From 0760418becd2a738f82190694890928dc2001808 Mon Sep 17 00:00:00 2001
From: Xiaoyu Yao
Date: Tue, 31 Oct 2017 14:32:36 -0700
Subject: [PATCH] HDFS-12697. Ozone services must stay disabled in secure setup for alpha. Contributed by Bharat Viswanadham.
---
 .../hadoop-hdfs/src/main/bin/start-ozone.sh | 8 ++++++++
 .../hadoop-hdfs/src/main/bin/stop-ozone.sh | 8 ++++++++
 .../java/org/apache/hadoop/hdfs/DFSUtil.java | 20 +++++++++++++++++++
 .../hadoop/ozone/ksm/KeySpaceManager.java | 9 ++++++++-
 .../ozone/scm/StorageContainerManager.java | 10 ++++++++--
 5 files changed, 52 insertions(+), 3 deletions(-)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/start-ozone.sh b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/start-ozone.sh
index 5291f57aa7..ca6b6b8255 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/start-ozone.sh
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/start-ozone.sh
@@ -44,6 +44,14 @@ else
 exit 1
 fi
+SECURITY_ENABLED=$("${HADOOP_HDFS_HOME}/bin/hdfs" getconf -confKey hadoop.security.authentication | tr '[:upper:]' '[:lower:]' 2>&-)
+SECURITY_AUTHORIZATION_ENABLED=$("${HADOOP_HDFS_HOME}/bin/hdfs" getconf -confKey hadoop.security.authorization | tr '[:upper:]' '[:lower:]' 2>&-)
+
+if [[ ${SECURITY_ENABLED} == "kerberos" || ${SECURITY_AUTHORIZATION_ENABLED} == "true" ]]; then
+ echo "Ozone is not supported in a security enabled cluster."
+ exit 1
+fi
+
 #---------------------------------------------------------
 # Check if ozone is enabled
 OZONE_ENABLED=$("${HADOOP_HDFS_HOME}/bin/hdfs" getconf -confKey ozone.enabled | tr '[:upper:]' '[:lower:]' 2>&-)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/stop-ozone.sh b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/stop-ozone.sh
index 216492b8ac..15255c0299 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/stop-ozone.sh
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/bin/stop-ozone.sh
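Review bot: In start-ozone.sh the new gate fails open: if either `hdfs getconf` call fails or prints nothing, both variables are empty, neither equals `"kerberos"` or `"true"`, and the script goes on to start Ozone. The trailing `2>&-` is attached to `tr`, so an error from `getconf` itself is neither suppressed nor checked. For a guard meant to keep an alpha service out of secured clusters, test for the known-safe values instead, for example `if [[ ${SECURITY_ENABLED} != "simple" || ${SECURITY_AUTHORIZATION_ENABLED} != "false" ]]; then`, which also rejects an unreadable configuration (this assumes getconf prints the default values when the keys are unset, which should be confirmed). The identical lines added to stop-ozone.sh carry the same fail-open comparison.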
@@ -44,6 +44,14 @@ else
 exit 1
 fi
+SECURITY_ENABLED=$("${HADOOP_HDFS_HOME}/bin/hdfs" getconf -confKey hadoop.security.authentication | tr '[:upper:]' '[:lower:]' 2>&-)
+SECURITY_AUTHORIZATION_ENABLED=$("${HADOOP_HDFS_HOME}/bin/hdfs" getconf -confKey hadoop.security.authorization | tr '[:upper:]' '[:lower:]' 2>&-)
+
+if [[ ${SECURITY_ENABLED} == "kerberos" || ${SECURITY_AUTHORIZATION_ENABLED} == "true" ]]; then
+ echo "Ozone is not supported in a security enabled cluster."
+ exit 1
+fi
+
 #---------------------------------------------------------
 # Check if ozone is enabled
 OZONE_ENABLED=$("${HADOOP_HDFS_HOME}/bin/hdfs" getconf -confKey ozone.enabled | tr '[:upper:]' '[:lower:]' 2>&-)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSUtil.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSUtil.java
index 4c94e380ca..72f39fc6c5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSUtil.java
@@ -36,6 +36,8 @@
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_SERVER_HTTPS_KEYPASSWORD_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY;
 import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ENABLED;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ENABLED_DEFAULT;
 import java.io.ByteArrayInputStream;
 import java.io.DataInputStream;
@@ -71,6 +73,7 @@
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.crypto.key.KeyProvider;
 import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
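Review bot: Gating stop-ozone.sh on the security settings means an operator on a secured cluster cannot use this script to shut down Ozone daemons that are already running, for instance ones started before security was switched on. Stopping an unsupported service is the safe direction, so the `exit 1` in this hunk looks unwanted; consider a warning such as `echo "Ozone is not supported in a security enabled cluster; stopping any running Ozone daemons."` and letting the script continue. The rest of the script lies outside the hunk, so whether a later step relies on this early exit could not be confirmed.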
@@ -1494,6 +1497,23 @@ static String getPassword(Configuration conf, String alias) {
 return password;
 }
+ public static boolean isOzoneEnabled(Configuration conf) {
+ String securityEnabled = conf.get(CommonConfigurationKeysPublic
+ .HADOOP_SECURITY_AUTHENTICATION,
+ "simple");
+ boolean securityAuthorizationEnabled = conf.getBoolean(
+ CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION,
+ false);
+
+ if (securityEnabled.equals("kerberos") || securityAuthorizationEnabled) {
+ LOG.error("Ozone is not supported in a security enabled cluster. ");
+ return false;
+ } else {
+ return conf.getBoolean(OZONE_ENABLED,
+ OZONE_ENABLED_DEFAULT);
+ }
+ }
+
 /**
 * Converts a Date into an ISO-8601 formatted datetime string.
 */
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/ozone/ksm/KeySpaceManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/ozone/ksm/KeySpaceManager.java
index 22ad4b8021..a48258e607 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/ozone/ksm/KeySpaceManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/ozone/ksm/KeySpaceManager.java
@@ -57,6 +57,7 @@
 import java.util.List;
 import java.util.Map;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ENABLED;
 import static org.apache.hadoop.ozone.ksm.KSMConfigKeys
 .OZONE_KSM_ADDRESS_KEY;
 import static org.apache.hadoop.ozone.ksm.KSMConfigKeys
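Review bot: In DFSUtil.isOzoneEnabled the comparison `securityEnabled.equals("kerberos")` is case-sensitive, while the two shell scripts in this patch lowercase the same key before comparing, so a value such as `KERBEROS` is refused by the scripts but accepted here. The test is also allow-by-default: any authentication value other than the exact string `kerberos` lets Ozone start. Comparing against the one supported mode closes both gaps: `if (!"simple".equalsIgnoreCase(securityEnabled) || securityAuthorizationEnabled) {`. The new public method has no Javadoc; a short one stating that it returns false whenever Kerberos authentication or service authorization is configured, regardless of `ozone.enabled`, would spare callers from reading the body.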
@@ -186,7 +187,13 @@ public KSMMetrics getMetrics() {
 public static void main(String[] argv) throws IOException {
 StringUtils.startupShutdownMessage(KeySpaceManager.class, argv, LOG);
 try {
- KeySpaceManager ksm = new KeySpaceManager(new OzoneConfiguration());
+ OzoneConfiguration conf = new OzoneConfiguration();
+ if (!DFSUtil.isOzoneEnabled(conf)) {
+ System.out.println("KSM cannot be started in secure mode or when " +
+ OZONE_ENABLED + " is set to false");
+ System.exit(1);
+ }
+ KeySpaceManager ksm = new KeySpaceManager(conf);
 ksm.start();
 ksm.join();
 } catch (Throwable t) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/ozone/scm/StorageContainerManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/ozone/scm/StorageContainerManager.java
index 84e4386ff4..d341e2c280 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/ozone/scm/StorageContainerManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/ozone/scm/StorageContainerManager.java
@@ -104,6 +104,7 @@
 import java.util.Collections;
 import java.util.stream.Collectors;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ENABLED;
 import static org.apache.hadoop.ozone.protocol.proto
 .ScmBlockLocationProtocolProtos.DeleteScmBlockResult.Result;
 import static org.apache.hadoop.scm.ScmConfigKeys
@@ -321,8 +322,13 @@ public static void main(String[] argv) throws IOException {
 StringUtils.startupShutdownMessage(StorageContainerManager.class, argv, LOG);
 try {
- StorageContainerManager scm = new StorageContainerManager(
- new OzoneConfiguration());
+ OzoneConfiguration conf = new OzoneConfiguration();
+ if (!DFSUtil.isOzoneEnabled(conf)) {
+ System.out.println("SCM cannot be started in secure mode or when " +
+ OZONE_ENABLED + " is set to false");
+ System.exit(1);
+ }
+ StorageContainerManager scm = new StorageContainerManager(conf);
 scm.start();
 scm.join();
 } catch (Throwable t) {
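Review bot: The secure-mode check in KeySpaceManager.main guards only the command-line entry point; code that constructs a KeySpaceManager and calls `start()` directly never reaches it, and the StorageContainerManager.main hunk in this patch has the same shape. If the intent is that these services cannot run in a secured cluster, the `DFSUtil.isOzoneEnabled(conf)` test belongs in the constructor or in `start()` (neither is visible in these hunks), failing there with an `IOException`. The refusal is also printed with `System.out.println`, so it may be missing from the daemon log that `LOG` writes; `LOG.error("KSM cannot be started in secure mode or when " + OZONE_ENABLED + " is set to false");` would keep it with the startup messages. Both main bodies continue outside their hunks.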