You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by xy...@apache.org on 2019/08/28 00:29:33 UTC
[hadoop] branch trunk updated: HDDS-1946. CertificateClient should not persist keys/certs to ozone.m… (#1311)
This is an automated email from the ASF dual-hosted git repository.
xyao pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/trunk by this push:
new b1eee8b HDDS-1946. CertificateClient should not persist keys/certs to ozone.m… (#1311)
b1eee8b is described below
commit b1eee8b52eecf45827abbe8fe16ab48eade46cc8
Author: Vivek Ratnavel Subramanian <vi...@gmail.com>
AuthorDate: Tue Aug 27 17:29:27 2019 -0700
HDDS-1946. CertificateClient should not persist keys/certs to ozone.m… (#1311)
---
.../apache/hadoop/hdds/scm/XceiverClientGrpc.java | 7 +-
.../hadoop/hdds/security/x509/SecurityConfig.java | 102 +++++++++++++-------
.../certificate/client/DNCertificateClient.java | 8 +-
.../client/DefaultCertificateClient.java | 21 +++--
.../certificate/client/OMCertificateClient.java | 6 +-
.../x509/certificate/utils/CertificateCodec.java | 25 +----
.../hadoop/hdds/security/x509/keys/KeyCodec.java | 26 +----
.../client/TestCertificateClientInit.java | 63 ++++++++-----
.../client/TestDefaultCertificateClient.java | 105 ++++++++++++---------
.../certificate/utils/TestCertificateCodec.java | 10 +-
.../hdds/security/x509/keys/TestKeyCodec.java | 18 ++--
.../common/transport/server/XceiverServerGrpc.java | 8 +-
.../hadoop/ozone/TestHddsSecureDatanodeInit.java | 17 ++--
.../hadoop/ozone/TestSecureOzoneCluster.java | 4 +-
.../hadoop/ozone/om/TestSecureOzoneManager.java | 14 +--
15 files changed, 241 insertions(+), 193 deletions(-)
diff --git a/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientGrpc.java b/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientGrpc.java
index b51b221..d8daaa7 100644
--- a/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientGrpc.java
+++ b/hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientGrpc.java
@@ -70,6 +70,7 @@ import java.util.concurrent.TimeoutException;
*/
public class XceiverClientGrpc extends XceiverClientSpi {
static final Logger LOG = LoggerFactory.getLogger(XceiverClientGrpc.class);
+ private static final String COMPONENT = "dn";
private final Pipeline pipeline;
private final Configuration config;
private Map<UUID, XceiverClientProtocolServiceStub> asyncStubs;
@@ -150,9 +151,9 @@ public class XceiverClientGrpc extends XceiverClientSpi {
.intercept(new ClientCredentialInterceptor(userName, encodedToken),
new GrpcClientInterceptor());
if (secConfig.isGrpcTlsEnabled()) {
- File trustCertCollectionFile = secConfig.getTrustStoreFile();
- File privateKeyFile = secConfig.getClientPrivateKeyFile();
- File clientCertChainFile = secConfig.getClientCertChainFile();
+ File trustCertCollectionFile = secConfig.getTrustStoreFile(COMPONENT);
+ File privateKeyFile = secConfig.getClientPrivateKeyFile(COMPONENT);
+ File clientCertChainFile = secConfig.getClientCertChainFile(COMPONENT);
SslContextBuilder sslContextBuilder = GrpcSslContexts.forClient();
if (trustCertCollectionFile != null) {
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java
index 0e4204f..969f7bb 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java
@@ -20,6 +20,7 @@
package org.apache.hadoop.hdds.security.x509;
import com.google.common.base.Preconditions;
+import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.ozone.OzoneConfigKeys;
import org.apache.ratis.thirdparty.io.netty.handler.ssl.SslProvider;
@@ -247,22 +248,11 @@ public class SecurityConfig {
}
/**
- * Returns the File path to where keys are stored.
- *
- * @return path Key location.
- */
- public Path getKeyLocation() {
- Preconditions.checkNotNull(this.metadatDir, "Metadata directory can't be"
- + " null. Please check configs.");
- return Paths.get(metadatDir, keyDir);
- }
-
- /**
* Returns the File path to where keys are stored with an additional component
* name inserted in between.
*
* @param component - Component Name - String.
- * @return Path location.
+ * @return Path Key location.
*/
public Path getKeyLocation(String component) {
Preconditions.checkNotNull(this.metadatDir, "Metadata directory can't be"
@@ -271,18 +261,8 @@ public class SecurityConfig {
}
/**
- * Returns the File path to where keys are stored.
- *
- * @return path Key location.
- */
- public Path getCertificateLocation() {
- Preconditions.checkNotNull(this.metadatDir, "Metadata directory can't be"
- + " null. Please check configs.");
- return Paths.get(metadatDir, certificateDir);
- }
-
- /**
- * Returns the File path to where keys are stored with an addition component
+ * Returns the File path to where certificates are stored with an addition
+ * component
* name inserted in between.
*
* @param component - Component Name - String.
@@ -381,12 +361,33 @@ public class SecurityConfig {
/**
* Returns the TLS-enabled gRPC client private key file(Only needed for mutual
+ * authentication) for the given component.
+ * @param component name of the component.
+ * @return the TLS-enabled gRPC client private key file.
+ */
+ public File getClientPrivateKeyFile(String component) {
+ return Paths.get(getKeyLocation(component).toString(),
+ "client." + privateKeyFileName).toFile();
+ }
+
+ /**
+ * Returns the TLS-enabled gRPC client private key file(Only needed for mutual
* authentication).
* @return the TLS-enabled gRPC client private key file.
*/
public File getClientPrivateKeyFile() {
- return Paths.get(getKeyLocation().toString(),
- "client." + privateKeyFileName).toFile();
+ return getClientPrivateKeyFile(StringUtils.EMPTY);
+ }
+
+ /**
+ * Returns the TLS-enabled gRPC server private key file for the given
+ * component.
+ * @param component name of the component.
+ * @return the TLS-enabled gRPC server private key file.
+ */
+ public File getServerPrivateKeyFile(String component) {
+ return Paths.get(getKeyLocation(component).toString(),
+ "server." + privateKeyFileName).toFile();
}
/**
@@ -394,8 +395,19 @@ public class SecurityConfig {
* @return the TLS-enabled gRPC server private key file.
*/
public File getServerPrivateKeyFile() {
- return Paths.get(getKeyLocation().toString(),
- "server." + privateKeyFileName).toFile();
+ return getServerPrivateKeyFile(StringUtils.EMPTY);
+ }
+
+ /**
+ * Get the trusted CA certificate file for the given component. (CA
+ * certificate)
+ * @param component name of the component.
+ * @return the trusted CA certificate.
+ */
+ public File getTrustStoreFile(String component) {
+ return Paths.get(getKeyLocation(component).toString(),
+ trustStoreFileName).
+ toFile();
}
/**
@@ -403,7 +415,19 @@ public class SecurityConfig {
* @return the trusted CA certificate.
*/
public File getTrustStoreFile() {
- return Paths.get(getKeyLocation().toString(), trustStoreFileName).
+ return getTrustStoreFile(StringUtils.EMPTY);
+ }
+
+ /**
+ * Get the TLS-enabled gRPC Client certificate chain file for the given
+ * component (only needed for
+ * mutual authentication).
+ * @param component name of the component.
+ * @return the TLS-enabled gRPC Server certificate chain file.
+ */
+ public File getClientCertChainFile(String component) {
+ return Paths.get(getKeyLocation(component).toString(),
+ clientCertChainFileName).
toFile();
}
@@ -413,7 +437,18 @@ public class SecurityConfig {
* @return the TLS-enabled gRPC Server certificate chain file.
*/
public File getClientCertChainFile() {
- return Paths.get(getKeyLocation().toString(), clientCertChainFileName).
+ return getClientCertChainFile(StringUtils.EMPTY);
+ }
+
+ /**
+ * Get the TLS-enabled gRPC Server certificate chain file for the given
+ * component.
+ * @param component name of the component.
+ * @return the TLS-enabled gRPC Server certificate chain file.
+ */
+ public File getServerCertChainFile(String component) {
+ return Paths.get(getKeyLocation(component).toString(),
+ serverCertChainFileName).
toFile();
}
@@ -422,8 +457,7 @@ public class SecurityConfig {
* @return the TLS-enabled gRPC Server certificate chain file.
*/
public File getServerCertChainFile() {
- return Paths.get(getKeyLocation().toString(), serverCertChainFileName).
- toFile();
+ return getServerCertChainFile(StringUtils.EMPTY);
}
/**
@@ -437,7 +471,7 @@ public class SecurityConfig {
/**
* Return true if using test certificates with authority as localhost.
- * This should be used only for unit test where certifiates are generated
+ * This should be used only for unit test where certificates are generated
* by openssl with localhost as DN and should never use for production as it
* will bypass the hostname/ip matching verification.
* @return true if using test certificates.
@@ -464,7 +498,7 @@ public class SecurityConfig {
/**
* Returns max date for which S3 tokens will be valid.
- * */
+ */
public long getS3TokenMaxDate() {
return getConfiguration().getTimeDuration(
OzoneConfigKeys.OZONE_S3_TOKEN_MAX_LIFETIME_KEY,
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DNCertificateClient.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DNCertificateClient.java
index 7790d04..7698658 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DNCertificateClient.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DNCertificateClient.java
@@ -25,6 +25,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+
/**
* Certificate client for DataNodes.
*/
@@ -32,13 +33,16 @@ public class DNCertificateClient extends DefaultCertificateClient {
private static final Logger LOG =
LoggerFactory.getLogger(DNCertificateClient.class);
+
+ public static final String COMPONENT_NAME = "dn";
+
public DNCertificateClient(SecurityConfig securityConfig,
String certSerialId) {
- super(securityConfig, LOG, certSerialId);
+ super(securityConfig, LOG, certSerialId, COMPONENT_NAME);
}
public DNCertificateClient(SecurityConfig securityConfig) {
- super(securityConfig, LOG, null);
+ super(securityConfig, LOG, null, COMPONENT_NAME);
}
/**
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
index 8f13574..388c5bc 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
@@ -89,16 +89,18 @@ public abstract class DefaultCertificateClient implements CertificateClient {
private X509Certificate x509Certificate;
private Map<String, X509Certificate> certificateMap;
private String certSerialId;
+ private String component;
DefaultCertificateClient(SecurityConfig securityConfig, Logger log,
- String certSerialId) {
+ String certSerialId, String component) {
Objects.requireNonNull(securityConfig);
this.securityConfig = securityConfig;
- keyCodec = new KeyCodec(securityConfig);
+ keyCodec = new KeyCodec(securityConfig, component);
this.logger = log;
this.certificateMap = new ConcurrentHashMap<>();
this.certSerialId = certSerialId;
+ this.component = component;
loadAllCertificates();
}
@@ -108,7 +110,7 @@ public abstract class DefaultCertificateClient implements CertificateClient {
* */
private void loadAllCertificates() {
// See if certs directory exists in file system.
- Path certPath = securityConfig.getCertificateLocation();
+ Path certPath = securityConfig.getCertificateLocation(component);
if (Files.exists(certPath) && Files.isDirectory(certPath)) {
getLogger().info("Loading certificate from location:{}.",
certPath);
@@ -116,7 +118,7 @@ public abstract class DefaultCertificateClient implements CertificateClient {
if (certFiles != null) {
CertificateCodec certificateCodec =
- new CertificateCodec(securityConfig);
+ new CertificateCodec(securityConfig, component);
for (File file : certFiles) {
if (file.isFile()) {
try {
@@ -158,7 +160,7 @@ public abstract class DefaultCertificateClient implements CertificateClient {
return privateKey;
}
- Path keyPath = securityConfig.getKeyLocation();
+ Path keyPath = securityConfig.getKeyLocation(component);
if (OzoneSecurityUtil.checkIfFileExist(keyPath,
securityConfig.getPrivateKeyFileName())) {
try {
@@ -182,7 +184,7 @@ public abstract class DefaultCertificateClient implements CertificateClient {
return publicKey;
}
- Path keyPath = securityConfig.getKeyLocation();
+ Path keyPath = securityConfig.getKeyLocation(component);
if (OzoneSecurityUtil.checkIfFileExist(keyPath,
securityConfig.getPublicKeyFileName())) {
try {
@@ -477,9 +479,10 @@ public abstract class DefaultCertificateClient implements CertificateClient {
@Override
public void storeCertificate(String pemEncodedCert, boolean force,
boolean caCert) throws CertificateException {
- CertificateCodec certificateCodec = new CertificateCodec(securityConfig);
+ CertificateCodec certificateCodec = new CertificateCodec(securityConfig,
+ component);
try {
- Path basePath = securityConfig.getCertificateLocation();
+ Path basePath = securityConfig.getCertificateLocation(component);
X509Certificate cert =
CertificateCodec.getX509Certificate(pemEncodedCert);
@@ -738,7 +741,7 @@ public abstract class DefaultCertificateClient implements CertificateClient {
* location.
* */
protected void bootstrapClientKeys() throws CertificateException {
- Path keyPath = securityConfig.getKeyLocation();
+ Path keyPath = securityConfig.getKeyLocation(component);
if (Files.notExists(keyPath)) {
try {
Files.createDirectories(keyPath);
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/OMCertificateClient.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/OMCertificateClient.java
index b1f7504..cb3ce75 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/OMCertificateClient.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/OMCertificateClient.java
@@ -39,13 +39,15 @@ public class OMCertificateClient extends DefaultCertificateClient {
private static final Logger LOG =
LoggerFactory.getLogger(OMCertificateClient.class);
+ public static final String COMPONENT_NAME = "om";
+
public OMCertificateClient(SecurityConfig securityConfig,
String certSerialId) {
- super(securityConfig, LOG, certSerialId);
+ super(securityConfig, LOG, certSerialId, COMPONENT_NAME);
}
public OMCertificateClient(SecurityConfig securityConfig) {
- super(securityConfig, LOG, null);
+ super(securityConfig, LOG, null, COMPONENT_NAME);
}
protected InitResponse handleCase(InitCase init) throws
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateCodec.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateCodec.java
index 90d5325..2c8721b 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateCodec.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateCodec.java
@@ -19,9 +19,7 @@
package org.apache.hadoop.hdds.security.x509.certificate.utils;
-import com.google.common.base.Preconditions;
import org.apache.commons.io.IOUtils;
-import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.bouncycastle.cert.X509CertificateHolder;
@@ -70,7 +68,7 @@ public class CertificateCodec {
Stream.of(OWNER_READ, OWNER_WRITE, OWNER_EXECUTE)
.collect(Collectors.toSet());
/**
- * Creates an CertificateCodec.
+ * Creates a CertificateCodec with component name.
*
* @param config - Security Config.
* @param component - Component String.
@@ -81,27 +79,6 @@ public class CertificateCodec {
}
/**
- * Creates an CertificateCodec.
- *
- * @param config - Security Config.
- */
- public CertificateCodec(SecurityConfig config) {
- this.securityConfig = config;
- this.location = securityConfig.getCertificateLocation();
- }
-
- /**
- * Creates an CertificateCodec.
- *
- * @param configuration - Configuration
- */
- public CertificateCodec(Configuration configuration) {
- Preconditions.checkNotNull(configuration, "Config cannot be null");
- this.securityConfig = new SecurityConfig(configuration);
- this.location = securityConfig.getCertificateLocation();
- }
-
- /**
* Returns a X509 Certificate from the Certificate Holder.
*
* @param holder - Holder
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/keys/KeyCodec.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/keys/KeyCodec.java
index a5ebdae..82873b0 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/keys/KeyCodec.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/keys/KeyCodec.java
@@ -22,7 +22,6 @@ import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import org.apache.commons.io.FileUtils;
import org.apache.commons.io.output.FileWriterWithEncoding;
-import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;
@@ -76,7 +75,7 @@ public class KeyCodec {
private Supplier<Boolean> isPosixFileSystem;
/**
- * Creates an KeyCodec.
+ * Creates a KeyCodec with component name.
*
* @param config - Security Config.
* @param component - Component String.
@@ -88,29 +87,6 @@ public class KeyCodec {
}
/**
- * Creates an KeyCodec.
- *
- * @param config - Security Config.
- */
- public KeyCodec(SecurityConfig config) {
- this.securityConfig = config;
- isPosixFileSystem = KeyCodec::isPosix;
- this.location = securityConfig.getKeyLocation();
- }
-
- /**
- * Creates an HDDS Key Writer.
- *
- * @param configuration - Configuration
- */
- public KeyCodec(Configuration configuration) {
- Preconditions.checkNotNull(configuration, "Config cannot be null");
- this.securityConfig = new SecurityConfig(configuration);
- isPosixFileSystem = KeyCodec::isPosix;
- this.location = securityConfig.getKeyLocation();
- }
-
- /**
* Checks if File System supports posix style security permissions.
*
* @return True if it supports posix.
diff --git a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestCertificateClientInit.java b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestCertificateClientInit.java
index 61bcf21..dcd9898 100644
--- a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestCertificateClientInit.java
+++ b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestCertificateClientInit.java
@@ -66,8 +66,11 @@ public class TestCertificateClientInit {
private HDDSKeyGenerator keyGenerator;
private Path metaDirPath;
private SecurityConfig securityConfig;
- private KeyCodec keyCodec;
+ private KeyCodec dnKeyCodec;
+ private KeyCodec omKeyCodec;
private X509Certificate x509Certificate;
+ private final static String DN_COMPONENT = DNCertificateClient.COMPONENT_NAME;
+ private final static String OM_COMPONENT = OMCertificateClient.COMPONENT_NAME;
@Parameter
public boolean pvtKeyPresent;
@@ -107,9 +110,11 @@ public class TestCertificateClientInit {
certSerialId);
omCertificateClient = new OMCertificateClient(securityConfig,
certSerialId);
- keyCodec = new KeyCodec(securityConfig);
+ dnKeyCodec = new KeyCodec(securityConfig, DN_COMPONENT);
+ omKeyCodec = new KeyCodec(securityConfig, OM_COMPONENT);
- Files.createDirectories(securityConfig.getKeyLocation());
+ Files.createDirectories(securityConfig.getKeyLocation(DN_COMPONENT));
+ Files.createDirectories(securityConfig.getKeyLocation(OM_COMPONENT));
}
@After
@@ -123,28 +128,32 @@ public class TestCertificateClientInit {
@Test
public void testInitDatanode() throws Exception {
if (pvtKeyPresent) {
- keyCodec.writePrivateKey(keyPair.getPrivate());
+ dnKeyCodec.writePrivateKey(keyPair.getPrivate());
} else {
- FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
- .toString(), securityConfig.getPrivateKeyFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ securityConfig.getKeyLocation(DN_COMPONENT).toString(),
+ securityConfig.getPrivateKeyFileName()).toFile());
}
if (pubKeyPresent) {
if (dnCertificateClient.getPublicKey() == null) {
- keyCodec.writePublicKey(keyPair.getPublic());
+ dnKeyCodec.writePublicKey(keyPair.getPublic());
}
} else {
- FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
- .toString(), securityConfig.getPublicKeyFileName()).toFile());
+ FileUtils.deleteQuietly(
+ Paths.get(securityConfig.getKeyLocation(DN_COMPONENT).toString(),
+ securityConfig.getPublicKeyFileName()).toFile());
}
if (certPresent) {
- CertificateCodec codec = new CertificateCodec(securityConfig);
+ CertificateCodec codec = new CertificateCodec(securityConfig,
+ DN_COMPONENT);
codec.writeCertificate(new X509CertificateHolder(
x509Certificate.getEncoded()));
} else {
- FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
- .toString(), securityConfig.getCertificateFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ securityConfig.getKeyLocation(DN_COMPONENT).toString(),
+ securityConfig.getCertificateFileName()).toFile());
}
InitResponse response = dnCertificateClient.init();
@@ -152,10 +161,10 @@ public class TestCertificateClientInit {
if (!response.equals(FAILURE)) {
assertTrue(OzoneSecurityUtil.checkIfFileExist(
- securityConfig.getKeyLocation(),
+ securityConfig.getKeyLocation(DN_COMPONENT),
securityConfig.getPrivateKeyFileName()));
assertTrue(OzoneSecurityUtil.checkIfFileExist(
- securityConfig.getKeyLocation(),
+ securityConfig.getKeyLocation(DN_COMPONENT),
securityConfig.getPublicKeyFileName()));
}
}
@@ -163,28 +172,32 @@ public class TestCertificateClientInit {
@Test
public void testInitOzoneManager() throws Exception {
if (pvtKeyPresent) {
- keyCodec.writePrivateKey(keyPair.getPrivate());
+ omKeyCodec.writePrivateKey(keyPair.getPrivate());
} else {
- FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
- .toString(), securityConfig.getPrivateKeyFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ securityConfig.getKeyLocation(OM_COMPONENT).toString(),
+ securityConfig.getPrivateKeyFileName()).toFile());
}
if (pubKeyPresent) {
if (omCertificateClient.getPublicKey() == null) {
- keyCodec.writePublicKey(keyPair.getPublic());
+ omKeyCodec.writePublicKey(keyPair.getPublic());
}
} else {
- FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
- .toString(), securityConfig.getPublicKeyFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ securityConfig.getKeyLocation(OM_COMPONENT).toString(),
+ securityConfig.getPublicKeyFileName()).toFile());
}
if (certPresent) {
- CertificateCodec codec = new CertificateCodec(securityConfig);
+ CertificateCodec codec = new CertificateCodec(securityConfig,
+ OM_COMPONENT);
codec.writeCertificate(new X509CertificateHolder(
x509Certificate.getEncoded()));
} else {
- FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
- .toString(), securityConfig.getCertificateFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ securityConfig.getKeyLocation(OM_COMPONENT).toString(),
+ securityConfig.getCertificateFileName()).toFile());
}
InitResponse response = omCertificateClient.init();
@@ -196,10 +209,10 @@ public class TestCertificateClientInit {
if (!response.equals(FAILURE)) {
assertTrue(OzoneSecurityUtil.checkIfFileExist(
- securityConfig.getKeyLocation(),
+ securityConfig.getKeyLocation(OM_COMPONENT),
securityConfig.getPrivateKeyFileName()));
assertTrue(OzoneSecurityUtil.checkIfFileExist(
- securityConfig.getKeyLocation(),
+ securityConfig.getKeyLocation(OM_COMPONENT),
securityConfig.getPublicKeyFileName()));
}
}
diff --git a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDefaultCertificateClient.java b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDefaultCertificateClient.java
index 11be0de..f389cdb 100644
--- a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDefaultCertificateClient.java
+++ b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDefaultCertificateClient.java
@@ -76,6 +76,8 @@ public class TestDefaultCertificateClient {
private SecurityConfig omSecurityConfig;
private SecurityConfig dnSecurityConfig;
private final static String UTF = "UTF-8";
+ private final static String DN_COMPONENT = DNCertificateClient.COMPONENT_NAME;
+ private final static String OM_COMPONENT = OMCertificateClient.COMPONENT_NAME;
private KeyCodec omKeyCodec;
private KeyCodec dnKeyCodec;
@@ -99,11 +101,11 @@ public class TestDefaultCertificateClient {
keyGenerator = new HDDSKeyGenerator(omSecurityConfig);
- omKeyCodec = new KeyCodec(omSecurityConfig);
- dnKeyCodec = new KeyCodec(dnSecurityConfig);
+ omKeyCodec = new KeyCodec(omSecurityConfig, OM_COMPONENT);
+ dnKeyCodec = new KeyCodec(dnSecurityConfig, DN_COMPONENT);
- Files.createDirectories(omSecurityConfig.getKeyLocation());
- Files.createDirectories(dnSecurityConfig.getKeyLocation());
+ Files.createDirectories(omSecurityConfig.getKeyLocation(OM_COMPONENT));
+ Files.createDirectories(dnSecurityConfig.getKeyLocation(DN_COMPONENT));
x509Certificate = generateX509Cert(null);
certSerialId = x509Certificate.getSerialNumber().toString();
getCertClient();
@@ -156,14 +158,18 @@ public class TestDefaultCertificateClient {
}
private void cleanupOldKeyPair() {
- FileUtils.deleteQuietly(Paths.get(omSecurityConfig.getKeyLocation()
- .toString(), omSecurityConfig.getPrivateKeyFileName()).toFile());
- FileUtils.deleteQuietly(Paths.get(omSecurityConfig.getKeyLocation()
- .toString(), omSecurityConfig.getPublicKeyFileName()).toFile());
- FileUtils.deleteQuietly(Paths.get(dnSecurityConfig.getKeyLocation()
- .toString(), dnSecurityConfig.getPrivateKeyFileName()).toFile());
- FileUtils.deleteQuietly(Paths.get(dnSecurityConfig.getKeyLocation()
- .toString(), dnSecurityConfig.getPublicKeyFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ omSecurityConfig.getKeyLocation(OM_COMPONENT).toString(),
+ omSecurityConfig.getPrivateKeyFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ omSecurityConfig.getKeyLocation(OM_COMPONENT).toString(),
+ omSecurityConfig.getPublicKeyFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(),
+ dnSecurityConfig.getPrivateKeyFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(),
+ dnSecurityConfig.getPublicKeyFileName()).toFile());
}
/**
@@ -196,10 +202,12 @@ public class TestDefaultCertificateClient {
@Test
public void testSignDataStream() throws Exception {
String data = RandomStringUtils.random(100, UTF);
- FileUtils.deleteQuietly(Paths.get(omSecurityConfig.getKeyLocation()
- .toString(), omSecurityConfig.getPrivateKeyFileName()).toFile());
- FileUtils.deleteQuietly(Paths.get(omSecurityConfig.getKeyLocation()
- .toString(), omSecurityConfig.getPublicKeyFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ omSecurityConfig.getKeyLocation(OM_COMPONENT).toString(),
+ omSecurityConfig.getPrivateKeyFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ omSecurityConfig.getKeyLocation(OM_COMPONENT).toString(),
+ omSecurityConfig.getPublicKeyFileName()).toFile());
// Expect error when there is no private key to sign.
LambdaTestUtils.intercept(IOException.class, "Error while " +
@@ -285,8 +293,9 @@ public class TestDefaultCertificateClient {
X509Certificate cert2 = generateX509Cert(keyPair);
X509Certificate cert3 = generateX509Cert(keyPair);
- Path certPath = dnSecurityConfig.getCertificateLocation();
- CertificateCodec codec = new CertificateCodec(dnSecurityConfig);
+ Path certPath = dnSecurityConfig.getCertificateLocation(DN_COMPONENT);
+ CertificateCodec codec = new CertificateCodec(dnSecurityConfig,
+ DN_COMPONENT);
// Certificate not found.
LambdaTestUtils.intercept(CertificateException.class, "Error while" +
@@ -308,7 +317,7 @@ public class TestDefaultCertificateClient {
codec.writeCertificate(certPath, "3.crt",
getPEMEncodedString(cert3), true);
- // Re instentiate DN client which will load certificates from filesystem.
+ // Re instantiate DN client which will load certificates from filesystem.
dnCertClient = new DNCertificateClient(dnSecurityConfig, certSerialId);
assertNotNull(dnCertClient.getCertificate(cert1.getSerialNumber()
@@ -352,16 +361,20 @@ public class TestDefaultCertificateClient {
omClientLog.clearOutput();
// Case 1. Expect failure when keypair validation fails.
- FileUtils.deleteQuietly(Paths.get(omSecurityConfig.getKeyLocation()
- .toString(), omSecurityConfig.getPrivateKeyFileName()).toFile());
- FileUtils.deleteQuietly(Paths.get(omSecurityConfig.getKeyLocation()
- .toString(), omSecurityConfig.getPublicKeyFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ omSecurityConfig.getKeyLocation(OM_COMPONENT).toString(),
+ omSecurityConfig.getPrivateKeyFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ omSecurityConfig.getKeyLocation(OM_COMPONENT).toString(),
+ omSecurityConfig.getPublicKeyFileName()).toFile());
- FileUtils.deleteQuietly(Paths.get(dnSecurityConfig.getKeyLocation()
- .toString(), dnSecurityConfig.getPrivateKeyFileName()).toFile());
- FileUtils.deleteQuietly(Paths.get(dnSecurityConfig.getKeyLocation()
- .toString(), dnSecurityConfig.getPublicKeyFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(),
+ dnSecurityConfig.getPrivateKeyFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(),
+ dnSecurityConfig.getPublicKeyFileName()).toFile());
omKeyCodec.writePrivateKey(keyPair.getPrivate());
omKeyCodec.writePublicKey(keyPair2.getPublic());
@@ -387,16 +400,20 @@ public class TestDefaultCertificateClient {
// Case 2. Expect failure when certificate is generated from different
// private key and keypair validation fails.
getCertClient();
- FileUtils.deleteQuietly(Paths.get(omSecurityConfig.getKeyLocation()
- .toString(), omSecurityConfig.getCertificateFileName()).toFile());
- FileUtils.deleteQuietly(Paths.get(dnSecurityConfig.getKeyLocation()
- .toString(), dnSecurityConfig.getCertificateFileName()).toFile());
-
- CertificateCodec omCertCodec = new CertificateCodec(omSecurityConfig);
+ FileUtils.deleteQuietly(Paths.get(
+ omSecurityConfig.getKeyLocation(OM_COMPONENT).toString(),
+ omSecurityConfig.getCertificateFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(),
+ dnSecurityConfig.getCertificateFileName()).toFile());
+
+ CertificateCodec omCertCodec = new CertificateCodec(omSecurityConfig,
+ OM_COMPONENT);
omCertCodec.writeCertificate(new X509CertificateHolder(
x509Certificate.getEncoded()));
- CertificateCodec dnCertCodec = new CertificateCodec(dnSecurityConfig);
+ CertificateCodec dnCertCodec = new CertificateCodec(dnSecurityConfig,
+ DN_COMPONENT);
dnCertCodec.writeCertificate(new X509CertificateHolder(
x509Certificate.getEncoded()));
// Check for DN.
@@ -416,10 +433,12 @@ public class TestDefaultCertificateClient {
// private key and certificate validation fails.
// Re write the correct public key.
- FileUtils.deleteQuietly(Paths.get(omSecurityConfig.getKeyLocation()
- .toString(), omSecurityConfig.getPublicKeyFileName()).toFile());
- FileUtils.deleteQuietly(Paths.get(dnSecurityConfig.getKeyLocation()
- .toString(), dnSecurityConfig.getPublicKeyFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ omSecurityConfig.getKeyLocation(OM_COMPONENT).toString(),
+ omSecurityConfig.getPublicKeyFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(),
+ dnSecurityConfig.getPublicKeyFileName()).toFile());
getCertClient();
omKeyCodec.writePublicKey(keyPair.getPublic());
dnKeyCodec.writePublicKey(keyPair.getPublic());
@@ -440,10 +459,12 @@ public class TestDefaultCertificateClient {
// Case 4. Failure when public key recovery fails.
getCertClient();
- FileUtils.deleteQuietly(Paths.get(omSecurityConfig.getKeyLocation()
- .toString(), omSecurityConfig.getPublicKeyFileName()).toFile());
- FileUtils.deleteQuietly(Paths.get(dnSecurityConfig.getKeyLocation()
- .toString(), dnSecurityConfig.getPublicKeyFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ omSecurityConfig.getKeyLocation(OM_COMPONENT).toString(),
+ omSecurityConfig.getPublicKeyFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(),
+ dnSecurityConfig.getPublicKeyFileName()).toFile());
// Check for DN.
assertEquals(dnCertClient.init(), FAILURE);
diff --git a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestCertificateCodec.java b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestCertificateCodec.java
index 9ac956f..ded5206 100644
--- a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestCertificateCodec.java
+++ b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestCertificateCodec.java
@@ -22,6 +22,7 @@ package org.apache.hadoop.hdds.security.x509.certificate.utils;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
+import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificates.utils.SelfSignedCertificate;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.bouncycastle.cert.X509CertificateHolder;
@@ -50,12 +51,15 @@ import static org.junit.Assert.assertTrue;
*/
public class TestCertificateCodec {
private static OzoneConfiguration conf = new OzoneConfiguration();
+ private static final String COMPONENT = "test";
+ private SecurityConfig securityConfig;
@Rule
public TemporaryFolder temporaryFolder = new TemporaryFolder();
@Before
public void init() throws IOException {
conf.set(OZONE_METADATA_DIRS, temporaryFolder.newFolder().toString());
+ securityConfig = new SecurityConfig(conf);
}
/**
@@ -88,7 +92,7 @@ public class TestCertificateCodec {
.setKey(keyGenerator.generateKey())
.makeCA()
.build();
- CertificateCodec codec = new CertificateCodec(conf);
+ CertificateCodec codec = new CertificateCodec(securityConfig, COMPONENT);
String pemString = codec.getPEMEncodedString(cert);
assertTrue(pemString.startsWith(CertificateCodec.BEGIN_CERT));
assertTrue(pemString.endsWith(CertificateCodec.END_CERT + "\n"));
@@ -131,7 +135,7 @@ public class TestCertificateCodec {
.setKey(keyGenerator.generateKey())
.makeCA()
.build();
- CertificateCodec codec = new CertificateCodec(conf);
+ CertificateCodec codec = new CertificateCodec(securityConfig, COMPONENT);
String pemString = codec.getPEMEncodedString(cert);
File basePath = temporaryFolder.newFolder();
if (!basePath.exists()) {
@@ -172,7 +176,7 @@ public class TestCertificateCodec {
.setKey(keyGenerator.generateKey())
.makeCA()
.build();
- CertificateCodec codec = new CertificateCodec(conf);
+ CertificateCodec codec = new CertificateCodec(securityConfig, COMPONENT);
codec.writeCertificate(cert);
X509CertificateHolder certHolder = codec.readCertificate();
assertNotNull(certHolder);
diff --git a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/keys/TestKeyCodec.java b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/keys/TestKeyCodec.java
index d3e13d2..d82b02f 100644
--- a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/keys/TestKeyCodec.java
+++ b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/keys/TestKeyCodec.java
@@ -57,6 +57,8 @@ public class TestKeyCodec {
@Rule
public TemporaryFolder temporaryFolder = new TemporaryFolder();
private OzoneConfiguration configuration;
+ private SecurityConfig securityConfig;
+ private String component;
private HDDSKeyGenerator keyGenerator;
private String prefix;
@@ -66,6 +68,8 @@ public class TestKeyCodec {
prefix = temporaryFolder.newFolder().toString();
configuration.set(HDDS_METADATA_DIR_NAME, prefix);
keyGenerator = new HDDSKeyGenerator(configuration);
+ securityConfig = new SecurityConfig(configuration);
+ component = "test_component";
}
/**
@@ -83,11 +87,11 @@ public class TestKeyCodec {
throws NoSuchProviderException, NoSuchAlgorithmException,
IOException, InvalidKeySpecException {
KeyPair keys = keyGenerator.generateKey();
- KeyCodec pemWriter = new KeyCodec(configuration);
+ KeyCodec pemWriter = new KeyCodec(securityConfig, component);
pemWriter.writeKey(keys);
// Assert that locations have been created.
- Path keyLocation = pemWriter.getSecurityConfig().getKeyLocation();
+ Path keyLocation = pemWriter.getSecurityConfig().getKeyLocation(component);
Assert.assertTrue(keyLocation.toFile().exists());
// Assert that locations are created in the locations that we specified
@@ -172,7 +176,7 @@ public class TestKeyCodec {
public void testReWriteKey()
throws Exception {
KeyPair kp = keyGenerator.generateKey();
- KeyCodec pemWriter = new KeyCodec(configuration);
+ KeyCodec pemWriter = new KeyCodec(securityConfig, component);
SecurityConfig secConfig = pemWriter.getSecurityConfig();
pemWriter.writeKey(kp);
@@ -181,13 +185,13 @@ public class TestKeyCodec {
.intercept(IOException.class, "Private Key file already exists.",
() -> pemWriter.writeKey(kp));
FileUtils.deleteQuietly(Paths.get(
- secConfig.getKeyLocation().toString() + "/" + secConfig
+ secConfig.getKeyLocation(component).toString() + "/" + secConfig
.getPrivateKeyFileName()).toFile());
LambdaTestUtils
.intercept(IOException.class, "Public Key file already exists.",
() -> pemWriter.writeKey(kp));
FileUtils.deleteQuietly(Paths.get(
- secConfig.getKeyLocation().toString() + "/" + secConfig
+ secConfig.getKeyLocation(component).toString() + "/" + secConfig
.getPublicKeyFileName()).toFile());
// Should succeed now as both public and private key are deleted.
@@ -206,7 +210,7 @@ public class TestKeyCodec {
public void testWriteKeyInNonPosixFS()
throws Exception {
KeyPair kp = keyGenerator.generateKey();
- KeyCodec pemWriter = new KeyCodec(configuration);
+ KeyCodec pemWriter = new KeyCodec(securityConfig, component);
pemWriter.setIsPosixFileSystem(() -> false);
// Assert key rewrite fails in non Posix file system.
@@ -221,7 +225,7 @@ public class TestKeyCodec {
InvalidKeySpecException {
KeyPair kp = keyGenerator.generateKey();
- KeyCodec keycodec = new KeyCodec(configuration);
+ KeyCodec keycodec = new KeyCodec(securityConfig, component);
keycodec.writeKey(kp);
PublicKey pubKey = keycodec.readPublicKey();
diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java
index 78c941e..23fa2d0 100644
--- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java
+++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java
@@ -64,6 +64,7 @@ import java.util.concurrent.TimeUnit;
public final class XceiverServerGrpc extends XceiverServer {
private static final Logger
LOG = LoggerFactory.getLogger(XceiverServerGrpc.class);
+ private static final String COMPONENT = "dn";
private int port;
private UUID id;
private Server server;
@@ -111,11 +112,12 @@ public final class XceiverServerGrpc extends XceiverServer {
}
if (getSecConfig().isGrpcTlsEnabled()) {
- File privateKeyFilePath = getSecurityConfig().getServerPrivateKeyFile();
+ File privateKeyFilePath =
+ getSecurityConfig().getServerPrivateKeyFile(COMPONENT);
File serverCertChainFilePath =
- getSecurityConfig().getServerCertChainFile();
+ getSecurityConfig().getServerCertChainFile(COMPONENT);
File clientCertChainFilePath =
- getSecurityConfig().getClientCertChainFile();
+ getSecurityConfig().getClientCertChainFile(COMPONENT);
try {
SslContextBuilder sslClientContextBuilder = SslContextBuilder.forServer(
serverCertChainFilePath, privateKeyFilePath);
diff --git a/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/TestHddsSecureDatanodeInit.java b/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/TestHddsSecureDatanodeInit.java
index 20d5eef..04fd3a4 100644
--- a/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/TestHddsSecureDatanodeInit.java
+++ b/hadoop-hdds/container-service/src/test/java/org/apache/hadoop/ozone/TestHddsSecureDatanodeInit.java
@@ -66,6 +66,7 @@ public class TestHddsSecureDatanodeInit {
private static KeyCodec keyCodec;
private static CertificateCodec certCodec;
private static X509CertificateHolder certHolder;
+ private final static String DN_COMPONENT = DNCertificateClient.COMPONENT_NAME;
@BeforeClass
public static void setUp() throws Exception {
@@ -93,8 +94,8 @@ public class TestHddsSecureDatanodeInit {
service.initializeCertificateClient(conf);
return null;
});
- certCodec = new CertificateCodec(securityConfig);
- keyCodec = new KeyCodec(securityConfig);
+ certCodec = new CertificateCodec(securityConfig, DN_COMPONENT);
+ keyCodec = new KeyCodec(securityConfig, DN_COMPONENT);
dnLogs.clearOutput();
privateKey = service.getCertificateClient().getPrivateKey();
publicKey = service.getCertificateClient().getPublicKey();
@@ -115,12 +116,14 @@ public class TestHddsSecureDatanodeInit {
@Before
public void setUpDNCertClient(){
- FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
- .toString(), securityConfig.getPrivateKeyFileName()).toFile());
- FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
- .toString(), securityConfig.getPublicKeyFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ securityConfig.getKeyLocation(DN_COMPONENT).toString(),
+ securityConfig.getPrivateKeyFileName()).toFile());
+ FileUtils.deleteQuietly(Paths.get(
+ securityConfig.getKeyLocation(DN_COMPONENT).toString(),
+ securityConfig.getPublicKeyFileName()).toFile());
FileUtils.deleteQuietly(Paths.get(securityConfig
- .getCertificateLocation().toString(),
+ .getCertificateLocation(DN_COMPONENT).toString(),
securityConfig.getCertificateFileName()).toFile());
dnLogs.clearOutput();
client = new DNCertificateClient(securityConfig,
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
index 709c43f..68035f8 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
@@ -41,6 +41,7 @@ import org.apache.hadoop.hdds.scm.ScmInfo;
import org.apache.hadoop.hdds.scm.client.HddsClientUtils;
import org.apache.hadoop.hdds.scm.server.SCMStorageConfig;
import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
+import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.apache.hadoop.hdds.security.x509.keys.KeyCodec;
@@ -114,6 +115,7 @@ import static org.slf4j.event.Level.INFO;
public final class TestSecureOzoneCluster {
private static final String TEST_USER = "testUgiUser@EXAMPLE.COM";
+ private static final String COMPONENT = "test";
private static final int CLIENT_TIMEOUT = 2 * 1000;
private Logger logger = LoggerFactory
.getLogger(TestSecureOzoneCluster.class);
@@ -559,7 +561,7 @@ public final class TestSecureOzoneCluster {
private void generateKeyPair(OzoneConfiguration config) throws Exception {
HDDSKeyGenerator keyGenerator = new HDDSKeyGenerator(conf);
keyPair = keyGenerator.generateKey();
- KeyCodec pemWriter = new KeyCodec(config);
+ KeyCodec pemWriter = new KeyCodec(new SecurityConfig(config), COMPONENT);
pemWriter.writeKey(keyPair, true);
}
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestSecureOzoneManager.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestSecureOzoneManager.java
index 888a650..728d170 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestSecureOzoneManager.java
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/om/TestSecureOzoneManager.java
@@ -60,6 +60,7 @@ import static org.apache.hadoop.test.GenericTestUtils.*;
*/
public class TestSecureOzoneManager {
+ private static final String COMPONENT = "om";
private MiniOzoneCluster cluster = null;
private OzoneConfiguration conf;
private String clusterId;
@@ -151,7 +152,7 @@ public class TestSecureOzoneManager {
// Case 3: When public key as well as certificate is missing.
client = new OMCertificateClient(securityConfig);
- FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
+ FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT)
.toString(), securityConfig.getPublicKeyFileName()).toFile());
LambdaTestUtils.intercept(RuntimeException.class, " OM security" +
" initialization failed",
@@ -164,9 +165,9 @@ public class TestSecureOzoneManager {
// Case 4: When private key and certificate is missing.
client = new OMCertificateClient(securityConfig);
- FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
+ FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT)
.toString(), securityConfig.getPrivateKeyFileName()).toFile());
- KeyCodec keyCodec = new KeyCodec(securityConfig);
+ KeyCodec keyCodec = new KeyCodec(securityConfig, COMPONENT);
keyCodec.writePublicKey(publicKey);
LambdaTestUtils.intercept(RuntimeException.class, " OM security" +
" initialization failed",
@@ -178,9 +179,10 @@ public class TestSecureOzoneManager {
omLogs.clearOutput();
// Case 5: When only certificate is present.
- FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
+ FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT)
.toString(), securityConfig.getPublicKeyFileName()).toFile());
- CertificateCodec certCodec = new CertificateCodec(securityConfig);
+ CertificateCodec certCodec =
+ new CertificateCodec(securityConfig, COMPONENT);
X509Certificate x509Certificate = KeyStoreTestUtil.generateCertificate(
"CN=Test", new KeyPair(publicKey, privateKey), 10,
securityConfig.getSignatureAlgo());
@@ -201,7 +203,7 @@ public class TestSecureOzoneManager {
// Case 6: When private key and certificate is present.
client = new OMCertificateClient(securityConfig,
x509Certificate.getSerialNumber().toString());
- FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation()
+ FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT)
.toString(), securityConfig.getPublicKeyFileName()).toFile());
keyCodec.writePrivateKey(privateKey);
OzoneManager.initializeSecurity(conf, omStorage);
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-commits-help@hadoop.apache.org