Class ZKSignerSecretProvider


@Unstable @Private public class ZKSignerSecretProvider extends RolloverSignerSecretProvider
A SignerSecretProvider that synchronizes a rolling random secret between multiple servers using ZooKeeper.

It works by storing the secrets and the next rollover time in a ZooKeeper znode. All ZKSignerSecretProviders watching that znode use those secrets and that next rollover time, which keeps them synchronized. There is no "leader" -- any of the ZKSignerSecretProviders can choose the next secret; which one does so is indeterminate. Kerberos-based ACLs can also be enforced to prevent a malicious third party from getting or setting the secrets. It uses its own CuratorFramework client for talking to ZooKeeper. If you want to use your own Curator client, you can pass it to ZKSignerSecretProvider; see AuthenticationFilter for more details.

Details of the configuration properties are listed on the Configuration Page.
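To make the leaderless rollover described above concrete, here is an added simulation that is not part of the Hadoop project or this class's source. It models the znode as an in-memory object with a version that increments on every write (the way ZooKeeper rejects a stale setData), and two providers that share it: whichever one writes the new secret first decides it for everyone, and the loser of the race adopts the winner's secret instead of keeping its own. The secret layout, the `FakeZnode`, `FakeClock` and `SimulatedZKSignerSecretProvider` names, the 32-byte secret length and the HMAC signing are all assumptions made for this example; the `verify` method also shows why the previous secret is kept alongside the current one.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

SECRET_LEN = 32  # assumption for this example: fixed-length random secrets


class VersionMismatch(Exception):
    """Compare-and-set lost the race (stand-in for ZooKeeper's bad-version error)."""


class FakeZnode:
    """Constructed stand-in for one ZooKeeper znode: data plus a version that
    increments on every write, so a writer holding a stale version is rejected."""

    def __init__(self) -> None:
        self.data: Optional[bytes] = None
        self.version = -1  # -1 means the znode does not exist yet

    def read(self) -> Tuple[Optional[bytes], int]:
        return self.data, self.version

    def compare_and_set(self, data: bytes, expected_version: int) -> int:
        if expected_version != self.version:
            raise VersionMismatch(f"expected v{expected_version}, znode is at v{self.version}")
        self.data = data
        self.version += 1
        return self.version


def encode(current: bytes, previous: Optional[bytes], next_rollover_ms: int) -> bytes:
    # This example's own layout: 8-byte big-endian rollover time, current secret,
    # then the previous secret if there is one.
    return struct.pack(">Q", next_rollover_ms) + current + (previous or b"")


def decode(blob: bytes) -> Tuple[bytes, Optional[bytes], int]:
    (next_rollover_ms,) = struct.unpack(">Q", blob[:8])
    body = blob[8:]
    return body[:SECRET_LEN], body[SECRET_LEN:SECRET_LEN * 2] or None, next_rollover_ms


class FakeClock:
    """Controllable clock (milliseconds) so the test can move past the rollover time."""

    def __init__(self, now_ms: int = 0) -> None:
        self.now_ms = now_ms

    def __call__(self) -> int:
        return self.now_ms


class SimulatedZKSignerSecretProvider:
    """Minimal model of a leaderless rolling secret synchronized through one znode."""

    def __init__(self, znode: FakeZnode, clock, rollover_ms: int) -> None:
        self.znode, self.clock, self.rollover_ms = znode, clock, rollover_ms
        self.current: Optional[bytes] = None
        self.previous: Optional[bytes] = None
        self.next_rollover_ms = 0

    def _adopt(self, blob: bytes) -> None:
        self.current, self.previous, self.next_rollover_ms = decode(blob)

    def init(self) -> None:
        data, version = self.znode.read()
        if data is None:
            # Nobody has published a secret yet: propose one. If a peer gets there
            # first the compare-and-set fails and we adopt the peer's secret instead.
            try:
                proposal = encode(secrets.token_bytes(SECRET_LEN), None, self.clock() + self.rollover_ms)
                self.znode.compare_and_set(proposal, version)
            except VersionMismatch:
                pass
            data, _ = self.znode.read()
        self._adopt(data)

    def roll_secret(self, snapshot=None) -> str:
        """Runs at the rollover interval. `snapshot` lets a test replay a stale read
        to reproduce two providers racing for the same rollover."""
        data, version = snapshot or self.znode.read()
        current, _, next_rollover_ms = decode(data)
        if self.clock() < next_rollover_ms:
            self._adopt(data)  # a peer already rolled; take its secret
            return "adopted"
        proposal = encode(secrets.token_bytes(SECRET_LEN), current, self.clock() + self.rollover_ms)
        try:
            self.znode.compare_and_set(proposal, version)
        except VersionMismatch:
            fresh, _ = self.znode.read()  # lost the race: the first writer decided the secret
            self._adopt(fresh)
            return "lost-race"
        self._adopt(proposal)
        return "rolled"

    def sign(self, payload: bytes) -> bytes:
        return hmac.new(self.current, payload, hashlib.sha256).digest()

    def verify(self, payload: bytes, tag: bytes) -> bool:
        # The previous secret is accepted too, so tokens issued just before a
        # rollover stay valid until they expire; two rollovers later they do not.
        candidates = [s for s in (self.current, self.previous) if s is not None]
        return any(hmac.compare_digest(hmac.new(s, payload, hashlib.sha256).digest(), tag)
                   for s in candidates)
```

The `snapshot` argument exists only so a test can make one provider act on a read taken before its peer wrote; in a real deployment the stale read and the rejected write happen naturally when two servers reach the rollover time together.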

  • Field Details

    • ZOOKEEPER_CONNECTION_STRING

      public static final String ZOOKEEPER_CONNECTION_STRING
      Constant for the property that specifies the ZooKeeper connection string.
    • ZOOKEEPER_PATH

      public static final String ZOOKEEPER_PATH
      Constant for the property that specifies the ZooKeeper path.
    • ZOOKEEPER_AUTH_TYPE

      public static final String ZOOKEEPER_AUTH_TYPE
      Constant for the property that specifies the auth type to use. Supported values are "none" and "sasl". The default value is "none".
    • ZOOKEEPER_KERBEROS_KEYTAB

      public static final String ZOOKEEPER_KERBEROS_KEYTAB
      Constant for the property that specifies the Kerberos keytab file.
    • ZOOKEEPER_KERBEROS_PRINCIPAL

      public static final String ZOOKEEPER_KERBEROS_PRINCIPAL
      Constant for the property that specifies the Kerberos principal.
    • ZOOKEEPER_SSL_ENABLED

      public static final String ZOOKEEPER_SSL_ENABLED
    • ZOOKEEPER_SSL_KEYSTORE_LOCATION

      public static final String ZOOKEEPER_SSL_KEYSTORE_LOCATION
    • ZOOKEEPER_SSL_KEYSTORE_PASSWORD

      public static final String ZOOKEEPER_SSL_KEYSTORE_PASSWORD
    • ZOOKEEPER_SSL_TRUSTSTORE_LOCATION

      public static final String ZOOKEEPER_SSL_TRUSTSTORE_LOCATION
    • ZOOKEEPER_SSL_TRUSTSTORE_PASSWORD

      public static final String ZOOKEEPER_SSL_TRUSTSTORE_PASSWORD
    • DISCONNECT_FROM_ZOOKEEPER_ON_SHUTDOWN

      public static final String DISCONNECT_FROM_ZOOKEEPER_ON_SHUTDOWN
      Constant for the property that specifies whether or not the Curator client should disconnect from ZooKeeper on shutdown. The default is "true". Only set this to "false" if a custom Curator client is being provided and the disconnection is being handled elsewhere.
    • ZOOKEEPER_SIGNER_SECRET_PROVIDER_CURATOR_CLIENT_ATTRIBUTE

      public static final String ZOOKEEPER_SIGNER_SECRET_PROVIDER_CURATOR_CLIENT_ATTRIBUTE
      Constant for the ServletContext attribute that can be used to provide a custom CuratorFramework client. If set, ZKSignerSecretProvider will use this Curator client instead of creating a new one. In that case the providing class is responsible for creating and configuring the Curator client, including its security settings and ACLs.
  • Constructor Details

    • ZKSignerSecretProvider

      public ZKSignerSecretProvider()
    • ZKSignerSecretProvider

      @VisibleForTesting public ZKSignerSecretProvider(long seed)
      This constructor lets you set the seed of the random number generator and is meant for testing only.
      Parameters:
      seed - the seed for the random number generator
  • Method Details

    • init

      public void init(Properties config, javax.servlet.ServletContext servletContext, long tokenValidity) throws Exception
      Description copied from class: RolloverSignerSecretProvider
      Initialize the SignerSecretProvider. It initializes the current secret and starts the scheduler for the rollover to run at an interval of tokenValidity.
      Overrides:
      init in class RolloverSignerSecretProvider
      Parameters:
      config - configuration properties
      servletContext - servlet context
      tokenValidity - The amount of time a token is valid for
      Throws:
      Exception - thrown if an error occurred
    • destroy

      public void destroy()
      Disconnects from ZooKeeper unless told not to.
      Overrides:
      destroy in class RolloverSignerSecretProvider
    • rollSecret

      protected void rollSecret()
      Description copied from class: RolloverSignerSecretProvider
      Rolls the secret. It is called automatically at the rollover interval.
      Overrides:
      rollSecret in class RolloverSignerSecretProvider
    • generateNewSecret

      protected byte[] generateNewSecret()
      Description copied from class: RolloverSignerSecretProvider
      Subclasses should implement this to return a new secret. It will be called automatically at the secret rollover interval. It should never return null.
      Specified by:
      generateNewSecret in class RolloverSignerSecretProvider
      Returns:
      a new secret
    • generateRandomSecret

      @VisibleForTesting protected byte[] generateRandomSecret()
    • createCuratorClient

      protected org.apache.curator.framework.CuratorFramework createCuratorClient(Properties config)
      This method creates the Curator client and connects to ZooKeeper.
      Parameters:
      config - configuration properties
      Returns:
      A Curator client