From common-commits-return-97927-archive-asf-public=cust-asf.ponee.io@hadoop.apache.org Tue Jan 21 16:51:36 2020 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [207.244.88.153]) by mx-eu-01.ponee.io (Postfix) with SMTP id 9F0B0180657 for ; Tue, 21 Jan 2020 17:51:35 +0100 (CET) Received: (qmail 65630 invoked by uid 500); 21 Jan 2020 16:51:34 -0000 Mailing-List: contact common-commits-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list common-commits@hadoop.apache.org Received: (qmail 65621 invoked by uid 99); 21 Jan 2020 16:51:34 -0000 Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 21 Jan 2020 16:51:34 +0000 Received: by gitbox.apache.org (ASF Mail Server at gitbox.apache.org, from userid 33) id A4BA4819D2; Tue, 21 Jan 2020 16:51:34 +0000 (UTC) Date: Tue, 21 Jan 2020 16:51:34 +0000 To: "common-commits@hadoop.apache.org" Subject: [hadoop] branch trunk updated: HADOOP-16346. Stabilize S3A OpenSSL support. MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Message-ID: <157962549396.32042.4849874057640625867@gitbox.apache.org> 
From: stevel@apache.org X-Git-Host: gitbox.apache.org X-Git-Repo: hadoop X-Git-Refname: refs/heads/trunk X-Git-Reftype: branch X-Git-Oldrev: d887e49dd4ed2b94bbb53b7608586f5da6cee037 X-Git-Newrev: f206b736f0b370d212a399937c7a84e432f12eb5 X-Git-Rev: f206b736f0b370d212a399937c7a84e432f12eb5 X-Git-NotificationType: ref_changed_plus_diff X-Git-Multimail-Version: 1.5.dev Auto-Submitted: auto-generated This is an automated email from the ASF dual-hosted git repository. stevel pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/hadoop.git The following commit(s) were added to refs/heads/trunk by this push: new f206b73 HADOOP-16346. Stabilize S3A OpenSSL support. f206b73 is described below commit f206b736f0b370d212a399937c7a84e432f12eb5 Author: Sahil Takiar AuthorDate: Tue Jan 21 16:37:51 2020 +0000 HADOOP-16346. Stabilize S3A OpenSSL support. Introduces `openssl` as an option for `fs.s3a.ssl.channel.mode`. The new option is documented and marked as experimental. For details on how to use this, consult the performance document in the s3a documentation. This patch is the successor to HADOOP-16050 "S3A SSL connections should use OpenSSL" -which was reverted because of incompatibilities between the wildfly OpenSSL client and the AWS HTTPS servers (HADOOP-16347). With the Wildfly release moved up to 1.0.7.Final (HADOOP-16405) everything should now work. Related issues: * HADOOP-15669. 
ABFS: Improve HTTPS Performance * HADOOP-16050: S3A SSL connections should use OpenSSL * HADOOP-16371: Option to disable GCM for SSL connections when running on Java 8 * HADOOP-16405: Upgrade Wildfly Openssl version to 1.0.7.Final Contributed by Sahil Takiar Change-Id: I80a4bc5051519f186b7383b2c1cea140be42444e --- hadoop-common-project/hadoop-common/pom.xml | 5 ++ .../security/ssl/DelegatingSSLSocketFactory.java | 10 ++++ .../src/main/resources/core-default.xml | 15 ++++-- hadoop-project/pom.xml | 8 ++- hadoop-tools/hadoop-aws/pom.xml | 5 ++ .../apache/hadoop/fs/s3a/impl/NetworkBinding.java | 7 --- .../site/markdown/tools/hadoop-aws/performance.md | 61 ++++++++++++++++++---- .../fs/contract/s3a/ITestS3AContractSeek.java | 15 +++++- hadoop-tools/hadoop-azure/pom.xml | 2 +- 9 files changed, 103 insertions(+), 25 deletions(-) diff --git a/hadoop-common-project/hadoop-common/pom.xml b/hadoop-common-project/hadoop-common/pom.xml index 896ac42..aff03c2 100644 --- a/hadoop-common-project/hadoop-common/pom.xml +++ b/hadoop-common-project/hadoop-common/pom.xml @@ -346,6 +346,11 @@ org.wildfly.openssl wildfly-openssl + test + + + org.wildfly.openssl + wildfly-openssl-java provided diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/DelegatingSSLSocketFactory.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/DelegatingSSLSocketFactory.java index ad97a99..c961364 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/DelegatingSSLSocketFactory.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/DelegatingSSLSocketFactory.java @@ -58,6 +58,10 @@ import org.wildfly.openssl.SSL; * SSL with no modification to the list of enabled ciphers. * *

+ *
+ * In order to load OpenSSL, applications must ensure the wildfly-openssl
+ * artifact is on the classpath. Currently, only ABFS and S3A provide
+ * wildfly-openssl as a runtime dependency.
 */
 public final class DelegatingSSLSocketFactory extends SSLSocketFactory {
@@ -170,8 +174,14 @@ public final class DelegatingSSLSocketFactory extends SSLSocketFactory {
 OpenSSLProvider.register();
 openSSLProviderRegistered = true;
 }
+ java.util.logging.Logger logger = java.util.logging.Logger.getLogger(
+ SSL.class.getName());
+ logger.setLevel(Level.WARNING);
 ctx = SSLContext.getInstance("openssl.TLS");
 ctx.init(null, null, null);
+ // Strong reference needs to be kept to logger until initialization of
+ // SSLContext finished (see HADOOP-16174):
+ logger.setLevel(Level.INFO);
 channelMode = SSLChannelMode.OpenSSL;
 break;
 case Default_JSSE:
diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
index 9aadd74..3e9beb9 100644
--- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
+++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
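Review bot: The logger level is reset to a hard-coded `Level.INFO` after `ctx.init(null, null, null)` instead of to the level it had before, and nothing resets it at all if `SSLContext.getInstance` or `ctx.init` throws, so a failed OpenSSL initialization leaves the `org.wildfly.openssl.SSL` logger stuck at WARNING and any operator-configured level (FINE for diagnosing native-library loading, or a deliberately stricter one) is silently overwritten. Capturing `logger.getLevel()` before lowering it and restoring that value in a `finally` keeps the suppression scoped to initialization while still holding the strong reference the HADOOP-16174 comment asks for; `getLevel()` returns null when the level is inherited and `setLevel(null)` restores inheritance, so the round trip is safe. The enclosing switch and method begin and end outside this hunk.
```java
        java.util.logging.Logger logger = java.util.logging.Logger.getLogger(
            SSL.class.getName());
        // Strong reference needs to be kept to logger until initialization of
        // SSLContext finished (see HADOOP-16174). Quiet the logger only for
        // the duration of initialization and put back whatever level the
        // caller had configured, even when initialization fails.
        Level previousLevel = logger.getLevel();
        logger.setLevel(Level.WARNING);
        try {
          ctx = SSLContext.getInstance("openssl.TLS");
          ctx.init(null, null, null);
        } finally {
          logger.setLevel(previousLevel);
        }
        // … unchanged: channelMode assignment and break …
```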
@@ -1978,11 +1978,16 @@ If secure connections to S3 are enabled, configures the SSL implementation used to encrypt connections to S3. Supported values are: - "default_jsse" and "default_jsse_with_gcm". "default_jsse" uses the Java - Secure Socket Extension package (JSSE). However, when running on Java 8, - the GCM cipher is removed from the list of enabled ciphers. This is due - to performance issues with GCM in Java 8. "default_jsse_with_gcm" uses - the JSSE with the default list of cipher suites. + "default_jsse", "default_jsse_with_gcm", "default", and "openssl". + "default_jsse" uses the Java Secure Socket Extension package (JSSE). + However, when running on Java 8, the GCM cipher is removed from the list + of enabled ciphers. This is due to performance issues with GCM in Java 8. + "default_jsse_with_gcm" uses the JSSE with the default list of cipher + suites. "default_jsse_with_gcm" is equivalent to the behavior prior to + this feature being introduced. "default" attempts to use OpenSSL rather + than the JSSE for SSL encryption, if OpenSSL libraries cannot be loaded, + it falls back to the "default_jsse" behavior. "openssl" attempts to use + OpenSSL as well, but fails if OpenSSL libraries cannot be loaded. diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml index 274bfd8..f5ffa76 100644 --- a/hadoop-project/pom.xml +++ b/hadoop-project/pom.xml @@ -196,6 +196,7 @@ 3.9.0 1.5.6 7.7.0 + 1.0.7.Final @@ -1370,7 +1371,12 @@ org.wildfly.openssl wildfly-openssl - 1.0.7.Final + ${openssl-wildfly.version} + + + org.wildfly.openssl + wildfly-openssl-java + ${openssl-wildfly.version} diff --git a/hadoop-tools/hadoop-aws/pom.xml b/hadoop-tools/hadoop-aws/pom.xml index bd204b0..21c91dd 100644 --- a/hadoop-tools/hadoop-aws/pom.xml +++ b/hadoop-tools/hadoop-aws/pom.xml @@ -431,6 +431,11 @@ test + org.wildfly.openssl + wildfly-openssl + runtime + + junit junit test 
diff --git a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/impl/NetworkBinding.java b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/impl/NetworkBinding.java index 94882f2..7ff4451 100644 --- a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/impl/NetworkBinding.java +++ b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/impl/NetworkBinding.java @@ -80,13 +80,6 @@ public class NetworkBinding { throw new IllegalArgumentException(channelModeString + " is not a valid value for " + SSL_CHANNEL_MODE); } - if (channelMode == DelegatingSSLSocketFactory.SSLChannelMode.OpenSSL || - channelMode == DelegatingSSLSocketFactory.SSLChannelMode.Default) { - throw new UnsupportedOperationException("S3A does not support " + - "setting " + SSL_CHANNEL_MODE + " " + - DelegatingSSLSocketFactory.SSLChannelMode.OpenSSL + " or " + - DelegatingSSLSocketFactory.SSLChannelMode.Default); - } // Look for AWS_SOCKET_FACTORY_CLASSNAME on the classpath and instantiate // an instance using the DelegatingSSLSocketFactory as the diff --git a/hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/performance.md b/hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/performance.md index 6a9b3f7..5543263 100644 --- a/hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/performance.md +++ b/hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/performance.md 
@@ -535,10 +535,41 @@ GCM cipher is only disabled on Java 8. GCM performance has been improved in Java 9, so if `default_jsse` is specified and applications run on Java 9, they should see no difference compared to running with the vanilla JSSE. -Other options for `fs.s3a.ssl.channel.mode` include `default_jsse_with_gcm`. -This option includes GCM in the list of cipher suites on Java 8, so it is -equivalent to running with the vanilla JSSE. The naming convention is setup -in order to preserve backwards compatibility with HADOOP-15669. +`fs.s3a.ssl.channel.mode` can be set to `default_jsse_with_gcm`. This option +includes GCM in the list of cipher suites on Java 8, so it is equivalent to +running with the vanilla JSSE. + +### OpenSSL Acceleration + +**Experimental Feature** + +As of HADOOP-16050 and HADOOP-16346, `fs.s3a.ssl.channel.mode` can be set to +either `default` or `openssl` to enable native OpenSSL acceleration of HTTPS +requests. OpenSSL implements the SSL and TLS protocols using native code. For +users reading a large amount of data over HTTPS, OpenSSL can provide a +significant performance benefit over the JSSE. + +S3A uses the +[WildFly OpenSSL](https://github.com/wildfly-security/wildfly-openssl) library +to bind OpenSSL to the Java JSSE APIs. This library allows S3A to +transparently read data using OpenSSL. The wildfly-openssl library is a +runtime dependency of S3A and contains native libraries for binding the Java +JSSE to OpenSSL. + +WildFly OpenSSL must load OpenSSL itself. This can be done using the system +property `org.wildfly.openssl.path`. For example, +`HADOOP_OPTS="-Dorg.wildfly.openssl.path= +${HADOOP_OPTS}"`. See WildFly OpenSSL documentation for more details. + +When `fs.s3a.ssl.channel.mode` is set to `default`, S3A will attempt to load +the OpenSSL libraries using the WildFly library. If it is unsuccessful, it +will fall back to the `default_jsse` behavior. 
+ +When `fs.s3a.ssl.channel.mode` is set to `openssl`, S3A will attempt to load +the OpenSSL libraries using WildFly. If it is unsuccessful, it will throw an +exception and S3A initialization will fail. + +### `fs.s3a.ssl.channel.mode` Configuration `fs.s3a.ssl.channel.mode` can be configured as follows: @@ -549,11 +580,16 @@ in order to preserve backwards compatibility with HADOOP-15669. If secure connections to S3 are enabled, configures the SSL implementation used to encrypt connections to S3. Supported values are: - "default_jsse" and "default_jsse_with_gcm". "default_jsse" uses the Java - Secure Socket Extension package (JSSE). However, when running on Java 8, - the GCM cipher is removed from the list of enabled ciphers. This is due - to performance issues with GCM in Java 8. "default_jsse_with_gcm" uses - the JSSE with the default list of cipher suites. + "default_jsse", "default_jsse_with_gcm", "default", and "openssl". + "default_jsse" uses the Java Secure Socket Extension package (JSSE). + However, when running on Java 8, the GCM cipher is removed from the list + of enabled ciphers. This is due to performance issues with GCM in Java 8. + "default_jsse_with_gcm" uses the JSSE with the default list of cipher + suites. "default_jsse_with_gcm" is equivalent to the behavior prior to + this feature being introduced. "default" attempts to use OpenSSL rather + than the JSSE for SSL encryption, if OpenSSL libraries cannot be loaded, + it falls back to the "default_jsse" behavior. "openssl" attempts to use + OpenSSL as well, but fails if OpenSSL libraries cannot be loaded. ``` 
@@ -564,6 +600,11 @@ Supported values for `fs.s3a.ssl.channel.mode`: |-------------------------------|-------------| | default_jsse | Uses Java JSSE without GCM on Java 8 | | default_jsse_with_gcm | Uses Java JSSE | +| default | Uses OpenSSL, falls back to default_jsse if OpenSSL cannot be loaded | +| openssl | Uses OpenSSL, fails if OpenSSL cannot be loaded | + +The naming convention is setup in order to preserve backwards compatibility +with HADOOP-15669. Other options may be added to `fs.s3a.ssl.channel.mode` in the future as -further SSL optimizations are made. \ No newline at end of file +further SSL optimizations are made. diff --git a/hadoop-tools/hadoop-aws/src/test/java/org/apache/hadoop/fs/contract/s3a/ITestS3AContractSeek.java b/hadoop-tools/hadoop-aws/src/test/java/org/apache/hadoop/fs/contract/s3a/ITestS3AContractSeek.java index 9332621..fca1004 100644 --- a/hadoop-tools/hadoop-aws/src/test/java/org/apache/hadoop/fs/contract/s3a/ITestS3AContractSeek.java +++ b/hadoop-tools/hadoop-aws/src/test/java/org/apache/hadoop/fs/contract/s3a/ITestS3AContractSeek.java @@ -24,6 +24,7 @@ import java.net.URISyntaxException; import java.util.Arrays; import java.util.Collection; +import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; import org.junit.runners.Parameterized; @@ -41,6 +42,7 @@ import org.apache.hadoop.fs.s3a.S3AFileSystem; import org.apache.hadoop.fs.s3a.S3AInputPolicy; import org.apache.hadoop.fs.s3a.S3ATestUtils; import org.apache.hadoop.security.ssl.DelegatingSSLSocketFactory; +import org.apache.hadoop.util.NativeCodeLoader; import static com.google.common.base.Preconditions.checkNotNull; import static org.apache.hadoop.fs.s3a.Constants.INPUT_FADVISE; 
@@ -55,6 +57,9 @@ import static org.apache.hadoop.security.ssl.DelegatingSSLSocketFactory. SSLChannelMode.Default_JSSE; import static org.apache.hadoop.security.ssl.DelegatingSSLSocketFactory. SSLChannelMode.Default_JSSE_with_GCM; +import static org.apache.hadoop.security.ssl.DelegatingSSLSocketFactory. + SSLChannelMode.OpenSSL; +import static org.junit.Assume.assumeTrue; /** @@ -84,7 +89,7 @@ public class ITestS3AContractSeek extends AbstractContractSeekTest { public static Collection params() { return Arrays.asList(new Object[][]{ {INPUT_FADV_SEQUENTIAL, Default_JSSE}, - {INPUT_FADV_RANDOM, Default_JSSE_with_GCM}, + {INPUT_FADV_RANDOM, OpenSSL}, {INPUT_FADV_NORMAL, Default_JSSE_with_GCM}, }); } @@ -200,6 +205,14 @@ public class ITestS3AContractSeek extends AbstractContractSeekTest { return (S3AFileSystem) super.getFileSystem(); } + @Before + public void validateSSLChannelMode() { + if (this.sslChannelMode == OpenSSL) { + assumeTrue(NativeCodeLoader.isNativeCodeLoaded() && + NativeCodeLoader.buildSupportsOpenssl()); + } + } + @Test public void testReadPolicyInFS() throws Throwable { describe("Verify the read policy is being consistently set"); diff --git a/hadoop-tools/hadoop-azure/pom.xml b/hadoop-tools/hadoop-azure/pom.xml index f2af5a9..0dc8102 100644 --- a/hadoop-tools/hadoop-azure/pom.xml +++ b/hadoop-tools/hadoop-azure/pom.xml @@ -194,7 +194,7 @@ org.wildfly.openssl wildfly-openssl - compile + runtime --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org For additional commands, e-mail: common-commits-help@hadoop.apache.org
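Review bot: `validateSSLChannelMode` gates the OpenSSL parameterisation on `NativeCodeLoader.isNativeCodeLoaded() && NativeCodeLoader.buildSupportsOpenssl()`, which describes whether libhadoop was built against OpenSSL, whereas the code path under test loads OpenSSL through wildfly-openssl (the `org.wildfly.openssl.path` property described in this commit's performance.md hunk), so the two can disagree: the case may be skipped on a host where WildFly would load fine, or run and fail where libhadoop has OpenSSL support but WildFly cannot find the library — worth confirming against how DelegatingSSLSocketFactory actually probes for OpenSSL. The bare `assumeTrue(cond)` also leaves a skipped run with no reason in the test report; `assumeTrue("OpenSSL not available according to NativeCodeLoader", NativeCodeLoader.isNativeCodeLoaded() && NativeCodeLoader.buildSupportsOpenssl());` makes the skip self-explanatory. The class and the test methods around this hunk continue outside it.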