This is an automated email from the ASF dual-hosted git repository.
weichiu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new 9d2b4158e7c HDDS-13234. Expired secret key can abort leader OM
startup. (#8601)
9d2b4158e7c is described below
commit 9d2b4158e7ca5537ceb15ee93c4ac4d08f5361cf
Author: Wei-Chiu Chuang <[email protected]>
AuthorDate: Tue Jun 17 16:50:03 2025 -0700
HDDS-13234. Expired secret key can abort leader OM startup. (#8601)
---
.../OzoneDelegationTokenSecretManager.java | 16 ++++++++-
.../TestOzoneDelegationTokenSecretManager.java | 41 ++++++++++++++++++++++
2 files changed, 56 insertions(+), 1 deletion(-)
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
index 93ca46c36e8..4d6928c5350 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
@@ -513,7 +513,11 @@ private void loadTokenSecretState(
LOG.info("Loading token state into token manager.");
for (Map.Entry<OzoneTokenIdentifier, Long> entry :
state.getTokenState().entrySet()) {
- addPersistedDelegationToken(entry.getKey(), entry.getValue());
+ try {
+ addPersistedDelegationToken(entry.getKey(), entry.getValue());
+ } catch (Exception e) {
+ LOG.error("exception while loading delegation token from DB... ignored
to continue startup", e);
+ }
}
}
@@ -528,6 +532,16 @@ private void
addPersistedDelegationToken(OzoneTokenIdentifier identifier,
byte[] password;
if (StringUtils.isNotEmpty(identifier.getSecretKeyId())) {
ManagedSecretKey signKey =
secretKeyClient.getSecretKey(UUID.fromString(identifier.getSecretKeyId()));
+ if (signKey == null) {
+ // if delegation token expired, remove it from the store.
+ if (renewDate < Time.now()) {
+ LOG.info("Removing expired persisted delegation token {} from DB",
identifier);
+ this.store.removeToken(identifier);
+ }
+
+ throw new IOException("Secret key " +
UUID.fromString(identifier.getSecretKeyId()) +
+ " not found for token " + formatTokenId(identifier));
+ }
password = signKey.sign(identifier.getBytes());
} else {
if (LOG.isDebugEnabled()) {
diff --git
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneDelegationTokenSecretManager.java
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneDelegationTokenSecretManager.java
index fe7b2d18e9d..94116719119 100644
---
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneDelegationTokenSecretManager.java
+++
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneDelegationTokenSecretManager.java
@@ -26,8 +26,12 @@
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.doNothing;
+import static org.mockito.Mockito.doReturn;
import static org.mockito.Mockito.doThrow;
import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
import com.google.common.collect.ImmutableList;
@@ -231,6 +235,43 @@ public void testCreateToken() throws Exception {
validateHash(token.getPassword(), token.getIdentifier());
}
+ @Test
+ public void testExpiredSecretKey() throws Exception {
+ SecretKeyClient old = secretKeyClient;
+ secretKeyClient = spy(secretKeyClient);
+ doReturn(null).when(secretKeyClient).getSecretKey(any());
+
+ Text tester = new Text("tester");
+ OzoneTokenIdentifier identifier =
+ new OzoneTokenIdentifier(tester, tester, tester);
+ identifier.setSecretKeyId(UUID.randomUUID().toString());
+ identifier.setOmServiceId(OzoneConsts.OM_SERVICE_ID_DEFAULT);
+
+ // case 1: Secret key not found, and delegation token is valid.
+ om.getMetadataManager().getDelegationTokenTable().put(identifier,
Long.MAX_VALUE);
+ try {
+ secretManager = createSecretManager(conf, TOKEN_MAX_LIFETIME,
+ expiryTime, TOKEN_REMOVER_SCAN_INTERVAL);
+ om.getMetadataManager().getDelegationTokenTable().delete(identifier);
+
+ // case 2: Secret key not found, and delegation token is expired.
+ OzoneTokenIdentifier identifier2 =
+ new OzoneTokenIdentifier(tester, tester, tester);
+ identifier2.setSecretKeyId(UUID.randomUUID().toString());
+ identifier2.setOmServiceId(OzoneConsts.OM_SERVICE_ID_DEFAULT);
+
+ om.getMetadataManager().getDelegationTokenTable().put(identifier2,
Time.now() - 1);
+ secretManager = createSecretManager(conf, TOKEN_MAX_LIFETIME,
+ expiryTime, TOKEN_REMOVER_SCAN_INTERVAL);
+ // expired token should be removed from the table.
+
assertFalse(om.getMetadataManager().getDelegationTokenTable().isExist(identifier2),
+ "Expired token " + identifier2 + " should be removed from the
table");
+ } finally {
+ verify(secretKeyClient, times(2)).getSecretKey(any());
+ secretKeyClient = old;
+ }
+ }
+
private void restartSecretManager() throws IOException {
secretManager.stop();
secretManager = null;
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
