HADOOP-13992. KMS should load SSL configuration the same way as SSLFactory. Contributed by John Zhuge.

Xiao Chen 2017-01-27 10:49:26 -08:00
parent 1a16431bd0
commit ebd40056a0
3 changed files with 23 additions and 20 deletions
hadoop-common-project
hadoop-common/src/main/java/org/apache/hadoop/security/ssl
hadoop-kms/src
main/java/org/apache/hadoop/crypto/key/kms/server
test/java/org/apache/hadoop/crypto/key/kms/server


@ -128,9 +128,10 @@ public class SSLFactory implements ConnectionConfigurator {
throw new IllegalArgumentException("mode cannot be NULL");
}
this.mode = mode;
requireClientCert = conf.getBoolean(SSL_REQUIRE_CLIENT_CERT_KEY,
Configuration sslConf = readSSLConfiguration(conf, mode);
requireClientCert = sslConf.getBoolean(SSL_REQUIRE_CLIENT_CERT_KEY,
SSL_REQUIRE_CLIENT_CERT_DEFAULT);
Configuration sslConf = readSSLConfiguration(mode);
Class<? extends KeyStoresFactory> klass
= conf.getClass(KEYSTORES_FACTORY_CLASS_KEY,
@ -149,9 +150,11 @@ public class SSLFactory implements ConnectionConfigurator {
}
}
private Configuration readSSLConfiguration(Mode mode) {
public static Configuration readSSLConfiguration(Configuration conf,
Mode mode) {
Configuration sslConf = new Configuration(false);
sslConf.setBoolean(SSL_REQUIRE_CLIENT_CERT_KEY, requireClientCert);
sslConf.setBoolean(SSL_REQUIRE_CLIENT_CERT_KEY, conf.getBoolean(
SSL_REQUIRE_CLIENT_CERT_KEY, SSL_REQUIRE_CLIENT_CERT_DEFAULT));
String sslConfResource;
if (mode == Mode.CLIENT) {
sslConfResource = conf.get(SSL_CLIENT_CONF_KEY,
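Review bot: `readSSLConfiguration` becomes `public static` and is now called from outside this class (KMSWebServer, MiniKMS), but the new signature carries no Javadoc stating its contract; the second hunk should gain a Javadoc that says the returned `Configuration` is a fresh instance built with `new Configuration(false)` (no default resources), that it copies `SSL_REQUIRE_CLIENT_CERT_KEY` from `conf` using `SSL_REQUIRE_CLIENT_CERT_DEFAULT`, and that the resource it loads is chosen by `mode` (client mode reads `SSL_CLIENT_CONF_KEY`), with `@param conf`, `@param mode` and `@return` tags. The method body runs past the end of the hunk, so whatever it does after `sslConfResource` is chosen (presumably loading that resource) should be stated from the full method, not from this excerpt. Since the resulting object holds whatever the ssl-client/ssl-server file contains, including keystore credentials read via the `SSL_SERVER_KEYSTORE_PASSWORD` keys the KMS hunks reference, the Javadoc should also warn callers not to log or print it wholesale.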


@ -46,13 +46,7 @@ public class KMSWebServer {
private final HttpServer2 httpServer;
private final String scheme;
KMSWebServer(Configuration cnf) throws Exception {
ConfigurationWithLogging conf = new ConfigurationWithLogging(cnf);
// Add SSL configuration file
conf.addResource(conf.get(SSLFactory.SSL_SERVER_CONF_KEY,
SSLFactory.SSL_SERVER_CONF_DEFAULT));
KMSWebServer(Configuration conf, Configuration sslConf) throws Exception {
// Override configuration with deprecated environment variables.
deprecateEnv("KMS_TEMP", conf, HttpServer2.HTTP_TEMP_DIR_KEY,
KMSConfiguration.KMS_SITE_XML);
@ -68,10 +62,10 @@ public class KMSWebServer {
KMSConfiguration.KMS_SITE_XML);
deprecateEnv("KMS_SSL_ENABLED", conf,
KMSConfiguration.SSL_ENABLED_KEY, KMSConfiguration.KMS_SITE_XML);
deprecateEnv("KMS_SSL_KEYSTORE_FILE", conf,
deprecateEnv("KMS_SSL_KEYSTORE_FILE", sslConf,
SSLFactory.SSL_SERVER_KEYSTORE_LOCATION,
SSLFactory.SSL_SERVER_CONF_DEFAULT);
deprecateEnv("KMS_SSL_KEYSTORE_PASS", conf,
deprecateEnv("KMS_SSL_KEYSTORE_PASS", sslConf,
SSLFactory.SSL_SERVER_KEYSTORE_PASSWORD,
SSLFactory.SSL_SERVER_CONF_DEFAULT);
@ -88,7 +82,7 @@ public class KMSWebServer {
httpServer = new HttpServer2.Builder()
.setName(NAME)
.setConf(conf)
.setSSLConf(conf)
.setSSLConf(sslConf)
.authFilterConfigurationPrefix(KMSAuthenticationFilter.CONFIG_PREFIX)
.addEndpoint(endpoint)
.build();
@ -147,8 +141,11 @@ public class KMSWebServer {
public static void main(String[] args) throws Exception {
StringUtils.startupShutdownMessage(KMSWebServer.class, args, LOG);
Configuration conf = KMSConfiguration.getKMSConf();
KMSWebServer kmsWebServer = new KMSWebServer(conf);
Configuration conf = new ConfigurationWithLogging(
KMSConfiguration.getKMSConf());
Configuration sslConf = new ConfigurationWithLogging(
SSLFactory.readSSLConfiguration(conf, SSLFactory.Mode.SERVER));
KMSWebServer kmsWebServer = new KMSWebServer(conf, sslConf);
kmsWebServer.start();
kmsWebServer.join();
}
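Review bot: In `main`, the SSL configuration is wrapped in `ConfigurationWithLogging` before being passed to the server, and the same object is what `deprecateEnv` writes `SSLFactory.SSL_SERVER_KEYSTORE_PASSWORD` into; if `ConfigurationWithLogging` logs values as they are read (its name suggests so, but its implementation is not in this diff), the keystore password from ssl-server.xml can end up in the KMS log. Please confirm that wrapper redacts credential keys, or wrap only `conf` and pass the plain `SSLFactory.readSSLConfiguration(conf, SSLFactory.Mode.SERVER)` result as `sslConf`. Separately, the new constructor `KMSWebServer(Configuration conf, Configuration sslConf)` has no Javadoc and no null handling for `sslConf`, yet the MiniKMS hunk in this same commit passes `null` when no keystore is configured and the constructor hands it straight to `deprecateEnv("KMS_SSL_KEYSTORE_FILE", sslConf, ...)`; whether that is safe depends on `deprecateEnv`, which is outside the hunk, so add `@param sslConf SSL configuration as returned by SSLFactory.readSSLConfiguration; may be null when SSL is disabled` once that is verified, or guard the two `deprecateEnv` calls with `if (sslConf != null)`.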


@ -145,14 +145,17 @@ public class MiniKMS {
final Configuration conf = KMSConfiguration.getKMSConf();
conf.set(KMSConfiguration.HTTP_HOST_KEY, "localhost");
conf.setInt(KMSConfiguration.HTTP_PORT_KEY, inPort);
Configuration sslConf = null;
if (keyStore != null) {
conf.setBoolean(KMSConfiguration.SSL_ENABLED_KEY, true);
conf.set(SSLFactory.SSL_SERVER_KEYSTORE_LOCATION, keyStore);
conf.set(SSLFactory.SSL_SERVER_KEYSTORE_PASSWORD, keyStorePassword);
conf.set(SSLFactory.SSL_SERVER_KEYSTORE_TYPE, "jks");
sslConf = SSLFactory.readSSLConfiguration(conf, SSLFactory.Mode.SERVER);
sslConf.set(SSLFactory.SSL_SERVER_KEYSTORE_LOCATION, keyStore);
sslConf.set(SSLFactory.SSL_SERVER_KEYSTORE_PASSWORD, keyStorePassword);
sslConf.set(SSLFactory.SSL_SERVER_KEYSTORE_TYPE, "jks");
}
jetty = new KMSWebServer(conf);
jetty = new KMSWebServer(conf, sslConf);
jetty.start();
kmsURL = jetty.getKMSUrl();
}