001/**
002* Licensed to the Apache Software Foundation (ASF) under one
003* or more contributor license agreements.  See the NOTICE file
004* distributed with this work for additional information
005* regarding copyright ownership.  The ASF licenses this file
006* to you under the Apache License, Version 2.0 (the
007* "License"); you may not use this file except in compliance
008* with the License.  You may obtain a copy of the License at
009*
010*     http://www.apache.org/licenses/LICENSE-2.0
011*
012* Unless required by applicable law or agreed to in writing, software
013* distributed under the License is distributed on an "AS IS" BASIS,
014* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015* See the License for the specific language governing permissions and
016* limitations under the License.
017*/
018
019package org.apache.hadoop.yarn.security.client;
020
021import javax.crypto.SecretKey;
022
023import org.apache.hadoop.classification.InterfaceAudience.Private;
024import org.apache.hadoop.classification.InterfaceAudience.Public;
025import org.apache.hadoop.classification.InterfaceStability.Evolving;
026import org.apache.hadoop.security.token.SecretManager;
027import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
028
/**
 * Base {@link SecretManager} that ApplicationMasters (AMs) extend in order to
 * validate Client-to-AM tokens. The RM issues those tokens to clients, and they
 * are checked against the master key the RM shares with each AM at launch.
 *
 * <p>Every method here is invoked by Hadoop RPC or by YARN itself. The class
 * exists only to be subclassed and registered with Hadoop RPC.
 *
 * <p>Token passwords are never stored: both {@link #createPassword} and
 * {@link #retrievePassword} recompute the password from the identifier bytes
 * and the master key returned by {@link #getMasterKey}. The security of the
 * scheme therefore rests on that key staying confidential and on
 * {@link #getMasterKey} returning a key only for attempts it really serves.
 */
@Public
@Evolving
public abstract class BaseClientToAMTokenSecretManager extends
    SecretManager<ClientToAMTokenIdentifier> {

  /**
   * Looks up the master key for the given application attempt.
   *
   * <p>{@link #retrievePassword} treats a {@code null} result as "no such
   * token" and rejects the token, so implementations should return
   * {@code null} for attempts they do not recognise instead of falling back to
   * another key. {@link #retrievePassword} is not {@code synchronized}, so this
   * method can be reached without holding this object's monitor.
   *
   * @param applicationAttemptId attempt taken from the token identifier
   * @return the master key for that attempt, or {@code null} if there is none
   */
  @Private
  public abstract SecretKey getMasterKey(
      ApplicationAttemptId applicationAttemptId);

  /**
   * Computes the password for a token identifier from the identifier bytes and
   * the master key of the attempt the identifier names.
   *
   * @param identifier token identifier to derive the password for
   * @return the password bytes produced by the inherited
   *         {@code createPassword(byte[], SecretKey)} helper
   */
  @Private
  @Override
  public synchronized byte[] createPassword(
      ClientToAMTokenIdentifier identifier) {
    // Serialise the identifier before the key lookup, as the original
    // argument order did.
    final byte[] identifierBytes = identifier.getBytes();
    // NOTE(review): unlike retrievePassword, a null master key is not checked
    // here and is handed straight to the helper. Confirm how the helper reacts
    // and whether callers can reach this path for an unknown attempt.
    final SecretKey key = getMasterKey(identifier.getApplicationAttemptID());
    return createPassword(identifierBytes, key);
  }

  /**
   * Recomputes the password expected for a token identifier so that the caller
   * can validate a presented token.
   *
   * <p>This method only produces the expected value; comparing it with what
   * the client presented happens in the caller. NOTE(review): verify that the
   * comparison there is constant-time.
   *
   * @param identifier token identifier presented by the client
   * @return the password expected for {@code identifier}
   * @throws SecretManager.InvalidToken if no master key is known for the
   *         attempt named in the identifier; the message carries no attempt id
   *         or key detail
   */
  @Private
  @Override
  public byte[] retrievePassword(ClientToAMTokenIdentifier identifier)
      throws SecretManager.InvalidToken {
    final SecretKey key = getMasterKey(identifier.getApplicationAttemptID());
    if (key != null) {
      return createPassword(identifier.getBytes(), key);
    }
    // No key for this attempt: reject the token without computing anything.
    throw new SecretManager.InvalidToken("Illegal client-token!");
  }

  /**
   * Creates an empty identifier instance.
   *
   * @return a new, unpopulated {@link ClientToAMTokenIdentifier}
   */
  @Private
  @Override
  public ClientToAMTokenIdentifier createIdentifier() {
    return new ClientToAMTokenIdentifier();
  }

}