001/**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018
019package org.apache.hadoop.security.alias;
020
021import java.io.IOException;
022import java.util.List;
023
024import org.apache.hadoop.classification.InterfaceAudience;
025import org.apache.hadoop.classification.InterfaceStability;
026
027/**
028 * A provider of credentials or password for Hadoop applications. Provides an
029 * abstraction to separate credential storage from users of them. It
030 * is intended to support getting or storing passwords in a variety of ways,
031 * including third party bindings.
032 */
033@InterfaceAudience.Public
034@InterfaceStability.Unstable
035public abstract class CredentialProvider {
036  public static final String CLEAR_TEXT_FALLBACK 
037      = "hadoop.security.credential.clear-text-fallback";
038
039  /**
040   * The combination of both the alias and the actual credential value.
041   */
042  public static class CredentialEntry {
043    private final String alias;
044    private final char[] credential;
045
046    protected CredentialEntry(String alias,
047                         char[] credential) {
048      this.alias = alias;
049      this.credential = credential;
050    }
051
052    public String getAlias() {
053      return alias;
054    }
055
056    public char[] getCredential() {
057      return credential;
058    }
059
060    public String toString() {
061      StringBuilder buf = new StringBuilder();
062      buf.append("alias(");
063      buf.append(alias);
064      buf.append(")=");
065      if (credential == null) {
066        buf.append("null");
067      } else {
068        for(char c: credential) {
069          buf.append(c);
070        }
071      }
072      return buf.toString();
073    }
074  }
075
076  /**
077   * Indicates whether this provider represents a store
078   * that is intended for transient use - such as the UserProvider
079   * is. These providers are generally used to provide job access to
080   * passwords rather than for long term storage.
081   * @return true if transient, false otherwise
082   */
083  public boolean isTransient() {
084    return false;
085  }
086
087  /**
088   * Ensures that any changes to the credentials are written to persistent
089   * store.
090   * @throws IOException
091   */
092  public abstract void flush() throws IOException;
093
094  /**
095   * Get the credential entry for a specific alias.
096   * @param alias the name of a specific credential
097   * @return the credentialEntry
098   * @throws IOException
099   */
100  public abstract CredentialEntry getCredentialEntry(String alias) 
101      throws IOException;
102
103  /**
104   * Get the aliases for all credentials.
105   * @return the list of alias names
106   * @throws IOException
107   */
108  public abstract List<String> getAliases() throws IOException;
109
110  /**
111   * Create a new credential. The given alias must not already exist.
112   * @param name the alias of the credential
113   * @param credential the credential value for the alias.
114   * @throws IOException
115   */
116  public abstract CredentialEntry createCredentialEntry(String name, 
117      char[] credential) throws IOException;
118
119  /**
120   * Delete the given credential.
121   * @param name the alias of the credential to delete
122   * @throws IOException
123   */
124  public abstract void deleteCredentialEntry(String name) throws IOException;
125
126  /**
127   * Does this provider require a password? This means that a password is
128   * required for normal operation, and it has not been found through normal
129   * means. If true, the password should be provided by the caller using
130   * setPassword().
131   * @return Whether or not the provider requires a password
132   * @throws IOException
133   */
134  public boolean needsPassword() throws IOException {
135    return false;
136  }
137
138  /**
139   * If a password for the provider is needed, but is not provided, this will
140   * return a warning and instructions for supplying said password to the
141   * provider.
142   * @return A warning and instructions for supplying the password
143   */
144  public String noPasswordWarning() {
145    return null;
146  }
147
148  /**
149   * If a password for the provider is needed, but is not provided, this will
150   * return an error message and instructions for supplying said password to
151   * the provider.
152   * @return An error message and instructions for supplying the password
153   */
154  public String noPasswordError() {
155    return null;
156  }
157}