HADOOP-15473. Configure serialFilter in KeyProvider to avoid UnrecoverableKeyException caused by JDK-8189997. Contributed by Gabor Bota.
This commit is contained in:
parent
8d5509c681
commit
02322de3f9
@ -42,6 +42,8 @@
|
|||||||
|
|
||||||
import javax.crypto.KeyGenerator;
|
import javax.crypto.KeyGenerator;
|
||||||
|
|
||||||
|
import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_JCEKS_KEY_SERIALFILTER;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A provider of secret key material for Hadoop applications. Provides an
|
* A provider of secret key material for Hadoop applications. Provides an
|
||||||
* abstraction to separate key storage from users of encryption. It
|
* abstraction to separate key storage from users of encryption. It
|
||||||
@ -61,6 +63,14 @@ public abstract class KeyProvider {
|
|||||||
CommonConfigurationKeysPublic.HADOOP_SECURITY_KEY_DEFAULT_BITLENGTH_KEY;
|
CommonConfigurationKeysPublic.HADOOP_SECURITY_KEY_DEFAULT_BITLENGTH_KEY;
|
||||||
public static final int DEFAULT_BITLENGTH = CommonConfigurationKeysPublic.
|
public static final int DEFAULT_BITLENGTH = CommonConfigurationKeysPublic.
|
||||||
HADOOP_SECURITY_KEY_DEFAULT_BITLENGTH_DEFAULT;
|
HADOOP_SECURITY_KEY_DEFAULT_BITLENGTH_DEFAULT;
|
||||||
|
public static final String JCEKS_KEY_SERIALFILTER_DEFAULT =
|
||||||
|
"java.lang.Enum;"
|
||||||
|
+ "java.security.KeyRep;"
|
||||||
|
+ "java.security.KeyRep$Type;"
|
||||||
|
+ "javax.crypto.spec.SecretKeySpec;"
|
||||||
|
+ "org.apache.hadoop.crypto.key.JavaKeyStoreProvider$KeyMetadata;"
|
||||||
|
+ "!*";
|
||||||
|
public static final String JCEKS_KEY_SERIAL_FILTER = "jceks.key.serialFilter";
|
||||||
|
|
||||||
private final Configuration conf;
|
private final Configuration conf;
|
||||||
|
|
||||||
@ -394,6 +404,14 @@ public String toString() {
|
|||||||
*/
|
*/
|
||||||
public KeyProvider(Configuration conf) {
|
public KeyProvider(Configuration conf) {
|
||||||
this.conf = new Configuration(conf);
|
this.conf = new Configuration(conf);
|
||||||
|
// Added for HADOOP-15473. Configured serialFilter property fixes
|
||||||
|
// java.security.UnrecoverableKeyException in JDK 8u171.
|
||||||
|
if(System.getProperty(JCEKS_KEY_SERIAL_FILTER) == null) {
|
||||||
|
String serialFilter =
|
||||||
|
conf.get(HADOOP_SECURITY_CRYPTO_JCEKS_KEY_SERIALFILTER,
|
||||||
|
JCEKS_KEY_SERIALFILTER_DEFAULT);
|
||||||
|
System.setProperty(JCEKS_KEY_SERIAL_FILTER, serialFilter);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -662,6 +662,13 @@ public class CommonConfigurationKeysPublic {
|
|||||||
* <a href="{@docRoot}/../hadoop-project-dist/hadoop-common/core-default.xml">
|
* <a href="{@docRoot}/../hadoop-project-dist/hadoop-common/core-default.xml">
|
||||||
* core-default.xml</a>
|
* core-default.xml</a>
|
||||||
*/
|
*/
|
||||||
|
public static final String HADOOP_SECURITY_CRYPTO_JCEKS_KEY_SERIALFILTER =
|
||||||
|
"hadoop.security.crypto.jceks.key.serialfilter";
|
||||||
|
/**
|
||||||
|
* @see
|
||||||
|
* <a href="{@docRoot}/../hadoop-project-dist/hadoop-common/core-default.xml">
|
||||||
|
* core-default.xml</a>
|
||||||
|
*/
|
||||||
public static final String HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY =
|
public static final String HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY =
|
||||||
"hadoop.security.crypto.buffer.size";
|
"hadoop.security.crypto.buffer.size";
|
||||||
/** Defalt value for HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY */
|
/** Defalt value for HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY */
|
||||||
|
@ -2486,6 +2486,29 @@
|
|||||||
</description>
|
</description>
|
||||||
</property>
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<name>hadoop.security.crypto.jceks.key.serialfilter</name>
|
||||||
|
<description>
|
||||||
|
Enhanced KeyStore Mechanisms in JDK 8u171 introduced jceks.key.serialFilter.
|
||||||
|
If jceks.key.serialFilter is configured, the JCEKS KeyStore uses it during
|
||||||
|
the deserialization of the encrypted Key object stored inside a
|
||||||
|
SecretKeyEntry.
|
||||||
|
If jceks.key.serialFilter is not configured it will cause an error when
|
||||||
|
recovering keystore file in KeyProviderFactory when recovering key from
|
||||||
|
keystore file using JDK 8u171 or newer. The filter pattern uses the same
|
||||||
|
format as jdk.serialFilter.
|
||||||
|
|
||||||
|
The value of this property will be used as the following:
|
||||||
|
1. The value of jceks.key.serialFilter system property takes precedence
|
||||||
|
over the value of this property.
|
||||||
|
2. In the absence of jceks.key.serialFilter system property the value of
|
||||||
|
this property will be set as the value of jceks.key.serialFilter.
|
||||||
|
3. If the value of this property and jceks.key.serialFilter system
|
||||||
|
property has not been set, org.apache.hadoop.crypto.key.KeyProvider
|
||||||
|
sets a default value for jceks.key.serialFilter.
|
||||||
|
</description>
|
||||||
|
</property>
|
||||||
|
|
||||||
<property>
|
<property>
|
||||||
<name>hadoop.security.crypto.buffer.size</name>
|
<name>hadoop.security.crypto.buffer.size</name>
|
||||||
<value>8192</value>
|
<value>8192</value>
|
||||||
|
Loading…
Reference in New Issue
Block a user