6 년 전 · 6028aefb57
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer.java
@@ -224,12 +224,16 @@ public class DefaultCAServer implements CertificateServer {
 
				         break;
			
 
				       case KERBEROS_TRUSTED:
			
 
				       case TESTING_AUTOMATIC:
			
 
				-        X509CertificateHolder xcert = approver.sign(config,
			
 
				-            getCAKeys().getPrivate(),
			
 
				-            getCACertificate(), java.sql.Date.valueOf(beginDate),
			
 
				-            java.sql.Date.valueOf(endDate), csr, scmID, clusterID);
			
 
				-        store.storeValidCertificate(xcert.getSerialNumber(),
			
 
				-            CertificateCodec.getX509Certificate(xcert));
			
 
				+        X509CertificateHolder xcert;
			
 
				+        try {
			
 
				+          xcert = signAndStoreCertificate(beginDate, endDate, csr);
			
 
				+        } catch (SCMSecurityException e) {
			
 
				+          // Certificate with conflicting serial id, retry again may resolve
			
 
				+          // this issue.
			
 
				+          LOG.error("Certificate storage failed, retrying one more time.", e);
			
 
				+          xcert = signAndStoreCertificate(beginDate, endDate, csr);
			
 
				+        }
			
 
				+
			
 
				         xcertHolder.complete(xcert);
			
 
				         break;
			
 
				       default:
			
@@ -242,6 +246,18 @@ public class DefaultCAServer implements CertificateServer {
 
				     return xcertHolder;
			
 
				   }
			
 
				 
			
 
				+  private X509CertificateHolder signAndStoreCertificate(LocalDate beginDate, LocalDate endDate,
			
 
				+      PKCS10CertificationRequest csr) throws IOException,
			
 
				+      OperatorCreationException, CertificateException {
			
 
				+    X509CertificateHolder xcert = approver.sign(config,
			
 
				+        getCAKeys().getPrivate(),
			
 
				+        getCACertificate(), java.sql.Date.valueOf(beginDate),
			
 
				+        java.sql.Date.valueOf(endDate), csr, scmID, clusterID);
			
 
				+    store.storeValidCertificate(xcert.getSerialNumber(),
			
 
				+        CertificateCodec.getX509Certificate(xcert));
			
 
				+    return xcert;
			
 
				+  }
			
 
				+
			
 
				   @Override
			
 
				   public Future<X509CertificateHolder> requestCertificate(String csr,
			
 
				       CertificateApprover.ApprovalType type) throws IOException {
			
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-compose.yaml
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-compose.yaml
@@ -38,7 +38,6 @@ services:
 
				     image: apache/hadoop-runner
			
 
				     volumes:
			
 
				       - ../..:/opt/hadoop
			
 
				-    hostname: datanode
			
 
				     ports:
			
 
				       - 9864
			
 
				     command: ["/opt/hadoop/bin/ozone","datanode"]
			
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
@@ -23,6 +23,7 @@ OZONE-SITE.XML_ozone.scm.block.client.address=scm
 
				 OZONE-SITE.XML_ozone.metadata.dirs=/data/metadata
			
 
				 OZONE-SITE.XML_ozone.handler.type=distributed
			
 
				 OZONE-SITE.XML_ozone.scm.client.address=scm
			
 
				+OZONE-SITE.XML_hdds.block.token.enabled=true
			
 
				 OZONE-SITE.XML_ozone.replication=1
			
 
				 OZONE-SITE.XML_hdds.scm.kerberos.principal=scm/scm@EXAMPLE.COM
			
 
				 OZONE-SITE.XML_hdds.scm.kerberos.keytab.file=/etc/security/keytabs/scm.keytab
			
--- a/hadoop-ozone/dist/src/main/smoketest/security/ozone-secure.robot
+++ b/hadoop-ozone/dist/src/main/smoketest/security/ozone-secure.robot
@@ -23,7 +23,8 @@ Create volume and bucket
 
				     ${rc}              ${output} =                 Run And Return Rc And Output              ozone sh volume create o3://om/fstest --user bilbo --quota 100TB --root
			
 
				                         Should contain       ${output}       Client cannot authenticate via
			
 
				                         # Authenticate testuser
			
 
				-    Execute             kinit -k testuser/datanode@EXAMPLE.COM -t /etc/security/keytabs/testuser.keytab
			
 
				+    ${hostname}=        Execute                    hostname
			
 
				+    Execute             kinit -k testuser/${hostname}@EXAMPLE.COM -t /etc/security/keytabs/testuser.keytab
			
 
				     Execute             ozone sh volume create o3://om/fstest --user bilbo --quota 100TB --root
			
 
				     Execute             ozone sh volume create o3://om/fstest2 --user bilbo --quota 100TB --root
			
 
				     Execute             ozone sh bucket create o3://om/fstest/bucket1
			
@@ -107,5 +108,5 @@ Run ozoneFS tests
 
				                         Execute               ls -l GET.txt
			
 
				     ${rc}  ${result} =  Run And Return Rc And Output        ozone fs -ls o3fs://abcde.pqrs/
			
 
				                         Should Be Equal As Integers     ${rc}                1
			
 
				-                        Should contain    ${result}         VOLUME_NOT_FOUND
			
 
				+                        Should contain    ${result}         Volume pqrs is not found
			
 
				 
			
--- a/hadoop-ozone/dist/src/main/smoketest/test.sh
+++ b/hadoop-ozone/dist/src/main/smoketest/test.sh
@@ -151,6 +151,8 @@ if [ "$RUN_ALL" = true ]; then
 
				    execute_tests ozone-hdfs "${TESTS[@]}"
			
 
				    TESTS=("s3")
			
 
				    execute_tests ozones3 "${TESTS[@]}"
			
 
				+   TESTS=("security")
			
 
				+   execute_tests ozonesecure "${TESTS[@]}"
			
 
				 else
			
 
				    execute_tests "$DOCKERENV" "${POSITIONAL[@]}"
			
 
				 fi