HADOOP-13864. KMS should not require truststore password. Contributed by Mike Yoder.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/a2b5d602 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/a2b5d602 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/a2b5d602 Branch: refs/heads/YARN-5734 Commit: a2b5d602201a4f619f6a68ec2168a884190d8de6 Parents: f3b8ff5 Author: Xiao Chen <x...@apache.org> Authored: Mon Dec 5 12:19:26 2016 -0800 Committer: Xiao Chen <x...@apache.org> Committed: Mon Dec 5 17:36:00 2016 -0800
----------------------------------------------------------------------
 .../security/ssl/FileBasedKeyStoresFactory.java | 6 ++++--
 .../security/ssl/ReloadingX509TrustManager.java | 2 +-
 .../ssl/TestReloadingX509TrustManager.java | 18 ++++++++++++++++++
 3 files changed, 23 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/a2b5d602/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java
index 4e59010..a01d11a 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java
@@ -202,8 +202,10 @@ public class FileBasedKeyStoresFactory implements KeyStoresFactory {
 SSL_TRUSTSTORE_PASSWORD_TPL_KEY);
 String truststorePassword = getPassword(conf, passwordProperty, "");
 if (truststorePassword.isEmpty()) {
- throw new GeneralSecurityException("The property '" + passwordProperty +
- "' has not been set in the ssl configuration file.");
+ // An empty trust store password is legal; the trust store password
+ // is only required when writing to a trust store. Otherwise it's
+ // an optional integrity check.
+ truststorePassword = null;
 }
 long truststoreReloadInterval = conf.getLong(
http://git-wip-us.apache.org/repos/asf/hadoop/blob/a2b5d602/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java
index 597f8d7..2d3afea 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java
@@ -167,7 +167,7 @@ public final class ReloadingX509TrustManager
 KeyStore ks = KeyStore.getInstance(type);
 FileInputStream in = new FileInputStream(file);
 try {
- ks.load(in, password.toCharArray());
+ ks.load(in, (password == null) ? null : password.toCharArray());
 lastLoaded = file.lastModified();
 LOG.debug("Loaded truststore '" + file + "'");
 } finally {
http://git-wip-us.apache.org/repos/asf/hadoop/blob/a2b5d602/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java
----------------------------------------------------------------------
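Review bot: Assigning `truststorePassword = null` silently disables the JKS integrity check for the trust store and also removes the fail-fast that previously caught an unset `passwordProperty`, yet nothing in the hunk records that either happened. An operator whose ssl config lost the password entry now gets a trust store loaded without MAC verification and no signal in the logs, so the fallback should at least be logged, e.g. `LOG.info("Property '" + passwordProperty + "' is not set; the trust store will be loaded without integrity verification.");` assuming the class logger is in scope. The in-code comment is accurate as far as it goes, but the operational consequence (a modified trust store file is no longer detected at load time) belongs in the log line rather than only in a source comment. The enclosing method starts and ends outside the hunk.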
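Review bot: The `ks.load` change makes `password` nullable, but the hunk does not update the contract callers see: the field and the constructor parameter (both outside this hunk) presumably still describe it simply as the truststore password. I would document on the constructor's `@param password` that `null` is accepted and means the store is loaded without verifying its integrity, since that is the security-relevant difference between the two branches of the new ternary and the reason a caller might want to avoid it. The enclosing method, including the `FileInputStream` open and the `finally` that closes it, starts and ends outside the hunk.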
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java
index bf058cd..3fb203e 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java
@@ -199,4 +199,22 @@ public class TestReloadingX509TrustManager {
 }, reloadInterval, 10 * 1000);
 }
+ /** No password when accessing a trust store is legal. */
+ @Test
+ public void testNoPassword() throws Exception {
+ KeyPair kp = generateKeyPair("RSA");
+ cert1 = generateCertificate("CN=Cert1", kp, 30, "SHA1withRSA");
+ cert2 = generateCertificate("CN=Cert2", kp, 30, "SHA1withRSA");
+ String truststoreLocation = BASEDIR + "/testreload.jks";
+ createTrustStore(truststoreLocation, "password", "cert1", cert1);
+
+ final ReloadingX509TrustManager tm =
+ new ReloadingX509TrustManager("jks", truststoreLocation, null, 10);
+ try {
+ tm.init();
+ assertEquals(1, tm.getAcceptedIssuers().length);
+ } finally {
+ tm.destroy();
+ }
+ }
 }
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org
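Review bot: `testNoPassword` only exercises the `ReloadingX509TrustManager` constructor with a `null` password; the configuration-side change in `FileBasedKeyStoresFactory` (an unset truststore password property now becoming a null password instead of a `GeneralSecurityException`) has no test, so a regression that reintroduces the exception there would still pass this suite. A companion test that builds an SSL config without the truststore password property and asserts the factory initializes — TestSSLFactory looks like the existing home for that — would pin the behavior the JIRA title actually describes. Separately, `cert2` is generated but never used in this method; dropping the `cert2 = generateCertificate(...)` line keeps the fixture to what the assertion needs. The test method is complete within the hunk.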