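/**
 * Cancel a token by removing it from the cache of current tokens.
 *
 * <p>Authorization is decided from the caller identity only: the request is
 * allowed when {@code canceller} equals the token owner's user name, or when the
 * canceller's Kerberos short name equals the token's renewer. The token's
 * password is not read here, so cancellation relies on {@code canceller} being
 * an authenticated principal. A token with no owner is rejected as invalid.
 *
 * @param token the token to cancel; only its identifier bytes are used
 * @param canceller the principal requesting cancellation
 * @return identifier of the canceled token
 * @throws InvalidToken for a token with no owner, or one not present in the cache
 * @throws AccessControlException if the canceller is neither the owner nor the renewer
 * @throws IOException if the token identifier cannot be deserialized
 */
public synchronized TokenIdent cancelToken(Token<TokenIdent> token, String canceller)
    throws IOException {
  TokenIdent id = createIdentifier();
  try (DataInputStream in =
      new DataInputStream(new ByteArrayInputStream(token.getIdentifier()))) {
    id.readFields(in);
  }
  LOG.info("Token cancelation requested for identifier: " + id);
  if (id.getUser() == null) {
    throw new InvalidToken("Token with no owner");
  }
  String owner = id.getUser().getUserName();
  Text renewer = id.getRenewer();
  // The owner check compares the canceller string as given against the owner's
  // user name; the renewer check compares the canceller's Kerberos short name.
  String cancelerShortName = new KerberosName(canceller).getShortName();
  boolean isOwner = canceller.equals(owner);
  boolean isRenewer = renewer != null
      && !"".equals(renewer.toString())
      && cancelerShortName.equals(renewer.toString());
  if (!isOwner && !isRenewer) {
    throw new AccessControlException(canceller + " is not authorized to cancel the token");
  }
  // remove() doubles as the existence check: a null result means no such token
  // is currently cached.
  DelegationTokenInformation info = currentTokens.remove(id);
  if (info == null) {
    throw new InvalidToken("Token not found");
  }
  return id;
}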
/**
 * Look up the password for an issued token identifier.
 *
 * @param identifier identifier of the token whose password is requested
 * @return the password cached for this identifier
 * @throws InvalidToken if the identifier is not cached, or its renew date has passed
 */
@Override
public synchronized byte[] retrievePassword(TokenIdent identifier) throws InvalidToken {
  DelegationTokenInformation entry = currentTokens.get(identifier);
  if (entry == null) {
    throw new InvalidToken("token (" + identifier.toString() + ") can't be found in cache");
  }
  long nowMillis = System.currentTimeMillis();
  // A cached entry whose renew date is in the past is treated as expired.
  boolean expired = entry.getRenewDate() < nowMillis;
  if (expired) {
    throw new InvalidToken("token (" + identifier.toString() + ") is expired");
  }
  return entry.getPassword();
}
/**
 * Issue a new token: stamp the identifier with its issue date, max date, the
 * current master key id and a fresh sequence number, derive its password under
 * the current key, and cache it.
 *
 * @param identifier the identifier to populate; it is mutated in place
 * @return the password derived from the populated identifier and the current master key
 */
@Override
protected synchronized byte[] createPassword(TokenIdent identifier) {
  LOG.info("Creating password for identifier: " + identifier);
  long issueTime = System.currentTimeMillis();
  // Sequence numbers come from a counter that is incremented on every issue.
  int sequenceNum = ++delegationTokenSequenceNumber;
  identifier.setIssueDate(issueTime);
  identifier.setMaxDate(issueTime + tokenMaxLifetime);
  identifier.setMasterKeyId(currentId);
  identifier.setSequenceNumber(sequenceNum);
  byte[] password = createPassword(identifier.getBytes(), currentKey.getKey());
  DelegationTokenInformation info =
      new DelegationTokenInformation(issueTime + tokenRenewInterval, password);
  currentTokens.put(identifier, info);
  return password;
}
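/**
 * Renew a delegation token.
 *
 * <p>The caller must present the full token (identifier and password): the
 * password is recomputed from the identifier bytes under the master key named
 * by the identifier and must match the presented one before the cached renew
 * date is advanced. The new expiration never exceeds the token's max date.
 *
 * @param token the token to renew
 * @param renewer the full principal name of the user doing the renewal
 * @return the new expiration time
 * @throws InvalidToken if the token is past its max date, its master key is
 *     unknown, or it is not in the cache
 * @throws AccessControlException if the token names no renewer, {@code renewer}
 *     is not that renewer, or the presented password does not match
 * @throws IOException if the token identifier cannot be deserialized
 */
public synchronized long renewToken(Token<TokenIdent> token, String renewer)
    throws InvalidToken, IOException {
  long now = System.currentTimeMillis();
  TokenIdent id = createIdentifier();
  try (DataInputStream in =
      new DataInputStream(new ByteArrayInputStream(token.getIdentifier()))) {
    id.readFields(in);
  }
  LOG.info("Token renewal requested for identifier: " + id);
  if (id.getMaxDate() < now) {
    throw new InvalidToken("User " + renewer + " tried to renew an expired token");
  }
  if ((id.getRenewer() == null) || ("".equals(id.getRenewer().toString()))) {
    throw new AccessControlException(
        "User " + renewer + " tried to renew a token without " + "a renewer");
  }
  if (!id.getRenewer().toString().equals(renewer)) {
    throw new AccessControlException(
        "Client " + renewer + " tries to renew a token with "
            + "renewer specified as " + id.getRenewer());
  }
  DelegationKey key = allKeys.get(id.getMasterKeyId());
  if (key == null) {
    throw new InvalidToken(
        "Unable to find master key for keyId=" + id.getMasterKeyId()
            + " from cache. Failed to renew an unexpired token"
            + " with sequenceNumber=" + id.getSequenceNumber());
  }
  byte[] password = createPassword(token.getIdentifier(), key.getKey());
  // Constant-time comparison: Arrays.equals stops at the first differing byte,
  // which leaks how much of the presented password was correct. isEqual has the
  // same null semantics (both null -> true, one null -> false).
  if (!java.security.MessageDigest.isEqual(password, token.getPassword())) {
    throw new AccessControlException(
        "Client " + renewer + " is trying to renew a token with " + "wrong password");
  }
  long renewTime = Math.min(id.getMaxDate(), now + tokenRenewInterval);
  DelegationTokenInformation info = new DelegationTokenInformation(renewTime, password);
  // A token whose password verified but which is no longer cached (e.g. already
  // cancelled) must not be re-inserted by the renewal.
  if (currentTokens.get(id) == null) {
    throw new InvalidToken("Renewal request for unknown token");
  }
  currentTokens.put(id, info);
  return renewTime;
}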