
Example 1 with OMCertificateClient

use of org.apache.hadoop.hdds.security.x509.certificate.client.OMCertificateClient in project ozone by apache.

the class TestSecureOzoneManager method testSecureOmInitFailures.

/**
 * Drives secure-OM bootstrap through every combination of on-disk key
 * material and checks the {@link CertificateClient.InitResponse} that
 * {@link OMCertificateClient#init()} reports for each one.
 *
 * The cases build on each other: files written or deleted in one case are
 * the starting state of the next, so the order cannot be changed. The
 * mapping asserted below is:
 * <ul>
 *   <li>nothing on disk             -&gt; GETCERT (key pair generated, cert to be fetched)</li>
 *   <li>key pair, no certificate    -&gt; RECOVER</li>
 *   <li>private key only            -&gt; FAILURE</li>
 *   <li>public key only             -&gt; FAILURE</li>
 *   <li>certificate only            -&gt; FAILURE</li>
 *   <li>private key + certificate   -&gt; SUCCESS</li>
 *   <li>same state, fresh client    -&gt; SUCCESS</li>
 * </ul>
 * Only GETCERT and SUCCESS let {@code OzoneManager#initializeSecurity}
 * continue; every other state must fail closed rather than start an OM
 * with partial credentials.
 */
@Test
public void testSecureOmInitFailures() throws Exception {
    // Captured so that accumulated log output is cleared before the scenarios
    // run; nothing in this method asserts on the captured text.
    LogCapturer omLogs = LogCapturer.captureLogs(OzoneManager.getLogger());
    OMStorage omStorage = new OMStorage(conf);
    omStorage.setClusterId(clusterId);
    omStorage.setOmId(omId);
    omLogs.clearOutput();
    SecurityConfig securityConfig = new SecurityConfig(conf);

    // Case 1: nothing on disk. init() produces a key pair and reports that a
    // certificate has to be obtained; actually fetching one would fail here
    // because no SCM is running.
    CertificateClient client = new OMCertificateClient(securityConfig, omStorage.getOmCertSerialId());
    Assert.assertEquals(CertificateClient.InitResponse.GETCERT, client.init());
    PrivateKey privateKey = client.getPrivateKey();
    PublicKey publicKey = client.getPublicKey();
    expectMaterial(client, true, true, false);

    // Case 2: the key pair from Case 1 is on disk but no certificate -> RECOVER.
    client = new OMCertificateClient(securityConfig, omStorage.getOmCertSerialId());
    Assert.assertEquals(CertificateClient.InitResponse.RECOVER, client.init());
    expectMaterial(client, true, true, false);

    // Case 3: private key only. The public key file is removed after the
    // client is constructed but before init() runs -> FAILURE.
    client = new OMCertificateClient(securityConfig);
    deleteKeyFile(securityConfig, securityConfig.getPublicKeyFileName());
    Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
    expectMaterial(client, true, false, false);

    // Case 4: public key only -> FAILURE. Without the private half there is
    // nothing the OM could sign with, so this state is not recoverable.
    client = new OMCertificateClient(securityConfig);
    KeyCodec keyCodec = new KeyCodec(securityConfig, COMPONENT);
    keyCodec.writePublicKey(publicKey);
    deleteKeyFile(securityConfig, securityConfig.getPrivateKeyFileName());
    Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
    expectMaterial(client, false, true, false);

    // Case 5: certificate only -> FAILURE. A test certificate is generated for
    // the Case 1 key pair (presumably self-signed by KeyStoreTestUtil; the
    // third argument is its validity, in days as far as that helper's
    // signature shows) purely so that a well-formed cert exists on disk
    // without its keys.
    deleteKeyFile(securityConfig, securityConfig.getPublicKeyFileName());
    CertificateCodec certCodec = new CertificateCodec(securityConfig, COMPONENT);
    X509Certificate testCert = KeyStoreTestUtil.generateCertificate("CN=Test", new KeyPair(publicKey, privateKey), 10, securityConfig.getSignatureAlgo());
    certCodec.writeCertificate(new X509CertificateHolder(testCert.getEncoded()));
    String certSerialId = testCert.getSerialNumber().toString();
    client = new OMCertificateClient(securityConfig, certSerialId);
    omStorage.setOmCertSerialId(certSerialId);
    Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
    expectMaterial(client, false, false, true);

    // Case 6: private key + certificate, public key file absent -> SUCCESS.
    // getPublicKey() is still non-null afterwards, so the client evidently
    // reconstructs it (presumably from the certificate) instead of requiring
    // the file.
    client = new OMCertificateClient(securityConfig, certSerialId);
    deleteKeyFile(securityConfig, securityConfig.getPublicKeyFileName());
    keyCodec.writePrivateKey(privateKey);
    Assert.assertEquals(CertificateClient.InitResponse.SUCCESS, client.init());
    expectMaterial(client, true, true, true);

    // Case 7: whatever Case 6 left on disk (private key + certificate, plus
    // anything init() may have written back) must still yield SUCCESS for a
    // freshly constructed client.
    client = new OMCertificateClient(securityConfig, certSerialId);
    Assert.assertEquals(CertificateClient.InitResponse.SUCCESS, client.init());
    expectMaterial(client, true, true, true);
}

/**
 * Removes one file from the OM component's key directory, ignoring a
 * missing file or a failed delete (FileUtils.deleteQuietly semantics).
 */
private void deleteKeyFile(SecurityConfig securityConfig, String fileName) {
    FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT).toString(), fileName).toFile());
}

/**
 * Asserts which pieces of key material the client currently exposes.
 * A {@code true} flag asserts the corresponding getter is non-null,
 * {@code false} asserts it is null.
 */
private void expectMaterial(CertificateClient client, boolean hasPrivateKey, boolean hasPublicKey, boolean hasCertificate) {
    if (hasPrivateKey) {
        Assert.assertNotNull(client.getPrivateKey());
    } else {
        Assert.assertNull(client.getPrivateKey());
    }
    if (hasPublicKey) {
        Assert.assertNotNull(client.getPublicKey());
    } else {
        Assert.assertNull(client.getPublicKey());
    }
    if (hasCertificate) {
        Assert.assertNotNull(client.getCertificate());
    } else {
        Assert.assertNull(client.getCertificate());
    }
}

Example 2 with OMCertificateClient

use of org.apache.hadoop.hdds.security.x509.certificate.client.OMCertificateClient in project ozone by apache.

the class OzoneManager method initializeSecurity.

/**
 * Initializes the secure OzoneManager: loads or bootstraps the OM's key pair
 * and certificate through {@link OMCertificateClient#init()} and acts on the
 * reported state.
 *
 * Only two outcomes let startup continue: SUCCESS (key pair and certificate
 * already present) and GETCERT (keys exist but no certificate yet; one is
 * requested from SCM via getSCMSignedCert and stored). FAILURE and RECOVER
 * both abort with a RuntimeException so that the OM never comes up with
 * partial credentials; RECOVER specifically means the certificate is missing
 * (per the log message) and needs attention outside this method. An
 * unexpected response value is treated the same way.
 *
 * @param conf    OM configuration, used to build the SecurityConfig
 * @param omStore OM storage supplying the certificate serial id to load
 * @param scmId   id of the SCM asked to sign the certificate (GETCERT path)
 * @throws IOException      propagated from getSCMSignedCert
 * @throws RuntimeException on FAILURE, RECOVER or an unrecognised response
 */
@VisibleForTesting
public static void initializeSecurity(OzoneConfiguration conf, OMStorage omStore, String scmId) throws IOException {
    LOG.info("Initializing secure OzoneManager.");
    CertificateClient certClient = new OMCertificateClient(new SecurityConfig(conf), omStore.getOmCertSerialId());
    CertificateClient.InitResponse response = certClient.init();
    LOG.info("Init response: {}", response);
    switch (response) {
        case SUCCESS:
            LOG.info("Initialization successful.");
            return;
        case GETCERT:
            getSCMSignedCert(certClient, conf, omStore, scmId);
            LOG.info("Successfully stored SCM signed certificate.");
            return;
        case FAILURE:
            LOG.error("OM security initialization failed.");
            break;
        case RECOVER:
            LOG.error("OM security initialization failed. OM certificate is missing.");
            break;
        default:
            LOG.error("OM security initialization failed. Init response: {}", response);
            break;
    }
    // Fail closed: every state other than SUCCESS/GETCERT aborts startup.
    throw new RuntimeException("OM security initialization failed.");
}

Example 3 with OMCertificateClient

use of org.apache.hadoop.hdds.security.x509.certificate.client.OMCertificateClient in project ozone by apache.

the class TestCertificateClientInit method setUp.

/**
 * Prepares an isolated key directory layout plus the DN and OM certificate
 * clients exercised by the init tests.
 *
 * The metadata dir is rooted under a random per-run temp path so that key
 * material written by one run can never be picked up by another. One key
 * pair and one certificate are generated up front and both clients are
 * handed the same certificate serial id. Only the (empty) key directories
 * are created here; what ends up inside them is decided by each test.
 */
@Before
public void setUp() throws Exception {
    final String tempRoot = GenericTestUtils.getTempPath(UUID.randomUUID().toString());
    OzoneConfiguration config = new OzoneConfiguration();
    metaDirPath = Paths.get(tempRoot, "test");
    config.set(HDDS_METADATA_DIR_NAME, metaDirPath.toString());
    securityConfig = new SecurityConfig(config);

    // Shared test credentials; getX509Certificate() is defined elsewhere in
    // this class and presumably wraps keyPair.
    keyGenerator = new HDDSKeyGenerator(securityConfig);
    keyPair = keyGenerator.generateKey();
    x509Certificate = getX509Certificate();
    certSerialId = x509Certificate.getSerialNumber().toString();

    // Clients and codecs are built before the key directories exist, matching
    // the order tests rely on; directory creation comes last.
    dnCertificateClient = new DNCertificateClient(securityConfig, certSerialId);
    omCertificateClient = new OMCertificateClient(securityConfig, certSerialId);
    dnKeyCodec = new KeyCodec(securityConfig, DN_COMPONENT);
    omKeyCodec = new KeyCodec(securityConfig, OM_COMPONENT);
    Files.createDirectories(securityConfig.getKeyLocation(DN_COMPONENT));
    Files.createDirectories(securityConfig.getKeyLocation(OM_COMPONENT));
}

Example 4 with OMCertificateClient

use of org.apache.hadoop.hdds.security.x509.certificate.client.OMCertificateClient in project ozone by apache.

the class TestOzoneDelegationTokenSecretManager method setupCertificateClient.

/**
 * Builds an OM certificate client backed entirely by in-memory test
 * credentials: a freshly generated RSA key pair and a certificate issued
 * for it by KeyStoreTestUtil (the numeric argument is its validity, in days
 * as far as that helper's signature shows).
 *
 * Every credential getter is overridden, so nothing is read from or written
 * to the on-disk key location of {@code securityConfig}. Note that
 * {@code getCertificate(String)} ignores its serial id and always returns
 * the same certificate; tests using this client therefore do not exercise
 * serial-id lookup or detection of a mismatched serial.
 *
 * @return an OMCertificateClient serving the generated key pair and certificate
 * @throws Exception if key pair or certificate generation fails
 */
private CertificateClient setupCertificateClient() throws Exception {
    final KeyPair testKeys = KeyStoreTestUtil.generateKeyPair("RSA");
    final X509Certificate testCert = KeyStoreTestUtil.generateCertificate("CN=OzoneMaster", testKeys, 30, "SHA256withRSA");
    return new OMCertificateClient(securityConfig) {

        @Override
        public PrivateKey getPrivateKey() {
            return testKeys.getPrivate();
        }

        @Override
        public PublicKey getPublicKey() {
            return testKeys.getPublic();
        }

        @Override
        public X509Certificate getCertificate() {
            return testCert;
        }

        // Serial id is deliberately not consulted -- any id maps to testCert.
        @Override
        public X509Certificate getCertificate(String serialId) {
            return testCert;
        }
    };
}

Example 5 with OMCertificateClient

use of org.apache.hadoop.hdds.security.x509.certificate.client.OMCertificateClient in project ozone by apache.

the class TestOzoneManagerRatisServer method init.

/**
 * Starts a single-node OM Ratis server against a mocked OzoneManager.
 *
 * Metadata lives under a random temp directory named after the generated
 * OM id; the RPC address binds an ephemeral port (0) on the local host.
 * The certificate client is created from the security config but
 * {@code init()} is never called on it here, so no key material is loaded
 * for this server. The trailing {@code false} passed to newOMRatisServer is
 * an opaque flag from this listing's point of view -- presumably a
 * security/TLS switch, confirm against OzoneManagerRatisServer.
 */
@Before
public void init() throws Exception {
    conf = new OzoneConfiguration();
    omID = UUID.randomUUID().toString();
    final String tempRoot = GenericTestUtils.getTempPath(omID);
    Path metaDirPath = Paths.get(tempRoot, "om-meta");
    conf.set(HddsConfigKeys.OZONE_METADATA_DIRS, metaDirPath.toString());
    conf.setTimeDuration(OMConfigKeys.OZONE_OM_RATIS_MINIMUM_TIMEOUT_KEY, RATIS_RPC_TIMEOUT, TimeUnit.MILLISECONDS);

    // Security config and client depend only on conf, which is complete now.
    secConfig = new SecurityConfig(conf);
    certClient = new OMCertificateClient(secConfig);

    final int ratisPort = conf.getInt(OMConfigKeys.OZONE_OM_RATIS_PORT_KEY, OMConfigKeys.OZONE_OM_RATIS_PORT_DEFAULT);
    final InetSocketAddress rpcAddress = new InetSocketAddress(InetAddress.getLocalHost(), 0);
    omNodeDetails = new OMNodeDetails.Builder()
        .setRpcAddress(rpcAddress)
        .setRatisPort(ratisPort)
        .setOMNodeId(omID)
        .setOMServiceId(OzoneConsts.OM_SERVICE_ID_DEFAULT)
        .build();

    // Mocked OM: only the metadata manager and snapshot info are wired up.
    ozoneManager = Mockito.mock(OzoneManager.class);
    OzoneConfiguration dbConf = new OzoneConfiguration();
    dbConf.set(OMConfigKeys.OZONE_OM_DB_DIRS, folder.newFolder().getAbsolutePath());
    omMetadataManager = new OmMetadataManagerImpl(dbConf);
    when(ozoneManager.getMetadataManager()).thenReturn(omMetadataManager);
    initialTermIndex = TermIndex.valueOf(0, 0);
    RatisSnapshotInfo snapshotInfo = new RatisSnapshotInfo();
    when(ozoneManager.getSnapshotInfo()).thenReturn(snapshotInfo);

    // No peers: a single-node Ratis group.
    omRatisServer = OzoneManagerRatisServer.newOMRatisServer(conf, ozoneManager, omNodeDetails, Collections.emptyMap(), secConfig, certClient, false);
    omRatisServer.start();
}
