From a2b5d602201a4f619f6a68ec2168a884190d8de6 Mon Sep 17 00:00:00 2001 From: Xiao Chen Date: Mon, 5 Dec 2016 12:19:26 -0800 Subject: [PATCH] HADOOP-13864. KMS should not require truststore password. Contributed by Mike Yoder. --- .../ssl/FileBasedKeyStoresFactory.java | 6 ++++-- .../ssl/ReloadingX509TrustManager.java | 2 +- .../ssl/TestReloadingX509TrustManager.java | 18 ++++++++++++++++++ 3 files changed, 23 insertions(+), 3 deletions(-) diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java index 4e5901054d..a01d11ab9c 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java @@ -202,8 +202,10 @@ public void init(SSLFactory.Mode mode) SSL_TRUSTSTORE_PASSWORD_TPL_KEY); String truststorePassword = getPassword(conf, passwordProperty, ""); if (truststorePassword.isEmpty()) { - throw new GeneralSecurityException("The property '" + passwordProperty + - "' has not been set in the ssl configuration file."); + // An empty trust store password is legal; the trust store password + // is only required when writing to a trust store. Otherwise it's + // an optional integrity check. + truststorePassword = null; } long truststoreReloadInterval = conf.getLong( diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java index 597f8d77df..2d3afea69c 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java @@ -167,7 +167,7 @@ X509TrustManager loadTrustManager() KeyStore ks = KeyStore.getInstance(type); FileInputStream in = new FileInputStream(file); try { - ks.load(in, password.toCharArray()); + ks.load(in, (password == null) ? null : password.toCharArray()); lastLoaded = file.lastModified(); LOG.debug("Loaded truststore '" + file + "'"); } finally { diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java index bf058cdd08..3fb203ee2b 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/ssl/TestReloadingX509TrustManager.java @@ -199,4 +199,22 @@ public Boolean get() { }, reloadInterval, 10 * 1000); } + /** No password when accessing a trust store is legal. */ + @Test + public void testNoPassword() throws Exception { + KeyPair kp = generateKeyPair("RSA"); + cert1 = generateCertificate("CN=Cert1", kp, 30, "SHA1withRSA"); + cert2 = generateCertificate("CN=Cert2", kp, 30, "SHA1withRSA"); + String truststoreLocation = BASEDIR + "/testreload.jks"; + createTrustStore(truststoreLocation, "password", "cert1", cert1); + + final ReloadingX509TrustManager tm = + new ReloadingX509TrustManager("jks", truststoreLocation, null, 10); + try { + tm.init(); + assertEquals(1, tm.getAcceptedIssuers().length); + } finally { + tm.destroy(); + } + } }