This is an automated email from the ASF dual-hosted git repository. shv pushed a commit to branch branch-2 in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/branch-2 by this push:
new dc2b838 HDFS-14305. Fix serial number calculation in BlockTokenSecretManager to avoid token key ID overlap between NameNodes. Contributed by Konstantin V Shvachko.
dc2b838 is described below
commit dc2b838a8e6dfe58598cac8ec37546332eeedeb2
Author: Konstantin V Shvachko <s...@apache.org>
AuthorDate: Mon Sep 30 18:04:16 2019 -0700
HDFS-14305. Fix serial number calculation in BlockTokenSecretManager to avoid token key ID overlap between NameNodes. Contributed by Konstantin V Shvachko.
---
 .../token/block/BlockTokenSecretManager.java | 12 +++++++----
 .../hdfs/security/token/block/TestBlockToken.java | 24 ++++++++++++++++++++++
 .../ha/TestFailoverWithBlockTokensEnabled.java | 5 ++---
 3 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
index a934232..dae89c3 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
@@ -116,8 +116,6 @@ public class BlockTokenSecretManager extends
 encryptionAlgorithm, nnIndex, numNNs, shouldWrapQOP);
 Preconditions.checkArgument(nnIndex >= 0);
 Preconditions.checkArgument(numNNs > 0);
- setSerialNo(new SecureRandom().nextInt());
- generateKeys();
 }
 public BlockTokenSecretManager(long keyUpdateInterval,
@@ -140,13 +138,19 @@ public class BlockTokenSecretManager extends
 this.encryptionAlgorithm = encryptionAlgorithm;
 this.shouldWrapQOP = shouldWrapQOP;
 this.timer = new Timer();
+ setSerialNo(new SecureRandom().nextInt(Integer.MAX_VALUE));
+ LOG.info("Block token key range: [" +
+ nnRangeStart + ", " + (nnRangeStart + intRange) + ")");
 generateKeys();
 }
 @VisibleForTesting
- public synchronized void setSerialNo(int serialNo) {
+ public synchronized void setSerialNo(int nextNo) {
 // we mod the serial number by the range and then add that times the index
- this.serialNo = (serialNo % intRange) + (nnRangeStart);
+ this.serialNo = (nextNo % intRange) + (nnRangeStart);
+ assert serialNo >= nnRangeStart && serialNo < (nnRangeStart + intRange) :
+ "serialNo " + serialNo + " is not in the designated range: [" +
+ nnRangeStart + ", " + (nnRangeStart + intRange) + ")";
 }
 public void setBlockPoolId(String blockPoolId) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/token/block/TestBlockToken.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/token/block/TestBlockToken.java
index 55e9d30..7d0c90f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/token/block/TestBlockToken.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/token/block/TestBlockToken.java
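Review bot: The range invariant in `setSerialNo` (BlockTokenSecretManager.java) is enforced only by the new `assert`, which the JVM skips unless assertions are enabled, so in a normal deployment an out-of-range serial number would pass silently. Java's `%` keeps the sign of the dividend, so a negative `nextNo` handed to this public method yields a value below `nnRangeStart`, which is the key-ID overlap between NameNodes this commit sets out to prevent; the constructor is safe because `nextInt(Integer.MAX_VALUE)` is never negative, but callers outside this hunk are not visible here. I would make the contract explicit with `Preconditions.checkArgument(nextNo >= 0, "serial number must be non-negative: %s", nextNo);` as the first statement of the method. The hunk in TestFailoverWithBlockTokensEnabled.java removes the three `Integer.MIN_VALUE` cases, so negative input is no longer covered by any test.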
@@ -411,4 +411,28 @@ public class TestBlockToken {
 cluster.shutdown();
 }
 }
+
+ /**
+ * Verify that block token serialNo is always within the range designated to
+ * to the NameNode.
+ */
+ @Test
+ public void testBlockTokenRanges() throws IOException {
+ final int interval = 1024;
+ final int numNNs = Integer.MAX_VALUE / interval;
+ for(int nnIdx = 0; nnIdx < 64; nnIdx++) {
+ BlockTokenSecretManager sm = new BlockTokenSecretManager(
+ blockKeyUpdateInterval, blockTokenLifetime, nnIdx, numNNs,
+ "fake-pool", null, false);
+ int rangeStart = nnIdx * interval;
+ for(int i = 0; i < interval * 3; i++) {
+ int serialNo = sm.getSerialNoForTesting();
+ assertTrue(
+ "serialNo " + serialNo + " is not in the designated range: [" +
+ rangeStart + ", " + (rangeStart + interval) + ")",
+ serialNo >= rangeStart && serialNo < (rangeStart + interval));
+ sm.updateKeys();
+ }
+ }
+ }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestFailoverWithBlockTokensEnabled.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestFailoverWithBlockTokensEnabled.java
index 43ab69d..ff90121 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestFailoverWithBlockTokensEnabled.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestFailoverWithBlockTokensEnabled.java
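Review bot: `testBlockTokenRanges` in TestBlockToken.java only exercises NameNode indices 0 through 63 of the roughly two million that `numNNs` configures, so the top of the int range, where `rangeStart + interval` comes closest to `Integer.MAX_VALUE` and an overflow would show up, is never checked. Adding one pass with `nnIdx = numNNs - 1` would cover that boundary at little extra cost. The Javadoc also has a doubled word, `designated to to the NameNode`.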
@@ -92,11 +92,10 @@ public class TestFailoverWithBlockTokensEnabled {
 setAndCheckSerialNumber(0, btsm1, btsm2, btsm3);
 setAndCheckSerialNumber(Integer.MAX_VALUE, btsm1, btsm2, btsm3);
- setAndCheckSerialNumber(Integer.MIN_VALUE, btsm1, btsm2, btsm3);
 setAndCheckSerialNumber(Integer.MAX_VALUE / 2, btsm1, btsm2, btsm3);
- setAndCheckSerialNumber(Integer.MIN_VALUE / 2, btsm1, btsm2, btsm3);
 setAndCheckSerialNumber(Integer.MAX_VALUE / 3, btsm1, btsm2, btsm3);
- setAndCheckSerialNumber(Integer.MIN_VALUE / 3, btsm1, btsm2, btsm3);
+ setAndCheckSerialNumber(Integer.MAX_VALUE / 171717,
+ btsm1, btsm2, btsm3);
 }
 private void setAndCheckSerialNumber(int serialNumber, BlockTokenSecretManager... btsms) {
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-commits-h...@hadoop.apache.org