
Example 1 with SCMSecurityProtocolClientSideTranslatorPB

Use of org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB in the Apache Ozone project.

From class OzoneManager, method getSCMSignedCert.

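/**
 * Obtain an SCM-signed certificate for this OM and persist it through the
 * certificate client.
 *
 * <p>The CSR is built from the key pair the certificate client already holds,
 * with the OM's RPC host name as the subject (prefixed by the current user's
 * short name when the CSR carries a DNS alt name). Before anything is written,
 * the signed certificate in SCM's response is checked against that key pair,
 * so a mismatched or mis-routed response cannot be installed as this node's
 * identity.
 *
 * <p>NOTE(review): the CA and root-CA certificates carried in the response
 * are persisted as trust anchors exactly as returned (trust on first use);
 * nothing here verifies them out of band or verifies the issued certificate's
 * signature against them, so the safety of this bootstrap rests on the
 * authenticity of the RPC channel to SCM. Confirm that matches the
 * deployment's threat model. The security client created here is also never
 * closed; if it is Closeable, wrap it in try-with-resources.
 *
 * @param client  certificate client holding the OM key pair; receives the
 *                signed certificate and the CA certificates
 * @param config  configuration used to locate the OM RPC address and SCM
 * @param omStore OM storage; supplies the cluster/OM ids and records the
 *                certificate serial id
 * @param scmId   id of the SCM expected to sign the CSR
 * @throws IOException      if the SCM security client cannot be created or
 *                          the RPC to SCM fails
 * @throws RuntimeException if the OM RPC address cannot be resolved, the
 *                          response carries no certificate chain, the
 *                          certificate does not match our key, or the
 *                          certificates cannot be parsed or stored
 */
private static void getSCMSignedCert(CertificateClient client, OzoneConfiguration config, OMStorage omStore, String scmId) throws IOException {
    CertificateSignRequest.Builder builder = client.getCSRBuilder();
    KeyPair keyPair = new KeyPair(client.getPublicKey(), client.getPrivateKey());
    InetSocketAddress omRpcAdd = OmUtils.getOmAddress(config);
    if (omRpcAdd == null || omRpcAdd.getAddress() == null) {
        LOG.error("Incorrect om rpc address. omRpcAdd:{}", omRpcAdd);
        throw new RuntimeException("Can't get SCM signed certificate. " + "omRpcAdd: " + omRpcAdd);
    }
    String hostname = omRpcAdd.getAddress().getHostName();
    String ip = omRpcAdd.getAddress().getHostAddress();
    String subject;
    if (builder.hasDnsName()) {
        subject = UserGroupInformation.getCurrentUser().getShortUserName() + "@" + hostname;
    } else {
        // With only an IP in the alt name, validation would fail unless the
        // subject itself is a host name, so the user name is omitted.
        subject = hostname;
    }
    builder.setCA(false).setKey(keyPair).setConfiguration(config).setScmID(scmId).setClusterID(omStore.getClusterID()).setSubject(subject);
    OMHANodeDetails haOMHANodeDetails = OMHANodeDetails.loadOMHAConfig(config);
    String serviceName = haOMHANodeDetails.getLocalNodeDetails().getServiceId();
    if (!StringUtils.isEmpty(serviceName)) {
        builder.addServiceName(serviceName);
    }
    LOG.info("Creating csr for OM->dns:{},ip:{},scmId:{},clusterId:{}," + "subject:{}", hostname, ip, scmId, omStore.getClusterID(), subject);
    PKCS10CertificationRequest csr = builder.build();
    HddsProtos.OzoneManagerDetailsProto omDetailsProto = HddsProtos.OzoneManagerDetailsProto.newBuilder()
        .setHostName(omRpcAdd.getHostName())
        .setIpAddress(ip)
        .setUuid(omStore.getOmId())
        .addPorts(HddsProtos.Port.newBuilder().setName(RPC_PORT).setValue(omRpcAdd.getPort()).build())
        .build();
    LOG.info("OzoneManager ports added:{}", omDetailsProto.getPortsList());
    SCMSecurityProtocolClientSideTranslatorPB secureScmClient = HddsServerUtil.getScmSecurityClientWithFixedDuration(config);
    SCMGetCertResponseProto response = secureScmClient.getOMCertChain(omDetailsProto, getEncodedString(csr));
    String pemEncodedCert = response.getX509Certificate();
    try {
        if (!response.hasX509CACertificate()) {
            throw new RuntimeException("Unable to retrieve OM certificate " + "chain");
        }
        // Parse once, up front: a malformed certificate must fail before any
        // trust material is written.
        java.security.cert.X509Certificate signedCert = CertificateCodec.getX509Certificate(pemEncodedCert);
        // Refuse a certificate issued for some other key. Comparing the DER
        // SubjectPublicKeyInfo works regardless of which provider produced
        // either key object.
        if (!java.util.Arrays.equals(signedCert.getPublicKey().getEncoded(), keyPair.getPublic().getEncoded())) {
            throw new CertificateException("SCM returned a certificate whose public key does not match this OM's key pair");
        }
        // The X509CACertificate field is the issuing (sub-)CA; the root CA, if
        // present, is a separate field stored below.
        client.storeCertificate(response.getX509CACertificate(), true, true);
        client.storeCertificate(pemEncodedCert, true);
        if (response.hasX509RootCACertificate()) {
            client.storeRootCACertificate(response.getX509RootCACertificate(), true);
        }
        // Persist the serial id so the OM can locate its own certificate on restart.
        omStore.setOmCertSerialId(signedCert.getSerialNumber().toString());
    } catch (IOException | CertificateException e) {
        LOG.error("Error while storing SCM signed certificate.", e);
        throw new RuntimeException(e);
    }
}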

Example 2 with SCMSecurityProtocolClientSideTranslatorPB

Use of org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB in the Apache Ozone project.

From class HASecurityUtils, method getRootCASignedSCMCert.

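/**
 * For a bootstrapped SCM, obtain its sub-CA certificate (signed by the
 * primary SCM's root CA) together with the root CA certificate, and persist
 * both through the certificate client.
 *
 * <p>The CSR is generated from the key pair held by {@code client}. The
 * certificate in the response is checked against that key pair before any
 * trust material is written, so a mismatched response is rejected rather
 * than installed.
 *
 * <p>NOTE(review): the CA certificate returned by the primary SCM is stored
 * as a trust anchor exactly as received (trust on first use) and the issued
 * certificate's signature is not verified against it here; the bootstrap
 * relies on the authenticity of the RPC channel to the primary SCM. The
 * security client created here is not closed; if it is Closeable, wrap it in
 * try-with-resources.
 *
 * @param client           certificate client holding this SCM's key pair
 * @param config           configuration used to reach the primary SCM
 * @param scmStorageConfig SCM storage; supplies cluster/SCM ids and records
 *                         the certificate serial id
 * @param scmAddress       this SCM's address, used for the CSR and the node
 *                         details sent to the primary SCM
 * @throws RuntimeException if the response carries no certificate chain, the
 *                          certificate does not match our key, or any I/O or
 *                          certificate error occurs (the cause is preserved)
 */
private static void getRootCASignedSCMCert(CertificateClient client, OzoneConfiguration config, SCMStorageConfig scmStorageConfig, InetSocketAddress scmAddress) {
    try {
        PKCS10CertificationRequest csr = generateCSR(client, scmStorageConfig, config, scmAddress);
        ScmNodeDetailsProto scmNodeDetailsProto = ScmNodeDetailsProto.newBuilder()
            .setClusterId(scmStorageConfig.getClusterID())
            .setHostName(scmAddress.getHostName())
            .setScmNodeId(scmStorageConfig.getScmId())
            .build();
        SCMSecurityProtocolClientSideTranslatorPB secureScmClient = HddsServerUtil.getScmSecurityClientWithFixedDuration(config);
        SCMGetCertResponseProto response = secureScmClient.getSCMCertChain(scmNodeDetailsProto, getEncodedString(csr));
        if (!response.hasX509CACertificate()) {
            throw new RuntimeException("Unable to retrieve SCM certificate chain");
        }
        String pemEncodedCert = response.getX509Certificate();
        // Parse before storing anything so a malformed certificate fails early.
        X509Certificate certificate = CertificateCodec.getX509Certificate(pemEncodedCert);
        // Refuse a certificate issued for some other key; comparing the DER
        // SubjectPublicKeyInfo is provider-independent.
        if (!java.util.Arrays.equals(certificate.getPublicKey().getEncoded(), client.getPublicKey().getEncoded())) {
            throw new CertificateException("Primary SCM returned a certificate whose public key does not match this SCM's key pair");
        }
        // Store the signing CA, then our own sub-CA certificate.
        client.storeCertificate(response.getX509CACertificate(), true, true);
        client.storeCertificate(pemEncodedCert, true);
        persistSubCACertificate(config, client, CertificateCodec.getCertificateHolder(certificate));
        // Persist the serial id so this SCM can locate its certificate on restart.
        scmStorageConfig.setScmCertSerialId(certificate.getSerialNumber().toString());
    } catch (IOException | CertificateException e) {
        LOG.error("Error while fetching/storing SCM signed certificate.", e);
        throw new RuntimeException(e);
    }
}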

Example 3 with SCMSecurityProtocolClientSideTranslatorPB

Use of org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB in the Apache Ozone project.

From class HddsServerUtil, method getScmSecurityClientWithFixedDuration.

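/**
 * Create an SCM security client whose retries are bounded by a fixed overall
 * wait rather than by the configured retry count alone.
 *
 * <p>Used during OM init: the caller must answer the user's init request in
 * a definite period instead of blocking forever on an unreachable SCM. The
 * retry count is raised (never lowered) so that
 * {@code retryCount * retryInterval} covers {@code OZONE_SCM_INFO_WAIT_DURATION}.
 *
 * <p>The retry interval is assumed to be in milliseconds (the previous code
 * divided it by 1000 to obtain seconds) — confirm against SCMClientConfig.
 * It is clamped to at least 1 ms so a sub-second interval cannot produce a
 * zero divisor (the old integer division {@code interval / 1000} threw
 * ArithmeticException for intervals under 1000 ms), and the division is done
 * in milliseconds so intervals that are not whole seconds are no longer
 * rounded down, which over-counted retries.
 *
 * @param conf configuration; copied, the caller's instance is not modified
 * @return a security client backed by a failover proxy provider for the
 *         current user
 * @throws IOException if the current user or the proxy provider cannot be
 *                     obtained
 */
public static SCMSecurityProtocolClientSideTranslatorPB getScmSecurityClientWithFixedDuration(OzoneConfiguration conf) throws IOException {
    OzoneConfiguration configuration = new OzoneConfiguration(conf);
    long durationSeconds = conf.getTimeDuration(OZONE_SCM_INFO_WAIT_DURATION, OZONE_SCM_INFO_WAIT_DURATION_DEFAULT, TimeUnit.SECONDS);
    SCMClientConfig scmClientConfig = conf.getObject(SCMClientConfig.class);
    // Never divide by zero, even for a misconfigured sub-millisecond interval.
    long retryIntervalMs = Math.max(1L, scmClientConfig.getRetryInterval());
    // Saturate instead of wrapping when the quotient does not fit in an int.
    int retryCount = (int) Math.min(Integer.MAX_VALUE, TimeUnit.SECONDS.toMillis(durationSeconds) / retryIntervalMs);
    if (retryCount > scmClientConfig.getRetryCount()) {
        scmClientConfig.setRetryCount(retryCount);
        configuration.setFromObject(scmClientConfig);
    }
    return new SCMSecurityProtocolClientSideTranslatorPB(new SCMSecurityProtocolFailoverProxyProvider(configuration, UserGroupInformation.getCurrentUser()));
}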

Example 4 with SCMSecurityProtocolClientSideTranslatorPB

Use of org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB in the Apache Ozone project.

From class ReconServer, method getSCMSignedCert.

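/**
 * Obtain an SCM-signed certificate for Recon and persist it through
 * {@code certClient}.
 *
 * <p>The CSR is produced by {@code ReconUtils.getCSR} from the certificate
 * client's key pair. The certificate in SCM's response is checked against
 * that key pair before any trust material is written, so a mismatched
 * response is rejected rather than installed as this node's identity.
 *
 * <p>NOTE(review): the CA and root-CA certificates in the response are
 * stored as trust anchors exactly as received (trust on first use) and the
 * issued certificate's signature is not verified against them here; the
 * bootstrap relies on the authenticity of the RPC channel to SCM. The host
 * name sent to SCM comes from the local resolver
 * ({@code InetAddress.getLocalHost()}), which may differ from the name SCM
 * or clients use for this node. The security client created here is not
 * closed; if it is Closeable, wrap it in try-with-resources.
 *
 * @param config configuration used to build the CSR and reach SCM
 * @throws RuntimeException if the response carries no certificate chain, the
 *                          certificate does not match our key, or any I/O or
 *                          certificate error occurs (the cause is preserved)
 */
private void getSCMSignedCert(OzoneConfiguration config) {
    try {
        LOG.info("Creating CSR for Recon.");
        PKCS10CertificationRequest csr = ReconUtils.getCSR(config, certClient);
        SCMSecurityProtocolClientSideTranslatorPB secureScmClient = HddsServerUtil.getScmSecurityClientWithMaxRetry(config);
        HddsProtos.NodeDetailsProto reconDetailsProto = HddsProtos.NodeDetailsProto.newBuilder()
            .setHostName(InetAddress.getLocalHost().getHostName())
            .setClusterId(reconStorage.getClusterID())
            .setUuid(reconStorage.getReconId())
            .setNodeType(HddsProtos.NodeType.RECON)
            .build();
        SCMSecurityProtocolProtos.SCMGetCertResponseProto response = secureScmClient.getCertificateChain(reconDetailsProto, getEncodedString(csr));
        if (!response.hasX509CACertificate()) {
            throw new RuntimeException("Unable to retrieve recon certificate " + "chain");
        }
        String pemEncodedCert = response.getX509Certificate();
        // Parse before storing anything so a malformed certificate fails early.
        java.security.cert.X509Certificate signedCert = getX509Certificate(pemEncodedCert);
        // Refuse a certificate issued for some other key; comparing the DER
        // SubjectPublicKeyInfo is provider-independent.
        if (!java.util.Arrays.equals(signedCert.getPublicKey().getEncoded(), certClient.getPublicKey().getEncoded())) {
            throw new CertificateException("SCM returned a certificate whose public key does not match Recon's key pair");
        }
        certClient.storeCertificate(pemEncodedCert, true);
        // X509CACertificate is the issuing (sub-)CA; the root CA is separate.
        certClient.storeCertificate(response.getX509CACertificate(), true, true);
        if (response.hasX509RootCACertificate()) {
            certClient.storeRootCACertificate(response.getX509RootCACertificate(), true);
        }
        // Persist the serial id so Recon can locate its certificate on restart.
        reconStorage.setReconCertSerialId(signedCert.getSerialNumber().toString());
    } catch (IOException | CertificateException e) {
        LOG.error("Error while storing SCM signed certificate.", e);
        throw new RuntimeException(e);
    }
}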

Example 5 with SCMSecurityProtocolClientSideTranslatorPB

Use of org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB in the Apache Ozone project.

From class HddsDatanodeService, method getSCMSignedCert.

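/**
 * Obtain an SCM-signed certificate for this datanode, persist it through
 * {@code dnCertClient}, and rebuild the client around the new certificate.
 *
 * <p>The certificate in SCM's response is checked against the public key held
 * by {@code dnCertClient} before any trust material is written, so a
 * mismatched response is rejected rather than installed as this node's
 * identity. The certificate serial id is recorded in {@code datanodeDetails}
 * and persisted, after which {@code dnCertClient} is re-created so its
 * default serial id and certificate reflect the new result.
 *
 * <p>NOTE(review): the CA and root-CA certificates in the response are
 * stored as trust anchors exactly as received (trust on first use) and the
 * issued certificate's signature is not verified against them here; the
 * bootstrap relies on the authenticity of the RPC channel to SCM. The
 * security client created here is not closed, and the previous
 * {@code dnCertClient} instance is simply dropped; if either is Closeable,
 * close it.
 *
 * @param config configuration used to build the CSR and reach SCM
 * @throws RuntimeException if the response carries no certificate chain, the
 *                          certificate does not match our key, or any I/O or
 *                          certificate error occurs (the cause is preserved)
 */
private void getSCMSignedCert(OzoneConfiguration config) {
    try {
        PKCS10CertificationRequest csr = getCSR(config);
        // TODO: For SCM CA we should fetch certificate from multiple SCMs.
        SCMSecurityProtocolClientSideTranslatorPB secureScmClient = HddsServerUtil.getScmSecurityClientWithMaxRetry(config);
        SCMGetCertResponseProto response = secureScmClient.getDataNodeCertificateChain(datanodeDetails.getProtoBufMessage(), getEncodedString(csr));
        if (!response.hasX509CACertificate()) {
            throw new RuntimeException("Unable to retrieve datanode certificate " + "chain");
        }
        String pemEncodedCert = response.getX509Certificate();
        // Parse before storing anything so a malformed certificate fails early.
        java.security.cert.X509Certificate signedCert = getX509Certificate(pemEncodedCert);
        // Refuse a certificate issued for some other key; comparing the DER
        // SubjectPublicKeyInfo is provider-independent.
        if (!java.util.Arrays.equals(signedCert.getPublicKey().getEncoded(), dnCertClient.getPublicKey().getEncoded())) {
            throw new CertificateException("SCM returned a certificate whose public key does not match this datanode's key pair");
        }
        dnCertClient.storeCertificate(pemEncodedCert, true);
        // X509CACertificate is the issuing (sub-)CA; the root CA is separate.
        dnCertClient.storeCertificate(response.getX509CACertificate(), true, true);
        if (response.hasX509RootCACertificate()) {
            dnCertClient.storeRootCACertificate(response.getX509RootCACertificate(), true);
        }
        String dnCertSerialId = signedCert.getSerialNumber().toString();
        datanodeDetails.setCertSerialId(dnCertSerialId);
        persistDatanodeDetails(datanodeDetails);
        // Rebuild the client so its default certSerialId and certificate pick
        // up the result of this CSR.
        dnCertClient = new DNCertificateClient(new SecurityConfig(config), dnCertSerialId);
    } catch (IOException | CertificateException e) {
        LOG.error("Error while storing SCM signed certificate.", e);
        throw new RuntimeException(e);
    }
}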
