HDDS-7831. Use symmetric secret key to sign and verify token (apache#…

…4417)
duongkame · Jun 8, 2023 · 655dd60 · 655dd60
1 parent e2709f8
commit 655dd60
Show file tree

Hide file tree

Showing 65 changed files with 1,261 additions and 1,547 deletions.
diff --git a/.../common/src/main/java/org/apache/hadoop/hdds/security/token/ContainerTokenIdentifier.java b/.../common/src/main/java/org/apache/hadoop/hdds/security/token/ContainerTokenIdentifier.java
@@ -21,13 +21,15 @@
 import org.apache.hadoop.hdds.protocol.proto.StorageContainerLocationProtocolProtos.ContainerTokenSecretProto;
 import org.apache.hadoop.hdds.scm.container.ContainerID;
 import org.apache.hadoop.io.Text;
+import org.apache.hadoop.util.ProtobufUtils;
 
 import java.io.DataInput;
 import java.io.DataInputStream;
 import java.io.DataOutput;
 import java.io.IOException;
 import java.time.Instant;
 import java.util.Objects;
+import java.util.UUID;
 
 /**
  * Token identifier for container operations, similar to block token.
@@ -43,11 +45,18 @@ public ContainerTokenIdentifier() {
   }
 
   public ContainerTokenIdentifier(String ownerId, ContainerID containerID,
-      String certSerialId, Instant expiryDate) {
-    super(ownerId, expiryDate, certSerialId);
+                                  Instant expiryDate) {
+    super(ownerId, expiryDate);
     this.containerID = containerID;
   }
 
+  public ContainerTokenIdentifier(String ownerId, ContainerID containerID,
+                                  UUID secretKeyId,
+                                  Instant expiryDate) {
+    this(ownerId, containerID, expiryDate);
+    setSecretKeyId(secretKeyId);
+  }
+
   @Override
   public Text getKind() {
     return KIND;
@@ -58,7 +67,7 @@ public void write(DataOutput out) throws IOException {
     ContainerTokenSecretProto.Builder builder = ContainerTokenSecretProto
         .newBuilder()
         .setOwnerId(getOwnerId())
-        .setCertSerialId(getCertSerialId())
+        .setSecretKeyId(ProtobufUtils.toProtobuf(getSecretKeyId()))
         .setExpiryDate(getExpiry().toEpochMilli())
         .setContainerId(containerID.getProtobuf());
     out.write(builder.build().toByteArray());
@@ -72,7 +81,7 @@ public void readFields(DataInput in) throws IOException {
     }
     ContainerTokenSecretProto proto =
         ContainerTokenSecretProto.parseFrom((DataInputStream) in);
-    setCertSerialId(proto.getCertSerialId());
+    setSecretKeyId(ProtobufUtils.fromProtobuf(proto.getSecretKeyId()));
     setExpiry(Instant.ofEpochMilli(proto.getExpiryDate()));
     setOwnerId(proto.getOwnerId());
     this.containerID = ContainerID.getFromProtobuf(proto.getContainerId());

diff --git a/...common/src/main/java/org/apache/hadoop/hdds/security/token/OzoneBlockTokenIdentifier.java b/...common/src/main/java/org/apache/hadoop/hdds/security/token/OzoneBlockTokenIdentifier.java
@@ -25,6 +25,7 @@
 import org.apache.hadoop.hdds.protocol.proto.HddsProtos.BlockTokenSecretProto.AccessModeProto;
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.security.token.Token.TrivialRenewer;
+import org.apache.hadoop.util.ProtobufUtils;
 
 import java.io.DataInput;
 import java.io.DataInputStream;
@@ -59,16 +60,14 @@ public OzoneBlockTokenIdentifier() {
   }
 
   public OzoneBlockTokenIdentifier(String ownerId, BlockID blockId,
-      Set<AccessModeProto> modes, long expiryDate, String omCertSerialId,
-      long maxLength) {
-    this(ownerId, getTokenService(blockId), modes, expiryDate, omCertSerialId,
+      Set<AccessModeProto> modes, long expiryDate, long maxLength) {
+    this(ownerId, getTokenService(blockId), modes, expiryDate,
         maxLength);
   }
 
   public OzoneBlockTokenIdentifier(String ownerId, String blockId,
-      Set<AccessModeProto> modes, long expiryDate, String omCertSerialId,
-      long maxLength) {
-    super(ownerId, Instant.ofEpochMilli(expiryDate), omCertSerialId);
+      Set<AccessModeProto> modes, long expiryDate, long maxLength) {
+    super(ownerId, Instant.ofEpochMilli(expiryDate));
     this.blockId = blockId;
     this.modes = modes == null
         ? EnumSet.noneOf(AccessModeProto.class) : EnumSet.copyOf(modes);
@@ -136,7 +135,7 @@ public void readFields(DataInput in) throws IOException {
         BlockTokenSecretProto.parseFrom((DataInputStream) in);
     setOwnerId(token.getOwnerId());
     setExpiry(Instant.ofEpochMilli(token.getExpiryDate()));
-    setCertSerialId(token.getOmCertSerialId());
+    setSecretKeyId(ProtobufUtils.fromProtobuf(token.getSecretKeyId()));
     this.blockId = token.getBlockId();
     this.modes = EnumSet.copyOf(token.getModesList());
     this.maxLength = token.getMaxLength();
@@ -147,18 +146,21 @@ public static OzoneBlockTokenIdentifier readFieldsProtobuf(DataInput in)
       throws IOException {
     BlockTokenSecretProto token =
         BlockTokenSecretProto.parseFrom((DataInputStream) in);
-    return new OzoneBlockTokenIdentifier(token.getOwnerId(),
-        token.getBlockId(), EnumSet.copyOf(token.getModesList()),
-        token.getExpiryDate(), token.getOmCertSerialId(),
-        token.getMaxLength());
+    OzoneBlockTokenIdentifier tokenId =
+        new OzoneBlockTokenIdentifier(token.getOwnerId(),
+            token.getBlockId(), EnumSet.copyOf(token.getModesList()),
+            token.getExpiryDate(),
+            token.getMaxLength());
+    tokenId.setSecretKeyId(ProtobufUtils.fromProtobuf(token.getSecretKeyId()));
+    return tokenId;
   }
 
   @Override
   public void write(DataOutput out) throws IOException {
     BlockTokenSecretProto.Builder builder = BlockTokenSecretProto.newBuilder()
         .setBlockId(blockId)
         .setOwnerId(getOwnerId())
-        .setOmCertSerialId(getCertSerialId())
+        .setSecretKeyId(ProtobufUtils.toProtobuf(getSecretKeyId()))
         .setExpiryDate(getExpiryDate())
         .setMaxLength(maxLength);
     // Add access mode allowed

diff --git a/...common/src/main/java/org/apache/hadoop/hdds/security/token/ShortLivedTokenIdentifier.java b/...common/src/main/java/org/apache/hadoop/hdds/security/token/ShortLivedTokenIdentifier.java
@@ -24,6 +24,7 @@
 
 import java.time.Instant;
 import java.util.Objects;
+import java.util.UUID;
 
 /**
  * Base class for short-lived tokens (block, container).
@@ -33,18 +34,16 @@ public abstract class ShortLivedTokenIdentifier extends TokenIdentifier {
 
   private String ownerId;
   private Instant expiry;
-  private String certSerialId;
+  private UUID secretKeyId;
 
   public abstract String getService();
 
   protected ShortLivedTokenIdentifier() {
   }
 
-  protected ShortLivedTokenIdentifier(String ownerId, Instant expiry,
-      String certSerialId) {
+  protected ShortLivedTokenIdentifier(String ownerId, Instant expiry) {
     this.ownerId = ownerId;
     this.expiry = expiry;
-    this.certSerialId = certSerialId;
   }
 
   @Override
@@ -67,22 +66,23 @@ protected void setExpiry(Instant expiry) {
     this.expiry = expiry;
   }
 
-  protected void setCertSerialId(String certSerialId) {
-    this.certSerialId = certSerialId;
+  public void setSecretKeyId(UUID secretKeyId) {
+    this.secretKeyId = secretKeyId;
   }
 
   public Instant getExpiry() {
     return expiry;
   }
 
-  public String getCertSerialId() {
-    return certSerialId;
-  }
 
   public String getOwnerId() {
     return ownerId;
   }
 
+  public UUID getSecretKeyId() {
+    return secretKeyId;
+  }
+
   @Override
   public boolean equals(Object o) {
     if (this == o) {
@@ -95,18 +95,18 @@ public boolean equals(Object o) {
     ShortLivedTokenIdentifier that = (ShortLivedTokenIdentifier) o;
     return Objects.equals(ownerId, that.ownerId) &&
         Objects.equals(expiry, that.expiry) &&
-        Objects.equals(certSerialId, that.certSerialId);
+        Objects.equals(secretKeyId, that.secretKeyId);
   }
 
   @Override
   public int hashCode() {
-    return Objects.hash(ownerId, expiry, certSerialId);
+    return Objects.hash(ownerId, expiry, secretKeyId);
   }
 
   @Override
   public String toString() {
     return "ownerId=" + ownerId +
         ", expiry=" + expiry +
-        ", certSerialId=" + certSerialId;
+        ", secretKeyId=" + secretKeyId;
   }
 }
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java
@@ -487,4 +487,8 @@ public long getS3AuthInfoMaxDate() {
         OzoneConfigKeys.OZONE_S3_AUTHINFO_MAX_LIFETIME_KEY_DEFAULT,
         TimeUnit.MICROSECONDS);
   }
+
+  public boolean isTokenEnabled() {
+    return blockTokenEnabled || containerTokenEnabled;
+  }
 }
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java
@@ -36,6 +36,7 @@
 import org.apache.hadoop.hdds.conf.ConfigurationSource;
 
 import org.apache.commons.validator.routines.InetAddressValidator;
+
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_HTTP_SECURITY_ENABLED_DEFAULT;
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_HTTP_SECURITY_ENABLED_KEY;
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_DEFAULT;