Example 1 with SCMSecurityException

Use of org.apache.hadoop.hdds.security.exception.SCMSecurityException in project ozone by apache.

The class ShortLivedTokenVerifier, method verify.

@Override
public void verify(String user, Token<?> token, ContainerCommandRequestProtoOrBuilder cmd) throws SCMSecurityException {
    // Only some container commands carry a block/container token; the rest pass through.
    if (!isTokenRequired(cmd.getCmdType())) {
        return;
    }
    if (caClient == null) {
        throw new SCMSecurityException("Certificate client not available to validate token");
    }
    // Deserialize the token identifier (the signed part of the token).
    T tokenId = createTokenIdentifier();
    try {
        tokenId.readFields(new DataInputStream(new ByteArrayInputStream(token.getIdentifier())));
    } catch (IOException ex) {
        throw new BlockTokenException("Failed to decode token : " + token);
    }
    UserGroupInformation tokenUser = tokenId.getUser();
    // Look up the signer's certificate by the serial id embedded in the token.
    X509Certificate signerCert = caClient.getCertificate(tokenId.getCertSerialId());
    if (signerCert == null) {
        throw new BlockTokenException("Can't find signer certificate (CertSerialId: " + tokenId.getCertSerialId() + ") of the token for user: " + tokenUser);
    }
    // The signer certificate must be inside its validity period.
    try {
        signerCert.checkValidity();
    } catch (CertificateExpiredException exExp) {
        throw new BlockTokenException("Token can't be verified due to expired certificate " + tokenId.getCertSerialId());
    } catch (CertificateNotYetValidException exNyv) {
        throw new BlockTokenException("Token can't be verified due to not yet valid certificate " + tokenId.getCertSerialId());
    }
    // The token password is the signature over the serialized identifier.
    if (!caClient.verifySignature(tokenId.getBytes(), token.getPassword(), signerCert)) {
        throw new BlockTokenException("Invalid token for user: " + tokenUser);
    }
    // check expiration
    if (tokenId.isExpired(Instant.now())) {
        throw new BlockTokenException("Expired token for user: " + tokenUser);
    }
    // check token service (blockID or containerID)
    String service = String.valueOf(getService(cmd));
    if (!Objects.equals(service, tokenId.getService())) {
        throw new BlockTokenException("ID mismatch. Token for ID: " + tokenId.getService() + " can't be used to access: " + service + " by user: " + tokenUser);
    }
    // Subclass-specific checks on the decoded identifier against the command.
    verify(tokenId, cmd);
}
Imports used: java.security.cert.CertificateNotYetValidException, org.apache.hadoop.hdds.security.exception.SCMSecurityException, java.security.cert.CertificateExpiredException, java.io.ByteArrayInputStream, java.io.IOException, java.io.DataInputStream, java.security.cert.X509Certificate, org.apache.hadoop.security.UserGroupInformation

Example 2 with SCMSecurityException

The class SCMSecurityProtocolServerSideTranslatorPB, method getCrls.

public SCMGetCrlsResponseProto getCrls(SCMGetCrlsRequestProto request) throws IOException {
    // Fetch the requested CRLs from the server implementation and convert each to protobuf.
    List<CRLInfo> crls = impl.getCrls(request.getCrlIdList());
    SCMGetCrlsResponseProto.Builder builder = SCMGetCrlsResponseProto.newBuilder();
    for (CRLInfo crl : crls) {
        try {
            builder.addCrlInfos(crl.getProtobuf());
        } catch (SCMSecurityException e) {
            // Log locally, then propagate so the RPC client sees the failure.
            LOG.error("Fail in parsing CRL info", e);
            throw new SCMSecurityException("Fail in parsing CRL info", e);
        }
    }
    return builder.build();
}
Imports used: org.apache.hadoop.hdds.security.exception.SCMSecurityException, org.apache.hadoop.hdds.security.x509.crl.CRLInfo, org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCrlsResponseProto

Example 3 with SCMSecurityException

The class SCMSecurityProtocolServer, method listCertificate.

/**
 * @param role            - node role: OM/SCM/DN.
 * @param startSerialId   - start certificate serial id.
 * @param count           - max number of certificates returned in a batch.
 * @param isRevoked       - whether list for revoked certs only.
 * @return list of PEM-encoded certificates.
 * @throws IOException if the certificates cannot be listed or encoded.
 */
@Override
public List<String> listCertificate(NodeType role, long startSerialId, int count, boolean isRevoked) throws IOException {
    List<X509Certificate> certificates = scmCertificateServer.listCertificate(role, startSerialId, count, isRevoked);
    List<String> results = new ArrayList<>(certificates.size());
    for (X509Certificate cert : certificates) {
        try {
            // PEM-encode each certificate for the wire.
            String certStr = CertificateCodec.getPEMEncodedString(cert);
            results.add(certStr);
        } catch (SCMSecurityException e) {
            // Re-wrap, preserving the original error code for the caller.
            throw new SCMSecurityException("listCertificate operation failed.", e, e.getErrorCode());
        }
    }
    return results;
}
Imports used: org.apache.hadoop.hdds.security.exception.SCMSecurityException, java.util.ArrayList, java.security.cert.X509Certificate

Example 4 with SCMSecurityException

The class SCMSecurityProtocolServer, method getCertificate.

/**
 * Get SCM signed certificate with given serial id.
 *
 * @param certSerialId - Certificate serial id.
 * @return string         - pem encoded SCM signed certificate.
 * @throws IOException if the certificate cannot be read or is not found.
 */
@Override
public String getCertificate(String certSerialId) throws IOException {
    LOGGER.debug("Getting certificate with certificate serial id {}", certSerialId);
    try {
        X509Certificate certificate = scmCertificateServer.getCertificate(certSerialId);
        if (certificate != null) {
            return CertificateCodec.getPEMEncodedString(certificate);
        }
    } catch (CertificateException e) {
        throw new SCMSecurityException("getCertificate operation failed. ", e, GET_CERTIFICATE_FAILED);
    }
    // A null result from the certificate server means no certificate with this serial id exists.
    LOGGER.info("Certificate with serial id {} not found.", certSerialId);
    throw new SCMSecurityException("Certificate not found", CERTIFICATE_NOT_FOUND);
}
Imports used: org.apache.hadoop.hdds.security.exception.SCMSecurityException, java.security.cert.CertificateException, java.security.cert.X509Certificate

Example 5 with SCMSecurityException

The class SCMCertStore, method listCertificate.

@Override
public List<X509Certificate> listCertificate(NodeType role, BigInteger startSerialID, int count, CertType certType) throws IOException {
    List<X509Certificate> results = new ArrayList<>();
    String errorMessage = "Fail to list certificate from SCM metadata store";
    Preconditions.checkNotNull(startSerialID);
    // A start serial id of 0 means "from the beginning of the table".
    if (startSerialID.longValue() == 0) {
        startSerialID = null;
    }
    if (certType == VALID_CERTS) {
        // Valid certificates are stored directly, keyed by serial id.
        List<? extends Table.KeyValue<BigInteger, X509Certificate>> certs = getValidCertTableList(role, startSerialID, count);
        for (Table.KeyValue<BigInteger, X509Certificate> kv : certs) {
            try {
                X509Certificate cert = kv.getValue();
                results.add(cert);
            } catch (IOException e) {
                LOG.error(errorMessage, e);
                throw new SCMSecurityException(errorMessage);
            }
        }
    } else {
        // Revoked certificates are stored as CertInfo entries wrapping the certificate.
        List<? extends Table.KeyValue<BigInteger, CertInfo>> certs = scmMetadataStore.getRevokedCertsV2Table().getRangeKVs(startSerialID, count);
        for (Table.KeyValue<BigInteger, CertInfo> kv : certs) {
            try {
                CertInfo certInfo = kv.getValue();
                X509Certificate cert = certInfo != null ? certInfo.getX509Certificate() : null;
                results.add(cert);
            } catch (IOException e) {
                LOG.error(errorMessage, e);
                throw new SCMSecurityException(errorMessage);
            }
        }
    }
    return results;
}
Imports used: org.apache.hadoop.hdds.security.x509.certificate.CertInfo, org.apache.hadoop.hdds.utils.db.Table, org.apache.hadoop.hdds.security.exception.SCMSecurityException, java.util.ArrayList, java.io.IOException, java.security.cert.X509Certificate, java.math.BigInteger