HDFS-9688. Test the effect of nested encryption zones in HDFS downgrade.

Change-Id: I2a802325a2bc82c97012d2c9fb388b292fe3af8f
2016-02-22 15:10:31 -08:00 · 2016-02-22 15:10:31 -08:00 · 79027309c9
parent 541dc02a6a
commit 79027309c9
3 changed files with 238 additions and 1 deletions
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@ -1253,6 +1253,9 @@ Release 2.6.5 - UNRELEASED
     HDFS-9629. Update the footer of Web UI to show year 2016
     (Xiao Chen and Vinayakumar B via vinayakumarb)

+     HDFS-9688. Test the effect of nested encryption zones in HDFS downgrade.
+     (zhz)
+
  OPTIMIZATIONS

  BUG FIXES
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/EncryptionZoneManager.java
@ -23,6 +23,7 @@ import java.util.List;
 import java.util.NavigableMap;
 import java.util.TreeMap;

+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
 import com.google.common.collect.Lists;
 import org.apache.hadoop.conf.Configuration;
@ -57,6 +58,9 @@ public class EncryptionZoneManager {
  public static Logger LOG = LoggerFactory.getLogger(EncryptionZoneManager
      .class);

+  @VisibleForTesting
+  private boolean allowNestedEZ = false;
+
  /**
   * EncryptionZoneInt is the internal representation of an encryption zone. The
   * external representation of an EZ is embodied in an EncryptionZone and
@ -278,6 +282,16 @@ public class EncryptionZoneManager {
    }
  }

+  @VisibleForTesting
+  void setAllowNestedEZ() {
+    allowNestedEZ = true;
+  }
+
+  @VisibleForTesting
+  void setDisallowNestedEZ() {
+    allowNestedEZ = false;
+  }
+
  /**
   * Create a new encryption zone.
   * <p/>
@ -299,7 +313,7 @@ public class EncryptionZoneManager {
      throw new IOException("Attempt to create an encryption zone for a file.");
    }
    EncryptionZoneInt ezi = getEncryptionZoneForPath(srcIIP);
-    if (ezi != null) {
+    if (!allowNestedEZ && ezi != null) {
      throw new IOException("Directory " + src + " is already in an " +
          "encryption zone. (" + getFullPathName(ezi) + ")");
    }
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestNestedEncryptionZones.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestNestedEncryptionZones.java
@ -0,0 +1,220 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hdfs.server.namenode;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.key.JavaKeyStoreProvider;
+import org.apache.hadoop.fs.FileSystemTestHelper;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.fs.permission.FsPermission;
+import org.apache.hadoop.hdfs.DFSConfigKeys;
+import org.apache.hadoop.hdfs.DFSTestUtil;
+import org.apache.hadoop.hdfs.DistributedFileSystem;
+import org.apache.hadoop.hdfs.HdfsConfiguration;
+import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.hdfs.protocol.HdfsConstants;
+import org.apache.log4j.Level;
+import org.apache.log4j.Logger;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.io.File;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+/**
+ * Test the behavior of nested encryption zones.
+ */
+public class TestNestedEncryptionZones {
+  private File testRootDir;
+  private final String TOP_EZ_KEY = "topezkey";
+  private final String NESTED_EZ_KEY = "nestedezkey";
+
+  private MiniDFSCluster cluster;
+  protected DistributedFileSystem fs;
+
+  private final Path rootDir = new Path("/");
+  private final Path rawDir = new Path("/.reserved/raw/");
+  private final Path topEZDir = new Path(rootDir, "topEZ");
+  private final Path nestedEZDir = new Path(topEZDir, "nestedEZ");
+
+  private final Path topEZBaseFile = new Path(rootDir, "topEZBaseFile");
+  private Path topEZFile = new Path(topEZDir, "file");
+  private Path topEZRawFile = new Path(rawDir, "topEZ/file");
+
+  private final Path nestedEZBaseFile = new Path(rootDir, "nestedEZBaseFile");
+  private Path nestedEZFile = new Path(nestedEZDir, "file");
+  private Path nestedEZRawFile = new Path(rawDir, "topEZ/nestedEZ/file");
+
+  // File length
+  private final int len = 8196;
+
+  private String getKeyProviderURI() {
+    return JavaKeyStoreProvider.SCHEME_NAME + "://file" +
+        new Path(testRootDir.toString(), "test.jks").toUri();
+  }
+
+  private void setProvider() {
+    // Need to set the client's KeyProvider to the NN's for JKS,
+    // else the updates do not get flushed properly
+    fs.getClient().setKeyProvider(cluster.getNameNode().getNamesystem()
+        .getProvider());
+  }
+
+  @Before
+  public void setup() throws Exception {
+    Configuration conf = new HdfsConfiguration();
+    FileSystemTestHelper fsHelper = new FileSystemTestHelper();
+    // Set up java key store
+    String testRoot = fsHelper.getTestRootDir();
+    testRootDir = new File(testRoot).getAbsoluteFile();
+    conf.set(DFSConfigKeys.DFS_ENCRYPTION_KEY_PROVIDER_URI, getKeyProviderURI());
+    conf.setBoolean(DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_ALWAYS_USE_KEY, true);
+    // Lower the batch size for testing
+    conf.setInt(DFSConfigKeys.DFS_NAMENODE_LIST_ENCRYPTION_ZONES_NUM_RESPONSES,
+        2);
+    cluster = new MiniDFSCluster.Builder(conf).numDataNodes(1).build();
+    Logger.getLogger(EncryptionZoneManager.class).setLevel(Level.TRACE);
+    fs = cluster.getFileSystem();
+    setProvider();
+
+    // Create test keys and EZs
+    DFSTestUtil.createKey(TOP_EZ_KEY, cluster, conf);
+    DFSTestUtil.createKey(NESTED_EZ_KEY, cluster, conf);
+    fs.mkdir(topEZDir, FsPermission.getDirDefault());
+    fs.createEncryptionZone(topEZDir, TOP_EZ_KEY);
+    fs.mkdir(nestedEZDir, FsPermission.getDirDefault());
+
+    // Allow setting nested EZ temporarily
+    cluster.getNamesystem().getFSDirectory().ezManager.setAllowNestedEZ();
+    fs.createEncryptionZone(nestedEZDir, NESTED_EZ_KEY);
+    cluster.getNamesystem().getFSDirectory().ezManager.setDisallowNestedEZ();
+
+    DFSTestUtil.createFile(fs, topEZBaseFile, len, (short) 1, 0xFEED);
+    DFSTestUtil.createFile(fs, topEZFile, len, (short) 1, 0xFEED);
+    DFSTestUtil.createFile(fs, nestedEZBaseFile, len, (short) 1, 0xFEED);
+    DFSTestUtil.createFile(fs, nestedEZFile, len, (short) 1, 0xFEED);
+  }
+
+  @Test(timeout = 60000)
+  public void testNestedEncryptionZones() throws Exception {
+    verifyEncryption();
+
+    // Restart NameNode to test if nested EZs can be loaded from edit logs
+    cluster.restartNameNodes();
+    cluster.waitActive();
+    verifyEncryption();
+
+    // Checkpoint and restart NameNode, to test if nested EZs can be loaded
+    // from fsimage
+    fs.setSafeMode(HdfsConstants.SafeModeAction.SAFEMODE_ENTER);
+    fs.saveNamespace();
+    fs.setSafeMode(HdfsConstants.SafeModeAction.SAFEMODE_LEAVE);
+    cluster.restartNameNodes();
+    cluster.waitActive();
+    verifyEncryption();
+
+    Path renamedTopEZFile = new Path(topEZDir, "renamedFile");
+    Path renamedNestedEZFile = new Path(nestedEZDir, "renamedFile");
+    try {
+      fs.rename(topEZFile, renamedTopEZFile);
+      fs.rename(nestedEZFile, renamedNestedEZFile);
+    } catch (Exception e) {
+      fail("Should be able to rename files within the same EZ.");
+    }
+
+    topEZFile = renamedTopEZFile;
+    nestedEZFile = renamedNestedEZFile;
+    topEZRawFile = new Path(rawDir, "topEZ/renamedFile");
+    nestedEZRawFile = new Path(rawDir, "topEZ/nestedEZ/renamedFile");
+    verifyEncryption();
+
+    // Verify that files in top EZ cannot be moved into the nested EZ, and
+    // vice versa.
+    try {
+      fs.rename(topEZFile, new Path(nestedEZDir, "movedTopEZFile"));
+      fail("Shouldn't be able to rename between top EZ and nested EZ.");
+    } catch (Exception e) {
+      assertTrue(e.getMessage().contains(
+          "can't be moved from encryption zone " + topEZDir.toString() +
+              " to encryption zone " + nestedEZDir.toString()));
+    }
+    try {
+      fs.rename(nestedEZFile, new Path(topEZDir, "movedNestedEZFile"));
+      fail("Shouldn't be able to rename between top EZ and nested EZ.");
+    } catch (Exception e) {
+      assertTrue(e.getMessage().contains(
+          "can't be moved from encryption zone " + nestedEZDir.toString() +
+              " to encryption zone " + topEZDir.toString()));
+    }
+
+    // Verify that the nested EZ cannot be moved out of the top EZ.
+    try {
+      fs.rename(nestedEZFile, new Path(rootDir, "movedNestedEZFile"));
+      fail("Shouldn't be able to move the nested EZ out of the top EZ.");
+    } catch (Exception e) {
+      assertTrue(e.getMessage().contains(
+          "can't be moved from an encryption zone"));
+    }
+
+    // Verify that a non-nested EZ cannot be moved into another EZ
+    Path topEZ2Dir = new Path(rootDir, "topEZ2");
+    fs.mkdir(topEZ2Dir, FsPermission.getDirDefault());
+    fs.createEncryptionZone(topEZ2Dir, TOP_EZ_KEY);
+    try {
+      fs.rename(topEZ2Dir, new Path(topEZDir, "topEZ2"));
+      fail("Shouldn't be able to move a non-nested EZ into another " +
+          "existing EZ.");
+    } catch (Exception e){
+      assertTrue(e.getMessage().contains(
+          "can't be moved from encryption zone " + topEZ2Dir.toString() +
+              " to encryption zone"));
+    }
+
+    try {
+      fs.rename(topEZDir, new Path(rootDir, "newTopEZDir"));
+    } catch (Exception e) {
+      fail("Should be able to rename the root dir of an EZ.");
+    }
+
+    try {
+      fs.rename(new Path(rootDir, "newTopEZDir/nestedEZDir"),
+          new Path(rootDir, "newTopEZDir/newNestedEZDir"));
+    } catch (Exception e) {
+      fail("Should be able to rename the nested EZ dir within " +
+          "the same top EZ.");
+    }
+  }
+
+  private void verifyEncryption() throws Exception {
+    assertEquals("Top EZ dir is encrypted",
+        true, fs.getFileStatus(topEZDir).isEncrypted());
+    assertEquals("Nested EZ dir is encrypted",
+        true, fs.getFileStatus(nestedEZDir).isEncrypted());
+    assertEquals("Top zone file is encrypted",
+        true, fs.getFileStatus(topEZFile).isEncrypted());
+    assertEquals("Nested zone file is encrypted",
+        true, fs.getFileStatus(nestedEZFile).isEncrypted());
+
+    DFSTestUtil.verifyFilesEqual(fs, topEZBaseFile, topEZFile, len);
+    DFSTestUtil.verifyFilesEqual(fs, nestedEZBaseFile, nestedEZFile, len);
+    DFSTestUtil.verifyFilesNotEqual(fs, topEZRawFile, nestedEZRawFile, len);
+  }
+}