http://git-wip-us.apache.org/repos/asf/hadoop/blob/96bd574d/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestSecureOzoneContainer.java
----------------------------------------------------------------------
diff --git 
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestSecureOzoneContainer.java
 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestSecureOzoneContainer.java
new file mode 100644
index 0000000..02d5e28
--- /dev/null
+++ 
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestSecureOzoneContainer.java
@@ -0,0 +1,209 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.container.ozoneimpl;
+
+import org.apache.hadoop.hdds.HddsConfigKeys;
+import org.apache.hadoop.hdds.protocol.DatanodeDetails;
+import org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos;
+import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
+import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
+import org.apache.hadoop.hdds.security.token.OzoneBlockTokenIdentifier;
+import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.apache.hadoop.ozone.OzoneConfigKeys;
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.ozone.container.ContainerTestHelper;
+import org.apache.hadoop.hdds.scm.TestUtils;
+import org.apache.hadoop.hdds.scm.XceiverClientGrpc;
+import org.apache.hadoop.hdds.scm.XceiverClientSpi;
+import org.apache.hadoop.hdds.scm.pipeline.Pipeline;
+import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.test.GenericTestUtils;
+import org.apache.hadoop.util.Time;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+import org.junit.rules.Timeout;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.security.PrivilegedAction;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.EnumSet;
+import java.util.UUID;
+
+import static org.apache.hadoop.hdds.HddsConfigKeys.OZONE_METADATA_DIRS;
+import static org.apache.hadoop.hdds.scm.ScmConfigKeys.HDDS_DATANODE_DIR_KEY;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+/**
+ * Tests ozone containers via secure grpc/netty.
+ */
+@RunWith(Parameterized.class)
+public class TestSecureOzoneContainer {
+  private static final Logger LOG = LoggerFactory.getLogger(
+      TestSecureOzoneContainer.class);
+  /**
+   * Set the timeout for every test.
+   */
+  @Rule
+  public Timeout testTimeout = new Timeout(300000);
+
+  @Rule
+  public TemporaryFolder tempFolder = new TemporaryFolder();
+
+  private OzoneConfiguration conf;
+  private SecurityConfig secConfig;
+  private Boolean requireBlockToken;
+  private Boolean hasBlockToken;
+  private Boolean blockTokeExpired;
+
+
+  public TestSecureOzoneContainer(Boolean requireBlockToken,
+      Boolean hasBlockToken, Boolean blockTokenExpired) {
+    this.requireBlockToken = requireBlockToken;
+    this.hasBlockToken = hasBlockToken;
+    this.blockTokeExpired = blockTokenExpired;
+  }
+
+  @Parameterized.Parameters
+  public static Collection<Object[]> blockTokenOptions() {
+    return Arrays.asList(new Object[][] {
+        {true, true, false},
+        {true, true, true},
+        {true, false, false},
+        {false, true, false},
+        {false, false, false}});
+  }
+
+  @Before
+  public void setup() throws IOException{
+    conf = new OzoneConfiguration();
+    String ozoneMetaPath =
+        GenericTestUtils.getTempPath("ozoneMeta");
+    conf.set(OZONE_METADATA_DIRS, ozoneMetaPath);
+
+    secConfig = new SecurityConfig(conf);
+
+  }
+
+  @Test
+  public void testCreateOzoneContainer() throws Exception {
+    LOG.info("Test case: requireBlockToken: {} hasBlockToken: {} " +
+        "blockTokenExpired: {}.", requireBlockToken, hasBlockToken,
+        blockTokeExpired);
+    conf.setBoolean(HddsConfigKeys.HDDS_GRPC_BLOCK_TOKEN_ENABLED,
+        requireBlockToken);
+
+    long containerID = ContainerTestHelper.getTestContainerID();
+    OzoneContainer container = null;
+    
System.out.println(System.getProperties().getProperty("java.library.path"));
+    try {
+      Pipeline pipeline = ContainerTestHelper.createSingleNodePipeline();
+      conf.set(HDDS_DATANODE_DIR_KEY, tempFolder.getRoot().getPath());
+      conf.setInt(OzoneConfigKeys.DFS_CONTAINER_IPC_PORT, pipeline
+          .getFirstNode().getPort(DatanodeDetails.Port.Name.STANDALONE)
+          .getValue());
+      conf.setBoolean(
+          OzoneConfigKeys.DFS_CONTAINER_IPC_RANDOM_PORT, false);
+
+      DatanodeDetails dn = TestUtils.randomDatanodeDetails();
+      container = new OzoneContainer(dn, conf, null);
+      //Setting scmId, as we start manually ozone container.
+      container.getDispatcher().setScmId(UUID.randomUUID().toString());
+      container.start();
+
+      UserGroupInformation ugi = UserGroupInformation.createUserForTesting(
+          "user1",  new String[] {"usergroup"});
+      long expiryDate = (blockTokeExpired) ?
+          Time.now() - 60 * 60 * 2 : Time.now() + 60 * 60 * 24;
+
+      OzoneBlockTokenIdentifier tokenId = new OzoneBlockTokenIdentifier(
+          "testUser", "cid:lud:bcsid",
+          
EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class),
+          expiryDate, "1234", 128L);
+
+      int port = dn.getPort(DatanodeDetails.Port.Name.STANDALONE).getValue();
+      if (port == 0) {
+        port = secConfig.getConfiguration().getInt(OzoneConfigKeys
+                .DFS_CONTAINER_IPC_PORT,
+            OzoneConfigKeys.DFS_CONTAINER_IPC_PORT_DEFAULT);
+      }
+      InetSocketAddress addr =
+          new InetSocketAddress(dn.getIpAddress(), port);
+
+      Token<OzoneBlockTokenIdentifier> token =
+          new Token(tokenId.getBytes(), new byte[2], tokenId.getKind(),
+              SecurityUtil.buildTokenService(addr));
+      if (hasBlockToken) {
+        ugi.addToken(token);
+      }
+
+      ugi.doAs(new PrivilegedAction<Void>() {
+        @Override
+        public Void run() {
+          try {
+            XceiverClientGrpc client = new XceiverClientGrpc(pipeline, conf);
+            client.connect();
+            createContainerForTesting(client, containerID);
+          } catch (Exception e) {
+            if (requireBlockToken && hasBlockToken && !blockTokeExpired) {
+              fail("Client with BlockToken should succeed when block token is" 
+
+                  " required.");
+            }
+            if (requireBlockToken && hasBlockToken && blockTokeExpired) {
+              assertTrue("Receive expected exception",
+                  e instanceof SCMSecurityException);
+            }
+            if (requireBlockToken && !hasBlockToken) {
+              assertTrue("Receive expected exception", e instanceof
+                  SCMSecurityException);
+            }
+          }
+          return null;
+        }
+      });
+    } finally {
+      if (container != null) {
+        container.stop();
+      }
+    }
+  }
+
+  public static void createContainerForTesting(XceiverClientSpi client,
+      long containerID) throws Exception {
+    // Create container
+    ContainerProtos.ContainerCommandRequestProto request =
+        ContainerTestHelper.getCreateContainerRequest(
+            containerID, client.getPipeline());
+    ContainerProtos.ContainerCommandResponseProto response =
+        client.sendCommand(request);
+    Assert.assertNotNull(response);
+    Assert.assertTrue(request.getTraceID().equals(response.getTraceID()));
+  }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/hadoop/blob/96bd574d/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneBlockTokenIdentifier.java
----------------------------------------------------------------------
diff --git 
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneBlockTokenIdentifier.java
 
b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneBlockTokenIdentifier.java
deleted file mode 100644
index 5909916..0000000
--- 
a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestOzoneBlockTokenIdentifier.java
+++ /dev/null
@@ -1,255 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.ozone.security;
-
-import java.io.File;
-import java.io.IOException;
-import java.security.GeneralSecurityException;
-import java.security.InvalidKeyException;
-import java.security.KeyPair;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.PrivateKey;
-import java.security.Signature;
-import java.security.SignatureException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.EnumSet;
-import java.util.List;
-import java.util.Map;
-import javax.crypto.KeyGenerator;
-import javax.crypto.Mac;
-import javax.crypto.SecretKey;
-import org.apache.commons.lang3.RandomStringUtils;
-import org.apache.commons.lang3.RandomUtils;
-import org.apache.hadoop.fs.FileUtil;
-import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
-import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
-import org.apache.hadoop.test.GenericTestUtils;
-import org.apache.hadoop.util.Time;
-import org.junit.After;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * Test class for OzoneManagerDelegationToken.
- */
-public class TestOzoneBlockTokenIdentifier {
-
-  private static final Logger LOG = LoggerFactory
-      .getLogger(TestOzoneBlockTokenIdentifier.class);
-  private static final String BASEDIR = GenericTestUtils
-      .getTempPath(TestOzoneBlockTokenIdentifier.class.getSimpleName());
-  private static final String KEYSTORES_DIR =
-      new File(BASEDIR).getAbsolutePath();
-  private static long expiryTime;
-  private static KeyPair keyPair;
-  private static X509Certificate cert;
-
-  @BeforeClass
-  public static void setUp() throws Exception {
-    File base = new File(BASEDIR);
-    FileUtil.fullyDelete(base);
-    base.mkdirs();
-    expiryTime = Time.monotonicNow() + 60 * 60 * 24;
-
-    // Create Ozone Master key pair.
-    keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
-    // Create Ozone Master certificate (SCM CA issued cert) and key store.
-    cert = KeyStoreTestUtil
-        .generateCertificate("CN=OzoneMaster", keyPair, 30, "SHA256withRSA");
-  }
-
-  @After
-  public void cleanUp() throws Exception {
-    // KeyStoreTestUtil.cleanupSSLConfig(KEYSTORES_DIR, sslConfsDir);
-  }
-
-  @Test
-  public void testSignToken() throws GeneralSecurityException, IOException {
-    String keystore = new File(KEYSTORES_DIR, "keystore.jks")
-        .getAbsolutePath();
-    String truststore = new File(KEYSTORES_DIR, "truststore.jks")
-        .getAbsolutePath();
-    String trustPassword = "trustPass";
-    String keyStorePassword = "keyStorePass";
-    String keyPassword = "keyPass";
-
-
-    KeyStoreTestUtil.createKeyStore(keystore, keyStorePassword, keyPassword,
-        "OzoneMaster", keyPair.getPrivate(), cert);
-
-    // Create trust store and put the certificate in the trust store
-    Map<String, X509Certificate> certs = Collections.singletonMap("server",
-        cert);
-    KeyStoreTestUtil.createTrustStore(truststore, trustPassword, certs);
-
-    // Sign the OzoneMaster Token with Ozone Master private key
-    PrivateKey privateKey = keyPair.getPrivate();
-    OzoneBlockTokenIdentifier tokenId = new OzoneBlockTokenIdentifier(
-        "testUser", "84940",
-        EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class),
-        expiryTime, cert.getSerialNumber().toString());
-    byte[] signedToken = signTokenAsymmetric(tokenId, privateKey);
-
-    // Verify a valid signed OzoneMaster Token with Ozone Master
-    // public key(certificate)
-    boolean isValidToken = verifyTokenAsymmetric(tokenId, signedToken, cert);
-    LOG.info("{} is {}", tokenId, isValidToken ? "valid." : "invalid.");
-
-    // Verify an invalid signed OzoneMaster Token with Ozone Master
-    // public key(certificate)
-    tokenId = new OzoneBlockTokenIdentifier("", "",
-        EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class),
-        expiryTime, cert.getSerialNumber().toString());
-    LOG.info("Unsigned token {} is {}", tokenId,
-        verifyTokenAsymmetric(tokenId, RandomUtils.nextBytes(128), cert));
-
-  }
-
-  public byte[] signTokenAsymmetric(OzoneBlockTokenIdentifier tokenId,
-      PrivateKey privateKey) throws NoSuchAlgorithmException,
-      InvalidKeyException, SignatureException {
-    Signature rsaSignature = Signature.getInstance("SHA256withRSA");
-    rsaSignature.initSign(privateKey);
-    rsaSignature.update(tokenId.getBytes());
-    byte[] signature = rsaSignature.sign();
-    return signature;
-  }
-
-  public boolean verifyTokenAsymmetric(OzoneBlockTokenIdentifier tokenId,
-      byte[] signature, Certificate certificate) throws InvalidKeyException,
-      NoSuchAlgorithmException, SignatureException {
-    Signature rsaSignature = Signature.getInstance("SHA256withRSA");
-    rsaSignature.initVerify(certificate);
-    rsaSignature.update(tokenId.getBytes());
-    boolean isValid = rsaSignature.verify(signature);
-    return isValid;
-  }
-
-  private byte[] signTokenSymmetric(OzoneBlockTokenIdentifier identifier,
-      Mac mac, SecretKey key) {
-    try {
-      mac.init(key);
-    } catch (InvalidKeyException ike) {
-      throw new IllegalArgumentException("Invalid key to HMAC computation",
-          ike);
-    }
-    return mac.doFinal(identifier.getBytes());
-  }
-
-  OzoneBlockTokenIdentifier generateTestToken() {
-    return new OzoneBlockTokenIdentifier(RandomStringUtils.randomAlphabetic(6),
-        RandomStringUtils.randomAlphabetic(5),
-        EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class),
-        expiryTime, cert.getSerialNumber().toString());
-  }
-
-  @Test
-  public void testAsymmetricTokenPerf() throws NoSuchAlgorithmException,
-      CertificateEncodingException, NoSuchProviderException,
-      InvalidKeyException, SignatureException {
-    final int testTokenCount = 1000;
-    List<OzoneBlockTokenIdentifier> tokenIds = new ArrayList<>();
-    List<byte[]> tokenPasswordAsym = new ArrayList<>();
-    for (int i = 0; i < testTokenCount; i++) {
-      tokenIds.add(generateTestToken());
-    }
-
-    KeyPair kp = KeyStoreTestUtil.generateKeyPair("RSA");
-
-    // Create Ozone Master certificate (SCM CA issued cert) and key store
-    X509Certificate certificate;
-    certificate = KeyStoreTestUtil.generateCertificate("CN=OzoneMaster",
-        kp, 30, "SHA256withRSA");
-
-    long startTime = Time.monotonicNowNanos();
-    for (int i = 0; i < testTokenCount; i++) {
-      tokenPasswordAsym.add(
-          signTokenAsymmetric(tokenIds.get(i), kp.getPrivate()));
-    }
-    long duration = Time.monotonicNowNanos() - startTime;
-    LOG.info("Average token sign time with HmacSha256(RSA/1024 key) is {} ns",
-        duration / testTokenCount);
-
-    startTime = Time.monotonicNowNanos();
-    for (int i = 0; i < testTokenCount; i++) {
-      verifyTokenAsymmetric(tokenIds.get(i), tokenPasswordAsym.get(i),
-          certificate);
-    }
-    duration = Time.monotonicNowNanos() - startTime;
-    LOG.info("Average token verify time with HmacSha256(RSA/1024 key) "
-        + "is {} ns", duration / testTokenCount);
-  }
-
-  @Test
-  public void testSymmetricTokenPerf() {
-    String hmacSHA1 = "HmacSHA1";
-    String hmacSHA256 = "HmacSHA256";
-
-    testSymmetricTokenPerfHelper(hmacSHA1, 64);
-    testSymmetricTokenPerfHelper(hmacSHA256, 1024);
-  }
-
-  public void testSymmetricTokenPerfHelper(String hmacAlgorithm, int keyLen) {
-    final int testTokenCount = 1000;
-    List<OzoneBlockTokenIdentifier> tokenIds = new ArrayList<>();
-    List<byte[]> tokenPasswordSym = new ArrayList<>();
-    for (int i = 0; i < testTokenCount; i++) {
-      tokenIds.add(generateTestToken());
-    }
-
-    KeyGenerator keyGen;
-    try {
-      keyGen = KeyGenerator.getInstance(hmacAlgorithm);
-      keyGen.init(keyLen);
-    } catch (NoSuchAlgorithmException nsa) {
-      throw new IllegalArgumentException("Can't find " + hmacAlgorithm +
-          " algorithm.");
-    }
-
-    Mac mac;
-    try {
-      mac = Mac.getInstance(hmacAlgorithm);
-    } catch (NoSuchAlgorithmException nsa) {
-      throw new IllegalArgumentException("Can't find " + hmacAlgorithm +
-          " algorithm.");
-    }
-
-    SecretKey secretKey = keyGen.generateKey();
-
-    long startTime = Time.monotonicNowNanos();
-    for (int i = 0; i < testTokenCount; i++) {
-      tokenPasswordSym.add(
-          signTokenSymmetric(tokenIds.get(i), mac, secretKey));
-    }
-    long duration = Time.monotonicNowNanos() - startTime;
-    LOG.info("Average token sign time with {}({} symmetric key) is {} ns",
-        hmacAlgorithm, keyLen, duration / testTokenCount);
-  }
-
-  // TODO: verify certificate with a trust store
-  public boolean verifyCert(Certificate certificate) {
-    return true;
-  }
-}
\ No newline at end of file


---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-commits-h...@hadoop.apache.org

Reply via email to