http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *
Unless required by applicable law or agreed to in writing, software
+ * distributed under the
+ * License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+ * CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hdds.scm.server;
+
+import org.apache.hadoop.hdds.conf.Config;
+import org.apache.hadoop.hdds.conf.ConfigGroup;
+import org.apache.hadoop.hdds.conf.ConfigTag;
+import org.apache.hadoop.hdds.conf.ConfigType;
+
+/**
+ * SCM HTTP Server configuration in Java style configuration class.
+ */
+@ConfigGroup(prefix = "hdds.scm.http")
+public class SCMHTTPServerConfig {
+
+ private String principal = "";
+ private String keytab = "";
+
+ @Config(key = "kerberos.principal",
+ type = ConfigType.STRING,
+ defaultValue = "",
+ tags = { ConfigTag.SECURITY },
+ description = "This Kerberos principal is used when communicating to " + + "the HTTP server of SCM.The protocol used is SPNEGO."
+ )
+ public void setKerberosPrincipal(String kerberosPrincipal) {
+ this.principal = kerberosPrincipal;
+ }
+
+ @Config(key = "kerberos.keytab",
+ type = ConfigType.STRING,
+ defaultValue = "",
+ tags = { ConfigTag.SECURITY },
+ description = "The keytab file used by SCM http server to login" + + " as its service principal."
+ )
+ public void setKerberosKeytab(String kerberosKeytab) {
+ this.keytab = kerberosKeytab;
+ }
+
+ public String getKerberosPrincipal() {
+ return this.principal;
+ }
+
+ public String getKerberosKeytab() {
+ return this.keytab;
+ }
+
+ /**
+ * This static class is required to support other classes
+ * that reference the key names and also require attributes.
+ * Example: SCMSecurityProtocol where the KerberosInfo references
+ * the old configuration with the annotation shown below:-
+ * @KerberosInfo(serverPrincipal =
+ * ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY)
+ */
+ public static class ConfigStrings {
+ public static final String HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY =
+ "hdds.scm.http.kerberos.principal";
+ public static final String HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY =
+ "hdds.scm.http.kerberos.keytab";
+ }
+}
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMSecurityProtocolServer.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMSecurityProtocolServer.java
index c4b4efd30e0a..86fd46801f5b 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMSecurityProtocolServer.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMSecurityProtocolServer.java
@@ -35,6 +35,7 @@
 import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolPB;
 import org.apache.hadoop.hdds.scm.protocol.SCMSecurityProtocolServerSideTranslatorPB;
 import org.apache.hadoop.hdds.scm.HddsServerUtil;
+import org.apache.hadoop.hdds.scm.ScmConfig;
 import org.apache.hadoop.hdds.scm.ScmConfigKeys;
 import org.apache.hadoop.hdds.protocol.SCMSecurityProtocol;
 import org.apache.hadoop.hdds.security.x509.SecurityConfig;
@@ -55,7 +56,7 @@
 * The protocol used to perform security related operations with SCM.
 */
 @KerberosInfo(
- serverPrincipal = ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY)
+ serverPrincipal = ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY)
 @InterfaceAudience.Private
 public class SCMSecurityProtocolServer implements SCMSecurityProtocol {
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
index 7a375fcd039e..21127f4daec0 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
@@ -36,6 +36,7 @@
 import org.apache.hadoop.hdds.protocol.proto.HddsProtos.NodeState;
 import org.apache.hadoop.hdds.ratis.RatisHelper;
 import org.apache.hadoop.hdds.scm.HddsServerUtil;
+import org.apache.hadoop.hdds.scm.ScmConfig;
 import org.apache.hadoop.hdds.scm.ScmConfigKeys;
 import org.apache.hadoop.hdds.scm.block.BlockManager;
 import org.apache.hadoop.hdds.scm.block.BlockManagerImpl;
@@ -115,8 +116,6 @@
 import java.util.concurrent.ConcurrentMap;
 import java.util.concurrent.TimeUnit;
-import static org.apache.hadoop.hdds.scm.ScmConfigKeys.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY;
-import static org.apache.hadoop.hdds.scm.ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY;
 import static org.apache.hadoop.hdds.scm.ScmConfigKeys.HDDS_SCM_WATCHER_TIMEOUT_DEFAULT;
 /**
@@ -494,10 +493,11 @@ private void initalizeMetadataStore(OzoneConfiguration conf,
 private void loginAsSCMUser(Configuration conf)
 throws IOException, AuthenticationException {
 if (LOG.isDebugEnabled()) {
+ ScmConfig scmConfig = configuration.getObject(ScmConfig.class);
 LOG.debug("Ozone security is enabled. Attempting login for SCM user. " + "Principal: {}, keytab: {}",
- conf.get(HDDS_SCM_KERBEROS_PRINCIPAL_KEY),
- conf.get(HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY));
+ scmConfig.getKerberosPrincipal(),
+ scmConfig.getKerberosKeytab());
 }
 if (SecurityUtil.getAuthenticationMethod(conf).equals(
@@ -505,8 +505,10 @@ private void loginAsSCMUser(Configuration conf)
 UserGroupInformation.setConfiguration(conf);
 InetSocketAddress socAddr = HddsServerUtil
 .getScmBlockClientBindAddress(conf);
- SecurityUtil.login(conf, HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY,
- HDDS_SCM_KERBEROS_PRINCIPAL_KEY, socAddr.getHostName());
+ SecurityUtil.login(conf,
+ ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY,
+ ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY,
+ socAddr.getHostName());
 } else {
 throw new AuthenticationException(SecurityUtil.getAuthenticationMethod(
 conf) + " authentication method not support. "
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManagerHttpServer.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManagerHttpServer.java
index dce2a45e87c4..b04267ae6f88 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManagerHttpServer.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManagerHttpServer.java
@@ -62,11 +62,13 @@ public StorageContainerManagerHttpServer(Configuration conf)
 }
 @Override protected String getKeytabFile() {
- return ScmConfigKeys.HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY;
+ return SCMHTTPServerConfig.ConfigStrings
+ .HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY;
 }
 @Override protected String getSpnegoPrincipal() {
- return ScmConfigKeys.HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY;
+ return SCMHTTPServerConfig.ConfigStrings
+ .HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY;
 }
 @Override protected String getEnabledKey() {
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
index b38a7cbb5b1f..7163bb10881c 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
@@ -36,9 +36,11 @@
 import org.apache.hadoop.hdds.conf.OzoneConfiguration;
 import org.apache.hadoop.hdds.protocol.SCMSecurityProtocol;
 import org.apache.hadoop.hdds.scm.HddsTestUtils;
+import org.apache.hadoop.hdds.scm.ScmConfig;
 import org.apache.hadoop.hdds.scm.ScmConfigKeys;
 import org.apache.hadoop.hdds.scm.ScmInfo;
 import org.apache.hadoop.hdds.scm.client.HddsClientUtils;
+import org.apache.hadoop.hdds.scm.server.SCMHTTPServerConfig;
 import org.apache.hadoop.hdds.scm.server.SCMStorageConfig;
 import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
 import org.apache.hadoop.hdds.security.x509.SecurityConfig;
@@ -205,11 +207,14 @@ public void stop() {
 private void createCredentialsInKDC(Configuration configuration,
 MiniKdc kdc) throws Exception {
+ OzoneConfiguration ozoneConfiguration =
+ new OzoneConfiguration(configuration);
+ SCMHTTPServerConfig httpServerConfig =
+ ozoneConfiguration.getObject(SCMHTTPServerConfig.class);
 createPrincipal(scmKeytab,
- configuration.get(ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY));
+ httpServerConfig.getKerberosPrincipal());
 createPrincipal(spnegoKeytab,
- configuration.get(ScmConfigKeys
- .HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY));
+ httpServerConfig.getKerberosKeytab());
 createPrincipal(testUserKeytab, testUserPrincipal);
 createPrincipal(omKeyTab,
 configuration.get(OMConfigKeys.OZONE_OM_KERBEROS_PRINCIPAL_KEY));
@@ -233,6 +238,9 @@ private void stopMiniKdc() {
 }
 private void setSecureConfig(Configuration configuration) throws IOException {
+ SCMHTTPServerConfig httpServerConfig =
+ conf.getObject(SCMHTTPServerConfig.class);
+ ScmConfig scmConfig = conf.getObject(ScmConfig.class);
 configuration.setBoolean(OZONE_SECURITY_ENABLED_KEY, true);
 host = InetAddress.getLocalHost().getCanonicalHostName()
 .toLowerCase();
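Review bot: Both principals registered with the KDC in createCredentialsInKDC are now the wrong ones: `createPrincipal(scmKeytab, httpServerConfig.getKerberosPrincipal())` puts the HTTP/SPNEGO principal (prefix `hdds.scm.http`) into the SCM service keytab where the removed line read `HDDS_SCM_KERBEROS_PRINCIPAL_KEY`, and `createPrincipal(spnegoKeytab, httpServerConfig.getKerberosKeytab())` passes a keytab file path where the removed lines passed `HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY`, so the spnego keytab never receives a key for the `HTTP_SCM/...` principal that setSecureConfig configures. The SCM principal should come from `ScmConfig`, which this commit already imports into the file: add `ScmConfig scmConfig = ozoneConfiguration.getObject(ScmConfig.class);` next to `httpServerConfig`, then `createPrincipal(scmKeytab, scmConfig.getKerberosPrincipal());` and `createPrincipal(spnegoKeytab, httpServerConfig.getKerberosPrincipal());`. Whether the secure-cluster tests still pass with these mismatched keytabs depends on how far the MiniKdc login is exercised, so an assertion on the principals actually written to each keytab would catch this class of mix-up in future refactors.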
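Review bot: The two locals added at the top of setSecureConfig (`httpServerConfig` and `scmConfig`) are built from the `conf` field rather than the `configuration` parameter the method populates, and neither is referenced in this hunk; the later hunks of the same method (-244 and -260) keep writing the keys through `ConfigStrings`, so as far as the visible diff shows they are dead. Either drop the two declarations, or, if they are meant to be used further down, derive them from `configuration` so the object being read is the one being written. setSecureConfig continues past the end of the hunk, so a use outside the visible lines cannot be ruled out from here.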
@@ -244,9 +252,10 @@ private void setSecureConfig(Configuration configuration) throws IOException {
 "kerberos");
 configuration.set(OZONE_ADMINISTRATORS, curUser);
- configuration.set(ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY,
+ configuration.set(ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY,
 "scm/" + host + "@" + realm);
- configuration.set(ScmConfigKeys.HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY,
+ configuration.set(SCMHTTPServerConfig.ConfigStrings
+ .HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY,
 "HTTP_SCM/" + host + "@" + realm);
 configuration.set(OMConfigKeys.OZONE_OM_KERBEROS_PRINCIPAL_KEY,
@@ -260,10 +269,11 @@ private void setSecureConfig(Configuration configuration) throws IOException {
 testUserKeytab = new File(workDir, "testuser.keytab");
 testUserPrincipal = "test@" + realm;
- configuration.set(ScmConfigKeys.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY,
+ configuration.set(ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY,
 scmKeytab.getAbsolutePath());
 configuration.set(
- ScmConfigKeys.HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY,
+ SCMHTTPServerConfig.ConfigStrings
+ .HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY,
 spnegoKeytab.getAbsolutePath());
 configuration.set(OMConfigKeys.OZONE_OM_KERBEROS_KEYTAB_FILE_KEY,
 omKeyTab.getAbsolutePath());
@@ -347,7 +357,7 @@ private void initSCM()
 @Test
 public void testSecureScmStartupFailure() throws Exception {
 initSCM();
- conf.set(ScmConfigKeys.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY, "");
+ conf.set(ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY, "");
 conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
 "kerberos");
@@ -357,9 +367,9 @@ public void testSecureScmStartupFailure() throws Exception {
 StorageContainerManager.createSCM(conf);
 });
- conf.set(ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY,
+ conf.set(ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY,
 "scm/_HOST@EXAMPLE.com");
- conf.set(ScmConfigKeys.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY,
+ conf.set(ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY,
 "/etc/security/keytabs/scm.keytab");
 testCommonKerberosFailures(