

Use getKey/TrustManager instead of mngrFactory in prod code
Galsza committed Jul 12, 2024
1 parent 1b57459 commit c8c406e
Showing 18 changed files with 96 additions and 374 deletions.

This file was deleted.

Expand Up @@ -20,10 +20,11 @@
package org.apache.hadoop.hdds.security.x509.certificate.client;

import org.apache.hadoop.hdds.security.exception.OzoneSecurityException;
import org.apache.hadoop.hdds.security.ssl.KeyStoresFactory;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest;
import org.apache.hadoop.hdds.security.x509.exception.CertificateException;

import javax.net.ssl.KeyManager;
import javax.net.ssl.TrustManager;
import java.io.Closeable;
import java.io.IOException;
import java.security.PrivateKey;
Expand Down Expand Up @@ -174,15 +175,9 @@ default void assertValidKeysAndCertificate() throws OzoneSecurityException {
}
}

/**
* Return the store factory for key manager and trust manager for server.
*/
KeyStoresFactory getServerKeyStoresFactory() throws CertificateException;
KeyManager getKeyManager() throws CertificateException;

/**
* Return the store factory for key manager and trust manager for client.
*/
KeyStoresFactory getClientKeyStoresFactory() throws CertificateException;
TrustManager getTrustManager() throws CertificateException;

/**
* Register a receiver that will be called after the certificate renewed.
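Review bot: The new `getKeyManager()` and `getTrustManager()` declarations replace two Javadoc'd methods but carry no Javadoc of their own, so an implementer no longer knows which certificate and which trust anchors the returned managers must represent, nor whether they track certificate renewal. The removed methods also distinguished server-side from client-side stores; since every call site in this commit now uses the same pair for both roles, the contract should say that one manager serves both. I would add `/** Returns the KeyManager presenting this component's own certificate for TLS; used for both server and client roles. */` above `getKeyManager()` and `/** Returns the TrustManager used to validate peer certificates; used for both server and client roles. */` above `getTrustManager()`, and state whether the returned managers pick up a renewed certificate (a renewal receiver is registered just below) or are snapshots the caller must refresh.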
Expand Up @@ -155,7 +155,7 @@ public XceiverServerGrpc(DatanodeDetails datanodeDetails,
if (secConf.isSecurityEnabled() && secConf.isGrpcTlsEnabled()) {
try {
SslContextBuilder sslClientContextBuilder = SslContextBuilder.forServer(
caClient.getServerKeyStoresFactory().getKeyManagers()[0]);
caClient.getKeyManager());
SslContextBuilder sslContextBuilder = GrpcSslContexts.configure(
sslClientContextBuilder, secConf.getGrpcSslProvider());
nettyServerBuilder.sslContext(sslContextBuilder.build());
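Review bot: `SslContextBuilder.forServer(caClient.getKeyManager())` configures only the server's own key, with no `trustManager(...)` or `clientAuth(...)` call, whereas the ReplicationServer hunk in this same commit pairs `forServer(caClient.getKeyManager())` with `trustManager(caClient.getTrustManager())` and `clientAuth(ClientAuth.REQUIRE)`. As written this listener authenticates itself to clients but does not authenticate them at the TLS layer; that may be deliberate, but nothing on this page says so. If it is intended, a one-line comment such as `// Server-auth only: clients are not verified at the TLS layer here` on the `forServer` line would record it; if not, the trust-manager and client-auth lines from ReplicationServer belong here too. The constructor `XceiverServerGrpc(...)` starts and ends outside the hunk.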
Expand Up @@ -56,7 +56,6 @@
import org.apache.hadoop.hdds.ratis.RatisHelper;
import org.apache.hadoop.hdds.scm.pipeline.PipelineID;
import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.ssl.KeyStoresFactory;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.tracing.TracingUtil;
import org.apache.hadoop.hdds.utils.HddsServerUtil;
Expand Down Expand Up @@ -542,14 +541,12 @@ public static XceiverServerRatis newXceiverServerRatis(
private static Parameters createTlsParameters(SecurityConfig conf,
CertificateClient caClient) throws IOException {
if (conf.isSecurityEnabled() && conf.isGrpcTlsEnabled()) {
KeyStoresFactory managerFactory =
caClient.getServerKeyStoresFactory();
GrpcTlsConfig serverConfig = new GrpcTlsConfig(
managerFactory.getKeyManagers()[0],
managerFactory.getTrustManagers()[0], true);
caClient.getKeyManager(),
caClient.getTrustManager(), true);
GrpcTlsConfig clientConfig = new GrpcTlsConfig(
managerFactory.getKeyManagers()[0],
managerFactory.getTrustManagers()[0], false);
caClient.getKeyManager(),
caClient.getTrustManager(), false);
return RatisHelper.setServerTlsConf(serverConfig, clientConfig);
}

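Review bot: `createTlsParameters` now calls `caClient.getKeyManager()` and `caClient.getTrustManager()` twice each, once per `GrpcTlsConfig`, whereas the replaced code fetched the factory once and reused it. Unless the client is documented to return the same instance on every call (the interface hunk does not say), the server and client configs could end up holding different manager objects, and each call is a separate `throws CertificateException` point. I would fetch them once at the top of the `if` block, `KeyManager keyManager = caClient.getKeyManager();` and `TrustManager trustManager = caClient.getTrustManager();`, pass the locals to both constructors, and add the two `javax.net.ssl` imports in place of the removed `KeyStoresFactory` import. The method's tail after the `if` is outside the hunk.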
Expand Up @@ -260,8 +260,8 @@ public OzoneContainer(

if (certClient != null && secConf.isGrpcTlsEnabled()) {
tlsClientConfig = new GrpcTlsConfig(
certClient.getClientKeyStoresFactory().getKeyManagers()[0],
certClient.getClientKeyStoresFactory().getTrustManagers()[0], true);
certClient.getKeyManager(),
certClient.getTrustManager(), true);
} else {
tlsClientConfig = null;
}
Expand Up @@ -35,7 +35,6 @@
import org.apache.hadoop.hdds.protocol.datanode.proto.IntraDatanodeProtocolServiceGrpc;
import org.apache.hadoop.hdds.protocol.datanode.proto.IntraDatanodeProtocolServiceGrpc.IntraDatanodeProtocolServiceStub;
import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.ssl.KeyStoresFactory;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.ozone.OzoneConsts;

Expand Down Expand Up @@ -82,11 +81,10 @@ public GrpcReplicationClient(

SslContextBuilder sslContextBuilder = GrpcSslContexts.forClient();
if (certClient != null) {
KeyStoresFactory factory = certClient.getClientKeyStoresFactory();
sslContextBuilder
.trustManager(factory.getTrustManagers()[0])
.trustManager(certClient.getTrustManager())
.clientAuth(ClientAuth.REQUIRE)
.keyManager(factory.getKeyManagers()[0]);
.keyManager(certClient.getKeyManager());
}
if (secConfig.useTestCert()) {
channelBuilder.overrideAuthority("localhost");
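Review bot: `.clientAuth(ClientAuth.REQUIRE)` sits between the two rewritten lines on a builder created with `GrpcSslContexts.forClient()`, and to my knowledge Netty's `SslContextBuilder` only applies `clientAuth` when building a server context, so the call is a no-op here. It predates this commit, but the commit rewrites the lines on either side of it, so this is the moment to either drop it or explain it, e.g. `// clientAuth has no effect on a client context; the ReplicationServer side enforces REQUIRE`. The constructor `GrpcReplicationClient(...)` starts outside the hunk.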
Expand Up @@ -115,15 +115,13 @@ public void init(boolean enableZeroCopy) {

if (secConf.isSecurityEnabled() && secConf.isGrpcTlsEnabled()) {
try {
SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(
caClient.getServerKeyStoresFactory().getKeyManagers()[0]);
SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(caClient.getKeyManager());

sslContextBuilder = GrpcSslContexts.configure(
sslContextBuilder, secConf.getGrpcSslProvider());

sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
sslContextBuilder.trustManager(
caClient.getServerKeyStoresFactory().getTrustManagers()[0]);
sslContextBuilder.trustManager(caClient.getTrustManager());

nettyServerBuilder.sslContext(sslContextBuilder.build());
} catch (IOException ex) {
