Java tutorial
/** * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.hadoop.hdfsproxy; import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; import java.net.HttpURLConnection; import java.net.InetSocketAddress; import java.net.URI; import java.net.URISyntaxException; import java.net.URL; import java.security.KeyStore; import java.security.cert.X509Certificate; import java.util.Date; import java.util.Set; import javax.net.ssl.HostnameVerifier; import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.KeyManager; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSession; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509TrustManager; import javax.servlet.ServletException; import javax.servlet.http.HttpServletResponse; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.FSDataInputStream; import org.apache.hadoop.fs.FSInputStream; import org.apache.hadoop.io.IOUtils; import org.apache.hadoop.net.NetUtils; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.util.HostsFileReader; /** * Proxy Utility . */ public class ProxyUtil { public static final Log LOG = LogFactory.getLog(ProxyUtil.class); private static final long MM_SECONDS_PER_DAY = 1000 * 60 * 60 * 24; private static final int CERT_EXPIRATION_WARNING_THRESHOLD = 30; // 30 days // warning private static enum UtilityOption { RELOAD("-reloadPermFiles"), GET("-get"), CHECKCERTS("-checkcerts"); private String name = null; private UtilityOption(String arg) { this.name = arg; } public String getName() { return name; } } /** * Dummy hostname verifier that is used to bypass hostname checking */ private static class DummyHostnameVerifier implements HostnameVerifier { public boolean verify(String hostname, SSLSession session) { return true; } } /** * Dummy trustmanager that is used to bypass server certificate checking */ private static class DummyTrustManager implements X509TrustManager { public void checkClientTrusted(X509Certificate[] chain, String authType) { } public void checkServerTrusted(X509Certificate[] chain, String authType) { } public X509Certificate[] getAcceptedIssuers() { return null; } } private static HttpsURLConnection openConnection(String hostname, int port, String path) throws IOException { try { final URL url = new URI("https", null, hostname, port, path, null, null).toURL(); HttpsURLConnection conn = (HttpsURLConnection) url.openConnection(); // bypass hostname verification conn.setHostnameVerifier(new DummyHostnameVerifier()); conn.setRequestMethod("GET"); return conn; } catch (URISyntaxException e) { throw (IOException) new IOException().initCause(e); } } private static void setupSslProps(Configuration conf) throws IOException { FileInputStream fis = null; try { SSLContext sc = SSLContext.getInstance("SSL"); KeyManager[] kms = null; TrustManager[] tms = null; if (conf.get("ssl.client.keystore.location") != null) { // initialize default key manager with keystore file and pass KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); KeyStore ks = KeyStore.getInstance(conf.get("ssl.client.keystore.type", "JKS")); char[] ksPass = conf.get("ssl.client.keystore.password", "changeit").toCharArray(); fis = new FileInputStream(conf.get("ssl.client.keystore.location", "keystore.jks")); ks.load(fis, ksPass); kmf.init(ks, conf.get("ssl.client.keystore.keypassword", "changeit").toCharArray()); kms = kmf.getKeyManagers(); fis.close(); fis = null; } // initialize default trust manager with keystore file and pass if (conf.getBoolean("ssl.client.do.not.authenticate.server", false)) { // by pass trustmanager validation tms = new DummyTrustManager[] { new DummyTrustManager() }; } else { TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX"); KeyStore ts = KeyStore.getInstance(conf.get("ssl.client.truststore.type", "JKS")); char[] tsPass = conf.get("ssl.client.truststore.password", "changeit").toCharArray(); fis = new FileInputStream(conf.get("ssl.client.truststore.location", "truststore.jks")); ts.load(fis, tsPass); tmf.init(ts); tms = tmf.getTrustManagers(); } sc.init(kms, tms, new java.security.SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); } catch (Exception e) { throw new IOException("Could not initialize SSLContext", e); } finally { if (fis != null) { fis.close(); } } } static InetSocketAddress getSslAddr(Configuration conf) throws IOException { String addr = conf.get("hdfsproxy.https.address"); if (addr == null) throw new IOException("HdfsProxy address is not specified"); return NetUtils.createSocketAddr(addr); } static boolean sendCommand(Configuration conf, String path) throws IOException { setupSslProps(conf); int sslPort = getSslAddr(conf).getPort(); int err = 0; StringBuilder b = new StringBuilder(); HostsFileReader hostsReader = new HostsFileReader(conf.get("hdfsproxy.hosts", "hdfsproxy-hosts"), ""); Set<String> hostsList = hostsReader.getHosts(); for (String hostname : hostsList) { HttpsURLConnection connection = null; try { connection = openConnection(hostname, sslPort, path); connection.connect(); if (LOG.isDebugEnabled()) { StringBuffer sb = new StringBuffer(); X509Certificate[] clientCerts = (X509Certificate[]) connection.getLocalCertificates(); if (clientCerts != null) { for (X509Certificate cert : clientCerts) sb.append("\n Client certificate Subject Name is " + cert.getSubjectX500Principal().getName()); } else { sb.append("\n No client certificates were found"); } X509Certificate[] serverCerts = (X509Certificate[]) connection.getServerCertificates(); if (serverCerts != null) { for (X509Certificate cert : serverCerts) sb.append("\n Server certificate Subject Name is " + cert.getSubjectX500Principal().getName()); } else { sb.append("\n No server certificates were found"); } LOG.debug(sb.toString()); } if (connection.getResponseCode() != HttpServletResponse.SC_OK) { b.append("\n\t" + hostname + ": " + connection.getResponseCode() + " " + connection.getResponseMessage()); err++; } } catch (IOException e) { b.append("\n\t" + hostname + ": " + e.getLocalizedMessage()); if (LOG.isDebugEnabled()) LOG.debug("Exception happend for host " + hostname, e); err++; } finally { if (connection != null) connection.disconnect(); } } if (err > 0) { System.err.print("Command failed on the following " + err + " host" + (err == 1 ? ":" : "s:") + b.toString() + "\n"); return false; } return true; } static FSDataInputStream open(Configuration conf, String hostname, int port, String path) throws IOException { setupSslProps(conf); HttpURLConnection connection = null; connection = openConnection(hostname, port, path); connection.connect(); final InputStream in = connection.getInputStream(); return new FSDataInputStream(new FSInputStream() { public int read() throws IOException { return in.read(); } public int read(byte[] b, int off, int len) throws IOException { return in.read(b, off, len); } public void close() throws IOException { in.close(); } public void seek(long pos) throws IOException { throw new IOException("Can't seek!"); } public long getPos() throws IOException { throw new IOException("Position unknown!"); } public boolean seekToNewSource(long targetPos) throws IOException { return false; } }); } static void checkServerCertsExpirationDays(Configuration conf, String hostname, int port) throws IOException { setupSslProps(conf); HttpsURLConnection connection = null; connection = openConnection(hostname, port, null); connection.connect(); X509Certificate[] serverCerts = (X509Certificate[]) connection.getServerCertificates(); Date curDate = new Date(); long curTime = curDate.getTime(); if (serverCerts != null) { for (X509Certificate cert : serverCerts) { StringBuffer sb = new StringBuffer(); sb.append("\n Server certificate Subject Name: " + cert.getSubjectX500Principal().getName()); Date expDate = cert.getNotAfter(); long expTime = expDate.getTime(); int dayOffSet = (int) ((expTime - curTime) / MM_SECONDS_PER_DAY); sb.append(" have " + dayOffSet + " days to expire"); if (dayOffSet < CERT_EXPIRATION_WARNING_THRESHOLD) LOG.warn(sb.toString()); else LOG.info(sb.toString()); } } else { LOG.info("\n No Server certs was found"); } if (connection != null) { connection.disconnect(); } } public static UserGroupInformation getProxyUGIFor(String userID) { LOG.debug("Proxying as " + userID); try { return UserGroupInformation.createProxyUser(userID, UserGroupInformation.getLoginUser()); } catch (IOException e) { throw new RuntimeException("Unable get current logged in user", e); } } public static String getNamenode(Configuration conf) throws ServletException { String nn = conf.get("fs.default.name"); if (nn == null) { throw new ServletException("Proxy source cluster name node address not specified"); } return nn; } public static void main(String[] args) throws Exception { if (args.length < 1 || (!UtilityOption.RELOAD.getName().equalsIgnoreCase(args[0]) && !UtilityOption.GET.getName().equalsIgnoreCase(args[0]) && !UtilityOption.CHECKCERTS.getName().equalsIgnoreCase(args[0])) || (UtilityOption.GET.getName().equalsIgnoreCase(args[0]) && args.length != 4) || (UtilityOption.CHECKCERTS.getName().equalsIgnoreCase(args[0]) && args.length != 3)) { System.err.println("Usage: ProxyUtil [" + UtilityOption.RELOAD.getName() + "] | [" + UtilityOption.GET.getName() + " <hostname> <#port> <path> ] | [" + UtilityOption.CHECKCERTS.getName() + " <hostname> <#port> ]"); System.exit(0); } Configuration conf = new Configuration(false); conf.addResource("ssl-client.xml"); conf.addResource("hdfsproxy-default.xml"); if (UtilityOption.RELOAD.getName().equalsIgnoreCase(args[0])) { // reload user-certs.xml and user-permissions.xml files sendCommand(conf, "/reloadPermFiles"); } else if (UtilityOption.CHECKCERTS.getName().equalsIgnoreCase(args[0])) { checkServerCertsExpirationDays(conf, args[1], Integer.parseInt(args[2])); } else { String hostname = args[1]; int port = Integer.parseInt(args[2]); String path = args[3]; InputStream in = open(conf, hostname, port, path); IOUtils.copyBytes(in, System.out, conf, false); in.close(); } } }