
Example 1 with S3SecretValue

use of org.apache.hadoop.ozone.om.helpers.S3SecretValue in project ozone by apache.

the class GetS3SecretHandler method execute.

@Override
protected void execute(OzoneClient client, OzoneAddress address) throws IOException {
    // No user given on the command line: fall back to the caller's own principal.
    final boolean noUserGiven = username == null || username.isEmpty();
    if (noUserGiven) {
        username = UserGroupInformation.getCurrentUser().getUserName();
    }
    // Fetch the S3 access key / secret pair the OM holds for this user.
    final S3SecretValue credentials = client.getObjectStore().getS3Secret(username);
    // Plain mode: print the value object as-is (this output contains the secret and
    // should be handled like any other credential material by the caller).
    if (!export) {
        out().println(credentials);
        return;
    }
    // Export mode: emit shell `export` lines suitable for `eval`.
    // NOTE(review): the values are written without shell quoting — confirm a secret
    // can never contain characters the shell would interpret.
    out().println("export AWS_ACCESS_KEY_ID=" + credentials.getAwsAccessKey());
    out().println("export AWS_SECRET_ACCESS_KEY=" + credentials.getAwsSecret());
}

Example 2 with S3SecretValue

use of org.apache.hadoop.ozone.om.helpers.S3SecretValue in project ozone by apache.

the class TestSecureOzoneRpcClient method testS3Auth.

@Test
public void testS3Auth() throws Exception {
    final String volumeName = UUID.randomUUID().toString();
    // Fixed string-to-sign / signature pair. Whether the OM accepts it depends only on
    // the secret stored for accessKey; the second half of the test swaps that secret
    // out to drive the rejection path.
    final String strToSign = "AWS4-HMAC-SHA256\n"
        + "20150830T123600Z\n"
        + "20150830/us-east-1/iam/aws4_request\n"
        + "f536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59";
    final String signature = "5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7";
    final String secret = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY";
    final String accessKey = UserGroupInformation.getCurrentUser().getUserName();

    // Register the secret the signature above was derived from.
    cluster.getOzoneManager().getMetadataManager().getS3SecretTable()
        .put(accessKey, new S3SecretValue(accessKey, secret));

    // Same S3 credentials are attached to both the write and the read request.
    final S3Authentication auth = S3Authentication.newBuilder()
        .setAccessId(accessKey)
        .setSignature(signature)
        .setStringToSign(strToSign)
        .build();

    final VolumeInfo requestedVolume = VolumeInfo.newBuilder()
        .setVolume(volumeName)
        .setAdminName(accessKey)
        .setOwnerName(accessKey)
        .build();
    final OMRequest writeRequest = OMRequest.newBuilder()
        .setCmdType(OzoneManagerProtocolProtos.Type.CreateVolume)
        .setVersion(CURRENT_VERSION)
        .setClientId(UUID.randomUUID().toString())
        .setCreateVolumeRequest(CreateVolumeRequest.newBuilder().setVolumeInfo(requestedVolume).build())
        .setS3Authentication(auth)
        .build();

    GenericTestUtils.waitFor(() -> cluster.getOzoneManager().isLeaderReady(), 100, 120000);

    // Authenticated write must succeed.
    OMResponse omResponse = cluster.getOzoneManager().getOmServerProtocol().submitRequest(null, writeRequest);
    Assert.assertEquals(Status.OK, omResponse.getStatus());

    // Authenticated read of the volume just created must succeed and echo the metadata.
    final OMRequest readRequest = OMRequest.newBuilder()
        .setCmdType(OzoneManagerProtocolProtos.Type.InfoVolume)
        .setVersion(CURRENT_VERSION)
        .setClientId(UUID.randomUUID().toString())
        .setInfoVolumeRequest(InfoVolumeRequest.newBuilder().setVolumeName(volumeName).build())
        .setS3Authentication(auth)
        .build();
    omResponse = cluster.getOzoneManager().getOmServerProtocol().submitRequest(null, readRequest);
    Assert.assertEquals(Status.OK, omResponse.getStatus());

    final VolumeInfo volumeInfo = omResponse.getInfoVolumeResponse().getVolumeInfo();
    Assert.assertNotNull(volumeInfo);
    Assert.assertEquals(volumeName, volumeInfo.getVolume());
    Assert.assertEquals(accessKey, volumeInfo.getAdminName());
    Assert.assertEquals(accessKey, volumeInfo.getOwnerName());

    // Replace the stored secret: the unchanged signature is now invalid for this access key.
    cluster.getOzoneManager().getMetadataManager().getS3SecretTable()
        .put(accessKey, new S3SecretValue(accessKey, "dummy"));

    // Both the write and the read must now be rejected as INVALID_TOKEN.
    omResponse = cluster.getOzoneManager().getOmServerProtocol().submitRequest(null, writeRequest);
    Assert.assertEquals(Status.INVALID_TOKEN, omResponse.getStatus());
    omResponse = cluster.getOzoneManager().getOmServerProtocol().submitRequest(null, readRequest);
    Assert.assertEquals(Status.INVALID_TOKEN, omResponse.getStatus());
}

Example 3 with S3SecretValue

use of org.apache.hadoop.ozone.om.helpers.S3SecretValue in project ozone by apache.

the class S3GetSecretRequest method validateAndUpdateCache.

@Override
public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, long transactionLogIndex, OzoneManagerDoubleBufferHelper ozoneManagerDoubleBufferHelper) {
    // Applies a GetS3Secret transaction on the OM: hands back the user's stored S3 secret,
    // or, when none is stored yet, records the secret carried in the request as the new one.
    OMClientResponse omClientResponse = null;
    OMResponse.Builder omResponse = OmResponseUtil.getOMResponseBuilder(getOmRequest());
    boolean acquiredLock = false;
    // Kept outside the try so the audit / log tail can report success or failure.
    IOException exception = null;
    OMMetadataManager omMetadataManager = ozoneManager.getMetadataManager();
    UpdateGetS3SecretRequest updateGetS3SecretRequest = getOmRequest().getUpdateGetS3SecretRequest();
    String kerberosID = updateGetS3SecretRequest.getKerberosID();
    try {
        // Candidate secret supplied with the request; it is only used if the
        // table holds no secret for this user yet.
        String awsSecret = updateGetS3SecretRequest.getAwsSecret();
        // Per-user write lock guards the read-then-add below against a concurrent
        // request for the same kerberosID.
        acquiredLock = omMetadataManager.getLock().acquireWriteLock(S3_SECRET_LOCK, kerberosID);
        S3SecretValue s3SecretValue = omMetadataManager.getS3SecretTable().get(kerberosID);
        // If s3Secret for user is not in S3Secret table, add the Secret to cache.
        // (The durable write is carried by the S3GetSecretResponse built below.)
        if (s3SecretValue == null) {
            omMetadataManager.getS3SecretTable().addCacheEntry(new CacheKey<>(kerberosID), new CacheValue<>(Optional.of(new S3SecretValue(kerberosID, awsSecret)), transactionLogIndex));
        } else {
            // If it already exists, use the existing one.
            awsSecret = s3SecretValue.getAwsSecret();
        }
        // Response always carries the effective secret (existing or newly recorded).
        GetS3SecretResponse.Builder getS3SecretResponse = GetS3SecretResponse.newBuilder().setS3Secret(S3Secret.newBuilder().setAwsSecret(awsSecret).setKerberosID(kerberosID));
        if (s3SecretValue == null) {
            // New secret: the value passed here is what gets persisted by the response.
            omClientResponse = new S3GetSecretResponse(new S3SecretValue(kerberosID, awsSecret), omResponse.setGetS3SecretResponse(getS3SecretResponse).build());
        } else {
            // As when it already exists, we don't need to add to DB again. So
            // set the value to null.
            omClientResponse = new S3GetSecretResponse(null, omResponse.setGetS3SecretResponse(getS3SecretResponse).build());
        }
    } catch (IOException ex) {
        exception = ex;
        omClientResponse = new S3GetSecretResponse(null, createErrorOMResponse(omResponse, ex));
    } finally {
        // Response (success or error) is always queued, and the lock released only if
        // it was actually taken.
        addResponseToDoubleBuffer(transactionLogIndex, omClientResponse, ozoneManagerDoubleBufferHelper);
        if (acquiredLock) {
            omMetadataManager.getLock().releaseWriteLock(S3_SECRET_LOCK, kerberosID);
        }
    }
    // Audit records the requesting user only; the secret value is never audited or logged.
    Map<String, String> auditMap = new HashMap<>();
    auditMap.put(OzoneConsts.S3_GETSECRET_USER, kerberosID);
    // audit log
    auditLog(ozoneManager.getAuditLogger(), buildAuditMessage(OMAction.GET_S3_SECRET, auditMap, exception, getOmRequest().getUserInfo()));
    if (exception == null) {
        LOG.debug("Secret for accessKey:{} is generated Successfully", kerberosID);
    } else {
        LOG.error("Secret for accessKey:{} is generation failed", kerberosID, exception);
    }
    return omClientResponse;
}

Example 4 with S3SecretValue

use of org.apache.hadoop.ozone.om.helpers.S3SecretValue in project ozone by apache.

the class S3SecretManagerImpl method getS3Secret.

@Override
public S3SecretValue getS3Secret(String kerberosID) throws IOException {
    Preconditions.checkArgument(Strings.isNotBlank(kerberosID), "kerberosID cannot be null or empty.");
    final S3SecretValue created;
    // Write lock spans the lookup and the create so two concurrent first-time callers
    // cannot each mint a different secret for the same user.
    omMetadataManager.getLock().acquireWriteLock(S3_SECRET_LOCK, kerberosID);
    try {
        final S3SecretValue existing = omMetadataManager.getS3SecretTable().get(kerberosID);
        if (existing != null) {
            return existing;
        }
        // First request for this user: derive a fresh secret and persist it.
        // NOTE(review): the credential's strength rests entirely on OmUtils.getSHADigest()
        // (not visible here) — confirm it is backed by a CSPRNG.
        created = new S3SecretValue(kerberosID, DigestUtils.sha256Hex(OmUtils.getSHADigest()));
        omMetadataManager.getS3SecretTable().put(kerberosID, created);
    } finally {
        omMetadataManager.getLock().releaseWriteLock(S3_SECRET_LOCK, kerberosID);
    }
    // NOTE(review): this traces the whole S3SecretValue; if its toString() includes the
    // secret (GetS3SecretHandler prints it the same way to show the secret), TRACE
    // logging exposes credential material — confirm and consider logging the key only.
    if (LOG.isTraceEnabled()) {
        LOG.trace("Secret for accessKey:{}, proto:{}", kerberosID, created);
    }
    return created;
}

Example 5 with S3SecretValue

use of org.apache.hadoop.ozone.om.helpers.S3SecretValue in project ozone by apache.

the class S3SecretManagerImpl method getS3UserSecretString.

@Override
public String getS3UserSecretString(String kerberosID) throws IOException {
    Preconditions.checkArgument(Strings.isNotBlank(kerberosID), "awsAccessKeyId cannot be null or empty.");
    // Only the access key is traced; the secret itself never reaches the log.
    LOG.trace("Get secret for awsAccessKey:{}", kerberosID);
    final S3SecretValue stored;
    // Pure lookup, so a read lock suffices (unlike getS3Secret, which may create).
    omMetadataManager.getLock().acquireReadLock(S3_SECRET_LOCK, kerberosID);
    try {
        stored = omMetadataManager.getS3SecretTable().get(kerberosID);
    } finally {
        omMetadataManager.getLock().releaseReadLock(S3_SECRET_LOCK, kerberosID);
    }
    // Unknown access key is a security error, not a null result.
    if (stored == null) {
        throw new OzoneSecurityException("S3 secret not found for " + "awsAccessKeyId " + kerberosID, S3_SECRET_NOT_FOUND);
    }
    return stored.getAwsSecret();
}
