[ https://issues.apache.org/jira/browse/HADOOP-19639?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18009536#comment-18009536 ]
ASF GitHub Bot commented on HADOOP-19639: ----------------------------------------- K0K0V0K commented on code in PR #7827: URL: https://github.com/apache/hadoop/pull/7827#discussion_r2228235542 ########## hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManagerConfig.java: ########## 
@@ -0,0 +1,123 @@
+
+package org.apache.hadoop.security.token;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.crypto.KeyGenerator;
+import javax.crypto.Mac;
+import javax.crypto.SecretKey;
+import java.security.NoSuchAlgorithmException;
+
+/**
+ * Provides configuration and utility methods for managing cryptographic key generation
+ * and message authentication code (MAC) generation using specified algorithms and key lengths.
+ * <p>
+ * This class supports static access to the selected cryptographic algorithm and key length,
+ * and provides methods to create configured {@link javax.crypto.KeyGenerator} and {@link javax.crypto.Mac} instances.
+ * The configuration is initialized statically from a provided {@link Configuration} object.
+ * <p>
+ * The {@link SecretManager} has some static method, so static configuration is required
+ */
+public class SecretManagerConfig {
+ private static final Logger LOG = LoggerFactory.getLogger(SecretManagerConfig.class);
+ private static String SELECTED_ALGORITHM;
+ private static int SELECTED_LENGTH;
+
+ static {
+ update(new Configuration());
+ }
+
+ /**
+ * Updates the selected cryptographic algorithm and key length using the provided
+ * Hadoop {@link Configuration}. This method reads the values for
+ * {@code HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_KEY} and
+ * {@code HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_KEY}, or uses default values if not set.
+ *
+ * @param conf the configuration object containing cryptographic settings
+ */
+ public static void update(Configuration conf) {
+ SELECTED_ALGORITHM = conf.get(
+ CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_KEY,
+ CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_DEFAULT);
+ LOG.debug("Selected hash algorithm: {}", SELECTED_ALGORITHM);
+ SELECTED_LENGTH = conf.getInt(
+ CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_KEY,
+ CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_DEFAULT);
+ LOG.debug("Selected hash key length: {}", SELECTED_LENGTH);
+ }
+
+ /**
+ * Returns the currently selected cryptographic algorithm.
+ *
+ * @return the name of the selected algorithm
+ */
+ public static String getSelectedAlgorithm() {
+ return SELECTED_ALGORITHM;
+ }
+
+ /**
+ * Returns the currently selected key length in bits.
+ *
+ * @return the selected key length
+ */
+ public static int getSelectedLength() {
+ return SELECTED_LENGTH;
+ }
+
+ /**
+ * Sets the cryptographic algorithm to use.
+ *
+ * @param algorithm the algorithm name (e.g., "HmacSHA256", "AES")
+ */
+ public static void setSelectedAlgorithm(String algorithm) {
Review Comment: Hi @abstractdog ! Thanks for the review. I was thinking we can provide 2 method and components can decide what they prefer, but maybe you right and that will over complicate the things. I will delete these setters.
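Review bot: SELECTED_ALGORITHM and SELECTED_LENGTH are mutable statics written by the public update(Configuration) and read by the static getters without volatile or any guard, so a component that reconfigures at runtime (the purpose of this change) has no guarantee that another thread constructing a SecretManager observes the new values; `private static volatile String selectedAlgorithm;` and `private static volatile int selectedLength;` would give that visibility, and the lowerCamelCase also stops the fields reading as constants. update() stores conf.getInt(...) unchecked, so a zero or negative length only surfaces later inside KeyGenerator.init far from the misconfigured key; a guard such as `if (SELECTED_LENGTH <= 0) throw new IllegalArgumentException("secret manager key length must be positive: " + SELECTED_LENGTH);` reports it at the source. The two debug messages say "hash algorithm" / "hash key length" although the property is a key-generator algorithm; `LOG.debug("Selected key generator algorithm: {}", SELECTED_ALGORITHM);` avoids the confusion. The class body continues past the quoted hunk.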
> SecretManager configuration at runtime > -------------------------------------- > > Key: HADOOP-19639 > URL: https://issues.apache.org/jira/browse/HADOOP-19639 > Project: Hadoop Common > Issue Type: Improvement > Components: hadoop-common > Affects Versions: 3.5.0 > Reporter: Bence Kosztolnik > Assignee: Bence Kosztolnik > Priority: Major > Labels: pull-request-available > > In case of TEZ *DAGAppMaster* the Hadoop *SecretManager* code can not read > yarn config xml file, therefore the SELECTED_ALGORITHM and SELECTED_LENGTH > variables in SecretManager can not be set at runtime. > This can results with the following exception in FIPS environment: > {code:java} > java.security.InvalidParameterException: Key size for HMAC must be at least > 112 bits in approved mode: SHA-1/HMAC > at > com.safelogic.cryptocomply.fips.core/com.safelogic.cryptocomply.jcajce.provider.BaseKeyGenerator.engineInit(Unknown > Source) > at java.base/javax.crypto.KeyGenerator.init(KeyGenerator.java:540) > at java.base/javax.crypto.KeyGenerator.init(KeyGenerator.java:517) > at > org.apache.hadoop.security.token.SecretManager.<init>(SecretManager.java:157) > at > org.apache.hadoop.yarn.security.client.BaseClientToAMTokenSecretManager.<init>(BaseClientToAMTokenSecretManager.java:38) > at > org.apache.hadoop.yarn.security.client.ClientToAMTokenSecretManager.<init>(ClientToAMTokenSecretManager.java:46) > at > org.apache.tez.common.security.TezClientToAMTokenSecretManager.<init>(TezClientToAMTokenSecretManager.java:33) > at > org.apache.tez.dag.app.DAGAppMaster.serviceInit(DAGAppMaster.java:493) > at > org.apache.hadoop.service.AbstractService.init(AbstractService.java:164) > at org.apache.tez.dag.app.DAGAppMaster$9.run(DAGAppMaster.java:2649) > at java.base/java.security.AccessController.doPrivileged(Native Method) > at java.base/javax.security.auth.Subject.doAs(Subject.java:423) > at > org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1910) > at > 
org.apache.tez.dag.app.DAGAppMaster.initAndStartAppMaster(DAGAppMaster.java:2646) > at org.apache.tez.dag.app.DAGAppMaster.main(DAGAppMaster.java:2440) > {code} > To mitigate the problem we should modify the *ClientToAMTokenSecretManager* > to have a constructor where TEZ can pass a configuration object with the > selected values. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org