org.apache.hadoop.hdfs.security.token.block
Class BlockTokenSecretManager

java.lang.Object
  extended by org.apache.hadoop.security.token.SecretManager<BlockTokenIdentifier>
      extended by org.apache.hadoop.hdfs.security.token.block.BlockTokenSecretManager

@InterfaceAudience.Private
public class BlockTokenSecretManager
extends org.apache.hadoop.security.token.SecretManager<BlockTokenIdentifier>

BlockTokenSecretManager can be instantiated in two modes: master mode and slave mode. A master can generate new block keys and export them to slaves, while slaves can only import and use block keys received from the master. Both master and slave can generate and verify block tokens. Typically, master mode is used by the NameNode (NN) and slave mode by the DataNodes (DN).
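The key flow described above, sketched as an added example (not code from the Hadoop project). It assumes `Block` is `org.apache.hadoop.hdfs.protocol.Block` with a `(blockId, length, generationStamp)` constructor, that `AccessMode` has `READ` and `WRITE` constants, and that both intervals are in milliseconds; the class name, user name and block values are constructed.

```java
import java.util.EnumSet;
import org.apache.hadoop.hdfs.protocol.Block; // assumed package for Block
import org.apache.hadoop.hdfs.security.token.block.BlockTokenIdentifier;
import org.apache.hadoop.hdfs.security.token.block.BlockTokenSecretManager;
import org.apache.hadoop.hdfs.security.token.block.BlockTokenSecretManager.AccessMode;
import org.apache.hadoop.security.token.SecretManager.InvalidToken;
import org.apache.hadoop.security.token.Token;

public class BlockTokenFlowExample { // hypothetical class name
  // True if the slave-side manager accepts the token for this request.
  static boolean allowed(BlockTokenSecretManager slave,
                         Token<BlockTokenIdentifier> token,
                         String userId, Block block, AccessMode mode) {
    try {
      // Pass the whole Token: the identifier-only overload is documented as
      // not checking the token password.
      slave.checkAccess(token, userId, block, mode);
      return true;
    } catch (InvalidToken e) {
      return false;
    }
  }

  public static void main(String[] args) throws Exception {
    long keyUpdateInterval = 10 * 60 * 1000L; // constructed; assumed milliseconds
    long tokenLifetime = 10 * 60 * 1000L;     // constructed; assumed milliseconds

    // Master (NN side) generates block keys; slave (DN side) only imports them.
    BlockTokenSecretManager master =
        new BlockTokenSecretManager(true, keyUpdateInterval, tokenLifetime);
    BlockTokenSecretManager slave =
        new BlockTokenSecretManager(false, keyUpdateInterval, tokenLifetime);
    slave.setKeys(master.exportKeys());

    Block block = new Block(1001L, 0L, 1L); // constructed id, length, gen stamp
    Block other = new Block(1002L, 0L, 1L); // a block the token does not cover

    // Read-only token for one user on one block, issued by the master.
    Token<BlockTokenIdentifier> token =
        master.generateToken("alice", block, EnumSet.of(AccessMode.READ));

    System.out.println("READ  same block:  "
        + allowed(slave, token, "alice", block, AccessMode.READ));
    System.out.println("WRITE same block:  "
        + allowed(slave, token, "alice", block, AccessMode.WRITE));
    System.out.println("READ  other block: "
        + allowed(slave, token, "alice", other, AccessMode.READ));
    System.out.println("READ  other user:  "
        + allowed(slave, token, "bob", block, AccessMode.READ));
  }
}
```

Only the first request falls within what the token grants; the other three differ from it in mode, block or user. After the master calls `updateKeys()`, the slave needs a fresh `setKeys(master.exportKeys())` to keep accepting newly issued tokens.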


Nested Class Summary
static class BlockTokenSecretManager.AccessMode
           
 
Nested classes/interfaces inherited from class org.apache.hadoop.security.token.SecretManager
org.apache.hadoop.security.token.SecretManager.InvalidToken
 
Field Summary
static org.apache.hadoop.security.token.Token<BlockTokenIdentifier> DUMMY_TOKEN
           
static org.apache.commons.logging.Log LOG
           
 
Constructor Summary
BlockTokenSecretManager(boolean isMaster, long keyUpdateInterval, long tokenLifetime)
          Constructor
 
Method Summary
 void checkAccess(BlockTokenIdentifier id, String userId, Block block, BlockTokenSecretManager.AccessMode mode)
          Check if access should be allowed.
 void checkAccess(org.apache.hadoop.security.token.Token<BlockTokenIdentifier> token, String userId, Block block, BlockTokenSecretManager.AccessMode mode)
          Check if access should be allowed.
 BlockTokenIdentifier createIdentifier()
          Create an empty block token identifier
protected  byte[] createPassword(BlockTokenIdentifier identifier)
          Create a new password/secret for the given block token identifier.
 ExportedBlockKeys exportKeys()
          Export block keys, only to be used in master mode
 org.apache.hadoop.security.token.Token<BlockTokenIdentifier> generateToken(Block block, EnumSet<BlockTokenSecretManager.AccessMode> modes)
          Generate a block token for current user
 org.apache.hadoop.security.token.Token<BlockTokenIdentifier> generateToken(String userId, Block block, EnumSet<BlockTokenSecretManager.AccessMode> modes)
          Generate a block token for a specified user
 byte[] retrievePassword(BlockTokenIdentifier identifier)
          Look up the token password/secret for the given block token identifier.
 void setKeys(ExportedBlockKeys exportedKeys)
          Set block keys, only to be used in slave mode
 void setTokenLifetime(long tokenLifetime)
          Set token lifetime.
 void updateKeys()
          Update block keys, only to be used in master mode
 
Methods inherited from class org.apache.hadoop.security.token.SecretManager
createPassword, createSecretKey, generateSecret
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

LOG

public static final org.apache.commons.logging.Log LOG

DUMMY_TOKEN

public static final org.apache.hadoop.security.token.Token<BlockTokenIdentifier> DUMMY_TOKEN
Constructor Detail

BlockTokenSecretManager

public BlockTokenSecretManager(boolean isMaster,
                               long keyUpdateInterval,
                               long tokenLifetime)
                        throws IOException
Constructor

Parameters:
isMaster -
keyUpdateInterval -
tokenLifetime -
Throws:
IOException
Method Detail

exportKeys

public ExportedBlockKeys exportKeys()
Export block keys, only to be used in master mode


setKeys

public void setKeys(ExportedBlockKeys exportedKeys)
             throws IOException
Set block keys, only to be used in slave mode

Throws:
IOException

updateKeys

public void updateKeys()
                throws IOException
Update block keys, only to be used in master mode

Throws:
IOException

generateToken

public org.apache.hadoop.security.token.Token<BlockTokenIdentifier> generateToken(Block block,
                                                                                  EnumSet<BlockTokenSecretManager.AccessMode> modes)
                                                                           throws IOException
Generate a block token for current user

Throws:
IOException

generateToken

public org.apache.hadoop.security.token.Token<BlockTokenIdentifier> generateToken(String userId,
                                                                                  Block block,
                                                                                  EnumSet<BlockTokenSecretManager.AccessMode> modes)
                                                                           throws IOException
Generate a block token for a specified user

Throws:
IOException

checkAccess

public void checkAccess(BlockTokenIdentifier id,
                        String userId,
                        Block block,
                        BlockTokenSecretManager.AccessMode mode)
                 throws org.apache.hadoop.security.token.SecretManager.InvalidToken
Check if access should be allowed. userId is not checked if null. This method does not check whether the token password is correct. It should be used only when the token password has already been verified (e.g., in the RPC layer).

Throws:
org.apache.hadoop.security.token.SecretManager.InvalidToken

checkAccess

public void checkAccess(org.apache.hadoop.security.token.Token<BlockTokenIdentifier> token,
                        String userId,
                        Block block,
                        BlockTokenSecretManager.AccessMode mode)
                 throws org.apache.hadoop.security.token.SecretManager.InvalidToken
Check if access should be allowed. userId is not checked if null.

Throws:
org.apache.hadoop.security.token.SecretManager.InvalidToken

setTokenLifetime

public void setTokenLifetime(long tokenLifetime)
Set token lifetime.


createIdentifier

public BlockTokenIdentifier createIdentifier()
Create an empty block token identifier

Specified by:
createIdentifier in class org.apache.hadoop.security.token.SecretManager<BlockTokenIdentifier>
Returns:
a newly created empty block token identifier

createPassword

protected byte[] createPassword(BlockTokenIdentifier identifier)
Create a new password/secret for the given block token identifier.

Specified by:
createPassword in class org.apache.hadoop.security.token.SecretManager<BlockTokenIdentifier>
Parameters:
identifier - the block token identifier
Returns:
token password/secret

retrievePassword

public byte[] retrievePassword(BlockTokenIdentifier identifier)
                        throws org.apache.hadoop.security.token.SecretManager.InvalidToken
Look up the token password/secret for the given block token identifier.

Specified by:
retrievePassword in class org.apache.hadoop.security.token.SecretManager<BlockTokenIdentifier>
Parameters:
identifier - the block token identifier to look up
Returns:
token password/secret as byte[]
Throws:
org.apache.hadoop.security.token.SecretManager.InvalidToken


Copyright © 2009 The Apache Software Foundation