HADOOP-15473. Configure serialFilter in KeyProvider to avoid UnrecoverableKeyException caused by JDK-8189997. Contributed by Gabor Bota.
This commit is contained in:
parent
8d5509c681
commit
02322de3f9
@ -42,6 +42,8 @@
|
||||
|
||||
import javax.crypto.KeyGenerator;
|
||||
|
||||
import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_JCEKS_KEY_SERIALFILTER;
|
||||
|
||||
/**
|
||||
* A provider of secret key material for Hadoop applications. Provides an
|
||||
* abstraction to separate key storage from users of encryption. It
|
||||
@ -61,6 +63,14 @@ public abstract class KeyProvider {
|
||||
CommonConfigurationKeysPublic.HADOOP_SECURITY_KEY_DEFAULT_BITLENGTH_KEY;
|
||||
public static final int DEFAULT_BITLENGTH = CommonConfigurationKeysPublic.
|
||||
HADOOP_SECURITY_KEY_DEFAULT_BITLENGTH_DEFAULT;
|
||||
public static final String JCEKS_KEY_SERIALFILTER_DEFAULT =
|
||||
"java.lang.Enum;"
|
||||
+ "java.security.KeyRep;"
|
||||
+ "java.security.KeyRep$Type;"
|
||||
+ "javax.crypto.spec.SecretKeySpec;"
|
||||
+ "org.apache.hadoop.crypto.key.JavaKeyStoreProvider$KeyMetadata;"
|
||||
+ "!*";
|
||||
public static final String JCEKS_KEY_SERIAL_FILTER = "jceks.key.serialFilter";
|
||||
|
||||
private final Configuration conf;
|
||||
|
||||
@ -394,6 +404,14 @@ public String toString() {
|
||||
*/
|
||||
public KeyProvider(Configuration conf) {
|
||||
this.conf = new Configuration(conf);
|
||||
// Added for HADOOP-15473. Configured serialFilter property fixes
|
||||
// java.security.UnrecoverableKeyException in JDK 8u171.
|
||||
if(System.getProperty(JCEKS_KEY_SERIAL_FILTER) == null) {
|
||||
String serialFilter =
|
||||
conf.get(HADOOP_SECURITY_CRYPTO_JCEKS_KEY_SERIALFILTER,
|
||||
JCEKS_KEY_SERIALFILTER_DEFAULT);
|
||||
System.setProperty(JCEKS_KEY_SERIAL_FILTER, serialFilter);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
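Review bot: `System.setProperty(JCEKS_KEY_SERIAL_FILTER, serialFilter)` in the constructor promotes a per-Configuration value to a JVM-wide setting without any validation, so a permissive `hadoop.security.crypto.jceks.key.serialfilter` (for instance one that omits the trailing `!*` reject-all entry present in the default) widens the set of classes the JCEKS KeyStore will deserialize for every keystore opened in the process, not just this provider's. Because the property is written only when it is still unset, the first KeyProvider constructed decides the filter and later providers with a different configured value are silently ignored; logging the value actually applied (via the class logger, if KeyProvider has one) would let an operator see which filter is in effect. The constructor's Javadoc, which begins above the hunk, should also document this side effect: that `jceks.key.serialFilter` is set from the configuration only if the system property is absent. Minor style: `if(System.getProperty(...)` should be `if (System.getProperty(...)` to match the spacing used elsewhere in the file.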
@ -662,6 +662,13 @@ public class CommonConfigurationKeysPublic {
|
||||
* <a href="{@docRoot}/../hadoop-project-dist/hadoop-common/core-default.xml">
|
||||
* core-default.xml</a>
|
||||
*/
|
||||
public static final String HADOOP_SECURITY_CRYPTO_JCEKS_KEY_SERIALFILTER =
|
||||
"hadoop.security.crypto.jceks.key.serialfilter";
|
||||
/**
|
||||
* @see
|
||||
* <a href="{@docRoot}/../hadoop-project-dist/hadoop-common/core-default.xml">
|
||||
* core-default.xml</a>
|
||||
*/
|
||||
public static final String HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY =
|
||||
"hadoop.security.crypto.buffer.size";
|
||||
/** Defalt value for HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY */
|
||||
|
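Review bot: The default value for this key, `JCEKS_KEY_SERIALFILTER_DEFAULT`, lives in KeyProvider rather than next to the key here, whereas the neighbouring `HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY` (see the "Defalt value for" Javadoc below it) and `HADOOP_SECURITY_KEY_DEFAULT_BITLENGTH_DEFAULT` keep key and default together in this class. Declaring it here as `HADOOP_SECURITY_CRYPTO_JCEKS_KEY_SERIALFILTER_DEFAULT` and referencing it from KeyProvider would follow that convention and give the core-default.xml description a single place to point at. The Javadoc could also say what the key controls instead of only `@see`, e.g. `/** Allowlist installed as jceks.key.serialFilter when that system property is unset; uses the jdk.serialFilter syntax. */`.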
@ -2486,6 +2486,29 @@
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.security.crypto.jceks.key.serialfilter</name>
|
||||
<description>
|
||||
Enhanced KeyStore Mechanisms in JDK 8u171 introduced jceks.key.serialFilter.
|
||||
If jceks.key.serialFilter is configured, the JCEKS KeyStore uses it during
|
||||
the deserialization of the encrypted Key object stored inside a
|
||||
SecretKeyEntry.
|
||||
If jceks.key.serialFilter is not configured it will cause an error when
|
||||
recovering keystore file in KeyProviderFactory when recovering key from
|
||||
keystore file using JDK 8u171 or newer. The filter pattern uses the same
|
||||
format as jdk.serialFilter.
|
||||
|
||||
The value of this property will be used as the following:
|
||||
1. The value of jceks.key.serialFilter system property takes precedence
|
||||
over the value of this property.
|
||||
2. In the absence of jceks.key.serialFilter system property the value of
|
||||
this property will be set as the value of jceks.key.serialFilter.
|
||||
3. If the value of this property and jceks.key.serialFilter system
|
||||
property has not been set, org.apache.hadoop.crypto.key.KeyProvider
|
||||
sets a default value for jceks.key.serialFilter.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.security.crypto.buffer.size</name>
|
||||
<value>8192</value>
|
||||
|