From common-commits-return-96803-archive-asf-public=cust-asf.ponee.io@hadoop.apache.org Tue Oct 1 01:06:40 2019 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [207.244.88.153]) by mx-eu-01.ponee.io (Postfix) with SMTP id 7437F180656 for ; Tue, 1 Oct 2019 03:06:40 +0200 (CEST) Received: (qmail 98253 invoked by uid 500); 1 Oct 2019 01:06:39 -0000 Mailing-List: contact common-commits-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list common-commits@hadoop.apache.org Received: (qmail 98244 invoked by uid 99); 1 Oct 2019 01:06:39 -0000 Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 01 Oct 2019 01:06:39 +0000 Received: by gitbox.apache.org (ASF Mail Server at gitbox.apache.org, from userid 33) id 51C7F81E87; Tue, 1 Oct 2019 01:06:39 +0000 (UTC) Date: Tue, 01 Oct 2019 01:06:39 +0000 To: "common-commits@hadoop.apache.org" Subject: [hadoop] branch branch-2 updated: HDFS-14305. Fix serial number calculation in BlockTokenSecretManager to avoid token key ID overlap between NameNodes. Contributed by Konstantin V Shvachko. MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Message-ID: <156989199883.20089.15022837100785847638@gitbox.apache.org> 
From: shv@apache.org X-Git-Host: gitbox.apache.org X-Git-Repo: hadoop X-Git-Refname: refs/heads/branch-2 X-Git-Reftype: branch X-Git-Oldrev: 9482da7053a5a6acc825a9f62a278cfe5bf2ea1d X-Git-Newrev: dc2b838a8e6dfe58598cac8ec37546332eeedeb2 X-Git-Rev: dc2b838a8e6dfe58598cac8ec37546332eeedeb2 X-Git-NotificationType: ref_changed_plus_diff X-Git-Multimail-Version: 1.5.dev Auto-Submitted: auto-generated This is an automated email from the ASF dual-hosted git repository. shv pushed a commit to branch branch-2 in repository https://gitbox.apache.org/repos/asf/hadoop.git The following commit(s) were added to refs/heads/branch-2 by this push: new dc2b838 HDFS-14305. Fix serial number calculation in BlockTokenSecretManager to avoid token key ID overlap between NameNodes. Contributed by Konstantin V Shvachko. dc2b838 is described below commit dc2b838a8e6dfe58598cac8ec37546332eeedeb2 Author: Konstantin V Shvachko AuthorDate: Mon Sep 30 18:04:16 2019 -0700 HDFS-14305. Fix serial number calculation in BlockTokenSecretManager to avoid token key ID overlap between NameNodes. Contributed by Konstantin V Shvachko.
---
 .../token/block/BlockTokenSecretManager.java | 12 +++++++----
 .../hdfs/security/token/block/TestBlockToken.java | 24 ++++++++++++++++++++++
 .../ha/TestFailoverWithBlockTokensEnabled.java | 5 ++---
 3 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
index a934232..dae89c3 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
@@ -116,8 +116,6 @@ public class BlockTokenSecretManager extends
 encryptionAlgorithm, nnIndex, numNNs, shouldWrapQOP);
 Preconditions.checkArgument(nnIndex >= 0);
 Preconditions.checkArgument(numNNs > 0);
- setSerialNo(new SecureRandom().nextInt());
- generateKeys();
 }
 
 public BlockTokenSecretManager(long keyUpdateInterval,
@@ -140,13 +138,19 @@ public class BlockTokenSecretManager extends
 this.encryptionAlgorithm = encryptionAlgorithm;
 this.shouldWrapQOP = shouldWrapQOP;
 this.timer = new Timer();
+ setSerialNo(new SecureRandom().nextInt(Integer.MAX_VALUE));
+ LOG.info("Block token key range: [" +
+ nnRangeStart + ", " + (nnRangeStart + intRange) + ")");
 generateKeys();
 }
 
 @VisibleForTesting
- public synchronized void setSerialNo(int serialNo) {
+ public synchronized void setSerialNo(int nextNo) {
 // we mod the serial number by the range and then add that times the index
- this.serialNo = (serialNo % intRange) + (nnRangeStart);
+ this.serialNo = (nextNo % intRange) + (nnRangeStart);
+ assert serialNo >= nnRangeStart && serialNo < (nnRangeStart + intRange) :
+ "serialNo " + serialNo + " is not in the designated range: [" +
+ nnRangeStart + ", " + (nnRangeStart + intRange) + ")";
 }
 
 public void setBlockPoolId(String blockPoolId) {
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/token/block/TestBlockToken.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/token/block/TestBlockToken.java
index 55e9d30..7d0c90f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/token/block/TestBlockToken.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/token/block/TestBlockToken.java
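Review bot: In the second BlockTokenSecretManager.java hunk, the range check added to `setSerialNo` relies on `assert`, which the JVM skips unless assertions are enabled, so a default production NameNode gets no enforcement of the invariant. Java's `%` keeps the sign of the dividend, so a negative `nextNo` still yields a serial number below `nnRangeStart`, outside this NameNode's key range; the constructor now passes a non-negative value, but the method is public and its other callers are not visible in this hunk. An unconditional guard before the modulo, e.g. `Preconditions.checkArgument(nextNo >= 0, "nextNo must be non-negative: %s", nextNo);`, would hold in all builds (Preconditions is already used in this class). The TestFailoverWithBlockTokensEnabled hunk drops the `Integer.MIN_VALUE` inputs, so after this commit no test visible here covers how a negative value is handled.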
@@ -411,4 +411,28 @@ public class TestBlockToken {
 cluster.shutdown();
 }
 }
+
+ /**
+ * Verify that block token serialNo is always within the range designated to
+ * to the NameNode.
+ */
+ @Test
+ public void testBlockTokenRanges() throws IOException {
+ final int interval = 1024;
+ final int numNNs = Integer.MAX_VALUE / interval;
+ for(int nnIdx = 0; nnIdx < 64; nnIdx++) {
+ BlockTokenSecretManager sm = new BlockTokenSecretManager(
+ blockKeyUpdateInterval, blockTokenLifetime, nnIdx, numNNs,
+ "fake-pool", null, false);
+ int rangeStart = nnIdx * interval;
+ for(int i = 0; i < interval * 3; i++) {
+ int serialNo = sm.getSerialNoForTesting();
+ assertTrue(
+ "serialNo " + serialNo + " is not in the designated range: [" +
+ rangeStart + ", " + (rangeStart + interval) + ")",
+ serialNo >= rangeStart && serialNo < (rangeStart + interval));
+ sm.updateKeys();
+ }
+ }
+ }
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestFailoverWithBlockTokensEnabled.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestFailoverWithBlockTokensEnabled.java
index 43ab69d..ff90121 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestFailoverWithBlockTokensEnabled.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/ha/TestFailoverWithBlockTokensEnabled.java
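Review bot: `testBlockTokenRanges` in TestBlockToken.java exercises only `nnIdx` 0 through 63, while with `numNNs = Integer.MAX_VALUE / interval` the ranges most exposed to `int` overflow in `nnRangeStart + intRange` belong to the highest indices. One extra pass for the last index, constructing the manager with `numNNs - 1` and checking against `rangeStart = (numNNs - 1) * interval`, would cover that boundary. The Javadoc repeats a word across its line break (`designated to` / `to the NameNode`) and should read `designated to the NameNode`. How `updateKeys()` advances the serial number is outside this hunk, so the assumption that `interval * 3` iterations force a wrap-around should be confirmed there.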
@@ -92,11 +92,10 @@ public class TestFailoverWithBlockTokensEnabled { setAndCheckSerialNumber(0, btsm1, btsm2, btsm3); setAndCheckSerialNumber(Integer.MAX_VALUE, btsm1, btsm2, btsm3); - setAndCheckSerialNumber(Integer.MIN_VALUE, btsm1, btsm2, btsm3); setAndCheckSerialNumber(Integer.MAX_VALUE / 2, btsm1, btsm2, btsm3); - setAndCheckSerialNumber(Integer.MIN_VALUE / 2, btsm1, btsm2, btsm3); setAndCheckSerialNumber(Integer.MAX_VALUE / 3, btsm1, btsm2, btsm3); - setAndCheckSerialNumber(Integer.MIN_VALUE / 3, btsm1, btsm2, btsm3); + setAndCheckSerialNumber(Integer.MAX_VALUE / 171717, + btsm1, btsm2, btsm3); } private void setAndCheckSerialNumber(int serialNumber, BlockTokenSecretManager... btsms) { --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org For additional commands, e-mail: common-commits-help@hadoop.apache.org