HDDS-2073. Make SCMSecurityProtocol message based.

Contributed by Elek, Marton.
Anu Engineer 2019-10-02 12:19:58 -07:00
parent e8ae632d4c
commit ffd4e52725
7 changed files with 401 additions and 221 deletions


@ -16,22 +16,29 @@
*/
package org.apache.hadoop.hdds.protocolPB;
import com.google.protobuf.RpcController;
import com.google.protobuf.ServiceException;
import java.io.Closeable;
import java.io.IOException;
import java.util.function.Consumer;
import org.apache.hadoop.hdds.protocol.SCMSecurityProtocol;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos.DatanodeDetailsProto;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos.OzoneManagerDetailsProto;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCACertificateRequestProto;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertificateRequestProto;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertificateRequestProto.Builder;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetDataNodeCertRequestProto;
import org.apache.hadoop.hdds.protocol.SCMSecurityProtocol;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMSecurityRequest;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMSecurityRequest.Builder;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMSecurityResponse;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.Type;
import org.apache.hadoop.hdds.tracing.TracingUtil;
import org.apache.hadoop.ipc.ProtobufHelper;
import org.apache.hadoop.ipc.ProtocolTranslator;
import org.apache.hadoop.ipc.RPC;
import com.google.protobuf.RpcController;
import com.google.protobuf.ServiceException;
import static org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetOMCertRequestProto;
/**
@ -52,6 +59,28 @@ public SCMSecurityProtocolClientSideTranslatorPB(
this.rpcProxy = rpcProxy;
}
/**
* Helper method to wrap the request and send the message.
*/
private SCMSecurityResponse submitRequest(
SCMSecurityProtocolProtos.Type type,
Consumer<Builder> builderConsumer) throws IOException {
final SCMSecurityResponse response;
try {
Builder builder = SCMSecurityRequest.newBuilder()
.setCmdType(type)
.setTraceID(TracingUtil.exportCurrentSpan());
builderConsumer.accept(builder);
SCMSecurityRequest wrapper = builder.build();
response = rpcProxy.submitRequest(NULL_RPC_CONTROLLER, wrapper);
} catch (ServiceException ex) {
throw ProtobufHelper.getRemoteException(ex);
}
return response;
}
/**
* Closes this stream and releases any system resources associated
* with it. If the stream is already closed then invoking this
@ -87,8 +116,8 @@ public String getDataNodeCertificate(DatanodeDetailsProto dataNodeDetails,
/**
* Get SCM signed certificate for OM.
*
* @param omDetails - OzoneManager Details.
* @param certSignReq - Certificate signing request.
* @param omDetails - OzoneManager Details.
* @param certSignReq - Certificate signing request.
* @return byte[] - SCM signed certificate.
*/
@Override
@ -100,64 +129,61 @@ public String getOMCertificate(OzoneManagerDetailsProto omDetails,
/**
* Get SCM signed certificate for OM.
*
* @param omDetails - OzoneManager Details.
* @param certSignReq - Certificate signing request.
* @param omDetails - OzoneManager Details.
* @param certSignReq - Certificate signing request.
* @return byte[] - SCM signed certificate.
*/
public SCMGetCertResponseProto getOMCertChain(
OzoneManagerDetailsProto omDetails, String certSignReq)
throws IOException {
SCMGetOMCertRequestProto.Builder builder = SCMGetOMCertRequestProto
SCMGetOMCertRequestProto request = SCMGetOMCertRequestProto
.newBuilder()
.setCSR(certSignReq)
.setOmDetails(omDetails);
try {
return rpcProxy.getOMCertificate(NULL_RPC_CONTROLLER, builder.build());
} catch (ServiceException e) {
throw ProtobufHelper.getRemoteException(e);
}
.setOmDetails(omDetails)
.build();
return submitRequest(Type.GetOMCertificate,
builder -> builder.setGetOMCertRequest(request))
.getGetCertResponseProto();
}
/**
* Get SCM signed certificate with given serial id. Throws exception if
* certificate is not found.
*
* @param certSerialId - Certificate serial id.
* @param certSerialId - Certificate serial id.
* @return string - pem encoded certificate.
*/
@Override
public String getCertificate(String certSerialId) throws IOException {
Builder builder = SCMGetCertificateRequestProto
SCMGetCertificateRequestProto request = SCMGetCertificateRequestProto
.newBuilder()
.setCertSerialId(certSerialId);
try {
return rpcProxy.getCertificate(NULL_RPC_CONTROLLER, builder.build())
.getX509Certificate();
} catch (ServiceException e) {
throw ProtobufHelper.getRemoteException(e);
}
.setCertSerialId(certSerialId)
.build();
return submitRequest(Type.GetCertificate,
builder -> builder.setGetCertificateRequest(request))
.getGetCertResponseProto()
.getX509Certificate();
}
/**
* Get SCM signed certificate for Datanode.
*
* @param dnDetails - Datanode Details.
* @param certSignReq - Certificate signing request.
* @param dnDetails - Datanode Details.
* @param certSignReq - Certificate signing request.
* @return byte[] - SCM signed certificate.
*/
public SCMGetCertResponseProto getDataNodeCertificateChain(
DatanodeDetailsProto dnDetails, String certSignReq)
throws IOException {
SCMGetDataNodeCertRequestProto.Builder builder =
SCMGetDataNodeCertRequestProto request =
SCMGetDataNodeCertRequestProto.newBuilder()
.setCSR(certSignReq)
.setDatanodeDetails(dnDetails);
try {
return rpcProxy.getDataNodeCertificate(NULL_RPC_CONTROLLER,
builder.build());
} catch (ServiceException e) {
throw ProtobufHelper.getRemoteException(e);
}
.setDatanodeDetails(dnDetails)
.build();
return submitRequest(Type.GetDataNodeCertificate,
builder -> builder.setGetDataNodeCertRequest(request))
.getGetCertResponseProto();
}
/**
@ -169,12 +195,10 @@ public SCMGetCertResponseProto getDataNodeCertificateChain(
public String getCACertificate() throws IOException {
SCMGetCACertificateRequestProto protoIns = SCMGetCACertificateRequestProto
.getDefaultInstance();
try {
return rpcProxy.getCACertificate(NULL_RPC_CONTROLLER, protoIns)
.getX509Certificate();
} catch (ServiceException e) {
throw ProtobufHelper.getRemoteException(e);
}
return submitRequest(Type.GetCACertificate,
builder -> builder.setGetCACertificateRequest(protoIns))
.getGetCertResponseProto().getX509Certificate();
}
/**
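Review bot: `submitRequest` in the first hunk returns the `SCMSecurityResponse` without inspecting its `status`, `success` or `message` fields, so the callers further down read `getGetCertResponseProto()` — an empty default instance when the field is absent — and `getCertificate`/`getCACertificate` would hand back an empty string rather than fail. Failures currently surface only because the server wraps an IOException in a ServiceException, which leaves the envelope's own error fields dead on the wire. Before `return response;` add `if (response.getStatus() != SCMSecurityProtocolProtos.Status.OK || !response.getSuccess()) { throw new IOException("SCM security request " + type + " failed: " + response.getMessage()); }` so a non-OK envelope is reported the same way as a remote exception. The enclosing class starts before and ends after the hunks shown.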


@ -1,132 +0,0 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with this
* work for additional information regarding copyright ownership. The ASF
* licenses this file to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* <p>
* http://www.apache.org/licenses/LICENSE-2.0
* <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations under
* the License.
*/
package org.apache.hadoop.hdds.protocolPB;
import com.google.protobuf.RpcController;
import com.google.protobuf.ServiceException;
import java.io.IOException;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertificateRequestProto;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetDataNodeCertRequestProto;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto.ResponseCode;
import org.apache.hadoop.hdds.protocol.SCMSecurityProtocol;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetOMCertRequestProto;
/**
* This class is the server-side translator that forwards requests received on
* {@link SCMSecurityProtocolPB} to the {@link
* SCMSecurityProtocol} server implementation.
*/
public class SCMSecurityProtocolServerSideTranslatorPB implements
SCMSecurityProtocolPB {
private final SCMSecurityProtocol impl;
public SCMSecurityProtocolServerSideTranslatorPB(SCMSecurityProtocol impl) {
this.impl = impl;
}
/**
* Get SCM signed certificate for DataNode.
*
* @param controller
* @param request
* @return SCMGetDataNodeCertResponseProto.
*/
@Override
public SCMGetCertResponseProto getDataNodeCertificate(
RpcController controller, SCMGetDataNodeCertRequestProto request)
throws ServiceException {
try {
String certificate = impl
.getDataNodeCertificate(request.getDatanodeDetails(),
request.getCSR());
SCMGetCertResponseProto.Builder builder =
SCMGetCertResponseProto
.newBuilder()
.setResponseCode(ResponseCode.success)
.setX509Certificate(certificate)
.setX509CACertificate(impl.getCACertificate());
return builder.build();
} catch (IOException e) {
throw new ServiceException(e);
}
}
/**
* Get SCM signed certificate for OzoneManager.
*
* @param controller
* @param request
* @return SCMGetCertResponseProto.
*/
@Override
public SCMGetCertResponseProto getOMCertificate(
RpcController controller, SCMGetOMCertRequestProto request)
throws ServiceException {
try {
String certificate = impl
.getOMCertificate(request.getOmDetails(),
request.getCSR());
SCMGetCertResponseProto.Builder builder =
SCMGetCertResponseProto
.newBuilder()
.setResponseCode(ResponseCode.success)
.setX509Certificate(certificate)
.setX509CACertificate(impl.getCACertificate());
return builder.build();
} catch (IOException e) {
throw new ServiceException(e);
}
}
@Override
public SCMGetCertResponseProto getCertificate(RpcController controller,
SCMGetCertificateRequestProto request) throws ServiceException {
try {
String certificate = impl.getCertificate(request.getCertSerialId());
SCMGetCertResponseProto.Builder builder =
SCMGetCertResponseProto
.newBuilder()
.setResponseCode(ResponseCode.success)
.setX509Certificate(certificate);
return builder.build();
} catch (IOException e) {
throw new ServiceException(e);
}
}
@Override
public SCMGetCertResponseProto getCACertificate(RpcController controller,
SCMSecurityProtocolProtos.SCMGetCACertificateRequestProto request)
throws ServiceException {
try {
String certificate = impl.getCACertificate();
SCMGetCertResponseProto.Builder builder =
SCMGetCertResponseProto
.newBuilder()
.setResponseCode(ResponseCode.success)
.setX509Certificate(certificate);
return builder.build();
} catch (IOException e) {
throw new ServiceException(e);
}
}
}


@ -30,17 +30,61 @@ option java_generic_services = true;
option java_generate_equals_and_hash = true;
package hadoop.hdds;
package hadoop.hdds.security;
import "hdds.proto";
/**
All commands is send as request and all response come back via
Response class. If adding new functions please follow this protocol, since
our tracing and visibility tools depend on this pattern.
*/
message SCMSecurityRequest {
required Type cmdType = 1; // Type of the command
optional string traceID = 2;
optional SCMGetDataNodeCertRequestProto getDataNodeCertRequest = 3;
optional SCMGetOMCertRequestProto getOMCertRequest = 4;
optional SCMGetCertificateRequestProto getCertificateRequest = 5;
optional SCMGetCACertificateRequestProto getCACertificateRequest = 6;
}
message SCMSecurityResponse {
required Type cmdType = 1; // Type of the command
// A string that identifies this command, we generate Trace ID in Ozone
// frontend and this allows us to trace that command all over ozone.
optional string traceID = 2;
optional bool success = 3 [default = true];
optional string message = 4;
required Status status = 5;
optional SCMGetCertResponseProto getCertResponseProto = 6;
}
enum Type {
GetDataNodeCertificate = 1;
GetOMCertificate = 2;
GetCertificate = 3;
GetCACertificate = 4;
}
enum Status {
OK = 1;
}
/**
* This message is send by data node to prove its identity and get an SCM
* signed certificate.
*/
message SCMGetDataNodeCertRequestProto {
required DatanodeDetailsProto datanodeDetails = 1;
required string CSR = 2;
required DatanodeDetailsProto datanodeDetails = 1;
required string CSR = 2;
}
/**
@ -48,15 +92,15 @@ message SCMGetDataNodeCertRequestProto {
* signed certificate.
*/
message SCMGetOMCertRequestProto {
required OzoneManagerDetailsProto omDetails = 1;
required string CSR = 2;
required OzoneManagerDetailsProto omDetails = 1;
required string CSR = 2;
}
/**
* Proto request to get a certificate with given serial id.
*/
message SCMGetCertificateRequestProto {
required string certSerialId = 1;
required string certSerialId = 1;
}
/**
@ -69,39 +113,17 @@ message SCMGetCACertificateRequestProto {
* Returns a certificate signed by SCM.
*/
message SCMGetCertResponseProto {
enum ResponseCode {
success = 1;
authenticationFailed = 2;
invalidCSR = 3;
}
required ResponseCode responseCode = 1;
required string x509Certificate = 2; // Base64 encoded X509 certificate.
optional string x509CACertificate = 3; // Base64 encoded CA X509 certificate.
enum ResponseCode {
success = 1;
authenticationFailed = 2;
invalidCSR = 3;
}
required ResponseCode responseCode = 1;
required string x509Certificate = 2; // Base64 encoded X509 certificate.
optional string x509CACertificate = 3; // Base64 encoded CA X509 certificate.
}
service SCMSecurityProtocolService {
/**
* Get SCM signed certificate for DataNode.
*/
rpc getDataNodeCertificate (SCMGetDataNodeCertRequestProto) returns
(SCMGetCertResponseProto);
/**
* Get SCM signed certificate for DataNode.
*/
rpc getOMCertificate (SCMGetOMCertRequestProto) returns
(SCMGetCertResponseProto);
/**
* Get SCM signed certificate for DataNode.
*/
rpc getCertificate (SCMGetCertificateRequestProto) returns
(SCMGetCertResponseProto);
/**
* Get SCM signed certificate for DataNode.
*/
rpc getCACertificate (SCMGetCACertificateRequestProto) returns
(SCMGetCertResponseProto);
rpc submitRequest (SCMSecurityRequest) returns (SCMSecurityResponse);
}
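Review bot: `Status` declares only `OK`, and `SCMSecurityResponse` carries `success` (default true) and `message` that no code in this commit sets, so the new envelope cannot express a failure except as an RPC-level exception; either add a failure value the server can set together with `message` (for example `INTERNAL_ERROR = 2;`, a suggested name) or say in the comment above `SCMSecurityRequest` that errors are always raised as exceptions. That comment also reads `All commands is send as request and all response come back via Response class`; suggested wording: `All commands are sent as a request and all responses come back via the Response class.` Replacing the four rpcs with a single `submitRequest` (and renaming the proto package to `hadoop.hdds.security`) is not wire-compatible with older peers, which is worth stating in the commit description if mixed-version clusters are expected.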


@ -0,0 +1,186 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with this
* work for additional information regarding copyright ownership. The ASF
* licenses this file to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* <p>
* http://www.apache.org/licenses/LICENSE-2.0
* <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations under
* the License.
*/
package org.apache.hadoop.hdds.scm.protocol;
import com.google.protobuf.RpcController;
import com.google.protobuf.ServiceException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.IOException;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertificateRequestProto;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetDataNodeCertRequestProto;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto.ResponseCode;
import org.apache.hadoop.hdds.protocol.SCMSecurityProtocol;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetOMCertRequestProto;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMSecurityRequest;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMSecurityResponse;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.Status;
import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolPB;
import org.apache.hadoop.hdds.server.OzoneProtocolMessageDispatcher;
import org.apache.hadoop.ozone.protocolPB.ProtocolMessageMetrics;
/**
* This class is the server-side translator that forwards requests received on
* {@link SCMSecurityProtocolPB} to the {@link
* SCMSecurityProtocol} server implementation.
*/
public class SCMSecurityProtocolServerSideTranslatorPB
implements SCMSecurityProtocolPB {
private static final Logger LOG =
LoggerFactory.getLogger(SCMSecurityProtocolServerSideTranslatorPB.class);
private final SCMSecurityProtocol impl;
private OzoneProtocolMessageDispatcher<SCMSecurityRequest,
SCMSecurityResponse>
dispatcher;
public SCMSecurityProtocolServerSideTranslatorPB(SCMSecurityProtocol impl,
ProtocolMessageMetrics messageMetrics) {
this.impl = impl;
this.dispatcher =
new OzoneProtocolMessageDispatcher<>("ScmSecurityProtocol",
messageMetrics, LOG);
}
@Override
public SCMSecurityResponse submitRequest(RpcController controller,
SCMSecurityRequest request) throws ServiceException {
return dispatcher.processRequest(request, this::processRequest,
request.getCmdType(), request.getTraceID());
}
public SCMSecurityResponse processRequest(SCMSecurityRequest request)
throws ServiceException {
try {
switch (request.getCmdType()) {
case GetCertificate:
return SCMSecurityResponse.newBuilder()
.setCmdType(request.getCmdType())
.setStatus(Status.OK)
.setGetCertResponseProto(
getCertificate(request.getGetCertificateRequest()))
.build();
case GetCACertificate:
return SCMSecurityResponse.newBuilder()
.setCmdType(request.getCmdType())
.setStatus(Status.OK)
.setGetCertResponseProto(
getCACertificate(request.getGetCACertificateRequest()))
.build();
case GetOMCertificate:
return SCMSecurityResponse.newBuilder()
.setCmdType(request.getCmdType())
.setStatus(Status.OK)
.setGetCertResponseProto(
getOMCertificate(request.getGetOMCertRequest()))
.build();
case GetDataNodeCertificate:
return SCMSecurityResponse.newBuilder()
.setCmdType(request.getCmdType())
.setStatus(Status.OK)
.setGetCertResponseProto(
getDataNodeCertificate(request.getGetDataNodeCertRequest()))
.build();
default:
throw new IllegalArgumentException(
"Unknown request type: " + request.getCmdType());
}
} catch (IOException e) {
throw new ServiceException(e);
}
}
/**
* Get SCM signed certificate for DataNode.
*
* @param request
* @return SCMGetDataNodeCertResponseProto.
*/
public SCMGetCertResponseProto getDataNodeCertificate(
SCMGetDataNodeCertRequestProto request)
throws IOException {
String certificate = impl
.getDataNodeCertificate(request.getDatanodeDetails(),
request.getCSR());
SCMGetCertResponseProto.Builder builder =
SCMGetCertResponseProto
.newBuilder()
.setResponseCode(ResponseCode.success)
.setX509Certificate(certificate)
.setX509CACertificate(impl.getCACertificate());
return builder.build();
}
/**
* Get SCM signed certificate for OzoneManager.
*
* @param request
* @return SCMGetCertResponseProto.
*/
public SCMGetCertResponseProto getOMCertificate(
SCMGetOMCertRequestProto request) throws IOException {
String certificate = impl
.getOMCertificate(request.getOmDetails(),
request.getCSR());
SCMGetCertResponseProto.Builder builder =
SCMGetCertResponseProto
.newBuilder()
.setResponseCode(ResponseCode.success)
.setX509Certificate(certificate)
.setX509CACertificate(impl.getCACertificate());
return builder.build();
}
public SCMGetCertResponseProto getCertificate(
SCMGetCertificateRequestProto request) throws IOException {
String certificate = impl.getCertificate(request.getCertSerialId());
SCMGetCertResponseProto.Builder builder =
SCMGetCertResponseProto
.newBuilder()
.setResponseCode(ResponseCode.success)
.setX509Certificate(certificate);
return builder.build();
}
public SCMGetCertResponseProto getCACertificate(
SCMSecurityProtocolProtos.SCMGetCACertificateRequestProto request)
throws IOException {
String certificate = impl.getCACertificate();
SCMGetCertResponseProto.Builder builder =
SCMGetCertResponseProto
.newBuilder()
.setResponseCode(ResponseCode.success)
.setX509Certificate(certificate);
return builder.build();
}
}
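Review bot: The four `case` arms of `processRequest` each rebuild the same `SCMSecurityResponse` envelope (`setCmdType`, `setStatus(Status.OK)`, `setGetCertResponseProto`, `build`), differing only in the payload call; hoisting one builder and letting each arm set the payload keeps the envelope in a single place, which matters once more commands or a failure status are added. `dispatcher` is assigned only in the constructor, so it should be `private final`, and the four handler methods are `public` although only `processRequest` calls them — `private` would be safer unless tests rely on them. The Javadoc on `getDataNodeCertificate` says `@return SCMGetDataNodeCertResponseProto.` but the method returns `SCMGetCertResponseProto`; `getCertificate` and `getCACertificate` have no Javadoc at all.
```java
  public SCMSecurityResponse processRequest(SCMSecurityRequest request)
      throws ServiceException {
    // Envelope fields are the same for every command; only the payload differs.
    SCMSecurityResponse.Builder response = SCMSecurityResponse.newBuilder()
        .setCmdType(request.getCmdType())
        .setStatus(Status.OK);
    try {
      switch (request.getCmdType()) {
      case GetCertificate:
        response.setGetCertResponseProto(
            getCertificate(request.getGetCertificateRequest()));
        break;
      case GetCACertificate:
        response.setGetCertResponseProto(
            getCACertificate(request.getGetCACertificateRequest()));
        break;
      case GetOMCertificate:
        response.setGetCertResponseProto(
            getOMCertificate(request.getGetOMCertRequest()));
        break;
      case GetDataNodeCertificate:
        response.setGetCertResponseProto(
            getDataNodeCertificate(request.getGetDataNodeCertRequest()));
        break;
      default:
        throw new IllegalArgumentException(
            "Unknown request type: " + request.getCmdType());
      }
    } catch (IOException e) {
      throw new ServiceException(e);
    }
    return response.build();
  }
```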


@ -5,9 +5,9 @@
* licenses this file to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* <p>
* http://www.apache.org/licenses/LICENSE-2.0
*
* <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
@ -17,6 +17,7 @@
package org.apache.hadoop.hdds.scm.server;
import com.google.protobuf.BlockingService;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.security.cert.CertificateException;
@ -32,7 +33,7 @@
import org.apache.hadoop.hdds.protocol.proto.HddsProtos.OzoneManagerDetailsProto;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos;
import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolPB;
import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolServerSideTranslatorPB;
import org.apache.hadoop.hdds.scm.protocol.SCMSecurityProtocolServerSideTranslatorPB;
import org.apache.hadoop.hdds.scm.HddsServerUtil;
import org.apache.hadoop.hdds.scm.ScmConfigKeys;
import org.apache.hadoop.hdds.protocol.SCMSecurityProtocol;
@ -41,7 +42,9 @@
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.ipc.ProtobufRpcEngine;
import org.apache.hadoop.ipc.RPC;
import org.apache.hadoop.ozone.protocolPB.ProtocolMessageMetrics;
import org.apache.hadoop.security.KerberosInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@ -62,6 +65,7 @@ public class SCMSecurityProtocolServer implements SCMSecurityProtocol {
private final CertificateServer certificateServer;
private final RPC.Server rpcServer;
private final InetSocketAddress rpcAddress;
private final ProtocolMessageMetrics metrics;
SCMSecurityProtocolServer(OzoneConfiguration conf,
CertificateServer certificateServer) throws IOException {
@ -76,10 +80,13 @@ public class SCMSecurityProtocolServer implements SCMSecurityProtocol {
// SCM security service RPC service.
RPC.setProtocolEngine(conf, SCMSecurityProtocolPB.class,
ProtobufRpcEngine.class);
metrics = new ProtocolMessageMetrics("ScmSecurityProtocol",
"SCM Security protocol metrics",
SCMSecurityProtocolProtos.Type.values());
BlockingService secureProtoPbService =
SCMSecurityProtocolProtos.SCMSecurityProtocolService
.newReflectiveBlockingService(
new SCMSecurityProtocolServerSideTranslatorPB(this));
new SCMSecurityProtocolServerSideTranslatorPB(this, metrics));
this.rpcServer =
StorageContainerManager.startRpcServer(
conf,
@ -96,8 +103,8 @@ public class SCMSecurityProtocolServer implements SCMSecurityProtocol {
/**
* Get SCM signed certificate for DataNode.
*
* @param dnDetails - DataNode Details.
* @param certSignReq - Certificate signing request.
* @param dnDetails - DataNode Details.
* @param certSignReq - Certificate signing request.
* @return String - SCM signed pem encoded certificate.
*/
@Override
@ -122,8 +129,8 @@ public String getDataNodeCertificate(
/**
* Get SCM signed certificate for OM.
*
* @param omDetails - OzoneManager Details.
* @param certSignReq - Certificate signing request.
* @param omDetails - OzoneManager Details.
* @param certSignReq - Certificate signing request.
* @return String - SCM signed pem encoded certificate.
*/
@Override
@ -147,7 +154,7 @@ public String getOMCertificate(OzoneManagerDetailsProto omDetails,
/**
* Get SCM signed certificate with given serial id.
*
* @param certSerialId - Certificate serial id.
* @param certSerialId - Certificate serial id.
* @return string - pem encoded SCM signed certificate.
*/
@Override
@ -196,12 +203,14 @@ public InetSocketAddress getRpcAddress() {
public void start() {
LOGGER.info(StorageContainerManager.buildRpcServerStartMessage("Starting"
+ " RPC server for SCMSecurityProtocolServer.", getRpcAddress()));
metrics.register();
getRpcServer().start();
}
public void stop() {
try {
LOGGER.info("Stopping the SCMSecurityProtocolServer.");
metrics.unregister();
getRpcServer().stop();
} catch (Exception ex) {
LOGGER.error("SCMSecurityProtocolServer stop failed.", ex);
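Review bot: In `stop()` the new `metrics.unregister()` call runs before `getRpcServer().stop()` inside the same `try`, so should unregistering throw, the RPC server is left running and the failure is only logged. Mirroring `start()` (register, then start) by stopping the server first, `getRpcServer().stop(); metrics.unregister();`, keeps the server shutdown independent of the metrics teardown. `stop()` continues past the end of the hunk.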


@ -31,7 +31,7 @@
import org.apache.hadoop.ozone.insight.scm.NodeManagerInsight;
import org.apache.hadoop.ozone.insight.scm.ReplicaManagerInsight;
import org.apache.hadoop.ozone.insight.scm.ScmProtocolBlockLocationInsight;
import org.apache.hadoop.ozone.insight.scm.ScmProtocolDatanodeInsight;
import org.apache.hadoop.ozone.insight.scm.ScmProtocolSecurityInsight;
import org.apache.hadoop.ozone.om.OMConfigKeys;
import picocli.CommandLine;
@ -89,8 +89,8 @@ public Map<String, InsightPoint> createInsightPoints(
insights.put("scm.event-queue", new EventQueueInsight());
insights.put("scm.protocol.block-location",
new ScmProtocolBlockLocationInsight());
insights.put("scm.protocol.datanode",
new ScmProtocolDatanodeInsight());
insights.put("scm.protocol.security",
new ScmProtocolSecurityInsight());
insights.put("om.key-manager", new KeyManagerInsight());
insights.put("om.protocol.client", new OmProtocolInsight());
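Review bot: The `scm.protocol.datanode` registration and its `ScmProtocolDatanodeInsight` import are replaced by the new security insight rather than supplemented, so the datanode protocol insight point disappears from `createInsightPoints` even though that class is not among the seven files in the diffstat. If dropping it is unintended, keep both entries: `insights.put("scm.protocol.datanode", new ScmProtocolDatanodeInsight());` alongside `insights.put("scm.protocol.security", new ScmProtocolSecurityInsight());`. `createInsightPoints` starts before and ends after the hunk.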


@ -0,0 +1,71 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.ozone.insight.scm;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos;
import org.apache.hadoop.hdds.scm.protocol.SCMSecurityProtocolServerSideTranslatorPB;
import org.apache.hadoop.hdds.scm.server.SCMSecurityProtocolServer;
import org.apache.hadoop.ozone.insight.BaseInsightPoint;
import org.apache.hadoop.ozone.insight.Component.Type;
import org.apache.hadoop.ozone.insight.LoggerSource;
import org.apache.hadoop.ozone.insight.MetricGroupDisplay;
/**
* Insight metric to check the SCM block location protocol behaviour.
*/
public class ScmProtocolSecurityInsight extends BaseInsightPoint {
@Override
public List<LoggerSource> getRelatedLoggers(boolean verbose) {
List<LoggerSource> loggers = new ArrayList<>();
loggers.add(
new LoggerSource(Type.SCM,
SCMSecurityProtocolServerSideTranslatorPB.class,
defaultLevel(verbose)));
new LoggerSource(Type.SCM,
SCMSecurityProtocolServer.class,
defaultLevel(verbose));
return loggers;
}
@Override
public List<MetricGroupDisplay> getMetrics() {
List<MetricGroupDisplay> metrics = new ArrayList<>();
Map<String, String> filter = new HashMap<>();
filter.put("servername", "SCMSecurityProtocolService");
addRpcMetrics(metrics, Type.SCM, filter);
addProtocolMessageMetrics(metrics, "scm_security_protocol",
Type.SCM, SCMSecurityProtocolProtos.Type.values());
return metrics;
}
@Override
public String getDescription() {
return "SCM Block location protocol endpoint";
}
}
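Review bot: In `getRelatedLoggers` the second `LoggerSource` for `SCMSecurityProtocolServer` is constructed but never added to `loggers` (the `loggers.add(` wrapper is missing), so only the translator's logger is returned; change it to `loggers.add(new LoggerSource(Type.SCM, SCMSecurityProtocolServer.class, defaultLevel(verbose)));`. The class Javadoc and `getDescription` still describe the block location protocol, apparently copied from the sibling insight; suggested `Insight metric to check the SCM security protocol behaviour.` for the Javadoc and `return "SCM Security protocol endpoint";` for the description.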