Class SQLDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

java.lang.Object
  org.apache.hadoop.security.token.SecretManager<TokenIdent>
    org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<TokenIdent>
      org.apache.hadoop.security.token.delegation.SQLDelegationTokenSecretManager<TokenIdent>

public abstract class SQLDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>
extends AbstractDelegationTokenSecretManager<TokenIdent>

An implementation of AbstractDelegationTokenSecretManager that persists TokenIdentifiers and DelegationKeys in an existing SQL database. The class itself contains no database access: a concrete subclass supplies it by implementing the abstract select/insert/update/delete primitives and the shared sequence-number and key-id counters, and this class maps the parent's token and master-key operations onto those primitives. Because several secret managers may share one database, sequence numbers and key ids are allocated from the shared counters rather than from the in-memory counters of the parent class.
Nested Class Summary

Nested classes/interfaces inherited from class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager
  AbstractDelegationTokenSecretManager.DelegationTokenInformation

Nested classes/interfaces inherited from class org.apache.hadoop.security.token.SecretManager
  SecretManager.InvalidToken

Field Summary

Fields
  Modifier and Type    Field
  static final int     DEFAULT_SEQ_NUM_BATCH_SIZE
  static final String  SQL_DTSM_CONF_PREFIX
  static final String  SQL_DTSM_TOKEN_LOADING_CACHE_EXPIRATION
  static final long    SQL_DTSM_TOKEN_LOADING_CACHE_EXPIRATION_DEFAULT
  static final String  SQL_DTSM_TOKEN_LOADING_CACHE_MAX_SIZE
  static final long    SQL_DTSM_TOKEN_LOADING_CACHE_MAX_SIZE_DEFAULT
  static final String  SQL_DTSM_TOKEN_MAX_CLEANUP_RESULTS
  static final int     SQL_DTSM_TOKEN_MAX_CLEANUP_RESULTS_DEFAULT

Fields inherited from class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager
  allKeys, currentId, currentTokens, delegationTokenSequenceNumber, noInterruptsLock, running, storeTokenTrackingId, tokenOwnerStats

Constructor Summary

Constructors
  SQLDelegationTokenSecretManager
Method Summary

Modifier and Type, Method, Description

TokenIdent cancelToken(Token<TokenIdent> token, String canceller)
    Cancels a token by removing it from the SQL database.
protected abstract void deleteDelegationKey(int keyId)
protected abstract void deleteToken(int sequenceNum, byte[] tokenIdentifier)
protected Map<TokenIdent,AbstractDelegationTokenSecretManager.DelegationTokenInformation> getCandidateTokensForCleanup()
    Obtains the tokens that will be considered for cleanup, based on the last time each token was updated in SQL.
int getCurrentKeyId()
    Obtains the value of the last delegation key id.
protected DelegationKey getDelegationKey(int keyId)
    Obtains the DelegationKey from the SQL database.
int getDelegationTokenSeqNum()
    Obtains the value of the last reserved sequence number.
protected AbstractDelegationTokenSecretManager.DelegationTokenInformation getTokenInfoFromSQL(TokenIdent ident)
    Obtains the DelegationTokenInformation associated with the given TokenIdentifier in the SQL database.
int incrementCurrentKeyId()
    Obtains the next available delegation key id that can be allocated to a DelegationKey.
int incrementDelegationTokenSeqNum()
    Obtains the next available sequence number that can be allocated to a Token.
protected abstract int incrementKeyId(int amount)
protected abstract int incrementSequenceNum(int amount)
protected abstract void insertDelegationKey(int keyId, byte[] delegationKey)
protected abstract void insertToken(int sequenceNum, byte[] tokenIdentifier, byte[] tokenInfo)
protected void removeExpiredStoredToken(TokenIdent ident)
protected void removeStoredMasterKey(DelegationKey key)
    Removes the existing DelegationKey from the SQL database to invalidate it.
protected void removeStoredToken(TokenIdent ident)
    Removes the existing TokenInformation from the SQL database to invalidate it.
protected abstract byte[] selectDelegationKey(int keyId)
protected abstract int selectKeyId()
protected abstract int selectSequenceNum()
protected abstract Map<byte[],byte[]> selectStaleTokenInfos(long maxModifiedTime, int maxResults)
protected abstract byte[] selectTokenInfo(int sequenceNum, byte[] tokenIdentifier)
void setCurrentKeyId(int keyId)
    Updates the value of the last delegation key id.
void setDelegationTokenSeqNum(int seqNum)
    Updates the value of the last reserved sequence number.
protected void storeDelegationKey(DelegationKey key)
    Persists a DelegationKey into the SQL database.
protected void storeToken(TokenIdent ident, AbstractDelegationTokenSecretManager.DelegationTokenInformation tokenInfo)
    Persists a TokenIdentifier and its corresponding TokenInformation into the SQL database.
protected abstract void updateDelegationKey(int keyId, byte[] delegationKey)
protected void updateDelegationKey(DelegationKey key)
    Updates an existing DelegationKey in the SQL database.
protected abstract void updateKeyId(int value)
protected abstract void updateSequenceNum(int value)
protected abstract void updateToken(int sequenceNum, byte[] tokenIdentifier, byte[] tokenInfo)
protected void updateToken(TokenIdent ident, AbstractDelegationTokenSecretManager.DelegationTokenInformation tokenInfo)
    Updates the TokenInformation of an existing TokenIdentifier in the SQL database.

Methods inherited from class org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager
  addKey, addPersistedDelegationToken, addTokenForOwnerStats, checkToken, createPassword, createSecretKey, decodeTokenIdentifier, getAllKeys, getCurrentTokensSize, getMetrics, getTokenInfo, getTokenRenewInterval, getTokenTrackingId, getTopTokenRealOwners, getTrackingIdIfEnabled, isRunning, logExpireToken, logExpireTokens, logUpdateMasterKey, renewToken, reset, retrievePassword, rollMasterKey, startThreads, stopThreads, storeNewMasterKey, storeNewToken, syncTokenOwnerStats, updateStoredToken, verifyToken

Methods inherited from class org.apache.hadoop.security.token.SecretManager
  checkAvailableForRead, createIdentifier, createPassword, generateSecret, retriableRetrievePassword, update, validateSecretKeyLength
Field Details

SQL_DTSM_CONF_PREFIX
public static final String SQL_DTSM_CONF_PREFIX

DEFAULT_SEQ_NUM_BATCH_SIZE
public static final int DEFAULT_SEQ_NUM_BATCH_SIZE

SQL_DTSM_TOKEN_MAX_CLEANUP_RESULTS
public static final String SQL_DTSM_TOKEN_MAX_CLEANUP_RESULTS

SQL_DTSM_TOKEN_MAX_CLEANUP_RESULTS_DEFAULT
public static final int SQL_DTSM_TOKEN_MAX_CLEANUP_RESULTS_DEFAULT

SQL_DTSM_TOKEN_LOADING_CACHE_EXPIRATION
public static final String SQL_DTSM_TOKEN_LOADING_CACHE_EXPIRATION

SQL_DTSM_TOKEN_LOADING_CACHE_EXPIRATION_DEFAULT
public static final long SQL_DTSM_TOKEN_LOADING_CACHE_EXPIRATION_DEFAULT

SQL_DTSM_TOKEN_LOADING_CACHE_MAX_SIZE
public static final String SQL_DTSM_TOKEN_LOADING_CACHE_MAX_SIZE

SQL_DTSM_TOKEN_LOADING_CACHE_MAX_SIZE_DEFAULT
public static final long SQL_DTSM_TOKEN_LOADING_CACHE_MAX_SIZE_DEFAULT

Constructor Details

SQLDelegationTokenSecretManager
Method Details

storeToken
protected void storeToken(TokenIdent ident, AbstractDelegationTokenSecretManager.DelegationTokenInformation tokenInfo) throws IOException
Persists a TokenIdentifier and its corresponding TokenInformation into the SQL database. The TokenIdentifier is expected to be unique; an attempt to store a duplicate token results in an IOException.
Overrides:
  storeToken in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>
Parameters:
  ident - TokenIdentifier to persist.
  tokenInfo - DelegationTokenInformation associated with the TokenIdentifier.
Throws:
  IOException - raised on errors performing I/O.

updateToken
protected void updateToken(TokenIdent ident, AbstractDelegationTokenSecretManager.DelegationTokenInformation tokenInfo) throws IOException
Updates the TokenInformation of an existing TokenIdentifier in the SQL database.
Overrides:
  updateToken in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>
Parameters:
  ident - Existing TokenIdentifier in the SQL database.
  tokenInfo - Updated DelegationTokenInformation associated with the TokenIdentifier.
Throws:
  IOException - raised on errors performing I/O.

cancelToken
public TokenIdent cancelToken(Token<TokenIdent> token, String canceller) throws IOException
Cancels a token by removing it from the SQL database. This calls the corresponding method in AbstractDelegationTokenSecretManager, which validates the token and the canceller and removes the token from the in-memory cache.
Overrides:
  cancelToken in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>
Parameters:
  token - token.
  canceller - canceller.
Returns:
  Identifier of the canceled token.
Throws:
  InvalidToken - for an invalid token
  AccessControlException - if the user isn't allowed to cancel
  IOException

getCandidateTokensForCleanup
protected Map<TokenIdent,AbstractDelegationTokenSecretManager.DelegationTokenInformation> getCandidateTokensForCleanup()
Obtains the tokens that will be considered for cleanup, based on the last time each token was updated in SQL. The result may include tokens that are not expired and must not be deleted (for example, a token that was last renewed with a longer renewal interval), so the caller must still check expiry before removing anything. The number of results is limited to reduce performance impact. Some contention is expected when multiple routers run cleanup simultaneously.
Overrides:
  getCandidateTokensForCleanup in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>
Returns:
  Map of tokens that have not been updated in SQL within the token renewal period.

removeStoredToken
protected void removeStoredToken(TokenIdent ident) throws IOException
Removes the existing TokenInformation from the SQL database to invalidate it.
Overrides:
  removeStoredToken in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>
Parameters:
  ident - TokenIdentifier whose TokenInformation is removed from the SQL database.
Throws:
  IOException

removeExpiredStoredToken
protected void removeExpiredStoredToken(TokenIdent ident)
Overrides:
  removeExpiredStoredToken in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>

getTokenInfoFromSQL
@VisibleForTesting
protected AbstractDelegationTokenSecretManager.DelegationTokenInformation getTokenInfoFromSQL(TokenIdent ident)
Obtains the DelegationTokenInformation associated with the given TokenIdentifier in the SQL database.
Parameters:
  ident - Existing TokenIdentifier in the SQL database.
Returns:
  DelegationTokenInformation that matches the given TokenIdentifier, or null if it doesn't exist in the database.
getDelegationTokenSeqNum
public int getDelegationTokenSeqNum()
Obtains the value of the last reserved sequence number.
Overrides:
  getDelegationTokenSeqNum in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>
Returns:
  Last reserved sequence number.

setDelegationTokenSeqNum
public void setDelegationTokenSeqNum(int seqNum)
Updates the value of the last reserved sequence number.
Overrides:
  setDelegationTokenSeqNum in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>
Parameters:
  seqNum - Value to update the sequence number to.

incrementDelegationTokenSeqNum
public int incrementDelegationTokenSeqNum()
Obtains the next available sequence number that can be allocated to a Token. Numbers are handed out from a locally reserved batch; once that batch is exhausted, a new batch is reserved through the shared sequence-number counter, which arbitrates allocation among secret managers running concurrently against the same database. Sequence numbers are therefore strictly increasing within a single secret manager, but not across secret managers.
Overrides:
  incrementDelegationTokenSeqNum in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>
Returns:
  Next available sequence number.
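The batch allocation described above, as an added example that is not part of the Hadoop code: a stand-alone simulation of two secret managers drawing sequence numbers from one shared counter. SharedCounter stands in for the SQL-backed incrementSequenceNum(int amount), which the example assumes adds amount atomically and returns the new counter value; the class, field and batch-size names are the example's own.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;

// Added example, not Hadoop code: models how each secret manager hands out sequence numbers
// from a locally reserved batch and only touches the shared counter when the batch is used up.
public class SeqNumBatchDemo {

  // Stand-in for the SQL-backed counter. incrementSequenceNum(amount) is assumed to add
  // `amount` atomically and return the new counter value.
  static final class SharedCounter {
    private final AtomicInteger value = new AtomicInteger(0);
    int incrementSequenceNum(int amount) { return value.addAndGet(amount); }
    int selectSequenceNum() { return value.get(); }
  }

  // One secret manager's view: the last number it handed out and the top of its reserved batch.
  static final class Manager {
    private final SharedCounter shared;
    private final int batchSize;
    private int current;   // last sequence number handed out by this manager
    private int batchEnd;  // highest number this manager may hand out before asking the counter again

    Manager(SharedCounter shared, int batchSize) {
      this.shared = shared;
      this.batchSize = batchSize;
    }

    // Mirrors incrementDelegationTokenSeqNum(): cheap local increment, one shared round trip per batch.
    synchronized int incrementDelegationTokenSeqNum() {
      if (current >= batchEnd) {
        batchEnd = shared.incrementSequenceNum(batchSize);  // reserves (batchEnd - batchSize, batchEnd]
        current = batchEnd - batchSize;
      }
      return ++current;
    }
  }

  public static void main(String[] args) {
    SharedCounter sql = new SharedCounter();
    Manager routerA = new Manager(sql, 3);
    Manager routerB = new Manager(sql, 3);
    List<Integer> issued = new ArrayList<>();
    for (int i = 0; i < 4; i++) {            // alternate: A, B, A, B, ...
      issued.add(routerA.incrementDelegationTokenSeqNum());
      issued.add(routerB.incrementDelegationTokenSeqNum());
    }
    System.out.println("issue order: " + issued);
    System.out.println("shared counter: " + sql.selectSequenceNum());
  }
}
```

Running it shows the two managers' ranges interleaving: each manager's numbers are strictly increasing, but a number handed out later by one manager can be smaller than one handed out earlier by the other, which is exactly the guarantee stated above. A manager that stops before using the rest of its batch leaves a gap; since a persisted token is keyed by its sequence number together with its identifier, gaps are harmless, whereas two managers reserving the same range would not be, which is why reservation goes through the shared counter.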
storeDelegationKey
protected void storeDelegationKey(DelegationKey key) throws IOException
Persists a DelegationKey into the SQL database. The delegation keyId is expected to be unique; an attempt to store a duplicate key results in an IOException.
Overrides:
  storeDelegationKey in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>
Parameters:
  key - DelegationKey to persist into the SQL database.
Throws:
  IOException - raised on errors performing I/O.

updateDelegationKey
protected void updateDelegationKey(DelegationKey key) throws IOException
Updates an existing DelegationKey in the SQL database.
Overrides:
  updateDelegationKey in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>
Parameters:
  key - Updated DelegationKey.
Throws:
  IOException - raised on errors performing I/O.

removeStoredMasterKey
protected void removeStoredMasterKey(DelegationKey key)
Removes the existing DelegationKey from the SQL database to invalidate it.
Overrides:
  removeStoredMasterKey in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>
Parameters:
  key - DelegationKey to remove from the SQL database.

getDelegationKey
protected DelegationKey getDelegationKey(int keyId)
Obtains the DelegationKey from the SQL database.
Overrides:
  getDelegationKey in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>
Parameters:
  keyId - KeyId of the DelegationKey to obtain.
Returns:
  DelegationKey that matches the given keyId, or null if it doesn't exist in the database.

getCurrentKeyId
public int getCurrentKeyId()
Obtains the value of the last delegation key id.
Overrides:
  getCurrentKeyId in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>
Returns:
  Last delegation key id.

setCurrentKeyId
public void setCurrentKeyId(int keyId)
Updates the value of the last delegation key id.
Overrides:
  setCurrentKeyId in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>
Parameters:
  keyId - Value to update the delegation key id to.

incrementCurrentKeyId
public int incrementCurrentKeyId()
Obtains the next available delegation key id that can be allocated to a DelegationKey. Key ids are reserved through the shared delegationKeyIdCounter, which arbitrates allocation among secret managers running concurrently against the same database.
Overrides:
  incrementCurrentKeyId in class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier>
Returns:
  Next available delegation key id.
selectTokenInfo
protected abstract byte[] selectTokenInfo(int sequenceNum, byte[] tokenIdentifier) throws SQLException
Throws:
  SQLException

selectStaleTokenInfos
protected abstract Map<byte[],byte[]> selectStaleTokenInfos(long maxModifiedTime, int maxResults) throws SQLException
Throws:
  SQLException

insertToken
protected abstract void insertToken(int sequenceNum, byte[] tokenIdentifier, byte[] tokenInfo) throws SQLException
Throws:
  SQLException

updateToken
protected abstract void updateToken(int sequenceNum, byte[] tokenIdentifier, byte[] tokenInfo) throws SQLException
Throws:
  SQLException

deleteToken
protected abstract void deleteToken(int sequenceNum, byte[] tokenIdentifier) throws SQLException
Throws:
  SQLException

selectDelegationKey
protected abstract byte[] selectDelegationKey(int keyId) throws SQLException
Throws:
  SQLException

insertDelegationKey
protected abstract void insertDelegationKey(int keyId, byte[] delegationKey) throws SQLException
Throws:
  SQLException

updateDelegationKey
protected abstract void updateDelegationKey(int keyId, byte[] delegationKey) throws SQLException
Throws:
  SQLException

deleteDelegationKey
protected abstract void deleteDelegationKey(int keyId) throws SQLException
Throws:
  SQLException

selectSequenceNum
protected abstract int selectSequenceNum() throws SQLException
Throws:
  SQLException

updateSequenceNum
protected abstract void updateSequenceNum(int value) throws SQLException
Throws:
  SQLException

incrementSequenceNum
protected abstract int incrementSequenceNum(int amount) throws SQLException
Throws:
  SQLException

selectKeyId
protected abstract int selectKeyId() throws SQLException
Throws:
  SQLException

updateKeyId
protected abstract void updateKeyId(int value) throws SQLException
Throws:
  SQLException

incrementKeyId
protected abstract int incrementKeyId(int amount) throws SQLException
Throws:
  SQLException
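A concrete subclass, added here as an example (it is not Hadoop's own implementation, which this page does not show), that backs every abstract primitive above with JDBC and so also illustrates the class description at the top of the page. Everything about the database is an assumption of the example: a Tokens table with columns sequenceNum, tokenIdentifier, tokenInfo and modifiedTime and a primary key on (sequenceNum, tokenIdentifier); a DelegationKeys table with keyId as primary key and a delegationKey column; two single-row tables SequenceTable and KeyIdTable holding the shared counters in a column named value; VARBINARY for the byte[] columns; and a database that supports SELECT ... FOR UPDATE. The superclass constructor is assumed to take a Configuration, and createIdentifier(), which SecretManager leaves abstract, is supplied through a Supplier so that the class compiles as a complete implementation. Class, helper and table names are the example's own.

```java
import java.sql.*;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;
import javax.sql.DataSource;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
import org.apache.hadoop.security.token.delegation.SQLDelegationTokenSecretManager;
// Added example, not Hadoop code. Assumed schema: Tokens(sequenceNum, tokenIdentifier, tokenInfo, modifiedTime)
// with PRIMARY KEY (sequenceNum, tokenIdentifier); DelegationKeys(keyId PRIMARY KEY, delegationKey); and the
// single-row counter tables SequenceTable(value) and KeyIdTable(value). byte[] columns are VARBINARY.
public class JdbcDelegationTokenSecretManager<T extends AbstractDelegationTokenIdentifier>
    extends SQLDelegationTokenSecretManager<T> {
  private final DataSource ds;
  private final Supplier<T> identifierFactory;
  // Assumption: the superclass constructor takes a Configuration, as in upstream Hadoop.
  public JdbcDelegationTokenSecretManager(Configuration conf, DataSource ds, Supplier<T> factory) {
    super(conf); this.ds = ds; this.identifierFactory = factory;
  }
  // The one abstract method inherited from SecretManager; the SQL layer does not supply it.
  @Override public T createIdentifier() { return identifierFactory.get(); }
  // Token rows. The composite primary key makes a duplicate INSERT fail with SQLException,
  // which storeToken() surfaces as the IOException documented above.
  @Override protected byte[] selectTokenInfo(int seq, byte[] id) throws SQLException {
    return (byte[]) selectOne("SELECT tokenInfo FROM Tokens WHERE sequenceNum = ? AND tokenIdentifier = ?", seq, id);
  }
  @Override protected Map<byte[], byte[]> selectStaleTokenInfos(long maxModifiedTime, int maxResults)
      throws SQLException {
    // Candidates only: a token renewed with a longer interval can be older than maxModifiedTime and
    // still valid, so the caller must check the decoded renew date before deleting anything.
    Map<byte[], byte[]> stale = new HashMap<>();
    try (Connection c = ds.getConnection(); PreparedStatement ps = bind(c,
        "SELECT tokenIdentifier, tokenInfo FROM Tokens WHERE modifiedTime < ?", new Timestamp(maxModifiedTime))) {
      ps.setMaxRows(maxResults);  // bounded scan keeps periodic cleanup cheap
      try (ResultSet rs = ps.executeQuery()) { while (rs.next()) { stale.put(rs.getBytes(1), rs.getBytes(2)); } }
    }
    return stale;
  }
  @Override protected void insertToken(int seq, byte[] id, byte[] info) throws SQLException {
    exec("INSERT INTO Tokens (sequenceNum, tokenIdentifier, tokenInfo, modifiedTime) VALUES (?, ?, ?, ?)",
        seq, id, info, new Timestamp(System.currentTimeMillis()));
  }
  @Override protected void updateToken(int seq, byte[] id, byte[] info) throws SQLException {
    exec("UPDATE Tokens SET tokenInfo = ?, modifiedTime = ? WHERE sequenceNum = ? AND tokenIdentifier = ?",
        info, new Timestamp(System.currentTimeMillis()), seq, id);
  }
  @Override protected void deleteToken(int seq, byte[] id) throws SQLException {
    exec("DELETE FROM Tokens WHERE sequenceNum = ? AND tokenIdentifier = ?", seq, id);
  }
  @Override protected byte[] selectDelegationKey(int keyId) throws SQLException {
    return (byte[]) selectOne("SELECT delegationKey FROM DelegationKeys WHERE keyId = ?", keyId);
  }
  @Override protected void insertDelegationKey(int keyId, byte[] key) throws SQLException {
    exec("INSERT INTO DelegationKeys (keyId, delegationKey) VALUES (?, ?)", keyId, key);
  }
  @Override protected void updateDelegationKey(int keyId, byte[] key) throws SQLException {
    exec("UPDATE DelegationKeys SET delegationKey = ? WHERE keyId = ?", key, keyId);
  }
  @Override protected void deleteDelegationKey(int keyId) throws SQLException {
    exec("DELETE FROM DelegationKeys WHERE keyId = ?", keyId);
  }
  // Shared counters. increment() is the only path that hands out new ranges and runs under a row
  // lock, so two managers can never reserve overlapping sequence numbers or key ids.
  @Override protected int selectSequenceNum() throws SQLException { return counter("SequenceTable"); }
  @Override protected void updateSequenceNum(int v) throws SQLException { exec("UPDATE SequenceTable SET value = ?", v); }
  @Override protected int incrementSequenceNum(int amount) throws SQLException { return increment("SequenceTable", amount); }
  @Override protected int selectKeyId() throws SQLException { return counter("KeyIdTable"); }
  @Override protected void updateKeyId(int v) throws SQLException { exec("UPDATE KeyIdTable SET value = ?", v); }
  @Override protected int incrementKeyId(int amount) throws SQLException { return increment("KeyIdTable", amount); }
  private int increment(String table, int amount) throws SQLException {  // table is a constant, not user input
    try (Connection c = ds.getConnection()) {
      c.setAutoCommit(false);  // SELECT ... FOR UPDATE and the UPDATE commit as one unit
      try (PreparedStatement sel = c.prepareStatement("SELECT value FROM " + table + " FOR UPDATE");
           ResultSet rs = sel.executeQuery()) {
        if (!rs.next()) { throw new SQLException("missing counter row in " + table); }
        int next = rs.getInt(1) + amount;
        try (PreparedStatement upd = bind(c, "UPDATE " + table + " SET value = ?", next)) { upd.executeUpdate(); }
        c.commit(); return next;
      } catch (SQLException e) { c.rollback(); throw e; }
    }
  }
  private int counter(String table) throws SQLException {
    Object v = selectOne("SELECT value FROM " + table);
    if (v == null) { throw new SQLException("missing counter row in " + table); }
    return ((Number) v).intValue();
  }
  private Object selectOne(String sql, Object... args) throws SQLException {
    try (Connection c = ds.getConnection(); PreparedStatement ps = bind(c, sql, args); ResultSet rs = ps.executeQuery()) {
      return rs.next() ? rs.getObject(1) : null;  // Integer for the counters, byte[] for VARBINARY columns
    }
  }
  private void exec(String sql, Object... args) throws SQLException {
    try (Connection c = ds.getConnection(); PreparedStatement ps = bind(c, sql, args)) { ps.executeUpdate(); }
  }
  private static PreparedStatement bind(Connection c, String sql, Object... args) throws SQLException {
    PreparedStatement ps = c.prepareStatement(sql);
    for (int i = 0; i < args.length; i++) { ps.setObject(i + 1, args[i]); }  // Integer, byte[] or Timestamp
    return ps;
  }
}
```

The two properties a concrete class has to guarantee are visible in the code: the composite primary key is what turns a duplicate token into the IOException that storeToken documents, and increment() is the only way a manager obtains new sequence numbers or key ids, under a row lock, so that managers sharing the database never hand out the same value (a shared key id pointing at two different master keys would make password verification ambiguous). selectStaleTokenInfos only narrows the scan by modifiedTime and result count; it does not decide expiry, matching the contract of getCandidateTokensForCleanup.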