org.apache.hadoop.security.token.delegation.web

Class DelegationTokenAuthenticatedURL

java.lang.Object

org.apache.hadoop.security.authentication.client.AuthenticatedURL

org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL

@InterfaceAudience.Public
 @InterfaceStability.Unstable
public class DelegationTokenAuthenticatedURL
extends org.apache.hadoop.security.authentication.client.AuthenticatedURL

The DelegationTokenAuthenticatedURL is a AuthenticatedURL sub-class with built-in Hadoop Delegation Token functionality.

The authentication mechanisms supported by default are Hadoop Simple authentication (also known as pseudo authentication) and Kerberos SPNEGO authentication.

Additional authentication mechanisms can be supported via DelegationTokenAuthenticator implementations.

The default DelegationTokenAuthenticator is the KerberosDelegationTokenAuthenticator class which supports automatic fallback from Kerberos SPNEGO to Hadoop Simple authentication via the PseudoDelegationTokenAuthenticator class.

AuthenticatedURL instances are not thread-safe.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	DelegationTokenAuthenticatedURL.Token Client side authentication token that handles Delegation Tokens.

Field Summary

Fields inherited from class org.apache.hadoop.security.authentication.client.AuthenticatedURL

AUTH_COOKIE

Constructor Summary

Constructors

Constructor and Description
DelegationTokenAuthenticatedURL() Creates an DelegationTokenAuthenticatedURL.
DelegationTokenAuthenticatedURL(org.apache.hadoop.security.authentication.client.ConnectionConfigurator connConfigurator) Creates an DelegationTokenAuthenticatedURL using the default DelegationTokenAuthenticator class.
DelegationTokenAuthenticatedURL(DelegationTokenAuthenticator authenticator) Creates an DelegationTokenAuthenticatedURL.
DelegationTokenAuthenticatedURL(DelegationTokenAuthenticator authenticator, org.apache.hadoop.security.authentication.client.ConnectionConfigurator connConfigurator) Creates an DelegationTokenAuthenticatedURL.

Method Summary

Modifier and Type	Method and Description
void	cancelDelegationToken(URL url, DelegationTokenAuthenticatedURL.Token token) Cancels a delegation token from the server end-point.
void	cancelDelegationToken(URL url, DelegationTokenAuthenticatedURL.Token token, String doAsUser) Cancels a delegation token from the server end-point.
static Class<? extends DelegationTokenAuthenticator>	getDefaultDelegationTokenAuthenticator() Returns the default DelegationTokenAuthenticator class to use when an DelegationTokenAuthenticatedURL instance is created without specifying one.
Token<AbstractDelegationTokenIdentifier>	getDelegationToken(URL url, DelegationTokenAuthenticatedURL.Token token, String renewer) Requests a delegation token using the configured Authenticator for authentication.
Token<AbstractDelegationTokenIdentifier>	getDelegationToken(URL url, DelegationTokenAuthenticatedURL.Token token, String renewer, String doAsUser) Requests a delegation token using the configured Authenticator for authentication.
HttpURLConnection	openConnection(URL url, org.apache.hadoop.security.authentication.client.AuthenticatedURL.Token token) Returns an authenticated HttpURLConnection, it uses a Delegation Token only if the given auth token is an instance of DelegationTokenAuthenticatedURL.Token and it contains a Delegation Token, otherwise use the configured DelegationTokenAuthenticator to authenticate the connection.
HttpURLConnection	openConnection(URL url, DelegationTokenAuthenticatedURL.Token token) Returns an authenticated HttpURLConnection.
HttpURLConnection	openConnection(URL url, DelegationTokenAuthenticatedURL.Token token, String doAs) Returns an authenticated HttpURLConnection.
long	renewDelegationToken(URL url, DelegationTokenAuthenticatedURL.Token token) Renews a delegation token from the server end-point using the configured Authenticator for authentication.
long	renewDelegationToken(URL url, DelegationTokenAuthenticatedURL.Token token, String doAsUser) Renews a delegation token from the server end-point using the configured Authenticator for authentication.
static void	setDefaultDelegationTokenAuthenticator(Class<? extends DelegationTokenAuthenticator> authenticator) Sets the default DelegationTokenAuthenticator class to use when an DelegationTokenAuthenticatedURL instance is created without specifying one.
protected void	setUseQueryStringForDelegationToken(boolean useQueryString) Deprecated.
boolean	useQueryStringForDelegationToken() Returns if delegation token is transmitted as a HTTP header.

Methods inherited from class org.apache.hadoop.security.authentication.client.AuthenticatedURL

extractToken, getAuthenticator, getDefaultAuthenticator, injectToken, setDefaultAuthenticator

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

DelegationTokenAuthenticatedURL

public DelegationTokenAuthenticatedURL()

Creates an DelegationTokenAuthenticatedURL.

An instance of the default DelegationTokenAuthenticator will be used.

DelegationTokenAuthenticatedURL

public DelegationTokenAuthenticatedURL(DelegationTokenAuthenticator authenticator)

Creates an DelegationTokenAuthenticatedURL.

Parameters:

authenticator - the DelegationTokenAuthenticator instance to use, if null the default one will be used.

DelegationTokenAuthenticatedURL

public DelegationTokenAuthenticatedURL(org.apache.hadoop.security.authentication.client.ConnectionConfigurator connConfigurator)

Creates an DelegationTokenAuthenticatedURL using the default DelegationTokenAuthenticator class.

Parameters:

connConfigurator - a connection configurator.

DelegationTokenAuthenticatedURL

public DelegationTokenAuthenticatedURL(DelegationTokenAuthenticator authenticator,
                                       org.apache.hadoop.security.authentication.client.ConnectionConfigurator connConfigurator)

Creates an DelegationTokenAuthenticatedURL.

Parameters:

authenticator - the DelegationTokenAuthenticator instance to use, if null the default one will be used.

connConfigurator - a connection configurator.

Method Detail

setDefaultDelegationTokenAuthenticator

public static void setDefaultDelegationTokenAuthenticator(Class<? extends DelegationTokenAuthenticator> authenticator)

Sets the default DelegationTokenAuthenticator class to use when an DelegationTokenAuthenticatedURL instance is created without specifying one. The default class is KerberosDelegationTokenAuthenticator

Parameters:

authenticator - the authenticator class to use as default.

getDefaultDelegationTokenAuthenticator

public static Class<? extends DelegationTokenAuthenticator> getDefaultDelegationTokenAuthenticator()

Returns the default DelegationTokenAuthenticator class to use when an DelegationTokenAuthenticatedURL instance is created without specifying one.

The default class is KerberosDelegationTokenAuthenticator

Returns:

the delegation token authenticator class to use as default.

setUseQueryStringForDelegationToken

@Deprecated
protected void setUseQueryStringForDelegationToken(boolean useQueryString)

Deprecated.

Sets if delegation token should be transmitted in the URL query string. By default it is transmitted using the DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER HTTP header.

This method is provided to enable WebHDFS backwards compatibility.

Parameters:

useQueryString - TRUE if the token is transmitted in the URL query string, FALSE if the delegation token is transmitted using the DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER HTTP header.

useQueryStringForDelegationToken

public boolean useQueryStringForDelegationToken()

Returns if delegation token is transmitted as a HTTP header.

Returns:

TRUE if the token is transmitted in the URL query string, FALSE if the delegation token is transmitted using the DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER HTTP header.

openConnection

public HttpURLConnection openConnection(URL url,
                                        org.apache.hadoop.security.authentication.client.AuthenticatedURL.Token token)
                                 throws IOException,
                                        org.apache.hadoop.security.authentication.client.AuthenticationException

Returns an authenticated HttpURLConnection, it uses a Delegation Token only if the given auth token is an instance of DelegationTokenAuthenticatedURL.Token and it contains a Delegation Token, otherwise use the configured DelegationTokenAuthenticator to authenticate the connection.

Overrides:

openConnection in class org.apache.hadoop.security.authentication.client.AuthenticatedURL

Parameters:

url - the URL to connect to. Only HTTP/S URLs are supported.

token - the authentication token being used for the user.

Returns:

an authenticated HttpURLConnection.

Throws:

IOException - if an IO error occurred.

org.apache.hadoop.security.authentication.client.AuthenticationException - if an authentication exception occurred.

openConnection

public HttpURLConnection openConnection(URL url,
                                        DelegationTokenAuthenticatedURL.Token token)
                                 throws IOException,
                                        org.apache.hadoop.security.authentication.client.AuthenticationException

Returns an authenticated HttpURLConnection. If the Delegation Token is present, it will be used taking precedence over the configured Authenticator.

Parameters:

url - the URL to connect to. Only HTTP/S URLs are supported.

token - the authentication token being used for the user.

Returns:

an authenticated HttpURLConnection.

Throws:

IOException - if an IO error occurred.

org.apache.hadoop.security.authentication.client.AuthenticationException - if an authentication exception occurred.

openConnection

public HttpURLConnection openConnection(URL url,
                                        DelegationTokenAuthenticatedURL.Token token,
                                        String doAs)
                                 throws IOException,
                                        org.apache.hadoop.security.authentication.client.AuthenticationException

Returns an authenticated HttpURLConnection. If the Delegation Token is present, it will be used taking precedence over the configured Authenticator. If the doAs parameter is not NULL, the request will be done on behalf of the specified doAs user.

Parameters:

url - the URL to connect to. Only HTTP/S URLs are supported.

token - the authentication token being used for the user.

doAs - user to do the the request on behalf of, if NULL the request is as self.

Returns:

an authenticated HttpURLConnection.

Throws:

IOException - if an IO error occurred.

org.apache.hadoop.security.authentication.client.AuthenticationException - if an authentication exception occurred.

getDelegationToken

public Token<AbstractDelegationTokenIdentifier> getDelegationToken(URL url,
                                                                   DelegationTokenAuthenticatedURL.Token token,
                                                                   String renewer)
                                                            throws IOException,
                                                                   org.apache.hadoop.security.authentication.client.AuthenticationException

Requests a delegation token using the configured Authenticator for authentication.

Parameters:

url - the URL to get the delegation token from. Only HTTP/S URLs are supported.

token - the authentication token being used for the user where the Delegation token will be stored.

renewer - the renewer user.

Returns:

a delegation token.

Throws:

IOException - if an IO error occurred.

org.apache.hadoop.security.authentication.client.AuthenticationException - if an authentication exception occurred.

getDelegationToken

public Token<AbstractDelegationTokenIdentifier> getDelegationToken(URL url,
                                                                   DelegationTokenAuthenticatedURL.Token token,
                                                                   String renewer,
                                                                   String doAsUser)
                                                            throws IOException,
                                                                   org.apache.hadoop.security.authentication.client.AuthenticationException

Requests a delegation token using the configured Authenticator for authentication.

Parameters:

url - the URL to get the delegation token from. Only HTTP/S URLs are supported.

token - the authentication token being used for the user where the Delegation token will be stored.

renewer - the renewer user.

doAsUser - the user to do as, which will be the token owner.

Returns:

a delegation token.

Throws:

IOException - if an IO error occurred.

org.apache.hadoop.security.authentication.client.AuthenticationException - if an authentication exception occurred.

renewDelegationToken

public long renewDelegationToken(URL url,
                                 DelegationTokenAuthenticatedURL.Token token)
                          throws IOException,
                                 org.apache.hadoop.security.authentication.client.AuthenticationException

Renews a delegation token from the server end-point using the configured Authenticator for authentication.

Parameters:

url - the URL to renew the delegation token from. Only HTTP/S URLs are supported.

token - the authentication token with the Delegation Token to renew.

Throws:

IOException - if an IO error occurred.

org.apache.hadoop.security.authentication.client.AuthenticationException - if an authentication exception occurred.

renewDelegationToken

public long renewDelegationToken(URL url,
                                 DelegationTokenAuthenticatedURL.Token token,
                                 String doAsUser)
                          throws IOException,
                                 org.apache.hadoop.security.authentication.client.AuthenticationException

Renews a delegation token from the server end-point using the configured Authenticator for authentication.

Parameters:

url - the URL to renew the delegation token from. Only HTTP/S URLs are supported.

token - the authentication token with the Delegation Token to renew.

doAsUser - the user to do as, which will be the token owner.

Throws:

IOException - if an IO error occurred.

org.apache.hadoop.security.authentication.client.AuthenticationException - if an authentication exception occurred.

cancelDelegationToken

public void cancelDelegationToken(URL url,
                                  DelegationTokenAuthenticatedURL.Token token)
                           throws IOException

Cancels a delegation token from the server end-point. It does not require being authenticated by the configured Authenticator.

Parameters:

url - the URL to cancel the delegation token from. Only HTTP/S URLs are supported.

token - the authentication token with the Delegation Token to cancel.

Throws:

IOException - if an IO error occurred.

cancelDelegationToken

public void cancelDelegationToken(URL url,
                                  DelegationTokenAuthenticatedURL.Token token,
                                  String doAsUser)
                           throws IOException

Cancels a delegation token from the server end-point. It does not require being authenticated by the configured Authenticator.

Parameters:

url - the URL to cancel the delegation token from. Only HTTP/S URLs are supported.

token - the authentication token with the Delegation Token to cancel.

doAsUser - the user to do as, which will be the token owner.

Throws:

IOException - if an IO error occurred.