org.apache.hadoop.fs.s3a.auth.delegation

Class FullCredentialsTokenBinding

java.lang.Object

org.apache.hadoop.service.AbstractService

org.apache.hadoop.fs.s3a.auth.delegation.AbstractDTService

org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding

org.apache.hadoop.fs.s3a.auth.delegation.FullCredentialsTokenBinding

All Implemented Interfaces:

Closeable, AutoCloseable, org.apache.hadoop.service.Service

public class FullCredentialsTokenBinding
extends AbstractDelegationTokenBinding

Full credentials: they are simply passed as-is, rather than converted to a session. These aren't as secure; this class exists to (a) support deployments where there is not STS service and (b) validate the design of S3A DT support to support different managers.

Nested Class Summary

Nested classes/interfaces inherited from class org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding

AbstractDelegationTokenBinding.TokenSecretManager

Nested classes/interfaces inherited from interface org.apache.hadoop.service.Service

org.apache.hadoop.service.Service.STATE

Field Summary

Fields

Modifier and Type	Field and Description
static String	FULL_TOKEN

Constructor Summary

Constructors

Constructor and Description
FullCredentialsTokenBinding() Constructor, uses name of NAME and token kind of DelegationConstants.FULL_TOKEN_KIND.

Method Summary

Modifier and Type	Method and Description
AWSCredentialProviderList	bindToTokenIdentifier(AbstractS3ATokenIdentifier retrievedIdentifier) Bind to the token identifier, returning the credential providers to use for the owner to talk to S3 and related AWS Services.
AbstractS3ATokenIdentifier	createEmptyIdentifier() Create a new subclass of AbstractS3ATokenIdentifier.
AbstractS3ATokenIdentifier	createTokenIdentifier(Optional<RoleModel.Policy> policy, EncryptionSecrets encryptionSecrets, org.apache.hadoop.io.Text renewer) Create a new delegation token.
AWSCredentialProviderList	deployUnbonded() Serve up the credentials retrieved from configuration/environment in loadAWSCredentials().
protected void	serviceStart() Service startup: create the secret manager.

Methods inherited from class org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding

convertTokenIdentifier, createDelegationToken, createSecretMananger, deploy, getDescription, getKind, getOwnerText, getSecretManagerPasssword, getTokenIssuingPolicy, getUserAgentField, toString

Methods inherited from class org.apache.hadoop.fs.s3a.auth.delegation.AbstractDTService

bindToFileSystem, getCanonicalUri, getOwner, getPolicyProvider, getStoreContext, requireServiceStarted, requireServiceState, serviceInit

Methods inherited from class org.apache.hadoop.service.AbstractService

close, getBlockers, getConfig, getFailureCause, getFailureState, getLifecycleHistory, getName, getServiceState, getStartTime, init, isInState, noteFailure, putBlocker, registerGlobalListener, registerServiceListener, removeBlocker, serviceStop, setConfig, start, stop, unregisterGlobalListener, unregisterServiceListener, waitForServiceToStop

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

FULL_TOKEN

public static final String FULL_TOKEN

See Also:

Constant Field Values

Constructor Detail

FullCredentialsTokenBinding

public FullCredentialsTokenBinding()

Constructor, uses name of NAME and token kind of DelegationConstants.FULL_TOKEN_KIND.

Method Detail

serviceStart

protected void serviceStart()
                     throws Exception

Description copied from class: AbstractDelegationTokenBinding

Service startup: create the secret manager.

Overrides:

serviceStart in class AbstractDelegationTokenBinding

Throws:

Exception - failure.

deployUnbonded

public AWSCredentialProviderList deployUnbonded()
                                         throws IOException

Serve up the credentials retrieved from configuration/environment in loadAWSCredentials().

Overrides:

deployUnbonded in class AbstractDelegationTokenBinding

Returns:

a credential provider for the unbonded instance.

Throws:

IOException - failure to load

createTokenIdentifier

public AbstractS3ATokenIdentifier createTokenIdentifier(Optional<RoleModel.Policy> policy,
                                                        EncryptionSecrets encryptionSecrets,
                                                        org.apache.hadoop.io.Text renewer)
                                                 throws IOException

Create a new delegation token. It's slightly inefficient to create a new one every time, but it avoids concurrency problems with managing any singleton.

Specified by:

createTokenIdentifier in class AbstractDelegationTokenBinding

Parameters:

policy - minimum policy to use, if known.

encryptionSecrets - encryption secrets.

renewer - the principal permitted to renew the token.

Returns:

a DT identifier

Throws:

IOException - failure

bindToTokenIdentifier

public AWSCredentialProviderList bindToTokenIdentifier(AbstractS3ATokenIdentifier retrievedIdentifier)
                                                throws IOException

Description copied from class: AbstractDelegationTokenBinding

Bind to the token identifier, returning the credential providers to use for the owner to talk to S3 and related AWS Services.

Overrides:

bindToTokenIdentifier in class AbstractDelegationTokenBinding

Parameters:

retrievedIdentifier - the unmarshalled data

Returns:

non-empty list of AWS credential providers to use for authenticating this client with AWS services.

Throws:

IOException - any failure

createEmptyIdentifier

public AbstractS3ATokenIdentifier createEmptyIdentifier()

Description copied from class: AbstractDelegationTokenBinding

Create a new subclass of AbstractS3ATokenIdentifier. This is used in the secret manager.

Specified by:

createEmptyIdentifier in class AbstractDelegationTokenBinding

Returns:

an empty identifier.