use of org.apache.hadoop.hdds.security.exception.SCMSecurityException in project ozone by apache.
the class ShortLivedTokenVerifier method verify.
/**
 * Verifies a short-lived token presented with a container command.
 *
 * The checks run in a fixed order and the first failure wins: the signer
 * certificate must exist and be within its validity period, the signature
 * over the identifier must check out, the token must not be expired, and the
 * token's service must match the ID the command targets. Only then is the
 * subclass-specific {@code verify(tokenId, cmd)} hook consulted.
 *
 * @param user caller's user name (not consulted here; the principal is taken
 *             from the decoded token identifier).
 * @param token token carrying the serialized identifier and its signature.
 * @param cmd the command being authorized.
 * @throws SCMSecurityException if no certificate client is configured, or
 *         (as {@link BlockTokenException}) if any verification step fails.
 */
@Override
public void verify(String user, Token<?> token, ContainerCommandRequestProtoOrBuilder cmd) throws SCMSecurityException {
  // Commands that never need a token are accepted without further checks.
  if (!isTokenRequired(cmd.getCmdType())) {
    return;
  }
  if (caClient == null) {
    throw new SCMSecurityException("Certificate client not available to validate token");
  }

  // Decode the identifier bytes carried by the token.
  T tokenId = createTokenIdentifier();
  DataInputStream identifierStream = new DataInputStream(new ByteArrayInputStream(token.getIdentifier()));
  try {
    tokenId.readFields(identifierStream);
  } catch (IOException ex) {
    throw new BlockTokenException("Failed to decode token : " + token);
  }

  UserGroupInformation principal = tokenId.getUser();
  String certSerialId = tokenId.getCertSerialId();

  // The signer is identified by certificate serial id; unknown signer -> reject.
  X509Certificate signerCert = caClient.getCertificate(certSerialId);
  if (signerCert == null) {
    throw new BlockTokenException("Can't find signer certificate (CertSerialId: " + certSerialId
        + ") of the token for user: " + principal);
  }

  // The certificate must currently be valid for its signature to be trusted.
  try {
    signerCert.checkValidity();
  } catch (CertificateNotYetValidException notYetValid) {
    throw new BlockTokenException("Token can't be verified due to not yet valid certificate " + certSerialId);
  } catch (CertificateExpiredException expired) {
    throw new BlockTokenException("Token can't be verified due to expired certificate " + certSerialId);
  }

  // Signature over the identifier bytes, using the token's password as the signature.
  boolean signatureOk = caClient.verifySignature(tokenId.getBytes(), token.getPassword(), signerCert);
  if (!signatureOk) {
    throw new BlockTokenException("Invalid token for user: " + principal);
  }

  // Token lifetime is checked only after the signature, so the expiry field is trusted.
  if (tokenId.isExpired(Instant.now())) {
    throw new BlockTokenException("Expired token for user: " + principal);
  }

  // Bind the token to the command's target (blockID or containerID).
  String requestedService = String.valueOf(getService(cmd));
  if (!Objects.equals(requestedService, tokenId.getService())) {
    throw new BlockTokenException("ID mismatch. Token for ID: " + tokenId.getService()
        + " can't be used to access: " + requestedService + " by user: " + principal);
  }

  verify(tokenId, cmd);
}
use of org.apache.hadoop.hdds.security.exception.SCMSecurityException in project ozone by apache.
the class SCMSecurityProtocolServerSideTranslatorPB method getCrls.
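/**
 * Server-side translation of the getCrls RPC: fetches the requested CRLs
 * from the implementation and packs each one into the response.
 *
 * @param request carries the list of CRL ids to fetch.
 * @return response holding one CRL info entry per CRL returned by the implementation;
 *         empty when none were returned.
 * @throws IOException from the underlying implementation, or as
 *         {@link SCMSecurityException} when a CRL cannot be converted to protobuf.
 */
public SCMGetCrlsResponseProto getCrls(SCMGetCrlsRequestProto request) throws IOException {
  List<CRLInfo> crls = impl.getCrls(request.getCrlIdList());
  SCMGetCrlsResponseProto.Builder builder = SCMGetCrlsResponseProto.newBuilder();
  for (CRLInfo crl : crls) {
    try {
      builder.addCrlInfos(crl.getProtobuf());
    } catch (SCMSecurityException e) {
      LOG.error("Fail in parsing CRL info", e);
      // Re-wrap with the original error code so the client sees the specific
      // failure class instead of a generic one.
      throw new SCMSecurityException("Fail in parsing CRL info", e, e.getErrorCode());
    }
  }
  return builder.build();
}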
use of org.apache.hadoop.hdds.security.exception.SCMSecurityException in project ozone by apache.
the class SCMSecurityProtocolServer method listCertificate.
/**
 * Lists SCM-issued certificates as PEM-encoded strings.
 *
 * @param role - node role: OM/SCM/DN.
 * @param startSerialId - start certificate serial id.
 * @param count - max number of certificates returned in a batch.
 * @param isRevoked - whether list for revoked certs only.
 * @return PEM-encoded certificates in the order the certificate server returned
 *         them; empty when none match.
 * @throws IOException if the certificate server fails, or as
 *         {@link SCMSecurityException} if a certificate cannot be PEM-encoded.
 */
@Override
public List<String> listCertificate(NodeType role, long startSerialId, int count, boolean isRevoked) throws IOException {
  List<X509Certificate> certs = scmCertificateServer.listCertificate(role, startSerialId, count, isRevoked);
  List<String> pemEncoded = new ArrayList<>(certs.size());
  for (X509Certificate cert : certs) {
    pemEncoded.add(encodeCertificateAsPem(cert));
  }
  return pemEncoded;
}

/**
 * PEM-encodes one certificate, re-wrapping an encoding failure with the
 * operation name while keeping the original cause and error code.
 */
private static String encodeCertificateAsPem(X509Certificate cert) throws IOException {
  try {
    return CertificateCodec.getPEMEncodedString(cert);
  } catch (SCMSecurityException e) {
    throw new SCMSecurityException("listCertificate operation failed.", e, e.getErrorCode());
  }
}
use of org.apache.hadoop.hdds.security.exception.SCMSecurityException in project ozone by apache.
the class SCMSecurityProtocolServer method getCertificate.
/**
 * Get SCM signed certificate with given serial id.
 *
 * @param certSerialId - Certificate serial id.
 * @return string - pem encoded SCM signed certificate.
 * @throws IOException as {@link SCMSecurityException} with
 *         {@code GET_CERTIFICATE_FAILED} if the lookup fails, or with
 *         {@code CERTIFICATE_NOT_FOUND} if no certificate has that serial id.
 */
@Override
public String getCertificate(String certSerialId) throws IOException {
  LOGGER.debug("Getting certificate with certificate serial id {}", certSerialId);
  X509Certificate cert;
  try {
    cert = scmCertificateServer.getCertificate(certSerialId);
    if (cert != null) {
      return CertificateCodec.getPEMEncodedString(cert);
    }
  } catch (CertificateException e) {
    // Lookup/encoding failures are surfaced with a dedicated error code.
    throw new SCMSecurityException("getCertificate operation failed. ", e, GET_CERTIFICATE_FAILED);
  }
  // A null result from the server means the serial id is unknown.
  LOGGER.info("Certificate with serial id {} not found.", certSerialId);
  throw new SCMSecurityException("Certificate not found", CERTIFICATE_NOT_FOUND);
}
use of org.apache.hadoop.hdds.security.exception.SCMSecurityException in project ozone by apache.
the class SCMCertStore method listCertificate.
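/**
 * Lists certificates of the given type from the SCM metadata store.
 *
 * @param role node role the certificates were issued to.
 * @param startSerialID first serial id of the range; zero means "from the beginning".
 * @param count maximum number of entries to return.
 * @param certType {@code VALID_CERTS} for the valid-cert table, anything else for the
 *                 revoked-cert table.
 * @return certificates in store order. For the revoked table an entry whose
 *         stored {@code CertInfo} is absent is returned as {@code null}, so
 *         callers must tolerate null elements.
 * @throws IOException from the store, or as {@link SCMSecurityException} when a
 *         stored value cannot be decoded.
 */
@Override
public List<X509Certificate> listCertificate(NodeType role, BigInteger startSerialID, int count, CertType certType) throws IOException {
  Preconditions.checkNotNull(startSerialID);
  String errorMessage = "Fail to list certificate from SCM metadata store";
  // The store takes null to mean "no lower bound". Compare with signum() rather
  // than longValue(): longValue() keeps only the low 64 bits, so a large serial
  // whose low bits are all zero would otherwise be mistaken for zero.
  BigInteger fromSerialId = startSerialID.signum() == 0 ? null : startSerialID;
  List<X509Certificate> results = new ArrayList<>();
  if (certType == VALID_CERTS) {
    List<? extends Table.KeyValue<BigInteger, X509Certificate>> certs = getValidCertTableList(role, fromSerialId, count);
    for (Table.KeyValue<BigInteger, X509Certificate> kv : certs) {
      try {
        results.add(kv.getValue());
      } catch (IOException e) {
        LOG.error(errorMessage, e);
        // Keep the decoding failure as the cause so the root problem is not lost.
        throw new SCMSecurityException(errorMessage, e);
      }
    }
  } else {
    List<? extends Table.KeyValue<BigInteger, CertInfo>> certs = scmMetadataStore.getRevokedCertsV2Table().getRangeKVs(fromSerialId, count);
    for (Table.KeyValue<BigInteger, CertInfo> kv : certs) {
      try {
        CertInfo certInfo = kv.getValue();
        // A missing CertInfo is passed through as a null element (see the return doc).
        results.add(certInfo != null ? certInfo.getX509Certificate() : null);
      } catch (IOException e) {
        LOG.error(errorMessage, e);
        throw new SCMSecurityException(errorMessage, e);
      }
    }
  }
  return results;
}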