[java] KUDU-2873: attach authz tokens to SplitKeyRangeRequests

This adds the fetching of the token, and tests to make sure that it exercises the same token reacquisition logic we have for writes and scans. Note: tserver-side testing for the endpoint can be found in tablet_server_authorization-test.cc. Change-Id: I2b4140076206f25b34d8025b45118e3ff7b4b826 Reviewed-on: http://gerrit.cloudera.org:8080/13692 Tested-by: Kudu Jenkins Reviewed-by: Alexey Serbin <[email protected]>
mojiahe · Jun 21, 2019 · 8c68c94 · 8c68c94
1 parent 648b5b8
commit 8c68c94
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 1 deletion.
diff --git a/java/kudu-client/src/main/java/org/apache/kudu/client/SplitKeyRangeRequest.java b/java/kudu-client/src/main/java/org/apache/kudu/client/SplitKeyRangeRequest.java
@@ -26,6 +26,7 @@
 import org.jboss.netty.util.Timer;
 
 import org.apache.kudu.Common.KeyRangePB;
+import org.apache.kudu.security.Token;
 import org.apache.kudu.tserver.Tserver;
 import org.apache.kudu.util.Pair;
 
@@ -40,6 +41,9 @@ class SplitKeyRangeRequest extends KuduRpc<SplitKeyRangeResponse> {
   private final byte[] partitionKey;
   private final long splitSizeBytes;
 
+  /** The token with which to authorize this RPC. */
+  private Token.SignedTokenPB authzToken;
+
   /**
    * Create a new RPC request
    * @param table table to lookup
@@ -81,10 +85,23 @@ Message createRequestPB() {
       builder.setStopPrimaryKey(UnsafeByteOperations.unsafeWrap(endPrimaryKey));
     }
     builder.setTargetChunkSizeBytes(splitSizeBytes);
+    if (authzToken != null) {
+      builder.setAuthzToken(authzToken);
+    }
 
     return builder.build();
   }
 
+  @Override
+  boolean needsAuthzToken() {
+    return true;
+  }
+
+  @Override
+  void bindAuthzToken(Token.SignedTokenPB token) {
+    authzToken = token;
+  }
+
   @Override
   String serviceName() {
     return TABLET_SERVER_SERVICE_NAME;
@@ -116,4 +133,4 @@ Pair<SplitKeyRangeResponse, Object> deserialize(CallResponse callResponse, Strin
   byte[] partitionKey() {
     return this.partitionKey;
   }
-}
+}
diff --git a/java/kudu-client/src/test/java/org/apache/kudu/client/TestAuthTokenReacquire.java b/java/kudu-client/src/test/java/org/apache/kudu/client/TestAuthTokenReacquire.java
@@ -20,6 +20,7 @@
 import static org.apache.kudu.test.ClientTestUtil.countRowsInScan;
 import static org.apache.kudu.test.ClientTestUtil.createBasicSchemaInsert;
 import static org.apache.kudu.test.ClientTestUtil.getBasicCreateTableOptions;
+import static org.apache.kudu.test.KuduTestHarness.DEFAULT_SLEEP;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
@@ -190,6 +191,11 @@ private void insertRowWithKey(KuduSession session, KuduTable table, int key) thr
     assertEquals(0, session.countPendingErrors());
   }
 
+  private List<KeyRange> splitKeyRange(KuduTable table) throws Exception {
+    // Note: the nulls are for key bounds; we don't really care about them.
+    return table.getAsyncClient().getTableKeyRanges(table, null, null, null, null,
+        AsyncKuduClient.FETCH_TABLETS_PER_RANGE_LOOKUP, 1, DEFAULT_SLEEP).join();
+  }
 
   @Test
   public void testBasicWorkflow() throws Exception {
@@ -229,6 +235,13 @@ public void testBasicWorkflow() throws Exception {
     assertEquals(key, countRowsInTable(scanTable));
     assertFalse(asyncClient.getAuthzToken(tableId).equals(originalToken));
 
+    // Now wait for the authz token to expire and send a request to split the
+    // key range. It should succeed and get a new authz token.
+    originalToken = asyncClient.getAuthzToken(tableId);
+    expireTokens();
+    assertFalse(splitKeyRange(scanTable).isEmpty());
+    assertFalse(asyncClient.getAuthzToken(tableId).equals(originalToken));
+
     // Force the client to get a new authn token and delete the table.
     originalToken = asyncClient.securityContext.getAuthenticationToken();
     dropConnectionsAndExpireTokens();