HADOOP-19639. SecretManager configuration at runtime

K0K0V0K · K0K0V0K · commit 62cb8b55bf58 · 2025-07-24T18:54:11.000+02:00
- fix style
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManagerConfig.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManagerConfig.java
@@ -6,9 +6,9 @@
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -21,12 +21,12 @@
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.crypto.KeyGenerator;
 import javax.crypto.Mac;
-import javax.crypto.SecretKey;
 import java.security.NoSuchAlgorithmException;
 
 /**
@@ -42,88 +42,88 @@
 @InterfaceAudience.Public
 @InterfaceStability.Evolving
 public class SecretManagerConfig {
-    private static final Logger LOG = LoggerFactory.getLogger(SecretManagerConfig.class);
-    private static String SELECTED_ALGORITHM;
-    private static int SELECTED_LENGTH;
-    private static boolean INITIALIZED;
+  private static final Logger LOG = LoggerFactory.getLogger(SecretManagerConfig.class);
+  private static String SELECTED_ALGORITHM;
+  private static int SELECTED_LENGTH;
+  private static boolean INITIALIZED;
 
-    static {
-        update(new Configuration());
-    }
+  static {
+    update(new Configuration());
+  }
 
-    /**
-     * Updates the selected cryptographic algorithm and key length using the provided
-     * Hadoop {@link Configuration}. This method reads the values for
-     * {@code HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_KEY} and
-     * {@code HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_KEY}, or uses default values if not set.
-     *
-     * @param conf the configuration object containing cryptographic settings
-     */
-    public static synchronized void update(Configuration conf) {
-        if (INITIALIZED) {
-            LOG.warn("Keygen or Mac was already initialized with older configuration, those will not be updated");
-        }
-        SELECTED_ALGORITHM = conf.get(
-                CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_KEY,
-                CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_DEFAULT);
-        LOG.debug("Selected hash algorithm: {}", SELECTED_ALGORITHM);
-        SELECTED_LENGTH = conf.getInt(
-                CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_KEY,
-                CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_DEFAULT);
-        LOG.debug("Selected hash key length: {}", SELECTED_LENGTH);
+  /**
+   * Updates the selected cryptographic algorithm and key length using the provided
+   * Hadoop {@link Configuration}. This method reads the values for
+   * {@code HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_KEY} and
+   * {@code HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_KEY}, or uses default values if not set.
+   *
+   * @param conf the configuration object containing cryptographic settings
+   */
+  public static synchronized void update(Configuration conf) {
+    if (INITIALIZED) {
+      LOG.warn(
+          "Keygen or Mac was already initialized with older configuration, those will not be updated");
     }
+    SELECTED_ALGORITHM = conf.get(
+        CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_KEY,
+        CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_DEFAULT);
+    LOG.debug("Selected hash algorithm: {}", SELECTED_ALGORITHM);
+    SELECTED_LENGTH =
+        conf.getInt(CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_KEY,
+            CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_DEFAULT);
+    LOG.debug("Selected hash key length: {}", SELECTED_LENGTH);
+  }
 
-    /**
-     * Returns the currently selected cryptographic algorithm.
-     *
-     * @return the name of the selected algorithm
-     */
-    public static synchronized String getSelectedAlgorithm() {
-        return SELECTED_ALGORITHM;
-    }
-
-    /**
-     * Returns the currently selected key length in bits.
-     *
-     * @return the selected key length
-     */
-    public static synchronized int getSelectedLength() {
-        return SELECTED_LENGTH;
-    }
+  /**
+   * Returns the currently selected cryptographic algorithm.
+   *
+   * @return the name of the selected algorithm
+   */
+  public static synchronized String getSelectedAlgorithm() {
+    return SELECTED_ALGORITHM;
+  }
 
+  /**
+   * Returns the currently selected key length in bits.
+   *
+   * @return the selected key length
+   */
+  public static synchronized int getSelectedLength() {
+    return SELECTED_LENGTH;
+  }
 
-    /**
-     * Creates a new {@link KeyGenerator} instance configured with the currently selected
-     * algorithm and key length.
-     *
-     * @return a new {@code KeyGenerator} instance
-     * @throws IllegalArgumentException if the specified algorithm is not available
-     */
-    public static synchronized KeyGenerator createKeyGenerator() {
-        LOG.debug("Creating key generator instance {}, {}", SELECTED_ALGORITHM, SELECTED_LENGTH);
-        INITIALIZED = true;
-        try {
-            KeyGenerator keyGen = KeyGenerator.getInstance(SELECTED_ALGORITHM);
-            keyGen.init(SELECTED_LENGTH);
-            return keyGen;
-        } catch (NoSuchAlgorithmException nsa) {
-            throw new IllegalArgumentException("Can't find " + SELECTED_ALGORITHM, nsa);
-        }
+  /**
+   * Creates a new {@link KeyGenerator} instance configured with the currently selected
+   * algorithm and key length.
+   *
+   * @return a new {@code KeyGenerator} instance
+   * @throws IllegalArgumentException if the specified algorithm is not available
+   */
+  public static synchronized KeyGenerator createKeyGenerator() {
+    LOG.debug("Creating key generator instance {}, {}", SELECTED_ALGORITHM, SELECTED_LENGTH);
+    INITIALIZED = true;
+    try {
+      KeyGenerator keyGen = KeyGenerator.getInstance(SELECTED_ALGORITHM);
+      keyGen.init(SELECTED_LENGTH);
+      return keyGen;
+    } catch (NoSuchAlgorithmException nsa) {
+      throw new IllegalArgumentException("Can't find " + SELECTED_ALGORITHM, nsa);
     }
+  }
 
-    /**
-     * Creates a new {@link Mac} instance using the currently selected algorithm.
-     *
-     * @return a new {@code Mac} instance
-     * @throws IllegalArgumentException if the specified algorithm is not available
-     */
-    public static synchronized Mac createMac() {
-        LOG.debug("Creating mac instance {}", SELECTED_ALGORITHM);
-        INITIALIZED = true;
-        try {
-            return Mac.getInstance(SELECTED_ALGORITHM);
-        } catch (NoSuchAlgorithmException nsa) {
-            throw new IllegalArgumentException("Can't find " + SELECTED_ALGORITHM, nsa);
-        }
+  /**
+   * Creates a new {@link Mac} instance using the currently selected algorithm.
+   *
+   * @return a new {@code Mac} instance
+   * @throws IllegalArgumentException if the specified algorithm is not available
+   */
+  public static synchronized Mac createMac() {
+    LOG.debug("Creating mac instance {}", SELECTED_ALGORITHM);
+    INITIALIZED = true;
+    try {
+      return Mac.getInstance(SELECTED_ALGORITHM);
+    } catch (NoSuchAlgorithmException nsa) {
+      throw new IllegalArgumentException("Can't find " + SELECTED_ALGORITHM, nsa);
     }
+  }
 }
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/TestSecurityManagerConfig.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/token/TestSecurityManagerConfig.java
@@ -6,9 +6,9 @@
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -19,6 +19,7 @@
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Test;
 
@@ -30,75 +31,74 @@
 
 public class TestSecurityManagerConfig {
 
-    private final String defaultAlgorithm =
-            CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_DEFAULT;
-    private final int defaultLength =
-            CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_DEFAULT;
-    private final String strongAlgorithm = "HmacSHA256";
-    private final int strongLength = 256;
+  private final String defaultAlgorithm =
+      CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_DEFAULT;
+  private final int defaultLength =
+      CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_DEFAULT;
+  private final String strongAlgorithm = "HmacSHA256";
+  private final int strongLength = 256;
 
-    @Test
-    public void testDefaults() {
-        assertEquals(defaultAlgorithm, SecretManagerConfig.getSelectedAlgorithm());
-        assertEquals(defaultLength, SecretManagerConfig.getSelectedLength());
-    }
+  @Test
+  public void testDefaults() {
+    assertEquals(defaultAlgorithm, SecretManagerConfig.getSelectedAlgorithm());
+    assertEquals(defaultLength, SecretManagerConfig.getSelectedLength());
+  }
 
-    @Test
-    public void testUpdateByConfig() {
-        SecretManagerConfig.update(createConfiguration(strongAlgorithm, strongLength));
-        assertEquals(strongAlgorithm, SecretManagerConfig.getSelectedAlgorithm());
-        assertEquals(strongLength, SecretManagerConfig.getSelectedLength());
-    }
+  @Test
+  public void testUpdateByConfig() {
+    SecretManagerConfig.update(createConfiguration(strongAlgorithm, strongLength));
+    assertEquals(strongAlgorithm, SecretManagerConfig.getSelectedAlgorithm());
+    assertEquals(strongLength, SecretManagerConfig.getSelectedLength());
+  }
 
-    @Test
-    public void testMacCreation() {
-        SecretManagerConfig.update(createConfiguration(strongAlgorithm, strongLength));
-        Mac mac = SecretManagerConfig.createMac();
-        assertEquals(strongAlgorithm, mac.getAlgorithm());
-    }
+  @Test
+  public void testMacCreation() {
+    SecretManagerConfig.update(createConfiguration(strongAlgorithm, strongLength));
+    Mac mac = SecretManagerConfig.createMac();
+    assertEquals(strongAlgorithm, mac.getAlgorithm());
+  }
 
-    @Test
-    public void testMacCreationUnknownAlgorithm() {
-        SecretManagerConfig.update(
-                createConfiguration("testMacCreationUnknownAlgorithm_NO_ALG", defaultLength));
-        assertThrows(IllegalArgumentException.class, SecretManagerConfig::createMac);
-    }
+  @Test
+  public void testMacCreationUnknownAlgorithm() {
+    SecretManagerConfig.update(
+        createConfiguration("testMacCreationUnknownAlgorithm_NO_ALG", defaultLength));
+    assertThrows(IllegalArgumentException.class, SecretManagerConfig::createMac);
+  }
 
-    @Test
-    public void testKeygenCreation() {
-        SecretManagerConfig.update(createConfiguration(strongAlgorithm, strongLength));
-        KeyGenerator keyGenerator = SecretManagerConfig.createKeyGenerator();
-        assertEquals(strongAlgorithm, keyGenerator.getAlgorithm());
-    }
+  @Test
+  public void testKeygenCreation() {
+    SecretManagerConfig.update(createConfiguration(strongAlgorithm, strongLength));
+    KeyGenerator keyGenerator = SecretManagerConfig.createKeyGenerator();
+    assertEquals(strongAlgorithm, keyGenerator.getAlgorithm());
+  }
 
-    @Test
-    public void testKeygenCreationUnknownAlgorithm() {
-        SecretManagerConfig.update(
-                createConfiguration("testKeygenCreationUnknownAlgorithm_NO_ALG", defaultLength));
-        assertThrows(IllegalArgumentException.class, SecretManagerConfig::createKeyGenerator);
-    }
+  @Test
+  public void testKeygenCreationUnknownAlgorithm() {
+    SecretManagerConfig.update(
+        createConfiguration("testKeygenCreationUnknownAlgorithm_NO_ALG", defaultLength));
+    assertThrows(IllegalArgumentException.class, SecretManagerConfig::createKeyGenerator);
+  }
 
-    @Test
-    public void testConfigUpdateAfterKeygenCreation() {
-        SecretManagerConfig.update(createConfiguration(strongAlgorithm, strongLength));
-        KeyGenerator keyGenerator = SecretManagerConfig.createKeyGenerator();
-        SecretManagerConfig.update(createConfiguration(defaultAlgorithm, defaultLength));
-        assertEquals(strongAlgorithm, keyGenerator.getAlgorithm());
-    }
+  @Test
+  public void testConfigUpdateAfterKeygenCreation() {
+    SecretManagerConfig.update(createConfiguration(strongAlgorithm, strongLength));
+    KeyGenerator keyGenerator = SecretManagerConfig.createKeyGenerator();
+    SecretManagerConfig.update(createConfiguration(defaultAlgorithm, defaultLength));
+    assertEquals(strongAlgorithm, keyGenerator.getAlgorithm());
+  }
 
-    @AfterEach
-    public void tearDown() {
-        SecretManagerConfig.update(createConfiguration(defaultAlgorithm, defaultLength));
-    }
+  @AfterEach
+  public void tearDown() {
+    SecretManagerConfig.update(createConfiguration(defaultAlgorithm, defaultLength));
+  }
 
-    private Configuration createConfiguration(String algorithm, int length) {
-        Configuration conf = new Configuration();
-        conf.set(
-                CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_KEY,
-                algorithm);
-        conf.setInt(
-                CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_KEY,
-                length);
-        return conf;
-    }
+  private Configuration createConfiguration(String algorithm, int length) {
+    Configuration conf = new Configuration();
+    conf.set(
+        CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_GENERATOR_ALGORITHM_KEY,
+        algorithm);
+    conf.setInt(CommonConfigurationKeysPublic.HADOOP_SECURITY_SECRET_MANAGER_KEY_LENGTH_KEY,
+        length);
+    return conf;
+  }
 }
