
Commit 7007a6a

committed
test kms
1 parent 631ea9b commit 7007a6a


3 files changed

+104
-4
lines changed


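--- a/.github/scripts/install-hdfs.sh
+++ b/.github/scripts/install-hdfs.sh
@@ -2,7 +2,7 @@
 
 set -e
 
-KERBEROS=${KERBEROS-"false"}
+KERBEROS="${KERBEROS-false}"
 AES=${AES-"false"}
 if [ "$DATA_TRANSFER_PROTECTION" = "privacy" ]; then
 KERBEROS="true"
@@ -15,11 +15,17 @@ else
 ENCRYPT_DATA_TRANSFER="false"
 fi
 
+CONF_KMS_PROVIDER=""
+TRANSPARENT_ENCRYPTION="${TRANSPARENT_ENCRYPTION-false}"
+if [ "$TRANSPARENT_ENCRYPTION" = "true" ]; then
+CONF_KMS_PROVIDER="kms://http@localhost:9600/kms"
+fi
+
 CONF_AUTHENTICATION="simple"
 KERBEROS_REALM="EXAMPLE.COM"
 KERBEROS_PRINCIPLE="administrator"
 KERBEROS_PASSWORD="password1234"
-if [ $KERBEROS = "true" ]; then
+if [ "$KERBEROS" = "true" ]; then
 CONF_AUTHENTICATION="kerberos"
 
 HOSTNAME=$(hostname)
@@ -50,7 +56,7 @@ EOF
 sudo apt-get install -y krb5-user krb5-kdc krb5-admin-server
 
 printf "$KERBEROS_PASSWORD\n$KERBEROS_PASSWORD" | sudo kdb5_util -r "$KERBEROS_REALM" create -s
-for p in nn dn $USER gohdfs1 gohdfs2; do
+for p in nn dn kms $USER gohdfs1 gohdfs2; do
 sudo kadmin.local -q "addprinc -randkey $p/$HOSTNAME@$KERBEROS_REALM"
 sudo kadmin.local -q "addprinc -randkey $p/localhost@$KERBEROS_REALM"
 sudo kadmin.local -q "xst -k /tmp/$p.keytab $p/$HOSTNAME@$KERBEROS_REALM"
@@ -116,6 +122,10 @@ sudo tee $HADOOP_ROOT/etc/hadoop/core-site.xml <<EOF
 <name>hadoop.rpc.protection</name>
 <value>$RPC_PROTECTION</value>
 </property>
+<property>
+<name>hadoop.security.key.provider.path</name>
+<value>$CONF_KMS_PROVIDER</value>
+</property>
 </configuration>
 EOF
 
@@ -172,6 +182,41 @@ $HADOOP_ROOT/bin/hdfs namenode -format
 sudo groupadd hadoop
 sudo usermod -a -G hadoop $USER
 
+sudo tee $HADOOP_ROOT/etc/hadoop/kms-site.xml <<EOF
+<configuration>
+<property>
+<name>hadoop.kms.key.provider.uri</name>
+<value>jceks://file@/tmp/hdfs/kms.keystore</value>
+</property>
+<property>
+<name>hadoop.security.keystore.java-keystore-provider.password-file</name>
+<value>kms.keystore.password</value>
+</property>
+<property>
+<name>hadoop.kms.authentication.type</name>
+<value>$CONF_AUTHENTICATION</value>
+</property>
+<property>
+<name>hadoop.kms.authentication.kerberos.keytab</name>
+<value>/tmp/kms.keytab</value>
+</property>
+<property>
+<name>hadoop.kms.authentication.kerberos.principal</name>
+<value>kms/localhost@$KERBEROS_REALM</value>
+</property>
+</configuration>
+EOF
+
+sudo tee $HADOOP_ROOT/etc/hadoop/kms.keystore.password <<EOF
+123456
+EOF
+
+if [ "$TRANSPARENT_ENCRYPTION" = "true" ]; then
+echo "Starting KMS..."
+rm $HADOOP_ROOT/etc/hadoop/kms-log4j.properties
+$HADOOP_ROOT/bin/hadoop kms > /tmp/hdfs/kms.log 2>&1 &
+fi
+
 echo "Starting namenode..."
 $HADOOP_ROOT/bin/hdfs namenode > /tmp/hdfs/namenode.log 2>&1 &
 
@@ -183,5 +228,12 @@ sleep 5
 echo "Waiting for cluster to exit safe mode..."
 $HADOOP_ROOT/bin/hdfs dfsadmin -safemode wait
 
+$HADOOP_ROOT/bin/hadoop fs -mkdir -p /_test/kms
+if [ "$TRANSPARENT_ENCRYPTION" = "true" ]; then
+echo "Prepare encrypted zone"
+$HADOOP_ROOT/bin/hadoop key create key1
+$HADOOP_ROOT/bin/hdfs crypto -createZone -keyName key1 -path /_test/kms
+fi
+
 echo "HADOOP_CONF_DIR=$(pwd)/$HADOOP_ROOT/etc/hadoop" >> $GITHUB_ENV
-echo "$(pwd)/$HADOOP_ROOT/bin" >> $GITHUB_PATH
+echo "$(pwd)/$HADOOP_ROOT/bin" >> $GITHUB_PATH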
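Review bot: The keystore-password heredoc in the `@@ -172,6 +182,41 @@` hunk writes the literal `123456` through `sudo tee`, which also copies it to stdout and therefore into the job log, and nothing marks it, the keystore under `/tmp/hdfs` or `/tmp/kms.keytab` as CI-only fixtures. I would put `# Test-only KMS keystore password for the throwaway CI cluster; never reuse.` above the heredoc and write the command as `sudo tee "$HADOOP_ROOT/etc/hadoop/kms.keystore.password" >/dev/null <<EOF`. In the same hunk, `rm $HADOOP_ROOT/etc/hadoop/kms-log4j.properties` runs under `set -e`, so a distribution that does not ship that file aborts the whole install; `rm -f -- "$HADOOP_ROOT/etc/hadoop/kms-log4j.properties"` avoids that and matches the quoting this commit already applies to `"$KERBEROS"`. A one-line comment saying why the log4j file is removed would also help, since the reason is not visible here.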

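--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -14,6 +14,8 @@ jobs:
 include:
 - hadoop_version: 2.10.1
 - hadoop_version: 3.3.1
+- hadoop_version: 3.3.1
+transparent_encryption: true
 - hadoop_version: 3.3.1
 kerberos: true
 rpc_protection: authentication
@@ -48,6 +50,7 @@ jobs:
 RPC_PROTECTION: ${{ matrix.rpc_protection }}
 TRANSFER_PROTECTION: ${{ matrix.transfer_protection }}
 AES: ${{ matrix.aes }}
+TRANSPARENT_ENCRYPTION: ${{ matrix.transparent_encryption }}
 
 # Similarly, this step adds the bats binary to GITHUB_PATH.
 - name: install-bats.sh
@@ -62,9 +65,21 @@ jobs:
 run: find -name '*.pb.go' -exec touch {} \; && make
 
 - name: make test
+env:
+HADOOP_VERSION: ${{ matrix.hadoop_version }}
 run: |
 make test
 
+- name: cat kms.log
+if: always()
+run: |
+if [ -f /tmp/hdfs/kms.log ]
+then
+cat /tmp/hdfs/kms.log
+else
+echo "not exists"
+fi
+
 - name: cat namenode.log
 if: always()
 run: cat /tmp/hdfs/namenode.log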
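Review bot: The new matrix entry in the first hunk enables `transparent_encryption` only with simple authentication, so the `kms` principal, the keytab and the `hadoop.kms.authentication.*` settings that install-hdfs.sh now writes are never exercised, at least in the part of the matrix visible here. If the client is meant to work against a Kerberos-protected KMS, add an entry that sets both `transparent_encryption: true` and `kerberos: true`, with the `rpc_protection` value the existing Kerberos entries use. Otherwise a comment on the entry such as `# KMS is only tested with simple auth over plain HTTP` would record the gap for the next reader.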

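--- a/cmd/hdfs/test/kms.bats
+++ b/cmd/hdfs/test/kms.bats
@@ -0,0 +1,33 @@
+#!/usr/bin/env bats
+
+load helper
+
+@test "kms: put java to go" {
+run $HADOOP_FS -put $ROOT_TEST_DIR/testdata/foo.txt /_test/kms/foo1
+assert_success
+
+run $HDFS cat /_test/kms/foo1
+assert_output "bar"
+}
+
+@test "kms: put go to java" {
+if [ "$HADOOP_VERSION" != "2.10.1" ]; then
+run $HDFS put $ROOT_TEST_DIR/testdata/foo.txt /_test/kms/foo2
+assert_success
+run $HADOOP_FS -cat /_test/kms/foo2
+assert_output "bar"
+else
+skip "workaroud hadoop error: illegal reflective access operation has occurred"
+fi
+}
+
+@test "kms: tail" {
+run $HDFS put $ROOT_TEST_DIR/testdata/mobydick.txt /_test/kms/
+assert_success
+
+run bash -c "$HDFS tail /_test/kms/mobydick.txt > $BATS_TMPDIR/mobydick_test.txt"
+assert_success
+
+SHA=`tail $ROOT_TEST_DIR/testdata/mobydick.txt | shasum | awk '{ print $1 }'`
+assert_equal $SHA `shasum < $BATS_TMPDIR/mobydick_test.txt | awk '{ print $1 }'`
+}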
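Review bot: None of the three tests checks that `/_test/kms` is actually an encryption zone, and install-hdfs.sh creates that directory even when `TRANSPARENT_ENCRYPTION` is not `true`, so on the other matrix entries they pass against a plain directory and would keep passing if zone creation silently regressed. Each test could start with a guard such as `[ "$TRANSPARENT_ENCRYPTION" = "true" ] || skip "transparent encryption not enabled"`, which presumably needs that variable added to the `make test` step's `env`, and one test should assert that the path appears in the `hdfs crypto -listZones` output. In the tail test, `assert_equal "$SHA" "$(shasum < "$BATS_TMPDIR/mobydick_test.txt" | awk '{ print $1 }')"` avoids the backticks and the unquoted expansions. The skip message also misspells "workaround".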
