HDFS-6720. Remove KeyProvider in EncryptionZoneManager. (wang)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1612632 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
b52b80d7bd
commit
69b75fca7a
@ -54,6 +54,8 @@ fs-encryption (Unreleased)
|
||||
|
||||
HDFS-6718. Remove EncryptionZoneManager lock. (wang)
|
||||
|
||||
HDFS-6720. Remove KeyProvider in EncryptionZoneManager. (wang)
|
||||
|
||||
OPTIMIZATIONS
|
||||
|
||||
BUG FIXES
|
||||
|
@ -2807,11 +2807,11 @@ public AclStatus getAclStatus(String src) throws IOException {
|
||||
}
|
||||
}
|
||||
|
||||
public void createEncryptionZone(String src, String keyId)
|
||||
public void createEncryptionZone(String src, String keyName)
|
||||
throws IOException {
|
||||
checkOpen();
|
||||
try {
|
||||
namenode.createEncryptionZone(src, keyId);
|
||||
namenode.createEncryptionZone(src, keyName);
|
||||
} catch (RemoteException re) {
|
||||
throw re.unwrapRemoteException(AccessControlException.class,
|
||||
SafeModeException.class,
|
||||
|
@ -1799,9 +1799,9 @@ public AclStatus next(final FileSystem fs, final Path p)
|
||||
}
|
||||
|
||||
/* HDFS only */
|
||||
public void createEncryptionZone(Path path, String keyId)
|
||||
public void createEncryptionZone(Path path, String keyName)
|
||||
throws IOException {
|
||||
dfs.createEncryptionZone(getPathName(path), keyId);
|
||||
dfs.createEncryptionZone(getPathName(path), keyName);
|
||||
}
|
||||
|
||||
/* HDFS only */
|
||||
|
@ -231,21 +231,16 @@ public RemoteIterator<CachePoolEntry> listCachePools() throws IOException {
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an encryption zone rooted at path using the optional encryption key
|
||||
* id. An encryption zone is a portion of the HDFS file system hierarchy in
|
||||
* which all files are encrypted with the same key, but possibly different
|
||||
* key versions per file.
|
||||
* <p/>
|
||||
* Path must refer to an empty, existing directory. Otherwise an IOException
|
||||
* will be thrown. keyId specifies the id of an encryption key in the
|
||||
* KeyProvider that the Namenode has been configured to use. If keyId is
|
||||
* null, then a key is generated in the KeyProvider using {@link
|
||||
* java.util.UUID} to generate a key id.
|
||||
* Create an encryption zone rooted at an empty existing directory. An
|
||||
* encryption zone has an associated encryption key used when reading and
|
||||
* writing files within the zone. An existing key can be specified,
|
||||
* else a new key will be generated for the encryption zone.
|
||||
*
|
||||
* @param path The path of the root of the encryption zone.
|
||||
* @param path The path of the root of the encryption zone. Must refer to
|
||||
* an empty, existing directory.
|
||||
*
|
||||
* @param keyId An optional keyId in the KeyProvider. If null, then
|
||||
* a key is generated.
|
||||
* @param keyName Optional name of key available at the KeyProvider. If null,
|
||||
* then a key is generated.
|
||||
*
|
||||
* @throws IOException if there was a general IO exception
|
||||
*
|
||||
@ -253,18 +248,15 @@ public RemoteIterator<CachePoolEntry> listCachePools() throws IOException {
|
||||
*
|
||||
* @throws FileNotFoundException if the path does not exist
|
||||
*/
|
||||
public void createEncryptionZone(Path path, String keyId)
|
||||
public void createEncryptionZone(Path path, String keyName)
|
||||
throws IOException, AccessControlException, FileNotFoundException {
|
||||
dfs.createEncryptionZone(path, keyId);
|
||||
dfs.createEncryptionZone(path, keyName);
|
||||
}
|
||||
|
||||
/**
|
||||
* Return a list of all {@EncryptionZone}s in the HDFS hierarchy which are
|
||||
* visible to the caller. If the caller is the HDFS admin, then the returned
|
||||
* EncryptionZone instances will have the key id field filled in. If the
|
||||
* caller is not the HDFS admin, then the EncryptionZone instances will only
|
||||
* have the path field filled in and only those zones that are visible to the
|
||||
* user are returned.
|
||||
* Return a list of all {@link EncryptionZone}s in the HDFS hierarchy which
|
||||
* are visible to the caller. If the caller is an HDFS superuser,
|
||||
* then the key name of each encryption zone will also be provided.
|
||||
*
|
||||
* @throws IOException if there was a general IO exception
|
||||
*
|
||||
|
@ -1263,7 +1263,7 @@ public void removeAclEntries(String src, List<AclEntry> aclSpec)
|
||||
* Create an encryption zone
|
||||
*/
|
||||
@AtMostOnce
|
||||
public void createEncryptionZone(String src, String keyId)
|
||||
public void createEncryptionZone(String src, String keyName)
|
||||
throws IOException;
|
||||
|
||||
/**
|
||||
|
@ -24,32 +24,32 @@
|
||||
|
||||
/**
|
||||
* A simple class for representing an encryption zone. Presently an encryption
|
||||
* zone only has a path (the root of the encryption zone) and a key id.
|
||||
* zone only has a path (the root of the encryption zone) and a key name.
|
||||
*/
|
||||
@InterfaceAudience.Public
|
||||
@InterfaceStability.Evolving
|
||||
public class EncryptionZone {
|
||||
|
||||
private final String path;
|
||||
private final String keyId;
|
||||
private final String keyName;
|
||||
|
||||
public EncryptionZone(String path, String keyId) {
|
||||
public EncryptionZone(String path, String keyName) {
|
||||
this.path = path;
|
||||
this.keyId = keyId;
|
||||
this.keyName = keyName;
|
||||
}
|
||||
|
||||
public String getPath() {
|
||||
return path;
|
||||
}
|
||||
|
||||
public String getKeyId() {
|
||||
return keyId;
|
||||
public String getKeyName() {
|
||||
return keyName;
|
||||
}
|
||||
|
||||
@Override
|
||||
public int hashCode() {
|
||||
return new HashCodeBuilder(13, 31).
|
||||
append(path).append(keyId).
|
||||
append(path).append(keyName).
|
||||
toHashCode();
|
||||
}
|
||||
|
||||
@ -68,12 +68,12 @@ public boolean equals(Object obj) {
|
||||
EncryptionZone rhs = (EncryptionZone) obj;
|
||||
return new EqualsBuilder().
|
||||
append(path, rhs.path).
|
||||
append(keyId, rhs.keyId).
|
||||
append(keyName, rhs.keyName).
|
||||
isEquals();
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return "EncryptionZone [path=" + path + ", keyId=" + keyId + "]";
|
||||
return "EncryptionZone [path=" + path + ", keyName=" + keyName + "]";
|
||||
}
|
||||
}
|
||||
|
@ -1287,7 +1287,7 @@ public CreateEncryptionZoneResponseProto createEncryptionZone(
|
||||
RpcController controller, CreateEncryptionZoneRequestProto req)
|
||||
throws ServiceException {
|
||||
try {
|
||||
server.createEncryptionZone(req.getSrc(), req.getKeyId());
|
||||
server.createEncryptionZone(req.getSrc(), req.getKeyName());
|
||||
return CreateEncryptionZoneResponseProto.newBuilder().build();
|
||||
} catch (IOException e) {
|
||||
throw new ServiceException(e);
|
||||
|
@ -1284,13 +1284,13 @@ public AclStatus getAclStatus(String src) throws IOException {
|
||||
}
|
||||
|
||||
@Override
|
||||
public void createEncryptionZone(String src, String keyId)
|
||||
public void createEncryptionZone(String src, String keyName)
|
||||
throws IOException {
|
||||
final CreateEncryptionZoneRequestProto.Builder builder =
|
||||
CreateEncryptionZoneRequestProto.newBuilder();
|
||||
builder.setSrc(src);
|
||||
if (keyId != null && !keyId.isEmpty()) {
|
||||
builder.setKeyId(keyId);
|
||||
if (keyName != null && !keyName.isEmpty()) {
|
||||
builder.setKeyName(keyName);
|
||||
}
|
||||
CreateEncryptionZoneRequestProto req = builder.build();
|
||||
try {
|
||||
|
@ -2209,7 +2209,7 @@ public static List<EncryptionZoneProto> convertEZProto(
|
||||
final EncryptionZoneProto.Builder builder =
|
||||
EncryptionZoneProto.newBuilder();
|
||||
builder.setPath(a.getPath());
|
||||
builder.setKeyId(a.getKeyId());
|
||||
builder.setKeyName(a.getKeyName());
|
||||
ret.add(builder.build());
|
||||
}
|
||||
return ret;
|
||||
@ -2221,7 +2221,7 @@ public static List<EncryptionZone> convertEZ(
|
||||
Lists.newArrayListWithCapacity(ezs.size());
|
||||
for (EncryptionZoneProto a : ezs) {
|
||||
final EncryptionZone ez =
|
||||
new EncryptionZone(a.getPath(), a.getKeyId());
|
||||
new EncryptionZone(a.getPath(), a.getKeyName());
|
||||
ret.add(ez);
|
||||
}
|
||||
return ret;
|
||||
|
@ -5,11 +5,9 @@
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.concurrent.locks.ReentrantReadWriteLock;
|
||||
|
||||
import com.google.common.base.Preconditions;
|
||||
import com.google.common.collect.Lists;
|
||||
import org.apache.hadoop.crypto.key.KeyProvider;
|
||||
import org.apache.hadoop.fs.UnresolvedLinkException;
|
||||
import org.apache.hadoop.fs.XAttr;
|
||||
import org.apache.hadoop.fs.XAttrSetFlag;
|
||||
@ -20,7 +18,6 @@
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
|
||||
import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
|
||||
import static org.apache.hadoop.hdfs.server.common.HdfsServerConstants
|
||||
.CRYPTO_XATTR_ENCRYPTION_ZONE;
|
||||
|
||||
@ -62,16 +59,14 @@ long getINodeId() {
|
||||
|
||||
private final Map<Long, EncryptionZoneInt> encryptionZones;
|
||||
private final FSDirectory dir;
|
||||
private final KeyProvider provider;
|
||||
|
||||
/**
|
||||
* Construct a new EncryptionZoneManager.
|
||||
*
|
||||
* @param dir Enclosing FSDirectory
|
||||
*/
|
||||
public EncryptionZoneManager(FSDirectory dir, KeyProvider provider) {
|
||||
public EncryptionZoneManager(FSDirectory dir) {
|
||||
this.dir = dir;
|
||||
this.provider = provider;
|
||||
encryptionZones = new HashMap<Long, EncryptionZoneInt>();
|
||||
}
|
||||
|
||||
@ -81,11 +76,11 @@ public EncryptionZoneManager(FSDirectory dir, KeyProvider provider) {
|
||||
* Called while holding the FSDirectory lock.
|
||||
*
|
||||
* @param inodeId of the encryption zone
|
||||
* @param keyId encryption zone key id
|
||||
* @param keyName encryption zone key name
|
||||
*/
|
||||
void addEncryptionZone(Long inodeId, String keyId) {
|
||||
void addEncryptionZone(Long inodeId, String keyName) {
|
||||
assert dir.hasWriteLock();
|
||||
final EncryptionZoneInt ez = new EncryptionZoneInt(inodeId, keyId);
|
||||
final EncryptionZoneInt ez = new EncryptionZoneInt(inodeId, keyName);
|
||||
encryptionZones.put(inodeId, ez);
|
||||
}
|
||||
|
||||
@ -209,7 +204,7 @@ void checkMoveValidity(INodesInPath srcIIP, INodesInPath dstIIP, String src)
|
||||
* <p/>
|
||||
* Called while holding the FSDirectory lock.
|
||||
*/
|
||||
XAttr createEncryptionZone(String src, String keyId, KeyVersion keyVersion)
|
||||
XAttr createEncryptionZone(String src, String keyName)
|
||||
throws IOException {
|
||||
assert dir.hasWriteLock();
|
||||
if (dir.isNonEmptyDirectory(src)) {
|
||||
@ -224,17 +219,16 @@ XAttr createEncryptionZone(String src, String keyId, KeyVersion keyVersion)
|
||||
"encryption zone. (" + getFullPathName(ezi) + ")");
|
||||
}
|
||||
|
||||
final XAttr keyIdXAttr = XAttrHelper
|
||||
.buildXAttr(CRYPTO_XATTR_ENCRYPTION_ZONE, keyId.getBytes());
|
||||
final XAttr ezXAttr = XAttrHelper
|
||||
.buildXAttr(CRYPTO_XATTR_ENCRYPTION_ZONE, keyName.getBytes());
|
||||
|
||||
final List<XAttr> xattrs = Lists.newArrayListWithCapacity(1);
|
||||
xattrs.add(keyIdXAttr);
|
||||
xattrs.add(ezXAttr);
|
||||
// updating the xattr will call addEncryptionZone,
|
||||
// done this way to handle edit log loading
|
||||
dir.unprotectedSetXAttrs(src, xattrs, EnumSet.of(XAttrSetFlag.CREATE));
|
||||
// Re-get the new encryption zone add the latest key version
|
||||
ezi = getEncryptionZoneForPath(srcIIP);
|
||||
return keyIdXAttr;
|
||||
return ezXAttr;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -17,7 +17,6 @@
|
||||
*/
|
||||
package org.apache.hadoop.hdfs.server.namenode;
|
||||
|
||||
import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
|
||||
import static org.apache.hadoop.hdfs.server.common.HdfsServerConstants.CRYPTO_XATTR_ENCRYPTION_ZONE;
|
||||
import static org.apache.hadoop.hdfs.server.common.HdfsServerConstants.CRYPTO_XATTR_FILE_ENCRYPTION_INFO;
|
||||
import static org.apache.hadoop.util.Time.now;
|
||||
@ -36,7 +35,6 @@
|
||||
import org.apache.hadoop.HadoopIllegalArgumentException;
|
||||
import org.apache.hadoop.classification.InterfaceAudience;
|
||||
import org.apache.hadoop.conf.Configuration;
|
||||
import org.apache.hadoop.crypto.key.KeyProvider;
|
||||
import org.apache.hadoop.fs.ContentSummary;
|
||||
import org.apache.hadoop.fs.FileAlreadyExistsException;
|
||||
import org.apache.hadoop.fs.FileEncryptionInfo;
|
||||
@ -227,7 +225,7 @@ public int getWriteHoldCount() {
|
||||
nameCache = new NameCache<ByteArray>(threshold);
|
||||
namesystem = ns;
|
||||
|
||||
ezManager = new EncryptionZoneManager(this, ns.getProvider());
|
||||
ezManager = new EncryptionZoneManager(this);
|
||||
}
|
||||
|
||||
private FSNamesystem getFSNamesystem() {
|
||||
@ -2632,11 +2630,11 @@ String getKeyName(INodesInPath iip) {
|
||||
}
|
||||
}
|
||||
|
||||
XAttr createEncryptionZone(String src, String keyId, KeyVersion keyVersion)
|
||||
XAttr createEncryptionZone(String src, String keyName)
|
||||
throws IOException {
|
||||
writeLock();
|
||||
try {
|
||||
return ezManager.createEncryptionZone(src, keyId, keyVersion);
|
||||
return ezManager.createEncryptionZone(src, keyName);
|
||||
} finally {
|
||||
writeUnlock();
|
||||
}
|
||||
|
@ -8421,13 +8421,13 @@ AclStatus getAclStatus(String src) throws IOException {
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an encryption zone on directory src either using keyIdArg if
|
||||
* supplied or generating a keyId if it's null.
|
||||
* Create an encryption zone on directory src. If provided,
|
||||
* will use an existing key, else will generate a new key.
|
||||
*
|
||||
* @param src the path of a directory which will be the root of the
|
||||
* encryption zone. The directory must be empty.
|
||||
*
|
||||
* @param keyIdArg an optional keyId of a key in the configured
|
||||
* @param keyNameArg an optional name of a key in the configured
|
||||
* KeyProvider. If this is null, then a a new key is generated.
|
||||
*
|
||||
* @throws AccessControlException if the caller is not the superuser.
|
||||
@ -8436,7 +8436,7 @@ AclStatus getAclStatus(String src) throws IOException {
|
||||
*
|
||||
* @throws SafeModeException if the Namenode is in safe mode.
|
||||
*/
|
||||
void createEncryptionZone(final String src, String keyIdArg)
|
||||
void createEncryptionZone(final String src, String keyNameArg)
|
||||
throws IOException, UnresolvedLinkException,
|
||||
SafeModeException, AccessControlException {
|
||||
final CacheEntry cacheEntry = RetryCache.waitForCompletion(retryCache);
|
||||
@ -8445,16 +8445,15 @@ void createEncryptionZone(final String src, String keyIdArg)
|
||||
}
|
||||
|
||||
boolean createdKey = false;
|
||||
String keyId = keyIdArg;
|
||||
String keyName = keyNameArg;
|
||||
boolean success = false;
|
||||
try {
|
||||
KeyVersion keyVersion;
|
||||
if (keyId == null || keyId.isEmpty()) {
|
||||
keyId = UUID.randomUUID().toString();
|
||||
keyVersion = createNewKey(keyId, src);
|
||||
if (keyName == null || keyName.isEmpty()) {
|
||||
keyName = UUID.randomUUID().toString();
|
||||
createNewKey(keyName, src);
|
||||
createdKey = true;
|
||||
} else {
|
||||
keyVersion = provider.getCurrentKey(keyId);
|
||||
KeyVersion keyVersion = provider.getCurrentKey(keyName);
|
||||
if (keyVersion == null) {
|
||||
/*
|
||||
* It would be nice if we threw something more specific than
|
||||
@ -8464,10 +8463,10 @@ void createEncryptionZone(final String src, String keyIdArg)
|
||||
* update this to match it, or better yet, just rethrow the
|
||||
* KeyProvider's exception.
|
||||
*/
|
||||
throw new IOException("Key " + keyId + " doesn't exist.");
|
||||
throw new IOException("Key " + keyName + " doesn't exist.");
|
||||
}
|
||||
}
|
||||
createEncryptionZoneInt(src, keyId, keyVersion, cacheEntry != null);
|
||||
createEncryptionZoneInt(src, keyName, cacheEntry != null);
|
||||
success = true;
|
||||
} catch (AccessControlException e) {
|
||||
logAuditEvent(false, "createEncryptionZone", src);
|
||||
@ -8476,14 +8475,13 @@ void createEncryptionZone(final String src, String keyIdArg)
|
||||
RetryCache.setState(cacheEntry, success);
|
||||
if (!success && createdKey) {
|
||||
/* Unwind key creation. */
|
||||
provider.deleteKey(keyId);
|
||||
provider.deleteKey(keyName);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private void createEncryptionZoneInt(final String srcArg, String keyId,
|
||||
final KeyVersion keyVersion, final boolean logRetryCache) throws
|
||||
IOException {
|
||||
private void createEncryptionZoneInt(final String srcArg, String keyName,
|
||||
final boolean logRetryCache) throws IOException {
|
||||
String src = srcArg;
|
||||
HdfsFileStatus resultingStat = null;
|
||||
checkSuperuserPrivilege();
|
||||
@ -8497,9 +8495,9 @@ private void createEncryptionZoneInt(final String srcArg, String keyId,
|
||||
checkNameNodeSafeMode("Cannot create encryption zone on " + src);
|
||||
src = FSDirectory.resolvePath(src, pathComponents, dir);
|
||||
|
||||
final XAttr keyIdXAttr = dir.createEncryptionZone(src, keyId, keyVersion);
|
||||
final XAttr ezXAttr = dir.createEncryptionZone(src, keyName);
|
||||
List<XAttr> xAttrs = Lists.newArrayListWithCapacity(1);
|
||||
xAttrs.add(keyIdXAttr);
|
||||
xAttrs.add(ezXAttr);
|
||||
getEditLog().logSetXAttrs(src, xAttrs, logRetryCache);
|
||||
resultingStat = getAuditFileInfo(src, false);
|
||||
} finally {
|
||||
@ -8512,14 +8510,14 @@ private void createEncryptionZoneInt(final String srcArg, String keyId,
|
||||
/**
|
||||
* Create a new key on the KeyProvider for an encryption zone.
|
||||
*
|
||||
* @param keyIdArg id of the key
|
||||
* @param keyNameArg name of the key
|
||||
* @param src path of the encryption zone.
|
||||
* @return KeyVersion of the created key
|
||||
* @throws IOException
|
||||
*/
|
||||
private KeyVersion createNewKey(String keyIdArg, String src)
|
||||
private KeyVersion createNewKey(String keyNameArg, String src)
|
||||
throws IOException {
|
||||
Preconditions.checkNotNull(keyIdArg);
|
||||
Preconditions.checkNotNull(keyNameArg);
|
||||
Preconditions.checkNotNull(src);
|
||||
final StringBuilder sb = new StringBuilder("hdfs://");
|
||||
if (nameserviceId != null) {
|
||||
@ -8529,14 +8527,14 @@ private KeyVersion createNewKey(String keyIdArg, String src)
|
||||
if (!src.endsWith("/")) {
|
||||
sb.append('/');
|
||||
}
|
||||
sb.append(keyIdArg);
|
||||
final String keyId = sb.toString();
|
||||
providerOptions.setDescription(keyId);
|
||||
sb.append(keyNameArg);
|
||||
final String keyName = sb.toString();
|
||||
providerOptions.setDescription(keyName);
|
||||
providerOptions.setBitLength(codec.getCipherSuite()
|
||||
.getAlgorithmBlockSize()*8);
|
||||
KeyVersion version = null;
|
||||
try {
|
||||
version = provider.createKey(keyIdArg, providerOptions);
|
||||
version = provider.createKey(keyNameArg, providerOptions);
|
||||
} catch (NoSuchAlgorithmException e) {
|
||||
throw new IOException(e);
|
||||
}
|
||||
|
@ -1413,9 +1413,9 @@ public AclStatus getAclStatus(String src) throws IOException {
|
||||
}
|
||||
|
||||
@Override
|
||||
public void createEncryptionZone(String src, String keyId)
|
||||
public void createEncryptionZone(String src, String keyName)
|
||||
throws IOException {
|
||||
namesystem.createEncryptionZone(src, keyId);
|
||||
namesystem.createEncryptionZone(src, keyName);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -124,7 +124,7 @@ public String getName() {
|
||||
|
||||
@Override
|
||||
public String getShortUsage() {
|
||||
return "[" + getName() + " [-keyId <keyId>] -path <path> " + "]\n";
|
||||
return "[" + getName() + " [-keyName <keyName>] -path <path> " + "]\n";
|
||||
}
|
||||
|
||||
@Override
|
||||
@ -132,7 +132,8 @@ public String getLongUsage() {
|
||||
final TableListing listing = getOptionDescriptionListing();
|
||||
listing.addRow("<path>", "The path of the encryption zone to create. " +
|
||||
"It must be an empty directory.");
|
||||
listing.addRow("<keyId>", "The keyId of the new encryption zone.");
|
||||
listing.addRow("<keyName>", "Name of the key to use for the " +
|
||||
"encryption zone. A new key will be generated if unspecified.");
|
||||
return getShortUsage() + "\n" +
|
||||
"Create a new encryption zone.\n\n" +
|
||||
listing.toString();
|
||||
@ -146,8 +147,8 @@ public int run(Configuration conf, List<String> args) throws IOException {
|
||||
return 1;
|
||||
}
|
||||
|
||||
final String keyId =
|
||||
StringUtils.popOptionWithArgument("-keyId", args);
|
||||
final String keyName =
|
||||
StringUtils.popOptionWithArgument("-keyName", args);
|
||||
|
||||
if (!args.isEmpty()) {
|
||||
System.err.println("Can't understand argument: " + args.get(0));
|
||||
@ -156,7 +157,7 @@ public int run(Configuration conf, List<String> args) throws IOException {
|
||||
|
||||
final DistributedFileSystem dfs = getDFS(conf);
|
||||
try {
|
||||
dfs.createEncryptionZone(new Path(path), keyId);
|
||||
dfs.createEncryptionZone(new Path(path), keyName);
|
||||
System.out.println("Added encryption zone " + path);
|
||||
} catch (IOException e) {
|
||||
System.err.println(prettifyException(e));
|
||||
@ -198,7 +199,7 @@ public int run(Configuration conf, List<String> args) throws IOException {
|
||||
.wrapWidth(MAX_LINE_WIDTH).hideHeaders().build();
|
||||
final List<EncryptionZone> ezs = dfs.listEncryptionZones();
|
||||
for (EncryptionZone ez : ezs) {
|
||||
listing.addRow(ez.getPath(), ez.getKeyId());
|
||||
listing.addRow(ez.getPath(), ez.getKeyName());
|
||||
}
|
||||
System.out.println(listing.toString());
|
||||
} catch (IOException e) {
|
||||
|
@ -35,7 +35,7 @@ import "hdfs.proto";
|
||||
|
||||
message CreateEncryptionZoneRequestProto {
|
||||
required string src = 1;
|
||||
optional string keyId = 2;
|
||||
optional string keyName = 2;
|
||||
}
|
||||
|
||||
message CreateEncryptionZoneResponseProto {
|
||||
@ -46,7 +46,7 @@ message ListEncryptionZonesRequestProto {
|
||||
|
||||
message EncryptionZoneProto {
|
||||
required string path = 1;
|
||||
required string keyId = 2;
|
||||
required string keyName = 2;
|
||||
}
|
||||
|
||||
message ListEncryptionZonesResponseProto {
|
||||
|
@ -93,12 +93,12 @@ public void tearDown() throws Exception {
|
||||
}
|
||||
|
||||
/* Helper function to create a key in the Key Provider. */
|
||||
private void createAKey(String keyId, Configuration conf)
|
||||
private void createAKey(String keyName, Configuration conf)
|
||||
throws NoSuchAlgorithmException, IOException {
|
||||
final KeyProvider provider =
|
||||
dfsCluster.getNameNode().getNamesystem().getProvider();
|
||||
final KeyProvider.Options options = KeyProvider.options(conf);
|
||||
provider.createKey(keyId, options);
|
||||
provider.createKey(keyName, options);
|
||||
provider.flush();
|
||||
}
|
||||
|
||||
|
@ -105,18 +105,18 @@ public void assertNumZones(final int numZones) throws IOException {
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks that an encryption zone with the specified keyId and path (if not
|
||||
* Checks that an encryption zone with the specified keyName and path (if not
|
||||
* null) is present.
|
||||
*
|
||||
* @throws IOException if a matching zone could not be found
|
||||
*/
|
||||
public void assertZonePresent(String keyId, String path) throws IOException {
|
||||
public void assertZonePresent(String keyName, String path) throws IOException {
|
||||
final List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
|
||||
boolean match = false;
|
||||
for (EncryptionZone zone : zones) {
|
||||
boolean matchKey = (keyId == null);
|
||||
boolean matchKey = (keyName == null);
|
||||
boolean matchPath = (path == null);
|
||||
if (keyId != null && zone.getKeyId().equals(keyId)) {
|
||||
if (keyName != null && zone.getKeyName().equals(keyName)) {
|
||||
matchKey = true;
|
||||
}
|
||||
if (path != null && zone.getPath().equals(path)) {
|
||||
@ -127,7 +127,7 @@ public void assertZonePresent(String keyId, String path) throws IOException {
|
||||
break;
|
||||
}
|
||||
}
|
||||
assertTrue("Did not find expected encryption zone with keyId " + keyId +
|
||||
assertTrue("Did not find expected encryption zone with keyName " + keyName +
|
||||
" path " + path, match
|
||||
);
|
||||
}
|
||||
@ -135,11 +135,11 @@ public void assertZonePresent(String keyId, String path) throws IOException {
|
||||
/**
|
||||
* Helper function to create a key in the Key Provider.
|
||||
*/
|
||||
private void createKey(String keyId)
|
||||
private void createKey(String keyName)
|
||||
throws NoSuchAlgorithmException, IOException {
|
||||
KeyProvider provider = cluster.getNameNode().getNamesystem().getProvider();
|
||||
final KeyProvider.Options options = KeyProvider.options(conf);
|
||||
provider.createKey(keyId, options);
|
||||
provider.createKey(keyName, options);
|
||||
provider.flush();
|
||||
}
|
||||
|
||||
@ -204,9 +204,9 @@ public void testBasicOperations() throws Exception {
|
||||
/* Test failure of creating an EZ passing a key that doesn't exist. */
|
||||
final Path zone2 = new Path("/zone2");
|
||||
fsWrapper.mkdir(zone2, FsPermission.getDirDefault(), false);
|
||||
final String myKeyId = "mykeyid";
|
||||
final String myKeyName = "mykeyname";
|
||||
try {
|
||||
dfsAdmin.createEncryptionZone(zone2, myKeyId);
|
||||
dfsAdmin.createEncryptionZone(zone2, myKeyName);
|
||||
fail("expected key doesn't exist");
|
||||
} catch (IOException e) {
|
||||
assertExceptionContains("doesn't exist.", e);
|
||||
@ -214,10 +214,10 @@ public void testBasicOperations() throws Exception {
|
||||
assertNumZones(1);
|
||||
|
||||
/* Test success of creating an EZ when they key exists. */
|
||||
createKey(myKeyId);
|
||||
dfsAdmin.createEncryptionZone(zone2, myKeyId);
|
||||
createKey(myKeyName);
|
||||
dfsAdmin.createEncryptionZone(zone2, myKeyName);
|
||||
assertNumZones(++numZones);
|
||||
assertZonePresent(myKeyId, zone2.toString());
|
||||
assertZonePresent(myKeyName, zone2.toString());
|
||||
|
||||
/* Test failure of create encryption zones as a non super user. */
|
||||
final UserGroupInformation user = UserGroupInformation.
|
||||
@ -345,8 +345,8 @@ public void testReadWrite() throws Exception {
|
||||
// Roll the key of the encryption zone
|
||||
List<EncryptionZone> zones = dfsAdmin.listEncryptionZones();
|
||||
assertEquals("Expected 1 EZ", 1, zones.size());
|
||||
String keyId = zones.get(0).getKeyId();
|
||||
cluster.getNamesystem().getProvider().rollNewVersion(keyId);
|
||||
String keyName = zones.get(0).getKeyName();
|
||||
cluster.getNamesystem().getProvider().rollNewVersion(keyName);
|
||||
// Read them back in and compare byte-by-byte
|
||||
validateFiles(baseFile, encFile1, len);
|
||||
// Write a new enc file and validate
|
||||
|
@ -145,7 +145,7 @@
|
||||
<test-commands>
|
||||
<command>-fs NAMENODE -mkdir /foo</command>
|
||||
<command>-fs NAMENODE -ls /</command>-
|
||||
<crypto-admin-command>-createZone -path /foo -keyId doesntexist</crypto-admin-command>
|
||||
<crypto-admin-command>-createZone -path /foo -keyName doesntexist</crypto-admin-command>
|
||||
</test-commands>
|
||||
<cleanup-commands>
|
||||
<command>-fs NAMENODE -rmdir /foo</command>
|
||||
@ -163,7 +163,7 @@
|
||||
<test-commands>
|
||||
<command>-fs NAMENODE -mkdir /foo</command>
|
||||
<command>-fs NAMENODE -ls /</command>-
|
||||
<crypto-admin-command>-createZone -path /foo -keyId mykey</crypto-admin-command>
|
||||
<crypto-admin-command>-createZone -path /foo -keyName mykey</crypto-admin-command>
|
||||
</test-commands>
|
||||
<cleanup-commands>
|
||||
<command>-fs NAMENODE -rmdir /foo</command>
|
||||
|
Loading…
Reference in New Issue
Block a user