diff --git a/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientGrpc.java b/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientGrpc.java
index f178a7c7dea4..4d6c4ccfd34e 100644
--- a/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientGrpc.java
+++ b/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientGrpc.java
@@ -45,8 +45,8 @@
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.scm.client.HddsClientUtils;
import org.apache.hadoop.hdds.scm.pipeline.Pipeline;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.tracing.GrpcClientInterceptor;
import org.apache.hadoop.hdds.tracing.TracingUtil;
import org.apache.hadoop.ozone.OzoneConfigKeys;
diff --git a/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientRatis.java b/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientRatis.java
index 58492c10d127..cdcf2b39417d 100644
--- a/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientRatis.java
+++ b/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientRatis.java
@@ -46,7 +46,7 @@
import org.apache.hadoop.hdds.ratis.RatisHelper;
import org.apache.hadoop.hdds.scm.client.HddsClientUtils;
import org.apache.hadoop.hdds.scm.pipeline.Pipeline;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.tracing.TracingUtil;
import com.google.common.annotations.VisibleForTesting;
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/ratis/RatisHelper.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/ratis/RatisHelper.java
index d26e48ea9295..a3aff9b80b19 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/ratis/RatisHelper.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/ratis/RatisHelper.java
@@ -39,7 +39,7 @@
import org.apache.hadoop.hdds.ratis.retrypolicy.RetryPolicyCreator;
import org.apache.hadoop.hdds.scm.ScmConfigKeys;
import org.apache.hadoop.hdds.scm.pipeline.Pipeline;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdfs.DFSConfigKeys;
import org.apache.ratis.RaftConfigKeys;
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/SecurityConfig.java
similarity index 85%
rename from hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java
rename to hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/SecurityConfig.java
index 46d01b18c69c..543d59348c3e 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/SecurityConfig.java
@@ -17,7 +17,7 @@
*
*/
-package org.apache.hadoop.hdds.security.x509;
+package org.apache.hadoop.hdds.security;
import java.nio.file.Path;
import java.nio.file.Paths;
@@ -29,9 +29,13 @@
import java.util.regex.Pattern;
import org.apache.hadoop.hdds.conf.ConfigurationSource;
-import org.apache.hadoop.ozone.OzoneConfigKeys;
import com.google.common.base.Preconditions;
+import org.apache.hadoop.hdds.HddsConfigKeys;
+import org.apache.ratis.thirdparty.io.netty.handler.ssl.SslProvider;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_BLOCK_TOKEN_ENABLED;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_BLOCK_TOKEN_ENABLED_DEFAULT;
@@ -84,22 +88,17 @@
import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_DEFAULT;
import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY;
-import org.apache.ratis.thirdparty.io.netty.handler.ssl.SslProvider;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
/**
* A class that deals with all Security related configs in HDDS.
*
* This class allows security configs to be read and used consistently across
- * all of security related code base.
+ * all security related code base.
*/
public class SecurityConfig {
private static final Logger LOG =
LoggerFactory.getLogger(SecurityConfig.class);
private static volatile Provider provider;
- private final ConfigurationSource configuration;
private final int size;
private final String keyAlgo;
private final String providerString;
@@ -110,6 +109,8 @@ public class SecurityConfig {
private final Duration maxCertDuration;
private final String x509SignatureAlgo;
private final boolean blockTokenEnabled;
+ private final long blockTokenExpiryDurationMs;
+ private final boolean tokenSanityChecksEnabled;
private final boolean containerTokenEnabled;
private final String certificateDir;
private final String certificateFileName;
@@ -118,7 +119,7 @@ public class SecurityConfig {
private final Duration renewalGracePeriod;
private final boolean isSecurityEnabled;
private final String crlName;
- private boolean grpcTlsUseTestCert;
+ private final boolean grpcTlsUseTestCert;
private final String externalRootCaPublicKeyPath;
private final String externalRootCaPrivateKeyPath;
private final String externalRootCaCert;
@@ -126,6 +127,7 @@ public class SecurityConfig {
private final String caRotationTimeOfDay;
private final Pattern caRotationTimeOfDayPattern =
Pattern.compile("\\d{2}:\\d{2}:\\d{2}");
+ private final SslProvider grpcSSLProvider;
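Review bot: The new field name `grpcSSLProvider` breaks the acronym-as-word convention the rest of this class and its own getter follow (`getGrpcSslProvider`, `grpcTlsEnabled`, `grpcTlsUseTestCert`). Renaming it to `private final SslProvider grpcSslProvider;` keeps the field and accessor consistent; the two other uses are the assignment in the constructor and the getter body.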
/**
* Constructs a SecurityConfig.
@@ -134,58 +136,67 @@ public class SecurityConfig {
*/
public SecurityConfig(ConfigurationSource configuration) {
Preconditions.checkNotNull(configuration, "Configuration cannot be null");
- this.configuration = configuration;
- this.size = this.configuration.getInt(HDDS_KEY_LEN, HDDS_DEFAULT_KEY_LEN);
- this.keyAlgo = this.configuration.get(HDDS_KEY_ALGORITHM,
+ this.size = configuration.getInt(HDDS_KEY_LEN, HDDS_DEFAULT_KEY_LEN);
+ this.keyAlgo = configuration.get(HDDS_KEY_ALGORITHM,
HDDS_DEFAULT_KEY_ALGORITHM);
- this.providerString = this.configuration.get(HDDS_SECURITY_PROVIDER,
+ this.providerString = configuration.get(HDDS_SECURITY_PROVIDER,
HDDS_DEFAULT_SECURITY_PROVIDER);
// Please Note: To make it easy for our customers we will attempt to read
// HDDS metadata dir and if that is not set, we will use Ozone directory.
- this.metadataDir = this.configuration.get(HDDS_METADATA_DIR_NAME,
+ this.metadataDir = configuration.get(HDDS_METADATA_DIR_NAME,
configuration.get(OZONE_METADATA_DIRS));
- this.keyDir = this.configuration.get(HDDS_KEY_DIR_NAME,
+ this.keyDir = configuration.get(HDDS_KEY_DIR_NAME,
HDDS_KEY_DIR_NAME_DEFAULT);
- this.privateKeyFileName = this.configuration.get(HDDS_PRIVATE_KEY_FILE_NAME,
+ this.privateKeyFileName = configuration.get(HDDS_PRIVATE_KEY_FILE_NAME,
HDDS_PRIVATE_KEY_FILE_NAME_DEFAULT);
- this.publicKeyFileName = this.configuration.get(HDDS_PUBLIC_KEY_FILE_NAME,
+ this.publicKeyFileName = configuration.get(HDDS_PUBLIC_KEY_FILE_NAME,
HDDS_PUBLIC_KEY_FILE_NAME_DEFAULT);
- String durationString = this.configuration.get(HDDS_X509_MAX_DURATION,
+ String durationString = configuration.get(HDDS_X509_MAX_DURATION,
HDDS_X509_MAX_DURATION_DEFAULT);
this.maxCertDuration = Duration.parse(durationString);
- this.x509SignatureAlgo = this.configuration.get(HDDS_X509_SIGNATURE_ALGO,
+ this.x509SignatureAlgo = configuration.get(HDDS_X509_SIGNATURE_ALGO,
HDDS_X509_SIGNATURE_ALGO_DEFAULT);
- this.certificateDir = this.configuration.get(HDDS_X509_DIR_NAME,
+ this.certificateDir = configuration.get(HDDS_X509_DIR_NAME,
HDDS_X509_DIR_NAME_DEFAULT);
- this.certificateFileName = this.configuration.get(HDDS_X509_FILE_NAME,
+ this.certificateFileName = configuration.get(HDDS_X509_FILE_NAME,
HDDS_X509_FILE_NAME_DEFAULT);
- this.blockTokenEnabled = this.configuration.getBoolean(
+ this.blockTokenEnabled = configuration.getBoolean(
HDDS_BLOCK_TOKEN_ENABLED,
HDDS_BLOCK_TOKEN_ENABLED_DEFAULT);
- this.containerTokenEnabled = this.configuration.getBoolean(
+ this.blockTokenExpiryDurationMs = configuration.getTimeDuration(
+ HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME,
+ HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME_DEFAULT,
+ TimeUnit.MILLISECONDS);
+ tokenSanityChecksEnabled = configuration.getBoolean(
+ HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED,
+ HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED_DEFAULT);
+
+ this.containerTokenEnabled = configuration.getBoolean(
HDDS_CONTAINER_TOKEN_ENABLED,
HDDS_CONTAINER_TOKEN_ENABLED_DEFAULT);
- this.grpcTlsEnabled = this.configuration.getBoolean(HDDS_GRPC_TLS_ENABLED,
+ this.grpcTlsEnabled = configuration.getBoolean(HDDS_GRPC_TLS_ENABLED,
HDDS_GRPC_TLS_ENABLED_DEFAULT);
if (grpcTlsEnabled) {
- this.grpcTlsUseTestCert = this.configuration.getBoolean(
+ this.grpcTlsUseTestCert = configuration.getBoolean(
HDDS_GRPC_TLS_TEST_CERT, HDDS_GRPC_TLS_TEST_CERT_DEFAULT);
+ } else {
+ this.grpcTlsUseTestCert = false;
}
- this.isSecurityEnabled = this.configuration.getBoolean(
+ this.isSecurityEnabled = configuration.getBoolean(
OZONE_SECURITY_ENABLED_KEY,
OZONE_SECURITY_ENABLED_DEFAULT);
String certDurationString =
- this.configuration.get(HDDS_X509_DEFAULT_DURATION,
+ configuration.get(HDDS_X509_DEFAULT_DURATION,
HDDS_X509_DEFAULT_DURATION_DEFAULT);
defaultCertDuration = Duration.parse(certDurationString);
- String renewalGraceDurationString = this.configuration.get(
+ String renewalGraceDurationString = configuration.get(
HDDS_X509_RENEW_GRACE_DURATION,
HDDS_X509_RENEW_GRACE_DURATION_DEFAULT);
renewalGracePeriod = Duration.parse(renewalGraceDurationString);
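Review bot: The assignment `tokenSanityChecksEnabled = configuration.getBoolean(` is the only new field initialisation in this constructor without the `this.` prefix that every neighbouring assignment uses (`this.blockTokenExpiryDurationMs = ...` just above it). For consistency write `this.tokenSanityChecksEnabled = configuration.getBoolean(`. The constructor continues beyond this hunk.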
@@ -209,19 +220,23 @@ public SecurityConfig(ConfigurationSource configuration) {
validateCertificateValidityConfig();
- this.externalRootCaCert = this.configuration.get(
+ this.externalRootCaCert = configuration.get(
HDDS_X509_ROOTCA_CERTIFICATE_FILE,
HDDS_X509_ROOTCA_CERTIFICATE_FILE_DEFAULT);
- this.externalRootCaPublicKeyPath = this.configuration.get(
+ this.externalRootCaPublicKeyPath = configuration.get(
HDDS_X509_ROOTCA_PUBLIC_KEY_FILE,
HDDS_X509_ROOTCA_PUBLIC_KEY_FILE_DEFAULT);
- this.externalRootCaPrivateKeyPath = this.configuration.get(
+ this.externalRootCaPrivateKeyPath = configuration.get(
HDDS_X509_ROOTCA_PRIVATE_KEY_FILE,
HDDS_X509_ROOTCA_PRIVATE_KEY_FILE_DEFAULT);
- this.crlName = this.configuration.get(HDDS_X509_CRL_NAME,
+ this.crlName = configuration.get(HDDS_X509_CRL_NAME,
HDDS_X509_CRL_NAME_DEFAULT);
+ this.grpcSSLProvider = SslProvider.valueOf(
+ configuration.get(HDDS_GRPC_TLS_PROVIDER,
+ HDDS_GRPC_TLS_PROVIDER_DEFAULT));
+
// First Startup -- if the provider is null, check for the provider.
if (SecurityConfig.provider == null) {
synchronized (SecurityConfig.class) {
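Review bot: Moving `SslProvider.valueOf(...)` into the constructor means any unrecognised value for `HDDS_GRPC_TLS_PROVIDER` now fails construction of every `SecurityConfig`, whereas before it only failed when `getGrpcSslProvider()` was called; the `IllegalArgumentException` thrown by `valueOf` also names only the enum constant, not the configuration key the operator has to fix. Since the constructor already validates other settings with descriptive `IllegalArgumentException`s (see `validateCertificateValidityConfig()`), it would be consistent to catch the enum failure and rethrow with the key and offending value. The enclosing constructor starts before and ends after this hunk.
```java
    String grpcTlsProviderName = configuration.get(HDDS_GRPC_TLS_PROVIDER,
        HDDS_GRPC_TLS_PROVIDER_DEFAULT);
    try {
      this.grpcSSLProvider = SslProvider.valueOf(grpcTlsProviderName);
    } catch (IllegalArgumentException e) {
      throw new IllegalArgumentException("Invalid value '" + grpcTlsProviderName
          + "' for " + HDDS_GRPC_TLS_PROVIDER, e);
    }
    // … unchanged: provider initialisation …
```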
@@ -277,6 +292,14 @@ private void validateCertificateValidityConfig() {
HDDS_X509_CA_ROTATION_CHECK_INTERNAL +
" should be smaller than " + HDDS_X509_RENEW_GRACE_DURATION);
}
+
+ if (tokenSanityChecksEnabled
+ && blockTokenExpiryDurationMs > renewalGracePeriod.toMillis()) {
+ throw new IllegalArgumentException(" Certificate grace period " +
+ HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION +
+ " should be greater than maximum block/container token lifetime " +
+ HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME);
+ }
}
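Review bot: The new exception message begins with a stray space, `" Certificate grace period "`, which looks like a typo next to the message on the preceding branch; change it to `throw new IllegalArgumentException("Certificate grace period " +`. The message also claims the grace period is compared against the "maximum block/container token lifetime", but the condition only reads `blockTokenExpiryDurationMs`, which comes from `HDDS_BLOCK_TOKEN_EXPIRY_TIME`; if container tokens are governed by a different setting, the message overstates what is checked, so either compare both or reword the message. `validateCertificateValidityConfig()` starts outside this hunk.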
/**
@@ -415,15 +438,6 @@ public String getSignatureAlgo() {
return x509SignatureAlgo;
}
- /**
- * Returns the Configuration used for initializing this SecurityConfig.
- *
- * @return Configuration
- */
- public ConfigurationSource getConfiguration() {
- return configuration;
- }
-
/**
* Returns the maximum length a certificate can be valid in SCM. The default
* value is 5 years. This can be changed by setting "hdds.x509.max.duration"
@@ -445,6 +459,10 @@ public boolean isBlockTokenEnabled() {
return this.blockTokenEnabled;
}
+ public long getBlockTokenExpiryDurationMs() {
+ return blockTokenExpiryDurationMs;
+ }
+
/**
* Whether to require short-lived tokens for container operations.
*/
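Review bot: `getBlockTokenExpiryDurationMs()` is the only accessor in this stretch without a Javadoc comment, while `isBlockTokenEnabled()` above and the container-token accessor below both carry one. Add `/** Returns the configured block token lifetime (from {@code HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME}) in milliseconds. */` above the method so callers know the unit without reading the constructor.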
@@ -467,8 +485,7 @@ public boolean isGrpcTlsEnabled() {
* @return the gRPC TLS Provider.
*/
public SslProvider getGrpcSslProvider() {
- return SslProvider.valueOf(configuration.get(HDDS_GRPC_TLS_PROVIDER,
- HDDS_GRPC_TLS_PROVIDER_DEFAULT));
+ return grpcSSLProvider;
}
public String getExternalRootCaPrivateKeyPath() {
@@ -509,24 +526,12 @@ public boolean useTestCert() {
* @param providerName - name of the provider.
*/
private Provider initSecurityProvider(String providerName) {
- switch (providerName) {
- case "BC":
+ if ("BC".equals(providerName)) {
Security.addProvider(new BouncyCastleProvider());
return Security.getProvider(providerName);
- default:
- LOG.error("Security Provider:{} is unknown", provider);
- throw new SecurityException("Unknown security provider:" + provider);
}
- }
-
- /**
- * Returns max date for which S3 auth info objects will be valid.
- */
- public long getS3AuthInfoMaxDate() {
- return getConfiguration().getTimeDuration(
- OzoneConfigKeys.OZONE_S3_AUTHINFO_MAX_LIFETIME_KEY,
- OzoneConfigKeys.OZONE_S3_AUTHINFO_MAX_LIFETIME_KEY_DEFAULT,
- TimeUnit.MICROSECONDS);
+ LOG.error("Security Provider:{} is unknown", provider);
+ throw new SecurityException("Unknown security provider:" + provider);
}
public boolean isTokenEnabled() {
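Review bot: The rewritten fallthrough in `initSecurityProvider` still logs and reports the static field `provider` rather than the `providerName` parameter that was actually rejected, so on the first-startup path (where `provider` is still null, per the comment at the call site) the operator sees `Security Provider:null is unknown` instead of the misconfigured name. Change the two lines to `LOG.error("Security Provider:{} is unknown", providerName);` and `throw new SecurityException("Unknown security provider:" + providerName);`. This is pre-existing, but the hunk rewrites exactly these lines, so it is the natural place to fix it.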
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/OzoneSecurityException.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/exception/OzoneSecurityException.java
similarity index 98%
rename from hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/OzoneSecurityException.java
rename to hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/exception/OzoneSecurityException.java
index a7d9718d4b39..ccde7f66f341 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/OzoneSecurityException.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/exception/OzoneSecurityException.java
@@ -15,7 +15,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package org.apache.hadoop.hdds.security;
+package org.apache.hadoop.hdds.security.exception;
import java.io.IOException;
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/package-info.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/package-info.java
new file mode 100644
index 000000000000..f4b53a4a638c
--- /dev/null
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/package-info.java
@@ -0,0 +1,22 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Security-related classes for HDDS.
+ */
+package org.apache.hadoop.hdds.security;
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/KeyStoresFactory.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/ssl/KeyStoresFactory.java
similarity index 100%
rename from hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/KeyStoresFactory.java
rename to hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/ssl/KeyStoresFactory.java
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/PemFileBasedKeyStoresFactory.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/ssl/PemFileBasedKeyStoresFactory.java
similarity index 93%
rename from hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/PemFileBasedKeyStoresFactory.java
rename to hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/ssl/PemFileBasedKeyStoresFactory.java
index a37f143de828..25bec2145f02 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/PemFileBasedKeyStoresFactory.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/ssl/PemFileBasedKeyStoresFactory.java
@@ -17,10 +17,9 @@
*/
package org.apache.hadoop.hdds.security.ssl;
-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import org.apache.hadoop.hdds.annotation.InterfaceAudience;
import org.apache.hadoop.hdds.annotation.InterfaceStability;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateNotification;
import org.slf4j.Logger;
@@ -135,19 +134,21 @@ public synchronized void destroy() {
/**
* Returns the keymanagers for owned certificates.
*/
- @SuppressFBWarnings("EI_EXPOSE_REP")
@Override
public synchronized KeyManager[] getKeyManagers() {
- return keyManagers;
+ KeyManager[] copy = new KeyManager[keyManagers.length];
+ System.arraycopy(keyManagers, 0, copy, 0, keyManagers.length);
+ return copy;
}
/**
* Returns the trustmanagers for trusted certificates.
*/
- @SuppressFBWarnings("EI_EXPOSE_REP")
@Override
public synchronized TrustManager[] getTrustManagers() {
- return trustManagers;
+ TrustManager[] copy = new TrustManager[trustManagers.length];
+ System.arraycopy(trustManagers, 0, copy, 0, trustManagers.length);
+ return copy;
}
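Review bot: The manual `new KeyManager[...]` plus `System.arraycopy` in `getKeyManagers()` and `getTrustManagers()` is the verbose form of `return keyManagers.clone();` and `return trustManagers.clone();`, which produce the same shallow copy and make the intent (defensive copy to satisfy the removed `EI_EXPOSE_REP` suppression) clearer. Note that the copy protects only the array, not the manager instances inside it, which callers can still use as before. If `destroy()` (whose header appears in the hunk context) nulls these fields, the new code would throw `NullPointerException` where the old code returned `null`; worth confirming and, if so, guarding with a null check or documenting the post-destroy contract.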
@Override
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/ReloadingX509KeyManager.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/ssl/ReloadingX509KeyManager.java
similarity index 100%
rename from hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/ReloadingX509KeyManager.java
rename to hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/ssl/ReloadingX509KeyManager.java
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/ReloadingX509TrustManager.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/ssl/ReloadingX509TrustManager.java
similarity index 100%
rename from hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/ReloadingX509TrustManager.java
rename to hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/ssl/ReloadingX509TrustManager.java
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/package-info.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/ssl/package-info.java
similarity index 100%
rename from hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/package-info.java
rename to hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/ssl/package-info.java
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CAType.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CAType.java
similarity index 100%
rename from hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CAType.java
rename to hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CAType.java
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/package-info.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/package-info.java
new file mode 100644
index 000000000000..b8ba02b863b4
--- /dev/null
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/package-info.java
@@ -0,0 +1,22 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+/**
+ * Classes related to Certificate Life Cycle or Certificate Authority Server.
+ */
+package org.apache.hadoop.hdds.security.x509.certificate.authority;
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClient.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClient.java
similarity index 97%
rename from hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClient.java
rename to hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClient.java
index 29b0f999fe4d..12a47712c5bb 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClient.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClient.java
@@ -19,7 +19,7 @@
package org.apache.hadoop.hdds.security.x509.certificate.client;
-import org.apache.hadoop.hdds.security.OzoneSecurityException;
+import org.apache.hadoop.hdds.security.exception.OzoneSecurityException;
import org.apache.hadoop.hdds.security.ssl.KeyStoresFactory;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CAType;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest;
@@ -36,7 +36,7 @@
import java.util.Objects;
import java.util.Set;
-import static org.apache.hadoop.hdds.security.OzoneSecurityException.ResultCodes.OM_PUBLIC_PRIVATE_KEY_FILE_NOT_EXIST;
+import static org.apache.hadoop.hdds.security.exception.OzoneSecurityException.ResultCodes.OM_PUBLIC_PRIVATE_KEY_FILE_NOT_EXIST;
/**
* Certificate client provides and interface to certificate operations that
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateNotification.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateNotification.java
similarity index 100%
rename from hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateNotification.java
rename to hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateNotification.java
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/package-info.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/package-info.java
similarity index 87%
rename from hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/package-info.java
rename to hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/package-info.java
index 752df0ae28b9..6f67b5723659 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/package-info.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/package-info.java
@@ -17,6 +17,6 @@
*
*/
/**
- * Certificate Utils.
+ * Classes related to creating and using certificates.
*/
-package org.apache.hadoop.hdds.security.x509.certificate.utils;
+package org.apache.hadoop.hdds.security.x509.certificate.client;
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateCodec.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateCodec.java
index d02cc8d1a2b3..6c7bb5389adf 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateCodec.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateCodec.java
@@ -20,8 +20,8 @@
package org.apache.hadoop.hdds.security.x509.certificate.utils;
import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory;
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateSignRequest.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateSignRequest.java
similarity index 98%
rename from hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateSignRequest.java
rename to hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateSignRequest.java
index 9a47a5c69eb2..547c51019e15 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateSignRequest.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateSignRequest.java
@@ -29,9 +29,8 @@
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.validator.routines.DomainValidator;
-import org.apache.hadoop.hdds.conf.ConfigurationSource;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.exception.CertificateException;
import com.google.common.base.Preconditions;
@@ -206,8 +205,8 @@ public static class Builder {
private boolean digitalEncryption;
public CertificateSignRequest.Builder setConfiguration(
- ConfigurationSource configuration) {
- this.config = new SecurityConfig(configuration);
+ SecurityConfig configuration) {
+ this.config = configuration;
return this;
}
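Review bot: `setConfiguration(SecurityConfig configuration)` now takes an already-built `SecurityConfig`, so the parameter name `configuration` (and the method name) no longer describe what is passed in; `setConfiguration(SecurityConfig securityConfig)` with `this.config = securityConfig;` reads correctly, and the same applies to `SelfSignedCertificate.Builder.setConfiguration` in the later hunk of this commit. Since the builder previously could not receive a null `SecurityConfig` (it constructed one itself), a `Preconditions.checkNotNull(securityConfig, "securityConfig")` here would fail fast instead of deferring an NPE to `build()`; `Preconditions` is already imported in this file, and presumably also in `SelfSignedCertificate` — confirm.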
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/SelfSignedCertificate.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/SelfSignedCertificate.java
similarity index 97%
rename from hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/SelfSignedCertificate.java
rename to hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/SelfSignedCertificate.java
index 0b036ce787e5..c44e499d4bf4 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/SelfSignedCertificate.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/SelfSignedCertificate.java
@@ -32,9 +32,8 @@
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.validator.routines.DomainValidator;
-import org.apache.hadoop.hdds.conf.ConfigurationSource;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.exception.CertificateException;
import org.apache.hadoop.ozone.OzoneSecurityUtil;
import org.apache.hadoop.util.Time;
@@ -176,8 +175,8 @@ public static class Builder {
private BigInteger caCertSerialId;
private List altNames;
- public Builder setConfiguration(ConfigurationSource configuration) {
- this.config = new SecurityConfig(configuration);
+ public Builder setConfiguration(SecurityConfig configuration) {
+ this.config = configuration;
return this;
}
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/exception/CertificateException.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/exception/CertificateException.java
similarity index 100%
rename from hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/exception/CertificateException.java
rename to hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/exception/CertificateException.java
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/exception/package-info.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/exception/package-info.java
similarity index 100%
rename from hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/exception/package-info.java
rename to hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/exception/package-info.java
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java
index 85bc566902b6..bcfc07e943da 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java
@@ -471,9 +471,6 @@ public final class OzoneConfigKeys {
"ozone.s3g.volume.name";
public static final String OZONE_S3_VOLUME_NAME_DEFAULT =
"s3v";
- public static final String OZONE_S3_AUTHINFO_MAX_LIFETIME_KEY =
- "ozone.s3.token.max.lifetime";
- public static final String OZONE_S3_AUTHINFO_MAX_LIFETIME_KEY_DEFAULT = "3m";
public static final String OZONE_FS_ITERATE_BATCH_SIZE =
"ozone.fs.iterate.batch-size";
diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java
index 01391abccafa..d838839a5714 100644
--- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java
+++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java
@@ -42,9 +42,10 @@
import org.apache.hadoop.hdds.datanode.metadata.DatanodeCRLStoreImpl;
import org.apache.hadoop.hdds.protocol.DatanodeDetails;
import org.apache.hadoop.hdds.protocol.SecretKeyProtocol;
+import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.symmetric.DefaultSecretKeyClient;
import org.apache.hadoop.hdds.security.symmetric.SecretKeyClient;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.client.DNCertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest;
@@ -77,9 +78,11 @@
import static org.apache.hadoop.hdds.protocol.DatanodeDetails.Port.Name.HTTP;
import static org.apache.hadoop.hdds.protocol.DatanodeDetails.Port.Name.HTTPS;
import static org.apache.hadoop.hdds.utils.HddsServerUtil.getRemoteUser;
+import static org.apache.hadoop.hdds.utils.HddsServerUtil.getScmSecurityClientWithMaxRetry;
import static org.apache.hadoop.ozone.OzoneConfigKeys.HDDS_DATANODE_PLUGINS_KEY;
import static org.apache.hadoop.ozone.conf.OzoneServiceConfig.DEFAULT_SHUTDOWN_HOOK_PRIORITY;
import static org.apache.hadoop.ozone.common.Storage.StorageState.INITIALIZED;
+import static org.apache.hadoop.security.UserGroupInformation.getCurrentUser;
import static org.apache.hadoop.util.ExitUtil.terminate;
import org.slf4j.Logger;
@@ -125,7 +128,26 @@ public class HddsDatanodeService extends GenericCli implements ServicePlugin {
//Constructor for DataNode PluginService
public HddsDatanodeService() { }
- public HddsDatanodeService(boolean printBanner, String[] args) {
+ /**
+ * Create a Datanode instance based on the supplied command-line arguments.
+ *
+ * This method is intended for unit tests only. It suppresses the
+ * startup/shutdown message and skips registering Unix signal handlers.
+ *
+ * @param args command line arguments.
+ */
+ @VisibleForTesting
+ public HddsDatanodeService(String[] args) {
+ this(false, args);
+ }
+
+ /**
+ * Create a Datanode instance based on the supplied command-line arguments.
+ *
+ * @param args command line arguments.
+ * @param printBanner if true, then log a verbose startup message.
+ */
+ private HddsDatanodeService(boolean printBanner, String[] args) {
this.printBanner = printBanner;
this.args = args != null ? Arrays.copyOf(args, args.length) : null;
}
@@ -149,39 +171,12 @@ private void cleanTmpDir() {
}
}
- /**
- * Create a Datanode instance based on the supplied command-line arguments.
- *
- * This method is intended for unit tests only. It suppresses the
- * startup/shutdown message and skips registering Unix signal handlers.
- *
- * @param args command line arguments.
- * @return Datanode instance
- */
- @VisibleForTesting
- public static HddsDatanodeService createHddsDatanodeService(
- String[] args) {
- return createHddsDatanodeService(args, false);
- }
-
- /**
- * Create a Datanode instance based on the supplied command-line arguments.
- *
- * @param args command line arguments.
- * @param printBanner if true, then log a verbose startup message.
- * @return Datanode instance
- */
- private static HddsDatanodeService createHddsDatanodeService(
- String[] args, boolean printBanner) {
- return new HddsDatanodeService(printBanner, args);
- }
-
public static void main(String[] args) {
try {
OzoneNetUtils.disableJvmNetworkAddressCacheIfRequired(
new OzoneConfiguration());
HddsDatanodeService hddsDatanodeService =
- createHddsDatanodeService(args, true);
+ new HddsDatanodeService(true, args);
hddsDatanodeService.run(args);
} catch (Throwable e) {
LOG.error("Exception in HddsDatanodeService.", e);
@@ -263,17 +258,13 @@ public void start() {
// Authenticate Hdds Datanode service if security is enabled
if (OzoneSecurityUtil.isSecurityEnabled(conf)) {
component = "dn-" + datanodeDetails.getUuidString();
-
secConf = new SecurityConfig(conf);
- dnCertClient = new DNCertificateClient(secConf, datanodeDetails,
- datanodeDetails.getCertSerialId(), this::saveNewCertId,
- this::terminateDatanode);
if (SecurityUtil.getAuthenticationMethod(conf).equals(
UserGroupInformation.AuthenticationMethod.KERBEROS)) {
LOG.info("Ozone security is enabled. Attempting login for Hdds " +
"Datanode user. Principal: {},keytab: {}", conf.get(
- DFSConfigKeysLegacy.DFS_DATANODE_KERBEROS_PRINCIPAL_KEY),
+ DFSConfigKeysLegacy.DFS_DATANODE_KERBEROS_PRINCIPAL_KEY),
conf.get(
DFSConfigKeysLegacy.DFS_DATANODE_KERBEROS_KEYTAB_FILE_KEY));
@@ -365,6 +356,12 @@ public void start() {
}
}
+ @VisibleForTesting
+ SCMSecurityProtocolClientSideTranslatorPB createScmSecurityClient()
+ throws IOException {
+ return getScmSecurityClientWithMaxRetry(conf, getCurrentUser());
+ }
+
/**
* Initialize and start Ratis server.
*
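Review bot: `createScmSecurityClient()` opens a fresh SCM security client on every call, and `initializeCertificateClient` in the next hunk calls it once for the initial `DNCertificateClient` and again on the REINIT path after `certClient.close()`, so the first client is released only if `DNCertificateClient.close()` also closes the injected SCM client — worth confirming, otherwise the REINIT path leaks an RPC connection. The client also authenticates as whatever `getCurrentUser()` returns at call time, which presumably relies on the Kerberos login in `start()` having already happened, but nothing here states that ordering. A short comment on the method would pin it down, e.g. `// New client per call; must run after the Kerberos login in start() so getCurrentUser() is the DN principal.`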
@@ -398,12 +395,21 @@ public CertificateClient initializeCertificateClient(
CertificateClient certClient) throws IOException {
LOG.info("Initializing secure Datanode.");
+ if (certClient == null) {
+ dnCertClient = new DNCertificateClient(secConf,
+ createScmSecurityClient(),
+ datanodeDetails,
+ datanodeDetails.getCertSerialId(), this::saveNewCertId,
+ this::terminateDatanode);
+ certClient = dnCertClient;
+ }
CertificateClient.InitResponse response = certClient.init();
if (response.equals(CertificateClient.InitResponse.REINIT)) {
certClient.close();
LOG.info("Re-initialize certificate client.");
- certClient = new DNCertificateClient(secConf, datanodeDetails, null,
- this::saveNewCertId, this::terminateDatanode);
+ certClient = new DNCertificateClient(secConf,
+ createScmSecurityClient(),
+ datanodeDetails, null, this::saveNewCertId, this::terminateDatanode);
response = certClient.init();
}
LOG.info("Init response: {}", response);
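Review bot: In the new `certClient == null` branch `dnCertClient` is assigned, but when `init()` then returns REINIT the local `certClient` is replaced by a new `DNCertificateClient` while `dnCertClient` keeps pointing at the instance that was just closed. Unless every caller reassigns the field from the return value (the call site is outside the hunk), later code reading `dnCertClient` would be handed a closed client. Either drop the field assignment from the null branch and leave updating the field to the caller, or add `dnCertClient = certClient;` after the REINIT re-creation so both paths agree. The method's body continues past the end of the hunk.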
diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java
index 1b22f4f3bd6e..f5fcb6eacfaa 100644
--- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java
+++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java
@@ -36,7 +36,7 @@
import org.apache.hadoop.hdds.protocol.proto.StorageContainerDatanodeProtocolProtos.PipelineReport;
import org.apache.hadoop.hdds.scm.container.common.helpers.StorageContainerException;
import org.apache.hadoop.hdds.scm.pipeline.PipelineID;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.tracing.GrpcServerInterceptor;
import org.apache.hadoop.hdds.tracing.TracingUtil;
diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/ratis/XceiverServerRatis.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/ratis/XceiverServerRatis.java
index 768420ea0cfa..e690ab3bc521 100644
--- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/ratis/XceiverServerRatis.java
+++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/ratis/XceiverServerRatis.java
@@ -56,8 +56,8 @@
import org.apache.hadoop.hdds.ratis.ContainerCommandRequestMessage;
import org.apache.hadoop.hdds.ratis.RatisHelper;
import org.apache.hadoop.hdds.scm.pipeline.PipelineID;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.ssl.KeyStoresFactory;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.tracing.TracingUtil;
import org.apache.hadoop.hdds.utils.HddsServerUtil;
diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ec/reconstruction/ECReconstructionCoordinator.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ec/reconstruction/ECReconstructionCoordinator.java
index f454e202761d..e78aa70acd1c 100644
--- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ec/reconstruction/ECReconstructionCoordinator.java
+++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ec/reconstruction/ECReconstructionCoordinator.java
@@ -35,6 +35,7 @@
import org.apache.hadoop.hdds.scm.storage.BufferPool;
import org.apache.hadoop.hdds.scm.storage.ECBlockOutputStream;
import org.apache.hadoop.hdds.security.symmetric.SecretKeySignerClient;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.token.ContainerTokenIdentifier;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.utils.IOUtils;
@@ -100,7 +101,6 @@ public class ECReconstructionCoordinator implements Closeable {
private final ECContainerOperationClient containerOperationClient;
private final ByteBufferPool byteBufferPool;
- private final CertificateClient certificateClient;
private final ExecutorService ecReconstructExecutor;
@@ -118,7 +118,6 @@ public ECReconstructionCoordinator(
this.containerOperationClient = new ECContainerOperationClient(conf,
certificateClient);
this.byteBufferPool = new ElasticByteBufferPool();
- this.certificateClient = certificateClient;
this.ecReconstructExecutor =
new ThreadPoolExecutor(EC_RECONSTRUCT_STRIPE_READ_POOL_MIN_SIZE,
conf.getObject(OzoneClientConfig.class)
@@ -128,7 +127,7 @@ public ECReconstructionCoordinator(
new ThreadPoolExecutor.CallerRunsPolicy());
this.blockInputStreamFactory = BlockInputStreamFactoryImpl
.getInstance(byteBufferPool, () -> ecReconstructExecutor);
- tokenHelper = new TokenHelper(conf, secretKeyClient);
+ tokenHelper = new TokenHelper(new SecurityConfig(conf), secretKeyClient);
this.clientMetrics = ContainerClientMetrics.acquire();
this.metrics = metrics;
}
diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ec/reconstruction/TokenHelper.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ec/reconstruction/TokenHelper.java
index 682b9dc14766..d916300a7c27 100644
--- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ec/reconstruction/TokenHelper.java
+++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ec/reconstruction/TokenHelper.java
@@ -17,24 +17,21 @@
*/
package org.apache.hadoop.ozone.container.ec.reconstruction;
-import org.apache.hadoop.hdds.HddsConfigKeys;
import org.apache.hadoop.hdds.client.BlockID;
-import org.apache.hadoop.hdds.conf.ConfigurationSource;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos.BlockTokenSecretProto.AccessModeProto;
import org.apache.hadoop.hdds.scm.container.ContainerID;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.symmetric.SecretKeySignerClient;
import org.apache.hadoop.hdds.security.token.ContainerTokenIdentifier;
import org.apache.hadoop.hdds.security.token.ContainerTokenSecretManager;
import org.apache.hadoop.hdds.security.token.OzoneBlockTokenIdentifier;
import org.apache.hadoop.hdds.security.token.OzoneBlockTokenSecretManager;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import java.io.IOException;
import java.util.EnumSet;
import java.util.Set;
-import java.util.concurrent.TimeUnit;
import static org.apache.hadoop.hdds.protocol.proto.HddsProtos.BlockTokenSecretProto.AccessModeProto.DELETE;
import static org.apache.hadoop.hdds.protocol.proto.HddsProtos.BlockTokenSecretProto.AccessModeProto.READ;
@@ -51,10 +48,9 @@ class TokenHelper {
private static final Set MODES =
EnumSet.of(READ, WRITE, DELETE);
- TokenHelper(ConfigurationSource conf, SecretKeySignerClient secretKeyClient)
- throws IOException {
+ TokenHelper(SecurityConfig securityConfig,
+ SecretKeySignerClient secretKeyClient) throws IOException {
- SecurityConfig securityConfig = new SecurityConfig(conf);
boolean blockTokenEnabled = securityConfig.isBlockTokenEnabled();
boolean containerTokenEnabled = securityConfig.isContainerTokenEnabled();
@@ -65,10 +61,7 @@ class TokenHelper {
if (securityEnabled && (blockTokenEnabled || containerTokenEnabled)) {
user = UserGroupInformation.getCurrentUser().getShortUserName();
- long expiryTime = conf.getTimeDuration(
- HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME,
- HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME_DEFAULT,
- TimeUnit.MILLISECONDS);
+ long expiryTime = securityConfig.getBlockTokenExpiryDurationMs();
if (blockTokenEnabled) {
blockTokenMgr = new OzoneBlockTokenSecretManager(expiryTime,
diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ozoneimpl/OzoneContainer.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ozoneimpl/OzoneContainer.java
index dbb3832b9450..3c3d26c74173 100644
--- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ozoneimpl/OzoneContainer.java
+++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ozoneimpl/OzoneContainer.java
@@ -28,9 +28,9 @@
import org.apache.hadoop.hdds.protocol.proto.StorageContainerDatanodeProtocolProtos.ContainerReplicaProto;
import org.apache.hadoop.hdds.protocol.proto.StorageContainerDatanodeProtocolProtos.IncrementalContainerReportProto;
import org.apache.hadoop.hdds.protocol.proto.StorageContainerDatanodeProtocolProtos.PipelineReportsProto;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.symmetric.SecretKeyVerifierClient;
import org.apache.hadoop.hdds.security.token.TokenVerifier;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.utils.HddsServerUtil;
import org.apache.hadoop.ozone.container.common.helpers.ContainerMetrics;
diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/GrpcContainerUploader.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/GrpcContainerUploader.java
index 3f6fdc1ab595..8728ff35e252 100644
--- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/GrpcContainerUploader.java
+++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/GrpcContainerUploader.java
@@ -23,7 +23,7 @@
import org.apache.hadoop.hdds.protocol.DatanodeDetails.Port;
import org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos.SendContainerRequest;
import org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos.SendContainerResponse;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.utils.IOUtils;
import org.apache.ratis.thirdparty.io.grpc.stub.StreamObserver;
diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/GrpcReplicationClient.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/GrpcReplicationClient.java
index b5ea4b179187..6c9cdc3fef10 100644
--- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/GrpcReplicationClient.java
+++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/GrpcReplicationClient.java
@@ -34,8 +34,8 @@
import org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos.SendContainerResponse;
import org.apache.hadoop.hdds.protocol.datanode.proto.IntraDatanodeProtocolServiceGrpc;
import org.apache.hadoop.hdds.protocol.datanode.proto.IntraDatanodeProtocolServiceGrpc.IntraDatanodeProtocolServiceStub;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.ssl.KeyStoresFactory;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.ozone.OzoneConsts;
diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/ReplicationServer.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/ReplicationServer.java
index ee1faf8917d9..2118e9039ea2 100644
--- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/ReplicationServer.java
+++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/ReplicationServer.java
@@ -27,7 +27,7 @@
import org.apache.hadoop.hdds.conf.ConfigGroup;
import org.apache.hadoop.hdds.conf.ConfigType;
import org.apache.hadoop.hdds.conf.PostConstruct;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.tracing.GrpcServerInterceptor;
import org.apache.hadoop.ozone.OzoneConsts;
diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/SimpleContainerDownloader.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/SimpleContainerDownloader.java
index 414d51fc4bcd..cf7ff211bf8f 100644
--- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/SimpleContainerDownloader.java
+++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/SimpleContainerDownloader.java
@@ -29,7 +29,7 @@
import org.apache.hadoop.hdds.conf.ConfigurationSource;
import org.apache.hadoop.hdds.protocol.DatanodeDetails;
import org.apache.hadoop.hdds.protocol.DatanodeDetails.Port.Name;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import com.google.common.annotations.VisibleForTesting;
diff --git a/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/hdds/datanode/metadata/TestDatanodeCRLStoreImpl.java b/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/hdds/datanode/metadata/TestDatanodeCRLStoreImpl.java
index 11747920a216..8d3de5218afa 100644
--- a/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/hdds/datanode/metadata/TestDatanodeCRLStoreImpl.java
+++ b/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/hdds/datanode/metadata/TestDatanodeCRLStoreImpl.java
@@ -20,7 +20,7 @@
import org.apache.hadoop.fs.FileUtil;
import org.apache.hadoop.hdds.HddsConfigKeys;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CRLApprover;
import org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCRLApprover;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
diff --git a/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/TestHddsDatanodeService.java b/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/TestHddsDatanodeService.java
index b6d70054ce34..87dc68383bd9 100644
--- a/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/TestHddsDatanodeService.java
+++ b/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/TestHddsDatanodeService.java
@@ -74,7 +74,7 @@ public class TestHddsDatanodeService {
private final String clusterId = UUID.randomUUID().toString();
private final OzoneConfiguration conf = new OzoneConfiguration();
private final HddsDatanodeService service =
- HddsDatanodeService.createHddsDatanodeService(new String[] {});
+ new HddsDatanodeService(new String[] {});
private static final int SCM_SERVER_COUNT = 1;
@BeforeEach
diff --git a/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/TestHddsSecureDatanodeInit.java b/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/TestHddsSecureDatanodeInit.java
index 84e98a20435d..eea522438fab 100644
--- a/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/TestHddsSecureDatanodeInit.java
+++ b/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/TestHddsSecureDatanodeInit.java
@@ -35,7 +35,7 @@
import org.apache.hadoop.hdds.protocol.MockDatanodeDetails;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos;
import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.DNCertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.certificate.utils.SelfSignedCertificate;
@@ -48,6 +48,7 @@
import org.apache.commons.io.FileUtils;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_CA_ROTATION_CHECK_INTERNAL;
+import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION;
import static org.apache.hadoop.ozone.HddsDatanodeService.getLogger;
import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY;
@@ -86,6 +87,7 @@ public class TestHddsSecureDatanodeInit {
private DNCertificateClient client;
private static DatanodeDetails datanodeDetails;
+ private static SCMSecurityProtocolClientSideTranslatorPB scmClient;
@BeforeAll
public static void setUp() throws Exception {
@@ -102,9 +104,17 @@ public static void setUp() throws Exception {
ServicePlugin.class);
conf.set(HDDS_X509_RENEW_GRACE_DURATION, "PT5S"); // 5s
conf.set(HDDS_X509_CA_ROTATION_CHECK_INTERNAL, "PT1S"); // 1s
+ conf.setBoolean(HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED, false);
+
securityConfig = new SecurityConfig(conf);
- service = HddsDatanodeService.createHddsDatanodeService(args);
+ service = new HddsDatanodeService(args) {
+ @Override
+ SCMSecurityProtocolClientSideTranslatorPB createScmSecurityClient()
+ throws IOException {
+ return mock(SCMSecurityProtocolClientSideTranslatorPB.class);
+ }
+ };
dnLogs = GenericTestUtils.LogCapturer.captureLogs(getLogger());
callQuietly(() -> {
service.start(conf);
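Review bot: `conf.setBoolean(HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED, false)` is the one new setting in this hunk without a comment, while the neighbouring grace-duration and rotation-interval lines each say what they set. Turning this check off changes what the rotation tests exercise, so a one-line reason would help the next reader, e.g. `// grace-period token checks off: <state why the rotation tests need this>`. The overridden `createScmSecurityClient()` returns a new mock on each call, so the service's certificate client never sees the static `scmClient` mock created later in `setUp()`; if that is intended, a comment on the override saying so would avoid confusion.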
@@ -123,6 +133,8 @@ public static void setUp() throws Exception {
certHolder = generateX509CertHolder(new KeyPair(publicKey, privateKey),
null, Duration.ofSeconds(CERT_LIFETIME));
datanodeDetails = MockDatanodeDetails.randomDatanodeDetails();
+
+ scmClient = mock(SCMSecurityProtocolClientSideTranslatorPB.class);
}
@AfterAll
@@ -143,9 +155,8 @@ public void setUpDNCertClient() throws IOException {
.getCertificateLocation(DN_COMPONENT).toString(),
securityConfig.getCertificateFileName()).toFile());
dnLogs.clearOutput();
- client = new DNCertificateClient(securityConfig, datanodeDetails,
+ client = new DNCertificateClient(securityConfig, scmClient, datanodeDetails,
certHolder.getSerialNumber().toString(), null, null);
- service.setCertificateClient(client);
}
@AfterEach
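Review bot: `client` is now wired to the static `scmClient` mock created once in `setUp()`, whereas the per-test mocks removed in the `testCertificateRotation` and `testCertificateRotationRecoverableFailure` hunks gave each test a clean instance. Any stubbing or recorded invocations left on the shared mock by one test carry over into the next, which makes test order matter. Add `reset(scmClient);` at the start of `setUpDNCertClient()`, or create the mock per test here instead of in `setUp()`. Note also that stubs on `scmClient` reach only `client`, since the service started in `setUp()` obtains its own mock from the overridden `createScmSecurityClient()`.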
@@ -278,6 +289,7 @@ public static void callQuietly(Callable closure) {
try {
closure.call();
} catch (Throwable e) {
+ e.printStackTrace();
// Ignore all Throwable,
}
}
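Review bot: `e.printStackTrace()` in `callQuietly` writes to stderr outside the test's logging and now contradicts the comment directly below it, which says the Throwable is ignored. If the trace is wanted for diagnosing failing startups, route it through a logger and say so, e.g. replace the two lines with `LOG.warn("Ignoring exception from test closure", e);` (or `getLogger().warn(...)` if this class has no logger of its own); otherwise drop it before merge.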
@@ -287,11 +299,6 @@ public void testCertificateRotation() throws Exception {
// save the certificate on dn
certCodec.writeCertificate(certHolder);
- // prepare a mocked scmClient to certificate signing
- SCMSecurityProtocolClientSideTranslatorPB scmClient =
- mock(SCMSecurityProtocolClientSideTranslatorPB.class);
- client.setSecureScmClient(scmClient);
-
Duration gracePeriod = securityConfig.getRenewalGracePeriod();
X509CertificateHolder newCertHolder = generateX509CertHolder(null,
LocalDateTime.now().plus(gracePeriod),
@@ -364,11 +371,6 @@ public void testCertificateRotationRecoverableFailure() throws Exception {
// save the certificate on dn
certCodec.writeCertificate(certHolder);
- // prepare a mocked scmClient to certificate signing
- SCMSecurityProtocolClientSideTranslatorPB scmClient =
- mock(SCMSecurityProtocolClientSideTranslatorPB.class);
- client.setSecureScmClient(scmClient);
-
Duration gracePeriod = securityConfig.getRenewalGracePeriod();
X509CertificateHolder newCertHolder = generateX509CertHolder(null,
LocalDateTime.now().plus(gracePeriod),
@@ -437,7 +439,7 @@ private static X509CertificateHolder generateX509CertHolder(KeyPair keyPair,
.setClusterID("cluster")
.setKey(keyPair)
.setSubject("localhost")
- .setConfiguration(conf)
+ .setConfiguration(securityConfig)
.setScmID("test")
.build();
}
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/protocolPB/SCMSecurityProtocolClientSideTranslatorPB.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/protocolPB/SCMSecurityProtocolClientSideTranslatorPB.java
index e3803c492a9a..4074465ae36b 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/protocolPB/SCMSecurityProtocolClientSideTranslatorPB.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/protocolPB/SCMSecurityProtocolClientSideTranslatorPB.java
@@ -190,6 +190,7 @@ public String getCertificate(NodeDetailsProto nodeDetails,
* @return String - pem encoded SCM signed
* certificate.
*/
+ @Override
public String getSCMCertificate(ScmNodeDetailsProto scmNodeDetails,
String certSignReq) throws IOException {
return getSCMCertChain(scmNodeDetails, certSignReq).getX509Certificate();
@@ -297,6 +298,7 @@ public SCMGetCertResponseProto getCertificateChain(
builder -> builder.setGetCertRequest(request))
.getGetCertResponseProto();
}
+
/**
* Get CA certificate.
*
@@ -307,7 +309,6 @@ public String getCACertificate() throws IOException {
return getCACert().getX509Certificate();
}
-
public SCMGetCertResponseProto getCACert() throws IOException {
SCMGetCACertificateRequestProto protoIns = SCMGetCACertificateRequestProto
.getDefaultInstance();
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/OzoneSecretKey.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/OzoneSecretKey.java
index 9f335e7dd558..c79d6f5aa274 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/OzoneSecretKey.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/OzoneSecretKey.java
@@ -31,7 +31,6 @@
import org.apache.hadoop.hdds.annotation.InterfaceAudience;
import org.apache.hadoop.hdds.annotation.InterfaceStability;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.keys.SecurityUtil;
import org.apache.hadoop.io.Writable;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos.SecretKeyProto;
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/OzoneSecretManager.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/OzoneSecretManager.java
index 3c16fc69517d..c99a13c48916 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/OzoneSecretManager.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/OzoneSecretManager.java
@@ -20,7 +20,7 @@
import com.google.common.base.Preconditions;
import org.apache.hadoop.hdds.annotation.InterfaceAudience;
import org.apache.hadoop.hdds.annotation.InterfaceStability;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.exception.OzoneSecurityException;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateNotification;
import org.apache.hadoop.io.Text;
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/token/BlockTokenVerifier.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/token/BlockTokenVerifier.java
index c9999d253bc6..949016724cfc 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/token/BlockTokenVerifier.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/token/BlockTokenVerifier.java
@@ -25,9 +25,9 @@
import org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos;
import org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos.ContainerCommandRequestProtoOrBuilder;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.symmetric.SecretKeyVerifierClient;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/token/ContainerTokenVerifier.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/token/ContainerTokenVerifier.java
index 7e4d186c3223..a52293847599 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/token/ContainerTokenVerifier.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/token/ContainerTokenVerifier.java
@@ -21,8 +21,8 @@
import org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos;
import org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos.ContainerCommandRequestProtoOrBuilder;
import org.apache.hadoop.hdds.scm.container.ContainerID;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.symmetric.SecretKeyVerifierClient;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
/** Verifier for container tokens. */
public class ContainerTokenVerifier extends
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/token/ShortLivedTokenVerifier.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/token/ShortLivedTokenVerifier.java
index ae18305f9ead..802323436e17 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/token/ShortLivedTokenVerifier.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/token/ShortLivedTokenVerifier.java
@@ -19,10 +19,10 @@
import org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos;
import org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos.ContainerCommandRequestProtoOrBuilder;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.symmetric.ManagedSecretKey;
import org.apache.hadoop.hdds.security.symmetric.SecretKeyVerifierClient;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/token/TokenVerifier.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/token/TokenVerifier.java
index 3301b68fccad..4d06cbf15fe9 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/token/TokenVerifier.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/token/TokenVerifier.java
@@ -22,9 +22,9 @@
import org.apache.hadoop.hdds.annotation.InterfaceAudience;
import org.apache.hadoop.hdds.annotation.InterfaceStability;
import org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos.ContainerCommandRequestProtoOrBuilder;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.symmetric.SecretKeyVerifierClient;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.security.token.Token;
import java.io.IOException;
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/BaseApprover.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/BaseApprover.java
index 0389b9554b53..3e6194f9203c 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/BaseApprover.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/BaseApprover.java
@@ -19,8 +19,8 @@
package org.apache.hadoop.hdds.security.x509.certificate.authority;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.profile.PKIProfile;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest;
import org.bouncycastle.asn1.ASN1Encodable;
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateApprover.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateApprover.java
index 31d0aeaddc56..51ca989323ff 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateApprover.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateApprover.java
@@ -19,7 +19,7 @@
package org.apache.hadoop.hdds.security.x509.certificate.authority;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateServer.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateServer.java
index 69d28ccc6885..819be4972272 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateServer.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateServer.java
@@ -21,8 +21,8 @@
import org.apache.hadoop.hdds.protocol.proto.HddsProtos.NodeType;
import org.apache.hadoop.hdds.scm.metadata.SCMMetadataStore;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateApprover.ApprovalType;
import org.apache.hadoop.hdds.security.x509.crl.CRLInfo;
import org.bouncycastle.asn1.x509.CRLReason;
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultApprover.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultApprover.java
index 4277dbe70f00..ad08cb46299c 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultApprover.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultApprover.java
@@ -19,8 +19,8 @@
package org.apache.hadoop.hdds.security.x509.certificate.authority;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.profile.PKIProfile;
import org.apache.hadoop.util.Time;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer.java
index b3204e580038..be5755f0b4c6 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer.java
@@ -24,8 +24,8 @@
import org.apache.commons.collections.CollectionUtils;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos.NodeType;
import org.apache.hadoop.hdds.scm.metadata.SCMMetadataStore;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.profile.PKIProfile;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.certificate.utils.SelfSignedCertificate;
@@ -571,7 +571,7 @@ private void generateRootCertificate(
.setBeginDate(beginDate)
.setEndDate(endDate)
.makeCA()
- .setConfiguration(securityConfig.getConfiguration())
+ .setConfiguration(securityConfig)
.setKey(key);
builder.addInetAddresses();
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCRLApprover.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCRLApprover.java
index a5a545b83ec7..671e31d18d91 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCRLApprover.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCRLApprover.java
@@ -19,7 +19,7 @@
package org.apache.hadoop.hdds.security.x509.certificate.authority;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.crl.CRLCodec;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.cert.X509v2CRLBuilder;
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CommonCertificateClient.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CommonCertificateClient.java
index ca0d7e8bd975..8ab3c1371978 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CommonCertificateClient.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CommonCertificateClient.java
@@ -17,7 +17,8 @@
package org.apache.hadoop.hdds.security.x509.certificate.client;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest;
import org.apache.hadoop.hdds.security.x509.exception.CertificateException;
import org.slf4j.Logger;
@@ -37,11 +38,17 @@ public abstract class CommonCertificateClient extends DefaultCertificateClient {
private final Logger log;
- public CommonCertificateClient(SecurityConfig securityConfig, Logger log,
- String certSerialId, String component,
- Consumer saveCertIdCallback, Runnable shutdownCallback) {
- super(securityConfig, log, certSerialId, component, saveCertIdCallback,
- shutdownCallback);
+ public CommonCertificateClient(
+ SecurityConfig securityConfig,
+ SCMSecurityProtocolClientSideTranslatorPB scmSecurityClient,
+ Logger log,
+ String certSerialId,
+ String component,
+ Consumer saveCertIdCallback,
+ Runnable shutdownCallback
+ ) {
+ super(securityConfig, scmSecurityClient, log, certSerialId, component,
+ saveCertIdCallback, shutdownCallback);
this.log = log;
}
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DNCertificateClient.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DNCertificateClient.java
index 63b6a37c3e74..8c5c91320338 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DNCertificateClient.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DNCertificateClient.java
@@ -21,7 +21,8 @@
import org.apache.hadoop.hdds.protocol.DatanodeDetails;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CAType;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest;
@@ -51,10 +52,15 @@ public class DNCertificateClient extends DefaultCertificateClient {
public static final String COMPONENT_NAME = "dn";
private final DatanodeDetails dn;
- public DNCertificateClient(SecurityConfig securityConfig,
- DatanodeDetails datanodeDetails, String certSerialId,
- Consumer saveCertId, Runnable shutdown) {
- super(securityConfig, LOG, certSerialId, COMPONENT_NAME,
+ public DNCertificateClient(
+ SecurityConfig securityConfig,
+ SCMSecurityProtocolClientSideTranslatorPB scmSecurityClient,
+ DatanodeDetails datanodeDetails,
+ String certSerialId,
+ Consumer saveCertId,
+ Runnable shutdown
+ ) {
+ super(securityConfig, scmSecurityClient, LOG, certSerialId, COMPONENT_NAME,
saveCertId, shutdown);
this.dn = datanodeDetails;
}
@@ -79,7 +85,7 @@ public CertificateSignRequest.Builder getCSRBuilder()
.getShortUserName() + "@" + hostname;
builder.setCA(false)
.setKey(new KeyPair(getPublicKey(), getPrivateKey()))
- .setConfiguration(getConfig())
+ .setConfiguration(getSecurityConfig())
.setSubject(subject);
LOG.info("Created csr for DN-> subject:{}", subject);
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
index 56b3bbba10d6..d64cabf5c92a 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
@@ -59,14 +59,12 @@
import java.util.stream.Stream;
import java.util.stream.Collectors;
-import com.google.common.annotations.VisibleForTesting;
import com.google.common.util.concurrent.ThreadFactoryBuilder;
import org.apache.commons.io.FileUtils;
-import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.ssl.KeyStoresFactory;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CAType;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest;
import org.apache.hadoop.hdds.security.x509.exception.CertificateException;
@@ -90,9 +88,7 @@
import static org.apache.hadoop.hdds.security.x509.exception.CertificateException.ErrorCode.CRYPTO_SIGN_ERROR;
import static org.apache.hadoop.hdds.security.x509.exception.CertificateException.ErrorCode.RENEW_ERROR;
import static org.apache.hadoop.hdds.security.x509.exception.CertificateException.ErrorCode.ROLLBACK_ERROR;
-import static org.apache.hadoop.hdds.utils.HddsServerUtil.getScmSecurityClientWithMaxRetry;
-import org.apache.hadoop.security.UserGroupInformation;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.slf4j.Logger;
@@ -126,15 +122,21 @@ public abstract class DefaultCertificateClient implements CertificateClient {
private ScheduledExecutorService executorService;
private Consumer certIdSaveCallback;
private Runnable shutdownCallback;
- private SCMSecurityProtocolClientSideTranslatorPB scmSecurityProtocolClient;
+ private SCMSecurityProtocolClientSideTranslatorPB scmSecurityClient;
private final Set notificationReceivers;
- private static UserGroupInformation ugi;
- protected DefaultCertificateClient(SecurityConfig securityConfig, Logger log,
- String certSerialId, String component,
- Consumer saveCertId, Runnable shutdown) {
+ protected DefaultCertificateClient(
+ SecurityConfig securityConfig,
+ SCMSecurityProtocolClientSideTranslatorPB scmSecurityClient,
+ Logger log,
+ String certSerialId,
+ String component,
+ Consumer saveCertId,
+ Runnable shutdown
+ ) {
Objects.requireNonNull(securityConfig);
this.securityConfig = securityConfig;
+ this.scmSecurityClient = scmSecurityClient;
keyCodec = new KeyCodec(securityConfig, component);
this.logger = log;
this.certificateMap = new ConcurrentHashMap<>();
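Review bot: The injected client is stored by `this.scmSecurityClient = scmSecurityClient;` without the null check that `securityConfig` receives on the preceding lines, and `getScmSecureClient()` in the later hunk of this file now returns the field as-is instead of building a client lazily, so a caller that wires in null will fail with a NullPointerException at the first SCM call rather than at construction. If null is never legitimate, make it `this.scmSecurityClient = Objects.requireNonNull(scmSecurityClient, "scmSecurityClient");`; if some role may legitimately construct without a client (SCMCertificateClient passes through whatever it is given, so that seems possible), say so in the constructor Javadoc and have the getter throw IllegalStateException instead of returning null. The pass-through constructors in CommonCertificateClient, DNCertificateClient and SCMCertificateClient inherit whichever choice is made here. The constructor body continues past the end of this hunk.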
@@ -529,8 +531,8 @@ public CertificateSignRequest.Builder getCSRBuilder()
throws CertificateException {
CertificateSignRequest.Builder builder =
new CertificateSignRequest.Builder()
- .setConfiguration(securityConfig.getConfiguration());
- builder.addInetAddresses();
+ .setConfiguration(securityConfig)
+ .addInetAddresses();
return builder;
}
@@ -1197,10 +1199,6 @@ public SecurityConfig getSecurityConfig() {
return securityConfig;
}
- public OzoneConfiguration getConfig() {
- return (OzoneConfiguration)securityConfig.getConfiguration();
- }
-
private synchronized String updateCertSerialId(String newCertSerialId) {
certSerialId = newCertSerialId;
loadAllCertificates();
@@ -1214,27 +1212,12 @@ protected abstract String signAndStoreCertificate(
public String signAndStoreCertificate(
PKCS10CertificationRequest request) throws CertificateException {
return updateCertSerialId(signAndStoreCertificate(request,
- getSecurityConfig().getCertificateLocation(getComponentName())));
+ securityConfig.getCertificateLocation(getComponentName())));
}
public SCMSecurityProtocolClientSideTranslatorPB getScmSecureClient()
throws IOException {
- if (scmSecurityProtocolClient == null) {
- scmSecurityProtocolClient =
- getScmSecurityClientWithMaxRetry(getConfig(), ugi);
- }
- return scmSecurityProtocolClient;
- }
-
- @VisibleForTesting
- public void setSecureScmClient(
- SCMSecurityProtocolClientSideTranslatorPB client) {
- scmSecurityProtocolClient = client;
- }
-
- @VisibleForTesting
- public static void setUgi(UserGroupInformation user) {
- ugi = user;
+ return scmSecurityClient;
}
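Review bot: `getScmSecureClient()` still declares `throws IOException` although its body is now a plain field return, so callers keep handling an exception this method can no longer raise; the clause is left over from the removed lazy `getScmSecurityClientWithMaxRetry` path. Dropping it is the cleaner fix, but a caller whose try block wraps only this call would then fail to compile on an unreachable `catch (IOException e)`, so either remove it together with those call sites or keep it and add a Javadoc line stating it is retained for source compatibility. A short Javadoc on the getter saying that it returns the client injected through the constructor, and whether that value may be null, would also help now that the method no longer creates anything.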
public synchronized void startCertificateMonitor() {
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/SCMCertificateClient.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/SCMCertificateClient.java
index 2f64017af6a3..51eb2959a6e9 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/SCMCertificateClient.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/SCMCertificateClient.java
@@ -18,7 +18,8 @@
package org.apache.hadoop.hdds.security.x509.certificate.client;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest;
import org.apache.hadoop.hdds.security.x509.exception.CertificateException;
import org.apache.hadoop.ozone.OzoneConsts;
@@ -49,14 +50,21 @@ public class SCMCertificateClient extends DefaultCertificateClient {
Paths.get(OzoneConsts.SCM_CA_CERT_STORAGE_DIR,
OzoneConsts.SCM_SUB_CA_PATH).toString();
- public SCMCertificateClient(SecurityConfig securityConfig,
- String certSerialId) {
- super(securityConfig, LOG, certSerialId, COMPONENT_NAME, null, null);
+ public SCMCertificateClient(
+ SecurityConfig securityConfig,
+ SCMSecurityProtocolClientSideTranslatorPB scmClient,
+ String certSerialId
+ ) {
+ super(securityConfig, scmClient, LOG, certSerialId,
+ COMPONENT_NAME, null, null);
}
- public SCMCertificateClient(SecurityConfig securityConfig,
- String certSerialId, String component) {
- super(securityConfig, LOG, certSerialId, component, null, null);
+ public SCMCertificateClient(
+ SecurityConfig securityConfig,
+ SCMSecurityProtocolClientSideTranslatorPB scmClient,
+ String certSerialId,
+ String component) {
+ super(securityConfig, scmClient, LOG, certSerialId, component, null, null);
}
@Override
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/crl/CRLCodec.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/crl/CRLCodec.java
index 354e2675c528..f634cd6dcc32 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/crl/CRLCodec.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/crl/CRLCodec.java
@@ -19,8 +19,8 @@
package org.apache.hadoop.hdds.security.x509.crl;
import org.apache.commons.io.IOUtils;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/keys/HDDSKeyGenerator.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/keys/HDDSKeyGenerator.java
index 1f3b66598888..28233b4bc81e 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/keys/HDDSKeyGenerator.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/keys/HDDSKeyGenerator.java
@@ -23,8 +23,7 @@
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
-import org.apache.hadoop.hdds.conf.ConfigurationSource;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -37,15 +36,6 @@ public class HDDSKeyGenerator {
LoggerFactory.getLogger(HDDSKeyGenerator.class);
private final SecurityConfig securityConfig;
- /**
- * Constructor for HDDSKeyGenerator.
- *
- * @param configuration - config
- */
- public HDDSKeyGenerator(ConfigurationSource configuration) {
- this.securityConfig = new SecurityConfig(configuration);
- }
-
/**
* Constructor that takes a SecurityConfig as the Argument.
*
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/keys/KeyCodec.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/keys/KeyCodec.java
index b8d0104c6102..c4e24783c3b8 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/keys/KeyCodec.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/keys/KeyCodec.java
@@ -22,7 +22,7 @@
import com.google.common.base.Preconditions;
import org.apache.commons.io.FileUtils;
import org.apache.commons.io.output.FileWriterWithEncoding;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;
import org.bouncycastle.util.io.pem.PemWriter;
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/keys/SecurityUtil.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/keys/SecurityUtil.java
index 2740c55c843c..5f34e8dfe03c 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/keys/SecurityUtil.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/keys/SecurityUtil.java
@@ -29,9 +29,9 @@
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.ssl.KeyStoresFactory;
import org.apache.hadoop.hdds.security.ssl.PemFileBasedKeyStoresFactory;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.exception.CertificateException;
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/utils/HddsServerUtil.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/utils/HddsServerUtil.java
index 5888940f8214..c6840d39d53f 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/utils/HddsServerUtil.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/utils/HddsServerUtil.java
@@ -94,8 +94,6 @@
import static org.apache.hadoop.hdds.scm.ScmConfigKeys.OZONE_SCM_HEARTBEAT_RPC_RETRY_INTERVAL_DEFAULT;
import static org.apache.hadoop.hdds.scm.ScmConfigKeys.OZONE_SCM_STALENODE_INTERVAL;
import static org.apache.hadoop.hdds.scm.ScmConfigKeys.OZONE_SCM_STALENODE_INTERVAL_DEFAULT;
-import static org.apache.hadoop.hdds.scm.ScmConfigKeys.OZONE_SCM_INFO_WAIT_DURATION;
-import static org.apache.hadoop.hdds.scm.ScmConfigKeys.OZONE_SCM_INFO_WAIT_DURATION_DEFAULT;
import static org.apache.hadoop.hdds.server.ServerUtils.sanitizeUserArgs;
import static org.apache.hadoop.ozone.OzoneConfigKeys.HDDS_DATANODE_CONTAINER_DB_DIR;
@@ -472,31 +470,6 @@ public static SCMSecurityProtocolClientSideTranslatorPB getScmSecurityClient(
ugi == null ? UserGroupInformation.getCurrentUser() : ugi));
}
- public static SCMSecurityProtocolClientSideTranslatorPB
- getScmSecurityClientWithFixedDuration(OzoneConfiguration conf)
- throws IOException {
- // As for OM during init, we need to wait for specific duration so that
- // we can give response to user performed operation init in a definite
- // period, instead of stuck for ever.
- OzoneConfiguration configuration = new OzoneConfiguration(conf);
- long duration = conf.getTimeDuration(OZONE_SCM_INFO_WAIT_DURATION,
- OZONE_SCM_INFO_WAIT_DURATION_DEFAULT, TimeUnit.SECONDS);
- SCMClientConfig scmClientConfig = conf.getObject(SCMClientConfig.class);
- int retryCount =
- (int) (duration / (scmClientConfig.getRetryInterval() / 1000));
-
- // If duration is set to lesser value, fall back to actual default
- // retry count.
- if (retryCount > scmClientConfig.getRetryCount()) {
- scmClientConfig.setRetryCount(retryCount);
- configuration.setFromObject(scmClientConfig);
- }
-
- return new SCMSecurityProtocolClientSideTranslatorPB(
- new SCMSecurityProtocolFailoverProxyProvider(configuration,
- UserGroupInformation.getCurrentUser()));
- }
-
/**
* Create a scm block client, used by putKey() and getKey().
*
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/ssl/TestPemFileBasedKeyStoresFactory.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/ssl/TestPemFileBasedKeyStoresFactory.java
index 5b3746645069..cb02e99b8351 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/ssl/TestPemFileBasedKeyStoresFactory.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/ssl/TestPemFileBasedKeyStoresFactory.java
@@ -29,7 +29,7 @@
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.scm.pipeline.Pipeline;
import org.apache.hadoop.hdds.scm.pipeline.PipelineID;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClientTestImpl;
import org.apache.hadoop.ozone.container.ContainerTestHelper;
import org.apache.ratis.thirdparty.io.grpc.ManagedChannel;
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/token/TestBlockTokenVerifier.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/token/TestBlockTokenVerifier.java
index 91825b09cc14..81a5799c7837 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/token/TestBlockTokenVerifier.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/token/TestBlockTokenVerifier.java
@@ -24,7 +24,7 @@
import org.apache.hadoop.hdds.scm.pipeline.MockPipeline;
import org.apache.hadoop.hdds.scm.pipeline.Pipeline;
import org.apache.hadoop.hdds.security.symmetric.SecretKeyVerifierClient;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.ozone.container.ContainerTestHelper;
import java.io.IOException;
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/token/TestContainerTokenVerifier.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/token/TestContainerTokenVerifier.java
index 1704226e5a9f..4803433998ba 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/token/TestContainerTokenVerifier.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/token/TestContainerTokenVerifier.java
@@ -24,7 +24,7 @@
import org.apache.hadoop.hdds.scm.pipeline.MockPipeline;
import org.apache.hadoop.hdds.scm.pipeline.Pipeline;
import org.apache.hadoop.hdds.security.symmetric.SecretKeyVerifierClient;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import java.io.IOException;
import java.time.Instant;
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/token/TestOzoneBlockTokenSecretManager.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/token/TestOzoneBlockTokenSecretManager.java
index d8c22713235a..7227107b87d6 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/token/TestOzoneBlockTokenSecretManager.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/token/TestOzoneBlockTokenSecretManager.java
@@ -29,7 +29,7 @@
import org.apache.hadoop.hdds.security.symmetric.ManagedSecretKey;
import org.apache.hadoop.hdds.security.symmetric.SecretKeyVerifierClient;
import org.apache.hadoop.hdds.security.symmetric.SecretKeyTestUtil;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.security.token.Token;
import org.apache.ozone.test.GenericTestUtils;
import org.junit.Assert;
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/token/TokenVerifierTests.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/token/TokenVerifierTests.java
index 1ff9bee053a9..a8bcb128fbae 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/token/TokenVerifierTests.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/token/TokenVerifierTests.java
@@ -22,7 +22,7 @@
import org.apache.hadoop.hdds.security.symmetric.ManagedSecretKey;
import org.apache.hadoop.hdds.security.symmetric.SecretKeySignerClient;
import org.apache.hadoop.hdds.security.symmetric.SecretKeyVerifierClient;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.jetbrains.annotations.NotNull;
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/MockApprover.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/MockApprover.java
index 0ec1ccc55e45..96221d7a10d8 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/MockApprover.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/MockApprover.java
@@ -19,7 +19,7 @@
package org.apache.hadoop.hdds.security.x509.certificate.authority;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.profile.PKIProfile;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.operator.OperatorCreationException;
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
index 8cea1f6f4d42..0d64e5f96b65 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
@@ -24,7 +24,7 @@
import org.apache.hadoop.hdds.HddsConfigKeys;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.profile.DefaultCAProfile;
import org.apache.hadoop.hdds.security.x509.certificate.authority.profile.DefaultProfile;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
@@ -85,19 +85,20 @@
*/
public class TestDefaultCAServer {
private OzoneConfiguration conf;
+ private SecurityConfig securityConfig;
private MockCAStore caStore;
@BeforeEach
public void init(@TempDir Path tempDir) throws IOException {
conf = new OzoneConfiguration();
conf.set(OZONE_METADATA_DIRS, tempDir.toString());
+ securityConfig = new SecurityConfig(conf);
caStore = new MockCAStore();
}
@Test
public void testInit() throws SCMSecurityException, CertificateException,
IOException {
- SecurityConfig securityConfig = new SecurityConfig(conf);
CertificateServer testCA = new DefaultCAServer("testCA",
RandomStringUtils.randomAlphabetic(4),
RandomStringUtils.randomAlphabetic(4), caStore,
@@ -114,7 +115,6 @@ public void testInit() throws SCMSecurityException, CertificateException,
@Test
public void testMissingCertificate() {
- SecurityConfig securityConfig = new SecurityConfig(conf);
CertificateServer testCA = new DefaultCAServer("testCA",
RandomStringUtils.randomAlphabetic(4),
RandomStringUtils.randomAlphabetic(4), caStore,
@@ -137,7 +137,6 @@ public void testMissingCertificate() {
@Test
public void testMissingKey() {
- SecurityConfig securityConfig = new SecurityConfig(conf);
CertificateServer testCA = new DefaultCAServer("testCA",
RandomStringUtils.randomAlphabetic(4),
RandomStringUtils.randomAlphabetic(4), caStore,
@@ -174,7 +173,7 @@ public void testRequestCertificate() throws IOException,
String scmId = RandomStringUtils.randomAlphabetic(4);
String clusterId = RandomStringUtils.randomAlphabetic(4);
KeyPair keyPair =
- new HDDSKeyGenerator(conf).generateKey();
+ new HDDSKeyGenerator(securityConfig).generateKey();
PKCS10CertificationRequest csr = new CertificateSignRequest.Builder()
.addDnsName("hadoop.apache.org")
.addIpAddress("8.8.8.8")
@@ -183,7 +182,7 @@ public void testRequestCertificate() throws IOException,
.setClusterID(clusterId)
.setScmID(scmId)
.setSubject("Ozone Cluster")
- .setConfiguration(conf)
+ .setConfiguration(securityConfig)
.setKey(keyPair)
.build();
@@ -194,8 +193,7 @@ public void testRequestCertificate() throws IOException,
clusterId, scmId, caStore,
new DefaultProfile(),
Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString());
- testCA.init(new SecurityConfig(conf),
- CAType.ROOT);
+ testCA.init(securityConfig, CAType.ROOT);
Future holder = testCA.requestCertificate(
csrString, CertificateApprover.ApprovalType.TESTING_AUTOMATIC, SCM);
@@ -231,13 +229,13 @@ public void testRequestCertificateWithInvalidSubject() throws IOException,
ExecutionException, InterruptedException,
NoSuchProviderException, NoSuchAlgorithmException {
KeyPair keyPair =
- new HDDSKeyGenerator(conf).generateKey();
+ new HDDSKeyGenerator(securityConfig).generateKey();
PKCS10CertificationRequest csr = new CertificateSignRequest.Builder()
.addDnsName("hadoop.apache.org")
.addIpAddress("8.8.8.8")
.setCA(false)
.setSubject("Ozone Cluster")
- .setConfiguration(conf)
+ .setConfiguration(securityConfig)
.setKey(keyPair)
.build();
@@ -249,8 +247,7 @@ public void testRequestCertificateWithInvalidSubject() throws IOException,
RandomStringUtils.randomAlphabetic(4), caStore,
new DefaultProfile(),
Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString());
- testCA.init(new SecurityConfig(conf),
- CAType.ROOT);
+ testCA.init(securityConfig, CAType.ROOT);
Future holder = testCA.requestCertificate(
csrString, CertificateApprover.ApprovalType.TESTING_AUTOMATIC, OM);
@@ -269,17 +266,16 @@ public void testRevokeCertificates() throws Exception {
clusterId, scmId, caStore,
new DefaultProfile(),
Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString());
- testCA.init(new SecurityConfig(conf),
- CAType.ROOT);
+ testCA.init(securityConfig, CAType.ROOT);
KeyPair keyPair =
- new HDDSKeyGenerator(conf).generateKey();
+ new HDDSKeyGenerator(securityConfig).generateKey();
PKCS10CertificationRequest csr = new CertificateSignRequest.Builder()
.addDnsName("hadoop.apache.org")
.addIpAddress("8.8.8.8")
.setCA(false)
.setSubject("testCA")
- .setConfiguration(conf)
+ .setConfiguration(securityConfig)
.setKey(keyPair)
.build();
@@ -314,7 +310,7 @@ public void testRevokeCertificates() throws Exception {
public void testRequestCertificateWithInvalidSubjectFailure()
throws Exception {
KeyPair keyPair =
- new HDDSKeyGenerator(conf).generateKey();
+ new HDDSKeyGenerator(securityConfig).generateKey();
PKCS10CertificationRequest csr = new CertificateSignRequest.Builder()
.addDnsName("hadoop.apache.org")
.addIpAddress("8.8.8.8")
@@ -322,7 +318,7 @@ public void testRequestCertificateWithInvalidSubjectFailure()
.setScmID("wrong one")
.setClusterID("223432rf")
.setSubject("Ozone Cluster")
- .setConfiguration(conf)
+ .setConfiguration(securityConfig)
.setKey(keyPair)
.build();
@@ -334,8 +330,7 @@ public void testRequestCertificateWithInvalidSubjectFailure()
RandomStringUtils.randomAlphabetic(4), caStore,
new DefaultProfile(),
Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString());
- testCA.init(new SecurityConfig(conf),
- CAType.ROOT);
+ testCA.init(securityConfig, CAType.ROOT);
LambdaTestUtils.intercept(ExecutionException.class, "ScmId and " +
"ClusterId in CSR subject are incorrect",
@@ -356,7 +351,7 @@ public void testIntermediaryCAWithEmpty() {
new DefaultProfile(), Paths.get("scm").toString());
assertThrows(IllegalStateException.class,
- () -> scmCA.init(new SecurityConfig(conf), CAType.SUBORDINATE));
+ () -> scmCA.init(securityConfig, CAType.SUBORDINATE));
}
@Test
@@ -365,9 +360,8 @@ public void testExternalRootCA(@TempDir Path tempDir) throws Exception {
String externalCaCertFileName = "CaCert.pem";
setExternalPathsInConfig(tempDir, externalCaCertFileName);
- SecurityConfig securityConfig = new SecurityConfig(conf);
try (SCMCertificateClient scmCertificateClient =
- new SCMCertificateClient(new SecurityConfig(conf), null)) {
+ new SCMCertificateClient(securityConfig, null, null)) {
KeyPair keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
KeyCodec keyPEMWriter = new KeyCodec(securityConfig,
@@ -409,20 +403,20 @@ private void setExternalPathsInConfig(Path tempDir,
privateKeyPath);
conf.set(HddsConfigKeys.HDDS_X509_ROOTCA_PUBLIC_KEY_FILE,
publicKeyPath);
+ securityConfig = new SecurityConfig(conf);
}
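Review bot: Reassigning the `securityConfig` field inside `setExternalPathsInConfig` turns a helper named for setting paths into one that also swaps the test's whole security configuration, and any test that captured the previous instance (for example by passing it to a client) before calling the helper would keep using the stale one. The rebuild seems to be needed because the preceding `conf.set(...)` calls for the root-CA key and certificate paths would otherwise not be visible, which suggests SecurityConfig reads its values at construction — worth confirming and stating. A one-line comment above the assignment, `// SecurityConfig reads conf at construction: rebuild it so the root-CA paths set above take effect.`, would make the side effect explicit to later test authors. The helper's signature and opening lines are outside this hunk.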
@Test
public void testInitWithCertChain(@TempDir Path tempDir) throws Exception {
String externalCaCertFileName = "CaCert.pem";
setExternalPathsInConfig(tempDir, externalCaCertFileName);
- SecurityConfig securityConfig = new SecurityConfig(conf);
CertificateApprover approver = new DefaultApprover(new DefaultCAProfile(),
securityConfig);
try (SCMCertificateClient scmCertificateClient =
- new SCMCertificateClient(new SecurityConfig(conf), null)) {
+ new SCMCertificateClient(securityConfig, null, null)) {
String scmId = RandomStringUtils.randomAlphabetic(4);
String clusterId = RandomStringUtils.randomAlphabetic(4);
- KeyPair keyPair = new HDDSKeyGenerator(conf).generateKey();
+ KeyPair keyPair = new HDDSKeyGenerator(securityConfig).generateKey();
KeyCodec keyPEMWriter = new KeyCodec(securityConfig,
scmCertificateClient.getComponentName());
@@ -438,7 +432,7 @@ public void testInitWithCertChain(@TempDir Path tempDir) throws Exception {
.setClusterID(clusterId)
.setScmID(scmId)
.setSubject("Ozone Cluster")
- .setConfiguration(conf)
+ .setConfiguration(securityConfig)
.setKey(keyPair)
.build();
X509CertificateHolder externalCert = generateExternalCert(keyPair);
@@ -472,6 +466,7 @@ public void testInitWithCertChain(@TempDir Path tempDir) throws Exception {
public void testIntermediaryCA() throws Exception {
conf.set(HddsConfigKeys.HDDS_X509_MAX_DURATION, "P3650D");
+ securityConfig = new SecurityConfig(conf);
String clusterId = RandomStringUtils.randomAlphanumeric(4);
String scmId = RandomStringUtils.randomAlphanumeric(4);
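Review bot: The new `securityConfig = new SecurityConfig(conf);` line correctly follows the `conf.set(HDDS_X509_MAX_DURATION, "P3650D")` mutation, but both `conf` and `securityConfig` are fields, so the ten-year maximum duration persists beyond this test if `conf` is static or the class runs with a per-class lifecycle; under JUnit's default per-method lifecycle a non-static `conf` is fine. If `conf` is declared static (as it was in several other test classes touched by this commit) the override should be undone or the field made per-instance. A short comment such as `// SecurityConfig snapshots conf, so it must be rebuilt after the duration override above.` would also explain why the reassignment is not redundant with the field initialiser. The enclosing method continues past the end of this hunk.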
@@ -480,24 +475,24 @@ public void testIntermediaryCA() throws Exception {
clusterId, scmId, caStore, new DefaultProfile(),
Paths.get("scm", "ca").toString());
- rootCA.init(new SecurityConfig(conf), CAType.ROOT);
+ rootCA.init(securityConfig, CAType.ROOT);
try (SCMCertificateClient scmCertificateClient =
- new SCMCertificateClient(new SecurityConfig(conf), null)) {
+ new SCMCertificateClient(securityConfig, null, null)) {
CertificateClient.InitResponse response = scmCertificateClient.init();
assertEquals(CertificateClient.InitResponse.GETCERT, response);
// Generate cert
KeyPair keyPair =
- new HDDSKeyGenerator(conf).generateKey();
+ new HDDSKeyGenerator(securityConfig).generateKey();
PKCS10CertificationRequest csr = new CertificateSignRequest.Builder()
.addDnsName("hadoop.apache.org")
.addIpAddress("8.8.8.8")
.setCA(false)
.setSubject("testCA")
- .setConfiguration(conf)
+ .setConfiguration(securityConfig)
.setKey(keyPair)
.build();
@@ -527,7 +522,7 @@ clusterId, scmId, caStore, new DefaultProfile(),
CertificateCodec.getPEMEncodedString(certificateHolder), CAType.NONE);
CertificateCodec certCodec =
- new CertificateCodec(new SecurityConfig(conf),
+ new CertificateCodec(securityConfig,
scmCertificateClient.getComponentName());
certCodec.writeCertificate(certificateHolder);
@@ -538,7 +533,7 @@ clusterId, scmId, caStore, new DefaultProfile(),
scmCertificateClient.getComponentName());
try {
- scmCA.init(new SecurityConfig(conf), CAType.SUBORDINATE);
+ scmCA.init(securityConfig, CAType.SUBORDINATE);
} catch (Exception e) {
fail("testIntermediaryCA failed during init");
}
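Review bot: The rewritten `scmCA.init(securityConfig, CAType.SUBORDINATE)` call remains wrapped in a catch that reports a fixed `fail` message and drops the exception, so when the subordinate CA fails to validate its chain the actual cause never reaches the test report. Since this class already uses JUnit 5's `assertThrows` elsewhere, replacing the try/catch with `assertDoesNotThrow(() -> scmCA.init(securityConfig, CAType.SUBORDINATE));` would keep the stack trace, assuming that assertion is imported. The surrounding method starts outside this hunk.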
@@ -553,18 +548,16 @@ private X509CertificateHolder generateExternalCert(KeyPair keyPair)
String scmID = UUID.randomUUID().toString();
String subject = "testRootCert";
- SelfSignedCertificate.Builder builder =
- SelfSignedCertificate.newBuilder()
- .setBeginDate(notBefore)
- .setEndDate(notAfter)
- .setClusterID(clusterID)
- .setScmID(scmID)
- .setSubject(subject)
- .setKey(keyPair)
- .setConfiguration(conf)
- .makeCA();
-
- builder.addInetAddresses();
- return builder.build();
+ return SelfSignedCertificate.newBuilder()
+ .setBeginDate(notBefore)
+ .setEndDate(notAfter)
+ .setClusterID(clusterID)
+ .setScmID(scmID)
+ .setSubject(subject)
+ .setKey(keyPair)
+ .setConfiguration(securityConfig)
+ .makeCA()
+ .addInetAddresses()
+ .build();
}
}
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultProfile.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultProfile.java
index c72d63109872..4e60d7e967aa 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultProfile.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultProfile.java
@@ -21,7 +21,7 @@
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.profile.DefaultProfile;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
@@ -61,7 +61,6 @@
* Tests for the default PKI Profile.
*/
public class TestDefaultProfile {
- private OzoneConfiguration configuration;
private SecurityConfig securityConfig;
private DefaultProfile defaultProfile;
private MockApprover testApprover;
@@ -69,7 +68,7 @@ public class TestDefaultProfile {
@BeforeEach
public void setUp(@TempDir Path tempDir) throws Exception {
- configuration = new OzoneConfiguration();
+ OzoneConfiguration configuration = new OzoneConfiguration();
configuration.set(OZONE_METADATA_DIRS, tempDir.toString());
securityConfig = new SecurityConfig(configuration);
defaultProfile = new DefaultProfile();
@@ -112,7 +111,7 @@ public void testVerifyCertificate() throws SCMSecurityException,
.setClusterID("ClusterID")
.setScmID("SCMID")
.setSubject("Ozone Cluster")
- .setConfiguration(configuration)
+ .setConfiguration(securityConfig)
.setKey(keyPair)
.build();
assertTrue(testApprover.verifyPkcs10Request(csr));
@@ -144,7 +143,7 @@ public void testVerifyCertificateInvalidKeys() throws SCMSecurityException,
.setClusterID("ClusterID")
.setScmID("SCMID")
.setSubject("Ozone Cluster")
- .setConfiguration(configuration)
+ .setConfiguration(securityConfig)
.setKey(wrongKey)
.build();
// Signature verification should fail here, since the public/private key
@@ -168,7 +167,7 @@ public void testExtensions() throws SCMSecurityException {
.setClusterID("ClusterID")
.setScmID("SCMID")
.setSubject("Ozone Cluster")
- .setConfiguration(configuration)
+ .setConfiguration(securityConfig)
.setKey(keyPair)
.build();
assertTrue(testApprover.verfiyExtensions(csr));
@@ -190,7 +189,7 @@ public void testInvalidExtensionsWithCA() throws SCMSecurityException {
.setClusterID("ClusterID")
.setScmID("SCMID")
.setSubject("Ozone Cluster")
- .setConfiguration(configuration)
+ .setConfiguration(securityConfig)
.setKey(keyPair)
.build();
assertFalse(testApprover.verfiyExtensions(csr));
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClientTestImpl.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClientTestImpl.java
index c7215cef4e45..57801a5c13b1 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClientTestImpl.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClientTestImpl.java
@@ -45,7 +45,7 @@
import com.google.common.util.concurrent.ThreadFactoryBuilder;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.security.ssl.KeyStoresFactory;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CAType;
import org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultApprover;
import org.apache.hadoop.hdds.security.x509.certificate.authority.profile.DefaultProfile;
@@ -72,7 +72,6 @@
public class CertificateClientTestImpl implements CertificateClient {
- private final OzoneConfiguration config;
private final SecurityConfig securityConfig;
private KeyPair keyPair;
private X509Certificate x509Certificate;
@@ -98,10 +97,9 @@ public CertificateClientTestImpl(OzoneConfiguration conf, boolean autoRenew)
certificateMap = new ConcurrentHashMap<>();
securityConfig = new SecurityConfig(conf);
rootCerts = new HashSet<>();
- keyGen = new HDDSKeyGenerator(securityConfig.getConfiguration());
+ keyGen = new HDDSKeyGenerator(securityConfig);
keyPair = keyGen.generateKey();
rootKeyPair = keyGen.generateKey();
- config = conf;
LocalDateTime start = LocalDateTime.now();
String rootCACertDuration = conf.get(HDDS_X509_MAX_DURATION,
HDDS_X509_MAX_DURATION_DEFAULT);
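Review bot: The constructor still derives the root CA lifetime with `conf.get(HDDS_X509_MAX_DURATION, HDDS_X509_MAX_DURATION_DEFAULT)` and `Duration.parse`, while `renewRootCA` in this same commit reads it through `securityConfig.getMaxCertificateDuration()`, so the initial root certificate and a renewed one can end up with different validity if SecurityConfig validates or defaults that value differently from the raw string. Now that the `config` field is gone the constructor should take the same path: `Duration rootCACertDuration = securityConfig.getMaxCertificateDuration();` followed by `LocalDateTime end = start.plus(rootCACertDuration);`, which likely also makes the `HDDS_X509_MAX_DURATION*` imports unused. The constructor continues past the end of this hunk.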
@@ -115,7 +113,7 @@ public CertificateClientTestImpl(OzoneConfiguration conf, boolean autoRenew)
.setClusterID("cluster1")
.setKey(rootKeyPair)
.setSubject("rootCA@localhost")
- .setConfiguration(config)
+ .setConfiguration(securityConfig)
.setScmID("scm1")
.makeCA();
rootCert = new JcaX509CertificateConverter().getCertificate(
@@ -130,7 +128,7 @@ public CertificateClientTestImpl(OzoneConfiguration conf, boolean autoRenew)
new CertificateSignRequest.Builder();
// Get host name.
csrBuilder.setKey(keyPair)
- .setConfiguration(config)
+ .setConfiguration(securityConfig)
.setScmID("scm1")
.setClusterID("cluster1")
.setSubject("localhost")
@@ -300,9 +298,8 @@ public List updateCAList() throws IOException {
public void renewRootCA() throws Exception {
LocalDateTime start = LocalDateTime.now();
- String rootCACertDuration = config.get(HDDS_X509_MAX_DURATION,
- HDDS_X509_MAX_DURATION_DEFAULT);
- LocalDateTime end = start.plus(Duration.parse(rootCACertDuration));
+ Duration rootCACertDuration = securityConfig.getMaxCertificateDuration();
+ LocalDateTime end = start.plus(rootCACertDuration);
rootKeyPair = keyGen.generateKey();
SelfSignedCertificate.Builder builder =
SelfSignedCertificate.newBuilder()
@@ -311,7 +308,7 @@ public void renewRootCA() throws Exception {
.setClusterID("cluster1")
.setKey(rootKeyPair)
.setSubject("rootCA-new@localhost")
- .setConfiguration(config)
+ .setConfiguration(securityConfig)
.setScmID("scm1")
.makeCA(BigInteger.ONE.add(BigInteger.ONE));
rootCert = new JcaX509CertificateConverter().getCertificate(
@@ -326,19 +323,18 @@ public void renewKey() throws Exception {
new CertificateSignRequest.Builder();
// Get host name.
csrBuilder.setKey(newKeyPair)
- .setConfiguration(config)
+ .setConfiguration(securityConfig)
.setScmID("scm1")
.setClusterID("cluster1")
.setSubject("localhost")
.setDigitalSignature(true);
- String certDuration = config.get(HDDS_X509_DEFAULT_DURATION,
- HDDS_X509_DEFAULT_DURATION_DEFAULT);
+ Duration certDuration = securityConfig.getDefaultCertDuration();
Date start = new Date();
X509CertificateHolder certificateHolder =
approver.sign(securityConfig, rootKeyPair.getPrivate(),
new X509CertificateHolder(rootCert.getEncoded()), start,
- new Date(start.getTime() + Duration.parse(certDuration).toMillis()),
+ new Date(start.getTime() + certDuration.toMillis()),
csrBuilder.build(), "scm1", "cluster1");
X509Certificate newX509Certificate =
new JcaX509CertificateConverter().getCertificate(certificateHolder);
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDefaultCertificateClient.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDefaultCertificateClient.java
index d2d313e01d34..2fe0bf84ea24 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDefaultCertificateClient.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDefaultCertificateClient.java
@@ -55,7 +55,7 @@
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.apache.ozone.test.GenericTestUtils;
@@ -96,6 +96,7 @@ public class TestDefaultCertificateClient {
private HDDSKeyGenerator keyGenerator;
private Path dnMetaDirPath;
private SecurityConfig dnSecurityConfig;
+ private SCMSecurityProtocolClientSideTranslatorPB scmSecurityClient;
private static final String DN_COMPONENT = DNCertificateClient.COMPONENT_NAME;
private KeyCodec dnKeyCodec;
@@ -117,6 +118,7 @@ public void setUp() throws Exception {
Files.createDirectories(dnSecurityConfig.getKeyLocation(DN_COMPONENT));
x509Certificate = generateX509Cert(null);
certSerialId = x509Certificate.getSerialNumber().toString();
+ scmSecurityClient = mock(SCMSecurityProtocolClientSideTranslatorPB.class);
getCertClient();
}
@@ -124,7 +126,8 @@ private void getCertClient() throws IOException {
if (dnCertClient != null) {
dnCertClient.close();
}
- dnCertClient = new DNCertificateClient(dnSecurityConfig,
+
+ dnCertClient = new DNCertificateClient(dnSecurityConfig, scmSecurityClient,
MockDatanodeDetails.randomDatanodeDetails(), certSerialId, null,
() -> System.exit(1));
}
@@ -321,7 +324,7 @@ public void testCertificateLoadingOnInit() throws Exception {
if (dnCertClient != null) {
dnCertClient.close();
}
- dnCertClient = new DNCertificateClient(dnSecurityConfig, null,
+ dnCertClient = new DNCertificateClient(dnSecurityConfig, null, null,
certSerialId, null, null);
assertNotNull(dnCertClient.getCertificate(cert1.getSerialNumber()
@@ -463,7 +466,7 @@ public void testCertificateExpirationHandlingInInit() throws Exception {
when(mockCert.getNotAfter()).thenReturn(expiration);
try (DefaultCertificateClient client =
- new DefaultCertificateClient(config, mockLogger, certId, compName,
+ new DefaultCertificateClient(config, null, mockLogger, certId, compName,
null, null) {
@Override
public PrivateKey getPrivateKey() {
@@ -524,10 +527,7 @@ public void testRenewAndStoreKeyAndCertificate() throws Exception {
certCodec.writeCertificate(
new X509CertificateHolder(x509Certificate.getEncoded()));
- SCMSecurityProtocolClientSideTranslatorPB scmClient =
- mock(SCMSecurityProtocolClientSideTranslatorPB.class);
X509Certificate newCert = generateX509Cert(null);
- dnCertClient.setSecureScmClient(scmClient);
String pemCert = CertificateCodec.getPEMEncodedString(newCert);
SCMSecurityProtocolProtos.SCMGetCertResponseProto responseProto =
SCMSecurityProtocolProtos.SCMGetCertResponseProto
@@ -536,7 +536,7 @@ public void testRenewAndStoreKeyAndCertificate() throws Exception {
.setX509Certificate(pemCert)
.setX509CACertificate(pemCert)
.build();
- when(scmClient.getDataNodeCertificateChain(any(), anyString()))
+ when(scmSecurityClient.getDataNodeCertificateChain(any(), anyString()))
.thenReturn(responseProto);
String certID = dnCertClient.getCertificate().getSerialNumber().toString();
@@ -615,7 +615,7 @@ public void testCloseCertificateClient(@TempDir File metaDir)
Logger logger = mock(Logger.class);
String certId = cert.getSerialNumber().toString();
DefaultCertificateClient client = new DefaultCertificateClient(
- conf, logger, certId, compName, null, null
+ conf, null, logger, certId, compName, null, null
) {
@Override
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDnCertificateClientInit.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDnCertificateClientInit.java
index 54cf5b6ad7f9..ad8a9578a4d4 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDnCertificateClientInit.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDnCertificateClientInit.java
@@ -20,7 +20,7 @@
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.apache.hadoop.hdds.security.x509.keys.KeyCodec;
@@ -93,7 +93,8 @@ public void setUp() throws Exception {
x509Certificate = getX509Certificate();
certSerialId = x509Certificate.getSerialNumber().toString();
dnCertificateClient =
- new DNCertificateClient(securityConfig, null, certSerialId, null, null);
+ new DNCertificateClient(
+ securityConfig, null, null, certSerialId, null, null);
dnKeyCodec = new KeyCodec(securityConfig, DN_COMPONENT);
Files.createDirectories(securityConfig.getKeyLocation(DN_COMPONENT));
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestCRLCodec.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestCRLCodec.java
index bc22252584c7..c975198c266c 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestCRLCodec.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestCRLCodec.java
@@ -47,7 +47,7 @@
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.crl.CRLCodec;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.bouncycastle.asn1.x500.X500Name;
@@ -68,7 +68,6 @@
*/
public class TestCRLCodec {
- private static OzoneConfiguration conf = new OzoneConfiguration();
private static final String COMPONENT = "test";
private SecurityConfig securityConfig;
private X509CertificateHolder x509CertificateHolder;
@@ -93,7 +92,7 @@ public class TestCRLCodec {
public void init(@TempDir Path tempDir) throws NoSuchProviderException,
NoSuchAlgorithmException, IOException,
CertificateException, OperatorCreationException {
-
+ OzoneConfiguration conf = new OzoneConfiguration();
conf.set(OZONE_METADATA_DIRS, tempDir.toString());
securityConfig = new SecurityConfig(conf);
writeTempCert();
@@ -242,8 +241,7 @@ public void testGetX509CRLFromCRLHolder() throws IOException,
*/
private void writeTempCert() throws NoSuchProviderException,
NoSuchAlgorithmException, IOException {
- HDDSKeyGenerator keyGenerator =
- new HDDSKeyGenerator(conf);
+ HDDSKeyGenerator keyGenerator = new HDDSKeyGenerator(securityConfig);
keyPair = keyGenerator.generateKey();
LocalDateTime startDate = LocalDateTime.now();
LocalDateTime endDate = startDate.plusDays(1);
@@ -254,8 +252,7 @@ private void writeTempCert() throws NoSuchProviderException,
.setScmID(RandomStringUtils.randomAlphabetic(4))
.setBeginDate(startDate)
.setEndDate(endDate)
- .setConfiguration(keyGenerator.getSecurityConfig()
- .getConfiguration())
+ .setConfiguration(securityConfig)
.setKey(keyPair)
.makeCA()
.build();
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestCertificateCodec.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestCertificateCodec.java
index 9b8eaaa6a48a..f2ae1221f1b7 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestCertificateCodec.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestCertificateCodec.java
@@ -23,7 +23,7 @@
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory;
@@ -51,13 +51,12 @@
* Tests the Certificate codecs.
*/
public class TestCertificateCodec {
- private OzoneConfiguration conf;
private static final String COMPONENT = "test";
private SecurityConfig securityConfig;
@BeforeEach
public void init(@TempDir Path tempDir) {
- conf = new OzoneConfiguration();
+ OzoneConfiguration conf = new OzoneConfiguration();
conf.set(OZONE_METADATA_DIRS, tempDir.toString());
securityConfig = new SecurityConfig(conf);
}
@@ -260,7 +259,7 @@ public void testMultipleCertReadWrite() throws IOException,
private X509CertificateHolder generateTestCert()
throws IOException, NoSuchProviderException, NoSuchAlgorithmException {
HDDSKeyGenerator keyGenerator =
- new HDDSKeyGenerator(conf);
+ new HDDSKeyGenerator(securityConfig);
LocalDateTime startDate = LocalDateTime.now();
LocalDateTime endDate = startDate.plusDays(1);
return SelfSignedCertificate.newBuilder()
@@ -269,8 +268,7 @@ private X509CertificateHolder generateTestCert()
.setScmID(RandomStringUtils.randomAlphabetic(4))
.setBeginDate(startDate)
.setEndDate(endDate)
- .setConfiguration(keyGenerator.getSecurityConfig()
- .getConfiguration())
+ .setConfiguration(securityConfig)
.setKey(keyGenerator.generateKey())
.makeCA()
.build();
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestCertificateSignRequest.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestCertificateSignRequest.java
index 43981183aaf8..2c71e2b36823 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestCertificateSignRequest.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestCertificateSignRequest.java
@@ -20,7 +20,7 @@
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
@@ -59,11 +59,11 @@
*/
public class TestCertificateSignRequest {
- private static OzoneConfiguration conf = new OzoneConfiguration();
private SecurityConfig securityConfig;
@BeforeEach
public void init(@TempDir Path tempDir) throws IOException {
+ OzoneConfiguration conf = new OzoneConfiguration();
conf.set(OZONE_METADATA_DIRS, tempDir.toString());
securityConfig = new SecurityConfig(conf);
}
@@ -76,7 +76,7 @@ public void testGenerateCSR() throws NoSuchProviderException,
String scmID = UUID.randomUUID().toString();
String subject = "DN001";
HDDSKeyGenerator keyGen =
- new HDDSKeyGenerator(securityConfig.getConfiguration());
+ new HDDSKeyGenerator(securityConfig);
KeyPair keyPair = keyGen.generateKey();
CertificateSignRequest.Builder builder =
@@ -85,7 +85,7 @@ public void testGenerateCSR() throws NoSuchProviderException,
.setScmID(scmID)
.setClusterID(clusterID)
.setKey(keyPair)
- .setConfiguration(conf);
+ .setConfiguration(securityConfig);
PKCS10CertificationRequest csr = builder.build();
// Check the Subject Name is in the expected format.
@@ -128,7 +128,7 @@ public void testGenerateCSRwithSan() throws NoSuchProviderException,
String scmID = UUID.randomUUID().toString();
String subject = "DN001";
HDDSKeyGenerator keyGen =
- new HDDSKeyGenerator(securityConfig.getConfiguration());
+ new HDDSKeyGenerator(securityConfig);
KeyPair keyPair = keyGen.generateKey();
CertificateSignRequest.Builder builder =
@@ -137,7 +137,7 @@ public void testGenerateCSRwithSan() throws NoSuchProviderException,
.setScmID(scmID)
.setClusterID(clusterID)
.setKey(keyPair)
- .setConfiguration(conf);
+ .setConfiguration(securityConfig);
// Multi-home
builder.addIpAddress("192.168.1.1");
@@ -184,7 +184,7 @@ public void testGenerateCSRWithInvalidParams() throws NoSuchProviderException,
String scmID = UUID.randomUUID().toString();
String subject = "DN001";
HDDSKeyGenerator keyGen =
- new HDDSKeyGenerator(securityConfig.getConfiguration());
+ new HDDSKeyGenerator(securityConfig);
KeyPair keyPair = keyGen.generateKey();
CertificateSignRequest.Builder builder =
@@ -193,7 +193,7 @@ public void testGenerateCSRWithInvalidParams() throws NoSuchProviderException,
.setScmID(scmID)
.setClusterID(clusterID)
.setKey(keyPair)
- .setConfiguration(conf);
+ .setConfiguration(securityConfig);
try {
builder.setKey(null);
@@ -253,7 +253,7 @@ public void testCsrSerialization() throws NoSuchProviderException,
String scmID = UUID.randomUUID().toString();
String subject = "DN001";
HDDSKeyGenerator keyGen =
- new HDDSKeyGenerator(securityConfig.getConfiguration());
+ new HDDSKeyGenerator(securityConfig);
KeyPair keyPair = keyGen.generateKey();
CertificateSignRequest.Builder builder =
@@ -262,7 +262,7 @@ public void testCsrSerialization() throws NoSuchProviderException,
.setScmID(scmID)
.setClusterID(clusterID)
.setKey(keyPair)
- .setConfiguration(conf);
+ .setConfiguration(securityConfig);
PKCS10CertificationRequest csr = builder.build();
byte[] csrBytes = csr.getEncoded();
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestRootCertificate.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestRootCertificate.java
index 0682585e7e23..b725bd9ca243 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestRootCertificate.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestRootCertificate.java
@@ -21,7 +21,7 @@
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.X509CertificateHolder;
@@ -31,13 +31,10 @@
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.io.TempDir;
-import java.io.IOException;
import java.math.BigInteger;
import java.nio.file.Path;
import java.security.InvalidKeyException;
import java.security.KeyPair;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
@@ -52,27 +49,24 @@
* Test Class for Root Certificate generation.
*/
public class TestRootCertificate {
- private static OzoneConfiguration conf = new OzoneConfiguration();
private SecurityConfig securityConfig;
@BeforeEach
public void init(@TempDir Path tempDir) {
+ OzoneConfiguration conf = new OzoneConfiguration();
conf.set(OZONE_METADATA_DIRS, tempDir.toString());
securityConfig = new SecurityConfig(conf);
}
@Test
- public void testAllFieldsAreExpected()
- throws SCMSecurityException, NoSuchProviderException,
- NoSuchAlgorithmException, CertificateException,
- SignatureException, InvalidKeyException, IOException {
+ public void testAllFieldsAreExpected() throws Exception {
LocalDateTime notBefore = LocalDateTime.now();
LocalDateTime notAfter = notBefore.plusYears(1);
String clusterID = UUID.randomUUID().toString();
String scmID = UUID.randomUUID().toString();
String subject = "testRootCert";
HDDSKeyGenerator keyGen =
- new HDDSKeyGenerator(securityConfig.getConfiguration());
+ new HDDSKeyGenerator(securityConfig);
KeyPair keyPair = keyGen.generateKey();
SelfSignedCertificate.Builder builder =
@@ -83,7 +77,7 @@ public void testAllFieldsAreExpected()
.setScmID(scmID)
.setSubject(subject)
.setKey(keyPair)
- .setConfiguration(conf);
+ .setConfiguration(securityConfig);
X509CertificateHolder certificateHolder = builder.build();
@@ -126,19 +120,17 @@ public void testAllFieldsAreExpected()
}
@Test
- public void testCACert(@TempDir Path basePath)
- throws SCMSecurityException, NoSuchProviderException,
- NoSuchAlgorithmException, IOException, CertificateException {
+ public void testCACert(@TempDir Path basePath) throws Exception {
LocalDateTime notBefore = LocalDateTime.now();
LocalDateTime notAfter = notBefore.plusYears(1);
String clusterID = UUID.randomUUID().toString();
String scmID = UUID.randomUUID().toString();
String subject = "testRootCert";
HDDSKeyGenerator keyGen =
- new HDDSKeyGenerator(securityConfig.getConfiguration());
+ new HDDSKeyGenerator(securityConfig);
KeyPair keyPair = keyGen.generateKey();
- SelfSignedCertificate.Builder builder =
+ X509CertificateHolder certificateHolder =
SelfSignedCertificate.newBuilder()
.setBeginDate(notBefore)
.setEndDate(notAfter)
@@ -146,12 +138,11 @@ public void testCACert(@TempDir Path basePath)
.setScmID(scmID)
.setSubject(subject)
.setKey(keyPair)
- .setConfiguration(conf)
- .makeCA();
+ .setConfiguration(securityConfig)
+ .makeCA()
+ .addInetAddresses()
+ .build();
- builder.addInetAddresses();
-
- X509CertificateHolder certificateHolder = builder.build();
// This time we asked for a CertificateServer Certificate, make sure that
// extension is
// present and valid.
@@ -180,16 +171,14 @@ public void testCACert(@TempDir Path basePath)
}
@Test
- public void testInvalidParamFails()
- throws SCMSecurityException, NoSuchProviderException,
- NoSuchAlgorithmException, IOException {
+ public void testInvalidParamFails() throws Exception {
LocalDateTime notBefore = LocalDateTime.now();
LocalDateTime notAfter = notBefore.plusYears(1);
String clusterID = UUID.randomUUID().toString();
String scmID = UUID.randomUUID().toString();
String subject = "testRootCert";
HDDSKeyGenerator keyGen =
- new HDDSKeyGenerator(securityConfig.getConfiguration());
+ new HDDSKeyGenerator(securityConfig);
KeyPair keyPair = keyGen.generateKey();
SelfSignedCertificate.Builder builder =
@@ -199,7 +188,7 @@ public void testInvalidParamFails()
.setClusterID(clusterID)
.setScmID(scmID)
.setSubject(subject)
- .setConfiguration(conf)
+ .setConfiguration(securityConfig)
.setKey(keyPair)
.makeCA();
try {
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/keys/TestHDDSKeyGenerator.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/keys/TestHDDSKeyGenerator.java
index d96e9426cc08..954edcc27b86 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/keys/TestHDDSKeyGenerator.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/keys/TestHDDSKeyGenerator.java
@@ -27,7 +27,7 @@
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.ozone.test.GenericTestUtils;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
@@ -56,7 +56,7 @@ public void init() {
@Test
public void testGenerateKey()
throws NoSuchProviderException, NoSuchAlgorithmException {
- HDDSKeyGenerator keyGen = new HDDSKeyGenerator(config.getConfiguration());
+ HDDSKeyGenerator keyGen = new HDDSKeyGenerator(config);
KeyPair keyPair = keyGen.generateKey();
Assertions.assertEquals(config.getKeyAlgo(),
keyPair.getPrivate().getAlgorithm());
@@ -76,7 +76,7 @@ public void testGenerateKey()
@Test
public void testGenerateKeyWithSize() throws NoSuchProviderException,
NoSuchAlgorithmException {
- HDDSKeyGenerator keyGen = new HDDSKeyGenerator(config.getConfiguration());
+ HDDSKeyGenerator keyGen = new HDDSKeyGenerator(config);
KeyPair keyPair = keyGen.generateKey(4096);
PublicKey publicKey = keyPair.getPublic();
if (publicKey instanceof RSAPublicKey) {
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/keys/TestKeyCodec.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/keys/TestKeyCodec.java
index 83b9a800e152..a54e297a13d0 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/keys/TestKeyCodec.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/keys/TestKeyCodec.java
@@ -40,7 +40,7 @@
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.ozone.test.LambdaTestUtils;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
@@ -52,7 +52,6 @@
*/
public class TestKeyCodec {
- private OzoneConfiguration configuration;
private SecurityConfig securityConfig;
private String component;
private HDDSKeyGenerator keyGenerator;
@@ -60,11 +59,11 @@ public class TestKeyCodec {
@BeforeEach
public void init(@TempDir Path tempDir) throws IOException {
- configuration = new OzoneConfiguration();
+ OzoneConfiguration configuration = new OzoneConfiguration();
prefix = tempDir.toString();
configuration.set(HDDS_METADATA_DIR_NAME, prefix);
- keyGenerator = new HDDSKeyGenerator(configuration);
securityConfig = new SecurityConfig(configuration);
+ keyGenerator = new HDDSKeyGenerator(securityConfig);
component = "test_component";
}
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/HASecurityUtils.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/HASecurityUtils.java
index ee25fc50c534..a8cb1880ee06 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/HASecurityUtils.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/HASecurityUtils.java
@@ -21,9 +21,11 @@
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto;
import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
import org.apache.hadoop.hdds.ratis.RatisHelper;
+import org.apache.hadoop.hdds.scm.proxy.SCMClientConfig;
+import org.apache.hadoop.hdds.scm.proxy.SCMSecurityProtocolFailoverProxyProvider;
import org.apache.hadoop.hdds.scm.server.SCMStorageConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.ssl.KeyStoresFactory;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CAType;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateStore;
@@ -35,7 +37,7 @@
import org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest;
-import org.apache.hadoop.hdds.utils.HddsServerUtil;
+import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ratis.client.RaftClient;
import org.apache.ratis.conf.RaftProperties;
import org.apache.ratis.grpc.GrpcTlsConfig;
@@ -61,11 +63,15 @@
import java.util.concurrent.TimeUnit;
import static org.apache.hadoop.hdds.protocol.proto.HddsProtos.NodeType.SCM;
+import static org.apache.hadoop.hdds.scm.ScmConfigKeys.OZONE_SCM_INFO_WAIT_DURATION;
+import static org.apache.hadoop.hdds.scm.ScmConfigKeys.OZONE_SCM_INFO_WAIT_DURATION_DEFAULT;
import static org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateApprover.ApprovalType.KERBEROS_TRUSTED;
import static org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest.getEncodedString;
+import static org.apache.hadoop.hdds.utils.HddsServerUtil.getScmSecurityClientWithMaxRetry;
import static org.apache.hadoop.ozone.OzoneConsts.SCM_ROOT_CA_COMPONENT_NAME;
import static org.apache.hadoop.ozone.OzoneConsts.SCM_ROOT_CA_PREFIX;
import static org.apache.hadoop.ozone.OzoneConsts.SCM_SUB_CA_PREFIX;
+import static org.apache.hadoop.security.UserGroupInformation.getCurrentUser;
/**
* Utilities for SCM HA security.
@@ -92,9 +98,12 @@ public static void initializeSecurity(SCMStorageConfig scmStorageConfig,
throws IOException {
LOG.info("Initializing secure StorageContainerManager.");
+ SecurityConfig securityConfig = new SecurityConfig(conf);
+ SCMSecurityProtocolClientSideTranslatorPB scmSecurityClient =
+ getScmSecurityClientWithMaxRetry(conf, getCurrentUser());
try (CertificateClient certClient =
new SCMCertificateClient(
- new SecurityConfig(conf), scmStorageConfig.getScmId())) {
+ securityConfig, scmSecurityClient, scmStorageConfig.getScmId())) {
InitResponse response = certClient.init();
LOG.info("Init response: {}", response);
switch (response) {
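Review bot: The max-retry security client built at the top of this hunk (`getScmSecurityClientWithMaxRetry(conf, getCurrentUser())`) is created unconditionally and outside the try-with-resources, so its lifetime depends on whether `SCMCertificateClient.close()` releases a client it did not create, which is not visible here. If it does not, the SUCCESS and primary-SCM branches leave that client (presumably an RPC proxy, like the failover-provider-backed one constructed at the end of this file) open, and the non-primary branch additionally opens a second, fixed-duration client inside getRootCASignedSCMCert. I would state the ownership in a comment, `// owned by certClient; released when certClient is closed`, or close it explicitly in a finally after the try block. The same construction appears in StorageContainerManager.initializeCertificateClient and createContainerTokenSecretManager. initializeSecurity's signature and the rest of its body lie outside this hunk.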
@@ -103,11 +112,11 @@ public static void initializeSecurity(SCMStorageConfig scmStorageConfig,
break;
case GETCERT:
if (!primaryscm) {
- getRootCASignedSCMCert(certClient, conf, scmStorageConfig,
- scmAddress);
+ getRootCASignedSCMCert(conf, certClient, securityConfig,
+ scmStorageConfig, scmAddress);
} else {
- getPrimarySCMSelfSignedCert(certClient, conf, scmStorageConfig,
- scmAddress);
+ getPrimarySCMSelfSignedCert(certClient, securityConfig,
+ scmStorageConfig, scmAddress);
}
LOG.info("Successfully stored SCM signed certificate.");
break;
@@ -131,13 +140,17 @@ public static void initializeSecurity(SCMStorageConfig scmStorageConfig,
* certificate using scm security client and store it using certificate
* client.
*/
- private static void getRootCASignedSCMCert(CertificateClient client,
- OzoneConfiguration config,
- SCMStorageConfig scmStorageConfig, InetSocketAddress scmAddress) {
+ private static void getRootCASignedSCMCert(
+ OzoneConfiguration configuration,
+ CertificateClient client,
+ SecurityConfig securityConfig,
+ SCMStorageConfig scmStorageConfig,
+ InetSocketAddress scmAddress
+ ) {
try {
// Generate CSR.
PKCS10CertificationRequest csr = generateCSR(client, scmStorageConfig,
- config, scmAddress);
+ securityConfig, scmAddress);
ScmNodeDetailsProto scmNodeDetailsProto =
ScmNodeDetailsProto.newBuilder()
@@ -147,7 +160,7 @@ private static void getRootCASignedSCMCert(CertificateClient client,
// Create SCM security client.
SCMSecurityProtocolClientSideTranslatorPB secureScmClient =
- HddsServerUtil.getScmSecurityClientWithFixedDuration(config);
+ getScmSecurityClientWithFixedDuration(configuration);
// Get SCM sub CA cert.
SCMGetCertResponseProto response = secureScmClient.
@@ -161,7 +174,7 @@ private static void getRootCASignedSCMCert(CertificateClient client,
pemEncodedRootCert, CAType.SUBORDINATE);
client.storeCertificate(pemEncodedCert, CAType.NONE);
//note: this does exactly the same as store certificate
- persistSubCACertificate(config, client,
+ persistSubCACertificate(securityConfig, client,
pemEncodedCert);
X509Certificate certificate =
@@ -184,7 +197,7 @@ private static void getRootCASignedSCMCert(CertificateClient client,
* root CA certificate server and store it using certificate client.
*/
private static void getPrimarySCMSelfSignedCert(CertificateClient client,
- OzoneConfiguration config, SCMStorageConfig scmStorageConfig,
+ SecurityConfig config, SCMStorageConfig scmStorageConfig,
InetSocketAddress scmAddress) {
try {
@@ -240,7 +253,7 @@ private static void getPrimarySCMSelfSignedCert(CertificateClient client,
* @param scmStorageConfig
*/
public static CertificateServer initializeRootCertificateServer(
- OzoneConfiguration config, CertificateStore scmCertStore,
+ SecurityConfig config, CertificateStore scmCertStore,
SCMStorageConfig scmStorageConfig, PKIProfile pkiProfile)
throws IOException {
String subject = SCM_ROOT_CA_PREFIX +
@@ -251,7 +264,7 @@ public static CertificateServer initializeRootCertificateServer(
scmStorageConfig.getScmId(), scmCertStore, pkiProfile,
SCM_ROOT_CA_COMPONENT_NAME);
- rootCAServer.init(new SecurityConfig(config), CAType.ROOT);
+ rootCAServer.init(config, CAType.ROOT);
return rootCAServer;
}
@@ -261,7 +274,7 @@ public static CertificateServer initializeRootCertificateServer(
*/
private static PKCS10CertificationRequest generateCSR(
CertificateClient client, SCMStorageConfig scmStorageConfig,
- OzoneConfiguration config, InetSocketAddress scmAddress)
+ SecurityConfig config, InetSocketAddress scmAddress)
throws IOException {
CertificateSignRequest.Builder builder = client.getCSRBuilder();
@@ -293,17 +306,14 @@ private static PKCS10CertificationRequest generateCSR(
* @param certificateHolder
* @throws IOException
*/
- private static void persistSubCACertificate(OzoneConfiguration config,
+ private static void persistSubCACertificate(SecurityConfig config,
CertificateClient certificateClient,
String certificateHolder) throws IOException {
- SecurityConfig securityConfig = new SecurityConfig(config);
CertificateCodec certCodec =
- new CertificateCodec(securityConfig,
- certificateClient.getComponentName());
+ new CertificateCodec(config, certificateClient.getComponentName());
certCodec.writeCertificate(certCodec.getLocation().toAbsolutePath(),
- securityConfig.getCertificateFileName(),
- certificateHolder);
+ config.getCertificateFileName(), certificateHolder);
}
/**
@@ -358,4 +368,28 @@ public static SCMRatisResponse submitScmCertsToRatis(RaftGroup raftGroup,
return SCMRatisResponse.decode(raftClientReply);
}
}
+
+ private static SCMSecurityProtocolClientSideTranslatorPB
+ getScmSecurityClientWithFixedDuration(OzoneConfiguration conf)
+ throws IOException {
+ // As for OM during init, we need to wait for specific duration so that
+ // we can give response to user performed operation init in a definite
+ // period, instead of stuck for ever.
+ long duration = conf.getTimeDuration(OZONE_SCM_INFO_WAIT_DURATION,
+ OZONE_SCM_INFO_WAIT_DURATION_DEFAULT, TimeUnit.SECONDS);
+ SCMClientConfig scmClientConfig = conf.getObject(SCMClientConfig.class);
+ int retryCount =
+ (int) (duration / (scmClientConfig.getRetryInterval() / 1000));
+
+ // If duration is set to lesser value, fall back to actual default
+ // retry count.
+ if (retryCount > scmClientConfig.getRetryCount()) {
+ scmClientConfig.setRetryCount(retryCount);
+ conf.setFromObject(scmClientConfig);
+ }
+
+ return new SCMSecurityProtocolClientSideTranslatorPB(
+ new SCMSecurityProtocolFailoverProxyProvider(conf,
+ UserGroupInformation.getCurrentUser()));
+ }
}
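Review bot: `retryCount` is computed as `duration / (scmClientConfig.getRetryInterval() / 1000)`, so a retry interval below 1000 (presumably milliseconds, given the division) makes the divisor zero and, if the getter returns an integral type, throws ArithmeticException during SCM init. A guard such as `long intervalSeconds = Math.max(1, scmClientConfig.getRetryInterval() / 1000);` followed by `int retryCount = (int) (duration / intervalSeconds);` avoids that. `conf.setFromObject(scmClientConfig)` also writes the raised retry count back into the caller's configuration, a side effect that outlives this call and deserves a comment. The opening comment still says "As for OM during init" although this is SCM code, so reword it, and `UserGroupInformation.getCurrentUser()` on the last line could use the `getCurrentUser` static import added at the top of this file, as initializeSecurity already does.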
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/InterSCMGrpcClient.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/InterSCMGrpcClient.java
index 14d2823fff41..8211e758aeae 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/InterSCMGrpcClient.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/InterSCMGrpcClient.java
@@ -23,8 +23,8 @@
import org.apache.hadoop.hdds.protocol.scm.proto.InterSCMProtocolProtos.CopyDBCheckpointResponseProto;
import org.apache.hadoop.hdds.protocol.scm.proto.InterSCMProtocolServiceGrpc;
import org.apache.hadoop.hdds.scm.ScmConfigKeys;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.ssl.KeyStoresFactory;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.ozone.OzoneConsts;
import org.apache.ratis.thirdparty.io.grpc.ManagedChannel;
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/InterSCMGrpcProtocolService.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/InterSCMGrpcProtocolService.java
index 7487c2437874..7197bb1cd601 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/InterSCMGrpcProtocolService.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/InterSCMGrpcProtocolService.java
@@ -25,7 +25,7 @@
import org.apache.hadoop.hdds.conf.ConfigurationSource;
import org.apache.hadoop.hdds.scm.ScmConfigKeys;
import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.ozone.OzoneConsts;
import org.apache.ratis.thirdparty.io.grpc.Server;
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/SCMHAManagerImpl.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/SCMHAManagerImpl.java
index aeefdcbbf072..54de06efb98a 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/SCMHAManagerImpl.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/SCMHAManagerImpl.java
@@ -29,8 +29,8 @@
import org.apache.hadoop.hdds.scm.metadata.SCMMetadataStore;
import org.apache.hadoop.hdds.scm.security.SecretKeyManagerService;
import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.symmetric.ManagedSecretKey;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.utils.HAUtils;
import com.google.common.annotations.VisibleForTesting;
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/SCMRatisServerImpl.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/SCMRatisServerImpl.java
index fa4e12e0b422..51b6e3fba9fc 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/SCMRatisServerImpl.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/SCMRatisServerImpl.java
@@ -38,7 +38,7 @@
import org.apache.hadoop.hdds.scm.RemoveSCMRequest;
import org.apache.hadoop.hdds.scm.ScmConfigKeys;
import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.ozone.OzoneConsts;
import org.apache.hadoop.util.Time;
import org.apache.ratis.conf.Parameters;
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/security/RootCARotationManager.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/security/RootCARotationManager.java
index 0eee052f8b67..bbd883cb6053 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/security/RootCARotationManager.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/security/RootCARotationManager.java
@@ -24,7 +24,7 @@
import org.apache.hadoop.hdds.scm.ha.SCMService;
import org.apache.hadoop.hdds.scm.ha.SCMServiceException;
import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/security/SecretKeyManagerService.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/security/SecretKeyManagerService.java
index 1761f9799223..0d4fbad2c625 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/security/SecretKeyManagerService.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/security/SecretKeyManagerService.java
@@ -21,12 +21,12 @@
import org.apache.hadoop.hdds.scm.ha.SCMContext;
import org.apache.hadoop.hdds.scm.ha.SCMRatisServer;
import org.apache.hadoop.hdds.scm.ha.SCMService;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.symmetric.LocalSecretKeyStore;
import org.apache.hadoop.hdds.security.symmetric.SecretKeyConfig;
import org.apache.hadoop.hdds.security.symmetric.SecretKeyManager;
import org.apache.hadoop.hdds.security.symmetric.SecretKeyState;
import org.apache.hadoop.hdds.security.symmetric.SecretKeyStore;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMClientProtocolServer.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMClientProtocolServer.java
index 292597bbac38..37d2ba32fc51 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMClientProtocolServer.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMClientProtocolServer.java
@@ -72,7 +72,7 @@
import org.apache.hadoop.hdds.scm.protocol.StorageContainerLocationProtocol;
import org.apache.hadoop.hdds.scm.protocol.StorageContainerLocationProtocolServerSideTranslatorPB;
import org.apache.hadoop.hdds.scm.protocolPB.StorageContainerLocationProtocolPB;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.utils.HddsServerUtil;
import org.apache.hadoop.hdds.utils.ProtocolMessageMetrics;
import org.apache.hadoop.io.IOUtils;
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
index 37fb5ee9d63f..3d1b6e9e3dd8 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
@@ -25,7 +25,6 @@
import com.google.common.base.Preconditions;
import com.google.protobuf.BlockingService;
-import java.time.Duration;
import java.util.concurrent.atomic.AtomicBoolean;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.hadoop.conf.Configuration;
@@ -37,6 +36,7 @@
import org.apache.hadoop.hdds.conf.ReconfigurationHandler;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos.NodeState;
+import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
import org.apache.hadoop.hdds.scm.PipelineChoosePolicy;
import org.apache.hadoop.hdds.scm.PlacementPolicy;
import org.apache.hadoop.hdds.scm.RemoveSCMRequest;
@@ -133,7 +133,7 @@
import org.apache.hadoop.hdds.scm.safemode.SCMSafeModeManager;
import org.apache.hadoop.hdds.scm.server.SCMDatanodeHeartbeatDispatcher.ContainerReportFromDatanode;
import org.apache.hadoop.hdds.scm.server.SCMDatanodeHeartbeatDispatcher.IncrementalContainerReportFromDatanode;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer;
import org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCAServer;
import org.apache.hadoop.hdds.server.ServiceRuntimeInfoImpl;
@@ -194,10 +194,12 @@
import static org.apache.hadoop.hdds.scm.security.SecretKeyManagerService.isSecretKeyEnable;
import static org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateStore.CertType.VALID_CERTS;
import static org.apache.hadoop.hdds.utils.HddsServerUtil.getRemoteUser;
+import static org.apache.hadoop.hdds.utils.HddsServerUtil.getScmSecurityClientWithMaxRetry;
import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS;
import static org.apache.hadoop.ozone.OzoneConsts.CRL_SEQUENCE_ID_KEY;
import static org.apache.hadoop.ozone.OzoneConsts.SCM_SUB_CA_PREFIX;
import static org.apache.hadoop.ozone.OzoneConsts.SCM_ROOT_CA_COMPONENT_NAME;
+import static org.apache.hadoop.security.UserGroupInformation.getCurrentUser;
/**
* StorageContainerManager is the main entry point for the service that
@@ -364,7 +366,6 @@ private StorageContainerManager(OzoneConfiguration conf,
}
primaryScmNodeId = scmStorageConfig.getPrimaryScmNodeId();
- initializeCertificateClient();
jvmPauseMonitor = !ratisEnabled ? newJvmPauseMonitor(getScmId()) : null;
@@ -377,6 +378,7 @@ private StorageContainerManager(OzoneConfiguration conf,
if (OzoneSecurityUtil.isSecurityEnabled(conf)) {
loginAsSCMUserIfSecurityEnabled(scmHANodeDetails, conf);
}
+ initializeCertificateClient();
// Creates the SCM DBs or opens them if it exists.
// A valid pointer to the store is required by all the other services below.
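Review bot: The call to `initializeCertificateClient()` is moved from before `loginAsSCMUserIfSecurityEnabled` (the removal is in the preceding hunk) to after it with no comment recording why, and that is exactly the kind of ordering a later refactor silently breaks. Since the new initializeCertificateClient builds its security client with `getCurrentUser()`, the order presumably matters so the client is bound to the logged-in SCM principal rather than whoever launched the JVM; I would add `// Must follow loginAsSCMUserIfSecurityEnabled(): the SCM security client is bound to getCurrentUser().` above the call. The enclosing constructor starts and ends outside this hunk.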
@@ -555,12 +557,15 @@ private void initializeEventHandlers() {
}
- private void initializeCertificateClient() {
+ private void initializeCertificateClient() throws IOException {
securityConfig = new SecurityConfig(configuration);
if (OzoneSecurityUtil.isSecurityEnabled(configuration) &&
scmStorageConfig.checkPrimarySCMIdInitialized()) {
+ SCMSecurityProtocolClientSideTranslatorPB scmSecurityClient =
+ getScmSecurityClientWithMaxRetry(configuration, getCurrentUser());
scmCertificateClient = new SCMCertificateClient(
- securityConfig, scmStorageConfig.getScmCertSerialId());
+ securityConfig, scmSecurityClient,
+ scmStorageConfig.getScmCertSerialId());
}
}
@@ -859,7 +864,7 @@ certificateStore, new DefaultCAProfile(),
rootCertificateServer = configurator.getCertificateServer();
} else {
rootCertificateServer =
- HASecurityUtils.initializeRootCertificateServer(conf,
+ HASecurityUtils.initializeRootCertificateServer(securityConfig,
certificateStore, scmStorageConfig, new DefaultCAProfile());
}
persistPrimarySCMCerts();
@@ -872,7 +877,7 @@ certificateStore, new DefaultCAProfile(),
// intermediate CA server which is issuing certificates to DN and OM,
// we will have one root CA server too.
rootCertificateServer =
- HASecurityUtils.initializeRootCertificateServer(conf,
+ HASecurityUtils.initializeRootCertificateServer(securityConfig,
certificateStore, scmStorageConfig, new DefaultProfile());
}
@@ -889,7 +894,7 @@ certificateStore, new DefaultCAProfile(),
scmCertificateClient.getCACertificate(), this, secretKeyManager);
if (securityConfig.isContainerTokenEnabled()) {
- containerTokenMgr = createContainerTokenSecretManager(configuration);
+ containerTokenMgr = createContainerTokenSecretManager();
}
rootCARotationManager = new RootCARotationManager(this);
}
@@ -947,25 +952,10 @@ public Clock getSystemClock() {
return systemClock;
}
- private ContainerTokenSecretManager createContainerTokenSecretManager(
- OzoneConfiguration conf) throws IOException {
+ private ContainerTokenSecretManager createContainerTokenSecretManager()
+ throws IOException {
- long expiryTime = conf.getTimeDuration(
- HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME,
- HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME_DEFAULT,
- TimeUnit.MILLISECONDS);
- long certificateGracePeriod = Duration.parse(
- conf.get(HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION,
- HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION_DEFAULT)).toMillis();
- boolean tokenSanityChecksEnabled = conf.getBoolean(
- HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED,
- HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED_DEFAULT);
- if (tokenSanityChecksEnabled && expiryTime > certificateGracePeriod) {
- throw new IllegalArgumentException(" Certificate grace period " +
- HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION +
- " should be greater than maximum block/container token lifetime " +
- HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME);
- }
+ long expiryTime = securityConfig.getBlockTokenExpiryDurationMs();
// Means this is an upgraded cluster and it has no sub-ca,
// so SCM Certificate client is not initialized. To make Tokens
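Review bot: The removed block validated that `HDDS_X509_RENEW_GRACE_DURATION` exceeds the block/container token lifetime, and nothing in this hunk replaces it; the only hint that it moved is TestRootCARotationManager now disabling `HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED`, which suggests SecurityConfig performs the check in its constructor, but that code is not part of this diff. If that is where it lives now, a one-line pointer keeps the invariant discoverable from here: `// Token-lifetime vs. certificate-grace-period validation now runs in SecurityConfig.` If it does not live anywhere, this hunk drops a check that, going by the removed message, presumably kept tokens from outliving the certificate grace period. The method body continues beyond the hunk.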
@@ -986,8 +976,10 @@ private ContainerTokenSecretManager createContainerTokenSecretManager(
LOG.error("Get CA Certificate failed", ex);
throw ex;
}
+ SCMSecurityProtocolClientSideTranslatorPB scmSecurityClient =
+ getScmSecurityClientWithMaxRetry(configuration, getCurrentUser());
scmCertificateClient = new SCMCertificateClient(securityConfig,
- certSerialNumber, SCM_ROOT_CA_COMPONENT_NAME);
+ scmSecurityClient, certSerialNumber, SCM_ROOT_CA_COMPONENT_NAME);
}
return new ContainerTokenSecretManager(expiryTime,
secretKeyManagerService.getSecretKeyManager());
diff --git a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/ha/TestSCMHAManagerImpl.java b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/ha/TestSCMHAManagerImpl.java
index 27eacb742bc8..7e99e5e76c81 100644
--- a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/ha/TestSCMHAManagerImpl.java
+++ b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/ha/TestSCMHAManagerImpl.java
@@ -36,9 +36,8 @@
import org.apache.hadoop.hdds.scm.server.SCMDatanodeProtocolServer;
import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
import org.apache.hadoop.hdds.scm.server.upgrade.FinalizationManager;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
-import org.apache.hadoop.hdds.security.x509.certificate.client
- .CertificateClient;
+import org.apache.hadoop.hdds.security.SecurityConfig;
+import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.utils.TransactionInfo;
import org.apache.hadoop.hdds.utils.db.BatchOperation;
import org.apache.hadoop.hdds.utils.db.DBStore;
diff --git a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/security/TestRootCARotationManager.java b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/security/TestRootCARotationManager.java
index 7bf5765be3ef..636641999acc 100644
--- a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/security/TestRootCARotationManager.java
+++ b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/security/TestRootCARotationManager.java
@@ -24,6 +24,7 @@
import org.apache.hadoop.hdds.scm.ha.SCMContext;
import org.apache.hadoop.hdds.scm.ha.SCMServiceManager;
import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.SelfSignedCertificate;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
@@ -49,6 +50,7 @@
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_CA_ROTATION_CHECK_INTERNAL;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_CA_ROTATION_TIME_OF_DAY;
+import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION;
import static org.junit.Assert.assertEquals;
import static org.junit.jupiter.api.Assertions.fail;
@@ -73,8 +75,10 @@ public void init() throws IOException, TimeoutException {
ozoneConfig = new OzoneConfiguration();
testDir = GenericTestUtils.getTestDir(
TestContainerManagerImpl.class.getSimpleName() + UUID.randomUUID());
- ozoneConfig.set(HddsConfigKeys.OZONE_METADATA_DIRS,
- testDir.getAbsolutePath());
+ ozoneConfig
+ .set(HddsConfigKeys.OZONE_METADATA_DIRS, testDir.getAbsolutePath());
+ ozoneConfig
+ .setBoolean(HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED, false);
scm = Mockito.mock(StorageContainerManager.class);
scmCertClient = Mockito.mock(CertificateClient.class);
scmServiceManager = new SCMServiceManager();
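Review bot: `ozoneConfig.setBoolean(HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED, false)` switches off a configuration sanity check in the test fixture with no explanation, so the next reader cannot tell whether it is working around an expected failure or masking a real one. Presumably the short certificate lifetimes this test uses would now trip the grace-period check when SecurityConfig is constructed; if so, say that above the line: `// The short cert lifetimes used here would fail the grace-period vs. token-lifetime check.` The enclosing init() continues past the hunk.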
@@ -206,9 +210,14 @@ private X509Certificate generateX509Cert(
LocalDateTime start = startDate == null ? LocalDateTime.now() : startDate;
LocalDateTime end = start.plus(certLifetime);
return new JcaX509CertificateConverter().getCertificate(
- SelfSignedCertificate.newBuilder().setBeginDate(start)
- .setEndDate(end).setClusterID("cluster").setKey(keyPair)
- .setSubject("localhost").setConfiguration(conf).setScmID("test")
+ SelfSignedCertificate.newBuilder()
+ .setBeginDate(start)
+ .setEndDate(end)
+ .setClusterID("cluster")
+ .setKey(keyPair)
+ .setSubject("localhost")
+ .setConfiguration(new SecurityConfig(conf))
+ .setScmID("test")
.build());
}
}
diff --git a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/server/TestSCMCertStore.java b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/server/TestSCMCertStore.java
index ed0a0f26af01..93bb02f28baa 100644
--- a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/server/TestSCMCertStore.java
+++ b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/server/TestSCMCertStore.java
@@ -22,7 +22,7 @@
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.scm.metadata.SCMMetadataStore;
import org.apache.hadoop.hdds.scm.metadata.SCMMetadataStoreImpl;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.CertInfo;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CRLApprover;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateStore;
diff --git a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/update/server/MockCRLStore.java b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/update/server/MockCRLStore.java
index d67af90f0dad..12e8836519bc 100644
--- a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/update/server/MockCRLStore.java
+++ b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/update/server/MockCRLStore.java
@@ -26,7 +26,7 @@
import org.apache.hadoop.hdds.scm.metadata.SCMMetadataStoreImpl;
import org.apache.hadoop.hdds.scm.server.SCMCertStore;
import org.apache.hadoop.hdds.scm.update.client.CRLStore;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CRLApprover;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateStore;
import org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCRLApprover;
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/GrpcOmTransport.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/GrpcOmTransport.java
index 2bad2d32b391..74a6422f5c58 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/GrpcOmTransport.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/GrpcOmTransport.java
@@ -37,7 +37,7 @@
import org.apache.hadoop.hdds.conf.ConfigGroup;
import org.apache.hadoop.hdds.conf.ConfigTag;
import org.apache.hadoop.hdds.conf.ConfigurationSource;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.io.retry.RetryPolicy;
import org.apache.hadoop.ozone.OzoneConfigKeys;
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/MiniOzoneClusterImpl.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/MiniOzoneClusterImpl.java
index a58e86eaa50d..42b5402256eb 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/MiniOzoneClusterImpl.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/MiniOzoneClusterImpl.java
@@ -408,8 +408,7 @@ public void restartHddsDatanode(int i, boolean waitForDatanode)
waitForHddsDatanodeToStop(datanodeService.getDatanodeDetails());
}
String[] args = new String[] {};
- HddsDatanodeService service =
- HddsDatanodeService.createHddsDatanodeService(args);
+ HddsDatanodeService service = new HddsDatanodeService(args);
hddsDatanodes.add(i, service);
service.start(config);
if (waitForDatanode) {
@@ -876,8 +875,7 @@ protected List createHddsDatanodes(
reconScm.getDatanodeRpcAddress().getPort());
}
- HddsDatanodeService datanode
- = HddsDatanodeService.createHddsDatanodeService(args);
+ HddsDatanodeService datanode = new HddsDatanodeService(args);
datanode.setConfiguration(dnConf);
hddsDatanodes.add(datanode);
}
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestDelegationToken.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestDelegationToken.java
index 2484af75facd..426b5c114157 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestDelegationToken.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestDelegationToken.java
@@ -31,7 +31,7 @@
import org.apache.hadoop.hdds.scm.ScmConfig;
import org.apache.hadoop.hdds.scm.server.SCMHTTPServerConfig;
import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClientTestImpl;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.apache.hadoop.hdds.security.x509.keys.KeyCodec;
@@ -390,9 +390,10 @@ public void testDelegationToken() throws Exception {
}
private void generateKeyPair() throws Exception {
- HDDSKeyGenerator keyGenerator = new HDDSKeyGenerator(conf);
+ SecurityConfig securityConfig = new SecurityConfig(conf);
+ HDDSKeyGenerator keyGenerator = new HDDSKeyGenerator(securityConfig);
KeyPair keyPair = keyGenerator.generateKey();
- KeyCodec pemWriter = new KeyCodec(new SecurityConfig(conf), COMPONENT);
+ KeyCodec pemWriter = new KeyCodec(securityConfig, COMPONENT);
pemWriter.writeKey(keyPair, true);
}
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestOzoneConfigurationFields.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestOzoneConfigurationFields.java
index 745b58a66523..6c3d2629e28e 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestOzoneConfigurationFields.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestOzoneConfigurationFields.java
@@ -102,7 +102,6 @@ private void addPropertiesNotInXml() {
OMConfigKeys.OZONE_FS_TRASH_CHECKPOINT_INTERVAL_KEY,
OMConfigKeys.OZONE_OM_S3_GPRC_SERVER_ENABLED,
OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE,
- OzoneConfigKeys.OZONE_S3_AUTHINFO_MAX_LIFETIME_KEY,
OzoneConfigKeys.OZONE_CLIENT_REQUIRED_OM_VERSION_MIN_KEY,
OzoneConfigKeys.OZONE_RECOVERING_CONTAINER_SCRUBBING_SERVICE_WORKERS,
OzoneConfigKeys.OZONE_RECOVERING_CONTAINER_SCRUBBING_SERVICE_TIMEOUT,
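Review bot: Dropping `OzoneConfigKeys.OZONE_S3_AUTHINFO_MAX_LIFETIME_KEY` from the "not in XML" exclusion list only keeps this test green if the key either gained an entry in ozone-default.xml or was removed from `OzoneConfigKeys` altogether; neither is visible in this hunk. If it was removed, that is a behaviour change for a security knob (S3 auth-info lifetime) and deserves a line in the PR description and release notes, plus a deprecation/ignore path for configs that still set it. If it was instead documented in the XML, a one-line mention in the description would spare reviewers the search.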
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
index 06c2616c03a1..ca29b34f09e3 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
@@ -31,15 +31,21 @@
import java.time.Duration;
import java.time.LocalDate;
import java.time.LocalDateTime;
+import java.time.ZoneId;
import java.time.temporal.ChronoUnit;
+import java.util.ArrayList;
import java.util.Date;
+import java.util.List;
import java.util.Properties;
import java.util.UUID;
import java.util.concurrent.Callable;
+import org.apache.commons.validator.routines.DomainValidator;
+import org.apache.hadoop.hdds.HddsConfigKeys;
import org.apache.hadoop.hdds.annotation.InterfaceAudience;
import org.apache.hadoop.hdds.conf.DefaultConfigManager;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto;
import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
@@ -56,11 +62,17 @@
import org.apache.hadoop.hdds.scm.server.SCMStorageConfig;
import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
+import org.apache.hadoop.hdds.security.x509.certificate.authority.CAType;
+import org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultApprover;
+import org.apache.hadoop.hdds.security.x509.certificate.authority.profile.DefaultProfile;
+import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClientTestImpl;
import org.apache.hadoop.hdds.security.x509.certificate.client.DNCertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCAServer;
+import org.apache.hadoop.hdds.security.x509.certificate.client.DefaultCertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
+import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest;
import org.apache.hadoop.hdds.security.x509.certificate.utils.SelfSignedCertificate;
import org.apache.hadoop.hdds.security.x509.exception.CertificateException;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
@@ -72,6 +84,8 @@
import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.hadoop.net.NetUtils;
+import org.apache.hadoop.ozone.client.OzoneClient;
+import org.apache.hadoop.ozone.client.OzoneClientFactory;
import org.apache.hadoop.ozone.common.Storage;
import org.apache.hadoop.ozone.om.OMConfigKeys;
import org.apache.hadoop.ozone.om.OMStorage;
@@ -79,6 +93,9 @@
import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.ozone.om.helpers.OmVolumeArgs;
import org.apache.hadoop.ozone.om.helpers.S3SecretValue;
+import org.apache.hadoop.ozone.om.helpers.ServiceInfoEx;
+import org.apache.hadoop.ozone.om.protocolPB.GrpcOmTransport;
+import org.apache.hadoop.ozone.om.protocolPB.GrpcOmTransportFactory;
import org.apache.hadoop.ozone.om.protocolPB.OmTransportFactory;
import org.apache.hadoop.ozone.om.protocolPB.OzoneManagerProtocolClientSideTranslatorPB;
import org.apache.hadoop.ozone.security.OMCertificateClient;
@@ -97,8 +114,10 @@
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.lang3.StringUtils;
import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
+import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_GRPC_TLS_ENABLED;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_CA_ROTATION_CHECK_INTERNAL;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_DEFAULT_DURATION;
+import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION;
import static org.apache.hadoop.hdds.HddsConfigKeys.OZONE_METADATA_DIRS;
import static org.apache.hadoop.hdds.scm.ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY;
@@ -119,6 +138,7 @@
import static org.apache.hadoop.hdds.utils.HddsServerUtil.getScmSecurityClient;
import static org.apache.hadoop.net.ServerSocketUtil.getPort;
import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_CLIENT_FAILOVER_MAX_ATTEMPTS_KEY;
import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY;
import static org.apache.hadoop.ozone.om.OMConfigKeys.DELEGATION_TOKEN_MAX_LIFETIME_KEY;
import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_HTTP_KERBEROS_KEYTAB_FILE;
@@ -127,6 +147,7 @@
import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_KERBEROS_PRINCIPAL_KEY;
import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_ADDRESS_KEY;
import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_S3_GPRC_SERVER_ENABLED;
+import static org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_TRANSPORT_CLASS;
import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.TOKEN_EXPIRED;
import static org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod.KERBEROS;
import org.apache.ratis.protocol.ClientId;
@@ -188,6 +209,7 @@ public final class TestSecureOzoneCluster {
private String testUserPrincipal;
private StorageContainerManager scm;
private OzoneManager om;
+ private HddsProtos.OzoneManagerDetailsProto omInfo;
private String host;
private String clusterId;
private String scmId;
@@ -230,6 +252,7 @@ public void init() {
Duration.ofMillis(certGraceTime - 1000).toString());
conf.set(HDDS_X509_RENEW_GRACE_DURATION,
Duration.ofMillis(certGraceTime).toString());
+ conf.setBoolean(HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED, false);
conf.setLong(OMConfigKeys.DELEGATION_TOKEN_MAX_LIFETIME_KEY,
delegationTokenMaxTime);
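Review bot: `conf.setBoolean(HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED, false)` turns the check off for every test in this secure-cluster suite, which is precisely where the token/certificate interplay is verified, so no case here exercises the enabled path. Consider enabling it in the cases that do not need it off and documenting the reason where it is set: `// grace-period token checks off: <reason, e.g. the short grace window configured above> — TODO confirm`. The grace duration is tuned to `certGraceTime` just above, so if that is the motivation the comment should say so rather than leave readers to infer it.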
@@ -242,7 +265,7 @@ public void init() {
setSecureConfig();
createCredentialsInKDC();
generateKeyPair();
-// OzoneManager.setTestSecureOmFlag(true);
+ omInfo = OzoneManager.getOmDetailsProto(conf, omId);
} catch (Exception e) {
LOG.error("Failed to initialize TestSecureOzoneCluster", e);
}
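Review bot: `omInfo = OzoneManager.getOmDetailsProto(conf, omId)` now runs inside a `try` whose `catch (Exception e)` only logs, so if it throws, `omInfo` stays null and the certificate-rotation tests that pass it into `OMCertificateClient` fail later with an NPE far from the cause. A fixture that failed to initialize cannot be usable, so rethrow with the cause kept, `throw new IllegalStateException("Failed to initialize TestSecureOzoneCluster", e);`, or call `fail` after logging. Removing the commented-out `setTestSecureOmFlag(true)` is fine; the new gRPC test below enables it explicitly where it is needed.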
@@ -565,9 +588,10 @@ public void testAccessControlExceptionOnClient() throws Exception {
}
private void generateKeyPair() throws Exception {
- HDDSKeyGenerator keyGenerator = new HDDSKeyGenerator(conf);
+ SecurityConfig securityConfig = new SecurityConfig(conf);
+ HDDSKeyGenerator keyGenerator = new HDDSKeyGenerator(securityConfig);
keyPair = keyGenerator.generateKey();
- KeyCodec pemWriter = new KeyCodec(new SecurityConfig(conf), COMPONENT);
+ KeyCodec pemWriter = new KeyCodec(securityConfig, COMPONENT);
pemWriter.writeKey(keyPair, true);
}
@@ -887,7 +911,7 @@ public void testCertificateRotation() throws Exception {
final int certificateLifetime = 20; // seconds
KeyCodec keyCodec =
new KeyCodec(securityConfig, securityConfig.getKeyLocation("om"));
- X509CertificateHolder certHolder = generateX509CertHolder(conf,
+ X509CertificateHolder certHolder = generateX509CertHolder(securityConfig,
new KeyPair(keyCodec.readPublicKey(), keyCodec.readPrivateKey()),
null, Duration.ofSeconds(certificateLifetime));
String certId = certHolder.getSerialNumber().toString();
@@ -895,29 +919,31 @@ public void testCertificateRotation() throws Exception {
omStorage.forceInitialize();
CertificateCodec certCodec = new CertificateCodec(securityConfig, "om");
certCodec.writeCertificate(certHolder);
+
+ // first renewed cert
+ X509CertificateHolder newCertHolder =
+ generateX509CertHolder(securityConfig, null,
+ LocalDateTime.now().plus(securityConfig.getRenewalGracePeriod()),
+ Duration.ofSeconds(certificateLifetime));
+ String pemCert = CertificateCodec.getPEMEncodedString(newCertHolder);
+ SCMGetCertResponseProto responseProto =
+ SCMGetCertResponseProto.newBuilder()
+ .setResponseCode(SCMSecurityProtocolProtos
+ .SCMGetCertResponseProto.ResponseCode.success)
+ .setX509Certificate(pemCert)
+ .setX509CACertificate(pemCert)
+ .build();
+ SCMSecurityProtocolClientSideTranslatorPB scmClient =
+ mock(SCMSecurityProtocolClientSideTranslatorPB.class);
+ when(scmClient.getOMCertChain(anyObject(), anyString()))
+ .thenReturn(responseProto);
+
try (OMCertificateClient client =
- new OMCertificateClient(securityConfig, omStorage, scmId, null, null)) {
+ new OMCertificateClient(
+ securityConfig, scmClient, omStorage, omInfo, "", scmId, null, null)
+ ) {
client.init();
- // first renewed cert
- X509CertificateHolder newCertHolder = generateX509CertHolder(conf,
- null,
- LocalDateTime.now().plus(securityConfig.getRenewalGracePeriod()),
- Duration.ofSeconds(certificateLifetime));
- String pemCert = CertificateCodec.getPEMEncodedString(newCertHolder);
- SCMGetCertResponseProto responseProto =
- SCMGetCertResponseProto.newBuilder()
- .setResponseCode(SCMSecurityProtocolProtos
- .SCMGetCertResponseProto.ResponseCode.success)
- .setX509Certificate(pemCert)
- .setX509CACertificate(pemCert)
- .build();
- SCMSecurityProtocolClientSideTranslatorPB scmClient =
- mock(SCMSecurityProtocolClientSideTranslatorPB.class);
- when(scmClient.getOMCertChain(anyObject(), anyString()))
- .thenReturn(responseProto);
- client.setSecureScmClient(scmClient);
-
// create Ozone Manager instance, it will start the monitor task
conf.set(OZONE_SCM_CLIENT_ADDRESS_KEY, "localhost");
om = OzoneManager.createOm(conf);
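Review bot: The mocked `getOMCertChain` response sets the same self-signed PEM as both `setX509Certificate` and `setX509CACertificate`, so the renewal path is exercised without any issuer relationship; if the client ever validates that the new leaf is signed by the returned CA, this fixture would not notice that validation being removed. Make the shortcut explicit with `// same self-signed cert as leaf and CA: exercises the rotation flow only, not chain validation`. `anyObject()` is deprecated in Mockito 2+; `any()` is the drop-in replacement on the `when(...)` line. Note also that `omInfo` comes from `init()`, whose catch only logs, so an `init()` failure may surface here as a null argument to the constructor.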
@@ -931,7 +957,7 @@ public void testCertificateRotation() throws Exception {
// test the second time certificate rotation
// second renewed cert
- newCertHolder = generateX509CertHolder(conf,
+ newCertHolder = generateX509CertHolder(securityConfig,
null, null, Duration.ofSeconds(certificateLifetime));
pemCert = CertificateCodec.getPEMEncodedString(newCertHolder);
responseProto = SCMGetCertResponseProto.newBuilder()
@@ -968,7 +994,7 @@ public void testCertificateRotationRecoverableFailure() throws Exception {
final int certificateLifetime = 20; // seconds
KeyCodec keyCodec =
new KeyCodec(securityConfig, securityConfig.getKeyLocation("om"));
- X509CertificateHolder certHolder = generateX509CertHolder(conf,
+ X509CertificateHolder certHolder = generateX509CertHolder(securityConfig,
new KeyPair(keyCodec.readPublicKey(), keyCodec.readPrivateKey()),
null, Duration.ofSeconds(certificateLifetime));
String certId = certHolder.getSerialNumber().toString();
@@ -976,30 +1002,33 @@ public void testCertificateRotationRecoverableFailure() throws Exception {
omStorage.setOmCertSerialId(certId);
omStorage.forceInitialize();
+ // prepare a mocked scmClient to certificate signing
+ SCMSecurityProtocolClientSideTranslatorPB scmClient =
+ mock(SCMSecurityProtocolClientSideTranslatorPB.class);
+
+ Duration gracePeriod = securityConfig.getRenewalGracePeriod();
+ X509CertificateHolder newCertHolder = generateX509CertHolder(
+ securityConfig, null,
+ LocalDateTime.now().plus(gracePeriod),
+ Duration.ofSeconds(certificateLifetime));
+ String pemCert = CertificateCodec.getPEMEncodedString(newCertHolder);
+ // provide an invalid SCMGetCertResponseProto. Without
+ // setX509CACertificate(pemCert), signAndStoreCert will throw exception.
+ SCMSecurityProtocolProtos.SCMGetCertResponseProto responseProto =
+ SCMSecurityProtocolProtos.SCMGetCertResponseProto
+ .newBuilder().setResponseCode(SCMSecurityProtocolProtos
+ .SCMGetCertResponseProto.ResponseCode.success)
+ .setX509Certificate(pemCert)
+ .build();
+ when(scmClient.getOMCertChain(anyObject(), anyString()))
+ .thenReturn(responseProto);
+
try (OMCertificateClient client =
- new OMCertificateClient(securityConfig, omStorage, scmId, null, null)) {
+ new OMCertificateClient(
+ securityConfig, scmClient, omStorage, omInfo, "", scmId, null, null)
+ ) {
client.init();
- // prepare a mocked scmClient to certificate signing
- SCMSecurityProtocolClientSideTranslatorPB scmClient =
- mock(SCMSecurityProtocolClientSideTranslatorPB.class);
- client.setSecureScmClient(scmClient);
-
- Duration gracePeriod = securityConfig.getRenewalGracePeriod();
- X509CertificateHolder newCertHolder = generateX509CertHolder(conf, null,
- LocalDateTime.now().plus(gracePeriod),
- Duration.ofSeconds(certificateLifetime));
- String pemCert = CertificateCodec.getPEMEncodedString(newCertHolder);
- // provide an invalid SCMGetCertResponseProto. Without
- // setX509CACertificate(pemCert), signAndStoreCert will throw exception.
- SCMSecurityProtocolProtos.SCMGetCertResponseProto responseProto =
- SCMSecurityProtocolProtos.SCMGetCertResponseProto
- .newBuilder().setResponseCode(SCMSecurityProtocolProtos
- .SCMGetCertResponseProto.ResponseCode.success)
- .setX509Certificate(pemCert)
- .build();
- when(scmClient.getOMCertChain(anyObject(), anyString()))
- .thenReturn(responseProto);
// check that new cert ID should not equal to current cert ID
String certId1 = newCertHolder.getSerialNumber().toString();
@@ -1019,7 +1048,7 @@ public void testCertificateRotationRecoverableFailure() throws Exception {
"Error while signing and storing SCM signed certificate."));
// provide a new valid SCMGetCertResponseProto
- newCertHolder = generateX509CertHolder(conf, null, null,
+ newCertHolder = generateX509CertHolder(securityConfig, null, null,
Duration.ofSeconds(certificateLifetime));
pemCert = CertificateCodec.getPEMEncodedString(newCertHolder);
responseProto = SCMSecurityProtocolProtos.SCMGetCertResponseProto
@@ -1055,12 +1084,14 @@ public void testCertificateRotationUnRecoverableFailure() throws Exception {
SecurityConfig securityConfig = new SecurityConfig(conf);
CertificateCodec certCodec = new CertificateCodec(securityConfig, "om");
try (OMCertificateClient client =
- new OMCertificateClient(securityConfig, omStorage, scmId, null, null)) {
+ new OMCertificateClient(
+ securityConfig, null, omStorage, omInfo, "", scmId, null, null)
+ ) {
client.init();
// save first cert
final int certificateLifetime = 20; // seconds
- X509CertificateHolder certHolder = generateX509CertHolder(conf,
+ X509CertificateHolder certHolder = generateX509CertHolder(securityConfig,
new KeyPair(client.getPublicKey(), client.getPrivateKey()),
null, Duration.ofSeconds(certificateLifetime));
String certId = certHolder.getSerialNumber().toString();
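Review bot: The `null` passed as the SCM security client in `new OMCertificateClient(securityConfig, null, omStorage, omInfo, "", scmId, null, null)` is presumably what makes this the "unrecoverable" case, but next to the other nulls it reads like an unfinished fixture. A comment at the call site makes the intent auditable: `// no SCM client on purpose: renewal cannot reach SCM, so the failure is unrecoverable — TODO confirm`. The rest of the method, including the mocked `DNCertificateClient`, continues outside this hunk, so whether the null or the mock drives the failure is not visible here.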
@@ -1069,7 +1100,8 @@ public void testCertificateRotationUnRecoverableFailure() throws Exception {
omStorage.forceInitialize();
// second cert as renew response
- X509CertificateHolder newCertHolder = generateX509CertHolder(conf, null,
+ X509CertificateHolder newCertHolder = generateX509CertHolder(
+ securityConfig, null,
null, Duration.ofSeconds(certificateLifetime));
DNCertificateClient mockClient = mock(DNCertificateClient.class);
when(mockClient.getCertificate()).thenReturn(
@@ -1171,6 +1203,126 @@ public void testDelegationTokenRenewCrossCertificateRenew() throws Exception {
}
}
+ /**
+ * Test functionality to get SCM signed certificate for OM.
+ */
+ @Test
+ @Ignore("HDDS-8764")
+ public void testOMGrpcServerCertificateRenew() throws Exception {
+ initSCM();
+ try {
+ scm = HddsTestUtils.getScmSimple(conf);
+ scm.start();
+
+ conf.set(OZONE_METADATA_DIRS, omMetaDirPath.toString());
+ int certLifetime = 30; // second
+ conf.set(HDDS_X509_DEFAULT_DURATION,
+ Duration.ofSeconds(certLifetime).toString());
+ conf.setInt(OZONE_CLIENT_FAILOVER_MAX_ATTEMPTS_KEY, 2);
+
+ // initialize OmStorage, save om Cert and CA Certs to disk
+ OMStorage omStore = new OMStorage(conf);
+ omStore.setClusterId(clusterId);
+ omStore.setOmId(omId);
+
+ // Prepare the certificates for OM before OM start
+ SecurityConfig securityConfig = new SecurityConfig(conf);
+ CertificateClient scmCertClient = scm.getScmCertificateClient();
+ CertificateCodec certCodec = new CertificateCodec(securityConfig, "om");
+ X509Certificate scmCert = scmCertClient.getCertificate();
+ X509Certificate rootCert = scmCertClient.getCACertificate();
+ X509CertificateHolder certHolder =
+ generateX509CertHolder(securityConfig, keyPair,
+ new KeyPair(scmCertClient.getPublicKey(),
+ scmCertClient.getPrivateKey()),
+ scmCert, "om_cert", clusterId);
+ String certId = certHolder.getSerialNumber().toString();
+ certCodec.writeCertificate(certHolder);
+ certCodec.writeCertificate(CertificateCodec.getCertificateHolder(scmCert),
+ String.format(DefaultCertificateClient.CERT_FILE_NAME_FORMAT,
+ CAType.SUBORDINATE.getFileNamePrefix() +
+ scmCert.getSerialNumber().toString()));
+ certCodec.writeCertificate(CertificateCodec.getCertificateHolder(
+ scmCertClient.getCACertificate()),
+ String.format(DefaultCertificateClient.CERT_FILE_NAME_FORMAT,
+ CAType.ROOT.getFileNamePrefix() +
+ rootCert.getSerialNumber().toString()));
+ omStore.setOmCertSerialId(certId);
+ omStore.initialize();
+
+ conf.setBoolean(HDDS_GRPC_TLS_ENABLED, true);
+ conf.setBoolean(OZONE_OM_S3_GPRC_SERVER_ENABLED, true);
+ conf.setBoolean(HddsConfigKeys.HDDS_GRPC_TLS_TEST_CERT, true);
+ OzoneManager.setTestSecureOmFlag(true);
+ UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
+ // In this process, SCM has already login using Kerberos. So pass
+ // specific UGI to DefaultCertificateClient and OzoneManager to avoid
+ // conflict with SCM procedure.
+ OzoneManager.setUgi(ugi);
+ om = OzoneManager.createOm(conf);
+ om.start();
+
+ CertificateClient omCertClient = om.getCertificateClient();
+ X509Certificate omCert = omCertClient.getCertificate();
+ X509Certificate caCert = omCertClient.getCACertificate();
+ X509Certificate rootCaCert = omCertClient.getRootCACertificate();
+ List certList = new ArrayList<>();
+ certList.add(caCert);
+ certList.add(rootCaCert);
+ // set certificates in GrpcOmTransport
+ GrpcOmTransport.setCaCerts(certList);
+
+ GenericTestUtils.waitFor(() -> om.isLeaderReady(), 500, 10000);
+ String transportCls = GrpcOmTransportFactory.class.getName();
+ conf.set(OZONE_OM_TRANSPORT_CLASS, transportCls);
+ try (OzoneClient client = OzoneClientFactory.getRpcClient(conf)) {
+
+ ServiceInfoEx serviceInfoEx = client.getObjectStore()
+ .getClientProxy().getOzoneManagerClient().getServiceInfo();
+ Assert.assertTrue(serviceInfoEx.getCaCertificate().equals(
+ CertificateCodec.getPEMEncodedString(caCert)));
+
+ // Wait for OM certificate to renewed
+ GenericTestUtils.waitFor(() ->
+ !omCert.getSerialNumber().toString().equals(
+ omCertClient.getCertificate().getSerialNumber().toString()),
+ 500, certLifetime * 1000);
+
+ // rerun the command using old client, it should succeed
+ serviceInfoEx = client.getObjectStore()
+ .getClientProxy().getOzoneManagerClient().getServiceInfo();
+ Assert.assertTrue(serviceInfoEx.getCaCertificate().equals(
+ CertificateCodec.getPEMEncodedString(caCert)));
+ }
+
+ // get new client, it should succeed.
+ try {
+ OzoneClient client1 = OzoneClientFactory.getRpcClient(conf);
+ client1.close();
+ } catch (Exception e) {
+ System.out.println("OzoneClientFactory.getRpcClient failed for " +
+ e.getMessage());
+ fail("Create client should succeed for certificate is renewed");
+ }
+
+ // Wait for old OM certificate to expire
+ GenericTestUtils.waitFor(() -> omCert.getNotAfter().before(new Date()),
+ 500, certLifetime * 1000);
+ // get new client, it should succeed too.
+ try {
+ OzoneClient client1 = OzoneClientFactory.getRpcClient(conf);
+ client1.close();
+ } catch (Exception e) {
+ System.out.println("OzoneClientFactory.getRpcClient failed for " +
+ e.getMessage());
+ fail("Create client should succeed for certificate is renewed");
+ }
+ } finally {
+ OzoneManager.setUgi(null);
+ GrpcOmTransport.setCaCerts(null);
+ }
+ }
+
public void validateCertificate(X509Certificate cert) throws Exception {
// Assert that we indeed have a self signed certificate.
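Review bot: Both `catch (Exception e)` blocks around `OzoneClientFactory.getRpcClient(conf)` print `e.getMessage()` with `System.out` and then `fail(...)`, which throws away the stack trace of the very TLS/handshake failure this test exists to catch, and the client is not closed on that path. Let the exception propagate instead: `try (OzoneClient client1 = OzoneClientFactory.getRpcClient(conf)) { /* a successful connection after renewal is the assertion */ }`. Likewise `Assert.assertTrue(serviceInfoEx.getCaCertificate().equals(...))` reports nothing useful on mismatch; `assertEquals(CertificateCodec.getPEMEncodedString(caCert), serviceInfoEx.getCaCertificate())` prints both PEMs. The `finally` resets only the static UGI and CA-cert list; `om` and `scm` started here are presumably stopped by the suite's teardown, worth confirming since the `@Ignore("HDDS-8764")` means a leak would not show up in CI.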
@@ -1219,7 +1371,7 @@ private void initializeOmStorage(OMStorage omStorage) throws IOException {
}
private static X509CertificateHolder generateX509CertHolder(
- OzoneConfiguration conf, KeyPair keyPair, LocalDateTime startDate,
+ SecurityConfig conf, KeyPair keyPair, LocalDateTime startDate,
Duration certLifetime) throws Exception {
if (keyPair == null) {
keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
@@ -1236,4 +1388,44 @@ private static X509CertificateHolder generateX509CertHolder(
.setScmID("test")
.build();
}
+
+ private static X509CertificateHolder generateX509CertHolder(
+ SecurityConfig conf, KeyPair keyPair, KeyPair rootKeyPair,
+ X509Certificate rootCert, String subject, String clusterId
+ ) throws Exception {
+ // Generate normal certificate, signed by RootCA certificate
+ DefaultApprover approver = new DefaultApprover(new DefaultProfile(), conf);
+
+ CertificateSignRequest.Builder csrBuilder =
+ new CertificateSignRequest.Builder();
+ // Get host name.
+ csrBuilder.setKey(keyPair)
+ .setConfiguration(conf)
+ .setScmID("test")
+ .setClusterID(clusterId)
+ .setSubject(subject)
+ .setDigitalSignature(true)
+ .setDigitalEncryption(true);
+
+ addIpAndDnsDataToBuilder(csrBuilder);
+ LocalDateTime start = LocalDateTime.now();
+ Duration certDuration = conf.getDefaultCertDuration();
+ X509CertificateHolder certificateHolder =
+ approver.sign(conf, rootKeyPair.getPrivate(),
+ new X509CertificateHolder(rootCert.getEncoded()),
+ Date.from(start.atZone(ZoneId.systemDefault()).toInstant()),
+ Date.from(start.plus(certDuration)
+ .atZone(ZoneId.systemDefault()).toInstant()),
+ csrBuilder.build(), "test", clusterId);
+ return certificateHolder;
+ }
+
+ private static void addIpAndDnsDataToBuilder(
+ CertificateSignRequest.Builder csrBuilder) throws IOException {
+ DomainValidator validator = DomainValidator.getInstance();
+ // Add all valid ips.
+ List inetAddresses =
+ OzoneSecurityUtil.getValidInetsForCurrentHost();
+ csrBuilder.addInetAddresses(inetAddresses, validator);
+ }
}
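Review bot: The parameters `rootKeyPair`/`rootCert` and the comment `// Generate normal certificate, signed by RootCA certificate` mislabel what the only caller passes, which is the SCM's own certificate and key pair (`scmCertClient.getCertificate()`), i.e. the subordinate CA, while the actual root certificate is written separately under the `CAType.ROOT` prefix. Rename to `issuerKeyPair`/`issuerCert` and write `// Issue a leaf certificate signed by the given issuer; the caller passes the SCM (sub-CA) cert and key.`; only `getPrivate()` is used, so a `PrivateKey` parameter would be tighter. `addIpAndDnsDataToBuilder` adds only the host's IP addresses and no DNS name, so either rename it (`addIpDataToBuilder`) or add the host name SAN if the CSR builder supports it, since a TLS client verifying by hostname will not match an IP-only SAN.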
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestOzoneContainerWithTLS.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestOzoneContainerWithTLS.java
index b3762cf1ba37..c94e7eb10d07 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestOzoneContainerWithTLS.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestOzoneContainerWithTLS.java
@@ -76,6 +76,7 @@
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_KEY_LEN;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_CA_ROTATION_CHECK_INTERNAL;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_DEFAULT_DURATION;
+import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION;
import static org.apache.hadoop.hdds.HddsConfigKeys.OZONE_METADATA_DIRS;
import static org.apache.hadoop.hdds.scm.ScmConfigKeys.HDDS_DATANODE_DIR_KEY;
@@ -135,6 +136,7 @@ public void setup() throws Exception {
conf.setBoolean(HddsConfigKeys.HDDS_GRPC_TLS_ENABLED, true);
conf.setBoolean(HddsConfigKeys.HDDS_GRPC_TLS_TEST_CERT, true);
+ conf.setBoolean(HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED, false);
conf.setInt(HDDS_KEY_LEN, 1024);
// certificate lives for 10s
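Review bot: `conf.setBoolean(HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED, false)` sits between the TLS test-cert toggle and the 10-second certificate lifetime with no comment explaining why the token check must be off for this TLS test. Record the reason inline, e.g. `// token grace-period checks off: this test rotates 10s certificates and does not issue tokens — TODO confirm`, so the disabled path is a documented decision rather than an accident. With the same flag disabled in several suites in this change, it is worth listing in the PR description which test still runs with it enabled.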
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestSecureOzoneContainer.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestSecureOzoneContainer.java
index 85149b69ada4..e403d4de8e02 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestSecureOzoneContainer.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestSecureOzoneContainer.java
@@ -33,7 +33,7 @@
import org.apache.hadoop.hdds.security.symmetric.SecretKeyClient;
import org.apache.hadoop.hdds.security.token.ContainerTokenIdentifier;
import org.apache.hadoop.hdds.security.token.ContainerTokenSecretManager;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClientTestImpl;
import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
import org.apache.hadoop.ozone.OzoneConfigKeys;
@@ -65,7 +65,6 @@
import static org.apache.hadoop.hdds.HddsConfigKeys.OZONE_METADATA_DIRS;
import static org.apache.hadoop.hdds.scm.ScmConfigKeys.HDDS_DATANODE_DIR_KEY;
-import static org.apache.hadoop.ozone.OzoneConfigKeys.DFS_CONTAINER_IPC_PORT_DEFAULT;
import static org.apache.hadoop.ozone.container.ContainerTestHelper.getCreateContainerSecureRequest;
import static org.apache.hadoop.ozone.container.ContainerTestHelper.getTestContainerID;
import static org.junit.jupiter.api.Assertions.assertEquals;
@@ -159,12 +158,6 @@ public void testCreateOzoneContainer() throws Exception {
UserGroupInformation ugi = UserGroupInformation.createUserForTesting(
user, new String[] {"usergroup"});
- int port = dn.getPort(DatanodeDetails.Port.Name.STANDALONE).getValue();
- if (port == 0) {
- port = secConfig.getConfiguration().getInt(OzoneConfigKeys
- .DFS_CONTAINER_IPC_PORT, DFS_CONTAINER_IPC_PORT_DEFAULT);
- }
-
ugi.doAs((PrivilegedAction) () -> {
try (XceiverClientGrpc client = new XceiverClientGrpc(pipeline, conf)) {
client.connect();
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/server/TestContainerServer.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/server/TestContainerServer.java
index 814c54378e10..6ed0819fd393 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/server/TestContainerServer.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/server/TestContainerServer.java
@@ -36,7 +36,7 @@
import org.apache.hadoop.hdds.scm.XceiverClientSpi;
import org.apache.hadoop.hdds.scm.pipeline.MockPipeline;
import org.apache.hadoop.hdds.scm.pipeline.Pipeline;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.client.DNCertificateClient;
import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
@@ -88,7 +88,7 @@ public class TestContainerServer {
public static void setup() {
DefaultMetricsSystem.setMiniClusterMode(true);
CONF.set(HddsConfigKeys.HDDS_METADATA_DIR_NAME, TEST_DIR);
- caClient = new DNCertificateClient(new SecurityConfig(CONF),
+ caClient = new DNCertificateClient(new SecurityConfig(CONF), null,
null, null, null, null);
}
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/server/TestSecureContainerServer.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/server/TestSecureContainerServer.java
index 0b979ba0fe9c..0ab142f8f9c9 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/server/TestSecureContainerServer.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/server/TestSecureContainerServer.java
@@ -49,7 +49,7 @@
import org.apache.hadoop.hdds.security.token.OzoneBlockTokenIdentifier;
import org.apache.hadoop.hdds.security.token.ContainerTokenSecretManager;
import org.apache.hadoop.hdds.security.token.TokenVerifier;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClientTestImpl;
import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
import org.apache.hadoop.ozone.OzoneConfigKeys;
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestSecureOzoneManager.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestSecureOzoneManager.java
index e1bf665734b4..7dacdbca3250 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestSecureOzoneManager.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestSecureOzoneManager.java
@@ -20,7 +20,8 @@
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.hdds.HddsConfigKeys;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.keys.KeyCodec;
@@ -66,6 +67,7 @@ public class TestSecureOzoneManager {
private String scmId;
private String omId;
private Path metaDir;
+ private HddsProtos.OzoneManagerDetailsProto omInfo;
@Rule
public Timeout timeout = Timeout.seconds(25);
@@ -90,7 +92,7 @@ public void init() throws Exception {
metaDir = Paths.get(path, "om-meta");
conf.set(HddsConfigKeys.OZONE_METADATA_DIRS, metaDir.toString());
OzoneManager.setTestSecureOmFlag(true);
-
+ omInfo = OzoneManager.getOmDetailsProto(conf, omId);
}
/**
@@ -122,7 +124,8 @@ public void testSecureOmInitFailures() throws Exception {
// boot-up. Get certificate will fail when SCM is not running.
SecurityConfig securityConfig = new SecurityConfig(conf);
CertificateClient client =
- new OMCertificateClient(securityConfig, omStorage, scmId, null, null);
+ new OMCertificateClient(
+ securityConfig, null, omStorage, omInfo, "", scmId, null, null);
Assert.assertEquals(CertificateClient.InitResponse.GETCERT, client.init());
privateKey = client.getPrivateKey();
publicKey = client.getPublicKey();
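Review bot: The same eight-argument `new OMCertificateClient(securityConfig, null, omStorage, omInfo, "", <scmId>, null, null)` call is now repeated seven times in this method, differing only in the scmId argument (this hunk and the hunks at @@ -133, @@ -142, @@ -153, @@ -176, @@ -185 and @@ -197), and the positional `null` and `""` arguments give no hint of which parameter is the SCM security client and which is the service id. A small private factory in the test that takes the security config and the scmId and fills in the remaining arguments would make each case read as `client = newOmCertClient(securityConfig, scmId);` and keep the argument order in one place when the constructor changes again. testSecureOmInitFailures continues outside this hunk.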
@@ -133,7 +136,8 @@ public void testSecureOmInitFailures() throws Exception {
// Case 2: If key pair already exist than response should be RECOVER.
client =
- new OMCertificateClient(securityConfig, omStorage, scmId, null, null);
+ new OMCertificateClient(
+ securityConfig, null, omStorage, omInfo, "", scmId, null, null);
Assert.assertEquals(CertificateClient.InitResponse.RECOVER, client.init());
Assert.assertNotNull(client.getPrivateKey());
Assert.assertNotNull(client.getPublicKey());
@@ -142,7 +146,8 @@ public void testSecureOmInitFailures() throws Exception {
// Case 3: When public key as well as certificate is missing.
client =
- new OMCertificateClient(securityConfig, omStorage, null, null, null);
+ new OMCertificateClient(
+ securityConfig, null, omStorage, omInfo, "", null, null, null);
FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT)
.toString(), securityConfig.getPublicKeyFileName()).toFile());
Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
@@ -153,7 +158,8 @@ public void testSecureOmInitFailures() throws Exception {
// Case 4: When private key and certificate is missing.
client =
- new OMCertificateClient(securityConfig, omStorage, null, null, null);
+ new OMCertificateClient(
+ securityConfig, null, omStorage, omInfo, "", null, null, null);
KeyCodec keyCodec = new KeyCodec(securityConfig, COMPONENT);
keyCodec.writePublicKey(publicKey);
FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT)
@@ -176,7 +182,8 @@ public void testSecureOmInitFailures() throws Exception {
x509Certificate.getEncoded()));
omStorage.setOmCertSerialId(x509Certificate.getSerialNumber().toString());
client =
- new OMCertificateClient(securityConfig, omStorage, scmId, null, null);
+ new OMCertificateClient(
+ securityConfig, null, omStorage, omInfo, "", scmId, null, null);
Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
Assert.assertNull(client.getPrivateKey());
Assert.assertNull(client.getPublicKey());
@@ -185,7 +192,8 @@ public void testSecureOmInitFailures() throws Exception {
// Case 6: When private key and certificate is present.
client =
- new OMCertificateClient(securityConfig, omStorage, scmId, null, null);
+ new OMCertificateClient(
+ securityConfig, null, omStorage, omInfo, "", scmId, null, null);
FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT)
.toString(), securityConfig.getPublicKeyFileName()).toFile());
keyCodec.writePrivateKey(privateKey);
@@ -197,7 +205,8 @@ public void testSecureOmInitFailures() throws Exception {
// Case 7 When keypair and certificate is present.
client =
- new OMCertificateClient(securityConfig, omStorage, scmId, null, null);
+ new OMCertificateClient(
+ securityConfig, null, omStorage, omInfo, "", scmId, null, null);
Assert.assertEquals(CertificateClient.InitResponse.SUCCESS, client.init());
Assert.assertNotNull(client.getPrivateKey());
Assert.assertNotNull(client.getPublicKey());
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/shell/TestOzoneDatanodeShell.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/shell/TestOzoneDatanodeShell.java
index 6c89f2b7d7cb..ba5da3540372 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/shell/TestOzoneDatanodeShell.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/shell/TestOzoneDatanodeShell.java
@@ -63,7 +63,7 @@ public class TestOzoneDatanodeShell {
*/
@BeforeClass
public static void init() {
- datanode = new TestHddsDatanodeService(false, new String[] {});
+ datanode = new TestHddsDatanodeService(new String[] {});
}
private void executeDatanode(HddsDatanodeService hdds, String[] args) {
@@ -138,8 +138,8 @@ public void testDatanodeInvalidParamCommand() {
}
private static class TestHddsDatanodeService extends HddsDatanodeService {
- TestHddsDatanodeService(boolean printBanner, String[] args) {
- super(printBanner, args);
+ TestHddsDatanodeService(String[] args) {
+ super(args);
}
@Override
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/GrpcOzoneManagerServer.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/GrpcOzoneManagerServer.java
index c452bf48e460..c4a29b80102f 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/GrpcOzoneManagerServer.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/GrpcOzoneManagerServer.java
@@ -27,7 +27,9 @@
import com.google.common.util.concurrent.ThreadFactoryBuilder;
import org.apache.hadoop.hdds.HddsUtils;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.ssl.KeyStoresFactory;
+import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.ozone.grpc.metrics.GrpcMetricsServerRequestInterceptor;
import org.apache.hadoop.ozone.grpc.metrics.GrpcMetricsServerResponseInterceptor;
import org.apache.hadoop.ozone.grpc.metrics.GrpcMetricsServerTransportFilter;
@@ -36,8 +38,6 @@
import org.apache.hadoop.ozone.protocolPB.OzoneManagerProtocolServerSideTranslatorPB;
import org.apache.hadoop.ozone.om.protocolPB.GrpcOmTransport;
import org.apache.hadoop.ozone.security.OzoneDelegationTokenSecretManager;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
-import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyServerBuilder;
import io.netty.channel.EventLoopGroup;
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
index 4cd062eb9274..08d7dc16b886 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
@@ -74,6 +74,7 @@
import org.apache.hadoop.hdds.protocol.proto.ReconfigureProtocolProtos.ReconfigureProtocolService;
import org.apache.hadoop.hdds.protocolPB.ReconfigureProtocolPB;
import org.apache.hadoop.hdds.protocolPB.ReconfigureProtocolServerSideTranslatorPB;
+import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
import org.apache.hadoop.hdds.ratis.RatisHelper;
import org.apache.hadoop.hdds.scm.ScmInfo;
import org.apache.hadoop.hdds.scm.client.HddsClientUtils;
@@ -99,13 +100,11 @@
import org.apache.hadoop.hdds.scm.ha.SCMNodeInfo;
import org.apache.hadoop.hdds.scm.protocol.ScmBlockLocationProtocol;
import org.apache.hadoop.hdds.scm.protocol.StorageContainerLocationProtocol;
-import org.apache.hadoop.hdds.security.OzoneSecurityException;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.symmetric.SecretKeySignerClient;
import org.apache.hadoop.hdds.security.symmetric.DefaultSecretKeySignerClient;
import org.apache.hadoop.hdds.security.token.OzoneBlockTokenSecretManager;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
-import org.apache.hadoop.ozone.security.OMCertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest;
import org.apache.hadoop.hdds.server.ServiceRuntimeInfoImpl;
@@ -170,6 +169,7 @@
import org.apache.hadoop.ozone.om.protocolPB.OMAdminProtocolPB;
import org.apache.hadoop.ozone.om.protocolPB.OzoneManagerProtocolPB;
import org.apache.hadoop.ozone.common.ha.ratis.RatisSnapshotInfo;
+import org.apache.hadoop.hdds.security.exception.OzoneSecurityException;
import org.apache.hadoop.hdds.utils.TransactionInfo;
import org.apache.hadoop.ozone.om.ratis.OzoneManagerRatisServer;
import org.apache.hadoop.ozone.om.ratis.utils.OzoneManagerRatisUtils;
@@ -189,6 +189,7 @@
import org.apache.hadoop.ozone.protocolPB.OMAdminProtocolServerSideImpl;
import org.apache.hadoop.ozone.storage.proto.OzoneManagerStorageProtos.PersistedUserVolumeInfo;
import org.apache.hadoop.ozone.protocolPB.OzoneManagerProtocolServerSideTranslatorPB;
+import org.apache.hadoop.ozone.security.OMCertificateClient;
import org.apache.hadoop.ozone.security.OzoneDelegationTokenSecretManager;
import org.apache.hadoop.ozone.security.OzoneTokenIdentifier;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
@@ -232,6 +233,7 @@
import static org.apache.hadoop.hdds.server.ServerUtils.updateRPCListenAddress;
import static org.apache.hadoop.hdds.utils.HAUtils.getScmInfo;
import static org.apache.hadoop.hdds.utils.HddsServerUtil.getRemoteUser;
+import static org.apache.hadoop.hdds.utils.HddsServerUtil.getScmSecurityClientWithMaxRetry;
import static org.apache.hadoop.ozone.OmUtils.MAX_TRXN_ID;
import static org.apache.hadoop.ozone.OzoneAcl.AclScope.ACCESS;
import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED;
@@ -288,6 +290,7 @@
import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.TOKEN_ERROR_OTHER;
import static org.apache.hadoop.ozone.om.s3.S3SecretStoreConfigurationKeys.DEFAULT_SECRET_STORAGE_TYPE;
import static org.apache.hadoop.ozone.om.s3.S3SecretStoreConfigurationKeys.S3_SECRET_STORAGE_TYPE;
+import static org.apache.hadoop.security.UserGroupInformation.getCurrentUser;
import static org.apache.hadoop.util.ExitUtil.terminate;
import static org.apache.hadoop.ozone.om.lock.OzoneManagerLock.Resource.BUCKET_LOCK;
import static org.apache.hadoop.ozone.om.lock.OzoneManagerLock.Resource.VOLUME_LOCK;
@@ -617,13 +620,19 @@ private OzoneManager(OzoneConfiguration conf, StartupOption startupOption)
}
if (secConfig.isSecurityEnabled()) {
omComponent = OM_DAEMON + "-" + omId;
+ HddsProtos.OzoneManagerDetailsProto omInfo =
+ getOmDetailsProto(conf, omStorage.getOmId());
if (omStorage.getOmCertSerialId() == null) {
throw new RuntimeException("OzoneManager started in secure mode but " +
"doesn't have SCM signed certificate.");
}
- certClient = new OMCertificateClient(secConfig, omStorage,
- scmInfo == null ? null : scmInfo.getScmId(), this::saveNewCertId,
- this::terminateOM);
+ SCMSecurityProtocolClientSideTranslatorPB scmSecurityClient =
+ getScmSecurityClientWithMaxRetry(configuration, getCurrentUser());
+ certClient = new OMCertificateClient(secConfig, scmSecurityClient,
+ omStorage, omInfo, "",
+ scmInfo == null ? null : scmInfo.getScmId(),
+ this::saveNewCertId, this::terminateOM);
+
SecretKeyProtocol secretKeyProtocol =
HddsServerUtil.getSecretKeyClientForOm(conf);
secretKeyClient = new DefaultSecretKeySignerClient(secretKeyProtocol);
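Review bot: The new OMCertificateClient call passes a literal `""` as serviceId, whereas the constructor body this patch removes resolved it from `OMHANodeDetails.loadOMHAConfig(...)`, and the updated `getCSRBuilder` only calls `addServiceName` when the value is non-empty, so an OM running under an HA service id will no longer get that name into its CSR; the same literal is passed in initializeSecurity (hunk at @@ -1354). If the service name is what clients addressing the OM by service id validate against, this is a silent change in the issued certificate, so unless dropping it is intended, pass the OM's service id here, e.g. `omNodeDetails.getServiceId()` if that field is available in this constructor. Separately, `scmSecurityClient` is an RPC proxy created here and handed to the certificate client; nothing in the hunk shows who closes it, so its ownership should be stated on the OMCertificateClient constructor or it should be closed in the OM stop path. The constructor continues outside the hunk.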
@@ -1354,9 +1363,16 @@ public static void initializeSecurity(OzoneConfiguration conf,
OMStorage omStore, String scmId) throws IOException {
LOG.info("Initializing secure OzoneManager.");
+ HddsProtos.OzoneManagerDetailsProto omInfo =
+ getOmDetailsProto(conf, omStore.getOmId());
+
+ SCMSecurityProtocolClientSideTranslatorPB scmSecurityClient =
+ getScmSecurityClientWithMaxRetry(conf, getCurrentUser());
+
CertificateClient certClient =
new OMCertificateClient(
- new SecurityConfig(conf), omStore, scmId, null, null);
+ new SecurityConfig(conf), scmSecurityClient, omStore, omInfo,
+ "", scmId, null, null);
CertificateClient.InitResponse response = certClient.init();
if (response.equals(CertificateClient.InitResponse.REINIT)) {
LOG.info("Re-initialize certificate client.");
@@ -1364,7 +1380,8 @@ public static void initializeSecurity(OzoneConfiguration conf,
omStore.persistCurrentState();
IOUtils.close(LOG, certClient);
certClient = new OMCertificateClient(
- new SecurityConfig(conf), omStore, scmId, null, null);
+ new SecurityConfig(conf), scmSecurityClient, omStore, omInfo,
+ "", scmId, null, null);
response = certClient.init();
}
LOG.info("Init response: {}", response);
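Review bot: After `IOUtils.close(LOG, certClient)` the same `scmSecurityClient` instance is handed to the replacement OMCertificateClient; if CommonCertificateClient's close() releases the injected SCM security client (not visible in this patch), the second `init()` would run against a closed proxy. Either confirm that the certificate client does not own the client it is given, or build a fresh one for the REINIT path with `scmSecurityClient = getScmSecurityClientWithMaxRetry(conf, getCurrentUser());` before the second constructor call. initializeSecurity's body continues outside the hunk.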
@@ -3080,8 +3097,7 @@ public void transferLeadership(String newLeaderId)
}
final GrpcTlsConfig tlsConfig =
- OzoneManagerRatisUtils.createServerTlsConfig(
- secConfig, certClient, true);
+ OzoneManagerRatisUtils.createServerTlsConfig(secConfig, certClient);
RatisHelper.transferRatisLeadership(configuration, division.getGroup(),
targetPeerId, tlsConfig);
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManagerServiceGrpc.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManagerServiceGrpc.java
index 2faa3646e4d9..b45f3b876387 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManagerServiceGrpc.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManagerServiceGrpc.java
@@ -20,7 +20,7 @@
import io.grpc.Status;
import com.google.protobuf.RpcController;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.ipc.ClientId;
import org.apache.hadoop.ipc.RPC;
import org.apache.hadoop.ipc.Server;
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/S3SecretManagerImpl.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/S3SecretManagerImpl.java
index 7397d7782d0e..9e15c42bd440 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/S3SecretManagerImpl.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/S3SecretManagerImpl.java
@@ -20,14 +20,14 @@
import com.google.common.base.Preconditions;
import org.apache.commons.lang3.StringUtils;
-import org.apache.hadoop.hdds.security.OzoneSecurityException;
+import org.apache.hadoop.hdds.security.exception.OzoneSecurityException;
import org.apache.hadoop.ozone.om.helpers.S3SecretValue;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.IOException;
-import static org.apache.hadoop.hdds.security.OzoneSecurityException.ResultCodes.S3_SECRET_NOT_FOUND;
+import static org.apache.hadoop.hdds.security.exception.OzoneSecurityException.ResultCodes.S3_SECRET_NOT_FOUND;
/**
* S3 Secret manager.
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/OzoneManagerRatisServer.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/OzoneManagerRatisServer.java
index ae8749b3cf37..b36118b37e26 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/OzoneManagerRatisServer.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/OzoneManagerRatisServer.java
@@ -45,7 +45,7 @@
import org.apache.hadoop.hdds.conf.ConfigurationSource;
import org.apache.hadoop.hdds.conf.StorageUnit;
import org.apache.hadoop.hdds.ratis.RatisHelper;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.tracing.TracingUtil;
import org.apache.hadoop.ipc.ProtobufRpcEngine.Server;
@@ -877,7 +877,7 @@ public RaftGroupId getRaftGroupId() {
private static Parameters createServerTlsParameters(SecurityConfig conf,
CertificateClient caClient) throws IOException {
- GrpcTlsConfig config = createServerTlsConfig(conf, caClient, true);
+ GrpcTlsConfig config = createServerTlsConfig(conf, caClient);
return config == null ? null : RatisHelper.setServerTlsConf(config);
}
}
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/utils/OzoneManagerRatisUtils.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/utils/OzoneManagerRatisUtils.java
index 595cf80b4df2..df2a730f1a80 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/utils/OzoneManagerRatisUtils.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/utils/OzoneManagerRatisUtils.java
@@ -25,8 +25,8 @@
import org.apache.hadoop.hdds.conf.ConfigurationSource;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.ssl.KeyStoresFactory;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.server.ServerUtils;
import org.apache.hadoop.hdds.utils.HAUtils;
@@ -478,11 +478,11 @@ public static void checkLeaderStatus(OzoneManager ozoneManager)
}
public static GrpcTlsConfig createServerTlsConfig(SecurityConfig conf,
- CertificateClient caClient, boolean mutualTls) throws IOException {
+ CertificateClient caClient) throws IOException {
if (conf.isSecurityEnabled() && conf.isGrpcTlsEnabled()) {
KeyStoresFactory serverKeyFactory = caClient.getServerKeyStoresFactory();
return new GrpcTlsConfig(serverKeyFactory.getKeyManagers()[0],
- serverKeyFactory.getTrustManagers()[0], mutualTls);
+ serverKeyFactory.getTrustManagers()[0], true);
}
return null;
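Review bot: createServerTlsConfig now hard-codes `true` for the GrpcTlsConfig mutual-TLS argument and loses the parameter that named it, without any Javadoc saying that peer certificates are always required; both existing callers already passed `true` (@@ -3080 in OzoneManager and @@ -877 in OzoneManagerRatisServer), so behavior is unchanged, but the contract is now invisible at the call sites. Add a Javadoc such as `/** Builds the Ratis gRPC server TLS config, or returns null when security or gRPC TLS is disabled. Mutual TLS is always enabled, so connecting peers must present a certificate trusted by the CA. */` and consider replacing the literal with a named constant, e.g. `private static final boolean MUTUAL_TLS = true;`. The method's closing brace is outside the hunk.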
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OMCertificateClient.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OMCertificateClient.java
index 73d54d0e7a6c..88312cacf403 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OMCertificateClient.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OMCertificateClient.java
@@ -22,14 +22,14 @@
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CAType;
import org.apache.hadoop.hdds.security.x509.certificate.client.CommonCertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest;
import org.apache.hadoop.hdds.security.x509.exception.CertificateException;
import org.apache.hadoop.ozone.om.OMStorage;
-import org.apache.hadoop.ozone.om.ha.OMHANodeDetails;
import org.apache.hadoop.security.UserGroupInformation;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.slf4j.Logger;
@@ -41,7 +41,6 @@
import java.util.function.Consumer;
import static org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest.getEncodedString;
-import static org.apache.hadoop.ozone.om.OzoneManager.getOmDetailsProto;
/**
* Certificate client for OzoneManager.
@@ -52,23 +51,28 @@ public class OMCertificateClient extends CommonCertificateClient {
LoggerFactory.getLogger(OMCertificateClient.class);
public static final String COMPONENT_NAME = "om";
+ private String serviceId;
private String scmID;
private final String clusterID;
private final HddsProtos.OzoneManagerDetailsProto omInfo;
+ @SuppressWarnings("checkstyle:ParameterNumber")
public OMCertificateClient(
SecurityConfig secConfig,
+ SCMSecurityProtocolClientSideTranslatorPB scmSecurityClient,
OMStorage omStorage,
+ HddsProtos.OzoneManagerDetailsProto omInfo,
+ String serviceId,
String scmID,
Consumer saveCertIdCallback,
Runnable shutdownCallback
) {
- super(secConfig, LOG, omStorage.getOmCertSerialId(), COMPONENT_NAME,
- saveCertIdCallback, shutdownCallback);
+ super(secConfig, scmSecurityClient, LOG, omStorage.getOmCertSerialId(),
+ COMPONENT_NAME, saveCertIdCallback, shutdownCallback);
+ this.serviceId = serviceId;
this.scmID = scmID;
this.clusterID = omStorage.getClusterID();
- this.omInfo =
- getOmDetailsProto(secConfig.getConfiguration(), omStorage.getOmId());
+ this.omInfo = omInfo;
}
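Review bot: The constructor gains `scmSecurityClient`, `omInfo` and `serviceId` without any Javadoc, and `serviceId` is only assigned here yet is declared non-final; `private final String serviceId;` would match `clusterID` and `omInfo`. The Javadoc should state that `serviceId` is the OM HA service id added to the CSR as a service name and that an empty or null value skips it, and what a null `scmSecurityClient` means, since every test in this patch passes null for it. `omInfo` is stored without a null check although the test at @@ -149 in TestOzoneDelegationTokenSecretManager passes null, so either `Objects.requireNonNull(omInfo, "omInfo")` or an explicit nullability note would make the contract clear. The class continues outside the hunk.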
/**
@@ -101,17 +105,13 @@ public CertificateSignRequest.Builder getCSRBuilder()
builder.setCA(false)
.setKey(new KeyPair(getPublicKey(), getPrivateKey()))
- .setConfiguration(getConfig())
+ .setConfiguration(getSecurityConfig())
.setScmID(scmID)
.setClusterID(clusterID)
.setSubject(subject);
- OMHANodeDetails haOMHANodeDetails =
- OMHANodeDetails.loadOMHAConfig(getConfig());
- String serviceName =
- haOMHANodeDetails.getLocalNodeDetails().getServiceId();
- if (!StringUtils.isEmpty(serviceName)) {
- builder.addServiceName(serviceName);
+ if (!StringUtils.isEmpty(serviceId)) {
+ builder.addServiceName(serviceId);
}
LOG.info("Creating csr for OM->dns:{},ip:{},scmId:{},clusterId:{}," +
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
index a823d4a1c3d4..23d529daa7d5 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
@@ -31,7 +31,7 @@
import org.apache.hadoop.hdds.annotation.InterfaceStability;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.security.OzoneSecretManager;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.exception.CertificateException;
import org.apache.hadoop.io.Text;
diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/ratis/TestOzoneManagerRatisServer.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/ratis/TestOzoneManagerRatisServer.java
index 479c5dcae7e6..2aa74c4c1de0 100644
--- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/ratis/TestOzoneManagerRatisServer.java
+++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/ratis/TestOzoneManagerRatisServer.java
@@ -29,8 +29,9 @@
import org.apache.hadoop.hdds.HddsConfigKeys;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.utils.TransactionInfo;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.ozone.om.OMStorage;
import org.apache.hadoop.ozone.security.OMCertificateClient;
import org.apache.hadoop.ozone.OmUtils;
@@ -128,8 +129,11 @@ public void init() throws Exception {
when(ozoneManager.getSnapshotInfo()).thenReturn(omRatisSnapshotInfo);
when(ozoneManager.getConfiguration()).thenReturn(conf);
secConfig = new SecurityConfig(conf);
+ HddsProtos.OzoneManagerDetailsProto omInfo =
+ OzoneManager.getOmDetailsProto(conf, omID);
certClient =
- new OMCertificateClient(secConfig, omStorage, null, null, null);
+ new OMCertificateClient(
+ secConfig, null, omStorage, omInfo, "", null, null, null);
omRatisServer = OzoneManagerRatisServer.newOMRatisServer(conf, ozoneManager,
omNodeDetails, Collections.emptyMap(), secConfig, certClient, false);
omRatisServer.start();
diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOmCertificateClientInit.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOmCertificateClientInit.java
index d384e855cc0a..7bbd2d390bb2 100644
--- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOmCertificateClientInit.java
+++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOmCertificateClientInit.java
@@ -20,13 +20,15 @@
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.apache.hadoop.hdds.security.x509.keys.KeyCodec;
import org.apache.hadoop.ozone.OzoneSecurityUtil;
import org.apache.hadoop.ozone.om.OMStorage;
+import org.apache.hadoop.ozone.om.OzoneManager;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.apache.ozone.test.GenericTestUtils;
import org.bouncycastle.cert.X509CertificateHolder;
@@ -101,8 +103,11 @@ public void setUp() throws Exception {
when(storage.getOmCertSerialId()).thenReturn(certSerialId);
when(storage.getClusterID()).thenReturn("test");
when(storage.getOmId()).thenReturn(UUID.randomUUID().toString());
+ HddsProtos.OzoneManagerDetailsProto omInfo =
+ OzoneManager.getOmDetailsProto(config, storage.getOmId());
omCertificateClient =
- new OMCertificateClient(securityConfig, storage, null, null, null);
+ new OMCertificateClient(
+ securityConfig, null, storage, omInfo, "", null, null, null);
omKeyCodec = new KeyCodec(securityConfig, OM_COMPONENT);
Files.createDirectories(securityConfig.getKeyLocation(OM_COMPONENT));
diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneDelegationTokenSecretManager.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneDelegationTokenSecretManager.java
index c2a4008714dd..0325f6531661 100644
--- a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneDelegationTokenSecretManager.java
+++ b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneDelegationTokenSecretManager.java
@@ -32,7 +32,7 @@
import com.google.common.collect.ImmutableList;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.server.ServerUtils;
@@ -149,7 +149,7 @@ private CertificateClient setupCertificateClient() throws Exception {
when(omStorage.getClusterID()).thenReturn("test");
when(omStorage.getOmId()).thenReturn(UUID.randomUUID().toString());
return new OMCertificateClient(
- securityConfig, omStorage, null, null, null) {
+ securityConfig, null, omStorage, null, "", null, null, null) {
@Override
public CertPath getCertPath() {
return certPath;
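Review bot: This call passes `null` for omInfo while the other tests updated in this patch compute it via `OzoneManager.getOmDetailsProto(...)`; the OM details presumably feed the CSR subject and SANs built in `getCSRBuilder` (the use is outside this patch), so anything in this test that reaches CSR creation would fail on the null. For consistency with the sibling tests, build it from the test's configuration and `omStorage.getOmId()` instead of passing null, or add a comment stating that this client never builds a CSR. The anonymous subclass continues outside the hunk.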
diff --git a/hadoop-ozone/ozonefs-common/src/main/java/org/apache/hadoop/fs/ozone/BasicOzoneClientAdapterImpl.java b/hadoop-ozone/ozonefs-common/src/main/java/org/apache/hadoop/fs/ozone/BasicOzoneClientAdapterImpl.java
index 4905fd1d305f..b74deb9f2ed8 100644
--- a/hadoop-ozone/ozonefs-common/src/main/java/org/apache/hadoop/fs/ozone/BasicOzoneClientAdapterImpl.java
+++ b/hadoop-ozone/ozonefs-common/src/main/java/org/apache/hadoop/fs/ozone/BasicOzoneClientAdapterImpl.java
@@ -43,7 +43,7 @@
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocol.DatanodeDetails;
import org.apache.hadoop.hdds.scm.OzoneClientConfig;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdfs.protocol.SnapshotDiffReport;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.ozone.OFSPath;
diff --git a/hadoop-ozone/ozonefs-common/src/main/java/org/apache/hadoop/fs/ozone/BasicRootedOzoneClientAdapterImpl.java b/hadoop-ozone/ozonefs-common/src/main/java/org/apache/hadoop/fs/ozone/BasicRootedOzoneClientAdapterImpl.java
index 382f1df3856b..993f222aa4c6 100644
--- a/hadoop-ozone/ozonefs-common/src/main/java/org/apache/hadoop/fs/ozone/BasicRootedOzoneClientAdapterImpl.java
+++ b/hadoop-ozone/ozonefs-common/src/main/java/org/apache/hadoop/fs/ozone/BasicRootedOzoneClientAdapterImpl.java
@@ -50,7 +50,7 @@
import org.apache.hadoop.hdds.protocol.DatanodeDetails;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.scm.OzoneClientConfig;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdfs.protocol.SnapshotDiffReport;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.ozone.OFSPath;
diff --git a/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/ReconServer.java b/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/ReconServer.java
index a719508237a8..9c6e81acc9c8 100644
--- a/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/ReconServer.java
+++ b/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/ReconServer.java
@@ -25,9 +25,10 @@
import org.apache.hadoop.hdds.StringUtils;
import org.apache.hadoop.hdds.cli.GenericCli;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
import org.apache.hadoop.hdds.recon.ReconConfig;
import org.apache.hadoop.hdds.scm.server.OzoneStorageContainerManager;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.ozone.recon.api.types.FeatureProvider;
import org.apache.hadoop.ozone.recon.security.ReconCertificateClient;
@@ -58,8 +59,10 @@
import static org.apache.hadoop.hdds.ratis.RatisHelper.newJvmPauseMonitor;
import static org.apache.hadoop.hdds.recon.ReconConfig.ConfigStrings.OZONE_RECON_KERBEROS_KEYTAB_FILE_KEY;
import static org.apache.hadoop.hdds.recon.ReconConfig.ConfigStrings.OZONE_RECON_KERBEROS_PRINCIPAL_KEY;
+import static org.apache.hadoop.hdds.utils.HddsServerUtil.getScmSecurityClientWithMaxRetry;
import static org.apache.hadoop.ozone.common.Storage.StorageState.INITIALIZED;
import static org.apache.hadoop.ozone.conf.OzoneServiceConfig.DEFAULT_SHUTDOWN_HOOK_PRIORITY;
+import static org.apache.hadoop.security.UserGroupInformation.getCurrentUser;
import static org.apache.hadoop.util.ExitUtil.terminate;
/**
@@ -120,7 +123,7 @@ public Void call() throws Exception {
if (OzoneSecurityUtil.isSecurityEnabled(configuration)) {
LOG.info("ReconStorageConfig initialized." +
"Initializing certificate.");
- initializeCertificateClient(configuration);
+ initializeCertificateClient();
}
} catch (Exception e) {
LOG.error("Error during initializing Recon certificate", e);
@@ -172,11 +175,14 @@ public Void call() throws Exception {
/**
* Initializes secure Recon.
* */
- private void initializeCertificateClient(OzoneConfiguration conf)
+ private void initializeCertificateClient()
throws IOException {
LOG.info("Initializing secure Recon.");
- certClient = new ReconCertificateClient(new SecurityConfig(configuration),
- reconStorage, this::saveNewCertId, null);
+ SCMSecurityProtocolClientSideTranslatorPB scmSecurityClient =
+ getScmSecurityClientWithMaxRetry(configuration, getCurrentUser());
+ SecurityConfig secConf = new SecurityConfig(configuration);
+ certClient = new ReconCertificateClient(secConf, scmSecurityClient,
+ reconStorage, this::saveNewCertId, this::terminateRecon);
CertificateClient.InitResponse response = certClient.init();
if (response.equals(CertificateClient.InitResponse.REINIT)) {
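Review bot: The `scmSecurityClient` obtained at `getScmSecurityClientWithMaxRetry(configuration, getCurrentUser())` is handed to the certificate client but nothing in this method says who owns it or closes it; it wraps an RPC proxy, so presumably it is `Closeable`, and Recon's shutdown path (outside this hunk) would then need to stop it unless `ReconCertificateClient.close()` is documented as doing so. The call also assumes `getCurrentUser()` is already the Kerberos-logged-in Recon principal, which is established elsewhere; a comment such as `// Requires the Recon service login to have completed: the SCM security client authenticates as the current UGI.` would make that precondition explicit. Note also that `this::terminateRecon` is now wired on the first client where the old code passed `null`, so a failure during the initial certificate bootstrap can terminate the process instead of surfacing through the caller's catch block; worth confirming that is intended.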
@@ -184,7 +190,7 @@ private void initializeCertificateClient(OzoneConfiguration conf)
certClient.close();
reconStorage.unsetReconCertSerialId();
reconStorage.persistCurrentState();
- certClient = new ReconCertificateClient(new SecurityConfig(configuration),
+ certClient = new ReconCertificateClient(secConf, scmSecurityClient,
reconStorage, this::saveNewCertId, this::terminateRecon);
response = certClient.init();
}
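Review bot: The REINIT branch calls `certClient.close()` and then builds the second `ReconCertificateClient` with the same `scmSecurityClient` instance; whether that is safe depends on `CommonCertificateClient.close()` (not visible here) leaving the injected RPC client open. If it shuts it down, the second `init()` would talk to SCM over a closed proxy. Either document on the constructor that the caller retains ownership of `scmSecurityClient`, or obtain a fresh one before the retry, e.g. `scmSecurityClient = getScmSecurityClientWithMaxRetry(configuration, getCurrentUser());` inside the REINIT branch.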
diff --git a/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/security/ReconCertificateClient.java b/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/security/ReconCertificateClient.java
index 5850c44baeef..2a78ddae23b3 100644
--- a/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/security/ReconCertificateClient.java
+++ b/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/security/ReconCertificateClient.java
@@ -19,7 +19,8 @@
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CAType;
import org.apache.hadoop.hdds.security.x509.certificate.client.CommonCertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
@@ -54,10 +55,11 @@ public class ReconCertificateClient extends CommonCertificateClient {
public ReconCertificateClient(
SecurityConfig config,
+ SCMSecurityProtocolClientSideTranslatorPB scmSecurityClient,
ReconStorageConfig storage,
Consumer saveCertIdCallback,
Runnable shutdownCallback) {
- super(config, LOG, storage.getReconCertSerialId(),
+ super(config, scmSecurityClient, LOG, storage.getReconCertSerialId(),
COMPONENT_NAME, saveCertIdCallback, shutdownCallback);
this.clusterID = storage.getClusterID();
this.reconID = storage.getReconId();
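Review bot: The constructor gains a `scmSecurityClient` parameter with no Javadoc, and the two visible callers disagree on its lifecycle (one holds it for the life of the server, the other creates it per snapshot download), so the ownership contract needs to be stated here. Suggested Javadoc on the constructor: `@param scmSecurityClient client for SCM's security protocol, used for certificate requests; the caller owns it and is responsible for closing it — TODO confirm against CommonCertificateClient.close()`. Whether `null` is tolerated should also be stated, since sibling test code in this patch passes `null` for the equivalent argument. The constructor body continues past the end of this hunk.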
@@ -75,7 +77,7 @@ public CertificateSignRequest.Builder getCSRBuilder()
builder.setCA(false)
.setKey(new KeyPair(getPublicKey(), getPrivateKey()))
- .setConfiguration(getConfig())
+ .setConfiguration(getSecurityConfig())
.setSubject(subject);
return builder;
diff --git a/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/spi/impl/StorageContainerServiceProviderImpl.java b/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/spi/impl/StorageContainerServiceProviderImpl.java
index 9cf83cd10a77..8e242ad53f52 100644
--- a/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/spi/impl/StorageContainerServiceProviderImpl.java
+++ b/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/spi/impl/StorageContainerServiceProviderImpl.java
@@ -19,12 +19,14 @@
package org.apache.hadoop.ozone.recon.spi.impl;
import static org.apache.hadoop.hdds.scm.server.SCMHTTPServerConfig.ConfigStrings.HDDS_SCM_HTTP_AUTH_TYPE;
+import static org.apache.hadoop.hdds.utils.HddsServerUtil.getScmSecurityClientWithMaxRetry;
import static org.apache.hadoop.ozone.OzoneConsts.OZONE_DB_CHECKPOINT_HTTP_ENDPOINT;
import static org.apache.hadoop.ozone.recon.ReconConstants.RECON_SCM_SNAPSHOT_DB;
import static org.apache.hadoop.ozone.recon.ReconServerConfigKeys.OZONE_RECON_SCM_CONNECTION_REQUEST_TIMEOUT;
import static org.apache.hadoop.ozone.recon.ReconServerConfigKeys.OZONE_RECON_SCM_CONNECTION_REQUEST_TIMEOUT_DEFAULT;
import static org.apache.hadoop.ozone.recon.ReconServerConfigKeys.OZONE_RECON_SCM_CONNECTION_TIMEOUT;
import static org.apache.hadoop.ozone.recon.ReconServerConfigKeys.OZONE_RECON_SCM_CONNECTION_TIMEOUT_DEFAULT;
+import static org.apache.hadoop.security.UserGroupInformation.getCurrentUser;
import java.io.File;
import java.io.IOException;
@@ -40,6 +42,7 @@
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
+import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
import org.apache.hadoop.hdds.scm.ScmConfigKeys;
import org.apache.hadoop.hdds.scm.container.ContainerInfo;
import org.apache.hadoop.hdds.scm.container.common.helpers.ContainerWithPipeline;
@@ -48,8 +51,7 @@
import org.apache.hadoop.hdds.scm.ha.SCMSnapshotDownloader;
import org.apache.hadoop.hdds.scm.pipeline.Pipeline;
import org.apache.hadoop.hdds.scm.protocol.StorageContainerLocationProtocol;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
-import org.apache.hadoop.ozone.recon.security.ReconCertificateClient;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.server.http.HttpConfig;
import org.apache.hadoop.hdds.utils.db.DBCheckpoint;
import org.apache.hadoop.hdds.utils.db.RocksDBCheckpoint;
@@ -57,6 +59,7 @@
import org.apache.hadoop.ozone.ClientVersion;
import org.apache.hadoop.ozone.recon.ReconUtils;
import org.apache.hadoop.ozone.recon.scm.ReconStorageConfig;
+import org.apache.hadoop.ozone.recon.security.ReconCertificateClient;
import org.apache.hadoop.ozone.recon.spi.StorageContainerServiceProvider;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.ratis.proto.RaftProtos;
@@ -199,9 +202,12 @@ connectionFactory, getScmDBSnapshotUrl(),
ScmConfigKeys.OZONE_SCM_GRPC_PORT_DEFAULT);
SecurityConfig secConf = new SecurityConfig(configuration);
+ SCMSecurityProtocolClientSideTranslatorPB scmSecurityClient =
+ getScmSecurityClientWithMaxRetry(
+ configuration, getCurrentUser());
try (ReconCertificateClient certClient =
new ReconCertificateClient(
- secConf, reconStorage, null, null);
+ secConf, scmSecurityClient, reconStorage, null, null);
SCMSnapshotDownloader downloadClient = new InterSCMGrpcClient(
hostAddress, grpcPort, configuration, certClient)) {
downloadClient.download(targetFile.toPath()).get();
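Review bot: The `scmSecurityClient` created just before the try-with-resources is not one of its resources, so every SCM DB snapshot download builds a new RPC client that is never closed, while `certClient` and `downloadClient` are. If `SCMSecurityProtocolClientSideTranslatorPB` is `Closeable` (it wraps an RPC proxy, so presumably yes), declare it as the first resource: `try (SCMSecurityProtocolClientSideTranslatorPB scmSecurityClient = getScmSecurityClientWithMaxRetry(configuration, getCurrentUser());` followed by the existing `ReconCertificateClient` and `SCMSnapshotDownloader` resources. The enclosing method starts outside this hunk, so check that its `throws` clause already covers the `IOException` from `getCurrentUser()`.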
diff --git a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/OzoneClientCache.java b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/OzoneClientCache.java
index 4a7c4a21424a..4f08527668c0 100644
--- a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/OzoneClientCache.java
+++ b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/OzoneClientCache.java
@@ -19,7 +19,7 @@
import org.apache.hadoop.ozone.OmUtils;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.ozone.client.OzoneClient;
import org.apache.hadoop.ozone.client.OzoneClientFactory;
import org.apache.hadoop.ozone.om.protocol.S3Auth;