HADOOP-19639. SecretManager configuration at runtime

K0K0V0K · K0K0V0K · commit 917e1a914ed3 · 2025-07-24T12:07:24.000+02:00
- static configuration of SecretManager is required because it has some static method what use the selected algorithm
- in case if class path not contains the config values (for example TEZ DAGAppMaster run) the default values will be loaded at runtime
- the default values can cause failers in modern environments (they are not FIPS compliant)
- new SecretManagerConfig created to be able to modify the SecretManager config without core-site.xml present on class path
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManager.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManager.java
@@ -20,7 +20,6 @@
 
 import java.io.IOException;
 import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
 
 import javax.crypto.KeyGenerator;
 import javax.crypto.Mac;
@@ -32,8 +31,6 @@
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 import org.apache.hadoop.ipc.RetriableException;
 import org.apache.hadoop.ipc.StandbyException;
 
@@ -115,61 +112,29 @@ public void checkAvailableForRead() throws StandbyException {
     // Default to being available for read.
   }
 
-  private static final String SELECTED_ALGORITHM;
-  private static final int SELECTED_LENGTH;
-
-  static {
-    Configuration conf = new Configuration();
-    String algorithm = conf.get(
-      CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_KEY,
-      CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_DEFAULT);
-    LOG.debug("Selected hash algorithm: {}", algorithm);
-    SELECTED_ALGORITHM = algorithm;
-    int length = conf.getInt(
-      CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_KEY,
-      CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_DEFAULT);
-    LOG.debug("Selected hash key length:{}", length);
-    SELECTED_LENGTH = length;
-  }
-
   /**
    * A thread local store for the Macs.
    */
   private static final ThreadLocal<Mac> threadLocalMac =
-    new ThreadLocal<Mac>(){
-    @Override
-    protected Mac initialValue() {
-      try {
-        return Mac.getInstance(SELECTED_ALGORITHM);
-      } catch (NoSuchAlgorithmException nsa) {
-        throw new IllegalArgumentException("Can't find " + SELECTED_ALGORITHM, nsa);
-      }
-    }
-  };
+          ThreadLocal.withInitial(SecretManagerConfig::createMac);
 
   /**
    * Key generator to use.
    */
-  private final KeyGenerator keyGen;
-  {
-    try {
-      keyGen = KeyGenerator.getInstance(SELECTED_ALGORITHM);
-      keyGen.init(SELECTED_LENGTH);
-    } catch (NoSuchAlgorithmException nsa) {
-      throw new IllegalArgumentException("Can't find " + SELECTED_ALGORITHM, nsa);
-    }
-  }
+  private volatile KeyGenerator keyGen;
+  private final Object keyGenLock = new Object();
 
   /**
    * Generate a new random secret key.
    * @return the new key
    */
   protected SecretKey generateSecret() {
-    SecretKey key;
-    synchronized (keyGen) {
-      key = keyGen.generateKey();
+    synchronized (keyGenLock) {
+      if (keyGen == null) {
+        keyGen = SecretManagerConfig.createKeyGenerator();
+      }
+      return keyGen.generateKey();
     }
-    return key;
   }
 
   /**
@@ -197,6 +162,6 @@ public static byte[] createPassword(byte[] identifier,
    * @return the secret key
    */
   protected static SecretKey createSecretKey(byte[] key) {
-    return new SecretKeySpec(key, SELECTED_ALGORITHM);
+    return new SecretKeySpec(key, SecretManagerConfig.getSelectedAlgorithm());
   }
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManagerConfig.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManagerConfig.java
@@ -0,0 +1,126 @@
+
+package org.apache.hadoop.security.token;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.crypto.KeyGenerator;
+import javax.crypto.Mac;
+import javax.crypto.SecretKey;
+import java.security.NoSuchAlgorithmException;
+
+/**
+ * Provides configuration and utility methods for managing cryptographic key generation
+ * and message authentication code (MAC) generation using specified algorithms and key lengths.
+ * <p>
+ * This class supports static access to the selected cryptographic algorithm and key length,
+ * and provides methods to create configured {@link javax.crypto.KeyGenerator} and {@link javax.crypto.Mac} instances.
+ * The configuration is initialized statically from a provided {@link Configuration} object.
+ * <p>
+ * The {@link SecretManager} has some static method, so static configuration is required
+ */
+public class SecretManagerConfig {
+    private static final Logger LOG = LoggerFactory.getLogger(SecretManagerConfig.class);
+    private static String SELECTED_ALGORITHM;
+    private static int SELECTED_LENGTH;
+
+    static {
+        update(new Configuration());
+    }
+
+    /**
+     * Updates the selected cryptographic algorithm and key length using the provided
+     * Hadoop {@link Configuration}. This method reads the values for
+     * {@code HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_KEY} and
+     * {@code HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_KEY}, or uses default values if not set.
+     *
+     * @param conf the configuration object containing cryptographic settings
+     */
+    public static void update(Configuration conf) {
+        String algorithm = conf.get(
+                CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_KEY,
+                CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_DEFAULT);
+        LOG.debug("Selected hash algorithm: {}", algorithm);
+        SELECTED_ALGORITHM = algorithm;
+        int length = conf.getInt(
+                CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_KEY,
+                CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_DEFAULT);
+        LOG.debug("Selected hash key length: {}", length);
+        SELECTED_LENGTH = length;
+    }
+
+    /**
+     * Returns the currently selected cryptographic algorithm.
+     *
+     * @return the name of the selected algorithm
+     */
+    public static String getSelectedAlgorithm() {
+        return SELECTED_ALGORITHM;
+    }
+
+    /**
+     * Returns the currently selected key length in bits.
+     *
+     * @return the selected key length
+     */
+    public static int getSelectedLength() {
+        return SELECTED_LENGTH;
+    }
+
+    /**
+     * Sets the cryptographic algorithm to use.
+     *
+     * @param algorithm the algorithm name (e.g., "HmacSHA256", "AES")
+     */
+    public static void setSelectedAlgorithm(String algorithm) {
+        SELECTED_ALGORITHM = algorithm;
+        LOG.debug("Selected hash algorithm set to {}", algorithm);
+
+    }
+
+    /**
+     * Sets the cryptographic key length to use (in bits).
+     *
+     * @param length the key length
+     */
+    public static void setSelectedLength(int length) {
+        SELECTED_LENGTH = length;
+        LOG.debug("Selected hash key length set to{}", length);
+    }
+
+
+    /**
+     * Creates a new {@link KeyGenerator} instance configured with the currently selected
+     * algorithm and key length.
+     *
+     * @return a new {@code KeyGenerator} instance
+     * @throws IllegalArgumentException if the specified algorithm is not available
+     */
+    public static KeyGenerator createKeyGenerator() {
+        LOG.debug("Creating key generator instance {}, {}",  SELECTED_ALGORITHM, SELECTED_LENGTH);
+        try {
+            KeyGenerator keyGen = KeyGenerator.getInstance(SELECTED_ALGORITHM);
+            keyGen.init(SELECTED_LENGTH);
+            return keyGen;
+        } catch (NoSuchAlgorithmException nsa) {
+            throw new IllegalArgumentException("Can't find " + SELECTED_ALGORITHM, nsa);
+        }
+    }
+
+    /**
+     * Creates a new {@link Mac} instance using the currently selected algorithm.
+     *
+     * @return a new {@code Mac} instance
+     * @throws IllegalArgumentException if the specified algorithm is not available
+     */
+    public static Mac createMac() {
+        LOG.debug("Creating mac instance {}", SELECTED_ALGORITHM);
+        try {
+            return Mac.getInstance(SELECTED_ALGORITHM);
+        } catch (NoSuchAlgorithmException nsa) {
+            throw new IllegalArgumentException("Can't find " + SELECTED_ALGORITHM, nsa);
+        }
+    }
+}
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/TestSecurityManagerConfig.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/TestSecurityManagerConfig.java
@@ -0,0 +1,91 @@
+package org.apache.hadoop.security.token;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Test;
+
+import javax.crypto.KeyGenerator;
+import javax.crypto.Mac;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+public class TestSecurityManagerConfig {
+
+    private static final String DEFAULT_ALGORITHM =
+            CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_DEFAULT;
+    private static final int DEFAULT_LENGTH =
+            CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_DEFAULT;
+
+    private static final String STRONG_ALGORITHM = "HmacSHA256";
+    private static final int STRONG_LENGTH = 256;
+
+    @Test
+    public void testDefaults() {
+        assertEquals(DEFAULT_ALGORITHM, SecretManagerConfig.getSelectedAlgorithm());
+        assertEquals(DEFAULT_LENGTH, SecretManagerConfig.getSelectedLength());
+    }
+
+    @Test
+    public void testUpdateByConfig() {
+        Configuration conf = new Configuration();
+        conf.set(
+                CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_KEY,
+                STRONG_ALGORITHM
+        );
+        conf.setInt(
+                CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_KEY,
+                STRONG_LENGTH
+        );
+        SecretManagerConfig.update(conf);
+        assertEquals(STRONG_ALGORITHM, SecretManagerConfig.getSelectedAlgorithm());
+        assertEquals(STRONG_LENGTH, SecretManagerConfig.getSelectedLength());
+    }
+
+    @Test
+    public void testUpdateAlgorithmBySetter() {
+        SecretManagerConfig.setSelectedAlgorithm(STRONG_ALGORITHM);
+        assertEquals(STRONG_ALGORITHM, SecretManagerConfig.getSelectedAlgorithm());
+        assertEquals(DEFAULT_LENGTH, SecretManagerConfig.getSelectedLength());
+    }
+
+    @Test
+    public void testUpdateLengthBySetter() {
+        SecretManagerConfig.setSelectedLength(STRONG_LENGTH);
+        assertEquals(DEFAULT_ALGORITHM, SecretManagerConfig.getSelectedAlgorithm());
+        assertEquals(STRONG_LENGTH, SecretManagerConfig.getSelectedLength());
+    }
+
+    @Test
+    public void testMacCreation() {
+        SecretManagerConfig.setSelectedAlgorithm(STRONG_ALGORITHM);
+        Mac mac = SecretManagerConfig.createMac();
+        assertEquals(STRONG_ALGORITHM, mac.getAlgorithm());
+    }
+
+    @Test
+    public void testMacCreationUnknownAlgorithm() {
+        SecretManagerConfig.setSelectedAlgorithm("testMacCreationUnknownAlgorithm_NO_ALG");
+        assertThrows(IllegalArgumentException.class, SecretManagerConfig::createMac);
+    }
+
+    @Test
+    public void testKeygenCreation() {
+        SecretManagerConfig.setSelectedAlgorithm(STRONG_ALGORITHM);
+        KeyGenerator keyGenerator = SecretManagerConfig.createKeyGenerator();
+        assertEquals(STRONG_ALGORITHM, keyGenerator.getAlgorithm());
+    }
+
+    @Test
+    public void testKeygenCreationUnknownAlgorithm() {
+        SecretManagerConfig.setSelectedAlgorithm("testKeygenCreationUnknownAlgorithm_NO_ALG");
+        assertThrows(IllegalArgumentException.class, SecretManagerConfig::createKeyGenerator);
+    }
+
+    @AfterEach
+    public void tearDown() {
+        SecretManagerConfig.setSelectedAlgorithm(DEFAULT_ALGORITHM);
+        SecretManagerConfig.setSelectedLength(DEFAULT_LENGTH);
+    }
+}
