
Commit 821adc9

aim-for-betterZhenyu Zhou
andauthored
Support creating cluster with encryption at host. (#12671)
Co-authored-by: Zhenyu Zhou <zhezhou@microsoft.com>
1 parent bbe51f8 commit 821adc9


12 files changed

+3038
-15
lines changed


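--- a/src/HDInsight/HDInsight.Test/HDInsight.Test.csproj
+++ b/src/HDInsight/HDInsight.Test/HDInsight.Test.csproj
@@ -12,7 +12,7 @@
 
 <ItemGroup>
 <PackageReference Include="Microsoft.Azure.KeyVault" Version="3.0.5" />
-<PackageReference Include="Microsoft.Azure.Management.HDInsight" Version="5.5.0" />
+<PackageReference Include="Microsoft.Azure.Management.HDInsight" Version="5.6.0" />
 <PackageReference Include="Microsoft.Azure.Management.HDInsight.Job" Version="2.0.7" />
 <PackageReference Include="Microsoft.Azure.Management.KeyVault" Version="3.0.0" />
 <PackageReference Include="Microsoft.Azure.Management.ManagedServiceIdentity" Version="0.11.0" />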

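--- a/src/HDInsight/HDInsight.Test/ScenarioTests/HDInsightClusterTests.cs
+++ b/src/HDInsight/HDInsight.Test/ScenarioTests/HDInsightClusterTests.cs
@@ -56,5 +56,12 @@ public void TestCreateClusterWithPrivateLink()
 {
 TestController.NewInstance.RunPowerShellTest(_logger, "Test-CreateClusterWithPrivateLink");
 }
+
+[Fact]
+[Trait(Category.AcceptanceType, Category.CheckIn)]
+public void TestCreateClusterWithEncryptionAtHost()
+{
+TestController.NewInstance.RunPowerShellTest(_logger, "Test-TestCreateClusterWithEncryptionAtHost");
+}
 }
 }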
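Review bot: The script name passed to `RunPowerShellTest`, `"Test-TestCreateClusterWithEncryptionAtHost"`, doubles the `Test` prefix, whereas the neighbouring test in the context lines uses `"Test-CreateClusterWithPrivateLink"`. It resolves only because the function added in HDInsightClusterTests.ps1 carries the same doubled name. Renaming both to `Test-CreateClusterWithEncryptionAtHost` would keep the suite's naming consistent. The enclosing class starts outside the hunk.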

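--- a/src/HDInsight/HDInsight.Test/ScenarioTests/HDInsightClusterTests.ps1
+++ b/src/HDInsight/HDInsight.Test/ScenarioTests/HDInsightClusterTests.ps1
@@ -163,3 +163,39 @@ function Test-CreateClusterWithPrivateLink{
 Remove-AzResourceGroup -ResourceGroupName $cluster.ResourceGroup
 }
 }
+
+<#
+.SYNOPSIS
+Test Create Azure HDInsight Cluster which Enalbes Encryption At Host
+#>
+
+function Test-TestCreateClusterWithEncryptionAtHost{
+
+# Create some resources that will be used throughout test
+try
+{
+# prepare parameter for creating parameter
+$params= Prepare-ClusterCreateParameterForWASB -Location "South Central US"
+$encryptionAtHost=$true
+$workerNodeSize="Standard_DS14_v2"
+$headNodeSize="Standard_DS14_v2"
+$zookeeperNodeSize="Standard_DS14_v2"
+
+# create cluster
+$cluster=New-AzHDInsightCluster -Location $params.location -ResourceGroupName $params.resourceGroupName `
+-ClusterName $params.clusterName -ClusterSizeInNodes $params.clusterSizeInNodes -ClusterType $params.clusterType `
+-WorkerNodeSize $workerNodeSize -HeadNodeSize $headNodeSize -ZookeeperNodeSize $zookeeperNodeSize `
+-DefaultStorageAccountName $params.storageAccountName -DefaultStorageAccountKey $params.storageAccountKey `
+-HttpCredential $params.httpCredential -SshCredential $params.sshCredential `
+-MinSupportedTlsVersion $params.minSupportedTlsVersion -EncryptionAtHost $encryptionAtHost
+
+Assert-AreEqual $cluster.DiskEncryption.EncryptionAtHost $encryptionAtHost
+
+}
+finally
+{
+# Delete cluster and resource group
+Remove-AzHDInsightCluster -ClusterName $cluster.Name
+Remove-AzResourceGroup -ResourceGroupName $cluster.ResourceGroup
+}
+}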
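Review bot: The `finally` block reads `$cluster.Name` and `$cluster.ResourceGroup`, so if `New-AzHDInsightCluster` throws, `$cluster` is never assigned and both cleanup calls receive empty arguments. That would presumably fail in cleanup, obscure the original error and leave the resource group and its storage account behind. Cleaning up from values the test already holds avoids this: `Remove-AzHDInsightCluster -ClusterName $params.clusterName` and `Remove-AzResourceGroup -ResourceGroupName $params.resourceGroupName`. The context lines of `Test-CreateClusterWithPrivateLink` show the same pattern for the resource group. The synopsis also misspells "Enables" as "Enalbes".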

src/HDInsight/HDInsight.Test/SessionRecords/Commands.HDInsight.Test.ScenarioTests.HDInsightClusterTests/TestCreateClusterWithEncryptionAtHost.json

Lines changed: 2877 additions & 0 deletions
Large diffs are not rendered by default.

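--- a/src/HDInsight/HDInsight/ChangeLog.md
+++ b/src/HDInsight/HDInsight/ChangeLog.md
@@ -18,6 +18,7 @@
 - Additional information about change #1
 -->
 ## Upcoming Release
+Support creating cluster with encryption at host feature.
 
 ## Version 3.4.0
 * Supported creating cluster with encryption in transit feature.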

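--- a/src/HDInsight/HDInsight/HDInsight.csproj
+++ b/src/HDInsight/HDInsight/HDInsight.csproj
@@ -11,7 +11,7 @@
 </PropertyGroup>
 
 <ItemGroup>
-<PackageReference Include="Microsoft.Azure.Management.HDInsight" Version="5.5.0" />
+<PackageReference Include="Microsoft.Azure.Management.HDInsight" Version="5.6.0" />
 <PackageReference Include="Microsoft.Azure.Management.HDInsight.Job" Version="2.0.7" />
 <PackageReference Include="WindowsAzure.Storage" Version="9.3.0" />
 </ItemGroup>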

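--- a/src/HDInsight/HDInsight/ManagementCommands/NewAzureHDInsightClusterCommand.cs
+++ b/src/HDInsight/HDInsight/ManagementCommands/NewAzureHDInsightClusterCommand.cs
@@ -145,7 +145,8 @@ public AzureHDInsightConfig Config
 EncryptionVaultUri = EncryptionVaultUri,
 PublicNetworkAccessType = PublicNetworkAccessType,
 OutboundPublicNetworkAccessType = OutboundPublicNetworkAccessType,
-EncryptionInTransit = EncryptionInTransit
+EncryptionInTransit = EncryptionInTransit,
+EncryptionAtHost = EncryptionAtHost
 };
 foreach (
 var storageAccount in
@@ -208,6 +209,7 @@ var storageAccount in
 PublicNetworkAccessType = value.PublicNetworkAccessType;
 OutboundPublicNetworkAccessType = value.OutboundPublicNetworkAccessType;
 EncryptionInTransit = value.EncryptionInTransit;
+EncryptionAtHost = value.EncryptionAtHost;
 
 foreach (
 var storageAccount in
@@ -392,14 +394,17 @@ public DateTime RdpAccessExpiry
 
 [Parameter(HelpMessage = "Gets or sets the public network access type.")]
 [ValidateSet(PublicNetworkAccess.InboundAndOutbound, PublicNetworkAccess.OutboundOnly, IgnoreCase = true)]
-public string PublicNetworkAccessType;
+public string PublicNetworkAccessType { get; set; }
 
 [Parameter(HelpMessage = "Gets or sets the outbound access type to the public network.")]
 [ValidateSet(OutboundOnlyPublicNetworkAccessType.PublicLoadBalancer, OutboundOnlyPublicNetworkAccessType.UDR, IgnoreCase = true)]
-public string OutboundPublicNetworkAccessType;
+public string OutboundPublicNetworkAccessType { get; set; }
 
 [Parameter(HelpMessage = "Gets or sets the flag which indicates whether enable encryption in transit or not.")]
-public bool? EncryptionInTransit;
+public bool? EncryptionInTransit { get; set; }
+
+[Parameter(HelpMessage = "Gets or sets the flag which indicates whether enable encryption at host or not.")]
+public bool? EncryptionAtHost { get; set; }
 
 #endregion
 
@@ -540,6 +545,21 @@ var storageAccount in
 };
 }
 
+if (EncryptionAtHost != null)
+{
+if (parameters.DiskEncryptionProperties != null)
+{
+parameters.DiskEncryptionProperties.EncryptionAtHost = EncryptionAtHost;
+}
+else
+{
+parameters.DiskEncryptionProperties = new DiskEncryptionProperties()
+{
+EncryptionAtHost = EncryptionAtHost
+};
+}
+}
+
 var cluster = HDInsightManagementClient.CreateNewCluster(ResourceGroupName, ClusterName, OSType, parameters, MinSupportedTlsVersion, this.DefaultContext.Environment.ActiveDirectoryAuthority, this.DefaultContext.Environment.DataLakeEndpointResourceId, PublicNetworkAccessType, OutboundPublicNetworkAccessType, EncryptionInTransit);
 
 if (cluster != null)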
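Review bot: The `HelpMessage` on the new `EncryptionAtHost` parameter (third hunk) does not say what happens when the parameter is omitted, which is the case users of a security control most need spelled out. The parameter is `bool?` and the last hunk writes `DiskEncryptionProperties.EncryptionAtHost` only when it is non-null, so an omitted value appears to leave the decision to the service default. I would reword it along the lines of `"Specifies whether encryption at host is enabled for the cluster. When omitted, no value is set and the service default applies."`, and carry the same wording to NewAzureHDInsightClusterConfigCommand.cs, the doc comment in AzureHDInsightConfig.cs and New-AzHDInsightCluster.md. The nested `if`/`else` in the last hunk could also be flattened by creating `DiskEncryptionProperties` when it is null and then assigning once. The enclosing method starts and ends outside the hunk.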

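--- a/src/HDInsight/HDInsight/ManagementCommands/NewAzureHDInsightClusterConfigCommand.cs
+++ b/src/HDInsight/HDInsight/ManagementCommands/NewAzureHDInsightClusterConfigCommand.cs
@@ -214,6 +214,13 @@ public bool? EncryptionInTransit
 set { _config.EncryptionInTransit = value; }
 }
 
+[Parameter(HelpMessage = "Gets or sets the flag which indicates whether enable encryption at host or not.")]
+public bool? EncryptionAtHost
+{
+get { return _config.EncryptionAtHost; }
+set { _config.EncryptionAtHost = value; }
+}
+
 #endregion
 
 public NewAzureHDInsightClusterConfigCommand()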

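--- a/src/HDInsight/HDInsight/Models/Management/AzureHDInsightConfig.cs
+++ b/src/HDInsight/HDInsight/Models/Management/AzureHDInsightConfig.cs
@@ -185,6 +185,11 @@ public class AzureHDInsightConfig
 /// </summary>
 public bool? EncryptionInTransit;
 
+/// <summary>
+/// Gets or sets the flag which indicates whether enable encryption at host or not.
+/// </summary>
+public bool? EncryptionAtHost;
+
 public AzureHDInsightConfig()
 {
 ClusterType = Constants.Hadoop;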

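--- a/src/HDInsight/HDInsight/help/New-AzHDInsightCluster.md
+++ b/src/HDInsight/HDInsight/help/New-AzHDInsightCluster.md
@@ -33,8 +33,9 @@ New-AzHDInsightCluster [-Location] <String> [-ResourceGroupName] <String> [-Clus
 [-AadTenantId <Guid>] [-SecurityProfile <AzureHDInsightSecurityProfile>] [-DisksPerWorkerNode <Int32>]
 [-MinSupportedTlsVersion <String>] [-AssignedIdentity <String>] [-EncryptionAlgorithm <String>]
 [-EncryptionKeyName <String>] [-EncryptionKeyVersion <String>] [-EncryptionVaultUri <String>]
-[-DefaultProfile <IAzureContextContainer>] [-PublicNetworkAccessType <String>]
-[-OutboundPublicNetworkAccessType <String>] [-EncryptionInTransit <Boolean>] [<CommonParameters>]
+[-PublicNetworkAccessType <String>] [-OutboundPublicNetworkAccessType <String>]
+[-EncryptionInTransit <Boolean>] [-EncryptionAtHost <Boolean>] [-DefaultProfile <IAzureContextContainer>]
+[<CommonParameters>]
 ```
 
 ### CertificateFilePath
@@ -57,8 +58,9 @@ New-AzHDInsightCluster [-Location] <String> [-ResourceGroupName] <String> [-Clus
 [-CertificatePassword <String>] [-AadTenantId <Guid>] [-SecurityProfile <AzureHDInsightSecurityProfile>]
 [-DisksPerWorkerNode <Int32>] [-MinSupportedTlsVersion <String>] [-AssignedIdentity <String>]
 [-EncryptionAlgorithm <String>] [-EncryptionKeyName <String>] [-EncryptionKeyVersion <String>]
-[-EncryptionVaultUri <String>] [-DefaultProfile <IAzureContextContainer>] [-PublicNetworkAccessType <String>]
-[-OutboundPublicNetworkAccessType <String>] [-EncryptionInTransit <Boolean>] [<CommonParameters>]
+[-EncryptionVaultUri <String>] [-PublicNetworkAccessType <String>] [-OutboundPublicNetworkAccessType <String>]
+[-EncryptionInTransit <Boolean>] [-EncryptionAtHost <Boolean>] [-DefaultProfile <IAzureContextContainer>]
+[<CommonParameters>]
 ```
 
 ### CertificateFileContents
@@ -81,8 +83,9 @@ New-AzHDInsightCluster [-Location] <String> [-ResourceGroupName] <String> [-Clus
 [-CertificatePassword <String>] [-AadTenantId <Guid>] [-SecurityProfile <AzureHDInsightSecurityProfile>]
 [-DisksPerWorkerNode <Int32>] [-MinSupportedTlsVersion <String>] [-AssignedIdentity <String>]
 [-EncryptionAlgorithm <String>] [-EncryptionKeyName <String>] [-EncryptionKeyVersion <String>]
-[-EncryptionVaultUri <String>] [-DefaultProfile <IAzureContextContainer>] [-PublicNetworkAccessType <String>]
-[-OutboundPublicNetworkAccessType <String>] [-EncryptionInTransit <Boolean>] [<CommonParameters>]
+[-EncryptionVaultUri <String>] [-PublicNetworkAccessType <String>] [-OutboundPublicNetworkAccessType <String>]
+[-EncryptionInTransit <Boolean>] [-EncryptionAtHost <Boolean>] [-DefaultProfile <IAzureContextContainer>]
+[<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -107,7 +110,7 @@ PS C:\&gt; # Primary storage account info
 $clusterCreds = Get-Credential
 
 # If the cluster's resource group doesn't exist yet, run:
-# New-AzResourceGroup -Name $clusterResourceGroupName -Location $location
+# New-AzResourceGroup -Name $clusterResourceGroupName -Location $location
 
 # Create the cluster
 New-AzHDInsightCluster `
@@ -185,7 +188,7 @@ PS C:\&gt; # Primary storage account info
 $clusterCreds = Get-Credential
 
 # If the cluster's resource group doesn't exist yet, run:
-# New-AzResourceGroup -Name $clusterResourceGroupName -Location $location
+# New-AzResourceGroup -Name $clusterResourceGroupName -Location $location
 
 # Create the cluster
 New-AzHDInsightCluster `
@@ -239,7 +242,40 @@ PS C:\&gt; # Primary storage account info
 -SshCredential $clusterCreds `
 -VirtualNetworkId $virtualNetworkId -SubnetName $subnetName `
 -PublicNetworkAccessType OutboundOnly -OutboundPublicNetworkAccessType PublicLoadBalancer `
+```
+
+### Example 5: Create an Azure HDInsight cluster which enables encryption at host
+```
+PS C:\&gt; # Primary storage account info
+$storageAccountResourceGroupName = "Group"
+$storageAccountName = "yourstorageacct001"
+$storageAccountKey = Get-AzStorageAccountKey `
+-ResourceGroupName $storageAccountResourceGroupName `
+-Name $storageAccountName | %{ $_.Key1 }
+$storageContainer = "container002"
 
+# Cluster configuration info
+$location = "East US 2"
+$clusterResourceGroupName = "Group"
+$clusterName = "your-hadoop-002"
+$clusterCreds = Get-Credential
+
+# If the cluster's resource group doesn't exist yet, run:
+# New-AzResourceGroup -Name $clusterResourceGroupName -Location $location
+
+# Create the cluster
+New-AzHDInsightCluster `
+-ClusterType Hadoop `
+-ClusterSizeInNodes 4 `
+-ResourceGroupName $clusterResourceGroupName `
+-ClusterName $clusterName `
+-HttpCredential $clusterCreds `
+-Location $location `
+-DefaultStorageAccountName "$storageAccountName.blob.core.contoso.net" `
+-DefaultStorageAccountKey $storageAccountKey `
+-DefaultStorageContainer $storageContainer `
+-SshCredential $clusterCreds `
+-EncryptionAtHost $true `
 ```
 
 ## PARAMETERS
@@ -601,6 +637,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -EncryptionAtHost
+Gets or sets the flag which indicates whether enable encryption at host or not.
+
+```yaml
+Type: System.Nullable`1[System.Boolean]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -EncryptionInTransit
 Gets or sets the flag which indicates whether enable encryption in transit or not.
 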