HDFS-6987. Move CipherSuite xattr information up to the encryption zone root. Contributed by Zhe Zhang.
This commit is contained in:
parent
c50fc92502
commit
1737950d0f
|
@ -34,6 +34,7 @@ public class FileEncryptionInfo {
|
||||||
private final CipherSuite cipherSuite;
|
private final CipherSuite cipherSuite;
|
||||||
private final byte[] edek;
|
private final byte[] edek;
|
||||||
private final byte[] iv;
|
private final byte[] iv;
|
||||||
|
private final String keyName;
|
||||||
private final String ezKeyVersionName;
|
private final String ezKeyVersionName;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -42,14 +43,16 @@ public class FileEncryptionInfo {
|
||||||
* @param suite CipherSuite used to encrypt the file
|
* @param suite CipherSuite used to encrypt the file
|
||||||
* @param edek encrypted data encryption key (EDEK) of the file
|
* @param edek encrypted data encryption key (EDEK) of the file
|
||||||
* @param iv initialization vector (IV) used to encrypt the file
|
* @param iv initialization vector (IV) used to encrypt the file
|
||||||
|
* @param keyName name of the key used for the encryption zone
|
||||||
* @param ezKeyVersionName name of the KeyVersion used to encrypt the
|
* @param ezKeyVersionName name of the KeyVersion used to encrypt the
|
||||||
* encrypted data encryption key.
|
* encrypted data encryption key.
|
||||||
*/
|
*/
|
||||||
public FileEncryptionInfo(final CipherSuite suite, final byte[] edek,
|
public FileEncryptionInfo(final CipherSuite suite, final byte[] edek,
|
||||||
final byte[] iv, final String ezKeyVersionName) {
|
final byte[] iv, final String keyName, final String ezKeyVersionName) {
|
||||||
checkNotNull(suite);
|
checkNotNull(suite);
|
||||||
checkNotNull(edek);
|
checkNotNull(edek);
|
||||||
checkNotNull(iv);
|
checkNotNull(iv);
|
||||||
|
checkNotNull(keyName);
|
||||||
checkNotNull(ezKeyVersionName);
|
checkNotNull(ezKeyVersionName);
|
||||||
checkArgument(edek.length == suite.getAlgorithmBlockSize(),
|
checkArgument(edek.length == suite.getAlgorithmBlockSize(),
|
||||||
"Unexpected key length");
|
"Unexpected key length");
|
||||||
|
@ -58,6 +61,7 @@ public class FileEncryptionInfo {
|
||||||
this.cipherSuite = suite;
|
this.cipherSuite = suite;
|
||||||
this.edek = edek;
|
this.edek = edek;
|
||||||
this.iv = iv;
|
this.iv = iv;
|
||||||
|
this.keyName = keyName;
|
||||||
this.ezKeyVersionName = ezKeyVersionName;
|
this.ezKeyVersionName = ezKeyVersionName;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -83,6 +87,11 @@ public class FileEncryptionInfo {
|
||||||
return iv;
|
return iv;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return name of the encryption zone key.
|
||||||
|
*/
|
||||||
|
public String getKeyName() { return keyName; }
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return name of the encryption zone KeyVersion used to encrypt the
|
* @return name of the encryption zone KeyVersion used to encrypt the
|
||||||
* encrypted data encryption key (EDEK).
|
* encrypted data encryption key (EDEK).
|
||||||
|
@ -95,6 +104,7 @@ public class FileEncryptionInfo {
|
||||||
builder.append("cipherSuite: " + cipherSuite);
|
builder.append("cipherSuite: " + cipherSuite);
|
||||||
builder.append(", edek: " + Hex.encodeHexString(edek));
|
builder.append(", edek: " + Hex.encodeHexString(edek));
|
||||||
builder.append(", iv: " + Hex.encodeHexString(iv));
|
builder.append(", iv: " + Hex.encodeHexString(iv));
|
||||||
|
builder.append(", keyName: " + keyName);
|
||||||
builder.append(", ezKeyVersionName: " + ezKeyVersionName);
|
builder.append(", ezKeyVersionName: " + ezKeyVersionName);
|
||||||
builder.append("}");
|
builder.append("}");
|
||||||
return builder.toString();
|
return builder.toString();
|
||||||
|
|
|
@ -169,7 +169,6 @@ public class MiniKMS {
|
||||||
kms.set(KMSConfiguration.KEY_PROVIDER_URI,
|
kms.set(KMSConfiguration.KEY_PROVIDER_URI,
|
||||||
"jceks://file@" + new Path(kmsConfDir, "kms.keystore").toUri());
|
"jceks://file@" + new Path(kmsConfDir, "kms.keystore").toUri());
|
||||||
kms.set("hadoop.kms.authentication.type", "simple");
|
kms.set("hadoop.kms.authentication.type", "simple");
|
||||||
kms.setBoolean(KMSConfiguration.KEY_AUTHORIZATION_ENABLE, false);
|
|
||||||
Writer writer = new FileWriter(kmsFile);
|
Writer writer = new FileWriter(kmsFile);
|
||||||
kms.writeXml(writer);
|
kms.writeXml(writer);
|
||||||
writer.close();
|
writer.close();
|
||||||
|
|
|
@ -133,6 +133,9 @@ Trunk (Unreleased)
|
||||||
HDFS-6609. Use DirectorySnapshottableFeature to represent a snapshottable
|
HDFS-6609. Use DirectorySnapshottableFeature to represent a snapshottable
|
||||||
directory. (Jing Zhao via wheat9)
|
directory. (Jing Zhao via wheat9)
|
||||||
|
|
||||||
|
HDFS-6987. Move CipherSuite xattr information up to the encryption zone
|
||||||
|
root. (Zhe Zhang via wang)
|
||||||
|
|
||||||
OPTIMIZATIONS
|
OPTIMIZATIONS
|
||||||
|
|
||||||
BUG FIXES
|
BUG FIXES
|
||||||
|
|
|
@ -1319,8 +1319,7 @@ public class DFSClient implements java.io.Closeable, RemotePeerFactory,
|
||||||
" an encrypted file");
|
" an encrypted file");
|
||||||
}
|
}
|
||||||
EncryptedKeyVersion ekv = EncryptedKeyVersion.createForDecryption(
|
EncryptedKeyVersion ekv = EncryptedKeyVersion.createForDecryption(
|
||||||
//TODO: here we have to put the keyName to be provided by HDFS-6987
|
feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
|
||||||
null, feInfo.getEzKeyVersionName(), feInfo.getIV(),
|
|
||||||
feInfo.getEncryptedDataEncryptionKey());
|
feInfo.getEncryptedDataEncryptionKey());
|
||||||
try {
|
try {
|
||||||
return provider.decryptEncryptedKey(ekv);
|
return provider.decryptEncryptedKey(ekv);
|
||||||
|
|
|
@ -21,6 +21,7 @@ import org.apache.commons.lang.builder.EqualsBuilder;
|
||||||
import org.apache.commons.lang.builder.HashCodeBuilder;
|
import org.apache.commons.lang.builder.HashCodeBuilder;
|
||||||
import org.apache.hadoop.classification.InterfaceAudience;
|
import org.apache.hadoop.classification.InterfaceAudience;
|
||||||
import org.apache.hadoop.classification.InterfaceStability;
|
import org.apache.hadoop.classification.InterfaceStability;
|
||||||
|
import org.apache.hadoop.crypto.CipherSuite;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A simple class for representing an encryption zone. Presently an encryption
|
* A simple class for representing an encryption zone. Presently an encryption
|
||||||
|
@ -31,32 +32,40 @@ import org.apache.hadoop.classification.InterfaceStability;
|
||||||
@InterfaceStability.Evolving
|
@InterfaceStability.Evolving
|
||||||
public class EncryptionZone {
|
public class EncryptionZone {
|
||||||
|
|
||||||
private final String path;
|
|
||||||
private final String keyName;
|
|
||||||
private final long id;
|
private final long id;
|
||||||
|
private final String path;
|
||||||
|
private final CipherSuite suite;
|
||||||
|
private final String keyName;
|
||||||
|
|
||||||
public EncryptionZone(String path, String keyName, long id) {
|
public EncryptionZone(long id, String path,
|
||||||
this.path = path;
|
CipherSuite suite, String keyName) {
|
||||||
this.keyName = keyName;
|
|
||||||
this.id = id;
|
this.id = id;
|
||||||
}
|
this.path = path;
|
||||||
|
this.suite = suite;
|
||||||
public String getPath() {
|
this.keyName = keyName;
|
||||||
return path;
|
|
||||||
}
|
|
||||||
|
|
||||||
public String getKeyName() {
|
|
||||||
return keyName;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public long getId() {
|
public long getId() {
|
||||||
return id;
|
return id;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public String getPath() {
|
||||||
|
return path;
|
||||||
|
}
|
||||||
|
|
||||||
|
public CipherSuite getSuite() {
|
||||||
|
return suite;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getKeyName() {
|
||||||
|
return keyName;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public int hashCode() {
|
public int hashCode() {
|
||||||
return new HashCodeBuilder(13, 31).
|
return new HashCodeBuilder(13, 31).
|
||||||
append(path).append(keyName).append(id).
|
append(id).append(path).
|
||||||
|
append(suite).append(keyName).
|
||||||
toHashCode();
|
toHashCode();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -74,16 +83,18 @@ public class EncryptionZone {
|
||||||
|
|
||||||
EncryptionZone rhs = (EncryptionZone) obj;
|
EncryptionZone rhs = (EncryptionZone) obj;
|
||||||
return new EqualsBuilder().
|
return new EqualsBuilder().
|
||||||
append(path, rhs.path).
|
|
||||||
append(keyName, rhs.keyName).
|
|
||||||
append(id, rhs.id).
|
append(id, rhs.id).
|
||||||
|
append(path, rhs.path).
|
||||||
|
append(suite, rhs.suite).
|
||||||
|
append(keyName, rhs.keyName).
|
||||||
isEquals();
|
isEquals();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String toString() {
|
public String toString() {
|
||||||
return "EncryptionZone [path=" + path +
|
return "EncryptionZone [id=" + id +
|
||||||
", keyName=" + keyName +
|
", path=" + path +
|
||||||
", id=" + id + "]";
|
", suite=" + suite +
|
||||||
|
", keyName=" + keyName + "]";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -177,7 +177,6 @@ import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifie
|
||||||
import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.NamenodeRole;
|
import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.NamenodeRole;
|
||||||
import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.NodeType;
|
import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.NodeType;
|
||||||
import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.ReplicaState;
|
import org.apache.hadoop.hdfs.server.common.HdfsServerConstants.ReplicaState;
|
||||||
import org.apache.hadoop.hdfs.server.common.Storage;
|
|
||||||
import org.apache.hadoop.hdfs.server.common.StorageInfo;
|
import org.apache.hadoop.hdfs.server.common.StorageInfo;
|
||||||
import org.apache.hadoop.hdfs.server.namenode.CheckpointSignature;
|
import org.apache.hadoop.hdfs.server.namenode.CheckpointSignature;
|
||||||
import org.apache.hadoop.hdfs.server.namenode.INodeId;
|
import org.apache.hadoop.hdfs.server.namenode.INodeId;
|
||||||
|
@ -2332,12 +2331,14 @@ public class PBHelper {
|
||||||
return EncryptionZoneProto.newBuilder()
|
return EncryptionZoneProto.newBuilder()
|
||||||
.setId(zone.getId())
|
.setId(zone.getId())
|
||||||
.setKeyName(zone.getKeyName())
|
.setKeyName(zone.getKeyName())
|
||||||
.setPath(zone.getPath()).build();
|
.setPath(zone.getPath())
|
||||||
|
.setSuite(convert(zone.getSuite()))
|
||||||
|
.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
public static EncryptionZone convert(EncryptionZoneProto proto) {
|
public static EncryptionZone convert(EncryptionZoneProto proto) {
|
||||||
return new EncryptionZone(proto.getPath(), proto.getKeyName(),
|
return new EncryptionZone(proto.getId(), proto.getPath(),
|
||||||
proto.getId());
|
convert(proto.getSuite()), proto.getKeyName());
|
||||||
}
|
}
|
||||||
|
|
||||||
public static ShortCircuitShmSlotProto convert(SlotId slotId) {
|
public static ShortCircuitShmSlotProto convert(SlotId slotId) {
|
||||||
|
@ -2662,6 +2663,30 @@ public class PBHelper {
|
||||||
.setKey(getByteString(info.getEncryptedDataEncryptionKey()))
|
.setKey(getByteString(info.getEncryptedDataEncryptionKey()))
|
||||||
.setIv(getByteString(info.getIV()))
|
.setIv(getByteString(info.getIV()))
|
||||||
.setEzKeyVersionName(info.getEzKeyVersionName())
|
.setEzKeyVersionName(info.getEzKeyVersionName())
|
||||||
|
.setKeyName(info.getKeyName())
|
||||||
|
.build();
|
||||||
|
}
|
||||||
|
|
||||||
|
public static HdfsProtos.PerFileEncryptionInfoProto convertPerFileEncInfo(
|
||||||
|
FileEncryptionInfo info) {
|
||||||
|
if (info == null) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
return HdfsProtos.PerFileEncryptionInfoProto.newBuilder()
|
||||||
|
.setKey(getByteString(info.getEncryptedDataEncryptionKey()))
|
||||||
|
.setIv(getByteString(info.getIV()))
|
||||||
|
.setEzKeyVersionName(info.getEzKeyVersionName())
|
||||||
|
.build();
|
||||||
|
}
|
||||||
|
|
||||||
|
public static HdfsProtos.ZoneEncryptionInfoProto convert(
|
||||||
|
CipherSuite suite, String keyName) {
|
||||||
|
if (suite == null || keyName == null) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
return HdfsProtos.ZoneEncryptionInfoProto.newBuilder()
|
||||||
|
.setSuite(convert(suite))
|
||||||
|
.setKeyName(keyName)
|
||||||
.build();
|
.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2674,7 +2699,20 @@ public class PBHelper {
|
||||||
byte[] key = proto.getKey().toByteArray();
|
byte[] key = proto.getKey().toByteArray();
|
||||||
byte[] iv = proto.getIv().toByteArray();
|
byte[] iv = proto.getIv().toByteArray();
|
||||||
String ezKeyVersionName = proto.getEzKeyVersionName();
|
String ezKeyVersionName = proto.getEzKeyVersionName();
|
||||||
return new FileEncryptionInfo(suite, key, iv, ezKeyVersionName);
|
String keyName = proto.getKeyName();
|
||||||
|
return new FileEncryptionInfo(suite, key, iv, keyName, ezKeyVersionName);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static FileEncryptionInfo convert(
|
||||||
|
HdfsProtos.PerFileEncryptionInfoProto fileProto,
|
||||||
|
CipherSuite suite, String keyName) {
|
||||||
|
if (fileProto == null || suite == null || keyName == null) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
byte[] key = fileProto.getKey().toByteArray();
|
||||||
|
byte[] iv = fileProto.getIv().toByteArray();
|
||||||
|
String ezKeyVersionName = fileProto.getEzKeyVersionName();
|
||||||
|
return new FileEncryptionInfo(suite, key, iv, keyName, ezKeyVersionName);
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -26,6 +26,7 @@ import java.util.TreeMap;
|
||||||
import com.google.common.base.Preconditions;
|
import com.google.common.base.Preconditions;
|
||||||
import com.google.common.collect.Lists;
|
import com.google.common.collect.Lists;
|
||||||
import org.apache.hadoop.conf.Configuration;
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
import org.apache.hadoop.crypto.CipherSuite;
|
||||||
import org.apache.hadoop.fs.UnresolvedLinkException;
|
import org.apache.hadoop.fs.UnresolvedLinkException;
|
||||||
import org.apache.hadoop.fs.XAttr;
|
import org.apache.hadoop.fs.XAttr;
|
||||||
import org.apache.hadoop.fs.XAttrSetFlag;
|
import org.apache.hadoop.fs.XAttrSetFlag;
|
||||||
|
@ -33,6 +34,8 @@ import org.apache.hadoop.hdfs.DFSConfigKeys;
|
||||||
import org.apache.hadoop.hdfs.XAttrHelper;
|
import org.apache.hadoop.hdfs.XAttrHelper;
|
||||||
import org.apache.hadoop.hdfs.protocol.EncryptionZone;
|
import org.apache.hadoop.hdfs.protocol.EncryptionZone;
|
||||||
import org.apache.hadoop.hdfs.protocol.SnapshotAccessControlException;
|
import org.apache.hadoop.hdfs.protocol.SnapshotAccessControlException;
|
||||||
|
import org.apache.hadoop.hdfs.protocol.proto.HdfsProtos;
|
||||||
|
import org.apache.hadoop.hdfs.protocolPB.PBHelper;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
|
||||||
|
@ -53,8 +56,8 @@ public class EncryptionZoneManager {
|
||||||
public static Logger LOG = LoggerFactory.getLogger(EncryptionZoneManager
|
public static Logger LOG = LoggerFactory.getLogger(EncryptionZoneManager
|
||||||
.class);
|
.class);
|
||||||
|
|
||||||
private static final EncryptionZone NULL_EZ =
|
public static final EncryptionZone NULL_EZ =
|
||||||
new EncryptionZone("", "", -1);
|
new EncryptionZone(-1, "", CipherSuite.UNKNOWN, "");
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* EncryptionZoneInt is the internal representation of an encryption zone. The
|
* EncryptionZoneInt is the internal representation of an encryption zone. The
|
||||||
|
@ -62,21 +65,27 @@ public class EncryptionZoneManager {
|
||||||
* contains the EZ's pathname.
|
* contains the EZ's pathname.
|
||||||
*/
|
*/
|
||||||
private static class EncryptionZoneInt {
|
private static class EncryptionZoneInt {
|
||||||
private final String keyName;
|
|
||||||
private final long inodeId;
|
private final long inodeId;
|
||||||
|
private final CipherSuite suite;
|
||||||
|
private final String keyName;
|
||||||
|
|
||||||
EncryptionZoneInt(long inodeId, String keyName) {
|
EncryptionZoneInt(long inodeId, CipherSuite suite, String keyName) {
|
||||||
this.keyName = keyName;
|
|
||||||
this.inodeId = inodeId;
|
this.inodeId = inodeId;
|
||||||
}
|
this.suite = suite;
|
||||||
|
this.keyName = keyName;
|
||||||
String getKeyName() {
|
|
||||||
return keyName;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
long getINodeId() {
|
long getINodeId() {
|
||||||
return inodeId;
|
return inodeId;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
CipherSuite getSuite() {
|
||||||
|
return suite;
|
||||||
|
}
|
||||||
|
|
||||||
|
String getKeyName() {
|
||||||
|
return keyName;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private final TreeMap<Long, EncryptionZoneInt> encryptionZones;
|
private final TreeMap<Long, EncryptionZoneInt> encryptionZones;
|
||||||
|
@ -109,9 +118,9 @@ public class EncryptionZoneManager {
|
||||||
* @param inodeId of the encryption zone
|
* @param inodeId of the encryption zone
|
||||||
* @param keyName encryption zone key name
|
* @param keyName encryption zone key name
|
||||||
*/
|
*/
|
||||||
void addEncryptionZone(Long inodeId, String keyName) {
|
void addEncryptionZone(Long inodeId, CipherSuite suite, String keyName) {
|
||||||
assert dir.hasWriteLock();
|
assert dir.hasWriteLock();
|
||||||
unprotectedAddEncryptionZone(inodeId, keyName);
|
unprotectedAddEncryptionZone(inodeId, suite, keyName);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -122,8 +131,10 @@ public class EncryptionZoneManager {
|
||||||
* @param inodeId of the encryption zone
|
* @param inodeId of the encryption zone
|
||||||
* @param keyName encryption zone key name
|
* @param keyName encryption zone key name
|
||||||
*/
|
*/
|
||||||
void unprotectedAddEncryptionZone(Long inodeId, String keyName) {
|
void unprotectedAddEncryptionZone(Long inodeId,
|
||||||
final EncryptionZoneInt ez = new EncryptionZoneInt(inodeId, keyName);
|
CipherSuite suite, String keyName) {
|
||||||
|
final EncryptionZoneInt ez = new EncryptionZoneInt(
|
||||||
|
inodeId, suite, keyName);
|
||||||
encryptionZones.put(inodeId, ez);
|
encryptionZones.put(inodeId, ez);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -207,8 +218,8 @@ public class EncryptionZoneManager {
|
||||||
if (ezi == null) {
|
if (ezi == null) {
|
||||||
return NULL_EZ;
|
return NULL_EZ;
|
||||||
} else {
|
} else {
|
||||||
return new EncryptionZone(getFullPathName(ezi), ezi.getKeyName(),
|
return new EncryptionZone(ezi.getINodeId(), getFullPathName(ezi),
|
||||||
ezi.getINodeId());
|
ezi.getSuite(), ezi.getKeyName());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -264,7 +275,7 @@ public class EncryptionZoneManager {
|
||||||
* <p/>
|
* <p/>
|
||||||
* Called while holding the FSDirectory lock.
|
* Called while holding the FSDirectory lock.
|
||||||
*/
|
*/
|
||||||
XAttr createEncryptionZone(String src, String keyName)
|
XAttr createEncryptionZone(String src, CipherSuite suite, String keyName)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
assert dir.hasWriteLock();
|
assert dir.hasWriteLock();
|
||||||
if (dir.isNonEmptyDirectory(src)) {
|
if (dir.isNonEmptyDirectory(src)) {
|
||||||
|
@ -284,8 +295,10 @@ public class EncryptionZoneManager {
|
||||||
"encryption zone. (" + getFullPathName(ezi) + ")");
|
"encryption zone. (" + getFullPathName(ezi) + ")");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
final HdfsProtos.ZoneEncryptionInfoProto proto =
|
||||||
|
PBHelper.convert(suite, keyName);
|
||||||
final XAttr ezXAttr = XAttrHelper
|
final XAttr ezXAttr = XAttrHelper
|
||||||
.buildXAttr(CRYPTO_XATTR_ENCRYPTION_ZONE, keyName.getBytes());
|
.buildXAttr(CRYPTO_XATTR_ENCRYPTION_ZONE, proto.toByteArray());
|
||||||
|
|
||||||
final List<XAttr> xattrs = Lists.newArrayListWithCapacity(1);
|
final List<XAttr> xattrs = Lists.newArrayListWithCapacity(1);
|
||||||
xattrs.add(ezXAttr);
|
xattrs.add(ezXAttr);
|
||||||
|
@ -327,8 +340,8 @@ public class EncryptionZoneManager {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
// Add the EZ to the result list
|
// Add the EZ to the result list
|
||||||
zones.add(new EncryptionZone(pathName,
|
zones.add(new EncryptionZone(ezi.getINodeId(), pathName,
|
||||||
ezi.getKeyName(), ezi.getINodeId()));
|
ezi.getSuite(), ezi.getKeyName()));
|
||||||
count++;
|
count++;
|
||||||
if (count >= numResponses) {
|
if (count >= numResponses) {
|
||||||
break;
|
break;
|
||||||
|
|
|
@ -37,6 +37,7 @@ import com.google.protobuf.InvalidProtocolBufferException;
|
||||||
import org.apache.hadoop.HadoopIllegalArgumentException;
|
import org.apache.hadoop.HadoopIllegalArgumentException;
|
||||||
import org.apache.hadoop.classification.InterfaceAudience;
|
import org.apache.hadoop.classification.InterfaceAudience;
|
||||||
import org.apache.hadoop.conf.Configuration;
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
import org.apache.hadoop.crypto.CipherSuite;
|
||||||
import org.apache.hadoop.fs.ContentSummary;
|
import org.apache.hadoop.fs.ContentSummary;
|
||||||
import org.apache.hadoop.fs.FileAlreadyExistsException;
|
import org.apache.hadoop.fs.FileAlreadyExistsException;
|
||||||
import org.apache.hadoop.fs.FileEncryptionInfo;
|
import org.apache.hadoop.fs.FileEncryptionInfo;
|
||||||
|
@ -1402,9 +1403,10 @@ public class FSDirectory implements Closeable {
|
||||||
if (srcs.endsWith(HdfsConstants.SEPARATOR_DOT_SNAPSHOT_DIR)) {
|
if (srcs.endsWith(HdfsConstants.SEPARATOR_DOT_SNAPSHOT_DIR)) {
|
||||||
return getSnapshotsListing(srcs, startAfter);
|
return getSnapshotsListing(srcs, startAfter);
|
||||||
}
|
}
|
||||||
final INodesInPath inodesInPath = getLastINodeInPath(srcs);
|
final INodesInPath inodesInPath = getINodesInPath(srcs, true);
|
||||||
|
final INode[] inodes = inodesInPath.getINodes();
|
||||||
final int snapshot = inodesInPath.getPathSnapshotId();
|
final int snapshot = inodesInPath.getPathSnapshotId();
|
||||||
final INode targetNode = inodesInPath.getLastINode();
|
final INode targetNode = inodes[inodes.length - 1];
|
||||||
if (targetNode == null)
|
if (targetNode == null)
|
||||||
return null;
|
return null;
|
||||||
byte parentStoragePolicy = isSuperUser ?
|
byte parentStoragePolicy = isSuperUser ?
|
||||||
|
@ -1414,7 +1416,7 @@ public class FSDirectory implements Closeable {
|
||||||
return new DirectoryListing(
|
return new DirectoryListing(
|
||||||
new HdfsFileStatus[]{createFileStatus(HdfsFileStatus.EMPTY_NAME,
|
new HdfsFileStatus[]{createFileStatus(HdfsFileStatus.EMPTY_NAME,
|
||||||
targetNode, needLocation, parentStoragePolicy, snapshot,
|
targetNode, needLocation, parentStoragePolicy, snapshot,
|
||||||
isRawPath)}, 0);
|
isRawPath, inodesInPath)}, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
final INodeDirectory dirInode = targetNode.asDirectory();
|
final INodeDirectory dirInode = targetNode.asDirectory();
|
||||||
|
@ -1431,7 +1433,7 @@ public class FSDirectory implements Closeable {
|
||||||
cur.getLocalStoragePolicyID(): BlockStoragePolicy.ID_UNSPECIFIED;
|
cur.getLocalStoragePolicyID(): BlockStoragePolicy.ID_UNSPECIFIED;
|
||||||
listing[i] = createFileStatus(cur.getLocalNameBytes(), cur, needLocation,
|
listing[i] = createFileStatus(cur.getLocalNameBytes(), cur, needLocation,
|
||||||
getStoragePolicyID(curPolicy, parentStoragePolicy), snapshot,
|
getStoragePolicyID(curPolicy, parentStoragePolicy), snapshot,
|
||||||
isRawPath);
|
isRawPath, inodesInPath);
|
||||||
listingCnt++;
|
listingCnt++;
|
||||||
if (needLocation) {
|
if (needLocation) {
|
||||||
// Once we hit lsLimit locations, stop.
|
// Once we hit lsLimit locations, stop.
|
||||||
|
@ -1482,7 +1484,8 @@ public class FSDirectory implements Closeable {
|
||||||
for (int i = 0; i < numOfListing; i++) {
|
for (int i = 0; i < numOfListing; i++) {
|
||||||
Root sRoot = snapshots.get(i + skipSize).getRoot();
|
Root sRoot = snapshots.get(i + skipSize).getRoot();
|
||||||
listing[i] = createFileStatus(sRoot.getLocalNameBytes(), sRoot,
|
listing[i] = createFileStatus(sRoot.getLocalNameBytes(), sRoot,
|
||||||
BlockStoragePolicy.ID_UNSPECIFIED, Snapshot.CURRENT_STATE_ID, false);
|
BlockStoragePolicy.ID_UNSPECIFIED, Snapshot.CURRENT_STATE_ID,
|
||||||
|
false, null);
|
||||||
}
|
}
|
||||||
return new DirectoryListing(
|
return new DirectoryListing(
|
||||||
listing, snapshots.size() - skipSize - numOfListing);
|
listing, snapshots.size() - skipSize - numOfListing);
|
||||||
|
@ -1505,12 +1508,14 @@ public class FSDirectory implements Closeable {
|
||||||
if (srcs.endsWith(HdfsConstants.SEPARATOR_DOT_SNAPSHOT_DIR)) {
|
if (srcs.endsWith(HdfsConstants.SEPARATOR_DOT_SNAPSHOT_DIR)) {
|
||||||
return getFileInfo4DotSnapshot(srcs);
|
return getFileInfo4DotSnapshot(srcs);
|
||||||
}
|
}
|
||||||
final INodesInPath inodesInPath = getLastINodeInPath(srcs, resolveLink);
|
final INodesInPath inodesInPath = getINodesInPath(srcs, resolveLink);
|
||||||
final INode i = inodesInPath.getINode(0);
|
final INode[] inodes = inodesInPath.getINodes();
|
||||||
|
final INode i = inodes[inodes.length - 1];
|
||||||
byte policyId = includeStoragePolicy && i != null && !i.isSymlink() ?
|
byte policyId = includeStoragePolicy && i != null && !i.isSymlink() ?
|
||||||
i.getStoragePolicyID() : BlockStoragePolicy.ID_UNSPECIFIED;
|
i.getStoragePolicyID() : BlockStoragePolicy.ID_UNSPECIFIED;
|
||||||
return i == null ? null : createFileStatus(HdfsFileStatus.EMPTY_NAME, i,
|
return i == null ? null : createFileStatus(HdfsFileStatus.EMPTY_NAME, i,
|
||||||
policyId, inodesInPath.getPathSnapshotId(), isRawPath);
|
policyId, inodesInPath.getPathSnapshotId(), isRawPath,
|
||||||
|
inodesInPath);
|
||||||
} finally {
|
} finally {
|
||||||
readUnlock();
|
readUnlock();
|
||||||
}
|
}
|
||||||
|
@ -2162,8 +2167,17 @@ public class FSDirectory implements Closeable {
|
||||||
for (XAttr xattr : xattrs) {
|
for (XAttr xattr : xattrs) {
|
||||||
final String xaName = XAttrHelper.getPrefixName(xattr);
|
final String xaName = XAttrHelper.getPrefixName(xattr);
|
||||||
if (CRYPTO_XATTR_ENCRYPTION_ZONE.equals(xaName)) {
|
if (CRYPTO_XATTR_ENCRYPTION_ZONE.equals(xaName)) {
|
||||||
ezManager.unprotectedAddEncryptionZone(inode.getId(),
|
try {
|
||||||
new String(xattr.getValue()));
|
final HdfsProtos.ZoneEncryptionInfoProto ezProto =
|
||||||
|
HdfsProtos.ZoneEncryptionInfoProto.parseFrom(
|
||||||
|
xattr.getValue());
|
||||||
|
ezManager.unprotectedAddEncryptionZone(inode.getId(),
|
||||||
|
PBHelper.convert(ezProto.getSuite()),
|
||||||
|
ezProto.getKeyName());
|
||||||
|
} catch (InvalidProtocolBufferException e) {
|
||||||
|
NameNode.LOG.warn("Error parsing protocol buffer of " +
|
||||||
|
"EZ XAttr " + xattr.getName());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -2355,12 +2369,15 @@ public class FSDirectory implements Closeable {
|
||||||
* @throws IOException if any error occurs
|
* @throws IOException if any error occurs
|
||||||
*/
|
*/
|
||||||
private HdfsFileStatus createFileStatus(byte[] path, INode node,
|
private HdfsFileStatus createFileStatus(byte[] path, INode node,
|
||||||
boolean needLocation, byte storagePolicy, int snapshot, boolean isRawPath)
|
boolean needLocation, byte storagePolicy, int snapshot,
|
||||||
|
boolean isRawPath, INodesInPath iip)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
if (needLocation) {
|
if (needLocation) {
|
||||||
return createLocatedFileStatus(path, node, storagePolicy, snapshot, isRawPath);
|
return createLocatedFileStatus(path, node, storagePolicy, snapshot,
|
||||||
|
isRawPath, iip);
|
||||||
} else {
|
} else {
|
||||||
return createFileStatus(path, node, storagePolicy, snapshot, isRawPath);
|
return createFileStatus(path, node, storagePolicy, snapshot,
|
||||||
|
isRawPath, iip);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2368,14 +2385,14 @@ public class FSDirectory implements Closeable {
|
||||||
* Create FileStatus by file INode
|
* Create FileStatus by file INode
|
||||||
*/
|
*/
|
||||||
HdfsFileStatus createFileStatus(byte[] path, INode node, byte storagePolicy,
|
HdfsFileStatus createFileStatus(byte[] path, INode node, byte storagePolicy,
|
||||||
int snapshot, boolean isRawPath) throws IOException {
|
int snapshot, boolean isRawPath, INodesInPath iip) throws IOException {
|
||||||
long size = 0; // length is zero for directories
|
long size = 0; // length is zero for directories
|
||||||
short replication = 0;
|
short replication = 0;
|
||||||
long blocksize = 0;
|
long blocksize = 0;
|
||||||
final boolean isEncrypted;
|
final boolean isEncrypted;
|
||||||
|
|
||||||
final FileEncryptionInfo feInfo = isRawPath ? null :
|
final FileEncryptionInfo feInfo = isRawPath ? null :
|
||||||
getFileEncryptionInfo(node, snapshot);
|
getFileEncryptionInfo(node, snapshot, iip);
|
||||||
|
|
||||||
if (node.isFile()) {
|
if (node.isFile()) {
|
||||||
final INodeFile fileNode = node.asFile();
|
final INodeFile fileNode = node.asFile();
|
||||||
|
@ -2413,7 +2430,8 @@ public class FSDirectory implements Closeable {
|
||||||
* Create FileStatus with location info by file INode
|
* Create FileStatus with location info by file INode
|
||||||
*/
|
*/
|
||||||
private HdfsLocatedFileStatus createLocatedFileStatus(byte[] path, INode node,
|
private HdfsLocatedFileStatus createLocatedFileStatus(byte[] path, INode node,
|
||||||
byte storagePolicy, int snapshot, boolean isRawPath) throws IOException {
|
byte storagePolicy, int snapshot, boolean isRawPath,
|
||||||
|
INodesInPath iip) throws IOException {
|
||||||
assert hasReadLock();
|
assert hasReadLock();
|
||||||
long size = 0; // length is zero for directories
|
long size = 0; // length is zero for directories
|
||||||
short replication = 0;
|
short replication = 0;
|
||||||
|
@ -2421,7 +2439,7 @@ public class FSDirectory implements Closeable {
|
||||||
LocatedBlocks loc = null;
|
LocatedBlocks loc = null;
|
||||||
final boolean isEncrypted;
|
final boolean isEncrypted;
|
||||||
final FileEncryptionInfo feInfo = isRawPath ? null :
|
final FileEncryptionInfo feInfo = isRawPath ? null :
|
||||||
getFileEncryptionInfo(node, snapshot);
|
getFileEncryptionInfo(node, snapshot, iip);
|
||||||
if (node.isFile()) {
|
if (node.isFile()) {
|
||||||
final INodeFile fileNode = node.asFile();
|
final INodeFile fileNode = node.asFile();
|
||||||
size = fileNode.computeFileSize(snapshot);
|
size = fileNode.computeFileSize(snapshot);
|
||||||
|
@ -2746,11 +2764,11 @@ public class FSDirectory implements Closeable {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
XAttr createEncryptionZone(String src, String keyName)
|
XAttr createEncryptionZone(String src, CipherSuite suite, String keyName)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
writeLock();
|
writeLock();
|
||||||
try {
|
try {
|
||||||
return ezManager.createEncryptionZone(src, keyName);
|
return ezManager.createEncryptionZone(src, suite, keyName);
|
||||||
} finally {
|
} finally {
|
||||||
writeUnlock();
|
writeUnlock();
|
||||||
}
|
}
|
||||||
|
@ -2781,7 +2799,8 @@ public class FSDirectory implements Closeable {
|
||||||
void setFileEncryptionInfo(String src, FileEncryptionInfo info)
|
void setFileEncryptionInfo(String src, FileEncryptionInfo info)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
// Make the PB for the xattr
|
// Make the PB for the xattr
|
||||||
final HdfsProtos.FileEncryptionInfoProto proto = PBHelper.convert(info);
|
final HdfsProtos.PerFileEncryptionInfoProto proto =
|
||||||
|
PBHelper.convertPerFileEncInfo(info);
|
||||||
final byte[] protoBytes = proto.toByteArray();
|
final byte[] protoBytes = proto.toByteArray();
|
||||||
final XAttr fileEncryptionAttr =
|
final XAttr fileEncryptionAttr =
|
||||||
XAttrHelper.buildXAttr(CRYPTO_XATTR_FILE_ENCRYPTION_INFO, protoBytes);
|
XAttrHelper.buildXAttr(CRYPTO_XATTR_FILE_ENCRYPTION_INFO, protoBytes);
|
||||||
|
@ -2797,35 +2816,64 @@ public class FSDirectory implements Closeable {
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Return the FileEncryptionInfo for an INode, or null if the INode is not
|
* This function combines the per-file encryption info (obtained
|
||||||
* an encrypted file.
|
* from the inode's XAttrs), and the encryption info from its zone, and
|
||||||
|
* returns a consolidated FileEncryptionInfo instance. Null is returned
|
||||||
|
* for non-encrypted files.
|
||||||
|
*
|
||||||
|
* @param inode inode of the file
|
||||||
|
* @param snapshotId ID of the snapshot that
|
||||||
|
* we want to get encryption info from
|
||||||
|
* @param iip inodes in the path containing the file, passed in to
|
||||||
|
* avoid obtaining the list of inodes again; if iip is
|
||||||
|
* null then the list of inodes will be obtained again
|
||||||
|
* @return consolidated file encryption info; null for non-encrypted files
|
||||||
*/
|
*/
|
||||||
FileEncryptionInfo getFileEncryptionInfo(INode inode, int snapshotId)
|
FileEncryptionInfo getFileEncryptionInfo(INode inode, int snapshotId,
|
||||||
throws IOException {
|
INodesInPath iip) throws IOException {
|
||||||
if (!inode.isFile()) {
|
if (!inode.isFile()) {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
readLock();
|
readLock();
|
||||||
try {
|
try {
|
||||||
List<XAttr> xAttrs = XAttrStorage.readINodeXAttrs(inode, snapshotId);
|
if (iip == null) {
|
||||||
if (xAttrs == null) {
|
iip = getINodesInPath(inode.getFullPathName(), true);
|
||||||
return null;
|
|
||||||
}
|
}
|
||||||
for (XAttr x : xAttrs) {
|
EncryptionZone encryptionZone = getEZForPath(iip);
|
||||||
if (XAttrHelper.getPrefixName(x)
|
if (encryptionZone == null ||
|
||||||
.equals(CRYPTO_XATTR_FILE_ENCRYPTION_INFO)) {
|
encryptionZone.equals(EncryptionZoneManager.NULL_EZ)) {
|
||||||
try {
|
// not an encrypted file
|
||||||
HdfsProtos.FileEncryptionInfoProto proto =
|
return null;
|
||||||
HdfsProtos.FileEncryptionInfoProto.parseFrom(x.getValue());
|
} else if(encryptionZone.getPath() == null
|
||||||
FileEncryptionInfo feInfo = PBHelper.convert(proto);
|
|| encryptionZone.getPath().isEmpty()) {
|
||||||
return feInfo;
|
if (NameNode.LOG.isDebugEnabled()) {
|
||||||
} catch (InvalidProtocolBufferException e) {
|
NameNode.LOG.debug("Encryption zone " +
|
||||||
throw new IOException("Could not parse file encryption info for " +
|
encryptionZone.getPath() + " does not have a valid path.");
|
||||||
"inode " + inode, e);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return null;
|
|
||||||
|
CipherSuite suite = encryptionZone.getSuite();
|
||||||
|
String keyName = encryptionZone.getKeyName();
|
||||||
|
|
||||||
|
XAttr fileXAttr = unprotectedGetXAttrByName(inode, snapshotId,
|
||||||
|
CRYPTO_XATTR_FILE_ENCRYPTION_INFO);
|
||||||
|
|
||||||
|
if (fileXAttr == null) {
|
||||||
|
NameNode.LOG.warn("Could not find encryption XAttr for file " +
|
||||||
|
inode.getFullPathName() + " in encryption zone " +
|
||||||
|
encryptionZone.getPath());
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
HdfsProtos.PerFileEncryptionInfoProto fileProto =
|
||||||
|
HdfsProtos.PerFileEncryptionInfoProto.parseFrom(
|
||||||
|
fileXAttr.getValue());
|
||||||
|
return PBHelper.convert(fileProto, suite, keyName);
|
||||||
|
} catch (InvalidProtocolBufferException e) {
|
||||||
|
throw new IOException("Could not parse file encryption info for " +
|
||||||
|
"inode " + inode, e);
|
||||||
|
}
|
||||||
} finally {
|
} finally {
|
||||||
readUnlock();
|
readUnlock();
|
||||||
}
|
}
|
||||||
|
@ -2860,7 +2908,11 @@ public class FSDirectory implements Closeable {
|
||||||
* of encryption zones.
|
* of encryption zones.
|
||||||
*/
|
*/
|
||||||
if (CRYPTO_XATTR_ENCRYPTION_ZONE.equals(xaName)) {
|
if (CRYPTO_XATTR_ENCRYPTION_ZONE.equals(xaName)) {
|
||||||
ezManager.addEncryptionZone(inode.getId(), new String(xattr.getValue()));
|
final HdfsProtos.ZoneEncryptionInfoProto ezProto =
|
||||||
|
HdfsProtos.ZoneEncryptionInfoProto.parseFrom(xattr.getValue());
|
||||||
|
ezManager.addEncryptionZone(inode.getId(),
|
||||||
|
PBHelper.convert(ezProto.getSuite()),
|
||||||
|
ezProto.getKeyName());
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!isFile && SECURITY_XATTR_UNREADABLE_BY_SUPERUSER.equals(xaName)) {
|
if (!isFile && SECURITY_XATTR_UNREADABLE_BY_SUPERUSER.equals(xaName)) {
|
||||||
|
@ -2977,6 +3029,22 @@ public class FSDirectory implements Closeable {
|
||||||
return XAttrStorage.readINodeXAttrs(inode, snapshotId);
|
return XAttrStorage.readINodeXAttrs(inode, snapshotId);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private XAttr unprotectedGetXAttrByName(INode inode, int snapshotId,
|
||||||
|
String xAttrName)
|
||||||
|
throws IOException {
|
||||||
|
List<XAttr> xAttrs = XAttrStorage.readINodeXAttrs(inode, snapshotId);
|
||||||
|
if (xAttrs == null) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
for (XAttr x : xAttrs) {
|
||||||
|
if (XAttrHelper.getPrefixName(x)
|
||||||
|
.equals(xAttrName)) {
|
||||||
|
return x;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
private static INode resolveLastINode(String src, INodesInPath iip)
|
private static INode resolveLastINode(String src, INodesInPath iip)
|
||||||
throws FileNotFoundException {
|
throws FileNotFoundException {
|
||||||
INode inode = iip.getLastINode();
|
INode inode = iip.getLastINode();
|
||||||
|
|
|
@ -341,8 +341,10 @@ public class FSEditLogLoader {
|
||||||
// 3. OP_ADD to open file for append
|
// 3. OP_ADD to open file for append
|
||||||
|
|
||||||
// See if the file already exists (persistBlocks call)
|
// See if the file already exists (persistBlocks call)
|
||||||
final INodesInPath iip = fsDir.getLastINodeInPath(path);
|
final INodesInPath iip = fsDir.getINodesInPath(path, true);
|
||||||
INodeFile oldFile = INodeFile.valueOf(iip.getINode(0), path, true);
|
final INode[] inodes = iip.getINodes();
|
||||||
|
INodeFile oldFile = INodeFile.valueOf(
|
||||||
|
inodes[inodes.length - 1], path, true);
|
||||||
if (oldFile != null && addCloseOp.overwrite) {
|
if (oldFile != null && addCloseOp.overwrite) {
|
||||||
// This is OP_ADD with overwrite
|
// This is OP_ADD with overwrite
|
||||||
fsDir.unprotectedDelete(path, addCloseOp.mtime);
|
fsDir.unprotectedDelete(path, addCloseOp.mtime);
|
||||||
|
@ -372,7 +374,7 @@ public class FSEditLogLoader {
|
||||||
HdfsFileStatus stat = fsNamesys.dir.createFileStatus(
|
HdfsFileStatus stat = fsNamesys.dir.createFileStatus(
|
||||||
HdfsFileStatus.EMPTY_NAME, newFile,
|
HdfsFileStatus.EMPTY_NAME, newFile,
|
||||||
BlockStoragePolicy.ID_UNSPECIFIED, Snapshot.CURRENT_STATE_ID,
|
BlockStoragePolicy.ID_UNSPECIFIED, Snapshot.CURRENT_STATE_ID,
|
||||||
false);
|
false, iip);
|
||||||
fsNamesys.addCacheEntryWithPayload(addCloseOp.rpcClientId,
|
fsNamesys.addCacheEntryWithPayload(addCloseOp.rpcClientId,
|
||||||
addCloseOp.rpcCallId, stat);
|
addCloseOp.rpcCallId, stat);
|
||||||
}
|
}
|
||||||
|
|
|
@ -17,7 +17,6 @@
|
||||||
*/
|
*/
|
||||||
package org.apache.hadoop.hdfs.server.namenode;
|
package org.apache.hadoop.hdfs.server.namenode;
|
||||||
|
|
||||||
import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
|
|
||||||
import static org.apache.hadoop.crypto.key.KeyProviderCryptoExtension
|
import static org.apache.hadoop.crypto.key.KeyProviderCryptoExtension
|
||||||
.EncryptedKeyVersion;
|
.EncryptedKeyVersion;
|
||||||
import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.FS_TRASH_INTERVAL_DEFAULT;
|
import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.FS_TRASH_INTERVAL_DEFAULT;
|
||||||
|
@ -134,6 +133,7 @@ import org.apache.hadoop.HadoopIllegalArgumentException;
|
||||||
import org.apache.hadoop.classification.InterfaceAudience;
|
import org.apache.hadoop.classification.InterfaceAudience;
|
||||||
import org.apache.hadoop.conf.Configuration;
|
import org.apache.hadoop.conf.Configuration;
|
||||||
import org.apache.hadoop.crypto.CipherSuite;
|
import org.apache.hadoop.crypto.CipherSuite;
|
||||||
|
import org.apache.hadoop.crypto.key.KeyProvider;
|
||||||
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
|
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
|
||||||
import org.apache.hadoop.fs.BatchedRemoteIterator.BatchedListEntries;
|
import org.apache.hadoop.fs.BatchedRemoteIterator.BatchedListEntries;
|
||||||
import org.apache.hadoop.fs.CacheFlag;
|
import org.apache.hadoop.fs.CacheFlag;
|
||||||
|
@ -165,7 +165,6 @@ import org.apache.hadoop.hdfs.DFSConfigKeys;
|
||||||
import org.apache.hadoop.hdfs.DFSUtil;
|
import org.apache.hadoop.hdfs.DFSUtil;
|
||||||
import org.apache.hadoop.hdfs.HAUtil;
|
import org.apache.hadoop.hdfs.HAUtil;
|
||||||
import org.apache.hadoop.hdfs.HdfsConfiguration;
|
import org.apache.hadoop.hdfs.HdfsConfiguration;
|
||||||
import org.apache.hadoop.hdfs.StorageType;
|
|
||||||
import org.apache.hadoop.hdfs.XAttrHelper;
|
import org.apache.hadoop.hdfs.XAttrHelper;
|
||||||
import org.apache.hadoop.hdfs.UnknownCipherSuiteException;
|
import org.apache.hadoop.hdfs.UnknownCipherSuiteException;
|
||||||
import org.apache.hadoop.hdfs.protocol.AclException;
|
import org.apache.hadoop.hdfs.protocol.AclException;
|
||||||
|
@ -1833,8 +1832,10 @@ public class FSNamesystem implements Namesystem, FSClusterStats,
|
||||||
doAccessTime = false;
|
doAccessTime = false;
|
||||||
}
|
}
|
||||||
|
|
||||||
final INodesInPath iip = dir.getLastINodeInPath(src);
|
final INodesInPath iip = dir.getINodesInPath(src, true);
|
||||||
final INodeFile inode = INodeFile.valueOf(iip.getLastINode(), src);
|
final INode[] inodes = iip.getINodes();
|
||||||
|
final INodeFile inode = INodeFile.valueOf(
|
||||||
|
inodes[inodes.length - 1], src);
|
||||||
if (isPermissionEnabled) {
|
if (isPermissionEnabled) {
|
||||||
checkUnreadableBySuperuser(pc, inode, iip.getPathSnapshotId());
|
checkUnreadableBySuperuser(pc, inode, iip.getPathSnapshotId());
|
||||||
}
|
}
|
||||||
|
@ -1867,7 +1868,8 @@ public class FSNamesystem implements Namesystem, FSClusterStats,
|
||||||
|
|
||||||
final FileEncryptionInfo feInfo =
|
final FileEncryptionInfo feInfo =
|
||||||
FSDirectory.isReservedRawName(srcArg) ?
|
FSDirectory.isReservedRawName(srcArg) ?
|
||||||
null : dir.getFileEncryptionInfo(inode, iip.getPathSnapshotId());
|
null : dir.getFileEncryptionInfo(inode, iip.getPathSnapshotId(),
|
||||||
|
iip);
|
||||||
|
|
||||||
final LocatedBlocks blocks =
|
final LocatedBlocks blocks =
|
||||||
blockManager.createLocatedBlocks(inode.getBlocks(), fileSize,
|
blockManager.createLocatedBlocks(inode.getBlocks(), fileSize,
|
||||||
|
@ -2599,7 +2601,7 @@ public class FSNamesystem implements Namesystem, FSClusterStats,
|
||||||
feInfo = new FileEncryptionInfo(suite,
|
feInfo = new FileEncryptionInfo(suite,
|
||||||
edek.getEncryptedKeyVersion().getMaterial(),
|
edek.getEncryptedKeyVersion().getMaterial(),
|
||||||
edek.getEncryptedKeyIv(),
|
edek.getEncryptedKeyIv(),
|
||||||
edek.getEncryptionKeyVersionName());
|
ezKeyName, edek.getEncryptionKeyVersionName());
|
||||||
Preconditions.checkNotNull(feInfo);
|
Preconditions.checkNotNull(feInfo);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -8619,8 +8621,8 @@ public class FSNamesystem implements Namesystem, FSClusterStats,
|
||||||
throw new IOException("Must specify a key name when creating an " +
|
throw new IOException("Must specify a key name when creating an " +
|
||||||
"encryption zone");
|
"encryption zone");
|
||||||
}
|
}
|
||||||
KeyVersion keyVersion = provider.getCurrentKey(keyName);
|
KeyProvider.Metadata metadata = provider.getMetadata(keyName);
|
||||||
if (keyVersion == null) {
|
if (metadata == null) {
|
||||||
/*
|
/*
|
||||||
* It would be nice if we threw something more specific than
|
* It would be nice if we threw something more specific than
|
||||||
* IOException when the key is not found, but the KeyProvider API
|
* IOException when the key is not found, but the KeyProvider API
|
||||||
|
@ -8631,7 +8633,8 @@ public class FSNamesystem implements Namesystem, FSClusterStats,
|
||||||
*/
|
*/
|
||||||
throw new IOException("Key " + keyName + " doesn't exist.");
|
throw new IOException("Key " + keyName + " doesn't exist.");
|
||||||
}
|
}
|
||||||
createEncryptionZoneInt(src, keyName, cacheEntry != null);
|
createEncryptionZoneInt(src, metadata.getCipher(),
|
||||||
|
keyName, cacheEntry != null);
|
||||||
success = true;
|
success = true;
|
||||||
} catch (AccessControlException e) {
|
} catch (AccessControlException e) {
|
||||||
logAuditEvent(false, "createEncryptionZone", src);
|
logAuditEvent(false, "createEncryptionZone", src);
|
||||||
|
@ -8641,8 +8644,8 @@ public class FSNamesystem implements Namesystem, FSClusterStats,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private void createEncryptionZoneInt(final String srcArg, String keyName,
|
private void createEncryptionZoneInt(final String srcArg, String cipher,
|
||||||
final boolean logRetryCache) throws IOException {
|
String keyName, final boolean logRetryCache) throws IOException {
|
||||||
String src = srcArg;
|
String src = srcArg;
|
||||||
HdfsFileStatus resultingStat = null;
|
HdfsFileStatus resultingStat = null;
|
||||||
checkSuperuserPrivilege();
|
checkSuperuserPrivilege();
|
||||||
|
@ -8656,7 +8659,8 @@ public class FSNamesystem implements Namesystem, FSClusterStats,
|
||||||
checkNameNodeSafeMode("Cannot create encryption zone on " + src);
|
checkNameNodeSafeMode("Cannot create encryption zone on " + src);
|
||||||
src = resolvePath(src, pathComponents);
|
src = resolvePath(src, pathComponents);
|
||||||
|
|
||||||
final XAttr ezXAttr = dir.createEncryptionZone(src, keyName);
|
final CipherSuite suite = CipherSuite.convert(cipher);
|
||||||
|
final XAttr ezXAttr = dir.createEncryptionZone(src, suite, keyName);
|
||||||
List<XAttr> xAttrs = Lists.newArrayListWithCapacity(1);
|
List<XAttr> xAttrs = Lists.newArrayListWithCapacity(1);
|
||||||
xAttrs.add(ezXAttr);
|
xAttrs.add(ezXAttr);
|
||||||
getEditLog().logSetXAttrs(src, xAttrs, logRetryCache);
|
getEditLog().logSetXAttrs(src, xAttrs, logRetryCache);
|
||||||
|
|
|
@ -133,6 +133,7 @@ public class INodesInPath {
|
||||||
* be thrown when the path refers to a symbolic link.
|
* be thrown when the path refers to a symbolic link.
|
||||||
* @return the specified number of existing INodes in the path
|
* @return the specified number of existing INodes in the path
|
||||||
*/
|
*/
|
||||||
|
// TODO: Eliminate null elements from inodes (to be provided by HDFS-7104)
|
||||||
static INodesInPath resolve(final INodeDirectory startingDir,
|
static INodesInPath resolve(final INodeDirectory startingDir,
|
||||||
final byte[][] components, final int numOfINodes,
|
final byte[][] components, final int numOfINodes,
|
||||||
final boolean resolveLink) throws UnresolvedLinkException {
|
final boolean resolveLink) throws UnresolvedLinkException {
|
||||||
|
@ -311,7 +312,7 @@ public class INodesInPath {
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return the whole inodes array including the null elements.
|
* @return the inodes array excluding the null elements.
|
||||||
*/
|
*/
|
||||||
INode[] getINodes() {
|
INode[] getINodes() {
|
||||||
if (capacity < inodes.length) {
|
if (capacity < inodes.length) {
|
||||||
|
|
|
@ -46,9 +46,10 @@ message ListEncryptionZonesRequestProto {
|
||||||
}
|
}
|
||||||
|
|
||||||
message EncryptionZoneProto {
|
message EncryptionZoneProto {
|
||||||
required string path = 1;
|
required int64 id = 1;
|
||||||
required string keyName = 2;
|
required string path = 2;
|
||||||
required int64 id = 3;
|
required CipherSuite suite = 3;
|
||||||
|
required string keyName = 4;
|
||||||
}
|
}
|
||||||
|
|
||||||
message ListEncryptionZonesResponseProto {
|
message ListEncryptionZonesResponseProto {
|
||||||
|
|
|
@ -216,7 +216,27 @@ message FileEncryptionInfoProto {
|
||||||
required CipherSuite suite = 1;
|
required CipherSuite suite = 1;
|
||||||
required bytes key = 2;
|
required bytes key = 2;
|
||||||
required bytes iv = 3;
|
required bytes iv = 3;
|
||||||
required string ezKeyVersionName = 4;
|
required string keyName = 4;
|
||||||
|
required string ezKeyVersionName = 5;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Encryption information for an individual
|
||||||
|
* file within an encryption zone
|
||||||
|
*/
|
||||||
|
message PerFileEncryptionInfoProto {
|
||||||
|
required bytes key = 1;
|
||||||
|
required bytes iv = 2;
|
||||||
|
required string ezKeyVersionName = 3;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Encryption information for an encryption
|
||||||
|
* zone
|
||||||
|
*/
|
||||||
|
message ZoneEncryptionInfoProto {
|
||||||
|
required CipherSuite suite = 1;
|
||||||
|
required string keyName = 2;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
Loading…
Reference in New Issue