org.apache.hadoop.security.token.delegation.web
Class DelegationTokenAuthenticatedURL

java.lang.Object
  extended by org.apache.hadoop.security.authentication.client.AuthenticatedURL
      extended by org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL

@InterfaceAudience.Public
@InterfaceStability.Unstable
public class DelegationTokenAuthenticatedURL
extends org.apache.hadoop.security.authentication.client.AuthenticatedURL

The DelegationTokenAuthenticatedURL is an AuthenticatedURL sub-class with built-in Hadoop Delegation Token functionality.

The authentication mechanisms supported by default are Hadoop Simple authentication (also known as pseudo authentication) and Kerberos SPNEGO authentication.

Additional authentication mechanisms can be supported via DelegationTokenAuthenticator implementations.

The default DelegationTokenAuthenticator is the KerberosDelegationTokenAuthenticator class, which supports automatic fallback from Kerberos SPNEGO to Hadoop Simple authentication via the PseudoDelegationTokenAuthenticator class.

AuthenticatedURL instances are not thread-safe.
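
The token lifecycle this class exposes (request, use, renew, cancel), as an added example that is not part of the Hadoop documentation. The endpoint URLs and the renewer name are placeholders assumed for illustration, and `DelegationTokenLifecycle` is a hypothetical class name.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL;

public class DelegationTokenLifecycle {
    public static void main(String[] args) throws Exception {
        // Placeholder endpoints (assumptions). HTTPS keeps the token header off the wire in clear text.
        URL endpoint = new URL("https://service.example.com:14000/api/");
        URL resource = new URL("https://service.example.com:14000/api/resource");
        String renewer = "renewer-user"; // hypothetical renewer

        // Instances are not thread-safe: create one per thread instead of sharing.
        DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();

        // Refuse the deprecated query-string mode: a token placed in the URL
        // ends up in access logs and proxy logs, a token in a header does not.
        if (aUrl.useQueryStringForDelegationToken()) {
            throw new IllegalStateException("delegation token would be sent in the URL query string");
        }

        DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token();

        // Authenticates with the configured authenticator (Kerberos SPNEGO by default)
        // and stores the issued delegation token inside 'token'.
        aUrl.getDelegationToken(endpoint, token, renewer);
        try {
            // The delegation token in 'token' now takes precedence over the authenticator.
            HttpURLConnection conn = aUrl.openConnection(resource, token);
            try {
                int status = conn.getResponseCode();
                if (status != HttpURLConnection.HTTP_OK) {
                    throw new IOException("unexpected HTTP status " + status);
                }
            } finally {
                conn.disconnect();
            }
            long renewed = aUrl.renewDelegationToken(endpoint, token);
            System.out.println("renewDelegationToken returned " + renewed);
        } finally {
            // Cancel as soon as the work is done so the token cannot be reused later.
            aUrl.cancelDelegationToken(endpoint, token);
        }
    }
}
```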


Nested Class Summary
static class DelegationTokenAuthenticatedURL.Token
          Client side authentication token that handles Delegation Tokens.
 
Field Summary
 
Fields inherited from class org.apache.hadoop.security.authentication.client.AuthenticatedURL
AUTH_COOKIE
 
Constructor Summary
DelegationTokenAuthenticatedURL()
          Creates a DelegationTokenAuthenticatedURL.
DelegationTokenAuthenticatedURL(org.apache.hadoop.security.authentication.client.ConnectionConfigurator connConfigurator)
          Creates a DelegationTokenAuthenticatedURL using the default DelegationTokenAuthenticator class.
DelegationTokenAuthenticatedURL(DelegationTokenAuthenticator authenticator)
          Creates a DelegationTokenAuthenticatedURL.
DelegationTokenAuthenticatedURL(DelegationTokenAuthenticator authenticator, org.apache.hadoop.security.authentication.client.ConnectionConfigurator connConfigurator)
          Creates a DelegationTokenAuthenticatedURL.
 
Method Summary
 void cancelDelegationToken(URL url, DelegationTokenAuthenticatedURL.Token token)
          Cancels a delegation token from the server end-point.
 void cancelDelegationToken(URL url, DelegationTokenAuthenticatedURL.Token token, String doAsUser)
          Cancels a delegation token from the server end-point.
static Class<? extends DelegationTokenAuthenticator> getDefaultDelegationTokenAuthenticator()
          Returns the default DelegationTokenAuthenticator class to use when a DelegationTokenAuthenticatedURL instance is created without specifying one.
 org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier> getDelegationToken(URL url, DelegationTokenAuthenticatedURL.Token token, String renewer)
          Requests a delegation token using the configured Authenticator for authentication.
 org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier> getDelegationToken(URL url, DelegationTokenAuthenticatedURL.Token token, String renewer, String doAsUser)
          Requests a delegation token using the configured Authenticator for authentication.
 HttpURLConnection openConnection(URL url, org.apache.hadoop.security.authentication.client.AuthenticatedURL.Token token)
          Returns an authenticated HttpURLConnection. It uses a Delegation Token only if the given auth token is an instance of DelegationTokenAuthenticatedURL.Token and it contains a Delegation Token; otherwise it uses the configured DelegationTokenAuthenticator to authenticate the connection.
 HttpURLConnection openConnection(URL url, DelegationTokenAuthenticatedURL.Token token)
          Returns an authenticated HttpURLConnection.
 HttpURLConnection openConnection(URL url, DelegationTokenAuthenticatedURL.Token token, String doAs)
          Returns an authenticated HttpURLConnection.
 long renewDelegationToken(URL url, DelegationTokenAuthenticatedURL.Token token)
          Renews a delegation token from the server end-point using the configured Authenticator for authentication.
 long renewDelegationToken(URL url, DelegationTokenAuthenticatedURL.Token token, String doAsUser)
          Renews a delegation token from the server end-point using the configured Authenticator for authentication.
static void setDefaultDelegationTokenAuthenticator(Class<? extends DelegationTokenAuthenticator> authenticator)
          Sets the default DelegationTokenAuthenticator class to use when a DelegationTokenAuthenticatedURL instance is created without specifying one.
protected  void setUseQueryStringForDelegationToken(boolean useQueryString)
          Deprecated. 
 boolean useQueryStringForDelegationToken()
          Returns whether the delegation token is transmitted in the URL query string instead of as an HTTP header.
 
Methods inherited from class org.apache.hadoop.security.authentication.client.AuthenticatedURL
extractToken, getAuthenticator, getDefaultAuthenticator, injectToken, setDefaultAuthenticator
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

DelegationTokenAuthenticatedURL

public DelegationTokenAuthenticatedURL()
Creates a DelegationTokenAuthenticatedURL.

An instance of the default DelegationTokenAuthenticator will be used.


DelegationTokenAuthenticatedURL

public DelegationTokenAuthenticatedURL(DelegationTokenAuthenticator authenticator)
Creates a DelegationTokenAuthenticatedURL.

Parameters:
authenticator - the DelegationTokenAuthenticator instance to use; if null, the default one will be used.

DelegationTokenAuthenticatedURL

public DelegationTokenAuthenticatedURL(org.apache.hadoop.security.authentication.client.ConnectionConfigurator connConfigurator)
Creates a DelegationTokenAuthenticatedURL using the default DelegationTokenAuthenticator class.

Parameters:
connConfigurator - a connection configurator.

DelegationTokenAuthenticatedURL

public DelegationTokenAuthenticatedURL(DelegationTokenAuthenticator authenticator,
                                       org.apache.hadoop.security.authentication.client.ConnectionConfigurator connConfigurator)
Creates a DelegationTokenAuthenticatedURL.

Parameters:
authenticator - the DelegationTokenAuthenticator instance to use; if null, the default one will be used.
connConfigurator - a connection configurator.

Method Detail

setDefaultDelegationTokenAuthenticator

public static void setDefaultDelegationTokenAuthenticator(Class<? extends DelegationTokenAuthenticator> authenticator)
Sets the default DelegationTokenAuthenticator class to use when a DelegationTokenAuthenticatedURL instance is created without specifying one. The default class is KerberosDelegationTokenAuthenticator.

Parameters:
authenticator - the authenticator class to use as default.

getDefaultDelegationTokenAuthenticator

public static Class<? extends DelegationTokenAuthenticator> getDefaultDelegationTokenAuthenticator()
Returns the default DelegationTokenAuthenticator class to use when a DelegationTokenAuthenticatedURL instance is created without specifying one.

The default class is KerberosDelegationTokenAuthenticator.

Returns:
the delegation token authenticator class to use as default.

setUseQueryStringForDelegationToken

@Deprecated
protected void setUseQueryStringForDelegationToken(boolean useQueryString)
Deprecated. 

Sets whether the delegation token should be transmitted in the URL query string. By default it is transmitted using the DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER HTTP header.

This method is provided to enable WebHDFS backwards compatibility.

Parameters:
useQueryString - TRUE if the token is transmitted in the URL query string, FALSE if the delegation token is transmitted using the DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER HTTP header.

useQueryStringForDelegationToken

public boolean useQueryStringForDelegationToken()
Returns whether the delegation token is transmitted in the URL query string instead of as an HTTP header.

Returns:
TRUE if the token is transmitted in the URL query string, FALSE if the delegation token is transmitted using the DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER HTTP header.

openConnection

public HttpURLConnection openConnection(URL url,
                                        org.apache.hadoop.security.authentication.client.AuthenticatedURL.Token token)
                                 throws IOException,
                                        org.apache.hadoop.security.authentication.client.AuthenticationException
Returns an authenticated HttpURLConnection. It uses a Delegation Token only if the given auth token is an instance of DelegationTokenAuthenticatedURL.Token and it contains a Delegation Token; otherwise it uses the configured DelegationTokenAuthenticator to authenticate the connection.

Overrides:
openConnection in class org.apache.hadoop.security.authentication.client.AuthenticatedURL
Parameters:
url - the URL to connect to. Only HTTP/S URLs are supported.
token - the authentication token being used for the user.
Returns:
an authenticated HttpURLConnection.
Throws:
IOException - if an IO error occurred.
org.apache.hadoop.security.authentication.client.AuthenticationException - if an authentication exception occurred.

openConnection

public HttpURLConnection openConnection(URL url,
                                        DelegationTokenAuthenticatedURL.Token token)
                                 throws IOException,
                                        org.apache.hadoop.security.authentication.client.AuthenticationException
Returns an authenticated HttpURLConnection. If the Delegation Token is present, it will be used taking precedence over the configured Authenticator.

Parameters:
url - the URL to connect to. Only HTTP/S URLs are supported.
token - the authentication token being used for the user.
Returns:
an authenticated HttpURLConnection.
Throws:
IOException - if an IO error occurred.
org.apache.hadoop.security.authentication.client.AuthenticationException - if an authentication exception occurred.

openConnection

public HttpURLConnection openConnection(URL url,
                                        DelegationTokenAuthenticatedURL.Token token,
                                        String doAs)
                                 throws IOException,
                                        org.apache.hadoop.security.authentication.client.AuthenticationException
Returns an authenticated HttpURLConnection. If the Delegation Token is present, it will be used taking precedence over the configured Authenticator. If the doAs parameter is not NULL, the request will be done on behalf of the specified doAs user.

Parameters:
url - the URL to connect to. Only HTTP/S URLs are supported.
token - the authentication token being used for the user.
doAs - user to do the request on behalf of; if NULL, the request is done as self.
Returns:
an authenticated HttpURLConnection.
Throws:
IOException - if an IO error occurred.
org.apache.hadoop.security.authentication.client.AuthenticationException - if an authentication exception occurred.

getDelegationToken

public org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier> getDelegationToken(URL url,
        DelegationTokenAuthenticatedURL.Token token,
        String renewer)
    throws IOException,
        org.apache.hadoop.security.authentication.client.AuthenticationException
Requests a delegation token using the configured Authenticator for authentication.

Parameters:
url - the URL to get the delegation token from. Only HTTP/S URLs are supported.
token - the authentication token being used for the user where the Delegation token will be stored.
renewer - the renewer user.
Returns:
a delegation token.
Throws:
IOException - if an IO error occurred.
org.apache.hadoop.security.authentication.client.AuthenticationException - if an authentication exception occurred.

getDelegationToken

public org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier> getDelegationToken(URL url,
        DelegationTokenAuthenticatedURL.Token token,
        String renewer,
        String doAsUser)
    throws IOException,
        org.apache.hadoop.security.authentication.client.AuthenticationException
Requests a delegation token using the configured Authenticator for authentication.

Parameters:
url - the URL to get the delegation token from. Only HTTP/S URLs are supported.
token - the authentication token being used for the user where the Delegation token will be stored.
renewer - the renewer user.
doAsUser - the user to do as, which will be the token owner.
Returns:
a delegation token.
Throws:
IOException - if an IO error occurred.
org.apache.hadoop.security.authentication.client.AuthenticationException - if an authentication exception occurred.

renewDelegationToken

public long renewDelegationToken(URL url,
                                 DelegationTokenAuthenticatedURL.Token token)
                          throws IOException,
                                 org.apache.hadoop.security.authentication.client.AuthenticationException
Renews a delegation token from the server end-point using the configured Authenticator for authentication.

Parameters:
url - the URL to renew the delegation token from. Only HTTP/S URLs are supported.
token - the authentication token with the Delegation Token to renew.
Throws:
IOException - if an IO error occurred.
org.apache.hadoop.security.authentication.client.AuthenticationException - if an authentication exception occurred.

renewDelegationToken

public long renewDelegationToken(URL url,
                                 DelegationTokenAuthenticatedURL.Token token,
                                 String doAsUser)
                          throws IOException,
                                 org.apache.hadoop.security.authentication.client.AuthenticationException
Renews a delegation token from the server end-point using the configured Authenticator for authentication.

Parameters:
url - the URL to renew the delegation token from. Only HTTP/S URLs are supported.
token - the authentication token with the Delegation Token to renew.
doAsUser - the user to do as, which will be the token owner.
Throws:
IOException - if an IO error occurred.
org.apache.hadoop.security.authentication.client.AuthenticationException - if an authentication exception occurred.

cancelDelegationToken

public void cancelDelegationToken(URL url,
                                  DelegationTokenAuthenticatedURL.Token token)
                           throws IOException
Cancels a delegation token from the server end-point. It does not require being authenticated by the configured Authenticator.

Parameters:
url - the URL to cancel the delegation token from. Only HTTP/S URLs are supported.
token - the authentication token with the Delegation Token to cancel.
Throws:
IOException - if an IO error occurred.

cancelDelegationToken

public void cancelDelegationToken(URL url,
                                  DelegationTokenAuthenticatedURL.Token token,
                                  String doAsUser)
                           throws IOException
Cancels a delegation token from the server end-point. It does not require being authenticated by the configured Authenticator.

Parameters:
url - the URL to cancel the delegation token from. Only HTTP/S URLs are supported.
token - the authentication token with the Delegation Token to cancel.
doAsUser - the user to do as, which will be the token owner.
Throws:
IOException - if an IO error occurred.


Copyright © 2014 Apache Software Foundation. All Rights Reserved.