001/** 002* Licensed to the Apache Software Foundation (ASF) under one 003* or more contributor license agreements. See the NOTICE file 004* distributed with this work for additional information 005* regarding copyright ownership. The ASF licenses this file 006* to you under the Apache License, Version 2.0 (the 007* "License"); you may not use this file except in compliance 008* with the License. You may obtain a copy of the License at 009* 010* http://www.apache.org/licenses/LICENSE-2.0 011* 012* Unless required by applicable law or agreed to in writing, software 013* distributed under the License is distributed on an "AS IS" BASIS, 014* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015* See the License for the specific language governing permissions and 016* limitations under the License. 017*/ 018 019package org.apache.hadoop.yarn.security.client; 020 021import javax.crypto.SecretKey; 022 023import org.apache.hadoop.classification.InterfaceAudience.Private; 024import org.apache.hadoop.classification.InterfaceAudience.Public; 025import org.apache.hadoop.classification.InterfaceStability.Evolving; 026import org.apache.hadoop.security.token.SecretManager; 027import org.apache.hadoop.yarn.api.records.ApplicationAttemptId; 028 029/** 030 * A base {@link SecretManager} for AMs to extend and validate Client-RM tokens 031 * issued to clients by the RM using the underlying master-key shared by RM to 032 * the AMs on their launch. All the methods are called by either Hadoop RPC or 033 * YARN, so this class is strictly for the purpose of inherit/extend and 034 * register with Hadoop RPC. 035 */ 036@Public 037@Evolving 038public abstract class BaseClientToAMTokenSecretManager extends 039 SecretManager<ClientToAMTokenIdentifier> { 040 041 @Private 042 public abstract SecretKey getMasterKey( 043 ApplicationAttemptId applicationAttemptId); 044 045 @Private 046 @Override 047 public synchronized byte[] createPassword( 048 ClientToAMTokenIdentifier identifier) { 049 return createPassword(identifier.getBytes(), 050 getMasterKey(identifier.getApplicationAttemptID())); 051 } 052 053 @Private 054 @Override 055 public byte[] retrievePassword(ClientToAMTokenIdentifier identifier) 056 throws SecretManager.InvalidToken { 057 SecretKey masterKey = getMasterKey(identifier.getApplicationAttemptID()); 058 if (masterKey == null) { 059 throw new SecretManager.InvalidToken("Illegal client-token!"); 060 } 061 return createPassword(identifier.getBytes(), masterKey); 062 } 063 064 @Private 065 @Override 066 public ClientToAMTokenIdentifier createIdentifier() { 067 return new ClientToAMTokenIdentifier(); 068 } 069 070}