You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by ae...@apache.org on 2019/09/20 05:49:47 UTC
[hadoop] branch trunk updated: HDDS-2020. Remove mTLS from Ozone
GRPC. Contributed by Xiaoyu Yao.
This is an automated email from the ASF dual-hosted git repository.
aengineer pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/trunk by this push:
new d072d33 HDDS-2020. Remove mTLS from Ozone GRPC. Contributed by Xiaoyu Yao.
d072d33 is described below
commit d072d3304ce3fe33e22bb703839b41ab5107ad42
Author: Xiaoyu Yao <xy...@apache.org>
AuthorDate: Wed Aug 28 08:56:33 2019 -0700
HDDS-2020. Remove mTLS from Ozone GRPC. Contributed by Xiaoyu Yao.
Signed-off-by: Anu Engineer <ae...@apache.org>
---
.../apache/hadoop/hdds/scm/XceiverClientGrpc.java | 32 +++--
.../hadoop/hdds/scm/XceiverClientManager.java | 28 ++++-
.../apache/hadoop/hdds/scm/XceiverClientRatis.java | 9 +-
.../org/apache/hadoop/hdds/HddsConfigKeys.java | 26 +---
.../org/apache/hadoop/hdds/ratis/RatisHelper.java | 60 ++++++---
.../hadoop/hdds/security/x509/SecurityConfig.java | 137 ---------------------
.../x509/certificate/client/CertificateClient.java | 6 +
.../client/DefaultCertificateClient.java | 31 ++++-
.../common/src/main/resources/ozone-default.xml | 27 ----
.../container/common/helpers/ContainerMetrics.java | 9 +-
.../common/transport/server/XceiverServerGrpc.java | 16 +--
.../transport/server/ratis/XceiverServerRatis.java | 4 +-
.../ozone/container/ozoneimpl/OzoneContainer.java | 1 +
.../apache/hadoop/hdds/server/ProfileServlet.java | 1 -
.../hadoop/hdds/server/TestProfileServlet.java | 11 +-
.../hadoop/hdds/scm/pipeline/PipelineFactory.java | 5 +-
.../hadoop/hdds/scm/pipeline/PipelineManager.java | 2 +
.../hdds/scm/pipeline/PipelineReportHandler.java | 3 +-
.../hdds/scm/pipeline/RatisPipelineProvider.java | 9 +-
.../hdds/scm/pipeline/RatisPipelineUtils.java | 15 +--
.../hdds/scm/pipeline/SCMPipelineManager.java | 15 ++-
.../hdds/scm/server/StorageContainerManager.java | 13 +-
.../container/TestCloseContainerEventHandler.java | 2 +-
.../scm/container/TestSCMContainerManager.java | 2 +-
.../hdds/scm/node/TestContainerPlacement.java | 10 +-
.../scm/pipeline/MockRatisPipelineProvider.java | 2 +-
.../safemode/TestHealthyPipelineSafeModeRule.java | 6 +-
.../TestOneReplicaPipelineSafeModeRule.java | 2 +-
.../hdds/scm/safemode/TestSCMSafeModeManager.java | 10 +-
.../ozone/client/OzoneMultipartUploadList.java | 1 -
.../apache/hadoop/ozone/client/rpc/RpcClient.java | 54 ++------
.../apache/hadoop/ozone/om/OMMetadataManager.java | 1 -
.../ozone/om/helpers/OmMultipartKeyInfo.java | 3 -
.../ozone/om/helpers/OmMultipartUploadList.java | 3 -
.../om/helpers/OmMultipartUploadListParts.java | 1 -
...MultipartUploadList.java => ServiceInfoEx.java} | 30 ++---
.../ozone/om/protocol/OzoneManagerProtocol.java | 9 +-
...OzoneManagerProtocolClientSideTranslatorPB.java | 21 +++-
.../src/main/proto/OzoneManagerProtocol.proto | 3 +
.../hdds/scm/pipeline/TestSCMPipelineManager.java | 15 ++-
.../hadoop/ozone/TestStorageContainerManager.java | 23 ++--
.../ozone/client/CertificateClientTestImpl.java | 7 +-
.../rpc/TestContainerReplicationEndToEnd.java | 10 +-
.../ozoneimpl/TestOzoneContainerWithTLS.java | 104 +++++++++-------
.../hadoop/ozone/scm/TestXceiverClientManager.java | 6 +-
.../java/org/apache/hadoop/ozone/om/OMMetrics.java | 1 -
.../org/apache/hadoop/ozone/om/OzoneManager.java | 11 ++
.../protocolPB/OzoneManagerRequestHandler.java | 6 +-
48 files changed, 375 insertions(+), 428 deletions(-)
diff --git a/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientGrpc.java b/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientGrpc.java
index d8daaa7..b31da05 100644
--- a/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientGrpc.java
+++ b/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientGrpc.java
@@ -52,8 +52,8 @@ import org.apache.ratis.thirdparty.io.netty.handler.ssl.SslContextBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import java.io.File;
import java.io.IOException;
+import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
@@ -80,6 +80,7 @@ public class XceiverClientGrpc extends XceiverClientSpi {
private boolean closed = false;
private SecurityConfig secConfig;
private final boolean topologyAwareRead;
+ private X509Certificate caCert;
/**
* Constructs a client that can communicate with the Container framework on
@@ -87,8 +88,10 @@ public class XceiverClientGrpc extends XceiverClientSpi {
*
* @param pipeline - Pipeline that defines the machines.
* @param config -- Ozone Config
+ * @param caCert - SCM ca certificate.
*/
- public XceiverClientGrpc(Pipeline pipeline, Configuration config) {
+ public XceiverClientGrpc(Pipeline pipeline, Configuration config,
+ X509Certificate caCert) {
super();
Preconditions.checkNotNull(pipeline);
Preconditions.checkNotNull(config);
@@ -103,6 +106,18 @@ public class XceiverClientGrpc extends XceiverClientSpi {
this.topologyAwareRead = config.getBoolean(
OzoneConfigKeys.OZONE_NETWORK_TOPOLOGY_AWARE_READ_KEY,
OzoneConfigKeys.OZONE_NETWORK_TOPOLOGY_AWARE_READ_DEFAULT);
+ this.caCert = caCert;
+ }
+
+ /**
+ * Constructs a client that can communicate with the Container framework on
+ * data nodes.
+ *
+ * @param pipeline - Pipeline that defines the machines.
+ * @param config -- Ozone Config
+ */
+ public XceiverClientGrpc(Pipeline pipeline, Configuration config) {
+ this(pipeline, config, null);
}
/**
@@ -151,19 +166,10 @@ public class XceiverClientGrpc extends XceiverClientSpi {
.intercept(new ClientCredentialInterceptor(userName, encodedToken),
new GrpcClientInterceptor());
if (secConfig.isGrpcTlsEnabled()) {
- File trustCertCollectionFile = secConfig.getTrustStoreFile(COMPONENT);
- File privateKeyFile = secConfig.getClientPrivateKeyFile(COMPONENT);
- File clientCertChainFile = secConfig.getClientCertChainFile(COMPONENT);
-
SslContextBuilder sslContextBuilder = GrpcSslContexts.forClient();
- if (trustCertCollectionFile != null) {
- sslContextBuilder.trustManager(trustCertCollectionFile);
- }
- if (secConfig.isGrpcMutualTlsRequired() && clientCertChainFile != null
- && privateKeyFile != null) {
- sslContextBuilder.keyManager(clientCertChainFile, privateKeyFile);
+ if (caCert != null) {
+ sslContextBuilder.trustManager(caCert);
}
-
if (secConfig.useTestCert()) {
channelBuilder.overrideAuthority("localhost");
}
diff --git a/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientManager.java b/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientManager.java
index f906ab6..ebed288 100644
--- a/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientManager.java
+++ b/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientManager.java
@@ -31,6 +31,8 @@ import org.apache.hadoop.hdds.conf.ConfigType;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.scm.pipeline.Pipeline;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
+import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
+import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.ozone.OzoneConfigKeys;
import org.apache.hadoop.ozone.OzoneSecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
@@ -39,6 +41,8 @@ import org.slf4j.LoggerFactory;
import java.io.Closeable;
import java.io.IOException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
@@ -65,6 +69,7 @@ public class XceiverClientManager implements Closeable {
private final Configuration conf;
private final Cache<String, XceiverClientSpi> clientCache;
private final boolean useRatis;
+ private X509Certificate caCert;
private static XceiverClientMetrics metrics;
private boolean isSecurityEnabled;
@@ -74,11 +79,13 @@ public class XceiverClientManager implements Closeable {
*
* @param conf configuration
*/
- public XceiverClientManager(Configuration conf) {
- this(conf, OzoneConfiguration.of(conf).getObject(ScmClientConfig.class));
+ public XceiverClientManager(Configuration conf) throws IOException {
+ this(conf, OzoneConfiguration.of(conf).getObject(ScmClientConfig.class),
+ null);
}
- public XceiverClientManager(Configuration conf, ScmClientConfig clientConf) {
+ public XceiverClientManager(Configuration conf, ScmClientConfig clientConf,
+ String caCertPem) throws IOException {
Preconditions.checkNotNull(clientConf);
Preconditions.checkNotNull(conf);
long staleThresholdMs = clientConf.getStaleThreshold(MILLISECONDS);
@@ -87,6 +94,16 @@ public class XceiverClientManager implements Closeable {
ScmConfigKeys.DFS_CONTAINER_RATIS_ENABLED_DEFAULT);
this.conf = conf;
this.isSecurityEnabled = OzoneSecurityUtil.isSecurityEnabled(conf);
+ if (isSecurityEnabled) {
+ Preconditions.checkNotNull(caCertPem);
+ try {
+ this.caCert = CertificateCodec.getX509Cert(caCertPem);
+ } catch (CertificateException ex) {
+ throw new SCMSecurityException("Error: Fail to get SCM CA certificate",
+ ex);
+ }
+ }
+
this.clientCache = CacheBuilder.newBuilder()
.expireAfterAccess(staleThresholdMs, MILLISECONDS)
.maximumSize(clientConf.getMaxSize())
@@ -211,11 +228,12 @@ public class XceiverClientManager implements Closeable {
XceiverClientSpi client = null;
switch (type) {
case RATIS:
- client = XceiverClientRatis.newXceiverClientRatis(pipeline, conf);
+ client = XceiverClientRatis.newXceiverClientRatis(pipeline, conf,
+ caCert);
client.connect();
break;
case STAND_ALONE:
- client = new XceiverClientGrpc(pipeline, conf);
+ client = new XceiverClientGrpc(pipeline, conf, caCert);
break;
case CHAINED:
default:
diff --git a/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientRatis.java b/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientRatis.java
index 3d83675..d234a3f 100644
--- a/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientRatis.java
+++ b/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientRatis.java
@@ -19,6 +19,7 @@
package org.apache.hadoop.hdds.scm;
import java.io.IOException;
+import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
@@ -78,6 +79,12 @@ public final class XceiverClientRatis extends XceiverClientSpi {
public static XceiverClientRatis newXceiverClientRatis(
org.apache.hadoop.hdds.scm.pipeline.Pipeline pipeline,
Configuration ozoneConf) {
+ return newXceiverClientRatis(pipeline, ozoneConf, null);
+ }
+
+ public static XceiverClientRatis newXceiverClientRatis(
+ org.apache.hadoop.hdds.scm.pipeline.Pipeline pipeline,
+ Configuration ozoneConf, X509Certificate caCert) {
final String rpcType = ozoneConf
.get(ScmConfigKeys.DFS_CONTAINER_RATIS_RPC_TYPE_KEY,
ScmConfigKeys.DFS_CONTAINER_RATIS_RPC_TYPE_DEFAULT);
@@ -87,7 +94,7 @@ public final class XceiverClientRatis extends XceiverClientSpi {
HddsClientUtils.getMaxOutstandingRequests(ozoneConf);
final RetryPolicy retryPolicy = RatisHelper.createRetryPolicy(ozoneConf);
final GrpcTlsConfig tlsConfig = RatisHelper.createTlsClientConfig(new
- SecurityConfig(ozoneConf));
+ SecurityConfig(ozoneConf), caCert);
return new XceiverClientRatis(pipeline,
SupportedRpcType.valueOfIgnoreCase(rpcType), maxOutstandingRequests,
retryPolicy, tlsConfig, clientRequestTimeout);
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsConfigKeys.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsConfigKeys.java
index 394eed7..99972ae 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsConfigKeys.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsConfigKeys.java
@@ -176,34 +176,18 @@ public final class HddsConfigKeys {
private HddsConfigKeys() {
}
+ // Enable TLS for GRPC clients/server in ozone.
public static final String HDDS_GRPC_TLS_ENABLED = "hdds.grpc.tls.enabled";
public static final boolean HDDS_GRPC_TLS_ENABLED_DEFAULT = false;
- public static final String HDDS_GRPC_MUTUAL_TLS_REQUIRED =
- "hdds.grpc.mutual.tls.required";
- public static final boolean HDDS_GRPC_MUTUAL_TLS_REQUIRED_DEFAULT = false;
-
+ // Choose TLS provider the default is set to OPENSSL for better performance.
public static final String HDDS_GRPC_TLS_PROVIDER = "hdds.grpc.tls.provider";
public static final String HDDS_GRPC_TLS_PROVIDER_DEFAULT = "OPENSSL";
- public static final String HDDS_TRUST_STORE_FILE_NAME =
- "hdds.trust.cert.collection.file.name";
- public static final String HDDS_TRUST_STORE_FILE_NAME_DEFAULT = "ca.crt";
-
- public static final String
- HDDS_SERVER_CERTIFICATE_CHAIN_FILE_NAME =
- "hdds.server.cert.chain.file.name";
- public static final String
- HDDS_SERVER_CERTIFICATE_CHAIN_FILE_NAME_DEFAULT = "server.crt";
-
- public static final String
- HDDS_CLIENT_CERTIFICATE_CHAIN_FILE_NAME =
- "hdds.client.cert.chain.file.name";
- public static final String
- HDDS_CLIENT_CERTIFICATE_CHAIN_FILE_NAME_DEFAULT = "client.crt";
-
+ // Test only settings for using test signed certificate, authority assume to
+ // be localhost.
public static final String HDDS_GRPC_TLS_TEST_CERT = "hdds.grpc.tls" +
- ".test_cert";
+ ".test.cert";
public static final boolean HDDS_GRPC_TLS_TEST_CERT_DEFAULT = false;
// Comma separated acls (users, groups) allowing clients accessing
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/ratis/RatisHelper.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/ratis/RatisHelper.java
index ea73a28..3ad4e2e 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/ratis/RatisHelper.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/ratis/RatisHelper.java
@@ -19,6 +19,8 @@
package org.apache.hadoop.hdds.ratis;
import java.io.IOException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
@@ -31,7 +33,11 @@ import java.util.stream.Collectors;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hdds.protocol.DatanodeDetails;
import org.apache.hadoop.hdds.scm.pipeline.Pipeline;
+import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer;
+import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
+import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.ozone.OzoneConfigKeys;
import org.apache.hadoop.ozone.OzoneConsts;
@@ -200,29 +206,47 @@ public interface RatisHelper {
return builder.build();
}
- static GrpcTlsConfig createTlsClientConfig(SecurityConfig conf) {
- if (conf.isGrpcTlsEnabled()) {
- if (conf.isGrpcMutualTlsRequired()) {
- return new GrpcTlsConfig(conf.getClientPrivateKeyFile(),
- conf.getClientCertChainFile(), conf.getTrustStoreFile(), true);
- } else {
- return new GrpcTlsConfig(
- null, null, conf.getTrustStoreFile(), false);
+ // For External gRPC client to server with gRPC TLS.
+ // No mTLS for external client as SCM CA does not issued certificates for them
+ static GrpcTlsConfig createTlsClientConfig(SecurityConfig conf,
+ X509Certificate caCert) {
+ GrpcTlsConfig tlsConfig = null;
+ if (conf.isSecurityEnabled() && conf.isGrpcTlsEnabled()) {
+ tlsConfig = new GrpcTlsConfig(null, null,
+ caCert, false);
+ }
+ return tlsConfig;
+ }
+
+ // For Internal gRPC client from SCM to DN with gRPC TLS
+ static GrpcTlsConfig createTlsClientConfigForSCM(SecurityConfig conf,
+ CertificateServer certificateServer) throws IOException {
+ if (conf.isSecurityEnabled() && conf.isGrpcTlsEnabled()) {
+ try {
+ X509Certificate caCert =
+ CertificateCodec.getX509Certificate(
+ certificateServer.getCACertificate());
+ return new GrpcTlsConfig(null, null,
+ caCert, false);
+ } catch (CertificateException ex) {
+ throw new SCMSecurityException("Fail to find SCM CA certificate.", ex);
}
}
return null;
}
- static GrpcTlsConfig createTlsServerConfig(SecurityConfig conf) {
- if (conf.isGrpcTlsEnabled()) {
- if (conf.isGrpcMutualTlsRequired()) {
- return new GrpcTlsConfig(
- conf.getServerPrivateKeyFile(), conf.getServerCertChainFile(), null,
- false);
- } else {
- return new GrpcTlsConfig(conf.getServerPrivateKeyFile(),
- conf.getServerCertChainFile(), conf.getClientCertChainFile(), true);
- }
+ // For gRPC server running DN container service with gPRC TLS
+ // No mTLS as the channel is shared for for external client, which
+ // does not have SCM CA issued certificates.
+ // In summary:
+ // authenticate from server to client is via TLS.
+ // authenticate from client to server is via block token (or container token).
+ static GrpcTlsConfig createTlsServerConfigForDN(SecurityConfig conf,
+ CertificateClient caClient) {
+ if (conf.isSecurityEnabled() && conf.isGrpcTlsEnabled()) {
+ return new GrpcTlsConfig(
+ caClient.getPrivateKey(), caClient.getCertificate(),
+ null, false);
}
return null;
}
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java
index 969f7bb..8aaba5d 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java
@@ -20,7 +20,6 @@
package org.apache.hadoop.hdds.security.x509;
import com.google.common.base.Preconditions;
-import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.ozone.OzoneConfigKeys;
import org.apache.ratis.thirdparty.io.netty.handler.ssl.SslProvider;
@@ -28,7 +27,6 @@ import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import java.io.File;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Provider;
@@ -47,14 +45,6 @@ import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_GRPC_TLS_PROVIDER;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_GRPC_TLS_PROVIDER_DEFAULT;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_GRPC_TLS_TEST_CERT;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_GRPC_TLS_TEST_CERT_DEFAULT;
-import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_GRPC_MUTUAL_TLS_REQUIRED;
-import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_GRPC_MUTUAL_TLS_REQUIRED_DEFAULT;
-import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_TRUST_STORE_FILE_NAME;
-import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_TRUST_STORE_FILE_NAME_DEFAULT;
-import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_CLIENT_CERTIFICATE_CHAIN_FILE_NAME;
-import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_CLIENT_CERTIFICATE_CHAIN_FILE_NAME_DEFAULT;
-import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_SERVER_CERTIFICATE_CHAIN_FILE_NAME;
-import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_SERVER_CERTIFICATE_CHAIN_FILE_NAME_DEFAULT;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_KEY_ALGORITHM;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_KEY_DIR_NAME;
@@ -106,12 +96,8 @@ public class SecurityConfig {
private final String certificateFileName;
private final boolean grpcTlsEnabled;
private boolean grpcTlsUseTestCert;
- private String trustStoreFileName;
- private String serverCertChainFileName;
- private String clientCertChainFileName;
private final Duration defaultCertDuration;
private final boolean isSecurityEnabled;
- private boolean grpcMutualTlsRequired;
/**
* Constructs a SecurityConfig.
@@ -158,20 +144,6 @@ public class SecurityConfig {
HDDS_GRPC_TLS_ENABLED_DEFAULT);
if (grpcTlsEnabled) {
- this.grpcMutualTlsRequired = configuration.getBoolean(
- HDDS_GRPC_MUTUAL_TLS_REQUIRED, HDDS_GRPC_MUTUAL_TLS_REQUIRED_DEFAULT);
-
- this.trustStoreFileName = this.configuration.get(
- HDDS_TRUST_STORE_FILE_NAME, HDDS_TRUST_STORE_FILE_NAME_DEFAULT);
-
- this.clientCertChainFileName = this.configuration.get(
- HDDS_CLIENT_CERTIFICATE_CHAIN_FILE_NAME,
- HDDS_CLIENT_CERTIFICATE_CHAIN_FILE_NAME_DEFAULT);
-
- this.serverCertChainFileName = this.configuration.get(
- HDDS_SERVER_CERTIFICATE_CHAIN_FILE_NAME,
- HDDS_SERVER_CERTIFICATE_CHAIN_FILE_NAME_DEFAULT);
-
this.grpcTlsUseTestCert = this.configuration.getBoolean(
HDDS_GRPC_TLS_TEST_CERT, HDDS_GRPC_TLS_TEST_CERT_DEFAULT);
}
@@ -352,115 +324,6 @@ public class SecurityConfig {
}
/**
- * Returns true if TLS mutual authentication is enabled for gRPC services.
- * @return true if TLS is enabled for gRPC services.
- */
- public boolean isGrpcMutualTlsRequired() {
- return this.grpcMutualTlsRequired;
- }
-
- /**
- * Returns the TLS-enabled gRPC client private key file(Only needed for mutual
- * authentication) for the given component.
- * @param component name of the component.
- * @return the TLS-enabled gRPC client private key file.
- */
- public File getClientPrivateKeyFile(String component) {
- return Paths.get(getKeyLocation(component).toString(),
- "client." + privateKeyFileName).toFile();
- }
-
- /**
- * Returns the TLS-enabled gRPC client private key file(Only needed for mutual
- * authentication).
- * @return the TLS-enabled gRPC client private key file.
- */
- public File getClientPrivateKeyFile() {
- return getClientPrivateKeyFile(StringUtils.EMPTY);
- }
-
- /**
- * Returns the TLS-enabled gRPC server private key file for the given
- * component.
- * @param component name of the component.
- * @return the TLS-enabled gRPC server private key file.
- */
- public File getServerPrivateKeyFile(String component) {
- return Paths.get(getKeyLocation(component).toString(),
- "server." + privateKeyFileName).toFile();
- }
-
- /**
- * Returns the TLS-enabled gRPC server private key file.
- * @return the TLS-enabled gRPC server private key file.
- */
- public File getServerPrivateKeyFile() {
- return getServerPrivateKeyFile(StringUtils.EMPTY);
- }
-
- /**
- * Get the trusted CA certificate file for the given component. (CA
- * certificate)
- * @param component name of the component.
- * @return the trusted CA certificate.
- */
- public File getTrustStoreFile(String component) {
- return Paths.get(getKeyLocation(component).toString(),
- trustStoreFileName).
- toFile();
- }
-
- /**
- * Get the trusted CA certificate file. (CA certificate)
- * @return the trusted CA certificate.
- */
- public File getTrustStoreFile() {
- return getTrustStoreFile(StringUtils.EMPTY);
- }
-
- /**
- * Get the TLS-enabled gRPC Client certificate chain file for the given
- * component (only needed for
- * mutual authentication).
- * @param component name of the component.
- * @return the TLS-enabled gRPC Server certificate chain file.
- */
- public File getClientCertChainFile(String component) {
- return Paths.get(getKeyLocation(component).toString(),
- clientCertChainFileName).
- toFile();
- }
-
- /**
- * Get the TLS-enabled gRPC Client certificate chain file (only needed for
- * mutual authentication).
- * @return the TLS-enabled gRPC Server certificate chain file.
- */
- public File getClientCertChainFile() {
- return getClientCertChainFile(StringUtils.EMPTY);
- }
-
- /**
- * Get the TLS-enabled gRPC Server certificate chain file for the given
- * component.
- * @param component name of the component.
- * @return the TLS-enabled gRPC Server certificate chain file.
- */
- public File getServerCertChainFile(String component) {
- return Paths.get(getKeyLocation(component).toString(),
- serverCertChainFileName).
- toFile();
- }
-
- /**
- * Get the TLS-enabled gRPC Server certificate chain file.
- * @return the TLS-enabled gRPC Server certificate chain file.
- */
- public File getServerCertChainFile() {
- return getServerCertChainFile(StringUtils.EMPTY);
- }
-
- /**
* Get the gRPC TLS provider.
* @return the gRPC TLS Provider.
*/
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClient.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClient.java
index c36c9e0..34b4930 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClient.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClient.java
@@ -70,6 +70,12 @@ public interface CertificateClient {
X509Certificate getCertificate();
/**
+ * Return the latest CA certificate known to the client.
+ * @return latest ca certificate known to the client.
+ */
+ X509Certificate getCACertificate();
+
+ /**
* Verifies if this certificate is part of a trusted chain.
* @param certificate - certificate.
* @return true if it trusted, false otherwise.
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
index 388c5bc..ff99e08 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
@@ -20,7 +20,9 @@
package org.apache.hadoop.hdds.security.x509.certificate.client;
import com.google.common.base.Preconditions;
+import org.apache.commons.io.FilenameUtils;
import org.apache.commons.lang3.RandomStringUtils;
+import org.apache.commons.lang3.math.NumberUtils;
import org.apache.commons.validator.routines.DomainValidator;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
@@ -81,6 +83,7 @@ public abstract class DefaultCertificateClient implements CertificateClient {
private static final String CERT_FILE_NAME_FORMAT = "%s.crt";
private static final String CA_CERT_PREFIX = "CA-";
+ private static final int CA_CERT_PREFIX_LEN = 3;
private final Logger logger;
private final SecurityConfig securityConfig;
private final KeyCodec keyCodec;
@@ -89,9 +92,9 @@ public abstract class DefaultCertificateClient implements CertificateClient {
private X509Certificate x509Certificate;
private Map<String, X509Certificate> certificateMap;
private String certSerialId;
+ private String caCertId;
private String component;
-
DefaultCertificateClient(SecurityConfig securityConfig, Logger log,
String certSerialId, String component) {
Objects.requireNonNull(securityConfig);
@@ -119,6 +122,7 @@ public abstract class DefaultCertificateClient implements CertificateClient {
if (certFiles != null) {
CertificateCodec certificateCodec =
new CertificateCodec(securityConfig, component);
+ long latestCaCertSerailId = -1L;
for (File file : certFiles) {
if (file.isFile()) {
try {
@@ -132,6 +136,15 @@ public abstract class DefaultCertificateClient implements CertificateClient {
}
certificateMap.putIfAbsent(cert.getSerialNumber().toString(),
cert);
+ if (file.getName().startsWith(CA_CERT_PREFIX)) {
+ String certFileName = FilenameUtils.getBaseName(
+ file.getName());
+ long tmpCaCertSerailId = NumberUtils.toLong(
+ certFileName.substring(CA_CERT_PREFIX_LEN));
+ if (tmpCaCertSerailId > latestCaCertSerailId) {
+ latestCaCertSerailId = tmpCaCertSerailId;
+ }
+ }
getLogger().info("Added certificate from file:{}.",
file.getAbsolutePath());
} else {
@@ -144,6 +157,9 @@ public abstract class DefaultCertificateClient implements CertificateClient {
}
}
}
+ if (latestCaCertSerailId != -1) {
+ caCertId = Long.toString(latestCaCertSerailId);
+ }
}
}
}
@@ -222,6 +238,18 @@ public abstract class DefaultCertificateClient implements CertificateClient {
}
/**
+ * Return the latest CA certificate known to the client.
+ * @return latest ca certificate known to the client.
+ */
+ @Override
+ public X509Certificate getCACertificate() {
+ if (caCertId != null) {
+ return certificateMap.get(caCertId);
+ }
+ return null;
+ }
+
+ /**
* Returns the certificate with the specified certificate serial id if it
* exists else try to get it from SCM.
* @param certId
@@ -491,6 +519,7 @@ public abstract class DefaultCertificateClient implements CertificateClient {
if(caCert) {
certName = CA_CERT_PREFIX + certName;
+ caCertId = cert.getSerialNumber().toString();
}
certificateCodec.writeCertificate(basePath, certName,
diff --git a/hadoop-hdds/common/src/main/resources/ozone-default.xml b/hadoop-hdds/common/src/main/resources/ozone-default.xml
index 82307a4..9e4c5ea 100644
--- a/hadoop-hdds/common/src/main/resources/ozone-default.xml
+++ b/hadoop-hdds/common/src/main/resources/ozone-default.xml
@@ -1838,39 +1838,12 @@
<description>HDDS GRPC server TLS provider.</description>
</property>
<property>
- <name>hdds.client.cert.chain.file.name</name>
- <value>client.crt</value>
- <tag>OZONE, HDDS, SECURITY</tag>
- <description>Client certificate file name. It is an optional
- field only required when mutual TLS (hdds.grpc.mutual.tls.required)
- is set to true .</description>
- </property>
- <property>
- <name>hdds.grpc.mutual.tls.required</name>
- <value>false</value>
- <tag>OZONE, HDDS, SECURITY, TLS</tag>
- <description>If mutual tls check is enabled for GRPC.
- Considered only if hdds.grpc.tls.enabled is set to true.</description>
- </property>
- <property>
<name>hdds.grpc.tls.enabled</name>
<value>false</value>
<tag>OZONE, HDDS, SECURITY, TLS</tag>
<description>If HDDS GRPC server TLS is enabled.</description>
</property>
<property>
- <name>hdds.server.cert.chain.file.name</name>
- <value>server.crt</value>
- <tag>OZONE, HDDS, SECURITY</tag>
- <description>Hdds server certificate file name.</description>
- </property>
- <property>
- <name>hdds.trust.cert.collection.file.name</name>
- <value>ca.crt</value>
- <tag>OZONE, HDDS, SECURITY</tag>
- <description>HDDS Certificate Authority trust store file name.</description>
- </property>
- <property>
<name>hdds.x509.default.duration</name>
<value>P365D</value>
<tag>OZONE, HDDS, SECURITY</tag>
diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/helpers/ContainerMetrics.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/helpers/ContainerMetrics.java
index 2879001..9ea4adf 100644
--- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/helpers/ContainerMetrics.java
+++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/helpers/ContainerMetrics.java
@@ -46,6 +46,8 @@ import org.apache.hadoop.metrics2.lib.MutableRate;
@InterfaceAudience.Private
@Metrics(about="Storage Container DataNode Metrics", context="dfs")
public class ContainerMetrics {
+ public static final String STORAGE_CONTAINER_METRICS =
+ "StorageContainerMetrics";
@Metric private MutableCounterLong numOps;
private MutableCounterLong[] numOpsArray;
private MutableCounterLong[] opsBytesArray;
@@ -89,11 +91,16 @@ public class ContainerMetrics {
// Percentile measurement is off by default, by watching no intervals
int[] intervals =
conf.getInts(DFSConfigKeys.DFS_METRICS_PERCENTILES_INTERVALS_KEY);
- return ms.register("StorageContainerMetrics",
+ return ms.register(STORAGE_CONTAINER_METRICS,
"Storage Container Node Metrics",
new ContainerMetrics(intervals));
}
+ public static void remove() {
+ MetricsSystem ms = DefaultMetricsSystem.instance();
+ ms.unregisterSource(STORAGE_CONTAINER_METRICS);
+ }
+
public void incContainerOpsMetrics(ContainerProtos.Type type) {
numOps.incr();
numOpsArray[type.ordinal()].incr();
diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java
index 23fa2d0..bb352ea 100644
--- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java
+++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java
@@ -45,12 +45,10 @@ import org.apache.ratis.thirdparty.io.grpc.ServerBuilder;
import org.apache.ratis.thirdparty.io.grpc.ServerInterceptors;
import org.apache.ratis.thirdparty.io.grpc.netty.GrpcSslContexts;
import org.apache.ratis.thirdparty.io.grpc.netty.NettyServerBuilder;
-import org.apache.ratis.thirdparty.io.netty.handler.ssl.ClientAuth;
import org.apache.ratis.thirdparty.io.netty.handler.ssl.SslContextBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import java.io.File;
import java.io.IOException;
import java.util.Collections;
import java.util.List;
@@ -112,21 +110,9 @@ public final class XceiverServerGrpc extends XceiverServer {
}
if (getSecConfig().isGrpcTlsEnabled()) {
- File privateKeyFilePath =
- getSecurityConfig().getServerPrivateKeyFile(COMPONENT);
- File serverCertChainFilePath =
- getSecurityConfig().getServerCertChainFile(COMPONENT);
- File clientCertChainFilePath =
- getSecurityConfig().getClientCertChainFile(COMPONENT);
try {
SslContextBuilder sslClientContextBuilder = SslContextBuilder.forServer(
- serverCertChainFilePath, privateKeyFilePath);
- if (getSecurityConfig().isGrpcMutualTlsRequired() &&
- clientCertChainFilePath != null) {
- // Only needed for mutual TLS
- sslClientContextBuilder.clientAuth(ClientAuth.REQUIRE);
- sslClientContextBuilder.trustManager(clientCertChainFilePath);
- }
+ caClient.getPrivateKey(), caClient.getCertificate());
SslContextBuilder sslContextBuilder = GrpcSslContexts.configure(
sslClientContextBuilder, getSecurityConfig().getGrpcSslProvider());
nettyServerBuilder.sslContext(sslContextBuilder.build());
diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/ratis/XceiverServerRatis.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/ratis/XceiverServerRatis.java
index e521fb4..746bfb8 100644
--- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/ratis/XceiverServerRatis.java
+++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/ratis/XceiverServerRatis.java
@@ -398,8 +398,8 @@ public final class XceiverServerRatis extends XceiverServer {
OzoneConfigKeys.DFS_CONTAINER_RATIS_IPC_RANDOM_PORT_DEFAULT)) {
localPort = 0;
}
- GrpcTlsConfig tlsConfig = RatisHelper.createTlsServerConfig(
- new SecurityConfig(ozoneConf));
+ GrpcTlsConfig tlsConfig = RatisHelper.createTlsServerConfigForDN(
+ new SecurityConfig(ozoneConf), caClient);
return new XceiverServerRatis(datanodeDetails, localPort, dispatcher,
containerController, context, tlsConfig, caClient, ozoneConf);
diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ozoneimpl/OzoneContainer.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ozoneimpl/OzoneContainer.java
index 209a8e3..d52cf8c 100644
--- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ozoneimpl/OzoneContainer.java
+++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ozoneimpl/OzoneContainer.java
@@ -236,6 +236,7 @@ public class OzoneContainer {
hddsDispatcher.shutdown();
volumeSet.shutdown();
blockDeletingService.shutdown();
+ ContainerMetrics.remove();
}
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/ProfileServlet.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/ProfileServlet.java
index 42944e1..016445c 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/ProfileServlet.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/ProfileServlet.java
@@ -348,7 +348,6 @@ public class ProfileServlet extends HttpServlet {
final HttpServletResponse resp)
throws IOException {
- ;
String safeFileName = validateFileName(fileName);
File requestedFile =
ProfileServlet.OUTPUT_DIR
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/server/TestProfileServlet.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/server/TestProfileServlet.java
index c77fee0..1c4adf6 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/server/TestProfileServlet.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/server/TestProfileServlet.java
@@ -17,20 +17,11 @@
*/
package org.apache.hadoop.hdds.server;
-import java.io.ByteArrayOutputStream;
import java.io.IOException;
-import java.io.OutputStreamWriter;
import org.apache.hadoop.hdds.server.ProfileServlet.Event;
import org.apache.hadoop.hdds.server.ProfileServlet.Output;
-import org.apache.hadoop.metrics2.MetricsSystem;
-import org.apache.hadoop.metrics2.annotation.Metric;
-import org.apache.hadoop.metrics2.annotation.Metrics;
-import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
-import org.apache.hadoop.metrics2.lib.MutableCounterLong;
-
-import static java.nio.charset.StandardCharsets.UTF_8;
-import org.junit.Assert;
+
import org.junit.Test;
/**
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/PipelineFactory.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/PipelineFactory.java
index cec688c..77e037a 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/PipelineFactory.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/PipelineFactory.java
@@ -24,6 +24,7 @@ import org.apache.hadoop.hdds.protocol.DatanodeDetails;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos.ReplicationFactor;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos.ReplicationType;
import org.apache.hadoop.hdds.scm.node.NodeManager;
+import org.apache.ratis.grpc.GrpcTlsConfig;
import java.io.IOException;
import java.util.HashMap;
@@ -38,12 +39,12 @@ public final class PipelineFactory {
private Map<ReplicationType, PipelineProvider> providers;
PipelineFactory(NodeManager nodeManager, PipelineStateManager stateManager,
- Configuration conf) {
+ Configuration conf, GrpcTlsConfig tlsConfig) {
providers = new HashMap<>();
providers.put(ReplicationType.STAND_ALONE,
new SimplePipelineProvider(nodeManager));
providers.put(ReplicationType.RATIS,
- new RatisPipelineProvider(nodeManager, stateManager, conf));
+ new RatisPipelineProvider(nodeManager, stateManager, conf, tlsConfig));
}
@VisibleForTesting
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/PipelineManager.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/PipelineManager.java
index bd8fa2d..9ba5f31 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/PipelineManager.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/PipelineManager.java
@@ -22,6 +22,7 @@ import org.apache.hadoop.hdds.protocol.DatanodeDetails;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos.ReplicationFactor;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos.ReplicationType;
import org.apache.hadoop.hdds.scm.container.ContainerID;
+import org.apache.ratis.grpc.GrpcTlsConfig;
import java.io.Closeable;
import java.io.IOException;
@@ -94,4 +95,5 @@ public interface PipelineManager extends Closeable, PipelineManagerMXBean {
*/
void deactivatePipeline(PipelineID pipelineID) throws IOException;
+ GrpcTlsConfig getGrpcTlsConfig();
}
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/PipelineReportHandler.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/PipelineReportHandler.java
index 1bba45d..2b11da9 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/PipelineReportHandler.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/PipelineReportHandler.java
@@ -97,7 +97,8 @@ public class PipelineReportHandler implements
try {
pipeline = pipelineManager.getPipeline(pipelineID);
} catch (PipelineNotFoundException e) {
- RatisPipelineUtils.destroyPipeline(dn, pipelineID, conf);
+ RatisPipelineUtils.destroyPipeline(dn, pipelineID, conf,
+ pipelineManager.getGrpcTlsConfig());
return;
}
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/RatisPipelineProvider.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/RatisPipelineProvider.java
index 9e22733..a5e3d37 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/RatisPipelineProvider.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/RatisPipelineProvider.java
@@ -29,7 +29,6 @@ import org.apache.hadoop.hdds.scm.container.placement.algorithms.ContainerPlacem
import org.apache.hadoop.hdds.scm.container.placement.algorithms.SCMContainerPlacementRandom;
import org.apache.hadoop.hdds.scm.node.NodeManager;
import org.apache.hadoop.hdds.scm.pipeline.Pipeline.PipelineState;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.io.MultipleIOException;
import org.apache.hadoop.hdds.ratis.RatisHelper;
import org.apache.ratis.client.RaftClient;
@@ -84,13 +83,15 @@ public class RatisPipelineProvider implements PipelineProvider {
private final ForkJoinPool forkJoinPool = new ForkJoinPool(
parallelismForPool, factory, null, false);
-
+ private final GrpcTlsConfig tlsConfig;
RatisPipelineProvider(NodeManager nodeManager,
- PipelineStateManager stateManager, Configuration conf) {
+ PipelineStateManager stateManager, Configuration conf,
+ GrpcTlsConfig tlsConfig) {
this.nodeManager = nodeManager;
this.stateManager = stateManager;
this.conf = conf;
+ this.tlsConfig = tlsConfig;
}
@@ -217,8 +218,6 @@ public class RatisPipelineProvider implements PipelineProvider {
Collections.synchronizedList(new ArrayList<>());
final int maxOutstandingRequests =
HddsClientUtils.getMaxOutstandingRequests(conf);
- final GrpcTlsConfig tlsConfig = RatisHelper.createTlsClientConfig(new
- SecurityConfig(conf));
final TimeDuration requestTimeout =
RatisHelper.getClientRequestTimeout(conf);
try {
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/RatisPipelineUtils.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/RatisPipelineUtils.java
index d9aec34..777a0b0 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/RatisPipelineUtils.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/RatisPipelineUtils.java
@@ -23,7 +23,6 @@ import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hdds.protocol.DatanodeDetails;
import org.apache.hadoop.hdds.scm.ScmConfigKeys;
import org.apache.hadoop.hdds.scm.client.HddsClientUtils;
-import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.ratis.RatisHelper;
import org.apache.ratis.client.RaftClient;
import org.apache.ratis.grpc.GrpcTlsConfig;
@@ -54,14 +53,16 @@ public final class RatisPipelineUtils {
*
* @param pipeline - Pipeline to be destroyed
* @param ozoneConf - Ozone configuration
+ * @param grpcTlsConfig
* @throws IOException
*/
- static void destroyPipeline(Pipeline pipeline, Configuration ozoneConf) {
+ static void destroyPipeline(Pipeline pipeline, Configuration ozoneConf,
+ GrpcTlsConfig grpcTlsConfig) {
final RaftGroup group = RatisHelper.newRaftGroup(pipeline);
LOG.debug("destroying pipeline:{} with {}", pipeline.getId(), group);
for (DatanodeDetails dn : pipeline.getNodes()) {
try {
- destroyPipeline(dn, pipeline.getId(), ozoneConf);
+ destroyPipeline(dn, pipeline.getId(), ozoneConf, grpcTlsConfig);
} catch (IOException e) {
LOG.warn("Pipeline destroy failed for pipeline={} dn={}",
pipeline.getId(), dn);
@@ -75,10 +76,11 @@ public final class RatisPipelineUtils {
* @param dn - Datanode on which pipeline needs to be destroyed
* @param pipelineID - ID of pipeline to be destroyed
* @param ozoneConf - Ozone configuration
+ * @param grpcTlsConfig - grpc tls configuration
* @throws IOException
*/
static void destroyPipeline(DatanodeDetails dn, PipelineID pipelineID,
- Configuration ozoneConf) throws IOException {
+ Configuration ozoneConf, GrpcTlsConfig grpcTlsConfig) throws IOException {
final String rpcType = ozoneConf
.get(ScmConfigKeys.DFS_CONTAINER_RATIS_RPC_TYPE_KEY,
ScmConfigKeys.DFS_CONTAINER_RATIS_RPC_TYPE_DEFAULT);
@@ -86,13 +88,12 @@ public final class RatisPipelineUtils {
final RaftPeer p = RatisHelper.toRaftPeer(dn);
final int maxOutstandingRequests =
HddsClientUtils.getMaxOutstandingRequests(ozoneConf);
- final GrpcTlsConfig tlsConfig = RatisHelper.createTlsClientConfig(
- new SecurityConfig(ozoneConf));
final TimeDuration requestTimeout =
RatisHelper.getClientRequestTimeout(ozoneConf);
try(RaftClient client = RatisHelper
.newRaftClient(SupportedRpcType.valueOfIgnoreCase(rpcType), p,
- retryPolicy, maxOutstandingRequests, tlsConfig, requestTimeout)) {
+ retryPolicy, maxOutstandingRequests, grpcTlsConfig,
+ requestTimeout)) {
client.groupRemove(RaftGroupId.valueOf(pipelineID.getId()),
true, p.getId());
}
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/SCMPipelineManager.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/SCMPipelineManager.java
index 20b9350..0964f6d 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/SCMPipelineManager.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/pipeline/SCMPipelineManager.java
@@ -37,6 +37,7 @@ import org.apache.hadoop.hdds.utils.MetadataKeyFilters;
import org.apache.hadoop.hdds.utils.MetadataStore;
import org.apache.hadoop.hdds.utils.MetadataStoreBuilder;
import org.apache.hadoop.hdds.utils.Scheduler;
+import org.apache.ratis.grpc.GrpcTlsConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -82,14 +83,16 @@ public class SCMPipelineManager implements PipelineManager {
private final Configuration conf;
// Pipeline Manager MXBean
private ObjectName pmInfoBean;
+ private GrpcTlsConfig grpcTlsConfig;
public SCMPipelineManager(Configuration conf, NodeManager nodeManager,
- EventPublisher eventPublisher) throws IOException {
+ EventPublisher eventPublisher, GrpcTlsConfig grpcTlsConfig)
+ throws IOException {
this.lock = new ReentrantReadWriteLock();
this.conf = conf;
this.stateManager = new PipelineStateManager(conf);
this.pipelineFactory = new PipelineFactory(nodeManager, stateManager,
- conf);
+ conf, grpcTlsConfig);
// TODO: See if thread priority needs to be set for these threads
scheduler = new Scheduler("RatisPipelineUtilsThread", false, 1);
this.backgroundPipelineCreator =
@@ -111,6 +114,7 @@ public class SCMPipelineManager implements PipelineManager {
this.pmInfoBean = MBeans.register("SCMPipelineManager",
"SCMPipelineManagerInfo", this);
initializePipelineState();
+ this.grpcTlsConfig = grpcTlsConfig;
}
public PipelineStateManager getStateManager() {
@@ -404,7 +408,7 @@ public class SCMPipelineManager implements PipelineManager {
* @throws IOException
*/
private void destroyPipeline(Pipeline pipeline) throws IOException {
- RatisPipelineUtils.destroyPipeline(pipeline, conf);
+ RatisPipelineUtils.destroyPipeline(pipeline, conf, grpcTlsConfig);
// remove the pipeline from the pipeline manager
removePipeline(pipeline.getId());
triggerPipelineCreation();
@@ -437,6 +441,11 @@ public class SCMPipelineManager implements PipelineManager {
}
@Override
+ public GrpcTlsConfig getGrpcTlsConfig() {
+ return grpcTlsConfig;
+ }
+
+ @Override
public void close() throws IOException {
if (scheduler != null) {
scheduler.close();
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
index 3502c85..4ecab37 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
@@ -34,6 +34,7 @@ import org.apache.hadoop.hdds.HddsUtils;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos.NodeState;
+import org.apache.hadoop.hdds.ratis.RatisHelper;
import org.apache.hadoop.hdds.scm.HddsServerUtil;
import org.apache.hadoop.hdds.scm.ScmConfigKeys;
import org.apache.hadoop.hdds.scm.block.BlockManager;
@@ -100,6 +101,7 @@ import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.util.JvmPauseMonitor;
import org.apache.hadoop.hdds.utils.HddsVersionInfo;
+import org.apache.ratis.grpc.GrpcTlsConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -186,6 +188,7 @@ public final class StorageContainerManager extends ServiceRuntimeInfoImpl
private SCMSafeModeManager scmSafeModeManager;
private CertificateServer certificateServer;
+ private GrpcTlsConfig grpcTlsConfig;
private JvmPauseMonitor jvmPauseMonitor;
private final OzoneConfiguration configuration;
@@ -399,7 +402,8 @@ public final class StorageContainerManager extends ServiceRuntimeInfoImpl
pipelineManager = configurator.getPipelineManager();
} else {
pipelineManager =
- new SCMPipelineManager(conf, scmNodeManager, eventQueue);
+ new SCMPipelineManager(conf, scmNodeManager, eventQueue,
+ grpcTlsConfig);
}
if (configurator.getContainerManager() != null) {
@@ -443,8 +447,7 @@ public final class StorageContainerManager extends ServiceRuntimeInfoImpl
* @throws AuthenticationException - on Failure
*/
private void initializeCAnSecurityProtocol(OzoneConfiguration conf,
- SCMConfigurator configurator)
- throws IOException {
+ SCMConfigurator configurator) throws IOException {
if(configurator.getCertificateServer() != null) {
this.certificateServer = configurator.getCertificateServer();
} else {
@@ -458,6 +461,10 @@ public final class StorageContainerManager extends ServiceRuntimeInfoImpl
CertificateServer.CAType.SELF_SIGNED_CA);
securityProtocolServer = new SCMSecurityProtocolServer(conf,
certificateServer);
+
+ grpcTlsConfig = RatisHelper
+ .createTlsClientConfigForSCM(new SecurityConfig(conf),
+ certificateServer);
}
/**
diff --git a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/container/TestCloseContainerEventHandler.java b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/container/TestCloseContainerEventHandler.java
index f7a5df7..a8364a4 100644
--- a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/container/TestCloseContainerEventHandler.java
+++ b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/container/TestCloseContainerEventHandler.java
@@ -67,7 +67,7 @@ public class TestCloseContainerEventHandler {
.set(HddsConfigKeys.OZONE_METADATA_DIRS, testDir.getAbsolutePath());
nodeManager = new MockNodeManager(true, 10);
pipelineManager =
- new SCMPipelineManager(configuration, nodeManager, eventQueue);
+ new SCMPipelineManager(configuration, nodeManager, eventQueue, null);
PipelineProvider mockRatisProvider =
new MockRatisPipelineProvider(nodeManager,
pipelineManager.getStateManager(), configuration);
diff --git a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/container/TestSCMContainerManager.java b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/container/TestSCMContainerManager.java
index bfdeac5..75a1ad3 100644
--- a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/container/TestSCMContainerManager.java
+++ b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/container/TestSCMContainerManager.java
@@ -94,7 +94,7 @@ public class TestSCMContainerManager {
}
nodeManager = new MockNodeManager(true, 10);
pipelineManager =
- new SCMPipelineManager(conf, nodeManager, new EventQueue());
+ new SCMPipelineManager(conf, nodeManager, new EventQueue(), null);
containerManager = new SCMContainerManager(conf, nodeManager,
pipelineManager, new EventQueue());
xceiverClientManager = new XceiverClientManager(conf);
diff --git a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/node/TestContainerPlacement.java b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/node/TestContainerPlacement.java
index ec0c4c3..26ffd8d 100644
--- a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/node/TestContainerPlacement.java
+++ b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/node/TestContainerPlacement.java
@@ -65,8 +65,6 @@ import static org.junit.Assert.assertEquals;
public class TestContainerPlacement {
@Rule
public ExpectedException thrown = ExpectedException.none();
- private static XceiverClientManager xceiverClientManager =
- new XceiverClientManager(new OzoneConfiguration());
/**
* Returns a new copy of Configuration.
@@ -109,7 +107,7 @@ public class TestContainerPlacement {
final int cacheSize = config.getInt(OZONE_SCM_DB_CACHE_SIZE_MB,
OZONE_SCM_DB_CACHE_SIZE_DEFAULT);
PipelineManager pipelineManager =
- new SCMPipelineManager(config, scmNodeManager, eventQueue);
+ new SCMPipelineManager(config, scmNodeManager, eventQueue, null);
return new SCMContainerManager(config, scmNodeManager, pipelineManager,
eventQueue);
@@ -144,6 +142,7 @@ public class TestContainerPlacement {
createContainerManager(conf, nodeManager);
List<DatanodeDetails> datanodes =
TestUtils.getListOfRegisteredDatanodeDetails(nodeManager, nodeCount);
+ XceiverClientManager xceiverClientManager = null;
try {
for (DatanodeDetails datanodeDetails : datanodes) {
nodeManager.processHeartbeat(datanodeDetails);
@@ -159,6 +158,8 @@ public class TestContainerPlacement {
assertEquals(remaining * nodeCount,
(long) nodeManager.getStats().getRemaining().get());
+ xceiverClientManager= new XceiverClientManager(new OzoneConfiguration());
+
ContainerInfo container = containerManager
.allocateContainer(
xceiverClientManager.getType(),
@@ -169,6 +170,9 @@ public class TestContainerPlacement {
} finally {
IOUtils.closeQuietly(containerManager);
IOUtils.closeQuietly(nodeManager);
+ if (xceiverClientManager != null) {
+ xceiverClientManager.close();
+ }
FileUtil.fullyDelete(testDir);
}
}
diff --git a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/pipeline/MockRatisPipelineProvider.java b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/pipeline/MockRatisPipelineProvider.java
index 32784a3..01c53ba 100644
--- a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/pipeline/MockRatisPipelineProvider.java
+++ b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/pipeline/MockRatisPipelineProvider.java
@@ -31,7 +31,7 @@ public class MockRatisPipelineProvider extends RatisPipelineProvider {
public MockRatisPipelineProvider(NodeManager nodeManager,
PipelineStateManager stateManager,
Configuration conf) {
- super(nodeManager, stateManager, conf);
+ super(nodeManager, stateManager, conf, null);
}
protected void initializePipeline(Pipeline pipeline) throws IOException {
diff --git a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/safemode/TestHealthyPipelineSafeModeRule.java b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/safemode/TestHealthyPipelineSafeModeRule.java
index eb1f88b..94c3039 100644
--- a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/safemode/TestHealthyPipelineSafeModeRule.java
+++ b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/safemode/TestHealthyPipelineSafeModeRule.java
@@ -71,7 +71,7 @@ public class TestHealthyPipelineSafeModeRule {
SCMPipelineManager pipelineManager = new SCMPipelineManager(config,
- nodeManager, eventQueue);
+ nodeManager, eventQueue, null);
PipelineProvider mockRatisProvider =
new MockRatisPipelineProvider(nodeManager,
pipelineManager.getStateManager(), config);
@@ -116,7 +116,7 @@ public class TestHealthyPipelineSafeModeRule {
SCMPipelineManager pipelineManager = new SCMPipelineManager(config,
- nodeManager, eventQueue);
+ nodeManager, eventQueue, null);
PipelineProvider mockRatisProvider =
new MockRatisPipelineProvider(nodeManager,
@@ -191,7 +191,7 @@ public class TestHealthyPipelineSafeModeRule {
SCMPipelineManager pipelineManager = new SCMPipelineManager(config,
- nodeManager, eventQueue);
+ nodeManager, eventQueue, null);
PipelineProvider mockRatisProvider =
new MockRatisPipelineProvider(nodeManager,
pipelineManager.getStateManager(), config);
diff --git a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/safemode/TestOneReplicaPipelineSafeModeRule.java b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/safemode/TestOneReplicaPipelineSafeModeRule.java
index 99677d6..ca54d05 100644
--- a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/safemode/TestOneReplicaPipelineSafeModeRule.java
+++ b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/safemode/TestOneReplicaPipelineSafeModeRule.java
@@ -71,7 +71,7 @@ public class TestOneReplicaPipelineSafeModeRule {
eventQueue = new EventQueue();
pipelineManager =
new SCMPipelineManager(ozoneConfiguration, mockNodeManager,
- eventQueue);
+ eventQueue, null);
PipelineProvider mockRatisProvider =
new MockRatisPipelineProvider(mockNodeManager,
diff --git a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/safemode/TestSCMSafeModeManager.java b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/safemode/TestSCMSafeModeManager.java
index 7ddf84e..ba92035 100644
--- a/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/safemode/TestSCMSafeModeManager.java
+++ b/hadoop-hdds/server-scm/src/test/java/org/apache/hadoop/hdds/scm/safemode/TestSCMSafeModeManager.java
@@ -197,7 +197,7 @@ public class TestSCMSafeModeManager {
0.9);
MockNodeManager mockNodeManager = new MockNodeManager(true, 10);
PipelineManager pipelineManager = new SCMPipelineManager(conf,
- mockNodeManager, queue);
+ mockNodeManager, queue, null);
scmSafeModeManager = new SCMSafeModeManager(
conf, containers, pipelineManager, queue);
fail("testFailWithIncorrectValueForHealthyPipelinePercent");
@@ -215,7 +215,7 @@ public class TestSCMSafeModeManager {
200);
MockNodeManager mockNodeManager = new MockNodeManager(true, 10);
PipelineManager pipelineManager = new SCMPipelineManager(conf,
- mockNodeManager, queue);
+ mockNodeManager, queue, null);
scmSafeModeManager = new SCMSafeModeManager(
conf, containers, pipelineManager, queue);
fail("testFailWithIncorrectValueForOneReplicaPipelinePercent");
@@ -232,7 +232,7 @@ public class TestSCMSafeModeManager {
conf.setDouble(HddsConfigKeys.HDDS_SCM_SAFEMODE_THRESHOLD_PCT, -1.0);
MockNodeManager mockNodeManager = new MockNodeManager(true, 10);
PipelineManager pipelineManager = new SCMPipelineManager(conf,
- mockNodeManager, queue);
+ mockNodeManager, queue, null);
scmSafeModeManager = new SCMSafeModeManager(
conf, containers, pipelineManager, queue);
fail("testFailWithIncorrectValueForSafeModePercent");
@@ -256,7 +256,7 @@ public class TestSCMSafeModeManager {
MockNodeManager mockNodeManager = new MockNodeManager(true, nodeCount);
SCMPipelineManager pipelineManager = new SCMPipelineManager(conf,
- mockNodeManager, queue);
+ mockNodeManager, queue, null);
PipelineProvider mockRatisProvider =
new MockRatisPipelineProvider(mockNodeManager,
pipelineManager.getStateManager(), config);
@@ -477,7 +477,7 @@ public class TestSCMSafeModeManager {
HddsConfigKeys.HDDS_SCM_SAFEMODE_PIPELINE_AVAILABILITY_CHECK, true);
SCMPipelineManager pipelineManager = new SCMPipelineManager(config,
- nodeManager, queue);
+ nodeManager, queue, null);
PipelineProvider mockRatisProvider =
new MockRatisPipelineProvider(nodeManager,
diff --git a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/OzoneMultipartUploadList.java b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/OzoneMultipartUploadList.java
index 971d866..38377eb 100644
--- a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/OzoneMultipartUploadList.java
+++ b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/OzoneMultipartUploadList.java
@@ -18,7 +18,6 @@
package org.apache.hadoop.ozone.client;
-import java.util.ArrayList;
import java.util.List;
import com.google.common.base.Preconditions;
diff --git a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
index bd01aaf..202e0eb 100644
--- a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
+++ b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
@@ -32,14 +32,11 @@ import org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos
.ChecksumType;
import org.apache.hadoop.hdds.scm.ByteStringHelper;
import org.apache.hadoop.hdds.scm.client.HddsClientUtils;
-import org.apache.hadoop.hdds.scm.protocol.StorageContainerLocationProtocol;
import org.apache.hadoop.hdds.tracing.TracingUtil;
import org.apache.hadoop.io.IOUtils;
-import org.apache.hadoop.ipc.Client;
-import org.apache.hadoop.ipc.ProtobufRpcEngine;
-import org.apache.hadoop.ipc.RPC;
import org.apache.hadoop.ozone.OzoneConfigKeys;
import org.apache.hadoop.ozone.OzoneConsts;
+import org.apache.hadoop.ozone.OzoneSecurityUtil;
import org.apache.hadoop.ozone.client.*;
import org.apache.hadoop.hdds.client.OzoneQuota;
import org.apache.hadoop.hdds.client.ReplicationFactor;
@@ -68,21 +65,14 @@ import org.apache.hadoop.ozone.om.helpers.OpenKeySession;
import org.apache.hadoop.ozone.om.helpers.OzoneAclUtil;
import org.apache.hadoop.ozone.om.helpers.OzoneFileStatus;
import org.apache.hadoop.ozone.om.helpers.S3SecretValue;
-import org.apache.hadoop.ozone.om.helpers.ServiceInfo;
+import org.apache.hadoop.ozone.om.helpers.ServiceInfoEx;
import org.apache.hadoop.ozone.om.protocol.OzoneManagerProtocol;
import org.apache.hadoop.ozone.om.protocolPB
.OzoneManagerProtocolClientSideTranslatorPB;
-import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.ozone.OzoneAcl;
-import org.apache.hadoop.ozone.protocol.proto
- .OzoneManagerProtocolProtos.ServicePort;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.scm.ScmConfigKeys;
import org.apache.hadoop.hdds.scm.XceiverClientManager;
-import org.apache.hadoop.hdds.scm.protocolPB
- .StorageContainerLocationProtocolClientSideTranslatorPB;
-import org.apache.hadoop.hdds.scm.protocolPB
- .StorageContainerLocationProtocolPB;
import org.apache.hadoop.ozone.security.GDPRSymmetricKey;
import org.apache.hadoop.ozone.security.OzoneTokenIdentifier;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer.ACLIdentityType;
@@ -102,7 +92,6 @@ import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import java.io.IOException;
-import java.net.InetSocketAddress;
import java.net.URI;
import java.security.InvalidKeyException;
import java.util.*;
@@ -122,8 +111,6 @@ public class RpcClient implements ClientProtocol {
LoggerFactory.getLogger(RpcClient.class);
private final OzoneConfiguration conf;
- private final StorageContainerLocationProtocol
- storageContainerLocationClient;
private final OzoneManagerProtocol ozoneManagerClient;
private final XceiverClientManager xceiverClientManager;
private final int chunkSize;
@@ -143,7 +130,7 @@ public class RpcClient implements ClientProtocol {
private Text dtService;
private final boolean topologyAwareReadEnabled;
- /**
+ /**
* Creates RpcClient instance with the given configuration.
* @param conf Configuration
* @param omServiceId OM HA Service ID, set this to null if not HA
@@ -163,21 +150,16 @@ public class RpcClient implements ClientProtocol {
this.conf, clientId.toString(), omServiceId, ugi),
OzoneManagerProtocol.class, conf
);
- long scmVersion =
- RPC.getProtocolVersion(StorageContainerLocationProtocolPB.class);
- InetSocketAddress scmAddress = getScmAddressForClient();
- RPC.setProtocolEngine(conf, StorageContainerLocationProtocolPB.class,
- ProtobufRpcEngine.class);
-
- StorageContainerLocationProtocolClientSideTranslatorPB client =
- new StorageContainerLocationProtocolClientSideTranslatorPB(
- RPC.getProxy(StorageContainerLocationProtocolPB.class, scmVersion,
- scmAddress, ugi, conf, NetUtils.getDefaultSocketFactory(conf),
- Client.getRpcTimeout(conf)));
- this.storageContainerLocationClient =
- TracingUtil.createProxy(client, StorageContainerLocationProtocol.class,
- conf);
- this.xceiverClientManager = new XceiverClientManager(conf);
+
+ ServiceInfoEx serviceInfoEx = ozoneManagerClient.getServiceInfo();
+ String caCertPem = null;
+ if (OzoneSecurityUtil.isSecurityEnabled(conf)) {
+ caCertPem = serviceInfoEx.getCaCertificate();
+ }
+
+ this.xceiverClientManager = new XceiverClientManager(conf,
+ OzoneConfiguration.of(conf).getObject(XceiverClientManager.
+ ScmClientConfig.class), caCertPem);
int configuredChunkSize = (int) conf
.getStorageSize(ScmConfigKeys.OZONE_SCM_CHUNK_SIZE_KEY,
@@ -245,15 +227,6 @@ public class RpcClient implements ClientProtocol {
OzoneConfigKeys.OZONE_NETWORK_TOPOLOGY_AWARE_READ_DEFAULT);
}
- private InetSocketAddress getScmAddressForClient() throws IOException {
- List<ServiceInfo> services = ozoneManagerClient.getServiceList();
- ServiceInfo scmInfo = services.stream().filter(
- a -> a.getNodeType().equals(HddsProtos.NodeType.SCM))
- .collect(Collectors.toList()).get(0);
- return NetUtils.createSocketAddr(
- scmInfo.getServiceAddress(ServicePort.Type.RPC));
- }
-
@Override
public void createVolume(String volumeName) throws IOException {
createVolume(volumeName, VolumeArgs.newBuilder().build());
@@ -806,7 +779,6 @@ public class RpcClient implements ClientProtocol {
@Override
public void close() throws IOException {
- IOUtils.cleanupWithLogger(LOG, storageContainerLocationClient);
IOUtils.cleanupWithLogger(LOG, ozoneManagerClient);
IOUtils.cleanupWithLogger(LOG, xceiverClientManager);
}
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMMetadataManager.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMMetadataManager.java
index b2760b3..cc908fc 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMMetadataManager.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/OMMetadataManager.java
@@ -18,7 +18,6 @@ package org.apache.hadoop.ozone.om;
import java.io.IOException;
import java.util.List;
-import java.util.Map;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.ozone.common.BlockGroup;
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmMultipartKeyInfo.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmMultipartKeyInfo.java
index a3bacec..80123fd 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmMultipartKeyInfo.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmMultipartKeyInfo.java
@@ -16,14 +16,11 @@
*/
package org.apache.hadoop.ozone.om.helpers;
-import org.apache.hadoop.hdds.client.ReplicationFactor;
-import org.apache.hadoop.hdds.client.ReplicationType;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos
.MultipartKeyInfo;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos
.PartKeyInfo;
-import java.time.Instant;
import java.util.HashMap;
import java.util.Map;
import java.util.TreeMap;
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmMultipartUploadList.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmMultipartUploadList.java
index 634f7ce9..0c13a0d 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmMultipartUploadList.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmMultipartUploadList.java
@@ -20,9 +20,6 @@ package org.apache.hadoop.ozone.om.helpers;
import java.util.List;
-import org.apache.hadoop.hdds.client.ReplicationType;
-import org.apache.hadoop.hdds.protocol.proto.HddsProtos.ReplicationFactor;
-
/**
* List of in-flight MPU uploads.
*/
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmMultipartUploadListParts.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmMultipartUploadListParts.java
index 2921b7b..ba0cd42 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmMultipartUploadListParts.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmMultipartUploadListParts.java
@@ -20,7 +20,6 @@ package org.apache.hadoop.ozone.om.helpers;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos.ReplicationFactor;
-import org.apache.hadoop.hdds.protocol.proto.HddsProtos.ReplicationType;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos
.PartInfo;
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmMultipartUploadList.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/ServiceInfoEx.java
similarity index 63%
copy from hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmMultipartUploadList.java
copy to hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/ServiceInfoEx.java
index 634f7ce9..a90be63 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmMultipartUploadList.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/ServiceInfoEx.java
@@ -20,28 +20,28 @@ package org.apache.hadoop.ozone.om.helpers;
import java.util.List;
-import org.apache.hadoop.hdds.client.ReplicationType;
-import org.apache.hadoop.hdds.protocol.proto.HddsProtos.ReplicationFactor;
-
/**
- * List of in-flight MPU uploads.
+ * Wrapper class for service discovery, design for broader usage such as
+ * security, etc.
*/
-public class OmMultipartUploadList {
+public class ServiceInfoEx {
- private List<OmMultipartUpload> uploads;
+ private List<ServiceInfo> infoList;
- public OmMultipartUploadList(
- List<OmMultipartUpload> uploads) {
- this.uploads = uploads;
- }
+ // PEM encoded string of SCM CA certificate.
+ private String caCertificate;
- public List<OmMultipartUpload> getUploads() {
- return uploads;
+ public ServiceInfoEx(List<ServiceInfo> infoList,
+ String caCertificate) {
+ this.infoList = infoList;
+ this.caCertificate = caCertificate;
}
- public void setUploads(
- List<OmMultipartUpload> uploads) {
- this.uploads = uploads;
+ public List<ServiceInfo> getServiceInfoList() {
+ return infoList;
}
+ public String getCaCertificate() {
+ return caCertificate;
+ }
}
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocol/OzoneManagerProtocol.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocol/OzoneManagerProtocol.java
index 7dce8e5..a236695 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocol/OzoneManagerProtocol.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocol/OzoneManagerProtocol.java
@@ -22,8 +22,6 @@ import org.apache.hadoop.hdds.scm.container.common.helpers.ExcludeList;
import org.apache.hadoop.ozone.OzoneAcl;
import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.ozone.om.ha.OMFailoverProxyProvider;
-import org.apache.hadoop.ozone.om.helpers.OmMultipartCommitUploadPartInfo;
-import org.apache.hadoop.ozone.om.helpers.OmMultipartInfo;
import org.apache.hadoop.ozone.om.OMConfigKeys;
import org.apache.hadoop.ozone.om.helpers.OmBucketArgs;
@@ -31,15 +29,18 @@ import org.apache.hadoop.ozone.om.helpers.OmBucketInfo;
import org.apache.hadoop.ozone.om.helpers.OmKeyArgs;
import org.apache.hadoop.ozone.om.helpers.OmKeyInfo;
import org.apache.hadoop.ozone.om.helpers.OmKeyLocationInfo;
+import org.apache.hadoop.ozone.om.helpers.OmMultipartCommitUploadPartInfo;
+import org.apache.hadoop.ozone.om.helpers.OmMultipartInfo;
import org.apache.hadoop.ozone.om.helpers.OmMultipartUploadCompleteInfo;
import org.apache.hadoop.ozone.om.helpers.OmMultipartUploadCompleteList;
import org.apache.hadoop.ozone.om.helpers.OmMultipartUploadList;
import org.apache.hadoop.ozone.om.helpers.OmMultipartUploadListParts;
import org.apache.hadoop.ozone.om.helpers.OmVolumeArgs;
import org.apache.hadoop.ozone.om.helpers.OpenKeySession;
+import org.apache.hadoop.ozone.om.helpers.OzoneFileStatus;
import org.apache.hadoop.ozone.om.helpers.S3SecretValue;
import org.apache.hadoop.ozone.om.helpers.ServiceInfo;
-import org.apache.hadoop.ozone.om.helpers.OzoneFileStatus;
+import org.apache.hadoop.ozone.om.helpers.ServiceInfoEx;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OzoneAclInfo;
@@ -288,6 +289,8 @@ public interface OzoneManagerProtocol
*/
List<ServiceInfo> getServiceList() throws IOException;
+ ServiceInfoEx getServiceInfo() throws IOException;
+
/*
* S3 Specific functionality that is supported by Ozone Manager.
*/
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/OzoneManagerProtocolClientSideTranslatorPB.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/OzoneManagerProtocolClientSideTranslatorPB.java
index 5cd2709..c9dc8ec 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/OzoneManagerProtocolClientSideTranslatorPB.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/OzoneManagerProtocolClientSideTranslatorPB.java
@@ -55,9 +55,10 @@ import org.apache.hadoop.ozone.om.helpers.OmMultipartUploadList;
import org.apache.hadoop.ozone.om.helpers.OmMultipartUploadListParts;
import org.apache.hadoop.ozone.om.helpers.OmVolumeArgs;
import org.apache.hadoop.ozone.om.helpers.OpenKeySession;
+import org.apache.hadoop.ozone.om.helpers.OzoneFileStatus;
import org.apache.hadoop.ozone.om.helpers.S3SecretValue;
import org.apache.hadoop.ozone.om.helpers.ServiceInfo;
-import org.apache.hadoop.ozone.om.helpers.OzoneFileStatus;
+import org.apache.hadoop.ozone.om.helpers.ServiceInfoEx;
import org.apache.hadoop.ozone.om.protocol.OzoneManagerProtocol;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.AddAclResponse;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.GetAclRequest;
@@ -1211,6 +1212,24 @@ public final class OzoneManagerProtocolClientSideTranslatorPB
}
+ @Override
+ public ServiceInfoEx getServiceInfo() throws IOException {
+ ServiceListRequest req = ServiceListRequest.newBuilder().build();
+
+ OMRequest omRequest = createOMRequest(Type.ServiceList)
+ .setServiceListRequest(req)
+ .build();
+
+ final ServiceListResponse resp = handleError(submitRequest(omRequest))
+ .getServiceListResponse();
+
+ return new ServiceInfoEx(
+ resp.getServiceInfoList().stream()
+ .map(ServiceInfo::getFromProtobuf)
+ .collect(Collectors.toList()),
+ resp.getCaCertificate());
+ }
+
/**
* Get a valid Delegation Token.
*
diff --git a/hadoop-ozone/common/src/main/proto/OzoneManagerProtocol.proto b/hadoop-ozone/common/src/main/proto/OzoneManagerProtocol.proto
index 3baad5a..0fd02ce 100644
--- a/hadoop-ozone/common/src/main/proto/OzoneManagerProtocol.proto
+++ b/hadoop-ozone/common/src/main/proto/OzoneManagerProtocol.proto
@@ -878,6 +878,9 @@ message DBUpdatesRequest {
message ServiceListResponse {
repeated ServiceInfo serviceInfo = 2;
+ // When security is enabled, return SCM CA certificate to Ozone client
+ // to set up gRPC TLS for client to authenticate server(DN).
+ optional string caCertificate = 3;
}
message DBUpdatesResponse {
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/pipeline/TestSCMPipelineManager.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/pipeline/TestSCMPipelineManager.java
index eebaa7d..2a486b1 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/pipeline/TestSCMPipelineManager.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/pipeline/TestSCMPipelineManager.java
@@ -76,7 +76,7 @@ public class TestSCMPipelineManager {
@Test
public void testPipelineReload() throws IOException {
SCMPipelineManager pipelineManager =
- new SCMPipelineManager(conf, nodeManager, new EventQueue());
+ new SCMPipelineManager(conf, nodeManager, new EventQueue(), null);
PipelineProvider mockRatisProvider =
new MockRatisPipelineProvider(nodeManager,
pipelineManager.getStateManager(), conf);
@@ -93,7 +93,7 @@ public class TestSCMPipelineManager {
// new pipeline manager should be able to load the pipelines from the db
pipelineManager =
- new SCMPipelineManager(conf, nodeManager, new EventQueue());
+ new SCMPipelineManager(conf, nodeManager, new EventQueue(), null);
mockRatisProvider =
new MockRatisPipelineProvider(nodeManager,
pipelineManager.getStateManager(), conf);
@@ -116,7 +116,7 @@ public class TestSCMPipelineManager {
@Test
public void testRemovePipeline() throws IOException {
SCMPipelineManager pipelineManager =
- new SCMPipelineManager(conf, nodeManager, new EventQueue());
+ new SCMPipelineManager(conf, nodeManager, new EventQueue(), null);
PipelineProvider mockRatisProvider =
new MockRatisPipelineProvider(nodeManager,
pipelineManager.getStateManager(), conf);
@@ -134,8 +134,7 @@ public class TestSCMPipelineManager {
// new pipeline manager should not be able to load removed pipelines
pipelineManager =
- new SCMPipelineManager(conf, nodeManager,
- new EventQueue());
+ new SCMPipelineManager(conf, nodeManager, new EventQueue(), null);
try {
pipelineManager.getPipeline(pipeline.getId());
Assert.fail("Pipeline should not have been retrieved");
@@ -151,7 +150,7 @@ public class TestSCMPipelineManager {
public void testPipelineReport() throws IOException {
EventQueue eventQueue = new EventQueue();
SCMPipelineManager pipelineManager =
- new SCMPipelineManager(conf, nodeManager, eventQueue);
+ new SCMPipelineManager(conf, nodeManager, eventQueue, null);
PipelineProvider mockRatisProvider =
new MockRatisPipelineProvider(nodeManager,
pipelineManager.getStateManager(), conf);
@@ -218,7 +217,7 @@ public class TestSCMPipelineManager {
MockNodeManager nodeManagerMock = new MockNodeManager(true,
20);
SCMPipelineManager pipelineManager =
- new SCMPipelineManager(conf, nodeManagerMock, new EventQueue());
+ new SCMPipelineManager(conf, nodeManagerMock, new EventQueue(), null);
PipelineProvider mockRatisProvider =
new MockRatisPipelineProvider(nodeManagerMock,
pipelineManager.getStateManager(), conf);
@@ -273,7 +272,7 @@ public class TestSCMPipelineManager {
@Test
public void testActivateDeactivatePipeline() throws IOException {
final SCMPipelineManager pipelineManager =
- new SCMPipelineManager(conf, nodeManager, new EventQueue());
+ new SCMPipelineManager(conf, nodeManager, new EventQueue(), null);
final PipelineProvider mockRatisProvider =
new MockRatisPipelineProvider(nodeManager,
pipelineManager.getStateManager(), conf);
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestStorageContainerManager.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestStorageContainerManager.java
index b8de587..d498200 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestStorageContainerManager.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestStorageContainerManager.java
@@ -83,6 +83,8 @@ import org.apache.hadoop.test.GenericTestUtils;
import org.apache.hadoop.util.Time;
import org.apache.hadoop.hdds.utils.HddsVersionInfo;
import org.junit.Assert;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
@@ -90,8 +92,6 @@ import org.junit.rules.TemporaryFolder;
import org.junit.rules.Timeout;
import org.mockito.ArgumentMatcher;
import org.mockito.Mockito;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
@@ -100,12 +100,7 @@ import com.google.common.collect.Maps;
* Test class that exercises the StorageContainerManager.
*/
public class TestStorageContainerManager {
- private static XceiverClientManager xceiverClientManager =
- new XceiverClientManager(
- new OzoneConfiguration());
- private static final Logger LOG = LoggerFactory.getLogger(
- TestStorageContainerManager.class);
-
+ private static XceiverClientManager xceiverClientManager;
/**
* Set the timeout for every test.
*/
@@ -121,6 +116,18 @@ public class TestStorageContainerManager {
@Rule
public TemporaryFolder folder= new TemporaryFolder();
+ @BeforeClass
+ public static void setup() throws IOException {
+ xceiverClientManager = new XceiverClientManager(new OzoneConfiguration());
+ }
+
+ @AfterClass
+ public static void cleanup() {
+ if (xceiverClientManager != null) {
+ xceiverClientManager.close();
+ }
+ }
+
@Test
public void testRpcPermission() throws Exception {
// Test with default configuration
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/CertificateClientTestImpl.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/CertificateClientTestImpl.java
index 25bde38..d05093f 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/CertificateClientTestImpl.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/CertificateClientTestImpl.java
@@ -61,7 +61,7 @@ public class CertificateClientTestImpl implements CertificateClient {
.setEndDate(LocalDate.now().plus(365, ChronoUnit.DAYS))
.setClusterID("cluster1")
.setKey(keyPair)
- .setSubject("TestCertSub")
+ .setSubject("localhost")
.setConfiguration(config)
.setScmID("TestScmId1")
.makeCA();
@@ -99,6 +99,11 @@ public class CertificateClientTestImpl implements CertificateClient {
}
@Override
+ public X509Certificate getCACertificate() {
+ return x509Certificate;
+ }
+
+ @Override
public boolean verifyCertificate(X509Certificate certificate) {
return true;
}
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestContainerReplicationEndToEnd.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestContainerReplicationEndToEnd.java
index e5a3d2f..0886d26 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestContainerReplicationEndToEnd.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestContainerReplicationEndToEnd.java
@@ -155,9 +155,13 @@ public class TestContainerReplicationEndToEnd {
.getPipeline(pipelineID);
key.close();
- cluster.getStorageContainerManager().getContainerManager()
- .updateContainerState(new ContainerID(containerID),
- HddsProtos.LifeCycleEvent.FINALIZE);
+ if (cluster.getStorageContainerManager().getContainerManager()
+ .getContainer(new ContainerID(containerID)).getState() !=
+ HddsProtos.LifeCycleState.CLOSING) {
+ cluster.getStorageContainerManager().getContainerManager()
+ .updateContainerState(new ContainerID(containerID),
+ HddsProtos.LifeCycleEvent.FINALIZE);
+ }
// wait for container to move to OPEN state in SCM
Thread.sleep(2 * containerReportInterval);
DatanodeDetails oldReplicaNode = pipeline.getFirstNode();
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestOzoneContainerWithTLS.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestOzoneContainerWithTLS.java
index c2937a8..30a2593 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestOzoneContainerWithTLS.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestOzoneContainerWithTLS.java
@@ -18,14 +18,17 @@
package org.apache.hadoop.ozone.container.ozoneimpl;
-import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang3.RandomUtils;
import org.apache.hadoop.fs.FileUtil;
import org.apache.hadoop.hdds.HddsConfigKeys;
import org.apache.hadoop.hdds.protocol.DatanodeDetails;
import org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos;
+import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
+import org.apache.hadoop.hdds.security.token.OzoneBlockTokenIdentifier;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.ozone.OzoneConfigKeys;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.ozone.client.CertificateClientTestImpl;
import org.apache.hadoop.ozone.container.ContainerTestHelper;
import org.apache.hadoop.hdds.scm.TestUtils;
import org.apache.hadoop.hdds.scm.XceiverClientGrpc;
@@ -33,13 +36,10 @@ import org.apache.hadoop.hdds.scm.XceiverClientSpi;
import org.apache.hadoop.hdds.scm.pipeline.Pipeline;
import org.apache.hadoop.ozone.container.common.statemachine.DatanodeStateMachine;
import org.apache.hadoop.ozone.container.common.statemachine.StateContext;
+import org.apache.hadoop.ozone.security.OzoneBlockTokenSecretManager;
+import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.test.GenericTestUtils;
-import org.apache.hadoop.util.ThreadUtil;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.Ignore;
-import org.junit.Rule;
-import org.junit.Test;
+import org.junit.*;
import org.junit.rules.TemporaryFolder;
import org.junit.rules.Timeout;
import org.junit.runner.RunWith;
@@ -49,13 +49,11 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.File;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
import java.util.Arrays;
import java.util.Collection;
+import java.util.EnumSet;
import java.util.UUID;
+import java.util.concurrent.TimeUnit;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_KEY_DIR_NAME;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_KEY_DIR_NAME_DEFAULT;
@@ -81,34 +79,24 @@ public class TestOzoneContainerWithTLS {
public TemporaryFolder tempFolder = new TemporaryFolder();
private OzoneConfiguration conf;
- private SecurityConfig secConfig;
- private Boolean requireMutualTls;
-
- public TestOzoneContainerWithTLS(Boolean requireMutualTls) {
- this.requireMutualTls = requireMutualTls;
+ private OzoneBlockTokenSecretManager secretManager;
+ private CertificateClientTestImpl caClient;
+ private boolean blockTokenEnabled;
+ public TestOzoneContainerWithTLS(boolean blockTokenEnabled) {
+ this.blockTokenEnabled = blockTokenEnabled;
}
@Parameterized.Parameters
- public static Collection<Object[]> encryptionOptions() {
+ public static Collection<Object[]> enableBlockToken() {
return Arrays.asList(new Object[][] {
- {true},
- {false}
+ {false},
+ {true}
});
}
- private void copyResource(String inputResourceName, File outputFile) throws
- IOException {
- InputStream is = ThreadUtil.getResourceAsStream(inputResourceName);
- try (OutputStream os = new FileOutputStream(outputFile)) {
- IOUtils.copy(is, os);
- } finally {
- IOUtils.closeQuietly(is);
- }
- }
-
@Before
- public void setup() throws IOException{
+ public void setup() throws Exception {
conf = new OzoneConfiguration();
String ozoneMetaPath =
GenericTestUtils.getTempPath("ozoneMeta");
@@ -125,21 +113,24 @@ public class TestOzoneContainerWithTLS {
conf.setBoolean(HddsConfigKeys.HDDS_GRPC_TLS_ENABLED, true);
conf.setBoolean(HddsConfigKeys.HDDS_GRPC_TLS_TEST_CERT, true);
- secConfig = new SecurityConfig(conf);
- copyResource("ssl/ca.crt", secConfig.getTrustStoreFile());
- copyResource("ssl/server.pem", secConfig.getServerPrivateKeyFile());
- copyResource("ssl/client.pem", secConfig.getClientPrivateKeyFile());
- copyResource("ssl/client.crt", secConfig.getClientCertChainFile());
- copyResource("ssl/server.crt", secConfig.getServerCertChainFile());
+ long expiryTime = conf.getTimeDuration(
+ HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME,
+ HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME_DEFAULT,
+ TimeUnit.MILLISECONDS);
+
+ caClient = new CertificateClientTestImpl(conf);
+ secretManager = new OzoneBlockTokenSecretManager(new SecurityConfig(conf),
+ expiryTime, caClient.getCertificate().
+ getSerialNumber().toString());
}
@Test
public void testCreateOzoneContainer() throws Exception {
- LOG.info("testCreateOzoneContainer with Mutual TLS: {}",
- requireMutualTls);
- conf.setBoolean(HddsConfigKeys.HDDS_GRPC_MUTUAL_TLS_REQUIRED,
- requireMutualTls);
+ LOG.info("testCreateOzoneContainer with TLS and blockToken enabled: {}",
+ blockTokenEnabled);
+ conf.setBoolean(HddsConfigKeys.HDDS_BLOCK_TOKEN_ENABLED,
+ blockTokenEnabled);
long containerID = ContainerTestHelper.getTestContainerID();
OzoneContainer container = null;
@@ -154,13 +145,25 @@ public class TestOzoneContainerWithTLS {
conf.setBoolean(
OzoneConfigKeys.DFS_CONTAINER_IPC_RANDOM_PORT, false);
- container = new OzoneContainer(dn, conf, getContext(dn), null);
+ container = new OzoneContainer(dn, conf, getContext(dn), caClient);
//Set scmId and manually start ozone container.
container.start(UUID.randomUUID().toString());
- XceiverClientGrpc client = new XceiverClientGrpc(pipeline, conf);
- client.connect();
- createContainerForTesting(client, containerID);
+ XceiverClientGrpc client = new XceiverClientGrpc(pipeline, conf,
+ caClient.getCACertificate());
+
+ if (blockTokenEnabled) {
+ secretManager.start(caClient);
+ Token<OzoneBlockTokenIdentifier> token = secretManager.generateToken(
+ "123", EnumSet.allOf(
+ HddsProtos.BlockTokenSecretProto.AccessModeProto.class),
+ RandomUtils.nextLong());
+ client.connect(token.encodeToUrlString());
+ createSecureContainerForTesting(client, containerID, token);
+ } else {
+ createContainerForTesting(client, containerID);
+ client.connect();
+ }
} finally {
if (container != null) {
container.stop();
@@ -170,7 +173,6 @@ public class TestOzoneContainerWithTLS {
public static void createContainerForTesting(XceiverClientSpi client,
long containerID) throws Exception {
- // Create container
ContainerProtos.ContainerCommandRequestProto request =
ContainerTestHelper.getCreateContainerRequest(
containerID, client.getPipeline());
@@ -179,6 +181,18 @@ public class TestOzoneContainerWithTLS {
Assert.assertNotNull(response);
}
+ public static void createSecureContainerForTesting(XceiverClientSpi client,
+ long containerID, Token<OzoneBlockTokenIdentifier> token)
+ throws Exception {
+ ContainerProtos.ContainerCommandRequestProto request =
+ ContainerTestHelper.getCreateContainerSecureRequest(
+ containerID, client.getPipeline(), token);
+ ContainerProtos.ContainerCommandResponseProto response =
+ client.sendCommand(request);
+ Assert.assertNotNull(response);
+ }
+
+
private StateContext getContext(DatanodeDetails datanodeDetails) {
DatanodeStateMachine stateMachine = Mockito.mock(
DatanodeStateMachine.class);
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/scm/TestXceiverClientManager.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/scm/TestXceiverClientManager.java
index a92cd3a..4c25b0c 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/scm/TestXceiverClientManager.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/scm/TestXceiverClientManager.java
@@ -115,7 +115,7 @@ public class TestXceiverClientManager {
TestXceiverClientManager.class.getName() + UUID.randomUUID());
conf.set(HDDS_METADATA_DIR_NAME, metaDir);
XceiverClientManager clientManager =
- new XceiverClientManager(conf, clientConfig);
+ new XceiverClientManager(conf, clientConfig, null);
Cache<String, XceiverClientSpi> cache =
clientManager.getClientCache();
@@ -173,7 +173,7 @@ public class TestXceiverClientManager {
TestXceiverClientManager.class.getName() + UUID.randomUUID());
conf.set(HDDS_METADATA_DIR_NAME, metaDir);
XceiverClientManager clientManager =
- new XceiverClientManager(conf, clientConfig);
+ new XceiverClientManager(conf, clientConfig, null);
Cache<String, XceiverClientSpi> cache =
clientManager.getClientCache();
@@ -222,7 +222,7 @@ public class TestXceiverClientManager {
ScmClientConfig clientConfig = conf.getObject(ScmClientConfig.class);
clientConfig.setMaxSize(1);
XceiverClientManager clientManager =
- new XceiverClientManager(conf, clientConfig);
+ new XceiverClientManager(conf, clientConfig, null);
Cache<String, XceiverClientSpi> cache =
clientManager.getClientCache();
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMetrics.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMetrics.java
index 66a440d..de42be0 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMetrics.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OMMetrics.java
@@ -18,7 +18,6 @@
package org.apache.hadoop.ozone.om;
import com.google.common.annotations.VisibleForTesting;
-import com.sun.codemodel.internal.JExpression;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.metrics2.MetricsSystem;
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
index f7297b7..d2d7256 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
@@ -117,6 +117,7 @@ import org.apache.hadoop.ozone.om.helpers.OmMultipartUploadListParts;
import org.apache.hadoop.ozone.om.helpers.OmVolumeArgs;
import org.apache.hadoop.ozone.om.helpers.OpenKeySession;
import org.apache.hadoop.ozone.om.helpers.ServiceInfo;
+import org.apache.hadoop.ozone.om.helpers.ServiceInfoEx;
import org.apache.hadoop.ozone.om.helpers.OzoneFileStatus;
import org.apache.hadoop.ozone.om.protocolPB.OzoneManagerProtocolPB;
import org.apache.hadoop.ozone.om.ratis.OzoneManagerRatisClient;
@@ -240,6 +241,7 @@ public final class OzoneManager extends ServiceRuntimeInfoImpl
private OzoneDelegationTokenSecretManager delegationTokenMgr;
private OzoneBlockTokenSecretManager blockTokenMgr;
private CertificateClient certClient;
+ private String caCertPem = null;
private static boolean testSecureOmFlag = false;
private final Text omRpcAddressTxt;
private final OzoneConfiguration configuration;
@@ -1254,6 +1256,10 @@ public final class OzoneManager extends ServiceRuntimeInfoImpl
metadataManager.start(configuration);
startSecretManagerIfNecessary();
+ if (certClient != null) {
+ caCertPem = CertificateCodec.getPEMEncodedString(
+ certClient.getCACertificate());
+ }
// Set metrics and start metrics back ground thread
metrics.setNumVolumes(metadataManager.countRowsInTable(metadataManager
.getVolumeTable()));
@@ -2592,6 +2598,11 @@ public final class OzoneManager extends ServiceRuntimeInfoImpl
}
@Override
+ public ServiceInfoEx getServiceInfo() throws IOException {
+ return new ServiceInfoEx(getServiceList(), caCertPem);
+ }
+
+ @Override
/**
* {@inheritDoc}
*/
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/protocolPB/OzoneManagerRequestHandler.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/protocolPB/OzoneManagerRequestHandler.java
index 3da17a9..01e59b4 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/protocolPB/OzoneManagerRequestHandler.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/protocolPB/OzoneManagerRequestHandler.java
@@ -761,10 +761,12 @@ public class OzoneManagerRequestHandler implements RequestHandler {
throws IOException {
ServiceListResponse.Builder resp = ServiceListResponse.newBuilder();
- resp.addAllServiceInfo(impl.getServiceList().stream()
+ resp.addAllServiceInfo(impl.getServiceInfo().getServiceInfoList().stream()
.map(ServiceInfo::getProtobuf)
.collect(Collectors.toList()));
-
+ if (impl.getServiceInfo().getCaCertificate() != null) {
+ resp.setCaCertificate(impl.getServiceInfo().getCaCertificate());
+ }
return resp.build();
}
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-commits-help@hadoop.apache.org