Class DelegationTokenAuthenticationHandler
java.lang.Object
org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler
- All Implemented Interfaces: org.apache.hadoop.security.authentication.server.AuthenticationHandler
- Direct Known Subclasses: KerberosDelegationTokenAuthenticationHandler, MultiSchemeDelegationTokenAuthenticationHandler, PseudoDelegationTokenAuthenticationHandler
@Private
@Evolving
public abstract class DelegationTokenAuthenticationHandler
extends Object
implements org.apache.hadoop.security.authentication.server.AuthenticationHandler
An AuthenticationHandler that implements the Kerberos SPNEGO mechanism for HTTP and supports Delegation Token functionality.
In addition to the wrapped AuthenticationHandler configuration properties, this handler supports the following properties, prefixed with the type of the wrapped AuthenticationHandler:
- delegation-token.token-kind: the token kind for generated tokens (no default, required property).
- delegation-token.update-interval.sec: secret manager master key update interval in seconds (default 1 day).
- delegation-token.max-lifetime.sec: maximum life of a delegation token in seconds (default 7 days).
- delegation-token.renewal-interval.sec: renewal interval for delegation tokens in seconds (default 1 day).
- delegation-token.removal-scan-interval.sec: delegation tokens removal scan interval in seconds (default 1 hour).
Field Summary
Fields (Modifier and Type, Field, Description):
- static final String
- static final String
- static final String
- static final String
- protected static final String
Fields inherited from interface org.apache.hadoop.security.authentication.server.AuthenticationHandler:
- WWW_AUTHENTICATE
Constructor Summary
Constructors (Constructor, Description):
- DelegationTokenAuthenticationHandler(org.apache.hadoop.security.authentication.server.AuthenticationHandler handler)
Method Summary
Methods (Modifier and Type, Method, Description):
- org.apache.hadoop.security.authentication.server.AuthenticationToken authenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response): Authenticates a request looking for the delegation query-string parameter and verifying it is a valid token.
- void destroy()
- getType()
- void init(Properties config)
- void initJsonFactory(Properties config)
- void initTokenManager(Properties config)
- protected final boolean isManagementOperation(javax.servlet.http.HttpServletRequest request): This method checks if the given HTTP request corresponds to a management operation.
- boolean managementOperation(org.apache.hadoop.security.authentication.server.AuthenticationToken token, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
- void setExternalDelegationTokenSecretManager(AbstractDelegationTokenSecretManager secretManager): Sets an external DelegationTokenSecretManager instance to manage creation and verification of Delegation Tokens.
Field Details
- TYPE_POSTFIX
- PREFIX
- TOKEN_KIND
- DELEGATION_TOKEN_UGI_ATTRIBUTE
- JSON_MAPPER_PREFIX
Constructor Details
DelegationTokenAuthenticationHandler
public DelegationTokenAuthenticationHandler(org.apache.hadoop.security.authentication.server.AuthenticationHandler handler)
Method Details
init
- Specified by: init in interface org.apache.hadoop.security.authentication.server.AuthenticationHandler
- Throws: javax.servlet.ServletException
setExternalDelegationTokenSecretManager
public void setExternalDelegationTokenSecretManager(AbstractDelegationTokenSecretManager secretManager)
Sets an external DelegationTokenSecretManager instance to manage creation and verification of Delegation Tokens. This is useful for use cases where secrets must be shared across multiple services.
- Parameters: secretManager - a DelegationTokenSecretManager instance
initTokenManager
initJsonFactory
destroy
public void destroy()
- Specified by: destroy in interface org.apache.hadoop.security.authentication.server.AuthenticationHandler
getType
- Specified by: getType in interface org.apache.hadoop.security.authentication.server.AuthenticationHandler
isManagementOperation
protected final boolean isManagementOperation(javax.servlet.http.HttpServletRequest request) throws IOException
This method checks if the given HTTP request corresponds to a management operation.
- Parameters: request - The HTTP request
- Returns: true if the given HTTP request corresponds to a management operation, false otherwise
- Throws: IOException - In case of I/O error.
managementOperation
public boolean managementOperation(org.apache.hadoop.security.authentication.server.AuthenticationToken token, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException, org.apache.hadoop.security.authentication.client.AuthenticationException
- Specified by: managementOperation in interface org.apache.hadoop.security.authentication.server.AuthenticationHandler
- Throws: IOException, org.apache.hadoop.security.authentication.client.AuthenticationException
authenticate
public org.apache.hadoop.security.authentication.server.AuthenticationToken authenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException, org.apache.hadoop.security.authentication.client.AuthenticationException
Authenticates a request looking for the delegation query-string parameter and verifying it is a valid token. If there is no delegation query-string parameter, it delegates the authentication to the KerberosAuthenticationHandler unless it is disabled.
- Specified by: authenticate in interface org.apache.hadoop.security.authentication.server.AuthenticationHandler
- Parameters: request - the HTTP client request. response - the HTTP client response.
- Returns: the authentication token for the authenticated request.
- Throws: IOException - thrown if an IO error occurred. org.apache.hadoop.security.authentication.client.AuthenticationException - thrown if the authentication failed.
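Because authenticate() takes the token from the delegation query-string parameter, the token value is part of the request URL and ends up wherever URLs are recorded (access logs, proxies, audit trails). The following is an added example, not Hadoop code: the class DelegationParamRedactor and its redact method are hypothetical names, and the sample request lines are constructed. It masks the parameter value before a URL is written to a log.

```java
import java.util.regex.Pattern;

/** Added example, not part of Hadoop: masks the delegation token in URLs before logging. */
public final class DelegationParamRedactor {
    // Parameter name taken from the authenticate() description on this page.
    private static final String PARAM = "delegation";

    // Matches "delegation=<value>" at the start of a bare query string or after
    // '?', '&' or ';'. The name is matched literally and case-sensitively, so
    // parameters such as "mydelegation" are left alone; a percent-encoded
    // spelling of the name is not covered by this pattern.
    private static final Pattern TOKEN =
        Pattern.compile("(^|[?&;])(" + Pattern.quote(PARAM) + ")=([^&;#\\s]*)");

    private DelegationParamRedactor() {}

    /** Returns the URL (or bare query string) with every token value replaced. */
    public static String redact(String urlOrQuery) {
        if (urlOrQuery == null) {
            return null;
        }
        // Keep the separator and the parameter name, drop only the value.
        return TOKEN.matcher(urlOrQuery).replaceAll("$1$2=REDACTED");
    }

    public static void main(String[] args) {
        // Constructed sample request lines; the token values are placeholders.
        String[] samples = {
            "/webhdfs/v1/tmp/f?op=OPEN&delegation=PLACEHOLDER_TOKEN_A",
            "/kms/v1/keys?delegation=PLACEHOLDER_TOKEN_B&user.name=alice",
            "/app?mydelegation=keep&delegation=PLACEHOLDER_TOKEN_C#frag",
            "delegation=PLACEHOLDER_TOKEN_D;op=LISTSTATUS",
            "/app?op=LISTSTATUS"
        };
        for (String s : samples) {
            System.out.println(redact(s));
        }
    }
}
```

Apply the redaction at every point where the request URL is serialized, including reverse-proxy and load-balancer logs in front of the service, not only in the application's own logger.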