use of org.apache.hadoop.ozone.om.helpers.S3SecretValue in project ozone by apache.
the class GetS3SecretHandler method execute.
@Override
protected void execute(OzoneClient client, OzoneAddress address) throws IOException {
  // No explicit user on the command line: fall back to the caller's own
  // Kerberos principal name.
  final boolean noUserGiven = username == null || username.isEmpty();
  if (noUserGiven) {
    username = UserGroupInformation.getCurrentUser().getUserName();
  }

  final S3SecretValue s3Secret = client.getObjectStore().getS3Secret(username);

  if (!export) {
    // Plain form: delegates the rendering to S3SecretValue#toString.
    out().println(s3Secret);
    return;
  }

  // Shell-sourceable form. Either way the secret leaves the process in
  // clear text on stdout, so callers must treat the output accordingly.
  out().println("export AWS_ACCESS_KEY_ID=" + s3Secret.getAwsAccessKey());
  out().println("export AWS_SECRET_ACCESS_KEY=" + s3Secret.getAwsSecret());
}
use of org.apache.hadoop.ozone.om.helpers.S3SecretValue in project ozone by apache.
the class TestSecureOzoneRpcClient method testS3Auth.
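@Test
public void testS3Auth() throws Exception {
  String volumeName = UUID.randomUUID().toString();

  // Canned SigV4 string-to-sign / signature pair that validates against the
  // secret below (the secret literal ends in EXAMPLEKEY, i.e. a sample value).
  String strToSign = "AWS4-HMAC-SHA256\n"
      + "20150830T123600Z\n"
      + "20150830/us-east-1/iam/aws4_request\n"
      + "f536975d06c0309214f805bb90ccff089219ecd68b2"
      + "577efef23edd43b7e1a59";
  String signature = "5d672d79c15b13162d9279b0855cfba"
      + "6789a8edb4c82c400e06b5924a6f2b5d7";
  String secret = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY";
  String accessKey = UserGroupInformation.getCurrentUser().getUserName();

  // Seed the S3Secret table so the signature above verifies.
  cluster.getOzoneManager().getMetadataManager().getS3SecretTable()
      .put(accessKey, new S3SecretValue(accessKey, secret));

  OMRequest writeRequest = OMRequest.newBuilder()
      .setCmdType(OzoneManagerProtocolProtos.Type.CreateVolume)
      .setVersion(CURRENT_VERSION)
      .setClientId(UUID.randomUUID().toString())
      .setCreateVolumeRequest(CreateVolumeRequest.newBuilder()
          .setVolumeInfo(VolumeInfo.newBuilder()
              .setVolume(volumeName)
              .setAdminName(accessKey)
              .setOwnerName(accessKey)
              .build())
          .build())
      .setS3Authentication(S3Authentication.newBuilder()
          .setAccessId(accessKey)
          .setSignature(signature)
          .setStringToSign(strToSign))
      .build();

  GenericTestUtils.waitFor(() -> cluster.getOzoneManager().isLeaderReady(), 100, 120000);

  OMResponse omResponse = cluster.getOzoneManager().getOmServerProtocol()
      .submitRequest(null, writeRequest);
  // assertEquals (rather than assertTrue on ==) reports the actual status on failure.
  Assert.assertEquals(Status.OK, omResponse.getStatus());

  OMRequest readRequest = OMRequest.newBuilder()
      .setCmdType(OzoneManagerProtocolProtos.Type.InfoVolume)
      .setVersion(CURRENT_VERSION)
      .setClientId(UUID.randomUUID().toString())
      .setInfoVolumeRequest(InfoVolumeRequest.newBuilder()
          .setVolumeName(volumeName)
          .build())
      .setS3Authentication(S3Authentication.newBuilder()
          .setAccessId(accessKey)
          .setSignature(signature)
          .setStringToSign(strToSign))
      .build();

  omResponse = cluster.getOzoneManager().getOmServerProtocol()
      .submitRequest(null, readRequest);
  Assert.assertEquals(Status.OK, omResponse.getStatus());

  VolumeInfo volumeInfo = omResponse.getInfoVolumeResponse().getVolumeInfo();
  Assert.assertNotNull(volumeInfo);
  Assert.assertEquals(volumeName, volumeInfo.getVolume());
  Assert.assertEquals(accessKey, volumeInfo.getAdminName());
  Assert.assertEquals(accessKey, volumeInfo.getOwnerName());

  // Replace the stored secret: the same signatures must now be rejected,
  // for both the write and the read path.
  cluster.getOzoneManager().getMetadataManager().getS3SecretTable()
      .put(accessKey, new S3SecretValue(accessKey, "dummy"));

  omResponse = cluster.getOzoneManager().getOmServerProtocol()
      .submitRequest(null, writeRequest);
  Assert.assertEquals(Status.INVALID_TOKEN, omResponse.getStatus());

  omResponse = cluster.getOzoneManager().getOmServerProtocol()
      .submitRequest(null, readRequest);
  Assert.assertEquals(Status.INVALID_TOKEN, omResponse.getStatus());
}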
use of org.apache.hadoop.ozone.om.helpers.S3SecretValue in project ozone by apache.
the class S3GetSecretRequest method validateAndUpdateCache.
@Override
public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, long transactionLogIndex, OzoneManagerDoubleBufferHelper ozoneManagerDoubleBufferHelper) {
  final OMMetadataManager omMetadataManager = ozoneManager.getMetadataManager();
  final UpdateGetS3SecretRequest request = getOmRequest().getUpdateGetS3SecretRequest();
  final String kerberosID = request.getKerberosID();
  final OMResponse.Builder omResponse = OmResponseUtil.getOMResponseBuilder(getOmRequest());

  OMClientResponse omClientResponse = null;
  IOException exception = null;
  boolean lockHeld = false;
  try {
    String awsSecret = request.getAwsSecret();
    lockHeld = omMetadataManager.getLock().acquireWriteLock(S3_SECRET_LOCK, kerberosID);

    final S3SecretValue existing = omMetadataManager.getS3SecretTable().get(kerberosID);
    if (existing == null) {
      // First request for this user: stage the proposed secret in the table
      // cache under this transaction index.
      omMetadataManager.getS3SecretTable().addCacheEntry(
          new CacheKey<>(kerberosID),
          new CacheValue<>(Optional.of(new S3SecretValue(kerberosID, awsSecret)), transactionLogIndex));
    } else {
      // A secret is already on record; the one carried by the request is ignored.
      awsSecret = existing.getAwsSecret();
    }

    final GetS3SecretResponse.Builder secretResponse = GetS3SecretResponse.newBuilder()
        .setS3Secret(S3Secret.newBuilder()
            .setAwsSecret(awsSecret)
            .setKerberosID(kerberosID));
    final OMResponse built = omResponse.setGetS3SecretResponse(secretResponse).build();

    // A null payload tells the response it has nothing to write to the DB
    // (the secret already exists); otherwise the new value is persisted.
    final S3SecretValue toPersist =
        existing == null ? new S3SecretValue(kerberosID, awsSecret) : null;
    omClientResponse = new S3GetSecretResponse(toPersist, built);
  } catch (IOException ex) {
    exception = ex;
    omClientResponse = new S3GetSecretResponse(null, createErrorOMResponse(omResponse, ex));
  } finally {
    addResponseToDoubleBuffer(transactionLogIndex, omClientResponse, ozoneManagerDoubleBufferHelper);
    if (lockHeld) {
      omMetadataManager.getLock().releaseWriteLock(S3_SECRET_LOCK, kerberosID);
    }
  }

  // The audit record names the principal only; the secret itself is never
  // written to the audit log.
  final Map<String, String> auditMap = new HashMap<>();
  auditMap.put(OzoneConsts.S3_GETSECRET_USER, kerberosID);
  auditLog(ozoneManager.getAuditLogger(),
      buildAuditMessage(OMAction.GET_S3_SECRET, auditMap, exception, getOmRequest().getUserInfo()));

  if (exception != null) {
    LOG.error("Secret for accessKey:{} is generation failed", kerberosID, exception);
  } else {
    LOG.debug("Secret for accessKey:{} is generated Successfully", kerberosID);
  }
  return omClientResponse;
}
use of org.apache.hadoop.ozone.om.helpers.S3SecretValue in project ozone by apache.
the class S3SecretManagerImpl method getS3Secret.
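@Override
public S3SecretValue getS3Secret(String kerberosID) throws IOException {
  Preconditions.checkArgument(Strings.isNotBlank(kerberosID), "kerberosID cannot be null or empty.");

  S3SecretValue result = null;
  // Write lock: a concurrent call for the same user must not generate and
  // store a second, different secret.
  omMetadataManager.getLock().acquireWriteLock(S3_SECRET_LOCK, kerberosID);
  try {
    S3SecretValue s3Secret = omMetadataManager.getS3SecretTable().get(kerberosID);
    if (s3Secret != null) {
      // Existing secret wins; nothing is generated or logged for this case.
      return s3Secret;
    }
    // Entropy comes from OmUtils.getSHADigest() (not visible here); the hex
    // digest of that value becomes the stored secret.
    byte[] secret = OmUtils.getSHADigest();
    result = new S3SecretValue(kerberosID, DigestUtils.sha256Hex(secret));
    omMetadataManager.getS3SecretTable().put(kerberosID, result);
  } finally {
    omMetadataManager.getLock().releaseWriteLock(S3_SECRET_LOCK, kerberosID);
  }

  // Trace only the key the secret was generated for. The previous message
  // passed the S3SecretValue itself, whose string form may include the
  // secret and would leave it in clear text in trace logs.
  LOG.trace("Generated new S3 secret for accessKey:{}", kerberosID);
  return result;
}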
use of org.apache.hadoop.ozone.om.helpers.S3SecretValue in project ozone by apache.
the class S3SecretManagerImpl method getS3UserSecretString.
@Override
public String getS3UserSecretString(String kerberosID) throws IOException {
  Preconditions.checkArgument(Strings.isNotBlank(kerberosID), "awsAccessKeyId cannot be null or empty.");
  LOG.trace("Get secret for awsAccessKey:{}", kerberosID);

  // Read lock only: this path never creates or rewrites a secret.
  final S3SecretValue stored;
  omMetadataManager.getLock().acquireReadLock(S3_SECRET_LOCK, kerberosID);
  try {
    stored = omMetadataManager.getS3SecretTable().get(kerberosID);
  } finally {
    omMetadataManager.getLock().releaseReadLock(S3_SECRET_LOCK, kerberosID);
  }

  // Unknown access key: fail with the dedicated security error; the caller
  // (signature verification) sees the same result as a bad signature.
  if (stored == null) {
    throw new OzoneSecurityException(
        "S3 secret not found for awsAccessKeyId " + kerberosID, S3_SECRET_NOT_FOUND);
  }
  return stored.getAwsSecret();
}