Class GcsDelegationTokens

  • All Implemented Interfaces:
    Closeable, AutoCloseable, org.apache.hadoop.service.Service

    public class GcsDelegationTokens
    extends org.apache.hadoop.service.AbstractService
    Manages delegation tokens for the filesystem.
    • Nested Class Summary

      • Nested classes/interfaces inherited from interface org.apache.hadoop.service.Service

        org.apache.hadoop.service.Service.STATE
    • Method Summary

      Modifier and Type Method Description
      void bindToAnyDelegationToken()
      Attempt to bind to any existing DT, including unmarshalling its contents and creating the GCP credentials provider used to authenticate the client.
      void bindToDelegationToken​(org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> token)
      Bind to a delegation token retrieved for this filesystem.
      void bindToFileSystem​(GoogleHadoopFileSystem fileSystem, org.apache.hadoop.io.Text service)
      Bind to the filesystem.
      AccessTokenProvider deployUnbonded()
      Perform the unbonded deployment operations.
      static org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier extractIdentifier​(org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> token)
      From a token, get the session token identifier.
      AccessTokenProvider getAccessTokenProvider()  
      org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> getBoundDT()
      Get any bound DT.
      org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> getBoundOrNewDT​(String renewer)
      Get any bound DT or create a new one.
      org.apache.hadoop.io.Text getService()  
      boolean isBoundToDT()
      Predicate: is there a bound DT?
      org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> selectTokenFromFsOwner()
      Find a token for the FS user and service name.
      void serviceInit​(org.apache.hadoop.conf.Configuration conf)  
      protected void serviceStart()  
      protected void serviceStop()  
      • Methods inherited from class org.apache.hadoop.service.AbstractService

        close, getBlockers, getConfig, getFailureCause, getFailureState, getLifecycleHistory, getName, getServiceState, getStartTime, init, isInState, noteFailure, putBlocker, registerGlobalListener, registerServiceListener, removeBlocker, setConfig, start, stop, toString, unregisterGlobalListener, unregisterServiceListener, waitForServiceToStop
    • Method Detail

      • serviceInit

        public void serviceInit​(org.apache.hadoop.conf.Configuration conf)
        Overrides:
        serviceInit in class org.apache.hadoop.service.AbstractService
      • serviceStart

        protected void serviceStart()
                             throws Exception
        Overrides:
        serviceStart in class org.apache.hadoop.service.AbstractService
        Throws:
        Exception
      • serviceStop

        protected void serviceStop()
                            throws Exception
        Overrides:
        serviceStop in class org.apache.hadoop.service.AbstractService
        Throws:
        Exception
      • getService

        public org.apache.hadoop.io.Text getService()
      • deployUnbonded

        public AccessTokenProvider deployUnbonded()
                                           throws IOException
        Perform the unbonded deployment operations: create the GCP credentials provider chain used to authenticate this client with GCP services when there is no delegation token to work with, and save it to accessTokenProvider.
        Throws:
        IOException - any failure.
      • bindToAnyDelegationToken

        public void bindToAnyDelegationToken()
                                      throws IOException
        Attempt to bind to any existing DT, including unmarshalling its contents and creating the GCP credentials provider used to authenticate the client.

        If successful:

        1. boundDT is set to the retrieved token.
        2. accessTokenProvider is set to the credentials provider(s) returned by the token binding.
        If unsuccessful, deployUnbonded() is called for the unbonded codepath instead, which will set accessTokenProvider to its value.

        This means after this call (and only after) the token operations can be invoked.

        Throws:
        IOException - selection/extraction/validation failure.
      • selectTokenFromFsOwner

        public org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> selectTokenFromFsOwner()
                                                                                                                                                 throws IOException
        Find a token for the FS user and service name.
        Returns:
        the token, or null if one cannot be found.
        Throws:
        IOException - on a failure to unmarshall the token.
      • bindToFileSystem

        public void bindToFileSystem​(GoogleHadoopFileSystem fileSystem,
                                     org.apache.hadoop.io.Text service)
        Bind to the filesystem. Subclasses can use this to perform their own binding operations, but they must always call their superclass implementation. This must be called before init().

        Important: This binding will happen during FileSystem.initialize(); the FS is not live for actual use and will not yet have interacted with GCS services.

        Parameters:
        fileSystem - owning FS.
      • bindToDelegationToken

        public void bindToDelegationToken​(org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> token)
                                   throws IOException
        Bind to a delegation token retrieved for this filesystem. Extract the secrets from the token and set internal fields to the values.
        1. boundDT is set to token.
        2. accessTokenProvider is set to the credentials provider(s) returned by the token binding.
        Parameters:
        token - token to decode and bind to.
        Throws:
        IOException - selection/extraction/validation failure.
      • isBoundToDT

        public boolean isBoundToDT()
        Predicate: is there a bound DT?
        Returns:
        true if there's a value in boundDT.
      • getBoundDT

        public org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> getBoundDT()
        Get any bound DT.
        Returns:
        a delegation token if this instance was bound to it.
      • getBoundOrNewDT

        public org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> getBoundOrNewDT​(String renewer)
                                                                                                                                          throws IOException
        Get any bound DT or create a new one.
        Returns:
        a delegation token.
        Throws:
        IOException - if one cannot be created
      • extractIdentifier

        public static org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier extractIdentifier​(org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> token)
                                                                                                           throws IOException
        From a token, get the session token identifier.
        Parameters:
        token - token to process
        Returns:
        the session token identifier
        Throws:
        IOException - failure to validate/read data encoded in identifier.
        IllegalArgumentException - if the token isn't a GCP session token
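
        The following is an added example, not code from the connector itself. It drives GcsDelegationTokens through the lifecycle described under bindToFileSystem (bind before init()), bindToAnyDelegationToken (bound versus unbonded path) and extractIdentifier (validating a token before trusting it), and shows how a minted token is published to the caller's Hadoop credentials so that the next filesystem instance binds to it via selectTokenFromFsOwner. Assumptions not stated on this page: the class has a public no-argument constructor, it lives in com.google.cloud.hadoop.fs.gcs.auth, the service name is the filesystem URI as Text, the binding class is configured under fs.gs.delegation.token.binding, and the renewer principal, bucket and binding class name are placeholders.

```java
import java.io.IOException;
import java.net.URI;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier;

import com.google.cloud.hadoop.fs.gcs.GoogleHadoopFileSystem;
import com.google.cloud.hadoop.fs.gcs.auth.GcsDelegationTokens;

/**
 * Added example, not the connector's own code. Assumptions: public no-arg constructor on
 * GcsDelegationTokens, package com.google.cloud.hadoop.fs.gcs.auth, service name == FS URI,
 * binding configured via "fs.gs.delegation.token.binding".
 */
public class GcsDelegationTokensExample {

  /** Placeholder renewer principal; use the real YARN RM principal in practice. */
  private static final String RENEWER = "yarn/rm@EXAMPLE.COM";

  /**
   * Bind to the FS, then either reuse a DT already present in the caller's credentials
   * or mint a new one through the configured binding. Returns the token to ship onward.
   */
  static Token<DelegationTokenIdentifier> bindAndObtainToken(
      GoogleHadoopFileSystem fs, Text service, Configuration conf) throws Exception {
    GcsDelegationTokens tokens = new GcsDelegationTokens(); // assumed no-arg constructor

    // Ordering matters: bindToFileSystem() must precede init(). The FS is not yet live
    // at this point and has not interacted with GCS.
    tokens.bindToFileSystem(fs, service);
    tokens.init(conf);
    tokens.start();
    try {
      // Looks for a DT owned by the FS user under 'service'. If found, boundDT and
      // accessTokenProvider are taken from the token; otherwise deployUnbonded() builds the
      // normal GCP credentials chain. Token operations are only legal after this call.
      tokens.bindToAnyDelegationToken();

      if (tokens.isBoundToDT()) {
        // Already running under a delegated identity: reuse it rather than minting again.
        return tokens.getBoundDT();
      }

      // Unbonded path: mint a new DT. Its identifier carries GCP credential material,
      // so the Token object must be handled as a secret (Credentials files, UGI only).
      Token<DelegationTokenIdentifier> dt = tokens.getBoundOrNewDT(RENEWER);
      checkIdentifier(dt, service);
      return dt;
    } finally {
      tokens.stop();
    }
  }

  /** Checks a receiver would want to make before trusting a token it was handed. */
  static void checkIdentifier(Token<DelegationTokenIdentifier> dt, Text expectedService)
      throws IOException {
    // Throws IllegalArgumentException if this is not a GCP session token and IOException
    // if the encoded identifier cannot be unmarshalled or validated.
    DelegationTokenIdentifier id = GcsDelegationTokens.extractIdentifier(dt);

    if (!expectedService.equals(dt.getService())) {
      throw new IOException("token service " + dt.getService() + " != " + expectedService);
    }
    if (id.getMaxDate() != 0 && id.getMaxDate() < System.currentTimeMillis()) {
      throw new IOException("token for " + id.getOwner() + " expired at " + id.getMaxDate());
    }
  }

  /** Makes the token visible to any FS instance this user initialises afterwards. */
  static void publishToCurrentUser(Token<DelegationTokenIdentifier> dt) throws IOException {
    // selectTokenFromFsOwner() in the next GcsDelegationTokens instance finds the token
    // here, keyed by its service name, so bindToAnyDelegationToken() takes the bound path.
    UserGroupInformation.getCurrentUser().addToken(dt);
  }

  public static void main(String[] args) throws Exception {
    Configuration conf = new Configuration();
    // Placeholder bucket and binding class name (assumptions for this example).
    conf.set("fs.gs.delegation.token.binding", "com.example.MyGcsTokenBinding");
    URI uri = URI.create("gs://example-bucket/");

    try (GoogleHadoopFileSystem fs = (GoogleHadoopFileSystem) FileSystem.get(uri, conf)) {
      Text service = new Text(uri.toString()); // assumed service-name convention
      Token<DelegationTokenIdentifier> dt = bindAndObtainToken(fs, service, conf);
      publishToCurrentUser(dt);
      System.out.println("obtained DT for " + dt.getService() + ", kind " + dt.getKind());
    }
  }
}
```

        In production the filesystem creates and binds its own GcsDelegationTokens inside FileSystem.initialize(), so callers normally reach this flow through FileSystem.getDelegationToken(renewer) rather than by constructing the service directly; the example constructs it by hand only to make the documented ordering visible. The service-name check in checkIdentifier matters because selectTokenFromFsOwner keys its lookup on that name: a token for a different service name will never be selected, and a token selected for the wrong service would be a credential for the wrong bucket.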