HADOOP-13864. KMS should not require truststore password. Contributed by Mike Yoder.

2016-12-05 12:19:26 -08:00 · 2016-12-05 12:19:26 -08:00 · a2b5d60220
parent f3b8ff54ab
commit a2b5d60220
3 changed files with 23 additions and 3 deletions
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java
@ -202,8 +202,10 @@ public class FileBasedKeyStoresFactory implements KeyStoresFactory {
          SSL_TRUSTSTORE_PASSWORD_TPL_KEY);
      String truststorePassword = getPassword(conf, passwordProperty, "");
      if (truststorePassword.isEmpty()) {
-        throw new GeneralSecurityException("The property '" + passwordProperty +
-            "' has not been set in the ssl configuration file.");
+        // An empty trust store password is legal; the trust store password
+        // is only required when writing to a trust store. Otherwise it's
+        // an optional integrity check.
+        truststorePassword = null;
      }
      long truststoreReloadInterval =
          conf.getLong(
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java
@ -167,7 +167,7 @@ public final class ReloadingX509TrustManager
    KeyStore ks = KeyStore.getInstance(type);
    FileInputStream in = new FileInputStream(file);
    try {
-      ks.load(in, password.toCharArray());
+      ks.load(in, (password == null) ? null : password.toCharArray());
      lastLoaded = file.lastModified();
      LOG.debug("Loaded truststore '" + file + "'");
    } finally {
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java
@ -199,4 +199,22 @@ public class TestReloadingX509TrustManager {
    }, reloadInterval, 10 * 1000);
  }

+  /** No password when accessing a trust store is legal. */
+  @Test
+  public void testNoPassword() throws Exception {
+    KeyPair kp = generateKeyPair("RSA");
+    cert1 = generateCertificate("CN=Cert1", kp, 30, "SHA1withRSA");
+    cert2 = generateCertificate("CN=Cert2", kp, 30, "SHA1withRSA");
+    String truststoreLocation = BASEDIR + "/testreload.jks";
+    createTrustStore(truststoreLocation, "password", "cert1", cert1);
+
+    final ReloadingX509TrustManager tm =
+        new ReloadingX509TrustManager("jks", truststoreLocation, null, 10);
+    try {
+      tm.init();
+      assertEquals(1, tm.getAcceptedIssuers().length);
+    } finally {
+      tm.destroy();
+    }
+  }
 }