From eff4b2fa077d650aa41044678f31643798e196c0 Mon Sep 17 00:00:00 2001 From: Wei-Chiu Chuang Date: Wed, 5 Oct 2016 17:35:43 -0700 Subject: [PATCH] HDFS-10683. Make class Token$PrivateToken private. Contributed by John Zhuge. (cherry picked from commit c5ca2169151a5eec57152775789b6f53664e102c) (cherry picked from commit 434403a2a0863e4d572e04e05e85d4f333bd6339) --- .../apache/hadoop/security/Credentials.java | 8 +-- .../hadoop/security/UserGroupInformation.java | 2 +- .../apache/hadoop/security/token/Token.java | 60 ++++++++++++++++--- .../security/TestUserGroupInformation.java | 6 +- .../java/org/apache/hadoop/hdfs/HAUtil.java | 5 +- 5 files changed, 61 insertions(+), 20 deletions(-) diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/Credentials.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/Credentials.java index 504c9f2c09f..465f4a8ad01 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/Credentials.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/Credentials.java @@ -100,12 +100,8 @@ public class Credentials implements Writable { for (Map.Entry> e : tokenMap.entrySet()) { Token token = e.getValue(); - if (token instanceof Token.PrivateToken && - ((Token.PrivateToken) token).getPublicService().equals(alias)) { - Token privateToken = - new Token.PrivateToken<>(t); - privateToken.setService(token.getService()); - tokensToAdd.put(e.getKey(), privateToken); + if (token.isPrivateCloneOf(alias)) { + tokensToAdd.put(e.getKey(), t.privateClone(token.getService())); } } tokenMap.putAll(tokensToAdd); diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java index 7bdbad4cb6b..8d10d5aa6c4 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java @@ -1644,7 +1644,7 @@ public class UserGroupInformation { Credentials creds = new Credentials(getCredentialsInternal()); Iterator> iter = creds.getAllTokens().iterator(); while (iter.hasNext()) { - if (iter.next() instanceof Token.PrivateToken) { + if (iter.next().isPrivate()) { iter.remove(); } } diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java index 024b142d1fe..ed699a74dcb 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java @@ -190,23 +190,67 @@ public class Token implements Writable { service = newService; } + /** + * Whether this is a private token. + * @return false always for non-private tokens + */ + public boolean isPrivate() { + return false; + } + + /** + * Whether this is a private clone of a public token. + * @param thePublicService the public service name + * @return false always for non-private tokens + */ + public boolean isPrivateCloneOf(Text thePublicService) { + return false; + } + + /** + * Create a private clone of a public token. + * @param newService the new service name + * @return a private token + */ + public Token privateClone(Text newService) { + return new PrivateToken<>(this, newService); + } + /** * Indicates whether the token is a clone. Used by HA failover proxy * to indicate a token should not be visible to the user via * UGI.getCredentials() */ - @InterfaceAudience.Private - @InterfaceStability.Unstable - public static class PrivateToken extends Token { + static class PrivateToken extends Token { final private Text publicService; - public PrivateToken(Token token) { - super(token); - publicService = new Text(token.getService()); + PrivateToken(Token publicToken, Text newService) { + super(publicToken.identifier, publicToken.password, publicToken.kind, + newService); + assert !publicToken.isPrivate(); + publicService = publicToken.service; + if (LOG.isDebugEnabled()) { + LOG.debug("Cloned private token " + this + " from " + publicToken); + } } - public Text getPublicService() { - return publicService; + /** + * Whether this is a private token. + * @return true always for private tokens + */ + @Override + public boolean isPrivate() { + return true; + } + + /** + * Whether this is a private clone of a public token. + * @param thePublicService the public service name + * @return true when the public service is the same as specified + */ + @Override + public boolean isPrivateCloneOf(Text thePublicService) { + return publicService.equals(thePublicService); } @Override diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java index 4fe753ef1b4..9f5de141fe0 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java @@ -846,8 +846,10 @@ public class TestUserGroupInformation { ugi.addToken(new Text("regular-token"), token); // Now add cloned private token - ugi.addToken(new Text("private-token"), new Token.PrivateToken(token)); - ugi.addToken(new Text("private-token1"), new Token.PrivateToken(token)); + Text service = new Text("private-token"); + ugi.addToken(service, token.privateClone(service)); + Text service1 = new Text("private-token1"); + ugi.addToken(service1, token.privateClone(service1)); // Ensure only non-private tokens are returned Collection> tokens = ugi.getCredentials().getAllTokens(); diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/HAUtil.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/HAUtil.java index 91853953f38..72d69588fdf 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/HAUtil.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/HAUtil.java @@ -29,6 +29,7 @@ import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_RPC_BIND_HOST_KE import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_SERVICE_RPC_ADDRESS_KEY; import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_SERVICE_RPC_BIND_HOST_KEY; import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_SHARED_EDITS_DIR_KEY; +import static org.apache.hadoop.security.SecurityUtil.buildTokenService; import java.io.IOException; import java.net.InetSocketAddress; @@ -56,7 +57,6 @@ import org.apache.hadoop.io.Text; import org.apache.hadoop.ipc.RPC; import org.apache.hadoop.ipc.RemoteException; import org.apache.hadoop.ipc.StandbyException; -import org.apache.hadoop.security.SecurityUtil; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.token.Token; @@ -276,8 +276,7 @@ public class HAUtil { // exposed to the user via UGI.getCredentials(), otherwise these // cloned tokens may be inadvertently propagated to jobs Token specificToken = - new Token.PrivateToken(haToken); - SecurityUtil.setTokenService(specificToken, singleNNAddr); + haToken.privateClone(buildTokenService(singleNNAddr)); Text alias = new Text( HAUtilClient.buildTokenServicePrefixForLogicalUri( HdfsConstants.HDFS_URI_SCHEME)