From 23c495c62a200c5d7a49ebf7eaa97b4b5ad3a67b Mon Sep 17 00:00:00 2001
From: Sammi Chen
Date: Tue, 13 Dec 2022 14:42:22 +0800
Subject: [PATCH] remove hadoop security dependecy
---
 .../hdds/security/ssl/KeyStoresFactory.java | 11 ++++++-----
 .../hdds/security/ssl/MonitoringTimerTask.java | 2 --
 .../ssl/PemFileBasedKeyStoresFactory.java | 15 +++++++--------
 .../security/ssl/ReloadingX509KeyManager.java | 7 +++----
 .../security/ssl/ReloadingX509TrustManager.java | 9 ++++-----
 .../hdds/security/x509/keys/SecurityUtil.java | 4 ++--
 .../ssl/TestPemFileBasedKeyStoresFactory.java | 9 ++++-----
 7 files changed, 26 insertions(+), 31 deletions(-)
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/KeyStoresFactory.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/KeyStoresFactory.java
index fb5ac50da4cf..17811a28c9f6 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/KeyStoresFactory.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/KeyStoresFactory.java
@@ -17,9 +17,8 @@
  */
 package org.apache.hadoop.hdds.security.ssl;
 
-import org.apache.hadoop.classification.InterfaceAudience;
-import org.apache.hadoop.classification.InterfaceStability;
-import org.apache.hadoop.security.ssl.SSLFactory;
+import org.apache.hadoop.hdds.annotation.InterfaceAudience;
+import org.apache.hadoop.hdds.annotation.InterfaceStability;
 
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.TrustManager;
@@ -34,6 +33,8 @@
 @InterfaceStability.Evolving
 public interface KeyStoresFactory {
 
+  enum Mode { CLIENT, SERVER }
+
   /**
    * Initializes the keystores of the factory.
    *
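Review bot: The new nested `enum Mode { CLIENT, SERVER }` in KeyStoresFactory has no Javadoc, while the interface is published as `@InterfaceStability.Evolving` and the members around it are documented; an enum declared in an interface is implicitly public, so this is new API surface. Suggest adding above it: `/** Side of the TLS connection the factory is initialised for: CLIENT or SERVER. */`. The constant names are also what `mode.toString()` prints in the reload log lines of PemFileBasedKeyStoresFactory, so a later rename would change log output; a short comment noting that would help.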
@@ -45,8 +46,8 @@ public interface KeyStoresFactory {
    * @throws GeneralSecurityException thrown if the keystores could not be
    * initialized due to an security error.
    */
-  void init(SSLFactory.Mode mode, boolean requireClientAuth)
-      throws IOException, GeneralSecurityException;
+  void init(Mode mode, boolean requireClientAuth) throws IOException,
+      GeneralSecurityException;
 
   /**
    * Releases any resources being used.
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/MonitoringTimerTask.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/MonitoringTimerTask.java
index fdb372f732d6..d6dd1ff7f7c8 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/MonitoringTimerTask.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/MonitoringTimerTask.java
@@ -17,7 +17,6 @@
  */
 package org.apache.hadoop.hdds.security.ssl;
 
-import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
@@ -33,7 +32,6 @@
  * can optionally also be specified in the constructor, otherwise any
  * exception occurring during process will be logged using this class' logger.
  */
-@InterfaceAudience.Private
 public class MonitoringTimerTask extends TimerTask {
   static final Logger LOG = LoggerFactory.getLogger(MonitoringTimerTask.class);
 
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/PemFileBasedKeyStoresFactory.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/PemFileBasedKeyStoresFactory.java
index d63bdcd0239e..1a8b33f403b4 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/PemFileBasedKeyStoresFactory.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/PemFileBasedKeyStoresFactory.java
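Review bot: `@InterfaceAudience.Private` on MonitoringTimerTask is dropped outright instead of being re-pointed at `org.apache.hadoop.hdds.annotation.InterfaceAudience`, which is what the four other files in this commit that touch the same import do; the class therefore ends up with no declared audience, inconsistent with its siblings in the same package. Keep the annotation with the replacement import: `import org.apache.hadoop.hdds.annotation.InterfaceAudience;` in the first hunk and `@InterfaceAudience.Private` back above `public class MonitoringTimerTask extends TimerTask {`. If widening the audience is intended, the commit message should say so.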
@@ -18,11 +18,10 @@
 package org.apache.hadoop.hdds.security.ssl;
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
-import org.apache.hadoop.classification.InterfaceAudience;
-import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.hdds.annotation.InterfaceAudience;
+import org.apache.hadoop.hdds.annotation.InterfaceStability;
 import org.apache.hadoop.hdds.security.x509.SecurityConfig;
 import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
-import org.apache.hadoop.security.ssl.SSLFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -78,7 +77,7 @@ public PemFileBasedKeyStoresFactory(SecurityConfig securityConfig,
    * to reload truststore.
    * @param mode client or server
    */
-  private void createTrustManagers(SSLFactory.Mode mode) throws
+  private void createTrustManagers(Mode mode) throws
       GeneralSecurityException, IOException {
     long truststoreReloadInterval = secConfig.getSslTruststoreReloadInterval();
     LOG.info(mode.toString() + " TrustStore reloading at " +
@@ -105,7 +104,7 @@ private void createTrustManagers(SSLFactory.Mode mode) throws
    * to reload keystores.
    * @param mode client or server
    */
-  private void createKeyManagers(SSLFactory.Mode mode) throws
+  private void createKeyManagers(Mode mode) throws
       GeneralSecurityException, IOException {
     long keystoreReloadInterval = secConfig.getSslKeystoreReloadInterval();
     LOG.info(mode.toString() + " KeyStore reloading at " +
@@ -139,20 +138,20 @@ private void createKeyManagers(SSLFactory.Mode mode) throws
    * @throws GeneralSecurityException thrown if the keystores could not be
    * initialized due to a security error.
    */
-  public synchronized void init(SSLFactory.Mode mode, boolean requireClientAuth)
+  public synchronized void init(Mode mode, boolean requireClientAuth)
       throws IOException, GeneralSecurityException {
     monitoringTimer = new Timer(caClient.getComponentName() + "-" +
         SSL_MONITORING_THREAD_NAME, true);
 
     // key manager
-    if (requireClientAuth || mode == SSLFactory.Mode.SERVER) {
+    if (requireClientAuth || mode == Mode.SERVER) {
       createKeyManagers(mode);
     } else {
       KeyStore keystore = KeyStore.getInstance(DEFAULT_KEYSTORE_TYPE);
       keystore.load(null, null);
       KeyManagerFactory keyMgrFactory = KeyManagerFactory
-          .getInstance(SSLFactory.SSLCERTIFICATE);
+          .getInstance(KeyManagerFactory.getDefaultAlgorithm());
       keyMgrFactory.init(keystore, null);
       keyManagers = keyMgrFactory.getKeyManagers();
 
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/ReloadingX509KeyManager.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/ReloadingX509KeyManager.java
index 6d84ebbd985f..ee2805cb1cff 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/ReloadingX509KeyManager.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/ReloadingX509KeyManager.java
@@ -17,10 +17,9 @@
  */
 package org.apache.hadoop.hdds.security.ssl;
 
-import org.apache.hadoop.classification.InterfaceAudience;
-import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.hdds.annotation.InterfaceAudience;
+import org.apache.hadoop.hdds.annotation.InterfaceStability;
 import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
-import org.apache.hadoop.security.ssl.SSLFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
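Review bot: Replacing the removed fixed-algorithm constant with `KeyManagerFactory.getDefaultAlgorithm()` in init is a behavioural change rather than a pure dependency swap: the key manager algorithm is now read from the JVM's `ssl.KeyManagerFactory.algorithm` security property, which a deployment can override in its java.security file, instead of being pinned by the code. The same substitution is made in ReloadingX509KeyManager.loadKeyManager. It is a sensible default, but it deserves a line in the commit message and a comment at the call site, e.g. `// algorithm comes from the ssl.KeyManagerFactory.algorithm security property`. init's body continues past the end of the hunk.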
@@ -163,7 +162,7 @@ private X509ExtendedKeyManager loadKeyManager(CertificateClient caClient)
         privateKey, EMPTY_PASSWORD, new Certificate[]{cert});
 
     KeyManagerFactory keyMgrFactory = KeyManagerFactory.getInstance(
-        SSLFactory.SSLCERTIFICATE);
+        KeyManagerFactory.getDefaultAlgorithm());
     keyMgrFactory.init(keystore, EMPTY_PASSWORD);
     for (KeyManager candidate: keyMgrFactory.getKeyManagers()) {
       if (candidate instanceof X509ExtendedKeyManager) {
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/ReloadingX509TrustManager.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/ReloadingX509TrustManager.java
index e209bdc56fbb..5252c278ddb7 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/ReloadingX509TrustManager.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/ReloadingX509TrustManager.java
@@ -17,10 +17,9 @@
  */
 package org.apache.hadoop.hdds.security.ssl;
 
-import org.apache.hadoop.classification.InterfaceAudience;
-import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.hdds.annotation.InterfaceAudience;
+import org.apache.hadoop.hdds.annotation.InterfaceStability;
 import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
-import org.apache.hadoop.security.ssl.SSLFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -137,8 +136,8 @@ X509TrustManager loadTrustManager(CertificateClient caClient)
     ks.load(null, null);
     ks.setCertificateEntry(certId, cert);
 
-    TrustManagerFactory trustManagerFactory =
-        TrustManagerFactory.getInstance(SSLFactory.SSLCERTIFICATE);
+    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
+        TrustManagerFactory.getDefaultAlgorithm());
     trustManagerFactory.init(ks);
     TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
     for (TrustManager trustManager1 : trustManagers) {
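Review bot: On the trust side the move to `TrustManagerFactory.getDefaultAlgorithm()` in loadTrustManager has more effect than the key-side change: the stock JDK default for `ssl.TrustManagerFactory.algorithm` is `PKIX`, whose trust manager performs full certification-path validation, so if, as its name suggests, the removed constant pinned a SunX509-style algorithm with the simpler validator, peer certificates that passed before may be rejected after a reload. The truststore built here holds only the single `certId`/`cert` entry, so that one anchor now has to satisfy PKIX path building on its own. The change is sound, but it should be stated in the commit message and exercised by testConnectionWithCertReload. loadTrustManager's body continues outside the hunk.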
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/keys/SecurityUtil.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/keys/SecurityUtil.java
index 5085b6f42e06..102f3b695b8a 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/keys/SecurityUtil.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/keys/SecurityUtil.java
@@ -148,7 +148,7 @@ public static KeyStoresFactory getServerKeyStoresFactory(
     PemFileBasedKeyStoresFactory factory =
         new PemFileBasedKeyStoresFactory(securityConfig, client);
     try {
-      factory.init(SSLFactory.Mode.SERVER, requireClientAuth);
+      factory.init(KeyStoresFactory.Mode.SERVER, requireClientAuth);
     } catch (IOException | GeneralSecurityException e) {
       throw new CertificateException("Failed to init keyStoresFactory", e,
           CertificateException.ErrorCode.KEYSTORE_ERROR);
@@ -163,7 +163,7 @@ public static KeyStoresFactory getClientKeyStoresFactory(
         new PemFileBasedKeyStoresFactory(securityConfig, client);
 
     try {
-      factory.init(SSLFactory.Mode.CLIENT, requireClientAuth);
+      factory.init(KeyStoresFactory.Mode.CLIENT, requireClientAuth);
     } catch (IOException | GeneralSecurityException e) {
       throw new CertificateException("Failed to init keyStoresFactory", e,
           CertificateException.ErrorCode.KEYSTORE_ERROR);
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/ssl/TestPemFileBasedKeyStoresFactory.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/ssl/TestPemFileBasedKeyStoresFactory.java
index adf66d94de8e..236439a37694 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/ssl/TestPemFileBasedKeyStoresFactory.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/ssl/TestPemFileBasedKeyStoresFactory.java
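Review bot: The `import org.apache.hadoop.security.ssl.SSLFactory;` that the unqualified `SSLFactory.Mode` references on the removed lines rely on is not deleted from SecurityUtil: the diffstat lists the file with only 2 insertions and 2 deletions, all visible in these two hunks, so after the patch it still imports the very dependency the commit is removing. Either that import is now unused (an UnusedImports checkstyle failure) or SSLFactory is still referenced elsewhere in the file, in which case the dependency is not actually gone; both are worth resolving in this commit, e.g. `-import org.apache.hadoop.security.ssl.SSLFactory;`. The enclosing methods getServerKeyStoresFactory and getClientKeyStoresFactory both start before and end after their hunks.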
@@ -33,7 +33,6 @@
 import org.apache.hadoop.hdds.security.x509.CertificateClientTest;
 import org.apache.hadoop.hdds.security.x509.SecurityConfig;
 import org.apache.hadoop.ozone.container.ContainerTestHelper;
-import org.apache.hadoop.security.ssl.SSLFactory;
 import org.apache.ratis.thirdparty.io.grpc.ManagedChannel;
 import org.apache.ratis.thirdparty.io.grpc.Server;
 import org.apache.ratis.thirdparty.io.grpc.netty.GrpcSslContexts;
@@ -84,7 +83,7 @@ private void clientMode(boolean clientAuth) throws Exception {
     KeyStoresFactory keyStoresFactory = new PemFileBasedKeyStoresFactory(
         secConf, caClient);
     try {
-      keyStoresFactory.init(SSLFactory.Mode.CLIENT, clientAuth);
+      keyStoresFactory.init(KeyStoresFactory.Mode.CLIENT, clientAuth);
       if (clientAuth) {
         Assert.assertTrue(keyStoresFactory.getKeyManagers()[0]
             instanceof ReloadingX509KeyManager);
@@ -103,7 +102,7 @@ private void serverMode(boolean clientAuth) throws Exception {
     KeyStoresFactory keyStoresFactory = new PemFileBasedKeyStoresFactory(
         secConf, caClient);
     try {
-      keyStoresFactory.init(SSLFactory.Mode.SERVER, clientAuth);
+      keyStoresFactory.init(KeyStoresFactory.Mode.SERVER, clientAuth);
       Assert.assertTrue(keyStoresFactory.getKeyManagers()[0]
           instanceof ReloadingX509KeyManager);
       Assert.assertTrue(keyStoresFactory.getTrustManagers()[0]
@@ -122,13 +121,13 @@ public void testConnectionWithCertReload() throws Exception {
     try {
       // create server
       serverFactory = new PemFileBasedKeyStoresFactory(secConf, caClient);
-      serverFactory.init(SSLFactory.Mode.SERVER, true);
+      serverFactory.init(KeyStoresFactory.Mode.SERVER, true);
       server = setupServer(serverFactory);
       server.start();
 
       // create client
       clientFactory = new PemFileBasedKeyStoresFactory(secConf, caClient);
-      clientFactory.init(SSLFactory.Mode.CLIENT, true);
+      clientFactory.init(KeyStoresFactory.Mode.CLIENT, true);
       channel = setupClient(clientFactory, server.getPort());
       XceiverClientProtocolServiceStub asyncStub =
           XceiverClientProtocolServiceGrpc.newStub(channel);