HADOOP-19639. SecretManager configuration at runtime

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManager.java

@@ -20,7 +20,6 @@
 
 import java.io.IOException;
 import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
 
 import javax.crypto.KeyGenerator;
 import javax.crypto.Mac;
@@ -32,8 +31,6 @@
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 import org.apache.hadoop.ipc.RetriableException;
 import org.apache.hadoop.ipc.StandbyException;
 
@@ -115,61 +112,29 @@ public void checkAvailableForRead() throws StandbyException {
     // Default to being available for read.
   }
 
-  private static final String SELECTED_ALGORITHM;
-  private static final int SELECTED_LENGTH;
-
-  static {
-    Configuration conf = new Configuration();
-    String algorithm = conf.get(
-      CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_KEY,
-      CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_DEFAULT);
-    LOG.debug("Selected hash algorithm: {}", algorithm);
-    SELECTED_ALGORITHM = algorithm;
-    int length = conf.getInt(
-      CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_KEY,
-      CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_DEFAULT);
-    LOG.debug("Selected hash key length:{}", length);
-    SELECTED_LENGTH = length;
-  }
-
   /**
    * A thread local store for the Macs.
    */
   private static final ThreadLocal<Mac> threadLocalMac =
-    new ThreadLocal<Mac>(){
-    @Override
-    protected Mac initialValue() {
-      try {
-        return Mac.getInstance(SELECTED_ALGORITHM);
-      } catch (NoSuchAlgorithmException nsa) {
-        throw new IllegalArgumentException("Can't find " + SELECTED_ALGORITHM, nsa);
-      }
-    }
-  };
+          ThreadLocal.withInitial(SecretManagerConfig::createMac);
 
   /**
    * Key generator to use.
    */
-  private final KeyGenerator keyGen;
-  {
-    try {
-      keyGen = KeyGenerator.getInstance(SELECTED_ALGORITHM);
-      keyGen.init(SELECTED_LENGTH);
-    } catch (NoSuchAlgorithmException nsa) {
-      throw new IllegalArgumentException("Can't find " + SELECTED_ALGORITHM, nsa);
-    }
-  }
+  private volatile KeyGenerator keyGen;
+  private final Object keyGenLock = new Object();
 
   /**
    * Generate a new random secret key.
    * @return the new key
    */
   protected SecretKey generateSecret() {
-    SecretKey key;
-    synchronized (keyGen) {
-      key = keyGen.generateKey();
+    synchronized (keyGenLock) {
+      if (keyGen == null) {
+        keyGen = SecretManagerConfig.createKeyGenerator();
+      }
+      return keyGen.generateKey();
     }
-    return key;
   }
 
   /**
@@ -197,6 +162,6 @@ public static byte[] createPassword(byte[] identifier,
    * @return the secret key
    */
   protected static SecretKey createSecretKey(byte[] key) {
-    return new SecretKeySpec(key, SELECTED_ALGORITHM);
+    return new SecretKeySpec(key, SecretManagerConfig.getSelectedAlgorithm());
   }
 }

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManagerConfig.java

@@ -0,0 +1,133 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security.token;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.crypto.KeyGenerator;
+import javax.crypto.Mac;
+import java.security.NoSuchAlgorithmException;
+
+/**
+ * Provides configuration and utility methods for managing cryptographic key generation
+ * and message authentication code (MAC) generation using specified algorithms and key lengths.
+ * <p>
+ * This class supports static access to the selected cryptographic algorithm and key length,
+ * and provides methods to create configured {@link javax.crypto.KeyGenerator}
+ * and {@link javax.crypto.Mac} instances.
+ * The configuration is initialized statically from a provided {@link Configuration} object.
+ * <p>
+ * The {@link SecretManager} has some static method, so static configuration is required
+ */
+@InterfaceAudience.Public
+@InterfaceStability.Evolving
+public class SecretManagerConfig {
+  private static final Logger LOG = LoggerFactory.getLogger(SecretManagerConfig.class);
+  private static String selectedAlgorithm;
+  private static int selectedLength;
+  private static boolean initialized;
+
+  static {
+    update(new Configuration());
+  }
+
+  private SecretManagerConfig() {
+  }
+
+  /**
+   * Updates the selected cryptographic algorithm and key length using the provided
+   * Hadoop {@link Configuration}. This method reads the values for
+   * {@code HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_KEY} and
+   * {@code HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_KEY}, or uses default values if not set.
+   *
+   * @param conf the configuration object containing cryptographic settings
+   */
+  public static synchronized void update(Configuration conf) {
+    if (initialized) {
+      LOG.warn(
+        "Keygen or Mac was already initialized with older config, those will not be updated");
+    }
+    selectedAlgorithm = conf.get(
+      CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_KEY,
+      CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_DEFAULT);
+    LOG.debug("Selected hash algorithm: {}", selectedAlgorithm);
+    selectedLength = conf.getInt(
+      CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_KEY,
+      CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_DEFAULT);
+    LOG.debug("Selected hash key length: {}", selectedLength);
+  }
+
+  /**
+   * Returns the currently selected cryptographic algorithm.
+   *
+   * @return the name of the selected algorithm
+   */
+  public static synchronized String getSelectedAlgorithm() {
+    return selectedAlgorithm;
+  }
+
+  /**
+   * Returns the currently selected key length in bits.
+   *
+   * @return the selected key length
+   */
+  public static synchronized int getSelectedLength() {
+    return selectedLength;
+  }
+
+  /**
+   * Creates a new {@link KeyGenerator} instance configured with the currently selected
+   * algorithm and key length.
+   *
+   * @return a new {@code KeyGenerator} instance
+   * @throws IllegalArgumentException if the specified algorithm is not available
+   */
+  public static synchronized KeyGenerator createKeyGenerator() {
+    LOG.debug("Creating key generator instance {}, {}", selectedAlgorithm, selectedLength);
+    initialized = true;
+    try {
+      KeyGenerator keyGen = KeyGenerator.getInstance(selectedAlgorithm);
+      keyGen.init(selectedLength);
+      return keyGen;
+    } catch (NoSuchAlgorithmException nsa) {
+      throw new IllegalArgumentException("Can't find " + selectedAlgorithm, nsa);
+    }
+  }
+
+  /**
+   * Creates a new {@link Mac} instance using the currently selected algorithm.
+   *
+   * @return a new {@code Mac} instance
+   * @throws IllegalArgumentException if the specified algorithm is not available
+   */
+  public static synchronized Mac createMac() {
+    LOG.debug("Creating mac instance {}", selectedAlgorithm);
+    initialized = true;
+    try {
+      return Mac.getInstance(selectedAlgorithm);
+    } catch (NoSuchAlgorithmException nsa) {
+      throw new IllegalArgumentException("Can't find " + selectedAlgorithm, nsa);
+    }
+  }
+}

hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/TestSecurityManagerConfig.java

@@ -0,0 +1,104 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security.token;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Test;
+
+import javax.crypto.KeyGenerator;
+import javax.crypto.Mac;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+public class TestSecurityManagerConfig {
+
+  private final String defaultAlgorithm =
+      CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_DEFAULT;
+  private final int defaultLength =
+      CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_DEFAULT;
+  private final String strongAlgorithm = "HmacSHA256";
+  private final int strongLength = 256;
+
+  @Test
+  public void testDefaults() {
+    assertEquals(defaultAlgorithm, SecretManagerConfig.getSelectedAlgorithm());
+    assertEquals(defaultLength, SecretManagerConfig.getSelectedLength());
+  }
+
+  @Test
+  public void testUpdateByConfig() {
+    SecretManagerConfig.update(createConfiguration(strongAlgorithm, strongLength));
+    assertEquals(strongAlgorithm, SecretManagerConfig.getSelectedAlgorithm());
+    assertEquals(strongLength, SecretManagerConfig.getSelectedLength());
+  }
+
+  @Test
+  public void testMacCreation() {
+    SecretManagerConfig.update(createConfiguration(strongAlgorithm, strongLength));
+    Mac mac = SecretManagerConfig.createMac();
+    assertEquals(strongAlgorithm, mac.getAlgorithm());
+  }
+
+  @Test
+  public void testMacCreationUnknownAlgorithm() {
+    SecretManagerConfig.update(
+        createConfiguration("testMacCreationUnknownAlgorithm_NO_ALG", defaultLength));
+    assertThrows(IllegalArgumentException.class, SecretManagerConfig::createMac);
+  }
+
+  @Test
+  public void testKeygenCreation() {
+    SecretManagerConfig.update(createConfiguration(strongAlgorithm, strongLength));
+    KeyGenerator keyGenerator = SecretManagerConfig.createKeyGenerator();
+    assertEquals(strongAlgorithm, keyGenerator.getAlgorithm());
+  }
+
+  @Test
+  public void testKeygenCreationUnknownAlgorithm() {
+    SecretManagerConfig.update(
+        createConfiguration("testKeygenCreationUnknownAlgorithm_NO_ALG", defaultLength));
+    assertThrows(IllegalArgumentException.class, SecretManagerConfig::createKeyGenerator);
+  }
+
+  @Test
+  public void testConfigUpdateAfterKeygenCreation() {
+    SecretManagerConfig.update(createConfiguration(strongAlgorithm, strongLength));
+    KeyGenerator keyGenerator = SecretManagerConfig.createKeyGenerator();
+    SecretManagerConfig.update(createConfiguration(defaultAlgorithm, defaultLength));
+    assertEquals(strongAlgorithm, keyGenerator.getAlgorithm());
+  }
+
+  @AfterEach
+  public void tearDown() {
+    SecretManagerConfig.update(createConfiguration(defaultAlgorithm, defaultLength));
+  }
+
+  private Configuration createConfiguration(String algorithm, int length) {
+    Configuration conf = new Configuration();
+    conf.set(
+        CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_KEY,
+        algorithm);
+    conf.setInt(CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_KEY,
+        length);
+    return conf;
+  }
+}