HBASE-26582 Prune use of Random and SecureRandom objects

Avoid the pattern where a Random object is allocated, used once or twice, and
then left for GC. This pattern triggers warnings from some static analysis tools
because this pattern leads to poor effective randomness. In a few cases we were
legitimately suffering from this issue; in others a change is still good to
reduce noise in analysis results.

Use ThreadLocalRandom where there is no requirement to set the seed to gain
good reuse.

Where useful relax use of SecureRandom to simply Random or ThreadLocalRandom,
which are unlikely to block if the system entropy pool is low, if we don't need
crypographically strong randomness for the use case. The exception to this is
normalization of use of Bytes#random to fill byte arrays with randomness.
Because Bytes#random may be used to generate key material it must be backed by
SecureRandom.

Author: apurtell

hbase-asyncfs/src/test/java/org/apache/hadoop/hbase/io/asyncfs/TestFanOutOneBlockAsyncDFSOutput.java

@@ -72,14 +72,11 @@ public class TestFanOutOneBlockAsyncDFSOutput extends AsyncFSTestBase {
     HBaseClassTestRule.forClass(TestFanOutOneBlockAsyncDFSOutput.class);
 
   private static final Logger LOG = LoggerFactory.getLogger(TestFanOutOneBlockAsyncDFSOutput.class);
-
   private static DistributedFileSystem FS;
-
   private static EventLoopGroup EVENT_LOOP_GROUP;
-
   private static Class<? extends Channel> CHANNEL_CLASS;
-
   private static int READ_TIMEOUT_MS = 2000;
+  private static final Random RNG = new Random();
 
   private static StreamSlowMonitor MONITOR;
 
@@ -108,10 +105,10 @@ static void writeAndVerify(FileSystem fs, Path f, AsyncFSOutput out)
     throws IOException, InterruptedException, ExecutionException {
     List<CompletableFuture<Long>> futures = new ArrayList<>();
     byte[] b = new byte[10];
-    Random rand = new Random(12345);
     // test pipelined flush
+    RNG.setSeed(12345);
     for (int i = 0; i < 10; i++) {
-      rand.nextBytes(b);
+      RNG.nextBytes(b);
       out.write(b);
       futures.add(out.flush(false));
       futures.add(out.flush(false));
@@ -123,11 +120,11 @@ static void writeAndVerify(FileSystem fs, Path f, AsyncFSOutput out)
     out.close();
     assertEquals(b.length * 10, fs.getFileStatus(f).getLen());
     byte[] actual = new byte[b.length];
-    rand.setSeed(12345);
+    RNG.setSeed(12345);
     try (FSDataInputStream in = fs.open(f)) {
       for (int i = 0; i < 10; i++) {
         in.readFully(actual);
-        rand.nextBytes(b);
+        RNG.nextBytes(b);
         assertArrayEquals(b, actual);
       }
       assertEquals(-1, in.read());

hbase-balancer/src/test/java/org/apache/hadoop/hbase/master/balancer/TestRegionHDFSBlockLocationFinder.java

@@ -63,19 +63,19 @@ public class TestRegionHDFSBlockLocationFinder {
   public static final HBaseClassTestRule CLASS_RULE =
     HBaseClassTestRule.forClass(TestRegionHDFSBlockLocationFinder.class);
 
+  private static final Random RNG = new Random();
   private static TableDescriptor TD;
-
   private static List<RegionInfo> REGIONS;
 
   private RegionHDFSBlockLocationFinder finder;
 
   private static HDFSBlocksDistribution generate(RegionInfo region) {
     HDFSBlocksDistribution distribution = new HDFSBlocksDistribution();
     int seed = region.hashCode();
-    Random rand = new Random(seed);
-    int size = 1 + rand.nextInt(10);
+    RNG.setSeed(seed);
+    int size = 1 + RNG.nextInt(10);
     for (int i = 0; i < size; i++) {
-      distribution.addHostsAndBlockWeight(new String[] { "host-" + i }, 1 + rand.nextInt(100));
+      distribution.addHostsAndBlockWeight(new String[] { "host-" + i }, 1 + RNG.nextInt(100));
     }
     return distribution;
   }

hbase-client/src/main/java/org/apache/hadoop/hbase/client/PerClientRandomNonceGenerator.java

@@ -19,9 +19,8 @@
 package org.apache.hadoop.hbase.client;
 
 import java.util.Arrays;
-import java.util.Random;
-
 import org.apache.hadoop.hbase.HConstants;
+import org.apache.hbase.thirdparty.io.netty.util.internal.ThreadLocalRandom;
 import org.apache.yetus.audience.InterfaceAudience;
 
 /**
@@ -33,12 +32,12 @@ public final class PerClientRandomNonceGenerator implements NonceGenerator {
 
   private static final PerClientRandomNonceGenerator INST = new PerClientRandomNonceGenerator();
 
-  private final Random rdm = new Random();
   private final long clientId;
 
   private PerClientRandomNonceGenerator() {
     byte[] clientIdBase = ClientIdGenerator.generateClientId();
-    this.clientId = (((long) Arrays.hashCode(clientIdBase)) << 32) + rdm.nextInt();
+    this.clientId = (((long) Arrays.hashCode(clientIdBase)) << 32) +
+      ThreadLocalRandom.current().nextInt();
   }
 
   @Override
@@ -50,7 +49,7 @@ public long getNonceGroup() {
   public long newNonce() {
     long result = HConstants.NO_NONCE;
     do {
-      result = rdm.nextLong();
+      result = ThreadLocalRandom.current().nextLong();
     } while (result == HConstants.NO_NONCE);
     return result;
   }

hbase-client/src/main/java/org/apache/hadoop/hbase/filter/RandomRowFilter.java

@@ -20,7 +20,7 @@
 package org.apache.hadoop.hbase.filter;
 
 import java.util.Objects;
-import java.util.Random;
+import java.util.concurrent.ThreadLocalRandom;
 
 import org.apache.hadoop.hbase.Cell;
 import org.apache.yetus.audience.InterfaceAudience;
@@ -35,7 +35,6 @@
  */
 @InterfaceAudience.Public
 public class RandomRowFilter extends FilterBase {
-  protected static final Random random = new Random();
 
   protected float chance;
   protected boolean filterOutRow;
@@ -98,7 +97,7 @@ public boolean filterRowKey(Cell firstRowCell) {
       filterOutRow = false;
     } else {
       // roll the dice
-      filterOutRow = !(random.nextFloat() < chance);
+      filterOutRow = !(ThreadLocalRandom.current().nextFloat() < chance);
     }
     return filterOutRow;
   }

hbase-client/src/main/java/org/apache/hadoop/hbase/slowlog/SlowLogTableAccessor.java

@@ -22,7 +22,8 @@
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Random;
+import java.util.concurrent.ThreadLocalRandom;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.HConstants;
 import org.apache.hadoop.hbase.NamespaceDescriptor;
@@ -49,8 +50,6 @@ public class SlowLogTableAccessor {
 
   private static final Logger LOG = LoggerFactory.getLogger(SlowLogTableAccessor.class);
 
-  private static final Random RANDOM = new Random();
-
   private static Connection connection;
 
   /**
@@ -139,7 +138,7 @@ private static byte[] getRowKey(final TooSlowLog.SlowLogPayload slowLogPayload)
     String lastFiveDig =
       hashcode.substring((hashcode.length() > 5) ? (hashcode.length() - 5) : 0);
     if (lastFiveDig.startsWith("-")) {
-      lastFiveDig = String.valueOf(RANDOM.nextInt(99999));
+      lastFiveDig = String.valueOf(ThreadLocalRandom.current().nextInt(99999));
     }
     final long currentTime = EnvironmentEdgeManager.currentTime();
     final String timeAndHashcode = currentTime + lastFiveDig;

hbase-client/src/test/java/org/apache/hadoop/hbase/security/TestEncryptionUtil.java

@@ -23,7 +23,7 @@
 
 import java.security.Key;
 import java.security.KeyException;
-import java.security.SecureRandom;
+
 import javax.crypto.spec.SecretKeySpec;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.HBaseClassTestRule;
@@ -110,7 +110,7 @@ public void testWALKeyWrappingWithIncorrectKey() throws Exception {
 
     // generate a test key
     byte[] keyBytes = new byte[AES.KEY_LENGTH];
-    new SecureRandom().nextBytes(keyBytes);
+    Bytes.random(keyBytes);
     String algorithm = conf.get(HConstants.CRYPTO_WAL_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES);
     Key key = new SecretKeySpec(keyBytes, algorithm);
 
@@ -152,7 +152,7 @@ private void testKeyWrapping(String hashAlgorithm) throws Exception {
 
     // generate a test key
     byte[] keyBytes = new byte[AES.KEY_LENGTH];
-    new SecureRandom().nextBytes(keyBytes);
+    Bytes.random(keyBytes);
     String algorithm =
       conf.get(HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES);
     Key key = new SecretKeySpec(keyBytes, algorithm);
@@ -189,7 +189,7 @@ private void testWALKeyWrapping(String hashAlgorithm) throws Exception {
 
     // generate a test key
     byte[] keyBytes = new byte[AES.KEY_LENGTH];
-    new SecureRandom().nextBytes(keyBytes);
+    Bytes.random(keyBytes);
     String algorithm = conf.get(HConstants.CRYPTO_WAL_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES);
     Key key = new SecretKeySpec(keyBytes, algorithm);
 
@@ -214,7 +214,7 @@ private void testKeyWrappingWithMismatchingAlgorithms(Configuration conf) throws
 
     // generate a test key
     byte[] keyBytes = new byte[AES.KEY_LENGTH];
-    new SecureRandom().nextBytes(keyBytes);
+    Bytes.random(keyBytes);
     String algorithm =
       conf.get(HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES);
     Key key = new SecretKeySpec(keyBytes, algorithm);

hbase-client/src/test/java/org/apache/hadoop/hbase/util/TestRoundRobinPoolMap.java

@@ -25,11 +25,9 @@
 import java.util.Collections;
 import java.util.Iterator;
 import java.util.List;
-import java.util.Random;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.CompletionException;
 import java.util.concurrent.ExecutionException;
-import java.util.concurrent.ThreadLocalRandom;
 import java.util.concurrent.atomic.AtomicInteger;
 import org.apache.hadoop.hbase.HBaseClassTestRule;
 import org.apache.hadoop.hbase.testclassification.MiscTests;

hbase-client/src/test/java/org/apache/hadoop/hbase/util/TestThreadLocalPoolMap.java

@@ -20,11 +20,9 @@
 import static org.junit.Assert.assertEquals;
 
 import java.io.IOException;
-import java.util.Random;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.CompletionException;
 import java.util.concurrent.ExecutionException;
-import java.util.concurrent.ThreadLocalRandom;
 import java.util.concurrent.atomic.AtomicInteger;
 import org.apache.hadoop.hbase.HBaseClassTestRule;
 import org.apache.hadoop.hbase.testclassification.MiscTests;

hbase-common/src/main/java/org/apache/hadoop/hbase/io/encoding/HFileBlockDefaultEncodingContext.java

@@ -21,7 +21,6 @@
 import java.io.DataOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.security.SecureRandom;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.io.ByteArrayOutputStream;
@@ -110,7 +109,7 @@ public HFileBlockDefaultEncodingContext(Configuration conf, DataBlockEncoding en
     if (cryptoContext != Encryption.Context.NONE) {
       cryptoByteStream = new ByteArrayOutputStream();
       iv = new byte[cryptoContext.getCipher().getIvLength()];
-      new SecureRandom().nextBytes(iv);
+      Bytes.random(iv);
     }
 
     dummyHeader = Preconditions.checkNotNull(headerBytes,

hbase-common/src/main/java/org/apache/hadoop/hbase/util/Bytes.java

@@ -2358,6 +2358,8 @@ public static void zero(byte[] b, int offset, int length) {
     Arrays.fill(b, offset, offset + length, (byte) 0);
   }
 
+  // SecureRandom is more expensive than other options but Bytes.random may be used to create
+  // key material.
   private static final SecureRandom RNG = new SecureRandom();
 
   /**