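   /**
   * Cancel a token by removing it from the cache.
   *
   * @param token the token to cancel
   * @param canceller name of the user requesting the cancellation; must equal the token owner,
   *     or have a short name equal to the token's renewer
   * @return Identifier of the canceled token
   * @throws InvalidToken if the token has no owner or is not found in the cache
   * @throws AccessControlException if the user isn't allowed to cancel
   */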
  public synchronized TokenIdent cancelToken(Token<TokenIdent> token, String canceller)
      throws IOException {
    // Rebuild the identifier from the serialized bytes carried by the token. Those bytes are
    // supplied by the caller, so every field read from `id` below is caller-provided data.
    final DataInputStream serialized =
        new DataInputStream(new ByteArrayInputStream(token.getIdentifier()));
    final TokenIdent id = createIdentifier();
    id.readFields(serialized);
    // NOTE(review): the identifier is logged before any validation; if its string form includes
    // caller-controlled text, confirm the log sink handles embedded control characters.
    LOG.info("Token cancelation requested for identifier: " + id);

    if (id.getUser() == null) {
      throw new InvalidToken("Token with no owner");
    }
    final String owner = id.getUser().getUserName();
    final Text renewer = id.getRenewer();
    // Resolved unconditionally, before the authorization decision, so a failure while mapping
    // the principal surfaces even when the canceller turns out to be the owner.
    final String cancelerShortName = new KerberosName(canceller).getShortName();

    // Authorization: the owner is matched against the full canceller name, the renewer against
    // the canceller's short name. An absent or empty renewer never authorizes anyone.
    // NOTE(review): token.getPassword() is not checked in this method, so owner and renewer are
    // not authenticated here; the only binding to an issued token is the key lookup in
    // currentTokens.remove(id) below. Confirm TokenIdent's equals/hashCode cover both fields.
    if (!canceller.equals(owner)) {
      final boolean cancellerIsRenewer =
          renewer != null
              && !"".equals(renewer.toString())
              && cancelerShortName.equals(renewer.toString());
      if (!cancellerIsRenewer) {
        throw new AccessControlException(canceller + " is not authorized to cancel the token");
      }
    }

    // Removal doubles as the existence check: an identifier that is not cached is rejected.
    if (currentTokens.remove(id) == null) {
      throw new InvalidToken("Token not found");
    }
    return id;
  }
 /**
  * Returns the cached password for a token identifier.
  *
  * @param identifier the identifier to look up in the token cache
  * @return the password stored alongside the identifier
  * @throws InvalidToken if the identifier is not cached, or its renew date is already in the past
  */
 @Override
 public synchronized byte[] retrievePassword(TokenIdent identifier) throws InvalidToken {
   final DelegationTokenInformation cached = currentTokens.get(identifier);
   if (cached == null) {
     throw new InvalidToken("token (" + identifier.toString() + ") can't be found in cache");
   }

   // Expiry is judged against the cached renew date, not against values on the identifier.
   final long nowMillis = System.currentTimeMillis();
   final boolean expired = cached.getRenewDate() < nowMillis;
   if (expired) {
     throw new InvalidToken("token (" + identifier.toString() + ") is expired");
   }
   return cached.getPassword();
 }
 /**
  * Issues a password for a new token identifier and records it in the token cache.
  *
  * <p>The identifier is stamped with the issue date, the maximum date, the current master key id
  * and the next sequence number; the password is then computed from the identifier bytes and the
  * current key.
  *
  * @param identifier the identifier to stamp and register
  * @return the password computed for the identifier
  */
 @Override
 protected synchronized byte[] createPassword(TokenIdent identifier) {
   // Logged before the fields below are assigned, so this line shows the identifier as passed in.
   LOG.info("Creating password for identifier: " + identifier);

   final long issuedAt = System.currentTimeMillis();
   final int nextSequence = ++delegationTokenSequenceNumber;

   identifier.setIssueDate(issuedAt);
   identifier.setMaxDate(issuedAt + tokenMaxLifetime);
   identifier.setMasterKeyId(currentId);
   identifier.setSequenceNumber(nextSequence);

   // The password covers the identifier bytes after stamping, computed with the current key.
   final byte[] secret = createPassword(identifier.getBytes(), currentKey.getKey());

   // The cache entry carries the first renewal deadline (issue time plus one renew interval).
   final DelegationTokenInformation entry =
       new DelegationTokenInformation(issuedAt + tokenRenewInterval, secret);
   currentTokens.put(identifier, entry);
   return secret;
 }
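   /**
   * Renew a delegation token.
   *
   * @param token the token to renew
   * @param renewer the full principal name of the user doing the renewal
   * @return the new expiration time
   * @throws InvalidToken if the token is past its maximum date, its master key is no longer
   *     cached, or the token is not in the cache
   * @throws AccessControlException if the token names no renewer, names a different renewer, or
   *     carries a password that does not match
   */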
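  public synchronized long renewToken(Token<TokenIdent> token, String renewer)
      throws InvalidToken, IOException {
    long now = System.currentTimeMillis();
    // Decode the identifier from the bytes carried by the token. Until the password check further
    // down succeeds, every field read from `id` is unauthenticated caller-supplied data.
    ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
    DataInputStream in = new DataInputStream(buf);
    TokenIdent id = createIdentifier();
    id.readFields(in);
    LOG.info("Token renewal requested for identifier: " + id);

    // A token past its maximum date can never be renewed.
    if (id.getMaxDate() < now) {
      throw new InvalidToken("User " + renewer + " tried to renew an expired token");
    }
    // A token issued without a renewer is not renewable by anyone.
    if ((id.getRenewer() == null) || ("".equals(id.getRenewer().toString()))) {
      throw new AccessControlException(
          "User " + renewer + " tried to renew a token without a renewer");
    }
    // The renewer recorded in the token is compared with the caller's full principal name.
    if (!id.getRenewer().toString().equals(renewer)) {
      throw new AccessControlException(
          "Client "
              + renewer
              + " tries to renew a token with renewer specified as "
              + id.getRenewer());
    }
    // The password is recomputed with the master key the token claims to have been issued under.
    DelegationKey key = allKeys.get(id.getMasterKeyId());
    if (key == null) {
      throw new InvalidToken(
          "Unable to find master key for keyId="
              + id.getMasterKeyId()
              + " from cache. Failed to renew an unexpired token"
              + " with sequenceNumber="
              + id.getSequenceNumber());
    }
    byte[] password = createPassword(token.getIdentifier(), key.getKey());
    // Constant-time comparison: Arrays.equals returns at the first differing byte, which makes
    // the comparison time depend on how much of the presented password is correct.
    // MessageDigest is fully qualified because the file's import block is outside this block.
    if (!java.security.MessageDigest.isEqual(password, token.getPassword())) {
      throw new AccessControlException(
          "Client " + renewer + " is trying to renew a token with wrong password");
    }
    // The new expiry never exceeds the token's maximum date.
    long renewTime = Math.min(id.getMaxDate(), now + tokenRenewInterval);
    DelegationTokenInformation info = new DelegationTokenInformation(renewTime, password);

    // Only tokens still present in the cache are renewed; a cancelled or unknown token is refused.
    if (currentTokens.get(id) == null) {
      throw new InvalidToken("Renewal request for unknown token");
    }
    currentTokens.put(id, info);
    return renewTime;
  }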