org.apache.hadoop.security.authentication.util
Class ZKSignerSecretProvider

java.lang.Object
  extended by org.apache.hadoop.security.authentication.util.SignerSecretProvider
      extended by org.apache.hadoop.security.authentication.util.RolloverSignerSecretProvider
          extended by org.apache.hadoop.security.authentication.util.ZKSignerSecretProvider

@InterfaceStability.Unstable
@InterfaceAudience.Private
public class ZKSignerSecretProvider
extends RolloverSignerSecretProvider

A SignerSecretProvider that synchronizes a rolling random secret between multiple servers using ZooKeeper.

It works by storing the secrets and next rollover time in a ZooKeeper znode. All ZKSignerSecretProviders looking at that znode will use those secrets and next rollover time to ensure they are synchronized. There is no "leader" -- any of the ZKSignerSecretProviders can choose the next secret; which one is indeterminate. Kerberos-based ACLs can also be enforced to prevent a malicious third-party from getting or setting the secrets. It uses its own CuratorFramework client for talking to ZooKeeper. If you want to use your own Curator client, you can pass it to ZKSignerSecretProvider; see AuthenticationFilter for more details.

The supported configuration properties are:

The following attribute in the ServletContext can also be set if desired:
  • signer.secret.provider.zookeeper.curator.client: A CuratorFramework client object can be passed here. If given, the "zookeeper" implementation will use this Curator client instead of creating its own, which is useful if you already have a Curator client or want more control over its configuration.
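As an added illustration of the custom-client path described above (this is not code from Hadoop or Curator), the following hypothetical `ServletContextListener` builds its own `CuratorFramework` client, restricts every znode it creates to the authenticated creator, and hands the client to `ZKSignerSecretProvider` through the ServletContext attribute. The class name `SignerSecretCuratorListener`, the `example.zk.quorum` system property and the quorum address are assumptions; the attribute and property constants are the ones documented on this page, and the Curator and ZooKeeper calls are standard API.

```java
import java.util.List;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.hadoop.security.authentication.util.ZKSignerSecretProvider;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;

// Hypothetical listener (added example, not part of Hadoop): owns the Curator client
// that ZKSignerSecretProvider will use instead of creating its own.
public class SignerSecretCuratorListener implements ServletContextListener {

  // Assumption: the hosting application supplies its ZooKeeper quorum this way.
  private static final String ZK_QUORUM =
      System.getProperty("example.zk.quorum", "zk1:2181,zk2:2181,zk3:2181");

  private CuratorFramework client;

  @Override
  public void contextInitialized(ServletContextEvent sce) {
    // Every znode this client creates, including the one holding the signer secrets,
    // is readable and writable only by the identity that created it. This is what
    // stops other ZooKeeper users from reading or replacing the secrets. It only
    // works for an authenticated client (e.g. SASL/Kerberos via a JAAS login);
    // an unauthenticated creator has no identity for CREATOR_ALL_ACL to bind to.
    ACLProvider creatorOnly = new ACLProvider() {
      @Override
      public List<ACL> getDefaultAcl() {
        return ZooDefs.Ids.CREATOR_ALL_ACL;
      }

      @Override
      public List<ACL> getAclForPath(String path) {
        return ZooDefs.Ids.CREATOR_ALL_ACL;
      }
    };

    client = CuratorFrameworkFactory.builder()
        .connectString(ZK_QUORUM)
        .retryPolicy(new ExponentialBackoffRetry(1000, 3))
        .aclProvider(creatorOnly)
        .build();
    client.start();

    // ZKSignerSecretProvider reads the client from this attribute
    // ("signer.secret.provider.zookeeper.curator.client") during init().
    sce.getServletContext().setAttribute(
        ZKSignerSecretProvider.ZOOKEEPER_SIGNER_SECRET_PROVIDER_CURATOR_CLIENT_ATTRIBUTE,
        client);
  }

  @Override
  public void contextDestroyed(ServletContextEvent sce) {
    // This listener owns the client, so the filter's configuration should set the
    // DISCONNECT_FROM_ZOOKEEPER_ON_SHUTDOWN property to "false"; otherwise the
    // provider's destroy() closes a client it did not create.
    if (client != null) {
      client.close();
    }
  }
}
```

Register the listener in the web application (for example in web.xml) so it runs before the AuthenticationFilter is initialized, and set the disconnect-on-shutdown property to "false" in the filter configuration as the page describes. The page puts security and ACL configuration of a custom client on the providing class, so the SASL/Kerberos login for this client has to be arranged by the application; the provider's built-in "sasl" auth type only configures the client it creates itself.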

    Nested Class Summary
    static class ZKSignerSecretProvider.JaasConfiguration
              Creates a programmatic version of a jaas.conf file.
     
    Field Summary
    static String DISCONNECT_FROM_ZOOKEEPER_ON_SHUTDOWN
              Constant for the property that specifies whether or not the Curator client should disconnect from ZooKeeper on shutdown.
    static String ZOOKEEPER_AUTH_TYPE
              Constant for the property that specifies the auth type to use.
    static String ZOOKEEPER_CONNECTION_STRING
              Constant for the property that specifies the ZooKeeper connection string.
    static String ZOOKEEPER_KERBEROS_KEYTAB
              Constant for the property that specifies the Kerberos keytab file.
    static String ZOOKEEPER_KERBEROS_PRINCIPAL
              Constant for the property that specifies the Kerberos principal.
    static String ZOOKEEPER_PATH
              Constant for the property that specifies the ZooKeeper path.
    static String ZOOKEEPER_SIGNER_SECRET_PROVIDER_CURATOR_CLIENT_ATTRIBUTE
              Constant for the ServletContext attribute that can be used for providing a custom CuratorFramework client.
     
    Constructor Summary
    ZKSignerSecretProvider()
               
    ZKSignerSecretProvider(long seed)
              This constructor lets you set the seed of the Random Number Generator and is meant for testing.
     
    Method Summary
    protected  org.apache.curator.framework.CuratorFramework createCuratorClient(Properties config)
              This method creates the Curator client and connects to ZooKeeper.
     void destroy()
              Disconnects from ZooKeeper unless told not to.
    protected  byte[] generateNewSecret()
              Subclasses should implement this to return a new secret.
     void init(Properties config, javax.servlet.ServletContext servletContext, long tokenValidity)
              Initialize the SignerSecretProvider.
    protected  void rollSecret()
              Rolls the secret.
     
    Methods inherited from class org.apache.hadoop.security.authentication.util.RolloverSignerSecretProvider
    getAllSecrets, getCurrentSecret, initSecrets, startScheduler
     
    Methods inherited from class java.lang.Object
    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
     

    Field Detail

    ZOOKEEPER_CONNECTION_STRING

    public static final String ZOOKEEPER_CONNECTION_STRING
    Constant for the property that specifies the ZooKeeper connection string.

    See Also:
    Constant Field Values

    ZOOKEEPER_PATH

    public static final String ZOOKEEPER_PATH
    Constant for the property that specifies the ZooKeeper path.

    See Also:
    Constant Field Values

    ZOOKEEPER_AUTH_TYPE

    public static final String ZOOKEEPER_AUTH_TYPE
    Constant for the property that specifies the auth type to use. Supported values are "none" and "sasl". The default value is "none".

    See Also:
    Constant Field Values

    ZOOKEEPER_KERBEROS_KEYTAB

    public static final String ZOOKEEPER_KERBEROS_KEYTAB
    Constant for the property that specifies the Kerberos keytab file.

    See Also:
    Constant Field Values

    ZOOKEEPER_KERBEROS_PRINCIPAL

    public static final String ZOOKEEPER_KERBEROS_PRINCIPAL
    Constant for the property that specifies the Kerberos principal.

    See Also:
    Constant Field Values

    DISCONNECT_FROM_ZOOKEEPER_ON_SHUTDOWN

    public static final String DISCONNECT_FROM_ZOOKEEPER_ON_SHUTDOWN
    Constant for the property that specifies whether or not the Curator client should disconnect from ZooKeeper on shutdown. The default is "true". Only set this to "false" if a custom Curator client is being provided and the disconnection is being handled elsewhere.

    See Also:
    Constant Field Values

    ZOOKEEPER_SIGNER_SECRET_PROVIDER_CURATOR_CLIENT_ATTRIBUTE

    public static final String ZOOKEEPER_SIGNER_SECRET_PROVIDER_CURATOR_CLIENT_ATTRIBUTE
    Constant for the ServletContext attribute that can be used for providing a custom CuratorFramework client. If set, ZKSignerSecretProvider will use this Curator client instead of creating a new one. In this case the providing class is responsible for creating and configuring the Curator client, including its security settings and ACLs.

    See Also:
    Constant Field Values

    Constructor Detail

    ZKSignerSecretProvider

    public ZKSignerSecretProvider()

    ZKSignerSecretProvider

    public ZKSignerSecretProvider(long seed)
    This constructor lets you set the seed of the Random Number Generator and is meant for testing.

    Parameters:
    seed - the seed for the random number generator

    Method Detail

    init

    public void init(Properties config,
                     javax.servlet.ServletContext servletContext,
                     long tokenValidity)
              throws Exception
    Description copied from class: RolloverSignerSecretProvider
    Initialize the SignerSecretProvider. It initializes the current secret and starts the scheduler for the rollover to run at an interval of tokenValidity.

    Overrides:
    init in class RolloverSignerSecretProvider
    Parameters:
    config - configuration properties
    servletContext - servlet context
    tokenValidity - The amount of time a token is valid for
    Throws:
    Exception

    destroy

    public void destroy()
    Disconnects from ZooKeeper unless told not to.

    Overrides:
    destroy in class RolloverSignerSecretProvider

    rollSecret

    protected void rollSecret()
    Description copied from class: RolloverSignerSecretProvider
    Rolls the secret. It is called automatically at the rollover interval.

    Overrides:
    rollSecret in class RolloverSignerSecretProvider

    generateNewSecret

    protected byte[] generateNewSecret()
    Description copied from class: RolloverSignerSecretProvider
    Subclasses should implement this to return a new secret. It will be called automatically at the secret rollover interval. It should never return null.

    Specified by:
    generateNewSecret in class RolloverSignerSecretProvider
    Returns:
    a new secret

    createCuratorClient

    protected org.apache.curator.framework.CuratorFramework createCuratorClient(Properties config)
                                                                         throws Exception
    This method creates the Curator client and connects to ZooKeeper.

    Parameters:
    config - configuration properties
    Returns:
    A Curator client
    Throws:
    Exception


    Copyright © 2014 Apache Software Foundation. All Rights Reserved.