This is an automated email from the ASF dual-hosted git repository. boroknagyz pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/impala.git
commit 7fbb83749b1aeb3e359313fa5f084a450f85f083 Author: Michael Smith <[email protected]> AuthorDate: Mon Jan 12 16:12:34 2026 -0800 IMPALA-14679: Avoid authentication hash reload on partial write Removes IN_MODIFY from the list of inotify triggers for reloading authentication hashes. IN_MODIFY appears to trigger when a `write` system call begins, which resulted in tests running into Authentication hash from /tmp/junit...tmp did not contain 32 bytes This would delay loading the hash because ReloadMonitor waits 1000ms before trying again. IN_CLOSE_WRITE is sufficient to cover the same cases, as it receives a notification when a file opened for writing is closed. Adds a test that failed with IN_MODIFY, and now passes 30+ runs. Change-Id: I9549c7a4ec0e8ebfc8a49444f2f217ffd9311525 Reviewed-on: http://gerrit.cloudera.org:8080/23862 Reviewed-by: Impala Public Jenkins <[email protected]> Tested-by: Impala Public Jenkins <[email protected]> --- be/src/util/openssl-util-test.cc | 39 +++++++++++++++++++++++++++++++++++++++ be/src/util/openssl-util.cc | 2 +- 2 files changed, 40 insertions(+), 1 deletion(-) diff --git a/be/src/util/openssl-util-test.cc b/be/src/util/openssl-util-test.cc index 8ada6deb0..e3e71f8da 100644 --- a/be/src/util/openssl-util-test.cc +++ b/be/src/util/openssl-util-test.cc @@ -548,6 +548,45 @@ TEST_F(OpenSSLUtilTest, AuthenticationHashFromFile) { EXPECT_FALSE(auth_hash.Verify(buf.data(), buffer_size, signature)); } +TEST_F(OpenSSLUtilTest, AuthenticationHashFromFileReload) { + // Create a temporary file with a random key. + KeyFile key = MakeKeyFile(); + + // Create an AuthenticationHashFromFile and check we can Compute/Verify. + const int buffer_size = 1024 * 1024; + vector<uint8_t> buf(buffer_size); + GenerateRandomData(buf.data(), buffer_size); + + AuthenticationHashFromFile auth_hash(key.path); + ASSERT_OK(auth_hash.Init()); + + uint8_t signature[AuthenticationHash::HashLen()]; + ASSERT_OK(auth_hash.Compute(buf.data(), buffer_size, signature)); + EXPECT_TRUE(auth_hash.Verify(buf.data(), buffer_size, signature)); + + // Overwrite the file with a new valid key. Perform multiple write system calls. + { + vector<uint8_t> k(AuthenticationHash::HashLen()-1); + std::ofstream key_file(key.path, std::ios::binary); + GenerateRandomBytes(k.data(), k.size()); + key_file.write("b", 1); + SleepForMs(100); + key_file.write(reinterpret_cast<const char*>(k.data()), k.size()); + } + // Verify it's reloaded in less than a second. Longer means it likely hit an error + // prompting retry. + const int max_retries = 8; + int retries = 0; + while (retries++ < max_retries) { + SleepForMs(100); + if (!auth_hash.Verify(buf.data(), buffer_size, signature)) break; + } + ASSERT_LT(retries, max_retries) << "Timed out waiting for key reload"; + + // Should not verify with the original signature, since the key has changed. + EXPECT_FALSE(auth_hash.Verify(buf.data(), buffer_size, signature)); +} + TEST_F(OpenSSLUtilTest, MissingAuthenticationHashFromFile) { // Try to create an AuthenticationHashFromFile with a non-existent key file. string missing_key_path = Substitute("/tmp/auth_key_missing_$0", getpid()); diff --git a/be/src/util/openssl-util.cc b/be/src/util/openssl-util.cc index 4f1a9227d..e34cd8e14 100644 --- a/be/src/util/openssl-util.cc +++ b/be/src/util/openssl-util.cc @@ -306,7 +306,7 @@ Status AuthenticationHashFromFile::Init() { } int wd = inotify_add_watch( - fd, path_.c_str(), IN_MODIFY | IN_CLOSE_WRITE | IN_MOVE_SELF | IN_ATTRIB); + fd, path_.c_str(), IN_CLOSE_WRITE | IN_MOVE_SELF | IN_ATTRIB); if (wd < 0) { close(stop_pipe_read_fd_); close(fd);
