HDFS-10683. Make class Token$PrivateToken private. Contributed by John Zhuge.

Wei-Chiu Chuang 2016-10-05 17:35:43 -07:00
parent e68c7b96c7
commit c5ca216915
5 changed files with 61 additions and 20 deletions


@ -104,12 +104,8 @@ public void addToken(Text alias, Token<? extends TokenIdentifier> t) {
for (Map.Entry<Text, Token<? extends TokenIdentifier>> e : for (Map.Entry<Text, Token<? extends TokenIdentifier>> e :
tokenMap.entrySet()) { tokenMap.entrySet()) {
Token<? extends TokenIdentifier> token = e.getValue(); Token<? extends TokenIdentifier> token = e.getValue();
if (token instanceof Token.PrivateToken && if (token.isPrivateCloneOf(alias)) {
((Token.PrivateToken) token).getPublicService().equals(alias)) { tokensToAdd.put(e.getKey(), t.privateClone(token.getService()));
Token<? extends TokenIdentifier> privateToken =
new Token.PrivateToken<>(t);
privateToken.setService(token.getService());
tokensToAdd.put(e.getKey(), privateToken);
} }
} }
tokenMap.putAll(tokensToAdd); tokenMap.putAll(tokensToAdd);


@ -1584,7 +1584,7 @@ public Credentials getCredentials() {
Credentials creds = new Credentials(getCredentialsInternal()); Credentials creds = new Credentials(getCredentialsInternal());
Iterator<Token<?>> iter = creds.getAllTokens().iterator(); Iterator<Token<?>> iter = creds.getAllTokens().iterator();
while (iter.hasNext()) { while (iter.hasNext()) {
if (iter.next() instanceof Token.PrivateToken) { if (iter.next().isPrivate()) {
iter.remove(); iter.remove();
} }
} }


@ -222,23 +222,67 @@ public void setService(Text newService) {
service = newService; service = newService;
} }
/**
* Whether this is a private token.
* @return false always for non-private tokens
*/
public boolean isPrivate() {
return false;
}
/**
* Whether this is a private clone of a public token.
* @param thePublicService the public service name
* @return false always for non-private tokens
*/
public boolean isPrivateCloneOf(Text thePublicService) {
return false;
}
/**
* Create a private clone of a public token.
* @param newService the new service name
* @return a private token
*/
public Token<T> privateClone(Text newService) {
return new PrivateToken<>(this, newService);
}
/** /**
* Indicates whether the token is a clone. Used by HA failover proxy * Indicates whether the token is a clone. Used by HA failover proxy
* to indicate a token should not be visible to the user via * to indicate a token should not be visible to the user via
* UGI.getCredentials() * UGI.getCredentials()
*/ */
@InterfaceAudience.Private static class PrivateToken<T extends TokenIdentifier> extends Token<T> {
@InterfaceStability.Unstable
public static class PrivateToken<T extends TokenIdentifier> extends Token<T> {
final private Text publicService; final private Text publicService;
public PrivateToken(Token<T> token) { PrivateToken(Token<T> publicToken, Text newService) {
super(token); super(publicToken.identifier, publicToken.password, publicToken.kind,
publicService = new Text(token.getService()); newService);
assert !publicToken.isPrivate();
publicService = publicToken.service;
if (LOG.isDebugEnabled()) {
LOG.debug("Cloned private token " + this + " from " + publicToken);
}
} }
public Text getPublicService() { /**
return publicService; * Whether this is a private token.
* @return true always for private tokens
*/
@Override
public boolean isPrivate() {
return true;
}
/**
* Whether this is a private clone of a public token.
* @param thePublicService the public service name
* @return true when the public service is the same as specified
*/
@Override
public boolean isPrivateCloneOf(Text thePublicService) {
return publicService.equals(thePublicService);
} }
@Override @Override
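Review bot: The only guard against cloning an already-private token is `assert !publicToken.isPrivate();` in the PrivateToken constructor, and Java assertions are disabled unless the JVM runs with -ea, so in production a clone of a clone would be built with publicService set to the first clone's service rather than the public one. Since `privateClone` is public and is not overridden in PrivateToken, an explicit check such as `if (publicToken.isPrivate()) { throw new IllegalArgumentException("Cannot clone a private token"); }` would enforce the invariant for every caller, including Credentials.addToken and cloneDelegationTokenForLogicalUri. The constructor also appears to keep `publicToken.service` by reference where the earlier code copied it. `Text` is mutable, so `publicService = new Text(publicToken.service);` would keep isPrivateCloneOf stable if the source token's service object is later modified in place. The class body continues past the end of this section.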


@ -890,8 +890,10 @@ public void testPrivateTokenExclusion() throws Exception {
ugi.addToken(new Text("regular-token"), token); ugi.addToken(new Text("regular-token"), token);
// Now add cloned private token // Now add cloned private token
ugi.addToken(new Text("private-token"), new Token.PrivateToken<TestTokenIdentifier>(token)); Text service = new Text("private-token");
ugi.addToken(new Text("private-token1"), new Token.PrivateToken<TestTokenIdentifier>(token)); ugi.addToken(service, token.privateClone(service));
Text service1 = new Text("private-token1");
ugi.addToken(service1, token.privateClone(service1));
// Ensure only non-private tokens are returned // Ensure only non-private tokens are returned
Collection<Token<? extends TokenIdentifier>> tokens = ugi.getCredentials().getAllTokens(); Collection<Token<? extends TokenIdentifier>> tokens = ugi.getCredentials().getAllTokens();
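Review bot: The updated lines still verify only that private clones are filtered out of `ugi.getCredentials()`; nothing visible here asserts `isPrivate()` or `isPrivateCloneOf(...)` on the clones themselves. With PrivateToken apparently no longer visible outside its package, those two predicates are the only way callers can tell a clone from a public token, so a direct check such as `assertTrue(token.privateClone(service).isPrivate());` and `assertFalse(token.isPrivate());` would pin the contract that the credential filtering depends on. The test method continues outside the hunk, so later lines may already cover part of this.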


@ -29,6 +29,7 @@
import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_SERVICE_RPC_ADDRESS_KEY; import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_SERVICE_RPC_ADDRESS_KEY;
import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_SERVICE_RPC_BIND_HOST_KEY; import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_SERVICE_RPC_BIND_HOST_KEY;
import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_SHARED_EDITS_DIR_KEY; import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_SHARED_EDITS_DIR_KEY;
import static org.apache.hadoop.security.SecurityUtil.buildTokenService;
import java.io.IOException; import java.io.IOException;
import java.net.InetSocketAddress; import java.net.InetSocketAddress;
@ -56,7 +57,6 @@
import org.apache.hadoop.ipc.RPC; import org.apache.hadoop.ipc.RPC;
import org.apache.hadoop.ipc.RemoteException; import org.apache.hadoop.ipc.RemoteException;
import org.apache.hadoop.ipc.StandbyException; import org.apache.hadoop.ipc.StandbyException;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.Token;
@ -281,8 +281,7 @@ public static void cloneDelegationTokenForLogicalUri(
// exposed to the user via UGI.getCredentials(), otherwise these // exposed to the user via UGI.getCredentials(), otherwise these
// cloned tokens may be inadvertently propagated to jobs // cloned tokens may be inadvertently propagated to jobs
Token<DelegationTokenIdentifier> specificToken = Token<DelegationTokenIdentifier> specificToken =
new Token.PrivateToken<DelegationTokenIdentifier>(haToken); haToken.privateClone(buildTokenService(singleNNAddr));
SecurityUtil.setTokenService(specificToken, singleNNAddr);
Text alias = new Text( Text alias = new Text(
HAUtilClient.buildTokenServicePrefixForLogicalUri( HAUtilClient.buildTokenServicePrefixForLogicalUri(
HdfsConstants.HDFS_URI_SCHEME) HdfsConstants.HDFS_URI_SCHEME)