HADOOP-13864. KMS should not require truststore password. Contributed by Mike Yoder.

This commit is contained in:
Xiao Chen 2016-12-05 12:19:26 -08:00
parent f3b8ff54ab
commit a2b5d60220
3 changed files with 23 additions and 3 deletions


@ -202,8 +202,10 @@ public void init(SSLFactory.Mode mode)
SSL_TRUSTSTORE_PASSWORD_TPL_KEY); SSL_TRUSTSTORE_PASSWORD_TPL_KEY);
String truststorePassword = getPassword(conf, passwordProperty, ""); String truststorePassword = getPassword(conf, passwordProperty, "");
if (truststorePassword.isEmpty()) { if (truststorePassword.isEmpty()) {
throw new GeneralSecurityException("The property '" + passwordProperty + // An empty trust store password is legal; the trust store password
"' has not been set in the ssl configuration file."); // is only required when writing to a trust store. Otherwise it's
// an optional integrity check.
truststorePassword = null;
} }
long truststoreReloadInterval = long truststoreReloadInterval =
conf.getLong( conf.getLong(
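Review bot: The new `truststorePassword = null;` assignment silently switches the trust store load into a mode with no integrity check, and nothing on this path tells an operator that it happened. A log line next to the assignment would make the weaker mode visible, e.g. `LOG.debug("Trust store password property '" + passwordProperty + "' not set; loading trust store without integrity check.");` (assuming the class's existing logger is named LOG, which is not shown in the hunk). The added comment could also say the consequence outright, e.g. `// Without it the integrity check of the trust store file is skipped.` The enclosing init() method starts and ends outside the hunk.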


@ -167,7 +167,7 @@ X509TrustManager loadTrustManager()
KeyStore ks = KeyStore.getInstance(type); KeyStore ks = KeyStore.getInstance(type);
FileInputStream in = new FileInputStream(file); FileInputStream in = new FileInputStream(file);
try { try {
ks.load(in, password.toCharArray()); ks.load(in, (password == null) ? null : password.toCharArray());
lastLoaded = file.lastModified(); lastLoaded = file.lastModified();
LOG.debug("Loaded truststore '" + file + "'"); LOG.debug("Loaded truststore '" + file + "'");
} finally { } finally {
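Review bot: The null branch in `ks.load(in, (password == null) ? null : password.toCharArray());` establishes a new contract — a null `password` means load the store without verifying its integrity — but that contract is only visible in this expression. The constructor's Javadoc for the `password` parameter (outside the hunk) should state it, so callers do not pass an empty string expecting the same behaviour: `"".toCharArray()` is a real password to `KeyStore.load` and will fail against a store created with a non-empty one. A small hardening on the same line would be to hold the `char[]` in a local and `Arrays.fill` it after the load instead of leaving the password copy for the garbage collector. loadTrustManager() starts and ends outside the hunk.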


@ -199,4 +199,22 @@ public Boolean get() {
}, reloadInterval, 10 * 1000); }, reloadInterval, 10 * 1000);
} }
/** No password when accessing a trust store is legal. */
@Test
public void testNoPassword() throws Exception {
KeyPair kp = generateKeyPair("RSA");
cert1 = generateCertificate("CN=Cert1", kp, 30, "SHA1withRSA");
cert2 = generateCertificate("CN=Cert2", kp, 30, "SHA1withRSA");
String truststoreLocation = BASEDIR + "/testreload.jks";
createTrustStore(truststoreLocation, "password", "cert1", cert1);
final ReloadingX509TrustManager tm =
new ReloadingX509TrustManager("jks", truststoreLocation, null, 10);
try {
tm.init();
assertEquals(1, tm.getAcceptedIssuers().length);
} finally {
tm.destroy();
}
}
} }
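Review bot: `cert2 = generateCertificate("CN=Cert2", kp, 30, "SHA1withRSA");` is never used in testNoPassword; drop that line so the test reads as exactly what it checks. The store is written to `BASEDIR + "/testreload.jks"`, which from the name appears to be shared with the reload test above; a distinct file such as `BASEDIR + "/testnopassword.jks"` avoids the two tests overwriting each other's store when they run in the same JVM. The test shows that a store created with a password loads when null is passed, which is the point of the change; the Javadoc could say so, e.g. `/** No password when accessing a trust store is legal; the store still loads, only the integrity check is skipped. */`.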