/// <summary>
/// This method is intended to be used for recovering persisted delegation
/// tokens
/// This method must be called before this secret manager is activated (before
/// startThreads() is called)
/// </summary>
/// <param name="identifier">identifier read from persistent storage</param>
/// <param name="renewDate">token renew time</param>
/// <exception cref="System.IO.IOException"/>
public virtual void AddPersistedDelegationToken(TokenIdent identifier, long renewDate
)
{
lock (this)
{
if (running)
{
// a safety check
throw new IOException("Can't add persisted delegation token to a running SecretManager."
);
}
int keyId = identifier.GetMasterKeyId();
DelegationKey dKey = allKeys[keyId];
if (dKey == null)
{
Log.Warn("No KEY found for persisted identifier " + identifier.ToString());
return;
}
byte[] password = CreatePassword(identifier.GetBytes(), dKey.GetKey());
if (identifier.GetSequenceNumber() > GetDelegationTokenSeqNum())
{
SetDelegationTokenSeqNum(identifier.GetSequenceNumber());
}
if (GetTokenInfo(identifier) == null)
{
currentTokens[identifier] = new AbstractDelegationTokenSecretManager.DelegationTokenInformation
(renewDate, password, GetTrackingIdIfEnabled(identifier));
}
else
{
throw new IOException("Same delegation token being added twice.");
}
}
}
protected internal override void RemoveStoredMasterKey(DelegationKey key)
{
string nodeRemovePath = GetNodePath(ZkDtsmMasterKeyRoot, DelegationKeyPrefix + key
.GetKeyId());
if (Log.IsDebugEnabled())
{
Log.Debug("Removing ZKDTSMDelegationKey_" + key.GetKeyId());
}
try
{
if (zkClient.CheckExists().ForPath(nodeRemovePath) != null)
{
while (zkClient.CheckExists().ForPath(nodeRemovePath) != null)
{
zkClient.Delete().Guaranteed().ForPath(nodeRemovePath);
}
}
else
{
Log.Debug("Attempted to delete a non-existing znode " + nodeRemovePath);
}
}
catch (Exception)
{
Log.Debug(nodeRemovePath + " znode could not be removed!!");
}
}
/// <exception cref="System.IO.IOException"/>
private DelegationKey GetKeyFromZK(int keyId)
{
string nodePath = GetNodePath(ZkDtsmMasterKeyRoot, DelegationKeyPrefix + keyId);
try
{
byte[] data = zkClient.GetData().ForPath(nodePath);
if ((data == null) || (data.Length == 0))
{
return(null);
}
ByteArrayInputStream bin = new ByteArrayInputStream(data);
DataInputStream din = new DataInputStream(bin);
DelegationKey key = new DelegationKey();
key.ReadFields(din);
return(key);
}
catch (KeeperException.NoNodeException)
{
Log.Error("No node in path [" + nodePath + "]");
}
catch (Exception ex)
{
throw new IOException(ex);
}
return(null);
}
public virtual void TestDelegationKeyEqualAndHash()
{
DelegationKey key1 = new DelegationKey(1111, 2222, Runtime.GetBytesForString
("keyBytes"));
DelegationKey key2 = new DelegationKey(1111, 2222, Runtime.GetBytesForString
("keyBytes"));
DelegationKey key3 = new DelegationKey(3333, 2222, Runtime.GetBytesForString
("keyBytes"));
Assert.Equal(key1, key2);
NUnit.Framework.Assert.IsFalse(key2.Equals(key3));
}
/// <exception cref="System.IO.IOException"/>
private void ProcessKeyAddOrUpdate(byte[] data)
{
ByteArrayInputStream bin = new ByteArrayInputStream(data);
DataInputStream din = new DataInputStream(bin);
DelegationKey key = new DelegationKey();
key.ReadFields(din);
lock (this)
{
allKeys[key.GetKeyId()] = key;
}
}
/// <summary>Renew a delegation token.</summary>
/// <param name="token">the token to renew</param>
/// <param name="renewer">the full principal name of the user doing the renewal</param>
/// <returns>the new expiration time</returns>
/// <exception cref="Org.Apache.Hadoop.Security.Token.SecretManager.InvalidToken">if the token is invalid
/// </exception>
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">if the user can't renew token
/// </exception>
/// <exception cref="System.IO.IOException"/>
public virtual long RenewToken(Org.Apache.Hadoop.Security.Token.Token <TokenIdent>
token, string renewer)
{
lock (this)
{
ByteArrayInputStream buf = new ByteArrayInputStream(token.GetIdentifier());
DataInputStream @in = new DataInputStream(buf);
TokenIdent id = CreateIdentifier();
id.ReadFields(@in);
Log.Info("Token renewal for identifier: " + id + "; total currentTokens " + currentTokens
.Count);
long now = Time.Now();
if (id.GetMaxDate() < now)
{
throw new SecretManager.InvalidToken(renewer + " tried to renew an expired token"
);
}
if ((id.GetRenewer() == null) || (id.GetRenewer().ToString().IsEmpty()))
{
throw new AccessControlException(renewer + " tried to renew a token without a renewer"
);
}
if (!id.GetRenewer().ToString().Equals(renewer))
{
throw new AccessControlException(renewer + " tries to renew a token with renewer "
+ id.GetRenewer());
}
DelegationKey key = GetDelegationKey(id.GetMasterKeyId());
if (key == null)
{
throw new SecretManager.InvalidToken("Unable to find master key for keyId=" + id.
GetMasterKeyId() + " from cache. Failed to renew an unexpired token" + " with sequenceNumber="
+ id.GetSequenceNumber());
}
byte[] password = CreatePassword(token.GetIdentifier(), key.GetKey());
if (!Arrays.Equals(password, token.GetPassword()))
{
throw new AccessControlException(renewer + " is trying to renew a token with wrong password"
);
}
long renewTime = Math.Min(id.GetMaxDate(), now + tokenRenewInterval);
string trackingId = GetTrackingIdIfEnabled(id);
AbstractDelegationTokenSecretManager.DelegationTokenInformation info = new AbstractDelegationTokenSecretManager.DelegationTokenInformation
(renewTime, password, trackingId);
if (GetTokenInfo(id) == null)
{
throw new SecretManager.InvalidToken("Renewal request for unknown token");
}
UpdateToken(id, info);
return(renewTime);
}
}
/// <summary>
/// Add a previously used master key to cache (when NN restarts),
/// should be called before activate().
/// </summary>
/// <exception cref="System.IO.IOException"/>
public virtual void AddKey(DelegationKey key)
{
lock (this)
{
if (running)
{
// a safety check
throw new IOException("Can't add delegation key to a running SecretManager.");
}
if (key.GetKeyId() > GetCurrentKeyId())
{
SetCurrentKeyId(key.GetKeyId());
}
allKeys[key.GetKeyId()] = key;
}
}
/// <exception cref="System.IO.IOException"/>
private void AddOrUpdateDelegationKey(DelegationKey key, bool isUpdate)
{
string nodeCreatePath = GetNodePath(ZkDtsmMasterKeyRoot, DelegationKeyPrefix + key
.GetKeyId());
ByteArrayOutputStream os = new ByteArrayOutputStream();
DataOutputStream fsOut = new DataOutputStream(os);
if (Log.IsDebugEnabled())
{
Log.Debug("Storing ZKDTSMDelegationKey_" + key.GetKeyId());
}
key.Write(fsOut);
try
{
if (zkClient.CheckExists().ForPath(nodeCreatePath) != null)
{
zkClient.SetData().ForPath(nodeCreatePath, os.ToByteArray()).SetVersion(-1);
if (!isUpdate)
{
Log.Debug("Key with path [" + nodeCreatePath + "] already exists.. Updating !!");
}
}
else
{
zkClient.Create().WithMode(CreateMode.Persistent).ForPath(nodeCreatePath, os.ToByteArray
());
if (isUpdate)
{
Log.Debug("Updating non existent Key path [" + nodeCreatePath + "].. Adding new !!"
);
}
}
}
catch (KeeperException.NodeExistsException)
{
Log.Debug(nodeCreatePath + " znode already exists !!");
}
catch (Exception ex)
{
throw new IOException(ex);
}
finally
{
os.Close();
}
}
public virtual void TestParallelDelegationTokenCreation()
{
TestDelegationToken.TestDelegationTokenSecretManager dtSecretManager = new TestDelegationToken.TestDelegationTokenSecretManager
(2000, 24 * 60 * 60 * 1000, 7 * 24 * 60 * 60 * 1000, 2000);
try
{
dtSecretManager.StartThreads();
int numThreads = 100;
int numTokensPerThread = 100;
Thread[] issuers = new Thread[numThreads];
for (int i = 0; i < numThreads; i++)
{
issuers[i] = new Daemon(new _T1720540651(this));
issuers[i].Start();
}
for (int i_1 = 0; i_1 < numThreads; i_1++)
{
issuers[i_1].Join();
}
IDictionary <TestDelegationToken.TestDelegationTokenIdentifier, AbstractDelegationTokenSecretManager.DelegationTokenInformation
> tokenCache = dtSecretManager.GetAllTokens();
Assert.Equal(numTokensPerThread * numThreads, tokenCache.Count
);
IEnumerator <TestDelegationToken.TestDelegationTokenIdentifier> iter = tokenCache.
Keys.GetEnumerator();
while (iter.HasNext())
{
TestDelegationToken.TestDelegationTokenIdentifier id = iter.Next();
AbstractDelegationTokenSecretManager.DelegationTokenInformation info = tokenCache
[id];
Assert.True(info != null);
DelegationKey key = dtSecretManager.GetKey(id);
Assert.True(key != null);
byte[] storedPassword = dtSecretManager.RetrievePassword(id);
byte[] password = dtSecretManager.CreatePassword(id, key);
Assert.True(Arrays.Equals(password, storedPassword));
//verify by secret manager api
dtSecretManager.VerifyToken(id, password);
}
}
finally
{
dtSecretManager.StopThreads();
}
}
/// <summary>
/// Update the current master key
/// This is called once by startThreads before tokenRemoverThread is created,
/// and only by tokenRemoverThread afterwards.
/// </summary>
/// <exception cref="System.IO.IOException"/>
private void UpdateCurrentKey()
{
Log.Info("Updating the current master key for generating delegation tokens");
/* Create a new currentKey with an estimated expiry date. */
int newCurrentId;
lock (this)
{
newCurrentId = IncrementCurrentKeyId();
}
DelegationKey newKey = new DelegationKey(newCurrentId, Runtime.CurrentTimeMillis(
) + keyUpdateInterval + tokenMaxLifetime, GenerateSecret());
//Log must be invoked outside the lock on 'this'
LogUpdateMasterKey(newKey);
lock (this)
{
currentKey = newKey;
StoreDelegationKey(currentKey);
}
}
protected internal override DelegationKey GetDelegationKey(int keyId)
{
// First check if its I already have this key
DelegationKey key = allKeys[keyId];
// Then query ZK
if (key == null)
{
try
{
key = GetKeyFromZK(keyId);
if (key != null)
{
allKeys[keyId] = key;
}
}
catch (IOException e)
{
Log.Error("Error retrieving key [" + keyId + "] from ZK", e);
}
}
return(key);
}
// RM
/// <exception cref="System.IO.IOException"/>
protected internal virtual void StoreNewMasterKey(DelegationKey key)
{
return;
}
public virtual byte[] CreatePassword(TestDelegationToken.TestDelegationTokenIdentifier
t, DelegationKey key)
{
return(SecretManager.CreatePassword(t.GetBytes(), key.GetKey()));
}
/// <exception cref="System.IO.IOException"/>
protected internal override void StoreDelegationKey(DelegationKey key)
{
AddOrUpdateDelegationKey(key, false);
}
/// <summary>
/// For subclasses externalizing the storage, for example Zookeeper
/// based implementations
/// </summary>
/// <exception cref="System.IO.IOException"/>
protected internal virtual void UpdateDelegationKey(DelegationKey key)
{
allKeys[key.GetKeyId()] = key;
}
/// <summary>
/// For subclasses externalizing the storage, for example Zookeeper
/// based implementations
/// </summary>
/// <exception cref="System.IO.IOException"/>
protected internal virtual void StoreDelegationKey(DelegationKey key)
{
allKeys[key.GetKeyId()] = key;
StoreNewMasterKey(key);
}
/// <exception cref="System.IO.IOException"/>
protected internal override void StoreNewMasterKey(DelegationKey key)
{
isStoreNewMasterKeyCalled = true;
base.StoreNewMasterKey(key);
}
// HDFS
/// <exception cref="System.IO.IOException"/>
protected internal virtual void LogUpdateMasterKey(DelegationKey key)
{
return;
}
/// <exception cref="System.IO.IOException"/>
protected internal override void UpdateDelegationKey(DelegationKey key)
{
AddOrUpdateDelegationKey(key, true);
}
protected internal override void RemoveStoredMasterKey(DelegationKey key)
{
isRemoveStoredMasterKeyCalled = true;
NUnit.Framework.Assert.IsFalse(key.Equals(allKeys[currentId]));
}
// RM
protected internal virtual void RemoveStoredMasterKey(DelegationKey key)
{
return;
}
