org.apache.hadoop.fs.s3a.auth.delegation

Class SessionTokenBinding

java.lang.Object

org.apache.hadoop.service.AbstractService

org.apache.hadoop.fs.s3a.auth.delegation.AbstractDTService

org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding

org.apache.hadoop.fs.s3a.auth.delegation.SessionTokenBinding

All Implemented Interfaces:

Closeable, AutoCloseable, org.apache.hadoop.service.Service

Direct Known Subclasses:

RoleTokenBinding

public class SessionTokenBinding
extends AbstractDelegationTokenBinding

The session token DT binding: creates an AWS session token for the DT, extracts and serves it up afterwards.

Nested Class Summary

Nested classes/interfaces inherited from class org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding

AbstractDelegationTokenBinding.TokenSecretManager

Nested classes/interfaces inherited from interface org.apache.hadoop.service.Service

org.apache.hadoop.service.Service.STATE

Field Summary

Fields

Modifier and Type	Field and Description
static String	CREDENTIALS_CONVERTED_TO_DELEGATION_TOKEN A message added to the standard origin string when the DT is built from session credentials passed in.
static Invoker.Retried	LOG_EVENT Log retries at debug.
static String	SESSION_TOKEN

Constructor Summary

Constructors

Modifier	Constructor and Description
	SessionTokenBinding() Constructor for reflection.
protected	SessionTokenBinding(String name, org.apache.hadoop.io.Text kind) Constructor for subclasses.

Method Summary

Modifier and Type	Method and Description
protected String	bindingName() Get the role of this token; subclasses should override this for better logging.
AWSCredentialProviderList	bindToTokenIdentifier(AbstractS3ATokenIdentifier retrievedIdentifier) Sets the field tokenIdentifier to the extracted/cast session token identifier, and expirationDateTime to any expiration passed in.
SessionTokenIdentifier	createEmptyIdentifier() Create a new subclass of AbstractS3ATokenIdentifier.
SessionTokenIdentifier	createTokenIdentifier(Optional<RoleModel.Policy> policy, EncryptionSecrets encryptionSecrets, org.apache.hadoop.io.Text renewer) Create a token identifier with all the information needed to be included in a delegation token.
AWSCredentialProviderList	deployUnbonded() Return an unbonded provider chain.
String	getDescription() Return a description.
long	getDuration() Duration of sessions.
protected Optional<OffsetDateTime>	getExpirationDateTime() Expiration date time as passed in from source.
protected Invoker	getInvoker() Get the invoker for STS calls.
protected Optional<SessionTokenIdentifier>	getTokenIdentifier() Token identifier bound to.
String	getUserAgentField() UA field contains the UUID of the token if present.
protected Optional<STSClientFactory.STSClient>	prepareSTSClient() Get the client to AWS STS.
protected void	serviceStart() Service start will read in all configuration options then build that client.
protected void	serviceStop()
protected void	setExpirationDateTime(Optional<OffsetDateTime> expirationDateTime)
protected void	setTokenIdentifier(Optional<SessionTokenIdentifier> tokenIdentifier)

Methods inherited from class org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding

convertTokenIdentifier, createDelegationToken, createSecretMananger, getKind, getOwnerText, getSecretManagerPasssword, getTokenIssuingPolicy, toString

Methods inherited from class org.apache.hadoop.fs.s3a.auth.delegation.AbstractDTService

bindToFileSystem, getCanonicalUri, getOwner, getPolicyProvider, getStoreContext, requireServiceStarted, requireServiceState, serviceInit

Methods inherited from class org.apache.hadoop.service.AbstractService

close, getBlockers, getConfig, getFailureCause, getFailureState, getLifecycleHistory, getName, getServiceState, getStartTime, init, isInState, noteFailure, putBlocker, registerGlobalListener, registerServiceListener, removeBlocker, setConfig, start, stop, unregisterGlobalListener, unregisterServiceListener, waitForServiceToStop

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

CREDENTIALS_CONVERTED_TO_DELEGATION_TOKEN

public static final String CREDENTIALS_CONVERTED_TO_DELEGATION_TOKEN

A message added to the standard origin string when the DT is built from session credentials passed in.

See Also:

Constant Field Values

SESSION_TOKEN

public static final String SESSION_TOKEN

See Also:

Constant Field Values

LOG_EVENT

public static final Invoker.Retried LOG_EVENT

Log retries at debug.

Constructor Detail

SessionTokenBinding

public SessionTokenBinding()

Constructor for reflection.

SessionTokenBinding

protected SessionTokenBinding(String name,
                              org.apache.hadoop.io.Text kind)

Constructor for subclasses.

Parameters:

name - binding name.

kind - token kind.

Method Detail

serviceStart

protected void serviceStart()
                     throws Exception

Service start will read in all configuration options then build that client.

Overrides:

serviceStart in class AbstractDelegationTokenBinding

Throws:

Exception - failure.

serviceStop

protected void serviceStop()
                    throws Exception

Overrides:

serviceStop in class org.apache.hadoop.service.AbstractService

Throws:

Exception

deployUnbonded

public AWSCredentialProviderList deployUnbonded()
                                         throws IOException

Return an unbonded provider chain.

Specified by:

deployUnbonded in class AbstractDelegationTokenBinding

Returns:

the auth chain built from the assumed role credentials

Throws:

IOException - any failure.

getInvoker

protected Invoker getInvoker()

Get the invoker for STS calls.

Returns:

the invoker

bindToTokenIdentifier

public AWSCredentialProviderList bindToTokenIdentifier(AbstractS3ATokenIdentifier retrievedIdentifier)
                                                throws IOException

Sets the field tokenIdentifier to the extracted/cast session token identifier, and expirationDateTime to any expiration passed in.

Specified by:

bindToTokenIdentifier in class AbstractDelegationTokenBinding

Parameters:

retrievedIdentifier - the unmarshalled data

Returns:

the provider list

Throws:

IOException - failure

getDescription

public String getDescription()

Description copied from class: AbstractDelegationTokenBinding

Return a description. This is logged during after service start and binding: it should be as informative as possible.

Overrides:

getDescription in class AbstractDelegationTokenBinding

Returns:

a description to log.

bindingName

protected String bindingName()

Get the role of this token; subclasses should override this for better logging.

Returns:

the role of this token

getUserAgentField

public String getUserAgentField()

UA field contains the UUID of the token if present.

Overrides:

getUserAgentField in class AbstractDelegationTokenBinding

Returns:

a string for the S3 logs.

prepareSTSClient

protected Optional<STSClientFactory.STSClient> prepareSTSClient()
                                                         throws IOException

Get the client to AWS STS.

Returns:

the STS client, when successfully inited.

Throws:

IOException - any failure to bind to STS.

getDuration

public long getDuration()

Duration of sessions.

Returns:

duration in seconds.

createTokenIdentifier

@Retries.RetryTranslated
public SessionTokenIdentifier createTokenIdentifier(Optional<RoleModel.Policy> policy,
                                                                             EncryptionSecrets encryptionSecrets,
                                                                             org.apache.hadoop.io.Text renewer)
                                                                      throws IOException

Description copied from class: AbstractDelegationTokenBinding

Create a token identifier with all the information needed to be included in a delegation token. This is where session credentials need to be extracted, etc. This will only be called if a new DT is needed, that is: the filesystem has been deployed unbonded. If AbstractDelegationTokenBinding.createDelegationToken(Optional, EncryptionSecrets, Text) is overridden, this method can be replaced with a stub.

Specified by:

createTokenIdentifier in class AbstractDelegationTokenBinding

Parameters:

policy - minimum policy to use, if known.

encryptionSecrets - encryption secrets for the token.

renewer - the principal permitted to renew the token.

Returns:

the token data to include in the token identifier.

Throws:

IOException - failure creating the token data.

createEmptyIdentifier

public SessionTokenIdentifier createEmptyIdentifier()

Description copied from class: AbstractDelegationTokenBinding

Create a new subclass of AbstractS3ATokenIdentifier. This is used in the secret manager.

Specified by:

createEmptyIdentifier in class AbstractDelegationTokenBinding

Returns:

an empty identifier.

getExpirationDateTime

protected Optional<OffsetDateTime> getExpirationDateTime()

Expiration date time as passed in from source. If unset, either we are unbound, or the token which came in does not know its expiry.

Returns:

expiration data time.

setExpirationDateTime

protected void setExpirationDateTime(Optional<OffsetDateTime> expirationDateTime)

getTokenIdentifier

protected Optional<SessionTokenIdentifier> getTokenIdentifier()

Token identifier bound to.

Returns:

token identifier.

setTokenIdentifier

protected void setTokenIdentifier(Optional<SessionTokenIdentifier> tokenIdentifier)