HADOOP-17050 S3A to support additional token issuers

Contributed by Steve Loughran.

S3A delegation token providers will be asked for any additional
token issuers, an array can be returned,
each one will be asked for tokens when DelegationTokenIssuer collects
all the tokens for a filesystem.
This commit is contained in:
Steve Loughran 2020-06-09 14:39:06 +01:00 committed by GitHub
parent 8525874561
commit ac5d899d40
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 34 additions and 0 deletions

View File

@ -114,6 +114,7 @@ import org.apache.hadoop.fs.s3a.s3guard.BulkOperationState;
import org.apache.hadoop.fs.s3a.select.InternalSelectConstants; import org.apache.hadoop.fs.s3a.select.InternalSelectConstants;
import org.apache.hadoop.io.IOUtils; import org.apache.hadoop.io.IOUtils;
import org.apache.hadoop.io.Text; import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.token.DelegationTokenIssuer;
import org.apache.hadoop.security.token.TokenIdentifier; import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.util.DurationInfo; import org.apache.hadoop.util.DurationInfo;
import org.apache.hadoop.util.LambdaUtils; import org.apache.hadoop.util.LambdaUtils;
@ -3377,6 +3378,25 @@ public class S3AFileSystem extends FileSystem implements StreamCapabilities,
} }
} }
/**
* Ask any DT plugin for any extra token issuers.
* These do not get told of the encryption secrets and can
* return any type of token.
* This allows DT plugins to issue extra tokens for
* ancillary services.
*/
@Override
public DelegationTokenIssuer[] getAdditionalTokenIssuers()
throws IOException {
if (delegationTokens.isPresent()) {
return delegationTokens.get().getAdditionalTokenIssuers();
} else {
// Delegation token support is not set up
LOG.debug("Token support is not enabled");
return null;
}
}
/** /**
* Build the AWS policy for restricted access to the resources needed * Build the AWS policy for restricted access to the resources needed
* by this bucket. * by this bucket.

View File

@ -40,6 +40,7 @@ import org.apache.hadoop.fs.s3a.impl.StoreContext;
import org.apache.hadoop.io.Text; import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials; import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.DelegationTokenIssuer;
import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.service.ServiceOperations; import org.apache.hadoop.service.ServiceOperations;
import org.apache.hadoop.util.DurationInfo; import org.apache.hadoop.util.DurationInfo;
@ -447,6 +448,19 @@ public class S3ADelegationTokens extends AbstractDTService {
stats.tokenIssued(); stats.tokenIssued();
} }
/**
* Get a null/possibly empty list of extra delegation token issuers.
* These will be asked for tokens when
* {@link DelegationTokenIssuer#getAdditionalTokenIssuers()} recursively
* collects all DTs a filesystem can offer.
* @return a null or empty array. Default implementation: null
* @throws IOException failure
*/
public DelegationTokenIssuer[] getAdditionalTokenIssuers()
throws IOException {
return null;
}
/** /**
* Get the AWS credential provider. * Get the AWS credential provider.
* @return the DT credential provider * @return the DT credential provider