Search in sources :

Example 6 with KeyProvider

use of org.apache.hadoop.crypto.key.KeyProvider in project hadoop by apache.

the class TestKMS method testDelegationTokenAccess.

@Test
public void testDelegationTokenAccess() throws Exception {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    final File testDir = getTestDir();
    conf = createBaseKMSConf(testDir, conf);
    conf.set("hadoop.kms.authentication.type", "kerberos");
    conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
    conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
    conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
    final String keyA = "key_a";
    final String keyD = "key_d";
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + keyA + ".ALL", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + keyD + ".ALL", "*");
    writeConf(testDir, conf);
    runServer(null, null, testDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final Configuration conf = new Configuration();
            conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
            final URI uri = createKMSUri(getKMSUrl());
            final Credentials credentials = new Credentials();
            final UserGroupInformation nonKerberosUgi = UserGroupInformation.getCurrentUser();
            try {
                KeyProvider kp = createProvider(uri, conf);
                kp.createKey(keyA, new KeyProvider.Options(conf));
            } catch (IOException ex) {
                System.out.println(ex.getMessage());
            }
            doAs("client", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    KeyProviderDelegationTokenExtension kpdte = KeyProviderDelegationTokenExtension.createKeyProviderDelegationTokenExtension(kp);
                    kpdte.addDelegationTokens("foo", credentials);
                    return null;
                }
            });
            nonKerberosUgi.addCredentials(credentials);
            try {
                KeyProvider kp = createProvider(uri, conf);
                kp.createKey(keyA, new KeyProvider.Options(conf));
            } catch (IOException ex) {
                System.out.println(ex.getMessage());
            }
            nonKerberosUgi.doAs(new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    kp.createKey(keyD, new KeyProvider.Options(conf));
                    return null;
                }
            });
            return null;
        }
    });
}
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) Options(org.apache.hadoop.crypto.key.KeyProvider.Options) KeyProviderDelegationTokenExtension(org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension) Configuration(org.apache.hadoop.conf.Configuration) IOException(java.io.IOException) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) URI(java.net.URI) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) SocketTimeoutException(java.net.SocketTimeoutException) IOException(java.io.IOException) Options(org.apache.hadoop.crypto.key.KeyProvider.Options) File(java.io.File) Credentials(org.apache.hadoop.security.Credentials) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 7 with KeyProvider

use of org.apache.hadoop.crypto.key.KeyProvider in project hadoop by apache.

the class TestKMS method testStartStop.

public void testStartStop(final boolean ssl, final boolean kerberos) throws Exception {
    Configuration conf = new Configuration();
    if (kerberos) {
        conf.set("hadoop.security.authentication", "kerberos");
    }
    File testDir = getTestDir();
    conf = createBaseKMSConf(testDir, conf);
    final String keystore;
    final String password;
    if (ssl) {
        String sslConfDir = KeyStoreTestUtil.getClasspathDir(TestKMS.class);
        KeyStoreTestUtil.setupSSLConfig(testDir.getAbsolutePath(), sslConfDir, conf, false);
        keystore = testDir.getAbsolutePath() + "/serverKS.jks";
        password = "serverP";
    } else {
        keystore = null;
        password = null;
    }
    conf.set("hadoop.kms.authentication.token.validity", "1");
    if (kerberos) {
        conf.set("hadoop.kms.authentication.type", "kerberos");
        conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
        conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
        conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
    }
    writeConf(testDir, conf);
    runServer(keystore, password, testDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final Configuration conf = new Configuration();
            URL url = getKMSUrl();
            Assert.assertEquals(keystore != null, url.getProtocol().equals("https"));
            final URI uri = createKMSUri(getKMSUrl());
            if (ssl) {
                KeyProvider testKp = createProvider(uri, conf);
                ThreadGroup threadGroup = Thread.currentThread().getThreadGroup();
                while (threadGroup.getParent() != null) {
                    threadGroup = threadGroup.getParent();
                }
                Thread[] threads = new Thread[threadGroup.activeCount()];
                threadGroup.enumerate(threads);
                Thread reloaderThread = null;
                for (Thread thread : threads) {
                    if ((thread.getName() != null) && (thread.getName().contains(SSL_RELOADER_THREAD_NAME))) {
                        reloaderThread = thread;
                    }
                }
                Assert.assertTrue("Reloader is not alive", reloaderThread.isAlive());
                testKp.close();
                boolean reloaderStillAlive = true;
                for (int i = 0; i < 10; i++) {
                    reloaderStillAlive = reloaderThread.isAlive();
                    if (!reloaderStillAlive)
                        break;
                    Thread.sleep(1000);
                }
                Assert.assertFalse("Reloader is still alive", reloaderStillAlive);
            }
            if (kerberos) {
                for (String user : new String[] { "client", "client/host" }) {
                    doAs(user, new PrivilegedExceptionAction<Void>() {

                        @Override
                        public Void run() throws Exception {
                            final KeyProvider kp = createProvider(uri, conf);
                            // getKeys() empty
                            Assert.assertTrue(kp.getKeys().isEmpty());
                            Thread.sleep(4000);
                            Token<?>[] tokens = ((KeyProviderDelegationTokenExtension.DelegationTokenExtension) kp).addDelegationTokens("myuser", new Credentials());
                            Assert.assertEquals(1, tokens.length);
                            Assert.assertEquals("kms-dt", tokens[0].getKind().toString());
                            kp.close();
                            return null;
                        }
                    });
                }
            } else {
                KeyProvider kp = createProvider(uri, conf);
                // getKeys() empty
                Assert.assertTrue(kp.getKeys().isEmpty());
                Thread.sleep(4000);
                Token<?>[] tokens = ((KeyProviderDelegationTokenExtension.DelegationTokenExtension) kp).addDelegationTokens("myuser", new Credentials());
                Assert.assertEquals(1, tokens.length);
                Assert.assertEquals("kms-dt", tokens[0].getKind().toString());
                kp.close();
            }
            return null;
        }
    });
}
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) KeyProviderDelegationTokenExtension(org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension) Configuration(org.apache.hadoop.conf.Configuration) KeyProviderDelegationTokenExtension(org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension) KMSDelegationToken(org.apache.hadoop.crypto.key.kms.KMSDelegationToken) Token(org.apache.hadoop.security.token.Token) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) URI(java.net.URI) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) SocketTimeoutException(java.net.SocketTimeoutException) IOException(java.io.IOException) URL(java.net.URL) File(java.io.File) Credentials(org.apache.hadoop.security.Credentials)

Example 8 with KeyProvider

use of org.apache.hadoop.crypto.key.KeyProvider in project hadoop by apache.

the class TestKMS method testServicePrincipalACLs.

@Test
public void testServicePrincipalACLs() throws Exception {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    File testDir = getTestDir();
    conf = createBaseKMSConf(testDir, conf);
    conf.set("hadoop.kms.authentication.type", "kerberos");
    conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
    conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
    conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
    for (KMSACLs.Type type : KMSACLs.Type.values()) {
        conf.set(type.getAclConfigKey(), " ");
    }
    conf.set(KMSACLs.Type.CREATE.getAclConfigKey(), "client");
    conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "client,client/host");
    writeConf(testDir, conf);
    runServer(null, null, testDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final Configuration conf = new Configuration();
            conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
            final URI uri = createKMSUri(getKMSUrl());
            doAs("client", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    try {
                        KeyProvider kp = createProvider(uri, conf);
                        KeyProvider.KeyVersion kv = kp.createKey("ck0", new KeyProvider.Options(conf));
                        Assert.assertNull(kv.getMaterial());
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    return null;
                }
            });
            doAs("client/host", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    try {
                        KeyProvider kp = createProvider(uri, conf);
                        KeyProvider.KeyVersion kv = kp.createKey("ck1", new KeyProvider.Options(conf));
                        Assert.assertNull(kv.getMaterial());
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    return null;
                }
            });
            return null;
        }
    });
}
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) Configuration(org.apache.hadoop.conf.Configuration) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) URI(java.net.URI) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) SocketTimeoutException(java.net.SocketTimeoutException) IOException(java.io.IOException) KeyVersion(org.apache.hadoop.crypto.key.KeyProvider.KeyVersion) Options(org.apache.hadoop.crypto.key.KeyProvider.Options) File(java.io.File) Test(org.junit.Test)

Example 9 with KeyProvider

use of org.apache.hadoop.crypto.key.KeyProvider in project hadoop by apache.

the class TestKMS method doProxyUserTest.

public void doProxyUserTest(final boolean kerberos) throws Exception {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    final File testDir = getTestDir();
    conf = createBaseKMSConf(testDir, conf);
    if (kerberos) {
        conf.set("hadoop.kms.authentication.type", "kerberos");
    }
    conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
    conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
    conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
    conf.set("hadoop.kms.proxyuser.client.users", "foo,bar");
    conf.set("hadoop.kms.proxyuser.client.hosts", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "kaa.ALL", "client");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "kbb.ALL", "foo");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "kcc.ALL", "foo1");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "kdd.ALL", "bar");
    writeConf(testDir, conf);
    runServer(null, null, testDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final Configuration conf = new Configuration();
            conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
            final URI uri = createKMSUri(getKMSUrl());
            UserGroupInformation proxyUgi = null;
            if (kerberos) {
                // proxyuser client using kerberos credentials
                proxyUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI("client", keytab.getAbsolutePath());
            } else {
                proxyUgi = UserGroupInformation.createRemoteUser("client");
                UserGroupInformation.setLoginUser(proxyUgi);
            }
            final UserGroupInformation clientUgi = proxyUgi;
            clientUgi.doAs(new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    final KeyProvider kp = createProvider(uri, conf);
                    kp.createKey("kaa", new KeyProvider.Options(conf));
                    // authorized proxyuser
                    UserGroupInformation fooUgi = UserGroupInformation.createProxyUser("foo", clientUgi);
                    fooUgi.doAs(new PrivilegedExceptionAction<Void>() {

                        @Override
                        public Void run() throws Exception {
                            Assert.assertNotNull(kp.createKey("kbb", new KeyProvider.Options(conf)));
                            return null;
                        }
                    });
                    // unauthorized proxyuser
                    UserGroupInformation foo1Ugi = UserGroupInformation.createProxyUser("foo1", clientUgi);
                    foo1Ugi.doAs(new PrivilegedExceptionAction<Void>() {

                        @Override
                        public Void run() throws Exception {
                            try {
                                kp.createKey("kcc", new KeyProvider.Options(conf));
                                Assert.fail();
                            } catch (AuthorizationException ex) {
                            // OK
                            } catch (Exception ex) {
                                Assert.fail(ex.getMessage());
                            }
                            return null;
                        }
                    });
                    // authorized proxyuser
                    UserGroupInformation barUgi = UserGroupInformation.createProxyUser("bar", clientUgi);
                    barUgi.doAs(new PrivilegedExceptionAction<Void>() {

                        @Override
                        public Void run() throws Exception {
                            Assert.assertNotNull(kp.createKey("kdd", new KeyProvider.Options(conf)));
                            return null;
                        }
                    });
                    return null;
                }
            });
            return null;
        }
    });
}
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) Options(org.apache.hadoop.crypto.key.KeyProvider.Options) Configuration(org.apache.hadoop.conf.Configuration) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) URI(java.net.URI) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) SocketTimeoutException(java.net.SocketTimeoutException) IOException(java.io.IOException) Options(org.apache.hadoop.crypto.key.KeyProvider.Options) File(java.io.File) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 10 with KeyProvider

use of org.apache.hadoop.crypto.key.KeyProvider in project hadoop by apache.

the class TestKMS method testKMSAuthFailureRetry.

@Test
public void testKMSAuthFailureRetry() throws Exception {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    final File testDir = getTestDir();
    conf = createBaseKMSConf(testDir, conf);
    conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
    conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
    conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
    conf.set("hadoop.kms.authentication.token.validity", "1");
    for (KMSACLs.Type type : KMSACLs.Type.values()) {
        conf.set(type.getAclConfigKey(), type.toString());
    }
    conf.set(KMSACLs.Type.CREATE.getAclConfigKey(), KMSACLs.Type.CREATE.toString() + ",SET_KEY_MATERIAL");
    conf.set(KMSACLs.Type.ROLLOVER.getAclConfigKey(), KMSACLs.Type.ROLLOVER.toString() + ",SET_KEY_MATERIAL");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k0.ALL", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k1.ALL", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k2.ALL", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k3.ALL", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k4.ALL", "*");
    writeConf(testDir, conf);
    runServer(null, null, testDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final Configuration conf = new Configuration();
            conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
            final URI uri = createKMSUri(getKMSUrl());
            doAs("SET_KEY_MATERIAL", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    kp.createKey("k0", new byte[16], new KeyProvider.Options(conf));
                    // This happens before rollover
                    kp.createKey("k1", new byte[16], new KeyProvider.Options(conf));
                    // Atleast 2 rollovers.. so should induce signer Exception
                    Thread.sleep(3500);
                    kp.createKey("k2", new byte[16], new KeyProvider.Options(conf));
                    return null;
                }
            });
            return null;
        }
    });
    // Test retry count
    runServer(null, null, testDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final Configuration conf = new Configuration();
            conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
            conf.setInt(KMSClientProvider.AUTH_RETRY, 0);
            final URI uri = createKMSUri(getKMSUrl());
            doAs("SET_KEY_MATERIAL", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    kp.createKey("k3", new byte[16], new KeyProvider.Options(conf));
                    // Atleast 2 rollovers.. so should induce signer Exception
                    Thread.sleep(3500);
                    try {
                        kp.createKey("k4", new byte[16], new KeyProvider.Options(conf));
                        Assert.fail("This should not succeed..");
                    } catch (IOException e) {
                        Assert.assertTrue("HTTP exception must be a 401 : " + e.getMessage(), e.getMessage().contains("401"));
                    }
                    return null;
                }
            });
            return null;
        }
    });
}
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) Configuration(org.apache.hadoop.conf.Configuration) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) IOException(java.io.IOException) URI(java.net.URI) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) SocketTimeoutException(java.net.SocketTimeoutException) IOException(java.io.IOException) Options(org.apache.hadoop.crypto.key.KeyProvider.Options) File(java.io.File) Test(org.junit.Test)

Aggregations

KeyProvider (org.apache.hadoop.crypto.key.KeyProvider)38 IOException (java.io.IOException)27 URI (java.net.URI)25 Configuration (org.apache.hadoop.conf.Configuration)25 Test (org.junit.Test)21 File (java.io.File)17 SocketTimeoutException (java.net.SocketTimeoutException)17 Options (org.apache.hadoop.crypto.key.KeyProvider.Options)17 AuthorizationException (org.apache.hadoop.security.authorize.AuthorizationException)17 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)13 KeyProviderCryptoExtension (org.apache.hadoop.crypto.key.KeyProviderCryptoExtension)10 KeyVersion (org.apache.hadoop.crypto.key.KeyProvider.KeyVersion)8 EncryptedKeyVersion (org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion)8 UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)8 Credentials (org.apache.hadoop.security.Credentials)6 HashMap (java.util.HashMap)5 KeyProviderDelegationTokenExtension (org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension)5 GeneralSecurityException (java.security.GeneralSecurityException)3 Map (java.util.Map)3 UserProvider (org.apache.hadoop.crypto.key.UserProvider)3