Class DelegationTokenSecretManager

java.lang.Object
org.apache.hadoop.security.token.SecretManager<TokenIdent>
org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier>
org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenSecretManager

@Private public class DelegationTokenSecretManager extends org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier>
An HDFS-specific delegation token secret manager. The secret manager is responsible for generating and accepting the password for each token.
  • Nested Class Summary

    Nested Classes
    Modifier and Type
    Class
    Description
    static class
    DelegationTokenSecretManager.SecretManagerState
     

    Nested classes/interfaces inherited from class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager

    org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager.DelegationTokenInformation

    Nested classes/interfaces inherited from class org.apache.hadoop.security.token.SecretManager

    org.apache.hadoop.security.token.SecretManager.InvalidToken
  • Field Summary

    Fields inherited from class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager

    allKeys, currentId, currentTokens, delegationTokenSequenceNumber, noInterruptsLock, running, storeTokenTrackingId, tokenOwnerStats
  • Constructor Summary

    Constructors
    Constructor
    Description
    DelegationTokenSecretManager(long delegationKeyUpdateInterval, long delegationTokenMaxLifetime, long delegationTokenRenewInterval, long delegationTokenRemoverScanInterval, boolean storeTokenTrackingId, FSNamesystem namesystem)
    Create a secret manager
    DelegationTokenSecretManager(long delegationKeyUpdateInterval, long delegationTokenMaxLifetime, long delegationTokenRenewInterval, long delegationTokenRemoverScanInterval, FSNamesystem namesystem)
     
  • Method Summary

    Modifier and Type
    Method
    Description
    void
    addPersistedDelegationToken(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier identifier, long expiryTime)
    This method is intended to be used only while reading edit logs.
    static org.apache.hadoop.security.Credentials
    createCredentials(NameNode namenode, org.apache.hadoop.security.UserGroupInformation ugi, String renewer)
    A utility method for creating credentials.
    org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier
    createIdentifier()
     
    int
    getNumberOfKeys()
    Returns the number of delegation keys currently stored.
    long
    getTokenExpiryTime(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier dtId)
    Returns expiry time of a token given its identifier.
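    void
    loadSecretManagerState(DelegationTokenSecretManager.SecretManagerState state, StartupProgress.Counter counter)
     
    void
    loadSecretManagerStateCompat(DataInput in)
    Load SecretManager state from fsimage.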
    protected void
    logExpireToken(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier dtId)
     
    protected void
    logUpdateMasterKey(org.apache.hadoop.security.token.delegation.DelegationKey key)
    Call namesystem to update editlogs for new master key.
    byte[]
    retriableRetrievePassword(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier identifier)
     
    byte[]
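    retrievePassword(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier identifier)
     
    DelegationTokenSecretManager.SecretManagerState
    saveSecretManagerState()
     
    void
    saveSecretManagerStateCompat(DataOutputStream out, String sdPath)
    Store the current state of the SecretManager for persistence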
    void
    updatePersistedMasterKey(org.apache.hadoop.security.token.delegation.DelegationKey key)
    Add a MasterKey to the list of keys.
    void
    updatePersistedTokenCancellation(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier identifier)
    Update the token cache with the cancel record in edit logs
    void
    updatePersistedTokenRenewal(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier identifier, long expiryTime)
    Update the token cache with renewal record in edit logs.

    Methods inherited from class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager

    addKey, addTokenForOwnerStats, cancelToken, checkToken, createPassword, createSecretKey, decodeTokenIdentifier, getAllKeys, getCandidateTokensForCleanup, getCurrentKeyId, getCurrentTokensSize, getDelegationKey, getDelegationTokenSeqNum, getMetrics, getTokenInfo, getTokenRenewInterval, getTokenTrackingId, getTopTokenRealOwners, getTrackingIdIfEnabled, incrementCurrentKeyId, incrementDelegationTokenSeqNum, isRunning, logExpireTokens, removeExpiredStoredToken, removeStoredMasterKey, removeStoredToken, renewToken, reset, rollMasterKey, setCurrentKeyId, setDelegationTokenSeqNum, startThreads, stopThreads, storeDelegationKey, storeNewMasterKey, storeNewToken, storeToken, syncTokenOwnerStats, updateDelegationKey, updateStoredToken, updateToken, verifyToken

    Methods inherited from class org.apache.hadoop.security.token.SecretManager

    checkAvailableForRead, createPassword, generateSecret, update, validateSecretKeyLength

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • DelegationTokenSecretManager

      public DelegationTokenSecretManager(long delegationKeyUpdateInterval, long delegationTokenMaxLifetime, long delegationTokenRenewInterval, long delegationTokenRemoverScanInterval, FSNamesystem namesystem)
    • DelegationTokenSecretManager

      public DelegationTokenSecretManager(long delegationKeyUpdateInterval, long delegationTokenMaxLifetime, long delegationTokenRenewInterval, long delegationTokenRemoverScanInterval, boolean storeTokenTrackingId, FSNamesystem namesystem)
      Create a secret manager
      Parameters:
      delegationKeyUpdateInterval - the number of milliseconds for rolling new secret keys.
      delegationTokenMaxLifetime - the maximum lifetime of the delegation tokens in milliseconds
      delegationTokenRenewInterval - how often the tokens must be renewed in milliseconds
      delegationTokenRemoverScanInterval - how often the tokens are scanned for expired tokens in milliseconds
      storeTokenTrackingId - whether to store the token's tracking id
  • Method Details

    • createIdentifier

      public org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier createIdentifier()
      Specified by:
      createIdentifier in class org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier>
    • retrievePassword

      public byte[] retrievePassword(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier identifier) throws org.apache.hadoop.security.token.SecretManager.InvalidToken
      Overrides:
      retrievePassword in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier>
      Throws:
      org.apache.hadoop.security.token.SecretManager.InvalidToken
    • retriableRetrievePassword

      public byte[] retriableRetrievePassword(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier identifier) throws org.apache.hadoop.security.token.SecretManager.InvalidToken, org.apache.hadoop.ipc.StandbyException, org.apache.hadoop.ipc.RetriableException, IOException
      Overrides:
      retriableRetrievePassword in class org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier>
      Throws:
      org.apache.hadoop.security.token.SecretManager.InvalidToken
      org.apache.hadoop.ipc.StandbyException
      org.apache.hadoop.ipc.RetriableException
      IOException
    • getTokenExpiryTime

      public long getTokenExpiryTime(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier dtId) throws IOException
      Returns expiry time of a token given its identifier.
      Parameters:
      dtId - DelegationTokenIdentifier of a token
      Returns:
      Expiry time of the token
      Throws:
      IOException
    • loadSecretManagerStateCompat

      public void loadSecretManagerStateCompat(DataInput in) throws IOException
      Load SecretManager state from fsimage.
      Parameters:
      in - input stream to read fsimage
      Throws:
      IOException
    • loadSecretManagerState

      public void loadSecretManagerState(DelegationTokenSecretManager.SecretManagerState state, StartupProgress.Counter counter) throws IOException
      Throws:
      IOException
    • saveSecretManagerStateCompat

      public void saveSecretManagerStateCompat(DataOutputStream out, String sdPath) throws IOException
      Store the current state of the SecretManager for persistence
      Parameters:
      out - Output stream for writing into fsimage.
      sdPath - String storage directory path
      Throws:
      IOException
    • saveSecretManagerState

      public DelegationTokenSecretManager.SecretManagerState saveSecretManagerState()
    • addPersistedDelegationToken

      public void addPersistedDelegationToken(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier identifier, long expiryTime) throws IOException
      This method is intended to be used only while reading edit logs.
      Overrides:
      addPersistedDelegationToken in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier>
      Parameters:
      identifier - DelegationTokenIdentifier read from the edit logs or fsimage
      expiryTime - token expiry time
      Throws:
      IOException
    • updatePersistedMasterKey

      public void updatePersistedMasterKey(org.apache.hadoop.security.token.delegation.DelegationKey key) throws IOException
      Add a MasterKey to the list of keys.
      Parameters:
      key - DelegationKey
      Throws:
      IOException
    • updatePersistedTokenRenewal

      public void updatePersistedTokenRenewal(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier identifier, long expiryTime) throws IOException
      Update the token cache with renewal record in edit logs.
      Parameters:
      identifier - DelegationTokenIdentifier of the renewed token
      expiryTime - expiry time in milliseconds
      Throws:
      IOException
    • updatePersistedTokenCancellation

      public void updatePersistedTokenCancellation(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier identifier) throws IOException
      Update the token cache with the cancel record in edit logs
      Parameters:
      identifier - DelegationTokenIdentifier of the canceled token
      Throws:
      IOException
    • getNumberOfKeys

      public int getNumberOfKeys()
      Returns the number of delegation keys currently stored.
      Returns:
      number of delegation keys
    • logUpdateMasterKey

      protected void logUpdateMasterKey(org.apache.hadoop.security.token.delegation.DelegationKey key) throws IOException
      Call namesystem to update editlogs for new master key.
      Overrides:
      logUpdateMasterKey in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier>
      Throws:
      IOException
    • logExpireToken

      protected void logExpireToken(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier dtId) throws IOException
      Overrides:
      logExpireToken in class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier>
      Throws:
      IOException
    • createCredentials

      public static org.apache.hadoop.security.Credentials createCredentials(NameNode namenode, org.apache.hadoop.security.UserGroupInformation ugi, String renewer) throws IOException
      A utility method for creating credentials.
      Throws:
      IOException