Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2020/04/27 04:07:32 UTC

[GitHub] [hadoop-ozone] avijayanhwx commented on pull request #871: HDDS-3487. Ozone start fails with NullPointerException in TLS enabled cluster

avijayanhwx commented on pull request #871:
URL: https://github.com/apache/hadoop-ozone/pull/871#issuecomment-619702307


   > I tested it with a TLS enabled cluster and it worked well:
   > 
   > ssl-conf:
   > 
   > ```
   > <configuration>
   > <property><name>ssl.server.keystore.location</name><value>/etc/keystore/keystore</value></property>
   > <property><name>ssl.server.exclude.cipher.list</name><value>^.*MD5.*$,^TLS_DH_.*$,^.*RC4.*$,^.*CCM.*$,^TLS_DHE.*$,^.*SHA$,^TLS_RSA_WITH.*$</value></property>
   > <property><name>ssl.server.keystore.password</name><value>Welcome1</value></property>
   > <property><name>ssl.server.keystore.keypassword</name><value>Welcome1</value></property>
   > <property><name>ssl.server.truststore.location</name><value>/etc/keystore/keystore</value></property>
   > <property><name>ssl.server.truststore.password</name><value>Welcome1</value></property>
   > </configuration>
   > ```
   > 
   > OM/SCM can be started without any problem. Based on the code I think it's a problem with the missing support of `CredentialProviders`. If you use localjceks, I would suggest to add this information to the NPE:
   > 
   > ConfigurationSource.java:
   > 
   > ```
   >   default char[] getPassword(String key) throws IOException {
   >     String value = get(key);
   >     if (value == null) {
   >       throw new NullPointerException(
   >           "Password entry is missing for key " + key
   >               + ".Note: generic ConfigurationSource interface doesn't support"
   >               + " Hadoop CredentialProvider implementations");
   >     }
   >     return value.toCharArray();
   >   }
   > ```
   
   @elek In the cluster that I tried out, the 'ssl.server.truststore.password' config key is not defined. Instead, getPassword relies on the Hadoop credential provider to get the truststore password.
   
   Before this change, we relied on the Configuration#getPassword method while starting up the HTTP server, whose implementation looks like this:
   
   ```java
   public char[] getPassword(String name) throws IOException {
     char[] pass = null;

     // Consult the configured Hadoop credential providers first.
     pass = getPasswordFromCredentialProviders(name);

     // Fall back to the plain value in the configuration.
     if (pass == null) {
       pass = getPasswordFromConfig(name);
     }

     return pass;
   }
   ```
   
   After this change, the code logic becomes:
   
   ```java
   default char[] getPassword(String key) throws IOException {
     // Plain configuration only; get(key) returns null if the key is absent.
     return get(key).toCharArray();
   }
   ```
   
   Hence, we have skipped the logic of checking the credential provider.
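   The two lookup orders compared in this thread, as an added stand-alone example that is not Ozone or Hadoop code: `CredentialProvider`, `InMemoryProvider` and `Config` are stand-ins for the Hadoop classes, and the secret value is constructed. The provider-first method mirrors the order of the quoted `Configuration#getPassword`; the config-only method mirrors the default `ConfigurationSource#getPassword` and shows the NullPointerException a cluster hits when the truststore password lives only in a credential provider.

   ```java
   import java.io.IOException;
   import java.util.ArrayList;
   import java.util.HashMap;
   import java.util.List;
   import java.util.Map;
   import java.util.Optional;

   /**
    * Added example (not Ozone or Hadoop code): models the two password lookup
    * orders discussed in the thread. The provider and config types below are
    * stand-ins; the real Hadoop classes are not used.
    */
   public class PasswordLookupDemo {

       /** Stand-in for a Hadoop credential provider such as a localjceks keystore. */
       interface CredentialProvider {
           Optional<char[]> getCredential(String alias);
       }

       /** In-memory provider holding constructed sample secrets. */
       static final class InMemoryProvider implements CredentialProvider {
           private final Map<String, char[]> entries = new HashMap<>();

           InMemoryProvider put(String alias, String secret) {
               entries.put(alias, secret.toCharArray());
               return this;
           }

           @Override
           public Optional<char[]> getCredential(String alias) {
               char[] value = entries.get(alias);
               return value == null ? Optional.empty() : Optional.of(value.clone());
           }
       }

       /** Stand-in for Configuration / ConfigurationSource: plain properties plus a provider chain. */
       static final class Config {
           private final Map<String, String> props = new HashMap<>();
           private final List<CredentialProvider> providers = new ArrayList<>();

           void set(String key, String value) { props.put(key, value); }
           void addProvider(CredentialProvider p) { providers.add(p); }
           String get(String key) { return props.get(key); }
           List<CredentialProvider> providers() { return providers; }
       }

       /** "Before": providers are consulted first, then the plain config value. */
       static char[] getPasswordWithProviders(Config conf, String key) throws IOException {
           for (CredentialProvider p : conf.providers()) {
               Optional<char[]> secret = p.getCredential(key);
               if (secret.isPresent()) {
                   return secret.get();
               }
           }
           String value = conf.get(key);
           return value == null ? null : value.toCharArray();
       }

       /** "After": plain config only; throws NullPointerException if the key is absent. */
       static char[] getPasswordConfigOnly(Config conf, String key) {
           return conf.get(key).toCharArray();
       }

       public static void main(String[] args) throws IOException {
           String key = "ssl.server.truststore.password";

           // Constructed setup mirroring the failing cluster: the truststore
           // password exists only in the credential provider, not in the config.
           Config conf = new Config();
           conf.set("ssl.server.truststore.location", "/etc/keystore/keystore");
           conf.addProvider(new InMemoryProvider().put(key, "constructed-sample-secret"));

           char[] before = getPasswordWithProviders(conf, key);
           System.out.println("provider-first lookup: "
               + (before == null ? "null" : "found, " + before.length + " chars"));

           try {
               getPasswordConfigOnly(conf, key);
               System.out.println("config-only lookup: found");
           } catch (NullPointerException e) {
               // The startup failure discussed in the PR: the key is only in the provider.
               System.out.println("config-only lookup: NullPointerException, "
                   + key + " is not in the plain config");
           }
       }
   }
   ```

   Run with `javac PasswordLookupDemo.java && java PasswordLookupDemo`. In a real Hadoop deployment the provider chain comes from `hadoop.security.credential.provider.path` (for example a `localjceks://file/...` keystore), which is what lets operators keep passwords such as the `Welcome1` values in the quoted ssl-conf out of plaintext configuration files; any replacement for `Configuration#getPassword` therefore has to preserve the provider lookup, not only the config fallback.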


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: ozone-issues-help@hadoop.apache.org