
Commit c5ca216

committed
HDFS-10683. Make class Token$PrivateToken private. Contributed by John Zhuge.
1 parent e68c7b9 commit c5ca216

5 files changed

+61
-20
lines changed


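--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/Credentials.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/Credentials.java
@@ -104,12 +104,8 @@ public void addToken(Text alias, Token<? extends TokenIdentifier> t) {
 for (Map.Entry<Text, Token<? extends TokenIdentifier>> e :
 tokenMap.entrySet()) {
 Token<? extends TokenIdentifier> token = e.getValue();
-if (token instanceof Token.PrivateToken &&
-((Token.PrivateToken) token).getPublicService().equals(alias)) {
-Token<? extends TokenIdentifier> privateToken =
-new Token.PrivateToken<>(t);
-privateToken.setService(token.getService());
-tokensToAdd.put(e.getKey(), privateToken);
+if (token.isPrivateCloneOf(alias)) {
+tokensToAdd.put(e.getKey(), t.privateClone(token.getService()));
 }
 }
 tokenMap.putAll(tokensToAdd);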
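Review bot: `t.privateClone(token.getService())` is called on the caller-supplied `t` without checking that `t` is itself a public token; the only guard is `assert !publicToken.isPrivate();` in the new `PrivateToken` constructor in Token.java, and assertions are off unless the JVM runs with `-ea`. With assertions disabled, a private `t` would be cloned silently and the clone would record the private token's service as its public service; the same applies to `haToken.privateClone(...)` in HAUtil.java. Consider an explicit check in the constructor, `if (publicToken.isPrivate()) { throw new IllegalArgumentException("cannot clone a private token"); }`, or skip private `t` here. `addToken` starts and ends outside this hunk, so an earlier check on `t` may exist that is not visible.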

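--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
@@ -1584,7 +1584,7 @@ public Credentials getCredentials() {
 Credentials creds = new Credentials(getCredentialsInternal());
 Iterator<Token<?>> iter = creds.getAllTokens().iterator();
 while (iter.hasNext()) {
-if (iter.next() instanceof Token.PrivateToken) {
+if (iter.next().isPrivate()) {
 iter.remove();
 }
 }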
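Review bot: `iter.next().isPrivate()` throws a NullPointerException if the collection ever yields a null element, whereas the replaced `instanceof Token.PrivateToken` test simply evaluated to false for null. Whether `Credentials` can hold a null token is not visible in this hunk; if it can, keep the old tolerance with `Token<?> tok = iter.next(); if (tok != null && tok.isPrivate()) {`. This loop is what keeps private clones out of the credentials handed back to callers, so a failure here should be a deliberate choice rather than a side effect. `getCredentials()` continues past the end of the hunk.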

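--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java
@@ -222,23 +222,67 @@ public void setService(Text newService) {
 service = newService;
 }
 
+/**
+* Whether this is a private token.
+* @return false always for non-private tokens
+*/
+public boolean isPrivate() {
+return false;
+}
+
+/**
+* Whether this is a private clone of a public token.
+* @param thePublicService the public service name
+* @return false always for non-private tokens
+*/
+public boolean isPrivateCloneOf(Text thePublicService) {
+return false;
+}
+
+/**
+* Create a private clone of a public token.
+* @param newService the new service name
+* @return a private token
+*/
+public Token<T> privateClone(Text newService) {
+return new PrivateToken<>(this, newService);
+}
+
 /**
 * Indicates whether the token is a clone. Used by HA failover proxy
 * to indicate a token should not be visible to the user via
 * UGI.getCredentials()
 */
-@InterfaceAudience.Private
-@InterfaceStability.Unstable
-public static class PrivateToken<T extends TokenIdentifier> extends Token<T> {
+static class PrivateToken<T extends TokenIdentifier> extends Token<T> {
 final private Text publicService;
 
-public PrivateToken(Token<T> token) {
-super(token);
-publicService = new Text(token.getService());
+PrivateToken(Token<T> publicToken, Text newService) {
+super(publicToken.identifier, publicToken.password, publicToken.kind,
+newService);
+assert !publicToken.isPrivate();
+publicService = publicToken.service;
+if (LOG.isDebugEnabled()) {
+LOG.debug("Cloned private token " + this + " from " + publicToken);
+}
 }
 
-public Text getPublicService() {
-return publicService;
+/**
+* Whether this is a private token.
+* @return true always for private tokens
+*/
+@Override
+public boolean isPrivate() {
+return true;
+}
+
+/**
+* Whether this is a private clone of a public token.
+* @param thePublicService the public service name
+* @return true when the public service is the same as specified
+*/
+@Override
+public boolean isPrivateCloneOf(Text thePublicService) {
+return publicService.equals(thePublicService);
 }
 
 @Override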
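Review bot: `publicService = publicToken.service;` stores a reference to the public token's own `Text` object, where the removed constructor took a copy with `new Text(token.getService())`. `Text` is mutable, so a later in-place change to that object would also change what `isPrivateCloneOf` compares against, and that comparison decides which entries `Credentials.addToken` replaces. Restoring the copy, `publicService = new Text(publicToken.service);`, keeps the private clone independent of the token it was cloned from. The `PrivateToken` class body continues past the end of this hunk.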

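--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
@@ -890,8 +890,10 @@ public void testPrivateTokenExclusion() throws Exception {
 ugi.addToken(new Text("regular-token"), token);
 
 // Now add cloned private token
-ugi.addToken(new Text("private-token"), new Token.PrivateToken<TestTokenIdentifier>(token));
-ugi.addToken(new Text("private-token1"), new Token.PrivateToken<TestTokenIdentifier>(token));
+Text service = new Text("private-token");
+ugi.addToken(service, token.privateClone(service));
+Text service1 = new Text("private-token1");
+ugi.addToken(service1, token.privateClone(service1));
 
 // Ensure only non-private tokens are returned
 Collection<Token<? extends TokenIdentifier>> tokens = ugi.getCredentials().getAllTokens();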

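--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/HAUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/HAUtil.java
@@ -29,6 +29,7 @@
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_SERVICE_RPC_ADDRESS_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_SERVICE_RPC_BIND_HOST_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NAMENODE_SHARED_EDITS_DIR_KEY;
+import static org.apache.hadoop.security.SecurityUtil.buildTokenService;
 
 import java.io.IOException;
 import java.net.InetSocketAddress;
@@ -56,7 +57,6 @@
 import org.apache.hadoop.ipc.RPC;
 import org.apache.hadoop.ipc.RemoteException;
 import org.apache.hadoop.ipc.StandbyException;
-import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.Token;
 
@@ -281,8 +281,7 @@ public static void cloneDelegationTokenForLogicalUri(
 // exposed to the user via UGI.getCredentials(), otherwise these
 // cloned tokens may be inadvertently propagated to jobs
 Token<DelegationTokenIdentifier> specificToken =
-new Token.PrivateToken<DelegationTokenIdentifier>(haToken);
-SecurityUtil.setTokenService(specificToken, singleNNAddr);
+haToken.privateClone(buildTokenService(singleNNAddr));
 Text alias = new Text(
 HAUtilClient.buildTokenServicePrefixForLogicalUri(
 HdfsConstants.HDFS_URI_SCHEME)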
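Review bot: The static import hides where `buildTokenService` comes from at the one call site that builds the service name for a cloned delegation token; the other static imports visible in this file section are configuration-key constants. Keeping the regular `SecurityUtil` import and writing `haToken.privateClone(SecurityUtil.buildTokenService(singleNNAddr))` makes the origin of the security helper obvious to a reader. `cloneDelegationTokenForLogicalUri` starts and ends outside the hunk.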
