This is an automated email from the ASF dual-hosted git repository. bharat pushed a commit to branch HDDS-5501 in repository https://gitbox.apache.org/repos/asf/ozone.git
commit 6cfd76651d33c5e298275fd38942b54e6b635c16
Author: Bharat Viswanadham <[email protected]>
AuthorDate: Tue Jul 27 14:09:44 2021 +0530
HDDS-5501. Support to upload/read keys from encrypted buckets through S3G.
---
 .../apache/hadoop/ozone/client/rpc/RpcClient.java | 26 ++++++++++++++++++---
 .../src/main/compose/ozonesecure-ha/docker-config | 3 +++
 .../src/main/compose/ozonesecure/docker-config | 3 +++
 .../java/org/apache/hadoop/ozone/s3/Gateway.java | 27 ++++++++++++++++++++++
 .../hadoop/ozone/s3/S3GatewayConfigKeys.java | 7 ++++++
 5 files changed, 63 insertions(+), 3 deletions(-)
diff --git a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
index 333fb77..8a4fc23 100644
--- a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
+++ b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
@@ -25,6 +25,7 @@ import javax.crypto.CipherOutputStream;
 import java.io.IOException;
 import java.net.URI;
 import java.security.InvalidKeyException;
+import java.security.PrivilegedExceptionAction;
 import java.security.SecureRandom;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
@@ -802,9 +803,28 @@ public class RpcClient implements ClientProtocol {
 throws IOException {
 // check crypto protocol version
 OzoneKMSUtil.checkCryptoProtocolVersion(feInfo);
- KeyProvider.KeyVersion decrypted;
- decrypted = OzoneKMSUtil.decryptEncryptedDataEncryptionKey(feInfo,
- getKeyProvider());
+ KeyProvider.KeyVersion decrypted = null;
+ try {
+ // Do proxy thing only when current UGI not matching with login UGI
+ // In this way, proxying is done only for s3g where
+ // s3g can act as proxy to end user.
+ UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
+ if (!ugi.getShortUserName().equals(loginUser.getShortUserName())) {
+ UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(
+ ugi.getShortUserName(), UserGroupInformation.getLoginUser());
+ decrypted = proxyUser.doAs(
+ (PrivilegedExceptionAction<KeyProvider.KeyVersion>) () -> {
+ return OzoneKMSUtil.decryptEncryptedDataEncryptionKey(feInfo,
+ getKeyProvider());
+ });
+ } else {
+ decrypted = OzoneKMSUtil.decryptEncryptedDataEncryptionKey(feInfo,
+ getKeyProvider());
+ }
+ } catch (InterruptedException ex) {
+ Thread.currentThread().interrupt();
+ throw new IOException("Interrupted during decrypt key", ex);
+ }
 return decrypted;
 }
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-config b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-config
index 1602784..f0d1287 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-config
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-config
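Review bot: `UserGroupInformation.getLoginUser()` is called a second time inside the `createProxyUser(...)` argument list although its result is already held in `loginUser` two lines above; reuse it: `UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(ugi.getShortUserName(), loginUser);`. The new comment says proxying is done "only for s3g", but the condition is a plain short-name mismatch between this client's `ugi` and the login user, so any RpcClient whose `ugi` differs from the process login principal takes the proxy path; the comment should say that, e.g. `// Proxy as the end user whenever this client's UGI differs from the login UGI (the S3 gateway case).` The proxied KMS call only succeeds if the KMS side allow-lists the login principal as a proxy user for those end users (`hadoop.kms.proxyuser.<user>.users` / `.hosts`), which is worth a pointer in the comment since a missing entry surfaces here as an authorization failure; that prerequisite is inferred from Hadoop's proxy-user model, not shown in the hunk. The enclosing method's signature lies before the hunk.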
@@ -77,6 +77,9 @@ OZONE-SITE.XML_ozone.om.kerberos.keytab.file=/etc/security/keytabs/om.keytab
 OZONE-SITE.XML_ozone.recon.kerberos.keytab.file=/etc/security/keytabs/recon.keytab
 OZONE-SITE.XML_ozone.recon.kerberos.principal=recon/[email protected]
+OZONE-SITE.XML_ozone.s3g.kerberos.keytab.file=/etc/security/keytabs/s3g.keytab
+OZONE-SITE.XML_ozone.s3g.kerberos.principal=s3g/[email protected]
+
 HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/[email protected]
 HDFS-SITE.XML_dfs.datanode.keytab.file=/etc/security/keytabs/dn.keytab
 HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/[email protected]
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
index 1d5c07d..6828b1e 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
@@ -61,6 +61,9 @@ OZONE-SITE.XML_ozone.om.kerberos.keytab.file=/etc/security/keytabs/om.keytab
 OZONE-SITE.XML_ozone.recon.kerberos.keytab.file=/etc/security/keytabs/recon.keytab
 OZONE-SITE.XML_ozone.recon.kerberos.principal=recon/[email protected]
+OZONE-SITE.XML_ozone.s3g.kerberos.keytab.file=/etc/security/keytabs/s3g.keytab
+OZONE-SITE.XML_ozone.s3g.kerberos.principal=s3g/[email protected]
+
 OZONE-SITE.XML_hdds.scm.replication.thread.interval=5s
 OZONE-SITE.XML_hdds.scm.replication.event.timeout=10s
 OZONE-SITE.XML_ozone.scm.stale.node.interval=30s
diff --git a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/Gateway.java b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/Gateway.java
index 8b5eddb..7590802 100644
--- a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/Gateway.java
+++ b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/Gateway.java
@@ -27,12 +27,16 @@ import org.apache.hadoop.hdds.tracing.TracingUtil;
 import org.apache.hadoop.ozone.util.OzoneVersionInfo;
 import org.apache.hadoop.ozone.util.ShutdownHookManager;
+import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import picocli.CommandLine.Command;
 import static org.apache.hadoop.ozone.conf.OzoneServiceConfig.DEFAULT_SHUTDOWN_HOOK_PRIORITY;
+import static org.apache.hadoop.ozone.s3.S3GatewayConfigKeys.OZONE_S3G_KERBEROS_KEYTAB_FILE_KEY;
+import static org.apache.hadoop.ozone.s3.S3GatewayConfigKeys.OZONE_S3G_KERBEROS_PRINCIPAL_KEY;
 /**
 * This class is used to start/stop S3 compatible rest server.
@@ -57,6 +61,7 @@ public class Gateway extends GenericCli {
 TracingUtil.initTracing("S3gateway", ozoneConfiguration);
 OzoneConfigurationHolder.setConfiguration(ozoneConfiguration);
 UserGroupInformation.setConfiguration(ozoneConfiguration);
+ loginS3GUser(ozoneConfiguration);
 httpServer = new S3GatewayHttpServer(ozoneConfiguration, "s3gateway");
 start();
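Review bot: `loginS3GUser(ozoneConfiguration);` is called unconditionally, while the method body (in the last Gateway.java hunk below) throws `AuthenticationException` for every authentication method other than Kerberos, so a gateway configured for simple authentication now fails at startup where it previously started. Since `UserGroupInformation.setConfiguration(ozoneConfiguration)` runs on the line just above, the call can be guarded with the static check that reads that configuration: `if (UserGroupInformation.isSecurityEnabled()) { loginS3GUser(ozoneConfiguration); }`. The enclosing method begins before this hunk, so whether it declares or wraps the checked exception is not visible here.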
@@ -85,4 +90,26 @@ public class Gateway extends GenericCli {
 httpServer.stop();
 }
+ private static void loginS3GUser(OzoneConfiguration conf)
+ throws IOException, AuthenticationException {
+
+ if (SecurityUtil.getAuthenticationMethod(conf).equals(
+ UserGroupInformation.AuthenticationMethod.KERBEROS)) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Ozone security is enabled. Attempting login for S3G user. "
+ + "Principal: {}, keytab: {}",
+ conf.get(OZONE_S3G_KERBEROS_PRINCIPAL_KEY),
+ conf.get(OZONE_S3G_KERBEROS_KEYTAB_FILE_KEY));
+ }
+
+ SecurityUtil.login(conf, OZONE_S3G_KERBEROS_KEYTAB_FILE_KEY,
+ OZONE_S3G_KERBEROS_PRINCIPAL_KEY);
+ } else {
+ throw new AuthenticationException(SecurityUtil.getAuthenticationMethod(
+ conf) + " authentication method not supported. S3 user login "
+ + "failed.");
+ }
+ LOG.info("S3Gateway login successful.");
+ }
+
 }
diff --git a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/S3GatewayConfigKeys.java b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/S3GatewayConfigKeys.java
index 5acf368..af85753 100644
--- a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/S3GatewayConfigKeys.java
+++ b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/S3GatewayConfigKeys.java
@@ -58,6 +58,13 @@ public final class S3GatewayConfigKeys {
 public static final String OZONE_S3G_CLIENT_BUFFER_SIZE_DEFAULT = "4KB";
+ // S3G kerberos, principal config
+ public static final String OZONE_S3G_KERBEROS_KEYTAB_FILE_KEY =
+ "ozone.s3g.kerberos.keytab.file";
+ public static final String OZONE_S3G_KERBEROS_PRINCIPAL_KEY =
+ "ozone.s3g.kerberos.principal";
+
+
 /**
 * Never constructed.
 */
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
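Review bot: `SecurityUtil.getAuthenticationMethod(conf)` is evaluated twice in `loginS3GUser`, once in the `if` condition and again when building the exception message; hoisting it into a local, `UserGroupInformation.AuthenticationMethod authMethod = SecurityUtil.getAuthenticationMethod(conf);`, and using `authMethod` in both places reads better and guarantees the message names the value that was actually tested. The new method has no Javadoc; a one-liner such as `/** Logs in the S3 gateway service principal from its keytab; only Kerberos authentication is supported, anything else fails with AuthenticationException. */` states the precondition the `else` branch enforces. The success log would be more useful to operators if it named the principal, which the method's declared `IOException` already permits: `LOG.info("S3Gateway login successful as {}.", UserGroupInformation.getLoginUser().getUserName());`.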
