Revert "HADOOP-16524. Reloading SSL keystore for both DataNode and NameNode (#2470)"

This reverts commit e306f59.

Author: saintstack

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java

@@ -27,17 +27,14 @@
 import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URL;
-import java.nio.file.Paths;
-import java.util.List;
+import java.util.Arrays;
 import java.util.ArrayList;
-import java.util.Map;
-import java.util.HashMap;
 import java.util.Collections;
-import java.util.Optional;
-import java.util.Properties;
 import java.util.Enumeration;
-import java.util.Arrays;
-import java.util.Timer;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -77,8 +74,6 @@
 import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
 import org.apache.hadoop.security.authentication.util.SignerSecretProvider;
 import org.apache.hadoop.security.authorize.AccessControlList;
-import org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory;
-import org.apache.hadoop.security.ssl.FileMonitoringTimerTask;
 import org.apache.hadoop.security.ssl.SSLFactory;
 import org.apache.hadoop.util.ReflectionUtils;
 import org.apache.hadoop.util.Shell;
@@ -189,7 +184,6 @@ public final class HttpServer2 implements FilterContainer {
   static final String STATE_DESCRIPTION_ALIVE = " - alive";
   static final String STATE_DESCRIPTION_NOT_LIVE = " - not live";
   private final SignerSecretProvider secretProvider;
-  private final Optional<java.util.Timer> configurationChangeMonitor;
   private XFrameOption xFrameOption;
   private boolean xFrameOptionIsEnabled;
   public static final String HTTP_HEADER_PREFIX = "hadoop.http.header.";
@@ -245,8 +239,6 @@ public static class Builder {
 
     private boolean sniHostCheckEnabled;
 
-    private Optional<Timer> configurationChangeMonitor = Optional.empty();
-
     public Builder setName(String name){
       this.name = name;
       return this;
@@ -577,45 +569,12 @@ private ServerConnector createHttpsChannelConnector(
       }
 
       setEnabledProtocols(sslContextFactory);
-
-      long storesReloadInterval =
-          conf.getLong(FileBasedKeyStoresFactory.SSL_STORES_RELOAD_INTERVAL_TPL_KEY,
-              FileBasedKeyStoresFactory.DEFAULT_SSL_STORES_RELOAD_INTERVAL);
-
-      if (storesReloadInterval > 0) {
-        this.configurationChangeMonitor = Optional.of(
-            this.makeConfigurationChangeMonitor(storesReloadInterval, sslContextFactory));
-      }
-
       conn.addFirstConnectionFactory(new SslConnectionFactory(sslContextFactory,
           HttpVersion.HTTP_1_1.asString()));
 
       return conn;
     }
 
-    private Timer makeConfigurationChangeMonitor(long reloadInterval,
-        SslContextFactory.Server sslContextFactory) {
-      Timer timer = new Timer("SSL Certificates Store Monitor", true);
-      //
-      // The Jetty SSLContextFactory provides a 'reload' method which will reload both
-      // truststore and keystore certificates.
-      //
-      timer.schedule(new FileMonitoringTimerTask(
-              Paths.get(keyStore),
-              path -> {
-                LOG.info("Reloading certificates from store keystore " + keyStore);
-                try {
-                  sslContextFactory.reload(factory -> { });
-                } catch (Exception ex) {
-                  LOG.error("Failed to reload SSL keystore certificates", ex);
-                }
-              },null),
-          reloadInterval,
-          reloadInterval
-      );
-      return timer;
-    }
-
     private void setEnabledProtocols(SslContextFactory sslContextFactory) {
       String enabledProtocols = conf.get(SSLFactory.SSL_ENABLED_PROTOCOLS_KEY,
           SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT);
@@ -658,7 +617,6 @@ private HttpServer2(final Builder b) throws IOException {
     this.webAppContext = createWebAppContext(b, adminsAcl, appDir);
     this.xFrameOptionIsEnabled = b.xFrameEnabled;
     this.xFrameOption = b.xFrameOption;
-    this.configurationChangeMonitor = b.configurationChangeMonitor;
 
     try {
       this.secretProvider =
@@ -1426,16 +1384,6 @@ void openListeners() throws Exception {
    */
   public void stop() throws Exception {
     MultiException exception = null;
-    if (this.configurationChangeMonitor.isPresent()) {
-      try {
-        this.configurationChangeMonitor.get().cancel();
-      } catch (Exception e) {
-        LOG.error(
-            "Error while canceling configuration monitoring timer for webapp"
-                + webAppContext.getDisplayName(), e);
-        exception = addMultiException(exception, e);
-      }
-    }
     for (ServerConnector c : listeners) {
       try {
         c.close();

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/FileBasedKeyStoresFactory.java

@@ -29,20 +29,20 @@
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManager;
 import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
 import java.text.MessageFormat;
-import java.util.Timer;
 
 /**
  * {@link KeyStoresFactory} implementation that reads the certificates from
  * keystore files.
  * <p>
- * If either the truststore or the keystore certificates file changes, it
- * would be refreshed under the corresponding wrapper implementation -
- * {@link ReloadingX509KeystoreManager} or {@link ReloadingX509TrustManager}.
- * </p>
+ * if the trust certificates keystore file changes, the {@link TrustManager}
+ * is refreshed with the new trust certificate entries (using a
+ * {@link ReloadingX509TrustManager} trustmanager).
  */
 @InterfaceAudience.Private
 @InterfaceStability.Evolving
@@ -51,13 +51,6 @@ public class FileBasedKeyStoresFactory implements KeyStoresFactory {
   private static final Logger LOG =
       LoggerFactory.getLogger(FileBasedKeyStoresFactory.class);
 
-  /**
-   * The refresh interval used to check if either of the truststore or keystore
-   * certificate file has changed.
-   */
-  public static final String SSL_STORES_RELOAD_INTERVAL_TPL_KEY =
-    "ssl.{0}.stores.reload.interval";
-
   public static final String SSL_KEYSTORE_LOCATION_TPL_KEY =
     "ssl.{0}.keystore.location";
   public static final String SSL_KEYSTORE_PASSWORD_TPL_KEY =
@@ -84,119 +77,14 @@ public class FileBasedKeyStoresFactory implements KeyStoresFactory {
   public static final String DEFAULT_KEYSTORE_TYPE = "jks";
 
   /**
-   * The default time interval in milliseconds used to check if either
-   * of the truststore or keystore certificates file has changed and needs reloading.
+   * Reload interval in milliseconds.
    */
-  public static final int DEFAULT_SSL_STORES_RELOAD_INTERVAL = 10000;
+  public static final int DEFAULT_SSL_TRUSTSTORE_RELOAD_INTERVAL = 10000;
 
   private Configuration conf;
   private KeyManager[] keyManagers;
   private TrustManager[] trustManagers;
   private ReloadingX509TrustManager trustManager;
-  private Timer fileMonitoringTimer;
-
-
-  private void createTrustManagersFromConfiguration(SSLFactory.Mode mode,
-                                                    String truststoreType,
-                                                    String truststoreLocation,
-                                                    long storesReloadInterval)
-      throws IOException, GeneralSecurityException {
-    String passwordProperty = resolvePropertyName(mode,
-        SSL_TRUSTSTORE_PASSWORD_TPL_KEY);
-    String truststorePassword = getPassword(conf, passwordProperty, "");
-    if (truststorePassword.isEmpty()) {
-      // An empty trust store password is legal; the trust store password
-      // is only required when writing to a trust store. Otherwise it's
-      // an optional integrity check.
-      truststorePassword = null;
-    }
-
-    // Check if obsolete truststore specific reload interval is present for backward compatible
-    long truststoreReloadInterval =
-        conf.getLong(
-            resolvePropertyName(mode, SSL_TRUSTSTORE_RELOAD_INTERVAL_TPL_KEY),
-            storesReloadInterval);
-
-    if (LOG.isDebugEnabled()) {
-      LOG.debug(mode.toString() + " TrustStore: " + truststoreLocation +
-          ", reloading at " + truststoreReloadInterval + " millis.");
-    }
-
-    trustManager = new ReloadingX509TrustManager(
-        truststoreType,
-        truststoreLocation,
-        truststorePassword);
-
-    if (truststoreReloadInterval > 0) {
-      fileMonitoringTimer.schedule(
-          new FileMonitoringTimerTask(
-              Paths.get(truststoreLocation),
-              path -> trustManager.loadFrom(path),
-              exception -> LOG.error(ReloadingX509TrustManager.RELOAD_ERROR_MESSAGE, exception)),
-          truststoreReloadInterval,
-          truststoreReloadInterval);
-    }
-
-    if (LOG.isDebugEnabled()) {
-      LOG.debug(mode.toString() + " Loaded TrustStore: " + truststoreLocation);
-    }
-    trustManagers = new TrustManager[]{trustManager};
-  }
-
-  /**
-   * Implements logic of initializing the KeyManagers with the options
-   * to reload keystores.
-   * @param mode client or server
-   * @param keystoreType The keystore type.
-   * @param storesReloadInterval The interval to check if the keystore certificates
-   *                             file has changed.
-   */
-  private void createKeyManagersFromConfiguration(SSLFactory.Mode mode,
-                                                  String keystoreType, long storesReloadInterval)
-      throws GeneralSecurityException, IOException {
-    String locationProperty =
-        resolvePropertyName(mode, SSL_KEYSTORE_LOCATION_TPL_KEY);
-    String keystoreLocation = conf.get(locationProperty, "");
-    if (keystoreLocation.isEmpty()) {
-      throw new GeneralSecurityException("The property '" + locationProperty +
-          "' has not been set in the ssl configuration file.");
-    }
-    String passwordProperty =
-        resolvePropertyName(mode, SSL_KEYSTORE_PASSWORD_TPL_KEY);
-    String keystorePassword = getPassword(conf, passwordProperty, "");
-    if (keystorePassword.isEmpty()) {
-      throw new GeneralSecurityException("The property '" + passwordProperty +
-          "' has not been set in the ssl configuration file.");
-    }
-    String keyPasswordProperty =
-        resolvePropertyName(mode, SSL_KEYSTORE_KEYPASSWORD_TPL_KEY);
-    // Key password defaults to the same value as store password for
-    // compatibility with legacy configurations that did not use a separate
-    // configuration property for key password.
-    String keystoreKeyPassword = getPassword(
-        conf, keyPasswordProperty, keystorePassword);
-    if (LOG.isDebugEnabled()) {
-      LOG.debug(mode.toString() + " KeyStore: " + keystoreLocation);
-    }
-
-    ReloadingX509KeystoreManager keystoreManager =  new ReloadingX509KeystoreManager(
-        keystoreType,
-        keystoreLocation,
-        keystorePassword,
-        keystoreKeyPassword);
-
-    if (storesReloadInterval > 0) {
-      fileMonitoringTimer.schedule(
-          new FileMonitoringTimerTask(
-              Paths.get(keystoreLocation),
-              path -> keystoreManager.loadFrom(path),
-              exception -> LOG.error(ReloadingX509KeystoreManager.RELOAD_ERROR_MESSAGE, exception)),
-          storesReloadInterval,
-          storesReloadInterval);
-    }
-
-    keyManagers = new KeyManager[] { keystoreManager };
-  }
 
   /**
    * Resolves a property name to its client/server version if applicable.
@@ -251,28 +139,56 @@ public void init(SSLFactory.Mode mode)
       conf.getBoolean(SSLFactory.SSL_REQUIRE_CLIENT_CERT_KEY,
           SSLFactory.SSL_REQUIRE_CLIENT_CERT_DEFAULT);
 
-    long storesReloadInterval = conf.getLong(
-        resolvePropertyName(mode, SSL_STORES_RELOAD_INTERVAL_TPL_KEY),
-        DEFAULT_SSL_STORES_RELOAD_INTERVAL);
-
-    fileMonitoringTimer = new Timer("SSL Certificates Store Monitor", true);
-
     // certificate store
     String keystoreType =
-        conf.get(resolvePropertyName(mode, SSL_KEYSTORE_TYPE_TPL_KEY),
-                 DEFAULT_KEYSTORE_TYPE);
-
+      conf.get(resolvePropertyName(mode, SSL_KEYSTORE_TYPE_TPL_KEY),
+               DEFAULT_KEYSTORE_TYPE);
+    KeyStore keystore = KeyStore.getInstance(keystoreType);
+    String keystoreKeyPassword = null;
     if (requireClientCert || mode == SSLFactory.Mode.SERVER) {
-      createKeyManagersFromConfiguration(mode, keystoreType, storesReloadInterval);
+      String locationProperty =
+        resolvePropertyName(mode, SSL_KEYSTORE_LOCATION_TPL_KEY);
+      String keystoreLocation = conf.get(locationProperty, "");
+      if (keystoreLocation.isEmpty()) {
+        throw new GeneralSecurityException("The property '" + locationProperty +
+          "' has not been set in the ssl configuration file.");
+      }
+      String passwordProperty =
+        resolvePropertyName(mode, SSL_KEYSTORE_PASSWORD_TPL_KEY);
+      String keystorePassword = getPassword(conf, passwordProperty, "");
+      if (keystorePassword.isEmpty()) {
+        throw new GeneralSecurityException("The property '" + passwordProperty +
+          "' has not been set in the ssl configuration file.");
+      }
+      String keyPasswordProperty =
+        resolvePropertyName(mode, SSL_KEYSTORE_KEYPASSWORD_TPL_KEY);
+      // Key password defaults to the same value as store password for
+      // compatibility with legacy configurations that did not use a separate
+      // configuration property for key password.
+      keystoreKeyPassword = getPassword(
+          conf, keyPasswordProperty, keystorePassword);
+      if (LOG.isDebugEnabled()) {
+        LOG.debug(mode.toString() + " KeyStore: " + keystoreLocation);
+      }
+
+      InputStream is = Files.newInputStream(Paths.get(keystoreLocation));
+      try {
+        keystore.load(is, keystorePassword.toCharArray());
+      } finally {
+        is.close();
+      }
+      if (LOG.isDebugEnabled()) {
+        LOG.debug(mode.toString() + " Loaded KeyStore: " + keystoreLocation);
+      }
     } else {
-      KeyStore keystore = KeyStore.getInstance(keystoreType);
       keystore.load(null, null);
-      KeyManagerFactory keyMgrFactory = KeyManagerFactory
-              .getInstance(SSLFactory.SSLCERTIFICATE);
-
-      keyMgrFactory.init(keystore, null);
-      keyManagers = keyMgrFactory.getKeyManagers();
     }
+    KeyManagerFactory keyMgrFactory = KeyManagerFactory
+        .getInstance(SSLFactory.SSLCERTIFICATE);
+      
+    keyMgrFactory.init(keystore, (keystoreKeyPassword != null) ?
+                                 keystoreKeyPassword.toCharArray() : null);
+    keyManagers = keyMgrFactory.getKeyManagers();
 
     //trust store
     String truststoreType =
@@ -283,7 +199,33 @@ public void init(SSLFactory.Mode mode)
       resolvePropertyName(mode, SSL_TRUSTSTORE_LOCATION_TPL_KEY);
     String truststoreLocation = conf.get(locationProperty, "");
     if (!truststoreLocation.isEmpty()) {
-      createTrustManagersFromConfiguration(mode, truststoreType, truststoreLocation, storesReloadInterval);
+      String passwordProperty = resolvePropertyName(mode,
+          SSL_TRUSTSTORE_PASSWORD_TPL_KEY);
+      String truststorePassword = getPassword(conf, passwordProperty, "");
+      if (truststorePassword.isEmpty()) {
+        // An empty trust store password is legal; the trust store password
+        // is only required when writing to a trust store. Otherwise it's
+        // an optional integrity check.
+        truststorePassword = null;
+      }
+      long truststoreReloadInterval =
+          conf.getLong(
+              resolvePropertyName(mode, SSL_TRUSTSTORE_RELOAD_INTERVAL_TPL_KEY),
+              DEFAULT_SSL_TRUSTSTORE_RELOAD_INTERVAL);
+
+      if (LOG.isDebugEnabled()) {
+        LOG.debug(mode.toString() + " TrustStore: " + truststoreLocation);
+      }
+
+      trustManager = new ReloadingX509TrustManager(truststoreType,
+          truststoreLocation,
+          truststorePassword,
+          truststoreReloadInterval);
+      trustManager.init();
+      if (LOG.isDebugEnabled()) {
+        LOG.debug(mode.toString() + " Loaded TrustStore: " + truststoreLocation);
+      }
+      trustManagers = new TrustManager[]{trustManager};
     } else {
       if (LOG.isDebugEnabled()) {
         LOG.debug("The property '" + locationProperty + "' has not been set, " +
@@ -314,7 +256,7 @@ String getPassword(Configuration conf, String alias, String defaultPass) {
   @Override
   public synchronized void destroy() {
     if (trustManager != null) {
-      fileMonitoringTimer.cancel();
+      trustManager.destroy();
       trustManager = null;
       keyManagers = null;
       trustManagers = null;