This is an automated email from the ASF dual-hosted git repository.
umamahesh pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new 9f43b0efbf HDDS-6873. EC: Add block token support for
ECReconstructionCoordinator (#3539)
9f43b0efbf is described below
commit 9f43b0efbfc355676e30e06dca728600c76fdfe1
Author: Doroszlai, Attila <[email protected]>
AuthorDate: Thu Jun 23 17:01:15 2022 +0200
HDDS-6873. EC: Add block token support for ECReconstructionCoordinator
(#3539)
---
.../ECReconstructionCoordinator.java | 61 +++++-----
.../container/ec/reconstruction/TokenHelper.java | 125 +++++++++++++++++++++
.../token}/OzoneBlockTokenSecretManager.java | 4 +-
.../token}/TestOzoneBlockTokenSecretManager.java | 6 +-
.../hdds/scm/storage/TestContainerCommandsEC.java | 95 +++++++++++++---
.../ozone/client/rpc/TestSecureOzoneRpcClient.java | 2 +-
.../ozoneimpl/TestOzoneContainerWithTLS.java | 2 +-
.../server/TestSecureContainerServer.java | 2 +-
.../org/apache/hadoop/ozone/om/KeyManagerImpl.java | 2 +-
.../org/apache/hadoop/ozone/om/OzoneManager.java | 2 +-
.../hadoop/ozone/om/request/key/OMKeyRequest.java | 2 +-
.../org/apache/hadoop/ozone/om/OmTestManagers.java | 2 +-
.../ozone/om/request/key/TestOMKeyRequest.java | 2 +-
13 files changed, 247 insertions(+), 60 deletions(-)
diff --git
a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ec/reconstruction/ECReconstructionCoordinator.java
b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ec/reconstruction/ECReconstructionCoordinator.java
index 780c520d72..9b00596d58 100644
---
a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ec/reconstruction/ECReconstructionCoordinator.java
+++
b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ec/reconstruction/ECReconstructionCoordinator.java
@@ -26,11 +26,13 @@ import org.apache.hadoop.hdds.protocol.DatanodeDetails;
import org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos;
import org.apache.hadoop.hdds.scm.ByteStringConversion;
import org.apache.hadoop.hdds.scm.OzoneClientConfig;
+import org.apache.hadoop.hdds.scm.container.ContainerID;
import org.apache.hadoop.hdds.scm.pipeline.Pipeline;
import org.apache.hadoop.hdds.scm.pipeline.PipelineID;
import org.apache.hadoop.hdds.scm.storage.BlockLocationInfo;
import org.apache.hadoop.hdds.scm.storage.BufferPool;
import org.apache.hadoop.hdds.scm.storage.ECBlockOutputStream;
+import org.apache.hadoop.hdds.security.token.ContainerTokenIdentifier;
import
org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.utils.IOUtils;
import org.apache.hadoop.io.ByteBufferPool;
@@ -41,6 +43,7 @@ import
org.apache.hadoop.ozone.client.io.BlockInputStreamFactoryImpl;
import org.apache.hadoop.ozone.client.io.ECBlockInputStreamProxy;
import org.apache.hadoop.ozone.client.io.ECBlockReconstructedStripeInputStream;
import org.apache.hadoop.ozone.container.common.helpers.BlockData;
+import org.apache.hadoop.security.token.Token;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -62,6 +65,8 @@ import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
+import static
org.apache.hadoop.ozone.container.ec.reconstruction.TokenHelper.encode;
+
/**
* The Coordinator implements the main flow of reconstructing
* missing container replicas.
@@ -88,38 +93,30 @@ public class ECReconstructionCoordinator implements
Closeable {
private final ECContainerOperationClient containerOperationClient;
- private final ConfigurationSource config;
-
private final ByteBufferPool byteBufferPool;
+ private final CertificateClient certificateClient;
- private ExecutorService ecReconstructExecutor;
+ private final ExecutorService ecReconstructExecutor;
- private BlockInputStreamFactory blockInputStreamFactory;
-
- public ECReconstructionCoordinator(ECContainerOperationClient
containerClient,
- ConfigurationSource conf, ByteBufferPool byteBufferPool,
- ExecutorService reconstructExecutor,
- BlockInputStreamFactory streamFactory) {
- this.containerOperationClient = containerClient;
- this.config = conf;
- this.byteBufferPool = byteBufferPool;
- this.blockInputStreamFactory = streamFactory;
- this.ecReconstructExecutor = reconstructExecutor;
- }
+ private final BlockInputStreamFactory blockInputStreamFactory;
+ private final TokenHelper tokenHelper;
public ECReconstructionCoordinator(ConfigurationSource conf,
CertificateClient certificateClient) throws IOException {
- this(new ECContainerOperationClient(conf, certificateClient), conf,
- new ElasticByteBufferPool(), null, null);
+ this.containerOperationClient = new ECContainerOperationClient(conf,
+ certificateClient);
+ this.byteBufferPool = new ElasticByteBufferPool();
+ this.certificateClient = certificateClient;
this.ecReconstructExecutor =
new ThreadPoolExecutor(EC_RECONSTRUCT_STRIPE_READ_POOL_MIN_SIZE,
- config.getObject(OzoneClientConfig.class)
+ conf.getObject(OzoneClientConfig.class)
.getEcReconstructStripeReadPoolLimit(), 60, TimeUnit.SECONDS,
new SynchronousQueue<>(), new ThreadFactoryBuilder()
.setNameFormat("ec-reconstruct-reader-TID-%d").build(),
new ThreadPoolExecutor.CallerRunsPolicy());
this.blockInputStreamFactory = BlockInputStreamFactoryImpl
.getInstance(byteBufferPool, () -> ecReconstructExecutor);
+ tokenHelper = new TokenHelper(conf, certificateClient);
}
public void reconstructECContainerGroup(long containerID,
@@ -134,13 +131,16 @@ public class ECReconstructionCoordinator implements
Closeable {
SortedMap<Long, BlockLocationInfo> blockLocationInfoMap =
calcBlockLocationInfoMap(containerID, blockDataMap, pipeline);
+ ContainerID cid = ContainerID.valueOf(containerID);
// 1. create target recovering containers.
+ String containerToken = encode(tokenHelper.getContainerToken(cid));
for (Map.Entry<Integer, DatanodeDetails> indexDnPair : targetNodeMap
.entrySet()) {
- this.containerOperationClient
- .createRecoveringContainer(containerID, indexDnPair.getValue(),
- repConfig, null, indexDnPair.getKey());
+ DatanodeDetails dn = indexDnPair.getValue();
+ Integer index = indexDnPair.getKey();
+ containerOperationClient.createRecoveringContainer(containerID, dn,
+ repConfig, containerToken, index);
}
// 2. Reconstruct and transfer to targets
@@ -152,8 +152,8 @@ public class ECReconstructionCoordinator implements
Closeable {
for (Map.Entry<Integer, DatanodeDetails> indexDnPair : targetNodeMap
.entrySet()) {
DatanodeDetails dn = indexDnPair.getValue();
- this.containerOperationClient
- .closeContainer(containerID, dn, repConfig, null);
+ containerOperationClient.closeContainer(containerID, dn, repConfig,
+ containerToken);
}
}
@@ -309,9 +309,13 @@ public class ECReconstructionCoordinator implements
Closeable {
long blockGroupLen = calcEffectiveBlockGroupLen(blockGroup,
pipeline.getReplicationConfig().getRequiredNodes());
if (blockGroupLen > 0) {
+ BlockID blockID = new BlockID(containerID, localID);
BlockLocationInfo blockLocationInfo = new BlockLocationInfo.Builder()
- .setBlockID(new BlockID(containerID, localID))
- .setLength(blockGroupLen).setPipeline(pipeline).build();
+ .setBlockID(blockID)
+ .setLength(blockGroupLen)
+ .setPipeline(pipeline)
+ .setToken(tokenHelper.getBlockToken(blockID, blockGroupLen))
+ .build();
blockInfoMap.put(localID, blockLocationInfo);
}
}
@@ -323,6 +327,7 @@ public class ECReconstructionCoordinator implements
Closeable {
if (containerOperationClient != null) {
containerOperationClient.close();
}
+ tokenHelper.stop();
}
private Pipeline rebuildInputPipeline(ECReplicationConfig repConfig,
@@ -351,6 +356,8 @@ public class ECReconstructionCoordinator implements
Closeable {
Map<Integer, DatanodeDetails> sourceNodeMap) throws IOException {
SortedMap<Long, BlockData[]> resultMap = new TreeMap<>();
+ Token<ContainerTokenIdentifier> containerToken =
+ tokenHelper.getContainerToken(new ContainerID(containerID));
Iterator<Map.Entry<Integer, DatanodeDetails>> iterator =
sourceNodeMap.entrySet().iterator();
@@ -360,8 +367,8 @@ public class ECReconstructionCoordinator implements
Closeable {
Integer index = next.getKey();
DatanodeDetails dn = next.getValue();
- BlockData[] blockDataArr =
- containerOperationClient.listBlock(containerID, dn, repConfig, null);
+ BlockData[] blockDataArr = containerOperationClient.listBlock(
+ containerID, dn, repConfig, containerToken);
for (BlockData blockData : blockDataArr) {
BlockID blockID = blockData.getBlockID();
diff --git
a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ec/reconstruction/TokenHelper.java
b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ec/reconstruction/TokenHelper.java
new file mode 100644
index 0000000000..72217092b0
--- /dev/null
+++
b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ec/reconstruction/TokenHelper.java
@@ -0,0 +1,125 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.ozone.container.ec.reconstruction;
+
+import org.apache.hadoop.hdds.HddsConfigKeys;
+import org.apache.hadoop.hdds.client.BlockID;
+import org.apache.hadoop.hdds.conf.ConfigurationSource;
+import
org.apache.hadoop.hdds.protocol.proto.HddsProtos.BlockTokenSecretProto.AccessModeProto;
+import org.apache.hadoop.hdds.scm.container.ContainerID;
+import org.apache.hadoop.hdds.security.token.ContainerTokenIdentifier;
+import org.apache.hadoop.hdds.security.token.ContainerTokenSecretManager;
+import org.apache.hadoop.hdds.security.token.OzoneBlockTokenIdentifier;
+import org.apache.hadoop.hdds.security.token.OzoneBlockTokenSecretManager;
+import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import
org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.token.Token;
+
+import java.io.IOException;
+import java.util.EnumSet;
+import java.util.Set;
+import java.util.concurrent.TimeUnit;
+
+import static
org.apache.hadoop.hdds.protocol.proto.HddsProtos.BlockTokenSecretProto.AccessModeProto.DELETE;
+import static
org.apache.hadoop.hdds.protocol.proto.HddsProtos.BlockTokenSecretProto.AccessModeProto.READ;
+import static
org.apache.hadoop.hdds.protocol.proto.HddsProtos.BlockTokenSecretProto.AccessModeProto.WRITE;
+
+/**
+ * Wraps block and container token managers for datanode.
+ */
+class TokenHelper {
+
+ private final OzoneBlockTokenSecretManager blockTokenMgr;
+ private final ContainerTokenSecretManager containerTokenMgr;
+ private final String user;
+ private static final Set<AccessModeProto> MODES =
+ EnumSet.of(READ, WRITE, DELETE);
+
+ TokenHelper(ConfigurationSource conf, CertificateClient certClient)
+ throws IOException {
+
+ SecurityConfig securityConfig = new SecurityConfig(conf);
+ boolean blockTokenEnabled = securityConfig.isBlockTokenEnabled();
+ boolean containerTokenEnabled = securityConfig.isContainerTokenEnabled();
+
+ if (blockTokenEnabled || containerTokenEnabled) {
+ user = UserGroupInformation.getCurrentUser().getShortUserName();
+
+ long expiryTime = conf.getTimeDuration(
+ HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME,
+ HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME_DEFAULT,
+ TimeUnit.MILLISECONDS);
+ String certId = certClient.getCertificate().getSerialNumber().toString();
+
+ if (blockTokenEnabled) {
+ blockTokenMgr = new OzoneBlockTokenSecretManager(
+ securityConfig, expiryTime, certId);
+ blockTokenMgr.start(certClient);
+ } else {
+ blockTokenMgr = null;
+ }
+
+ if (containerTokenEnabled) {
+ containerTokenMgr = new ContainerTokenSecretManager(
+ securityConfig, expiryTime, certId);
+ containerTokenMgr.start(certClient);
+ } else {
+ containerTokenMgr = null;
+ }
+ } else {
+ user = null;
+ blockTokenMgr = null;
+ containerTokenMgr = null;
+ }
+ }
+
+ void stop() {
+ if (blockTokenMgr != null) {
+ try {
+ blockTokenMgr.stop();
+ } catch (IOException ignored) {
+ // no threads involved, cannot really happen
+ }
+ }
+ if (containerTokenMgr != null) {
+ try {
+ containerTokenMgr.stop();
+ } catch (IOException ignored) {
+ // no threads involved, cannot really happen
+ }
+ }
+ }
+
+ Token<OzoneBlockTokenIdentifier> getBlockToken(BlockID blockID, long length)
{
+ return blockTokenMgr != null
+ ? blockTokenMgr.generateToken(user, blockID, MODES, length)
+ : null;
+ }
+
+ Token<ContainerTokenIdentifier> getContainerToken(ContainerID containerID) {
+ return containerTokenMgr != null
+ ? containerTokenMgr.generateToken(user, containerID)
+ : null;
+ }
+
+ static String encode(Token<?> token) throws IOException {
+ return token != null ? token.encodeToUrlString() : null;
+ }
+
+}
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneBlockTokenSecretManager.java
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/token/OzoneBlockTokenSecretManager.java
similarity index 96%
rename from
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneBlockTokenSecretManager.java
rename to
hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/token/OzoneBlockTokenSecretManager.java
index 54ba3ffb68..886d6b354a 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneBlockTokenSecretManager.java
+++
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/token/OzoneBlockTokenSecretManager.java
@@ -15,14 +15,12 @@
* the License.
*/
-package org.apache.hadoop.ozone.security;
+package org.apache.hadoop.hdds.security.token;
import org.apache.hadoop.hdds.annotation.InterfaceAudience;
import org.apache.hadoop.hdds.annotation.InterfaceStability;
import org.apache.hadoop.hdds.client.BlockID;
-import org.apache.hadoop.hdds.security.token.OzoneBlockTokenIdentifier;
import
org.apache.hadoop.hdds.protocol.proto.HddsProtos.BlockTokenSecretProto.AccessModeProto;
-import org.apache.hadoop.hdds.security.token.ShortLivedTokenSecretManager;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
diff --git
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneBlockTokenSecretManager.java
b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/token/TestOzoneBlockTokenSecretManager.java
similarity index 98%
rename from
hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneBlockTokenSecretManager.java
rename to
hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/token/TestOzoneBlockTokenSecretManager.java
index 7a3acba22b..4ac33655dc 100644
---
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneBlockTokenSecretManager.java
+++
b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/token/TestOzoneBlockTokenSecretManager.java
@@ -16,7 +16,7 @@
* limitations under the License.
*/
-package org.apache.hadoop.ozone.security;
+package org.apache.hadoop.hdds.security.token;
import static
org.apache.hadoop.ozone.container.ContainerTestHelper.getBlockRequest;
import static
org.apache.hadoop.ozone.container.ContainerTestHelper.getPutBlockRequest;
@@ -34,10 +34,6 @@ import
org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos.ContainerC
import
org.apache.hadoop.hdds.protocol.proto.HddsProtos.BlockTokenSecretProto.AccessModeProto;
import org.apache.hadoop.hdds.scm.pipeline.MockPipeline;
import org.apache.hadoop.hdds.scm.pipeline.Pipeline;
-import org.apache.hadoop.hdds.security.token.BlockTokenException;
-import org.apache.hadoop.hdds.security.token.BlockTokenVerifier;
-import org.apache.hadoop.hdds.security.token.OzoneBlockTokenIdentifier;
-import org.apache.hadoop.hdds.security.token.TokenVerifier;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import
org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import
org.apache.hadoop.hdds.security.x509.certificate.client.OMCertificateClient;
diff --git
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/storage/TestContainerCommandsEC.java
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/storage/TestContainerCommandsEC.java
index 3047d18d7e..e57ec400cc 100644
---
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/storage/TestContainerCommandsEC.java
+++
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/storage/TestContainerCommandsEC.java
@@ -42,8 +42,14 @@ import org.apache.hadoop.hdds.scm.pipeline.PipelineID;
import
org.apache.hadoop.hdds.scm.pipeline.WritableECContainerProvider.WritableECContainerProviderConfig;
import
org.apache.hadoop.hdds.scm.protocolPB.StorageContainerLocationProtocolClientSideTranslatorPB;
import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
+import org.apache.hadoop.hdds.security.token.ContainerTokenIdentifier;
+import org.apache.hadoop.hdds.security.token.ContainerTokenSecretManager;
+import org.apache.hadoop.hdds.security.token.OzoneBlockTokenSecretManager;
+import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import
org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.ozone.MiniOzoneCluster;
import org.apache.hadoop.ozone.OzoneConfigKeys;
+import org.apache.hadoop.ozone.client.CertificateClientTestImpl;
import org.apache.hadoop.ozone.client.ObjectStore;
import org.apache.hadoop.ozone.client.OzoneBucket;
import org.apache.hadoop.ozone.client.OzoneClient;
@@ -58,6 +64,9 @@ import org.apache.hadoop.ozone.common.utils.BufferUtils;
import org.apache.hadoop.ozone.container.ContainerTestHelper;
import
org.apache.hadoop.ozone.container.ec.reconstruction.ECContainerOperationClient;
import
org.apache.hadoop.ozone.container.ec.reconstruction.ECReconstructionCoordinator;
+import org.apache.hadoop.ozone.om.OzoneManager;
+import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.security.token.TokenIdentifier;
import org.junit.Assert;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.AfterEach;
@@ -73,6 +82,7 @@ import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.EnumSet;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
@@ -80,18 +90,25 @@ import java.util.Map;
import java.util.SortedMap;
import java.util.TreeMap;
import java.util.UUID;
+import java.util.concurrent.TimeUnit;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.IntStream;
import java.util.stream.Stream;
import static java.nio.charset.StandardCharsets.UTF_8;
+import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_BLOCK_TOKEN_ENABLED;
+import static
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_CONTAINER_TOKEN_ENABLED;
+import static
org.apache.hadoop.hdds.protocol.proto.HddsProtos.BlockTokenSecretProto.AccessModeProto.READ;
+import static
org.apache.hadoop.hdds.protocol.proto.HddsProtos.BlockTokenSecretProto.AccessModeProto.WRITE;
+import static
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY;
/**
* This class tests container commands on EC containers.
*/
public class TestContainerCommandsEC {
+ private static final String ANY_USER = "any";
private static MiniOzoneCluster cluster;
private static StorageContainerManager scm;
private static OzoneClient rpcClient;
@@ -119,8 +136,12 @@ public class TestContainerCommandsEC {
private static long containerID;
private static Pipeline pipeline;
private static List<DatanodeDetails> datanodeDetails;
+ private static Token<ContainerTokenIdentifier> containerToken;
+ private static ContainerTokenSecretManager containerTokenGenerator;
+ private static OzoneBlockTokenSecretManager blockTokenGenerator;
private List<XceiverClientSpi> clients = null;
private static OzoneConfiguration config;
+ private static CertificateClient certClient;
@BeforeAll
public static void init() throws Exception {
@@ -129,6 +150,8 @@ public class TestContainerCommandsEC {
config.setBoolean(OzoneConfigKeys.OZONE_ACL_ENABLED, true);
config.set(OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS,
OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS_NATIVE);
+ config.setBoolean(HDDS_BLOCK_TOKEN_ENABLED, true);
+ config.setBoolean(HDDS_CONTAINER_TOKEN_ENABLED, true);
startCluster(config);
prepareData(KEY_SIZE_RANGES);
rpcClient = OzoneClientFactory.getRpcClient(config);
@@ -200,7 +223,7 @@ public class TestContainerCommandsEC {
Throwable t = Assertions.assertThrows(StorageContainerException.class,
() -> ContainerProtocolCalls
.listBlock(clients.get(j), containerID, null,
- numExpectedBlocks + 1, null));
+ numExpectedBlocks + 1, containerToken));
Assertions
.assertEquals("ContainerID " + containerID + " does not exist",
t.getMessage());
@@ -208,7 +231,7 @@ public class TestContainerCommandsEC {
}
ListBlockResponseProto response = ContainerProtocolCalls
.listBlock(clients.get(i), containerID, null, numExpectedBlocks + 1,
- null);
+ containerToken);
Assertions.assertEquals(numExpectedBlocks, response.getBlockDataCount(),
"blocks count doesn't match on DN " + i);
Assertions.assertEquals(numExpectedChunks,
@@ -226,8 +249,10 @@ public class TestContainerCommandsEC {
Pipeline newPipeline =
scm.getPipelineManager().createPipeline(replicationConfig);
scm.getPipelineManager().activatePipeline(newPipeline.getId());
- ContainerInfo container =
+ final ContainerInfo container =
scm.getContainerManager().allocateContainer(replicationConfig, "test");
+ Token<ContainerTokenIdentifier> cToken = containerTokenGenerator
+ .generateToken(ANY_USER, container.containerID());
scm.getContainerManager().getContainerStateManager()
.addContainer(container.getProtobuf());
@@ -245,15 +270,22 @@ public class TestContainerCommandsEC {
HddsProtos.LifeCycleEvent.CLOSE);
//Create the recovering container in DN.
+ String encodedToken = cToken.encodeToUrlString();
ContainerProtocolCalls.createRecoveringContainer(dnClient,
- container.containerID().getProtobuf().getId(), null, 4);
+ container.containerID().getProtobuf().getId(),
+ encodedToken, 4);
BlockID blockID = ContainerTestHelper
.getTestBlockID(container.containerID().getProtobuf().getId());
+ Token<? extends TokenIdentifier> blockToken =
+ blockTokenGenerator.generateToken(ANY_USER, blockID,
+ EnumSet.of(READ, WRITE), Long.MAX_VALUE);
byte[] data = "TestData".getBytes(UTF_8);
ContainerProtos.ContainerCommandRequestProto writeChunkRequest =
ContainerTestHelper.newWriteChunkRequestBuilder(newPipeline, blockID,
- ChunkBuffer.wrap(ByteBuffer.wrap(data)), 0).build();
+ ChunkBuffer.wrap(ByteBuffer.wrap(data)), 0)
+ .setEncodedToken(blockToken.encodeToUrlString())
+ .build();
dnClient.sendCommand(writeChunkRequest);
// Now, explicitly make a putKey request for the block.
@@ -264,7 +296,7 @@ public class TestContainerCommandsEC {
ContainerProtos.ReadContainerResponseProto readContainerResponseProto =
ContainerProtocolCalls.readContainer(dnClient,
- container.containerID().getProtobuf().getId(), null);
+ container.containerID().getProtobuf().getId(), encodedToken);
Assert.assertEquals(ContainerProtos.ContainerDataProto.State.RECOVERING,
readContainerResponseProto.getContainerData().getState());
// Container at SCM should be still in closed state.
@@ -273,17 +305,17 @@ public class TestContainerCommandsEC {
.getContainer(container.containerID()).getState());
// close container call
ContainerProtocolCalls.closeContainer(dnClient,
- container.containerID().getProtobuf().getId(), null);
+ container.containerID().getProtobuf().getId(), encodedToken);
// Make sure we have the container and readable.
readContainerResponseProto = ContainerProtocolCalls
.readContainer(dnClient,
- container.containerID().getProtobuf().getId(), null);
+ container.containerID().getProtobuf().getId(), encodedToken);
Assert.assertEquals(ContainerProtos.ContainerDataProto.State.CLOSED,
readContainerResponseProto.getContainerData().getState());
ContainerProtos.ReadChunkResponseProto readChunkResponseProto =
ContainerProtocolCalls.readChunk(dnClient,
writeChunkRequest.getWriteChunk().getChunkData(), blockID, null,
- null);
+ blockToken);
ByteBuffer[] readOnlyByteBuffersArray = BufferUtils
.getReadOnlyByteBuffersArray(
readChunkResponseProto.getDataBuffers().getBuffersList());
@@ -361,10 +393,12 @@ public class TestContainerCommandsEC {
}
ECReconstructionCoordinator coordinator =
- new ECReconstructionCoordinator(config, null);
+ new ECReconstructionCoordinator(config, certClient);
OzoneKeyDetails key = bucket.getKey(keyString);
long conID = key.getOzoneKeyLocations().get(0).getContainerID();
+ Token<ContainerTokenIdentifier> cToken = containerTokenGenerator
+ .generateToken(ANY_USER, new ContainerID(conID));
//Close the container first.
scm.getContainerManager().getContainerStateManager().updateContainerState(
@@ -412,15 +446,15 @@ public class TestContainerCommandsEC {
blockDataArrList = new ArrayList<>();
for (int j = 0; j < containerToDeletePipeline.size(); j++) {
org.apache.hadoop.ozone.container.common.helpers.BlockData[] blockData =
- new ECContainerOperationClient(new OzoneConfiguration(), null)
+ new ECContainerOperationClient(new OzoneConfiguration(), certClient)
.listBlock(conID,
containerToDeletePipeline.get(j).getFirstNode(),
(ECReplicationConfig) containerToDeletePipeline.get(j)
- .getReplicationConfig(), null);
+ .getReplicationConfig(), cToken);
blockDataArrList.add(blockData);
// Delete the first index container
ContainerProtocolCalls.deleteContainer(
xceiverClientManager.acquireClient(containerToDeletePipeline.get(j)),
- conID, true, null);
+ conID, true, cToken.encodeToUrlString());
}
//Give the new target to reconstruct the container
@@ -452,17 +486,17 @@ public class TestContainerCommandsEC {
org.apache.hadoop.ozone.container.common.helpers.BlockData[]
reconstructedBlockData =
- new ECContainerOperationClient(new OzoneConfiguration(), null)
+ new ECContainerOperationClient(new OzoneConfiguration(), certClient)
.listBlock(conID, newTargetPipeline.getFirstNode(),
(ECReplicationConfig) newTargetPipeline
- .getReplicationConfig(), null);
+ .getReplicationConfig(), cToken);
Assert.assertEquals(blockDataArrList.get(i).length,
reconstructedBlockData.length);
checkBlockData(blockDataArrList.get(i), reconstructedBlockData);
ContainerProtos.ReadContainerResponseProto readContainerResponseProto =
ContainerProtocolCalls.readContainer(
xceiverClientManager.acquireClient(newTargetPipeline), conID,
- null);
+ cToken.encodeToUrlString());
Assert.assertEquals(ContainerProtos.ContainerDataProto.State.CLOSED,
readContainerResponseProto.getContainerData().getState());
i++;
@@ -506,9 +540,15 @@ public class TestContainerCommandsEC {
writableECContainerProviderConfig.setMinimumPipelines(1);
conf.setFromObject(writableECContainerProviderConfig);
+ OzoneManager.setTestSecureOmFlag(true);
+ certClient = new CertificateClientTestImpl(config);
+
cluster = MiniOzoneCluster.newBuilder(conf).setNumDatanodes(NUM_DN)
- .setScmId(SCM_ID).setClusterId(CLUSTER_ID).build();
+ .setScmId(SCM_ID).setClusterId(CLUSTER_ID)
+ .setCertificateClient(new CertificateClientTestImpl(conf))
+ .build();
cluster.waitForClusterToBeReady();
+ cluster.getOzoneManager().startSecretManager();
scm = cluster.getStorageContainerManager();
rpcClient = OzoneClientFactory.getRpcClient(conf);
store = rpcClient.getObjectStore();
@@ -543,6 +583,19 @@ public class TestContainerCommandsEC {
Assertions.assertEquals(1, pipelines.size());
pipeline = pipelines.get(0);
datanodeDetails = pipeline.getNodes();
+
+ OzoneConfiguration tweakedConfig = new OzoneConfiguration(config);
+ tweakedConfig.setBoolean(OZONE_SECURITY_ENABLED_KEY, true);
+ SecurityConfig conf = new SecurityConfig(tweakedConfig);
+ long tokenLifetime = TimeUnit.DAYS.toMillis(1);
+ containerTokenGenerator = new ContainerTokenSecretManager(
+ conf, tokenLifetime, "1");
+ containerTokenGenerator.start(certClient);
+ blockTokenGenerator = new OzoneBlockTokenSecretManager(
+ conf, tokenLifetime, "1");
+ blockTokenGenerator.start(certClient);
+ containerToken = containerTokenGenerator
+ .generateToken(ANY_USER, new ContainerID(containerID));
}
public static void stopCluster() throws IOException {
@@ -557,6 +610,14 @@ public class TestContainerCommandsEC {
if (cluster != null) {
cluster.shutdown();
}
+
+ if (blockTokenGenerator != null) {
+ blockTokenGenerator.stop();
+ }
+
+ if (containerTokenGenerator != null) {
+ containerTokenGenerator.stop();
+ }
}
}
diff --git
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestSecureOzoneRpcClient.java
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestSecureOzoneRpcClient.java
index 1b06940e12..68c4e7168f 100644
---
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestSecureOzoneRpcClient.java
+++
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/rpc/TestSecureOzoneRpcClient.java
@@ -53,7 +53,7 @@ import
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMRespo
import
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.S3Authentication;
import
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.Status;
import
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.VolumeInfo;
-import org.apache.hadoop.ozone.security.OzoneBlockTokenSecretManager;
+import org.apache.hadoop.hdds.security.token.OzoneBlockTokenSecretManager;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ozone.test.GenericTestUtils;
import org.apache.ozone.test.LambdaTestUtils;
diff --git
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestOzoneContainerWithTLS.java
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestOzoneContainerWithTLS.java
index 5b65d92d15..c5a4a9339b 100644
---
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestOzoneContainerWithTLS.java
+++
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestOzoneContainerWithTLS.java
@@ -35,7 +35,7 @@ import org.apache.hadoop.hdds.scm.XceiverClientSpi;
import org.apache.hadoop.hdds.scm.pipeline.Pipeline;
import
org.apache.hadoop.ozone.container.common.statemachine.DatanodeStateMachine;
import org.apache.hadoop.ozone.container.common.statemachine.StateContext;
-import org.apache.hadoop.ozone.security.OzoneBlockTokenSecretManager;
+import org.apache.hadoop.hdds.security.token.OzoneBlockTokenSecretManager;
import org.apache.hadoop.security.token.Token;
import org.apache.ozone.test.GenericTestUtils;
import org.junit.Assert;
diff --git
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/server/TestSecureContainerServer.java
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/server/TestSecureContainerServer.java
index cd7c995544..361158edb9 100644
---
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/server/TestSecureContainerServer.java
+++
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/server/TestSecureContainerServer.java
@@ -67,7 +67,7 @@ import
org.apache.hadoop.ozone.container.common.volume.MutableVolumeSet;
import org.apache.hadoop.ozone.container.common.volume.StorageVolume;
import org.apache.hadoop.ozone.container.common.volume.VolumeSet;
import org.apache.hadoop.ozone.container.ozoneimpl.ContainerController;
-import org.apache.hadoop.ozone.security.OzoneBlockTokenSecretManager;
+import org.apache.hadoop.hdds.security.token.OzoneBlockTokenSecretManager;
import org.apache.hadoop.security.token.Token;
import org.apache.ozone.test.GenericTestUtils;
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/KeyManagerImpl.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/KeyManagerImpl.java
index b592d25036..cbc492161f 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/KeyManagerImpl.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/KeyManagerImpl.java
@@ -88,7 +88,7 @@ import org.apache.hadoop.ozone.om.request.OMClientRequest;
import org.apache.hadoop.ozone.om.request.file.OMFileRequest;
import
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OpenKeyBucket;
import
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.PartKeyInfo;
-import org.apache.hadoop.ozone.security.OzoneBlockTokenSecretManager;
+import org.apache.hadoop.hdds.security.token.OzoneBlockTokenSecretManager;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
import org.apache.hadoop.ozone.security.acl.OzoneObj;
import org.apache.hadoop.ozone.security.acl.RequestContext;
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
index 408d2e67f4..60ba6bb852 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
@@ -167,7 +167,7 @@ import
org.apache.hadoop.ozone.protocolPB.OMInterServiceProtocolServerSideImpl;
import org.apache.hadoop.ozone.protocolPB.OMAdminProtocolServerSideImpl;
import
org.apache.hadoop.ozone.storage.proto.OzoneManagerStorageProtos.PersistedUserVolumeInfo;
import
org.apache.hadoop.ozone.protocolPB.OzoneManagerProtocolServerSideTranslatorPB;
-import org.apache.hadoop.ozone.security.OzoneBlockTokenSecretManager;
+import org.apache.hadoop.hdds.security.token.OzoneBlockTokenSecretManager;
import org.apache.hadoop.ozone.security.OzoneDelegationTokenSecretManager;
import org.apache.hadoop.ozone.security.OzoneTokenIdentifier;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java
index b1e13ca2e9..79e0d51443 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/key/OMKeyRequest.java
@@ -78,7 +78,7 @@ import
org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos
.KeyArgs;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos
.OMRequest;
-import org.apache.hadoop.ozone.security.OzoneBlockTokenSecretManager;
+import org.apache.hadoop.hdds.security.token.OzoneBlockTokenSecretManager;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
diff --git
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/OmTestManagers.java
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/OmTestManagers.java
index 89cbac4313..79de54efa3 100644
---
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/OmTestManagers.java
+++
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/OmTestManagers.java
@@ -26,7 +26,7 @@ import
org.apache.hadoop.hdds.scm.protocol.StorageContainerLocationProtocol;
import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
import org.apache.hadoop.ozone.client.OzoneClientFactory;
import org.apache.hadoop.ozone.om.protocol.OzoneManagerProtocol;
-import org.apache.hadoop.ozone.security.OzoneBlockTokenSecretManager;
+import org.apache.hadoop.hdds.security.token.OzoneBlockTokenSecretManager;
import
org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.mockito.Mockito;
diff --git
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/key/TestOMKeyRequest.java
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/key/TestOMKeyRequest.java
index 26068664ff..c2232931d7 100644
---
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/key/TestOMKeyRequest.java
+++
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/key/TestOMKeyRequest.java
@@ -64,7 +64,7 @@ import org.apache.hadoop.ozone.om.OMMetrics;
import org.apache.hadoop.ozone.om.OmMetadataManagerImpl;
import org.apache.hadoop.ozone.om.OzoneManager;
import org.apache.hadoop.ozone.om.ScmClient;
-import org.apache.hadoop.ozone.security.OzoneBlockTokenSecretManager;
+import org.apache.hadoop.hdds.security.token.OzoneBlockTokenSecretManager;
import org.apache.hadoop.util.Time;
import static org.mockito.ArgumentMatchers.any;
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
