HADOOP-19872: Exclude Engine API when building with OpenSSL 3.x #8550

Open
rohit-kb wants to merge 1 commit into apache:trunk from rohit-kb:HADOOP-19872

@rohit-kb rohit-kb commented Jun 15, 2026

Contributor

Description of PR

Native build of hadoop-common fails on RHEL 10 with:

error: 'ENGINE_METHOD_RAND' undeclared
make failed with error code 2

Root Cause: RHEL 10 ships OpenSSL 3.2.x, which was compiled with OPENSSL_NO_ENGINE — completely removing the OpenSSL Engine API (ENGINE_* functions and constants). The native file OpensslSecureRandom.c used ENGINE_METHOD_RAND and other Engine API symbols without any OpenSSL 3.x compatibility guard, causing a compile-time failure.

Fix: Added #if OPENSSL_VERSION_NUMBER < 0x30000000L guards in OpensslSecureRandom.c to exclude Engine API usage when building against OpenSSL 3.x.

Contains content generated by Claude

How was this patch tested?

RHEL 10 build passed. No breakage reported in RHEL 9 arm64 too.

For code changes:

  • Does the title of this PR start with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
  • Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

AI Tooling

If an AI tool was used:

@hadoop-yetus


💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 20m 8s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 1s codespell was not available.
+0 🆗 detsecrets 0m 1s detect-secrets was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
+1 💚 mvninstall 57m 24s trunk passed
+1 💚 compile 19m 33s trunk passed with JDK Red Hat, Inc.-21.0.11+10-LTS
+1 💚 compile 20m 19s trunk passed with JDK Red Hat, Inc.-17.0.19+10-LTS
+1 💚 mvnsite 3m 9s trunk passed
+1 💚 shadedclient 138m 20s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+1 💚 mvninstall 1m 28s the patch passed
+1 💚 compile 17m 51s the patch passed with JDK Red Hat, Inc.-21.0.11+10-LTS
+1 💚 cc 17m 51s root-jdkRedHat,Inc.-21.0.11+10-LTS with JDK Red Hat, Inc.-21.0.11+10-LTS generated 0 new + 142 unchanged - 10 fixed = 142 total (was 152)
+1 💚 golang 17m 51s the patch passed
+1 💚 javac 17m 51s the patch passed
+1 💚 compile 20m 1s the patch passed with JDK Red Hat, Inc.-17.0.19+10-LTS
+1 💚 cc 20m 1s root-jdkRedHat,Inc.-17.0.19+10-LTS with JDK Red Hat, Inc.-17.0.19+10-LTS generated 0 new + 142 unchanged - 10 fixed = 142 total (was 152)
+1 💚 golang 20m 1s the patch passed
+1 💚 javac 20m 1s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 mvnsite 3m 6s the patch passed
+1 💚 shadedclient 40m 7s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 23m 58s hadoop-common in the patch passed.
+1 💚 asflicense 2m 22s The patch does not generate ASF License warnings.
266m 55s
Subsystem Report/Notes
Docker ClientAPI=1.54 ServerAPI=1.54 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8550/1/artifact/out/Dockerfile
GITHUB PR #8550
Optional Tests dupname asflicense compile cc mvnsite javac unit codespell detsecrets golang
uname Linux c430439e79b0 5.15.0-181-generic #191-Ubuntu SMP Fri May 22 19:09:02 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 8063301
Default Java Red Hat, Inc.-17.0.19+10-LTS
Multi-JDK versions /usr/lib/jvm/java-21-openjdk-21.0.11.0.10-1.el8_10.x86_64:Red Hat, Inc.-21.0.11+10-LTS /usr/lib/jvm/java-17-openjdk-17.0.19.0.10-1.el8_10.x86_64:Red Hat, Inc.-17.0.19+10-LTS
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8550/1/testReport/
Max. process+thread count 3038 (vs. ulimit of 10000)
modules C: hadoop-common-project/hadoop-common U: hadoop-common-project/hadoop-common
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8550/1/console
versions git=2.43.7 maven=3.9.15
Powered by Apache Yetus 0.14.1 https://yetus.apache.org

This message was automatically generated.

Copilot AI left a comment


Pull request overview

This PR addresses native hadoop-common build failures against OpenSSL 3.x builds where the legacy Engine API is removed (e.g., RHEL 10 with OPENSSL_NO_ENGINE) by compiling out ENGINE_* usage in OpensslSecureRandom.c.

Changes:

  • Guarded Engine API function pointers and dynamic symbol loading on UNIX with #if OPENSSL_VERSION_NUMBER < 0x30000000L.
  • Updated UNIX thread-locking callback compilation to only apply to OpenSSL < 1.1.0.
  • Disabled rdrand engine initialization/cleanup logic when compiling against OpenSSL 3.x.
Comments suppressed due to low confidence (1)

hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/random/OpensslSecureRandom.c:319

  • The OpenSSL 3.x guard added here disables all ENGINE usage at compile time, but the Windows initSR path still unconditionally LOAD_DYNAMIC_SYMBOL()s ENGINE_* symbols. On an OpenSSL 3 build where the Engine API is removed (OPENSSL_NO_ENGINE), Windows will throw UnsatisfiedLinkError during initSR before RAND_bytes/ERR_get_error are usable. Please apply the same OPENSSL_VERSION_NUMBER < 0x30000000L (or equivalent) conditional around the Windows ENGINE_* symbol loads (and related typedef/static declarations if needed), leaving RAND_bytes/ERR_get_error loading unconditional.
#if OPENSSL_VERSION_NUMBER < 0x30000000L
#if OPENSSL_VERSION_NUMBER < 0x10100000L
  locks_setup();
  
  dlsym_ENGINE_load_rdrand();
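
A preflight for the guard discussed in this PR, as an added example (not code from the PR or from Hadoop): it reads a compiler macro dump and reports what a version-only guard and a guard that also tests OPENSSL_NO_ENGINE do to ENGINE_* code. The dump format (`cc -dM -E` over the OpenSSL version and configuration headers), the sample dumps and all function names are assumptions constructed for illustration.

```python
import re

# Constructed `cc -dM -E` style macro dumps (assumed format), one per build flavour.
SAMPLES = {
    "1.1.1, engine": "#define OPENSSL_VERSION_NUMBER 0x1010117fL\n",
    "1.1.1, no-engine": "#define OPENSSL_VERSION_NUMBER 0x1010117fL\n"
                        "#define OPENSSL_NO_ENGINE\n",
    "3.0, engine": "#define OPENSSL_VERSION_MAJOR 3\n",
    "3.2, no-engine": "#define OPENSSL_VERSION_MAJOR 3\n"
                      "#define OPENSSL_NO_ENGINE 1\n",
}

_DEFINE = re.compile(r"^[ \t]*#[ \t]*define[ \t]+(\w+)[ \t]*(.*)$", re.M)


def parse_macros(dump):
    """Map macro name -> replacement text (empty string for bare defines)."""
    return {name: value.strip() for name, value in _DEFINE.findall(dump)}


def openssl_major(macros):
    """Major version from 3.x's OPENSSL_VERSION_MAJOR or the pre-3.0 hex literal."""
    if "OPENSSL_VERSION_MAJOR" in macros:
        return int(macros["OPENSSL_VERSION_MAJOR"])
    literal = re.fullmatch(r"(0[xX][0-9a-fA-F]+)[lL]?",
                           macros.get("OPENSSL_VERSION_NUMBER", ""))
    if literal is None:
        raise ValueError("no usable OpenSSL version macro in dump")
    return int(literal.group(1), 16) >> 28


def guard_outcomes(dump):
    """Say what each guard style does to ENGINE_* code for this build."""
    macros = parse_macros(dump)
    declared = "OPENSSL_NO_ENGINE" not in macros  # headers declare ENGINE_*

    def outcome(code_kept):
        if not code_kept:
            return "excluded"
        return "compiled" if declared else "undeclared-symbol error"

    pre3 = openssl_major(macros) < 3
    return {"version_only": outcome(pre3),
            "version_and_no_engine": outcome(pre3 and declared)}


if __name__ == "__main__":
    for label, dump in SAMPLES.items():
        print(f"{label:18} {guard_outcomes(dump)}")
```

The two guards differ only for a pre-3.0 library configured without engines, where the version test alone keeps ENGINE_* code that the headers no longer declare.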


@hadoop-yetus


💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 18m 24s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+0 🆗 detsecrets 0m 0s detect-secrets was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
+1 💚 mvninstall 45m 35s trunk passed
+1 💚 compile 17m 53s trunk passed
+1 💚 mvnsite 1m 55s trunk passed
+1 💚 shadedclient 100m 53s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+1 💚 mvninstall 1m 13s the patch passed
+1 💚 compile 16m 30s the patch passed
-1 ❌ cc 16m 30s /results-compile-cc-root.txt root generated 2 new + 167 unchanged - 10 fixed = 169 total (was 177)
+1 💚 golang 16m 30s the patch passed
+1 💚 javac 16m 30s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 mvnsite 1m 49s the patch passed
+1 💚 shadedclient 37m 29s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 23m 0s hadoop-common in the patch passed.
+1 💚 asflicense 1m 12s The patch does not generate ASF License warnings.
200m 59s
Subsystem Report/Notes
Docker ClientAPI=1.54 ServerAPI=1.54 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8550/1/artifact/out/Dockerfile
GITHUB PR #8550
Optional Tests dupname asflicense compile cc mvnsite javac unit codespell detsecrets golang
uname Linux 098bd515294e 5.15.0-181-generic #191-Ubuntu SMP Fri May 22 19:09:02 UTC 2026 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 8063301
Default Java Debian-25.0.3+9-2-deb13u1-Debian
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8550/1/testReport/
Max. process+thread count 3128 (vs. ulimit of 10000)
modules C: hadoop-common-project/hadoop-common U: hadoop-common-project/hadoop-common
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8550/1/console
versions git=2.47.3 maven=3.9.15
Powered by Apache Yetus 0.14.1 https://yetus.apache.org

This message was automatically generated.

@hadoop-yetus


💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 18m 45s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+0 🆗 detsecrets 0m 0s detect-secrets was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
+1 💚 mvninstall 45m 59s trunk passed
+1 💚 compile 17m 59s trunk passed with JDK Ubuntu-21.0.11+10-1-24.04.2-Ubuntu
+1 💚 compile 18m 6s trunk passed with JDK Ubuntu-17.0.19+10-1-24.04.2-Ubuntu
+1 💚 mvnsite 1m 59s trunk passed
+1 💚 shadedclient 118m 38s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+1 💚 mvninstall 1m 16s the patch passed
+1 💚 compile 16m 50s the patch passed with JDK Ubuntu-21.0.11+10-1-24.04.2-Ubuntu
-1 ❌ cc 16m 50s /results-compile-cc-root-jdkUbuntu-21.0.11+10-1-24.04.2-Ubuntu.txt root-jdkUbuntu-21.0.11+10-1-24.04.2-Ubuntu with JDK Ubuntu-21.0.11+10-1-24.04.2-Ubuntu generated 2 new + 177 unchanged - 10 fixed = 179 total (was 187)
+1 💚 golang 16m 50s the patch passed
+1 💚 javac 16m 50s the patch passed
+1 💚 compile 18m 8s the patch passed with JDK Ubuntu-17.0.19+10-1-24.04.2-Ubuntu
-1 ❌ cc 18m 8s /results-compile-cc-root-jdkUbuntu-17.0.19+10-1-24.04.2-Ubuntu.txt root-jdkUbuntu-17.0.19+10-1-24.04.2-Ubuntu with JDK Ubuntu-17.0.19+10-1-24.04.2-Ubuntu generated 2 new + 177 unchanged - 10 fixed = 179 total (was 187)
+1 💚 golang 18m 8s the patch passed
+1 💚 javac 18m 8s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 mvnsite 1m 56s the patch passed
+1 💚 shadedclient 35m 47s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 22m 56s hadoop-common in the patch passed.
+1 💚 asflicense 1m 11s The patch does not generate ASF License warnings.
236m 7s
Subsystem Report/Notes
Docker ClientAPI=1.54 ServerAPI=1.54 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8550/1/artifact/out/Dockerfile
GITHUB PR #8550
Optional Tests dupname asflicense compile cc mvnsite javac unit codespell detsecrets golang
uname Linux 3fa5debf3364 5.15.0-181-generic #191-Ubuntu SMP Fri May 22 19:09:02 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 8063301
Default Java Ubuntu-17.0.19+10-1-24.04.2-Ubuntu
Multi-JDK versions /usr/lib/jvm/java-21-openjdk-amd64:Ubuntu-21.0.11+10-1-24.04.2-Ubuntu /usr/lib/jvm/java-17-openjdk-amd64:Ubuntu-17.0.19+10-1-24.04.2-Ubuntu
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8550/1/testReport/
Max. process+thread count 3140 (vs. ulimit of 10000)
modules C: hadoop-common-project/hadoop-common U: hadoop-common-project/hadoop-common
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8550/1/console
versions git=2.43.0 maven=3.9.15
Powered by Apache Yetus 0.14.1 https://yetus.apache.org

This message was automatically generated.

@pan3793 pan3793 changed the title HADOOP-19872: Exclude Engine API when building with OpenSSL 3.x. (Contains content generated by Claude) HADOOP-19872: Exclude Engine API when building with OpenSSL 3.x Jun 16, 2026
@pan3793

pan3793 commented Jun 16, 2026

Member

@rohit-kb, this part has been broken again and again. Actually, the SSL ENGINE API is used solely to opt into Intel's RDRAND hardware RNG as OpenSSL's default random source. And the claim of OpensslSecureRandom, "it's much faster than java.security.SecureRandom", is dated and should be qualified. "Much faster" was a reasonable statement circa 2014 (HADOOP-10693) but is no longer a safe blanket claim on modern JDKs.

I'd like to request a re-evaluation of the performance on the modern JDK, and if it does not have a performance advantage over java.security.SecureRandom, just drop it and switch to the JDK's implementation.

@rohit-kb

Contributor Author

Thanks @pan3793 for the review. I will try to benchmark this.
I was hoping for a quick robust fix to unblock our recently introduced RHEL 10 builds in downstream.

We can try to address the JDK implementation for the same (if legit) in a separate JIRA, as that one is going to be a bigger change I think.

@razvan

razvan commented Jun 16, 2026


Thanks for creating this PR. I can confirm that building on UBI 10 works.

My understanding of this PR is that it turns the functions using the Engine API into no-ops without replacement. Is this correct?

If this is true, how does this change impact functionality of existing deployments? Is an upgrade of Hadoop clusters without some form of (meta)data migration even possible?

I don't know enough about how this API is/was used, but I imagine that any keys/certs/secrets or encrypted (meta)data generated previously will not be usable anymore after the upgrade. Am I correct?

@rohit-kb

Contributor Author

Thanks for confirming UBI 10 build!

Regarding your concern, the ENGINE API change only affects how the random bytes are produced internally (RDRAND via ENGINE vs RDRAND via OpenSSL's built-in provider in version 3.x). The output is on par random bytes in both cases.

Existing keys, certificates, and encrypted data should not be affected. Here is the overall flow I believe:

Encryption:

  1. OpensslSecureRandom generates 32 random bytes for the key.
  2. Key is stored in KMS.
  3. File is encrypted with that key and written to HDFS.

Decryption:

  1. Fetch the key from KMS.
  2. Use the key to decrypt the file.

OpensslSecureRandom is never used in decryption. Our change only affects how the random bytes are generated inside OpensslSecureRandom: whether those random bytes came from Intel RDRAND via the ENGINE path or via OpenSSL's built-in provider.
