if (!blockPoolTokenSecretManager.isBlockPoolRegistered(blockPoolId)) { long blockKeyUpdateInterval = keys.getKeyUpdateInterval(); long blockTokenLifetime = keys.getTokenLifetime(); new BlockTokenSecretManager(0, blockTokenLifetime, blockPoolId, dnConf.encryptionAlgorithm, enableProtobuf); blockPoolTokenSecretManager.addBlockPool(blockPoolId, secretMgr);
LOG.info("DatanodeCommand action from standby: DNA_ACCESSKEYUPDATE"); if (dn.isBlockTokenEnabled) { dn.blockPoolTokenSecretManager.addKeys( getBlockPoolId(), ((KeyUpdateCommand) cmd).getExportedKeys());
public byte[] retrieveDataEncryptionKey(int keyId, String blockPoolId, byte[] nonce) throws IOException { return get(blockPoolId).retrieveDataEncryptionKey(keyId, nonce); } }
/** * Test {@link BlockPoolTokenSecretManager} */ @Test public void testBlockPoolTokenSecretManager() throws Exception { BlockPoolTokenSecretManager bpMgr = new BlockPoolTokenSecretManager(); // Test BlockPoolSecretManager with upto 10 block pools for (int i = 0; i < 10; i++) { String bpid = Integer.toString(i); BlockTokenSecretManager masterHandler = new BlockTokenSecretManager( blockKeyUpdateInterval, blockTokenLifetime, 0, "fake-pool", null); BlockTokenSecretManager slaveHandler = new BlockTokenSecretManager( blockKeyUpdateInterval, blockTokenLifetime, "fake-pool", null); bpMgr.addBlockPool(bpid, slaveHandler); ExportedBlockKeys keys = masterHandler.exportKeys(); bpMgr.addKeys(bpid, keys); tokenGenerationAndVerification(masterHandler, bpMgr.get(bpid)); // Test key updating masterHandler.updateKeys(); tokenGenerationAndVerification(masterHandler, bpMgr.get(bpid)); keys = masterHandler.exportKeys(); bpMgr.addKeys(bpid, keys); tokenGenerationAndVerification(masterHandler, bpMgr.get(bpid)); } }
private void checkBlockToken(ExtendedBlock block, Token<BlockTokenIdentifier> token, AccessMode accessMode) throws IOException { if (isBlockTokenEnabled) { BlockTokenIdentifier id = new BlockTokenIdentifier(); ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier()); DataInputStream in = new DataInputStream(buf); id.readFields(in); LOG.debug("Got: {}", id); blockPoolTokenSecretManager.checkAccess(id, null, block, accessMode, null, null); } }
this.blockPoolTokenSecretManager = new BlockPoolTokenSecretManager();
@Override public DataEncryptionKey newDataEncryptionKey() { return dnConf.encryptDataTransfer ? blockPoolTokenSecretManager.generateDataEncryptionKey( block.getBlockPoolId()) : null; } };
@VisibleForTesting public void clearAllBlockSecretKeys() { blockPoolTokenSecretManager.clearAllKeysForTesting(); }
/*** * Use BlockTokenSecretManager to generate block token for current user. */ public Token<BlockTokenIdentifier> getBlockAccessToken(ExtendedBlock b, EnumSet<AccessMode> mode, StorageType[] storageTypes, String[] storageIds) throws IOException { Token<BlockTokenIdentifier> accessToken = BlockTokenSecretManager.DUMMY_TOKEN; if (isBlockTokenEnabled) { accessToken = blockPoolTokenSecretManager.generateToken(b, mode, storageTypes, storageIds); } return accessToken; }
/** * Given a secret manager and a username encoded for the encrypted handshake, * determine the encryption key. * * @param userName containing the keyId, blockPoolId, and nonce. * @return secret encryption key. * @throws IOException */ private byte[] getEncryptionKeyFromUserName(String userName) throws IOException { String[] nameComponents = userName.split(NAME_DELIMITER); if (nameComponents.length != 3) { throw new IOException("Provided name '" + userName + "' has " + nameComponents.length + " components instead of the expected 3."); } int keyId = Integer.parseInt(nameComponents[0]); String blockPoolId = nameComponents[1]; byte[] nonce = Base64.decodeBase64(nameComponents[2]); return blockPoolTokenSecretManager.retrieveDataEncryptionKey(keyId, blockPoolId, nonce); }
private void checkReadAccess(final ExtendedBlock block) throws IOException { // Make sure this node has registered for the block pool. try { getDNRegistrationForBP(block.getBlockPoolId()); } catch (IOException e) { // if it has not registered with the NN, throw an exception back. throw new org.apache.hadoop.ipc.RetriableException( "Datanode not registered. Try again later."); } if (isBlockTokenEnabled) { Set<TokenIdentifier> tokenIds = UserGroupInformation.getCurrentUser() .getTokenIdentifiers(); if (tokenIds.size() != 1) { throw new IOException("Can't continue since none or more than one " + "BlockTokenIdentifier is found."); } for (TokenIdentifier tokenId : tokenIds) { BlockTokenIdentifier id = (BlockTokenIdentifier) tokenId; LOG.debug("Got: {}", id); blockPoolTokenSecretManager.checkAccess(id, null, block, BlockTokenIdentifier.AccessMode.READ, null, null); } } }
this.blockPoolTokenSecretManager = new BlockPoolTokenSecretManager();
@Override public DataEncryptionKey newDataEncryptionKey() { return dnConf.encryptDataTransfer ? blockPoolTokenSecretManager.generateDataEncryptionKey( block.getBlockPoolId()) : null; } };
@VisibleForTesting public void clearAllBlockSecretKeys() { blockPoolTokenSecretManager.clearAllKeysForTesting(); }
accessToken = blockPoolTokenSecretManager.generateToken(b, EnumSet.of(BlockTokenSecretManager.AccessMode.WRITE));
/** * Given a secret manager and a username encoded for the encrypted handshake, * determine the encryption key. * * @param userName containing the keyId, blockPoolId, and nonce. * @return secret encryption key. * @throws IOException */ private byte[] getEncryptionKeyFromUserName(String userName) throws IOException { String[] nameComponents = userName.split(NAME_DELIMITER); if (nameComponents.length != 3) { throw new IOException("Provided name '" + userName + "' has " + nameComponents.length + " components instead of the expected 3."); } int keyId = Integer.parseInt(nameComponents[0]); String blockPoolId = nameComponents[1]; byte[] nonce = Base64.decodeBase64(nameComponents[2]); return blockPoolTokenSecretManager.retrieveDataEncryptionKey(keyId, blockPoolId, nonce); }
/** * See {@link BlockTokenSecretManager#addKeys(ExportedBlockKeys)} */ public void addKeys(String bpid, ExportedBlockKeys exportedKeys) throws IOException { get(bpid).addKeys(exportedKeys); }
if (!blockPoolTokenSecretManager.isBlockPoolRegistered(blockPoolId)) { long blockKeyUpdateInterval = keys.getKeyUpdateInterval(); long blockTokenLifetime = keys.getTokenLifetime(); new BlockTokenSecretManager(0, blockTokenLifetime, blockPoolId, dnConf.encryptionAlgorithm); blockPoolTokenSecretManager.addBlockPool(blockPoolId, secretMgr);
LOG.info("DatanodeCommand action: DNA_ACCESSKEYUPDATE"); if (dn.isBlockTokenEnabled) { dn.blockPoolTokenSecretManager.addKeys( getBlockPoolId(), ((KeyUpdateCommand) cmd).getExportedKeys());
blk.getBlockId(), mode); try { datanode.blockPoolTokenSecretManager.checkAccess(t, null, blk, mode, storageTypes, storageIds); } catch(InvalidToken e) {