http://git-wip-us.apache.org/repos/asf/hadoop/blob/5d182949/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh b/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh index 7611f2a..b4955d5 100755 --- a/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh +++ b/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh @@ -13,92 +13,52 @@ # limitations under the License. # -MYNAME="${BASH_SOURCE-$0}" +MYNAME="${0##*/}" -function hadoop_usage +## @description Print usage +## @audience private +## @stability stable +## @replaceable no +function print_usage { - hadoop_add_subcommand "run" "Start kms in the current window" - hadoop_add_subcommand "run -security" "Start in the current window with security manager" - hadoop_add_subcommand "start" "Start kms in a separate window" - hadoop_add_subcommand "start -security" "Start in a separate window with security manager" - hadoop_add_subcommand "status" "Return the LSB compliant status" - hadoop_add_subcommand "stop" "Stop kms, waiting up to 5 seconds for the process to end" - hadoop_add_subcommand "top n" "Stop kms, waiting up to n seconds for the process to end" - hadoop_add_subcommand "stop -force" "Stop kms, wait up to 5 seconds and then use kill -KILL if still running" - hadoop_add_subcommand "stop n -force" "Stop kms, wait up to n seconds and then use kill -KILL if still running" - hadoop_generate_usage "${MYNAME}" false + cat <<EOF +Usage: ${MYNAME} run|start|status|stop +commands: + run Run KMS, the Key Management Server + start Start KMS as a daemon + status Return the status of the KMS daemon + stop Stop the KMS daemon +EOF } -# let's locate libexec... -if [[ -n "${HADOOP_HOME}" ]]; then - HADOOP_DEFAULT_LIBEXEC_DIR="${HADOOP_HOME}/libexec" -else - bin=$(cd -P -- "$(dirname -- "${MYNAME}")" >/dev/null && pwd -P) - HADOOP_DEFAULT_LIBEXEC_DIR="${bin}/../libexec" -fi - -HADOOP_LIBEXEC_DIR="${HADOOP_LIBEXEC_DIR:-$HADOOP_DEFAULT_LIBEXEC_DIR}" -# shellcheck disable=SC2034 -HADOOP_NEW_CONFIG=true -if [[ -f "${HADOOP_LIBEXEC_DIR}/kms-config.sh" ]]; then - . "${HADOOP_LIBEXEC_DIR}/kms-config.sh" -else - echo "ERROR: Cannot execute ${HADOOP_LIBEXEC_DIR}/kms-config.sh." 2>&1 - exit 1 -fi - -# The Java System property 'kms.http.port' it is not used by Kms, -# it is used in Tomcat's server.xml configuration file -# - -hadoop_debug "Using CATALINA_OPTS: ${CATALINA_OPTS}" - -# We're using hadoop-common, so set up some stuff it might need: -hadoop_finalize - -hadoop_verify_logdir +echo "WARNING: ${MYNAME} is deprecated," \ + "please use 'hadoop [--daemon start|status|stop] kms'." >&2 if [[ $# = 0 ]]; then - case "${HADOOP_DAEMON_MODE}" in - status) - hadoop_status_daemon "${CATALINA_PID}" - exit - ;; - start) - set -- "start" - ;; - stop) - set -- "stop" - ;; - esac + print_usage + exit fi -hadoop_finalize_catalina_opts -export CATALINA_OPTS - -# A bug in catalina.sh script does not use CATALINA_OPTS for stopping the server -# -if [[ "${1}" = "stop" ]]; then - export JAVA_OPTS=${CATALINA_OPTS} -fi +case $1 in + run) + args=("kms") + ;; + start|stop|status) + args=("--daemon" "$1" "kms") + ;; + *) + echo "Unknown sub-command \"$1\"." + print_usage + exit 1 + ;; +esac -# If ssl, the populate the passwords into ssl-server.xml before starting tomcat -# -# KMS_SSL_KEYSTORE_PASS is a bit odd. -# if undefined, then the if test will not enable ssl on its own -# if "", set it to "password". -# if custom, use provided password -# -if [[ -f "${HADOOP_CATALINA_HOME}/conf/ssl-server.xml.conf" ]]; then - if [[ -n "${KMS_SSL_KEYSTORE_PASS+x}" ]]; then - export KMS_SSL_KEYSTORE_PASS=${KMS_SSL_KEYSTORE_PASS:-password} - KMS_SSL_KEYSTORE_PASS_ESCAPED=$(hadoop_xml_escape \ - "$(hadoop_sed_escape "$KMS_SSL_KEYSTORE_PASS")") - sed -e 's/"_kms_ssl_keystore_pass_"/'"\"${KMS_SSL_KEYSTORE_PASS_ESCAPED}\""'/g' \ - "${HADOOP_CATALINA_HOME}/conf/ssl-server.xml.conf" \ - > "${HADOOP_CATALINA_HOME}/conf/ssl-server.xml" - chmod 700 "${HADOOP_CATALINA_HOME}/conf/ssl-server.xml" >/dev/null 2>&1 - fi +# Locate bin +if [[ -n "${HADOOP_HOME}" ]]; then + bin="${HADOOP_HOME}/bin" +else + sbin=$(cd -P -- "$(dirname -- "$0")" >/dev/null && pwd -P) + bin=$(cd -P -- "${sbin}/../bin" >/dev/null && pwd -P) fi -exec "${HADOOP_CATALINA_HOME}/bin/catalina.sh" "$@" +exec "${bin}/hadoop" "${args[@]}" \ No newline at end of file
http://git-wip-us.apache.org/repos/asf/hadoop/blob/5d182949/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/WEB-INF/web.xml ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/WEB-INF/web.xml b/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/WEB-INF/web.xml deleted file mode 100644 index 9d0ae0d..0000000 --- a/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/WEB-INF/web.xml +++ /dev/null @@ -1,16 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---> -<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee";> -</web-app> http://git-wip-us.apache.org/repos/asf/hadoop/blob/5d182949/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/index.html ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/index.html b/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/index.html deleted file mode 100644 index e9e4512..0000000 --- a/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/index.html +++ /dev/null @@ -1,27 +0,0 @@ -<!-- - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - - ---> -<html> -<head> - <title>Hadoop KMS</title> -</head> -<body> -<h1>Hadoop KMS</h1> -<ul> - <li>KMS REST API end-point <b>/kms/v1/*</b></li> - <li><a href="/kms/jmx">KMS JMX JSON end-point</a></li> -</ul> -</body> -</html> http://git-wip-us.apache.org/repos/asf/hadoop/blob/5d182949/hadoop-common-project/hadoop-kms/src/main/tomcat/logging.properties ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/main/tomcat/logging.properties b/hadoop-common-project/hadoop-kms/src/main/tomcat/logging.properties deleted file mode 100644 index 7562719..0000000 --- a/hadoop-common-project/hadoop-kms/src/main/tomcat/logging.properties +++ /dev/null @@ -1,67 +0,0 @@ -# -# All Rights Reserved. -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler - -.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler - -############################################################ -# Handler specific properties. -# Describes specific configuration info for Handlers. -############################################################ - -1catalina.org.apache.juli.FileHandler.level = FINE -1catalina.org.apache.juli.FileHandler.directory = ${kms.log.dir} -1catalina.org.apache.juli.FileHandler.prefix = kms-catalina. - -2localhost.org.apache.juli.FileHandler.level = FINE -2localhost.org.apache.juli.FileHandler.directory = ${kms.log.dir} -2localhost.org.apache.juli.FileHandler.prefix = kms-localhost. - -3manager.org.apache.juli.FileHandler.level = FINE -3manager.org.apache.juli.FileHandler.directory = ${kms.log.dir} -3manager.org.apache.juli.FileHandler.prefix = kms-manager. - -4host-manager.org.apache.juli.FileHandler.level = FINE -4host-manager.org.apache.juli.FileHandler.directory = ${kms.log.dir} -4host-manager.org.apache.juli.FileHandler.prefix = kms-host-manager. - -java.util.logging.ConsoleHandler.level = FINE -java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter - - -############################################################ -# Facility specific properties. -# Provides extra control for each logger. -############################################################ - -org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO -org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler - -org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO -org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler - -org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO -org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler - -# For example, set the com.xyz.foo logger to only log SEVERE -# messages: -#org.apache.catalina.startup.ContextConfig.level = FINE -#org.apache.catalina.startup.HostConfig.level = FINE -#org.apache.catalina.session.ManagerBase.level = FINE -#org.apache.catalina.core.AprLifecycleListener.level=FINE http://git-wip-us.apache.org/repos/asf/hadoop/blob/5d182949/hadoop-common-project/hadoop-kms/src/main/tomcat/server.xml ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/main/tomcat/server.xml b/hadoop-common-project/hadoop-kms/src/main/tomcat/server.xml deleted file mode 100644 index d8fd161..0000000 --- a/hadoop-common-project/hadoop-kms/src/main/tomcat/server.xml +++ /dev/null @@ -1,155 +0,0 @@ -<?xml version='1.0' encoding='utf-8'?> -<!-- - - All Rights Reserved. - - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---> -<!-- Note: A "Server" is not itself a "Container", so you may not - define subcomponents such as "Valves" at this level. - Documentation at /docs/config/server.html - --> -<Server port="${kms.admin.port}" shutdown="SHUTDOWN"> - - <!--APR library loader. Documentation at /docs/apr.html --> - <Listener className="org.apache.catalina.core.AprLifecycleListener" - SSLEngine="on"/> - <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html --> - <Listener className="org.apache.catalina.core.JasperListener"/> - <!-- Prevent memory leaks due to use of particular java/javax APIs--> - <Listener - className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/> - <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html --> - <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"/> - <Listener - className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/> - - <!-- Global JNDI resources - Documentation at /docs/jndi-resources-howto.html - --> - <GlobalNamingResources> - <!-- Editable user database that can also be used by - UserDatabaseRealm to authenticate users - --> - <Resource name="UserDatabase" auth="Container" - type="org.apache.catalina.UserDatabase" - description="User database that can be updated and saved" - factory="org.apache.catalina.users.MemoryUserDatabaseFactory" - pathname="conf/tomcat-users.xml"/> - </GlobalNamingResources> - - <!-- A "Service" is a collection of one or more "Connectors" that share - a single "Container" Note: A "Service" is not itself a "Container", - so you may not define subcomponents such as "Valves" at this level. - Documentation at /docs/config/service.html - --> - <Service name="Catalina"> - - <!--The connectors can use a shared executor, you can define one or more named thread pools--> - <!-- - <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" - maxThreads="150" minSpareThreads="4"/> - --> - - - <!-- A "Connector" represents an endpoint by which requests are received - and responses are returned. Documentation at : - Java HTTP Connector: /docs/config/http.html (blocking & non-blocking) - Java AJP Connector: /docs/config/ajp.html - APR (HTTP/AJP) Connector: /docs/apr.html - Define a non-SSL HTTP/1.1 Connector on port ${kms.http.port} - --> - <Connector port="${kms.http.port}" protocol="HTTP/1.1" - maxThreads="${kms.max.threads}" - connectionTimeout="20000" - redirectPort="8443" - maxHttpHeaderSize="${kms.max.http.header.size}"/> - <!-- A "Connector" using the shared thread pool--> - <!-- - <Connector executor="tomcatThreadPool" - port="${kms.http.port}" protocol="HTTP/1.1" - connectionTimeout="20000" - redirectPort="8443" /> - --> - <!-- Define a SSL HTTP/1.1 Connector on port 8443 - This connector uses the JSSE configuration, when using APR, the - connector should be using the OpenSSL style configuration - described in the APR documentation --> - <!-- - <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" - maxThreads="150" scheme="https" secure="true" - clientAuth="false" sslProtocol="TLS" /> - --> - - <!-- Define an AJP 1.3 Connector on port 8009 --> - - - <!-- An Engine represents the entry point (within Catalina) that processes - every request. The Engine implementation for Tomcat stand alone - analyzes the HTTP headers included with the request, and passes them - on to the appropriate Host (virtual host). - Documentation at /docs/config/engine.html --> - - <!-- You should set jvmRoute to support load-balancing via AJP ie : - <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"> - --> - <Engine name="Catalina" defaultHost="localhost"> - - <!--For clustering, please take a look at documentation at: - /docs/cluster-howto.html (simple how to) - /docs/config/cluster.html (reference documentation) --> - <!-- - <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/> - --> - - <!-- The request dumper valve dumps useful debugging information about - the request and response data received and sent by Tomcat. - Documentation at: /docs/config/valve.html --> - <!-- - <Valve className="org.apache.catalina.valves.RequestDumperValve"/> - --> - - <!-- This Realm uses the UserDatabase configured in the global JNDI - resources under the key "UserDatabase". Any edits - that are performed against this UserDatabase are immediately - available for use by the Realm. --> - <Realm className="org.apache.catalina.realm.UserDatabaseRealm" - resourceName="UserDatabase"/> - - <!-- Define the default virtual host - Note: XML Schema validation will not work with Xerces 2.2. - --> - <Host name="localhost" appBase="webapps" - unpackWARs="true" autoDeploy="true" - xmlValidation="false" xmlNamespaceAware="false"> - - <!-- SingleSignOn valve, share authentication between web applications - Documentation at: /docs/config/valve.html --> - <!-- - <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> - --> - - <!-- Access log processes all example. - Documentation at: /docs/config/valve.html --> - <!-- - <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" - prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/> - --> - - </Host> - </Engine> - </Service> -</Server> http://git-wip-us.apache.org/repos/asf/hadoop/blob/5d182949/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf b/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf deleted file mode 100644 index 272542a..0000000 --- a/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf +++ /dev/null @@ -1,136 +0,0 @@ -<?xml version='1.0' encoding='utf-8'?> -<!-- - - All Rights Reserved. - - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---> -<!-- Note: A "Server" is not itself a "Container", so you may not - define subcomponents such as "Valves" at this level. - Documentation at /docs/config/server.html - --> -<Server port="${kms.admin.port}" shutdown="SHUTDOWN"> - - <!--APR library loader. Documentation at /docs/apr.html --> - <Listener className="org.apache.catalina.core.AprLifecycleListener" - SSLEngine="on"/> - <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html --> - <Listener className="org.apache.catalina.core.JasperListener"/> - <!-- Prevent memory leaks due to use of particular java/javax APIs--> - <Listener - className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/> - <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html --> - <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"/> - <Listener - className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/> - - <!-- Global JNDI resources - Documentation at /docs/jndi-resources-howto.html - --> - <GlobalNamingResources> - <!-- Editable user database that can also be used by - UserDatabaseRealm to authenticate users - --> - <Resource name="UserDatabase" auth="Container" - type="org.apache.catalina.UserDatabase" - description="User database that can be updated and saved" - factory="org.apache.catalina.users.MemoryUserDatabaseFactory" - pathname="conf/tomcat-users.xml"/> - </GlobalNamingResources> - - <!-- A "Service" is a collection of one or more "Connectors" that share - a single "Container" Note: A "Service" is not itself a "Container", - so you may not define subcomponents such as "Valves" at this level. - Documentation at /docs/config/service.html - --> - <Service name="Catalina"> - - <!--The connectors can use a shared executor, you can define one or more named thread pools--> - <!-- - <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" - maxThreads="150" minSpareThreads="4"/> - --> - - <!-- Define a SSL HTTP/1.1 Connector on port 8443 - This connector uses the JSSE configuration, when using APR, the - connector should be using the OpenSSL style configuration - described in the APR documentation --> - <Connector port="${kms.http.port}" protocol="HTTP/1.1" SSLEnabled="true" - maxThreads="${kms.max.threads}" scheme="https" secure="true" - maxHttpHeaderSize="${kms.max.http.header.size}" - clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" - keystoreFile="${kms.ssl.keystore.file}" - keystorePass="_kms_ssl_keystore_pass_"/> - - <!-- Define an AJP 1.3 Connector on port 8009 --> - - - <!-- An Engine represents the entry point (within Catalina) that processes - every request. The Engine implementation for Tomcat stand alone - analyzes the HTTP headers included with the request, and passes them - on to the appropriate Host (virtual host). - Documentation at /docs/config/engine.html --> - - <!-- You should set jvmRoute to support load-balancing via AJP ie : - <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"> - --> - <Engine name="Catalina" defaultHost="localhost"> - - <!--For clustering, please take a look at documentation at: - /docs/cluster-howto.html (simple how to) - /docs/config/cluster.html (reference documentation) --> - <!-- - <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/> - --> - - <!-- The request dumper valve dumps useful debugging information about - the request and response data received and sent by Tomcat. - Documentation at: /docs/config/valve.html --> - <!-- - <Valve className="org.apache.catalina.valves.RequestDumperValve"/> - --> - - <!-- This Realm uses the UserDatabase configured in the global JNDI - resources under the key "UserDatabase". Any edits - that are performed against this UserDatabase are immediately - available for use by the Realm. --> - <Realm className="org.apache.catalina.realm.UserDatabaseRealm" - resourceName="UserDatabase"/> - - <!-- Define the default virtual host - Note: XML Schema validation will not work with Xerces 2.2. - --> - <Host name="localhost" appBase="webapps" - unpackWARs="true" autoDeploy="true" - xmlValidation="false" xmlNamespaceAware="false"> - - <!-- SingleSignOn valve, share authentication between web applications - Documentation at: /docs/config/valve.html --> - <!-- - <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> - --> - - <!-- Access log processes all example. - Documentation at: /docs/config/valve.html --> - <!-- - <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" - prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/> - --> - - </Host> - </Engine> - </Service> -</Server> http://git-wip-us.apache.org/repos/asf/hadoop/blob/5d182949/hadoop-common-project/hadoop-kms/src/main/webapp/WEB-INF/web.xml ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/main/webapp/WEB-INF/web.xml b/hadoop-common-project/hadoop-kms/src/main/webapp/WEB-INF/web.xml deleted file mode 100644 index d081764..0000000 --- a/hadoop-common-project/hadoop-kms/src/main/webapp/WEB-INF/web.xml +++ /dev/null @@ -1,78 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---> -<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee";> - - <listener> - <listener-class>org.apache.hadoop.crypto.key.kms.server.KMSWebApp</listener-class> - </listener> - - <servlet> - <servlet-name>webservices-driver</servlet-name> - <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class> - <init-param> - <param-name>com.sun.jersey.config.property.packages</param-name> - <param-value>org.apache.hadoop.crypto.key.kms.server</param-value> - </init-param> - - <!-- Enables detailed Jersey request/response logging --> - <!-- - <init-param> - <param-name>com.sun.jersey.spi.container.ContainerRequestFilters</param-name> - <param-value>com.sun.jersey.api.container.filter.LoggingFilter</param-value> - </init-param> - <init-param> - <param-name>com.sun.jersey.spi.container.ContainerResponseFilters</param-name> - <param-value>com.sun.jersey.api.container.filter.LoggingFilter</param-value> - </init-param> - --> - <load-on-startup>1</load-on-startup> - </servlet> - - <servlet> - <servlet-name>jmx-servlet</servlet-name> - <servlet-class>org.apache.hadoop.crypto.key.kms.server.KMSJMXServlet</servlet-class> - </servlet> - - <servlet-mapping> - <servlet-name>webservices-driver</servlet-name> - <url-pattern>/*</url-pattern> - </servlet-mapping> - - <servlet-mapping> - <servlet-name>jmx-servlet</servlet-name> - <url-pattern>/jmx</url-pattern> - </servlet-mapping> - - <filter> - <filter-name>authFilter</filter-name> - <filter-class>org.apache.hadoop.crypto.key.kms.server.KMSAuthenticationFilter</filter-class> - </filter> - - <filter> - <filter-name>MDCFilter</filter-name> - <filter-class>org.apache.hadoop.crypto.key.kms.server.KMSMDCFilter</filter-class> - </filter> - - <filter-mapping> - <filter-name>authFilter</filter-name> - <url-pattern>/*</url-pattern> - </filter-mapping> - - <filter-mapping> - <filter-name>MDCFilter</filter-name> - <url-pattern>/*</url-pattern> - </filter-mapping> - -</web-app> http://git-wip-us.apache.org/repos/asf/hadoop/blob/5d182949/hadoop-common-project/hadoop-kms/src/site/configuration.xsl ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/site/configuration.xsl b/hadoop-common-project/hadoop-kms/src/site/configuration.xsl new file mode 100644 index 0000000..8f2ae9b --- /dev/null +++ b/hadoop-common-project/hadoop-kms/src/site/configuration.xsl @@ -0,0 +1,49 @@ +<?xml version="1.0"?> +<!-- + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + +--> + +<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"; version="1.0"> + <xsl:output method="html"/> + <xsl:template match="configuration"> + <html> + <body> + <h2>Configuration Properties</h2> + <table border="1"> + <tr> + <th>name</th> + <th>value</th> + <th>description</th> + </tr> + <xsl:for-each select="property"> + <tr> + <td> + <a name="{name}"> + <xsl:value-of select="name"/> + </a> + </td> + <td> + <xsl:value-of select="value"/> + </td> + <td> + <xsl:value-of select="description"/> + </td> + </tr> + </xsl:for-each> + </table> + </body> + </html> + </xsl:template> +</xsl:stylesheet> http://git-wip-us.apache.org/repos/asf/hadoop/blob/5d182949/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm b/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm index 58c1fbd..810d568 100644 --- a/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm +++ b/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm @@ -29,7 +29,7 @@ The client is a KeyProvider implementation interacts with the KMS using the KMS KMS and its client have built-in security and they support HTTP SPNEGO Kerberos authentication and HTTPS secure transport. -KMS is a Java web-application and it runs using a pre-configured Tomcat bundled with the Hadoop distribution. +KMS is a Java Jetty web-application. KMS Client Configuration ------------------------ @@ -51,6 +51,15 @@ The following is an example to configure HDFS NameNode as a KMS client in KMS --- +$H3 Start/Stop the KMS + +To start/stop KMS, use `hadoop --daemon start|stop kms`. For example: + + hadoop-${project.version} $ hadoop --daemon start kms + +NOTE: The script `kms.sh` is deprecated. It is now just a wrapper of +`hadoop kms`. + $H3 KMS Configuration Configure the KMS backing KeyProvider properties in the `etc/hadoop/kms-site.xml` configuration file: @@ -71,6 +80,15 @@ The password file is looked up in the Hadoop's configuration directory via the c NOTE: You need to restart the KMS for the configuration changes to take effect. +$H3 KMS HTTP Configuration + +KMS pre-configures the HTTP port to 9600. + +KMS supports the following HTTP [configuration properties](./kms-default.html) +in `etc/hadoop/kms-site.xml`. + +NOTE: You need to restart the KMS for the configuration changes to take effect. + $H3 KMS Cache KMS has two kinds of caching: a CachingKeyProvider for caching the encryption keys, and a KeyProvider for caching the EEKs. @@ -180,36 +198,6 @@ The Aggregation interval is configured via the property : <value>10000</value> </property> -$H3 Start/Stop the KMS - -To start/stop KMS use KMS's sbin/kms.sh script. For example: - - hadoop-${project.version} $ sbin/kms.sh start - -NOTE: Invoking the script without any parameters list all possible parameters (start, stop, run, etc.). The `kms.sh` script is a wrapper for Tomcat's `catalina.sh` script that sets the environment variables and Java System properties required to run KMS. - -$H3 Embedded Tomcat Configuration - -To configure the embedded Tomcat go to the `share/hadoop/kms/tomcat/conf`. - -KMS pre-configures the HTTP and Admin ports in Tomcat's `server.xml` to 9600 and 9601. - -Tomcat logs are also preconfigured to go to Hadoop's `logs/` directory. - -The following environment variables (which can be set in KMS's `etc/hadoop/kms-env.sh` script) can be used to alter those values: - -* KMS_HTTP_PORT -* KMS_ADMIN_PORT -* KMS_MAX_THREADS -* KMS_MAX_HTTP_HEADER_SIZE -* KMS_LOGNOTE: You need to restart the KMS for the configuration changes to take effect. - -$H3 Loading native libraries - -The following environment variable (which can be set in KMS's `etc/hadoop/kms-env.sh` script) can be used to specify the location of any required native libraries. For eg. Tomact native Apache Portable Runtime (APR) libraries: - -* JAVA_LIBRARY_PATH - $H3 KMS Security Configuration $H4 Enabling Kerberos HTTP SPNEGO Authentication @@ -279,20 +267,52 @@ If `users`, `groups` or `hosts` has a `*`, it means there are no restrictions fo $H4 KMS over HTTPS (SSL) -To configure KMS to work over HTTPS the following 2 properties must be set in the `etc/hadoop/kms_env.sh` script (shown with default values): +Enable SSL in `etc/hadoop/kms-site.xml`: -* KMS_SSL_KEYSTORE_FILE=$HOME/.keystore -* KMS_SSL_KEYSTORE_PASS=password +```xml + <property> + <name>hadoop.kms.ssl.enabled</name> + <value>true</value> + <description> + Whether SSL is enabled. Default is false, i.e. disabled. + </description> + </property> + +``` -In the KMS `tomcat/conf` directory, replace the `server.xml` file with the provided `ssl-server.xml` file. +Configure `etc/hadoop/ssl-server.xml` with proper values, for example: + +```xml +<property> + <name>ssl.server.keystore.location</name> + <value>${user.home}/.keystore</value> + <description>Keystore to be used. Must be specified.</description> +</property> + +<property> + <name>ssl.server.keystore.password</name> + <value></value> + <description>Must be specified.</description> +</property> + +<property> + <name>ssl.server.keystore.keypassword</name> + <value></value> + <description>Must be specified.</description> +</property> +``` You need to create an SSL certificate for the KMS. As the `kms` Unix user, using the Java `keytool` command to create the SSL certificate: - $ keytool -genkey -alias tomcat -keyalg RSA + $ keytool -genkey -alias jetty -keyalg RSA -You will be asked a series of questions in an interactive prompt. It will create the keystore file, which will be named **.keystore** and located in the `kms` user home directory. +You will be asked a series of questions in an interactive prompt. It will +create the keystore file, which will be named **.keystore** and located in the +user's home directory. -The password you enter for "keystore password" must match the value of the `KMS_SSL_KEYSTORE_PASS` environment variable set in the `kms-env.sh` script in the configuration directory. +The password you enter for "keystore password" must match the value of the +property `ssl.server.keystore.password` set in the `ssl-server.xml` in the +configuration directory. The answer to "What is your first and last name?" (i.e. "CN") must be the hostname of the machine where the KMS will be running. @@ -1032,3 +1052,29 @@ $H4 Get Keys Metadata }, ... ] + +$H3 Deprecated Environment Variables + +The following environment variables are deprecated. Set the corresponding +configuration properties instead. + +Environment Variable | Configuration Property | Configuration File +-------------------------|------------------------------|-------------------- +KMS_HTTP_PORT | hadoop.kms.http.port | kms-site.xml +KMS_MAX_HTTP_HEADER_SIZE | hadoop.http.max.request.header.size and hadoop.http.max.response.header.size | kms-site.xml +KMS_MAX_THREADS | hadoop.http.max.threads | kms-site.xml +KMS_SSL_ENABLED | hadoop.kms.ssl.enabled | kms-site.xml +KMS_SSL_KEYSTORE_FILE | ssl.server.keystore.location | ssl-server.xml +KMS_SSL_KEYSTORE_PASS | ssl.server.keystore.password | ssl-server.xml +KMS_TEMP | hadoop.http.temp.dir | kms-site.xml + +$H3 Default HTTP Services + +Name | Description +-------------------|------------------------------------ +/conf | Display configuration properties +/jmx | Java JMX management interface +/logLevel | Get or set log level per class +/logs | Display log files +/stacks | Display JVM stacks +/static/index.html | The static home page \ No newline at end of file http://git-wip-us.apache.org/repos/asf/hadoop/blob/5d182949/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java index 8b181ad..f911c5b 100644 --- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java +++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java @@ -17,83 +17,23 @@ */ package org.apache.hadoop.crypto.key.kms.server; -import com.google.common.base.Preconditions; - -import org.apache.commons.io.IOUtils; -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.fs.Path; -import org.apache.hadoop.http.JettyUtils; -import org.apache.hadoop.util.ThreadUtil; -import org.eclipse.jetty.http.HttpVersion; -import org.eclipse.jetty.server.ConnectionFactory; -import org.eclipse.jetty.server.HttpConfiguration; -import org.eclipse.jetty.server.HttpConnectionFactory; -import org.eclipse.jetty.server.SecureRequestCustomizer; -import org.eclipse.jetty.server.Server; -import org.eclipse.jetty.server.ServerConnector; -import org.eclipse.jetty.server.SslConnectionFactory; -import org.eclipse.jetty.util.ssl.SslContextFactory; -import org.eclipse.jetty.webapp.WebAppContext; - import java.io.File; import java.io.FileOutputStream; import java.io.FileWriter; +import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; import java.io.Writer; -import java.io.IOException; -import java.net.MalformedURLException; import java.net.URL; -import java.util.UUID; - -public class MiniKMS { - private static Server createJettyServer(String keyStore, String password, int inPort) { - try { - boolean ssl = keyStore != null; - String host = "localhost"; - Server server = new Server(); - ServerConnector conn = new ServerConnector(server); - HttpConfiguration httpConfig = new HttpConfiguration(); - httpConfig.setRequestHeaderSize(JettyUtils.HEADER_SIZE); - httpConfig.setResponseHeaderSize(JettyUtils.HEADER_SIZE); - httpConfig.setSecureScheme("https"); - httpConfig.addCustomizer(new SecureRequestCustomizer()); - ConnectionFactory connFactory = new HttpConnectionFactory(httpConfig); - conn.addConnectionFactory(connFactory); - conn.setHost(host); - conn.setPort(inPort); - if (ssl) { - SslContextFactory sslContextFactory = new SslContextFactory(); - sslContextFactory.setNeedClientAuth(false); - sslContextFactory.setKeyStorePath(keyStore); - sslContextFactory.setKeyStoreType("jks"); - sslContextFactory.setKeyStorePassword(password); - conn.addFirstConnectionFactory( - new SslConnectionFactory(sslContextFactory, - HttpVersion.HTTP_1_1.asString())); - } - server.addConnector(conn); - return server; - } catch (Exception ex) { - throw new RuntimeException("Could not start embedded servlet container, " - + ex.getMessage(), ex); - } - } +import com.google.common.base.Preconditions; +import org.apache.commons.io.IOUtils; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.fs.Path; +import org.apache.hadoop.security.ssl.SSLFactory; +import org.apache.hadoop.util.ThreadUtil; - private static URL getJettyURL(Server server) { - boolean ssl = server.getConnectors()[0] - .getConnectionFactory(SslConnectionFactory.class) != null; - try { - String scheme = (ssl) ? "https" : "http"; - return new URL(scheme + "://" + - ((ServerConnector)server.getConnectors()[0]).getHost() + ":" - + ((ServerConnector)server.getConnectors()[0]).getLocalPort()); - } catch (MalformedURLException ex) { - throw new RuntimeException("It should never happen, " + ex.getMessage(), - ex); - } - } +public class MiniKMS { public static class Builder { private File kmsConfDir; @@ -150,7 +90,7 @@ public class MiniKMS { private String log4jConfFile; private String keyStore; private String keyStorePassword; - private Server jetty; + private KMSWebServer jetty; private int inPort; private URL kmsURL; @@ -178,7 +118,6 @@ public class MiniKMS { } public void start() throws Exception { - ClassLoader cl = Thread.currentThread().getContextClassLoader(); System.setProperty(KMSConfiguration.KMS_CONFIG_DIR, kmsConfDir); File aclsFile = new File(kmsConfDir, "kms-acls.xml"); if (!aclsFile.exists()) { @@ -202,35 +141,20 @@ public class MiniKMS { writer.close(); } System.setProperty("log4j.configuration", log4jConfFile); - jetty = createJettyServer(keyStore, keyStorePassword, inPort); - - // we need to do a special handling for MiniKMS to work when in a dir and - // when in a JAR in the classpath thanks to Jetty way of handling of webapps - // when they are in the a DIR, WAR or JAR. - URL webXmlUrl = cl.getResource("kms-webapp/WEB-INF/web.xml"); - if (webXmlUrl == null) { - throw new RuntimeException( - "Could not find kms-webapp/ dir in test classpath"); - } - boolean webXmlInJar = webXmlUrl.getPath().contains(".jar!/"); - String webappPath; - if (webXmlInJar) { - File webInf = new File("target/" + UUID.randomUUID().toString() + - "/kms-webapp/WEB-INF"); - webInf.mkdirs(); - new File(webInf, "web.xml").delete(); - copyResource("kms-webapp/WEB-INF/web.xml", new File(webInf, "web.xml")); - webappPath = webInf.getParentFile().getAbsolutePath(); - } else { - webappPath = cl.getResource("kms-webapp").getPath(); - } - WebAppContext context = new WebAppContext(webappPath, "/kms"); - if (webXmlInJar) { - context.setClassLoader(cl); + + final Configuration conf = KMSConfiguration.getKMSConf(); + conf.set(KMSConfiguration.HTTP_HOST_KEY, "localhost"); + conf.setInt(KMSConfiguration.HTTP_PORT_KEY, inPort); + if (keyStore != null) { + conf.setBoolean(KMSConfiguration.SSL_ENABLED_KEY, true); + conf.set(SSLFactory.SSL_SERVER_KEYSTORE_LOCATION, keyStore); + conf.set(SSLFactory.SSL_SERVER_KEYSTORE_PASSWORD, keyStorePassword); + conf.set(SSLFactory.SSL_SERVER_KEYSTORE_TYPE, "jks"); } - jetty.setHandler(context); + + jetty = new KMSWebServer(conf); jetty.start(); - kmsURL = new URL(getJettyURL(jetty), "kms"); + kmsURL = jetty.getKMSUrl(); } public URL getKMSUrl() { --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org
