Source code

001/**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018
019package org.apache.hadoop.hdfs;
020
021import java.io.FileInputStream;
022import java.io.IOException;
023import java.net.HttpURLConnection;
024import java.net.InetSocketAddress;
025import java.net.URI;
026import java.net.URISyntaxException;
027import java.net.URL;
028import java.security.KeyStore;
029import java.security.cert.X509Certificate;
030
031import javax.net.ssl.HostnameVerifier;
032import javax.net.ssl.HttpsURLConnection;
033import javax.net.ssl.KeyManager;
034import javax.net.ssl.KeyManagerFactory;
035import javax.net.ssl.SSLContext;
036import javax.net.ssl.SSLSession;
037import javax.net.ssl.TrustManager;
038import javax.net.ssl.TrustManagerFactory;
039import javax.net.ssl.X509TrustManager;
040
041import org.apache.hadoop.classification.InterfaceAudience;
042import org.apache.hadoop.classification.InterfaceStability;
043import org.apache.hadoop.conf.Configuration;
044import org.apache.hadoop.hdfs.web.URLUtils;
045
046/**
047 * An implementation of a protocol for accessing filesystems over HTTPS. The
048 * following implementation provides a limited, read-only interface to a
049 * filesystem over HTTPS.
050 * 
051 * @see org.apache.hadoop.hdfs.server.namenode.ListPathsServlet
052 * @see org.apache.hadoop.hdfs.server.namenode.FileDataServlet
053 */
054@InterfaceAudience.Private
055@InterfaceStability.Evolving
056public class HsftpFileSystem extends HftpFileSystem {
057
058  private static final long MM_SECONDS_PER_DAY = 1000 * 60 * 60 * 24;
059  private volatile int ExpWarnDays = 0;
060
061  @Override
062  public void initialize(URI name, Configuration conf) throws IOException {
063    super.initialize(name, conf);
064    setupSsl(conf);
065    ExpWarnDays = conf.getInt("ssl.expiration.warn.days", 30);
066  }
067
068  /**
069   * Set up SSL resources
070   * 
071   * @throws IOException
072   */
073  private static void setupSsl(Configuration conf) throws IOException {
074    Configuration sslConf = new HdfsConfiguration(false);
075    sslConf.addResource(conf.get(DFSConfigKeys.DFS_CLIENT_HTTPS_KEYSTORE_RESOURCE_KEY,
076                             DFSConfigKeys.DFS_CLIENT_HTTPS_KEYSTORE_RESOURCE_DEFAULT));
077    FileInputStream fis = null;
078    try {
079      SSLContext sc = SSLContext.getInstance("SSL");
080      KeyManager[] kms = null;
081      TrustManager[] tms = null;
082      if (sslConf.get("ssl.client.keystore.location") != null) {
083        // initialize default key manager with keystore file and pass
084        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
085        KeyStore ks = KeyStore.getInstance(sslConf.get(
086            "ssl.client.keystore.type", "JKS"));
087        char[] ksPass = sslConf.get("ssl.client.keystore.password", "changeit")
088            .toCharArray();
089        fis = new FileInputStream(sslConf.get("ssl.client.keystore.location",
090            "keystore.jks"));
091        ks.load(fis, ksPass);
092        kmf.init(ks, sslConf.get("ssl.client.keystore.keypassword", "changeit")
093            .toCharArray());
094        kms = kmf.getKeyManagers();
095        fis.close();
096        fis = null;
097      }
098      // initialize default trust manager with truststore file and pass
099      if (sslConf.getBoolean("ssl.client.do.not.authenticate.server", false)) {
100        // by pass trustmanager validation
101        tms = new DummyTrustManager[] { new DummyTrustManager() };
102      } else {
103        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
104        KeyStore ts = KeyStore.getInstance(sslConf.get(
105            "ssl.client.truststore.type", "JKS"));
106        char[] tsPass = sslConf.get("ssl.client.truststore.password",
107            "changeit").toCharArray();
108        fis = new FileInputStream(sslConf.get("ssl.client.truststore.location",
109            "truststore.jks"));
110        ts.load(fis, tsPass);
111        tmf.init(ts);
112        tms = tmf.getTrustManagers();
113      }
114      sc.init(kms, tms, new java.security.SecureRandom());
115      HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
116    } catch (Exception e) {
117      throw new IOException("Could not initialize SSLContext", e);
118    } finally {
119      if (fis != null) {
120        fis.close();
121      }
122    }
123  }
124
125  @Override
126  protected int getDefaultPort() {
127    return getDefaultSecurePort();
128  }
129
130  @Override
131  protected InetSocketAddress getNamenodeSecureAddr(URI uri) {
132    return getNamenodeAddr(uri);
133  }
134
135  @Override
136  protected URI getNamenodeUri(URI uri) {
137    return getNamenodeSecureUri(uri);
138  }
139  
140  @Override
141  protected HttpURLConnection openConnection(String path, String query)
142      throws IOException {
143    query = addDelegationTokenParam(query);
144    final URL url = new URL("https", nnUri.getHost(), 
145        nnUri.getPort(), path + '?' + query);
146    HttpsURLConnection conn = (HttpsURLConnection)URLUtils.openConnection(url);
147    // bypass hostname verification
148    conn.setHostnameVerifier(new DummyHostnameVerifier());
149    conn.setRequestMethod("GET");
150    conn.connect();
151
152    // check cert expiration date
153    final int warnDays = ExpWarnDays;
154    if (warnDays > 0) { // make sure only check once
155      ExpWarnDays = 0;
156      long expTimeThreshold = warnDays * MM_SECONDS_PER_DAY
157          + System.currentTimeMillis();
158      X509Certificate[] clientCerts = (X509Certificate[]) conn
159          .getLocalCertificates();
160      if (clientCerts != null) {
161        for (X509Certificate cert : clientCerts) {
162          long expTime = cert.getNotAfter().getTime();
163          if (expTime < expTimeThreshold) {
164            StringBuilder sb = new StringBuilder();
165            sb.append("\n Client certificate "
166                + cert.getSubjectX500Principal().getName());
167            int dayOffSet = (int) ((expTime - System.currentTimeMillis()) / MM_SECONDS_PER_DAY);
168            sb.append(" have " + dayOffSet + " days to expire");
169            LOG.warn(sb.toString());
170          }
171        }
172      }
173    }
174    return (HttpURLConnection) conn;
175  }
176
177  /**
178   * Dummy hostname verifier that is used to bypass hostname checking
179   */
180  protected static class DummyHostnameVerifier implements HostnameVerifier {
181    public boolean verify(String hostname, SSLSession session) {
182      return true;
183    }
184  }
185
186  /**
187   * Dummy trustmanager that is used to trust all server certificates
188   */
189  protected static class DummyTrustManager implements X509TrustManager {
190    public void checkClientTrusted(X509Certificate[] chain, String authType) {
191    }
192
193    public void checkServerTrusted(X509Certificate[] chain, String authType) {
194    }
195
196    public X509Certificate[] getAcceptedIssuers() {
197      return null;
198    }
199  }
200
201}