[ https://issues.apache.org/jira/browse/HADOOP-19639?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18009541#comment-18009541 ]
ASF GitHub Bot commented on HADOOP-19639:
-----------------------------------------

abstractdog commented on code in PR #7827:
URL: https://github.com/apache/hadoop/pull/7827#discussion_r2228243815

##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManagerConfig.java:
##########
@@ -0,0 +1,123 @@ + +package org.apache.hadoop.security.token; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.fs.CommonConfigurationKeysPublic; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import javax.crypto.KeyGenerator; +import javax.crypto.Mac; +import javax.crypto.SecretKey; +import java.security.NoSuchAlgorithmException; + +/** + * Provides configuration and utility methods for managing cryptographic key generation + * and message authentication code (MAC) generation using specified algorithms and key lengths. + * <p> + * This class supports static access to the selected cryptographic algorithm and key length, + * and provides methods to create configured {@link javax.crypto.KeyGenerator} and {@link javax.crypto.Mac} instances. + * The configuration is initialized statically from a provided {@link Configuration} object. + * <p> + * The {@link SecretManager} has some static method, so static configuration is required + */ +public class SecretManagerConfig { + private static final Logger LOG = LoggerFactory.getLogger(SecretManagerConfig.class); + private static String SELECTED_ALGORITHM; + private static int SELECTED_LENGTH; + + static { + update(new Configuration()); + } + + /** + * Updates the selected cryptographic algorithm and key length using the provided + * Hadoop {@link Configuration}. This method reads the values for + * {@code HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_KEY} and + * {@code HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_KEY}, or uses default values if not set. + * + * @param conf the configuration object containing cryptographic settings + */ + public static void update(Configuration conf) {

Review Comment:
while this method is crucial for Tez as explained on [HADOOP-19639](https://issues.apache.org/jira/browse/HADOOP-19639), it might also bring confusion, which is due to the fact that we try to lazy init static things, so the scenario I'm worried about is a wrong usage:
1. keyGen is initialized by createKeyGenerator
2. update is called
3. update is not effective as the keyGen is already initialized

we need to make this more robust by giving a warning or even throwing an exception if update(Configuration) is called after initialization, making the user aware that the settings won't be applied

> SecretManager configuration at runtime
> --------------------------------------
>
> Key: HADOOP-19639
> URL: https://issues.apache.org/jira/browse/HADOOP-19639
> Project: Hadoop Common
> Issue Type: Improvement
> Components: hadoop-common
> Affects Versions: 3.5.0
> Reporter: Bence Kosztolnik
> Assignee: Bence Kosztolnik
> Priority: Major
> Labels: pull-request-available
>
> In case of TEZ *DAGAppMaster* the Hadoop *SecretManager* code can not read
> yarn config xml file, therefore the SELECTED_ALGORITHM and SELECTED_LENGTH
> variables in SecretManager can not be set at runtime.
> This can result in the following exception in FIPS environment:
> {code:java}
> java.security.InvalidParameterException: Key size for HMAC must be at least 112 bits in approved mode: SHA-1/HMAC
> at com.safelogic.cryptocomply.fips.core/com.safelogic.cryptocomply.jcajce.provider.BaseKeyGenerator.engineInit(Unknown Source)
> at java.base/javax.crypto.KeyGenerator.init(KeyGenerator.java:540)
> at java.base/javax.crypto.KeyGenerator.init(KeyGenerator.java:517)
> at org.apache.hadoop.security.token.SecretManager.<init>(SecretManager.java:157)
> at org.apache.hadoop.yarn.security.client.BaseClientToAMTokenSecretManager.<init>(BaseClientToAMTokenSecretManager.java:38)
> at org.apache.hadoop.yarn.security.client.ClientToAMTokenSecretManager.<init>(ClientToAMTokenSecretManager.java:46)
> at org.apache.tez.common.security.TezClientToAMTokenSecretManager.<init>(TezClientToAMTokenSecretManager.java:33)
> at org.apache.tez.dag.app.DAGAppMaster.serviceInit(DAGAppMaster.java:493)
> at org.apache.hadoop.service.AbstractService.init(AbstractService.java:164)
> at org.apache.tez.dag.app.DAGAppMaster$9.run(DAGAppMaster.java:2649)
> at java.base/java.security.AccessController.doPrivileged(Native Method)
> at java.base/javax.security.auth.Subject.doAs(Subject.java:423)
> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1910)
> at org.apache.tez.dag.app.DAGAppMaster.initAndStartAppMaster(DAGAppMaster.java:2646)
> at org.apache.tez.dag.app.DAGAppMaster.main(DAGAppMaster.java:2440)
> {code}
> To mitigate the problem we should modify the *ClientToAMTokenSecretManager*
> to have a constructor where TEZ can pass a configuration object with the
> selected values.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
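Review bot: `update(Configuration conf)` overwrites `SELECTED_ALGORITHM` and `SELECTED_LENGTH` unconditionally, and the static block `static { update(new Configuration()); }` has already populated them at class-load time, so a call that arrives after a generator has been built from the old values changes the fields but not the generator, which is the silent no-op abstractdog describes. In a FIPS deployment that is a security problem rather than a cosmetic one: the `InvalidParameterException` in the issue is produced by the defaults, and if a late `update()` is swallowed the operator believes the approved key length is in effect when it is not. Suggest a one-way latch, for example a `private static boolean initialized` set by the generator factory, which `update()` checks first and, if set, throws `IllegalStateException` naming the old and new values rather than only logging through `LOG`. Since `update()` is a public static writer, `SELECTED_ALGORITHM` and `SELECTED_LENGTH` should also be `volatile` unless the readers elsewhere in this hunk synchronize on the class. Minor: the Javadoc line `* The {@link SecretManager} has some static method, so static configuration is required` should read `has some static methods` and end with a period.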
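The guard abstractdog asks for, as an added example that is not Hadoop's code and not part of PR #7827: a static settings holder that latches once a KeyGenerator has been created from it and rejects a later update() instead of silently ignoring it. java.util.Properties stands in for org.apache.hadoop.conf.Configuration, the property names and the defaults (HmacSHA256 with a 256-bit key, chosen to satisfy the 112-bit FIPS minimum quoted in the issue) are assumptions, and GuardedSecretConfig is a hypothetical class name, not Hadoop's SecretManagerConfig.

```java
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.security.NoSuchAlgorithmException;
import java.util.Properties;

/**
 * Hypothetical stand-in for SecretManagerConfig (example code, not Hadoop's).
 * Settings are static because SecretManager reads them from static context,
 * but a one-way latch makes a too-late reconfiguration fail loudly.
 */
public final class GuardedSecretConfig {
  // Assumed property names; Hadoop's real keys live in CommonConfigurationKeysPublic.
  static final String ALGORITHM_KEY = "secret-manager.key-generator.algorithm";
  static final String LENGTH_KEY = "secret-manager.key-length";
  // Assumed defaults: an HMAC key of at least 112 bits is what a FIPS provider requires.
  static final String DEFAULT_ALGORITHM = "HmacSHA256";
  static final int DEFAULT_LENGTH = 256;

  private static String selectedAlgorithm = DEFAULT_ALGORITHM;
  private static int selectedLength = DEFAULT_LENGTH;
  // Flipped the first time the settings are consumed; never reset.
  private static boolean frozen = false;

  private GuardedSecretConfig() {}

  /**
   * Applies the configured algorithm and key length. Throws if a generator
   * has already been built from the previous values, because the new ones
   * would otherwise never take effect.
   */
  public static synchronized void update(Properties conf) {
    if (frozen) {
      throw new IllegalStateException(
          "update() called after a KeyGenerator was already created with algorithm="
              + selectedAlgorithm + ", keyLength=" + selectedLength
              + "; the new settings would not be applied");
    }
    selectedAlgorithm = conf.getProperty(ALGORITHM_KEY, DEFAULT_ALGORITHM);
    selectedLength = Integer.parseInt(
        conf.getProperty(LENGTH_KEY, String.valueOf(DEFAULT_LENGTH)));
  }

  /** Builds a generator from the current settings and freezes them. */
  public static synchronized KeyGenerator createKeyGenerator()
      throws NoSuchAlgorithmException {
    KeyGenerator keyGen = KeyGenerator.getInstance(selectedAlgorithm);
    keyGen.init(selectedLength); // a FIPS provider rejects too-short keys here
    frozen = true;
    return keyGen;
  }

  public static synchronized String selectedAlgorithm() { return selectedAlgorithm; }
  public static synchronized int selectedLength() { return selectedLength; }

  public static void main(String[] args) throws Exception {
    // Constructed configuration: what an application master would pass in.
    Properties conf = new Properties();
    conf.setProperty(ALGORITHM_KEY, "HmacSHA512");
    conf.setProperty(LENGTH_KEY, "512");

    update(conf);                                  // correct order: configure first
    SecretKey key = createKeyGenerator().generateKey();
    System.out.println(key.getAlgorithm() + " key of "
        + key.getEncoded().length * 8 + " bits"); // HmacSHA512 key of 512 bits

    try {
      update(new Properties());                    // wrong order: rejected, not ignored
    } catch (IllegalStateException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

The latch is set in createKeyGenerator() rather than in a static initializer so that the class can be loaded, and its defaults inspected, before the application decides which configuration to apply; the same idea applies to the constructor-based approach the issue proposes, where the configuration is consumed once at construction time.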