This is an automated email from the ASF dual-hosted git repository.
vivekratnavel pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new d0f0f80 HDDS-5501. Support to upload/read keys from encrypted buckets
through S3G (#2467)
d0f0f80 is described below
commit d0f0f806e26e423c98af7b732d7a89f2e01ac4d1
Author: Bharat Viswanadham <[email protected]>
AuthorDate: Mon Aug 2 23:46:56 2021 +0530
HDDS-5501. Support to upload/read keys from encrypted buckets through S3G
(#2467)
Co-authored-by: Vivek Ratnavel Subramanian <[email protected]>
---
.../common/src/main/resources/ozone-default.xml | 17 +++++++++++++
.../apache/hadoop/ozone/client/rpc/RpcClient.java | 26 ++++++++++++++++---
.../src/main/compose/ozonesecure-ha/docker-config | 3 +++
.../src/main/compose/ozonesecure/docker-config | 3 +++
.../java/org/apache/hadoop/ozone/s3/Gateway.java | 29 ++++++++++++++++++++++
.../hadoop/ozone/s3/S3GatewayConfigKeys.java | 7 ++++++
6 files changed, 82 insertions(+), 3 deletions(-)
diff --git a/hadoop-hdds/common/src/main/resources/ozone-default.xml
b/hadoop-hdds/common/src/main/resources/ozone-default.xml
index 6f73d9f..9abfc1a 100644
--- a/hadoop-hdds/common/src/main/resources/ozone-default.xml
+++ b/hadoop-hdds/common/src/main/resources/ozone-default.xml
@@ -2807,4 +2807,21 @@
will not be allocated a pipeline or container replica.
</description>
</property>
+
+ <property>
+ <name>ozone.s3g.kerberos.keytab.file</name>
+ <value>/etc/security/keytabs/s3g.keytab</value>
+ <tag>OZONE, SECURITY, KERBEROS, S3GATEWAY</tag>
+ <description> The keytab file used by S3Gateway daemon to login as its
+ service principal. The principal name is configured with
+ ozone.s3g.kerberos.principal.
+ </description>
+ </property>
+ <property>
+ <name>ozone.s3g.kerberos.principal</name>
+ <value>s3g/_HOST@REALM</value>
+ <tag>OZONE, SECURITY, KERBEROS, S3GATEWAY</tag>
+ <description>The S3Gateway service principal.
+ Ex: s3g/[email protected]</description>
+ </property>
</configuration>
diff --git
a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
index 333fb77..b30c91f 100644
---
a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
+++
b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
@@ -25,6 +25,7 @@ import javax.crypto.CipherOutputStream;
import java.io.IOException;
import java.net.URI;
import java.security.InvalidKeyException;
+import java.security.PrivilegedExceptionAction;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
@@ -802,9 +803,28 @@ public class RpcClient implements ClientProtocol {
throws IOException {
// check crypto protocol version
OzoneKMSUtil.checkCryptoProtocolVersion(feInfo);
- KeyProvider.KeyVersion decrypted;
- decrypted = OzoneKMSUtil.decryptEncryptedDataEncryptionKey(feInfo,
- getKeyProvider());
+ KeyProvider.KeyVersion decrypted = null;
+ try {
+ // Do proxy thing only when current UGI not matching with login UGI
+ // In this way, proxying is done only for s3g where
+ // s3g can act as proxy to end user.
+ UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
+ if (!ugi.getShortUserName().equals(loginUser.getShortUserName())) {
+ UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(
+ ugi.getShortUserName(), loginUser);
+ decrypted = proxyUser.doAs(
+ (PrivilegedExceptionAction<KeyProvider.KeyVersion>) () -> {
+ return OzoneKMSUtil.decryptEncryptedDataEncryptionKey(feInfo,
+ getKeyProvider());
+ });
+ } else {
+ decrypted = OzoneKMSUtil.decryptEncryptedDataEncryptionKey(feInfo,
+ getKeyProvider());
+ }
+ } catch (InterruptedException ex) {
+ Thread.currentThread().interrupt();
+ throw new IOException("Interrupted during decrypt key", ex);
+ }
return decrypted;
}
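Review bot: The impersonation branch at `if (!ugi.getShortUserName().equals(loginUser.getShortUserName()))` is keyed on short names only, so `createProxyUser(ugi.getShortUserName(), loginUser)` impersonates any caller whose current UGI differs from the login UGI, not just the S3 Gateway as the comment says. That path presumably only works when the KMS allows the login principal to act as a proxy user for the end user, and callers that used to decrypt directly will now fail if that is not configured; the precondition is worth stating next to the `createProxyUser` call, e.g. `// Requires the login principal to be allowed as a proxy user on the KMS for the end user`. The `try` also wraps the non-proxy branch, although only `doAs` throws InterruptedException; narrowing it to the `doAs` call lets `decrypted` be declared without the `null` initializer and keeps the interrupt handling next to the call that needs it. The enclosing method starts before the hunk.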
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-config
b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-config
index f3ead91..91e80d3 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-config
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-config
@@ -78,6 +78,9 @@
OZONE-SITE.XML_ozone.om.kerberos.keytab.file=/etc/security/keytabs/om.keytab
OZONE-SITE.XML_ozone.recon.kerberos.keytab.file=/etc/security/keytabs/recon.keytab
OZONE-SITE.XML_ozone.recon.kerberos.principal=recon/[email protected]
+OZONE-SITE.XML_ozone.s3g.kerberos.keytab.file=/etc/security/keytabs/s3g.keytab
+OZONE-SITE.XML_ozone.s3g.kerberos.principal=s3g/[email protected]
+
HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/[email protected]
HDFS-SITE.XML_dfs.datanode.keytab.file=/etc/security/keytabs/dn.keytab
HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/[email protected]
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
index c94a3d5..103a997 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
@@ -61,6 +61,9 @@
OZONE-SITE.XML_ozone.om.kerberos.keytab.file=/etc/security/keytabs/om.keytab
OZONE-SITE.XML_ozone.recon.kerberos.keytab.file=/etc/security/keytabs/recon.keytab
OZONE-SITE.XML_ozone.recon.kerberos.principal=recon/[email protected]
+OZONE-SITE.XML_ozone.s3g.kerberos.keytab.file=/etc/security/keytabs/s3g.keytab
+OZONE-SITE.XML_ozone.s3g.kerberos.principal=s3g/[email protected]
+
OZONE-SITE.XML_hdds.scm.replication.thread.interval=5s
OZONE-SITE.XML_hdds.scm.replication.event.timeout=10s
OZONE-SITE.XML_ozone.scm.stale.node.interval=30s
diff --git
a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/Gateway.java
b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/Gateway.java
index 8b5eddb..0ba014e 100644
---
a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/Gateway.java
+++
b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/Gateway.java
@@ -24,15 +24,20 @@ import org.apache.hadoop.hdds.cli.GenericCli;
import org.apache.hadoop.hdds.cli.HddsVersionProvider;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.tracing.TracingUtil;
+import org.apache.hadoop.ozone.OzoneSecurityUtil;
import org.apache.hadoop.ozone.util.OzoneVersionInfo;
import org.apache.hadoop.ozone.util.ShutdownHookManager;
+import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
+import
org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import picocli.CommandLine.Command;
import static
org.apache.hadoop.ozone.conf.OzoneServiceConfig.DEFAULT_SHUTDOWN_HOOK_PRIORITY;
+import static
org.apache.hadoop.ozone.s3.S3GatewayConfigKeys.OZONE_S3G_KERBEROS_KEYTAB_FILE_KEY;
+import static
org.apache.hadoop.ozone.s3.S3GatewayConfigKeys.OZONE_S3G_KERBEROS_PRINCIPAL_KEY;
/**
* This class is used to start/stop S3 compatible rest server.
@@ -57,6 +62,7 @@ public class Gateway extends GenericCli {
TracingUtil.initTracing("S3gateway", ozoneConfiguration);
OzoneConfigurationHolder.setConfiguration(ozoneConfiguration);
UserGroupInformation.setConfiguration(ozoneConfiguration);
+ loginS3GUser(ozoneConfiguration);
httpServer = new S3GatewayHttpServer(ozoneConfiguration, "s3gateway");
start();
@@ -85,4 +91,27 @@ public class Gateway extends GenericCli {
httpServer.stop();
}
+ private static void loginS3GUser(OzoneConfiguration conf)
+ throws IOException, AuthenticationException {
+ if (OzoneSecurityUtil.isSecurityEnabled(conf)) {
+ if (SecurityUtil.getAuthenticationMethod(conf).equals(
+ UserGroupInformation.AuthenticationMethod.KERBEROS)) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Ozone security is enabled. Attempting login for S3G user.
"
+ + "Principal: {}, keytab: {}",
+ conf.get(OZONE_S3G_KERBEROS_PRINCIPAL_KEY),
+ conf.get(OZONE_S3G_KERBEROS_KEYTAB_FILE_KEY));
+ }
+
+ SecurityUtil.login(conf, OZONE_S3G_KERBEROS_KEYTAB_FILE_KEY,
+ OZONE_S3G_KERBEROS_PRINCIPAL_KEY);
+ } else {
+ throw new AuthenticationException(SecurityUtil.getAuthenticationMethod(
+ conf) + " authentication method not supported. S3G user login "
+ + "failed.");
+ }
+ LOG.info("S3Gateway login successful.");
+ }
+ }
+
}
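Review bot: `loginS3GUser` has no Javadoc, and its contract matters for operators: it logs the gateway in as its service principal only when `OzoneSecurityUtil.isSecurityEnabled(conf)` is true, and aborts start-up with `AuthenticationException` when security is enabled with a non-Kerberos method. A short Javadoc saying that, with `@throws AuthenticationException` for the unsupported-method case and `@throws IOException` for a failed keytab login, would do. The success message at `LOG.info("S3Gateway login successful.")` would be more useful for auditing if it named the identity actually obtained, e.g. `LOG.info("S3Gateway login successful as {}.", UserGroupInformation.getLoginUser().getUserName());`. Comparing the enum with `==` rather than `.equals(...)` is the conventional style for the `AuthenticationMethod` check.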
diff --git
a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/S3GatewayConfigKeys.java
b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/S3GatewayConfigKeys.java
index 5acf368..af85753 100644
---
a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/S3GatewayConfigKeys.java
+++
b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/S3GatewayConfigKeys.java
@@ -58,6 +58,13 @@ public final class S3GatewayConfigKeys {
public static final String OZONE_S3G_CLIENT_BUFFER_SIZE_DEFAULT =
"4KB";
+ // S3G kerberos, principal config
+ public static final String OZONE_S3G_KERBEROS_KEYTAB_FILE_KEY =
+ "ozone.s3g.kerberos.keytab.file";
+ public static final String OZONE_S3G_KERBEROS_PRINCIPAL_KEY =
+ "ozone.s3g.kerberos.principal";
+
+
/**
* Never constructed.
*/