Class DelegationTokenAuthenticatedURL

java.lang.Object
org.apache.hadoop.security.authentication.client.AuthenticatedURL
org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL

@Public @Unstable public class DelegationTokenAuthenticatedURL extends org.apache.hadoop.security.authentication.client.AuthenticatedURL
The DelegationTokenAuthenticatedURL is an AuthenticatedURL subclass with built-in Hadoop Delegation Token functionality.

The authentication mechanisms supported by default are Hadoop Simple authentication (also known as pseudo authentication) and Kerberos SPNEGO authentication.

Additional authentication mechanisms can be supported via DelegationTokenAuthenticator implementations.

The default DelegationTokenAuthenticator is the KerberosDelegationTokenAuthenticator class, which supports automatic fallback from Kerberos SPNEGO to Hadoop Simple authentication via the PseudoDelegationTokenAuthenticator class.

AuthenticatedURL instances are not thread-safe.

  • Constructor Details

    • DelegationTokenAuthenticatedURL

      public DelegationTokenAuthenticatedURL()
      Creates a DelegationTokenAuthenticatedURL.

      An instance of the default DelegationTokenAuthenticator will be used.

    • DelegationTokenAuthenticatedURL

      public DelegationTokenAuthenticatedURL(DelegationTokenAuthenticator authenticator)
      Creates a DelegationTokenAuthenticatedURL.
      Parameters:
      authenticator - the DelegationTokenAuthenticator instance to use; if null, the default one will be used.
    • DelegationTokenAuthenticatedURL

      public DelegationTokenAuthenticatedURL(org.apache.hadoop.security.authentication.client.ConnectionConfigurator connConfigurator)
      Creates a DelegationTokenAuthenticatedURL using the default DelegationTokenAuthenticator class.
      Parameters:
      connConfigurator - a connection configurator.
    • DelegationTokenAuthenticatedURL

      public DelegationTokenAuthenticatedURL(DelegationTokenAuthenticator authenticator, org.apache.hadoop.security.authentication.client.ConnectionConfigurator connConfigurator)
      Creates a DelegationTokenAuthenticatedURL.
      Parameters:
      authenticator - the DelegationTokenAuthenticator instance to use; if null, the default one will be used.
      connConfigurator - a connection configurator.
  • Method Details

    • setDefaultDelegationTokenAuthenticator

      public static void setDefaultDelegationTokenAuthenticator(Class<? extends DelegationTokenAuthenticator> authenticator)
      Sets the default DelegationTokenAuthenticator class to use when a DelegationTokenAuthenticatedURL instance is created without specifying one. The default class is KerberosDelegationTokenAuthenticator.
      Parameters:
      authenticator - the authenticator class to use as default.
    • getDefaultDelegationTokenAuthenticator

      public static Class<? extends DelegationTokenAuthenticator> getDefaultDelegationTokenAuthenticator()
      Returns the default DelegationTokenAuthenticator class to use when a DelegationTokenAuthenticatedURL instance is created without specifying one.

      The default class is KerberosDelegationTokenAuthenticator.

      Returns:
      the delegation token authenticator class to use as default.
    • setUseQueryStringForDelegationToken

      @Deprecated protected void setUseQueryStringForDelegationToken(boolean useQueryString)
      Deprecated.
      Sets whether the delegation token is transmitted in the URL query string. By default it is transmitted using the DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER HTTP header.

      This method is provided to enable WebHDFS backwards compatibility.

      Parameters:
      useQueryString - TRUE if the token is transmitted in the URL query string, FALSE if the delegation token is transmitted using the DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER HTTP header.
    • useQueryStringForDelegationToken

      public boolean useQueryStringForDelegationToken()
      Returns whether the delegation token is transmitted in the URL query string or as an HTTP header.
      Returns:
      TRUE if the token is transmitted in the URL query string, FALSE if the delegation token is transmitted using the DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER HTTP header.
    • openConnection

      public HttpURLConnection openConnection(URL url, org.apache.hadoop.security.authentication.client.AuthenticatedURL.Token token) throws IOException, org.apache.hadoop.security.authentication.client.AuthenticationException
      Returns an authenticated HttpURLConnection. It uses a Delegation Token only if the given auth token is an instance of DelegationTokenAuthenticatedURL.Token and it contains a Delegation Token; otherwise it uses the configured DelegationTokenAuthenticator to authenticate the connection.
      Overrides:
      openConnection in class org.apache.hadoop.security.authentication.client.AuthenticatedURL
      Parameters:
      url - the URL to connect to. Only HTTP/S URLs are supported.
      token - the authentication token being used for the user.
      Returns:
      an authenticated HttpURLConnection.
      Throws:
      IOException - if an IO error occurred.
      org.apache.hadoop.security.authentication.client.AuthenticationException - if an authentication exception occurred.
    • openConnection

      public HttpURLConnection openConnection(URL url, DelegationTokenAuthenticatedURL.Token token) throws IOException, org.apache.hadoop.security.authentication.client.AuthenticationException
      Returns an authenticated HttpURLConnection. If the Delegation Token is present, it is used and takes precedence over the configured Authenticator.
      Parameters:
      url - the URL to connect to. Only HTTP/S URLs are supported.
      token - the authentication token being used for the user.
      Returns:
      an authenticated HttpURLConnection.
      Throws:
      IOException - if an IO error occurred.
      org.apache.hadoop.security.authentication.client.AuthenticationException - if an authentication exception occurred.
    • openConnection

      public HttpURLConnection openConnection(URL url, DelegationTokenAuthenticatedURL.Token token, String doAs) throws IOException, org.apache.hadoop.security.authentication.client.AuthenticationException
      Returns an authenticated HttpURLConnection. If the Delegation Token is present, it is used and takes precedence over the configured Authenticator. If the doAs parameter is not NULL, the request will be done on behalf of the specified doAs user.
      Parameters:
      url - the URL to connect to. Only HTTP/S URLs are supported.
      token - the authentication token being used for the user.
      doAs - user to do the request on behalf of; if NULL, the request is made as self.
      Returns:
      an authenticated HttpURLConnection.
      Throws:
      IOException - if an IO error occurred.
      org.apache.hadoop.security.authentication.client.AuthenticationException - if an authentication exception occurred.
    • selectDelegationToken

      @Private public Token<? extends TokenIdentifier> selectDelegationToken(URL url, Credentials creds)
      Select a delegation token from all tokens in credentials, based on url.
      Parameters:
      url - url.
      creds - credentials.
      Returns:
      token.
    • getDelegationToken

      public Token<AbstractDelegationTokenIdentifier> getDelegationToken(URL url, DelegationTokenAuthenticatedURL.Token token, String renewer) throws IOException, org.apache.hadoop.security.authentication.client.AuthenticationException
      Requests a delegation token using the configured Authenticator for authentication.
      Parameters:
      url - the URL to get the delegation token from. Only HTTP/S URLs are supported.
      token - the authentication token being used for the user where the Delegation token will be stored.
      renewer - the renewer user.
      Returns:
      a delegation token.
      Throws:
      IOException - if an IO error occurred.
      org.apache.hadoop.security.authentication.client.AuthenticationException - if an authentication exception occurred.
    • getDelegationToken

      public Token<AbstractDelegationTokenIdentifier> getDelegationToken(URL url, DelegationTokenAuthenticatedURL.Token token, String renewer, String doAsUser) throws IOException, org.apache.hadoop.security.authentication.client.AuthenticationException
      Requests a delegation token using the configured Authenticator for authentication.
      Parameters:
      url - the URL to get the delegation token from. Only HTTP/S URLs are supported.
      token - the authentication token being used for the user where the Delegation token will be stored.
      renewer - the renewer user.
      doAsUser - the user to do as, which will be the token owner.
      Returns:
      a delegation token.
      Throws:
      IOException - if an IO error occurred.
      org.apache.hadoop.security.authentication.client.AuthenticationException - if an authentication exception occurred.
    • renewDelegationToken

      public long renewDelegationToken(URL url, DelegationTokenAuthenticatedURL.Token token) throws IOException, org.apache.hadoop.security.authentication.client.AuthenticationException
      Renews a delegation token from the server end-point using the configured Authenticator for authentication.
      Parameters:
      url - the URL to renew the delegation token from. Only HTTP/S URLs are supported.
      token - the authentication token with the Delegation Token to renew.
      Returns:
      delegation token long value.
      Throws:
      IOException - if an IO error occurred.
      org.apache.hadoop.security.authentication.client.AuthenticationException - if an authentication exception occurred.
    • renewDelegationToken

      public long renewDelegationToken(URL url, DelegationTokenAuthenticatedURL.Token token, String doAsUser) throws IOException, org.apache.hadoop.security.authentication.client.AuthenticationException
      Renews a delegation token from the server end-point using the configured Authenticator for authentication.
      Parameters:
      url - the URL to renew the delegation token from. Only HTTP/S URLs are supported.
      token - the authentication token with the Delegation Token to renew.
      doAsUser - the user to do as, which will be the token owner.
      Returns:
      delegation token long value.
      Throws:
      IOException - if an IO error occurred.
      org.apache.hadoop.security.authentication.client.AuthenticationException - if an authentication exception occurred.
    • cancelDelegationToken

      public void cancelDelegationToken(URL url, DelegationTokenAuthenticatedURL.Token token) throws IOException
      Cancels a delegation token from the server end-point. It does not require being authenticated by the configured Authenticator.
      Parameters:
      url - the URL to cancel the delegation token from. Only HTTP/S URLs are supported.
      token - the authentication token with the Delegation Token to cancel.
      Throws:
      IOException - if an IO error occurred.
    • cancelDelegationToken

      public void cancelDelegationToken(URL url, DelegationTokenAuthenticatedURL.Token token, String doAsUser) throws IOException
      Cancels a delegation token from the server end-point. It does not require being authenticated by the configured Authenticator.
      Parameters:
      url - the URL to cancel the delegation token from. Only HTTP/S URLs are supported.
      token - the authentication token with the Delegation Token to cancel.
      doAsUser - the user to do as, which will be the token owner.
      Throws:
      IOException - if an IO error occurred.