Posted to common-commits@hadoop.apache.org by xy...@apache.org on 2019/08/28 00:40:16 UTC

[hadoop] branch ozone-0.4.1 updated (ab7605b -> 577e033)

This is an automated email from the ASF dual-hosted git repository.

xyao pushed a change to branch ozone-0.4.1
in repository https://gitbox.apache.org/repos/asf/hadoop.git.


    from ab7605b  HDDS-2029. Fix license issues on ozone-0.4.1. (#1346)
     add 708f031  HDDS-1927. Consolidate add/remove Acl into OzoneAclUtil class. Contributed by Xiaoyu Yao.
     new 577e033  HDDS-1946. CertificateClient should not persist keys/certs to ozone.m… (#1311)

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../apache/hadoop/hdds/scm/XceiverClientGrpc.java  |   7 +-
 .../hadoop/hdds/security/x509/SecurityConfig.java  | 102 +++++---
 .../certificate/client/DNCertificateClient.java    |   8 +-
 .../client/DefaultCertificateClient.java           |  21 +-
 .../certificate/client/OMCertificateClient.java    |   6 +-
 .../x509/certificate/utils/CertificateCodec.java   |  25 +-
 .../hadoop/hdds/security/x509/keys/KeyCodec.java   |  26 +-
 .../client/TestCertificateClientInit.java          |  63 +++--
 .../client/TestDefaultCertificateClient.java       | 105 +++++---
 .../certificate/utils/TestCertificateCodec.java    |  10 +-
 .../hdds/security/x509/keys/TestKeyCodec.java      |  18 +-
 .../common/transport/server/XceiverServerGrpc.java |   8 +-
 .../hadoop/ozone/TestHddsSecureDatanodeInit.java   |  17 +-
 .../apache/hadoop/ozone/client/rpc/RpcClient.java  |   5 +-
 .../java/org/apache/hadoop/ozone/OzoneAcl.java     |   5 +
 .../hadoop/ozone/om/helpers/OmBucketInfo.java      |  36 ++-
 .../apache/hadoop/ozone/om/helpers/OmKeyInfo.java  |  69 +++--
 .../hadoop/ozone/om/helpers/OmOzoneAclMap.java     |   7 +-
 .../hadoop/ozone/om/helpers/OmPrefixInfo.java      |  30 ++-
 .../hadoop/ozone/om/helpers/OzoneAclUtil.java      | 286 +++++++++++++++++++++
 .../apache/hadoop/ozone/web/utils/OzoneUtils.java  | 158 ------------
 .../hadoop/ozone/om/helpers/TestOzoneAclUtil.java  | 191 ++++++++++++++
 .../hadoop/ozone/TestSecureOzoneCluster.java       |   4 +-
 .../client/rpc/TestOzoneRpcClientAbstract.java     |  15 +-
 .../apache/hadoop/ozone/om/TestKeyManagerImpl.java |   7 +-
 .../apache/hadoop/ozone/om/TestOzoneManager.java   |   3 +-
 .../hadoop/ozone/om/TestSecureOzoneManager.java    |  14 +-
 .../security/acl/TestOzoneNativeAuthorizer.java    |   4 +-
 .../web/storage/DistributedStorageHandler.java     |   3 +-
 .../apache/hadoop/ozone/om/BucketManagerImpl.java  |  91 +------
 .../org/apache/hadoop/ozone/om/KeyManagerImpl.java | 204 ++++-----------
 .../apache/hadoop/ozone/om/PrefixManagerImpl.java  | 245 +++++++++---------
 .../om/request/file/OMDirectoryCreateRequest.java  |   5 +-
 .../hadoop/ozone/om/request/key/OMKeyRequest.java  |  13 +-
 .../S3InitiateMultipartUploadRequest.java          |   3 +-
 .../protocolPB/OzoneManagerRequestHandler.java     |   5 +-
 36 files changed, 1045 insertions(+), 774 deletions(-)
 create mode 100644 hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OzoneAclUtil.java
 create mode 100644 hadoop-ozone/common/src/test/java/org/apache/hadoop/ozone/om/helpers/TestOzoneAclUtil.java




[hadoop] 01/01: HDDS-1946. CertificateClient should not persist keys/certs to ozone.m… (#1311)

Posted by xy...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

xyao pushed a commit to branch ozone-0.4.1
in repository https://gitbox.apache.org/repos/asf/hadoop.git

commit 577e033f84c62490dad631dad13ca17d14c58c9f
Author: Vivek Ratnavel Subramanian <vi...@gmail.com>
AuthorDate: Tue Aug 27 17:29:27 2019 -0700

    HDDS-1946. CertificateClient should not persist keys/certs to ozone.m… (#1311)
    
    
    (cherry picked from commit b1eee8b52eecf45827abbe8fe16ab48eade46cc8)
---
 .../apache/hadoop/hdds/scm/XceiverClientGrpc.java  |   7 +-
 .../hadoop/hdds/security/x509/SecurityConfig.java  | 102 +++++++++++++-------
 .../certificate/client/DNCertificateClient.java    |   8 +-
 .../client/DefaultCertificateClient.java           |  21 +++--
 .../certificate/client/OMCertificateClient.java    |   6 +-
 .../x509/certificate/utils/CertificateCodec.java   |  25 +----
 .../hadoop/hdds/security/x509/keys/KeyCodec.java   |  26 +----
 .../client/TestCertificateClientInit.java          |  63 ++++++++-----
 .../client/TestDefaultCertificateClient.java       | 105 ++++++++++++---------
 .../certificate/utils/TestCertificateCodec.java    |  10 +-
 .../hdds/security/x509/keys/TestKeyCodec.java      |  18 ++--
 .../common/transport/server/XceiverServerGrpc.java |   8 +-
 .../hadoop/ozone/TestHddsSecureDatanodeInit.java   |  17 ++--
 .../hadoop/ozone/TestSecureOzoneCluster.java       |   4 +-
 .../hadoop/ozone/om/TestSecureOzoneManager.java    |  14 +--
 15 files changed, 241 insertions(+), 193 deletions(-)

diff --git a/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientGrpc.java b/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientGrpc.java
index 9f99ab5..5d70364 100644
--- a/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientGrpc.java
+++ b/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientGrpc.java
@@ -70,6 +70,7 @@ import java.util.concurrent.TimeoutException;
  */
 public class XceiverClientGrpc extends XceiverClientSpi {
   static final Logger LOG = LoggerFactory.getLogger(XceiverClientGrpc.class);
+  private static final String COMPONENT = "dn";
   private final Pipeline pipeline;
   private final Configuration config;
   private Map<UUID, XceiverClientProtocolServiceStub> asyncStubs;
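Review bot: The added `COMPONENT = "dn"` repeats the literal that this commit also introduces as `DNCertificateClient.COMPONENT_NAME`, so the two can drift apart without a compile error. If they did, the TLS setup in the next hunk would resolve the trust store, client private key and certificate chain under a directory the certificate client never writes to. Consider `private static final String COMPONENT = DNCertificateClient.COMPONENT_NAME;` if the client module can see that class. A short comment on the constant saying why a client-side class reads its TLS material from the datanode component directory would also help the next reader.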
@@ -150,9 +151,9 @@ public class XceiverClientGrpc extends XceiverClientSpi {
             .intercept(new ClientCredentialInterceptor(userName, encodedToken),
                 new GrpcClientInterceptor());
     if (secConfig.isGrpcTlsEnabled()) {
-      File trustCertCollectionFile = secConfig.getTrustStoreFile();
-      File privateKeyFile = secConfig.getClientPrivateKeyFile();
-      File clientCertChainFile = secConfig.getClientCertChainFile();
+      File trustCertCollectionFile = secConfig.getTrustStoreFile(COMPONENT);
+      File privateKeyFile = secConfig.getClientPrivateKeyFile(COMPONENT);
+      File clientCertChainFile = secConfig.getClientCertChainFile(COMPONENT);
 
       SslContextBuilder sslContextBuilder = GrpcSslContexts.forClient();
       if (trustCertCollectionFile != null) {
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java
index 0e4204f..969f7bb 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java
@@ -20,6 +20,7 @@
 package org.apache.hadoop.hdds.security.x509;
 
 import com.google.common.base.Preconditions;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.ozone.OzoneConfigKeys;
 import org.apache.ratis.thirdparty.io.netty.handler.ssl.SslProvider;
@@ -247,22 +248,11 @@ public class SecurityConfig {
   }
 
   /**
-   * Returns the File path to where keys are stored.
-   *
-   * @return path Key location.
-   */
-  public Path getKeyLocation() {
-    Preconditions.checkNotNull(this.metadatDir, "Metadata directory can't be"
-        + " null. Please check configs.");
-    return Paths.get(metadatDir, keyDir);
-  }
-
-  /**
    * Returns the File path to where keys are stored with an additional component
    * name inserted in between.
    *
    * @param component - Component Name - String.
-   * @return Path location.
+   * @return Path Key location.
    */
   public Path getKeyLocation(String component) {
     Preconditions.checkNotNull(this.metadatDir, "Metadata directory can't be"
@@ -271,18 +261,8 @@ public class SecurityConfig {
   }
 
   /**
-   * Returns the File path to where keys are stored.
-   *
-   * @return path Key location.
-   */
-  public Path getCertificateLocation() {
-    Preconditions.checkNotNull(this.metadatDir, "Metadata directory can't be"
-        + " null. Please check configs.");
-    return Paths.get(metadatDir, certificateDir);
-  }
-
-  /**
-   * Returns the File path to where keys are stored with an addition component
+   * Returns the File path to where certificates are stored with an addition
+   * component
    * name inserted in between.
    *
    * @param component - Component Name - String.
@@ -381,12 +361,33 @@ public class SecurityConfig {
 
   /**
    * Returns the TLS-enabled gRPC client private key file(Only needed for mutual
+   * authentication) for the given component.
+   * @param component name of the component.
+   * @return the TLS-enabled gRPC client private key file.
+   */
+  public File getClientPrivateKeyFile(String component) {
+    return Paths.get(getKeyLocation(component).toString(),
+        "client." + privateKeyFileName).toFile();
+  }
+
+  /**
+   * Returns the TLS-enabled gRPC client private key file(Only needed for mutual
    * authentication).
    * @return the TLS-enabled gRPC client private key file.
    */
   public File getClientPrivateKeyFile() {
-    return Paths.get(getKeyLocation().toString(),
-        "client." + privateKeyFileName).toFile();
+    return getClientPrivateKeyFile(StringUtils.EMPTY);
+  }
+
+  /**
+   * Returns the TLS-enabled gRPC server private key file for the given
+   * component.
+   * @param component name of the component.
+   * @return the TLS-enabled gRPC server private key file.
+   */
+  public File getServerPrivateKeyFile(String component) {
+    return Paths.get(getKeyLocation(component).toString(),
+        "server." + privateKeyFileName).toFile();
   }
 
   /**
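Review bot: The no-argument `getClientPrivateKeyFile()` kept here now passes `StringUtils.EMPTY` as the component, which presumably resolves to the same component-less key directory as before (the body of `getKeyLocation(String)` is outside the hunk). The same applies to `getServerPrivateKeyFile()`, `getTrustStoreFile()`, `getClientCertChainFile()` and `getServerCertChainFile()` in the following hunks. That keeps a call path that reads private keys and the trust store from the shared location, and a caller that picks the old overload by mistake gets no warning. If nothing outside this patch still needs them, remove them; otherwise mark each `@Deprecated` and state in its Javadoc that it resolves to the component-less directory.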
@@ -394,8 +395,19 @@ public class SecurityConfig {
    * @return the TLS-enabled gRPC server private key file.
    */
   public File getServerPrivateKeyFile() {
-    return Paths.get(getKeyLocation().toString(),
-        "server." + privateKeyFileName).toFile();
+    return getServerPrivateKeyFile(StringUtils.EMPTY);
+  }
+
+  /**
+   * Get the trusted CA certificate file for the given component. (CA
+   * certificate)
+   * @param component name of the component.
+   * @return the trusted CA certificate.
+   */
+  public File getTrustStoreFile(String component) {
+    return Paths.get(getKeyLocation(component).toString(),
+        trustStoreFileName).
+        toFile();
   }
 
   /**
@@ -403,7 +415,19 @@ public class SecurityConfig {
    * @return the trusted CA certificate.
    */
   public File getTrustStoreFile() {
-    return Paths.get(getKeyLocation().toString(), trustStoreFileName).
+    return getTrustStoreFile(StringUtils.EMPTY);
+  }
+
+  /**
+   * Get the TLS-enabled gRPC Client certificate chain file for the given
+   * component (only needed for
+   * mutual authentication).
+   * @param component name of the component.
+   * @return the TLS-enabled gRPC Server certificate chain file.
+   */
+  public File getClientCertChainFile(String component) {
+    return Paths.get(getKeyLocation(component).toString(),
+        clientCertChainFileName).
         toFile();
   }
 
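Review bot: The Javadoc added for `getClientCertChainFile(String component)` says `@return the TLS-enabled gRPC Server certificate chain file`, which is copied from the server variant. It should read `@return the TLS-enabled gRPC Client certificate chain file.`; the existing no-argument overload just below carries the same wrong wording. The description is also broken mid-phrase across two lines (`(only needed for` / `mutual authentication)`) and could be reflowed.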
@@ -413,7 +437,18 @@ public class SecurityConfig {
    * @return the TLS-enabled gRPC Server certificate chain file.
    */
   public File getClientCertChainFile() {
-    return Paths.get(getKeyLocation().toString(), clientCertChainFileName).
+    return getClientCertChainFile(StringUtils.EMPTY);
+  }
+
+  /**
+   * Get the TLS-enabled gRPC Server certificate chain file for the given
+   * component.
+   * @param component name of the component.
+   * @return the TLS-enabled gRPC Server certificate chain file.
+   */
+  public File getServerCertChainFile(String component) {
+    return Paths.get(getKeyLocation(component).toString(),
+        serverCertChainFileName).
         toFile();
   }
 
@@ -422,8 +457,7 @@ public class SecurityConfig {
    * @return the TLS-enabled gRPC Server certificate chain file.
    */
   public File getServerCertChainFile() {
-    return Paths.get(getKeyLocation().toString(), serverCertChainFileName).
-        toFile();
+    return getServerCertChainFile(StringUtils.EMPTY);
   }
 
   /**
@@ -437,7 +471,7 @@ public class SecurityConfig {
 
   /**
    * Return true if using test certificates with authority as localhost.
-   * This should be used only for unit test where certifiates are generated
+   * This should be used only for unit test where certificates are generated
    * by openssl with localhost as DN and should never use for production as it
    * will bypass the hostname/ip matching verification.
    * @return true if using test certificates.
@@ -464,7 +498,7 @@ public class SecurityConfig {
 
   /**
    * Returns max date for which S3 tokens will be valid.
-   * */
+   */
   public long getS3TokenMaxDate() {
     return getConfiguration().getTimeDuration(
         OzoneConfigKeys.OZONE_S3_TOKEN_MAX_LIFETIME_KEY,
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DNCertificateClient.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DNCertificateClient.java
index 7790d04..7698658 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DNCertificateClient.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DNCertificateClient.java
@@ -25,6 +25,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+
 /**
  * Certificate client for DataNodes.
  */
@@ -32,13 +33,16 @@ public class DNCertificateClient extends DefaultCertificateClient {
 
   private static final Logger LOG =
       LoggerFactory.getLogger(DNCertificateClient.class);
+
+  public static final String COMPONENT_NAME = "dn";
+
   public DNCertificateClient(SecurityConfig securityConfig,
       String certSerialId) {
-    super(securityConfig, LOG, certSerialId);
+    super(securityConfig, LOG, certSerialId, COMPONENT_NAME);
   }
 
   public DNCertificateClient(SecurityConfig securityConfig) {
-    super(securityConfig, LOG, null);
+    super(securityConfig, LOG, null, COMPONENT_NAME);
   }
 
   /**
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
index 8f13574..388c5bc 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
@@ -89,16 +89,18 @@ public abstract class DefaultCertificateClient implements CertificateClient {
   private X509Certificate x509Certificate;
   private Map<String, X509Certificate> certificateMap;
   private String certSerialId;
+  private String component;
 
 
   DefaultCertificateClient(SecurityConfig securityConfig, Logger log,
-      String certSerialId) {
+      String certSerialId, String component) {
     Objects.requireNonNull(securityConfig);
     this.securityConfig = securityConfig;
-    keyCodec = new KeyCodec(securityConfig);
+    keyCodec = new KeyCodec(securityConfig, component);
     this.logger = log;
     this.certificateMap = new ConcurrentHashMap<>();
     this.certSerialId = certSerialId;
+    this.component = component;
 
     loadAllCertificates();
   }
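Review bot: The new `component` argument is stored and handed to `KeyCodec` without a null check, although `securityConfig` two lines above is guarded with `Objects.requireNonNull`. A null component would only surface later, when the key and certificate paths are resolved in `loadAllCertificates()`, and an empty one presumably falls back to the component-less directory. I would declare the field `private final String component;` and add `Objects.requireNonNull(component);` next to the existing check, before `new KeyCodec(securityConfig, component)`.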
@@ -108,7 +110,7 @@ public abstract class DefaultCertificateClient implements CertificateClient {
    * */
   private void loadAllCertificates() {
     // See if certs directory exists in file system.
-    Path certPath = securityConfig.getCertificateLocation();
+    Path certPath = securityConfig.getCertificateLocation(component);
     if (Files.exists(certPath) && Files.isDirectory(certPath)) {
       getLogger().info("Loading certificate from location:{}.",
           certPath);
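Review bot: Certificates are now looked up only under `getCertificateLocation(component)`, and the private and public key lookups in the later hunks of this file switch to `getKeyLocation(component)` in the same way; no fallback to the previous component-less location is visible. On a node that already holds keys or certificates at the old path, these lookups would presumably find nothing and the client would start as if uninitialised. If such nodes can exist on this branch, document the required move of the key material, or log a warning when files are found at the old location. The body of `loadAllCertificates()` continues outside the hunk.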
@@ -116,7 +118,7 @@ public abstract class DefaultCertificateClient implements CertificateClient {
 
       if (certFiles != null) {
         CertificateCodec certificateCodec =
-            new CertificateCodec(securityConfig);
+            new CertificateCodec(securityConfig, component);
         for (File file : certFiles) {
           if (file.isFile()) {
             try {
@@ -158,7 +160,7 @@ public abstract class DefaultCertificateClient implements CertificateClient {
       return privateKey;
     }
 
-    Path keyPath = securityConfig.getKeyLocation();
+    Path keyPath = securityConfig.getKeyLocation(component);
     if (OzoneSecurityUtil.checkIfFileExist(keyPath,
         securityConfig.getPrivateKeyFileName())) {
       try {
@@ -182,7 +184,7 @@ public abstract class DefaultCertificateClient implements CertificateClient {
       return publicKey;
     }
 
-    Path keyPath = securityConfig.getKeyLocation();
+    Path keyPath = securityConfig.getKeyLocation(component);
     if (OzoneSecurityUtil.checkIfFileExist(keyPath,
         securityConfig.getPublicKeyFileName())) {
       try {
@@ -477,9 +479,10 @@ public abstract class DefaultCertificateClient implements CertificateClient {
   @Override
   public void storeCertificate(String pemEncodedCert, boolean force,
       boolean caCert) throws CertificateException {
-    CertificateCodec certificateCodec = new CertificateCodec(securityConfig);
+    CertificateCodec certificateCodec = new CertificateCodec(securityConfig,
+        component);
     try {
-      Path basePath = securityConfig.getCertificateLocation();
+      Path basePath = securityConfig.getCertificateLocation(component);
 
       X509Certificate cert =
           CertificateCodec.getX509Certificate(pemEncodedCert);
@@ -738,7 +741,7 @@ public abstract class DefaultCertificateClient implements CertificateClient {
    * location.
    * */
   protected void bootstrapClientKeys() throws CertificateException {
-    Path keyPath = securityConfig.getKeyLocation();
+    Path keyPath = securityConfig.getKeyLocation(component);
     if (Files.notExists(keyPath)) {
       try {
         Files.createDirectories(keyPath);
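Review bot: The per-component key directory is created with `Files.createDirectories(keyPath)` and no file attributes, so it gets the process default permissions; whether they are tightened afterwards is not visible, because `bootstrapClientKeys()` continues outside the hunk. Since this directory will hold the private key and the path is new for every existing install, I would create it owner-only on POSIX file systems, e.g. `Files.createDirectories(keyPath, PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------")));`. If the permissions are already enforced elsewhere, a comment naming that place would be enough.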
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/OMCertificateClient.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/OMCertificateClient.java
index b1f7504..cb3ce75 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/OMCertificateClient.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/OMCertificateClient.java
@@ -39,13 +39,15 @@ public class OMCertificateClient extends DefaultCertificateClient {
   private static final Logger LOG =
       LoggerFactory.getLogger(OMCertificateClient.class);
 
+  public static final String COMPONENT_NAME = "om";
+
   public OMCertificateClient(SecurityConfig securityConfig,
       String certSerialId) {
-    super(securityConfig, LOG, certSerialId);
+    super(securityConfig, LOG, certSerialId, COMPONENT_NAME);
   }
 
   public OMCertificateClient(SecurityConfig securityConfig) {
-    super(securityConfig, LOG, null);
+    super(securityConfig, LOG, null, COMPONENT_NAME);
   }
 
   protected InitResponse handleCase(InitCase init) throws
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateCodec.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateCodec.java
index 90d5325..2c8721b 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateCodec.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateCodec.java
@@ -19,9 +19,7 @@
 
 package org.apache.hadoop.hdds.security.x509.certificate.utils;
 
-import com.google.common.base.Preconditions;
 import org.apache.commons.io.IOUtils;
-import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
 import org.apache.hadoop.hdds.security.x509.SecurityConfig;
 import org.bouncycastle.cert.X509CertificateHolder;
@@ -70,7 +68,7 @@ public class CertificateCodec {
       Stream.of(OWNER_READ, OWNER_WRITE, OWNER_EXECUTE)
           .collect(Collectors.toSet());
   /**
-   * Creates an CertificateCodec.
+   * Creates a CertificateCodec with component name.
    *
    * @param config - Security Config.
    * @param component - Component String.
@@ -81,27 +79,6 @@ public class CertificateCodec {
   }
 
   /**
-   * Creates an CertificateCodec.
-   *
-   * @param config - Security Config.
-   */
-  public CertificateCodec(SecurityConfig config) {
-    this.securityConfig = config;
-    this.location = securityConfig.getCertificateLocation();
-  }
-
-  /**
-   * Creates an CertificateCodec.
-   *
-   * @param configuration - Configuration
-   */
-  public CertificateCodec(Configuration configuration) {
-    Preconditions.checkNotNull(configuration, "Config cannot be null");
-    this.securityConfig = new SecurityConfig(configuration);
-    this.location = securityConfig.getCertificateLocation();
-  }
-
-  /**
    * Returns a X509 Certificate from the Certificate Holder.
    *
    * @param holder - Holder
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/keys/KeyCodec.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/keys/KeyCodec.java
index a5ebdae..82873b0 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/keys/KeyCodec.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/keys/KeyCodec.java
@@ -22,7 +22,6 @@ import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.io.output.FileWriterWithEncoding;
-import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hdds.security.x509.SecurityConfig;
 import org.bouncycastle.util.io.pem.PemObject;
 import org.bouncycastle.util.io.pem.PemReader;
@@ -76,7 +75,7 @@ public class KeyCodec {
   private Supplier<Boolean> isPosixFileSystem;
 
   /**
-   * Creates an KeyCodec.
+   * Creates a KeyCodec with component name.
    *
    * @param config - Security Config.
    * @param component - Component String.
@@ -88,29 +87,6 @@ public class KeyCodec {
   }
 
   /**
-   * Creates an KeyCodec.
-   *
-   * @param config - Security Config.
-   */
-  public KeyCodec(SecurityConfig config) {
-    this.securityConfig = config;
-    isPosixFileSystem = KeyCodec::isPosix;
-    this.location = securityConfig.getKeyLocation();
-  }
-
-  /**
-   * Creates an HDDS Key Writer.
-   *
-   * @param configuration - Configuration
-   */
-  public KeyCodec(Configuration configuration) {
-    Preconditions.checkNotNull(configuration, "Config cannot be null");
-    this.securityConfig = new SecurityConfig(configuration);
-    isPosixFileSystem = KeyCodec::isPosix;
-    this.location = securityConfig.getKeyLocation();
-  }
-
-  /**
    * Checks if File System supports posix style security permissions.
    *
    * @return True if it supports posix.
diff --git a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestCertificateClientInit.java b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestCertificateClientInit.java
index 61bcf21..dcd9898 100644
--- a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestCertificateClientInit.java
+++ b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestCertificateClientInit.java
@@ -66,8 +66,11 @@ public class TestCertificateClientInit {
   private HDDSKeyGenerator keyGenerator;
   private Path metaDirPath;
   private SecurityConfig securityConfig;
-  private KeyCodec keyCodec;
+  private KeyCodec dnKeyCodec;
+  private KeyCodec omKeyCodec;
   private X509Certificate x509Certificate;
+  private final static String DN_COMPONENT = DNCertificateClient.COMPONENT_NAME;
+  private final static String OM_COMPONENT = OMCertificateClient.COMPONENT_NAME;
 
   @Parameter
   public boolean pvtKeyPresent;
@@ -107,9 +110,11 @@ public class TestCertificateClientInit {
         certSerialId);
     omCertificateClient = new OMCertificateClient(securityConfig,
         certSerialId);
-    keyCodec = new KeyCodec(securityConfig);
+    dnKeyCodec = new KeyCodec(securityConfig, DN_COMPONENT);
+    omKeyCodec = new KeyCodec(securityConfig, OM_COMPONENT);
 
-    Files.createDirectories(securityConfig.getKeyLocation());
+    Files.createDirectories(securityConfig.getKeyLocation(DN_COMPONENT));
+    Files.createDirectories(securityConfig.getKeyLocation(OM_COMPONENT));
   }
 
   @After
@@ -123,28 +128,32 @@ public class TestCertificateClientInit {
   @Test
   public void testInitDatanode() throws Exception {
     if (pvtKeyPresent) {
-      keyCodec.writePrivateKey(keyPair.getPrivate());
+      dnKeyCodec.writePrivateKey(keyPair.getPrivate());
     } else {
-      FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
-          .toString(), securityConfig.getPrivateKeyFileName()).toFile());
+      FileUtils.deleteQuietly(Paths.get(
+          securityConfig.getKeyLocation(DN_COMPONENT).toString(),
+          securityConfig.getPrivateKeyFileName()).toFile());
     }
 
     if (pubKeyPresent) {
       if (dnCertificateClient.getPublicKey() == null) {
-        keyCodec.writePublicKey(keyPair.getPublic());
+        dnKeyCodec.writePublicKey(keyPair.getPublic());
       }
     } else {
-      FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
-          .toString(), securityConfig.getPublicKeyFileName()).toFile());
+      FileUtils.deleteQuietly(
+          Paths.get(securityConfig.getKeyLocation(DN_COMPONENT).toString(),
+              securityConfig.getPublicKeyFileName()).toFile());
     }
 
     if (certPresent) {
-      CertificateCodec codec = new CertificateCodec(securityConfig);
+      CertificateCodec codec = new CertificateCodec(securityConfig,
+          DN_COMPONENT);
       codec.writeCertificate(new X509CertificateHolder(
           x509Certificate.getEncoded()));
     } else {
-      FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
-          .toString(), securityConfig.getCertificateFileName()).toFile());
+      FileUtils.deleteQuietly(Paths.get(
+          securityConfig.getKeyLocation(DN_COMPONENT).toString(),
+          securityConfig.getCertificateFileName()).toFile());
     }
     InitResponse response = dnCertificateClient.init();
 
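Review bot: In the `certPresent` else-branch the certificate file is deleted from `securityConfig.getKeyLocation(DN_COMPONENT)`, while `CertificateCodec` presumably writes it under the certificate location. The delete therefore targets a path where the certificate is not expected to exist, and the "certificate absent" cases would pass only because nothing wrote one earlier. Use `securityConfig.getCertificateLocation(DN_COMPONENT).toString()` there; the same applies with `OM_COMPONENT` in `testInitOzoneManager` in the next hunk but one.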
@@ -152,10 +161,10 @@ public class TestCertificateClientInit {
 
     if (!response.equals(FAILURE)) {
       assertTrue(OzoneSecurityUtil.checkIfFileExist(
-          securityConfig.getKeyLocation(),
+          securityConfig.getKeyLocation(DN_COMPONENT),
           securityConfig.getPrivateKeyFileName()));
       assertTrue(OzoneSecurityUtil.checkIfFileExist(
-          securityConfig.getKeyLocation(),
+          securityConfig.getKeyLocation(DN_COMPONENT),
           securityConfig.getPublicKeyFileName()));
     }
   }
@@ -163,28 +172,32 @@ public class TestCertificateClientInit {
   @Test
   public void testInitOzoneManager() throws Exception {
     if (pvtKeyPresent) {
-      keyCodec.writePrivateKey(keyPair.getPrivate());
+      omKeyCodec.writePrivateKey(keyPair.getPrivate());
     } else {
-      FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
-          .toString(), securityConfig.getPrivateKeyFileName()).toFile());
+      FileUtils.deleteQuietly(Paths.get(
+          securityConfig.getKeyLocation(OM_COMPONENT).toString(),
+          securityConfig.getPrivateKeyFileName()).toFile());
     }
 
     if (pubKeyPresent) {
       if (omCertificateClient.getPublicKey() == null) {
-        keyCodec.writePublicKey(keyPair.getPublic());
+        omKeyCodec.writePublicKey(keyPair.getPublic());
       }
     } else {
-      FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
-          .toString(), securityConfig.getPublicKeyFileName()).toFile());
+      FileUtils.deleteQuietly(Paths.get(
+          securityConfig.getKeyLocation(OM_COMPONENT).toString(),
+          securityConfig.getPublicKeyFileName()).toFile());
     }
 
     if (certPresent) {
-      CertificateCodec codec = new CertificateCodec(securityConfig);
+      CertificateCodec codec = new CertificateCodec(securityConfig,
+          OM_COMPONENT);
       codec.writeCertificate(new X509CertificateHolder(
           x509Certificate.getEncoded()));
     } else {
-      FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
-          .toString(), securityConfig.getCertificateFileName()).toFile());
+      FileUtils.deleteQuietly(Paths.get(
+          securityConfig.getKeyLocation(OM_COMPONENT).toString(),
+          securityConfig.getCertificateFileName()).toFile());
     }
     InitResponse response = omCertificateClient.init();
 
@@ -196,10 +209,10 @@ public class TestCertificateClientInit {
 
     if (!response.equals(FAILURE)) {
       assertTrue(OzoneSecurityUtil.checkIfFileExist(
-          securityConfig.getKeyLocation(),
+          securityConfig.getKeyLocation(OM_COMPONENT),
           securityConfig.getPrivateKeyFileName()));
       assertTrue(OzoneSecurityUtil.checkIfFileExist(
-          securityConfig.getKeyLocation(),
+          securityConfig.getKeyLocation(OM_COMPONENT),
           securityConfig.getPublicKeyFileName()));
     }
   }
diff --git a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDefaultCertificateClient.java b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDefaultCertificateClient.java
index 11be0de..f389cdb 100644
--- a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDefaultCertificateClient.java
+++ b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDefaultCertificateClient.java
@@ -76,6 +76,8 @@ public class TestDefaultCertificateClient {
   private SecurityConfig omSecurityConfig;
   private SecurityConfig dnSecurityConfig;
   private final static String UTF = "UTF-8";
+  private final static String DN_COMPONENT = DNCertificateClient.COMPONENT_NAME;
+  private final static String OM_COMPONENT = OMCertificateClient.COMPONENT_NAME;
   private KeyCodec omKeyCodec;
   private KeyCodec dnKeyCodec;
 
@@ -99,11 +101,11 @@ public class TestDefaultCertificateClient {
 
 
     keyGenerator = new HDDSKeyGenerator(omSecurityConfig);
-    omKeyCodec = new KeyCodec(omSecurityConfig);
-    dnKeyCodec = new KeyCodec(dnSecurityConfig);
+    omKeyCodec = new KeyCodec(omSecurityConfig, OM_COMPONENT);
+    dnKeyCodec = new KeyCodec(dnSecurityConfig, DN_COMPONENT);
 
-    Files.createDirectories(omSecurityConfig.getKeyLocation());
-    Files.createDirectories(dnSecurityConfig.getKeyLocation());
+    Files.createDirectories(omSecurityConfig.getKeyLocation(OM_COMPONENT));
+    Files.createDirectories(dnSecurityConfig.getKeyLocation(DN_COMPONENT));
     x509Certificate = generateX509Cert(null);
     certSerialId = x509Certificate.getSerialNumber().toString();
     getCertClient();
@@ -156,14 +158,18 @@ public class TestDefaultCertificateClient {
   }
 
   private void cleanupOldKeyPair() {
-    FileUtils.deleteQuietly(Paths.get(omSecurityConfig.getKeyLocation()
-        .toString(), omSecurityConfig.getPrivateKeyFileName()).toFile());
-    FileUtils.deleteQuietly(Paths.get(omSecurityConfig.getKeyLocation()
-        .toString(), omSecurityConfig.getPublicKeyFileName()).toFile());
-    FileUtils.deleteQuietly(Paths.get(dnSecurityConfig.getKeyLocation()
-        .toString(), dnSecurityConfig.getPrivateKeyFileName()).toFile());
-    FileUtils.deleteQuietly(Paths.get(dnSecurityConfig.getKeyLocation()
-        .toString(), dnSecurityConfig.getPublicKeyFileName()).toFile());
+    FileUtils.deleteQuietly(Paths.get(
+        omSecurityConfig.getKeyLocation(OM_COMPONENT).toString(),
+        omSecurityConfig.getPrivateKeyFileName()).toFile());
+    FileUtils.deleteQuietly(Paths.get(
+        omSecurityConfig.getKeyLocation(OM_COMPONENT).toString(),
+        omSecurityConfig.getPublicKeyFileName()).toFile());
+    FileUtils.deleteQuietly(Paths.get(
+        dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(),
+        dnSecurityConfig.getPrivateKeyFileName()).toFile());
+    FileUtils.deleteQuietly(Paths.get(
+        dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(),
+        dnSecurityConfig.getPublicKeyFileName()).toFile());
   }
 
   /**
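Review bot: `cleanupOldKeyPair` repeats the same `FileUtils.deleteQuietly(Paths.get(<config>.getKeyLocation(<component>).toString(), <fileName>).toFile())` expression four times, and the later hunks of this file (testSignDataStream and Cases 1 to 4 of the init test) repeat it again. Each copy must pair the right config with the right component, and because `deleteQuietly` reports nothing when the path does not exist, a wrong pairing would leave the stale key in place without failing the cleanup. A private helper `deleteKeyFile(SecurityConfig config, String component, String fileName)` whose body is `FileUtils.deleteQuietly(config.getKeyLocation(component).resolve(fileName).toFile());` would keep that pairing in one place.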
@@ -196,10 +202,12 @@ public class TestDefaultCertificateClient {
   @Test
   public void testSignDataStream() throws Exception {
     String data = RandomStringUtils.random(100, UTF);
-    FileUtils.deleteQuietly(Paths.get(omSecurityConfig.getKeyLocation()
-        .toString(), omSecurityConfig.getPrivateKeyFileName()).toFile());
-    FileUtils.deleteQuietly(Paths.get(omSecurityConfig.getKeyLocation()
-        .toString(), omSecurityConfig.getPublicKeyFileName()).toFile());
+    FileUtils.deleteQuietly(Paths.get(
+        omSecurityConfig.getKeyLocation(OM_COMPONENT).toString(),
+        omSecurityConfig.getPrivateKeyFileName()).toFile());
+    FileUtils.deleteQuietly(Paths.get(
+        omSecurityConfig.getKeyLocation(OM_COMPONENT).toString(),
+        omSecurityConfig.getPublicKeyFileName()).toFile());
 
     // Expect error when there is no private key to sign.
     LambdaTestUtils.intercept(IOException.class, "Error while " +
@@ -285,8 +293,9 @@ public class TestDefaultCertificateClient {
     X509Certificate cert2 = generateX509Cert(keyPair);
     X509Certificate cert3 = generateX509Cert(keyPair);
 
-    Path certPath = dnSecurityConfig.getCertificateLocation();
-    CertificateCodec codec = new CertificateCodec(dnSecurityConfig);
+    Path certPath = dnSecurityConfig.getCertificateLocation(DN_COMPONENT);
+    CertificateCodec codec = new CertificateCodec(dnSecurityConfig,
+        DN_COMPONENT);
 
     // Certificate not found.
     LambdaTestUtils.intercept(CertificateException.class, "Error while" +
@@ -308,7 +317,7 @@ public class TestDefaultCertificateClient {
     codec.writeCertificate(certPath, "3.crt",
         getPEMEncodedString(cert3), true);
 
-    // Re instentiate DN client which will load certificates from filesystem.
+    // Re instantiate DN client which will load certificates from filesystem.
     dnCertClient = new DNCertificateClient(dnSecurityConfig, certSerialId);
 
     assertNotNull(dnCertClient.getCertificate(cert1.getSerialNumber()
@@ -352,16 +361,20 @@ public class TestDefaultCertificateClient {
     omClientLog.clearOutput();
 
     // Case 1. Expect failure when keypair validation fails.
-    FileUtils.deleteQuietly(Paths.get(omSecurityConfig.getKeyLocation()
-        .toString(), omSecurityConfig.getPrivateKeyFileName()).toFile());
-    FileUtils.deleteQuietly(Paths.get(omSecurityConfig.getKeyLocation()
-        .toString(), omSecurityConfig.getPublicKeyFileName()).toFile());
+    FileUtils.deleteQuietly(Paths.get(
+        omSecurityConfig.getKeyLocation(OM_COMPONENT).toString(),
+        omSecurityConfig.getPrivateKeyFileName()).toFile());
+    FileUtils.deleteQuietly(Paths.get(
+        omSecurityConfig.getKeyLocation(OM_COMPONENT).toString(),
+        omSecurityConfig.getPublicKeyFileName()).toFile());
 
 
-    FileUtils.deleteQuietly(Paths.get(dnSecurityConfig.getKeyLocation()
-        .toString(), dnSecurityConfig.getPrivateKeyFileName()).toFile());
-    FileUtils.deleteQuietly(Paths.get(dnSecurityConfig.getKeyLocation()
-        .toString(), dnSecurityConfig.getPublicKeyFileName()).toFile());
+    FileUtils.deleteQuietly(Paths.get(
+        dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(),
+        dnSecurityConfig.getPrivateKeyFileName()).toFile());
+    FileUtils.deleteQuietly(Paths.get(
+        dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(),
+        dnSecurityConfig.getPublicKeyFileName()).toFile());
 
     omKeyCodec.writePrivateKey(keyPair.getPrivate());
     omKeyCodec.writePublicKey(keyPair2.getPublic());
@@ -387,16 +400,20 @@ public class TestDefaultCertificateClient {
     // Case 2. Expect failure when certificate is generated from different
     // private key and keypair validation fails.
     getCertClient();
-    FileUtils.deleteQuietly(Paths.get(omSecurityConfig.getKeyLocation()
-        .toString(), omSecurityConfig.getCertificateFileName()).toFile());
-    FileUtils.deleteQuietly(Paths.get(dnSecurityConfig.getKeyLocation()
-        .toString(), dnSecurityConfig.getCertificateFileName()).toFile());
-
-    CertificateCodec omCertCodec = new CertificateCodec(omSecurityConfig);
+    FileUtils.deleteQuietly(Paths.get(
+        omSecurityConfig.getKeyLocation(OM_COMPONENT).toString(),
+        omSecurityConfig.getCertificateFileName()).toFile());
+    FileUtils.deleteQuietly(Paths.get(
+        dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(),
+        dnSecurityConfig.getCertificateFileName()).toFile());
+
+    CertificateCodec omCertCodec = new CertificateCodec(omSecurityConfig,
+        OM_COMPONENT);
     omCertCodec.writeCertificate(new X509CertificateHolder(
         x509Certificate.getEncoded()));
 
-    CertificateCodec dnCertCodec = new CertificateCodec(dnSecurityConfig);
+    CertificateCodec dnCertCodec = new CertificateCodec(dnSecurityConfig,
+        DN_COMPONENT);
     dnCertCodec.writeCertificate(new X509CertificateHolder(
         x509Certificate.getEncoded()));
     // Check for DN.
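Review bot: The two deletes at the top of Case 2 look for `getCertificateFileName()` under `getKeyLocation(...)` rather than under the certificate directory, and the change carries that over to the component-aware call. The TestHddsSecureDatanodeInit hunk in this commit deletes the certificate via `getCertificateLocation(DN_COMPONENT)`, which suggests keys and certificates can live in different directories. If they do, these calls remove nothing and `deleteQuietly` stays silent, so the case would run against whatever certificate an earlier step left on disk. Consider `omSecurityConfig.getCertificateLocation(OM_COMPONENT).toString(),` here and the same with `dnSecurityConfig` and `DN_COMPONENT`. The test method starts and ends outside this hunk.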
@@ -416,10 +433,12 @@ public class TestDefaultCertificateClient {
     // private key and certificate validation fails.
 
     // Re write the correct public key.
-    FileUtils.deleteQuietly(Paths.get(omSecurityConfig.getKeyLocation()
-        .toString(), omSecurityConfig.getPublicKeyFileName()).toFile());
-    FileUtils.deleteQuietly(Paths.get(dnSecurityConfig.getKeyLocation()
-        .toString(), dnSecurityConfig.getPublicKeyFileName()).toFile());
+    FileUtils.deleteQuietly(Paths.get(
+        omSecurityConfig.getKeyLocation(OM_COMPONENT).toString(),
+        omSecurityConfig.getPublicKeyFileName()).toFile());
+    FileUtils.deleteQuietly(Paths.get(
+        dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(),
+        dnSecurityConfig.getPublicKeyFileName()).toFile());
     getCertClient();
     omKeyCodec.writePublicKey(keyPair.getPublic());
     dnKeyCodec.writePublicKey(keyPair.getPublic());
@@ -440,10 +459,12 @@ public class TestDefaultCertificateClient {
 
     // Case 4. Failure when public key recovery fails.
     getCertClient();
-    FileUtils.deleteQuietly(Paths.get(omSecurityConfig.getKeyLocation()
-        .toString(), omSecurityConfig.getPublicKeyFileName()).toFile());
-    FileUtils.deleteQuietly(Paths.get(dnSecurityConfig.getKeyLocation()
-        .toString(), dnSecurityConfig.getPublicKeyFileName()).toFile());
+    FileUtils.deleteQuietly(Paths.get(
+        omSecurityConfig.getKeyLocation(OM_COMPONENT).toString(),
+        omSecurityConfig.getPublicKeyFileName()).toFile());
+    FileUtils.deleteQuietly(Paths.get(
+        dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(),
+        dnSecurityConfig.getPublicKeyFileName()).toFile());
 
     // Check for DN.
     assertEquals(dnCertClient.init(), FAILURE);
diff --git a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestCertificateCodec.java b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestCertificateCodec.java
index 9ac956f..ded5206 100644
--- a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestCertificateCodec.java
+++ b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestCertificateCodec.java
@@ -22,6 +22,7 @@ package org.apache.hadoop.hdds.security.x509.certificate.utils;
 import org.apache.commons.lang3.RandomStringUtils;
 import org.apache.hadoop.hdds.conf.OzoneConfiguration;
 import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
+import org.apache.hadoop.hdds.security.x509.SecurityConfig;
 import org.apache.hadoop.hdds.security.x509.certificates.utils.SelfSignedCertificate;
 import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
 import org.bouncycastle.cert.X509CertificateHolder;
@@ -50,12 +51,15 @@ import static org.junit.Assert.assertTrue;
  */
 public class TestCertificateCodec {
   private static OzoneConfiguration conf = new OzoneConfiguration();
+  private static final String COMPONENT = "test";
+  private SecurityConfig securityConfig;
   @Rule
   public TemporaryFolder temporaryFolder = new TemporaryFolder();
 
   @Before
   public void init() throws IOException {
     conf.set(OZONE_METADATA_DIRS, temporaryFolder.newFolder().toString());
+    securityConfig = new SecurityConfig(conf);
   }
 
   /**
@@ -88,7 +92,7 @@ public class TestCertificateCodec {
             .setKey(keyGenerator.generateKey())
             .makeCA()
             .build();
-    CertificateCodec codec = new CertificateCodec(conf);
+    CertificateCodec codec = new CertificateCodec(securityConfig, COMPONENT);
     String pemString = codec.getPEMEncodedString(cert);
     assertTrue(pemString.startsWith(CertificateCodec.BEGIN_CERT));
     assertTrue(pemString.endsWith(CertificateCodec.END_CERT + "\n"));
@@ -131,7 +135,7 @@ public class TestCertificateCodec {
             .setKey(keyGenerator.generateKey())
             .makeCA()
             .build();
-    CertificateCodec codec = new CertificateCodec(conf);
+    CertificateCodec codec = new CertificateCodec(securityConfig, COMPONENT);
     String pemString = codec.getPEMEncodedString(cert);
     File basePath = temporaryFolder.newFolder();
     if (!basePath.exists()) {
@@ -172,7 +176,7 @@ public class TestCertificateCodec {
             .setKey(keyGenerator.generateKey())
             .makeCA()
             .build();
-    CertificateCodec codec = new CertificateCodec(conf);
+    CertificateCodec codec = new CertificateCodec(securityConfig, COMPONENT);
     codec.writeCertificate(cert);
     X509CertificateHolder certHolder = codec.readCertificate();
     assertNotNull(certHolder);
diff --git a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/keys/TestKeyCodec.java b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/keys/TestKeyCodec.java
index d3e13d2..d82b02f 100644
--- a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/keys/TestKeyCodec.java
+++ b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/keys/TestKeyCodec.java
@@ -57,6 +57,8 @@ public class TestKeyCodec {
   @Rule
   public TemporaryFolder temporaryFolder = new TemporaryFolder();
   private OzoneConfiguration configuration;
+  private SecurityConfig securityConfig;
+  private String component;
   private HDDSKeyGenerator keyGenerator;
   private String prefix;
 
@@ -66,6 +68,8 @@ public class TestKeyCodec {
     prefix = temporaryFolder.newFolder().toString();
     configuration.set(HDDS_METADATA_DIR_NAME, prefix);
     keyGenerator = new HDDSKeyGenerator(configuration);
+    securityConfig = new SecurityConfig(configuration);
+    component = "test_component";
   }
 
   /**
@@ -83,11 +87,11 @@ public class TestKeyCodec {
       throws NoSuchProviderException, NoSuchAlgorithmException,
       IOException, InvalidKeySpecException {
     KeyPair keys = keyGenerator.generateKey();
-    KeyCodec pemWriter = new KeyCodec(configuration);
+    KeyCodec pemWriter = new KeyCodec(securityConfig, component);
     pemWriter.writeKey(keys);
 
     // Assert that locations have been created.
-    Path keyLocation = pemWriter.getSecurityConfig().getKeyLocation();
+    Path keyLocation = pemWriter.getSecurityConfig().getKeyLocation(component);
     Assert.assertTrue(keyLocation.toFile().exists());
 
     // Assert that locations are created in the locations that we specified
@@ -172,7 +176,7 @@ public class TestKeyCodec {
   public void testReWriteKey()
       throws Exception {
     KeyPair kp = keyGenerator.generateKey();
-    KeyCodec pemWriter = new KeyCodec(configuration);
+    KeyCodec pemWriter = new KeyCodec(securityConfig, component);
     SecurityConfig secConfig = pemWriter.getSecurityConfig();
     pemWriter.writeKey(kp);
 
@@ -181,13 +185,13 @@ public class TestKeyCodec {
         .intercept(IOException.class, "Private Key file already exists.",
             () -> pemWriter.writeKey(kp));
     FileUtils.deleteQuietly(Paths.get(
-        secConfig.getKeyLocation().toString() + "/" + secConfig
+        secConfig.getKeyLocation(component).toString() + "/" + secConfig
             .getPrivateKeyFileName()).toFile());
     LambdaTestUtils
         .intercept(IOException.class, "Public Key file already exists.",
             () -> pemWriter.writeKey(kp));
     FileUtils.deleteQuietly(Paths.get(
-        secConfig.getKeyLocation().toString() + "/" + secConfig
+        secConfig.getKeyLocation(component).toString() + "/" + secConfig
             .getPublicKeyFileName()).toFile());
 
     // Should succeed now as both public and private key are deleted.
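Review bot: Both deletes in this hunk build the file path with `toString() + "/" + fileName`, whereas the other tests touched by this commit pass the directory and file name to `Paths.get` as separate arguments. `getKeyLocation(component)` is assigned to a `Path` earlier in this file, so `secConfig.getKeyLocation(component).resolve(secConfig.getPrivateKeyFileName()).toFile()` would drop the hard-coded separator, and likewise for the public key. `testReWriteKey` begins in the previous hunk and continues past this one.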
@@ -206,7 +210,7 @@ public class TestKeyCodec {
   public void testWriteKeyInNonPosixFS()
       throws Exception {
     KeyPair kp = keyGenerator.generateKey();
-    KeyCodec pemWriter = new KeyCodec(configuration);
+    KeyCodec pemWriter = new KeyCodec(securityConfig, component);
     pemWriter.setIsPosixFileSystem(() -> false);
 
     // Assert key rewrite fails in non Posix file system.
@@ -221,7 +225,7 @@ public class TestKeyCodec {
       InvalidKeySpecException {
 
     KeyPair kp = keyGenerator.generateKey();
-    KeyCodec keycodec = new KeyCodec(configuration);
+    KeyCodec keycodec = new KeyCodec(securityConfig, component);
     keycodec.writeKey(kp);
 
     PublicKey pubKey = keycodec.readPublicKey();
diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java
index 78c941e..23fa2d0 100644
--- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java
+++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java
@@ -64,6 +64,7 @@ import java.util.concurrent.TimeUnit;
 public final class XceiverServerGrpc extends XceiverServer {
   private static final Logger
       LOG = LoggerFactory.getLogger(XceiverServerGrpc.class);
+  private static final String COMPONENT = "dn";
   private int port;
   private UUID id;
   private Server server;
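Review bot: `COMPONENT = "dn"` is a string literal, while the tests in this commit take the datanode component from `DNCertificateClient.COMPONENT_NAME`. The next hunk passes it to `getServerPrivateKeyFile`, `getServerCertChainFile` and `getClientCertChainFile`. If the literal and the client's constant ever diverge, the gRPC server would look for its TLS key and certificate chains in a directory the certificate client did not write to. Prefer `private static final String COMPONENT = DNCertificateClient.COMPONENT_NAME;`, since the test in this module already references that class. The same applies to `COMPONENT = "om"` in TestSecureOzoneManager, which could use `OMCertificateClient.COMPONENT_NAME`.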
@@ -111,11 +112,12 @@ public final class XceiverServerGrpc extends XceiverServer {
     }
 
     if (getSecConfig().isGrpcTlsEnabled()) {
-      File privateKeyFilePath = getSecurityConfig().getServerPrivateKeyFile();
+      File privateKeyFilePath =
+          getSecurityConfig().getServerPrivateKeyFile(COMPONENT);
       File serverCertChainFilePath =
-          getSecurityConfig().getServerCertChainFile();
+          getSecurityConfig().getServerCertChainFile(COMPONENT);
       File clientCertChainFilePath =
-          getSecurityConfig().getClientCertChainFile();
+          getSecurityConfig().getClientCertChainFile(COMPONENT);
       try {
         SslContextBuilder sslClientContextBuilder = SslContextBuilder.forServer(
             serverCertChainFilePath, privateKeyFilePath);
diff --git a/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/TestHddsSecureDatanodeInit.java b/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/TestHddsSecureDatanodeInit.java
index 20d5eef..04fd3a4 100644
--- a/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/TestHddsSecureDatanodeInit.java
+++ b/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/TestHddsSecureDatanodeInit.java
@@ -66,6 +66,7 @@ public class TestHddsSecureDatanodeInit {
   private static KeyCodec keyCodec;
   private static CertificateCodec certCodec;
   private static X509CertificateHolder certHolder;
+  private final static String DN_COMPONENT = DNCertificateClient.COMPONENT_NAME;
 
   @BeforeClass
   public static void setUp() throws Exception {
@@ -93,8 +94,8 @@ public class TestHddsSecureDatanodeInit {
       service.initializeCertificateClient(conf);
       return null;
     });
-    certCodec = new CertificateCodec(securityConfig);
-    keyCodec = new KeyCodec(securityConfig);
+    certCodec = new CertificateCodec(securityConfig, DN_COMPONENT);
+    keyCodec = new KeyCodec(securityConfig, DN_COMPONENT);
     dnLogs.clearOutput();
     privateKey = service.getCertificateClient().getPrivateKey();
     publicKey = service.getCertificateClient().getPublicKey();
@@ -115,12 +116,14 @@ public class TestHddsSecureDatanodeInit {
   @Before
   public void setUpDNCertClient(){
 
-    FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
-        .toString(), securityConfig.getPrivateKeyFileName()).toFile());
-    FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
-        .toString(), securityConfig.getPublicKeyFileName()).toFile());
+    FileUtils.deleteQuietly(Paths.get(
+        securityConfig.getKeyLocation(DN_COMPONENT).toString(),
+        securityConfig.getPrivateKeyFileName()).toFile());
+    FileUtils.deleteQuietly(Paths.get(
+        securityConfig.getKeyLocation(DN_COMPONENT).toString(),
+        securityConfig.getPublicKeyFileName()).toFile());
     FileUtils.deleteQuietly(Paths.get(securityConfig
-        .getCertificateLocation().toString(),
+        .getCertificateLocation(DN_COMPONENT).toString(),
         securityConfig.getCertificateFileName()).toFile());
     dnLogs.clearOutput();
     client = new DNCertificateClient(securityConfig,
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
index 247c9d7..c9afe69 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
@@ -40,6 +40,7 @@ import org.apache.hadoop.hdds.scm.ScmInfo;
 import org.apache.hadoop.hdds.scm.client.HddsClientUtils;
 import org.apache.hadoop.hdds.scm.server.SCMStorageConfig;
 import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
+import org.apache.hadoop.hdds.security.x509.SecurityConfig;
 import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
 import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
 import org.apache.hadoop.hdds.security.x509.keys.KeyCodec;
@@ -112,6 +113,7 @@ import static org.slf4j.event.Level.INFO;
 public final class TestSecureOzoneCluster {
 
   private static final String TEST_USER = "testUgiUser@EXAMPLE.COM";
+  private static final String COMPONENT = "test";
   private static final int CLIENT_TIMEOUT = 2 * 1000;
   private Logger logger = LoggerFactory
       .getLogger(TestSecureOzoneCluster.class);
@@ -557,7 +559,7 @@ public final class TestSecureOzoneCluster {
   private void generateKeyPair(OzoneConfiguration config) throws Exception {
     HDDSKeyGenerator keyGenerator = new HDDSKeyGenerator(conf);
     keyPair = keyGenerator.generateKey();
-    KeyCodec pemWriter = new KeyCodec(config);
+    KeyCodec pemWriter = new KeyCodec(new SecurityConfig(config), COMPONENT);
     pemWriter.writeKey(keyPair, true);
   }
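Review bot: `generateKeyPair` builds the key generator from the field `conf` but the codec from the parameter `config`, so the key parameters and the output directory can come from two different configurations. Using the parameter for both, `new HDDSKeyGenerator(config)`, makes the method depend only on its argument. Separately, the pair is written under the component `"test"`. If the secure cluster's services read keys from their own component directories, they would not pick this pair up, so confirm that this is intended.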
 
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestSecureOzoneManager.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestSecureOzoneManager.java
index 888a650..728d170 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestSecureOzoneManager.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestSecureOzoneManager.java
@@ -60,6 +60,7 @@ import static org.apache.hadoop.test.GenericTestUtils.*;
  */
 public class TestSecureOzoneManager {
 
+  private static final String COMPONENT = "om";
   private MiniOzoneCluster cluster = null;
   private OzoneConfiguration conf;
   private String clusterId;
@@ -151,7 +152,7 @@ public class TestSecureOzoneManager {
 
     // Case 3: When public key as well as certificate is missing.
     client = new OMCertificateClient(securityConfig);
-    FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
+    FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT)
         .toString(), securityConfig.getPublicKeyFileName()).toFile());
     LambdaTestUtils.intercept(RuntimeException.class, " OM security" +
             " initialization failed",
@@ -164,9 +165,9 @@ public class TestSecureOzoneManager {
 
     // Case 4: When private key and certificate is missing.
     client = new OMCertificateClient(securityConfig);
-    FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
+    FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT)
         .toString(), securityConfig.getPrivateKeyFileName()).toFile());
-    KeyCodec keyCodec = new KeyCodec(securityConfig);
+    KeyCodec keyCodec = new KeyCodec(securityConfig, COMPONENT);
     keyCodec.writePublicKey(publicKey);
     LambdaTestUtils.intercept(RuntimeException.class, " OM security" +
             " initialization failed",
@@ -178,9 +179,10 @@ public class TestSecureOzoneManager {
     omLogs.clearOutput();
 
     // Case 5: When only certificate is present.
-    FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
+    FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT)
         .toString(), securityConfig.getPublicKeyFileName()).toFile());
-    CertificateCodec certCodec = new CertificateCodec(securityConfig);
+    CertificateCodec certCodec =
+        new CertificateCodec(securityConfig, COMPONENT);
     X509Certificate x509Certificate = KeyStoreTestUtil.generateCertificate(
         "CN=Test", new KeyPair(publicKey, privateKey), 10,
         securityConfig.getSignatureAlgo());
@@ -201,7 +203,7 @@ public class TestSecureOzoneManager {
     // Case 6: When private key and certificate is present.
     client = new OMCertificateClient(securityConfig,
         x509Certificate.getSerialNumber().toString());
-    FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
+    FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT)
         .toString(), securityConfig.getPublicKeyFileName()).toFile());
     keyCodec.writePrivateKey(privateKey);
     OzoneManager.initializeSecurity(conf, omStorage);

