[ https://issues.apache.org/jira/browse/HADOOP-11181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14170194#comment-14170194 ]

Zhijie Shen commented on HADOOP-11181:
--------------------------------------

bq. maybe we can rename the new decodeToken method to decodeTokenIdentifier

Changed it accordingly

bq. It will be good to have an extra unit test for this new method, covering 
several different subclasses of AbstractDelegationTokenSecretManager.

For decoding web.DelegationTokenIdentifier, the code path 
in TestDelegationTokenManager has already covered it:
{code}
    try {
      tm.verifyToken(token);
      Assert.fail();
    } catch (IOException ex) {
{code}
Anyway, I enhanced the test case to run through both ZKSecretManager and 
DelegationTokenSecretManager, which are the two using 
web.DelegationTokenIdentifier right now.

On the other side, I changed TestRMWebServicesDelegationTokens to use the 
inherited AbstractDelegationTokenIdentifier.decodeTokenIdentifier to do the 
decoding.

> o.a.h.security.token.delegation.DelegationTokenManager should be more 
> generalized to handle other DelegationTokenIdentifier
> ---------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-11181
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11181
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Zhijie Shen
>            Assignee: Zhijie Shen
>         Attachments: HADOOP-11181.1.patch, HADOOP-11181.2.patch
>
>
> While DelegationTokenManager can set an external secretManager, it has the 
> assumption that the token is going to be 
> o.a.h.security.token.delegation.DelegationTokenIdentifier, and uses a 
> DelegationTokenIdentifier method to decode a token. 
> {code}
>   @SuppressWarnings("unchecked")
>   public UserGroupInformation verifyToken(Token<DelegationTokenIdentifier>
>       token) throws IOException {
>     ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
>     DataInputStream dis = new DataInputStream(buf);
>     DelegationTokenIdentifier id = new DelegationTokenIdentifier(tokenKind);
>     id.readFields(dis);
>     dis.close();
>     secretManager.verifyToken(id, token.getPassword());
>     return id.getUser();
>   }
> {code}
> It's not going to work if the token kind is other than 
> web.DelegationTokenIdentifier. For example, RM wants to reuse it but hook it 
> to RMDelegationTokenSecretManager and RMDelegationTokenIdentifier, which has 
> a customized way to decode a token.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
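
The decoding problem described in the issue, as an added stand-alone illustration (not code from the HADOOP-11181 patches or from Hadoop): a verifier that hard-codes one identifier class cannot read an identifier whose subclass uses a customized encoding, while delegating the decode to the secret manager that issued the token can. BaseId, CustomId, DemoSecretManager and the sample owner value are hypothetical stand-ins.

```java
import java.io.*;
import java.util.function.Supplier;

public class DecodeTokenIdentifierDemo {
  // Hypothetical base identifier: the wire format is just the owner name.
  static class BaseId {
    String owner;
    void write(DataOutput out) throws IOException { out.writeUTF(owner); }
    void readFields(DataInput in) throws IOException { owner = in.readUTF(); }
  }
  // Hypothetical subclass with a customized encoding: a version byte comes first.
  static class CustomId extends BaseId {
    byte version = 2;
    @Override void write(DataOutput out) throws IOException { out.writeByte(version); super.write(out); }
    @Override void readFields(DataInput in) throws IOException { version = in.readByte(); super.readFields(in); }
  }
  // Stand-in secret manager: only it knows which identifier class it issues,
  // so decoding is delegated to it instead of being hard-coded in the caller.
  static class DemoSecretManager<T extends BaseId> {
    private final Supplier<T> createIdentifier;
    DemoSecretManager(Supplier<T> createIdentifier) { this.createIdentifier = createIdentifier; }
    T decodeTokenIdentifier(byte[] raw) throws IOException {
      T id = createIdentifier.get();
      try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(raw))) {
        id.readFields(in);
      }
      return id;
    }
  }

  public static void main(String[] args) throws IOException {
    CustomId issued = new CustomId();
    issued.owner = "alice"; // constructed sample value
    ByteArrayOutputStream buf = new ByteArrayOutputStream();
    issued.write(new DataOutputStream(buf));
    byte[] raw = buf.toByteArray();
    try { // "before": the caller assumes the base identifier class
      BaseId wrong = new BaseId();
      wrong.readFields(new DataInputStream(new ByteArrayInputStream(raw)));
      System.out.println("hard-coded type: decoded owner=" + wrong.owner);
    } catch (IOException e) {
      System.out.println("hard-coded type: decode failed: " + e);
    }
    // "after": the manager that issued the token supplies the identifier class
    DemoSecretManager<CustomId> sm = new DemoSecretManager<>(CustomId::new);
    CustomId id = sm.decodeTokenIdentifier(raw);
    System.out.println("delegated: owner=" + id.owner + " version=" + id.version);
  }
}
```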
