Skip to content

Commit 07b180c

Browse files
urykhyurykhy
committed
test kms
1 parent 631ea9b commit 07b180c

File tree

3 files changed

+86
-2
lines changed

3 files changed

+86
-2
lines changed

.github/scripts/install-hdfs.sh

Lines changed: 53 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,12 @@ else
1515
ENCRYPT_DATA_TRANSFER="false"
1616
fi
1717

18+
CONF_KMS_PROVIDER=""
19+
TRANSPARENT_ENCRYPTION=${TRANSPARENT_ENCRYPTION-"false"}
20+
if [ $TRANSPARENT_ENCRYPTION = "true" ]; then
21+
CONF_KMS_PROVIDER="kms://http@localhost:9600/kms"
22+
fi
23+
1824
CONF_AUTHENTICATION="simple"
1925
KERBEROS_REALM="EXAMPLE.COM"
2026
KERBEROS_PRINCIPLE="administrator"
@@ -50,7 +56,7 @@ EOF
5056
sudo apt-get install -y krb5-user krb5-kdc krb5-admin-server
5157

5258
printf "$KERBEROS_PASSWORD\n$KERBEROS_PASSWORD" | sudo kdb5_util -r "$KERBEROS_REALM" create -s
53-
for p in nn dn $USER gohdfs1 gohdfs2; do
59+
for p in nn dn kms $USER gohdfs1 gohdfs2; do
5460
sudo kadmin.local -q "addprinc -randkey $p/$HOSTNAME@$KERBEROS_REALM"
5561
sudo kadmin.local -q "addprinc -randkey $p/localhost@$KERBEROS_REALM"
5662
sudo kadmin.local -q "xst -k /tmp/$p.keytab $p/$HOSTNAME@$KERBEROS_REALM"
@@ -116,6 +122,10 @@ sudo tee $HADOOP_ROOT/etc/hadoop/core-site.xml <<EOF
116122
<name>hadoop.rpc.protection</name>
117123
<value>$RPC_PROTECTION</value>
118124
</property>
125+
<property>
126+
<name>hadoop.security.key.provider.path</name>
127+
<value>$CONF_KMS_PROVIDER</value>
128+
</property>
119129
</configuration>
120130
EOF
121131

@@ -172,6 +182,40 @@ $HADOOP_ROOT/bin/hdfs namenode -format
172182
sudo groupadd hadoop
173183
sudo usermod -a -G hadoop $USER
174184

185+
sudo tee $HADOOP_ROOT/etc/hadoop/kms-site.xml <<EOF
186+
<configuration>
187+
<property>
188+
<name>hadoop.kms.key.provider.uri</name>
189+
<value>jceks://file@/tmp/hdfs/kms.keystore</value>
190+
</property>
191+
<property>
192+
<name>hadoop.security.keystore.java-keystore-provider.password-file</name>
193+
<value>kms.keystore.password</value>
194+
</property>
195+
<property>
196+
<name>hadoop.kms.authentication.type</name>
197+
<value>$CONF_AUTHENTICATION</value>
198+
</property>
199+
<property>
200+
<name>hadoop.kms.authentication.kerberos.keytab</name>
201+
<value>/tmp/kms.keytab</value>
202+
</property>
203+
<property>
204+
<name>hadoop.kms.authentication.kerberos.principal</name>
205+
<value>kms/localhost@$KERBEROS_REALM</value>
206+
</property>
207+
</configuration>
208+
EOF
209+
210+
sudo tee $HADOOP_ROOT/etc/hadoop/kms.keystore.password <<EOF
211+
123456
212+
EOF
213+
214+
if [ $TRANSPARENT_ENCRYPTION = "true" ]; then
215+
echo "Starting KMS..."
216+
$HADOOP_ROOT/bin/hadoop kms > /tmp/hdfs/kms.log 2>&1 &
217+
fi
218+
175219
echo "Starting namenode..."
176220
$HADOOP_ROOT/bin/hdfs namenode > /tmp/hdfs/namenode.log 2>&1 &
177221

@@ -183,5 +227,12 @@ sleep 5
183227
echo "Waiting for cluster to exit safe mode..."
184228
$HADOOP_ROOT/bin/hdfs dfsadmin -safemode wait
185229

230+
$HADOOP_ROOT/bin/hadoop fs -mkdir -p /_test/kms
231+
if [ $TRANSPARENT_ENCRYPTION = "true" ]; then
232+
echo "Prepare encrypted zone"
233+
$HADOOP_ROOT/bin/hadoop key create key1
234+
$HADOOP_ROOT/bin/hdfs crypto -createZone -keyName key1 -path /_test/kms
235+
fi
236+
186237
echo "HADOOP_CONF_DIR=$(pwd)/$HADOOP_ROOT/etc/hadoop" >> $GITHUB_ENV
187-
echo "$(pwd)/$HADOOP_ROOT/bin" >> $GITHUB_PATH
238+
echo "$(pwd)/$HADOOP_ROOT/bin" >> $GITHUB_PATH

.github/workflows/tests.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,8 @@ jobs:
1414
include:
1515
- hadoop_version: 2.10.1
1616
- hadoop_version: 3.3.1
17+
- hadoop_version: 3.3.1
18+
transparent_encryption: true
1719
- hadoop_version: 3.3.1
1820
kerberos: true
1921
rpc_protection: authentication
@@ -48,6 +50,7 @@ jobs:
4850
RPC_PROTECTION: ${{ matrix.rpc_protection }}
4951
TRANSFER_PROTECTION: ${{ matrix.transfer_protection }}
5052
AES: ${{ matrix.aes }}
53+
TRANSPARENT_ENCRYPTION: $${{ matrix.transparent_encryption }}
5154

5255
# Similarly, this step adds the bats binary to GITHUB_PATH.
5356
- name: install-bats.sh

cmd/hdfs/test/kms.bats

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
#!/usr/bin/env bats
2+
3+
load helper
4+
5+
@test "put java to go" {
6+
run $HADOOP_FS -put $ROOT_TEST_DIR/testdata/foo.txt /_test/kms/foo1
7+
assert_success
8+
9+
run $HDFS cat /_test/kms/foo1
10+
assert_output "bar"
11+
}
12+
13+
@test "put go to java" {
14+
run $HDFS put $ROOT_TEST_DIR/testdata/foo.txt /_test/kms/foo2
15+
assert_success
16+
17+
run $HADOOP_FS -cat /_test/kms/foo2
18+
assert_output "bar"
19+
}
20+
21+
@test "tail" {
22+
run $HDFS put $ROOT_TEST_DIR/testdata/mobydick.txt /_test/kms/
23+
assert_success
24+
25+
run bash -c "$HDFS tail /_test/kms/mobydick.txt > $BATS_TMPDIR/mobydick_test.txt"
26+
assert_success
27+
28+
SHA=`tail $ROOT_TEST_DIR/testdata/mobydick.txt | shasum | awk '{ print $1 }'`
29+
assert_equal $SHA `shasum < $BATS_TMPDIR/mobydick_test.txt | awk '{ print $1 }'`
30+
}

0 commit comments

Comments
 (0)