Class GcsDelegationTokens
- java.lang.Object
  - org.apache.hadoop.service.AbstractService
    - com.google.cloud.hadoop.fs.gcs.auth.GcsDelegationTokens

All Implemented Interfaces:
Closeable, AutoCloseable, org.apache.hadoop.service.Service

public class GcsDelegationTokens extends org.apache.hadoop.service.AbstractService

Manages delegation tokens for a file system.

Constructor Summary
- GcsDelegationTokens()

Method Summary
- void bindToAnyDelegationToken()
  Attempt to bind to any existing DT, including unmarshalling its contents and creating the GCP credentials provider used to authenticate the client.
- void bindToDelegationToken(org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> token)
  Bind to a delegation token retrieved for this filesystem.
- void bindToFileSystem(GoogleHadoopFileSystem fileSystem, org.apache.hadoop.io.Text service)
  Bind to the filesystem.
- AccessTokenProvider deployUnbonded()
  Perform the unbonded deployment operations.
- static org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier extractIdentifier(org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> token)
  From a token, get the session token identifier.
- AccessTokenProvider getAccessTokenProvider()
- org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> getBoundDT()
  Get any bound DT.
- org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> getBoundOrNewDT(String renewer)
  Get any bound DT or create a new one.
- org.apache.hadoop.io.Text getService()
- boolean isBoundToDT()
  Predicate: is there a bound DT?
- org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> selectTokenFromFsOwner()
  Find a token for the FS user and service name.
- void serviceInit(org.apache.hadoop.conf.Configuration conf)
- protected void serviceStart()
- protected void serviceStop()

Methods inherited from class org.apache.hadoop.service.AbstractService
close, getBlockers, getConfig, getFailureCause, getFailureState, getLifecycleHistory, getName, getServiceState, getStartTime, init, isInState, noteFailure, putBlocker, registerGlobalListener, registerServiceListener, removeBlocker, setConfig, start, stop, toString, unregisterGlobalListener, unregisterServiceListener, waitForServiceToStop

Constructor Detail

GcsDelegationTokens
public GcsDelegationTokens() throws IOException
- Throws:
IOException

Method Detail

serviceInit
public void serviceInit(org.apache.hadoop.conf.Configuration conf)
- Overrides:
serviceInit in class org.apache.hadoop.service.AbstractService

serviceStart
protected void serviceStart() throws Exception
- Overrides:
serviceStart in class org.apache.hadoop.service.AbstractService
- Throws:
Exception

serviceStop
protected void serviceStop() throws Exception
- Overrides:
serviceStop in class org.apache.hadoop.service.AbstractService
- Throws:
Exception

getService
public org.apache.hadoop.io.Text getService()

getAccessTokenProvider
public AccessTokenProvider getAccessTokenProvider()

deployUnbonded
public AccessTokenProvider deployUnbonded() throws IOException
Perform the unbonded deployment operations. Create the GCP credentials provider chain to use when talking to GCP when there is no delegation token to work with; this provider is used for authenticating this client with GCP services, and is saved to accessTokenProvider.
- Throws:
IOException - any failure.

bindToAnyDelegationToken
public void bindToAnyDelegationToken() throws IOException
Attempt to bind to any existing DT, including unmarshalling its contents and creating the GCP credentials provider used to authenticate the client. If successful:
- boundDT is set to the retrieved token.
- accessTokenProvider is set to the credentials provider(s) returned by the token binding.
Otherwise deployUnbonded() is called for the unbonded codepath instead, which will set accessTokenProvider to its value. This means that the token operations can be invoked after this call, and only after it.
- Throws:
IOException - selection/extraction/validation failure.

selectTokenFromFsOwner
public org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> selectTokenFromFsOwner() throws IOException
Find a token for the FS user and service name.
- Returns:
the token, or null if one cannot be found.
- Throws:
IOException - on a failure to unmarshall the token.

bindToFileSystem
public void bindToFileSystem(GoogleHadoopFileSystem fileSystem, org.apache.hadoop.io.Text service)
Bind to the filesystem. Subclasses can use this to perform their own binding operations, but they must always call their superclass implementation. This must be called before calling init().
Important: this binding happens during FileSystem.initialize(); the FS is not yet live for actual use and will not yet have interacted with GCS services.
- Parameters:
fileSystem - owning FS.

bindToDelegationToken
public void bindToDelegationToken(org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> token) throws IOException
Bind to a delegation token retrieved for this filesystem. Extract the secrets from the token and set internal fields to the values.
- boundDT is set to token.
- accessTokenProvider is set to the credentials provider(s) returned by the token binding.
- Parameters:
token - token to decode and bind to.
- Throws:
IOException - selection/extraction/validation failure.

isBoundToDT
public boolean isBoundToDT()
Predicate: is there a bound DT?
- Returns:
true if there's a value in boundDT.

getBoundDT
public org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> getBoundDT()
Get any bound DT.
- Returns:
a delegation token if this instance was bound to it.

getBoundOrNewDT
public org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> getBoundOrNewDT(String renewer) throws IOException
Get any bound DT or create a new one.
- Returns:
a delegation token.
- Throws:
IOException - if one cannot be created.

extractIdentifier
public static org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier extractIdentifier(org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> token) throws IOException
From a token, get the session token identifier.
- Parameters:
token - token to process.
- Returns:
the session token identifier.
- Throws:
IOException - failure to validate/read data encoded in the identifier.
IllegalArgumentException - if the token isn't a GCP session token.
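
The binding order required by bindToFileSystem() and bindToAnyDelegationToken(), together with the validation that extractIdentifier() performs, as an added example that is not part of the connector's own code. In the connector itself this sequence runs inside FileSystem.initialize(); the example simply drives it explicitly so the ordering and the two failure modes of extractIdentifier() are visible. It assumes GoogleHadoopFileSystem lives in com.google.cloud.hadoop.fs.gcs, that the caller already holds an initialized filesystem and a Configuration, and that DelegationTokenIdentifier exposes the standard Hadoop AbstractDelegationTokenIdentifier accessors (getOwner, getRenewer, getMaxDate); the service name is a constructed placeholder.

```java
import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier;
import com.google.cloud.hadoop.fs.gcs.GoogleHadoopFileSystem; // assumed package
import com.google.cloud.hadoop.fs.gcs.auth.GcsDelegationTokens;

/**
 * Added example, not connector code: drives the GcsDelegationTokens lifecycle
 * in the order the Javadoc requires and validates a token identifier before
 * trusting it.
 */
public final class GcsDelegationTokensExample {

  /** Service name the DT is looked up under; a constructed placeholder. */
  private static final Text SERVICE = new Text("gs://example-bucket");

  /**
   * Sets up the token manager for a filesystem the caller already owns.
   * Order matters: bindToFileSystem() must precede init(), and the token
   * operations are only usable after bindToAnyDelegationToken() returns.
   */
  static GcsDelegationTokens bindForFileSystem(
      GoogleHadoopFileSystem fs, Configuration conf) throws IOException {
    GcsDelegationTokens tokens = new GcsDelegationTokens();
    tokens.bindToFileSystem(fs, SERVICE); // must be called before init()
    tokens.init(conf);                    // AbstractService lifecycle
    tokens.start();                       // runs serviceStart()
    // Binds to an existing DT (setting boundDT and accessTokenProvider) or
    // falls back to deployUnbonded(); only afterwards may token operations run.
    tokens.bindToAnyDelegationToken();
    return tokens;
  }

  /** Describes which authentication path was selected, for logging or audit. */
  static String describeBinding(GcsDelegationTokens tokens) throws IOException {
    if (tokens.isBoundToDT()) {
      Token<DelegationTokenIdentifier> dt = tokens.getBoundDT();
      DelegationTokenIdentifier id = GcsDelegationTokens.extractIdentifier(dt);
      return "bound to DT owner=" + id.getOwner()
          + " renewer=" + id.getRenewer()
          + " maxDate=" + id.getMaxDate()
          + " service=" + dt.getService();
    }
    return "unbonded; credentials from "
        + tokens.getAccessTokenProvider().getClass().getName();
  }

  /**
   * Checks a token taken from an untrusted place (for example a job's
   * credential set) before binding to it. extractIdentifier() throws
   * IllegalArgumentException for a token that is not a GCP session token
   * and IOException when the encoded identifier cannot be read; both are
   * treated as "not usable" rather than propagated.
   */
  static boolean isUsableGcpToken(
      Token<? extends DelegationTokenIdentifier> token, long nowMillis) {
    try {
      DelegationTokenIdentifier id = GcsDelegationTokens.extractIdentifier(token);
      // Reject identifiers whose maximum lifetime has already passed.
      return id.getMaxDate() > nowMillis;
    } catch (IllegalArgumentException | IOException e) {
      return false;
    }
  }
}
```

Calling bindForFileSystem() before the filesystem has been initialized mirrors the Javadoc's note that binding happens while the FS is not yet live; describeBinding() distinguishes the bound and unbonded paths so an operator can confirm in logs which credentials a client is actually using.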