From common-commits-return-83529-archive-asf-public=cust-asf.ponee.io@hadoop.apache.org Thu May 31 17:49:57 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 78E1A180632 for ; Thu, 31 May 2018 17:49:56 +0200 (CEST) Received: (qmail 91095 invoked by uid 500); 31 May 2018 15:49:55 -0000 Mailing-List: contact common-commits-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list common-commits@hadoop.apache.org Received: (qmail 91079 invoked by uid 99); 31 May 2018 15:49:55 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 31 May 2018 15:49:55 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 69C44E0C6A; Thu, 31 May 2018 15:49:55 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: xyao@apache.org To: common-commits@hadoop.apache.org Date: Thu, 31 May 2018 15:49:56 -0000 Message-Id: <9d38fb73282244fe8a17695f6dd8a192@git.apache.org> In-Reply-To: <1b35a5e8d37342629b07655527f0a644@git.apache.org> References: <1b35a5e8d37342629b07655527f0a644@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [02/50] [abbrv] hadoop git commit: HADOOP-15473. Configure serialFilter in KeyProvider to avoid UnrecoverableKeyException caused by JDK-8189997. Contributed by Gabor Bota. HADOOP-15473. Configure serialFilter in KeyProvider to avoid UnrecoverableKeyException caused by JDK-8189997. Contributed by Gabor Bota. Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/02322de3 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/02322de3 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/02322de3 Branch: refs/heads/HDDS-4 Commit: 02322de3f95ba78a22c057037ef61aa3ab1d3824 Parents: 8d5509c Author: Xiao Chen Authored: Fri May 25 09:08:15 2018 -0700 Committer: Xiao Chen Committed: Fri May 25 09:10:51 2018 -0700 ---------------------------------------------------------------------- .../apache/hadoop/crypto/key/KeyProvider.java | 18 +++++++++++++++ .../fs/CommonConfigurationKeysPublic.java | 7 ++++++ .../src/main/resources/core-default.xml | 23 ++++++++++++++++++++ 3 files changed, 48 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/02322de3/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProvider.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProvider.java index 5d670e5..050540b 100644 
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProvider.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProvider.java @@ -42,6 +42,8 @@ import org.apache.hadoop.fs.CommonConfigurationKeysPublic; import javax.crypto.KeyGenerator; +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_JCEKS_KEY_SERIALFILTER; + /** * A provider of secret key material for Hadoop applications. Provides an * abstraction to separate key storage from users of encryption. It @@ -61,6 +63,14 @@ public abstract class KeyProvider { CommonConfigurationKeysPublic.HADOOP_SECURITY_KEY_DEFAULT_BITLENGTH_KEY; public static final int DEFAULT_BITLENGTH = CommonConfigurationKeysPublic. HADOOP_SECURITY_KEY_DEFAULT_BITLENGTH_DEFAULT; + public static final String JCEKS_KEY_SERIALFILTER_DEFAULT = + "java.lang.Enum;" + + "java.security.KeyRep;" + + "java.security.KeyRep$Type;" + + "javax.crypto.spec.SecretKeySpec;" + + "org.apache.hadoop.crypto.key.JavaKeyStoreProvider$KeyMetadata;" + + "!*"; + public static final String JCEKS_KEY_SERIAL_FILTER = "jceks.key.serialFilter"; private final Configuration conf; @@ -394,6 +404,14 @@ public abstract class KeyProvider { */ public KeyProvider(Configuration conf) { this.conf = new Configuration(conf); + // Added for HADOOP-15473. Configured serialFilter property fixes + // java.security.UnrecoverableKeyException in JDK 8u171. + if(System.getProperty(JCEKS_KEY_SERIAL_FILTER) == null) { + String serialFilter = + conf.get(HADOOP_SECURITY_CRYPTO_JCEKS_KEY_SERIALFILTER, + JCEKS_KEY_SERIALFILTER_DEFAULT); + System.setProperty(JCEKS_KEY_SERIAL_FILTER, serialFilter); + } } /** http://git-wip-us.apache.org/repos/asf/hadoop/blob/02322de3/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java ---------------------------------------------------------------------- 
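Review bot: The two new public constants `JCEKS_KEY_SERIALFILTER_DEFAULT` and `JCEKS_KEY_SERIAL_FILTER` (hunk at -61,6 +63,14) have no Javadoc, although the first is the allow-list that decides which classes may be deserialized from a JCEKS entry. I would add a Javadoc saying that each `;`-separated entry is an allowed class, that the trailing `!*` rejects everything not listed and has to stay last, and why `JavaKeyStoreProvider$KeyMetadata` is on the list. The two names also spell the same thing differently (`SERIALFILTER` and `SERIAL_FILTER`); choosing one form now avoids renaming public API later.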
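Review bot: The constructor (hunk at -394,6 +404,14) sets the JVM-wide system property `jceks.key.serialFilter` from a per-instance `Configuration`, so the first `KeyProvider` built in a process fixes the filter for every JCEKS keystore in that JVM. A later instance whose `hadoop.security.crypto.jceks.key.serialfilter` differs is ignored without any log line. The configured string is also passed through unchecked, so an empty value or one that lacks the closing `!*` replaces the default allow-list; I have not confirmed how the JDK treats either case. If the JDK reads the property only once, when its keystore class initialises (likely, but not visible here), a keystore loaded before any `KeyProvider` exists would not get this filter. I would log when the existing property differs from the configured value and state the scope in the constructor Javadoc, e.g. `// NOTE: jceks.key.serialFilter is JVM-wide; the first KeyProvider's Configuration wins.`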
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java index 8837cfb..9e0ba20 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java @@ -662,6 +662,13 @@ public class CommonConfigurationKeysPublic { * * core-default.xml */ + public static final String HADOOP_SECURITY_CRYPTO_JCEKS_KEY_SERIALFILTER = + "hadoop.security.crypto.jceks.key.serialfilter"; + /** + * @see + * + * core-default.xml + */ public static final String HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY = "hadoop.security.crypto.buffer.size"; /** Defalt value for HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY */ http://git-wip-us.apache.org/repos/asf/hadoop/blob/02322de3/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml index fad2985..9564587 100644 --- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml +++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml 
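Review bot: The new key `HADOOP_SECURITY_CRYPTO_JCEKS_KEY_SERIALFILTER` does not follow the pattern of its neighbours. `HADOOP_SECURITY_CRYPTO_BUFFER_SIZE_KEY` directly below carries the `_KEY` suffix, and this class also holds the matching `_DEFAULT` values, whereas the default for this key lives in `KeyProvider`. Its Javadoc is only the generic `@see core-default.xml` block taken over from the constant that follows. One sentence such as `/** Serialization filter pattern for keys read from JCEKS keystores; copied to the jceks.key.serialFilter system property when that is unset. */` would tell readers that this is a security setting.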
@@ -2487,6 +2487,29 @@ + hadoop.security.crypto.jceks.key.serialfilter + + Enhanced KeyStore Mechanisms in JDK 8u171 introduced jceks.key.serialFilter. + If jceks.key.serialFilter is configured, the JCEKS KeyStore uses it during + the deserialization of the encrypted Key object stored inside a + SecretKeyEntry. + If jceks.key.serialFilter is not configured it will cause an error when + recovering keystore file in KeyProviderFactory when recovering key from + keystore file using JDK 8u171 or newer. The filter pattern uses the same + format as jdk.serialFilter. + + The value of this property will be used as the following: + 1. The value of jceks.key.serialFilter system property takes precedence + over the value of this property. + 2. In the absence of jceks.key.serialFilter system property the value of + this property will be set as the value of jceks.key.serialFilter. + 3. If the value of this property and jceks.key.serialFilter system + property has not been set, org.apache.hadoop.crypto.key.KeyProvider + sets a default value for jceks.key.serialFilter. + + + + hadoop.security.crypto.buffer.size 8192 --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org For additional commands, e-mail: common-commits-help@hadoop.apache.org
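Review bot: The description does not say what the built-in default filter is, nor that a configured value replaces it rather than extending it (`conf.get(key, default)` in `KeyProvider`). An operator who sets this property to admit one more key class can therefore drop `JavaKeyStoreProvider$KeyMetadata` or the closing `!*` without noticing. I would list the default pattern in the description and add a sentence such as `A configured value replaces the default; keep the default entries and end the pattern with !* so that all other classes are rejected.` It would also help to state that the resulting system property applies to every JCEKS keystore in the JVM, not only to Hadoop key providers.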