From 2c2e77b3bbed571eb1681f158c4280be0dba2dfc Mon Sep 17 00:00:00 2001
From: Steve Loughran
Date: Thu, 24 Nov 2016 17:51:49 +0000
Subject: [PATCH] HADOOP-10776 Open up already widely-used APIs for delegation-token fetching & renewal to ecosystem projects. Contributed by Vinod Kumar Vavilapalli
---
 .../src/main/java/org/apache/hadoop/fs/FileSystem.java | 6 ++++--
 .../apache/hadoop/security/AccessControlException.java | 2 +-
 .../java/org/apache/hadoop/security/Credentials.java | 4 ++--
 .../java/org/apache/hadoop/security/SecurityUtil.java | 10 ++++++++--
 .../apache/hadoop/security/UserGroupInformation.java | 10 +++++-----
 .../security/authorize/AuthorizationException.java | 2 +-
 .../java/org/apache/hadoop/security/token/Token.java | 4 ++--
 .../delegation/AbstractDelegationTokenIdentifier.java | 2 +-
 .../AbstractDelegationTokenSecretManager.java | 2 +-
 9 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileSystem.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileSystem.java
index ab7cd6a8186..80f1d09127f 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileSystem.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileSystem.java
@@ -377,7 +377,8 @@ protected static FileSystem getFSofPath(final Path absOrFqPath,
 * if the filesystem does not implement tokens
 * @see SecurityUtil#buildDTServiceName(URI, int)
 */
- @InterfaceAudience.LimitedPrivate({ "HDFS", "MapReduce" })
+ @InterfaceAudience.Public
+ @InterfaceStability.Evolving
 public String getCanonicalServiceName() {
 return (getChildFileSystems() == null)
 ? SecurityUtil.buildDTServiceName(getUri(), getDefaultPort())
@@ -611,7 +612,8 @@ public Token getDelegationToken(String renewer) throws IOException {
 * @return list of new delegation tokens
 * @throws IOException
 */
- @InterfaceAudience.LimitedPrivate({ "HDFS", "MapReduce" })
+ @InterfaceAudience.Public
+ @InterfaceStability.Evolving
 public Token[] addDelegationTokens(
 final String renewer, Credentials credentials) throws IOException {
 if (credentials == null) {
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AccessControlException.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AccessControlException.java
index 5f0faa68800..aff28060d93 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AccessControlException.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AccessControlException.java
@@ -23,7 +23,7 @@
 /**
 * An exception class for access control related issues.
 */
-@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
+@InterfaceAudience.Public
 @InterfaceStability.Evolving
 public class AccessControlException
 extends org.apache.hadoop.fs.permission.AccessControlException {
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/Credentials.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/Credentials.java
index c4acac99106..465f4a8ad01 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/Credentials.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/Credentials.java
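Review bot: The `@throws IOException` tag kept above `addDelegationTokens` has no description, and that gap matters more now that the method is annotated `@InterfaceAudience.Public`, because callers outside Hadoop get no statement of when the call fails. I would complete the tag, for example `@throws IOException if a delegation token cannot be obtained`, with the wording checked against the method body, which continues outside the hunk.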
@@ -50,10 +50,10 @@ import org.apache.hadoop.security.token.TokenIdentifier; /** - * A class that provides the facilities of reading and writing + * A class that provides the facilities of reading and writing * secret keys and Tokens. */ -@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"}) +@InterfaceAudience.Public @InterfaceStability.Evolving public class Credentials implements Writable { private static final Log LOG = LogFactory.getLog(Credentials.class); diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java index 42abe0ed3bc..b7d1ec04825 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java @@ -58,14 +58,20 @@ import com.google.common.annotations.VisibleForTesting; -@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"}) +/** + * Security Utils. + */ +@InterfaceAudience.Public @InterfaceStability.Evolving -public class SecurityUtil { +public final class SecurityUtil { public static final Log LOG = LogFactory.getLog(SecurityUtil.class); public static final String HOSTNAME_PATTERN = "_HOST"; public static final String FAILED_TO_GET_UGI_MSG_HEADER = "Failed to obtain user group information:"; + private SecurityUtil() { + } + // controls whether buildTokenService will use an ip or host/ip as given // by the user @VisibleForTesting diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java index 64c8460a01f..f874b921882 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java 
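Review bot: `Credentials` becomes `@InterfaceAudience.Public` with a class Javadoc that still only says it reads and writes `secret keys and Tokens`, so downstream callers get no guidance on protecting what the class serializes. Since the class implements `Writable`, I would add a sentence such as `Anything written by this class contains the secrets themselves; restrict access to the file or stream accordingly.` Presumably the serialized form is not encrypted; that should be confirmed against the write methods, which are outside this hunk. The other change to the comment appears to be whitespace only.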
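Review bot: Declaring `SecurityUtil` as `final` and adding `private SecurityUtil()` narrows the class in the same commit that widens its audience to `@InterfaceAudience.Public`. Any downstream code that instantiated or subclassed it stops compiling, and whether such code exists cannot be judged from this hunk. I would record this as an incompatible change in the release notes or move it to a separate commit. The new Javadoc `Security Utils.` is also too thin for a Public class; a sentence naming what it covers (the hunk shows `HOSTNAME_PATTERN` and the `buildTokenService` setting) would serve ecosystem callers better. The class body continues outside the hunk.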
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java @@ -87,7 +87,7 @@ * user's username and groups. It supports both the Windows, Unix and Kerberos * login modules. */ -@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce", "HBase", "Hive", "Oozie"}) +@InterfaceAudience.Public @InterfaceStability.Evolving public class UserGroupInformation { @VisibleForTesting @@ -716,7 +716,7 @@ public static UserGroupInformation getBestUGI( * * @param user The principal name to load from the ticket * cache - * @param ticketCachePath the path to the ticket cache file + * @param ticketCache the path to the ticket cache file * * @throws IOException if the kerberos login fails */ @@ -779,7 +779,7 @@ public static UserGroupInformation getUGIFromTicketCache( /** * Create a UserGroupInformation from a Subject with Kerberos principal. * - * @param user The KerberosPrincipal to use in UGI + * @param subject The KerberosPrincipal to use in UGI * * @throws IOException * @throws KerberosAuthException if the kerberos login fails @@ -838,7 +838,7 @@ public static String trimLoginMethod(String userName) { /** * Log in a user using the given subject - * @parma subject the subject to use when logging in a user, or null to + * @param subject the subject to use when logging in a user, or null to * create a new subject. * @throws IOException if login fails */ @@ -1692,7 +1692,7 @@ private synchronized Credentials getCredentialsInternal() { } /** - * Get the group names for this user. {@ #getGroups(String)} is less + * Get the group names for this user. {@link #getGroups()} is less * expensive alternative when checking for a contained element. * @return the list of users with the primary group first. If the command * fails, it returns an empty list. 
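Review bot: In the `@@ -779` hunk the renamed tag reads `@param subject The KerberosPrincipal to use in UGI`, but the summary line above it says the argument is a Subject carrying a Kerberos principal, not the principal itself. I would write `@param subject The Subject holding the Kerberos principal to use in the UGI`. The bare `@throws IOException` just below could get a description in the same pass. The documented method lies outside the hunk.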
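Review bot: The `@return` line left untouched in the `@@ -1692` hunk still says `the list of users with the primary group first`, although the comment documents group names. The corrected sentence `{@link #getGroups()} is less expensive alternative` is also missing an article. I would change these to `@return the list of groups with the primary group first` and `{@link #getGroups()} is a less expensive alternative`. The end of the comment and the method it documents are outside the hunk.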
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AuthorizationException.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AuthorizationException.java
index 07f03211915..03f4d9971bb 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AuthorizationException.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AuthorizationException.java
@@ -29,7 +29,7 @@
 *
 * This class does not provide the stack trace for security purposes.
 */
-@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce", "YARN"})
+@InterfaceAudience.Public
 @InterfaceStability.Evolving
 public class AuthorizationException extends AccessControlException {
 private static final long serialVersionUID = 1L;
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java
index 9d5f205a71f..ed699a74dcb 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java
@@ -472,10 +472,10 @@ public void cancel(Configuration conf
 * A trivial renewer for token kinds that aren't managed. Sub-classes need
 * to implement getKind for their token kind.
 */
- @InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
+ @InterfaceAudience.Public
 @InterfaceStability.Evolving
 public static class TrivialRenewer extends TokenRenewer {
-
+
 // define the kind for this renewer
 protected Text getKind() {
 return null;
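Review bot: `getKind()` in `TrivialRenewer` carries only a `//` line comment, even though the class is now `@InterfaceAudience.Public` and documented as a base class (`Sub-classes need to implement getKind`). That comment will not appear in generated Javadoc, and the default `return null;` is exactly what a subclass author needs to know about. I would turn it into Javadoc, for example `/** Returns the token kind this renewer handles; the default is null and subclasses must override it. */`. The rest of the class is outside the hunk.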
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenIdentifier.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenIdentifier.java index 5a9d076d8a6..7dad0871dec 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenIdentifier.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenIdentifier.java @@ -34,7 +34,7 @@ import com.google.common.annotations.VisibleForTesting; -@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"}) +@InterfaceAudience.Public @InterfaceStability.Evolving public abstract class AbstractDelegationTokenIdentifier extends TokenIdentifier { diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java index 0e311ddeb2a..21d3dd6e9df 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java @@ -44,7 +44,7 @@ import com.google.common.base.Preconditions; -@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce", "Hive"}) +@InterfaceAudience.Public @InterfaceStability.Evolving public abstract class AbstractDelegationTokenSecretManager
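Review bot: `AbstractDelegationTokenIdentifier` is promoted to `@InterfaceAudience.Public` without any class-level Javadoc; in the hunk the annotation follows the import block directly. The same holds for `AbstractDelegationTokenSecretManager` in the next file. Both are abstract extension points for delegation-token handling, so each should get a class comment stating what a subclass must implement and what the `Evolving` stability means for it. The secret manager presumably holds key material, which would deserve a sentence of its own once confirmed against the class body. This commit already added such a comment to `SecurityUtil`.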