From 35b42f2c808e6e76c9cac56ea9101d802564d6af Mon Sep 17 00:00:00 2001 From: Chris Teoh Date: Sat, 2 Nov 2019 10:28:11 +1100 Subject: [PATCH 1/5] refactored HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY and HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY into separate configuration files --- .../hdds/protocol/SCMSecurityProtocol.java | 3 +- .../protocolPB/SCMSecurityProtocolPB.java | 4 +- .../org/apache/hadoop/hdds/scm/ScmConfig.java | 41 ++++++++++++ .../apache/hadoop/hdds/scm/ScmConfigKeys.java | 11 +--- .../protocol/ScmBlockLocationProtocol.java | 4 +- .../StorageContainerLocationProtocol.java | 4 +- .../ScmBlockLocationProtocolPB.java | 4 +- .../StorageContainerLocationProtocolPB.java | 4 +- .../StorageContainerDatanodeProtocol.java | 5 +- .../StorageContainerDatanodeProtocolPB.java | 4 +- .../hdds/scm/server/SCMHTTPServerConfig.java | 63 +++++++++++++++++++ .../scm/server/SCMSecurityProtocolServer.java | 3 +- .../scm/server/StorageContainerManager.java | 12 ++-- .../StorageContainerManagerHttpServer.java | 9 ++- .../hadoop/ozone/TestSecureOzoneCluster.java | 25 +++++--- 15 files changed, 152 insertions(+), 44 deletions(-) create mode 100644 hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfig.java create mode 100644 hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMHTTPServerConfig.java diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/protocol/SCMSecurityProtocol.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/protocol/SCMSecurityProtocol.java index 4036cb17b847..f58374df6627 100644 --- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/protocol/SCMSecurityProtocol.java +++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/protocol/SCMSecurityProtocol.java 
@@ -20,6 +20,7 @@ import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.hdds.protocol.proto.HddsProtos.DatanodeDetailsProto; import org.apache.hadoop.hdds.protocol.proto.HddsProtos.OzoneManagerDetailsProto; +import org.apache.hadoop.hdds.scm.ScmConfig; import org.apache.hadoop.hdds.scm.ScmConfigKeys; import org.apache.hadoop.security.KerberosInfo; @@ -27,7 +28,7 @@ * The protocol used to perform security related operations with SCM. */ @KerberosInfo( - serverPrincipal = ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY) + serverPrincipal = ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY) @InterfaceAudience.Private public interface SCMSecurityProtocol { diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/protocolPB/SCMSecurityProtocolPB.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/protocolPB/SCMSecurityProtocolPB.java index 41b0332d6d3c..98e4483d7f41 100644 --- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/protocolPB/SCMSecurityProtocolPB.java +++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/protocolPB/SCMSecurityProtocolPB.java @@ -17,7 +17,7 @@ package org.apache.hadoop.hdds.protocolPB; import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMSecurityProtocolService; -import org.apache.hadoop.hdds.scm.ScmConfigKeys; +import org.apache.hadoop.hdds.scm.ScmConfig; import org.apache.hadoop.ipc.ProtocolInfo; import org.apache.hadoop.security.KerberosInfo; @@ -28,7 +28,7 @@ @ProtocolInfo(protocolName = "org.apache.hadoop.hdds.protocol.SCMSecurityProtocol", protocolVersion = 1) -@KerberosInfo(serverPrincipal = ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY) +@KerberosInfo(serverPrincipal = ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY) public interface SCMSecurityProtocolPB extends SCMSecurityProtocolService.BlockingInterface { 
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfig.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfig.java
new file mode 100644
index 000000000000..1318dce0af70
--- /dev/null
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfig.java
@@ -0,0 +1,41 @@
+package org.apache.hadoop.hdds.scm;
+
+import org.apache.hadoop.hdds.conf.Config;
+import org.apache.hadoop.hdds.conf.ConfigGroup;
+import org.apache.hadoop.hdds.conf.ConfigTag;
+import org.apache.hadoop.hdds.conf.ConfigType;
+
+@ConfigGroup(prefix = "hdds.scm")
+public class ScmConfig {
+ private String principal;
+ private String keytab;
+
+ @Config(key = "kerberos.principal",
+ type = ConfigType.STRING,
+ defaultValue = "",
+ tags = { ConfigTag.SECURITY },
+ description = "This Kerberos principal is used by the SCM service."
+ )
+ public void setKerberosPrincipal(String kerberosPrincipal) { this.principal = kerberosPrincipal; }
+
+ @Config(key = "kerberos.keytab.file",
+ type = ConfigType.STRING,
+ defaultValue = "",
+ tags = { ConfigTag.SECURITY },
+ description = "The keytab file used by SCM daemon to login as its service principal."
+ )
+ public void setKerberosKeytab(String kerberosKeytab) { this.keytab = kerberosKeytab; }
+
+ public String getKerberosPrincipal() { return this.principal; }
+
+ public String getKerberosKeytab() { return this.keytab; }
+
+ public static class ConfigStrings {
+ /* required for SCMSecurityProtocol where the KerberosInfo references the old configuration with
+ * the annotation shown below:-
+ * @KerberosInfo(serverPrincipal = ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY)
+ */
+ public static final String HDDS_SCM_KERBEROS_PRINCIPAL_KEY = "hdds.scm.kerberos.principal";
+ public static final String HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY = "hdds.scm.kerberos.keytab.file";
+ }
+}
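Review bot: The literal keys in `ConfigStrings` ("hdds.scm.kerberos.principal", "hdds.scm.kerberos.keytab.file") restate what `@ConfigGroup(prefix = "hdds.scm")` and the two `@Config(key = ...)` values already encode, and nothing checks that the two spellings agree, so a later edit to either side would make the annotation-driven `getObject` loader and the `@KerberosInfo`/`SecurityUtil.login` callers, which need compile-time constants, read different properties. Because `@KerberosInfo` cannot take a derived value, the coupling should at least be stated where it lives; I would replace the comment inside `ConfigStrings` with `/* Compile-time keys for @KerberosInfo and SecurityUtil.login; each must equal the @ConfigGroup prefix joined with the matching @Config key above — keep them in sync. */`. Separately, `principal` and `keytab` stay null until a setter runs, so an instance not populated through `getObject` returns null from the getters even though both `@Config` entries declare `defaultValue = ""`; initialising the fields as `private String principal = "";` and `private String keytab = "";` closes that gap.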
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfigKeys.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfigKeys.java index 161780668ab0..3c35e5603b65 100644 --- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfigKeys.java +++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfigKeys.java @@ -220,10 +220,7 @@ public final class ScmConfigKeys { "ozone.scm.http-address"; public static final String OZONE_SCM_HTTPS_ADDRESS_KEY = "ozone.scm.https-address"; - public static final String HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY = - "hdds.scm.kerberos.keytab.file"; - public static final String HDDS_SCM_KERBEROS_PRINCIPAL_KEY = - "hdds.scm.kerberos.principal"; + public static final String OZONE_SCM_HTTP_BIND_HOST_DEFAULT = "0.0.0.0"; public static final int OZONE_SCM_HTTP_BIND_PORT_DEFAULT = 9876; public static final int OZONE_SCM_HTTPS_BIND_PORT_DEFAULT = 9877; @@ -350,12 +347,6 @@ public final class ScmConfigKeys { public static final String HDDS_SCM_WATCHER_TIMEOUT_DEFAULT = "10m"; - public static final String - HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY = - "hdds.scm.http.kerberos.principal"; - public static final String - HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY = - "hdds.scm.http.kerberos.keytab"; // Network topology public static final String OZONE_SCM_NETWORK_TOPOLOGY_SCHEMA_FILE = diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocol/ScmBlockLocationProtocol.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocol/ScmBlockLocationProtocol.java index 18045f88cbd2..0953cde8acca 100644 --- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocol/ScmBlockLocationProtocol.java +++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocol/ScmBlockLocationProtocol.java 
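Review bot: Both hunks delete public constants (`HDDS_SCM_KERBEROS_PRINCIPAL_KEY`, `HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY`, `HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY`, `HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY`) from `ScmConfigKeys` outright, which breaks source compatibility for any caller outside this tree that still references them, and the first hunk leaves a stray empty `+` line where the removed block was. Deprecated aliases forwarding to the new home keep old callers compiling, e.g. `@Deprecated public static final String HDDS_SCM_KERBEROS_PRINCIPAL_KEY = ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY;` and the same for the keytab key. The two HTTP keys presumably cannot forward the same way, since `SCMHTTPServerConfig` is added under server-scm rather than common, so they would keep their literal values with a comment pointing at `SCMHTTPServerConfig.ConfigStrings`.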
@@ -18,7 +18,7 @@ package org.apache.hadoop.hdds.scm.protocol; import org.apache.hadoop.hdds.protocol.DatanodeDetails; -import org.apache.hadoop.hdds.scm.ScmConfigKeys; +import org.apache.hadoop.hdds.scm.ScmConfig; import org.apache.hadoop.hdds.scm.container.common.helpers.ExcludeList; import org.apache.hadoop.security.KerberosInfo; import org.apache.hadoop.hdds.scm.ScmInfo; @@ -36,7 +36,7 @@ * ScmBlockLocationProtocol is used by an HDFS node to find the set of nodes * to read/write a block. */ -@KerberosInfo(serverPrincipal = ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY) +@KerberosInfo(serverPrincipal = ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY) public interface ScmBlockLocationProtocol extends Closeable { @SuppressWarnings("checkstyle:ConstantName") diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocol/StorageContainerLocationProtocol.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocol/StorageContainerLocationProtocol.java index 88db8205a408..4d25916185b5 100644 --- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocol/StorageContainerLocationProtocol.java +++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocol/StorageContainerLocationProtocol.java @@ -17,7 +17,7 @@ package org.apache.hadoop.hdds.scm.protocol; -import org.apache.hadoop.hdds.scm.ScmConfigKeys; +import org.apache.hadoop.hdds.scm.ScmConfig; import org.apache.hadoop.hdds.scm.ScmInfo; import org.apache.hadoop.hdds.scm.container.common.helpers.ContainerWithPipeline; import org.apache.hadoop.hdds.scm.container.ContainerInfo; 
@@ -35,7 +35,7 @@ * ContainerLocationProtocol is used by an HDFS node to find the set of nodes * that currently host a container. */ -@KerberosInfo(serverPrincipal = ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY) +@KerberosInfo(serverPrincipal = ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY) public interface StorageContainerLocationProtocol extends Closeable { @SuppressWarnings("checkstyle:ConstantName") diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocolPB/ScmBlockLocationProtocolPB.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocolPB/ScmBlockLocationProtocolPB.java index 1ba698bf0e30..32713b7e461f 100644 --- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocolPB/ScmBlockLocationProtocolPB.java +++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocolPB/ScmBlockLocationProtocolPB.java @@ -20,7 +20,7 @@ import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.hdds.protocol.proto.ScmBlockLocationProtocolProtos .ScmBlockLocationProtocolService; -import org.apache.hadoop.hdds.scm.ScmConfigKeys; +import org.apache.hadoop.hdds.scm.ScmConfig; import org.apache.hadoop.ipc.ProtocolInfo; import org.apache.hadoop.security.KerberosInfo; @@ -33,7 +33,7 @@ protocolVersion = 1) @InterfaceAudience.Private @KerberosInfo( - serverPrincipal = ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY) + serverPrincipal = ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY) public interface ScmBlockLocationProtocolPB extends ScmBlockLocationProtocolService.BlockingInterface { } diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocolPB/StorageContainerLocationProtocolPB.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocolPB/StorageContainerLocationProtocolPB.java index f0af7aaed872..c42a1f79410b 100644 --- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocolPB/StorageContainerLocationProtocolPB.java 
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocolPB/StorageContainerLocationProtocolPB.java @@ -21,7 +21,7 @@ import org.apache.hadoop.hdds.protocol.proto .StorageContainerLocationProtocolProtos .StorageContainerLocationProtocolService; -import org.apache.hadoop.hdds.scm.ScmConfigKeys; +import org.apache.hadoop.hdds.scm.ScmConfig; import org.apache.hadoop.ipc.ProtocolInfo; import org.apache.hadoop.security.KerberosInfo; @@ -33,7 +33,7 @@ "org.apache.hadoop.hdds.scm.protocol.StorageContainerLocationProtocol", protocolVersion = 1) @KerberosInfo( - serverPrincipal = ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY) + serverPrincipal = ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY) @InterfaceAudience.Private public interface StorageContainerLocationProtocolPB extends StorageContainerLocationProtocolService.BlockingInterface { diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/protocol/StorageContainerDatanodeProtocol.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/protocol/StorageContainerDatanodeProtocol.java index 61bdb27f4cdc..3e0450ffa978 100644 --- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/protocol/StorageContainerDatanodeProtocol.java +++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/protocol/StorageContainerDatanodeProtocol.java @@ -36,7 +36,8 @@ .StorageContainerDatanodeProtocolProtos.SCMVersionResponseProto; import java.io.IOException; -import org.apache.hadoop.hdds.scm.ScmConfigKeys; + +import org.apache.hadoop.hdds.scm.ScmConfig; import org.apache.hadoop.security.KerberosInfo; /** @@ -44,7 +45,7 @@ * Protoc file that defines this protocol. */ @KerberosInfo( - serverPrincipal = ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY) + serverPrincipal = ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY) @InterfaceAudience.Private public interface StorageContainerDatanodeProtocol { 
diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/protocolPB/StorageContainerDatanodeProtocolPB.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/protocolPB/StorageContainerDatanodeProtocolPB.java index 9006e9175acb..680f393b07fd 100644 --- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/protocolPB/StorageContainerDatanodeProtocolPB.java +++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/protocolPB/StorageContainerDatanodeProtocolPB.java @@ -19,7 +19,7 @@ import org.apache.hadoop.hdds.protocol.proto .StorageContainerDatanodeProtocolProtos .StorageContainerDatanodeProtocolService; -import org.apache.hadoop.hdds.scm.ScmConfigKeys; +import org.apache.hadoop.hdds.scm.ScmConfig; import org.apache.hadoop.hdfs.DFSConfigKeys; import org.apache.hadoop.ipc.ProtocolInfo; import org.apache.hadoop.security.KerberosInfo; @@ -33,7 +33,7 @@ "org.apache.hadoop.ozone.protocol.StorageContainerDatanodeProtocol", protocolVersion = 1) @KerberosInfo( - serverPrincipal = ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY, + serverPrincipal = ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY, clientPrincipal = DFSConfigKeys.DFS_DATANODE_KERBEROS_PRINCIPAL_KEY) public interface StorageContainerDatanodeProtocolPB extends StorageContainerDatanodeProtocolService.BlockingInterface { diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMHTTPServerConfig.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMHTTPServerConfig.java new file mode 100644 index 000000000000..7561bc9ef493 --- /dev/null +++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMHTTPServerConfig.java 
@@ -0,0 +1,63 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license + * agreements. See the NOTICE file distributed with this work for additional + * information regarding + * copyright ownership. The ASF licenses this file to you under the Apache + * License, Version 2.0 (the + * "License"); you may not use this file except in compliance with the + * License. You may obtain a + * copy of the License at + * + *

http://www.apache.org/licenses/LICENSE-2.0 + * + *

Unless required by applicable law or agreed to in writing, software + * distributed under the + * License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR + * CONDITIONS OF ANY KIND, either + * express or implied. See the License for the specific language governing + * permissions and + * limitations under the License. + */ +package org.apache.hadoop.hdds.scm.server; + +import org.apache.hadoop.hdds.conf.Config; +import org.apache.hadoop.hdds.conf.ConfigGroup; +import org.apache.hadoop.hdds.conf.ConfigTag; +import org.apache.hadoop.hdds.conf.ConfigType; + +@ConfigGroup(prefix = "hdds.scm.http") +public class SCMHTTPServerConfig { + + private String principal; + private String keytab; + + @Config(key = "kerberos.principal", + type = ConfigType.STRING, + defaultValue = "", + tags = { ConfigTag.SECURITY }, + description = "This Kerberos principal is used when communicating to " + + "the HTTP server of SCM.The protocol used is SPNEGO." + ) + public void setKerberosPrincipal(String kerberosPrincipal) { this.principal = kerberosPrincipal; } + + @Config(key = "kerberos.keytab", + type = ConfigType.STRING, + defaultValue = "", + tags = { ConfigTag.SECURITY }, + description = "The keytab file used by SCM http server to login as its service principal." + ) + public void setKerberosKeytab(String kerberosKeytab) { this.keytab = kerberosKeytab; } + + public String getKerberosPrincipal() { return this.principal; } + + public String getKerberosKeytab() { return this.keytab; } + public static class ConfigStrings { + /* required for SCMSecurityProtocol where the KerberosInfo references the old configuration with + * the annotation shown below:- + * @KerberosInfo(serverPrincipal = ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY) + */ + public static final String HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY = "hdds.scm.http.kerberos.principal"; + public static final String HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY = "hdds.scm.http.kerberos.keytab"; + } +} 
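Review bot: The comment inside `ConfigStrings` is copied from `ScmConfig` and says these keys exist for `SCMSecurityProtocol`'s `@KerberosInfo(serverPrincipal = ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY)`, which is a different key on a different class; within this patch the HTTP constants are only used by `TestSecureOzoneCluster` to set the SPNEGO principal and keytab. Replace it with `/* Compile-time keys for callers that set or read the SPNEGO properties directly; each must equal the @ConfigGroup prefix plus the matching @Config key above. */`. The `@Config` key is `kerberos.keytab` while `ScmConfig` uses `kerberos.keytab.file`; that asymmetry preserves the old `hdds.scm.http.kerberos.keytab` property name (see the removed `ScmConfigKeys` line), so record it next to the annotation: `// "kerberos.keytab", not ".keytab.file": keeps the pre-existing hdds.scm.http.kerberos.keytab property name`. The principal description also lacks a space in `SCM.The protocol`.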
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMSecurityProtocolServer.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMSecurityProtocolServer.java index c4b4efd30e0a..86fd46801f5b 100644 --- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMSecurityProtocolServer.java +++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMSecurityProtocolServer.java @@ -35,6 +35,7 @@ import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolPB; import org.apache.hadoop.hdds.scm.protocol.SCMSecurityProtocolServerSideTranslatorPB; import org.apache.hadoop.hdds.scm.HddsServerUtil; +import org.apache.hadoop.hdds.scm.ScmConfig; import org.apache.hadoop.hdds.scm.ScmConfigKeys; import org.apache.hadoop.hdds.protocol.SCMSecurityProtocol; import org.apache.hadoop.hdds.security.x509.SecurityConfig; @@ -55,7 +56,7 @@ * The protocol used to perform security related operations with SCM. */ @KerberosInfo( - serverPrincipal = ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY) + serverPrincipal = ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY) @InterfaceAudience.Private public class SCMSecurityProtocolServer implements SCMSecurityProtocol { diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java index 7a375fcd039e..48faeaf5170f 100644 --- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java +++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java 
@@ -36,6 +36,7 @@ import org.apache.hadoop.hdds.protocol.proto.HddsProtos.NodeState; import org.apache.hadoop.hdds.ratis.RatisHelper; import org.apache.hadoop.hdds.scm.HddsServerUtil; +import org.apache.hadoop.hdds.scm.ScmConfig; import org.apache.hadoop.hdds.scm.ScmConfigKeys; import org.apache.hadoop.hdds.scm.block.BlockManager; import org.apache.hadoop.hdds.scm.block.BlockManagerImpl; @@ -115,8 +116,6 @@ import java.util.concurrent.ConcurrentMap; import java.util.concurrent.TimeUnit; -import static org.apache.hadoop.hdds.scm.ScmConfigKeys.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY; -import static org.apache.hadoop.hdds.scm.ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY; import static org.apache.hadoop.hdds.scm.ScmConfigKeys.HDDS_SCM_WATCHER_TIMEOUT_DEFAULT; /** @@ -494,10 +493,11 @@ private void initalizeMetadataStore(OzoneConfiguration conf, private void loginAsSCMUser(Configuration conf) throws IOException, AuthenticationException { if (LOG.isDebugEnabled()) { + ScmConfig scmConfig = configuration.getObject(ScmConfig.class); LOG.debug("Ozone security is enabled. Attempting login for SCM user. " + "Principal: {}, keytab: {}", - conf.get(HDDS_SCM_KERBEROS_PRINCIPAL_KEY), - conf.get(HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY)); + scmConfig.getKerberosPrincipal(), + scmConfig.getKerberosKeytab()); } if (SecurityUtil.getAuthenticationMethod(conf).equals( @@ -505,8 +505,8 @@ private void loginAsSCMUser(Configuration conf) UserGroupInformation.setConfiguration(conf); InetSocketAddress socAddr = HddsServerUtil .getScmBlockClientBindAddress(conf); - SecurityUtil.login(conf, HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY, - HDDS_SCM_KERBEROS_PRINCIPAL_KEY, socAddr.getHostName()); + SecurityUtil.login(conf, ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY, + ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY, socAddr.getHostName()); } else { throw new AuthenticationException(SecurityUtil.getAuthenticationMethod( conf) + " authentication method not support. " 
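Review bot: In `loginAsSCMUser` the debug branch now builds `ScmConfig` from the `configuration` field (presumably the SCM's `OzoneConfiguration`) while `SecurityUtil.login(conf, ...)` a few lines later reads the `conf` parameter, so whenever the two objects differ the log reports a principal and keytab other than the ones actually used to log in, which is exactly what that debug line exists to show. Reading the same keys from the same source keeps the log truthful without the extra object: `conf.get(ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY),` and `conf.get(ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY));`. The end of `loginAsSCMUser` lies outside the hunk.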
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManagerHttpServer.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManagerHttpServer.java index dce2a45e87c4..5b6e808e39f3 100644 --- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManagerHttpServer.java +++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManagerHttpServer.java @@ -18,6 +18,7 @@ package org.apache.hadoop.hdds.scm.server; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hdds.conf.OzoneConfiguration; import org.apache.hadoop.hdds.scm.ScmConfigKeys; import org.apache.hadoop.hdds.server.BaseHttpServer; @@ -28,9 +29,13 @@ */ public class StorageContainerManagerHttpServer extends BaseHttpServer { + OzoneConfiguration ozoneConfiguration; + SCMHTTPServerConfig httpServerConfig; public StorageContainerManagerHttpServer(Configuration conf) throws IOException { super(conf, "scm"); + ozoneConfiguration = new OzoneConfiguration(conf); + httpServerConfig = ozoneConfiguration.getObject(SCMHTTPServerConfig.class); } @Override protected String getHttpAddressKey() { @@ -62,11 +67,11 @@ public StorageContainerManagerHttpServer(Configuration conf) } @Override protected String getKeytabFile() { - return ScmConfigKeys.HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY; + return httpServerConfig.getKerberosKeytab(); } @Override protected String getSpnegoPrincipal() { - return ScmConfigKeys.HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY; + return httpServerConfig.getKerberosPrincipal(); } @Override protected String getEnabledKey() { diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java index b38a7cbb5b1f..1b59b01cbb9d 100644 
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java +++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java @@ -36,9 +36,11 @@ import org.apache.hadoop.hdds.conf.OzoneConfiguration; import org.apache.hadoop.hdds.protocol.SCMSecurityProtocol; import org.apache.hadoop.hdds.scm.HddsTestUtils; +import org.apache.hadoop.hdds.scm.ScmConfig; import org.apache.hadoop.hdds.scm.ScmConfigKeys; import org.apache.hadoop.hdds.scm.ScmInfo; import org.apache.hadoop.hdds.scm.client.HddsClientUtils; +import org.apache.hadoop.hdds.scm.server.SCMHTTPServerConfig; import org.apache.hadoop.hdds.scm.server.SCMStorageConfig; import org.apache.hadoop.hdds.scm.server.StorageContainerManager; import org.apache.hadoop.hdds.security.x509.SecurityConfig; @@ -205,11 +207,12 @@ public void stop() { private void createCredentialsInKDC(Configuration configuration, MiniKdc kdc) throws Exception { + OzoneConfiguration ozoneConfiguration = new OzoneConfiguration(configuration); + SCMHTTPServerConfig httpServerConfig = ozoneConfiguration.getObject(SCMHTTPServerConfig.class); createPrincipal(scmKeytab, - configuration.get(ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY)); + httpServerConfig.getKerberosPrincipal()); createPrincipal(spnegoKeytab, - configuration.get(ScmConfigKeys - .HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY)); + httpServerConfig.getKerberosKeytab()); createPrincipal(testUserKeytab, testUserPrincipal); createPrincipal(omKeyTab, configuration.get(OMConfigKeys.OZONE_OM_KERBEROS_PRINCIPAL_KEY)); @@ -233,6 +236,8 @@ private void stopMiniKdc() { } private void setSecureConfig(Configuration configuration) throws IOException { + SCMHTTPServerConfig httpServerConfig = conf.getObject(SCMHTTPServerConfig.class); + ScmConfig scmConfig = conf.getObject(ScmConfig.class); configuration.setBoolean(OZONE_SECURITY_ENABLED_KEY, true); host = InetAddress.getLocalHost().getCanonicalHostName() .toLowerCase(); 
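Review bot: `createCredentialsInKDC` now registers the wrong identities: `scmKeytab` is created for `httpServerConfig.getKerberosPrincipal()`, the SPNEGO principal, instead of the SCM service principal the removed line read from `HDDS_SCM_KERBEROS_PRINCIPAL_KEY`, and `spnegoKeytab` is created for `httpServerConfig.getKerberosKeytab()`, which is a keytab path rather than a principal. With those keytabs the SCM login and SPNEGO setup exercised by the secure-cluster tests would not match the principals `setSecureConfig` configures. The intended mapping is `ScmConfig scmConfig = ozoneConfiguration.getObject(ScmConfig.class);` followed by `createPrincipal(scmKeytab, scmConfig.getKerberosPrincipal());` and `createPrincipal(spnegoKeytab, httpServerConfig.getKerberosPrincipal());`.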
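Review bot: The two locals added at the top of `setSecureConfig` (`httpServerConfig`, `scmConfig`) are built from the `conf` field rather than the `configuration` parameter the method is populating, and they are created before the principal and keytab properties are set further down, so they can only hold the `""` defaults; nothing in the hunk reads them, and the later hunks of this method still use the `ConfigStrings` constants. Unless they are used in the part of the method outside the hunk, drop both lines. The rest of `setSecureConfig` continues past the hunk.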
@@ -244,9 +249,9 @@ private void setSecureConfig(Configuration configuration) throws IOException { "kerberos"); configuration.set(OZONE_ADMINISTRATORS, curUser); - configuration.set(ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY, + configuration.set(ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY, "scm/" + host + "@" + realm); - configuration.set(ScmConfigKeys.HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY, + configuration.set(SCMHTTPServerConfig.ConfigStrings.HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY, "HTTP_SCM/" + host + "@" + realm); configuration.set(OMConfigKeys.OZONE_OM_KERBEROS_PRINCIPAL_KEY, @@ -260,10 +265,10 @@ private void setSecureConfig(Configuration configuration) throws IOException { testUserKeytab = new File(workDir, "testuser.keytab"); testUserPrincipal = "test@" + realm; - configuration.set(ScmConfigKeys.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY, + configuration.set(ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY, scmKeytab.getAbsolutePath()); configuration.set( - ScmConfigKeys.HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY, + SCMHTTPServerConfig.ConfigStrings.HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY, spnegoKeytab.getAbsolutePath()); configuration.set(OMConfigKeys.OZONE_OM_KERBEROS_KEYTAB_FILE_KEY, omKeyTab.getAbsolutePath()); @@ -347,7 +352,7 @@ private void initSCM() @Test public void testSecureScmStartupFailure() throws Exception { initSCM(); - conf.set(ScmConfigKeys.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY, ""); + conf.set(ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY, ""); conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos"); 
@@ -357,9 +362,9 @@ public void testSecureScmStartupFailure() throws Exception { StorageContainerManager.createSCM(conf); }); - conf.set(ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY, + conf.set(ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY, "scm/_HOST@EXAMPLE.com"); - conf.set(ScmConfigKeys.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY, + conf.set(ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY, "/etc/security/keytabs/scm.keytab"); testCommonKerberosFailures( From 234e27b659c75cd7cd830d994456e4e581591533 Mon Sep 17 00:00:00 2001 From: Chris Teoh Date: Fri, 1 Nov 2019 10:46:43 +1100 Subject: [PATCH 2/5] Fixed NullPointerException due to constructor calling function that accessed uninitialised object --- .../hadoop/hdds/scm/server/SCMHTTPServerConfig.java | 4 ++-- .../scm/server/StorageContainerManagerHttpServer.java | 9 ++------- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMHTTPServerConfig.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMHTTPServerConfig.java index 7561bc9ef493..03f057b47e5b 100644 --- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMHTTPServerConfig.java +++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMHTTPServerConfig.java @@ -29,8 +29,8 @@ @ConfigGroup(prefix = "hdds.scm.http") public class SCMHTTPServerConfig { - private String principal; - private String keytab; + private String principal = ""; + private String keytab = ""; @Config(key = "kerberos.principal", type = ConfigType.STRING, diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManagerHttpServer.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManagerHttpServer.java index 5b6e808e39f3..c9c6c5d462e0 100644 
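Review bot: The `= ""` initialisers on `principal` and `keytab` in `SCMHTTPServerConfig` are not what resolves the NullPointerException named in the subject; as far as the two files in this patch show, that was the null `httpServerConfig` field read from `BaseHttpServer`'s constructor, which the `StorageContainerManagerHttpServer` hunk removes. The defaults are still reasonable because they match `defaultValue = ""` on both `@Config` entries, but a reader of the commit will assume they are load-bearing; a comment on the first field, `// mirror @Config defaultValue so an instance not populated via getObject never returns null`, states the actual intent.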
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManagerHttpServer.java +++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManagerHttpServer.java @@ -18,7 +18,6 @@ package org.apache.hadoop.hdds.scm.server; import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.hdds.conf.OzoneConfiguration; import org.apache.hadoop.hdds.scm.ScmConfigKeys; import org.apache.hadoop.hdds.server.BaseHttpServer; @@ -29,13 +28,9 @@ */ public class StorageContainerManagerHttpServer extends BaseHttpServer { - OzoneConfiguration ozoneConfiguration; - SCMHTTPServerConfig httpServerConfig; public StorageContainerManagerHttpServer(Configuration conf) throws IOException { super(conf, "scm"); - ozoneConfiguration = new OzoneConfiguration(conf); - httpServerConfig = ozoneConfiguration.getObject(SCMHTTPServerConfig.class); } @Override protected String getHttpAddressKey() { @@ -67,11 +62,11 @@ public StorageContainerManagerHttpServer(Configuration conf) } @Override protected String getKeytabFile() { - return httpServerConfig.getKerberosKeytab(); + return SCMHTTPServerConfig.ConfigStrings.HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY; } @Override protected String getSpnegoPrincipal() { - return httpServerConfig.getKerberosPrincipal(); + return SCMHTTPServerConfig.ConfigStrings.HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY; } @Override protected String getEnabledKey() { From 7beac0a1d163b0ea7dc45a740fce0abda0204125 Mon Sep 17 00:00:00 2001 From: Chris Teoh Date: Sat, 2 Nov 2019 10:50:59 +1100 Subject: [PATCH 3/5] Added license --- .../org/apache/hadoop/hdds/scm/ScmConfig.java | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfig.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfig.java index 1318dce0af70..cb33c7a782f9 100644 --- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfig.java 
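Review bot: After this revert `getKeytabFile()` and `getSpnegoPrincipal()` return property names again, as they did before the series, which is what the NullPointerException showed `BaseHttpServer` (outside the hunk) expects to resolve itself during construction; the contract is worth stating on each override so the next refactor does not repeat the mistake, e.g. `// returns the property key, not the value: BaseHttpServer resolves it from conf`. Note that with this change nothing in the series calls `SCMHTTPServerConfig`'s `@Config` setters or getters any more — only `ConfigStrings` is used — so the typed configuration object is currently documentation-only; if that is intended, say so in the class Javadoc.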
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfig.java @@ -1,3 +1,20 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package org.apache.hadoop.hdds.scm; import org.apache.hadoop.hdds.conf.Config; From 941de022e6c63f86cd232da7cabdec1c05462f04 Mon Sep 17 00:00:00 2001 From: Chris Teoh Date: Mon, 4 Nov 2019 23:19:03 +1100 Subject: [PATCH 4/5] Tidied up checkstyle requirements --- .../hdds/protocol/SCMSecurityProtocol.java | 1 - .../protocolPB/SCMSecurityProtocolPB.java | 3 +- .../org/apache/hadoop/hdds/scm/ScmConfig.java | 54 ++++++++++++------- .../protocol/ScmBlockLocationProtocol.java | 3 +- .../StorageContainerLocationProtocol.java | 3 +- .../hdds/scm/server/SCMHTTPServerConfig.java | 43 ++++++++++----- .../scm/server/StorageContainerManager.java | 6 ++- .../StorageContainerManagerHttpServer.java | 6 ++- .../hadoop/ozone/TestSecureOzoneCluster.java | 15 ++++-- 9 files changed, 91 insertions(+), 43 deletions(-) diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/protocol/SCMSecurityProtocol.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/protocol/SCMSecurityProtocol.java index f58374df6627..4a20f2b94bdd 100644 
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/protocol/SCMSecurityProtocol.java +++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/protocol/SCMSecurityProtocol.java @@ -21,7 +21,6 @@ import org.apache.hadoop.hdds.protocol.proto.HddsProtos.DatanodeDetailsProto; import org.apache.hadoop.hdds.protocol.proto.HddsProtos.OzoneManagerDetailsProto; import org.apache.hadoop.hdds.scm.ScmConfig; -import org.apache.hadoop.hdds.scm.ScmConfigKeys; import org.apache.hadoop.security.KerberosInfo; /** diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/protocolPB/SCMSecurityProtocolPB.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/protocolPB/SCMSecurityProtocolPB.java index 98e4483d7f41..ccc5593ffb9f 100644 --- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/protocolPB/SCMSecurityProtocolPB.java +++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/protocolPB/SCMSecurityProtocolPB.java @@ -28,7 +28,8 @@ @ProtocolInfo(protocolName = "org.apache.hadoop.hdds.protocol.SCMSecurityProtocol", protocolVersion = 1) -@KerberosInfo(serverPrincipal = ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY) +@KerberosInfo(serverPrincipal = ScmConfig.ConfigStrings + .HDDS_SCM_KERBEROS_PRINCIPAL_KEY) public interface SCMSecurityProtocolPB extends SCMSecurityProtocolService.BlockingInterface { diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfig.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfig.java index cb33c7a782f9..65c73aa59383 100644 --- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfig.java +++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfig.java 
@@ -22,37 +22,55 @@
 import org.apache.hadoop.hdds.conf.ConfigTag;
 import org.apache.hadoop.hdds.conf.ConfigType;
+/**
+ * The configuration class for the SCM service.
+ */
 @ConfigGroup(prefix = "hdds.scm")
 public class ScmConfig {
 private String principal;
 private String keytab;
 @Config(key = "kerberos.principal",
- type = ConfigType.STRING,
- defaultValue = "",
- tags = { ConfigTag.SECURITY },
- description = "This Kerberos principal is used by the SCM service."
+ type = ConfigType.STRING,
+ defaultValue = "",
+ tags = { ConfigTag.SECURITY },
+ description = "This Kerberos principal is used by the SCM service."
 )
- public void setKerberosPrincipal(String kerberosPrincipal) { this.principal = kerberosPrincipal; }
+ public void setKerberosPrincipal(String kerberosPrincipal) {
+ this.principal = kerberosPrincipal;
+ }
 @Config(key = "kerberos.keytab.file",
- type = ConfigType.STRING,
- defaultValue = "",
- tags = { ConfigTag.SECURITY },
- description = "The keytab file used by SCM daemon to login as its service principal."
+ type = ConfigType.STRING,
+ defaultValue = "",
+ tags = { ConfigTag.SECURITY },
+ description = "The keytab file used by SCM daemon to login as "+
+ "its service principal."
 )
- public void setKerberosKeytab(String kerberosKeytab) { this.keytab = kerberosKeytab; }
+ public void setKerberosKeytab(String kerberosKeytab) {
+ this.keytab = kerberosKeytab;
+ }
- public String getKerberosPrincipal() { return this.principal; }
+ public String getKerberosPrincipal() {
+ return this.principal;
+ }
- public String getKerberosKeytab() { return this.keytab; }
+ public String getKerberosKeytab() {
+ return this.keytab;
+ }
+ /**
+ * Configuration strings class.
+ * required for SCMSecurityProtocol where the KerberosInfo references
+ * the old configuration with
+ * the annotation shown below:-
+ * @KerberosInfo(serverPrincipal = ScmConfigKeys
+ * .HDDS_SCM_KERBEROS_PRINCIPAL_KEY)
+ */
 public static class ConfigStrings {
- /* required for SCMSecurityProtocol where the KerberosInfo references the old configuration with
- * the annotation shown below:-
- * @KerberosInfo(serverPrincipal = ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY)
- */
- public static final String HDDS_SCM_KERBEROS_PRINCIPAL_KEY = "hdds.scm.kerberos.principal";
- public static final String HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY = "hdds.scm.kerberos.keytab.file";
+ public static final String HDDS_SCM_KERBEROS_PRINCIPAL_KEY =
+ "hdds.scm.kerberos.principal";
+ public static final String HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY =
+ "hdds.scm.kerberos.keytab.file";
 }
 }
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocol/ScmBlockLocationProtocol.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocol/ScmBlockLocationProtocol.java
index 0953cde8acca..9c9ba50d2c5e 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocol/ScmBlockLocationProtocol.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocol/ScmBlockLocationProtocol.java
@@ -36,7 +36,8 @@
 * ScmBlockLocationProtocol is used by an HDFS node to find the set of nodes
 * to read/write a block.
 */
-@KerberosInfo(serverPrincipal = ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY)
+@KerberosInfo(serverPrincipal = ScmConfig.ConfigStrings
+ .HDDS_SCM_KERBEROS_PRINCIPAL_KEY)
 public interface ScmBlockLocationProtocol extends Closeable {
 @SuppressWarnings("checkstyle:ConstantName")
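Review bot: The `@KerberosInfo(serverPrincipal = ScmConfigKeys .HDDS_SCM_KERBEROS_PRINCIPAL_KEY)` example in the new ConfigStrings Javadoc begins a line with `@`, which javadoc reads as an unknown block tag rather than prose, and it still cites `ScmConfigKeys`, the constant this series replaces with `ScmConfig.ConfigStrings`; write it as `{@code @KerberosInfo(serverPrincipal = ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY)}`. The same Javadoc defect is in the SCMHTTPServerConfig.java hunk of this patch. The literals in ConfigStrings are hand-copied from `@ConfigGroup(prefix = "hdds.scm")` plus each `@Config` key, and they are the names that `@KerberosInfo` and `SecurityUtil.login` actually read, so if either side is edited alone the RPC server principal and the SCM login would resolve a key nobody sets; a class comment stating that the two must match, or a test asserting that `conf.getObject(ScmConfig.class).getKerberosPrincipal()` equals `conf.get(ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY)`, would catch that. Since the patch is a checkstyle tidy-up, `"login as "+` in the keytab description also wants a space before the operator.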
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocol/StorageContainerLocationProtocol.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocol/StorageContainerLocationProtocol.java
index 4d25916185b5..e6d71ede7b51 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocol/StorageContainerLocationProtocol.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/protocol/StorageContainerLocationProtocol.java
@@ -35,7 +35,8 @@
 * ContainerLocationProtocol is used by an HDFS node to find the set of nodes
 * that currently host a container.
 */
-@KerberosInfo(serverPrincipal = ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY)
+@KerberosInfo(serverPrincipal = ScmConfig.ConfigStrings
+ .HDDS_SCM_KERBEROS_PRINCIPAL_KEY)
 public interface StorageContainerLocationProtocol extends Closeable {
 @SuppressWarnings("checkstyle:ConstantName")
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMHTTPServerConfig.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMHTTPServerConfig.java
index 03f057b47e5b..c3cfcadc9c3c 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMHTTPServerConfig.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMHTTPServerConfig.java
@@ -26,6 +26,9 @@
 import org.apache.hadoop.hdds.conf.ConfigTag;
 import org.apache.hadoop.hdds.conf.ConfigType;
+/**
+ * SCM HTTP Server configuration in Java style configuration class.
+ */
 @ConfigGroup(prefix = "hdds.scm.http")
 public class SCMHTTPServerConfig {
@@ -37,27 +40,43 @@ public class SCMHTTPServerConfig {
 defaultValue = "",
 tags = { ConfigTag.SECURITY },
 description = "This Kerberos principal is used when communicating to " +
- "the HTTP server of SCM.The protocol used is SPNEGO."
+ "the HTTP server of SCM.The protocol used is SPNEGO."
 )
- public void setKerberosPrincipal(String kerberosPrincipal) { this.principal = kerberosPrincipal; }
+ public void setKerberosPrincipal(String kerberosPrincipal) {
+ this.principal = kerberosPrincipal;
+ }
 @Config(key = "kerberos.keytab",
 type = ConfigType.STRING,
 defaultValue = "",
 tags = { ConfigTag.SECURITY },
- description = "The keytab file used by SCM http server to login as its service principal."
+ description = "The keytab file used by SCM http server to login" +
+ " as its service principal."
 )
- public void setKerberosKeytab(String kerberosKeytab) { this.keytab = kerberosKeytab; }
+ public void setKerberosKeytab(String kerberosKeytab) {
+ this.keytab = kerberosKeytab;
+ }
- public String getKerberosPrincipal() { return this.principal; }
+ public String getKerberosPrincipal() {
+ return this.principal;
+ }
+
+ public String getKerberosKeytab() {
+ return this.keytab;
+ }
- public String getKerberosKeytab() { return this.keytab; }
+ /**
+ * This static class is required to support other classes
+ * that reference the key names and also require attributes.
+ * Example: SCMSecurityProtocol where the KerberosInfo references
+ * the old configuration with the annotation shown below:-
+ * @KerberosInfo(serverPrincipal =
+ * ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY)
+ */
 public static class ConfigStrings {
- /* required for SCMSecurityProtocol where the KerberosInfo references the old configuration with
- * the annotation shown below:-
- * @KerberosInfo(serverPrincipal = ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY)
- */
- public static final String HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY = "hdds.scm.http.kerberos.principal";
- public static final String HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY = "hdds.scm.http.kerberos.keytab";
+ public static final String HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY =
+ "hdds.scm.http.kerberos.principal";
+ public static final String HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY =
+ "hdds.scm.http.kerberos.keytab";
 }
 }
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
index 48faeaf5170f..21127f4daec0 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
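Review bot: The re-indented description line still reads `"the HTTP server of SCM.The protocol used is SPNEGO."`, missing the space after the period; since the line is rewritten anyway, make it `"the HTTP server of SCM. The protocol used is SPNEGO."`. The ConfigStrings Javadoc here is copied from ScmConfig and talks about SCMSecurityProtocol and `ScmConfigKeys.HDDS_SCM_KERBEROS_PRINCIPAL_KEY`, but the constants it documents are the HTTP ones, whose readers in this series are `getKeytabFile()`/`getSpnegoPrincipal()` in StorageContainerManagerHttpServer and the secure-cluster test; the example should name `HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY` and those callers. The keytab key is `kerberos.keytab` here but `kerberos.keytab.file` in ScmConfig while both constants are called `..._KEYTAB_FILE_KEY`; that keeps the pre-existing `hdds.scm.http.kerberos.keytab` name, so a one-line comment saying the asymmetry is deliberate would stop someone "fixing" it and breaking deployed configs. The hunk opens inside the principal `@Config` annotation, whose first lines and the class header lie outside it.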
@@ -505,8 +505,10 @@ private void loginAsSCMUser(Configuration conf)
 UserGroupInformation.setConfiguration(conf);
 InetSocketAddress socAddr = HddsServerUtil .getScmBlockClientBindAddress(conf);
- SecurityUtil.login(conf, ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY,
- ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY, socAddr.getHostName());
+ SecurityUtil.login(conf,
+ ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY,
+ ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY,
+ socAddr.getHostName());
 } else {
 throw new AuthenticationException(SecurityUtil.getAuthenticationMethod( conf) + " authentication method not support. "
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManagerHttpServer.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManagerHttpServer.java
index c9c6c5d462e0..b04267ae6f88 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManagerHttpServer.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManagerHttpServer.java
@@ -62,11 +62,13 @@ public StorageContainerManagerHttpServer(Configuration conf)
 }
 @Override
 protected String getKeytabFile() {
- return SCMHTTPServerConfig.ConfigStrings.HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY;
+ return SCMHTTPServerConfig.ConfigStrings
+ .HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY;
 }
 @Override
 protected String getSpnegoPrincipal() {
- return SCMHTTPServerConfig.ConfigStrings.HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY;
+ return SCMHTTPServerConfig.ConfigStrings
+ .HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY;
 }
 @Override
 protected String getEnabledKey() {
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
index 1b59b01cbb9d..7163bb10881c 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
@@ -207,8 +207,10 @@ public void stop() {
 private void createCredentialsInKDC(Configuration configuration, MiniKdc kdc) throws Exception {
- OzoneConfiguration ozoneConfiguration = new OzoneConfiguration(configuration);
- SCMHTTPServerConfig httpServerConfig = ozoneConfiguration.getObject(SCMHTTPServerConfig.class);
+ OzoneConfiguration ozoneConfiguration =
+ new OzoneConfiguration(configuration);
+ SCMHTTPServerConfig httpServerConfig =
+ ozoneConfiguration.getObject(SCMHTTPServerConfig.class);
 createPrincipal(scmKeytab, httpServerConfig.getKerberosPrincipal());
 createPrincipal(spnegoKeytab,
@@ -236,7 +238,8 @@ private void stopMiniKdc() {
 }
 private void setSecureConfig(Configuration configuration) throws IOException {
- SCMHTTPServerConfig httpServerConfig = conf.getObject(SCMHTTPServerConfig.class);
+ SCMHTTPServerConfig httpServerConfig =
+ conf.getObject(SCMHTTPServerConfig.class);
 ScmConfig scmConfig = conf.getObject(ScmConfig.class);
 configuration.setBoolean(OZONE_SECURITY_ENABLED_KEY, true);
 host = InetAddress.getLocalHost().getCanonicalHostName()
@@ -251,7 +254,8 @@ private void setSecureConfig(Configuration configuration) throws IOException {
 configuration.set(ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY, "scm/" + host + "@" + realm);
- configuration.set(SCMHTTPServerConfig.ConfigStrings.HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY,
+ configuration.set(SCMHTTPServerConfig.ConfigStrings
+ .HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY,
 "HTTP_SCM/" + host + "@" + realm);
 configuration.set(OMConfigKeys.OZONE_OM_KERBEROS_PRINCIPAL_KEY,
@@ -268,7 +272,8 @@ private void setSecureConfig(Configuration configuration) throws IOException {
 configuration.set(ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY, scmKeytab.getAbsolutePath());
 configuration.set(
- SCMHTTPServerConfig.ConfigStrings.HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY,
+ SCMHTTPServerConfig.ConfigStrings
+ .HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY,
 spnegoKeytab.getAbsolutePath());
 configuration.set(OMConfigKeys.OZONE_OM_KERBEROS_KEYTAB_FILE_KEY, omKeyTab.getAbsolutePath());
From 41199b867e7f6f5f545f8c3a6ee52026ab3b07a4 Mon Sep 17 00:00:00 2001
From: Chris Teoh
Date: Tue, 5 Nov 2019 08:53:47 +1100
Subject: [PATCH 5/5] Removed refactored configurations out of ozone-default.xml and added some more ConfigTags to the configurations
---
 .../org/apache/hadoop/hdds/scm/ScmConfig.java | 4 +-
 .../src/main/resources/ozone-default.xml | 26 -------------------
 2 files changed, 2 insertions(+), 28 deletions(-)
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfig.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfig.java
index 65c73aa59383..3efa6cfe485f 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfig.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/scm/ScmConfig.java
@@ -33,7 +33,7 @@ public class ScmConfig {
 @Config(key = "kerberos.principal",
 type = ConfigType.STRING,
 defaultValue = "",
- tags = { ConfigTag.SECURITY },
+ tags = { ConfigTag.SECURITY, ConfigTag.OZONE },
 description = "This Kerberos principal is used by the SCM service."
 )
 public void setKerberosPrincipal(String kerberosPrincipal) {
@@ -43,7 +43,7 @@ public void setKerberosPrincipal(String kerberosPrincipal) {
 @Config(key = "kerberos.keytab.file",
 type = ConfigType.STRING,
 defaultValue = "",
- tags = { ConfigTag.SECURITY },
+ tags = { ConfigTag.SECURITY, ConfigTag.OZONE },
 description = "The keytab file used by SCM daemon to login as "+
 "its service principal."
 )
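Review bot: Only ScmConfig gains `ConfigTag.OZONE` in these two hunks; the matching `kerberos.principal` and `kerberos.keytab` entries in SCMHTTPServerConfig keep `{ ConfigTag.SECURITY }` alone (see patch 4/5), so either tag them the same way or note why the HTTP settings differ. The ozone-default.xml entries removed in the next file carried two things the `@Config` descriptions shown as context here do not: the `scm/_HOST@REALM.COM` example and the statement that the keytab is used with the principal configured by `hdds.scm.kerberos.principal`. If the annotation descriptions are now the only source for the generated documentation, fold that back in, e.g. `description = "The SCM service principal, e.g. scm/_HOST@REALM.COM; _HOST is replaced with the SCM host name at login."` for the principal and a reference to `hdds.scm.kerberos.principal` in the keytab text. That `_HOST` is substituted follows from the host name StorageContainerManager passes to `SecurityUtil.login` in patch 4/5, but the exact rule lives in Hadoop's SecurityUtil and is not visible here.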
diff --git a/hadoop-hdds/common/src/main/resources/ozone-default.xml b/hadoop-hdds/common/src/main/resources/ozone-default.xml
index 331f489a0dd0..3fe51972675f 100644
--- a/hadoop-hdds/common/src/main/resources/ozone-default.xml
+++ b/hadoop-hdds/common/src/main/resources/ozone-default.xml
@@ -1741,22 +1741,6 @@
 OZONE, SECURITY, ACL Key to enable/disable ozone acls.
-
- hdds.scm.kerberos.keytab.file
-
- OZONE, SECURITY
- The keytab file used by each SCM daemon to login as its
- service principal. The principal name is configured with
- hdds.scm.kerberos.principal.
-
-
-
- hdds.scm.kerberos.principal
-
- OZONE, SECURITY
- The SCM service principal. Ex scm/_HOST@REALM.COM
-
-
 ozone.om.kerberos.keytab.file
@@ -1772,16 +1756,6 @@
 OZONE, SECURITY The OzoneManager service principal. Ex om/_HOST@REALM.COM
-
-
- hdds.scm.http.kerberos.principal
- HTTP/_HOST@EXAMPLE.COM
-
-
- hdds.scm.http.kerberos.keytab
- /etc/security/keytabs/HTTP.keytab
-
-
 ozone.om.http.kerberos.principal HTTP/_HOST@EXAMPLE.COM