com.google.cloud.hadoop.fs.gcs.auth

Class GcsDelegationTokens

java.lang.Object

org.apache.hadoop.service.AbstractService

com.google.cloud.hadoop.fs.gcs.auth.GcsDelegationTokens

All Implemented Interfaces:

Closeable, AutoCloseable, org.apache.hadoop.service.Service

public class GcsDelegationTokens
extends org.apache.hadoop.service.AbstractService

Manages delegation tokens for files system

Nested Class Summary

Nested classes/interfaces inherited from interface org.apache.hadoop.service.Service

org.apache.hadoop.service.Service.STATE

Constructor Summary

Constructors

Constructor and Description
GcsDelegationTokens()

Method Summary

Modifier and Type	Method and Description
void	bindToAnyDelegationToken() Attempt to bind to any existing DT, including unmarshalling its contents and creating the GCP credential provider used to authenticate the client.
void	bindToDelegationToken(org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> token) Bind to a delegation token retrieved for this filesystem.
void	bindToFileSystem(GoogleHadoopFileSystemBase fs, org.apache.hadoop.io.Text service) Bind to the filesystem.
AccessTokenProvider	deployUnbonded() Perform the unbonded deployment operations.
static org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier	extractIdentifier(org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> token) From a token, get the session token identifier.
AccessTokenProvider	getAccessTokenProvider()
org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier>	getBoundDT() Get any bound DT.
org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier>	getBoundOrNewDT(String renewer) Get any bound DT or create a new one.
org.apache.hadoop.io.Text	getService()
boolean	isBoundToDT() Predicate: is there a bound DT?
org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier>	selectTokenFromFsOwner() Find a token for the FS user and service name.
void	serviceInit(org.apache.hadoop.conf.Configuration conf)
protected void	serviceStart()
protected void	serviceStop()

Methods inherited from class org.apache.hadoop.service.AbstractService

close, getBlockers, getConfig, getFailureCause, getFailureState, getLifecycleHistory, getName, getServiceState, getStartTime, init, isInState, noteFailure, putBlocker, registerGlobalListener, registerServiceListener, removeBlocker, setConfig, start, stop, toString, unregisterGlobalListener, unregisterServiceListener, waitForServiceToStop

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

GcsDelegationTokens

public GcsDelegationTokens()
                    throws IOException

Throws:

IOException

Method Detail

serviceInit

public void serviceInit(org.apache.hadoop.conf.Configuration conf)
                 throws Exception

Overrides:

serviceInit in class org.apache.hadoop.service.AbstractService

Throws:

Exception

serviceStart

protected void serviceStart()
                     throws Exception

Overrides:

serviceStart in class org.apache.hadoop.service.AbstractService

Throws:

Exception

serviceStop

protected void serviceStop()
                    throws Exception

Overrides:

serviceStop in class org.apache.hadoop.service.AbstractService

Throws:

Exception

getService

public org.apache.hadoop.io.Text getService()

getAccessTokenProvider

public AccessTokenProvider getAccessTokenProvider()

deployUnbonded

public AccessTokenProvider deployUnbonded()
                                   throws IOException

Perform the unbonded deployment operations. Create the GCP credential provider chain to use when talking to GCP when there is no delegation token to work with. authenticating this client with GCP services, and saves it to accessTokenProvider

Throws:

IOException - any failure.

bindToAnyDelegationToken

public void bindToAnyDelegationToken()
                              throws IOException

Attempt to bind to any existing DT, including unmarshalling its contents and creating the GCP credential provider used to authenticate the client.

If successful:

1. boundDT is set to the retrieved token.
2. accessTokenProvider is set to the credential provider(s) returned by the token binding.

If unsuccessful, deployUnbonded() is called for the unbonded codepath instead, which will set accessTokenProvider to its value.

This means after this call (and only after) the token operations can be invoked.

Throws:

IOException - selection/extraction/validation failure.

selectTokenFromFsOwner

public org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> selectTokenFromFsOwner()
                                                                                                                                         throws IOException

Find a token for the FS user and service name.

Returns:

the token, or null if one cannot be found.

Throws:

IOException - on a failure to unmarshall the token.

bindToFileSystem

public void bindToFileSystem(GoogleHadoopFileSystemBase fs,
                             org.apache.hadoop.io.Text service)
                      throws IOException

Bind to the filesystem. Subclasses can use this to perform their own binding operations - but they must always call their superclass implementation. This Must be called before calling init().

Important: This binding will happen during FileSystem.initialize(); the FS is not live for actual use and will not yet have interacted with GCS services.

Parameters:

fs - owning FS.

Throws:

IOException - failure.

bindToDelegationToken

public void bindToDelegationToken(org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> token)
                           throws IOException

Bind to a delegation token retrieved for this filesystem. Extract the secrets from the token and set internal fields to the values.

1. boundDT is set to token.
2. accessTokenProvider is set to the credential provider(s) returned by the token binding.

Parameters:

token - token to decode and bind to.

Throws:

IOException - selection/extraction/validation failure.

isBoundToDT

public boolean isBoundToDT()

Predicate: is there a bound DT?

Returns:

true if there's a value in boundDT.

getBoundDT

public org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> getBoundDT()

Get any bound DT.

Returns:

a delegation token if this instance was bound to it.

getBoundOrNewDT

public org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> getBoundOrNewDT(String renewer)
                                                                                                                                  throws IOException

Get any bound DT or create a new one.

Returns:

a delegation token.

Throws:

IOException - if one cannot be created

extractIdentifier

public static org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier extractIdentifier(org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> token)
                                                                                                   throws IOException

From a token, get the session token identifier.

Parameters:

token - token to process

Returns:

the session token identifier

Throws:

IOException - failure to validate/read data encoded in identifier.

IllegalArgumentException - if the token isn't an GCP session token