Commit Graph

139 Commits

Author SHA1 Message Date
Xiao Chen 74156ee20a HADOOP-13437. KMS should reload whitelist and default key ACLs when hot-reloading. Contributed by Xiao Chen.
(cherry picked from commit 9daa9979a1)
2016-08-15 18:18:31 -07:00
Wei-Chiu Chuang 6d53e096b2 HADOOP-13190. Mention LoadBalancingKMSClientProvider in KMS HA documentation. Contributed by Wei-Chiu Chuang.
(cherry picked from commit db719ef125)
2016-08-11 12:27:52 -07:00
Wei-Chiu Chuang cc20316b55 HADOOP-13395. Enhance TestKMSAudit. Contributed by Xiao Chen.
(cherry picked from commit 070548943a)

Conflicts:
hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSAudit.java
2016-08-08 15:16:14 -07:00
Xiao Chen 8fe4b2429a HADOOP-13381. KMS clients should use KMS Delegation Tokens from current UGI. Contributed by Xiao Chen.
(cherry picked from commit 8ebf2e95d2)

Conflicts:
	hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
2016-07-28 18:39:59 -07:00
Andrew Wang d8a69c8737 HADOOP-13251. Authenticate with Kerberos credentials when renewing KMS delegation token. Contributed by Xiao Chen.
(cherry picked from commit 771f798edf)

 Conflicts:
	hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
2016-06-27 18:29:39 -07:00
Xiaoyu Yao ddf66427ff HADOOP-13255. KMSClientProvider should check and renew tgt when doing delegation token operations. Contributed by Xiao Chen. 2016-06-16 20:12:17 -07:00
Andrew Wang 03c4724c88 HADOOP-13155. Implement TokenRenewer to renew and cancel delegation tokens in KMS. Contributed by Xiao Chen.
(cherry picked from commit 713cb71820)

 Conflicts:
	hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderDelegationTokenExtension.java
	hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/DFSUtilClient.java
2016-06-03 17:01:11 -07:00
Andrew Wang 7271e91b79 HADOOP-13030. Handle special characters in passwords in KMS startup script. Contributed by Xiao Chen. 2016-04-27 17:13:50 -07:00
Andrew Wang 2f983b161f HADOOP-12951. Improve documentation on KMS ACLs and delegation tokens. Contributed by Xiao Chen.
(cherry picked from commit 594c70f779)
2016-04-07 23:50:36 -07:00
Andrew Wang c58599acba HADOOP-12962. KMS key names are incorrectly encoded when creating key. Contributed by Xiao Chen.
(cherry picked from commit d4df7849a5)
2016-03-25 15:29:06 -07:00
Masatake Iwasaki 722182fdfb HADOOP-12470. In-page TOC of documentation should be automatically generated by doxia macro (iwasakims)
(cherry picked from commit cbd31328a6)

 Conflicts:
	hadoop-common-project/hadoop-common/src/site/markdown/CommandsManual.md
	hadoop-common-project/hadoop-common/src/site/markdown/UnixShellGuide.md
2016-03-04 14:12:44 +09:00
Yongjun Zhang 36c08f793a HADOOP-12828. Print user when services are started. (Wei-Chiu Chuang via Yongjun Zhang)
(cherry picked from commit a963baba10)
2016-02-19 09:57:45 -08:00
Andrew Wang fb57c01eaa HADOOP-12699. TestKMS#testKMSProvider intermittently fails during 'test rollover draining'. Contributed by Xiao Chen.
(cherry picked from commit 8fdef0bd9d)
2016-02-11 17:21:50 -08:00
cnauroth 25dcb88630 HADOOP-12795. KMS does not log detailed stack trace for unexpected errors. Contributed by Chris Nauroth.
(cherry picked from commit 70c756d35e)
2016-02-11 16:53:12 -08:00
Zhe Zhang 84dcd1a802 HADOOP-12764. Increase default value of KMS maxHttpHeaderSize and make it configurable. (zhz)
Change-Id: Iabb766f6311b83a1ac03093b0ba26a0284b74d70
2016-02-11 09:29:14 -08:00
Steve Loughran c6f7c30a8d HADOOP-12597. In kms-site.xml configuration "hadoop.security.keystore.JavaKeyStoreProvider.password" should be updated with new name. (Surendra Singh Lilhore via stevel) 2016-01-07 16:00:37 +00:00
Xiaoyu Yao d590c17851 HADOOP-12682. Fix TestKMS#testKMSRestart* failure. Contributed by Wei-Chiu Chuang.
(cherry picked from commit ab725cff66)
2015-12-30 10:43:44 -08:00
Vinod Kumar Vavilapalli b20e77eba3 Preparing for 2.9.0 development: mvn versions:set -DnewVersion=2.9.0 2015-11-25 17:47:22 -08:00
Haohui Mai 64add87f5c HADOOP-11218. Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory. Contributed by Vijay Singh. 2015-11-22 16:00:44 -08:00
Haohui Mai 950e8a459e HADOOP-12474. MiniKMS should use random ports for Jetty server by default. Contributed by Mingliang Liu. 2015-10-13 13:08:03 -07:00
Andrew Wang bdaa0fed13 HADOOP-11885. hadoop-dist dist-layout-stitching.sh does not work with dash. (wang)
(cherry picked from commit 7673d4f205)

 Conflicts:
	hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-nativetask/pom.xml
	hadoop-mapreduce-project/pom.xml
2015-05-29 14:55:52 -07:00
Colin Patrick Mccabe 3dec58dd78 HADOOP-11969. ThreadLocal initialization in several classes is not thread safe (Sean Busbey via Colin P. McCabe)
(cherry picked from commit 7dba7005b7)
2015-05-26 12:40:41 -07:00
Robert Kanter f00815ac8a HADOOP-11870. [JDK8] AuthenticationFilter, CertificateUtil, SignerSecretProviders, KeyAuthorizationKeyProvider Javadoc issues (rkanter)
(cherry picked from commit 9fec02c069)
2015-04-27 13:26:00 -07:00
Haohui Mai e75e6c66ea HADOOP-11633. Convert remaining branch-2 .apt.vm files to markdown. Contributed by Masatake Iwasaki. 2015-03-11 14:23:44 -07:00
Vinod Kumar Vavilapalli d9416317a9 Preparing for 2.8.0 development. Changing SNAPSHOT version to be 2.8 on branch-2. 2015-03-08 20:32:51 -07:00
Andrew Wang 0512e50d6e HADOOP-11620. Add support for load balancing across a group of KMS for HA. Contributed by Arun Suresh.
(cherry picked from commit 71385f9b70)
2015-02-25 21:17:44 -08:00
yliu 3ac8f88989 HADOOP-11469. KMS should skip default.key.acl and whitelist.key.acl when loading key acl. (Dian Fu via yliu) 2015-01-27 23:55:52 +08:00
Andrew Wang 7b69719455 HADOOP-11482. Use correct UGI when KMSClientProvider is called by a proxy user. Contributed by Arun Suresh.
(cherry picked from commit 4b00935643)
2015-01-23 12:11:29 -08:00
Akira Ajisaka 13067cf4b1 HADOOP-11493. Fix some typos in kms-acls.xml description. (Contributed by Charles Lamb)
(cherry picked from commit aee4500612)
2015-01-23 11:49:37 +09:00
Haohui Mai 784f481473 HADOOP-11378. Fix new findbugs warnings in hadoop-kms. Contributed by Li Lu. 2014-12-09 13:10:09 -08:00
Andrew Wang deaa172e7a HADOOP-11368. Fix SSLFactory truststore reloader thread leak in KMSClientProvider. Contributed by Arun Suresh.
(cherry picked from commit 74d4bfded9)
2014-12-09 10:47:33 -08:00
Andrew Wang 46a7365164 HADOOP-11329. Add JAVA_LIBRARY_PATH to KMS startup options. Contributed by Arun Suresh.
(cherry picked from commit ddffcd8fac)
2014-12-08 13:45:34 -08:00
Andrew Wang b8e4fffa49 HADOOP-11355. When accessing data in HDFS and the key has been deleted, a Null Pointer Exception is shown. Contributed by Arun Suresh.
(cherry picked from commit 9cdaec6a6f)
2014-12-05 12:01:32 -08:00
Andrew Wang 696e15f0d1 HADOOP-11342. KMS key ACL should ignore ALL operation for default key ACL and whitelist key ACL. Contributed by Dian Fu.
(cherry picked from commit 1812241ee1)
2014-12-03 12:00:29 -08:00
Andrew Wang c962eef533 HADOOP-11344. KMS kms-config.sh sets a default value for the keystore password even in non-ssl setup. Contributed by Arun Suresh.
(cherry picked from commit 3d48ad7eb4)
2014-12-02 19:04:33 -08:00
Andrew Wang 881c77107e HADOOP-11341. KMS support for whitelist key ACLs. Contributed by Arun Suresh.
(cherry picked from commit 31b4d2daa1)
2014-12-01 21:58:21 -08:00
Andrew Wang 084667aad9 HADOOP-11337. KeyAuthorizationKeyProvider access checks need to be done atomically. Contributed by Dian Fu.
(cherry picked from commit 9fa2990257)
2014-12-01 21:22:03 -08:00
Andrew Wang aad16f8f5c HADOOP-11300. KMS startup scripts must not display the keystore / truststore passwords. Contributed by Arun Suresh.
(cherry picked from commit 56f3eecc12)
2014-11-25 15:12:09 -08:00
yliu 4b62d6d2fd HADOOP-11322. key based ACL check in KMS always checks KeyOpType.MANAGEMENT even if the actual KeyOpType is not MANAGEMENT. (Dian Fu via yliu) 2014-11-25 01:12:31 +08:00
Andrew Wang 1e14792be6 HADOOP-11312. Fix unit tests to not use uppercase key names.
(cherry picked from commit bcd402ae38)
2014-11-18 10:48:10 -08:00
Karthik Kambatla 6e64390627 HADOOP-11217. (Addendum to allow SSLv2Hello) Disable SSLv3 in KMS. (Robert Kanter via kasha)
(cherry picked from commit 87818ef4e7)
2014-11-12 18:39:21 -08:00
Arun C. Murthy adfb830a2b Preparing to release hadoop-2.6.0: Set version in branch-2 to 2.7.0-SNAPSHOT. 2014-11-09 19:19:02 -08:00
Aaron T. Myers d698ed1d6f HADOOP-11187 NameNode - KMS communication fails after a long period of inactivity. Contributed by Arun Suresh.
(cherry picked from commit d593035d50e9997f31ddd67275b6e68504f9ca3c)
2014-11-05 18:17:43 -08:00
Aaron T. Myers e96f0c6aae HADOOP-11272. Allow ZKSignerSecretProvider and ZKDelegationTokenSecretManager to use the same curator client. Contributed by Arun Suresh.
(cherry picked from commit 8a261e68e4)
2014-11-05 17:47:49 -08:00
Haohui Mai fa92b40f09 HADOOP-11230. Add missing dependency of bouncycastle for kms, httpfs, hdfs, MR and YARN. Contributed by Robert Kanter. 2014-11-04 17:53:00 -08:00
Karthik Kambatla 395d4ba766 HADOOP-11260. Patch up Jetty to disable SSLv3. (Mike Yoder via kasha)
(cherry picked from commit dbf30e3c0e)
2014-11-04 16:22:09 -08:00
Karthik Kambatla 0aec884704 HADOOP-11217. Disable SSLv3 in KMS. (Robert Kanter via kasha)
(cherry picked from commit 1a78082338)
2014-10-28 17:31:55 -07:00
Aaron T. Myers f3132eee10 HADOOP-11176. KMSClientProvider authentication fails when both currentUgi and loginUgi are a proxied user. Contributed by Arun Suresh.
(cherry picked from commit 0e57aa3bf6)
2014-10-13 18:10:23 -07:00
Andrew Wang 3e897da5fc HADOOP-11169. Fix DelegationTokenAuthenticatedURL to pass the connection Configurator to the authenticator. (Arun Suresh via wang)
(cherry picked from commit b2f6197523)
2014-10-07 14:47:14 -07:00
Andrew Wang 9ebff016c2 HADOOP-11151. Automatically refresh auth token and retry on auth failure. Contributed by Arun Suresh.
(cherry picked from commit 2d8e6e2c4a)
2014-10-02 19:59:56 -07:00
Andrew Wang 489b4008df HADOOP-11113. Namenode not able to reconnect to KMS after KMS restart. (Arun Suresh via wang)
(cherry picked from commit e25a25c5343c889d8c9e45b65082ddb55cf36d52)
2014-09-30 16:48:17 -07:00
Andrew Wang 758fb8465a HADOOP-11153. Make number of KMS threads configurable. (wang)
(cherry picked from commit 64aef18965)
2014-09-29 15:04:26 -07:00
Andrew Wang 3cf28210ec HDFS-6987. Move CipherSuite xattr information up to the encryption zone root. (Zhe Zhang via wang) 2014-09-24 12:11:45 -07:00
Andrew Wang eec927f3fc HADOOP-11112. TestKMSWithZK does not use KEY_PROVIDER_URI. (tucu via wang)
(cherry picked from commit b6ceef90e5)
2014-09-19 17:42:11 -07:00
Andrew Wang ee508c1b32 HADOOP-10970. Cleanup KMS configuration keys. (wang)
(cherry picked from commit adf0b67a71)
2014-09-19 15:03:26 -07:00
Aaron T. Myers 71e6a4a735 HADOOP-11109. Site build is broken. Contributed by Jian He.
(cherry picked from commit 0e2b64f2029cabbbf05a132625244427f8bf9518)
2014-09-18 18:00:07 -07:00
Alejandro Abdelnur 22f4ef4fa9 KMS: Support for multiple Kerberos principals. (tucu)
(cherry picked from commit fad4cd85b3)
2014-09-18 16:04:18 -07:00
Andrew Wang b477d30e63 HDFS-7004. Update KeyProvider instantiation to create by URI. (wang)
(cherry picked from commit 10e8602f32)
2014-09-17 20:15:42 -07:00
Alejandro Abdelnur d3efebf4aa HADOOP-11016. KMS should support signing cookies with zookeeper secret manager. (tucu)
(cherry picked from commit 123f20d42f)

Conflicts:
	hadoop-common-project/hadoop-common/CHANGES.txt
2014-09-17 15:30:56 -07:00
Alejandro Abdelnur 6857c291af HADOOP-11099. KMS return HTTP UNAUTHORIZED 401 on ACL failure. (tucu)
(cherry picked from commit e4ddb6da15)
2014-09-17 11:08:25 -07:00
Alejandro Abdelnur 75bd79231c HADOOP-11097. kms docs say proxyusers, not proxyuser for config params. (clamb via tucu) 2014-09-16 23:21:17 -07:00
Alejandro Abdelnur 94a1e68aa5 HADOOP-11096. KMS: KeyAuthorizationKeyProvider should verify the keyversion belongs to the keyname on decrypt. (tucu) 2014-09-16 23:21:17 -07:00
Alejandro Abdelnur 5d897026e4 HDFS-7006. Test encryption zones with KMS. (Anthony Young-Garner and tucu) 2014-09-16 14:37:04 -07:00
cnauroth 5afc3f1dad HADOOP-11088. Unittest TestKeyShell, TestCredShell and TestKMS assume UNIX path separator for JCEKS key store path. Contributed by Xiaoyu Yao.
(cherry picked from commit 957414d4cb)
2014-09-12 14:50:37 -07:00
Alejandro Abdelnur 88e5549d90 HADOOP-10758. KMS: add ACLs on per key basis. (tucu) 2014-09-10 14:27:22 -07:00
Alejandro Abdelnur d510cefd14 HADOOP-11071. KMSClientProvider should drain the local generated EEK cache on key rollover. (tucu) 2014-09-08 11:32:20 -07:00
Alejandro Abdelnur 8bf2a0de69 HADOOP-11069. KMSClientProvider should use getAuthenticationMethod() to determine if in proxyuser mode or not. (tucu) 2014-09-05 22:01:13 -07:00
Alejandro Abdelnur e98c244730 HADOOP-11070. Create MiniKMS for testing. (tucu) 2014-09-05 22:01:06 -07:00
cnauroth c035365338 HADOOP-11063. KMS cannot deploy on Windows, because class names are too long. Contributed by Chris Nauroth.
(cherry picked from commit b44b2ee4ad)
2014-09-04 12:09:34 -07:00
Alejandro Abdelnur dc2e38780b HADOOP-11015. Http server/client utils to propagate and recreate Exceptions from server to client. (tucu) 2014-09-04 09:14:07 -07:00
Alejandro Abdelnur a7d8ede309 HADOOP-10863. KMS should have a blacklist for decrypting EEKs. (asuresh via tucu)
Conflicts:
	hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
2014-09-03 15:20:28 -07:00
Alejandro Abdelnur 09a0ad328f HADOOP-10814. Update Tomcat version used by HttpFS and KMS to latest 6.x version. (rkanter via tucu)
(cherry picked from commit 189abddf0b68ab43978dacaf3a9bf6ee7169cf78)
2014-08-29 11:53:13 -07:00
Alejandro Abdelnur eff192af69 HADOOP-10698. KMS, add proxyuser support. (tucu)
Conflicts:
	hadoop-common-project/hadoop-common/CHANGES.txt

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1619552 13f79535-47bb-0310-9956-ffa450edef68
2014-08-21 19:00:06 +00:00
Alejandro Abdelnur 4dea3e8192 HADOOP-10770. KMS add delegation token support. (tucu)
Conflicts:
	hadoop-common-project/hadoop-common/CHANGES.txt

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1619550 13f79535-47bb-0310-9956-ffa450edef68
2014-08-21 19:00:01 +00:00
Alejandro Abdelnur 6d2281b4c6 HADOOP-10862. Miscellaneous trivial corrections to KMS classes. (asuresh via tucu)
Conflicts:
	hadoop-common-project/hadoop-common/CHANGES.txt

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1619548 13f79535-47bb-0310-9956-ffa450edef68
2014-08-21 18:59:54 +00:00
Alejandro Abdelnur bcff355417 HADOOP-10918. JMXJsonServlet fails when used within Tomcat. (tucu)
Conflicts:
	hadoop-common-project/hadoop-common/CHANGES.txt

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1619546 13f79535-47bb-0310-9956-ffa450edef68
2014-08-21 18:59:51 +00:00
Alejandro Abdelnur 05daefb1a8 HADOOP-10936. Change default KeyProvider bitlength to 128. (wang)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1619545 13f79535-47bb-0310-9956-ffa450edef68
2014-08-21 18:59:48 +00:00
Alejandro Abdelnur c111c9379b HADOOP-10920. site plugin couldn't parse hadoop-kms index.apt.vm. Contributed by Akira Ajisaka.
Conflicts:
	hadoop-common-project/hadoop-common/CHANGES.txt

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1619543 13f79535-47bb-0310-9956-ffa450edef68
2014-08-21 18:59:44 +00:00
Alejandro Abdelnur b781c3bc88 HADOOP-10756. KMS audit log should consolidate successful similar requests. (asuresh via tucu)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1619541 13f79535-47bb-0310-9956-ffa450edef68
2014-08-21 18:59:41 +00:00
Alejandro Abdelnur 30fe1849c3 HADOOP-10881. Clarify usage of encryption and encrypted encryption key in KeyProviderCryptoExtension. (wang)
Conflicts:
	hadoop-common-project/hadoop-common/CHANGES.txt

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1619539 13f79535-47bb-0310-9956-ffa450edef68
2014-08-21 18:59:36 +00:00
Alejandro Abdelnur 03f9e28a7e HADOOP-10720. KMS: Implement generateEncryptedKey and decryptEncryptedKey in the REST API. (asuresh via tucu)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1619537 13f79535-47bb-0310-9956-ffa450edef68
2014-08-21 18:59:32 +00:00
Alejandro Abdelnur 7f8ac5b812 HADOOP-10750. KMSKeyProviderCache should be in hadoop-common. (asuresh via tucu)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1619536 13f79535-47bb-0310-9956-ffa450edef68
2014-08-21 18:59:29 +00:00
Alejandro Abdelnur 0ef751797e HADOOP-10824. Refactor KMSACLs to avoid locking. (Benoy Antony via umamahesh)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1619531 13f79535-47bb-0310-9956-ffa450edef68
2014-08-21 18:59:19 +00:00
Alejandro Abdelnur edb969c3ff HADOOP-10757. KeyProvider KeyVersion should provide the key name. (asuresh via tucu)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1619526 13f79535-47bb-0310-9956-ffa450edef68
2014-08-21 18:59:11 +00:00
Alejandro Abdelnur 2b3010483d HADOOP-10695. KMSClientProvider should respect a configurable timeout. (yoderme via tucu)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1619525 13f79535-47bb-0310-9956-ffa450edef68
2014-08-21 18:59:09 +00:00
Alejandro Abdelnur 27b1f41455 HADOOP-10696. Add optional attributes to KeyProvider Options and Metadata. (tucu)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1619524 13f79535-47bb-0310-9956-ffa450edef68
2014-08-21 18:59:07 +00:00
Alejandro Abdelnur 137ecfc74f HADOOP-10611. KMS, keyVersion name should not be assumed to be keyName@versionNumber. (tucu)
Conflicts:
	hadoop-common-project/hadoop-common/CHANGES.txt

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1619522 13f79535-47bb-0310-9956-ffa450edef68
2014-08-21 18:59:02 +00:00
Alejandro Abdelnur 2b0016ec18 HADOOP-10645. TestKMS fails because of a race condition writing acl files. (tucu)
Conflicts:
	hadoop-common-project/hadoop-common/CHANGES.txt

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1619521 13f79535-47bb-0310-9956-ffa450edef68
2014-08-21 18:58:59 +00:00
Alejandro Abdelnur d637c71e4d HADOOP-10433. Key Management Server based on KeyProvider API. (tucu)
Conflicts:
	hadoop-common-project/hadoop-common/CHANGES.txt
	hadoop-project/pom.xml

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1619518 13f79535-47bb-0310-9956-ffa450edef68
2014-08-21 18:58:53 +00:00