Use of org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB in the Apache Ozone project.
Class OzoneManager, method getSCMSignedCert.
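/**
 * Obtains an SCM-signed certificate for this OM and stores it, together with
 * the SCM CA certificate and, when present, the root CA certificate, through
 * the given certificate client. The serial id of the issued certificate is
 * persisted in {@code omStore}.
 *
 * <p>The CSR subject is {@code <user>@<hostname>} when the CSR builder carries
 * a DNS alt-name, otherwise the bare hostname: with only an IP in the alt-name,
 * validation would fail unless the subject is itself a hostname.
 *
 * @param client  certificate client holding the OM key pair; receives the
 *                returned certificates
 * @param config  OM configuration (OM RPC address, HA service id, SCM
 *                security client settings)
 * @param omStore OM storage; supplies cluster/OM ids and persists the serial
 *                id of the issued certificate
 * @param scmId   id of the SCM the request is addressed to
 * @throws IOException if the current user cannot be resolved, the CSR cannot
 *         be encoded, or the SCM RPC fails
 * @throws RuntimeException if the OM RPC address is unusable, the SCM response
 *         carries no CA certificate, or storing the certificates fails
 */
private static void getSCMSignedCert(CertificateClient client,
    OzoneConfiguration config, OMStorage omStore, String scmId)
    throws IOException {
  CertificateSignRequest.Builder builder = client.getCSRBuilder();
  KeyPair keyPair = new KeyPair(client.getPublicKey(), client.getPrivateKey());

  InetSocketAddress omRpcAdd = OmUtils.getOmAddress(config);
  if (omRpcAdd == null || omRpcAdd.getAddress() == null) {
    LOG.error("Incorrect om rpc address. omRpcAdd:{}", omRpcAdd);
    throw new RuntimeException("Can't get SCM signed certificate. "
        + "omRpcAdd: " + omRpcAdd);
  }
  String hostname = omRpcAdd.getAddress().getHostName();
  String ip = omRpcAdd.getAddress().getHostAddress();

  // With only an IP in the alt-name, certificate validation would fail if
  // the subject isn't a hostname either, so the username is omitted then.
  String subject = builder.hasDnsName()
      ? UserGroupInformation.getCurrentUser().getShortUserName() + "@" + hostname
      : hostname;

  builder.setCA(false)
      .setKey(keyPair)
      .setConfiguration(config)
      .setScmID(scmId)
      .setClusterID(omStore.getClusterID())
      .setSubject(subject);

  // In HA deployments the local node's service id is added to the request
  // (presumably as an extra alt-name; see CertificateSignRequest.Builder).
  OMHANodeDetails haOMHANodeDetails = OMHANodeDetails.loadOMHAConfig(config);
  String serviceName = haOMHANodeDetails.getLocalNodeDetails().getServiceId();
  if (!StringUtils.isEmpty(serviceName)) {
    builder.addServiceName(serviceName);
  }
  LOG.info("Creating csr for OM->dns:{},ip:{},scmId:{},clusterId:{},subject:{}",
      hostname, ip, scmId, omStore.getClusterID(), subject);

  HddsProtos.OzoneManagerDetailsProto omDetailsProto =
      HddsProtos.OzoneManagerDetailsProto.newBuilder()
          .setHostName(omRpcAdd.getHostName())
          .setIpAddress(ip)
          .setUuid(omStore.getOmId())
          .addPorts(HddsProtos.Port.newBuilder()
              .setName(RPC_PORT)
              .setValue(omRpcAdd.getPort())
              .build())
          .build();
  PKCS10CertificationRequest csr = builder.build();
  LOG.info("OzoneManager ports added:{}", omDetailsProto.getPortsList());

  // The translator wraps an RPC proxy; close it once the chain has been
  // fetched rather than leaking it for the rest of the OM's lifetime.
  SCMGetCertResponseProto response;
  try (SCMSecurityProtocolClientSideTranslatorPB secureScmClient =
      HddsServerUtil.getScmSecurityClientWithFixedDuration(config)) {
    response = secureScmClient.getOMCertChain(omDetailsProto, getEncodedString(csr));
  }
  if (!response.hasX509CACertificate()) {
    throw new RuntimeException("Unable to retrieve OM certificate chain");
  }

  String pemEncodedCert = response.getX509Certificate();
  try {
    // SCM CA certificate first, then the OM certificate. The boolean flags
    // are (force, caCert) as far as this call site shows; confirm against
    // CertificateClient before relying on that.
    client.storeCertificate(response.getX509CACertificate(), true, true);
    client.storeCertificate(pemEncodedCert, true);
    if (response.hasX509RootCACertificate()) {
      client.storeRootCACertificate(response.getX509RootCACertificate(), true);
    }
    // NOTE(review): nothing here verifies that the returned leaf certificate
    // matches the CSR key pair or chains to the stored CA; confirm the
    // certificate client performs that check on store.
    omStore.setOmCertSerialId(
        CertificateCodec.getX509Certificate(pemEncodedCert).getSerialNumber().toString());
  } catch (IOException | CertificateException e) {
    LOG.error("Error while storing SCM signed certificate.", e);
    throw new RuntimeException("Error while storing SCM signed certificate.", e);
  }
}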
Use of org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB in the Apache Ozone project.
Class HASecurityUtils, method getRootCASignedSCMCert.
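/**
 * For a bootstrapped SCM: generates a CSR, has it signed through the SCM
 * security client, and stores the returned sub-CA certificate and the root
 * CA certificate using the certificate client. The sub-CA certificate is
 * also persisted via {@code persistSubCACertificate}, and its serial id is
 * recorded in {@code scmStorageConfig}.
 *
 * @param client           certificate client of this SCM
 * @param config           SCM configuration, used for the CSR and the
 *                         security client
 * @param scmStorageConfig storage config; supplies cluster/SCM ids and
 *                         persists the certificate serial id
 * @param scmAddress       RPC address of this SCM, used in the CSR and in the
 *                         node details sent to the signing SCM
 * @throws RuntimeException if the response carries no CA certificate, or if
 *         generating, fetching or storing the certificates fails
 */
private static void getRootCASignedSCMCert(CertificateClient client,
    OzoneConfiguration config, SCMStorageConfig scmStorageConfig,
    InetSocketAddress scmAddress) {
  try {
    PKCS10CertificationRequest csr =
        generateCSR(client, scmStorageConfig, config, scmAddress);
    ScmNodeDetailsProto scmNodeDetailsProto = ScmNodeDetailsProto.newBuilder()
        .setClusterId(scmStorageConfig.getClusterID())
        .setHostName(scmAddress.getHostName())
        .setScmNodeId(scmStorageConfig.getScmId())
        .build();

    // The security client wraps an RPC proxy; release it as soon as the
    // certificate chain has been fetched.
    SCMGetCertResponseProto response;
    try (SCMSecurityProtocolClientSideTranslatorPB secureScmClient =
        HddsServerUtil.getScmSecurityClientWithFixedDuration(config)) {
      response = secureScmClient.getSCMCertChain(
          scmNodeDetailsProto, getEncodedString(csr));
    }
    if (!response.hasX509CACertificate()) {
      throw new RuntimeException("Unable to retrieve SCM certificate chain");
    }

    // Root CA certificate first, then this SCM's sub-CA certificate.
    String pemEncodedCert = response.getX509Certificate();
    client.storeCertificate(response.getX509CACertificate(), true, true);
    client.storeCertificate(pemEncodedCert, true);

    X509Certificate certificate = CertificateCodec.getX509Certificate(pemEncodedCert);
    persistSubCACertificate(config, client,
        CertificateCodec.getCertificateHolder(certificate));
    scmStorageConfig.setScmCertSerialId(certificate.getSerialNumber().toString());
  } catch (IOException | CertificateException e) {
    LOG.error("Error while fetching/storing SCM signed certificate.", e);
    throw new RuntimeException(e);
  }
}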
Use of org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB in the Apache Ozone project.
Class HddsServerUtil, method getScmSecurityClientWithFixedDuration.
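/**
 * Creates an SCM security client whose retry budget is bounded by
 * {@code OZONE_SCM_INFO_WAIT_DURATION}, so that an init-time caller (e.g. OM
 * init) gets a definite answer within that period instead of retrying for
 * ever.
 *
 * <p>The retry count is raised to {@code waitDuration / retryInterval} only
 * when that exceeds the configured count; it is never lowered. The retry
 * interval is treated as milliseconds, as the original {@code / 1000}
 * implied. The returned client wraps an RPC proxy and should be closed by
 * the caller.
 *
 * @param conf configuration; not modified — the adjusted retry count is
 *             applied to a copy
 * @return a security client backed by a failover proxy provider for the
 *         current user
 * @throws IOException if the current user cannot be resolved
 */
public static SCMSecurityProtocolClientSideTranslatorPB
    getScmSecurityClientWithFixedDuration(OzoneConfiguration conf)
    throws IOException {
  OzoneConfiguration configuration = new OzoneConfiguration(conf);
  long waitSeconds = conf.getTimeDuration(OZONE_SCM_INFO_WAIT_DURATION,
      OZONE_SCM_INFO_WAIT_DURATION_DEFAULT, TimeUnit.SECONDS);
  SCMClientConfig scmClientConfig = conf.getObject(SCMClientConfig.class);
  long retryIntervalMs = scmClientConfig.getRetryInterval();

  // The previous form, duration / (interval / 1000), truncated a sub-second
  // interval to 0 (ArithmeticException) and a 1.5 s interval to 1 s.
  // Scale the wait duration to milliseconds instead and skip the adjustment
  // for a non-positive interval.
  if (retryIntervalMs > 0) {
    long retries = TimeUnit.SECONDS.toMillis(waitSeconds) / retryIntervalMs;
    int retryCount = (int) Math.min(retries, Integer.MAX_VALUE);
    if (retryCount > scmClientConfig.getRetryCount()) {
      scmClientConfig.setRetryCount(retryCount);
      configuration.setFromObject(scmClientConfig);
    }
  }
  return new SCMSecurityProtocolClientSideTranslatorPB(
      new SCMSecurityProtocolFailoverProxyProvider(configuration,
          UserGroupInformation.getCurrentUser()));
}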
Use of org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB in the Apache Ozone project.
Class ReconServer, method getSCMSignedCert.
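/**
 * Obtains an SCM-signed certificate for Recon and stores it, together with
 * the SCM CA certificate and, when present, the root CA certificate, through
 * {@code certClient}. The serial id of the issued certificate is recorded in
 * {@code reconStorage}.
 *
 * @param config Recon configuration, used to build the CSR and the SCM
 *               security client
 * @throws RuntimeException if the SCM response carries no CA certificate, or
 *         if building the CSR, the RPC, or storing the certificates fails
 */
private void getSCMSignedCert(OzoneConfiguration config) {
  try {
    PKCS10CertificationRequest csr = ReconUtils.getCSR(config, certClient);
    LOG.info("Creating CSR for Recon.");
    HddsProtos.NodeDetailsProto reconDetailsProto =
        HddsProtos.NodeDetailsProto.newBuilder()
            .setHostName(InetAddress.getLocalHost().getHostName())
            .setClusterId(reconStorage.getClusterID())
            .setUuid(reconStorage.getReconId())
            .setNodeType(HddsProtos.NodeType.RECON)
            .build();

    // The security client wraps an RPC proxy; close it once the chain has
    // been fetched.
    SCMSecurityProtocolProtos.SCMGetCertResponseProto response;
    try (SCMSecurityProtocolClientSideTranslatorPB secureScmClient =
        HddsServerUtil.getScmSecurityClientWithMaxRetry(config)) {
      response = secureScmClient.getCertificateChain(
          reconDetailsProto, getEncodedString(csr));
    }
    if (!response.hasX509CACertificate()) {
      throw new RuntimeException("Unable to retrieve recon certificate chain");
    }

    // Recon certificate, then SCM CA certificate, then root CA if present.
    String pemEncodedCert = response.getX509Certificate();
    certClient.storeCertificate(pemEncodedCert, true);
    certClient.storeCertificate(response.getX509CACertificate(), true, true);
    if (response.hasX509RootCACertificate()) {
      certClient.storeRootCACertificate(response.getX509RootCACertificate(), true);
    }
    reconStorage.setReconCertSerialId(
        getX509Certificate(pemEncodedCert).getSerialNumber().toString());
  } catch (IOException | CertificateException e) {
    LOG.error("Error while storing SCM signed certificate.", e);
    throw new RuntimeException(e);
  }
}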
Use of org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB in the Apache Ozone project.
Class HddsDatanodeService, method getSCMSignedCert.
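/**
 * Obtains an SCM-signed certificate for this datanode and stores it, together
 * with the SCM CA certificate and, when present, the root CA certificate,
 * through {@code dnCertClient}. The serial id of the issued certificate is
 * written to {@code datanodeDetails} and persisted, and {@code dnCertClient}
 * is rebuilt so it picks up the new default serial id and certificate.
 *
 * @param config datanode configuration, used for the CSR, the SCM security
 *               client and the rebuilt certificate client
 * @throws RuntimeException if the SCM response carries no CA certificate, or
 *         if building the CSR, the RPC, or storing the certificates fails
 */
private void getSCMSignedCert(OzoneConfiguration config) {
  try {
    PKCS10CertificationRequest csr = getCSR(config);
    // TODO: For SCM CA we should fetch certificate from multiple SCMs.
    // The security client wraps an RPC proxy; close it once the chain has
    // been fetched.
    SCMGetCertResponseProto response;
    try (SCMSecurityProtocolClientSideTranslatorPB secureScmClient =
        HddsServerUtil.getScmSecurityClientWithMaxRetry(config)) {
      response = secureScmClient.getDataNodeCertificateChain(
          datanodeDetails.getProtoBufMessage(), getEncodedString(csr));
    }
    if (!response.hasX509CACertificate()) {
      throw new RuntimeException("Unable to retrieve datanode certificate chain");
    }

    // Datanode certificate, then SCM CA certificate, then root CA if present.
    String pemEncodedCert = response.getX509Certificate();
    dnCertClient.storeCertificate(pemEncodedCert, true);
    dnCertClient.storeCertificate(response.getX509CACertificate(), true, true);
    if (response.hasX509RootCACertificate()) {
      dnCertClient.storeRootCACertificate(response.getX509RootCACertificate(), true);
    }

    String dnCertSerialId =
        getX509Certificate(pemEncodedCert).getSerialNumber().toString();
    datanodeDetails.setCertSerialId(dnCertSerialId);
    persistDatanodeDetails(datanodeDetails);

    // Rebuild dnCertClient with the new CSR result so that the default
    // certSerialId and the x509Certificate can be updated.
    // NOTE(review): the previous dnCertClient instance is dropped without
    // being closed; if it owns resources, close it before replacing it.
    dnCertClient = new DNCertificateClient(new SecurityConfig(config), dnCertSerialId);
  } catch (IOException | CertificateException e) {
    LOG.error("Error while storing SCM signed certificate.", e);
    throw new RuntimeException(e);
  }
}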