Hadoop Common / HADOOP-10237

JavaKeyStoreProvider needs to set keystore permissions properly

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.0
    • Component/s: security
    • Labels:
      None

      Description

      In order to protect access to the created keystores, permissions should initially be set to 700 by the JavaKeyStoreProvider. Subsequent permission changes can then be done using FS.

      1. HADOOP-10237.patch
        3 kB
        Larry McCay
      2. HADOOP-10237-2.patch
        3 kB
        Larry McCay
      3. HADOOP-10237-3.patch
        5 kB
        Larry McCay

        Activity

        Hudson added a comment -

        FAILURE: Integrated in Hadoop-Hdfs-trunk #1716 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1716/)
        HADOOP-10237. JavaKeyStoreProvider needs to set keystore permissions
        correctly. (Larry McCay via omalley) (omalley: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1582784)

        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/JavaKeyStoreProvider.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderFactory.java
        Hudson added a comment -

        SUCCESS: Integrated in Hadoop-Yarn-trunk #524 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/524/)
        HADOOP-10237. JavaKeyStoreProvider needs to set keystore permissions
        correctly. (Larry McCay via omalley) (omalley: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1582784)

        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/JavaKeyStoreProvider.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderFactory.java
        Hudson added a comment -

        FAILURE: Integrated in Hadoop-Mapreduce-trunk #1741 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1741/)
        HADOOP-10237. JavaKeyStoreProvider needs to set keystore permissions
        correctly. (Larry McCay via omalley) (omalley: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1582784)

        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/JavaKeyStoreProvider.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderFactory.java
        Hudson added a comment -

        SUCCESS: Integrated in Hadoop-trunk-Commit #5420 (See https://builds.apache.org/job/Hadoop-trunk-Commit/5420/)
        HADOOP-10237. JavaKeyStoreProvider needs to set keystore permissions
        correctly. (Larry McCay via omalley) (omalley: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1582784)

        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/JavaKeyStoreProvider.java
        • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderFactory.java
        Owen O'Malley added a comment -

        I just committed this. Thanks, Larry!

        Owen O'Malley added a comment -

        +1

        Larry McCay added a comment -

        The audit and IPCTest regressions are unrelated to this patch.

        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12633554/HADOOP-10237-3.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 1 new or modified test files.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 javadoc. There were no new javadoc warning messages.

        +1 eclipse:eclipse. The patch built with eclipse:eclipse.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        -1 release audit. The applied patch generated 1 release audit warnings.

        -1 core tests. The patch failed these unit tests in hadoop-common-project/hadoop-common:

        org.apache.hadoop.ipc.TestIPC

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/3648//testReport/
        Release audit warnings: https://builds.apache.org/job/PreCommit-HADOOP-Build/3648//artifact/trunk/patchprocess/patchReleaseAuditProblems.txt
        Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/3648//console

        This message is automatically generated.

        Larry McCay added a comment -

        Latest revision to accommodate permission retention from existing keystores on change.

        Larry McCay added a comment -

        Retains preexisting keystore permissions on flush() to disk for changes.

        Larry McCay added a comment -

        We need to retain previous keystore permissions on write.

        Benoy Antony added a comment -

        +1

        Hadoop QA added a comment -

        +1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12631528/HADOOP-10237-2.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 1 new or modified test files.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 javadoc. There were no new javadoc warning messages.

        +1 eclipse:eclipse. The patch built with eclipse:eclipse.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 core tests. The patch passed unit tests in hadoop-common-project/hadoop-common.

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/3615//testReport/
        Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/3615//console

        This message is automatically generated.

        Larry McCay added a comment -

        Changed to set permissions and create the file in one call per Owen's review.

        Larry McCay added a comment -

        Switched to using the static method that takes an FsPermissions object.

        Larry McCay added a comment -

        Understood.
        Thanks for the review.
        I will more deeply investigate the additional parameters for the signature of create that take an FsPermissions object. Like progressable for instance. Can this be null? Block size?
        Javadocs are a bit lacking there.

        Owen O'Malley added a comment -

        You should pass the permission in to the create call instead of doing it as a second step. Otherwise, you have a race condition where the data is visible to outsiders until the chmod happens.
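
The race raised in the review comment above, and the permission retention on flush() mentioned in the later comments, as an added example that is not part of the original thread or the Hadoop patch. It uses java.nio.file on a local POSIX file system rather than Hadoop's FileSystem API; the class name, method names, sample data and the `.new` temporary suffix are assumptions.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.Set;

// Added illustration; names are hypothetical, not taken from the Hadoop patch.
public class KeystorePermsDemo {
    // Initial mode from the issue description: 700 (owner only).
    static final Set<PosixFilePermission> INITIAL =
        PosixFilePermissions.fromString("rwx------");

    // Racy pattern: the file exists with umask-derived permissions
    // (commonly 644) until the second call narrows them.
    static void writeThenChmod(Path p, byte[] data) throws IOException {
        Files.write(p, data);
        Files.setPosixFilePermissions(p, INITIAL);
    }

    // Permissions are passed to the call that creates the file, so it is
    // never visible with wider bits than requested.
    static void createWithPerms(Path p, byte[] data,
                                Set<PosixFilePermission> perms) throws IOException {
        Files.createFile(p, PosixFilePermissions.asFileAttribute(perms));
        // The umask may have cleared requested bits; this can only restore
        // bits up to perms, never exceed them.
        Files.setPosixFilePermissions(p, perms);
        Files.write(p, data);
    }

    // Rewrite a store, keeping the permissions it already has (assumed
    // approach: write a sibling temp file, then rename over the original).
    static void flush(Path p, byte[] data) throws IOException {
        Set<PosixFilePermission> perms =
            Files.exists(p) ? Files.getPosixFilePermissions(p) : INITIAL;
        Path tmp = p.resolveSibling(p.getFileName() + ".new");
        Files.deleteIfExists(tmp);
        createWithPerms(tmp, data, perms);
        Files.move(tmp, p, StandardCopyOption.ATOMIC_MOVE);
    }

    public static void main(String[] args) throws IOException {
        Path ks = Files.createTempDirectory("ks-demo").resolve("test.jks");
        flush(ks, "constructed sample 1".getBytes());   // no file yet: INITIAL applies
        Files.setPosixFilePermissions(ks,
            PosixFilePermissions.fromString("rwxrwx---")); // operator widens access
        flush(ks, "constructed sample 2".getBytes());   // existing mode is carried over
        System.out.println(Files.getPosixFilePermissions(ks));
    }
}
```
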

        Hadoop QA added a comment -

        +1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12629431/HADOOP-10237.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 1 new or modified test files.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 javadoc. There were no new javadoc warning messages.

        +1 eclipse:eclipse. The patch built with eclipse:eclipse.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 core tests. The patch passed unit tests in hadoop-common-project/hadoop-common.

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/3587//testReport/
        Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/3587//console

        This message is automatically generated.

        Larry McCay added a comment -

        initial patch


          People

          • Assignee:
            Larry McCay
            Reporter:
            Larry McCay
          • Votes:
            0
            Watchers:
            5
