[
https://issues.apache.org/jira/browse/HADOOP-11181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14170081#comment-14170081
]
Zhijie Shen commented on HADOOP-11181:
--------------------------------------
[~jingzhao], thanks for the comments.
bq. I guess we do not need to add "rawtypes", which is used by Eclipse Helios,
to suppress warnings.
Nice to know. Remove the "rawtypes" in the new patch.
bq. However, since the user can set his/her own identifier type and secret
manager, there is no mechanism to guarantee the assumption is correct.
That's correct. I was aware of it, but wanted to minimize the change, as it
seems that only web.DelegationTokenIdentifier falls into the other category. As
the decoded token is verified by the secret manager, hopefully it's a fair
point that the secret manager should know best about how to decode the token.
Therefore, I add a method "decodeToken" for AbstractDelegationTokenIdentifier
(to limit the problem to delegation token only but not others), and make it
simply call token.decodeIdentifier(). On the other side, I make the secret
manager that works with web.DelegationTokenIdentifier override the method to
use the previous decoding method in verifyToken(). Please let me know what you
think about the new approach.
bq. Nit: there is an unused import in DelegationTokenManager
Good catch. Fix it.
> o.a.h.security.token.delegation.DelegationTokenManager should be more
> generalized to handle other DelegationTokenIdentifier
> ---------------------------------------------------------------------------------------------------------------------------
>
> Key: HADOOP-11181
> URL: https://issues.apache.org/jira/browse/HADOOP-11181
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Zhijie Shen
> Assignee: Zhijie Shen
> Attachments: HADOOP-11181.1.patch, HADOOP-11181.2.patch
>
>
> While DelegationTokenManager can set an external secretManager, it has the
> assumption that the token is going to be
> o.a.h.security.token.delegation.DelegationTokenIdentifier, and uses
> DelegationTokenIdentifier method to decode a token.
> {code}
> @SuppressWarnings("unchecked")
> public UserGroupInformation verifyToken(Token<DelegationTokenIdentifier> token)
>     throws IOException {
>   ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
>   DataInputStream dis = new DataInputStream(buf);
>   DelegationTokenIdentifier id = new DelegationTokenIdentifier(tokenKind);
>   id.readFields(dis);
>   dis.close();
>   secretManager.verifyToken(id, token.getPassword());
>   return id.getUser();
> }
> {code}
> It's not going to work if the token kind is other than
> web.DelegationTokenIdentifier. For example, RM wants to reuse it but hook it
> to RMDelegationTokenSecretManager and RMDelegationTokenIdentifier, which has
> the customized way to decode a token.
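A simplified, self-contained model of the approach discussed in the comment above, added here as an example; it is not code from the HADOOP-11181 patch or from Hadoop. `Token`, `SecretManager`, `RmManager`, the two identifier layouts and the HMAC key are hypothetical stand-ins. It shows the secret manager's overridable `decodeToken` hook parsing the layout that manager issued, while a decoder fixed to a different layout fails on the same bytes.

```java
import java.io.*;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
public class DecodeHookDemo {
  record Token(byte[] identifier, byte[] password) {} // hypothetical stand-in
  static class SecretManager { // hypothetical; default layout: kind, user
    void write(DataOutputStream o, String u) throws IOException { o.writeUTF("WEB"); o.writeUTF(u); }
    // Overridable hook: the manager that issued the token knows its layout.
    String decodeToken(Token t) throws IOException {
      DataInputStream s = open(t);
      if (!"WEB".equals(s.readUTF())) throw new IOException("unexpected kind");
      return s.readUTF();
    }
    Token issue(String user) throws Exception {
      ByteArrayOutputStream buf = new ByteArrayOutputStream();
      write(new DataOutputStream(buf), user);
      return new Token(buf.toByteArray(), mac(buf.toByteArray()));
    }
    // Decode through the hook, then check the password in constant time.
    String verifyToken(Token t) throws Exception {
      String user = decodeToken(t);
      if (MessageDigest.isEqual(mac(t.identifier()), t.password())) return user;
      throw new SecurityException("bad token password");
    }
    byte[] mac(byte[] id) throws Exception { // key below is a constructed demo value
      Mac m = Mac.getInstance("HmacSHA256");
      m.init(new SecretKeySpec("constructed-demo-key".getBytes(), "HmacSHA256"));
      return m.doFinal(id);
    }
    static DataInputStream open(Token t) {
      return new DataInputStream(new ByteArrayInputStream(t.identifier()));
    }
  }
  static class RmManager extends SecretManager { // own layout: version, user, sequence
    @Override void write(DataOutputStream o, String u) throws IOException { o.writeByte(1); o.writeUTF(u); o.writeLong(42L); }
    @Override String decodeToken(Token t) throws IOException {
      DataInputStream s = open(t);
      if (s.readByte() != 1) throw new IOException("unexpected version");
      return s.readUTF();
    }
  }
  public static void main(String[] args) throws Exception {
    SecretManager rm = new RmManager();
    Token t = rm.issue("alice"); // constructed sample token
    System.out.println("via hook: " + rm.verifyToken(t));
    try { new SecretManager().decodeToken(t); }
    catch (IOException e) { System.out.println("fixed layout fails: " + e); }
  }
}
```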