[03/50] [abbrv] hadoop git commit: HADOOP-13864. KMS should not require truststore password. Contributed by Mike Yoder.
HADOOP-13864. KMS should not require truststore password. Contributed by Mike Yoder. Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/a2b5d602 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/a2b5d602 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/a2b5d602 Branch: refs/heads/YARN-5085 Commit: a2b5d602201a4f619f6a68ec2168a884190d8de6 Parents: f3b8ff5 Author: Xiao ChenAuthored: Mon Dec 5 12:19:26 2016 -0800 Committer: Xiao Chen Committed: Mon Dec 5 17:36:00 2016 -0800 -- .../security/ssl/FileBasedKeyStoresFactory.java | 6 -- .../security/ssl/ReloadingX509TrustManager.java | 2 +- .../ssl/TestReloadingX509TrustManager.java| 18 ++ 3 files changed, 23 insertions(+), 3 deletions(-) -- http://git-wip-us.apache.org/repos/asf/hadoop/blob/a2b5d602/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java --
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java
index 4e59010..a01d11a 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java
@@ -202,8 +202,10 @@ public class FileBasedKeyStoresFactory implements KeyStoresFactory { SSL_TRUSTSTORE_PASSWORD_TPL_KEY); String truststorePassword = getPassword(conf, passwordProperty, ""); if (truststorePassword.isEmpty()) { -throw new GeneralSecurityException("The property '" + passwordProperty + -"' has not been set in the ssl configuration file."); +// An empty trust store password is legal; the trust store password +// is only required when writing to a trust store. Otherwise it's +// an optional integrity check. +truststorePassword = null; } long truststoreReloadInterval = conf.getLong( http://git-wip-us.apache.org/repos/asf/hadoop/blob/a2b5d602/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java -- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java index 597f8d7..2d3afea 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java @@ -167,7 +167,7 @@ public final class ReloadingX509TrustManager KeyStore ks = KeyStore.getInstance(type); FileInputStream in = new FileInputStream(file); try { - ks.load(in, password.toCharArray()); + ks.load(in, (password == null) ? null : password.toCharArray()); lastLoaded = file.lastModified(); LOG.debug("Loaded truststore '" + file + "'"); } finally { http://git-wip-us.apache.org/repos/asf/hadoop/blob/a2b5d602/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java -- 
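Review bot: The new branch inside `if (truststorePassword.isEmpty())` turns a missing password into `null` without telling the operator, so a configuration that used to fail fast on an unset property now loads the truststore with no integrity check. `KeyStore.load` with a null password skips the store's integrity verification, which leaves the file's permissions as the only protection for the trust anchors. I would log this at the point of the assignment, for example `LOG.warn("The property '" + passwordProperty + "' is not set; the truststore will be loaded without an integrity check.");`, assuming the class has a logger (none is visible in the hunk). If `getPassword` falls back to its default on a lookup error, which cannot be seen here, that failure would end up on this path as well. The enclosing method continues outside the hunk, and the same hunk recurs in the later copies of this commit mail.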
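Review bot: The changed `ks.load(in, (password == null) ? null : password.toCharArray());` line makes a null password a supported input, but nothing at the call says what that means for a manager that reloads the file. The hunk records `file.lastModified()` after each load, so a replaced truststore would presumably be picked up on the next reload with no integrity check when the password is null. The line deserves a comment such as `// A null password makes KeyStore.load skip the integrity check; file permissions are then the only guard.` The Javadoc of whatever constructor supplies `password` (outside this hunk) should likewise state that null is accepted. The method this line belongs to starts and ends outside the hunk.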
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java index bf058cd..3fb203e 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java @@ -199,4 +199,22 @@ public class TestReloadingX509TrustManager { }, reloadInterval, 10 * 1000); } + /** No password when accessing a trust store is legal. */ + @Test + public void testNoPassword() throws Exception { +KeyPair kp = generateKeyPair("RSA"); +cert1 = generateCertificate("CN=Cert1", kp, 30, "SHA1withRSA"); +cert2 = generateCertificate("CN=Cert2", kp, 30, "SHA1withRSA"); +String truststoreLocation = BASEDIR + "/testreload.jks"; +createTrustStore(truststoreLocation, "password", "cert1", cert1); + +final ReloadingX509TrustManager tm = +new
[07/50] [abbrv] hadoop git commit: HADOOP-13864. KMS should not require truststore password. Contributed by Mike Yoder.
HADOOP-13864. KMS should not require truststore password. Contributed by Mike Yoder. Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/a2b5d602 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/a2b5d602 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/a2b5d602 Branch: refs/heads/YARN-5734 Commit: a2b5d602201a4f619f6a68ec2168a884190d8de6 Parents: f3b8ff5 Author: Xiao ChenAuthored: Mon Dec 5 12:19:26 2016 -0800 Committer: Xiao Chen Committed: Mon Dec 5 17:36:00 2016 -0800 -- .../security/ssl/FileBasedKeyStoresFactory.java | 6 -- .../security/ssl/ReloadingX509TrustManager.java | 2 +- .../ssl/TestReloadingX509TrustManager.java| 18 ++ 3 files changed, 23 insertions(+), 3 deletions(-) -- http://git-wip-us.apache.org/repos/asf/hadoop/blob/a2b5d602/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java --
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java
index 4e59010..a01d11a 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java
@@ -202,8 +202,10 @@ public class FileBasedKeyStoresFactory implements KeyStoresFactory { SSL_TRUSTSTORE_PASSWORD_TPL_KEY); String truststorePassword = getPassword(conf, passwordProperty, ""); if (truststorePassword.isEmpty()) { -throw new GeneralSecurityException("The property '" + passwordProperty + -"' has not been set in the ssl configuration file."); +// An empty trust store password is legal; the trust store password +// is only required when writing to a trust store. Otherwise it's +// an optional integrity check. +truststorePassword = null; } long truststoreReloadInterval = conf.getLong( http://git-wip-us.apache.org/repos/asf/hadoop/blob/a2b5d602/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java -- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java index 597f8d7..2d3afea 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java @@ -167,7 +167,7 @@ public final class ReloadingX509TrustManager KeyStore ks = KeyStore.getInstance(type); FileInputStream in = new FileInputStream(file); try { - ks.load(in, password.toCharArray()); + ks.load(in, (password == null) ? null : password.toCharArray()); lastLoaded = file.lastModified(); LOG.debug("Loaded truststore '" + file + "'"); } finally { http://git-wip-us.apache.org/repos/asf/hadoop/blob/a2b5d602/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java -- 
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java index bf058cd..3fb203e 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java @@ -199,4 +199,22 @@ public class TestReloadingX509TrustManager { }, reloadInterval, 10 * 1000); } + /** No password when accessing a trust store is legal. */ + @Test + public void testNoPassword() throws Exception { +KeyPair kp = generateKeyPair("RSA"); +cert1 = generateCertificate("CN=Cert1", kp, 30, "SHA1withRSA"); +cert2 = generateCertificate("CN=Cert2", kp, 30, "SHA1withRSA"); +String truststoreLocation = BASEDIR + "/testreload.jks"; +createTrustStore(truststoreLocation, "password", "cert1", cert1); + +final ReloadingX509TrustManager tm = +new
[14/50] [abbrv] hadoop git commit: HADOOP-13864. KMS should not require truststore password. Contributed by Mike Yoder.
HADOOP-13864. KMS should not require truststore password. Contributed by Mike Yoder. Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/a2b5d602 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/a2b5d602 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/a2b5d602 Branch: refs/heads/HADOOP-13345 Commit: a2b5d602201a4f619f6a68ec2168a884190d8de6 Parents: f3b8ff5 Author: Xiao ChenAuthored: Mon Dec 5 12:19:26 2016 -0800 Committer: Xiao Chen Committed: Mon Dec 5 17:36:00 2016 -0800 -- .../security/ssl/FileBasedKeyStoresFactory.java | 6 -- .../security/ssl/ReloadingX509TrustManager.java | 2 +- .../ssl/TestReloadingX509TrustManager.java| 18 ++ 3 files changed, 23 insertions(+), 3 deletions(-) -- http://git-wip-us.apache.org/repos/asf/hadoop/blob/a2b5d602/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java --
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java
index 4e59010..a01d11a 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java
@@ -202,8 +202,10 @@ public class FileBasedKeyStoresFactory implements KeyStoresFactory { SSL_TRUSTSTORE_PASSWORD_TPL_KEY); String truststorePassword = getPassword(conf, passwordProperty, ""); if (truststorePassword.isEmpty()) { -throw new GeneralSecurityException("The property '" + passwordProperty + -"' has not been set in the ssl configuration file."); +// An empty trust store password is legal; the trust store password +// is only required when writing to a trust store. Otherwise it's +// an optional integrity check. +truststorePassword = null; } long truststoreReloadInterval = conf.getLong( http://git-wip-us.apache.org/repos/asf/hadoop/blob/a2b5d602/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java -- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java index 597f8d7..2d3afea 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java @@ -167,7 +167,7 @@ public final class ReloadingX509TrustManager KeyStore ks = KeyStore.getInstance(type); FileInputStream in = new FileInputStream(file); try { - ks.load(in, password.toCharArray()); + ks.load(in, (password == null) ? null : password.toCharArray()); lastLoaded = file.lastModified(); LOG.debug("Loaded truststore '" + file + "'"); } finally { http://git-wip-us.apache.org/repos/asf/hadoop/blob/a2b5d602/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java -- 
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java index bf058cd..3fb203e 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java @@ -199,4 +199,22 @@ public class TestReloadingX509TrustManager { }, reloadInterval, 10 * 1000); } + /** No password when accessing a trust store is legal. */ + @Test + public void testNoPassword() throws Exception { +KeyPair kp = generateKeyPair("RSA"); +cert1 = generateCertificate("CN=Cert1", kp, 30, "SHA1withRSA"); +cert2 = generateCertificate("CN=Cert2", kp, 30, "SHA1withRSA"); +String truststoreLocation = BASEDIR + "/testreload.jks"; +createTrustStore(truststoreLocation, "password", "cert1", cert1); + +final ReloadingX509TrustManager tm = +new
hadoop git commit: HADOOP-13864. KMS should not require truststore password. Contributed by Mike Yoder.
Repository: hadoop Updated Branches: refs/heads/trunk f3b8ff54a -> a2b5d6022 HADOOP-13864. KMS should not require truststore password. Contributed by Mike Yoder. Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/a2b5d602 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/a2b5d602 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/a2b5d602 Branch: refs/heads/trunk Commit: a2b5d602201a4f619f6a68ec2168a884190d8de6 Parents: f3b8ff5 Author: Xiao ChenAuthored: Mon Dec 5 12:19:26 2016 -0800 Committer: Xiao Chen Committed: Mon Dec 5 17:36:00 2016 -0800 -- .../security/ssl/FileBasedKeyStoresFactory.java | 6 -- .../security/ssl/ReloadingX509TrustManager.java | 2 +- .../ssl/TestReloadingX509TrustManager.java| 18 ++ 3 files changed, 23 insertions(+), 3 deletions(-) -- http://git-wip-us.apache.org/repos/asf/hadoop/blob/a2b5d602/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java --
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java
index 4e59010..a01d11a 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java
@@ -202,8 +202,10 @@ public class FileBasedKeyStoresFactory implements KeyStoresFactory { SSL_TRUSTSTORE_PASSWORD_TPL_KEY); String truststorePassword = getPassword(conf, passwordProperty, ""); if (truststorePassword.isEmpty()) { -throw new GeneralSecurityException("The property '" + passwordProperty + -"' has not been set in the ssl configuration file."); +// An empty trust store password is legal; the trust store password +// is only required when writing to a trust store. Otherwise it's +// an optional integrity check. +truststorePassword = null; } long truststoreReloadInterval = conf.getLong( http://git-wip-us.apache.org/repos/asf/hadoop/blob/a2b5d602/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java -- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java index 597f8d7..2d3afea 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java @@ -167,7 +167,7 @@ public final class ReloadingX509TrustManager KeyStore ks = KeyStore.getInstance(type); FileInputStream in = new FileInputStream(file); try { - ks.load(in, password.toCharArray()); + ks.load(in, (password == null) ? null : password.toCharArray()); lastLoaded = file.lastModified(); LOG.debug("Loaded truststore '" + file + "'"); } finally { http://git-wip-us.apache.org/repos/asf/hadoop/blob/a2b5d602/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java -- 
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java index bf058cd..3fb203e 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java @@ -199,4 +199,22 @@ public class TestReloadingX509TrustManager { }, reloadInterval, 10 * 1000); } + /** No password when accessing a trust store is legal. */ + @Test + public void testNoPassword() throws Exception { +KeyPair kp = generateKeyPair("RSA"); +cert1 = generateCertificate("CN=Cert1", kp, 30, "SHA1withRSA"); +cert2 = generateCertificate("CN=Cert2", kp, 30, "SHA1withRSA"); +String truststoreLocation = BASEDIR + "/testreload.jks"; +createTrustStore(truststoreLocation, "password", "cert1",