Revert "HADOOP-11016. KMS should support signing cookies with zookeeper secret manager. (tucu)"

This reverts commit 0a495bef5cd675dce4c928cb5331588bb198accf.

hadoop-common-project/hadoop-kms/pom.xml

@@ -187,11 +187,6 @@
       <artifactId>metrics-core</artifactId>
       <scope>compile</scope>
     </dependency>
-    <dependency>
-      <groupId>org.apache.curator</groupId>
-      <artifactId>curator-test</artifactId>
-      <scope>test</scope>
-    </dependency>
   </dependencies>
 
   <build>

hadoop-common-project/hadoop-kms/src/main/conf/kms-site.xml

@@ -68,61 +68,4 @@
     </description>
   </property>
 
-  <!-- Authentication cookie signature source -->
-
-  <property>
-    <name>hadoop.kms.authentication.signer.secret.provider</name>
-    <value>random</value>
-    <description>
-      Indicates how the secret to sign the authentication cookies will be
-      stored. Options are 'random' (default), 'string' and 'zookeeper'.
-      If using a setup with multiple KMS instances, 'zookeeper' should be used.
-    </description>
-  </property>
-
-  <!-- Configuration for 'zookeeper' authentication cookie signature source -->
-
-  <property>
-    <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.path</name>
-    <value>/hadoop-kms/hadoop-auth-signature-secret</value>
-    <description>
-      The Zookeeper ZNode path where the KMS instances will store and retrieve
-      the secret from.
-    </description>
-  </property>
-
-  <property>
-    <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.connection.string</name>
-    <value>#HOSTNAME#:#PORT#,...</value>
-    <description>
-      The Zookeeper connection string, a list of hostnames and port comma
-      separated.
-    </description>
-  </property>
-
-  <property>
-    <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type</name>
-    <value>kerberos</value>
-    <description>
-      The Zookeeper authentication type, 'none' or 'sasl' (Kerberos).
-    </description>
-  </property>
-
-  <property>
-    <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab</name>
-    <value>/etc/hadoop/conf/kms.keytab</value>
-    <description>
-      The absolute path for the Kerberos keytab with the credentials to
-      connect to Zookeeper.
-    </description>
-  </property>
-
-  <property>
-    <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal</name>
-    <value>kms/#HOSTNAME#</value>
-    <description>
-      The Kerberos service principal used to connect to Zookeeper.
-    </description>
-  </property>
-
 </configuration>

hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java

@@ -46,8 +46,7 @@ import java.util.Properties;
 @InterfaceAudience.Private
 public class KMSAuthenticationFilter
     extends DelegationTokenAuthenticationFilter {
-
-  public static final String CONFIG_PREFIX = KMSConfiguration.CONFIG_PREFIX +
+  private static final String CONF_PREFIX = KMSConfiguration.CONFIG_PREFIX +
       "authentication.";
 
   @Override
@@ -57,9 +56,9 @@ public class KMSAuthenticationFilter
     Configuration conf = KMSWebApp.getConfiguration();
     for (Map.Entry<String, String> entry : conf) {
       String name = entry.getKey();
-      if (name.startsWith(CONFIG_PREFIX)) {
+      if (name.startsWith(CONF_PREFIX)) {
         String value = conf.get(name);
-        name = name.substring(CONFIG_PREFIX.length());
+        name = name.substring(CONF_PREFIX.length());
         props.setProperty(name, value);
       }
     }

hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm

@@ -448,16 +448,16 @@ $ keytool -genkey -alias tomcat -keyalg RSA
   KMS supports access control for all non-read operations at the Key level.
   All Key Access operations are classified as :
 
-    * MANAGEMENT - createKey, deleteKey, rolloverNewVersion
+  * MANAGEMENT - createKey, deleteKey, rolloverNewVersion
 
-    * GENERATE_EEK - generateEncryptedKey, warmUpEncryptedKeys
+  * GENERATE_EEK - generateEncryptedKey, warmUpEncryptedKeys
 
-    * DECRYPT_EEK - decryptEncryptedKey
+  * DECRYPT_EEK - decryptEncryptedKey;
 
-    * READ - getKeyVersion, getKeyVersions, getMetadata, getKeysMetadata,
-             getCurrentKey
+  * READ - getKeyVersion, getKeyVersions, getMetadata, getKeysMetadata,
+           getCurrentKey;
 
-    * ALL - all of the above
+  * ALL - all of the above;
 
   These can be defined in the KMS <<<etc/hadoop/kms-acls.xml>>> as follows
 
@@ -554,123 +554,40 @@ $ keytool -genkey -alias tomcat -keyalg RSA
   KMS delegation token secret manager can be configured with the following
   properties:
 
-+---+
-  <property>
-    <name>hadoop.kms.authentication.delegation-token.update-interval.sec</name>
-    <value>86400</value>
-    <description>
-      How often the master key is rotated, in seconds. Default value 1 day.
-    </description>
-  </property>
-
-  <property>
-    <name>hadoop.kms.authentication.delegation-token.max-lifetime.sec</name>
-    <value>604800</value>
-    <description>
-      Maximum lifetime of a delagation token, in seconds. Default value 7 days.
-    </description>
-  </property>
-
-  <property>
-    <name>hadoop.kms.authentication.delegation-token.renew-interval.sec</name>
-    <value>86400</value>
-    <description>
-      Renewal interval of a delagation token, in seconds. Default value 1 day.
-    </description>
-  </property>
-
-  <property>
-    <name>hadoop.kms.authentication.delegation-token.removal-scan-interval.sec</name>
-    <value>3600</value>
-    <description>
-      Scan interval to remove expired delegation tokens.
-    </description>
-  </property>
-+---+
-
-
-** Using Multiple Instances of KMS Behind a Load-Balancer or VIP
-
-  KMS supports multiple KMS instances behind a load-balancer or VIP for
-  scalability and for HA purposes.
-
-  When using multiple KMS instances behind a load-balancer or VIP, requests from
-  the same user may be handled by different KMS instances.
-
-  KMS instances behind a load-balancer or VIP must be specially configured to
-  work properly as a single logical service.
-
-*** HTTP Kerberos Principals Configuration
-
-  TBD
-
-*** HTTP Authentication Signature
-
-  KMS uses Hadoop Authentication for HTTP authentication. Hadoop Authentication
-  issues a signed HTTP Cookie once the client has authenticated successfully.
-  This HTTP Cookie has an expiration time, after which it will trigger a new
-  authentication sequence. This is done to avoid triggering the authentication
-  on every HTTP request of a client.
-
-  A KMS instance must verify the HTTP Cookie signatures signed by other KMS
-  instances. To do this all KMS instances must share the signing secret.
-
-  This secret sharing can be done using a Zookeeper service which is configured
-  in KMS with the following properties in the <<<kms-site.xml>>>:
-
-+---+
-  <property>
-    <name>hadoop.kms.authentication.signer.secret.provider</name>
-    <value>zookeeper</value>
-    <description>
-      Indicates how the secret to sign the authentication cookies will be
-      stored. Options are 'random' (default), 'string' and 'zookeeper'.
-      If using a setup with multiple KMS instances, 'zookeeper' should be used.
-    </description>
-  </property>
-  <property>
-    <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.path</name>
-    <value>/hadoop-kms/hadoop-auth-signature-secret</value>
-    <description>
-      The Zookeeper ZNode path where the KMS instances will store and retrieve
-      the secret from.
-    </description>
-  </property>
-  <property>
-    <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.connection.string</name>
-    <value>#HOSTNAME#:#PORT#,...</value>
-    <description>
-      The Zookeeper connection string, a list of hostnames and port comma
-      separated.
-    </description>
-  </property>
-  <property>
-    <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type</name>
-    <value>kerberos</value>
-    <description>
-      The Zookeeper authentication type, 'none' or 'sasl' (Kerberos).
-    </description>
-  </property>
-  <property>
-    <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab</name>
-    <value>/etc/hadoop/conf/kms.keytab</value>
-    <description>
-      The absolute path for the Kerberos keytab with the credentials to
-      connect to Zookeeper.
-    </description>
-  </property>
-  <property>
-    <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal</name>
-    <value>kms/#HOSTNAME#</value>
-    <description>
-      The Kerberos service principal used to connect to Zookeeper.
-    </description>
-  </property>
-+---+
-
-*** Delegation Tokens
+  +---+
+    <property>
+      <name>hadoop.kms.authentication.delegation-token.update-interval.sec</name>
+      <value>86400</value>
+      <description>
+        How often the master key is rotated, in seconds. Default value 1 day.
+      </description>
+    </property>
+
+    <property>
+      <name>hadoop.kms.authentication.delegation-token.max-lifetime.sec</name>
+      <value>604800</value>
+      <description>
+        Maximum lifetime of a delagation token, in seconds. Default value 7 days.
+      </description>
+    </property>
+
+    <property>
+      <name>hadoop.kms.authentication.delegation-token.renew-interval.sec</name>
+      <value>86400</value>
+      <description>
+        Renewal interval of a delagation token, in seconds. Default value 1 day.
+      </description>
+    </property>
+
+    <property>
+      <name>hadoop.kms.authentication.delegation-token.removal-scan-interval.sec</name>
+      <value>3600</value>
+      <description>
+        Scan interval to remove expired delegation tokens.
+      </description>
+    </property>
+  +---+
 
-  TBD
 
 ** KMS HTTP REST API
 

hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java

@@ -123,8 +123,7 @@ public class TestKMS {
     return conf;
   }
 
-  public static void writeConf(File confDir, Configuration conf)
-      throws Exception {
+  protected void writeConf(File confDir, Configuration conf) throws Exception {
     Writer writer = new FileWriter(new File(confDir,
         KMSConfiguration.KMS_SITE_XML));
     conf.writeXml(writer);
@@ -140,7 +139,7 @@ public class TestKMS {
     writer.close();
   }
 
-  public static URI createKMSUri(URL kmsUrl) throws Exception {
+  protected URI createKMSUri(URL kmsUrl) throws Exception {
     String str = kmsUrl.toString();
     str = str.replaceFirst("://", "@");
     return new URI("kms://" + str);

hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSWithZK.java

@@ -1,179 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.crypto.key.kms.server;
-
-import org.apache.curator.test.TestingServer;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.crypto.key.KeyProvider;
-import org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
-import org.apache.hadoop.crypto.key.KeyProvider.Options;
-import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
-import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion;
-import org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension;
-import org.apache.hadoop.crypto.key.kms.KMSClientProvider;
-import org.apache.hadoop.crypto.key.kms.KMSRESTConstants;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.io.Text;
-import org.apache.hadoop.minikdc.MiniKdc;
-import org.apache.hadoop.security.Credentials;
-import org.apache.hadoop.security.SecurityUtil;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
-import org.apache.hadoop.security.authentication.util.ZKSignerSecretProvider;
-import org.apache.hadoop.security.authorize.AuthorizationException;
-import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
-import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL;
-import org.junit.AfterClass;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import javax.security.auth.Subject;
-import javax.security.auth.kerberos.KerberosPrincipal;
-import javax.security.auth.login.AppConfigurationEntry;
-import javax.security.auth.login.LoginContext;
-import java.io.File;
-import java.io.FileWriter;
-import java.io.IOException;
-import java.io.Writer;
-import java.net.HttpURLConnection;
-import java.net.InetAddress;
-import java.net.InetSocketAddress;
-import java.net.ServerSocket;
-import java.net.SocketTimeoutException;
-import java.net.URI;
-import java.net.URL;
-import java.security.Principal;
-import java.security.PrivilegedExceptionAction;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Properties;
-import java.util.Set;
-import java.util.UUID;
-import java.util.concurrent.Callable;
-
-public class TestKMSWithZK {
-
-  protected Configuration createBaseKMSConf(File keyStoreDir) throws Exception {
-    Configuration conf = new Configuration(false);
-    conf.set("hadoop.security.key.provider.path",
-        "jceks://file@" + new Path(keyStoreDir.getAbsolutePath(),
-            "kms.keystore").toUri());
-    conf.set("hadoop.kms.authentication.type", "simple");
-    conf.setBoolean(KMSConfiguration.KEY_AUTHORIZATION_ENABLE, false);
-
-    conf.set(KMSACLs.Type.GET_KEYS.getAclConfigKey(), "foo");
-    return conf;
-  }
-
-  @Test
-  public void testMultipleKMSInstancesWithZKSigner() throws Exception {
-    final File testDir = TestKMS.getTestDir();
-    Configuration conf = createBaseKMSConf(testDir);
-
-    TestingServer zkServer = new TestingServer();
-    zkServer.start();
-
-    MiniKMS kms1 = null;
-    MiniKMS kms2 = null;
-
-    conf.set(KMSAuthenticationFilter.CONFIG_PREFIX +
-        AuthenticationFilter.SIGNER_SECRET_PROVIDER, "zookeeper");
-    conf.set(KMSAuthenticationFilter.CONFIG_PREFIX +
-            ZKSignerSecretProvider.ZOOKEEPER_CONNECTION_STRING,
-        zkServer.getConnectString());
-    conf.set(KMSAuthenticationFilter.CONFIG_PREFIX +
-            ZKSignerSecretProvider.ZOOKEEPER_PATH, "/secret");
-    TestKMS.writeConf(testDir, conf);
-
-    try {
-      kms1 = new MiniKMS.Builder()
-          .setKmsConfDir(testDir).setLog4jConfFile("log4j.properties").build();
-      kms1.start();
-
-      kms2 = new MiniKMS.Builder()
-          .setKmsConfDir(testDir).setLog4jConfFile("log4j.properties").build();
-      kms2.start();
-
-      final URL url1 = new URL(kms1.getKMSUrl().toExternalForm() +
-          KMSRESTConstants.SERVICE_VERSION +  "/" +
-          KMSRESTConstants.KEYS_NAMES_RESOURCE);
-      final URL url2 = new URL(kms2.getKMSUrl().toExternalForm() +
-          KMSRESTConstants.SERVICE_VERSION + "/" +
-          KMSRESTConstants.KEYS_NAMES_RESOURCE);
-
-      final DelegationTokenAuthenticatedURL.Token token =
-          new DelegationTokenAuthenticatedURL.Token();
-      final DelegationTokenAuthenticatedURL aUrl =
-          new DelegationTokenAuthenticatedURL();
-
-      UserGroupInformation ugiFoo = UserGroupInformation.createUserForTesting(
-          "foo", new String[]{"gfoo"});
-      UserGroupInformation ugiBar = UserGroupInformation.createUserForTesting(
-          "bar", new String[]{"gBar"});
-
-      ugiFoo.doAs(new PrivilegedExceptionAction<Object>() {
-        @Override
-        public Object run() throws Exception {
-          HttpURLConnection conn = aUrl.openConnection(url1, token);
-          Assert.assertEquals(HttpURLConnection.HTTP_OK,
-              conn.getResponseCode());
-          return null;
-        }
-      });
-
-      ugiBar.doAs(new PrivilegedExceptionAction<Object>() {
-        @Override
-        public Object run() throws Exception {
-          HttpURLConnection conn = aUrl.openConnection(url2, token);
-          Assert.assertEquals(HttpURLConnection.HTTP_OK,
-              conn.getResponseCode());
-          return null;
-        }
-      });
-
-      ugiBar.doAs(new PrivilegedExceptionAction<Object>() {
-        @Override
-        public Object run() throws Exception {
-          final DelegationTokenAuthenticatedURL.Token emptyToken =
-              new DelegationTokenAuthenticatedURL.Token();
-          HttpURLConnection conn = aUrl.openConnection(url2, emptyToken);
-          Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN,
-              conn.getResponseCode());
-          return null;
-        }
-      });
-
-    } finally {
-      if (kms2 != null) {
-        kms2.stop();
-      }
-      if (kms1 != null) {
-        kms1.stop();
-      }
-      zkServer.stop();
-    }
-
-  }
-
-}