com.google.cloud.hadoop.fs.gcs.auth

Class AbstractDelegationTokenBinding

java.lang.Object

org.apache.hadoop.service.AbstractService

com.google.cloud.hadoop.fs.gcs.auth.AbstractDelegationTokenBinding

All Implemented Interfaces:

Closeable, AutoCloseable, org.apache.hadoop.service.Service

public abstract class AbstractDelegationTokenBinding
extends org.apache.hadoop.service.AbstractService

Binds file system with service and access token provider

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
protected class	AbstractDelegationTokenBinding.TokenSecretManager The secret manager always uses the same secret; the factory for new identifiers is that of the token manager.

Nested classes/interfaces inherited from interface org.apache.hadoop.service.Service

org.apache.hadoop.service.Service.STATE

Field Summary

Fields

Modifier and Type	Field and Description
protected org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier>	secretManager

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	AbstractDelegationTokenBinding(String name, org.apache.hadoop.io.Text kind)
protected	AbstractDelegationTokenBinding(org.apache.hadoop.io.Text kind)

Method Summary

Modifier and Type	Method and Description
void	bindToFileSystem(GoogleHadoopFileSystemBase fs, org.apache.hadoop.io.Text service) Bind to the filesystem.
abstract AccessTokenProvider	bindToTokenIdentifier(org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier retrievedIdentifier) Bind to the token identifier, returning the credential providers to use for the owner to talk to GCP services.
protected <T extends org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> T	convertTokenIdentifier(org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier identifier, Class<T> expectedClass) Verify that a token identifier is of a specific class.
org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier>	createDelegationToken(String renewer) Create a delegation token for the user.
abstract org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier	createEmptyIdentifier() Create a new "empty" token identifier.
abstract org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier	createTokenIdentifier() Create a token identifier with all the information needed to be included in a delegation token.
abstract org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier	createTokenIdentifier(org.apache.hadoop.io.Text renewer) Create a token identifier with all the information needed to be included in a delegation token.
abstract AccessTokenProvider	deployUnbonded() Perform any actions when deploying unbonded, and return a list of credential providers.
GoogleHadoopFileSystemBase	getFileSystem() Returns the bound file system
org.apache.hadoop.io.Text	getKind()
org.apache.hadoop.io.Text	getService()

Methods inherited from class org.apache.hadoop.service.AbstractService

close, getBlockers, getConfig, getFailureCause, getFailureState, getLifecycleHistory, getName, getServiceState, getStartTime, init, isInState, noteFailure, putBlocker, registerGlobalListener, registerServiceListener, removeBlocker, serviceInit, serviceStart, serviceStop, setConfig, start, stop, toString, unregisterGlobalListener, unregisterServiceListener, waitForServiceToStop

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

secretManager

protected org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> secretManager

Constructor Detail

AbstractDelegationTokenBinding

protected AbstractDelegationTokenBinding(org.apache.hadoop.io.Text kind)

AbstractDelegationTokenBinding

protected AbstractDelegationTokenBinding(String name,
                                         org.apache.hadoop.io.Text kind)

Method Detail

getKind

public org.apache.hadoop.io.Text getKind()

getFileSystem

public GoogleHadoopFileSystemBase getFileSystem()

Returns the bound file system

getService

public org.apache.hadoop.io.Text getService()

deployUnbonded

public abstract AccessTokenProvider deployUnbonded()
                                            throws IOException

Perform any actions when deploying unbonded, and return a list of credential providers.

Throws:

IOException - any failure.

bindToTokenIdentifier

public abstract AccessTokenProvider bindToTokenIdentifier(org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier retrievedIdentifier)
                                                   throws IOException

Bind to the token identifier, returning the credential providers to use for the owner to talk to GCP services.

Parameters:

retrievedIdentifier - the unmarshalled data

Returns:

non-empty list of GCP credential providers to use for authenticating this client with GCP services.

Throws:

IOException - any failure.

bindToFileSystem

public void bindToFileSystem(GoogleHadoopFileSystemBase fs,
                             org.apache.hadoop.io.Text service)

Bind to the filesystem. Subclasses can use this to perform their own binding operations - but they must always call their superclass implementation. This Must be called before calling init().

Important: This binding will happen during FileSystem.initialize(); the FS is not live for actual use and will not yet have interacted with GCS services.

Parameters:

fs - owning FS.

service - name of the service (i.e. bucket name) for the FS.

createDelegationToken

public org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> createDelegationToken(String renewer)
                                                                                                                                        throws IOException

Create a delegation token for the user. This will only be called if a new DT is needed, that is: the filesystem has been deployed unbound.

Returns:

the token

Throws:

IOException - if one cannot be created

createTokenIdentifier

public abstract org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier createTokenIdentifier(org.apache.hadoop.io.Text renewer)
                                                                                                         throws IOException

Create a token identifier with all the information needed to be included in a delegation token. This is where session credentials need to be extracted, etc. This will only be called if a new DT is needed, that is: the filesystem has been deployed unbound.

If createDelegationToken(java.lang.String) is overridden, this method can be replaced with a stub.

Returns:

the token data to include in the token identifier.

Throws:

IOException - failure creating the token data.

createTokenIdentifier

public abstract org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier createTokenIdentifier()
                                                                                                         throws IOException

Create a token identifier with all the information needed to be included in a delegation token. This is where session credentials need to be extracted, etc. This will only be called if a new DT is needed, that is: the filesystem has been deployed unbound.

If createDelegationToken(java.lang.String) is overridden, this method can be replaced with a stub.

Returns:

the token data to include in the token identifier.

Throws:

IOException - failure creating the token data.

createEmptyIdentifier

public abstract org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier createEmptyIdentifier()

Create a new "empty" token identifier. It is used by the "dummy" SecretManager, which requires a token identifier (even one that's not real) to satisfy the contract.

Returns:

an empty identifier.

convertTokenIdentifier

protected <T extends org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> T convertTokenIdentifier(org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier identifier,
                                                                                                                         Class<T> expectedClass)
                                                                                                                  throws DelegationTokenIOException

Verify that a token identifier is of a specific class. This will reject subclasses (i.e. it is stricter than instanceof, then cast it to that type.

Parameters:

identifier - identifier to validate

expectedClass - class of the expected token identifier.

Throws:

DelegationTokenIOException - If the wrong class was found.