Package org.apache.hadoop.hdfs.protocol.datatransfer.sasl

Class DataTransferSaslUtil

java.lang.Object
org.apache.hadoop.hdfs.protocol.datatransfer.sasl.DataTransferSaslUtil
@Private public final class DataTransferSaslUtil extends Object
Utility methods implementing SASL negotiation for DataTransferProtocol.

  • Field Details

    • NAME_DELIMITER

      public static final String NAME_DELIMITER
      Delimiter for the three-part SASL username string.
      See Also:

    • SASL_TRANSFER_MAGIC_NUMBER

      public static final int SASL_TRANSFER_MAGIC_NUMBER
      Sent by clients and validated by servers. We use a number that's unlikely to ever be sent as the value of the DATA_TRANSFER_VERSION.
      See Also:

  • Method Details

    • checkSaslComplete

      public static void checkSaslComplete(org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslParticipant sasl, Map<String,String> saslProps) throws IOException
      Checks that SASL negotiation has completed for the given participant, and the negotiated quality of protection is included in the given SASL properties and therefore acceptable.
      Parameters:
      sasl - participant to check
      saslProps - properties of SASL negotiation
      Throws:
      IOException - for any error

    • requestedQopContainsPrivacy

      public static boolean requestedQopContainsPrivacy(Map<String,String> saslProps)
      Check whether requested SASL Qop contains privacy.
      Parameters:
      saslProps - properties of SASL negotiation
      Returns:
      boolean true if privacy exists

    • createSaslPropertiesForEncryption

      public static Map<String,String> createSaslPropertiesForEncryption(String encryptionAlgorithm)
      Creates SASL properties required for an encrypted SASL negotiation.
      Parameters:
      encryptionAlgorithm - to use for SASL negotation
      Returns:
      properties of encrypted SASL negotiation

    • encryptionKeyToPassword

      public static char[] encryptionKeyToPassword(byte[] encryptionKey)
      For an encrypted SASL negotiation, encodes an encryption key to a SASL password.
      Parameters:
      encryptionKey - to encode
      Returns:
      key encoded as SASL password

    • getPeerAddress

      public static InetAddress getPeerAddress(Peer peer)
      Returns InetAddress from peer. The getRemoteAddressString has the form [host][/ip-address]:port. The host may be missing. The IP address (and preceding '/') may be missing. The port preceded by ':' is always present.
      Returns:
      InetAddress from peer

    • getSaslPropertiesResolver

      public static org.apache.hadoop.security.SaslPropertiesResolver getSaslPropertiesResolver(org.apache.hadoop.conf.Configuration conf)
      Creates a SaslPropertiesResolver from the given configuration. This method works by cloning the configuration, translating configuration properties specific to DataTransferProtocol to what SaslPropertiesResolver expects, and then delegating to SaslPropertiesResolver for initialization. This method returns null if SASL protection has not been configured for DataTransferProtocol.
      Parameters:
      conf - configuration to read
      Returns:
      SaslPropertiesResolver for DataTransferProtocol, or null if not configured

    • readSaslMessage

      public static byte[] readSaslMessage(InputStream in) throws IOException
      Reads a SASL negotiation message.
      Parameters:
      in - stream to read
      Returns:
      bytes of SASL negotiation messsage
      Throws:
      IOException - for any error

    • readSaslMessageAndNegotiationCipherOptions

      public static byte[] readSaslMessageAndNegotiationCipherOptions(InputStream in, List<org.apache.hadoop.crypto.CipherOption> cipherOptions) throws IOException
      Reads a SASL negotiation message and negotiation cipher options.
      Parameters:
      in - stream to read
      cipherOptions - list to store negotiation cipher options
      Returns:
      byte[] SASL negotiation message
      Throws:
      IOException - for any error

    • readSaslMessageWithHandshakeSecret

      public static org.apache.hadoop.hdfs.protocol.datatransfer.sasl.DataTransferSaslUtil.SaslMessageWithHandshake readSaslMessageWithHandshakeSecret(InputStream in) throws IOException
      Throws:
      IOException

    • negotiateCipherOption

      public static org.apache.hadoop.crypto.CipherOption negotiateCipherOption(org.apache.hadoop.conf.Configuration conf, List<org.apache.hadoop.crypto.CipherOption> options) throws IOException
      Negotiate a cipher option which server supports.
      Parameters:
      conf - the configuration
      options - the cipher options which client supports
      Returns:
      CipherOption negotiated cipher option
      Throws:
      IOException

    • sendSaslMessageAndNegotiatedCipherOption

      public static void sendSaslMessageAndNegotiatedCipherOption(OutputStream out, byte[] payload, org.apache.hadoop.crypto.CipherOption option) throws IOException
      Send SASL message and negotiated cipher option to client.
      Parameters:
      out - stream to receive message
      payload - to send
      option - negotiated cipher option
      Throws:
      IOException - for any error

    • createStreamPair

      public static IOStreamPair createStreamPair(org.apache.hadoop.conf.Configuration conf, org.apache.hadoop.crypto.CipherOption cipherOption, OutputStream out, InputStream in, boolean isServer) throws IOException
      Create IOStreamPair of CryptoInputStream and CryptoOutputStream
      Parameters:
      conf - the configuration
      cipherOption - negotiated cipher option
      out - underlying output stream
      in - underlying input stream
      isServer - is server side
      Returns:
      IOStreamPair the stream pair
      Throws:
      IOException - for any error

    • sendGenericSaslErrorMessage

      public static void sendGenericSaslErrorMessage(OutputStream out, String message) throws IOException
      Sends a SASL negotiation message indicating an error.
      Parameters:
      out - stream to receive message
      message - to send
      Throws:
      IOException - for any error

    • sendSaslMessage

      public static void sendSaslMessage(OutputStream out, byte[] payload) throws IOException
      Sends a SASL negotiation message.
      Parameters:
      out - stream to receive message
      payload - to send
      Throws:
      IOException - for any error

    • sendSaslMessageHandshakeSecret

      public static void sendSaslMessageHandshakeSecret(OutputStream out, byte[] payload, byte[] secret, String bpid) throws IOException
      Throws:
      IOException

    • sendSaslMessageAndNegotiationCipherOptions

      public static void sendSaslMessageAndNegotiationCipherOptions(OutputStream out, byte[] payload, List<org.apache.hadoop.crypto.CipherOption> options) throws IOException
      Send a SASL negotiation message and negotiation cipher options to server.
      Parameters:
      out - stream to receive message
      payload - to send
      options - cipher options to negotiate
      Throws:
      IOException - for any error

    • readSaslMessageAndNegotiatedCipherOption

      public static SaslResponseWithNegotiatedCipherOption readSaslMessageAndNegotiatedCipherOption(InputStream in) throws IOException
      Read SASL message and negotiated cipher option from server.
      Parameters:
      in - stream to read
      Returns:
      SaslResponseWithNegotiatedCipherOption SASL message and negotiated cipher option
      Throws:
      IOException - for any error

    • wrap

      public static org.apache.hadoop.crypto.CipherOption wrap(org.apache.hadoop.crypto.CipherOption option, org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslParticipant sasl) throws IOException
      Encrypt the key and iv of the negotiated cipher option.
      Parameters:
      option - negotiated cipher option
      sasl - SASL participant representing server
      Returns:
      CipherOption negotiated cipher option which contains the encrypted key and iv
      Throws:
      IOException - for any error

    • unwrap

      public static org.apache.hadoop.crypto.CipherOption unwrap(org.apache.hadoop.crypto.CipherOption option, org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslParticipant sasl) throws IOException
      Decrypt the key and iv of the negotiated cipher option.
      Parameters:
      option - negotiated cipher option
      sasl - SASL participant representing client
      Returns:
      CipherOption negotiated cipher option which contains the decrypted key and iv
      Throws:
      IOException - for any error

    • sendSaslMessage

      public static void sendSaslMessage(OutputStream out, org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus status, byte[] payload, String message) throws IOException
      Sends a SASL negotiation message.
      Parameters:
      out - stream to receive message
      status - negotiation status
      payload - to send
      message - to send
      Throws:
      IOException - for any error

    • sendSaslMessage

      public static void sendSaslMessage(OutputStream out, org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus status, byte[] payload, String message, org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.HandshakeSecretProto handshakeSecret) throws IOException
      Throws:
      IOException

    • sendSaslMessage

      public static void sendSaslMessage(OutputStream out, org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus status, byte[] payload, String message, org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.HandshakeSecretProto handshakeSecret, boolean accessTokenError) throws IOException
      Throws:
      IOException

    • sendSaslMessageHandshakeSecret

      public static void sendSaslMessageHandshakeSecret(OutputStream out, org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus status, byte[] payload, String message, byte[] secret, String bpid) throws IOException
      Throws:
      IOException