RoleTokenBinding (Apache Hadoop Amazon Web Services support 3.3.4 API)

java.lang.Object
- org.apache.hadoop.service.AbstractService
- - org.apache.hadoop.fs.s3a.auth.delegation.AbstractDTService
  - - org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding
    - - org.apache.hadoop.fs.s3a.auth.delegation.SessionTokenBinding
      - org.apache.hadoop.fs.s3a.auth.delegation.RoleTokenBinding

All Implemented Interfaces:

Closeable, AutoCloseable, org.apache.hadoop.service.Service
```
public class RoleTokenBinding
extends SessionTokenBinding
```
Role Token support requests an explicit role and automatically restricts that role to the given policy of the binding. The session is locked down as much as possible.

Nested Class Summary
- Nested classes/interfaces inherited from class org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding
  AbstractDelegationTokenBinding.TokenSecretManager
- Nested classes/interfaces inherited from interface org.apache.hadoop.service.Service
  org.apache.hadoop.service.Service.STATE

Field Summary

Fields
Modifier and Type Field and Description

static String COMPONENT

static String E_NO_ARN
Error message when there is no Role ARN.
- Fields inherited from class org.apache.hadoop.fs.s3a.auth.delegation.SessionTokenBinding
  CREDENTIALS_CONVERTED_TO_DELEGATION_TOKEN, LOG_EVENT, SESSION_TOKEN

Fields
Modifier and Type	Field and Description
`static String`	`COMPONENT`
`static String`	`E_NO_ARN` Error message when there is no Role ARN.

Constructor Summary

Constructors
Constructor and Description

RoleTokenBinding()
Constructor.

Constructors
Constructor and Description
`RoleTokenBinding()` Constructor.

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`protected String`	`bindingName()` Get the role of this token; subclasses should override this for better logging.
`AWSCredentialProviderList`	`bindToTokenIdentifier(AbstractS3ATokenIdentifier retrievedIdentifier)` Returns a (wrapped) `MarshalledCredentialProvider` which requires the marshalled credentials to contain session secrets.
`RoleTokenIdentifier`	`createEmptyIdentifier()` Create a new subclass of `AbstractS3ATokenIdentifier`.
`RoleTokenIdentifier`	`createTokenIdentifier(Optional<RoleModel.Policy> policy, EncryptionSecrets encryptionSecrets, org.apache.hadoop.io.Text renewer)` Create the Token Identifier.
`String`	`getDescription()` Return a description.
`protected void`	`serviceInit(org.apache.hadoop.conf.Configuration conf)`

Methods inherited from class org.apache.hadoop.fs.s3a.auth.delegation.SessionTokenBinding
deployUnbonded, getDuration, getExpirationDateTime, getInvoker, getTokenIdentifier, getUserAgentField, prepareSTSClient, serviceStart, serviceStop, setExpirationDateTime, setTokenIdentifier

Methods inherited from class org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding
convertTokenIdentifier, createDelegationToken, createSecretMananger, getKind, getOwnerText, getSecretManagerPasssword, getTokenIssuingPolicy, toString

Methods inherited from class org.apache.hadoop.fs.s3a.auth.delegation.AbstractDTService
bindToFileSystem, getCanonicalUri, getOwner, getPolicyProvider, getStoreContext, requireServiceStarted, requireServiceState

Methods inherited from class org.apache.hadoop.service.AbstractService
close, getBlockers, getConfig, getFailureCause, getFailureState, getLifecycleHistory, getName, getServiceState, getStartTime, init, isInState, noteFailure, putBlocker, registerGlobalListener, registerServiceListener, removeBlocker, setConfig, start, stop, unregisterGlobalListener, unregisterServiceListener, waitForServiceToStop

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

- Field Detail
  - E_NO_ARN
```
public static final String E_NO_ARN
```
    Error message when there is no Role ARN.
    
    See Also:
    
    Constant Field Values
  - COMPONENT
```
public static final String COMPONENT
```
    See Also:
    
    Constant Field Values
- Constructor Detail
  - RoleTokenBinding
```
public RoleTokenBinding()
```
    Constructor. Name is NAME; token kind is DelegationConstants.ROLE_TOKEN_KIND.
- Method Detail
  - serviceInit
```
protected void serviceInit(org.apache.hadoop.conf.Configuration conf)
                    throws Exception
```
    Overrides:
    
    serviceInit in class AbstractDTService
    
    Throws:
    
    Exception
  - bindToTokenIdentifier
```
public AWSCredentialProviderList bindToTokenIdentifier(AbstractS3ATokenIdentifier retrievedIdentifier)
                                                throws IOException
```
    Returns a (wrapped) MarshalledCredentialProvider which requires the marshalled credentials to contain session secrets.
    
    Overrides:
    
    bindToTokenIdentifier in class SessionTokenBinding
    
    Parameters:
    
    retrievedIdentifier - the incoming identifier.
    
    Returns:
    
    the provider chain.
    
    Throws:
    
    IOException - on failure
  - createTokenIdentifier
```
@Retries.RetryTranslated
public RoleTokenIdentifier createTokenIdentifier(Optional<RoleModel.Policy> policy,
                                                                          EncryptionSecrets encryptionSecrets,
                                                                          org.apache.hadoop.io.Text renewer)
                                                                   throws IOException
```
    Create the Token Identifier. Looks for the option DelegationConstants.DELEGATION_TOKEN_ROLE_ARN in the config and fail if it is not set.
    
    Overrides:
    
    createTokenIdentifier in class SessionTokenBinding
    
    Parameters:
    
    policy - the policy which will be used for the requested token.
    
    encryptionSecrets - encryption secrets.
    
    renewer - the principal permitted to renew the token.
    
    Returns:
    
    the token.
    
    Throws:
    
    IllegalArgumentException - if there is no role defined.
    
    IOException - any problem acquiring the role.
  - createEmptyIdentifier
```
public RoleTokenIdentifier createEmptyIdentifier()
```
    Description copied from class: AbstractDelegationTokenBinding
    
    Create a new subclass of AbstractS3ATokenIdentifier. This is used in the secret manager.
    
    Overrides:
    
    createEmptyIdentifier in class SessionTokenBinding
    
    Returns:
    
    an empty identifier.
  - getDescription
```
public String getDescription()
```
    Description copied from class: AbstractDelegationTokenBinding
    
    Return a description. This is logged during after service start and binding: it should be as informative as possible.
    
    Overrides:
    
    getDescription in class SessionTokenBinding
    
    Returns:
    
    a description to log.
  - bindingName
```
protected String bindingName()
```
    Description copied from class: SessionTokenBinding
    
    Get the role of this token; subclasses should override this for better logging.
    
    Overrides:
    
    bindingName in class SessionTokenBinding
    
    Returns:
    
    the role of this token

Class RoleTokenBinding

Nested Class Summary

Nested classes/interfaces inherited from class org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding

Nested classes/interfaces inherited from interface org.apache.hadoop.service.Service

Field Summary

Fields inherited from class org.apache.hadoop.fs.s3a.auth.delegation.SessionTokenBinding

Constructor Summary

Method Summary

Methods inherited from class org.apache.hadoop.fs.s3a.auth.delegation.SessionTokenBinding

Methods inherited from class org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding

Methods inherited from class org.apache.hadoop.fs.s3a.auth.delegation.AbstractDTService

Methods inherited from class org.apache.hadoop.service.AbstractService

Methods inherited from class java.lang.Object

Field Detail

E_NO_ARN

COMPONENT

Constructor Detail

RoleTokenBinding

Method Detail

serviceInit

bindToTokenIdentifier

createTokenIdentifier

createEmptyIdentifier

getDescription

bindingName