+  }
+  
+  /**
+   * Get the username encoded in the token identifier
+   * 
+   * @return the username or owner
+   */
+  public Text getUsername() {
+    return owner;
+  }
+  
+  public Text getRenewer() {
+    return renewer;
+  }
+  
+  public void setIssueDate(long issueDate) {
+    this.issueDate = issueDate;
+  }
+  
+  public long getIssueDate() {
+    return issueDate;
+  }
+  
+  public void setMaxDate(long maxDate) {
+    this.maxDate = maxDate;
+  }
+  
+  public long getMaxDate() {
+    return maxDate;
+  }
+
+  public void setSequenceNumber(int seqNum) {
+    this.sequenceNumber = seqNum;
+  }
+  
+  public int getSequenceNumber() {
+    return sequenceNumber;
+  }
+
+  public void setMasterKeyId(int newId) {
+    masterKeyId = newId;
+  }
+
+  public int getMasterKeyId() {
+    return masterKeyId;
+  }
+
+  static boolean isEqual(Object a, Object b) {
+    return a == null ? b == null : a.equals(b);
+  }
+  
+  /** {@inheritDoc} */
+  public boolean equals(Object obj) {
+    if (obj == this) {
+      return true;
+    }
+    if (obj instanceof DelegationTokenIdentifier) {
+      DelegationTokenIdentifier that = (DelegationTokenIdentifier) obj;
+      return this.sequenceNumber == that.sequenceNumber 
+          && this.issueDate == that.issueDate 
+          && this.maxDate == that.maxDate
+          && this.masterKeyId == that.masterKeyId
+          && isEqual(this.owner, that.owner) 
+          && isEqual(this.renewer, that.renewer);
+    }
+    return false;
+  }
+
+  /** {@inheritDoc} */
+  public int hashCode() {
+    return this.sequenceNumber;
+  }
+  
+  public void readFields(DataInput in) throws IOException {
+    owner.readFields(in);
+    renewer.readFields(in);
+    issueDate = WritableUtils.readVLong(in);
+    maxDate = WritableUtils.readVLong(in);
+    sequenceNumber = WritableUtils.readVInt(in);
+    masterKeyId = WritableUtils.readVInt(in);
+  }
+
+  public void write(DataOutput out) throws IOException {
+    owner.write(out);
+    renewer.write(out);
+    WritableUtils.writeVLong(out, issueDate);
+    WritableUtils.writeVLong(out, maxDate);
+    WritableUtils.writeVInt(out, sequenceNumber);
+    WritableUtils.writeVInt(out, masterKeyId);
+  }
+}

Added: hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenSecretManager.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenSecretManager.java?rev=903379&view=auto
==============================================================================
--- hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenSecretManager.java
(added)
+++ hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/security/token/DelegationTokenSecretManager.java
Tue Jan 26 19:34:06 2010
@@ -0,0 +1,352 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfs.security.token;
+
+import java.io.ByteArrayInputStream;
+import java.io.DataInputStream;
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
+
+import javax.crypto.SecretKey;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.io.Text;
+import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.security.token.SecretManager;
+import org.apache.hadoop.util.Daemon;
+import org.apache.hadoop.util.StringUtils;
+
+public class DelegationTokenSecretManager 
+   extends SecretManager<DelegationTokenIdentifier> {
+  private static final Log LOG = LogFactory
+      .getLog(DelegationTokenSecretManager.class);
+
+  /** 
+   * Cache of currently valid tokens, mapping from DelegationTokenIdentifier 
+   * to DelegationTokenInformation. Protected by its own lock.
+   */
+  private final Map<DelegationTokenIdentifier, DelegationTokenInformation> currentTokens

+      = new HashMap<DelegationTokenIdentifier, DelegationTokenInformation>();
+  
+  /**
+   * Sequence number to create DelegationTokenIdentifier
+   */
+  private int delegationTokenSequenceNumber = 0;
+  
+  private final Map<Integer, DelegationKey> allKeys 
+      = new HashMap<Integer, DelegationKey>();
+  
+  /**
+   * Access to currentId and currentKey is protected by this object lock.
+   */
+  private int currentId = 0;
+  private DelegationKey currentKey;
+  
+  private long keyUpdateInterval;
+  private long tokenMaxLifetime;
+  private long tokenRemoverScanInterval;
+  private long tokenRenewInterval;
+  private Thread tokenRemoverThread;
+  private volatile boolean running;
+  
+
+  public DelegationTokenSecretManager(long delegationKeyUpdateInterval,
+      long delegationTokenMaxLifetime, long delegationTokenRenewInterval,
+      long delegationTokenRemoverScanInterval) {
+    this.keyUpdateInterval = delegationKeyUpdateInterval;
+    this.tokenMaxLifetime = delegationTokenMaxLifetime;
+    this.tokenRenewInterval = delegationTokenRenewInterval;
+    this.tokenRemoverScanInterval = delegationTokenRemoverScanInterval;
+  }
+  
+  /** should be called before this object is used */
+  public synchronized void startThreads() throws IOException {
+    updateCurrentKey();
+    running = true;
+    tokenRemoverThread = new Daemon(new ExpiredTokenRemover());
+    tokenRemoverThread.start();
+  }
+  
+  /** 
+   * Add a previously used master key to cache (when NN restarts), 
+   * should be called before activate().
+   * */
+  public synchronized void addKey(DelegationKey key) throws IOException {
+    if (running) // a safety check
+      throw new IOException("Can't add delegation key to a running SecretManager.");
+    if (key.getKeyId() > currentId) {
+      currentId = key.getKeyId();
+    }
+    allKeys.put(key.getKeyId(), key);
+  }
+
+  public synchronized DelegationKey[] getAllKeys() {
+    return allKeys.values().toArray(new DelegationKey[0]);
+  }
+  
+  /** Update the current master key */
+  private synchronized void updateCurrentKey() throws IOException {
+    LOG.info("Updating the current master key for generating delegation tokens");
+    /* Create a new currentKey with an estimated expiry date. */
+    currentId++;
+    currentKey = new DelegationKey(currentId, System.currentTimeMillis()
+        + keyUpdateInterval + tokenMaxLifetime, generateSecret());
+    allKeys.put(currentKey.getKeyId(), currentKey);
+  }
+  
+  /** Update the current master key for generating delegation tokens */
+  public synchronized void rollMasterKey() throws IOException {
+    removeExpiredKeys();
+    /* set final expiry date for retiring currentKey */
+    currentKey.setExpiryDate(System.currentTimeMillis() + tokenMaxLifetime);
+    /*
+     * currentKey might have been removed by removeExpiredKeys(), if
+     * updateMasterKey() isn't called at expected interval. Add it back to
+     * allKeys just in case.
+     */
+    allKeys.put(currentKey.getKeyId(), currentKey);
+    updateCurrentKey();
+  }
+
+  private synchronized void removeExpiredKeys() {
+    long now = System.currentTimeMillis();
+    for (Iterator<Map.Entry<Integer, DelegationKey>> it = allKeys.entrySet()
+        .iterator(); it.hasNext();) {
+      Map.Entry<Integer, DelegationKey> e = it.next();
+      if (e.getValue().getExpiryDate() < now) {
+        it.remove();
+      }
+    }
+  }
+  
+  @Override
+  protected byte[] createPassword(DelegationTokenIdentifier identifier) {
+    int sequenceNum;
+    int id;
+    DelegationKey key;
+    long now = System.currentTimeMillis();    
+    synchronized (this) {
+      id = currentId;
+      key = currentKey;
+      sequenceNum = ++delegationTokenSequenceNumber;
+    }
+    identifier.setIssueDate(now);
+    identifier.setMaxDate(now + tokenMaxLifetime);
+    identifier.setMasterKeyId(id);
+    identifier.setSequenceNumber(sequenceNum);
+    byte[] password = createPassword(identifier.getBytes(), key.getKey());
+    synchronized (currentTokens) {
+      currentTokens.put(identifier, new DelegationTokenInformation(now
+          + tokenRenewInterval, password));
+    }
+    return password;
+  }
+
+  @Override
+  public byte[] retrievePassword(DelegationTokenIdentifier identifier
+                                 ) throws InvalidToken {
+    DelegationTokenInformation info = null;
+    synchronized (currentTokens) {
+      info = currentTokens.get(identifier);
+    }
+    if (info == null) {
+      throw new InvalidToken("token is expired or doesn't exist");
+    }
+    long now = System.currentTimeMillis();
+    if (info.getRenewDate() < now) {
+      throw new InvalidToken("token is expired");
+    }
+    return info.getPassword();
+  }
+
+  /**
+   * Renew a delegation token. Canceled tokens are not renewed. Return true if
+   * the token is successfully renewed; false otherwise.
+   */
+  public Boolean renewToken(Token<DelegationTokenIdentifier> token,
+      String renewer) throws InvalidToken, IOException {
+    long now = System.currentTimeMillis();
+    ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
+    DataInputStream in = new DataInputStream(buf);
+    DelegationTokenIdentifier id = new DelegationTokenIdentifier();
+    id.readFields(in);
+    synchronized (currentTokens) {
+      if (currentTokens.get(id) == null) {
+        LOG.warn("Renewal request for unknown token");
+        return false;
+      }
+    }
+    if (id.getMaxDate() < now) {
+      LOG.warn("Client " + renewer + " tries to renew an expired token");
+      return false;
+    }
+    if (id.getRenewer() == null || !id.getRenewer().toString().equals(renewer)) {
+      LOG.warn("Client " + renewer + " tries to renew a token with "
+          + "renewer specified as " + id.getRenewer());
+      return false;
+    }
+    DelegationKey key = null;
+    synchronized (this) {
+      key = allKeys.get(id.getMasterKeyId());
+    }
+    if (key == null) {
+      LOG.warn("Unable to find master key for keyId=" + id.getMasterKeyId() 
+          + " from cache. Failed to renew an unexpired token with sequenceNumber=" 
+          + id.getSequenceNumber() + ", issued by this key");
+      return false;
+    }
+    byte[] password = createPassword(token.getIdentifier(), key.getKey());
+    if (!Arrays.equals(password, token.getPassword())) {
+      LOG.warn("Client " + renewer + " is trying to renew a token with wrong password");
+      return false;
+    }
+    DelegationTokenInformation info = new DelegationTokenInformation(
+        Math.min(id.getMaxDate(), now + tokenRenewInterval), password);
+    synchronized (currentTokens) {
+      currentTokens.put(id, info);
+    }
+    return true;
+  }
+  
+  /**
+   * Cancel a token by removing it from cache. Return true if 
+   * token exists in cache; false otherwise.
+   */
+  public Boolean cancelToken(Token<DelegationTokenIdentifier> token,
+      String canceller) throws IOException {
+    ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
+    DataInputStream in = new DataInputStream(buf);
+    DelegationTokenIdentifier id = new DelegationTokenIdentifier();
+    id.readFields(in);
+    if (id.getRenewer() == null) {
+      LOG.warn("Renewer is null: Invalid Identifier");
+      return false;
+    }
+    if (id.getUsername() == null) {
+      LOG.warn("owner is null: Invalid Identifier");
+      return false;
+    }
+    String owner = id.getUsername().toString();
+    String renewer = id.getRenewer().toString();
+    if (!canceller.equals(owner) && !canceller.equals(renewer)) {
+      LOG.warn(canceller + " is not authorized to cancel the token");
+      return false;
+    }
+    DelegationTokenInformation info = null;
+    synchronized (currentTokens) {
+      info = currentTokens.remove(id);
+    }
+    return info != null;
+  }
+  
+  /**
+   * Convert the byte[] to a secret key
+   * @param key the byte[] to create the secret key from
+   * @return the secret key
+   */
+  public static SecretKey createSecretKey(byte[] key) {
+    return SecretManager.createSecretKey(key);
+  }
+
+
+  /** Utility class to encapsulate a token's renew date and password. */
+  private static class DelegationTokenInformation {
+    long renewDate;
+    byte[] password;
+    DelegationTokenInformation(long renewDate, byte[] password) {
+      this.renewDate = renewDate;
+      this.password = password;
+    }
+    /** returns renew date */
+    long getRenewDate() {
+      return renewDate;
+    }
+    /** returns password */
+    byte[] getPassword() {
+      return password;
+    }
+  }
+  
+  /** Remove expired delegation tokens from cache */
+  private void removeExpiredToken() {
+    long now = System.currentTimeMillis();
+    synchronized (currentTokens) {
+      Iterator<DelegationTokenInformation> i = currentTokens.values().iterator();
+      while (i.hasNext()) {
+        long renewDate = i.next().getRenewDate();
+        if (now > renewDate) {
+          i.remove();
+        }
+      }
+    }
+  }
+
+  public synchronized void stopThreads() {
+    if (LOG.isDebugEnabled())
+      LOG.debug("Stopping expired delegation token remover thread");
+    running = false;
+    tokenRemoverThread.interrupt();
+    try {
+      tokenRemoverThread.join();
+    } catch (InterruptedException e) {
+    }
+  }
+  
+  private class ExpiredTokenRemover extends Thread {
+    private long lastMasterKeyUpdate;
+    private long lastTokenCacheCleanup;
+
+    public void run() {
+      LOG.info("Starting expired delegation token remover thread, "
+          + "tokenRemoverScanInterval=" + tokenRemoverScanInterval
+          / (60 * 1000) + " min(s)");
+      try {
+        while (running) {
+          long now = System.currentTimeMillis();
+          if (lastMasterKeyUpdate + keyUpdateInterval < now) {
+            try {
+              rollMasterKey();
+              lastMasterKeyUpdate = now;
+            } catch (IOException e) {
+              LOG.error("Master key updating failed. "
+                  + StringUtils.stringifyException(e));
+            }
+          }
+          if (lastTokenCacheCleanup + tokenRemoverScanInterval < now) {
+            removeExpiredToken();
+            lastTokenCacheCleanup = now;
+          }
+          Thread.sleep(5000); // 5 seconds
+        }
+      } catch (InterruptedException ie) {
+        LOG
+            .error("InterruptedExcpetion recieved for ExpiredTokenRemover thread "
+                + ie);
+      } catch (Throwable t) {
+        LOG.error("ExpiredTokenRemover thread received unexpected exception. "
+            + t);
+        Runtime.getRuntime().exit(-1);
+      }
+    }
+  }
+}

Modified: hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java?rev=903379&r1=903378&r2=903379&view=diff
==============================================================================
--- hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java (original)
+++ hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java Tue
Jan 26 19:34:06 2010
@@ -36,6 +36,10 @@
 import org.apache.hadoop.security.PermissionChecker;
 import org.apache.hadoop.security.UnixUserGroupInformation;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.security.token.SecretManager.InvalidToken;
+import org.apache.hadoop.hdfs.security.token.DelegationTokenIdentifier;
+import org.apache.hadoop.hdfs.security.token.DelegationTokenSecretManager;
 import org.apache.hadoop.util.*;
 import org.apache.hadoop.metrics.util.MBeanUtil;
 import org.apache.hadoop.net.CachedDNSToSwitchMapping;
@@ -68,6 +72,7 @@
 import org.apache.hadoop.fs.permission.*;
 import org.apache.hadoop.ipc.Server;
 import org.apache.hadoop.io.IOUtils;
+import org.apache.hadoop.io.Text;
 
 import java.io.BufferedWriter;
 import java.io.File;
@@ -145,6 +150,10 @@
   AccessTokenHandler accessTokenHandler;
   private long accessKeyUpdateInterval;
   private long accessTokenLifetime;
+  
+  // Scan interval is not configurable.
+  private final long DELEGATION_TOKEN_REMOVER_SCAN_INTERVAL = 3600000; // 1 hour
+  private DelegationTokenSecretManager dtSecretManager;
 
   //
   // Stores the correct file name hierarchy
@@ -256,6 +265,7 @@
     this.systemStart = now();
     this.blockManager = new BlockManager(this, conf);
     setConfigurationParameters(conf);
+    dtSecretManager = createDelegationTokenSecretManager(conf);
     this.registerMBean(conf); // register the MBean for the FSNamesystemStutus
     if(fsImage == null) {
       this.dir = new FSDirectory(this, conf);
@@ -276,6 +286,7 @@
       accessTokenHandler = new AccessTokenHandler(true,
           accessKeyUpdateInterval, accessTokenLifetime);
     }
+    dtSecretManager.startThreads();
   }
 
   /**
@@ -4309,5 +4320,47 @@
       }
     }
     return decommissioningNodes;
-  }  
+  }
+
+  /*
+   * Delegation Token
+   */
+   
+  private DelegationTokenSecretManager createDelegationTokenSecretManager(
+      Configuration conf) {
+    return new DelegationTokenSecretManager(conf.getLong(
+        DFSConfigKeys.DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_KEY,
+        DFSConfigKeys.DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT),
+        conf.getLong(
+            DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_KEY,
+            DFSConfigKeys.DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT),
+        conf.getLong(
+            DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_RENEW_INTERVAL_KEY,
+            DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_DEFAULT),
+        DELEGATION_TOKEN_REMOVER_SCAN_INTERVAL);
+  }
+
+  public DelegationTokenSecretManager getDelegationTokenSecretManager() {
+    return dtSecretManager;
+  }
+
+  public Token<DelegationTokenIdentifier> getDelegationToken(Text renewer)
+      throws IOException {
+    String user = UserGroupInformation.getCurrentUGI().getUserName();
+    Text owner = new Text(user);
+    DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(owner, renewer);
+    return new Token<DelegationTokenIdentifier>(dtId, dtSecretManager);
+  }
+
+  public Boolean renewDelegationToken(Token<DelegationTokenIdentifier> token)
+      throws InvalidToken, IOException {
+    String renewer = UserGroupInformation.getCurrentUGI().getUserName();
+    return dtSecretManager.renewToken(token, renewer);
+  }
+
+  public Boolean cancelDelegationToken(Token<DelegationTokenIdentifier> token)
+      throws IOException {
+    String canceller = UserGroupInformation.getCurrentUGI().getUserName();
+    return dtSecretManager.cancelToken(token, canceller);
+  }
 }

Modified: hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java?rev=903379&r1=903378&r2=903379&view=diff
==============================================================================
--- hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java (original)
+++ hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/namenode/NameNode.java Tue Jan
26 19:34:06 2010
@@ -71,6 +71,7 @@
 import org.apache.hadoop.hdfs.HdfsConfiguration;
 import org.apache.hadoop.http.HttpServer;
 import org.apache.hadoop.io.EnumSetWritable;
+import org.apache.hadoop.io.Text;
 import org.apache.hadoop.ipc.RPC;
 import org.apache.hadoop.ipc.Server;
 import org.apache.hadoop.net.NetUtils;
@@ -84,6 +85,9 @@
 import org.apache.hadoop.security.authorize.PolicyProvider;
 import org.apache.hadoop.security.authorize.RefreshAuthorizationPolicyProtocol;
 import org.apache.hadoop.security.authorize.ServiceAuthorizationManager;
+import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.security.token.SecretManager.InvalidToken;
+import org.apache.hadoop.hdfs.security.token.DelegationTokenIdentifier;
 import org.apache.hadoop.util.ReflectionUtils;
 import org.apache.hadoop.util.ServicePlugin;
 import org.apache.hadoop.util.StringUtils;
@@ -547,6 +551,22 @@
   /////////////////////////////////////////////////////
   // ClientProtocol
   /////////////////////////////////////////////////////
+  
+  public Token<DelegationTokenIdentifier> getDelegationToken(Text renewer)
+      throws IOException {
+    return namesystem.getDelegationToken(renewer);
+  }
+
+  public Boolean renewDelegationToken(Token<DelegationTokenIdentifier> token)
+      throws InvalidToken, IOException {
+    return namesystem.renewDelegationToken(token);
+  }
+
+  public Boolean cancelDelegationToken(Token<DelegationTokenIdentifier> token)
+      throws IOException {
+    return namesystem.cancelDelegationToken(token);
+  }
+  
   /** {@inheritDoc} */
   public LocatedBlocks   getBlockLocations(String src, 
                                           long offset, 

Modified: hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/hdfs/TestDFSClientRetries.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/hdfs/TestDFSClientRetries.java?rev=903379&r1=903378&r2=903379&view=diff
==============================================================================
--- hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/hdfs/TestDFSClientRetries.java (original)
+++ hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/hdfs/TestDFSClientRetries.java Tue Jan
26 19:34:06 2010
@@ -31,11 +31,15 @@
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.hdfs.protocol.*;
 import org.apache.hadoop.hdfs.protocol.FSConstants.UpgradeAction;
+import org.apache.hadoop.hdfs.security.token.DelegationTokenIdentifier;
 import org.apache.hadoop.hdfs.server.common.*;
 import org.apache.hadoop.hdfs.server.namenode.NotReplicatedYetException;
 import org.apache.hadoop.io.*;
 import org.apache.hadoop.ipc.RemoteException;
 import org.apache.hadoop.security.AccessControlException;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.security.token.SecretManager.InvalidToken;
 
 import junit.framework.TestCase;
 
@@ -185,6 +189,22 @@
 
     public void reportBadBlocks(LocatedBlock[] blocks) throws IOException {}
 
+    public Token<DelegationTokenIdentifier> getDelegationToken(Text renewer)
+        throws IOException {
+      return null;
+    }
+    
+    public Boolean renewDelegationToken(Token<DelegationTokenIdentifier> token)
+        throws InvalidToken, IOException {
+      return false;
+    }
+
+    public Boolean cancelDelegationToken(Token<DelegationTokenIdentifier> token)
+        throws IOException {
+      return false;
+    }
+    
+    
     @Deprecated
     public boolean rename(String src, String dst) throws IOException { return false; }
     

Added: hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/security/TestDelegationToken.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/security/TestDelegationToken.java?rev=903379&view=auto
==============================================================================
--- hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/security/TestDelegationToken.java (added)
+++ hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/security/TestDelegationToken.java Tue
Jan 26 19:34:06 2010
@@ -0,0 +1,130 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.security;
+
+
+
+import java.io.ByteArrayInputStream;
+import java.io.DataInputStream;
+
+import junit.framework.Assert;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.hdfs.DFSConfigKeys;
+import org.apache.hadoop.hdfs.DistributedFileSystem;
+import org.apache.hadoop.hdfs.HdfsConfiguration;
+import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.io.Text;
+import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.security.token.SecretManager.InvalidToken;
+import org.apache.hadoop.hdfs.security.token.DelegationTokenIdentifier;
+import org.apache.hadoop.hdfs.security.token.DelegationTokenSecretManager;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.mortbay.log.Log;
+
+public class TestDelegationToken {
+  private MiniDFSCluster cluster;
+  Configuration config;
+  
+  @Before
+  public void setUp() throws Exception {
+    config = new HdfsConfiguration();
+    config.setLong(DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_KEY, 10000);
+    config.setLong(DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_RENEW_INTERVAL_KEY, 5000);
+    FileSystem.setDefaultUri(config, "hdfs://localhost:" + "0");
+    cluster = new MiniDFSCluster(0, config, 1, true, true, true,  null, null, null, null);
+    cluster.waitActive();
+  }
+
+  @After
+  public void tearDown() throws Exception {
+    if(cluster!=null) {
+      cluster.shutdown();
+    }
+  }
+
+  private Token<DelegationTokenIdentifier> generateDelegationToken(
+      String owner, String renewer) {
+    DelegationTokenSecretManager dtSecretManager = cluster.getNamesystem()
+        .getDelegationTokenSecretManager();
+    DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(new Text(
+        owner), new Text(renewer));
+    return new Token<DelegationTokenIdentifier>(dtId, dtSecretManager);
+  }
+  
+  @Test
+  public void testDelegationTokenSecretManager() throws Exception {
+    DelegationTokenSecretManager dtSecretManager = cluster.getNamesystem()
+        .getDelegationTokenSecretManager();
+    Token<DelegationTokenIdentifier> token = generateDelegationToken(
+        "SomeUser", "JobTracker");
+    // Fake renewer should not be able to renew
+	  Assert.assertFalse(dtSecretManager.renewToken(token, "FakeRenewer"));
+	  Assert.assertTrue(dtSecretManager.renewToken(token, "JobTracker"));
+    DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
+    byte[] tokenId = token.getIdentifier();
+    identifier.readFields(new DataInputStream(
+             new ByteArrayInputStream(tokenId)));
+    Assert.assertTrue(null != dtSecretManager.retrievePassword(identifier));
+    Log.info("Sleep to expire the token");
+	  Thread.sleep(6000);
+	  //Token should be expired
+	  try {
+	    dtSecretManager.retrievePassword(identifier);
+	    //Should not come here
+	    Assert.fail("Token should have expired");
+	  } catch (InvalidToken e) {
+	    //Success
+	  }
+	  Assert.assertTrue(dtSecretManager.renewToken(token, "JobTracker"));
+	  Log.info("Sleep beyond the max lifetime");
+	  Thread.sleep(5000);
+	  Assert.assertFalse(dtSecretManager.renewToken(token, "JobTracker"));
+  }
+  
+  @Test 
+  public void testCancelDelegationToken() throws Exception {
+    DelegationTokenSecretManager dtSecretManager = cluster.getNamesystem()
+        .getDelegationTokenSecretManager();
+    Token<DelegationTokenIdentifier> token = generateDelegationToken(
+        "SomeUser", "JobTracker");
+    //Fake renewer should not be able to renew
+    Assert.assertFalse(dtSecretManager.cancelToken(token, "FakeCanceller"));
+    Assert.assertTrue(dtSecretManager.cancelToken(token, "JobTracker"));
+    Assert.assertFalse(dtSecretManager.renewToken(token, "JobTracker"));
+  }
+  
+  @Test
+  public void testDelegationTokenDFSApi() throws Exception {
+    DelegationTokenSecretManager dtSecretManager = cluster.getNamesystem().getDelegationTokenSecretManager();
+    DistributedFileSystem dfs = (DistributedFileSystem) cluster.getFileSystem();
+    Token<DelegationTokenIdentifier> token = dfs.getDelegationToken(new Text("JobTracker"));
+    DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
+    byte[] tokenId = token.getIdentifier();
+    identifier.readFields(new DataInputStream(
+             new ByteArrayInputStream(tokenId)));
+    Log.info("A valid token should have non-null password, and should be renewed successfully");
+    Assert.assertTrue(null != dtSecretManager.retrievePassword(identifier));
+    Assert.assertTrue(dtSecretManager.renewToken(token, "JobTracker"));
+  }
+  
+}



Mime
View raw message