This is an automated email from the ASF dual-hosted git repository.
adoroszlai pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new fafc3c6383 HDDS-8738. Fix
TestSecureOzoneCluster#testOMGrpcServerCertificateRenew local failures (#4807)
fafc3c6383 is described below
commit fafc3c638394fcf4d6a407f0f81c8ef8a978e08e
Author: Galsza <[email protected]>
AuthorDate: Mon Jun 5 16:36:55 2023 +0200
HDDS-8738. Fix TestSecureOzoneCluster#testOMGrpcServerCertificateRenew
local failures (#4807)
---
.../certificate/authority/DefaultCAServer.java | 20 +----------
.../client/DefaultCertificateClient.java | 19 +----------
.../certificate/utils/CertificateSignRequest.java | 39 ++++++++++++++++++++++
.../certificate/utils/SelfSignedCertificate.java | 33 ++++++++++++++++++
.../certificate/authority/TestDefaultCAServer.java | 20 +----------
.../certificate/utils/TestRootCertificate.java | 20 +----------
.../hadoop/ozone/TestSecureOzoneCluster.java | 18 +++++++---
7 files changed, 90 insertions(+), 79 deletions(-)
diff --git
a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer.java
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer.java
index ddba9eb316..b3204e5800 100644
---
a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer.java
+++
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer.java
@@ -22,7 +22,6 @@ package
org.apache.hadoop.hdds.security.x509.certificate.authority;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import org.apache.commons.collections.CollectionUtils;
-import org.apache.commons.validator.routines.DomainValidator;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos.NodeType;
import org.apache.hadoop.hdds.scm.metadata.SCMMetadataStore;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
@@ -33,7 +32,6 @@ import
org.apache.hadoop.hdds.security.x509.certificate.utils.SelfSignedCertific
import org.apache.hadoop.hdds.security.x509.crl.CRLInfo;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.apache.hadoop.hdds.security.x509.keys.KeyCodec;
-import org.apache.hadoop.ozone.OzoneSecurityUtil;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.operator.OperatorCreationException;
@@ -69,7 +67,6 @@ import java.util.function.Consumer;
import static
org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest.getCertificationRequest;
import static
org.apache.hadoop.hdds.security.exception.SCMSecurityException.ErrorCode.UNABLE_TO_ISSUE_CERTIFICATE;
-import static
org.apache.hadoop.hdds.security.x509.exception.CertificateException.ErrorCode.CSR_ERROR;
/**
* The default CertificateServer used by SCM. This has no dependencies on any
@@ -577,22 +574,7 @@ public class DefaultCAServer implements CertificateServer {
.setConfiguration(securityConfig.getConfiguration())
.setKey(key);
- try {
- DomainValidator validator = DomainValidator.getInstance();
- // Add all valid ips.
- OzoneSecurityUtil.getValidInetsForCurrentHost().forEach(
- ip -> {
- builder.addIpAddress(ip.getHostAddress());
- if (validator.isValid(ip.getCanonicalHostName())) {
- builder.addDnsName(ip.getCanonicalHostName());
- }
- });
- } catch (IOException e) {
- throw new org.apache.hadoop.hdds.security.x509
- .exception.CertificateException(
- "Error while adding ip to CA self signed certificate", e,
- CSR_ERROR);
- }
+ builder.addInetAddresses();
X509CertificateHolder selfSignedCertificate = builder.build();
CertificateCodec certCodec =
diff --git
a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
index ade505d3f8..2584e9c781 100644
---
a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
+++
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
@@ -75,7 +75,6 @@ import com.google.common.base.Preconditions;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.lang3.math.NumberUtils;
-import org.apache.commons.validator.routines.DomainValidator;
import static
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_BACKUP_KEY_CERT_DIR_NAME_SUFFIX;
import static
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_NEW_KEY_CERT_DIR_NAME_SUFFIX;
@@ -87,7 +86,6 @@ import static
org.apache.hadoop.hdds.security.x509.exception.CertificateExceptio
import static
org.apache.hadoop.hdds.security.x509.exception.CertificateException.ErrorCode.CERTIFICATE_ERROR;
import static
org.apache.hadoop.hdds.security.x509.exception.CertificateException.ErrorCode.CRYPTO_SIGNATURE_VERIFICATION_ERROR;
import static
org.apache.hadoop.hdds.security.x509.exception.CertificateException.ErrorCode.CRYPTO_SIGN_ERROR;
-import static
org.apache.hadoop.hdds.security.x509.exception.CertificateException.ErrorCode.CSR_ERROR;
import static
org.apache.hadoop.hdds.security.x509.exception.CertificateException.ErrorCode.RENEW_ERROR;
import static
org.apache.hadoop.hdds.security.x509.exception.CertificateException.ErrorCode.ROLLBACK_ERROR;
import static
org.apache.hadoop.hdds.utils.HddsServerUtil.getScmSecurityClientWithMaxRetry;
@@ -490,22 +488,7 @@ public abstract class DefaultCertificateClient implements
CertificateClient {
CertificateSignRequest.Builder builder =
new CertificateSignRequest.Builder()
.setConfiguration(securityConfig.getConfiguration());
- try {
- DomainValidator validator = DomainValidator.getInstance();
- // Add all valid ips.
- OzoneSecurityUtil.getValidInetsForCurrentHost().forEach(
- ip -> {
- builder.addIpAddress(ip.getHostAddress());
- if (validator.isValid(ip.getCanonicalHostName())) {
- builder.addDnsName(ip.getCanonicalHostName());
- } else {
- getLogger().error("Invalid domain {}",
ip.getCanonicalHostName());
- }
- });
- } catch (IOException e) {
- throw new CertificateException("Error while adding ip to CSR builder",
- e, CSR_ERROR);
- }
+ builder.addInetAddresses();
return builder;
}
diff --git
a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateSignRequest.java
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateSignRequest.java
index 68a0a18fe5..888958a07a 100644
---
a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateSignRequest.java
+++
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateSignRequest.java
@@ -21,17 +21,20 @@ package
org.apache.hadoop.hdds.security.x509.certificate.utils;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
+import java.net.InetAddress;
import java.security.KeyPair;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
+import org.apache.commons.validator.routines.DomainValidator;
import org.apache.hadoop.hdds.conf.ConfigurationSource;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.exception.CertificateException;
import com.google.common.base.Preconditions;
+import org.apache.hadoop.ozone.OzoneSecurityUtil;
import org.apache.logging.log4j.util.Strings;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Object;
@@ -60,8 +63,11 @@ import
org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
import static
org.apache.hadoop.hdds.security.exception.SCMSecurityException.ErrorCode.INVALID_CSR;
+import static
org.apache.hadoop.hdds.security.x509.exception.CertificateException.ErrorCode.CSR_ERROR;
/**
* A certificate sign request object that wraps operations to build a
@@ -70,6 +76,8 @@ import static
org.apache.hadoop.hdds.security.exception.SCMSecurityException.Err
public final class CertificateSignRequest {
// Ozone Certificate distinguished format: (CN=Subject,OU=ScmID,O=ClusterID).
private static final String DISTINGUISHED_NAME_FORMAT = "CN=%s,OU=%s,O=%s";
+ private static final Logger LOG =
+ LoggerFactory.getLogger(CertificateSignRequest.class);
private final KeyPair keyPair;
private final SecurityConfig config;
private final Extensions extensions;
@@ -260,6 +268,37 @@ public final class CertificateSignRequest {
return this;
}
+ public CertificateSignRequest.Builder addInetAddresses()
+ throws CertificateException {
+ try {
+ DomainValidator validator = DomainValidator.getInstance();
+ // Add all valid ips.
+ List<InetAddress> inetAddresses =
+ OzoneSecurityUtil.getValidInetsForCurrentHost();
+ this.addInetAddresses(inetAddresses, validator);
+ } catch (IOException e) {
+ throw new CertificateException("Error while getting Inet addresses " +
+ "for the CSR builder", e, CSR_ERROR);
+ }
+ return this;
+ }
+
+ public CertificateSignRequest.Builder addInetAddresses(
+ List<InetAddress> addresses,
+ DomainValidator validator) {
+ // Add all valid ips.
+ addresses.forEach(
+ ip -> {
+ this.addIpAddress(ip.getHostAddress());
+ if (validator.isValid(ip.getCanonicalHostName())) {
+ this.addDnsName(ip.getCanonicalHostName());
+ } else {
+ LOG.error("Invalid domain {}", ip.getCanonicalHostName());
+ }
+ });
+ return this;
+ }
+
public CertificateSignRequest.Builder addServiceName(
String serviceName) {
Preconditions.checkNotNull(
diff --git
a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/SelfSignedCertificate.java
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/SelfSignedCertificate.java
index a7feb74ce5..3c20b6e5d9 100644
---
a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/SelfSignedCertificate.java
+++
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/SelfSignedCertificate.java
@@ -21,6 +21,7 @@ package
org.apache.hadoop.hdds.security.x509.certificate.utils;
import java.io.IOException;
import java.math.BigInteger;
+import java.net.InetAddress;
import java.security.KeyPair;
import java.time.Duration;
import java.time.LocalDateTime;
@@ -29,10 +30,12 @@ import java.util.ArrayList;
import java.util.Date;
import java.util.List;
+import org.apache.commons.validator.routines.DomainValidator;
import org.apache.hadoop.hdds.conf.ConfigurationSource;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.exception.CertificateException;
+import org.apache.hadoop.ozone.OzoneSecurityUtil;
import org.apache.hadoop.util.Time;
import com.google.common.annotations.VisibleForTesting;
@@ -60,6 +63,8 @@ import
org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import static
org.apache.hadoop.hdds.security.x509.exception.CertificateException.ErrorCode.CSR_ERROR;
+
/**
* A Self Signed Certificate with CertificateServer basic constraint can be
used
* to bootstrap a certificate infrastructure, if no external certificate is
@@ -215,6 +220,34 @@ public final class SelfSignedCertificate {
return this;
}
+ public Builder addInetAddresses() throws CertificateException {
+ try {
+ DomainValidator validator = DomainValidator.getInstance();
+ // Add all valid ips.
+ List<InetAddress> inetAddresses =
+ OzoneSecurityUtil.getValidInetsForCurrentHost();
+ this.addInetAddresses(inetAddresses, validator);
+ } catch (IOException e) {
+ throw new CertificateException("Error while getting Inet addresses " +
+ "for the CSR builder", e, CSR_ERROR);
+ }
+ return this;
+ }
+
+ public Builder addInetAddresses(List<InetAddress> addresses,
+ DomainValidator validator) {
+ addresses.forEach(
+ ip -> {
+ this.addIpAddress(ip.getHostAddress());
+ if (validator.isValid(ip.getCanonicalHostName())) {
+ this.addDnsName(ip.getCanonicalHostName());
+ } else {
+ LOG.error("Invalid domain {}", ip.getCanonicalHostName());
+ }
+ });
+ return this;
+ }
+
// Support SAN extension with DNS and RFC822 Name
// other name type will be added as needed.
public Builder addDnsName(String dnsName) {
diff --git
a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
index c259b3353c..8cea1f6f4d 100644
---
a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
+++
b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
@@ -21,7 +21,6 @@ package
org.apache.hadoop.hdds.security.x509.certificate.authority;
import com.google.common.collect.ImmutableList;
import org.apache.commons.lang3.RandomStringUtils;
-import org.apache.commons.validator.routines.DomainValidator;
import org.apache.hadoop.hdds.HddsConfigKeys;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
@@ -35,7 +34,6 @@ import
org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignReq
import
org.apache.hadoop.hdds.security.x509.certificate.utils.SelfSignedCertificate;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.apache.hadoop.hdds.security.x509.keys.KeyCodec;
-import org.apache.hadoop.ozone.OzoneSecurityUtil;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.apache.ozone.test.LambdaTestUtils;
@@ -74,7 +72,6 @@ import java.util.function.Consumer;
import static org.apache.hadoop.hdds.HddsConfigKeys.OZONE_METADATA_DIRS;
import static org.apache.hadoop.hdds.protocol.proto.HddsProtos.NodeType.OM;
import static org.apache.hadoop.hdds.protocol.proto.HddsProtos.NodeType.SCM;
-import static
org.apache.hadoop.hdds.security.x509.exception.CertificateException.ErrorCode.CSR_ERROR;
import static org.apache.hadoop.ozone.OzoneConsts.SCM_CA_CERT_STORAGE_DIR;
import static org.apache.hadoop.ozone.OzoneConsts.SCM_CA_PATH;
import static org.junit.jupiter.api.Assertions.assertEquals;
@@ -567,22 +564,7 @@ public class TestDefaultCAServer {
.setConfiguration(conf)
.makeCA();
- try {
- DomainValidator validator = DomainValidator.getInstance();
- // Add all valid ips.
- OzoneSecurityUtil.getValidInetsForCurrentHost().forEach(
- ip -> {
- builder.addIpAddress(ip.getHostAddress());
- if (validator.isValid(ip.getCanonicalHostName())) {
- builder.addDnsName(ip.getCanonicalHostName());
- }
- });
- } catch (IOException e) {
- throw new org.apache.hadoop.hdds.security.x509
- .exception.CertificateException(
- "Error while adding ip to CA self signed certificate", e,
- CSR_ERROR);
- }
+ builder.addInetAddresses();
return builder.build();
}
}
diff --git
a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestRootCertificate.java
b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestRootCertificate.java
index 7d98e2f2c0..0682585e7e 100644
---
a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestRootCertificate.java
+++
b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/utils/TestRootCertificate.java
@@ -19,12 +19,10 @@
package org.apache.hadoop.hdds.security.x509.certificate.utils;
-import org.apache.commons.validator.routines.DomainValidator;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
-import org.apache.hadoop.ozone.OzoneSecurityUtil;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
@@ -49,7 +47,6 @@ import java.util.Date;
import java.util.UUID;
import static org.apache.hadoop.hdds.HddsConfigKeys.OZONE_METADATA_DIRS;
-import static
org.apache.hadoop.hdds.security.x509.exception.CertificateException.ErrorCode.CSR_ERROR;
/**
* Test Class for Root Certificate generation.
@@ -152,22 +149,7 @@ public class TestRootCertificate {
.setConfiguration(conf)
.makeCA();
- try {
- DomainValidator validator = DomainValidator.getInstance();
- // Add all valid ips.
- OzoneSecurityUtil.getValidInetsForCurrentHost().forEach(
- ip -> {
- builder.addIpAddress(ip.getHostAddress());
- if (validator.isValid(ip.getCanonicalHostName())) {
- builder.addDnsName(ip.getCanonicalHostName());
- }
- });
- } catch (IOException e) {
- throw new org.apache.hadoop.hdds.security.x509
- .exception.CertificateException(
- "Error while adding ip to CA self signed certificate", e,
- CSR_ERROR);
- }
+ builder.addInetAddresses();
X509CertificateHolder certificateHolder = builder.build();
// This time we asked for a CertificateServer Certificate, make sure that
diff --git
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
index 16c1cb62d8..37a6bc3957 100644
---
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
+++
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java
@@ -40,6 +40,7 @@ import java.util.Properties;
import java.util.UUID;
import java.util.concurrent.Callable;
+import org.apache.commons.validator.routines.DomainValidator;
import org.apache.hadoop.hdds.HddsConfigKeys;
import org.apache.hadoop.hdds.annotation.InterfaceAudience;
import org.apache.hadoop.hdds.conf.DefaultConfigManager;
@@ -1296,8 +1297,7 @@ public final class TestSecureOzoneCluster {
X509CertificateHolder certHolder = generateX509CertHolder(conf, keyPair,
new KeyPair(scmCertClient.getPublicKey(),
scmCertClient.getPrivateKey()), scmCert,
- Duration.ofSeconds(certLifetime),
- InetAddress.getLocalHost().getCanonicalHostName(), clusterId);
+ "om_cert", clusterId);
String certId = certHolder.getSerialNumber().toString();
certCodec.writeCertificate(certHolder);
certCodec.writeCertificate(CertificateCodec.getCertificateHolder(scmCert),
@@ -1455,7 +1455,7 @@ public final class TestSecureOzoneCluster {
private static X509CertificateHolder generateX509CertHolder(
OzoneConfiguration conf, KeyPair keyPair, KeyPair rootKeyPair,
- X509Certificate rootCert, Duration certLifetime, String subject,
+ X509Certificate rootCert, String subject,
String clusterId) throws Exception {
// Generate normal certificate, signed by RootCA certificate
SecurityConfig secConfig = new SecurityConfig(conf);
@@ -1472,7 +1472,8 @@ public final class TestSecureOzoneCluster {
.setSubject(subject)
.setDigitalSignature(true)
.setDigitalEncryption(true);
-
+
+ addIpAndDnsDataToBuilder(csrBuilder);
LocalDateTime start = LocalDateTime.now();
String certDuration = conf.get(HDDS_X509_DEFAULT_DURATION,
HDDS_X509_DEFAULT_DURATION_DEFAULT);
@@ -1485,4 +1486,13 @@ public final class TestSecureOzoneCluster {
csrBuilder.build(), "test", clusterId);
return certificateHolder;
}
+
+ private static void addIpAndDnsDataToBuilder(
+ CertificateSignRequest.Builder csrBuilder) throws IOException {
+ DomainValidator validator = DomainValidator.getInstance();
+ // Add all valid ips.
+ List<InetAddress> inetAddresses =
+ OzoneSecurityUtil.getValidInetsForCurrentHost();
+ csrBuilder.addInetAddresses(inetAddresses, validator);
+ }
}
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
