Example 1 with SecurityConfig
use of org.apache.hadoop.hdds.security.x509.SecurityConfig in project ozone by apache.
the class TestSecureOzoneManager method testSecureOmInitFailures.
/**
* Test failure cases for secure OM initialization.
*/
@Test
public void testSecureOmInitFailures() throws Exception {
PrivateKey privateKey;
PublicKey publicKey;
LogCapturer omLogs = LogCapturer.captureLogs(OzoneManager.getLogger());
OMStorage omStorage = new OMStorage(conf);
omStorage.setClusterId(clusterId);
omStorage.setOmId(omId);
omLogs.clearOutput();
// Case 1: When keypair as well as certificate is missing. Initial keypair
// boot-up. Get certificate will fail when SCM is not running.
SecurityConfig securityConfig = new SecurityConfig(conf);
CertificateClient client = new OMCertificateClient(securityConfig, omStorage.getOmCertSerialId());
Assert.assertEquals(CertificateClient.InitResponse.GETCERT, client.init());
privateKey = client.getPrivateKey();
publicKey = client.getPublicKey();
Assert.assertNotNull(client.getPrivateKey());
Assert.assertNotNull(client.getPublicKey());
Assert.assertNull(client.getCertificate());
// Case 2: If key pair already exist than response should be RECOVER.
client = new OMCertificateClient(securityConfig, omStorage.getOmCertSerialId());
Assert.assertEquals(CertificateClient.InitResponse.RECOVER, client.init());
Assert.assertNotNull(client.getPrivateKey());
Assert.assertNotNull(client.getPublicKey());
Assert.assertNull(client.getCertificate());
// Case 3: When public key as well as certificate is missing.
client = new OMCertificateClient(securityConfig);
FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT).toString(), securityConfig.getPublicKeyFileName()).toFile());
Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
Assert.assertNotNull(client.getPrivateKey());
Assert.assertNull(client.getPublicKey());
Assert.assertNull(client.getCertificate());
// Case 4: When private key and certificate is missing.
client = new OMCertificateClient(securityConfig);
KeyCodec keyCodec = new KeyCodec(securityConfig, COMPONENT);
keyCodec.writePublicKey(publicKey);
FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT).toString(), securityConfig.getPrivateKeyFileName()).toFile());
Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
Assert.assertNull(client.getPrivateKey());
Assert.assertNotNull(client.getPublicKey());
Assert.assertNull(client.getCertificate());
// Case 5: When only certificate is present.
FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT).toString(), securityConfig.getPublicKeyFileName()).toFile());
CertificateCodec certCodec = new CertificateCodec(securityConfig, COMPONENT);
X509Certificate x509Certificate = KeyStoreTestUtil.generateCertificate("CN=Test", new KeyPair(publicKey, privateKey), 10, securityConfig.getSignatureAlgo());
certCodec.writeCertificate(new X509CertificateHolder(x509Certificate.getEncoded()));
client = new OMCertificateClient(securityConfig, x509Certificate.getSerialNumber().toString());
omStorage.setOmCertSerialId(x509Certificate.getSerialNumber().toString());
Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
Assert.assertNull(client.getPrivateKey());
Assert.assertNull(client.getPublicKey());
Assert.assertNotNull(client.getCertificate());
// Case 6: When private key and certificate is present.
client = new OMCertificateClient(securityConfig, x509Certificate.getSerialNumber().toString());
FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT).toString(), securityConfig.getPublicKeyFileName()).toFile());
keyCodec.writePrivateKey(privateKey);
Assert.assertEquals(CertificateClient.InitResponse.SUCCESS, client.init());
Assert.assertNotNull(client.getPrivateKey());
Assert.assertNotNull(client.getPublicKey());
Assert.assertNotNull(client.getCertificate());
// Case 7 When keypair and certificate is present.
client = new OMCertificateClient(securityConfig, x509Certificate.getSerialNumber().toString());
Assert.assertEquals(CertificateClient.InitResponse.SUCCESS, client.init());
Assert.assertNotNull(client.getPrivateKey());
Assert.assertNotNull(client.getPublicKey());
Assert.assertNotNull(client.getCertificate());
}
Also used :
OMCertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.OMCertificateClient)
CertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient)
KeyPair(java.security.KeyPair)
PrivateKey(java.security.PrivateKey)
SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig)
PublicKey(java.security.PublicKey)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
LogCapturer(org.apache.ozone.test.GenericTestUtils.LogCapturer)
CertificateCodec(org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec)
KeyCodec(org.apache.hadoop.hdds.security.x509.keys.KeyCodec)
OMCertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.OMCertificateClient)
X509Certificate(java.security.cert.X509Certificate)
Test(org.junit.Test)
Example 2 with SecurityConfig
use of org.apache.hadoop.hdds.security.x509.SecurityConfig in project ozone by apache.
the class TestOzoneContainerWithTLS method setup.
@Before
public void setup() throws Exception {
conf = new OzoneConfiguration();
String ozoneMetaPath = GenericTestUtils.getTempPath("ozoneMeta");
File ozoneMetaFile = new File(ozoneMetaPath);
conf.set(OZONE_METADATA_DIRS, ozoneMetaPath);
FileUtil.fullyDelete(ozoneMetaFile);
String keyDirName = conf.get(HDDS_KEY_DIR_NAME, HDDS_KEY_DIR_NAME_DEFAULT);
File ozoneKeyDir = new File(ozoneMetaFile, keyDirName);
ozoneKeyDir.mkdirs();
conf.setBoolean(OZONE_SECURITY_ENABLED_KEY, true);
conf.setBoolean(HddsConfigKeys.HDDS_GRPC_TLS_ENABLED, true);
conf.setBoolean(HddsConfigKeys.HDDS_GRPC_TLS_TEST_CERT, true);
long expiryTime = conf.getTimeDuration(HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME, HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME_DEFAULT, TimeUnit.MILLISECONDS);
caClient = new CertificateClientTestImpl(conf);
secretManager = new OzoneBlockTokenSecretManager(new SecurityConfig(conf), expiryTime, caClient.getCertificate().getSerialNumber().toString());
}
Also used :
CertificateClientTestImpl(org.apache.hadoop.ozone.client.CertificateClientTestImpl)
SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig)
OzoneConfiguration(org.apache.hadoop.hdds.conf.OzoneConfiguration)
File(java.io.File)
OzoneBlockTokenSecretManager(org.apache.hadoop.ozone.security.OzoneBlockTokenSecretManager)
Before(org.junit.Before)
Example 3 with SecurityConfig
use of org.apache.hadoop.hdds.security.x509.SecurityConfig in project ozone by apache.
the class TestSecureOzoneContainer method setup.
@Before
public void setup() throws Exception {
DefaultMetricsSystem.setMiniClusterMode(true);
ExitUtils.disableSystemExit();
conf = new OzoneConfiguration();
String ozoneMetaPath = GenericTestUtils.getTempPath("ozoneMeta");
conf.set(OZONE_METADATA_DIRS, ozoneMetaPath);
secConfig = new SecurityConfig(conf);
caClient = new CertificateClientTestImpl(conf);
secretManager = new ContainerTokenSecretManager(new SecurityConfig(conf), TimeUnit.DAYS.toMillis(1), caClient.getCertificate().getSerialNumber().toString());
}
Also used :
SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig)
CertificateClientTestImpl(org.apache.hadoop.ozone.client.CertificateClientTestImpl)
OzoneConfiguration(org.apache.hadoop.hdds.conf.OzoneConfiguration)
ContainerTokenSecretManager(org.apache.hadoop.hdds.security.token.ContainerTokenSecretManager)
Before(org.junit.Before)
Example 4 with SecurityConfig
use of org.apache.hadoop.hdds.security.x509.SecurityConfig in project ozone by apache.
the class TestDefaultCAServer method testRequestCertificate.
/**
* The most important test of this test suite. This tests that we are able
* to create a Test CA, creates it own self-Signed CA and then issue a
* certificate based on a CSR.
* @throws SCMSecurityException - on ERROR.
* @throws ExecutionException - on ERROR.
* @throws InterruptedException - on ERROR.
* @throws NoSuchProviderException - on ERROR.
* @throws NoSuchAlgorithmException - on ERROR.
*/
@Test
public void testRequestCertificate() throws IOException, ExecutionException, InterruptedException, NoSuchProviderException, NoSuchAlgorithmException {
String scmId = RandomStringUtils.randomAlphabetic(4);
String clusterId = RandomStringUtils.randomAlphabetic(4);
KeyPair keyPair = new HDDSKeyGenerator(conf).generateKey();
PKCS10CertificationRequest csr = new CertificateSignRequest.Builder().addDnsName("hadoop.apache.org").addIpAddress("8.8.8.8").addServiceName("OzoneMarketingCluster002").setCA(false).setClusterID(clusterId).setScmID(scmId).setSubject("Ozone Cluster").setConfiguration(conf).setKey(keyPair).build();
// Let us convert this to a string to mimic the common use case.
String csrString = CertificateSignRequest.getEncodedString(csr);
CertificateServer testCA = new DefaultCAServer("testCA", clusterId, scmId, caStore, new DefaultProfile(), Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString());
testCA.init(new SecurityConfig(conf), SELF_SIGNED_CA);
Future<X509CertificateHolder> holder = testCA.requestCertificate(csrString, CertificateApprover.ApprovalType.TESTING_AUTOMATIC, SCM);
// Right now our calls are synchronous. Eventually this will have to wait.
assertTrue(holder.isDone());
assertNotNull(holder.get());
}
Also used :
PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest)
DefaultProfile(org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile)
KeyPair(java.security.KeyPair)
HDDSKeyGenerator(org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator)
SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
Test(org.junit.Test)
Example 5 with SecurityConfig
use of org.apache.hadoop.hdds.security.x509.SecurityConfig in project ozone by apache.
the class TestDefaultCAServer method testMissingCertificate.
@Test
public void testMissingCertificate() {
SecurityConfig securityConfig = new SecurityConfig(conf);
CertificateServer testCA = new DefaultCAServer("testCA", RandomStringUtils.randomAlphabetic(4), RandomStringUtils.randomAlphabetic(4), caStore, new DefaultProfile(), Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString());
Consumer<SecurityConfig> caInitializer = ((DefaultCAServer) testCA).processVerificationStatus(DefaultCAServer.VerificationStatus.MISSING_CERTIFICATE, SELF_SIGNED_CA);
try {
caInitializer.accept(securityConfig);
fail("code should not reach here, exception should have been thrown.");
} catch (IllegalStateException e) {
// This also is a runtime exception. Hence not caught by junit expected
// exception.
assertTrue(e.toString().contains("Missing Root Certs"));
}
}
Also used :
DefaultProfile(org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile)
SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig)
Test(org.junit.Test)
Aggregations
SecurityConfig (org.apache.hadoop.hdds.security.x509.SecurityConfig)47
Test (org.junit.Test)25
HDDSKeyGenerator (org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator)18
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)17
Before (org.junit.Before)17
KeyPair (java.security.KeyPair)15
OzoneConfiguration (org.apache.hadoop.hdds.conf.OzoneConfiguration)15
IOException (java.io.IOException)12
DefaultProfile (org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile)11
CertificateCodec (org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec)11
File (java.io.File)9
X509Certificate (java.security.cert.X509Certificate)9
LocalDate (java.time.LocalDate)8
CertificateClient (org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient)7
KeyCodec (org.apache.hadoop.hdds.security.x509.keys.KeyCodec)7
PKCS10CertificationRequest (org.bouncycastle.pkcs.PKCS10CertificationRequest)7
Path (java.nio.file.Path)5
Date (java.util.Date)5
CertificateClientTestImpl (org.apache.hadoop.ozone.client.CertificateClientTestImpl)5
BeforeClass (org.junit.BeforeClass)5
