
HADOOP-13992. KMS should load SSL configuration the same way as SSLFactory. Contributed by John Zhuge.

Xiao Chen 8 년 전
부모
커밋
ebd40056a0

+ 7 - 4
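--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java
@@ -128,9 +128,10 @@ public class SSLFactory implements ConnectionConfigurator {
       throw new IllegalArgumentException("mode cannot be NULL");
     }
     this.mode = mode;
-    requireClientCert = conf.getBoolean(SSL_REQUIRE_CLIENT_CERT_KEY,
+    Configuration sslConf = readSSLConfiguration(conf, mode);
+
+    requireClientCert = sslConf.getBoolean(SSL_REQUIRE_CLIENT_CERT_KEY,
         SSL_REQUIRE_CLIENT_CERT_DEFAULT);
-    Configuration sslConf = readSSLConfiguration(mode);
 
     Class<? extends KeyStoresFactory> klass
       = conf.getClass(KEYSTORES_FACTORY_CLASS_KEY,
@@ -149,9 +150,11 @@ public class SSLFactory implements ConnectionConfigurator {
     }
   }
 
-  private Configuration readSSLConfiguration(Mode mode) {
+  public static Configuration readSSLConfiguration(Configuration conf,
+                                                   Mode mode) {
     Configuration sslConf = new Configuration(false);
-    sslConf.setBoolean(SSL_REQUIRE_CLIENT_CERT_KEY, requireClientCert);
+    sslConf.setBoolean(SSL_REQUIRE_CLIENT_CERT_KEY, conf.getBoolean(
+        SSL_REQUIRE_CLIENT_CERT_KEY, SSL_REQUIRE_CLIENT_CERT_DEFAULT));
     String sslConfResource;
     if (mode == Mode.CLIENT) {
       sslConfResource = conf.get(SSL_CLIENT_CONF_KEY,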
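Review bot: `readSSLConfiguration` becomes public static API in the second hunk but carries no Javadoc and does not validate its new `conf` parameter, so a null argument from an outside caller now fails inside the method on the `conf.getBoolean` call instead of at the entry point. I would add `Objects.requireNonNull(conf, "conf");` as the first statement and a Javadoc stating that the method returns a fresh `new Configuration(false)` seeded with the `SSL_REQUIRE_CLIENT_CERT_KEY` value taken from `conf` and, presumably (the rest of the body is outside the hunk), the ssl resource selected by `mode`. Note also that the `setBoolean` copy happens before any resource is added; if Hadoop's explicitly set values take precedence over resource-loaded ones, as I believe they do, an `SSL_REQUIRE_CLIENT_CERT_KEY` entry in the ssl-server/ssl-client file would be shadowed by whatever `conf` holds, which matters now that the constructor in the first hunk reads the flag back from `sslConf` — worth confirming and documenting. The constructor in the first hunk and the body of `readSSLConfiguration` both continue outside the hunks.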

+ 9 - 12
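--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebServer.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebServer.java
@@ -46,13 +46,7 @@ public class KMSWebServer {
   private final HttpServer2 httpServer;
   private final String scheme;
 
-  KMSWebServer(Configuration cnf) throws Exception {
-    ConfigurationWithLogging conf = new ConfigurationWithLogging(cnf);
-
-    // Add SSL configuration file
-    conf.addResource(conf.get(SSLFactory.SSL_SERVER_CONF_KEY,
-        SSLFactory.SSL_SERVER_CONF_DEFAULT));
-
+  KMSWebServer(Configuration conf, Configuration sslConf) throws Exception {
     // Override configuration with deprecated environment variables.
     deprecateEnv("KMS_TEMP", conf, HttpServer2.HTTP_TEMP_DIR_KEY,
         KMSConfiguration.KMS_SITE_XML);
@@ -68,10 +62,10 @@ public class KMSWebServer {
         KMSConfiguration.KMS_SITE_XML);
     deprecateEnv("KMS_SSL_ENABLED", conf,
         KMSConfiguration.SSL_ENABLED_KEY, KMSConfiguration.KMS_SITE_XML);
-    deprecateEnv("KMS_SSL_KEYSTORE_FILE", conf,
+    deprecateEnv("KMS_SSL_KEYSTORE_FILE", sslConf,
         SSLFactory.SSL_SERVER_KEYSTORE_LOCATION,
         SSLFactory.SSL_SERVER_CONF_DEFAULT);
-    deprecateEnv("KMS_SSL_KEYSTORE_PASS", conf,
+    deprecateEnv("KMS_SSL_KEYSTORE_PASS", sslConf,
         SSLFactory.SSL_SERVER_KEYSTORE_PASSWORD,
         SSLFactory.SSL_SERVER_CONF_DEFAULT);
 
@@ -88,7 +82,7 @@ public class KMSWebServer {
     httpServer = new HttpServer2.Builder()
         .setName(NAME)
         .setConf(conf)
-        .setSSLConf(conf)
+        .setSSLConf(sslConf)
         .authFilterConfigurationPrefix(KMSAuthenticationFilter.CONFIG_PREFIX)
         .addEndpoint(endpoint)
         .build();
@@ -147,8 +141,11 @@ public class KMSWebServer {
 
   public static void main(String[] args) throws Exception {
     StringUtils.startupShutdownMessage(KMSWebServer.class, args, LOG);
-    Configuration conf = KMSConfiguration.getKMSConf();
-    KMSWebServer kmsWebServer = new KMSWebServer(conf);
+    Configuration conf = new ConfigurationWithLogging(
+        KMSConfiguration.getKMSConf());
+    Configuration sslConf = new ConfigurationWithLogging(
+        SSLFactory.readSSLConfiguration(conf, SSLFactory.Mode.SERVER));
+    KMSWebServer kmsWebServer = new KMSWebServer(conf, sslConf);
     kmsWebServer.start();
     kmsWebServer.join();
   }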
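Review bot: The new constructor `KMSWebServer(Configuration conf, Configuration sslConf)` accepts an `sslConf` that the MiniKMS hunk in this commit leaves as `null` whenever no keystore is configured (`jetty = new KMSWebServer(conf, sslConf);`), yet the second hunk passes that value straight to `deprecateEnv("KMS_SSL_KEYSTORE_FILE", sslConf, ...)` and `deprecateEnv("KMS_SSL_KEYSTORE_PASS", sslConf, ...)` and the third hunk to `.setSSLConf(sslConf)`; whether any of those tolerate null is decided by code outside the hunks, so the SSL-disabled contract needs to be made explicit here. I would guard the two SSL `deprecateEnv` calls with `if (sslConf != null) {` ... `}` and add a constructor Javadoc with `@param sslConf SSL server configuration, or null when SSL is disabled`, or alternatively reject null with `Objects.requireNonNull(sslConf, "sslConf")` and have MiniKMS pass an empty `new Configuration(false)` instead. Separately, `main` wraps `sslConf` in `ConfigurationWithLogging`, which logs values as they are read, and that configuration carries `SSL_SERVER_KEYSTORE_PASSWORD`; confirm that the wrapper's redaction covers the keystore password keys before this lands. The constructor body continues outside the first three hunks.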

+ 7 - 4
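--- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java
+++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java
@@ -145,14 +145,17 @@ public class MiniKMS {
     final Configuration conf = KMSConfiguration.getKMSConf();
     conf.set(KMSConfiguration.HTTP_HOST_KEY, "localhost");
     conf.setInt(KMSConfiguration.HTTP_PORT_KEY, inPort);
+
+    Configuration sslConf = null;
     if (keyStore != null) {
       conf.setBoolean(KMSConfiguration.SSL_ENABLED_KEY, true);
-      conf.set(SSLFactory.SSL_SERVER_KEYSTORE_LOCATION, keyStore);
-      conf.set(SSLFactory.SSL_SERVER_KEYSTORE_PASSWORD, keyStorePassword);
-      conf.set(SSLFactory.SSL_SERVER_KEYSTORE_TYPE, "jks");
+      sslConf = SSLFactory.readSSLConfiguration(conf, SSLFactory.Mode.SERVER);
+      sslConf.set(SSLFactory.SSL_SERVER_KEYSTORE_LOCATION, keyStore);
+      sslConf.set(SSLFactory.SSL_SERVER_KEYSTORE_PASSWORD, keyStorePassword);
+      sslConf.set(SSLFactory.SSL_SERVER_KEYSTORE_TYPE, "jks");
     }
 
-    jetty = new KMSWebServer(conf);
+    jetty = new KMSWebServer(conf, sslConf);
     jetty.start();
     kmsURL = jetty.getKMSUrl();
   }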