[
https://issues.apache.org/jira/browse/HADOOP-11181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14169983#comment-14169983
]
Jing Zhao commented on HADOOP-11181:
------------------------------------
In general, if we allow setting an external secretManager (which was added by
HADOOP-10771 recently), I think it is reasonable to allow using
AbstractDelegationTokenIdentifier instead of web.DelegationTokenIdentifier
only. For the current patch, some comments:
# I guess we do not need to add "rawtypes", which is used by Eclipse Helios, to
suppress warnings.
# The logic of the following code may have some issues. With this change, in the
future if a token's identifier cannot be decoded based on the ServiceLoader
mechanism, we would assume it is web.DelegationTokenIdentifier. However, since
the user can set his/her own identifier type and secret manager, there is no
mechanism to guarantee the assumption is correct.
{code}
+ public UserGroupInformation verifyToken(
+ Token<? extends AbstractDelegationTokenIdentifier> token)
+ throws IOException {
+ // If the token identifier has a subclass associated to its kind, we should
+ // use the class's method to do decoding
+ AbstractDelegationTokenIdentifier id = token.decodeIdentifier();
+ // For the web token identifier, id will be null because it's unable to
+ // find the subclass associated to its kind. Instead, we should use web
+ // DelegationTokenIdentifier to decode it.
+ if (id == null) {
+ ByteArrayInputStream buf = new
ByteArrayInputStream(token.getIdentifier());
+ DataInputStream dis = new DataInputStream(buf);
+ id = new DelegationTokenIdentifier(tokenKind);
+ id.readFields(dis);
+ dis.close();
+ }
{code}
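Review bot: the fallback at `if (id == null)` constructs `new DelegationTokenIdentifier(tokenKind)` and reads the raw identifier bytes into it without first checking that `token.getKind()` equals `tokenKind`, so a token whose kind has no ServiceLoader-registered identifier class is silently parsed as a web identifier rather than rejected. Compare the token's kind with `tokenKind` before decoding and fail with an `InvalidToken` on mismatch, and after decoding check that `id.getKind()` also matches, so the later `secretManager.verifyToken(id, ...)` only ever sees an identifier of the configured type.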
# Nit: there is an unused import in DelegationTokenManager
> o.a.h.security.token.delegation.DelegationTokenManager should be more
> generalized to handle other DelegationTokenIdentifier
> ---------------------------------------------------------------------------------------------------------------------------
>
> Key: HADOOP-11181
> URL: https://issues.apache.org/jira/browse/HADOOP-11181
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Zhijie Shen
> Assignee: Zhijie Shen
> Attachments: HADOOP-11181.1.patch
>
>
> While DelegationTokenManager can set an external secretManager, it has the
> assumption that the token is going to be
> o.a.h.security.token.delegation.DelegationTokenIdentifier, and uses the
> DelegationTokenIdentifier method to decode a token.
> {code}
> @SuppressWarnings("unchecked")
> public UserGroupInformation verifyToken(Token<DelegationTokenIdentifier> token)
>     throws IOException {
>   ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
>   DataInputStream dis = new DataInputStream(buf);
>   DelegationTokenIdentifier id = new DelegationTokenIdentifier(tokenKind);
>   id.readFields(dis);
>   dis.close();
>   secretManager.verifyToken(id, token.getPassword());
>   return id.getUser();
> }
> {code}
> It's not going to work if the token kind is other than
> web.DelegationTokenIdentifier. For example, RM wants to reuse it but hook it
> to RMDelegationTokenSecretManager and RMDelegationTokenIdentifier, which has
> a customized way to decode a token.
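To illustrate the identifier-agnostic, kind-checked decoding the description asks for, here is an added example; it is not the HADOOP-11181 patch and not Hadoop's own code. It assumes a hypothetical holder class with the `tokenKind` and `secretManager` fields the existing method already uses, and it obtains a fresh identifier of the configured type from `secretManager.createIdentifier()` when no class is registered for the token's kind, instead of assuming the web DelegationTokenIdentifier.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;

import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.SecretManager.InvalidToken;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;

/** Hypothetical holder class (illustration only, not DelegationTokenManager itself). */
public class KindCheckedTokenVerifier {
  // Assumed fields, mirroring the names the existing verifyToken() refers to.
  private final Text tokenKind;
  private final AbstractDelegationTokenSecretManager<AbstractDelegationTokenIdentifier> secretManager;

  public KindCheckedTokenVerifier(Text tokenKind,
      AbstractDelegationTokenSecretManager<AbstractDelegationTokenIdentifier> secretManager) {
    this.tokenKind = tokenKind;
    this.secretManager = secretManager;
  }

  public UserGroupInformation verifyToken(
      Token<? extends AbstractDelegationTokenIdentifier> token) throws IOException {
    // 1. Reject tokens of another kind before touching their bytes: a manager
    //    configured for one kind must never parse identifiers issued for another.
    if (!tokenKind.equals(token.getKind())) {
      throw new InvalidToken("Unexpected token kind " + token.getKind()
          + ", expected " + tokenKind);
    }
    // 2. Prefer the identifier class registered for this kind via ServiceLoader
    //    (RMDelegationTokenIdentifier and friends bring their own readFields).
    AbstractDelegationTokenIdentifier id = token.decodeIdentifier();
    if (id == null) {
      // 3. Nothing registered: decode into whatever identifier type the configured
      //    secret manager issues, rather than a hard-coded web identifier.
      id = secretManager.createIdentifier();
      try (DataInputStream dis = new DataInputStream(
          new ByteArrayInputStream(token.getIdentifier()))) {
        id.readFields(dis);
      }
    }
    // 4. The decoded identifier must agree on the kind as well.
    if (!tokenKind.equals(id.getKind())) {
      throw new InvalidToken("Decoded identifier kind " + id.getKind()
          + " does not match " + tokenKind);
    }
    secretManager.verifyToken(id, token.getPassword());
    return id.getUser();
  }
}
```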
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)