This is an automated email from the ASF dual-hosted git repository. laiyingchun pushed a commit to branch branch-1.17.x in repository https://gitbox.apache.org/repos/asf/kudu.git
commit afc6ee3e962bba61e4d62c90dce09667d1021b02 Author: Marton Greber <[email protected]> AuthorDate: Tue Jun 27 15:56:49 2023 +0000 Fix master_hms-itest on RHEL9 Tests in master_hms-itest are failing on RHEL9 with the following error: "Algorithm constraints check failed on keysize limits: RSA 768 bit key used with certificate: CN=kudu-ipki-ca ... (DisabledAlgorithmConstraints.java:887)". This is not expected as we already relax some constraints in mini_hms.cc [1]. As it turns out there is a property in java.security properties file [2]: \# Determines whether this properties file will be appended to \# using the system properties file stored at \# /etc/crypto-policies/back-ends/java.config \# \security.useSystemPropertiesFile=true If we take a look inside the above mentioned java.config file we can find the source of the test errors (RSA keySize < 2048): jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048 jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, ... jdk.tls.legacyAlgorithms= This patch sets security.useSystemPropertiesFile=false in mini_hms.cc to make all the tests in master_hms-itest work on RHEL9. [1] https://github.com/apache/kudu/blob/\ master/src/kudu/hms/mini_hms.cc#L226-L228 [2] location: ${JAVA_HOME}/jre/lib/security/java.security Change-Id: I1906a1f79af62557a922348dcc64da9c788a9422 Reviewed-on: http://gerrit.cloudera.org:8080/20128 Tested-by: Kudu Jenkins Reviewed-by: Alexey Serbin <[email protected]> (cherry picked from commit ec43817068c7aaa429f5f7371108751bb2d5e675) Reviewed-on: http://gerrit.cloudera.org:8080/20412 Reviewed-by: Yingchun Lai <[email protected]> --- src/kudu/hms/mini_hms.cc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/kudu/hms/mini_hms.cc b/src/kudu/hms/mini_hms.cc index 82a07f6dd..b424d0f47 100644 --- a/src/kudu/hms/mini_hms.cc +++ b/src/kudu/hms/mini_hms.cc @@ -223,7 +223,11 @@ Status MiniHms::CreateSecurityProperties() const { // smaller RSA keys to shorten runtime of tests, it's necessary to override // those default security settings to allow for using relaxed cryptography, // particularly smaller RSA keys. + // There are additional RSA key length settings on RHEL9 under: + // /etc/crypto-policies/back-ends/java.config. These are turned off with: + // security.useSystemPropertiesFile. string security_file_contents = + "security.useSystemPropertiesFile = false\n" "jdk.certpath.disabledAlgorithms = MD2, RC4, MD5\n" "jdk.tls.disabledAlgorithms = SSLv3, RC4, MD5\n);";
