001    /**
002    * Licensed to the Apache Software Foundation (ASF) under one
003    * or more contributor license agreements.  See the NOTICE file
004    * distributed with this work for additional information
005    * regarding copyright ownership.  The ASF licenses this file
006    * to you under the Apache License, Version 2.0 (the
007    * "License"); you may not use this file except in compliance
008    * with the License.  You may obtain a copy of the License at
009    *
010    *     http://www.apache.org/licenses/LICENSE-2.0
011    *
012    * Unless required by applicable law or agreed to in writing, software
013    * distributed under the License is distributed on an "AS IS" BASIS,
014    * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015    * See the License for the specific language governing permissions and
016    * limitations under the License.
017    */
018    
019    package org.apache.hadoop.yarn.security.client;
020    
021    import javax.crypto.SecretKey;
022    
023    import org.apache.hadoop.classification.InterfaceAudience.Private;
024    import org.apache.hadoop.classification.InterfaceAudience.Public;
025    import org.apache.hadoop.classification.InterfaceStability.Evolving;
026    import org.apache.hadoop.security.token.SecretManager;
027    import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
028    
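/**
 * A base {@link SecretManager} for AMs to extend and validate Client-RM tokens
 * issued to clients by the RM using the underlying master-key shared by RM to
 * the AMs on their launch. All the methods are called by either Hadoop RPC or
 * YARN, so this class is strictly for the purpose of inherit/extend and
 * register with Hadoop RPC.
 *
 * <p>Both {@link #createPassword(ClientToAMTokenIdentifier)} and
 * {@link #retrievePassword(ClientToAMTokenIdentifier)} derive the token
 * password from the identifier bytes and the attempt's master key via
 * {@link SecretManager#createPassword(byte[], SecretKey)}; a token whose
 * attempt has no master key is rejected rather than passed through with a
 * {@code null} key.
 *
 * <p>Thread-safety: {@code createPassword} is {@code synchronized} on this
 * instance, {@code retrievePassword} is not, so implementations of
 * {@link #getMasterKey(ApplicationAttemptId)} are expected to be safe for
 * concurrent calls (verify against the concrete subclass).
 */
@Public
@Evolving
public abstract class BaseClientToAMTokenSecretManager extends
    SecretManager<ClientToAMTokenIdentifier> {

  /**
   * Returns the master key shared by the RM for the given application attempt.
   *
   * @param applicationAttemptId the attempt whose key is requested
   * @return the master key, or {@code null} if no key is known for the attempt
   */
  @Private
  public abstract SecretKey getMasterKey(
      ApplicationAttemptId applicationAttemptId);

  /**
   * Creates the password for a new client token.
   *
   * @param identifier the token identifier to sign
   * @return the password derived from the identifier and the attempt's key
   * @throws IllegalStateException if no master key is known for the
   *         identifier's application attempt; creating a token for an unknown
   *         attempt is a programming/configuration error, not a client fault
   */
  @Private
  @Override
  public synchronized byte[] createPassword(
      ClientToAMTokenIdentifier identifier) {
    ApplicationAttemptId attemptId = identifier.getApplicationAttemptID();
    SecretKey masterKey = getMasterKey(attemptId);
    if (masterKey == null) {
      // Fail with a clear message instead of an opaque NPE from the
      // superclass when it is handed a null key.
      throw new IllegalStateException(
          "No master key available for application attempt " + attemptId);
    }
    return createPassword(identifier.getBytes(), masterKey);
  }

  /**
   * Recomputes the expected password for a presented client token so the
   * caller (Hadoop RPC, per the class contract) can check it against the
   * password the client supplied.
   *
   * @param identifier the identifier decoded from the presented token
   * @return the expected password for that identifier
   * @throws SecretManager.InvalidToken if the identifier names an application
   *         attempt this AM holds no master key for
   */
  @Private
  @Override
  public byte[] retrievePassword(ClientToAMTokenIdentifier identifier)
      throws SecretManager.InvalidToken {
    SecretKey masterKey = getMasterKey(identifier.getApplicationAttemptID());
    if (masterKey == null) {
      // Deliberately terse: the message may reach the remote client, so it
      // must not reveal which attempts this AM does hold keys for.
      throw new SecretManager.InvalidToken("Illegal client-token!");
    }
    return createPassword(identifier.getBytes(), masterKey);
  }

  /**
   * Creates an empty identifier for Hadoop RPC to decode a token into.
   *
   * @return a new, blank {@link ClientToAMTokenIdentifier}
   */
  @Private
  @Override
  public ClientToAMTokenIdentifier createIdentifier() {
    return new ClientToAMTokenIdentifier();
  }

}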