This is an automated email from the ASF dual-hosted git repository.
shv pushed a commit to branch branch-2
in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/branch-2 by this push:
new dc2b838 HDFS-14305. Fix serial number calculation in
BlockTokenSecretManager to avoid token key ID overlap between NameNodes.
Contributed by Konstantin V Shvachko.
dc2b838 is described below
commit dc2b838a8e6dfe58598cac8ec37546332eeedeb2
Author: Konstantin V Shvachko <s...@apache.org>
AuthorDate: Mon Sep 30 18:04:16 2019 -0700
HDFS-14305. Fix serial number calculation in BlockTokenSecretManager to
avoid token key ID overlap between NameNodes. Contributed by Konstantin V
Shvachko.
---
.../token/block/BlockTokenSecretManager.java | 12 +++++++----
.../hdfs/security/token/block/TestBlockToken.java | 24 ++++++++++++++++++++++
.../ha/TestFailoverWithBlockTokensEnabled.java | 5 ++---
3 files changed, 34 insertions(+), 7 deletions(-)
diff --git
a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
index a934232..dae89c3 100644
---
a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
+++
b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
@@ -116,8 +116,6 @@ public class BlockTokenSecretManager extends
encryptionAlgorithm, nnIndex, numNNs, shouldWrapQOP);
Preconditions.checkArgument(nnIndex >= 0);
Preconditions.checkArgument(numNNs > 0);
- setSerialNo(new SecureRandom().nextInt());
- generateKeys();
}
public BlockTokenSecretManager(long keyUpdateInterval,
@@ -140,13 +138,19 @@ public class BlockTokenSecretManager extends
this.encryptionAlgorithm = encryptionAlgorithm;
this.shouldWrapQOP = shouldWrapQOP;
this.timer = new Timer();
+ setSerialNo(new SecureRandom().nextInt(Integer.MAX_VALUE));
+ LOG.info("Block token key range: [" +
+ nnRangeStart + ", " + (nnRangeStart + intRange) + ")");
generateKeys();
}
@VisibleForTesting
- public synchronized void setSerialNo(int serialNo) {
+ public synchronized void setSerialNo(int nextNo) {
// we mod the serial number by the range and then add that times the index
- this.serialNo = (serialNo % intRange) + (nnRangeStart);
+ this.serialNo = (nextNo % intRange) + (nnRangeStart);
+ assert serialNo >= nnRangeStart && serialNo < (nnRangeStart + intRange) :
+ "serialNo " + serialNo + " is not in the designated range: [" +
+ nnRangeStart + ", " + (nnRangeStart + intRange) + ")";
}
public void setBlockPoolId(String blockPoolId) {
diff --git
a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/token/block/TestBlockToken.java
b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/token/block/TestBlockToken.java
index 55e9d30..7d0c90f 100644
---
a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/token/block/TestBlockToken.java
+++
b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/token/block/TestBlockToken.java
@@ -411,4 +411,28 @@ public class TestBlockToken {
cluster.shutdown();
}
}
+
+ /**
+ * Verify that block token serialNo is always within the range designated to
+ * to the NameNode.
+ */
+ @Test
+ public void testBlockTokenRanges() throws IOException {
+ final int interval = 1024;
+ final int numNNs = Integer.MAX_VALUE / interval;
+ for(int nnIdx = 0; nnIdx < 64; nnIdx++) {
+ BlockTokenSecretManager sm = new BlockTokenSecretManager(
+ blockKeyUpdateInterval, blockTokenLifetime, nnIdx, numNNs,
+ "fake-pool", null, false);
+ int rangeStart = nnIdx * interval;
+ for(int i = 0; i < interval * 3; i++) {
+ int serialNo = sm.getSerialNoForTesting();
+ assertTrue(
+ "serialNo " + serialNo + " is not in the designated range: [" +
+ rangeStart + ", " + (rangeStart + interval) + ")",
+ serialNo >= rangeStart && serialNo < (rangeStart + interval));
+ sm.updateKeys();
+ }
+ }
+ }
}
diff --git
a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestFailoverWithBlockTokensEnabled.java
b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestFailoverWithBlockTokensEnabled.java
index 43ab69d..ff90121 100644
---
a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestFailoverWithBlockTokensEnabled.java
+++
b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestFailoverWithBlockTokensEnabled.java
@@ -92,11 +92,10 @@ public class TestFailoverWithBlockTokensEnabled {
setAndCheckSerialNumber(0, btsm1, btsm2, btsm3);
setAndCheckSerialNumber(Integer.MAX_VALUE, btsm1, btsm2, btsm3);
- setAndCheckSerialNumber(Integer.MIN_VALUE, btsm1, btsm2, btsm3);
setAndCheckSerialNumber(Integer.MAX_VALUE / 2, btsm1, btsm2, btsm3);
- setAndCheckSerialNumber(Integer.MIN_VALUE / 2, btsm1, btsm2, btsm3);
setAndCheckSerialNumber(Integer.MAX_VALUE / 3, btsm1, btsm2, btsm3);
- setAndCheckSerialNumber(Integer.MIN_VALUE / 3, btsm1, btsm2, btsm3);
+ setAndCheckSerialNumber(Integer.MAX_VALUE / 171717,
+ btsm1, btsm2, btsm3);
}
private void setAndCheckSerialNumber(int serialNumber,
BlockTokenSecretManager... btsms) {
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-commits-h...@hadoop.apache.org
