test kms

urykhy · urykhy · commit 07e9b804d44a · 2022-02-13T23:27:36.000+03:00
diff --git a/.github/scripts/install-hdfs.sh b/.github/scripts/install-hdfs.sh
@@ -50,7 +50,7 @@ EOF
   sudo apt-get install -y krb5-user krb5-kdc krb5-admin-server
 
   printf "$KERBEROS_PASSWORD\n$KERBEROS_PASSWORD" | sudo kdb5_util -r "$KERBEROS_REALM" create -s
-  for p in nn dn $USER gohdfs1 gohdfs2; do
+  for p in nn dn kms $USER gohdfs1 gohdfs2; do
     sudo kadmin.local -q "addprinc -randkey $p/$HOSTNAME@$KERBEROS_REALM"
     sudo kadmin.local -q "addprinc -randkey $p/localhost@$KERBEROS_REALM"
     sudo kadmin.local -q "xst -k /tmp/$p.keytab $p/$HOSTNAME@$KERBEROS_REALM"
@@ -116,6 +116,10 @@ sudo tee $HADOOP_ROOT/etc/hadoop/core-site.xml <<EOF
     <name>hadoop.rpc.protection</name>
     <value>$RPC_PROTECTION</value>
   </property>
+  <property>
+    <name>hadoop.security.key.provider.path</name>
+    <value>kms://http@localhost:9600/kms</value>
+  </property>
 </configuration>
 EOF
 
@@ -172,6 +176,40 @@ $HADOOP_ROOT/bin/hdfs namenode -format
 sudo groupadd hadoop
 sudo usermod -a -G hadoop $USER
 
+sudo tee $HADOOP_ROOT/etc/hadoop/kms-site.xml <<EOF
+<configuration>
+  <property>
+    <name>hadoop.kms.key.provider.uri</name>
+    <value>jceks://file@/tmp/hdfs/kms.keystore</value>
+  </property>
+  <property>
+    <name>hadoop.security.keystore.java-keystore-provider.password-file</name>
+    <value>kms.keystore.password</value>
+  </property>
+  <property>
+    <name>hadoop.kms.authentication.type</name>
+    <value>$CONF_AUTHENTICATION</value>
+  </property>
+  <property>
+    <name>hadoop.kms.authentication.kerberos.keytab</name>
+    <value>/tmp/kms.keytab</value>
+  </property>
+  <property>
+    <name>hadoop.kms.authentication.kerberos.principal</name>
+    <value>kms/localhost@$KERBEROS_REALM</value>
+  </property>
+</configuration>
+EOF
+
+sudo tee $HADOOP_ROOT/etc/hadoop/kms.keystore.password <<EOF
+123456
+EOF
+
+echo "Starting KMS..."
+export KMS_SILENT=false
+export KMS_HTTP_PORT=9600
+$HADOOP_ROOT/sbin/kms.sh start > /tmp/hdfs/kms.log 2>&1 &
+
 echo "Starting namenode..."
 $HADOOP_ROOT/bin/hdfs namenode > /tmp/hdfs/namenode.log 2>&1 &
 
@@ -183,5 +221,10 @@ sleep 5
 echo "Waiting for cluster to exit safe mode..."
 $HADOOP_ROOT/bin/hdfs dfsadmin -safemode wait
 
+echo "Prepare encrypted zone"
+$HADOOP_ROOT/bin/hadoop key create key1
+$HADOOP_ROOT/bin/hadoop fs -mkdir -p /_test/kms
+$HADOOP_ROOT/bin/hdfs crypto -createZone -keyName key1 -path /_test/kms
+
 echo "HADOOP_CONF_DIR=$(pwd)/$HADOOP_ROOT/etc/hadoop" >> $GITHUB_ENV
-echo "$(pwd)/$HADOOP_ROOT/bin" >> $GITHUB_PATH
+echo "$(pwd)/$HADOOP_ROOT/bin" >> $GITHUB_PATH
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -65,6 +65,10 @@ jobs:
       run: |
         make test
 
+    - name: cat kms.log
+      if: always()
+      run: cat /tmp/hdfs/kms.log
+
     - name: cat namenode.log
       if: always()
       run: cat /tmp/hdfs/namenode.log
diff --git a/cmd/hdfs/test/kms.bats b/cmd/hdfs/test/kms.bats
@@ -0,0 +1,30 @@
+#!/usr/bin/env bats
+
+load helper
+
+@test "put java to go" {
+  run $HADOOP_FS -put $ROOT_TEST_DIR/testdata/foo.txt /_test/kms/foo1
+  assert_success
+
+  run $HDFS cat /_test/kms/foo1
+  assert_output "bar"
+}
+
+@test "put go to java" {
+  run $HDFS put $ROOT_TEST_DIR/testdata/foo.txt /_test/kms/foo2
+  assert_success
+
+  run HADOOP_FS -cat /_test/kms/foo2
+  assert_output "bar"
+}
+
+@test "tail" {
+  run $HDFS put $ROOT_TEST_DIR/testdata/mobydick.txt /_test/kms/
+  assert_success
+
+  run bash -c "$HDFS tail /_test/kms/mobydick.txt > $BATS_TMPDIR/mobydick_test.txt"
+  assert_success
+
+  SHA=`tail $ROOT_TEST_DIR/testdata/mobydick.txt | shasum | awk '{ print $1 }'`
+  assert_equal $SHA `shasum < $BATS_TMPDIR/mobydick_test.txt | awk '{ print $1 }'`
+}
