org.apache.hadoop.fs.s3a.auth

Class MarshalledCredentials

java.lang.Object

org.apache.hadoop.fs.s3a.auth.MarshalledCredentials

All Implemented Interfaces:

Serializable, org.apache.hadoop.io.Writable

@InterfaceAudience.Private
public final class MarshalledCredentials
extends Object
implements org.apache.hadoop.io.Writable, Serializable

Stores the credentials for a session or for a full login. This structure is Writable, so can be marshalled inside a delegation token. The class is designed so that keys inside are kept non-null; to be unset just set them to the empty string. This is to simplify marshalling. Important: Add no references to any AWS SDK class, to ensure it can be safely deserialized whenever the relevant token identifier of a token type declared in this JAR is examined.

See Also:

Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	MarshalledCredentials.CredentialTypeRequired Enumeration of credential types for use in validation methods.

Field Summary

Fields

Modifier and Type	Field and Description
static String	INVALID_CREDENTIALS Error text on invalid non-empty credentials: "Invalid AWS credentials".

Constructor Summary

Constructors

Constructor and Description
MarshalledCredentials() Constructor.
MarshalledCredentials(String accessKey, String secretKey, String sessionToken) Create from a set of properties.

Method Summary

Modifier and Type	Method and Description
String	buildInvalidCredentialsError(MarshalledCredentials.CredentialTypeRequired typeRequired) Build an error string for when the credentials do not match those required.
static MarshalledCredentials	empty() Return a set of empty credentials.
boolean	equals(Object o)
String	getAccessKey()
long	getExpiration() Expiration; will be 0 for none known.
Optional<OffsetDateTime>	getExpirationDateTime() Get a temporal representing the time of expiration, if there is one.
String	getRoleARN()
String	getSecretKey()
String	getSessionToken()
int	hashCode()
boolean	hasSessionToken() Does this set of credentials have a session token.
boolean	isEmpty() Is this empty: does it contain any credentials at all? This test returns true if either the access key or secret key is empty.
boolean	isValid(MarshalledCredentials.CredentialTypeRequired required) Is this a valid set of credentials tokens?
void	readFields(DataInput in) Read in the fields.
void	setAccessKey(String accessKey)
void	setExpiration(long expiration)
void	setRoleARN(String roleARN)
void	setSecretKey(String secretKey)
void	setSecretsInConfiguration(org.apache.hadoop.conf.Configuration config) Patch a configuration with the secrets.
void	setSessionToken(String sessionToken)
String	toString() String value MUST NOT include any secrets.
void	validate(String message, MarshalledCredentials.CredentialTypeRequired typeRequired) Verify that a set of credentials is valid.
void	write(DataOutput out) Write the token.

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Field Detail

INVALID_CREDENTIALS

@VisibleForTesting
public static final String INVALID_CREDENTIALS

Error text on invalid non-empty credentials: "Invalid AWS credentials".

See Also:

Constant Field Values

Constructor Detail

MarshalledCredentials

public MarshalledCredentials()

Constructor.

MarshalledCredentials

public MarshalledCredentials(String accessKey,
                             String secretKey,
                             String sessionToken)

Create from a set of properties. No expiry time is expected/known here.

Parameters:

accessKey - access key

secretKey - secret key

sessionToken - session token

Method Detail

getAccessKey

public String getAccessKey()

getSecretKey

public String getSecretKey()

getSessionToken

public String getSessionToken()

getExpiration

public long getExpiration()

Expiration; will be 0 for none known.

Returns:

any expiration timestamp

setExpiration

public void setExpiration(long expiration)

getExpirationDateTime

public Optional<OffsetDateTime> getExpirationDateTime()

Get a temporal representing the time of expiration, if there is one. This is here to wrap up expectations about timestamps and zones.

Returns:

the expiration time.

getRoleARN

public String getRoleARN()

setRoleARN

public void setRoleARN(String roleARN)

setAccessKey

public void setAccessKey(String accessKey)

setSecretKey

public void setSecretKey(String secretKey)

setSessionToken

public void setSessionToken(String sessionToken)

equals

public boolean equals(Object o)

Overrides:

equals in class Object

hashCode

public int hashCode()

Overrides:

hashCode in class Object

toString

public String toString()

String value MUST NOT include any secrets.

Overrides:

toString in class Object

Returns:

a string value for logging.

isEmpty

public boolean isEmpty()

Is this empty: does it contain any credentials at all? This test returns true if either the access key or secret key is empty.

Returns:

true if there are no credentials.

isValid

public boolean isValid(MarshalledCredentials.CredentialTypeRequired required)

Is this a valid set of credentials tokens?

Parameters:

required - credential type required.

Returns:

true if the requirements are met.

hasSessionToken

public boolean hasSessionToken()

Does this set of credentials have a session token.

Returns:

true if there's a session token.

write

public void write(DataOutput out)
           throws IOException

Write the token. Only works if valid.

Specified by:

write in interface org.apache.hadoop.io.Writable

Parameters:

out - stream to serialize to.

Throws:

IOException - if the serialization failed.

readFields

public void readFields(DataInput in)
                throws IOException

Read in the fields.

Specified by:

readFields in interface org.apache.hadoop.io.Writable

Throws:

IOException - IO problem

validate

public void validate(String message,
                     MarshalledCredentials.CredentialTypeRequired typeRequired)
              throws IOException

Verify that a set of credentials is valid.

Parameters:

message - message to prefix errors;

typeRequired - credential type required.

Throws:

DelegationTokenIOException - if they aren't

IOException

buildInvalidCredentialsError

public String buildInvalidCredentialsError(MarshalledCredentials.CredentialTypeRequired typeRequired)

Build an error string for when the credentials do not match those required.

Parameters:

typeRequired - credential type required.

Returns:

an error string.

setSecretsInConfiguration

public void setSecretsInConfiguration(org.apache.hadoop.conf.Configuration config)

Patch a configuration with the secrets. This does not set any per-bucket options (it doesn't know the bucket...). Warning: once done the configuration must be considered sensitive.

Parameters:

config - configuration to patch

empty

public static MarshalledCredentials empty()

Return a set of empty credentials. These can be marshalled, but not used for login.

Returns:

a new set of credentials.