YARN-11738. Modernize SecretManager config.

Make hash algorithm at SecretManager configurable. - hadoop.security.hmac-algorithm: The name of the hashing algorithm. Default: HmacSHA1 - hadoop.security.hmac-length: The length of the random keys to use. Default: 64 Change-Id: I735573c1d7b9f256e05722c98cd550cd8dd4acf0
apache · Nov 20, 2024 · d23e2e9 · d23e2e9
1 parent 8c41fbc
commit d23e2e9
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 9 deletions.
diff --git a/...n-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManager.java b/...n-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManager.java
@@ -27,8 +27,12 @@
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.ipc.RetriableException;
 import org.apache.hadoop.ipc.StandbyException;
 
@@ -40,6 +44,8 @@
 @InterfaceAudience.Public
 @InterfaceStability.Evolving
 public abstract class SecretManager<T extends TokenIdentifier> {
+
+  public static final Logger LOG = LoggerFactory.getLogger(SecretManager.class);
   /**
    * The token was invalid and the message explains why.
    */
@@ -111,12 +117,26 @@ public void checkAvailableForRead() throws StandbyException {
   /**
    * The name of the hashing algorithm.
    */
+  private static final String HMAC_ALGORITHM = "hadoop.security.hmac-algorithm";
   private static final String DEFAULT_HMAC_ALGORITHM = "HmacSHA1";
+  private static final String SELECTED_ALGORITHM;
 
   /**
    * The length of the random keys to use.
    */
-  private static final int KEY_LENGTH = 64;
+  private static final String HMAC_LENGTH = "hadoop.security.hmac-length";
+  private static final int DEFAULT_HMAC_LENGTH = 64;
+  private static final int SELECTED_LENGTH;
+
+  static {
+    Configuration conf = new Configuration();
+    String algorithm = conf.get(HMAC_ALGORITHM, DEFAULT_HMAC_ALGORITHM);
+    LOG.info("Selected hash algorithm: {}", algorithm);
+    SELECTED_ALGORITHM = algorithm;
+    int length = conf.getInt(HMAC_LENGTH, DEFAULT_HMAC_LENGTH);
+    LOG.info("Selected hash key length:{}", length);
+    SELECTED_LENGTH = length;
+  }
 
   /**
    * A thread local store for the Macs.
@@ -126,10 +146,9 @@ public void checkAvailableForRead() throws StandbyException {
     @Override
     protected Mac initialValue() {
       try {
-        return Mac.getInstance(DEFAULT_HMAC_ALGORITHM);
+        return Mac.getInstance(SELECTED_ALGORITHM);
       } catch (NoSuchAlgorithmException nsa) {
-        throw new IllegalArgumentException("Can't find " + DEFAULT_HMAC_ALGORITHM +
-                                           " algorithm.");
+        throw new IllegalArgumentException("Can't find " + SELECTED_ALGORITHM + " algorithm.");
       }
     }
   };
@@ -140,11 +159,10 @@ protected Mac initialValue() {
   private final KeyGenerator keyGen;
   {
     try {
-      keyGen = KeyGenerator.getInstance(DEFAULT_HMAC_ALGORITHM);
-      keyGen.init(KEY_LENGTH);
+      keyGen = KeyGenerator.getInstance(SELECTED_ALGORITHM);
+      keyGen.init(SELECTED_LENGTH);
     } catch (NoSuchAlgorithmException nsa) {
-      throw new IllegalArgumentException("Can't find " + DEFAULT_HMAC_ALGORITHM +
-      " algorithm.");
+      throw new IllegalArgumentException("Can't find " + SELECTED_ALGORITHM + " algorithm.");
     }
   }
 
@@ -185,6 +203,6 @@ public static byte[] createPassword(byte[] identifier,
    * @return the secret key
    */
   protected static SecretKey createSecretKey(byte[] key) {
-    return new SecretKeySpec(key, DEFAULT_HMAC_ALGORITHM);
+    return new SecretKeySpec(key, SELECTED_ALGORITHM);
   }
 }
diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
@@ -1046,6 +1046,32 @@
   </description>
 </property>
 
+<property>
+  <name>hadoop.security.hmac-algorithm</name>
+  <value>HmacSHA1</value>
+  <description>The configuration key specifying the hashing algorithm used for
+    HMAC (Hash-based Message Authentication Code) operations.
+
+    The HMAC algorithm is used in token management to compute secure
+    message digests. This configuration allows users to specify the
+    algorithm to be used for HMAC operations. The algorithm must be a
+    valid cryptographic hash algorithm supported by the Java Cryptography
+    Architecture (JCA). Common examples include "HmacSHA1", "HmacSHA256",
+    and "HmacSHA512".</description>
+</property>
+
+<property>
+  <name>hadoop.security.hmac-length</name>
+  <value>64</value>
+  <description>The configuration key specifying the key length for HMAC (Hash-based
+    Message Authentication Code) operations.
+
+    This property determines the size of the secret keys generated
+    for HMAC computations. The key length must be appropriate for the
+    selected HMAC algorithm. For example, longer keys are generally
+    more secure but may not be supported by all algorithms.</description>
+</property>
+
   <!-- file system properties -->
 
 <property>

diff --git a/...java/org/apache/hadoop/yarn/server/nodemanager/security/TestNMTokenSecretManagerInNM.java b/...java/org/apache/hadoop/yarn/server/nodemanager/security/TestNMTokenSecretManagerInNM.java
@@ -60,6 +60,8 @@ public void testRecovery() throws IOException {
     secretMgr.setNodeId(nodeId);
     MasterKey currentKey = keygen.generateKey();
     secretMgr.setMasterKey(currentKey);
+    // check key is 64 bit long (8 byte)
+    assertEquals(8, currentKey.getBytes().array().length);
     NMTokenIdentifier attemptToken1 =
         getNMTokenId(secretMgr.createNMToken(attempt1, nodeId, "user1"));
     NMTokenIdentifier attemptToken2 =