[HOPS-1622] Configurable key size for application certificates

hopshadoop · Jan 24, 2021 · 80b454a · 80b454a
1 parent f0e226b
commit 80b454a
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 2 deletions.
diff --git a/...oop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java b/...oop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
@@ -4029,6 +4029,9 @@ public static void main(String[] args) throws Exception {
   public static final String RM_APP_CERTIFICATE_REVOCATION_MONITOR_INTERVAL = RM_PREFIX + X509_PREFIX
       + "revocation-monitor-interval";
   public static final String DEFAULT_RM_APP_CERTIFICATE_REVOCATION_MONITOR_INTERVAL = "10h";
+
+  public static final String RM_APP_CERTIFICATE_KEY_SIZE = RM_PREFIX + X509_PREFIX + "key-size";
+  public static final int DEFAULT_RM_APP_CERTIFICATE_KEY_SIZE = 2048;
 
   /**
    * Application JWT configuration

diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
@@ -4055,6 +4055,12 @@
     <value>10h</value>
   </property>
 
+  <property>
+    <description>Key size for the application certificates</description>
+    <name>yarn.resourcemanager.rmappsecurity.x509.key-size</name>
+    <value>2048</value>
+  </property>
+
   <property>
     <description>Enable JWT management for containers</description>
     <name>yarn.resourcemanager.rmappsecurity.jwt.enabled</name>

diff --git a/...main/java/org/apache/hadoop/yarn/server/resourcemanager/security/X509SecurityHandler.java b/...main/java/org/apache/hadoop/yarn/server/resourcemanager/security/X509SecurityHandler.java
@@ -87,7 +87,6 @@ public class X509SecurityHandler
   private final static String SECURITY_PROVIDER = "BC";
   private final static String KEY_ALGORITHM = "RSA";
   private final static String SIGNATURE_ALGORITHM = "SHA256withRSA";
-  private final static int KEY_SIZE = 1024;
   private final static int REVOCATION_QUEUE_SIZE = 100;
 
   private final String TMP = System.getProperty("java.io.tmpdir");
@@ -156,13 +155,16 @@ public void init(Configuration config) throws Exception {
         YarnConfiguration.RM_APP_CERTIFICATE_REVOCATION_MONITOR_INTERVAL);
     revocationMonitorInterval = monitorIntervalUnit.getFirst();
     revocationUnitOfInterval = monitorIntervalUnit.getSecond();
+
+    int keySize = config.getInt(YarnConfiguration.RM_APP_CERTIFICATE_KEY_SIZE,
+            YarnConfiguration.DEFAULT_RM_APP_CERTIFICATE_KEY_SIZE);
 
     if (isHopsTLSEnabled()) {
       superuserKeystoresLoader = new SuperuserKeystoresLoader(config);
       this.certificateLocalizationService = rmContext.getCertificateLocalizationService();
       rmAppSecurityActions = rmAppSecurityManager.getRmAppCertificateActions();
       keyPairGenerator = KeyPairGenerator.getInstance(KEY_ALGORITHM, SECURITY_PROVIDER);
-      keyPairGenerator.initialize(KEY_SIZE);
+      keyPairGenerator.initialize(keySize);
     }
   }