HDDS-8164. Authorize secret key APIs

hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsConfigKeys.java

@@ -287,6 +287,18 @@ private HddsConfigKeys() {
   public static final String HDDS_SECURITY_CLIENT_SCM_CERTIFICATE_PROTOCOL_ACL =
       "hdds.security.client.scm.certificate.protocol.acl";
 
+  public static final String
+      HDDS_SECURITY_CLIENT_SCM_SECRET_KEY_OM_PROTOCOL_ACL =
+      "hdds.security.client.scm.secretkey.om.protocol.acl";
+
+  public static final String
+      HDDS_SECURITY_CLIENT_SCM_SECRET_KEY_SCM_PROTOCOL_ACL =
+      "hdds.security.client.scm.secretkey.scm.protocol.acl";
+
+  public static final String
+      HDDS_SECURITY_CLIENT_SCM_SECRET_KEY_DATANODE_PROTOCOL_ACL =
+      "hdds.security.client.scm.secretkey.datanode.protocol.acl";
+
   // Determines if the Container Chunk Manager will write user data to disk
   // Set to false only for specific performance tests
   public static final String HDDS_CONTAINER_PERSISTDATA =

hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/exception/SCMSecretKeyException.java

@@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+package org.apache.hadoop.hdds.security.exception;
+
+import java.io.IOException;
+
+/**
+ * Exception for all secret key related errors.
+ */
+public class SCMSecretKeyException extends IOException {
+  private final ErrorCode errorCode;
+
+  public SCMSecretKeyException(String message, ErrorCode errorCode) {
+    super(message);
+    this.errorCode = errorCode;
+  }
+
+  public ErrorCode getErrorCode() {
+    return errorCode;
+  }
+
+  /**
+   * Error codes to make it easy to decode these exceptions.
+   */
+  public enum ErrorCode {
+    OK,
+    INTERNAL_ERROR,
+    SECRET_KEY_NOT_ENABLED,
+    SECRET_KEY_NOT_INITIALIZED
+  }
+}

hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/exception/SCMSecurityException.java

@@ -109,8 +109,6 @@ public enum ErrorCode {
     MISSING_BLOCK_TOKEN,
     BLOCK_TOKEN_VERIFICATION_FAILED,
     GET_ROOT_CA_CERT_FAILED,
-    NOT_A_PRIMARY_SCM,
-    SECRET_KEY_NOT_ENABLED,
-    SECRET_KEY_NOT_INITIALIZED
+    NOT_A_PRIMARY_SCM
   }
 }

hadoop-hdds/common/src/main/resources/ozone-default.xml

@@ -2484,6 +2484,33 @@
       client scm container protocol.
     </description>
   </property>
+  <property>
+    <name>hdds.security.client.scm.secretkey.om.protocol.acl</name>
+    <value>*</value>
+    <tag>SECURITY</tag>
+    <description>
+      Comma separated list of users and groups allowed to access
+      client scm secret key protocol for om.
+    </description>
+  </property>
+  <property>
+    <name>hdds.security.client.scm.secretkey.scm.protocol.acl</name>
+    <value>*</value>
+    <tag>SECURITY</tag>
+    <description>
+      Comma separated list of users and groups allowed to access
+      client scm secret key protocol for om.
+    </description>
+  </property>
+  <property>
+    <name>hdds.security.client.scm.secretkey.datanode.protocol.acl</name>
+    <value>*</value>
+    <tag>SECURITY</tag>
+    <description>
+      Comma separated list of users and groups allowed to access
+      client scm secret key protocol for datanodes.
+    </description>
+  </property>
   <property>
     <name>ozone.om.security.client.protocol.acl</name>
     <value>*</value>

hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java

@@ -40,6 +40,7 @@
 import org.apache.hadoop.hdds.datanode.metadata.DatanodeCRLStore;
 import org.apache.hadoop.hdds.datanode.metadata.DatanodeCRLStoreImpl;
 import org.apache.hadoop.hdds.protocol.DatanodeDetails;
+import org.apache.hadoop.hdds.protocol.SecretKeyProtocol;
 import org.apache.hadoop.hdds.security.symmetric.DefaultSecretKeyClient;
 import org.apache.hadoop.hdds.security.symmetric.SecretKeyClient;
 import org.apache.hadoop.hdds.security.x509.SecurityConfig;
@@ -298,7 +299,10 @@ public void start() {
         dnCertClient = initializeCertificateClient(dnCertClient);
 
         if (secConf.isTokenEnabled()) {
-          secretKeyClient = DefaultSecretKeyClient.create(conf);
+          SecretKeyProtocol secretKeyProtocol =
+              HddsServerUtil.getSecretKeyClientForDatanode(conf);
+          secretKeyClient = DefaultSecretKeyClient.create(conf,
+              secretKeyProtocol);
           secretKeyClient.start(conf);
         }
       }

hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/protocol/SCMSecurityProtocol.java

@@ -18,7 +18,6 @@
 
 import java.io.IOException;
 import java.util.List;
-import java.util.UUID;
 
 import org.apache.hadoop.hdds.annotation.InterfaceAudience;
 import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
@@ -27,7 +26,6 @@
 import org.apache.hadoop.hdds.protocol.proto.HddsProtos.ScmNodeDetailsProto;
 import org.apache.hadoop.hdds.protocol.proto.HddsProtos.NodeDetailsProto;
 import org.apache.hadoop.hdds.scm.ScmConfig;
-import org.apache.hadoop.hdds.security.symmetric.ManagedSecretKey;
 import org.apache.hadoop.hdds.security.x509.crl.CRLInfo;
 import org.apache.hadoop.security.KerberosInfo;
 
@@ -173,24 +171,4 @@ long revokeCertificates(List<String> certIds, int reason, long revocationTime)
   String getCertificate(NodeDetailsProto nodeDetails,
       String certSignReq) throws IOException;
 
-
-  /**
-   * Get the current SecretKey that is used for signing tokens.
-   * @return ManagedSecretKey
-   */
-  ManagedSecretKey getCurrentSecretKey() throws IOException;
-
-  /**
-   * Get a particular SecretKey by ID.
-   *
-   * @param id the id to get SecretKey.
-   * @return ManagedSecretKey.
-   */
-  ManagedSecretKey getSecretKey(UUID id) throws IOException;
-
-  /**
-   * Get all the non-expired SecretKey managed by SCM.
-   * @return list of ManagedSecretKey.
-   */
-  List<ManagedSecretKey> getAllSecretKeys() throws IOException;
 }

hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/protocol/SecretKeyProtocol.java

@@ -0,0 +1,55 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership.  The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.hadoop.hdds.protocol;
+
+import org.apache.hadoop.hdds.annotation.InterfaceAudience;
+import org.apache.hadoop.hdds.scm.ScmConfig;
+import org.apache.hadoop.hdds.security.symmetric.ManagedSecretKey;
+import org.apache.hadoop.security.KerberosInfo;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.UUID;
+
+/**
+ * The protocol used to expose secret keys in SCM.
+ */
+@KerberosInfo(
+    serverPrincipal = ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY)
+@InterfaceAudience.Private
+public interface SecretKeyProtocol {
+
+  /**
+   * Get the current SecretKey that is used for signing tokens.
+   * @return ManagedSecretKey
+   */
+  ManagedSecretKey getCurrentSecretKey() throws IOException;
+
+  /**
+   * Get a particular SecretKey by ID.
+   *
+   * @param id the id to get SecretKey.
+   * @return ManagedSecretKey.
+   */
+  ManagedSecretKey getSecretKey(UUID id) throws IOException;
+
+  /**
+   * Get all the non-expired SecretKey managed by SCM.
+   * @return list of ManagedSecretKey.
+   */
+  List<ManagedSecretKey> getAllSecretKeys() throws IOException;
+}

hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/protocol/SecretKeyProtocolDatanode.java

@@ -0,0 +1,34 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership.  The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.hadoop.hdds.protocol;
+
+import org.apache.hadoop.hdds.annotation.InterfaceAudience;
+import org.apache.hadoop.security.KerberosInfo;
+
+import static org.apache.hadoop.hdds.scm.ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY;
+import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_DATANODE_KERBEROS_PRINCIPAL_KEY;
+
+/**
+ * The client protocol to access secret key from Datanode.
+ */
+@KerberosInfo(
+    serverPrincipal = HDDS_SCM_KERBEROS_PRINCIPAL_KEY,
+    clientPrincipal = DFS_DATANODE_KERBEROS_PRINCIPAL_KEY
+)
+@InterfaceAudience.Private
+public interface SecretKeyProtocolDatanode extends SecretKeyProtocol {
+}

hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/protocol/SecretKeyProtocolOm.java

@@ -0,0 +1,32 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership.  The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.hadoop.hdds.protocol;
+
+import org.apache.hadoop.security.KerberosInfo;
+
+import static org.apache.hadoop.hdds.scm.ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY;
+
+/**
+ * The client protocol to access secret key from OM.
+ */
+@KerberosInfo(
+    serverPrincipal = HDDS_SCM_KERBEROS_PRINCIPAL_KEY,
+    // TODO: move OMConfigKeys.OZONE_OM_KERBEROS_PRINCIPAL_KEY to hdds-common.
+    clientPrincipal = "ozone.om.kerberos.principal"
+)
+public interface SecretKeyProtocolOm extends SecretKeyProtocol {
+}

hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/protocol/SecretKeyProtocolScm.java

@@ -0,0 +1,31 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership.  The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.hadoop.hdds.protocol;
+
+import org.apache.hadoop.security.KerberosInfo;
+
+import static org.apache.hadoop.hdds.scm.ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY;
+
+/**
+ * The client protocol to access secret key from SCM.
+ */
+@KerberosInfo(
+    serverPrincipal = HDDS_SCM_KERBEROS_PRINCIPAL_KEY,
+    clientPrincipal = HDDS_SCM_KERBEROS_PRINCIPAL_KEY
+)
+public interface SecretKeyProtocolScm extends SecretKeyProtocol {
+}

hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/protocolPB/SCMSecurityProtocolClientSideTranslatorPB.java

@@ -22,9 +22,7 @@
 import java.security.cert.CertificateException;
 import java.util.ArrayList;
 import java.util.List;
-import java.util.UUID;
 import java.util.function.Consumer;
-import java.util.stream.Collectors;
 
 import com.google.common.base.Preconditions;
 import org.apache.hadoop.hdds.protocol.SCMSecurityProtocol;
@@ -42,8 +40,6 @@
 import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCrlsRequestProto;
 import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetDataNodeCertRequestProto;
 import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertRequestProto;
-import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetSecretKeyRequest;
-import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetSecretKeyResponse;
 import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMListCACertificateRequestProto;
 import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetLatestCrlIdRequestProto;
 import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMListCertificateRequestProto;
@@ -55,7 +51,6 @@
 import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.Type;
 import org.apache.hadoop.hdds.scm.proxy.SCMSecurityProtocolFailoverProxyProvider;
 import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
-import org.apache.hadoop.hdds.security.symmetric.ManagedSecretKey;
 import org.apache.hadoop.hdds.security.x509.crl.CRLInfo;
 import org.apache.hadoop.hdds.tracing.TracingUtil;
 import org.apache.hadoop.io.retry.RetryProxy;
@@ -195,38 +190,6 @@ public String getCertificate(NodeDetailsProto nodeDetails,
         .getX509Certificate();
   }
 
-  @Override
-  public ManagedSecretKey getCurrentSecretKey() throws IOException {
-    SCMSecurityProtocolProtos.ManagedSecretKey secretKeyProto =
-        submitRequest(Type.GetCurrentSecretKey, builder -> {
-        }).getCurrentSecretKeyResponseProto().getSecretKey();
-    return ManagedSecretKey.fromProtobuf(secretKeyProto);
-  }
-
-  @Override
-  public ManagedSecretKey getSecretKey(UUID id) throws IOException {
-    SCMGetSecretKeyRequest request = SCMGetSecretKeyRequest.newBuilder()
-        .setSecretKeyId(HddsProtos.UUID.newBuilder()
-            .setMostSigBits(id.getMostSignificantBits())
-            .setLeastSigBits(id.getLeastSignificantBits())).build();
-    SCMGetSecretKeyResponse response = submitRequest(Type.GetSecretKey,
-        builder -> builder.setGetSecretKeyRequest(request))
-        .getGetSecretKeyResponseProto();
-
-    return response.hasSecretKey() ?
-        ManagedSecretKey.fromProtobuf(response.getSecretKey()) : null;
-  }
-
-  @Override
-  public List<ManagedSecretKey> getAllSecretKeys() throws IOException {
-    List<SCMSecurityProtocolProtos.ManagedSecretKey> secretKeysList =
-        submitRequest(Type.GetAllSecretKeys, builder -> {
-        }).getSecretKeysListResponseProto().getSecretKeysList();
-    return secretKeysList.stream()
-        .map(ManagedSecretKey::fromProtobuf)
-        .collect(Collectors.toList());
-  }
-
   /**
    * Get signed certificate for SCM node.
    *