This is an automated email from the ASF dual-hosted git repository.
weichiu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new 8651aa4a76f HDDS-13343. Consider delegation token lifetime for secret
key expiry (#8742)
8651aa4a76f is described below
commit 8651aa4a76f84473b1e3d4ae8aee4601d6f4503b
Author: Sammi Chen <[email protected]>
AuthorDate: Sat Jul 12 07:04:38 2025 +0800
HDDS-13343. Consider delegation token lifetime for secret key expiry (#8742)
---
.../org/apache/hadoop/hdds/HddsConfigKeys.java | 2 +-
.../common/src/main/resources/ozone-default.xml | 22 +++++++--
.../dist/src/main/compose/common/security.conf | 3 ++
.../src/main/compose/ozonesecure-ha/docker-config | 3 ++
.../hadoop/hdds/scm/TestSecretKeySnapshot.java | 4 ++
.../apache/hadoop/hdds/scm/TestSecretKeysApi.java | 5 ++
.../org/apache/hadoop/ozone/TestBlockTokens.java | 4 ++
.../hadoop/ozone/TestSecureOzoneCluster.java | 29 +++++++++++-
.../TestContainerCommandReconciliation.java | 8 +++-
.../org/apache/hadoop/ozone/om/OzoneManager.java | 53 +++++++++++++++++-----
.../OzoneDelegationTokenSecretManager.java | 4 ++
11 files changed, 115 insertions(+), 22 deletions(-)
diff --git
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsConfigKeys.java
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsConfigKeys.java
index eaf631ed17f..3bf1bdcae1a 100644
---
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsConfigKeys.java
+++
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsConfigKeys.java
@@ -255,7 +255,7 @@ public final class HddsConfigKeys {
public static final String HDDS_SECRET_KEY_EXPIRY_DURATION =
"hdds.secret.key.expiry.duration";
- public static final String HDDS_SECRET_KEY_EXPIRY_DURATION_DEFAULT = "7d";
+ public static final String HDDS_SECRET_KEY_EXPIRY_DURATION_DEFAULT = "9d";
public static final String HDDS_SECRET_KEY_ROTATE_DURATION =
"hdds.secret.key.rotate.duration";
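Review bot: The new `9d` default is a derived number, but nothing on the constant says what it derives from, so the next person tuning `HDDS_SECRET_KEY_EXPIRY_DURATION_DEFAULT` gets no hint that the OM will refuse to start once it drops below token max-lifetime + rotate duration + remover scan interval. Add a comment on the constant, e.g. `// Must stay >= delegation token max-lifetime (7d) + secret key rotate duration (1d) + remover scan interval rounded up to 1d; the OM enforces this at startup.` The rounding rationale is taken from the ozone-default.xml text in this commit, since the remover scan interval default is not visible here. Note also that a longer validity window keeps each rotated-out key accepted for two more days, which widens the window in which a leaked key can still forge tokens — worth one sentence in the property description so operators understand the trade-off.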
diff --git a/hadoop-hdds/common/src/main/resources/ozone-default.xml
b/hadoop-hdds/common/src/main/resources/ozone-default.xml
index f240d0cfbd4..4cec20714ee 100644
--- a/hadoop-hdds/common/src/main/resources/ozone-default.xml
+++ b/hadoop-hdds/common/src/main/resources/ozone-default.xml
@@ -2773,8 +2773,14 @@
<name>ozone.manager.delegation.token.max-lifetime</name>
<value>7d</value>
<description>
- Default max time interval after which ozone delegation token will
- not be renewed.
+ Default max time interval after which ozone delegation token will not be
renewed.
+ Delegation Token is signed and verified using secret key which has a max
hdds.secret.key.expiry.duration lifetime.
+ To guarantee that the delegation token can be properly loaded, verified,
and renewed during its lifetime,
+ (ozone.manager.delegation.token.max-lifetime +
hdds.secret.key.rotate.duration +
ozone.manager.delegation.remover.scan.interval)
+ must not be greater than hdds.secret.key.expiry.duration.
+ If any of ozone.manager.delegation.token.max-lifetime,
hdds.secret.key.expiry.duration, hdds.secret.key.rotate.duration
+ or ozone.manager.delegation.remover.scan.interval value is changed, The
above constrain must be checked and
+ values be adjusted accordingly if necessary.
</description>
</property>
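Review bot: The new description text ships to every operator reading ozone-default.xml and carries two typos: `constrain` should be `constraint`, and `is changed, The above` should use a lower-case `the`. The bound is also phrased inconsistently with the OM error message introduced in this commit: here it says the sum `must not be greater than` the expiry (equality allowed, which matches the `>` check in `createDelegationTokenSecretManager`), while the exception text says the expiry `should be greater than` the sum (equality rejected). Pick one phrasing, e.g. `must be less than or equal to hdds.secret.key.expiry.duration`, and use it in both places.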
@@ -4558,12 +4564,18 @@
</property>
<property>
<name>hdds.secret.key.expiry.duration</name>
- <value>7d</value>
+ <value>9d</value>
<tag>SCM, SECURITY</tag>
<description>
The duration for which symmetric secret keys issued by SCM are valid.
- This default value, in combination with
hdds.secret.key.rotate.duration=1d, results in 7 secret keys (for the
- last 7 days) are kept valid at any point of time.
+ Secret key is used to sign delegation tokens signed by OM, so the secret
key must be valid for at least
+ (ozone.manager.delegation.token.max-lifetime +
hdds.secret.key.rotate.duration +
ozone.manager.delegation.remover.scan.interval)
+ time to guarantee that delegation tokens can be verified by OM.
Considering the default value of three properties
+ mentioned and rounding up to days, this property's default value, in
combination with hdds.secret.key.rotate.duration=1d,
+ results in 9 secret keys (for the last 9 days) are kept valid at any
point of time.
+ If any of ozone.manager.delegation.token.max-lifetime,
hdds.secret.key.rotate.duration or
+ ozone.manager.delegation.remover.scan.interval value is changed, this
property should be checked, and updated
+ accordingly if necessary.
</description>
</property>
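Review bot: `Secret key is used to sign delegation tokens signed by OM` is circular; say who signs with what, e.g. `OM signs delegation tokens with the SCM-issued secret key, so the key must remain valid for at least ...`. The closing sentence `results in 9 secret keys (for the last 9 days) are kept valid` should read `results in 9 secret keys (for the last 9 days) being kept valid at any point in time`. Small wording issues, but this is the only place operators see the sizing rule.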
<property>
diff --git a/hadoop-ozone/dist/src/main/compose/common/security.conf
b/hadoop-ozone/dist/src/main/compose/common/security.conf
index 7b74224e603..a506ce996ec 100644
--- a/hadoop-ozone/dist/src/main/compose/common/security.conf
+++ b/hadoop-ozone/dist/src/main/compose/common/security.conf
@@ -56,6 +56,9 @@
OZONE-SITE.XML_ozone.http.filter.initializers=org.apache.hadoop.security.Authent
OZONE-SITE.XML_hdds.secret.key.rotate.duration=5m
OZONE-SITE.XML_hdds.secret.key.rotate.check.duration=1m
OZONE-SITE.XML_hdds.secret.key.expiry.duration=1h
+OZONE-SITE.XML_ozone.manager.delegation.token.max-lifetime=30m
+OZONE-SITE.XML_ozone.manager.delegation.token.renew-interval=5m
+OZONE-SITE.XML_ozone.manager.delegation.remover.scan.interval=1m
OZONE-SITE.XML_ozone.om.http.auth.type=kerberos
OZONE-SITE.XML_hdds.scm.http.auth.type=kerberos
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-config
b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-config
index 38db5ac1fa4..a4f2b16b81d 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-config
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-config
@@ -171,3 +171,6 @@ OZONE-SITE.XML_ozone.filesystem.snapshot.enabled=true
OZONE-SITE.XML_hdds.secret.key.rotate.duration=5m
OZONE-SITE.XML_hdds.secret.key.rotate.check.duration=1m
OZONE-SITE.XML_hdds.secret.key.expiry.duration=1h
+OZONE-SITE.XML_ozone.manager.delegation.token.max-lifetime=30m
+OZONE-SITE.XML_ozone.manager.delegation.token.renew-interval=5m
+OZONE-SITE.XML_ozone.manager.delegation.remover.scan.interval=1m
diff --git
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/TestSecretKeySnapshot.java
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/TestSecretKeySnapshot.java
index 6252f1f5f2f..57179ec3d5e 100644
---
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/TestSecretKeySnapshot.java
+++
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/TestSecretKeySnapshot.java
@@ -31,6 +31,8 @@
import static
org.apache.hadoop.hdds.scm.server.SCMHTTPServerConfig.ConfigStrings.HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY;
import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS;
import static
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY;
+import static
org.apache.hadoop.ozone.om.OMConfigKeys.DELEGATION_REMOVER_SCAN_INTERVAL_KEY;
+import static
org.apache.hadoop.ozone.om.OMConfigKeys.DELEGATION_TOKEN_MAX_LIFETIME_KEY;
import static
org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_HTTP_KERBEROS_KEYTAB_FILE;
import static
org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_HTTP_KERBEROS_PRINCIPAL_KEY;
import static
org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_KERBEROS_KEYTAB_FILE_KEY;
@@ -113,6 +115,8 @@ public void init() throws Exception {
ROTATE_CHECK_DURATION_MS + "ms");
conf.set(HDDS_SECRET_KEY_ROTATE_DURATION, ROTATE_DURATION_MS + "ms");
conf.set(HDDS_SECRET_KEY_EXPIRY_DURATION, EXPIRY_DURATION_MS + "ms");
+ conf.set(DELEGATION_TOKEN_MAX_LIFETIME_KEY, ROTATE_DURATION_MS + "ms");
+ conf.set(DELEGATION_REMOVER_SCAN_INTERVAL_KEY, ROTATE_CHECK_DURATION_MS +
"ms");
MiniOzoneHAClusterImpl.Builder builder =
MiniOzoneCluster.newHABuilder(conf);
builder
diff --git
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/TestSecretKeysApi.java
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/TestSecretKeysApi.java
index e4e2dcdd194..0f68cc9ab39 100644
---
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/TestSecretKeysApi.java
+++
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/hdds/scm/TestSecretKeysApi.java
@@ -33,6 +33,8 @@
import static
org.apache.hadoop.hdds.utils.HddsServerUtil.getSecretKeyClientForDatanode;
import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS;
import static
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY;
+import static
org.apache.hadoop.ozone.om.OMConfigKeys.DELEGATION_REMOVER_SCAN_INTERVAL_KEY;
+import static
org.apache.hadoop.ozone.om.OMConfigKeys.DELEGATION_TOKEN_MAX_LIFETIME_KEY;
import static
org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_HTTP_KERBEROS_KEYTAB_FILE;
import static
org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_HTTP_KERBEROS_PRINCIPAL_KEY;
import static
org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_KERBEROS_KEYTAB_FILE_KEY;
@@ -185,6 +187,8 @@ public void testSecretKeyApiSuccess() throws Exception {
conf.set(HDDS_SECRET_KEY_ROTATE_CHECK_DURATION, "100ms");
conf.set(HDDS_SECRET_KEY_ROTATE_DURATION, "1s");
conf.set(HDDS_SECRET_KEY_EXPIRY_DURATION, "3000ms");
+ conf.set(DELEGATION_TOKEN_MAX_LIFETIME_KEY, "1500ms");
+ conf.set(DELEGATION_REMOVER_SCAN_INTERVAL_KEY, "100ms");
startCluster(3);
SecretKeyProtocol secretKeyProtocol = getSecretKeyProtocol();
@@ -258,6 +262,7 @@ public void testSecretKeyAfterSCMFailover() throws
Exception {
conf.set(HDDS_SECRET_KEY_ROTATE_CHECK_DURATION, "10m");
conf.set(HDDS_SECRET_KEY_ROTATE_DURATION, "1d");
conf.set(HDDS_SECRET_KEY_EXPIRY_DURATION, "7d");
+ conf.set(DELEGATION_TOKEN_MAX_LIFETIME_KEY, "5d");
startCluster(3);
SecretKeyProtocol securityProtocol = getSecretKeyProtocol();
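Review bot: This hunk sets the token max-lifetime to 5d under a 7d expiry and 1d rotation but leaves `ozone.manager.delegation.remover.scan.interval` at its default, so the new OM startup check passes only while that default stays at or below 1d; the default is not visible in this diff, so the remaining margin is inferred. The sibling hunk in `testSecretKeyApiSuccess` pins the interval explicitly; do the same here, `conf.set(DELEGATION_REMOVER_SCAN_INTERVAL_KEY, "1h");`, so a future change to the default cannot turn this failover test into an unrelated startup failure.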
diff --git
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestBlockTokens.java
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestBlockTokens.java
index a3e56f659c2..d8d8ac08cc5 100644
---
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestBlockTokens.java
+++
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestBlockTokens.java
@@ -35,6 +35,8 @@
import static
org.apache.hadoop.hdds.scm.server.SCMHTTPServerConfig.ConfigStrings.HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY;
import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ADMINISTRATORS;
import static
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY;
+import static
org.apache.hadoop.ozone.om.OMConfigKeys.DELEGATION_REMOVER_SCAN_INTERVAL_KEY;
+import static
org.apache.hadoop.ozone.om.OMConfigKeys.DELEGATION_TOKEN_MAX_LIFETIME_KEY;
import static
org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_HTTP_KERBEROS_KEYTAB_FILE;
import static
org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_HTTP_KERBEROS_PRINCIPAL_KEY;
import static
org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_KERBEROS_KEYTAB_FILE_KEY;
@@ -309,6 +311,8 @@ private static void setSecretKeysConfig() {
ROTATION_CHECK_DURATION_IN_MS + "ms");
conf.set(HDDS_SECRET_KEY_ROTATE_DURATION, ROTATE_DURATION_IN_MS + "ms");
conf.set(HDDS_SECRET_KEY_EXPIRY_DURATION, EXPIRY_DURATION_IN_MS + "ms");
+ conf.set(DELEGATION_TOKEN_MAX_LIFETIME_KEY, ROTATE_DURATION_IN_MS + "ms");
+ conf.set(DELEGATION_REMOVER_SCAN_INTERVAL_KEY,
ROTATION_CHECK_DURATION_IN_MS + "ms");
// enable tokens
conf.setBoolean(HDDS_BLOCK_TOKEN_ENABLED, true);
diff --git
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
index 9e5aa5b69cc..a1a5afdfe43 100644
---
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
+++
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
@@ -19,6 +19,7 @@
import static
org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_GRPC_TLS_ENABLED;
+import static
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_SECRET_KEY_EXPIRY_DURATION;
import static
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_CA_ROTATION_ACK_TIMEOUT;
import static
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_CA_ROTATION_CHECK_INTERNAL;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_DEFAULT_DURATION;
@@ -88,6 +89,7 @@
import java.util.Properties;
import java.util.UUID;
import java.util.concurrent.Callable;
+import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.io.IOUtils;
@@ -535,6 +537,31 @@ void testSecureOMInitializationFailure() throws Exception {
}
}
+ /**
+ * Tests the secure om Initialization Failure due to delegation token and
secret key configuration don't meet
+ * requirement.
+ */
+ @Test
+ void testSecureOMDelegationTokenSecretManagerInitializationFailure() throws
Exception {
+ initSCM();
+ // Create a secure SCM instance as om client will connect to it
+ scm = HddsTestUtils.getScmSimple(conf);
+ try {
+ scm.start();
+ conf.setTimeDuration(HDDS_SECRET_KEY_EXPIRY_DURATION, 7, TimeUnit.DAYS);
+ conf.setTimeDuration(OMConfigKeys.DELEGATION_TOKEN_MAX_LIFETIME_KEY, 7,
TimeUnit.DAYS);
+ IllegalArgumentException exception = assertThrows(
+ IllegalArgumentException.class, () -> setupOm(conf));
+ assertTrue(exception.getMessage().contains("Secret key expiry duration
hdds.secret.key.expiry.duration " +
+ "should be greater than value of
(ozone.manager.delegation.token.max-lifetime + " +
+ "ozone.manager.delegation.remover.scan.interval +
hdds.secret.key.rotate.duration"));
+ } finally {
+ if (scm != null) {
+ scm.stop();
+ }
+ }
+ }
+
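Review bot: The test mutates the shared `conf` (`HDDS_SECRET_KEY_EXPIRY_DURATION` and `DELEGATION_TOKEN_MAX_LIFETIME_KEY`) and never restores it; whether `conf` is rebuilt per test depends on setup code outside this hunk, and if it is not, every later test in the class inherits a configuration the OM now refuses to start with. Either reset the two keys in the `finally` (e.g. `conf.unset(HDDS_SECRET_KEY_EXPIRY_DURATION);`) or build the failing configuration on a copy, `OzoneConfiguration bad = new OzoneConfiguration(conf);`, and pass that to `setupOm`. The assertion also copies most of the error text verbatim, so any rewording of the message breaks it; asserting that the message contains the two config-key constants would be less brittle. The Javadoc sentence `due to delegation token and secret key configuration don't meet requirement` reads better as `because the delegation token and secret key configuration does not meet the requirement`.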
/**
* Tests the secure om Initialization success.
*/
@@ -866,7 +893,6 @@ void testSecureOmReInit() throws Exception {
scm.stop();
}
}
-
}
/**
@@ -913,7 +939,6 @@ void testSecureOmInitSuccess() throws Exception {
}
IOUtils.closeQuietly(om);
}
-
}
/**
diff --git
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/dn/checksum/TestContainerCommandReconciliation.java
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/dn/checksum/TestContainerCommandReconciliation.java
index f47c66bf9c5..e4e25566bf4 100644
---
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/dn/checksum/TestContainerCommandReconciliation.java
+++
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/dn/checksum/TestContainerCommandReconciliation.java
@@ -49,6 +49,8 @@
import static
org.apache.hadoop.ozone.container.checksum.ContainerMerkleTreeTestUtils.assertTreesSortedAndMatch;
import static
org.apache.hadoop.ozone.container.checksum.ContainerMerkleTreeTestUtils.buildTestTree;
import static
org.apache.hadoop.ozone.container.checksum.ContainerMerkleTreeTestUtils.readChecksumFile;
+import static
org.apache.hadoop.ozone.om.OMConfigKeys.DELEGATION_REMOVER_SCAN_INTERVAL_KEY;
+import static
org.apache.hadoop.ozone.om.OMConfigKeys.DELEGATION_TOKEN_MAX_LIFETIME_KEY;
import static
org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_HTTP_KERBEROS_KEYTAB_FILE;
import static
org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_HTTP_KERBEROS_PRINCIPAL_KEY;
import static
org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_OM_KERBEROS_KEYTAB_FILE_KEY;
@@ -600,9 +602,11 @@ public static void writeChecksumFileToDatanodes(long
containerID, ContainerMerkl
private static void setSecretKeysConfig() {
// Secret key lifecycle configs.
- conf.set(HDDS_SECRET_KEY_ROTATE_CHECK_DURATION, "500s");
- conf.set(HDDS_SECRET_KEY_ROTATE_DURATION, "500s");
+ conf.set(HDDS_SECRET_KEY_ROTATE_CHECK_DURATION, "1s");
+ conf.set(HDDS_SECRET_KEY_ROTATE_DURATION, "100s");
conf.set(HDDS_SECRET_KEY_EXPIRY_DURATION, "500s");
+ conf.set(DELEGATION_TOKEN_MAX_LIFETIME_KEY, "300s");
+ conf.set(DELEGATION_REMOVER_SCAN_INTERVAL_KEY, "1s");
// enable tokens
conf.setBoolean(HDDS_BLOCK_TOKEN_ENABLED, true);
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
index 66dc87e1433..a5df1337dc0 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
@@ -49,6 +49,7 @@
import static org.apache.hadoop.ozone.OzoneConsts.OZONE_RATIS_SNAPSHOT_DIR;
import static org.apache.hadoop.ozone.OzoneConsts.PREPARE_MARKER_KEY;
import static org.apache.hadoop.ozone.OzoneConsts.RPC_PORT;
+import static org.apache.hadoop.ozone.OzoneConsts.SCM_CA_CERT_STORAGE_DIR;
import static org.apache.hadoop.ozone.OzoneConsts.TRANSACTION_INFO_KEY;
import static
org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_DEFAULT_BUCKET_LAYOUT;
import static
org.apache.hadoop.ozone.om.OMConfigKeys.OZONE_DEFAULT_BUCKET_LAYOUT_DEFAULT;
@@ -191,6 +192,7 @@
import org.apache.hadoop.hdds.security.exception.OzoneSecurityException;
import org.apache.hadoop.hdds.security.symmetric.DefaultSecretKeyClient;
import org.apache.hadoop.hdds.security.symmetric.SecretKeyClient;
+import org.apache.hadoop.hdds.security.symmetric.SecretKeyConfig;
import org.apache.hadoop.hdds.security.token.OzoneBlockTokenSecretManager;
import
org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.server.OzoneAdmins;
@@ -955,7 +957,19 @@ private void instantiateServices(boolean withNewSnapshot)
throws IOException {
metadataManager.getLock()
);
if (secConfig.isSecurityEnabled() || testSecureOmFlag) {
- delegationTokenMgr = createDelegationTokenSecretManager(configuration);
+ try {
+ delegationTokenMgr = createDelegationTokenSecretManager(configuration);
+ } catch (IllegalArgumentException e) {
+ if (metadataManager != null) {
+ // to avoid the unit test leak report failure
+ try {
+ metadataManager.stop();
+ } catch (Exception ex) {
+ LOG.warn("Failed to stop metadataManager", e);
+ }
+ }
+ throw e;
+ }
}
prefixManager = new PrefixManagerImpl(this, metadataManager, true);
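Review bot: `LOG.warn("Failed to stop metadataManager", e)` in the inner catch logs the outer `IllegalArgumentException` instead of the stop failure `ex`, so the actual cause of the failed shutdown is lost; it should be `LOG.warn("Failed to stop metadataManager", ex);`. Catching only `IllegalArgumentException` also means any other exception escaping `createDelegationTokenSecretManager` (the enclosing method is declared `throws IOException`) leaves `metadataManager` running; if that path is reachable, the cleanup belongs in a `try … catch (Exception | Error)`-style path that rethrows, rather than being special-cased to one exception type. `instantiateServices` starts and ends outside this hunk.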
@@ -1170,17 +1184,32 @@ private OzoneDelegationTokenSecretManager
createDelegationTokenSecretManager(
conf.getTimeDuration(OMConfigKeys.DELEGATION_TOKEN_RENEW_INTERVAL_KEY,
OMConfigKeys.DELEGATION_TOKEN_RENEW_INTERVAL_DEFAULT,
TimeUnit.MILLISECONDS);
- long certificateGracePeriod = Duration.parse(
- conf.get(HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION,
- HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION_DEFAULT)).toMillis();
- boolean tokenSanityChecksEnabled = conf.getBoolean(
- HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED,
- HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED_DEFAULT);
- if (tokenSanityChecksEnabled && tokenMaxLifetime > certificateGracePeriod)
{
- throw new IllegalArgumentException("Certificate grace period " +
- HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION +
- " should be greater than maximum delegation token lifetime " +
- OMConfigKeys.DELEGATION_TOKEN_MAX_LIFETIME_KEY);
+
+ if
(versionManager.isAllowed(OMLayoutFeature.DELEGATION_TOKEN_SYMMETRIC_SIGN)) {
+ // verify the configuration dependency between dt and secret key
+ SecretKeyConfig secretKeyConfig = new SecretKeyConfig(conf,
SCM_CA_CERT_STORAGE_DIR);
+ long skExpiryDuration = secretKeyConfig.getExpiryDuration().toMillis();
+ long skRotationDuration = secretKeyConfig.getRotateDuration().toMillis();
+ if ((skRotationDuration + tokenMaxLifetime + tokenRemoverScanInterval) >
skExpiryDuration) {
+ throw new IllegalArgumentException("Secret key expiry duration " +
+ HddsConfigKeys.HDDS_SECRET_KEY_EXPIRY_DURATION +
+ " should be greater than value of (" +
OMConfigKeys.DELEGATION_TOKEN_MAX_LIFETIME_KEY + " + " +
+ OMConfigKeys.DELEGATION_REMOVER_SCAN_INTERVAL_KEY + " + " +
+ HddsConfigKeys.HDDS_SECRET_KEY_ROTATE_DURATION);
+ }
+ } else {
+ long certificateGracePeriod = Duration.parse(
+ conf.get(HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION,
+
HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION_DEFAULT)).toMillis();
+ boolean tokenSanityChecksEnabled = conf.getBoolean(
+ HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED,
+
HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED_DEFAULT);
+ if (tokenSanityChecksEnabled && tokenMaxLifetime >
certificateGracePeriod) {
+ throw new IllegalArgumentException("Certificate grace period " +
+ HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION +
+ " should be greater than maximum delegation token lifetime " +
+ OMConfigKeys.DELEGATION_TOKEN_MAX_LIFETIME_KEY);
+ }
}
return new OzoneDelegationTokenSecretManager.Builder()
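Review bot: The new exception message opens a parenthesis after `value of (` but never closes it, and it names the three keys without printing any of the four configured durations, so an operator hit by this at startup has to go and look up every value by hand. The check itself accepts equality (`>`), while the message says the expiry `should be greater than` the sum, so the wording does not match the condition. Print the actual sum and the configured expiry, close the parenthesis, and phrase the bound as the code enforces it; the substring assertion in `testSecureOMDelegationTokenSecretManagerInitializationFailure` must be updated in the same commit. `createDelegationTokenSecretManager` begins outside this hunk.
```java
    if ((skRotationDuration + tokenMaxLifetime + tokenRemoverScanInterval) > skExpiryDuration) {
      throw new IllegalArgumentException("Secret key expiry duration " +
          HddsConfigKeys.HDDS_SECRET_KEY_EXPIRY_DURATION + " (" + skExpiryDuration + "ms)" +
          " must be at least (" + OMConfigKeys.DELEGATION_TOKEN_MAX_LIFETIME_KEY + " + " +
          OMConfigKeys.DELEGATION_REMOVER_SCAN_INTERVAL_KEY + " + " +
          HddsConfigKeys.HDDS_SECRET_KEY_ROTATE_DURATION + ") = " +
          (tokenMaxLifetime + tokenRemoverScanInterval + skRotationDuration) + "ms");
    }
    // … unchanged: certificate grace-period branch and builder …
```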
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
index 49ec21bef68..5a53740416f 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java
@@ -414,6 +414,10 @@ public boolean verifySignature(OzoneTokenIdentifier
identifier,
if (StringUtils.isNotEmpty(secretKeyId)) {
try {
ManagedSecretKey verifyKey =
secretKeyClient.getSecretKey(UUID.fromString(secretKeyId));
+ if (verifyKey == null) {
+ throw new SCMSecurityException("Secret verify key " +
UUID.fromString(secretKeyId) +
+ " not found for token " + formatTokenId(identifier));
+ }
return verifyKey.isValidSignature(identifier.getBytes(), password);
} catch (SCMSecurityException e) {
LOG.error("verifySignature for identifier {} failed", identifier, e);
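Review bot: `UUID.fromString(secretKeyId)` is now evaluated twice, once for the lookup and again to build the message; hoist it, `UUID keyId = UUID.fromString(secretKeyId);`, and use `keyId` in both places. More importantly, `UUID.fromString` throws `IllegalArgumentException` on a malformed id, and `secretKeyId` presumably comes from the token identifier a client presents, so that exception is not covered by the `catch (SCMSecurityException e)` below and would propagate out of `verifySignature` rather than being treated as a failed verification; this is pre-existing, but the added line doubles the exposure. Catch `IllegalArgumentException` alongside, or convert it to an `SCMSecurityException` before the lookup, so a token with a garbage key id is rejected like any other bad signature. The method and its catch block continue outside the hunk.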