/** * Constructor for masters. * * @param keyUpdateInterval how often a new key will be generated * @param tokenLifetime how long an individual token is valid * @param nnIndex namenode index of the namenode for which we are creating the manager * @param blockPoolId block pool ID * @param encryptionAlgorithm encryption algorithm to use * @param numNNs number of namenodes possible * @param useProto should we use new protobuf style tokens */ public BlockTokenSecretManager(long keyUpdateInterval, long tokenLifetime, int nnIndex, int numNNs, String blockPoolId, String encryptionAlgorithm, boolean useProto) { this(true, keyUpdateInterval, tokenLifetime, blockPoolId, encryptionAlgorithm, nnIndex, numNNs, useProto); Preconditions.checkArgument(nnIndex >= 0); Preconditions.checkArgument(numNNs > 0); setSerialNo(new SecureRandom().nextInt()); generateKeys(); }
/** Initialize block keys */ private synchronized void generateKeys() { if (!isMaster) { return; } /* * Need to set estimated expiry dates for currentKey and nextKey so that if * NN crashes, DN can still expire those keys. NN will stop using the newly * generated currentKey after the first keyUpdateInterval, however it may * still be used by DN and Balancer to generate new tokens before they get a * chance to sync their keys with NN. Since we require keyUpdInterval to be * long enough so that all live DN's and Balancer will sync their keys with * NN at least once during the period, the estimated expiry date for * currentKey is set to now() + 2 * keyUpdateInterval + tokenLifetime. * Similarly, the estimated expiry date for nextKey is one keyUpdateInterval * more. */ setSerialNo(serialNo + 1); currentKey = new BlockKey(serialNo, timer.now() + 2 * keyUpdateInterval + tokenLifetime, generateSecret()); setSerialNo(serialNo + 1); nextKey = new BlockKey(serialNo, timer.now() + 3 * keyUpdateInterval + tokenLifetime, generateSecret()); allKeys.put(currentKey.getKeyId(), currentKey); allKeys.put(nextKey.getKeyId(), nextKey); }
/** * Update block keys, only to be used in master mode */ synchronized boolean updateKeys() throws IOException { if (!isMaster) { return false; } LOG.info("Updating block keys"); removeExpiredKeys(); // set final expiry date of retiring currentKey allKeys.put(currentKey.getKeyId(), new BlockKey(currentKey.getKeyId(), timer.now() + keyUpdateInterval + tokenLifetime, currentKey.getKey())); // update the estimated expiry date of new currentKey currentKey = new BlockKey(nextKey.getKeyId(), timer.now() + 2 * keyUpdateInterval + tokenLifetime, nextKey.getKey()); allKeys.put(currentKey.getKeyId(), currentKey); // generate a new nextKey setSerialNo(serialNo + 1); nextKey = new BlockKey(serialNo, timer.now() + 3 * keyUpdateInterval + tokenLifetime, generateSecret()); allKeys.put(nextKey.getKeyId(), nextKey); return true; }
/** * Constructor for masters. * * @param keyUpdateInterval how often a new key will be generated * @param tokenLifetime how long an individual token is valid * @param nnIndex namenode index * @param blockPoolId block pool ID * @param encryptionAlgorithm encryption algorithm to use */ public BlockTokenSecretManager(long keyUpdateInterval, long tokenLifetime, int nnIndex, String blockPoolId, String encryptionAlgorithm) { this(true, keyUpdateInterval, tokenLifetime, blockPoolId, encryptionAlgorithm); Preconditions.checkArgument(nnIndex == 0 || nnIndex == 1); this.nnIndex = nnIndex; setSerialNo(new SecureRandom().nextInt()); generateKeys(); }
/** * Constructor for masters. * * @param keyUpdateInterval how often a new key will be generated * @param tokenLifetime how long an individual token is valid * @param nnIndex namenode index * @param blockPoolId block pool ID * @param encryptionAlgorithm encryption algorithm to use */ public BlockTokenSecretManager(long keyUpdateInterval, long tokenLifetime, int nnIndex, String blockPoolId, String encryptionAlgorithm) { this(true, keyUpdateInterval, tokenLifetime, blockPoolId, encryptionAlgorithm); Preconditions.checkArgument(nnIndex == 0 || nnIndex == 1); this.nnIndex = nnIndex; setSerialNo(new SecureRandom().nextInt()); generateKeys(); }
/** Initialize block keys */ private synchronized void generateKeys() { if (!isMaster) return; /* * Need to set estimated expiry dates for currentKey and nextKey so that if * NN crashes, DN can still expire those keys. NN will stop using the newly * generated currentKey after the first keyUpdateInterval, however it may * still be used by DN and Balancer to generate new tokens before they get a * chance to sync their keys with NN. Since we require keyUpdInterval to be * long enough so that all live DN's and Balancer will sync their keys with * NN at least once during the period, the estimated expiry date for * currentKey is set to now() + 2 * keyUpdateInterval + tokenLifetime. * Similarly, the estimated expiry date for nextKey is one keyUpdateInterval * more. */ setSerialNo(serialNo + 1); currentKey = new BlockKey(serialNo, timer.now() + 2 * keyUpdateInterval + tokenLifetime, generateSecret()); setSerialNo(serialNo + 1); nextKey = new BlockKey(serialNo, timer.now() + 3 * keyUpdateInterval + tokenLifetime, generateSecret()); allKeys.put(currentKey.getKeyId(), currentKey); allKeys.put(nextKey.getKeyId(), nextKey); }
/** Initialize block keys */ private synchronized void generateKeys() { if (!isMaster) return; /* * Need to set estimated expiry dates for currentKey and nextKey so that if * NN crashes, DN can still expire those keys. NN will stop using the newly * generated currentKey after the first keyUpdateInterval, however it may * still be used by DN and Balancer to generate new tokens before they get a * chance to sync their keys with NN. Since we require keyUpdInterval to be * long enough so that all live DN's and Balancer will sync their keys with * NN at least once during the period, the estimated expiry date for * currentKey is set to now() + 2 * keyUpdateInterval + tokenLifetime. * Similarly, the estimated expiry date for nextKey is one keyUpdateInterval * more. */ setSerialNo(serialNo + 1); currentKey = new BlockKey(serialNo, timer.now() + 2 * keyUpdateInterval + tokenLifetime, generateSecret()); setSerialNo(serialNo + 1); nextKey = new BlockKey(serialNo, timer.now() + 3 * keyUpdateInterval + tokenLifetime, generateSecret()); allKeys.put(currentKey.getKeyId(), currentKey); allKeys.put(nextKey.getKeyId(), nextKey); }
@Test public void ensureSerialNumbersNeverOverlap() { BlockTokenSecretManager btsm1 = cluster.getNamesystem(0).getBlockManager() .getBlockTokenSecretManager(); BlockTokenSecretManager btsm2 = cluster.getNamesystem(1).getBlockManager() .getBlockTokenSecretManager(); btsm1.setSerialNo(0); btsm2.setSerialNo(0); assertFalse(btsm1.getSerialNoForTesting() == btsm2.getSerialNoForTesting()); btsm1.setSerialNo(Integer.MAX_VALUE); btsm2.setSerialNo(Integer.MAX_VALUE); assertFalse(btsm1.getSerialNoForTesting() == btsm2.getSerialNoForTesting()); btsm1.setSerialNo(Integer.MIN_VALUE); btsm2.setSerialNo(Integer.MIN_VALUE); assertFalse(btsm1.getSerialNoForTesting() == btsm2.getSerialNoForTesting()); btsm1.setSerialNo(Integer.MAX_VALUE / 2); btsm2.setSerialNo(Integer.MAX_VALUE / 2); assertFalse(btsm1.getSerialNoForTesting() == btsm2.getSerialNoForTesting()); btsm1.setSerialNo(Integer.MIN_VALUE / 2); btsm2.setSerialNo(Integer.MIN_VALUE / 2); assertFalse(btsm1.getSerialNoForTesting() == btsm2.getSerialNoForTesting()); }
/** * Update block keys, only to be used in master mode */ synchronized boolean updateKeys() throws IOException { if (!isMaster) return false; LOG.info("Updating block keys"); removeExpiredKeys(); // set final expiry date of retiring currentKey allKeys.put(currentKey.getKeyId(), new BlockKey(currentKey.getKeyId(), timer.now() + keyUpdateInterval + tokenLifetime, currentKey.getKey())); // update the estimated expiry date of new currentKey currentKey = new BlockKey(nextKey.getKeyId(), timer.now() + 2 * keyUpdateInterval + tokenLifetime, nextKey.getKey()); allKeys.put(currentKey.getKeyId(), currentKey); // generate a new nextKey setSerialNo(serialNo + 1); nextKey = new BlockKey(serialNo, timer.now() + 3 * keyUpdateInterval + tokenLifetime, generateSecret()); allKeys.put(nextKey.getKeyId(), nextKey); return true; }
/** * Update block keys, only to be used in master mode */ synchronized boolean updateKeys() throws IOException { if (!isMaster) return false; LOG.info("Updating block keys"); removeExpiredKeys(); // set final expiry date of retiring currentKey allKeys.put(currentKey.getKeyId(), new BlockKey(currentKey.getKeyId(), timer.now() + keyUpdateInterval + tokenLifetime, currentKey.getKey())); // update the estimated expiry date of new currentKey currentKey = new BlockKey(nextKey.getKeyId(), timer.now() + 2 * keyUpdateInterval + tokenLifetime, nextKey.getKey()); allKeys.put(currentKey.getKeyId(), currentKey); // generate a new nextKey setSerialNo(serialNo + 1); nextKey = new BlockKey(serialNo, timer.now() + 3 * keyUpdateInterval + tokenLifetime, generateSecret()); allKeys.put(nextKey.getKeyId(), nextKey); return true; }