Posted to common-commits@hadoop.apache.org by tu...@apache.org on 2014/08/21 20:58:55 UTC
svn commit: r1619518 [2/3] - in
/hadoop/common/branches/branch-2/hadoop-common-project: ./ hadoop-common/
hadoop-common/dev-support/
hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/
hadoop-common/src/main/resources/META-INF/services/ hadoo...
Added: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSCacheKeyProvider.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSCacheKeyProvider.java?rev=1619518&view=auto
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSCacheKeyProvider.java (added)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSCacheKeyProvider.java Thu Aug 21 18:58:53 2014
@@ -0,0 +1,180 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto.key.kms.server;
+
+import com.google.common.cache.CacheBuilder;
+import com.google.common.cache.CacheLoader;
+import com.google.common.cache.LoadingCache;
+import org.apache.hadoop.crypto.key.KeyProvider;
+
+import java.io.IOException;
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+
+/**
+ * A <code>KeyProvider</code> proxy implementation providing a short lived
+ * cache for <code>KeyVersions</code> to avoid burst of requests to hit the
+ * underlying <code>KeyProvider</code>.
+ */
+public class KMSCacheKeyProvider extends KeyProvider {
+ private final KeyProvider provider;
+ private LoadingCache<String, KeyVersion> keyVersionCache;
+ private LoadingCache<String, KeyVersion> currentKeyCache;
+
+ private static class KeyNotFoundException extends Exception {
+ private static final long serialVersionUID = 1L;
+ }
+
+ public KMSCacheKeyProvider(KeyProvider prov, long timeoutMillis) {
+ this.provider = prov;
+ keyVersionCache = CacheBuilder.newBuilder().expireAfterAccess(timeoutMillis,
+ TimeUnit.MILLISECONDS).build(new CacheLoader<String, KeyVersion>() {
+ @Override
+ public KeyVersion load(String key) throws Exception {
+ KeyVersion kv = provider.getKeyVersion(key);
+ if (kv == null) {
+ throw new KeyNotFoundException();
+ }
+ return kv;
+ }
+ });
+ // for current key we don't want to go stale for more than 1 sec
+ currentKeyCache = CacheBuilder.newBuilder().expireAfterWrite(1000,
+ TimeUnit.MILLISECONDS).build(new CacheLoader<String, KeyVersion>() {
+ @Override
+ public KeyVersion load(String key) throws Exception {
+ KeyVersion kv = provider.getCurrentKey(key);
+ if (kv == null) {
+ throw new KeyNotFoundException();
+ }
+ return kv;
+ }
+ });
+ }
+
+ @Override
+ public KeyVersion getCurrentKey(String name) throws IOException {
+ try {
+ return currentKeyCache.get(name);
+ } catch (ExecutionException ex) {
+ Throwable cause = ex.getCause();
+ if (cause instanceof KeyNotFoundException) {
+ return null;
+ } else if (cause instanceof IOException) {
+ throw (IOException) cause;
+ } else {
+ throw new IOException(cause);
+ }
+ }
+ }
+
+ @Override
+ public KeyVersion getKeyVersion(String versionName)
+ throws IOException {
+ try {
+ return keyVersionCache.get(versionName);
+ } catch (ExecutionException ex) {
+ Throwable cause = ex.getCause();
+ if (cause instanceof KeyNotFoundException) {
+ return null;
+ } else if (cause instanceof IOException) {
+ throw (IOException) cause;
+ } else {
+ throw new IOException(cause);
+ }
+ }
+ }
+
+ @Override
+ public List<String> getKeys() throws IOException {
+ return provider.getKeys();
+ }
+
+ @Override
+ public List<KeyVersion> getKeyVersions(String name)
+ throws IOException {
+ return provider.getKeyVersions(name);
+ }
+
+ @Override
+ public Metadata getMetadata(String name) throws IOException {
+ return provider.getMetadata(name);
+ }
+
+ @Override
+ public KeyVersion createKey(String name, byte[] material,
+ Options options) throws IOException {
+ return provider.createKey(name, material, options);
+ }
+
+ @Override
+ public KeyVersion createKey(String name,
+ Options options)
+ throws NoSuchAlgorithmException, IOException {
+ return provider.createKey(name, options);
+ }
+
+ @Override
+ public void deleteKey(String name) throws IOException {
+ Metadata metadata = provider.getMetadata(name);
+ List<String> versions = new ArrayList<String>(metadata.getVersions());
+ for (int i = 0; i < metadata.getVersions(); i++) {
+ versions.add(KeyProvider.buildVersionName(name, i));
+ }
+ provider.deleteKey(name);
+ currentKeyCache.invalidate(name);
+ keyVersionCache.invalidateAll(versions);
+ }
+
+ @Override
+ public KeyVersion rollNewVersion(String name, byte[] material)
+ throws IOException {
+ KeyVersion key = provider.rollNewVersion(name, material);
+ currentKeyCache.invalidate(name);
+ return key;
+ }
+
+ @Override
+ public KeyVersion rollNewVersion(String name)
+ throws NoSuchAlgorithmException, IOException {
+ KeyVersion key = provider.rollNewVersion(name);
+ currentKeyCache.invalidate(name);
+ return key;
+ }
+
+ @Override
+ public void flush() throws IOException {
+ provider.flush();
+ }
+
+ @Override
+ public Metadata[] getKeysMetadata(String ... keyNames)
+ throws IOException {
+ return provider.getKeysMetadata(keyNames);
+ }
+
+ @Override
+ public boolean isTransient() {
+ return provider.isTransient();
+ }
+
+}
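Review bot: deleteKey dereferences the result of provider.getMetadata(name) without a null check, so deleting an unknown key ends in a NullPointerException at metadata.getVersions() rather than an IOException, if the underlying provider signals "not found" with null the way the two cache loaders at the top of the class assume it does for getKeyVersion/getCurrentKey. Because this class sits in front of key material, I would also prefer that an unknown version count drops every cached version rather than skipping invalidation, so that no version of a deleted key keeps being served from keyVersionCache until its expireAfterAccess window lapses. The rewritten method is below. Separately, keyVersionCache and currentKeyCache are assigned exactly once in the constructor and should be declared `final` like provider.
```java
  @Override
  public void deleteKey(String name) throws IOException {
    Metadata metadata = provider.getMetadata(name);
    provider.deleteKey(name);
    currentKeyCache.invalidate(name);
    if (metadata == null) {
      // version count unknown: drop every cached version rather than risk
      // serving material of a key that no longer exists
      keyVersionCache.invalidateAll();
      return;
    }
    List<String> versions = new ArrayList<String>(metadata.getVersions());
    for (int i = 0; i < metadata.getVersions(); i++) {
      versions.add(KeyProvider.buildVersionName(name, i));
    }
    keyVersionCache.invalidateAll(versions);
  }
```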
Added: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java?rev=1619518&view=auto
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java (added)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java Thu Aug 21 18:58:53 2014
@@ -0,0 +1,94 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto.key.kms.server;
+
+import org.apache.hadoop.conf.Configuration;
+
+import java.io.File;
+import java.net.MalformedURLException;
+import java.net.URL;
+
+/**
+ * Utility class to load KMS configuration files.
+ */
+public class KMSConfiguration {
+
+ public static final String KMS_CONFIG_DIR = "kms.config.dir";
+ public static final String KMS_SITE_XML = "kms-site.xml";
+ public static final String KMS_ACLS_XML = "kms-acls.xml";
+
+ public static final String CONFIG_PREFIX = "hadoop.kms.";
+
+ public static final String KEY_CACHE_TIMEOUT_KEY = CONFIG_PREFIX +
+ "cache.timeout.ms";
+ public static final long KEY_CACHE_TIMEOUT_DEFAULT = 10 * 1000; // 10 secs
+
+ static Configuration getConfiguration(boolean loadHadoopDefaults,
+ String ... resources) {
+ Configuration conf = new Configuration(loadHadoopDefaults);
+ String confDir = System.getProperty(KMS_CONFIG_DIR);
+ if (confDir != null) {
+ try {
+ if (!confDir.startsWith("/")) {
+ throw new RuntimeException("System property '" + KMS_CONFIG_DIR +
+ "' must be an absolute path: " + confDir);
+ }
+ if (!confDir.endsWith("/")) {
+ confDir += "/";
+ }
+ for (String resource : resources) {
+ conf.addResource(new URL("file://" + confDir + resource));
+ }
+ } catch (MalformedURLException ex) {
+ throw new RuntimeException(ex);
+ }
+ } else {
+ for (String resource : resources) {
+ conf.addResource(resource);
+ }
+ }
+ return conf;
+ }
+
+ public static Configuration getKMSConf() {
+ return getConfiguration(true, "core-site.xml", KMS_SITE_XML);
+ }
+
+ public static Configuration getACLsConf() {
+ return getConfiguration(false, KMS_ACLS_XML);
+ }
+
+ public static boolean isACLsFileNewer(long time) {
+ boolean newer = false;
+ String confDir = System.getProperty(KMS_CONFIG_DIR);
+ if (confDir != null) {
+ if (!confDir.startsWith("/")) {
+ throw new RuntimeException("System property '" + KMS_CONFIG_DIR +
+ "' must be an absolute path: " + confDir);
+ }
+ if (!confDir.endsWith("/")) {
+ confDir += "/";
+ }
+ File f = new File(confDir, KMS_ACLS_XML);
+ // at least 100ms newer than time, we do this to ensure the file
+ // has been properly closed/flushed
+ newer = f.lastModified() - time > 100;
+ }
+ return newer;
+ }
+}
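Review bot: The absolute-path validation and trailing-slash normalisation of the kms.config.dir system property is written out twice, once in getConfiguration and again in isACLsFileNewer, and the two copies will drift the first time one of them is touched. Since this property decides where the KMS reads its ACL file from, the rule should live in one place; a private helper such as the one below lets both callers start with `String confDir = getConfDir();` and keep the `confDir != null` branch as is. A reader would also benefit from a one-line Javadoc on isACLsFileNewer stating that it returns false when the property is unset, which the current code does silently.
```java
  // Resolves the kms.config.dir system property into an absolute directory
  // path with a trailing '/', or null when the property is not set.
  private static String getConfDir() {
    String confDir = System.getProperty(KMS_CONFIG_DIR);
    if (confDir == null) {
      return null;
    }
    if (!confDir.startsWith("/")) {
      throw new RuntimeException("System property '" + KMS_CONFIG_DIR +
          "' must be an absolute path: " + confDir);
    }
    return confDir.endsWith("/") ? confDir : confDir + "/";
  }
```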
Added: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSExceptionsProvider.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSExceptionsProvider.java?rev=1619518&view=auto
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSExceptionsProvider.java (added)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSExceptionsProvider.java Thu Aug 21 18:58:53 2014
@@ -0,0 +1,113 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto.key.kms.server;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+
+import com.sun.jersey.api.container.ContainerException;
+import org.apache.hadoop.crypto.key.kms.KMSRESTConstants;
+import org.apache.hadoop.security.AccessControlException;
+import org.apache.hadoop.security.authentication.client.AuthenticationException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.ext.ExceptionMapper;
+import javax.ws.rs.ext.Provider;
+import java.io.IOException;
+import java.security.Principal;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+/**
+ * Jersey provider that converts KMS exceptions into detailed HTTP errors.
+ */
+@Provider
+@InterfaceAudience.Private
+public class KMSExceptionsProvider implements ExceptionMapper<Exception> {
+ private static Logger LOG =
+ LoggerFactory.getLogger(KMSExceptionsProvider.class);
+
+ private static final String ENTER = System.getProperty("line.separator");
+
+ protected Response createResponse(Response.Status status, Throwable ex) {
+ Map<String, Object> json = new LinkedHashMap<String, Object>();
+ json.put(KMSRESTConstants.ERROR_EXCEPTION_JSON, ex.getClass().getName());
+ json.put(KMSRESTConstants.ERROR_MESSAGE_JSON, getOneLineMessage(ex));
+ log(status, ex);
+ return Response.status(status).type(MediaType.APPLICATION_JSON).
+ entity(json).build();
+ }
+
+ protected String getOneLineMessage(Throwable exception) {
+ String message = exception.getMessage();
+ if (message != null) {
+ int i = message.indexOf(ENTER);
+ if (i > -1) {
+ message = message.substring(0, i);
+ }
+ }
+ return message;
+ }
+
+ /**
+ * Maps different exceptions thrown by KMS to HTTP status codes.
+ */
+ @Override
+ public Response toResponse(Exception exception) {
+ Response.Status status;
+ boolean doAudit = true;
+ Throwable throwable = exception;
+ if (exception instanceof ContainerException) {
+ throwable = exception.getCause();
+ }
+ if (throwable instanceof SecurityException) {
+ status = Response.Status.FORBIDDEN;
+ } else if (throwable instanceof AuthenticationException) {
+ status = Response.Status.FORBIDDEN;
+ // we don't audit here because we did it already when checking access
+ doAudit = false;
+ } else if (throwable instanceof AccessControlException) {
+ status = Response.Status.FORBIDDEN;
+ } else if (exception instanceof IOException) {
+ status = Response.Status.INTERNAL_SERVER_ERROR;
+ } else if (exception instanceof UnsupportedOperationException) {
+ status = Response.Status.BAD_REQUEST;
+ } else if (exception instanceof IllegalArgumentException) {
+ status = Response.Status.BAD_REQUEST;
+ } else {
+ status = Response.Status.INTERNAL_SERVER_ERROR;
+ }
+ if (doAudit) {
+ KMSAudit.error(KMSMDCFilter.getPrincipal(), KMSMDCFilter.getMethod(),
+ KMSMDCFilter.getURL(), getOneLineMessage(exception));
+ }
+ return createResponse(status, throwable);
+ }
+
+ protected void log(Response.Status status, Throwable ex) {
+ Principal principal = KMSMDCFilter.getPrincipal();
+ String method = KMSMDCFilter.getMethod();
+ String url = KMSMDCFilter.getURL();
+ String msg = getOneLineMessage(ex);
+ LOG.warn("User:{} Method:{} URL:{} Response:{}-{}", principal, method, url,
+ status, msg, ex);
+ }
+
+}
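Review bot: toResponse unwraps a ContainerException into `throwable` but then tests the original `exception` in the IOException, UnsupportedOperationException and IllegalArgumentException branches, so a wrapped IllegalArgumentException is answered with 500 instead of 400 while a wrapped AccessControlException is correctly mapped to 403; those three branches should read `throwable instanceof ...` like the ones above them. The unwrap itself does not guard against getCause() returning null, in which case createResponse dereferences a null `ex`; `if (exception instanceof ContainerException && exception.getCause() != null) { throwable = exception.getCause(); }` avoids that. For the same reason the audit line should pass `throwable` rather than `exception` to getOneLineMessage so that the audit record and the HTTP body describe the same error. As a point of style, LOG is assigned once and should be `private static final`.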
Added: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJSONReader.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJSONReader.java?rev=1619518&view=auto
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJSONReader.java (added)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJSONReader.java Thu Aug 21 18:58:53 2014
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto.key.kms.server;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.codehaus.jackson.map.ObjectMapper;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.ext.MessageBodyReader;
+import javax.ws.rs.ext.Provider;
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import java.util.Map;
+
+@Provider
+@Consumes(MediaType.APPLICATION_JSON)
+@InterfaceAudience.Private
+public class KMSJSONReader implements MessageBodyReader<Map> {
+
+ @Override
+ public boolean isReadable(Class<?> type, Type genericType,
+ Annotation[] annotations, MediaType mediaType) {
+ return type.isAssignableFrom(Map.class);
+ }
+
+ @Override
+ public Map readFrom(Class<Map> type, Type genericType,
+ Annotation[] annotations, MediaType mediaType,
+ MultivaluedMap<String, String> httpHeaders, InputStream entityStream)
+ throws IOException, WebApplicationException {
+ ObjectMapper mapper = new ObjectMapper();
+ return mapper.readValue(entityStream, type);
+ }
+}
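Review bot: readFrom constructs a new ObjectMapper for every request body, which is the expensive part of Jackson and is unnecessary because a configured mapper is safe to share; hoist it to `private static final ObjectMapper MAPPER = new ObjectMapper();` and call `MAPPER.readValue(entityStream, type)`. The class also uses the raw `Map` type in its MessageBodyReader declaration and in readFrom's parameters, which silences the compiler on what the mapper actually produces; `Map<String, Object>` would document the contract that KMS callers rely on. Unlike KMSJSONWriter in this commit, the class has no Javadoc; a sentence such as "Jersey provider that reads an application/json request body into a Map" would match its sibling.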
Added: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJSONWriter.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJSONWriter.java?rev=1619518&view=auto
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJSONWriter.java (added)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJSONWriter.java Thu Aug 21 18:58:53 2014
@@ -0,0 +1,70 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto.key.kms.server;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.codehaus.jackson.map.ObjectMapper;
+
+import javax.ws.rs.Produces;
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.ext.MessageBodyWriter;
+import javax.ws.rs.ext.Provider;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.io.OutputStreamWriter;
+import java.io.Writer;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * Jersey provider that converts <code>Map</code>s and <code>List</code>s
+ * to their JSON representation.
+ */
+@Provider
+@Produces(MediaType.APPLICATION_JSON)
+@InterfaceAudience.Private
+public class KMSJSONWriter implements MessageBodyWriter<Object> {
+
+ @Override
+ public boolean isWriteable(Class<?> aClass, Type type,
+ Annotation[] annotations, MediaType mediaType) {
+ return Map.class.isAssignableFrom(aClass) ||
+ List.class.isAssignableFrom(aClass);
+ }
+
+ @Override
+ public long getSize(Object obj, Class<?> aClass, Type type,
+ Annotation[] annotations, MediaType mediaType) {
+ return -1;
+ }
+
+ @Override
+ public void writeTo(Object obj, Class<?> aClass, Type type,
+ Annotation[] annotations, MediaType mediaType,
+ MultivaluedMap<String, Object> stringObjectMultivaluedMap,
+ OutputStream outputStream) throws IOException, WebApplicationException {
+ Writer writer = new OutputStreamWriter(outputStream);
+ ObjectMapper jsonMapper = new ObjectMapper();
+ jsonMapper.writerWithDefaultPrettyPrinter().writeValue(writer, obj);
+ }
+
+}
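Review bot: writeTo wraps the response stream in `new OutputStreamWriter(outputStream)`, which uses the JVM's platform default charset, while the provider advertises application/json and the reader on the other end will assume UTF-8; on a host whose default is not UTF-8 any non-ASCII description or key name is emitted mis-encoded. Use `Writer writer = new OutputStreamWriter(outputStream, "UTF-8");`, which fits the declared IOException. As in KMSJSONReader, the ObjectMapper is built per call and should be a shared `private static final` instance instead.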
Added: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSMDCFilter.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSMDCFilter.java?rev=1619518&view=auto
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSMDCFilter.java (added)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSMDCFilter.java Thu Aug 21 18:58:53 2014
@@ -0,0 +1,92 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto.key.kms.server;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+import java.security.Principal;
+
+/**
+ * Servlet filter that captures context of the HTTP request to be use in the
+ * scope of KMS calls on the server side.
+ */
+@InterfaceAudience.Private
+public class KMSMDCFilter implements Filter {
+
+ private static class Data {
+ private Principal principal;
+ private String method;
+ private StringBuffer url;
+
+ private Data(Principal principal, String method, StringBuffer url) {
+ this.principal = principal;
+ this.method = method;
+ this.url = url;
+ }
+ }
+
+ private static ThreadLocal<Data> DATA_TL = new ThreadLocal<Data>();
+
+ public static Principal getPrincipal() {
+ return DATA_TL.get().principal;
+ }
+
+ public static String getMethod() {
+ return DATA_TL.get().method;
+ }
+
+ public static String getURL() {
+ return DATA_TL.get().url.toString();
+ }
+
+ @Override
+ public void init(FilterConfig config) throws ServletException {
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response,
+ FilterChain chain)
+ throws IOException, ServletException {
+ try {
+ DATA_TL.remove();
+ Principal principal = ((HttpServletRequest) request).getUserPrincipal();
+ String method = ((HttpServletRequest) request).getMethod();
+ StringBuffer requestURL = ((HttpServletRequest) request).getRequestURL();
+ String queryString = ((HttpServletRequest) request).getQueryString();
+ if (queryString != null) {
+ requestURL.append("?").append(queryString);
+ }
+ DATA_TL.set(new Data(principal, method, requestURL));
+ chain.doFilter(request, response);
+ } finally {
+ DATA_TL.remove();
+ }
+ }
+
+ @Override
+ public void destroy() {
+ }
+}
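Review bot: The three static getters dereference DATA_TL.get() unconditionally, so any call made on a thread that is not inside doFilter, or after the finally block has removed the entry, throws a NullPointerException; since KMSExceptionsProvider in this same commit calls them from its error path, that would turn an error report into a second failure. Each getter should tolerate the missing entry, e.g. `Data d = DATA_TL.get(); return d == null ? null : d.principal;` and likewise for method and url. Two smaller points: DATA_TL is never reassigned and should be `final`, and the four `((HttpServletRequest) request)` casts in doFilter would read better as a single local.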
Added: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSServerJSONUtils.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSServerJSONUtils.java?rev=1619518&view=auto
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSServerJSONUtils.java (added)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSServerJSONUtils.java Thu Aug 21 18:58:53 2014
@@ -0,0 +1,80 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto.key.kms.server;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.crypto.key.KeyProvider;
+import org.apache.hadoop.crypto.key.kms.KMSRESTConstants;
+
+import java.util.ArrayList;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * JSON utility methods for the KMS.
+ */
+@InterfaceAudience.Private
+public class KMSServerJSONUtils {
+ @SuppressWarnings("unchecked")
+ public static Map toJSON(KeyProvider.KeyVersion keyVersion) {
+ Map json = new LinkedHashMap();
+ if (keyVersion != null) {
+ json.put(KMSRESTConstants.VERSION_NAME_FIELD,
+ keyVersion.getVersionName());
+ json.put(KMSRESTConstants.MATERIAL_FIELD, keyVersion.getMaterial());
+ }
+ return json;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static List toJSON(List<KeyProvider.KeyVersion> keyVersions) {
+ List json = new ArrayList();
+ if (keyVersions != null) {
+ for (KeyProvider.KeyVersion version : keyVersions) {
+ json.add(toJSON(version));
+ }
+ }
+ return json;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static Map toJSON(String keyName, KeyProvider.Metadata meta) {
+ Map json = new LinkedHashMap();
+ if (meta != null) {
+ json.put(KMSRESTConstants.NAME_FIELD, keyName);
+ json.put(KMSRESTConstants.CIPHER_FIELD, meta.getCipher());
+ json.put(KMSRESTConstants.LENGTH_FIELD, meta.getBitLength());
+ json.put(KMSRESTConstants.DESCRIPTION_FIELD, meta.getDescription());
+ json.put(KMSRESTConstants.CREATED_FIELD,
+ meta.getCreated().getTime());
+ json.put(KMSRESTConstants.VERSIONS_FIELD,
+ (long) meta.getVersions());
+ }
+ return json;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static List toJSON(String[] keyNames, KeyProvider.Metadata[] metas) {
+ List json = new ArrayList();
+ for (int i = 0; i < keyNames.length; i++) {
+ json.add(toJSON(keyNames[i], metas[i]));
+ }
+ return json;
+ }
+}
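Review bot: The array overload toJSON(String[] keyNames, KeyProvider.Metadata[] metas) is the only method in the class without a null check and it also assumes metas is at least as long as keyNames, so a provider that returns a shorter array ends in an ArrayIndexOutOfBoundsException rather than a clean error; a guard such as `if (metas == null || metas.length != keyNames.length) { throw new IllegalArgumentException("keyNames and metas must have the same length"); }` makes the contract explicit. All four methods use raw Map and List with @SuppressWarnings("unchecked"); declaring them as `Map<String, Object>` and `List<Map<String, Object>>` removes the suppression and documents the shape handed to KMSJSONWriter. A short Javadoc per overload saying which KMSRESTConstants fields it emits would help readers of the REST contract.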
Added: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java?rev=1619518&view=auto
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java (added)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java Thu Aug 21 18:58:53 2014
@@ -0,0 +1,214 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto.key.kms.server;
+
+import com.codahale.metrics.JmxReporter;
+import com.codahale.metrics.Meter;
+import com.codahale.metrics.MetricRegistry;
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.key.KeyProvider;
+import org.apache.hadoop.crypto.key.KeyProviderFactory;
+import org.apache.hadoop.http.HttpServer2;
+import org.apache.hadoop.security.authorize.AccessControlList;
+import org.apache.hadoop.util.VersionInfo;
+import org.apache.log4j.PropertyConfigurator;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.slf4j.bridge.SLF4JBridgeHandler;
+
+import javax.servlet.ServletContextEvent;
+import javax.servlet.ServletContextListener;
+import java.io.File;
+import java.net.URL;
+import java.util.List;
+
+@InterfaceAudience.Private
+public class KMSWebApp implements ServletContextListener {
+
+ private static final String LOG4J_PROPERTIES = "kms-log4j.properties";
+
+ private static final String METRICS_PREFIX = "hadoop.kms.";
+ private static final String ADMIN_CALLS_METER = METRICS_PREFIX +
+ "admin.calls.meter";
+ private static final String KEY_CALLS_METER = METRICS_PREFIX +
+ "key.calls.meter";
+ private static final String INVALID_CALLS_METER = METRICS_PREFIX +
+ "invalid.calls.meter";
+ private static final String UNAUTHORIZED_CALLS_METER = METRICS_PREFIX +
+ "unauthorized.calls.meter";
+ private static final String UNAUTHENTICATED_CALLS_METER = METRICS_PREFIX +
+ "unauthenticated.calls.meter";
+
+ private static Logger LOG;
+ private static MetricRegistry metricRegistry;
+
+ private JmxReporter jmxReporter;
+ private static Configuration kmsConf;
+ private static KMSACLs acls;
+ private static Meter adminCallsMeter;
+ private static Meter keyCallsMeter;
+ private static Meter unauthorizedCallsMeter;
+ private static Meter unauthenticatedCallsMeter;
+ private static Meter invalidCallsMeter;
+ private static KeyProvider keyProvider;
+
+ static {
+ SLF4JBridgeHandler.removeHandlersForRootLogger();
+ SLF4JBridgeHandler.install();
+ }
+
+ private void initLogging(String confDir) {
+ if (System.getProperty("log4j.configuration") == null) {
+ System.setProperty("log4j.defaultInitOverride", "true");
+ boolean fromClasspath = true;
+ File log4jConf = new File(confDir, LOG4J_PROPERTIES).getAbsoluteFile();
+ if (log4jConf.exists()) {
+ PropertyConfigurator.configureAndWatch(log4jConf.getPath(), 1000);
+ fromClasspath = false;
+ } else {
+ ClassLoader cl = Thread.currentThread().getContextClassLoader();
+ URL log4jUrl = cl.getResource(LOG4J_PROPERTIES);
+ if (log4jUrl != null) {
+ PropertyConfigurator.configure(log4jUrl);
+ }
+ }
+ LOG = LoggerFactory.getLogger(KMSWebApp.class);
+ LOG.debug("KMS log starting");
+ if (fromClasspath) {
+ LOG.warn("Log4j configuration file '{}' not found", LOG4J_PROPERTIES);
+ LOG.warn("Logging with INFO level to standard output");
+ }
+ } else {
+ LOG = LoggerFactory.getLogger(KMSWebApp.class);
+ }
+ }
+
+ @Override
+ public void contextInitialized(ServletContextEvent sce) {
+ try {
+ String confDir = System.getProperty(KMSConfiguration.KMS_CONFIG_DIR);
+ if (confDir == null) {
+ throw new RuntimeException("System property '" +
+ KMSConfiguration.KMS_CONFIG_DIR + "' not defined");
+ }
+ kmsConf = KMSConfiguration.getKMSConf();
+ initLogging(confDir);
+ LOG.info("-------------------------------------------------------------");
+ LOG.info(" Java runtime version : {}", System.getProperty(
+ "java.runtime.version"));
+ LOG.info(" KMS Hadoop Version: " + VersionInfo.getVersion());
+ LOG.info("-------------------------------------------------------------");
+
+ acls = new KMSACLs();
+ acls.startReloader();
+
+ metricRegistry = new MetricRegistry();
+ jmxReporter = JmxReporter.forRegistry(metricRegistry).build();
+ jmxReporter.start();
+ adminCallsMeter = metricRegistry.register(ADMIN_CALLS_METER, new Meter());
+ keyCallsMeter = metricRegistry.register(KEY_CALLS_METER, new Meter());
+ invalidCallsMeter = metricRegistry.register(INVALID_CALLS_METER,
+ new Meter());
+ unauthorizedCallsMeter = metricRegistry.register(UNAUTHORIZED_CALLS_METER,
+ new Meter());
+ unauthenticatedCallsMeter = metricRegistry.register(
+ UNAUTHENTICATED_CALLS_METER, new Meter());
+
+ // this is required for the the JMXJsonServlet to work properly.
+ // the JMXJsonServlet is behind the authentication filter,
+ // thus the '*' ACL.
+ sce.getServletContext().setAttribute(HttpServer2.CONF_CONTEXT_ATTRIBUTE,
+ kmsConf);
+ sce.getServletContext().setAttribute(HttpServer2.ADMINS_ACL,
+ new AccessControlList(AccessControlList.WILDCARD_ACL_VALUE));
+
+ // intializing the KeyProvider
+
+ List<KeyProvider> providers = KeyProviderFactory.getProviders(kmsConf);
+ if (providers.isEmpty()) {
+ throw new IllegalStateException("No KeyProvider has been defined");
+ }
+ if (providers.size() > 1) {
+ LOG.warn("There is more than one KeyProvider configured '{}', using " +
+ "the first provider",
+ kmsConf.get(KeyProviderFactory.KEY_PROVIDER_PATH));
+ }
+ keyProvider = providers.get(0);
+ long timeOutMillis =
+ kmsConf.getLong(KMSConfiguration.KEY_CACHE_TIMEOUT_KEY,
+ KMSConfiguration.KEY_CACHE_TIMEOUT_DEFAULT);
+ keyProvider = new KMSCacheKeyProvider(keyProvider, timeOutMillis);
+
+ LOG.info("KMS Started");
+ } catch (Throwable ex) {
+ System.out.println();
+ System.out.println("ERROR: Hadoop KMS could not be started");
+ System.out.println();
+ System.out.println("REASON: " + ex.toString());
+ System.out.println();
+ System.out.println("Stacktrace:");
+ System.out.println("---------------------------------------------------");
+ ex.printStackTrace(System.out);
+ System.out.println("---------------------------------------------------");
+ System.out.println();
+ System.exit(1);
+ }
+ }
+
+ @Override
+ public void contextDestroyed(ServletContextEvent sce) {
+ acls.stopReloader();
+ jmxReporter.stop();
+ jmxReporter.close();
+ metricRegistry = null;
+ LOG.info("KMS Stopped");
+ }
+
+ public static Configuration getConfiguration() {
+ return new Configuration(kmsConf);
+ }
+
+ public static KMSACLs getACLs() {
+ return acls;
+ }
+
+ public static Meter getAdminCallsMeter() {
+ return adminCallsMeter;
+ }
+
+ public static Meter getKeyCallsMeter() {
+ return keyCallsMeter;
+ }
+
+ public static Meter getInvalidCallsMeter() {
+ return invalidCallsMeter;
+ }
+
+ public static Meter getUnauthorizedCallsMeter() {
+ return unauthorizedCallsMeter;
+ }
+
+ public static Meter getUnauthenticatedCallsMeter() {
+ return unauthenticatedCallsMeter;
+ }
+
+ public static KeyProvider getKeyProvider() {
+ return keyProvider;
+ }
+}
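Review bot: The catch block at the end of contextInitialized calls System.exit(1), which terminates the whole container JVM rather than just leaving this web application undeployed, and it reports the failure on System.out instead of the logger; the stdout choice looks deliberate, since LOG is only assigned inside initLogging while the confDir check and getKMSConf() run before it, but neither decision is explained. A comment above the catch such as `// LOG may not be initialised yet: report to stdout, then abort the JVM so a half-started KMS never serves requests` would preserve that intent for the next reader. The version line at the top of the same try block uses string concatenation where its neighbours use placeholders; `LOG.info(" KMS Hadoop Version: {}", VersionInfo.getVersion());` keeps them consistent. contextDestroyed stops the ACL reloader and the JMX reporter but never touches the cached key provider; if the wrapped KeyProvider buffers writes behind its flush() operation, pending key material changes could be lost on shutdown — worth confirming against the provider API before release.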
Added: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh?rev=1619518&view=auto
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh (added)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh Thu Aug 21 18:58:53 2014
@@ -0,0 +1,181 @@
+#!/bin/bash
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# resolve links - $0 may be a softlink
+PRG="${0}"
+
+while [ -h "${PRG}" ]; do
+ ls=`ls -ld "${PRG}"`
+ link=`expr "$ls" : '.*-> \(.*\)$'`
+ if expr "$link" : '/.*' > /dev/null; then
+ PRG="$link"
+ else
+ PRG=`dirname "${PRG}"`/"$link"
+ fi
+done
+
+BASEDIR=`dirname ${PRG}`
+BASEDIR=`cd ${BASEDIR}/..;pwd`
+
+
+function print() {
+ if [ "${KMS_SILENT}" != "true" ]; then
+ echo "$@"
+ fi
+}
+
+# if KMS_HOME is already set warn it will be ignored
+#
+if [ "${KMS_HOME}" != "" ]; then
+ echo "WARNING: current setting of KMS_HOME ignored"
+fi
+
+print
+
+# setting KMS_HOME to the installation dir, it cannot be changed
+#
+export KMS_HOME=${BASEDIR}
+kms_home=${KMS_HOME}
+print "Setting KMS_HOME: ${KMS_HOME}"
+
+# if the installation has a env file, source it
+# this is for native packages installations
+#
+if [ -e "${KMS_HOME}/bin/kms-env.sh" ]; then
+ print "Sourcing: ${KMS_HOME}/bin/kms-env.sh"
+ source ${KMS_HOME}/bin/kms-env.sh
+ grep "^ *export " ${KMS_HOME}/bin/kms-env.sh | sed 's/ *export/ setting/'
+fi
+
+# verify that the sourced env file didn't change KMS_HOME
+# if so, warn and revert
+#
+if [ "${KMS_HOME}" != "${kms_home}" ]; then
+ print "WARN: KMS_HOME resetting to ''${KMS_HOME}'' ignored"
+ export KMS_HOME=${kms_home}
+ print " using KMS_HOME: ${KMS_HOME}"
+fi
+
+if [ "${KMS_CONFIG}" = "" ]; then
+ export KMS_CONFIG=${KMS_HOME}/etc/hadoop
+ print "Setting KMS_CONFIG: ${KMS_CONFIG}"
+else
+ print "Using KMS_CONFIG: ${KMS_CONFIG}"
+fi
+kms_config=${KMS_CONFIG}
+
+# if the configuration dir has a env file, source it
+#
+if [ -e "${KMS_CONFIG}/kms-env.sh" ]; then
+ print "Sourcing: ${KMS_CONFIG}/kms-env.sh"
+ source ${KMS_CONFIG}/kms-env.sh
+ grep "^ *export " ${KMS_CONFIG}/kms-env.sh | sed 's/ *export/ setting/'
+fi
+
+# verify that the sourced env file didn't change KMS_HOME
+# if so, warn and revert
+#
+if [ "${KMS_HOME}" != "${kms_home}" ]; then
+ echo "WARN: KMS_HOME resetting to ''${KMS_HOME}'' ignored"
+ export KMS_HOME=${kms_home}
+fi
+
+# verify that the sourced env file didn't change KMS_CONFIG
+# if so, warn and revert
+#
+if [ "${KMS_CONFIG}" != "${kms_config}" ]; then
+ echo "WARN: KMS_CONFIG resetting to ''${KMS_CONFIG}'' ignored"
+ export KMS_CONFIG=${kms_config}
+fi
+
+if [ "${KMS_LOG}" = "" ]; then
+ export KMS_LOG=${KMS_HOME}/logs
+ print "Setting KMS_LOG: ${KMS_LOG}"
+else
+ print "Using KMS_LOG: ${KMS_LOG}"
+fi
+
+if [ ! -f ${KMS_LOG} ]; then
+ mkdir -p ${KMS_LOG}
+fi
+
+if [ "${KMS_TEMP}" = "" ]; then
+ export KMS_TEMP=${KMS_HOME}/temp
+ print "Setting KMS_TEMP: ${KMS_TEMP}"
+else
+ print "Using KMS_TEMP: ${KMS_TEMP}"
+fi
+
+if [ ! -f ${KMS_TEMP} ]; then
+ mkdir -p ${KMS_TEMP}
+fi
+
+if [ "${KMS_HTTP_PORT}" = "" ]; then
+ export KMS_HTTP_PORT=16000
+ print "Setting KMS_HTTP_PORT: ${KMS_HTTP_PORT}"
+else
+ print "Using KMS_HTTP_PORT: ${KMS_HTTP_PORT}"
+fi
+
+if [ "${KMS_ADMIN_PORT}" = "" ]; then
+ export KMS_ADMIN_PORT=`expr $KMS_HTTP_PORT + 1`
+ print "Setting KMS_ADMIN_PORT: ${KMS_ADMIN_PORT}"
+else
+ print "Using KMS_ADMIN_PORT: ${KMS_ADMIN_PORT}"
+fi
+
+if [ "${KMS_SSL_KEYSTORE_FILE}" = "" ]; then
+ export KMS_SSL_KEYSTORE_FILE=${HOME}/.keystore
+ print "Setting KMS_SSL_KEYSTORE_FILE: ${KMS_SSL_KEYSTORE_FILE}"
+else
+ print "Using KMS_SSL_KEYSTORE_FILE: ${KMS_SSL_KEYSTORE_FILE}"
+fi
+
+if [ "${KMS_SSL_KEYSTORE_PASS}" = "" ]; then
+ export KMS_SSL_KEYSTORE_PASS=password
+ print "Setting KMS_SSL_KEYSTORE_PASS: ${KMS_SSL_KEYSTORE_PASS}"
+else
+ print "Using KMS_SSL_KEYSTORE_PASS: ${KMS_SSL_KEYSTORE_PASS}"
+fi
+
+if [ "${CATALINA_BASE}" = "" ]; then
+ export CATALINA_BASE=${KMS_HOME}/share/hadoop/kms/tomcat
+ print "Setting CATALINA_BASE: ${CATALINA_BASE}"
+else
+ print "Using CATALINA_BASE: ${CATALINA_BASE}"
+fi
+
+if [ "${KMS_CATALINA_HOME}" = "" ]; then
+ export KMS_CATALINA_HOME=${CATALINA_BASE}
+ print "Setting KMS_CATALINA_HOME: ${KMS_CATALINA_HOME}"
+else
+ print "Using KMS_CATALINA_HOME: ${KMS_CATALINA_HOME}"
+fi
+
+if [ "${CATALINA_OUT}" = "" ]; then
+ export CATALINA_OUT=${KMS_LOG}/kms-catalina.out
+ print "Setting CATALINA_OUT: ${CATALINA_OUT}"
+else
+ print "Using CATALINA_OUT: ${CATALINA_OUT}"
+fi
+
+if [ "${CATALINA_PID}" = "" ]; then
+ export CATALINA_PID=/tmp/kms.pid
+ print "Setting CATALINA_PID: ${CATALINA_PID}"
+else
+ print "Using CATALINA_PID: ${CATALINA_PID}"
+fi
+
+print
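Review bot: The keystore password is echoed in clear at `print "Setting KMS_SSL_KEYSTORE_PASS: ${KMS_SSL_KEYSTORE_PASS}"` and the matching `Using` branch, so whenever KMS_SILENT is not true the secret lands in whatever captures stdout (terminal scrollback, a service-manager log); kms.sh repeats the exposure in `print "Adding to CATALINA_OPTS: ${catalina_opts}"`, whose value includes -Dkms.ssl.keystore.pass. Print a fixed marker instead, e.g. `print "Setting KMS_SSL_KEYSTORE_PASS: ********"`, and do the same for the other two prints. The fallback `export KMS_SSL_KEYSTORE_PASS=password` is the stock keytool default and is fine as a development convenience, but the comment above that block should state that it must be overridden in any non-test deployment. Separately, `if [ ! -f ${KMS_LOG} ]` and the equivalent KMS_TEMP check test for a regular file while the intent is a directory; `-d` matches the `mkdir -p` that follows. Variable expansions are unquoted throughout (`${KMS_HOME}/bin/kms-env.sh`, `dirname ${PRG}`), so an installation path containing whitespace breaks the script; quoting them is a cheap hardening.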
Added: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh?rev=1619518&view=auto
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh (added)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh Thu Aug 21 18:58:53 2014
@@ -0,0 +1,60 @@
+#!/bin/bash
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# resolve links - $0 may be a softlink
+PRG="${0}"
+
+while [ -h "${PRG}" ]; do
+ ls=`ls -ld "${PRG}"`
+ link=`expr "$ls" : '.*-> \(.*\)$'`
+ if expr "$link" : '/.*' > /dev/null; then
+ PRG="$link"
+ else
+ PRG=`dirname "${PRG}"`/"$link"
+ fi
+done
+
+BASEDIR=`dirname ${PRG}`
+BASEDIR=`cd ${BASEDIR}/..;pwd`
+
+KMS_SILENT=${KMS_SILENT:-true}
+
+source ${HADOOP_LIBEXEC_DIR:-${BASEDIR}/libexec}/kms-config.sh
+
+# The Java System property 'kms.http.port' it is not used by Kms,
+# it is used in Tomcat's server.xml configuration file
+#
+print "Using CATALINA_OPTS: ${CATALINA_OPTS}"
+
+catalina_opts="-Dkms.home.dir=${KMS_HOME}";
+catalina_opts="${catalina_opts} -Dkms.config.dir=${KMS_CONFIG}";
+catalina_opts="${catalina_opts} -Dkms.log.dir=${KMS_LOG}";
+catalina_opts="${catalina_opts} -Dkms.temp.dir=${KMS_TEMP}";
+catalina_opts="${catalina_opts} -Dkms.admin.port=${KMS_ADMIN_PORT}";
+catalina_opts="${catalina_opts} -Dkms.http.port=${KMS_HTTP_PORT}";
+catalina_opts="${catalina_opts} -Dkms.ssl.keystore.file=${KMS_SSL_KEYSTORE_FILE}";
+catalina_opts="${catalina_opts} -Dkms.ssl.keystore.pass=${KMS_SSL_KEYSTORE_PASS}";
+
+print "Adding to CATALINA_OPTS: ${catalina_opts}"
+
+export CATALINA_OPTS="${CATALINA_OPTS} ${catalina_opts}"
+
+# A bug in catalina.sh script does not use CATALINA_OPTS for stopping the server
+#
+if [ "${1}" = "stop" ]; then
+ export JAVA_OPTS=${CATALINA_OPTS}
+fi
+
+exec ${KMS_CATALINA_HOME}/bin/catalina.sh "$@"
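Review bot: The keystore password is handed to the JVM as a command-line property at `catalina_opts="${catalina_opts} -Dkms.ssl.keystore.pass=${KMS_SSL_KEYSTORE_PASS}";`, which makes it readable by any local user through the process listing for the lifetime of the server. Tomcat resolves the `${kms.ssl.keystore.pass}` placeholder in server.xml from system properties regardless of how they are set, so supplying that one property through a restrictively-permissioned file that catalina.sh's bootstrap loads (catalina.properties under CATALINA_BASE) rather than on the command line would keep it out of argv; at minimum a comment on that line should record the exposure so an operator can decide. The `# A bug in catalina.sh script does not use CATALINA_OPTS for stopping the server` comment names a workaround but not the Tomcat version it applies to; noting it lets the `JAVA_OPTS` override be dropped once the bundled Tomcat is upgraded. The final `exec ${KMS_CATALINA_HOME}/bin/catalina.sh "$@"` leaves the path unquoted while quoting the arguments; `exec "${KMS_CATALINA_HOME}/bin/catalina.sh" "$@"` is consistent.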
Added: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/WEB-INF/web.xml?rev=1619518&view=auto
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/WEB-INF/web.xml (added)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/WEB-INF/web.xml Thu Aug 21 18:58:53 2014
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">
+</web-app>
Added: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/index.html
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/index.html?rev=1619518&view=auto
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/index.html (added)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/index.html Thu Aug 21 18:58:53 2014
@@ -0,0 +1,27 @@
+<!--
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+
+-->
+<html>
+<head>
+ <title>Hadoop KMS</title>
+</head>
+<body>
+<h1>Hadoop KMS</h1>
+<ul>
+ <li>KMS REST API end-point <b>/kms/v1/*</b></li>
+ <li><a href="/kms/jmx">KMS JMX JSON end-point</a></li>
+</ul>
+</body>
+</html>
Added: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/tomcat/logging.properties
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/tomcat/logging.properties?rev=1619518&view=auto
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/tomcat/logging.properties (added)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/tomcat/logging.properties Thu Aug 21 18:58:53 2014
@@ -0,0 +1,67 @@
+#
+# All Rights Reserved.
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+############################################################
+# Handler specific properties.
+# Describes specific configuration info for Handlers.
+############################################################
+
+1catalina.org.apache.juli.FileHandler.level = FINE
+1catalina.org.apache.juli.FileHandler.directory = ${kms.log.dir}
+1catalina.org.apache.juli.FileHandler.prefix = kms-catalina.
+
+2localhost.org.apache.juli.FileHandler.level = FINE
+2localhost.org.apache.juli.FileHandler.directory = ${kms.log.dir}
+2localhost.org.apache.juli.FileHandler.prefix = kms-localhost.
+
+3manager.org.apache.juli.FileHandler.level = FINE
+3manager.org.apache.juli.FileHandler.directory = ${kms.log.dir}
+3manager.org.apache.juli.FileHandler.prefix = kms-manager.
+
+4host-manager.org.apache.juli.FileHandler.level = FINE
+4host-manager.org.apache.juli.FileHandler.directory = ${kms.log.dir}
+4host-manager.org.apache.juli.FileHandler.prefix = kms-host-manager.
+
+java.util.logging.ConsoleHandler.level = FINE
+java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
+
+
+############################################################
+# Facility specific properties.
+# Provides extra control for each logger.
+############################################################
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler
+
+# For example, set the com.xyz.foo logger to only log SEVERE
+# messages:
+#org.apache.catalina.startup.ContextConfig.level = FINE
+#org.apache.catalina.startup.HostConfig.level = FINE
+#org.apache.catalina.session.ManagerBase.level = FINE
+#org.apache.catalina.core.AprLifecycleListener.level=FINE
Added: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/tomcat/server.xml
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/tomcat/server.xml?rev=1619518&view=auto
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/tomcat/server.xml (added)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/tomcat/server.xml Thu Aug 21 18:58:53 2014
@@ -0,0 +1,153 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!--
+
+ All Rights Reserved.
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!-- Note: A "Server" is not itself a "Container", so you may not
+ define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/server.html
+ -->
+<Server port="${kms.admin.port}" shutdown="SHUTDOWN">
+
+ <!--APR library loader. Documentation at /docs/apr.html -->
+ <Listener className="org.apache.catalina.core.AprLifecycleListener"
+ SSLEngine="on"/>
+ <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
+ <Listener className="org.apache.catalina.core.JasperListener"/>
+ <!-- Prevent memory leaks due to use of particular java/javax APIs-->
+ <Listener
+ className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
+ <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
+ <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"/>
+ <Listener
+ className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
+
+ <!-- Global JNDI resources
+ Documentation at /docs/jndi-resources-howto.html
+ -->
+ <GlobalNamingResources>
+ <!-- Editable user database that can also be used by
+ UserDatabaseRealm to authenticate users
+ -->
+ <Resource name="UserDatabase" auth="Container"
+ type="org.apache.catalina.UserDatabase"
+ description="User database that can be updated and saved"
+ factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+ pathname="conf/tomcat-users.xml"/>
+ </GlobalNamingResources>
+
+ <!-- A "Service" is a collection of one or more "Connectors" that share
+ a single "Container" Note: A "Service" is not itself a "Container",
+ so you may not define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/service.html
+ -->
+ <Service name="Catalina">
+
+ <!--The connectors can use a shared executor, you can define one or more named thread pools-->
+ <!--
+ <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
+ maxThreads="150" minSpareThreads="4"/>
+ -->
+
+
+ <!-- A "Connector" represents an endpoint by which requests are received
+ and responses are returned. Documentation at :
+ Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
+ Java AJP Connector: /docs/config/ajp.html
+ APR (HTTP/AJP) Connector: /docs/apr.html
+ Define a non-SSL HTTP/1.1 Connector on port ${kms.http.port}
+ -->
+ <Connector port="${kms.http.port}" protocol="HTTP/1.1"
+ connectionTimeout="20000"
+ redirectPort="8443"/>
+ <!-- A "Connector" using the shared thread pool-->
+ <!--
+ <Connector executor="tomcatThreadPool"
+ port="${kms.http.port}" protocol="HTTP/1.1"
+ connectionTimeout="20000"
+ redirectPort="8443" />
+ -->
+ <!-- Define a SSL HTTP/1.1 Connector on port 8443
+ This connector uses the JSSE configuration, when using APR, the
+ connector should be using the OpenSSL style configuration
+ described in the APR documentation -->
+ <!--
+ <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
+ maxThreads="150" scheme="https" secure="true"
+ clientAuth="false" sslProtocol="TLS" />
+ -->
+
+ <!-- Define an AJP 1.3 Connector on port 8009 -->
+
+
+ <!-- An Engine represents the entry point (within Catalina) that processes
+ every request. The Engine implementation for Tomcat stand alone
+ analyzes the HTTP headers included with the request, and passes them
+ on to the appropriate Host (virtual host).
+ Documentation at /docs/config/engine.html -->
+
+ <!-- You should set jvmRoute to support load-balancing via AJP ie :
+ <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
+ -->
+ <Engine name="Catalina" defaultHost="localhost">
+
+ <!--For clustering, please take a look at documentation at:
+ /docs/cluster-howto.html (simple how to)
+ /docs/config/cluster.html (reference documentation) -->
+ <!--
+ <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
+ -->
+
+ <!-- The request dumper valve dumps useful debugging information about
+ the request and response data received and sent by Tomcat.
+ Documentation at: /docs/config/valve.html -->
+ <!--
+ <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
+ -->
+
+ <!-- This Realm uses the UserDatabase configured in the global JNDI
+ resources under the key "UserDatabase". Any edits
+ that are performed against this UserDatabase are immediately
+ available for use by the Realm. -->
+ <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+ resourceName="UserDatabase"/>
+
+ <!-- Define the default virtual host
+ Note: XML Schema validation will not work with Xerces 2.2.
+ -->
+ <Host name="localhost" appBase="webapps"
+ unpackWARs="true" autoDeploy="true"
+ xmlValidation="false" xmlNamespaceAware="false">
+
+ <!-- SingleSignOn valve, share authentication between web applications
+ Documentation at: /docs/config/valve.html -->
+ <!--
+ <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+ -->
+
+ <!-- Access log processes all example.
+ Documentation at: /docs/config/valve.html -->
+ <!--
+ <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+ prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
+ -->
+
+ </Host>
+ </Engine>
+ </Service>
+</Server>
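Review bot: The shutdown listener at `<Server port="${kms.admin.port}" shutdown="SHUTDOWN">` keeps Tomcat's well-known default shutdown command, so anything able to connect to the admin port can stop the KMS, and that port is predictable because kms-config.sh derives it as KMS_HTTP_PORT + 1. Either set a non-default shutdown string or pin the listener to the loopback interface with an explicit `address` attribute, and record in the comment which protection is relied on. The GlobalNamingResources block and the `UserDatabaseRealm` pointing at conf/tomcat-users.xml appear to be carried over from the stock template; nothing visible in this web app uses container-managed authentication (web.xml is empty), so dropping them removes a credential store that is either unused or, if the shipped tomcat-users.xml carries default entries, an unneeded one. The same template text is repeated in ssl-server.xml, whose hunk runs past the end of this view.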
Added: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml?rev=1619518&view=auto
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml (added)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml Thu Aug 21 18:58:53 2014
@@ -0,0 +1,135 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!--
+
+ All Rights Reserved.
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!-- Note: A "Server" is not itself a "Container", so you may not
+ define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/server.html
+ -->
+<Server port="${kms.admin.port}" shutdown="SHUTDOWN">
+
+ <!--APR library loader. Documentation at /docs/apr.html -->
+ <Listener className="org.apache.catalina.core.AprLifecycleListener"
+ SSLEngine="on"/>
+ <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
+ <Listener className="org.apache.catalina.core.JasperListener"/>
+ <!-- Prevent memory leaks due to use of particular java/javax APIs-->
+ <Listener
+ className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
+ <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
+ <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"/>
+ <Listener
+ className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
+
+ <!-- Global JNDI resources
+ Documentation at /docs/jndi-resources-howto.html
+ -->
+ <GlobalNamingResources>
+ <!-- Editable user database that can also be used by
+ UserDatabaseRealm to authenticate users
+ -->
+ <Resource name="UserDatabase" auth="Container"
+ type="org.apache.catalina.UserDatabase"
+ description="User database that can be updated and saved"
+ factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+ pathname="conf/tomcat-users.xml"/>
+ </GlobalNamingResources>
+
+ <!-- A "Service" is a collection of one or more "Connectors" that share
+ a single "Container" Note: A "Service" is not itself a "Container",
+ so you may not define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/service.html
+ -->
+ <Service name="Catalina">
+
+ <!--The connectors can use a shared executor, you can define one or more named thread pools-->
+ <!--
+ <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
+ maxThreads="150" minSpareThreads="4"/>
+ -->
+
+ <!-- Define a SSL HTTP/1.1 Connector on port 8443
+ This connector uses the JSSE configuration, when using APR, the
+ connector should be using the OpenSSL style configuration
+ described in the APR documentation -->
+ <Connector port="${kms.http.port}" protocol="HTTP/1.1" SSLEnabled="true"
+ maxThreads="150" scheme="https" secure="true"
+ clientAuth="false" sslProtocol="TLS"
+ keystoreFile="${kms.ssl.keystore.file}"
+ keystorePass="${kms.ssl.keystore.pass}"/>
+
+ <!-- Define an AJP 1.3 Connector on port 8009 -->
+
+
+ <!-- An Engine represents the entry point (within Catalina) that processes
+ every request. The Engine implementation for Tomcat stand alone
+ analyzes the HTTP headers included with the request, and passes them
+ on to the appropriate Host (virtual host).
+ Documentation at /docs/config/engine.html -->
+
+ <!-- You should set jvmRoute to support load-balancing via AJP ie :
+ <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
+ -->
+ <Engine name="Catalina" defaultHost="localhost">
+
+ <!--For clustering, please take a look at documentation at:
+ /docs/cluster-howto.html (simple how to)
+ /docs/config/cluster.html (reference documentation) -->
+ <!--
+ <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
+ -->
+
+ <!-- The request dumper valve dumps useful debugging information about
+ the request and response data received and sent by Tomcat.
+ Documentation at: /docs/config/valve.html -->
+ <!--
+ <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
+ -->
+
+ <!-- This Realm uses the UserDatabase configured in the global JNDI
+ resources under the key "UserDatabase". Any edits
+ that are performed against this UserDatabase are immediately
+ available for use by the Realm. -->
+ <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+ resourceName="UserDatabase"/>
+
+ <!-- Define the default virtual host
+ Note: XML Schema validation will not work with Xerces 2.2.
+ -->
+ <Host name="localhost" appBase="webapps"
+ unpackWARs="true" autoDeploy="true"
+ xmlValidation="false" xmlNamespaceAware="false">
+
+ <!-- SingleSignOn valve, share authentication between web applications
+ Documentation at: /docs/config/valve.html -->
+ <!--
+ <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+ -->
+
+ <!-- Access log processes all example.
+ Documentation at: /docs/config/valve.html -->
+ <!--
+ <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+ prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
+ -->
+
+ </Host>
+ </Engine>
+ </Service>
+</Server>
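Review bot: The HTTPS connector at `<Connector port="${kms.http.port}" ... sslProtocol="TLS"` pins only the SSLContext algorithm, not the protocol versions or cipher suites that may be negotiated, so a server whose whole purpose is handing out key material runs on the JVM's defaults (which, for the Java releases in use when this was written, may still include SSLv3 and weak suites); add the JSSE connector attributes `sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"` and an explicit `ciphers="..."` allow-list. The keystore password arrives as the `${kms.ssl.keystore.pass}` system property, presumably via `-D` from `KMS_SSL_KEYSTORE_PASS`, which makes it readable by anything that can see the JVM's command line or dump its system properties, so that exposure should be called out in a comment next to `keystorePass` and kept out of logs. With `AprLifecycleListener SSLEngine="on"` and the generic `protocol="HTTP/1.1"`, Tomcat will choose the APR connector whenever the native library is present and then ignore `keystoreFile`/`keystorePass` (the comment above the connector says as much); pinning `protocol="org.apache.coyote.http11.Http11Protocol"` keeps the JSSE attributes authoritative regardless of what is installed on the host.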
Added: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/webapp/WEB-INF/web.xml?rev=1619518&view=auto
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/webapp/WEB-INF/web.xml (added)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/main/webapp/WEB-INF/web.xml Thu Aug 21 18:58:53 2014
@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">
+
+ <listener>
+ <listener-class>org.apache.hadoop.crypto.key.kms.server.KMSWebApp</listener-class>
+ </listener>
+
+ <servlet>
+ <servlet-name>webservices-driver</servlet-name>
+ <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
+ <init-param>
+ <param-name>com.sun.jersey.config.property.packages</param-name>
+ <param-value>org.apache.hadoop.crypto.key.kms.server</param-value>
+ </init-param>
+
+ <!-- Enables detailed Jersey request/response logging -->
+ <!--
+ <init-param>
+ <param-name>com.sun.jersey.spi.container.ContainerRequestFilters</param-name>
+ <param-value>com.sun.jersey.api.container.filter.LoggingFilter</param-value>
+ </init-param>
+ <init-param>
+ <param-name>com.sun.jersey.spi.container.ContainerResponseFilters</param-name>
+ <param-value>com.sun.jersey.api.container.filter.LoggingFilter</param-value>
+ </init-param>
+ -->
+ <load-on-startup>1</load-on-startup>
+ </servlet>
+
+ <servlet>
+ <servlet-name>jmx-servlet</servlet-name>
+ <servlet-class>org.apache.hadoop.jmx.JMXJsonServlet</servlet-class>
+ </servlet>
+
+ <servlet-mapping>
+ <servlet-name>webservices-driver</servlet-name>
+ <url-pattern>/*</url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
+ <servlet-name>jmx-servlet</servlet-name>
+ <url-pattern>/jmx</url-pattern>
+ </servlet-mapping>
+
+ <filter>
+ <filter-name>authFilter</filter-name>
+ <filter-class>org.apache.hadoop.crypto.key.kms.server.KMSAuthenticationFilter</filter-class>
+ </filter>
+
+ <filter>
+ <filter-name>MDCFilter</filter-name>
+ <filter-class>org.apache.hadoop.crypto.key.kms.server.KMSMDCFilter</filter-class>
+ </filter>
+
+ <filter-mapping>
+ <filter-name>authFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
+ <filter-name>MDCFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
+</web-app>
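Review bot: The `jmx-servlet` mapping at `<url-pattern>/jmx</url-pattern>` exposes the KMS JVM's MBeans to any principal that clears `authFilter` (mapped to `/*`), and nothing in this descriptor applies the KMS ACLs to it; since the `java.lang:type=Runtime` MBean carries the system properties, a dump would presumably include the `kms.ssl.keystore.pass` value the ssl-server.xml connector reads, unless JMXJsonServlet filters that attribute — confirm. Either drop the `/jmx` mapping or gate it with the same authorization the key endpoints get, and at minimum add a comment above it stating that `/jmx` is authenticated but not authorized. Separately, the descriptor has no `<security-constraint>` with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>`, so transport protection rests entirely on an operator swapping in ssl-server.xml; a constraint here would stop an accidental plain-HTTP deployment from serving key material in the clear.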
Added: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm?rev=1619518&view=auto
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm (added)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm Thu Aug 21 18:58:53 2014
@@ -0,0 +1,487 @@
+~~ Licensed under the Apache License, Version 2.0 (the "License");
+~~ you may not use this file except in compliance with the License.
+~~ You may obtain a copy of the License at
+~~
+~~ http://www.apache.org/licenses/LICENSE-2.0
+~~
+~~ Unless required by applicable law or agreed to in writing, software
+~~ distributed under the License is distributed on an "AS IS" BASIS,
+~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+~~ See the License for the specific language governing permissions and
+~~ limitations under the License.
+
+ ---
+ Hadoop KMS - Documentation Sets ${project.version}
+ ---
+ ---
+ ${maven.build.timestamp}
+
+Hadoop Key Management Server (KMS) - Documentation Sets ${project.version}
+
+ Hadoop KMS is a cryptographic key management server based on Hadoop's
+ <<KeyProvider>> API.
+
+ It provides a client and a server components which communicate over
+ HTTP using a REST API.
+
+ The client is a KeyProvider implementation interacts with the KMS
+ using the KMS HTTP REST API.
+
+ KMS and its client have built-in security and they support HTTP SPNEGO
+ Kerberos authentication and HTTPS secure transport.
+
+ KMS is a Java web-application and it runs using a pre-configured Tomcat
+ bundled with the Hadoop distribution.
+
+* KMS Client Configuration
+
+ The KMS client <<<KeyProvider>>> uses the <<kms>> scheme, and the embedded
+ URL must be the URL of the KMS. For example, for a KMS running
+ on <<<http://localhost:16000/kms>>>, the KeyProvider URI is
+ <<<kms://http@localhost:16000/kms>>>. And, for a KMS running on
+ <<<https://localhost:16000/kms>>>, the KeyProvider URI is
+ <<<kms://https@localhost:16000/kms>>>
+
+* KMS
+
+** KMS Configuration
+
+ Configure the KMS backing KeyProvider properties
+ in the <<<etc/hadoop/kms-site.xml>>> configuration file:
+
++---+
+ <property>
+ <name>hadoop.security.key.provider.path</name>
+ <value>jceks://file@/${user.home}/kms.keystore</value>
+ </property>
+
+ <property>
+ <name>hadoop.security.keystore.java-keystore-provider.password-file</name>
+ <value>kms.keystore.password</value>
+ </property>
++---+
+
+ The password file is looked up in the Hadoop's configuration directory via the
+ classpath.
+
+ NOTE: You need to restart the KMS for the configuration changes to take
+ effect.
+
+** KMS Cache
+
+ KMS caches keys for short period of time to avoid excessive hits to the
+ underlying key provider.
+
+ The cache is used with the following 2 methods only, <<<getCurrentKey()>>>
+ and <<<getKeyVersion()>>>.
+
+ For the <<<getCurrentKey()>>> method, cached entries are kept for a maximum
+ of 1000 millisecond regardless the number of times the key is being access
+ (to avoid stale keys to be considered current).
+
+ For the <<<getKeyVersion()>>> method, cached entries are kept with a default
+ inactivity timeout of 10000 milliseconds. This time out is configurable via
+ the following property in the <<<etc/hadoop/kms-site.xml>>> configuration
+ file:
+
++---+
+ <property>
+ <name>hadoop.kms.cache.timeout.ms</name>
+ <value>10000</value>
+ </property>
++---+
+
+** Start/Stop the KMS
+
+ To start/stop KMS use KMS's bin/kms.sh script. For example:
+
++---+
+hadoop-${project.version} $ sbin/kms.sh start
++---+
+
+ NOTE: Invoking the script without any parameters list all possible
+ parameters (start, stop, run, etc.). The <<<kms.sh>>> script is a wrapper
+ for Tomcat's <<<catalina.sh>>> script that sets the environment variables
+ and Java System properties required to run KMS.
+
+** Embedded Tomcat Configuration
+
+ To configure the embedded Tomcat go to the <<<share/hadoop/kms/tomcat/conf>>>.
+
+ KMS pre-configures the HTTP and Admin ports in Tomcat's <<<server.xml>>> to
+ 16000 and 16001.
+
+ Tomcat logs are also preconfigured to go to Hadoop's <<<logs/>>> directory.
+
+ The following environment variables (which can be set in KMS's
+ <<<etc/hadoop/kms-env.sh>>> script) can be used to alter those values:
+
+ * KMS_HTTP_PORT
+
+ * KMS_ADMIN_PORT
+
+ * KMS_LOG
+
+ NOTE: You need to restart the KMS for the configuration changes to take
+ effect.
+
+** KMS Security Configuration
+
+*** Enabling Kerberos HTTP SPNEGO Authentication
+
+ Configure the Kerberos <<<etc/krb5.conf>>> file with the information of your
+ KDC server.
+
+ Create a service principal and its keytab for the KMS, it must be an
+ <<<HTTP>>> service principal.
+
+ Configure KMS <<<etc/hadoop/kms-site.xml>>> with the correct security values,
+ for example:
+
++---+
+ <property>
+ <name>hadoop.kms.authentication.type</name>
+ <value>kerberos</value>
+ </property>
+
+ <property>
+ <name>hadoop.kms.authentication.kerberos.keytab</name>
+ <value>${user.home}/kms.keytab</value>
+ </property>
+
+ <property>
+ <name>hadoop.kms.authentication.kerberos.principal</name>
+ <value>HTTP/localhost</value>
+ </property>
+
+ <property>
+ <name>hadoop.kms.authentication.kerberos.name.rules</name>
+ <value>DEFAULT</value>
+ </property>
++---+
+
+ NOTE: You need to restart the KMS for the configuration changes to take
+ effect.
+
+*** KMS over HTTPS (SSL)
+
+ To configure KMS to work over HTTPS the following 2 properties must be
+ set in the <<<etc/hadoop/kms_env.sh>>> script (shown with default values):
+
+ * KMS_SSL_KEYSTORE_FILE=${HOME}/.keystore
+
+ * KMS_SSL_KEYSTORE_PASS=password
+
+ In the KMS <<<tomcat/conf>>> directory, replace the <<<server.xml>>> file
+ with the provided <<<ssl-server.xml>>> file.
+
+ You need to create an SSL certificate for the KMS. As the
+ <<<kms>>> Unix user, using the Java <<<keytool>>> command to create the
+ SSL certificate:
+
++---+
+$ keytool -genkey -alias tomcat -keyalg RSA
++---+
+
+ You will be asked a series of questions in an interactive prompt. It will
+ create the keystore file, which will be named <<.keystore>> and located in the
+ <<<kms>>> user home directory.
+
+ The password you enter for "keystore password" must match the value of the
+ <<<KMS_SSL_KEYSTORE_PASS>>> environment variable set in the
+ <<<kms-env.sh>>> script in the configuration directory.
+
+ The answer to "What is your first and last name?" (i.e. "CN") must be the
+ hostname of the machine where the KMS will be running.
+
+ NOTE: You need to restart the KMS for the configuration changes to take
+ effect.
+
+*** KMS Access Control
+
+ KMS ACLs configuration are defined in the KMS <<<etc/hadoop/kms-acls.xml>>>
+ configuration file. This file is hot-reloaded when it changes.
+
+ KMS supports a fine grained access control via a set ACL
+ configuration properties:
+
++---+
+ <property>
+ <name>hadoop.kms.acl.CREATE</name>
+ <value>*</value>
+ <description>
+ ACL for create-key operations.
+ If the user does is not in the GET ACL, the key material is not returned
+ as part of the response.
+ </description>
+ </property>
+
+ <property>
+ <name>hadoop.kms.acl.DELETE</name>
+ <value>*</value>
+ <description>
+ ACL for delete-key operations.
+ </description>
+ </property>
+
+ <property>
+ <name>hadoop.kms.acl.ROLLOVER</name>
+ <value>*</value>
+ <description>
+ ACL for rollover-key operations.
+ If the user does is not in the GET ACL, the key material is not returned
+ as part of the response.
+ </description>
+ </property>
+
+ <property>
+ <name>hadoop.kms.acl.GET</name>
+ <value>*</value>
+ <description>
+ ACL for get-key-version and get-current-key operations.
+ </description>
+ </property>
+
+ <property>
+ <name>hadoop.kms.acl.GET_KEYS</name>
+ <value>*</value>
+ <description>
+ ACL for get-keys operation.
+ </description>
+ </property>
+
+ <property>
+ <name>hadoop.kms.acl.GET_METADATA</name>
+ <value>*</value>
+ <description>
+ ACL for get-key-metadata and get-keys-metadata operations.
+ </description>
+ </property>
+
+ <property>
+ <name>hadoop.kms.acl.SET_KEY_MATERIAL</name>
+ <value>*</value>
+ <description>
+ Complimentary ACL for CREATE and ROLLOVER operation to allow the client
+ to provide the key material when creating or rolling a key.
+ </description>
+ </property>
++---+
+
+** KMS HTTP REST API
+
+*** Create a Key
+
+ <REQUEST:>
+
++---+
+POST http://HOST:PORT/kms/v1/keys
+Content-Type: application/json
+
+{
+ "name" : "<key-name>",
+ "cipher" : "<cipher>",
+ "length" : <length>, //int
+ "material" : "<material>", //base64
+ "description" : "<description>"
+}
++---+
+
+ <RESPONSE:>
+
++---+
+201 CREATED
+LOCATION: http://HOST:PORT/kms/v1/key/<key-name>
+Content-Type: application/json
+
+{
+ "name" : "versionName",
+ "material" : "<material>", //base64, not present without GET ACL
+}
++---+
+
+*** Rollover Key
+
+ <REQUEST:>
+
++---+
+POST http://HOST:PORT/kms/v1/key/<key-name>
+Content-Type: application/json
+
+{
+ "material" : "<material>",
+}
++---+
+
+ <RESPONSE:>
+
++---+
+200 OK
+Content-Type: application/json
+
+{
+ "name" : "versionName",
+ "material" : "<material>", //base64, not present without GET ACL
+}
++---+
+
+*** Delete Key
+
+ <REQUEST:>
+
++---+
+DELETE http://HOST:PORT/kms/v1/key/<key-name>
++---+
+
+ <RESPONSE:>
+
++---+
+200 OK
++---+
+
+*** Get Key Metadata
+
+ <REQUEST:>
+
++---+
+GET http://HOST:PORT/kms/v1/key/<key-name>/_metadata
++---+
+
+ <RESPONSE:>
+
++---+
+200 OK
+Content-Type: application/json
+
+{
+ "name" : "<key-name>",
+ "cipher" : "<cipher>",
+ "length" : <length>, //int
+ "description" : "<description>",
+ "created" : <millis-epoc>, //long
+ "versions" : <versions> //int
+}
++---+
+
+*** Get Current Key
+
+ <REQUEST:>
+
++---+
+GET http://HOST:PORT/kms/v1/key/<key-name>/_currentversion
++---+
+
+ <RESPONSE:>
+
++---+
+200 OK
+Content-Type: application/json
+
+{
+ "name" : "versionName",
+ "material" : "<material>", //base64
+}
++---+
+
+*** Get Key Version
+
+ <REQUEST:>
+
++---+
+GET http://HOST:PORT/kms/v1/keyversion/<version-name>
++---+
+
+ <RESPONSE:>
+
++---+
+200 OK
+Content-Type: application/json
+
+{
+ "name" : "versionName",
+ "material" : "<material>", //base64
+}
++---+
+
+*** Get Key Versions
+
+ <REQUEST:>
+
++---+
+GET http://HOST:PORT/kms/v1/key/<key-name>/_versions
++---+
+
+ <RESPONSE:>
+
++---+
+200 OK
+Content-Type: application/json
+
+[
+ {
+ "name" : "versionName",
+ "material" : "<material>", //base64
+ },
+ {
+ "name" : "versionName",
+ "material" : "<material>", //base64
+ },
+ ...
+]
++---+
+
+*** Get Key Names
+
+ <REQUEST:>
+
++---+
+GET http://HOST:PORT/kms/v1/keys/names
++---+
+
+ <RESPONSE:>
+
++---+
+200 OK
+Content-Type: application/json
+
+[
+ "<key-name>",
+ "<key-name>",
+ ...
+]
++---+
+
+*** Get Keys Metadata
+
++---+
+GET http://HOST:PORT/kms/v1/keys/metadata?key=<key-name>&key=<key-name>,...
++---+
+
+ <RESPONSE:>
+
++---+
+200 OK
+Content-Type: application/json
+
+[
+ {
+ "name" : "<key-name>",
+ "cipher" : "<cipher>",
+ "length" : <length>, //int
+ "description" : "<description>",
+ "created" : <millis-epoc>, //long
+ "versions" : <versions> //int
+ },
+ {
+ "name" : "<key-name>",
+ "cipher" : "<cipher>",
+ "length" : <length>, //int
+ "description" : "<description>",
+ "created" : <millis-epoc>, //long
+ "versions" : <versions> //int
+ },
+ ...
+]
++---+
+
+ \[ {{{./index.html}Go Back}} \]
Added: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/site/resources/css/site.css
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/site/resources/css/site.css?rev=1619518&view=auto
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/site/resources/css/site.css (added)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/site/resources/css/site.css Thu Aug 21 18:58:53 2014
@@ -0,0 +1,29 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one or more
+* contributor license agreements. See the NOTICE file distributed with
+* this work for additional information regarding copyright ownership.
+* The ASF licenses this file to You under the Apache License, Version 2.0
+* (the "License"); you may not use this file except in compliance with
+* the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+#banner {
+ height: 93px;
+ background: none;
+}
+
+#bannerLeft img {
+ margin-left: 30px;
+ margin-top: 10px;
+}
+
+#bannerRight img {
+ margin: 17px;
+}
Added: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/site/site.xml
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/site/site.xml?rev=1619518&view=auto
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/site/site.xml (added)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-kms/src/site/site.xml Thu Aug 21 18:58:53 2014
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project name="Hadoop KMS">
+
+ <skin>
+ <groupId>org.apache.maven.skins</groupId>
+ <artifactId>maven-stylus-skin</artifactId>
+ <version>1.2</version>
+ </skin>
+
+ <body>
+ <links>
+ <item name="Apache Hadoop" href="http://hadoop.apache.org/"/>
+ </links>
+ </body>
+
+</project>