Example 1 with DNCertificateClient

use of org.apache.hadoop.hdds.security.x509.certificate.client.DNCertificateClient in project ozone by apache.

the class TestDefaultCertificateClient method testCertificateLoadingOnInit.

@Test
public void testCertificateLoadingOnInit() throws Exception {
    KeyPair keyPair = keyGenerator.generateKey();
    X509Certificate cert1 = generateX509Cert(keyPair);
    X509Certificate cert2 = generateX509Cert(keyPair);
    X509Certificate cert3 = generateX509Cert(keyPair);
    Path certPath = dnSecurityConfig.getCertificateLocation(DN_COMPONENT);
    CertificateCodec codec = new CertificateCodec(dnSecurityConfig, DN_COMPONENT);
    // Certificate not found.
    LambdaTestUtils.intercept(CertificateException.class, "Error while" + " getting certificate", () -> dnCertClient.getCertificate(cert1.getSerialNumber().toString()));
    LambdaTestUtils.intercept(CertificateException.class, "Error while" + " getting certificate", () -> dnCertClient.getCertificate(cert2.getSerialNumber().toString()));
    LambdaTestUtils.intercept(CertificateException.class, "Error while" + " getting certificate", () -> dnCertClient.getCertificate(cert3.getSerialNumber().toString()));
    codec.writeCertificate(certPath, "1.crt", getPEMEncodedString(cert1), true);
    codec.writeCertificate(certPath, "2.crt", getPEMEncodedString(cert2), true);
    codec.writeCertificate(certPath, "3.crt", getPEMEncodedString(cert3), true);
    // Re-instantiate the DN client, which loads the certificates written above from the filesystem.
    dnCertClient = new DNCertificateClient(dnSecurityConfig, certSerialId);
    assertNotNull(dnCertClient.getCertificate(cert1.getSerialNumber().toString()));
    assertNotNull(dnCertClient.getCertificate(cert2.getSerialNumber().toString()));
    assertNotNull(dnCertClient.getCertificate(cert3.getSerialNumber().toString()));
}
Also used : Path(java.nio.file.Path) KeyPair(java.security.KeyPair) CertificateCodec(org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec) X509Certificate(java.security.cert.X509Certificate) Test(org.junit.Test)
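The load-from-disk-and-look-up-by-serial behaviour that the test above exercises, as an added example that is not Ozone's code. It is written in Go rather than Java so that it runs stand-alone: the Go standard library can mint the test certificates without BouncyCastle. It goes one step beyond the test in two respects a practitioner would want: the store is keyed by issuer plus serial, because RFC 5280 makes serial numbers unique only per issuer, and certificates outside their validity window are never served. `CertStore`, `LoadCertDir`, `WriteSampleDir`, the CNs `scm-a` and `scm-b`, and the `*.crt` sample files are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// certKey identifies a certificate the way RFC 5280 does: a serial number is
// unique only within one issuer, so keying on serial alone can return the
// wrong certificate when two CAs happen to issue the same serial.
type certKey struct {
	issuer string
	serial string
}

// CertStore holds the certificates loaded from a directory (hypothetical
// store type, modelled on a client re-reading <certdir>/*.crt at start-up).
type CertStore struct {
	certs map[certKey]*x509.Certificate
}

var ErrNotFound = errors.New("error while getting certificate: not found")

// LoadCertDir parses every PEM CERTIFICATE block in dir/*.crt, drops
// certificates that are not valid at "now", and indexes the rest by
// (issuer, serial). Unparsable files are skipped, not fatal.
func LoadCertDir(dir string, now time.Time) (*CertStore, error) {
	files, err := filepath.Glob(filepath.Join(dir, "*.crt"))
	if err != nil {
		return nil, err
	}
	store := &CertStore{certs: map[certKey]*x509.Certificate{}}
	for _, f := range files {
		data, err := os.ReadFile(f)
		if err != nil {
			return nil, err
		}
		for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
			if block.Type != "CERTIFICATE" {
				continue
			}
			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				continue // junk on disk must not poison the whole load
			}
			if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
				continue // never hand out an expired or not-yet-valid certificate
			}
			store.certs[certKey{cert.Issuer.String(), cert.SerialNumber.String()}] = cert
		}
	}
	return store, nil
}

// Get looks a certificate up by issuer DN (e.g. "CN=scm-a") and decimal serial.
func (s *CertStore) Get(issuer, serial string) (*x509.Certificate, error) {
	c, ok := s.certs[certKey{issuer, serial}]
	if !ok {
		return nil, ErrNotFound
	}
	return c, nil
}

// Count returns how many certificates the store accepted.
func (s *CertStore) Count() int { return len(s.certs) }

// selfSignedPEM mints a self-signed certificate: constructed sample input only.
func selfSignedPEM(cn string, serial int64, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// WriteSampleDir populates dir with the constructed sample set: two valid
// certificates from different issuers that share serial 1, one expired
// certificate with serial 2, and a junk .crt file that must not break loading.
func WriteSampleDir(dir string, now time.Time) error {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return err
	}
	samples := []struct {
		name, cn string
		serial   int64
		from, to time.Time
	}{
		{"1.crt", "scm-a", 1, now.Add(-time.Hour), now.Add(24 * time.Hour)},
		{"2.crt", "scm-b", 1, now.Add(-time.Hour), now.Add(24 * time.Hour)},
		{"3.crt", "scm-a", 2, now.Add(-48 * time.Hour), now.Add(-24 * time.Hour)},
	}
	for _, s := range samples {
		p, err := selfSignedPEM(s.cn, s.serial, s.from, s.to)
		if err != nil {
			return err
		}
		if err := os.WriteFile(filepath.Join(dir, s.name), p, 0o600); err != nil {
			return err
		}
	}
	return os.WriteFile(filepath.Join(dir, "junk.crt"), []byte("not a certificate\n"), 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "certs")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	now := time.Now()
	if err := WriteSampleDir(dir, now); err != nil {
		panic(err)
	}
	store, err := LoadCertDir(dir, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("loaded:", store.Count()) // the expired cert and the junk file are dropped
	_, err = store.Get("CN=scm-a", "2")
	fmt.Println("expired lookup:", err)
}
```

Keying on serial alone, as the test does, would make `1.crt` and `2.crt` collide and leave whichever file the directory listing returned last in the store; a client that receives certificates from more than one SCM instance or CA should carry the issuer in the key.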

Example 2 with DNCertificateClient

use of org.apache.hadoop.hdds.security.x509.certificate.client.DNCertificateClient in project ozone by apache.

the class TestCertificateClientInit method setUp.

@Before
public void setUp() throws Exception {
    OzoneConfiguration config = new OzoneConfiguration();
    final String path = GenericTestUtils.getTempPath(UUID.randomUUID().toString());
    metaDirPath = Paths.get(path, "test");
    config.set(HDDS_METADATA_DIR_NAME, metaDirPath.toString());
    securityConfig = new SecurityConfig(config);
    keyGenerator = new HDDSKeyGenerator(securityConfig);
    keyPair = keyGenerator.generateKey();
    x509Certificate = getX509Certificate();
    certSerialId = x509Certificate.getSerialNumber().toString();
    dnCertificateClient = new DNCertificateClient(securityConfig, certSerialId);
    omCertificateClient = new OMCertificateClient(securityConfig, certSerialId);
    dnKeyCodec = new KeyCodec(securityConfig, DN_COMPONENT);
    omKeyCodec = new KeyCodec(securityConfig, OM_COMPONENT);
    Files.createDirectories(securityConfig.getKeyLocation(DN_COMPONENT));
    Files.createDirectories(securityConfig.getKeyLocation(OM_COMPONENT));
}
Also used : HDDSKeyGenerator(org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator) SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig) OzoneConfiguration(org.apache.hadoop.hdds.conf.OzoneConfiguration) KeyCodec(org.apache.hadoop.hdds.security.x509.keys.KeyCodec) Before(org.junit.Before)

Example 3 with DNCertificateClient

use of org.apache.hadoop.hdds.security.x509.certificate.client.DNCertificateClient in project ozone by apache.

the class TestHddsSecureDatanodeInit method setUpDNCertClient.

@Before
public void setUpDNCertClient() {
    FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(DN_COMPONENT).toString(), securityConfig.getPrivateKeyFileName()).toFile());
    FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(DN_COMPONENT).toString(), securityConfig.getPublicKeyFileName()).toFile());
    FileUtils.deleteQuietly(Paths.get(securityConfig.getCertificateLocation(DN_COMPONENT).toString(), securityConfig.getCertificateFileName()).toFile());
    dnLogs.clearOutput();
    client = new DNCertificateClient(securityConfig, certHolder.getSerialNumber().toString());
    service.setCertificateClient(client);
}
Also used : DNCertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.DNCertificateClient) Before(org.junit.Before)

Example 4 with DNCertificateClient

use of org.apache.hadoop.hdds.security.x509.certificate.client.DNCertificateClient in project ozone by apache.

the class TestContainerServer method setup.

@BeforeClass
public static void setup() {
    CONF.set(HddsConfigKeys.HDDS_METADATA_DIR_NAME, TEST_DIR);
    caClient = new DNCertificateClient(new SecurityConfig(CONF));
}
Also used : DNCertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.DNCertificateClient) SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig) BeforeClass(org.junit.BeforeClass)

Example 5 with DNCertificateClient

use of org.apache.hadoop.hdds.security.x509.certificate.client.DNCertificateClient in project ozone by apache.

the class HddsDatanodeService method start.

public void start() {
    serviceRuntimeInfo.setStartTime();
    RatisDropwizardExports.registerRatisMetricReporters(ratisMetricsMap);
    OzoneConfiguration.activate();
    HddsServerUtil.initializeMetrics(conf, "HddsDatanode");
    try {
        String hostname = HddsUtils.getHostName(conf);
        String ip = InetAddress.getByName(hostname).getHostAddress();
        datanodeDetails = initializeDatanodeDetails();
        datanodeDetails.setHostName(hostname);
        datanodeDetails.setIpAddress(ip);
        datanodeDetails.setVersion(HddsVersionInfo.HDDS_VERSION_INFO.getVersion());
        datanodeDetails.setSetupTime(Time.now());
        datanodeDetails.setRevision(HddsVersionInfo.HDDS_VERSION_INFO.getRevision());
        datanodeDetails.setBuildDate(HddsVersionInfo.HDDS_VERSION_INFO.getDate());
        datanodeDetails.setCurrentVersion(DatanodeVersions.CURRENT_VERSION);
        TracingUtil.initTracing("HddsDatanodeService." + datanodeDetails.getUuidString().substring(0, 8), conf);
        LOG.info("HddsDatanodeService host:{} ip:{}", hostname, ip);
        // Authenticate Hdds Datanode service if security is enabled
        if (OzoneSecurityUtil.isSecurityEnabled(conf)) {
            component = "dn-" + datanodeDetails.getUuidString();
            dnCertClient = new DNCertificateClient(new SecurityConfig(conf), datanodeDetails.getCertSerialId());
            if (SecurityUtil.getAuthenticationMethod(conf).equals(UserGroupInformation.AuthenticationMethod.KERBEROS)) {
                LOG.info("Ozone security is enabled. Attempting login for Hdds " + "Datanode user. Principal: {},keytab: {}", conf.get(DFSConfigKeysLegacy.DFS_DATANODE_KERBEROS_PRINCIPAL_KEY), conf.get(DFSConfigKeysLegacy.DFS_DATANODE_KERBEROS_KEYTAB_FILE_KEY));
                UserGroupInformation.setConfiguration(conf);
                SecurityUtil.login(conf, DFSConfigKeysLegacy.DFS_DATANODE_KERBEROS_KEYTAB_FILE_KEY, DFSConfigKeysLegacy.DFS_DATANODE_KERBEROS_PRINCIPAL_KEY, hostname);
            } else {
                throw new AuthenticationException(SecurityUtil.getAuthenticationMethod(conf) + " authentication method not " + "supported. Datanode user" + " login " + "failed.");
            }
            LOG.info("Hdds Datanode login successful.");
        }
        DatanodeLayoutStorage layoutStorage = new DatanodeLayoutStorage(conf, datanodeDetails.getUuidString());
        if (layoutStorage.getState() != INITIALIZED) {
            layoutStorage.initialize();
        }
        // initialize datanode CRL store
        dnCRLStore = new DatanodeCRLStoreImpl(conf);
        if (OzoneSecurityUtil.isSecurityEnabled(conf)) {
            initializeCertificateClient(conf);
        }
        datanodeStateMachine = new DatanodeStateMachine(datanodeDetails, conf, dnCertClient, this::terminateDatanode, dnCRLStore);
        try {
            httpServer = new HddsDatanodeHttpServer(conf);
            httpServer.start();
        } catch (Exception ex) {
            LOG.error("HttpServer failed to start.", ex);
        }
        startPlugins();
        // Starting HDDS Daemons
        datanodeStateMachine.startDaemon();
        if ("follower".equalsIgnoreCase(System.getenv("OZONE_DATANODE_STANDALONE_TEST"))) {
            startRatisForTest();
        }
        registerMXBean();
    } catch (IOException e) {
        throw new RuntimeException("Can't start the HDDS datanode plugin", e);
    } catch (AuthenticationException ex) {
        throw new RuntimeException("Fail to authentication when starting" + " HDDS datanode plugin", ex);
    }
}
Also used : DNCertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.DNCertificateClient) SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig) AuthenticationException(org.apache.hadoop.security.authentication.client.AuthenticationException) DatanodeLayoutStorage(org.apache.hadoop.ozone.container.common.DatanodeLayoutStorage) DatanodeStateMachine(org.apache.hadoop.ozone.container.common.statemachine.DatanodeStateMachine) CertificateSignRequest.getEncodedString(org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest.getEncodedString) IOException(java.io.IOException) DatanodeCRLStoreImpl(org.apache.hadoop.hdds.datanode.metadata.DatanodeCRLStoreImpl) CertificateException(java.security.cert.CertificateException)

Aggregations

SecurityConfig (org.apache.hadoop.hdds.security.x509.SecurityConfig) 4
DNCertificateClient (org.apache.hadoop.hdds.security.x509.certificate.client.DNCertificateClient) 4
IOException (java.io.IOException) 2
CertificateException (java.security.cert.CertificateException) 2
CertificateSignRequest.getEncodedString (org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest.getEncodedString) 2
Before (org.junit.Before) 2
Path (java.nio.file.Path) 1
KeyPair (java.security.KeyPair) 1
X509Certificate (java.security.cert.X509Certificate) 1
OzoneConfiguration (org.apache.hadoop.hdds.conf.OzoneConfiguration) 1
DatanodeCRLStoreImpl (org.apache.hadoop.hdds.datanode.metadata.DatanodeCRLStoreImpl) 1
SCMGetCertResponseProto (org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto) 1
SCMSecurityProtocolClientSideTranslatorPB (org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB) 1
CertificateCodec (org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec) 1
HDDSKeyGenerator (org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator) 1
KeyCodec (org.apache.hadoop.hdds.security.x509.keys.KeyCodec) 1
DatanodeLayoutStorage (org.apache.hadoop.ozone.container.common.DatanodeLayoutStorage) 1
DatanodeStateMachine (org.apache.hadoop.ozone.container.common.statemachine.DatanodeStateMachine) 1
AuthenticationException (org.apache.hadoop.security.authentication.client.AuthenticationException) 1
PKCS10CertificationRequest (org.bouncycastle.pkcs.PKCS10CertificationRequest) 1