add OM layout feature DELEGATION_TOKEN_SYMMETRIC_SIGN

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/upgrade/OMLayoutFeature.java

@@ -46,7 +46,8 @@ public enum OMLayoutFeature implements LayoutFeature {
   FILESYSTEM_SNAPSHOT(5, "Ozone version supporting snapshot"),
 
   QUOTA(6, "Ozone quota re-calculate"),
-  HBASE_SUPPORT(7, "Full support of hsync, lease recovery and listOpenFiles APIs for HBase");
+  HBASE_SUPPORT(7, "Full support of hsync, lease recovery and listOpenFiles APIs for HBase"),
+  DELEGATION_TOKEN_SYMMETRIC_SIGN(8, "Delegation token signed by symmetric key");
 
   ///////////////////////////////  /////////////////////////////
   //    Example OM Layout Feature with Actions

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java

@@ -47,6 +47,7 @@
 import org.apache.hadoop.ozone.om.exceptions.OMException;
 import org.apache.hadoop.ozone.om.exceptions.OMLeaderNotReadyException;
 import org.apache.hadoop.ozone.om.exceptions.OMNotLeaderException;
+import org.apache.hadoop.ozone.om.upgrade.OMLayoutFeature;
 import org.apache.hadoop.ozone.security.OzoneSecretStore.OzoneManagerSecretState;
 import org.apache.hadoop.ozone.security.OzoneTokenIdentifier.TokenInfo;
 import org.apache.hadoop.security.AccessControlException;
@@ -207,10 +208,16 @@ public Token<OzoneTokenIdentifier> createToken(Text owner, Text renewer,
       throws IOException {
     OzoneTokenIdentifier identifier = createIdentifier(owner, renewer,
         realUser);
-    ManagedSecretKey currentSecretKey = secretKeyClient.getCurrentSecretKey();
     updateIdentifierDetails(identifier);
-    identifier.setSecretKeyId(currentSecretKey.getId().toString());
-    byte[] password = currentSecretKey.sign(identifier.getBytes());
+    byte[] password;
+    if (ozoneManager.getVersionManager().isAllowed(OMLayoutFeature.DELEGATION_TOKEN_SYMMETRIC_SIGN)) {
+      ManagedSecretKey currentSecretKey = secretKeyClient.getCurrentSecretKey();
+      identifier.setSecretKeyId(currentSecretKey.getId().toString());
+      password = currentSecretKey.sign(identifier.getBytes());
+    } else {
+      identifier.setOmCertSerialId(getCertSerialId());
+      password = createPassword(identifier.getBytes(), getCurrentKey().getPrivateKey());
+    }
     long expiryTime = identifier.getIssueDate() + getTokenRenewInterval();
 
     // For HA ratis will take care of updating.

hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneDelegationTokenSecretManager.java

@@ -51,6 +51,8 @@
 import org.apache.hadoop.ozone.om.exceptions.OMLeaderNotReadyException;
 import org.apache.hadoop.ozone.om.exceptions.OMNotLeaderException;
 import org.apache.hadoop.ozone.om.helpers.S3SecretValue;
+import org.apache.hadoop.ozone.om.upgrade.OMLayoutVersionManager;
+import org.apache.hadoop.ozone.upgrade.LayoutFeature;
 import org.apache.hadoop.security.AccessControlException;
 import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
 import org.apache.hadoop.security.token.SecretManager;
@@ -65,6 +67,7 @@
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.doNothing;
 import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.mock;
@@ -117,6 +120,9 @@ public void setUp() throws Exception {
     om = mock(OzoneManager.class);
     OMMetadataManager metadataManager = new OmMetadataManagerImpl(conf, om);
     when(om.getMetadataManager()).thenReturn(metadataManager);
+    OMLayoutVersionManager versionManager = mock(OMLayoutVersionManager.class);
+    when(versionManager.isAllowed(any(LayoutFeature.class))).thenReturn(true);
+    when(om.getVersionManager()).thenReturn(versionManager);
     s3SecretManager = new S3SecretLockedManager(
         new S3SecretManagerImpl(new S3SecretStoreMap(s3Secrets),
             mock(S3SecretCache.class)),