This is an automated email from the ASF dual-hosted git repository.
adoroszlai pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new 670fe2ba35 HDDS-8266. Create tests for certificate hotswap (#4681)
670fe2ba35 is described below
commit 670fe2ba355c504fd2df3df9d0bc65643cac7f4d
Author: Galsza <[email protected]>
AuthorDate: Tue Jun 6 13:06:10 2023 +0200
HDDS-8266. Create tests for certificate hotswap (#4681)
---
.../org/apache/hadoop/hdds/HddsConfigKeys.java | 4 ++
.../container/ec/reconstruction/TokenHelper.java | 9 ++--
.../hdds/scm/server/StorageContainerManager.java | 7 ++-
hadoop-ozone/dist/pom.xml | 2 +-
.../compose/ozonesecure/certificate-rotation.yaml | 35 +++++++++++++
.../ozonesecure/test-certificate-rotation.sh | 37 +++++++++++++
.../smoketest/certrotation/cert-rotation.robot | 61 ++++++++++++++++++++++
.../src/main/smoketest/scmha/primordial-scm.robot | 2 +-
.../hadoop/ozone/TestOzoneConfigurationFields.java | 1 +
.../org/apache/hadoop/ozone/om/OzoneManager.java | 10 +++-
10 files changed, 159 insertions(+), 9 deletions(-)
diff --git
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsConfigKeys.java
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsConfigKeys.java
index f5d5314c80..b684220747 100644
---
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsConfigKeys.java
+++
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsConfigKeys.java
@@ -201,6 +201,10 @@ public final class HddsConfigKeys {
"hdds.x509.renew.grace.duration";
public static final String HDDS_X509_RENEW_GRACE_DURATION_DEFAULT = "P28D";
+ public static final String HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED =
+ "hdds.x509.grace.duration.token.checks.enabled";
+ public static final boolean
+ HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED_DEFAULT = true;
public static final String HDDS_NEW_KEY_CERT_DIR_NAME_SUFFIX = "-next";
public static final String HDDS_BACKUP_KEY_CERT_DIR_NAME_SUFFIX =
"-previous";
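Review bot: The new `HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED` constant has no Javadoc, although setting the key to false removes a startup check that keeps block and delegation token lifetimes within the certificate renew grace period. A reader of HddsConfigKeys cannot tell whether it is a production tuning knob or only a way to let very short-lived test certificates start up; the compose file added in this commit uses it for the latter. Suggest a comment above the constant such as `// Test-only switch: when false, services skip the check that the renew grace period exceeds the maximum token lifetime; leave enabled in production.` The enclosing class continues outside the hunk.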
diff --git
a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ec/reconstruction/TokenHelper.java
b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ec/reconstruction/TokenHelper.java
index ffd7632804..b5f7871d45 100644
---
a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ec/reconstruction/TokenHelper.java
+++
b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/ec/reconstruction/TokenHelper.java
@@ -71,10 +71,13 @@ class TokenHelper {
HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME_DEFAULT,
TimeUnit.MILLISECONDS);
long certificateGracePeriod = Duration.parse(
- conf.get(HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION,
- HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION_DEFAULT))
+ conf.get(HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION,
+ HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION_DEFAULT))
.toMillis();
- if (expiryTime > certificateGracePeriod) {
+ boolean tokenSanityChecksEnabled = conf.getBoolean(
+ HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED,
+
HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED_DEFAULT);
+ if (tokenSanityChecksEnabled && expiryTime > certificateGracePeriod) {
throw new IllegalArgumentException("Certificate grace period " +
HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION +
" should be greater than maximum block/container token lifetime " +
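Review bot: When `tokenSanityChecksEnabled` is false the comparison of `expiryTime` against `certificateGracePeriod` is skipped silently, so a cluster that sets the key by mistake gets no indication that tokens may outlive the grace period of the certificate that signed them. Keeping the signal costs one branch: after the `if`, an `else if (expiryTime > certificateGracePeriod)` that logs a warning naming `HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED` as the reason startup proceeded (assuming the class has a logger; none is visible in the hunk). The same read-flag-then-compare sequence is repeated in the StorageContainerManager hunk and twice in OzoneManager; one shared helper taking the configuration, the token lifetime and the message suffix would stop the four copies from drifting, which the SCM copy already does in its message text. The throw statement and the enclosing method continue outside the hunk.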
diff --git
a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
index 8bf5b0f1d3..f2a5b0844c 100644
---
a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
+++
b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
@@ -942,8 +942,11 @@ public final class StorageContainerManager extends
ServiceRuntimeInfoImpl
long certificateGracePeriod = Duration.parse(
conf.get(HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION,
HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION_DEFAULT)).toMillis();
- if (expiryTime > certificateGracePeriod) {
- throw new IllegalArgumentException("Certificate grace period " +
+ boolean tokenSanityChecksEnabled = conf.getBoolean(
+ HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED,
+ HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED_DEFAULT);
+ if (tokenSanityChecksEnabled && expiryTime > certificateGracePeriod) {
+ throw new IllegalArgumentException(" Certificate grace period " +
HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION +
" should be greater than maximum block/container token lifetime " +
HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME);
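Review bot: The rewritten `throw new IllegalArgumentException(" Certificate grace period " +` line gained a leading space inside the literal that the TokenHelper and OzoneManager copies of the same message do not have, so the SCM error text now differs from the others for no reason; restore `throw new IllegalArgumentException("Certificate grace period " +`. The silent disabled path and the duplication noted on the TokenHelper hunk apply here as well. The enclosing method continues outside the hunk.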
diff --git a/hadoop-ozone/dist/pom.xml b/hadoop-ozone/dist/pom.xml
index 40747fa6ed..92c8835fa1 100644
--- a/hadoop-ozone/dist/pom.xml
+++ b/hadoop-ozone/dist/pom.xml
@@ -28,7 +28,7 @@
<properties>
<file.encoding>UTF-8</file.encoding>
<downloadSources>true</downloadSources>
- <docker.ozone-runner.version>20230104-1</docker.ozone-runner.version>
+ <docker.ozone-runner.version>20230503-1</docker.ozone-runner.version>
<docker.ozone-testkr5b.image>apache/ozone-testkrb5:20230318-1</docker.ozone-testkr5b.image>
</properties>
diff --git
a/hadoop-ozone/dist/src/main/compose/ozonesecure/certificate-rotation.yaml
b/hadoop-ozone/dist/src/main/compose/ozonesecure/certificate-rotation.yaml
new file mode 100644
index 0000000000..382127c5c7
--- /dev/null
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/certificate-rotation.yaml
@@ -0,0 +1,35 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: "3.4"
+
+x-cert-rotation-config:
+ &cert-rotation-config
+ environment:
+ - OZONE-SITE.XML_hdds.x509.default.duration=PT40s
+ - OZONE-SITE.XML_hdds.x509.renew.grace.duration=PT30s
+ - OZONE-SITE.XML_hdds.x509.grace.duration.token.checks.enabled=false
+services:
+ datanode:
+ <<: *cert-rotation-config
+ om:
+ <<: *cert-rotation-config
+ scm:
+ <<: *cert-rotation-config
+ s3g:
+ <<: *cert-rotation-config
+ recon:
+ <<: *cert-rotation-config
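Review bot: The override `OZONE-SITE.XML_hdds.x509.grace.duration.token.checks.enabled=false` carries no explanation, and because the key is introduced by this same commit a reader of the compose file has nothing else to consult. Presumably it is required because the 30-second grace period set on the line above is shorter than the default token lifetimes that the startup check compares it against; confirm that and record it, e.g. `# PT30s grace is below the default token lifetimes, so the startup sanity check must be off for this test cluster`. A reader should also be told that these values are deliberately unrealistic and must not be copied into a production compose file.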
diff --git
a/hadoop-ozone/dist/src/main/compose/ozonesecure/test-certificate-rotation.sh
b/hadoop-ozone/dist/src/main/compose/ozonesecure/test-certificate-rotation.sh
new file mode 100644
index 0000000000..cc7f609ff4
--- /dev/null
+++
b/hadoop-ozone/dist/src/main/compose/ozonesecure/test-certificate-rotation.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#suite:secure
+
+COMPOSE_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+export COMPOSE_DIR
+
+# shellcheck source=/dev/null
+source "$COMPOSE_DIR/../testlib.sh"
+
+export SECURITY_ENABLED=true
+export COMPOSE_FILE=docker-compose.yaml:certificate-rotation.yaml
+
+: ${OZONE_BUCKET_KEY_NAME:=key1}
+
+start_docker_env
+
+execute_robot_test scm certrotation
+
+stop_docker_env
+
+generate_report
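Review bot: `: ${OZONE_BUCKET_KEY_NAME:=key1}` assigns a shell variable that nothing later in this script reads and that is not exported, so unless `testlib.sh` picks it up (not visible here) the robot suite never sees it; if it is meant for the test, export it, e.g. `export OZONE_BUCKET_KEY_NAME="${OZONE_BUCKET_KEY_NAME:-key1}"`, otherwise drop the line. Either way the expansion should be quoted, `: "${OZONE_BUCKET_KEY_NAME:=key1}"`, which is what shellcheck will ask for.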
diff --git
a/hadoop-ozone/dist/src/main/smoketest/certrotation/cert-rotation.robot
b/hadoop-ozone/dist/src/main/smoketest/certrotation/cert-rotation.robot
new file mode 100644
index 0000000000..9d78e0a158
--- /dev/null
+++ b/hadoop-ozone/dist/src/main/smoketest/certrotation/cert-rotation.robot
@@ -0,0 +1,61 @@
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+*** Settings ***
+Documentation Smoketest ozone cluster startup
+Library OperatingSystem
+Library DateTime
+Resource ../commonlib.robot
+Resource ../ozone-lib/freon.robot
+Suite Setup Setup Test
+Test Timeout 5 minutes
+
+*** Variables ***
+${datanode} datanode
+${port} 9859
+
+*** Keywords ***
+Setup Test
+ Run Keyword if '${SECURITY_ENABLED}' == 'true' Kinit test user
testuser testuser.keytab
+
+Basic key generation and validation
+ ${random} = Generate Random String 10
+ Freon OCKG prefix=${random}
+ Freon OCKV prefix=${random}
+
+Find certificate duration
+ ${waitTime} = Execute ozone getconf confKey
hdds.x509.default.duration | sed 's/PT//'
+ ${result} = Set Variable if "${waitTime}" != "${EMPTY}"
${waitTime} 0s
+ [return] ${result}
+
+Get datanode cert serial
+ ${certSerial} Execute openssl s_client -connect
"${datanode}":"${port}" -showcerts | openssl x509 -noout -serial | grep serial
| sed 's/serial=//'
+ [return] ${certSerial}
+
+Datanode has new certificate
+ [arguments] ${certId}
+ ${newCertId} = Get datanode cert serial
+ Should Not Be Equal ${certId} ${newCertId}
+
+Double duration
+ [arguments] ${duration}
+ ${doubleDuration} = Add Time To Time ${duration} ${duration}
+ [return] ${doubleDuration}
+
+*** Test Cases ***
+Test datanode functions before and after certificate rotation
+ Basic key generation and validation
+ ${certDuration} = Find certificate duration
+ ${doubleDuration} = Double duration ${certDuration}
+ ${certId1} = Get datanode cert serial
+ Wait Until Keyword Succeeds ${doubleDuration} 5sec Datanode has
new certificate ${certId1}
+ Basic key generation and validation
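Review bot: `Get datanode cert serial` returns whatever the `openssl s_client ... | grep serial | sed` pipeline prints, so if the TLS connection to `${datanode}:${port}` fails the keyword yields an empty string instead of failing, and `Datanode has new certificate` then passes as soon as the second read differs from the first, including a change from empty to anything. Add `Should Not Be Empty    ${certSerial}` before the `[return]` so a rotation is only counted when both serials were actually read. Separately, `Documentation    Smoketest ozone cluster startup` looks copied from another suite; `Documentation    Datanode certificate rotation: the serving certificate serial changes and key I/O keeps working` describes this file.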
diff --git a/hadoop-ozone/dist/src/main/smoketest/scmha/primordial-scm.robot
b/hadoop-ozone/dist/src/main/smoketest/scmha/primordial-scm.robot
index 879940093a..9d224b3fa5 100644
--- a/hadoop-ozone/dist/src/main/smoketest/scmha/primordial-scm.robot
+++ b/hadoop-ozone/dist/src/main/smoketest/scmha/primordial-scm.robot
@@ -53,7 +53,7 @@ Verify SCM4 Certificate
${root_ca_cert_split} = Split String
${root_ca_cert}
${root_ca_cert_subject} = Strip String
${root_ca_cert_split[3]}
- ${output} = Execute ozone admin cert list
+ ${output} = Execute ozone admin cert list -c
1000000
${scm4_cert} = Get Lines Containing String
${output} scm4.org
${scm4_cert_split} = Split String
${scm4_cert}
${scm4_cert_issuer} = Strip String
${scm4_cert_split[4]}
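Review bot: The new `-c 1000000` argument to `ozone admin cert list` is an unexplained literal; if it raises the number of certificates listed so that scm4's entry is no longer cut off by a default limit (inferred, the option's meaning is not visible in the hunk), a trailing comment such as `# -c raises the list limit so the scm4 certificate is included after rotations` keeps the intent recoverable. The `Verify SCM4 Certificate` keyword starts before the hunk.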
diff --git
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestOzoneConfigurationFields.java
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestOzoneConfigurationFields.java
index 17de1a3c97..745b58a665 100644
---
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestOzoneConfigurationFields.java
+++
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestOzoneConfigurationFields.java
@@ -92,6 +92,7 @@ public class TestOzoneConfigurationFields extends
TestConfigurationFieldsBase {
HddsConfigKeys.HDDS_KEY_ALGORITHM,
HddsConfigKeys.HDDS_SECURITY_PROVIDER,
HddsConfigKeys.HDDS_X509_CRL_NAME, // HDDS-2873
+ HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED,
OMConfigKeys.OZONE_OM_NODES_KEY,
OMConfigKeys.OZONE_OM_DECOMMISSIONED_NODES_KEY,
ScmConfigKeys.OZONE_SCM_NODES_KEY,
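Review bot: The added `HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED,` entry joins a list in which deliberate exclusions carry a reference (`// HDDS-2873` on the line above), but it has none, so the next maintainer cannot tell whether the key is kept out of the default configuration file on purpose. If it is left out because it is a test-only switch, say so: `HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED, // HDDS-8266, test-only switch`; otherwise the key should be documented with the other hdds.x509 keys rather than excluded. The list and the enclosing class continue outside the hunk.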
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
index 3555658201..1138420918 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
@@ -999,7 +999,10 @@ public final class OzoneManager extends
ServiceRuntimeInfoImpl
long certificateGracePeriod = Duration.parse(
conf.get(HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION,
HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION_DEFAULT)).toMillis();
- if (tokenMaxLifetime > certificateGracePeriod) {
+ boolean tokenSanityChecksEnabled = conf.getBoolean(
+ HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED,
+ HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED_DEFAULT);
+ if (tokenSanityChecksEnabled && tokenMaxLifetime > certificateGracePeriod)
{
throw new IllegalArgumentException("Certificate grace period " +
HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION +
" should be greater than maximum delegation token lifetime " +
@@ -1029,7 +1032,10 @@ public final class OzoneManager extends
ServiceRuntimeInfoImpl
long certificateGracePeriod = Duration.parse(
conf.get(HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION,
HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION_DEFAULT)).toMillis();
- if (expiryTime > certificateGracePeriod) {
+ boolean tokenSanityChecksEnabled = conf.getBoolean(
+ HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED,
+ HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED_DEFAULT);
+ if (tokenSanityChecksEnabled && expiryTime > certificateGracePeriod) {
throw new IllegalArgumentException("Certificate grace period " +
HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION +
" should be greater than maximum block token lifetime " +