Class SaslDataTransferClient

java.lang.Object
org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferClient

@Private public class SaslDataTransferClient extends Object
Negotiates SASL for DataTransferProtocol on behalf of a client. There are two possible supported variants of SASL negotiation: either a general-purpose negotiation supporting any quality of protection, or a specialized negotiation that enforces privacy as the quality of protection using a cryptographically strong encryption key. This class is used in both the HDFS client and the DataNode. The DataNode needs it, because it acts as a client to other DataNodes during write pipelines and block transfers.
  • Constructor Details

    • SaslDataTransferClient

      public SaslDataTransferClient(org.apache.hadoop.conf.Configuration conf, org.apache.hadoop.security.SaslPropertiesResolver saslPropsResolver, TrustedChannelResolver trustedChannelResolver)
      Creates a new SaslDataTransferClient. This constructor is used where there is no need to track whether a secure client fell back to simple authentication. For intra-cluster connections between DataNodes in the same cluster, all DataNodes can be assumed to run under the same security configuration.
      Parameters:
      conf - the configuration
      saslPropsResolver - for determining properties of SASL negotiation
      trustedChannelResolver - for identifying trusted connections that do not require SASL negotiation
    • SaslDataTransferClient

      public SaslDataTransferClient(org.apache.hadoop.conf.Configuration conf, org.apache.hadoop.security.SaslPropertiesResolver saslPropsResolver, TrustedChannelResolver trustedChannelResolver, AtomicBoolean fallbackToSimpleAuth)
      Creates a new SaslDataTransferClient.
      Parameters:
      conf - the configuration
      saslPropsResolver - for determining properties of SASL negotiation
      trustedChannelResolver - for identifying trusted connections that do not require SASL negotiation
      fallbackToSimpleAuth - checked on each attempt at a general SASL handshake; if true, forces use of simple auth
  • Method Details

    • newSocketSend

      public IOStreamPair newSocketSend(Socket socket, OutputStream underlyingOut, InputStream underlyingIn, DataEncryptionKeyFactory encryptionKeyFactory, org.apache.hadoop.security.token.Token<BlockTokenIdentifier> accessToken, DatanodeID datanodeId) throws IOException
      Sends client SASL negotiation for a newly allocated socket if required.
      Parameters:
      socket - connection socket
      underlyingOut - connection output stream
      underlyingIn - connection input stream
      encryptionKeyFactory - for creation of an encryption key
      accessToken - connection block access token
      datanodeId - ID of destination DataNode
      Returns:
      new pair of streams, wrapped after SASL negotiation
      Throws:
      IOException - for any error
    • peerSend

      public Peer peerSend(Peer peer, DataEncryptionKeyFactory encryptionKeyFactory, org.apache.hadoop.security.token.Token<BlockTokenIdentifier> accessToken, DatanodeID datanodeId) throws IOException
      Sends client SASL negotiation for a peer if required.
      Parameters:
      peer - connection peer
      encryptionKeyFactory - for creation of an encryption key
      accessToken - connection block access token
      datanodeId - ID of destination DataNode
      Returns:
      the peer, with its streams wrapped after SASL negotiation
      Throws:
      IOException - for any error
    • socketSend

      public IOStreamPair socketSend(Socket socket, OutputStream underlyingOut, InputStream underlyingIn, DataEncryptionKeyFactory encryptionKeyFactory, org.apache.hadoop.security.token.Token<BlockTokenIdentifier> accessToken, DatanodeID datanodeId) throws IOException
      Sends client SASL negotiation for a socket if required.
      Parameters:
      socket - connection socket
      underlyingOut - connection output stream
      underlyingIn - connection input stream
      encryptionKeyFactory - for creation of an encryption key
      accessToken - connection block access token
      datanodeId - ID of destination DataNode
      Returns:
      new pair of streams, wrapped after SASL negotiation
      Throws:
      IOException - for any error
    • socketSend

      public IOStreamPair socketSend(Socket socket, OutputStream underlyingOut, InputStream underlyingIn, DataEncryptionKeyFactory encryptionKeyFactory, org.apache.hadoop.security.token.Token<BlockTokenIdentifier> accessToken, DatanodeID datanodeId, SecretKey secretKey) throws IOException
      Throws:
      IOException
    • getTargetQOP

      @VisibleForTesting public String getTargetQOP()
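
The following is an added usage example, not code from Hadoop itself, showing how a DataTransferProtocol client builds a SaslDataTransferClient with the four-argument constructor and wraps a freshly connected socket with newSocketSend. The helper class SecureDataTransferExample, its method negotiate and its parameter names are hypothetical; the DataEncryptionKeyFactory, block access token and DatanodeID are assumed to come from an existing client session (in HDFS, DFSClient implements DataEncryptionKeyFactory), and the AtomicBoolean is assumed to be the same instance the client's RPC layer uses to record a fallback to simple auth. The Hadoop classes, static factory methods and NetUtils calls used here are real.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
import java.util.concurrent.atomic.AtomicBoolean;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hdfs.protocol.DatanodeID;
import org.apache.hadoop.hdfs.protocol.datatransfer.IOStreamPair;
import org.apache.hadoop.hdfs.protocol.datatransfer.TrustedChannelResolver;
import org.apache.hadoop.hdfs.protocol.datatransfer.sasl.DataEncryptionKeyFactory;
import org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferClient;
import org.apache.hadoop.hdfs.security.token.block.BlockTokenIdentifier;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.SaslPropertiesResolver;
import org.apache.hadoop.security.token.Token;

/**
 * Hypothetical helper (not part of Hadoop) showing how a DataTransferProtocol
 * client wraps a newly connected socket with SaslDataTransferClient.
 */
public final class SecureDataTransferExample {

  private SecureDataTransferExample() {}

  /**
   * Builds a SaslDataTransferClient from the configuration and negotiates SASL
   * on the given socket. The returned stream pair must be used for all further
   * DataTransferProtocol traffic; the raw socket streams carry no protection.
   *
   * @param conf client configuration (e.g. dfs.data.transfer.protection=privacy)
   * @param socket socket already connected to the destination DataNode
   * @param keyFactory supplies the data-transfer encryption key (assumed to be
   *        obtained from an existing DFSClient, which implements this interface)
   * @param accessToken block access token for the block being read or written
   * @param datanodeId identity of the destination DataNode
   * @param fallbackToSimpleAuth flag shared with the RPC layer; true forces simple auth
   * @param timeoutMillis socket read/write timeout
   */
  public static IOStreamPair negotiate(Configuration conf,
                                       Socket socket,
                                       DataEncryptionKeyFactory keyFactory,
                                       Token<BlockTokenIdentifier> accessToken,
                                       DatanodeID datanodeId,
                                       AtomicBoolean fallbackToSimpleAuth,
                                       int timeoutMillis) throws IOException {
    // Resolver for SASL properties (requested QOP etc.) derived from the configuration.
    SaslPropertiesResolver saslPropsResolver = SaslPropertiesResolver.getInstance(conf);
    // Resolver that decides which peer addresses are trusted and may skip SASL.
    TrustedChannelResolver trustedChannelResolver = TrustedChannelResolver.getInstance(conf);

    // Four-argument constructor: the shared flag lets this client downgrade to simple
    // auth when the RPC layer already did.
    SaslDataTransferClient saslClient = new SaslDataTransferClient(
        conf, saslPropsResolver, trustedChannelResolver, fallbackToSimpleAuth);

    OutputStream rawOut = NetUtils.getOutputStream(socket, timeoutMillis);
    InputStream rawIn = NetUtils.getInputStream(socket, timeoutMillis);

    // newSocketSend performs the handshake only if configuration and peer require it,
    // and returns streams that apply the negotiated QOP (integrity or privacy).
    IOStreamPair protectedStreams = saslClient.newSocketSend(
        socket, rawOut, rawIn, keyFactory, accessToken, datanodeId);

    // Defender's check: a downgrade to simple auth is worth surfacing in logs or
    // metrics rather than silently sending block data without SASL protection.
    if (fallbackToSimpleAuth.get()) {
      System.err.println("WARNING: data transfer to " + datanodeId
          + " negotiated with simple auth (fallback flag set)");
    }
    return protectedStreams;
  }
}
```

All subsequent DataTransferProtocol reads and writes go through protectedStreams.in and protectedStreams.out, never through rawIn and rawOut. With dfs.data.transfer.protection set to privacy (a standard HDFS setting, not documented on this page), the negotiated streams encrypt the block data; with the three-argument constructor the fallback check above is unavailable, which is why the four-argument form is the better fit for clients that talk to DataNodes outside their own security configuration.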