From ac5d899d40d7b50ba73c400a708f59fb128e6e30 Mon Sep 17 00:00:00 2001
From: Steve Loughran
Date: Tue, 9 Jun 2020 14:39:06 +0100
Subject: [PATCH] HADOOP-17050 S3A to support additional token issuers Contributed by Steve Loughran. S3A delegation token providers will be asked for any additional token issuers, an array can be returned, each one will be asked for tokens when DelegationTokenIssuer collects all the tokens for a filesystem.
---
 .../apache/hadoop/fs/s3a/S3AFileSystem.java | 20 +++++++++++++++++++
 .../auth/delegation/S3ADelegationTokens.java | 14 +++++++++++++
 2 files changed, 34 insertions(+)
diff --git a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/S3AFileSystem.java b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/S3AFileSystem.java
index 6d2b3a84ca..fa0251aa73 100644
--- a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/S3AFileSystem.java
+++ b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/S3AFileSystem.java
@@ -114,6 +114,7 @@
 import org.apache.hadoop.fs.s3a.select.InternalSelectConstants;
 import org.apache.hadoop.io.IOUtils;
 import org.apache.hadoop.io.Text;
+import org.apache.hadoop.security.token.DelegationTokenIssuer;
 import org.apache.hadoop.security.token.TokenIdentifier;
 import org.apache.hadoop.util.DurationInfo;
 import org.apache.hadoop.util.LambdaUtils;
@@ -3377,6 +3378,25 @@ public Token getDelegationToken(String renewer)
 }
 }
+ /**
+ * Ask any DT plugin for any extra token issuers.
+ * These do not get told of the encryption secrets and can
+ * return any type of token.
+ * This allows DT plugins to issue extra tokens for
+ * ancillary services.
+ */
+ @Override
+ public DelegationTokenIssuer[] getAdditionalTokenIssuers()
+ throws IOException {
+ if (delegationTokens.isPresent()) {
+ return delegationTokens.get().getAdditionalTokenIssuers();
+ } else {
+ // Delegation token support is not set up
+ LOG.debug("Token support is not enabled");
+ return null;
+ }
+ }
+
 /**
 * Build the AWS policy for restricted access to the resources needed
 * by this bucket.
diff --git a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/S3ADelegationTokens.java b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/S3ADelegationTokens.java
index 5005436c82..ef0b129e6e 100644
--- a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/S3ADelegationTokens.java
+++ b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/S3ADelegationTokens.java
@@ -40,6 +40,7 @@
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.token.DelegationTokenIssuer;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.service.ServiceOperations;
 import org.apache.hadoop.util.DurationInfo;
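Review bot: The Javadoc on the new `getAdditionalTokenIssuers()` override in S3AFileSystem documents neither its return value nor the declared `IOException`, while the sibling method added to S3ADelegationTokens in this same patch does; a caller needs to know that `null` here means delegation-token support is switched off rather than an error. I would add `@return the issuers offered by the DT binding, or null if delegation token support is not enabled` and `@throws IOException failure in the DT binding`. The `else` after `return` is also unnecessary and the method reads flatter without it. The enclosing class continues outside the hunk on both sides.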
@@ -447,6 +448,19 @@ private void noteTokenCreated(final Token token) {
 stats.tokenIssued();
 }
+ /**
+ * Get a null/possibly empty list of extra delegation token issuers.
+ * These will be asked for tokens when
+ * {@link DelegationTokenIssuer#getAdditionalTokenIssuers()} recursively
+ * collects all DTs a filesystem can offer.
+ * @return a null or empty array. Default implementation: null
+ * @throws IOException failure
+ */
+ public DelegationTokenIssuer[] getAdditionalTokenIssuers()
+ throws IOException {
+ return null;
+ }
+
 /**
 * Get the AWS credential provider.
 * @return the DT credential provider
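Review bot: The Javadoc on the new `getAdditionalTokenIssuers()` calls the result a "list" although the method returns an array, and the `{@link DelegationTokenIssuer#getAdditionalTokenIssuers()}` points at the per-issuer hook rather than at the code that performs the recursive collection, which as far as I can tell lives in `DelegationTokenIssuer.collectDelegationTokens`; that link is worth checking. I would reword the first sentence to `Get a null or possibly empty array of extra delegation token issuers.` and link the collector instead. Returning `null` by default matches the `DelegationTokenIssuer` contract, but it means every caller, including the S3AFileSystem override in this patch, has to null-check, so subclasses overriding this should keep to the documented `@return a null or empty array` and never return an array containing null entries. The enclosing class continues outside the hunk on both sides.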