/**
   * Sets the connector information needed to communicate with Accumulo in this job.
   *
   * <p><b>WARNING:</b> Some tokens, when serialized, divulge sensitive information in the
   * configuration as a means to pass the token to MapReduce tasks. This information is BASE64
   * encoded to provide a charset safe conversion to a string, but this conversion is not intended
   * to be secure. {@link PasswordToken} is one example that is insecure in this way; however {@link
   * DelegationToken}s, acquired using {@link
   * SecurityOperations#getDelegationToken(DelegationTokenConfig)}, is not subject to this concern.
   *
   * @param job the Hadoop job instance to be configured
   * @param principal a valid Accumulo user name (user must have Table.CREATE permission)
   * @param token the user's password
   * @since 1.5.0
   */
  public static void setConnectorInfo(JobConf job, String principal, AuthenticationToken token)
      throws AccumuloSecurityException {
    if (token instanceof KerberosToken) {
      log.info("Received KerberosToken, attempting to fetch DelegationToken");
      try {
        Instance instance = getInstance(job);
        Connector conn = instance.getConnector(principal, token);
        token = conn.securityOperations().getDelegationToken(new DelegationTokenConfig());
      } catch (Exception e) {
        log.warn(
            "Failed to automatically obtain DelegationToken, Mappers/Reducers will likely fail to communicate with Accumulo",
            e);
      }
    }
    // DelegationTokens can be passed securely from user to task without serializing insecurely in
    // the configuration
    if (token instanceof DelegationTokenImpl) {
      DelegationTokenImpl delegationToken = (DelegationTokenImpl) token;

      // Convert it into a Hadoop Token
      AuthenticationTokenIdentifier identifier = delegationToken.getIdentifier();
      Token<AuthenticationTokenIdentifier> hadoopToken =
          new Token<>(
              identifier.getBytes(),
              delegationToken.getPassword(),
              identifier.getKind(),
              delegationToken.getServiceName());

      // Add the Hadoop Token to the Job so it gets serialized and passed along.
      job.getCredentials().addToken(hadoopToken.getService(), hadoopToken);
    }

    InputConfigurator.setConnectorInfo(CLASS, job, principal, token);
  }
Esempio n. 2
0
 @Override
 public void mergeCredentials(JobConf dest, JobConf src) throws IOException {
   dest.getCredentials().mergeAll(src.getCredentials());
 }
Esempio n. 3
0
 // retrieve the password from the credentials object
 public static String getPassword(JobConf configuration) {
   LOG.debug("Fetching password from job credentials store");
   byte[] secret = configuration.getCredentials().getSecretKey(PASSWORD_SECRET_KEY);
   return secret != null ? new String(secret) : null;
 }
Esempio n. 4
0
 @Override
 public void getMergedCredentials(JobConf jobConf) throws IOException {
   jobConf.getCredentials().mergeAll(UserGroupInformation.getCurrentUser().getCredentials());
 }
Esempio n. 5
0
 // set the password in the secure credentials object
 private static void setPassword(JobConf configuration, String password) {
   LOG.debug("Securing password into job credentials store");
   configuration.getCredentials().addSecretKey(PASSWORD_SECRET_KEY, password.getBytes());
 }