diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/token/OzoneBlockTokenIdentifier.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/token/OzoneBlockTokenIdentifier.java index 89457fda49c..54cf18002c3 100644 --- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/token/OzoneBlockTokenIdentifier.java +++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/token/OzoneBlockTokenIdentifier.java @@ -28,6 +28,7 @@ import org.apache.hadoop.io.Text; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.token.TokenIdentifier; +import org.apache.hadoop.security.token.Token.TrivialRenewer; import java.io.DataInput; import java.io.DataInputStream; @@ -195,5 +196,17 @@ void writeProtobuf(DataOutput out) throws IOException { } out.write(builder.build().toByteArray()); } + + /** + * Default TrivialRenewer. + */ + @InterfaceAudience.Private + public static class Renewer extends TrivialRenewer { + + @Override + protected Text getKind() { + return KIND_NAME; + } + } } diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/OzoneTokenIdentifier.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/OzoneTokenIdentifier.java index 88b0b9c71a2..330788dcb0a 100644 --- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/OzoneTokenIdentifier.java +++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/OzoneTokenIdentifier.java @@ -29,7 +29,6 @@ import org.apache.hadoop.io.Text; import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMTokenProto; import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier; -import org.apache.hadoop.security.token.Token; /** * The token identifier for Ozone Master. @@ -68,18 +67,6 @@ public Text getKind() { return KIND_NAME; } - /** - * Default TrivialRenewer. - */ - @InterfaceAudience.Private - public static class Renewer extends Token.TrivialRenewer { - - @Override - protected Text getKind() { - return KIND_NAME; - } - } - /** * Overrides default implementation to write using Protobuf. * diff --git a/hadoop-ozone/ozonefs/src/main/java/org/apache/hadoop/fs/ozone/OzoneClientAdapter.java b/hadoop-ozone/ozonefs/src/main/java/org/apache/hadoop/fs/ozone/OzoneClientAdapter.java index 59f3f7a97c1..d7fc7d89854 100644 --- a/hadoop-ozone/ozonefs/src/main/java/org/apache/hadoop/fs/ozone/OzoneClientAdapter.java +++ b/hadoop-ozone/ozonefs/src/main/java/org/apache/hadoop/fs/ozone/OzoneClientAdapter.java @@ -17,6 +17,9 @@ */ package org.apache.hadoop.fs.ozone; +import org.apache.hadoop.ozone.security.OzoneTokenIdentifier; +import org.apache.hadoop.security.token.Token; + import java.io.IOException; import java.io.InputStream; import java.util.Iterator; @@ -52,4 +55,6 @@ public interface OzoneClientAdapter { Iterator listKeys(String pathKey); + Token getDelegationToken(String renewer) + throws IOException; } diff --git a/hadoop-ozone/ozonefs/src/main/java/org/apache/hadoop/fs/ozone/OzoneClientAdapterImpl.java b/hadoop-ozone/ozonefs/src/main/java/org/apache/hadoop/fs/ozone/OzoneClientAdapterImpl.java index 8c698492d0d..3b034ed5ff7 100644 --- a/hadoop-ozone/ozonefs/src/main/java/org/apache/hadoop/fs/ozone/OzoneClientAdapterImpl.java +++ b/hadoop-ozone/ozonefs/src/main/java/org/apache/hadoop/fs/ozone/OzoneClientAdapterImpl.java @@ -22,9 +22,12 @@ import java.util.HashMap; import java.util.Iterator; +import org.apache.hadoop.classification.InterfaceAudience; +import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hdds.client.ReplicationFactor; import org.apache.hadoop.hdds.client.ReplicationType; import org.apache.hadoop.hdds.conf.OzoneConfiguration; +import org.apache.hadoop.io.Text; import org.apache.hadoop.ozone.OzoneConfigKeys; import org.apache.hadoop.ozone.client.ObjectStore; import org.apache.hadoop.ozone.client.OzoneBucket; @@ -35,6 +38,10 @@ import org.apache.hadoop.ozone.client.io.OzoneOutputStream; import static org.apache.hadoop.ozone.OzoneConsts.OZONE_URI_DELIMITER; + +import org.apache.hadoop.ozone.security.OzoneTokenIdentifier; +import org.apache.hadoop.security.token.Token; +import org.apache.hadoop.security.token.TokenRenewer; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -251,8 +258,64 @@ public Iterator listKeys(String pathKey) { return new IteratorAdapter(bucket.listKeys(pathKey)); } + @Override + public Token getDelegationToken(String renewer) + throws IOException { + Token token = + ozoneClient.getObjectStore().getDelegationToken(new Text(renewer)); + token.setKind(OzoneTokenIdentifier.KIND_NAME); + return token; + } + /** - * Adapter to conver OzoneKey to a safe and simple Key implementation. + * Ozone Delegation Token Renewer. + */ + @InterfaceAudience.Private + public static class Renewer extends TokenRenewer { + + //Ensure that OzoneConfiguration files are loaded before trying to use + // the renewer. + static { + OzoneConfiguration.activate(); + } + + public Text getKind() { + return OzoneTokenIdentifier.KIND_NAME; + } + + @Override + public boolean handleKind(Text kind) { + return getKind().equals(kind); + } + + @Override + public boolean isManaged(Token token) throws IOException { + return true; + } + + @Override + public long renew(Token token, Configuration conf) + throws IOException, InterruptedException { + Token ozoneDt = + (Token) token; + OzoneClient ozoneClient = + OzoneClientFactory.getRpcClient(conf); + return ozoneClient.getObjectStore().renewDelegationToken(ozoneDt); + } + + @Override + public void cancel(Token token, Configuration conf) + throws IOException, InterruptedException { + Token ozoneDt = + (Token) token; + OzoneClient ozoneClient = + OzoneClientFactory.getRpcClient(conf); + ozoneClient.getObjectStore().cancelDelegationToken(ozoneDt); + } + } + + /** + * Adapter to convert OzoneKey to a safe and simple Key implementation. */ public static class IteratorAdapter implements Iterator { diff --git a/hadoop-ozone/ozonefs/src/main/java/org/apache/hadoop/fs/ozone/OzoneFileSystem.java b/hadoop-ozone/ozonefs/src/main/java/org/apache/hadoop/fs/ozone/OzoneFileSystem.java index ad6de8afc0c..13b7ddaccd5 100644 --- a/hadoop-ozone/ozonefs/src/main/java/org/apache/hadoop/fs/ozone/OzoneFileSystem.java +++ b/hadoop-ozone/ozonefs/src/main/java/org/apache/hadoop/fs/ozone/OzoneFileSystem.java @@ -48,7 +48,9 @@ import org.apache.hadoop.fs.GlobalStorageStatistics; import org.apache.hadoop.fs.permission.FsPermission; import org.apache.hadoop.hdds.conf.OzoneConfiguration; +import org.apache.hadoop.hdds.security.x509.SecurityConfig; import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.security.token.Token; import org.apache.hadoop.util.Progressable; import com.google.common.base.Preconditions; @@ -84,6 +86,7 @@ public class OzoneFileSystem extends FileSystem { private Path workingDir; private OzoneClientAdapter adapter; + private boolean securityEnabled; private OzoneFSStorageStatistics storageStatistics; @@ -156,6 +159,10 @@ public void initialize(URI name, Configuration conf) throws IOException { } else { ozoneConfiguration = new OzoneConfiguration(conf); } + SecurityConfig secConfig = new SecurityConfig(ozoneConfiguration); + if (secConfig.isSecurityEnabled()) { + this.securityEnabled = true; + } this.adapter = new OzoneClientAdapterImpl(ozoneConfiguration, volumeStr, bucketStr, storageStatistics); } @@ -669,6 +676,12 @@ public Path getWorkingDirectory() { return workingDir; } + @Override + public Token getDelegationToken(String renewer) throws IOException { + return securityEnabled? adapter.getDelegationToken(renewer) : + super.getDelegationToken(renewer); + } + /** * Get the username of the FS. *