Package org.apache.hadoop.hbase.security.token

Class AuthenticationTokenSecretManager

java.lang.Object

org.apache.hadoop.security.token.SecretManager<AuthenticationTokenIdentifier>

org.apache.hadoop.hbase.security.token.AuthenticationTokenSecretManager

@Private
public class AuthenticationTokenSecretManager
extends org.apache.hadoop.security.token.SecretManager<AuthenticationTokenIdentifier>

Manages an internal list of secret keys used to sign new authentication tokens as they are generated, and to valid existing tokens used for authentication.

A single instance of AuthenticationTokenSecretManager will be running as the "leader" in a given HBase cluster. The leader is responsible for periodically generating new secret keys, which are then distributed to followers via ZooKeeper, and for expiring previously used secret keys that are no longer needed (as any tokens using them have expired).

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
private class	AuthenticationTokenSecretManager.LeaderElector

Nested classes/interfaces inherited from class org.apache.hadoop.security.token.SecretManager

org.apache.hadoop.security.token.SecretManager.InvalidToken

Field Summary

Fields

Modifier and Type	Field	Description
private Map<Integer,AuthenticationKey>	allKeys
private ZKClusterId	clusterId
private AuthenticationKey	currentKey
private int	idSeq
private long	keyUpdateInterval
private long	lastKeyUpdate
private AuthenticationTokenSecretManager.LeaderElector	leaderElector
private static final org.slf4j.Logger	LOG
private String	name
(package private) static final String	NAME_PREFIX
private long	tokenMaxLifetime
private AtomicLong	tokenSeq
private ZKSecretWatcher	zkWatcher

Constructor Summary

Constructors

Constructor	Description
AuthenticationTokenSecretManager(org.apache.hadoop.conf.Configuration conf, ZKWatcher zk, String serverName, long keyUpdateInterval, long tokenMaxLifetime)	Create a new secret manager instance for generating keys.

Method Summary

Modifier and Type	Method	Description
void	addKey(AuthenticationKey key)
AuthenticationTokenIdentifier	createIdentifier()
protected byte[]	createPassword(AuthenticationTokenIdentifier identifier)
static SecretKey	createSecretKey(byte[] raw)
org.apache.hadoop.security.token.Token<AuthenticationTokenIdentifier>	generateToken(String username)
(package private) AuthenticationKey	getCurrentKey()
(package private) AuthenticationKey	getKey(int keyId)
(package private) long	getLastKeyUpdate()
String	getName()
(package private) boolean	isCurrentKeyRolled()
boolean	isMaster()
(package private) void	removeExpiredKeys()
(package private) boolean	removeKey(Integer keyId)
byte[]	retrievePassword(AuthenticationTokenIdentifier identifier)
(package private) void	rollCurrentKey()
void	start()
void	stop()

Methods inherited from class org.apache.hadoop.security.token.SecretManager

checkAvailableForRead, createPassword, generateSecret, retriableRetrievePassword

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

NAME_PREFIX

static final String NAME_PREFIX

See Also:

• Constant Field Values

LOG

private static final org.slf4j.Logger LOG

lastKeyUpdate

private long lastKeyUpdate

keyUpdateInterval

private long keyUpdateInterval

tokenMaxLifetime

private long tokenMaxLifetime

zkWatcher

private ZKSecretWatcher zkWatcher

leaderElector

private AuthenticationTokenSecretManager.LeaderElector leaderElector

clusterId

private ZKClusterId clusterId

allKeys

private Map<Integer,AuthenticationKey> allKeys

currentKey

private AuthenticationKey currentKey

idSeq

private int idSeq

tokenSeq

private AtomicLong tokenSeq

name

private String name

Constructor Details

AuthenticationTokenSecretManager

public AuthenticationTokenSecretManager(org.apache.hadoop.conf.Configuration conf,
 ZKWatcher zk,
 String serverName,
 long keyUpdateInterval,
 long tokenMaxLifetime)

Create a new secret manager instance for generating keys.

Parameters:

conf - Configuration to use

zk - Connection to zookeeper for handling leader elections

keyUpdateInterval - Time (in milliseconds) between rolling a new master key for token signing

tokenMaxLifetime - Maximum age (in milliseconds) before a token expires and is no longer valid

Method Details

start

public void start()

stop

public void stop()

isMaster

public boolean isMaster()

getName

public String getName()

createPassword

protected byte[] createPassword(AuthenticationTokenIdentifier identifier)

Specified by:

createPassword in class org.apache.hadoop.security.token.SecretManager<AuthenticationTokenIdentifier>

retrievePassword

public byte[] retrievePassword(AuthenticationTokenIdentifier identifier)
                        throws org.apache.hadoop.security.token.SecretManager.InvalidToken

Specified by:

retrievePassword in class org.apache.hadoop.security.token.SecretManager<AuthenticationTokenIdentifier>

Throws:

org.apache.hadoop.security.token.SecretManager.InvalidToken

createIdentifier

public AuthenticationTokenIdentifier createIdentifier()

Specified by:

createIdentifier in class org.apache.hadoop.security.token.SecretManager<AuthenticationTokenIdentifier>

generateToken

public org.apache.hadoop.security.token.Token<AuthenticationTokenIdentifier> generateToken(String username)

addKey

public void addKey(AuthenticationKey key)
            throws IOException

Throws:

IOException

removeKey

boolean removeKey(Integer keyId)

getCurrentKey

AuthenticationKey getCurrentKey()

getKey

AuthenticationKey getKey(int keyId)

removeExpiredKeys

void removeExpiredKeys()

isCurrentKeyRolled

boolean isCurrentKeyRolled()

rollCurrentKey

void rollCurrentKey()

getLastKeyUpdate

long getLastKeyUpdate()

createSecretKey

public static SecretKey createSecretKey(byte[] raw)