org.apache.hadoop.hdfs.protocol.datatransfer.InvalidEncryptionKeyException Java Examples

Example #1
Source File: DataTransferSaslUtil.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Reads one SASL negotiation message from {@code in} and appends every cipher
 * option the peer proposed to {@code cipherOptions}.
 *
 * <p>The peer's status field decides the outcome: {@code ERROR_UNKNOWN_KEY}
 * and {@code ERROR} are turned into exceptions that carry the peer-supplied
 * message text; any other status yields the message payload.
 *
 * @param in stream to read
 * @param cipherOptions list that receives the converted cipher options
 * @return byte[] payload of the SASL negotiation message
 * @throws InvalidEncryptionKeyException if the peer reported ERROR_UNKNOWN_KEY
 * @throws IOException if the peer reported ERROR, or for any other error
 */
public static byte[] readSaslMessageAndNegotiationCipherOptions(
    InputStream in, List<CipherOption> cipherOptions) throws IOException {
  DataTransferEncryptorMessageProto message =
      DataTransferEncryptorMessageProto.parseFrom(vintPrefixed(in));
  DataTransferEncryptorStatus status = message.getStatus();
  if (status == DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY) {
    throw new InvalidEncryptionKeyException(message.getMessage());
  }
  if (status == DataTransferEncryptorStatus.ERROR) {
    throw new IOException(message.getMessage());
  }
  List<CipherOptionProto> proposed = message.getCipherOptionList();
  if (proposed != null) {
    for (CipherOptionProto candidate : proposed) {
      cipherOptions.add(PBHelper.convert(candidate));
    }
  }
  return message.getPayload().toByteArray();
}
 
Example #2
Source File: DataTransferSaslUtil.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Reads the server's SASL message together with the cipher option it chose.
 *
 * <p>Error statuses from the server ({@code ERROR_UNKNOWN_KEY}, {@code ERROR})
 * become exceptions carrying the server-supplied text. Otherwise the payload
 * and the first listed cipher option (or {@code null} if none was sent) are
 * packaged into the returned holder.
 *
 * @param in stream to read
 * @return SaslResponseWithNegotiatedCipherOption SASL message and
 * negotiated cipher option
 * @throws InvalidEncryptionKeyException if the server reported ERROR_UNKNOWN_KEY
 * @throws IOException if the server reported ERROR, or for any other error
 */
public static SaslResponseWithNegotiatedCipherOption
    readSaslMessageAndNegotiatedCipherOption(InputStream in)
        throws IOException {
  DataTransferEncryptorMessageProto message =
      DataTransferEncryptorMessageProto.parseFrom(vintPrefixed(in));
  DataTransferEncryptorStatus status = message.getStatus();
  if (status == DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY) {
    throw new InvalidEncryptionKeyException(message.getMessage());
  }
  if (status == DataTransferEncryptorStatus.ERROR) {
    throw new IOException(message.getMessage());
  }
  List<CipherOption> offered = PBHelper.convertCipherOptionProtos(
      message.getCipherOptionList());
  // Only the first option is honoured; anything after it is ignored.
  CipherOption chosen = (offered == null || offered.isEmpty())
      ? null : offered.get(0);
  return new SaslResponseWithNegotiatedCipherOption(
      message.getPayload().toByteArray(), chosen);
}
 
Example #3
Source File: DataTransferSaslUtil.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Reads one SASL negotiation message and collects the cipher options the
 * peer proposed.
 *
 * <p>An {@code ERROR_UNKNOWN_KEY} status is surfaced as
 * {@link InvalidEncryptionKeyException}, an {@code ERROR} status as a plain
 * {@link IOException}; both reuse the text the peer sent. Any other status
 * is treated as success.
 *
 * @param in stream to read
 * @param cipherOptions list that receives the converted cipher options
 * @return byte[] payload of the SASL negotiation message
 * @throws InvalidEncryptionKeyException if the peer reported ERROR_UNKNOWN_KEY
 * @throws IOException if the peer reported ERROR, or for any other error
 */
public static byte[] readSaslMessageAndNegotiationCipherOptions(
    InputStream in, List<CipherOption> cipherOptions) throws IOException {
  DataTransferEncryptorMessageProto received =
      DataTransferEncryptorMessageProto.parseFrom(vintPrefixed(in));
  DataTransferEncryptorStatus status = received.getStatus();
  if (status == DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY) {
    throw new InvalidEncryptionKeyException(received.getMessage());
  }
  if (status == DataTransferEncryptorStatus.ERROR) {
    throw new IOException(received.getMessage());
  }
  List<CipherOptionProto> optionProtos = received.getCipherOptionList();
  if (optionProtos != null) {
    for (CipherOptionProto each : optionProtos) {
      cipherOptions.add(PBHelper.convert(each));
    }
  }
  return received.getPayload().toByteArray();
}
 
Example #4
Source File: DataTransferSaslUtil.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Reads the server's SASL message and the single cipher option it negotiated.
 *
 * <p>Server-reported errors are rethrown with the server's message text:
 * {@code ERROR_UNKNOWN_KEY} as {@link InvalidEncryptionKeyException},
 * {@code ERROR} as {@link IOException}. On success the payload is returned
 * with the first cipher option from the message, or {@code null} when the
 * list is absent or empty.
 *
 * @param in stream to read
 * @return SaslResponseWithNegotiatedCipherOption SASL message and
 * negotiated cipher option
 * @throws InvalidEncryptionKeyException if the server reported ERROR_UNKNOWN_KEY
 * @throws IOException if the server reported ERROR, or for any other error
 */
public static SaslResponseWithNegotiatedCipherOption
    readSaslMessageAndNegotiatedCipherOption(InputStream in)
        throws IOException {
  DataTransferEncryptorMessageProto received =
      DataTransferEncryptorMessageProto.parseFrom(vintPrefixed(in));
  DataTransferEncryptorStatus status = received.getStatus();
  if (status == DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY) {
    throw new InvalidEncryptionKeyException(received.getMessage());
  }
  if (status == DataTransferEncryptorStatus.ERROR) {
    throw new IOException(received.getMessage());
  }
  byte[] payload = received.getPayload().toByteArray();
  List<CipherOption> candidates = PBHelper.convertCipherOptionProtos(
      received.getCipherOptionList());
  CipherOption negotiated = null;
  if (candidates != null && !candidates.isEmpty()) {
    negotiated = candidates.get(0);
  }
  return new SaslResponseWithNegotiatedCipherOption(payload, negotiated);
}
 
Example #5
Source File: BlockTokenSecretManager.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Recreates the data encryption key that corresponds to a previously issued
 * (keyId, nonce) pair.
 *
 * <p>The block key is looked up under this manager's lock; the derivation
 * itself ({@code createPassword}) runs outside it. The failure message names
 * only key identifiers, never key material.
 *
 * @param keyId identifier of the block key used to derive the encryption key
 * @param nonce random value that was used to derive the encryption key
 * @return the encryption key which corresponds to this (keyId, blockPoolId, nonce)
 * @throws InvalidEncryptionKeyException if no block key with {@code keyId} is
 *         currently held by this manager
 */
public byte[] retrieveDataEncryptionKey(int keyId, byte[] nonce)
    throws InvalidEncryptionKeyException {
  final BlockKey blockKey;
  synchronized (this) {
    blockKey = allKeys.get(keyId);
    if (blockKey == null) {
      throw new InvalidEncryptionKeyException("Can't re-compute encryption key"
          + " for nonce, since the required block key (keyID=" + keyId
          + ") doesn't exist. Current key: " + currentKey.getKeyId());
    }
  }
  return createPassword(nonce, blockKey.getKey());
}
 
Example #6
Source File: DataTransferSaslUtil.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Reads a SASL negotiation message and returns its payload.
 *
 * <p>Peer-reported errors are converted into exceptions carrying the peer's
 * message text: {@code ERROR_UNKNOWN_KEY} becomes
 * {@link InvalidEncryptionKeyException}, {@code ERROR} becomes
 * {@link IOException}.
 *
 * @param in stream to read
 * @return bytes of the SASL negotiation message payload
 * @throws InvalidEncryptionKeyException if the peer reported ERROR_UNKNOWN_KEY
 * @throws IOException if the peer reported ERROR, or for any other error
 */
public static byte[] readSaslMessage(InputStream in) throws IOException {
  DataTransferEncryptorMessageProto message =
      DataTransferEncryptorMessageProto.parseFrom(vintPrefixed(in));
  DataTransferEncryptorStatus status = message.getStatus();
  if (status == DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY) {
    throw new InvalidEncryptionKeyException(message.getMessage());
  }
  if (status == DataTransferEncryptorStatus.ERROR) {
    throw new IOException(message.getMessage());
  }
  return message.getPayload().toByteArray();
}
 
Example #7
Source File: BlockTokenSecretManager.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Recreates the data encryption key for a (keyId, nonce) pair that was
 * handed out earlier.
 *
 * <p>Holds this manager's lock only for the block-key lookup and the read of
 * {@code currentKey}; the derivation runs unlocked. The error message carries
 * key identifiers only, no key material.
 *
 * @param keyId identifier of the block key used to derive the encryption key
 * @param nonce random value that was used to derive the encryption key
 * @return the encryption key which corresponds to this (keyId, blockPoolId, nonce)
 * @throws InvalidEncryptionKeyException if no block key with {@code keyId} is
 *         currently held by this manager
 */
public byte[] retrieveDataEncryptionKey(int keyId, byte[] nonce)
    throws InvalidEncryptionKeyException {
  final BlockKey found;
  synchronized (this) {
    found = allKeys.get(keyId);
    if (found == null) {
      throw new InvalidEncryptionKeyException("Can't re-compute encryption key"
          + " for nonce, since the required block key (keyID=" + keyId
          + ") doesn't exist. Current key: " + currentKey.getKeyId());
    }
  }
  return createPassword(nonce, found.getKey());
}
 
Example #8
Source File: DataTransferSaslUtil.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Reads a single SASL negotiation message from the stream.
 *
 * <p>The status field of the decoded message selects the result: an
 * {@code ERROR_UNKNOWN_KEY} status raises
 * {@link InvalidEncryptionKeyException}, an {@code ERROR} status raises
 * {@link IOException} (both with the peer's text), anything else returns
 * the payload.
 *
 * @param in stream to read
 * @return bytes of the SASL negotiation message payload
 * @throws InvalidEncryptionKeyException if the peer reported ERROR_UNKNOWN_KEY
 * @throws IOException if the peer reported ERROR, or for any other error
 */
public static byte[] readSaslMessage(InputStream in) throws IOException {
  DataTransferEncryptorMessageProto received =
      DataTransferEncryptorMessageProto.parseFrom(vintPrefixed(in));
  DataTransferEncryptorStatus status = received.getStatus();
  if (status == DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY) {
    throw new InvalidEncryptionKeyException(received.getMessage());
  }
  if (status == DataTransferEncryptorStatus.ERROR) {
    throw new IOException(received.getMessage());
  }
  return received.getPayload().toByteArray();
}
 
Example #9
Source File: FanOutOneBlockAsyncDFSOutputSaslHelper.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Fails fast if the peer's message reports an error status.
 *
 * <p>{@code ERROR_UNKNOWN_KEY} first clears the client's cached data
 * encryption key and then raises {@link InvalidEncryptionKeyException};
 * {@code ERROR} raises a plain {@link IOException}. Both reuse the peer's
 * message text. A non-error status returns normally.
 *
 * @param proto decoded message from the peer
 * @throws InvalidEncryptionKeyException if the status is ERROR_UNKNOWN_KEY
 * @throws IOException if the status is ERROR
 */
private void check(DataTransferEncryptorMessageProto proto) throws IOException {
  DataTransferEncryptorStatus status = proto.getStatus();
  if (status == DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY) {
    // Drop the cached key before surfacing the failure; presumably a later
    // attempt then obtains a fresh key — confirm against the caller.
    dfsClient.clearDataEncryptionKey();
    throw new InvalidEncryptionKeyException(proto.getMessage());
  }
  if (status == DataTransferEncryptorStatus.ERROR) {
    throw new IOException(proto.getMessage());
  }
}
 
Example #10
Source File: SaslDataTransferServer.java    From hadoop with Apache License 2.0 4 votes vote down vote up
/**
 * This method actually executes the server-side SASL handshake.
 *
 * <p>Sequence as implemented here: the client's magic number is read and
 * checked before the try block, so a mismatch propagates as
 * {@link InvalidMagicNumberException} without any SASL error reply being
 * written. Two SASL round trips follow; the client's second message also
 * carries its proposed cipher options. When the negotiated QOP is privacy,
 * one of those options may be selected and used to build the returned
 * stream pair; otherwise the SASL participant's own streams are returned.
 *
 * <p>Any IOException raised inside the try block is first reported to the
 * peer (as an "invalid key" or generic SASL error) and then rethrown.
 *
 * @param underlyingOut connection output stream
 * @param underlyingIn connection input stream
 * @param saslProps properties of SASL negotiation
 * @param callbackHandler for responding to SASL callbacks
 * @return new pair of streams, wrapped after SASL negotiation
 * @throws InvalidMagicNumberException if the first int read is not
 *         SASL_TRANSFER_MAGIC_NUMBER
 * @throws IOException for any error
 */
private IOStreamPair doSaslHandshake(OutputStream underlyingOut,
    InputStream underlyingIn, Map<String, String> saslProps,
    CallbackHandler callbackHandler) throws IOException {

  DataInputStream in = new DataInputStream(underlyingIn);
  DataOutputStream out = new DataOutputStream(underlyingOut);

  SaslParticipant sasl = SaslParticipant.createServerSaslParticipant(saslProps,
    callbackHandler);

  // Read outside the try block: a bad magic number is not a SASL failure and
  // no error message is sent back for it.
  int magicNumber = in.readInt();
  if (magicNumber != SASL_TRANSFER_MAGIC_NUMBER) {
    throw new InvalidMagicNumberException(magicNumber, 
        dnConf.getEncryptDataTransfer());
  }
  try {
    // step 1
    byte[] remoteResponse = readSaslMessage(in);
    byte[] localResponse = sasl.evaluateChallengeOrResponse(remoteResponse);
    sendSaslMessage(out, localResponse);

    // step 2 (server-side only)
    // The client's second message also lists the cipher options it proposes;
    // they are collected into cipherOptions for the negotiation below.
    List<CipherOption> cipherOptions = Lists.newArrayList();
    remoteResponse = readSaslMessageAndNegotiationCipherOptions(
        in, cipherOptions);
    localResponse = sasl.evaluateChallengeOrResponse(remoteResponse);

    // SASL handshake is complete
    checkSaslComplete(sasl, saslProps);

    // Stays null unless privacy QOP was negotiated AND a cipher option was
    // agreed; null means the SASL participant's own wrapping is used.
    CipherOption cipherOption = null;
    if (sasl.isNegotiatedQopPrivacy()) {
      // Negotiate a cipher option
      cipherOption = negotiateCipherOption(dnConf.getConf(), cipherOptions);
      if (cipherOption != null) {
        if (LOG.isDebugEnabled()) {
          LOG.debug("Server using cipher suite " + 
              cipherOption.getCipherSuite().getName());
        }
      }
    }

    // If negotiated cipher option is not null, wrap it before sending.
    sendSaslMessageAndNegotiatedCipherOption(out, localResponse, 
        wrap(cipherOption, sasl));

    // If negotiated cipher option is not null, we will use it to create 
    // stream pair.
    return cipherOption != null ? createStreamPair(
        dnConf.getConf(), cipherOption, underlyingOut, underlyingIn, true) : 
          sasl.createStreamPair(out, in);
  } catch (IOException ioe) {
    // NOTE(review): the error reply below is written to the same connection
    // that may have just failed. If that write throws, its IOException
    // propagates instead of ioe rather than being attached as suppressed.
    if (ioe instanceof SaslException &&
        ioe.getCause() != null &&
        ioe.getCause() instanceof InvalidEncryptionKeyException) {
      // This could just be because the client is long-lived and hasn't gotten
      // a new encryption key from the NN in a while. Upon receiving this
      // error, the client will get a new encryption key from the NN and retry
      // connecting to this DN.
      sendInvalidKeySaslErrorMessage(out, ioe.getCause().getMessage());
    } else {
      // ioe.getMessage() is echoed verbatim to a peer that has not completed
      // authentication; exceptions raised on this path should not carry
      // internal detail in their message text.
      sendGenericSaslErrorMessage(out, ioe.getMessage());
    }
    throw ioe;
  }
}
 
Example #11
Source File: SaslDataTransferServer.java    From big-c with Apache License 2.0 4 votes vote down vote up
/**
 * This method actually executes the server-side SASL handshake.
 *
 * <p>Sequence as implemented here: the client's magic number is read and
 * checked before the try block, so a mismatch propagates as
 * {@link InvalidMagicNumberException} without any SASL error reply being
 * written. Two SASL round trips follow; the client's second message also
 * carries its proposed cipher options. When the negotiated QOP is privacy,
 * one of those options may be selected and used to build the returned
 * stream pair; otherwise the SASL participant's own streams are returned.
 *
 * <p>Any IOException raised inside the try block is first reported to the
 * peer (as an "invalid key" or generic SASL error) and then rethrown.
 *
 * @param underlyingOut connection output stream
 * @param underlyingIn connection input stream
 * @param saslProps properties of SASL negotiation
 * @param callbackHandler for responding to SASL callbacks
 * @return new pair of streams, wrapped after SASL negotiation
 * @throws InvalidMagicNumberException if the first int read is not
 *         SASL_TRANSFER_MAGIC_NUMBER
 * @throws IOException for any error
 */
private IOStreamPair doSaslHandshake(OutputStream underlyingOut,
    InputStream underlyingIn, Map<String, String> saslProps,
    CallbackHandler callbackHandler) throws IOException {

  DataInputStream in = new DataInputStream(underlyingIn);
  DataOutputStream out = new DataOutputStream(underlyingOut);

  SaslParticipant sasl = SaslParticipant.createServerSaslParticipant(saslProps,
    callbackHandler);

  // Read outside the try block: a bad magic number is not a SASL failure and
  // no error message is sent back for it.
  int magicNumber = in.readInt();
  if (magicNumber != SASL_TRANSFER_MAGIC_NUMBER) {
    throw new InvalidMagicNumberException(magicNumber, 
        dnConf.getEncryptDataTransfer());
  }
  try {
    // step 1
    byte[] remoteResponse = readSaslMessage(in);
    byte[] localResponse = sasl.evaluateChallengeOrResponse(remoteResponse);
    sendSaslMessage(out, localResponse);

    // step 2 (server-side only)
    // The client's second message also lists the cipher options it proposes;
    // they are collected into cipherOptions for the negotiation below.
    List<CipherOption> cipherOptions = Lists.newArrayList();
    remoteResponse = readSaslMessageAndNegotiationCipherOptions(
        in, cipherOptions);
    localResponse = sasl.evaluateChallengeOrResponse(remoteResponse);

    // SASL handshake is complete
    checkSaslComplete(sasl, saslProps);

    // Stays null unless privacy QOP was negotiated AND a cipher option was
    // agreed; null means the SASL participant's own wrapping is used.
    CipherOption cipherOption = null;
    if (sasl.isNegotiatedQopPrivacy()) {
      // Negotiate a cipher option
      cipherOption = negotiateCipherOption(dnConf.getConf(), cipherOptions);
      if (cipherOption != null) {
        if (LOG.isDebugEnabled()) {
          LOG.debug("Server using cipher suite " + 
              cipherOption.getCipherSuite().getName());
        }
      }
    }

    // If negotiated cipher option is not null, wrap it before sending.
    sendSaslMessageAndNegotiatedCipherOption(out, localResponse, 
        wrap(cipherOption, sasl));

    // If negotiated cipher option is not null, we will use it to create 
    // stream pair.
    return cipherOption != null ? createStreamPair(
        dnConf.getConf(), cipherOption, underlyingOut, underlyingIn, true) : 
          sasl.createStreamPair(out, in);
  } catch (IOException ioe) {
    // NOTE(review): the error reply below is written to the same connection
    // that may have just failed. If that write throws, its IOException
    // propagates instead of ioe rather than being attached as suppressed.
    if (ioe instanceof SaslException &&
        ioe.getCause() != null &&
        ioe.getCause() instanceof InvalidEncryptionKeyException) {
      // This could just be because the client is long-lived and hasn't gotten
      // a new encryption key from the NN in a while. Upon receiving this
      // error, the client will get a new encryption key from the NN and retry
      // connecting to this DN.
      sendInvalidKeySaslErrorMessage(out, ioe.getCause().getMessage());
    } else {
      // ioe.getMessage() is echoed verbatim to a peer that has not completed
      // authentication; exceptions raised on this path should not carry
      // internal detail in their message text.
      sendGenericSaslErrorMessage(out, ioe.getMessage());
    }
    throw ioe;
  }
}
 
Example #12
Source File: BlockReaderFactory.java    From hadoop with Apache License 2.0 3 votes vote down vote up
/**
 * Tells whether an exception is one of the security-related types.
 *
 * <p>These are kept apart from ordinary IOExceptions because they do not
 * signal a communication problem: the client has to act (refetch block
 * tokens, renew encryption keys, and so on) rather than simply retry.
 * Exactly four types qualify: {@code InvalidToken},
 * {@code InvalidEncryptionKeyException}, {@code InvalidBlockTokenException}
 * and {@code AccessControlException}.
 *
 * @param ioe    The exception
 * @return       True only if the exception is security-related.
 */
private static boolean isSecurityException(IOException ioe) {
  if (ioe instanceof InvalidToken) {
    return true;
  }
  if (ioe instanceof InvalidEncryptionKeyException) {
    return true;
  }
  if (ioe instanceof InvalidBlockTokenException) {
    return true;
  }
  return ioe instanceof AccessControlException;
}
 
Example #13
Source File: BlockReaderFactory.java    From big-c with Apache License 2.0 3 votes vote down vote up
/**
 * Reports whether an exception belongs to the security-related family.
 *
 * <p>Such exceptions are handled differently from other IOExceptions: they
 * do not indicate a communication problem but an action the client must
 * take (refetching block tokens, renewing encryption keys, etc.). The family
 * is exactly {@code InvalidToken}, {@code InvalidEncryptionKeyException},
 * {@code InvalidBlockTokenException} and {@code AccessControlException}.
 *
 * @param ioe    The exception
 * @return       True only if the exception is security-related.
 */
private static boolean isSecurityException(IOException ioe) {
  boolean tokenRelated = ioe instanceof InvalidToken
      || ioe instanceof InvalidBlockTokenException;
  boolean keyOrAccessRelated = ioe instanceof InvalidEncryptionKeyException
      || ioe instanceof AccessControlException;
  return tokenRelated || keyOrAccessRelated;
}