
HDDS-1183. Override getDelegationToken API for OzoneFileSystem. Contributed by Xiaoyu Yao. (#545)

Xiaoyu Yao 6 years ago
parent
commit
eed8b794d8

+ 13 - 0
hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/token/OzoneBlockTokenIdentifier.java

@@ -28,6 +28,7 @@ import org.apache.hadoop.hdds.protocol.proto.HddsProtos.BlockTokenSecretProto.Bu
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.TokenIdentifier;
+import org.apache.hadoop.security.token.Token.TrivialRenewer;
 
 import java.io.DataInput;
 import java.io.DataInputStream;
@@ -195,5 +196,17 @@ public class OzoneBlockTokenIdentifier extends TokenIdentifier {
     }
     out.write(builder.build().toByteArray());
   }
+
+  /**
+   * Default TrivialRenewer.
+   */
+  @InterfaceAudience.Private
+  public static class Renewer extends TrivialRenewer {
+
+    @Override
+    protected Text getKind() {
+      return KIND_NAME;
+    }
+  }
 }
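Review bot: No service-registration change is visible on this page for the relocated `Renewer`, whose binary name changes from `OzoneTokenIdentifier$Renewer` to `OzoneBlockTokenIdentifier$Renewer`. Hadoop looks renewers up through `ServiceLoader`, so any `META-INF/services/org.apache.hadoop.security.token.TokenRenewer` entry that still names the old class would need updating in the same commit; please confirm. The Javadoc `Default TrivialRenewer.` was carried over verbatim and does not say what the class is for; something like `/** Renewer for block tokens, which are not managed: renew and cancel keep the unsupported TrivialRenewer defaults. */` would tell the reader why nothing is overridden beyond `getKind()`.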
 

+ 0 - 13
hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/OzoneTokenIdentifier.java

@@ -29,7 +29,6 @@ import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMTokenProto;
 import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
-import org.apache.hadoop.security.token.Token;
 
 /**
  * The token identifier for Ozone Master.
@@ -68,18 +67,6 @@ public class OzoneTokenIdentifier extends
     return KIND_NAME;
   }
 
-  /**
-   * Default TrivialRenewer.
-   */
-  @InterfaceAudience.Private
-  public static class Renewer extends Token.TrivialRenewer {
-
-    @Override
-    protected Text getKind() {
-      return KIND_NAME;
-    }
-  }
-
   /**
    * Overrides default implementation to write using Protobuf.
    *

+ 5 - 0
hadoop-ozone/ozonefs/src/main/java/org/apache/hadoop/fs/ozone/OzoneClientAdapter.java

@@ -17,6 +17,9 @@
  */
 package org.apache.hadoop.fs.ozone;
 
+import org.apache.hadoop.ozone.security.OzoneTokenIdentifier;
+import org.apache.hadoop.security.token.Token;
+
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.Iterator;
@@ -52,4 +55,6 @@ public interface OzoneClientAdapter {
 
   Iterator<BasicKeyInfo> listKeys(String pathKey);
 
+  Token<OzoneTokenIdentifier> getDelegationToken(String renewer)
+      throws IOException;
 }
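Review bot: `getDelegationToken(String renewer)` is added to the interface with no Javadoc, so it is undefined whether `renewer` may be null. The implementation in OzoneClientAdapterImpl wraps it unconditionally with `new Text(renewer)`, which throws a NullPointerException for null, and `OzoneFileSystem.getDelegationToken` forwards the caller's value unchecked. I would document the parameter here and guard the conversion in the implementation, e.g. `renewer == null ? null : new Text(renewer)`, provided the object store accepts a null renewer (not visible here); otherwise reject null with a clear IOException.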

+ 64 - 1
hadoop-ozone/ozonefs/src/main/java/org/apache/hadoop/fs/ozone/OzoneClientAdapterImpl.java

@@ -22,9 +22,12 @@ import java.io.InputStream;
 import java.util.HashMap;
 import java.util.Iterator;
 
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hdds.client.ReplicationFactor;
 import org.apache.hadoop.hdds.client.ReplicationType;
 import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.io.Text;
 import org.apache.hadoop.ozone.OzoneConfigKeys;
 import org.apache.hadoop.ozone.client.ObjectStore;
 import org.apache.hadoop.ozone.client.OzoneBucket;
@@ -35,6 +38,10 @@ import org.apache.hadoop.ozone.client.OzoneVolume;
 import org.apache.hadoop.ozone.client.io.OzoneOutputStream;
 
 import static org.apache.hadoop.ozone.OzoneConsts.OZONE_URI_DELIMITER;
+
+import org.apache.hadoop.ozone.security.OzoneTokenIdentifier;
+import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.security.token.TokenRenewer;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -251,8 +258,64 @@ public class OzoneClientAdapterImpl implements OzoneClientAdapter {
     return new IteratorAdapter(bucket.listKeys(pathKey));
   }
 
+  @Override
+  public Token<OzoneTokenIdentifier> getDelegationToken(String renewer)
+      throws IOException {
+    Token<OzoneTokenIdentifier> token =
+        ozoneClient.getObjectStore().getDelegationToken(new Text(renewer));
+    token.setKind(OzoneTokenIdentifier.KIND_NAME);
+    return token;
+  }
+
+  /**
+   * Ozone Delegation Token Renewer.
+   */
+  @InterfaceAudience.Private
+  public static class Renewer extends TokenRenewer {
+
+    //Ensure that OzoneConfiguration files are loaded before trying to use
+    // the renewer.
+    static {
+      OzoneConfiguration.activate();
+    }
+
+    public Text getKind() {
+      return OzoneTokenIdentifier.KIND_NAME;
+    }
+
+    @Override
+    public boolean handleKind(Text kind) {
+      return getKind().equals(kind);
+    }
+
+    @Override
+    public boolean isManaged(Token<?> token) throws IOException {
+      return true;
+    }
+
+    @Override
+    public long renew(Token<?> token, Configuration conf)
+        throws IOException, InterruptedException {
+      Token<OzoneTokenIdentifier> ozoneDt =
+          (Token<OzoneTokenIdentifier>) token;
+      OzoneClient ozoneClient =
+          OzoneClientFactory.getRpcClient(conf);
+      return ozoneClient.getObjectStore().renewDelegationToken(ozoneDt);
+    }
+
+    @Override
+    public void cancel(Token<?> token, Configuration conf)
+        throws IOException, InterruptedException {
+      Token<OzoneTokenIdentifier> ozoneDt =
+          (Token<OzoneTokenIdentifier>) token;
+      OzoneClient ozoneClient =
+          OzoneClientFactory.getRpcClient(conf);
+      ozoneClient.getObjectStore().cancelDelegationToken(ozoneDt);
+    }
+  }
+
   /**
-   * Adapter to conver OzoneKey to a safe and simple Key implementation.
+   * Adapter to convert OzoneKey to a safe and simple Key implementation.
    */
   public static class IteratorAdapter implements Iterator<BasicKeyInfo> {
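Review bot: `Renewer.renew` and `Renewer.cancel` each obtain a new `OzoneClient` from `OzoneClientFactory.getRpcClient(conf)` and never close it, so every renewal or cancellation leaves a client and its connection open in the calling process, which is presumably a long-running service. Assuming `OzoneClient` is `Closeable`, wrap the call in try-with-resources as below. Both methods also cast `token` to `Token<OzoneTokenIdentifier>` without checking `handleKind(token.getKind())`; a short comment stating that the framework only dispatches matching kinds, or an explicit check, would make the unchecked cast easier to trust. The `IteratorAdapter` class that closes the hunk continues outside it.

```java
    public long renew(Token<?> token, Configuration conf)
        throws IOException, InterruptedException {
      // … unchanged: cast of token to Token<OzoneTokenIdentifier> ozoneDt …
      try (OzoneClient ozoneClient = OzoneClientFactory.getRpcClient(conf)) {
        return ozoneClient.getObjectStore().renewDelegationToken(ozoneDt);
      }
    }

    public void cancel(Token<?> token, Configuration conf)
        throws IOException, InterruptedException {
      // … unchanged: cast of token to Token<OzoneTokenIdentifier> ozoneDt …
      try (OzoneClient ozoneClient = OzoneClientFactory.getRpcClient(conf)) {
        ozoneClient.getObjectStore().cancelDelegationToken(ozoneDt);
      }
    }
```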
 

+ 13 - 0
hadoop-ozone/ozonefs/src/main/java/org/apache/hadoop/fs/ozone/OzoneFileSystem.java

@@ -48,7 +48,9 @@ import org.apache.hadoop.fs.PathIsNotEmptyDirectoryException;
 import org.apache.hadoop.fs.GlobalStorageStatistics;
 import org.apache.hadoop.fs.permission.FsPermission;
 import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.hdds.security.x509.SecurityConfig;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.util.Progressable;
 
 import com.google.common.base.Preconditions;
@@ -84,6 +86,7 @@ public class OzoneFileSystem extends FileSystem {
   private Path workingDir;
 
   private OzoneClientAdapter adapter;
+  private boolean securityEnabled;
 
 
   private OzoneFSStorageStatistics storageStatistics;
@@ -156,6 +159,10 @@ public class OzoneFileSystem extends FileSystem {
         } else {
           ozoneConfiguration = new OzoneConfiguration(conf);
         }
+        SecurityConfig secConfig = new SecurityConfig(ozoneConfiguration);
+        if (secConfig.isSecurityEnabled()) {
+          this.securityEnabled = true;
+        }
         this.adapter = new OzoneClientAdapterImpl(ozoneConfiguration,
             volumeStr, bucketStr, storageStatistics);
       }
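Review bot: The `if` that only ever sets the flag to true is a roundabout way to copy a boolean; `this.securityEnabled = new SecurityConfig(ozoneConfiguration).isSecurityEnabled();` says the same thing in one statement and drops the extra local. The enclosing method starts and ends outside this hunk, so I cannot tell whether the other configuration branch above needs the same flag set.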
@@ -669,6 +676,12 @@ public class OzoneFileSystem extends FileSystem {
     return workingDir;
   }
 
+  @Override
+  public Token<?> getDelegationToken(String renewer) throws IOException {
+    return securityEnabled? adapter.getDelegationToken(renewer) :
+        super.getDelegationToken(renewer);
+  }
+
   /**
    * Get the username of the FS.
    *
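Review bot: The new `getDelegationToken` override has no Javadoc, so a caller cannot tell that with security disabled it falls back to `super.getDelegationToken(renewer)`, which in `FileSystem` returns null rather than a token. A comment such as `/** Returns an Ozone delegation token for the given renewer, or the FileSystem default (null) when security is disabled. */` would document that. The ternary is also missing the space before `?`: `return securityEnabled ? adapter.getDelegationToken(renewer) :`.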