Class AuthenticationTokenSecretManager

java.lang.Object
  org.apache.hadoop.security.token.SecretManager<AuthenticationTokenIdentifier>
    org.apache.hadoop.hbase.security.token.AuthenticationTokenSecretManager

@Private
public class AuthenticationTokenSecretManager
extends org.apache.hadoop.security.token.SecretManager<AuthenticationTokenIdentifier>

Manages an internal list of secret keys used to sign new authentication tokens as they are generated, and to validate existing tokens used for authentication.

A single instance of AuthenticationTokenSecretManager will be running as the "leader" in a given HBase cluster. The leader is responsible for periodically generating new secret keys, which are then distributed to followers via ZooKeeper, and for expiring previously used secret keys that are no longer needed (as any tokens using them have expired).
Nested Class Summary

Nested classes/interfaces inherited from class org.apache.hadoop.security.token.SecretManager:
  org.apache.hadoop.security.token.SecretManager.InvalidToken
Field Summary

Modifier and Type                          Field
private Map<Integer,AuthenticationKey>     allKeys
private ZKClusterId                        clusterId
private AuthenticationKey                  currentKey
private int                                idSeq
private long                               keyUpdateInterval
private long                               lastKeyUpdate
private static final org.slf4j.Logger      LOG
private String                             name
(package private) static final String      NAME_PREFIX
private long                               tokenMaxLifetime
private AtomicLong                         tokenSeq
private ZKSecretWatcher                    zkWatcher
Constructor Summary

Constructor
AuthenticationTokenSecretManager(org.apache.hadoop.conf.Configuration conf, ZKWatcher zk, String serverName, long keyUpdateInterval, long tokenMaxLifetime)
  Create a new secret manager instance for generating keys.
Method Summary

Modifier and Type                                                         Method
void                                                                      addKey(AuthenticationKey key)
protected byte[]                                                          createPassword(AuthenticationTokenIdentifier identifier)
static SecretKey                                                          createSecretKey(byte[] raw)
org.apache.hadoop.security.token.Token<AuthenticationTokenIdentifier>     generateToken(String username)
(package private) AuthenticationKey                                       getCurrentKey
(package private) AuthenticationKey                                       getKey(int keyId)
(package private) long                                                    getLastKeyUpdate()
String                                                                    getName()
(package private) boolean                                                 isCurrentKeyRolled()
boolean                                                                   isMaster()
(package private) void                                                    removeExpiredKeys()
(package private) boolean                                                 removeKey
byte[]                                                                    retrievePassword(AuthenticationTokenIdentifier identifier)
(package private) void                                                    rollCurrentKey()
void                                                                      start()
void                                                                      stop()

Methods inherited from class org.apache.hadoop.security.token.SecretManager:
  checkAvailableForRead, createPassword, generateSecret, retriableRetrievePassword
Field Details

NAME_PREFIX

LOG

lastKeyUpdate

keyUpdateInterval

tokenMaxLifetime

zkWatcher

leaderElector

clusterId

allKeys

currentKey

idSeq

tokenSeq

name
Constructor Details

AuthenticationTokenSecretManager
public AuthenticationTokenSecretManager(org.apache.hadoop.conf.Configuration conf, ZKWatcher zk, String serverName, long keyUpdateInterval, long tokenMaxLifetime)
  Create a new secret manager instance for generating keys.
  Parameters:
    conf - Configuration to use
    zk - Connection to ZooKeeper for handling leader elections
    keyUpdateInterval - Time (in milliseconds) between rolling a new master key for token signing
    tokenMaxLifetime - Maximum age (in milliseconds) before a token expires and is no longer valid
Method Details

start

stop

isMaster

getName

createPassword
  Specified by: createPassword in class org.apache.hadoop.security.token.SecretManager<AuthenticationTokenIdentifier>

retrievePassword
public byte[] retrievePassword(AuthenticationTokenIdentifier identifier) throws org.apache.hadoop.security.token.SecretManager.InvalidToken
  Specified by: retrievePassword in class org.apache.hadoop.security.token.SecretManager<AuthenticationTokenIdentifier>
  Throws: org.apache.hadoop.security.token.SecretManager.InvalidToken

createIdentifier
  Specified by: createIdentifier in class org.apache.hadoop.security.token.SecretManager<AuthenticationTokenIdentifier>

generateToken
public org.apache.hadoop.security.token.Token<AuthenticationTokenIdentifier> generateToken(String username)

addKey
  Throws: IOException

removeKey

getCurrentKey

getKey

removeExpiredKeys
void removeExpiredKeys()

isCurrentKeyRolled
boolean isCurrentKeyRolled()

rollCurrentKey
void rollCurrentKey()

getLastKeyUpdate
long getLastKeyUpdate()

createSecretKey