This is an automated email from the ASF dual-hosted git repository.

alexey pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git


The following commit(s) were added to refs/heads/master by this push:
     new ec4381706 Fix master_hms-itest on RHEL9
ec4381706 is described below

commit ec43817068c7aaa429f5f7371108751bb2d5e675
Author: Marton Greber <[email protected]>
AuthorDate: Tue Jun 27 15:56:49 2023 +0000

    Fix master_hms-itest on RHEL9
    
    Tests in master_hms-itest are failing on RHEL9 with the following error:
    "Algorithm constraints check failed on keysize limits: RSA 768 bit key
    used with certificate: CN=kudu-ipki-ca
    ...
    (DisabledAlgorithmConstraints.java:887)".
    This is not expected as we already relax some constraints in
    mini_hms.cc [1].
    
    As it turns out there is a property in java.security properties
    file [2]:
    # Determines whether this properties file will be appended to
    # using the system properties file stored at
    # /etc/crypto-policies/back-ends/java.config
    #
    security.useSystemPropertiesFile=true
    
    If we take a look inside the above mentioned java.config file we can
    find the source of the test errors (RSA keySize < 2048):
    jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048
    jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3,
    ...
    jdk.tls.legacyAlgorithms=
    
    This patch sets security.useSystemPropertiesFile=false in mini_hms.cc to
    make all the tests in master_hms-itest work on RHEL9.
    
    [1] https://github.com/apache/kudu/blob/\
        master/src/kudu/hms/mini_hms.cc#L226-L228
    [2] location: ${JAVA_HOME}/jre/lib/security/java.security
    
    Change-Id: I1906a1f79af62557a922348dcc64da9c788a9422
    Reviewed-on: http://gerrit.cloudera.org:8080/20128
    Tested-by: Kudu Jenkins
    Reviewed-by: Alexey Serbin <[email protected]>
---
 src/kudu/hms/mini_hms.cc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/kudu/hms/mini_hms.cc b/src/kudu/hms/mini_hms.cc
index 82a07f6dd..b424d0f47 100644
--- a/src/kudu/hms/mini_hms.cc
+++ b/src/kudu/hms/mini_hms.cc
@@ -223,7 +223,11 @@ Status MiniHms::CreateSecurityProperties() const {
   // smaller RSA keys to shorten runtime of tests, it's necessary to override
   // those default security settings to allow for using relaxed cryptography,
   // particularly smaller RSA keys.
+  // There are additional RSA key length settings on RHEL9 under:
+  // /etc/crypto-policies/back-ends/java.config. These are turned off with:
+  // security.useSystemPropertiesFile.
   string security_file_contents =
+      "security.useSystemPropertiesFile = false\n"
       "jdk.certpath.disabledAlgorithms = MD2, RC4, MD5\n"
       "jdk.tls.disabledAlgorithms = SSLv3, RC4, MD5\n);";
 
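Review bot: the new comment above security_file_contents understates what the added property does. It says the "additional RSA key length settings" are turned off, but "security.useSystemPropertiesFile = false" drops the whole of /etc/crypto-policies/back-ends/java.config for this JVM. According to the commit message, that file also carries the DH keySize < 2048, TLSv1.1 and TLSv1 restrictions, so the property removes those as well. I would reword the comment to say that the system-wide crypto policy is disabled entirely for the mini HMS process, that the two jdk.*.disabledAlgorithms lines below then become the only constraints in effect, and that this is acceptable only because the file is generated for test clusters. The phrase "These are turned off with: security.useSystemPropertiesFile." should also name the value, for example "by setting security.useSystemPropertiesFile = false". Separately, the last context line ends the literal with ");" after the final "\n", which would be written into the generated properties file as a stray line; please check whether that is intended while touching this string.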
