grp createpath args, pre-computed key configs, x-ms-version

Author: sumangala17

hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/AbfsConfiguration.java

@@ -1039,8 +1039,13 @@ public boolean enableAbfsListIterator() {
     return this.enableAbfsListIterator;
   }
 
-  public String getClientProvidedEncryptionKey() {
-    String accSpecEncKey = accountConf(FS_AZURE_ENCRYPTION_CLIENT_PROVIDED_KEY);
+  public String getEncodedClientProvidedEncryptionKey() {
+    String accSpecEncKey = accountConf(FS_AZURE_ENCRYPTION_ENCODED_CLIENT_PROVIDED_KEY);
+    return rawConfig.get(accSpecEncKey, null);
+  }
+
+  public String getEncodedClientProvidedEncryptionKeySHA() {
+    String accSpecEncKey = accountConf(FS_AZURE_ENCRYPTION_ENCODED_CLIENT_PROVIDED_KEY_SHA);
     return rawConfig.get(accSpecEncKey, null);
   }
 

hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/AzureBlobFileSystemStore.java

@@ -563,8 +563,7 @@ public OutputStream createFile(final Path path,
       if (triggerConditionalCreateOverwrite) {
         op = conditionalCreateOverwriteFile(relativePath,
             statistics,
-            isNamespaceEnabled ? getOctalNotation(permission) : null,
-            isNamespaceEnabled ? getOctalNotation(umask) : null,
+            new Permissions(isNamespaceEnabled, permission, umask),
             isAppendBlob,
             encryptionAdapter,
             tracingContext
@@ -573,8 +572,7 @@ public OutputStream createFile(final Path path,
       } else {
         op = client.createPath(relativePath, true,
             overwrite,
-            isNamespaceEnabled ? getOctalNotation(permission) : null,
-            isNamespaceEnabled ? getOctalNotation(umask) : null,
+            new Permissions(isNamespaceEnabled, permission, umask),
             isAppendBlob,
             null,
             encryptionAdapter,
@@ -603,16 +601,14 @@ public OutputStream createFile(final Path path,
    * only if there is match for eTag of existing file.
    * @param relativePath
    * @param statistics
-   * @param permission
-   * @param umask
+   * @param permissions contains permission and umask
    * @param isAppendBlob
    * @return
    * @throws AzureBlobFileSystemException
    */
   private AbfsRestOperation conditionalCreateOverwriteFile(final String relativePath,
       final FileSystem.Statistics statistics,
-      final String permission,
-      final String umask,
+      Permissions permissions,
       final boolean isAppendBlob,
       EncryptionAdapter encryptionAdapter,
       TracingContext tracingContext) throws IOException {
@@ -622,7 +618,7 @@ private AbfsRestOperation conditionalCreateOverwriteFile(final String relativePa
       // Trigger a create with overwrite=false first so that eTag fetch can be
       // avoided for cases when no pre-existing file is present (major portion
       // of create file traffic falls into the case of no pre-existing file).
-      op = client.createPath(relativePath, true, false, permission, umask,
+      op = client.createPath(relativePath, true, false, permissions,
           isAppendBlob, null, encryptionAdapter, tracingContext);
 
     } catch (AbfsRestOperationException e) {
@@ -647,7 +643,7 @@ private AbfsRestOperation conditionalCreateOverwriteFile(final String relativePa
 
         try {
           // overwrite only if eTag matches with the file properties fetched befpre
-          op = client.createPath(relativePath, true, true, permission, umask,
+          op = client.createPath(relativePath, true, true, permissions,
               isAppendBlob, eTag, encryptionAdapter, tracingContext);
         } catch (AbfsRestOperationException ex) {
           if (ex.getStatusCode() == HttpURLConnection.HTTP_PRECON_FAILED) {
@@ -734,11 +730,10 @@ public void createDirectory(final Path path, final FsPermission permission,
 
       boolean overwrite =
           !isNamespaceEnabled || abfsConfiguration.isEnabledMkdirOverwrite();
+      Permissions permissions = new Permissions(isNamespaceEnabled,
+          permission, umask);
       final AbfsRestOperation op = client.createPath(getRelativePath(path),
-          false, overwrite,
-              isNamespaceEnabled ? getOctalNotation(permission) : null,
-              isNamespaceEnabled ? getOctalNotation(umask) : null, false,
-          null, null, tracingContext);
+          false, overwrite, permissions, false, null, null, tracingContext);
       perfInfo.registerResult(op.getResult()).registerSuccess(true);
     }
   }
@@ -1632,16 +1627,21 @@ private void initializeClient(URI uri, String fileSystemName,
       encryptionContextProvider =
           abfsConfiguration.createEncryptionContextProvider();
       if (encryptionContextProvider != null) {
-        if (abfsConfiguration.getClientProvidedEncryptionKey() != null) {
+        if (abfsConfiguration.getEncodedClientProvidedEncryptionKey() != null) {
           throw new IOException(
               "Both global key and encryption context are set, only one allowed");
         }
         encryptionContextProvider.initialize(
             abfsConfiguration.getRawConfiguration(), accountName,
             fileSystemName);
         encryptionType = EncryptionType.ENCRYPTION_CONTEXT;
-      } else if (abfsConfiguration.getClientProvidedEncryptionKey() != null) {
-        encryptionType = EncryptionType.GLOBAL_KEY;
+      } else if (abfsConfiguration.getEncodedClientProvidedEncryptionKey() != null) {
+        if (abfsConfiguration.getEncodedClientProvidedEncryptionKeySHA() != null) {
+          encryptionType = EncryptionType.GLOBAL_KEY;
+        } else {
+          throw new IOException(
+              "Encoded SHA256 hash must be provided for global encryption");
+        }
       }
     }
 
@@ -1655,7 +1655,6 @@ private void initializeClient(URI uri, String fileSystemName,
           sasTokenProvider, encryptionContextProvider,
           populateAbfsClientContext());
     }
-    client.setEncryptionType(encryptionType);
 
     LOG.trace("AbfsClient init complete");
   }
@@ -1674,11 +1673,6 @@ private AbfsClientContext populateAbfsClientContext() {
         .build();
   }
 
-  private String getOctalNotation(FsPermission fsPermission) {
-    Preconditions.checkNotNull(fsPermission, "fsPermission");
-    return String.format(AbfsHttpConstants.PERMISSION_FORMAT, fsPermission.toOctal());
-  }
-
   public String getRelativePath(final Path path) {
     Preconditions.checkNotNull(path, "path");
     return path.toUri().getPath();
@@ -1866,6 +1860,35 @@ public String toString() {
     }
   }
 
+  public static class Permissions {
+    private final String permission;
+    private final String umask;
+
+    Permissions(boolean isNamespaceEnabled, FsPermission permission,
+        FsPermission umask) {
+      if (isNamespaceEnabled) {
+        this.permission = getOctalNotation(permission);
+        this.umask = getOctalNotation(umask);
+      } else {
+        this.permission = null;
+        this.umask = null;
+      }
+    }
+
+    private String getOctalNotation(FsPermission fsPermission) {
+      Preconditions.checkNotNull(fsPermission, "fsPermission");
+      return String.format(AbfsHttpConstants.PERMISSION_FORMAT, fsPermission.toOctal());
+    }
+
+    public String getPermission() {
+      return permission;
+    }
+
+    public String getUmask() {
+      return umask;
+    }
+  }
+
   /**
    * A builder class for AzureBlobFileSystemStore.
    */

hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/constants/ConfigurationKeys.java

@@ -188,8 +188,12 @@ public final class ConfigurationKeys {
   public static final String AZURE_KEY_ACCOUNT_SHELLKEYPROVIDER_SCRIPT = "fs.azure.shellkeyprovider.script";
   /** Setting this true will make the driver use it's own RemoteIterator implementation */
   public static final String FS_AZURE_ENABLE_ABFS_LIST_ITERATOR = "fs.azure.enable.abfslistiterator";
-  /** Server side encryption key */
-  public static final String FS_AZURE_ENCRYPTION_CLIENT_PROVIDED_KEY = "fs.azure.encryption.client-provided-key";
+  /** Server side encryption key encoded in Base6format */
+  public static final String FS_AZURE_ENCRYPTION_ENCODED_CLIENT_PROVIDED_KEY =
+      "fs.azure.encryption.encoded.client-provided-key";
+  /** SHA256 hash of encryption key encoded in Base6format */
+  public static final String FS_AZURE_ENCRYPTION_ENCODED_CLIENT_PROVIDED_KEY_SHA =
+      "fs.azure.encryption.encoded.client-provided-key-sha";
   /** Custom EncryptionContextProvider type */
   public static final String FS_AZURE_ENCRYPTION_CONTEXT_PROVIDER_TYPE = "fs.azure.encryption.context.provider.type";
 

hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/security/EncryptionAdapter.java

@@ -76,8 +76,9 @@ public SecretKey createEncryptionContext() throws IOException {
   public void computeKeys() throws IOException {
     SecretKey key = getEncryptionKey();
     Preconditions.checkNotNull(key, "Encryption key should not be null.");
-    encodedKey = getBase64EncodedString(new String(key.getEncoded(),
-        StandardCharsets.UTF_8));
+//    encodedKey = getBase64EncodedString(new String(key.getEncoded(),
+//        StandardCharsets.UTF_8));
+    encodedKey = getBase64EncodedString(key.getEncoded());
     encodedKeySHA = getBase64EncodedString(getSHA256Hash(new String(key.getEncoded(),
         StandardCharsets.UTF_8)));
   }

hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/services/AbfsClient.java

@@ -26,9 +26,6 @@
 import java.net.URL;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
-import java.time.Instant;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Locale;
@@ -39,6 +36,7 @@
 
 import org.apache.hadoop.classification.VisibleForTesting;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.fs.azurebfs.AzureBlobFileSystemStore.Permissions;
 import org.apache.hadoop.fs.azurebfs.extensions.EncryptionContextProvider;
 import org.apache.hadoop.fs.azurebfs.security.EncryptionAdapter;
 import org.apache.hadoop.fs.azurebfs.utils.EncryptionType;
@@ -88,22 +86,22 @@ public class AbfsClient implements Closeable {
 
   private final URL baseUrl;
   private final SharedKeyCredentials sharedKeyCredentials;
-  private final String xMsVersion = "2021-04-10";//"2019-12-12";
+  private String xMsVersion = "2019-12-12";
   private final ExponentialRetryPolicy retryPolicy;
   private final String filesystem;
   private final AbfsConfiguration abfsConfiguration;
   private final String userAgent;
   private final AbfsPerfTracker abfsPerfTracker;
-  private String clientProvidedEncryptionKey;
-  private final String clientProvidedEncryptionKeySHA;
+  private String clientProvidedEncryptionKey = null;
+  private String clientProvidedEncryptionKeySHA = null;
 
   private final String accountName;
   private final AuthType authType;
   private AccessTokenProvider tokenProvider;
   private SASTokenProvider sasTokenProvider;
   private final AbfsCounters abfsCounters;
-  private EncryptionContextProvider encryptionContextProvider;
-  private EncryptionType encryptionType;
+  private EncryptionContextProvider encryptionContextProvider = null;
+  private EncryptionType encryptionType = EncryptionType.NONE;
 
   private final ListeningScheduledExecutorService executorService;
 
@@ -115,22 +113,23 @@ private AbfsClient(final URL baseUrl,
     this.baseUrl = baseUrl;
     this.sharedKeyCredentials = sharedKeyCredentials;
     String baseUrlString = baseUrl.toString();
-    this.filesystem = baseUrlString.substring(baseUrlString.lastIndexOf(FORWARD_SLASH) + 1);
+    this.filesystem = baseUrlString.substring(
+        baseUrlString.lastIndexOf(FORWARD_SLASH) + 1);
     this.abfsConfiguration = abfsConfiguration;
     this.retryPolicy = abfsClientContext.getExponentialRetryPolicy();
-    this.accountName = abfsConfiguration.getAccountName().substring(0, abfsConfiguration.getAccountName().indexOf(AbfsHttpConstants.DOT));
+    this.accountName = abfsConfiguration.getAccountName().substring(0,
+        abfsConfiguration.getAccountName().indexOf(AbfsHttpConstants.DOT));
     this.authType = abfsConfiguration.getAuthType(accountName);
-    this.encryptionContextProvider = encryptionContextProvider;
-
-    String encryptionKey = this.abfsConfiguration
-        .getClientProvidedEncryptionKey();
-    if (encryptionKey != null) {
-      this.clientProvidedEncryptionKey = EncryptionAdapter.getBase64EncodedString(encryptionKey);
-      this.clientProvidedEncryptionKeySHA = EncryptionAdapter.getBase64EncodedString(
-          EncryptionAdapter.getSHA256Hash(encryptionKey));
-    } else {
-      this.clientProvidedEncryptionKey = null;
-      this.clientProvidedEncryptionKeySHA = null;
+
+    if (encryptionContextProvider != null) {
+      this.encryptionContextProvider = encryptionContextProvider;
+      xMsVersion = "2021-04-10"; // will be default once server change deployed
+      encryptionType = EncryptionType.ENCRYPTION_CONTEXT;
+    } else if ((clientProvidedEncryptionKey =
+        abfsConfiguration.getEncodedClientProvidedEncryptionKey()) != null) {
+      this.clientProvidedEncryptionKeySHA =
+          abfsConfiguration.getEncodedClientProvidedEncryptionKeySHA();
+      encryptionType = EncryptionType.GLOBAL_KEY;
     }
 
     String sslProviderName = null;
@@ -389,7 +388,7 @@ public AbfsRestOperation deleteFilesystem(TracingContext tracingContext) throws
   }
 
   public AbfsRestOperation createPath(final String path, final boolean isFile,
-      final boolean overwrite, final String permission, final String umask,
+      final boolean overwrite, final Permissions permissions,
       final boolean isAppendBlob, final String eTag,
       EncryptionAdapter encryptionAdapter, TracingContext tracingContext)
       throws IOException {
@@ -402,12 +401,15 @@ public AbfsRestOperation createPath(final String path, final boolean isFile,
       requestHeaders.add(new AbfsHttpHeader(IF_NONE_MATCH, AbfsHttpConstants.STAR));
     }
 
-    if (permission != null && !permission.isEmpty()) {
-      requestHeaders.add(new AbfsHttpHeader(HttpHeaderConfigurations.X_MS_PERMISSIONS, permission));
+    if (permissions.getPermission() != null && !permissions.getPermission().isEmpty()) {
+      requestHeaders.add(
+          new AbfsHttpHeader(HttpHeaderConfigurations.X_MS_PERMISSIONS,
+              permissions.getPermission()));
     }
 
-    if (umask != null && !umask.isEmpty()) {
-      requestHeaders.add(new AbfsHttpHeader(HttpHeaderConfigurations.X_MS_UMASK, umask));
+    if (permissions.getUmask() != null && !permissions.getUmask().isEmpty()) {
+      requestHeaders.add(new AbfsHttpHeader(HttpHeaderConfigurations.X_MS_UMASK,
+          permissions.getUmask()));
     }
 
     if (eTag != null && !eTag.isEmpty()) {

hadoop-tools/hadoop-azure/src/test/java/org/apache/hadoop/fs/azurebfs/ITestAzureBlobFileSystemCreate.java

@@ -25,6 +25,7 @@
 import java.util.EnumSet;
 import java.util.UUID;
 
+import org.apache.hadoop.fs.azurebfs.AzureBlobFileSystemStore.Permissions;
 import org.junit.Test;
 
 import org.apache.hadoop.conf.Configuration;
@@ -398,9 +399,8 @@ public void testNegativeScenariosForCreateOverwriteDisabled()
             serverErrorResponseEx) // Scn5: create overwrite=false fails with Http500
         .when(mockClient)
         .createPath(any(String.class), eq(true), eq(false),
-            isNamespaceEnabled ? any(String.class) : eq(null),
-            isNamespaceEnabled ? any(String.class) : eq(null),
-            any(boolean.class), eq(null), any(), any(TracingContext.class));
+            any(Permissions.class), any(boolean.class), eq(null), any(),
+            any(TracingContext.class));
 
     doThrow(fileNotFoundResponseEx) // Scn1: GFS fails with Http404
         .doThrow(serverErrorResponseEx) // Scn2: GFS fails with Http500
@@ -416,9 +416,8 @@ public void testNegativeScenariosForCreateOverwriteDisabled()
             serverErrorResponseEx) // Scn4: create overwrite=true fails with Http500
         .when(mockClient)
         .createPath(any(String.class), eq(true), eq(true),
-            isNamespaceEnabled ? any(String.class) : eq(null),
-            isNamespaceEnabled ? any(String.class) : eq(null),
-            any(boolean.class), eq(null), any(), any(TracingContext.class));
+            any(Permissions.class), any(boolean.class), eq(null), any(),
+            any(TracingContext.class));
 
     // Scn1: GFS fails with Http404
     // Sequence of events expected:

hadoop-tools/hadoop-azure/src/test/java/org/apache/hadoop/fs/azurebfs/ITestCustomEncryption.java

@@ -47,8 +47,9 @@
 import org.apache.hadoop.test.LambdaTestUtils;
 import org.apache.hadoop.util.Lists;
 
-import static org.apache.hadoop.fs.azurebfs.constants.ConfigurationKeys.FS_AZURE_ENCRYPTION_CLIENT_PROVIDED_KEY;
 import static org.apache.hadoop.fs.azurebfs.constants.ConfigurationKeys.FS_AZURE_ENCRYPTION_CONTEXT_PROVIDER_TYPE;
+import static org.apache.hadoop.fs.azurebfs.constants.ConfigurationKeys.FS_AZURE_ENCRYPTION_ENCODED_CLIENT_PROVIDED_KEY;
+import static org.apache.hadoop.fs.azurebfs.constants.ConfigurationKeys.FS_AZURE_ENCRYPTION_ENCODED_CLIENT_PROVIDED_KEY_SHA;
 import static org.apache.hadoop.fs.azurebfs.constants.HttpHeaderConfigurations.X_MS_ENCRYPTION_KEY_SHA256;
 import static org.apache.hadoop.fs.azurebfs.constants.HttpHeaderConfigurations.X_MS_REQUEST_SERVER_ENCRYPTED;
 import static org.apache.hadoop.fs.azurebfs.constants.HttpHeaderConfigurations.X_MS_SERVER_ENCRYPTED;
@@ -252,15 +253,22 @@ private AzureBlobFileSystem getECProviderEnabledFS() throws Exception {
     Configuration configuration = getRawConfiguration();
     configuration.set(FS_AZURE_ENCRYPTION_CONTEXT_PROVIDER_TYPE,
         MockEncryptionContextProvider.class.getCanonicalName());
-    configuration.unset(
-        FS_AZURE_ENCRYPTION_CLIENT_PROVIDED_KEY + "." + getAccountName());
+    configuration.unset(FS_AZURE_ENCRYPTION_ENCODED_CLIENT_PROVIDED_KEY + "."
+        + getAccountName());
+    configuration.unset(FS_AZURE_ENCRYPTION_ENCODED_CLIENT_PROVIDED_KEY_SHA + "."
+        + getAccountName());
     return (AzureBlobFileSystem) FileSystem.newInstance(configuration);
   }
 
   private AzureBlobFileSystem getCPKenabledFS() throws IOException {
     Configuration conf = getRawConfiguration();
-    conf.set(FS_AZURE_ENCRYPTION_CLIENT_PROVIDED_KEY + "." + getAccountName(),
-        cpk);
+    String cpkEncoded = EncryptionAdapter.getBase64EncodedString(cpk);
+    String cpkEncodedSHA = EncryptionAdapter.getBase64EncodedString(
+        EncryptionAdapter.getSHA256Hash(cpk));
+    conf.set(FS_AZURE_ENCRYPTION_ENCODED_CLIENT_PROVIDED_KEY + "."
+        + getAccountName(), cpkEncoded);
+    conf.set(FS_AZURE_ENCRYPTION_ENCODED_CLIENT_PROVIDED_KEY_SHA + "."
+        + getAccountName(), cpkEncodedSHA);
     conf.unset(FS_AZURE_ENCRYPTION_CONTEXT_PROVIDER_TYPE);
     return (AzureBlobFileSystem) FileSystem.newInstance(conf);
   }