From ebd40056a07df5807baf0652a47ea97334038f4d Mon Sep 17 00:00:00 2001
From: Xiao Chen
Date: Fri, 27 Jan 2017 10:49:26 -0800
Subject: [PATCH] HADOOP-13992. KMS should load SSL configuration the same way as SSLFactory. Contributed by John Zhuge.
---
 .../hadoop/security/ssl/SSLFactory.java | 11 ++++++----
 .../crypto/key/kms/server/KMSWebServer.java | 21 ++++++++-----------
 .../hadoop/crypto/key/kms/server/MiniKMS.java | 11 ++++++----
 3 files changed, 23 insertions(+), 20 deletions(-)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java
index d72f9bed437..07eafabb4ae 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java
@@ -128,9 +128,10 @@ public class SSLFactory implements ConnectionConfigurator {
 throw new IllegalArgumentException("mode cannot be NULL");
 }
 this.mode = mode;
- requireClientCert = conf.getBoolean(SSL_REQUIRE_CLIENT_CERT_KEY,
+ Configuration sslConf = readSSLConfiguration(conf, mode);
+
+ requireClientCert = sslConf.getBoolean(SSL_REQUIRE_CLIENT_CERT_KEY,
 SSL_REQUIRE_CLIENT_CERT_DEFAULT);
- Configuration sslConf = readSSLConfiguration(mode);
 Class klass = conf.getClass(KEYSTORES_FACTORY_CLASS_KEY,
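Review bot: `requireClientCert` is now read back from `sslConf`, which `readSSLConfiguration` seeds with the same `SSL_REQUIRE_CLIENT_CERT_KEY` value taken from `conf` before it adds the ssl-*.xml resource, so whether a setting in ssl-server.xml or ssl-client.xml can override core-site for this flag now depends on Configuration's precedence between a programmatic set() and a later addResource(), which the hunk leaves implicit. A one-line comment stating which source is meant to win, e.g. `// Read via sslConf so the flag matches the configuration the key stores factory is presumably built from`, would keep a later refactor from silently flipping that precedence. The constructor body continues past the end of this hunk.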
@@ -149,9 +150,11 @@ public class SSLFactory implements ConnectionConfigurator {
 }
 }
- private Configuration readSSLConfiguration(Mode mode) {
+ public static Configuration readSSLConfiguration(Configuration conf,
+ Mode mode) {
 Configuration sslConf = new Configuration(false);
- sslConf.setBoolean(SSL_REQUIRE_CLIENT_CERT_KEY, requireClientCert);
+ sslConf.setBoolean(SSL_REQUIRE_CLIENT_CERT_KEY, conf.getBoolean(
+ SSL_REQUIRE_CLIENT_CERT_KEY, SSL_REQUIRE_CLIENT_CERT_DEFAULT));
 String sslConfResource;
 if (mode == Mode.CLIENT) {
 sslConfResource = conf.get(SSL_CLIENT_CONF_KEY,
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebServer.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebServer.java
index 70945cb2c10..02c4a42ce81 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebServer.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebServer.java
@@ -46,13 +46,7 @@ public class KMSWebServer {
 private final HttpServer2 httpServer;
 private final String scheme;
- KMSWebServer(Configuration cnf) throws Exception {
- ConfigurationWithLogging conf = new ConfigurationWithLogging(cnf);
-
- // Add SSL configuration file
- conf.addResource(conf.get(SSLFactory.SSL_SERVER_CONF_KEY,
- SSLFactory.SSL_SERVER_CONF_DEFAULT));
-
+ KMSWebServer(Configuration conf, Configuration sslConf) throws Exception {
 // Override configuration with deprecated environment variables.
 deprecateEnv("KMS_TEMP", conf, HttpServer2.HTTP_TEMP_DIR_KEY,
 KMSConfiguration.KMS_SITE_XML);
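Review bot: `readSSLConfiguration` becomes a public static entry point without Javadoc or argument validation; the "mode cannot be NULL" check that used to protect the old private method lives in the constructor and no longer covers direct callers such as KMSWebServer.main and MiniKMS, so a null `mode` would presumably fall past the `if (mode == Mode.CLIENT)` test into the server branch and load ssl-server.xml silently (the remainder of the method is outside the hunk). Add `Objects.requireNonNull(conf, "conf");` and `Objects.requireNonNull(mode, "mode");` at the top of the method. The Javadoc should say that the result is a fresh Configuration seeded with `conf`'s client-cert flag plus the ssl-client.xml or ssl-server.xml resource, and that it therefore carries keystore and truststore settings including passwords, so callers must treat it as sensitive rather than as ordinary configuration.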
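Review bot: The new constructor accepts `sslConf` but never checks it for null, while MiniKMS (the `@@ -145,14 +145,17 @@` hunk) passes `null` whenever no keystore is configured; the `@@ -68,10 +62,10 @@` hunk then hands that value to `deprecateEnv("KMS_SSL_KEYSTORE_FILE", sslConf, ...)` and `deprecateEnv("KMS_SSL_KEYSTORE_PASS", sslConf, ...)`, and the `@@ -88,7 +82,7 @@` hunk to `.setSSLConf(sslConf)`. `deprecateEnv` is outside the diff, but if it writes the environment value into the supplied Configuration, a deployment with `KMS_SSL_KEYSTORE_FILE` or `KMS_SSL_KEYSTORE_PASS` exported and SSL disabled would fail at startup with a NullPointerException instead of a clear message. Either document the contract on the constructor (`@param sslConf SSL configuration; may be null when SSL is disabled`) and wrap the two SSL `deprecateEnv` calls in `if (sslConf != null) { ... }`, or have callers pass an empty `new Configuration(false)` instead of null. The constructor body continues beyond this hunk.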
@@ -68,10 +62,10 @@ public class KMSWebServer {
 KMSConfiguration.KMS_SITE_XML);
 deprecateEnv("KMS_SSL_ENABLED", conf, KMSConfiguration.SSL_ENABLED_KEY,
 KMSConfiguration.KMS_SITE_XML);
- deprecateEnv("KMS_SSL_KEYSTORE_FILE", conf,
+ deprecateEnv("KMS_SSL_KEYSTORE_FILE", sslConf,
 SSLFactory.SSL_SERVER_KEYSTORE_LOCATION,
 SSLFactory.SSL_SERVER_CONF_DEFAULT);
- deprecateEnv("KMS_SSL_KEYSTORE_PASS", conf,
+ deprecateEnv("KMS_SSL_KEYSTORE_PASS", sslConf,
 SSLFactory.SSL_SERVER_KEYSTORE_PASSWORD,
 SSLFactory.SSL_SERVER_CONF_DEFAULT);
@@ -88,7 +82,7 @@ public class KMSWebServer {
 httpServer = new HttpServer2.Builder()
 .setName(NAME)
 .setConf(conf)
- .setSSLConf(conf)
+ .setSSLConf(sslConf)
 .authFilterConfigurationPrefix(KMSAuthenticationFilter.CONFIG_PREFIX)
 .addEndpoint(endpoint)
 .build();
@@ -147,8 +141,11 @@ public class KMSWebServer {
 public static void main(String[] args) throws Exception {
 StringUtils.startupShutdownMessage(KMSWebServer.class, args, LOG);
- Configuration conf = KMSConfiguration.getKMSConf();
- KMSWebServer kmsWebServer = new KMSWebServer(conf);
+ Configuration conf = new ConfigurationWithLogging(
+ KMSConfiguration.getKMSConf());
+ Configuration sslConf = new ConfigurationWithLogging(
+ SSLFactory.readSSLConfiguration(conf, SSLFactory.Mode.SERVER));
+ KMSWebServer kmsWebServer = new KMSWebServer(conf, sslConf);
 kmsWebServer.start();
 kmsWebServer.join();
 }
diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java
index f911c5b7508..0a7ff413192 100644
--- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java
+++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java
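Review bot: In `main`, `sslConf` is wrapped in `ConfigurationWithLogging` even though it is the object that holds `SSL_SERVER_KEYSTORE_PASSWORD` (the `@@ -68,10 +62,10 @@` hunk reads that key from `sslConf`), so if the wrapper logs looked-up values as its name suggests, keystore and key passwords could land in the KMS log at startup. Confirm that `ConfigurationWithLogging` redacts these keys (for example through `hadoop.security.sensitive-config-keys`) before applying it to `sslConf`; if it does not, wrap only `conf` and keep the plain result, i.e. `Configuration sslConf = SSLFactory.readSSLConfiguration(conf, SSLFactory.Mode.SERVER);`. A short comment on the wrapped line recording why logging of the SSL configuration is considered safe would also help the next reader.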
@@ -145,14 +145,17 @@ public class MiniKMS {
 final Configuration conf = KMSConfiguration.getKMSConf();
 conf.set(KMSConfiguration.HTTP_HOST_KEY, "localhost");
 conf.setInt(KMSConfiguration.HTTP_PORT_KEY, inPort);
+
+ Configuration sslConf = null;
 if (keyStore != null) {
 conf.setBoolean(KMSConfiguration.SSL_ENABLED_KEY, true);
- conf.set(SSLFactory.SSL_SERVER_KEYSTORE_LOCATION, keyStore);
- conf.set(SSLFactory.SSL_SERVER_KEYSTORE_PASSWORD, keyStorePassword);
- conf.set(SSLFactory.SSL_SERVER_KEYSTORE_TYPE, "jks");
+ sslConf = SSLFactory.readSSLConfiguration(conf, SSLFactory.Mode.SERVER);
+ sslConf.set(SSLFactory.SSL_SERVER_KEYSTORE_LOCATION, keyStore);
+ sslConf.set(SSLFactory.SSL_SERVER_KEYSTORE_PASSWORD, keyStorePassword);
+ sslConf.set(SSLFactory.SSL_SERVER_KEYSTORE_TYPE, "jks");
 }
- jetty = new KMSWebServer(conf);
+ jetty = new KMSWebServer(conf, sslConf);
 jetty.start();
 kmsURL = jetty.getKMSUrl();
 }