Java Code Examples for org.apache.hadoop.crypto.key.KeyProviderCryptoExtension

The following examples show how to use org.apache.hadoop.crypto.key.KeyProviderCryptoExtension. These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source Project: hadoop-ozone   Source File: OzoneKMSUtil.java    License: Apache License 2.0 6 votes vote down vote up
public static KeyProvider.KeyVersion decryptEncryptedDataEncryptionKey(
    FileEncryptionInfo feInfo, KeyProvider keyProvider) throws IOException {
  if (keyProvider == null) {
    throw new IOException("No KeyProvider is configured, " +
        "cannot access an encrypted file");
  } else {
    EncryptedKeyVersion ekv = EncryptedKeyVersion.createForDecryption(
        feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
        feInfo.getEncryptedDataEncryptionKey());

    try {
      KeyProviderCryptoExtension cryptoProvider = KeyProviderCryptoExtension
          .createKeyProviderCryptoExtension(keyProvider);
      return cryptoProvider.decryptEncryptedKey(ekv);
    } catch (GeneralSecurityException gse) {
      throw new IOException(gse);
    }
  }
}
 
Example 2
Source Project: hadoop   Source File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Decrypts a EDEK by consulting the KeyProvider.
 */
private KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo
    feInfo) throws IOException {
  TraceScope scope = Trace.startSpan("decryptEDEK", traceSampler);
  try {
    KeyProvider provider = getKeyProvider();
    if (provider == null) {
      throw new IOException("No KeyProvider is configured, cannot access" +
          " an encrypted file");
    }
    EncryptedKeyVersion ekv = EncryptedKeyVersion.createForDecryption(
        feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
        feInfo.getEncryptedDataEncryptionKey());
    try {
      KeyProviderCryptoExtension cryptoProvider = KeyProviderCryptoExtension
          .createKeyProviderCryptoExtension(provider);
      return cryptoProvider.decryptEncryptedKey(ekv);
    } catch (GeneralSecurityException e) {
      throw new IOException(e);
    }
  } finally {
    scope.close();
  }
}
 
Example 3
public CryptoExtension(Configuration conf,
    KeyProviderCryptoExtension keyProviderCryptoExtension) {
  this.keyProviderCryptoExtension = keyProviderCryptoExtension;
  encKeyVersionQueue =
      new ValueQueue<KeyProviderCryptoExtension.EncryptedKeyVersion>(
          conf.getInt(KMS_KEY_CACHE_SIZE,
              KMS_KEY_CACHE_SIZE_DEFAULT),
          conf.getFloat(KMS_KEY_CACHE_LOW_WATERMARK,
              KMS_KEY_CACHE_LOW_WATERMARK_DEFAULT),
          conf.getInt(KMS_KEY_CACHE_EXPIRY_MS,
              KMS_KEY_CACHE_EXPIRY_DEFAULT),
          conf.getInt(KMS_KEY_CACHE_NUM_REFILL_THREADS,
              KMS_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT),
          SyncGenerationPolicy.LOW_WATERMARK, new EncryptedQueueRefiller()
      );
}
 
Example 4
Source Project: big-c   Source File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Decrypts a EDEK by consulting the KeyProvider.
 */
private KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo
    feInfo) throws IOException {
  TraceScope scope = Trace.startSpan("decryptEDEK", traceSampler);
  try {
    KeyProvider provider = getKeyProvider();
    if (provider == null) {
      throw new IOException("No KeyProvider is configured, cannot access" +
          " an encrypted file");
    }
    EncryptedKeyVersion ekv = EncryptedKeyVersion.createForDecryption(
        feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
        feInfo.getEncryptedDataEncryptionKey());
    try {
      KeyProviderCryptoExtension cryptoProvider = KeyProviderCryptoExtension
          .createKeyProviderCryptoExtension(provider);
      return cryptoProvider.decryptEncryptedKey(ekv);
    } catch (GeneralSecurityException e) {
      throw new IOException(e);
    }
  } finally {
    scope.close();
  }
}
 
Example 5
public CryptoExtension(Configuration conf,
    KeyProviderCryptoExtension keyProviderCryptoExtension) {
  this.keyProviderCryptoExtension = keyProviderCryptoExtension;
  encKeyVersionQueue =
      new ValueQueue<KeyProviderCryptoExtension.EncryptedKeyVersion>(
          conf.getInt(KMS_KEY_CACHE_SIZE,
              KMS_KEY_CACHE_SIZE_DEFAULT),
          conf.getFloat(KMS_KEY_CACHE_LOW_WATERMARK,
              KMS_KEY_CACHE_LOW_WATERMARK_DEFAULT),
          conf.getInt(KMS_KEY_CACHE_EXPIRY_MS,
              KMS_KEY_CACHE_EXPIRY_DEFAULT),
          conf.getInt(KMS_KEY_CACHE_NUM_REFILL_THREADS,
              KMS_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT),
          SyncGenerationPolicy.LOW_WATERMARK, new EncryptedQueueRefiller()
      );
}
 
Example 6
public CryptoExtension(Configuration conf,
    KeyProviderCryptoExtension keyProviderCryptoExtension) {
  this.keyProviderCryptoExtension = keyProviderCryptoExtension;
  encKeyVersionQueue =
      new ValueQueue<KeyProviderCryptoExtension.EncryptedKeyVersion>(
          conf.getInt(KMS_KEY_CACHE_SIZE,
              KMS_KEY_CACHE_SIZE_DEFAULT),
          conf.getFloat(KMS_KEY_CACHE_LOW_WATERMARK,
              KMS_KEY_CACHE_LOW_WATERMARK_DEFAULT),
          conf.getInt(KMS_KEY_CACHE_EXPIRY_MS,
              KMS_KEY_CACHE_EXPIRY_DEFAULT),
          conf.getInt(KMS_KEY_CACHE_NUM_REFILL_THREADS,
              KMS_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT),
          SyncGenerationPolicy.LOW_WATERMARK, new EncryptedQueueRefiller()
      );
}
 
Example 7
Source Project: spliceengine   Source File: HDFSUtil.java    License: GNU Affero General Public License v3.0 6 votes vote down vote up
private static KeyProvider.KeyVersion decryptEncryptedDataEncryptionKey(DistributedFileSystem dfs, FileEncryptionInfo feInfo) throws IOException {
    KeyProvider provider = dfs.dfs.getKeyProvider();
    if (provider == null) {
        throw new IOException("No KeyProvider is configured, cannot access" +
                " an encrypted file");
    }
    KeyProviderCryptoExtension.EncryptedKeyVersion ekv = KeyProviderCryptoExtension.EncryptedKeyVersion.createForDecryption(
            feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
            feInfo.getEncryptedDataEncryptionKey());
    try {
        KeyProviderCryptoExtension cryptoProvider = KeyProviderCryptoExtension
                .createKeyProviderCryptoExtension(provider);
        return cryptoProvider.decryptEncryptedKey(ekv);
    } catch (GeneralSecurityException e) {
        throw new IOException(e);
    }
}
 
Example 8
Source Project: hadoop-ozone   Source File: OMBucketCreateRequest.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public OMRequest preExecute(OzoneManager ozoneManager) throws IOException {

  // Get original request.
  CreateBucketRequest createBucketRequest =
      getOmRequest().getCreateBucketRequest();
  BucketInfo bucketInfo = createBucketRequest.getBucketInfo();
  // Verify resource name
  OmUtils.validateBucketName(bucketInfo.getBucketName());

  // Get KMS provider.
  KeyProviderCryptoExtension kmsProvider =
      ozoneManager.getKmsProvider();

  // Create new Bucket request with new bucket info.
  CreateBucketRequest.Builder newCreateBucketRequest =
      createBucketRequest.toBuilder();

  BucketInfo.Builder newBucketInfo = bucketInfo.toBuilder();

  // Set creation time & modification time.
  long initialTime = Time.now();
  newBucketInfo.setCreationTime(initialTime)
      .setModificationTime(initialTime);

  if (bucketInfo.hasBeinfo()) {
    newBucketInfo.setBeinfo(getBeinfo(kmsProvider, bucketInfo));
  }

  newCreateBucketRequest.setBucketInfo(newBucketInfo.build());

  return getOmRequest().toBuilder().setUserInfo(getUserInfo())
     .setCreateBucketRequest(newCreateBucketRequest.build()).build();
}
 
Example 9
Source Project: hadoop-ozone   Source File: OMBucketCreateRequest.java    License: Apache License 2.0 5 votes vote down vote up
private BucketEncryptionInfoProto getBeinfo(
    KeyProviderCryptoExtension kmsProvider, BucketInfo bucketInfo)
    throws IOException {
  BucketEncryptionInfoProto bek = bucketInfo.getBeinfo();
  BucketEncryptionInfoProto.Builder bekb = null;
  if (kmsProvider == null) {
    throw new OMException("Invalid KMS provider, check configuration " +
        CommonConfigurationKeys.HADOOP_SECURITY_KEY_PROVIDER_PATH,
        OMException.ResultCodes.INVALID_KMS_PROVIDER);
  }
  if (bek.getKeyName() == null) {
    throw new OMException("Bucket encryption key needed.", OMException
        .ResultCodes.BUCKET_ENCRYPTION_KEY_NOT_FOUND);
  }
  // Talk to KMS to retrieve the bucket encryption key info.
  KeyProvider.Metadata metadata = kmsProvider.getMetadata(
      bek.getKeyName());
  if (metadata == null) {
    throw new OMException("Bucket encryption key " + bek.getKeyName()
        + " doesn't exist.",
        OMException.ResultCodes.BUCKET_ENCRYPTION_KEY_NOT_FOUND);
  }
  // If the provider supports pool for EDEKs, this will fill in the pool
  kmsProvider.warmUpEncryptedKeys(bek.getKeyName());
  bekb = BucketEncryptionInfoProto.newBuilder()
      .setKeyName(bek.getKeyName())
      .setCryptoProtocolVersion(ENCRYPTION_ZONES)
      .setSuite(OMPBHelper.convert(
          CipherSuite.convert(metadata.getCipher())));
  return bekb.build();
}
 
Example 10
Source Project: hadoop-ozone   Source File: KeyManagerImpl.java    License: Apache License 2.0 5 votes vote down vote up
@SuppressWarnings("parameternumber")
public KeyManagerImpl(OzoneManager om, ScmClient scmClient,
    OMMetadataManager metadataManager, OzoneConfiguration conf, String omId,
    OzoneBlockTokenSecretManager secretManager,
    KeyProviderCryptoExtension kmsProvider, PrefixManager prefixManager) {
  this.scmBlockSize = (long) conf
      .getStorageSize(OZONE_SCM_BLOCK_SIZE, OZONE_SCM_BLOCK_SIZE_DEFAULT,
          StorageUnit.BYTES);
  this.useRatis = conf.getBoolean(DFS_CONTAINER_RATIS_ENABLED_KEY,
      DFS_CONTAINER_RATIS_ENABLED_DEFAULT);
  this.preallocateBlocksMax = conf.getInt(
      OZONE_KEY_PREALLOCATION_BLOCKS_MAX,
      OZONE_KEY_PREALLOCATION_BLOCKS_MAX_DEFAULT);
  this.grpcBlockTokenEnabled = conf.getBoolean(
      HDDS_BLOCK_TOKEN_ENABLED,
      HDDS_BLOCK_TOKEN_ENABLED_DEFAULT);
  this.listTrashKeysMax = conf.getInt(
    OZONE_CLIENT_LIST_TRASH_KEYS_MAX,
    OZONE_CLIENT_LIST_TRASH_KEYS_MAX_DEFAULT);

  this.ozoneManager = om;
  this.omId = omId;
  this.scmClient = scmClient;
  this.metadataManager = metadataManager;
  this.prefixManager = prefixManager;
  this.secretManager = secretManager;
  this.kmsProvider = kmsProvider;

}
 
Example 11
Source Project: hadoop-ozone   Source File: OzoneManager.java    License: Apache License 2.0 5 votes vote down vote up
private KeyProviderCryptoExtension createKeyProviderExt(
    OzoneConfiguration conf) throws IOException {
  KeyProvider keyProvider = KMSUtil.createKeyProvider(conf,
      keyProviderUriKeyName);
  if (keyProvider == null) {
    return null;
  }
  KeyProviderCryptoExtension cryptoProvider = KeyProviderCryptoExtension
      .createKeyProviderCryptoExtension(keyProvider);
  return cryptoProvider;
}
 
Example 12
Source Project: hadoop-ozone   Source File: TestBucketManagerImpl.java    License: Apache License 2.0 5 votes vote down vote up
@Test
public void testCreateBucket() throws Exception {
  OmMetadataManagerImpl metaMgr = createSampleVol();

  KeyProviderCryptoExtension kmsProvider = Mockito.mock(
      KeyProviderCryptoExtension.class);
  String testBekName = "key1";
  String testCipherName = "AES/CTR/NoPadding";

  KeyProvider.Metadata mockMetadata = Mockito.mock(KeyProvider.Metadata
      .class);
  Mockito.when(kmsProvider.getMetadata(testBekName)).thenReturn(mockMetadata);
  Mockito.when(mockMetadata.getCipher()).thenReturn(testCipherName);

  BucketManager bucketManager = new BucketManagerImpl(metaMgr,
      kmsProvider);
  OmBucketInfo bucketInfo = OmBucketInfo.newBuilder()
      .setVolumeName("sampleVol")
      .setBucketName("bucketOne")
      .setBucketEncryptionKey(new
          BucketEncryptionKeyInfo.Builder().setKeyName("key1").build())
      .build();
  bucketManager.createBucket(bucketInfo);
  Assert.assertNotNull(bucketManager.getBucketInfo("sampleVol", "bucketOne"));

  OmBucketInfo bucketInfoRead =
      bucketManager.getBucketInfo("sampleVol",  "bucketOne");

  Assert.assertTrue(bucketInfoRead.getEncryptionKeyInfo().getKeyName()
      .equals(bucketInfo.getEncryptionKeyInfo().getKeyName()));
  metaMgr.getStore().close();
}
 
Example 13
Source Project: hadoop   Source File: DFSUtil.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Creates a new KeyProviderCryptoExtension by wrapping the
 * KeyProvider specified in the given Configuration.
 *
 * @param conf Configuration
 * @return new KeyProviderCryptoExtension, or null if no provider was found.
 * @throws IOException if the KeyProvider is improperly specified in
 *                             the Configuration
 */
public static KeyProviderCryptoExtension createKeyProviderCryptoExtension(
    final Configuration conf) throws IOException {
  KeyProvider keyProvider = createKeyProvider(conf);
  if (keyProvider == null) {
    return null;
  }
  KeyProviderCryptoExtension cryptoProvider = KeyProviderCryptoExtension
      .createKeyProviderCryptoExtension(keyProvider);
  return cryptoProvider;
}
 
Example 14
Source Project: hadoop   Source File: TestEncryptionZonesWithHA.java    License: Apache License 2.0 5 votes vote down vote up
@Before
public void setupCluster() throws Exception {
  conf = new Configuration();
  conf.setInt(DFSConfigKeys.DFS_HA_TAILEDITS_PERIOD_KEY, 1);
  HAUtil.setAllowStandbyReads(conf, true);
  fsHelper = new FileSystemTestHelper();
  String testRoot = fsHelper.getTestRootDir();
  testRootDir = new File(testRoot).getAbsoluteFile();
  conf.set(DFSConfigKeys.DFS_ENCRYPTION_KEY_PROVIDER_URI,
      JavaKeyStoreProvider.SCHEME_NAME + "://file" +
      new Path(testRootDir.toString(), "test.jks").toUri()
  );

  cluster = new MiniDFSCluster.Builder(conf)
    .nnTopology(MiniDFSNNTopology.simpleHATopology())
    .numDataNodes(1)
    .build();
  cluster.waitActive();
  cluster.transitionToActive(0);

  fs = (DistributedFileSystem)HATestUtil.configureFailoverFs(cluster, conf);
  DFSTestUtil.createKey(TEST_KEY, cluster, 0, conf);
  DFSTestUtil.createKey(TEST_KEY, cluster, 1, conf);
  nn0 = cluster.getNameNode(0);
  nn1 = cluster.getNameNode(1);
  dfsAdmin0 = new HdfsAdmin(cluster.getURI(0), conf);
  dfsAdmin1 = new HdfsAdmin(cluster.getURI(1), conf);
  KeyProviderCryptoExtension nn0Provider =
      cluster.getNameNode(0).getNamesystem().getProvider();
  fs.getClient().setKeyProvider(nn0Provider);
}
 
Example 15
Source Project: hadoop   Source File: KMSClientProvider.java    License: Apache License 2.0 5 votes vote down vote up
@SuppressWarnings("rawtypes")
@Override
public KeyVersion decryptEncryptedKey(
    EncryptedKeyVersion encryptedKeyVersion) throws IOException,
                                                    GeneralSecurityException {
  checkNotNull(encryptedKeyVersion.getEncryptionKeyVersionName(),
      "versionName");
  checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), "iv");
  Preconditions.checkArgument(
      encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
          .equals(KeyProviderCryptoExtension.EEK),
      "encryptedKey version name must be '%s', is '%s'",
      KeyProviderCryptoExtension.EEK,
      encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
  );
  checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");
  Map<String, String> params = new HashMap<String, String>();
  params.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_DECRYPT);
  Map<String, Object> jsonPayload = new HashMap<String, Object>();
  jsonPayload.put(KMSRESTConstants.NAME_FIELD,
      encryptedKeyVersion.getEncryptionKeyName());
  jsonPayload.put(KMSRESTConstants.IV_FIELD, Base64.encodeBase64String(
      encryptedKeyVersion.getEncryptedKeyIv()));
  jsonPayload.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String(
          encryptedKeyVersion.getEncryptedKeyVersion().getMaterial()));
  URL url = createURL(KMSRESTConstants.KEY_VERSION_RESOURCE,
      encryptedKeyVersion.getEncryptionKeyVersionName(),
      KMSRESTConstants.EEK_SUB_RESOURCE, params);
  HttpURLConnection conn = createConnection(url, HTTP_POST);
  conn.setRequestProperty(CONTENT_TYPE, APPLICATION_JSON_MIME);
  Map response =
      call(conn, jsonPayload, HttpURLConnection.HTTP_OK, Map.class);
  return parseJSONKeyVersion(response);
}
 
Example 16
Source Project: hadoop   Source File: KeyAuthorizationKeyProvider.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * The constructor takes a {@link KeyProviderCryptoExtension} and an
 * implementation of <code>KeyACLs</code>. All calls are delegated to the
 * provider keyProvider after authorization check (if required)
 * @param keyProvider 
 * @param acls
 */
public KeyAuthorizationKeyProvider(KeyProviderCryptoExtension keyProvider,
    KeyACLs acls) {
  super(keyProvider, null);
  this.provider = keyProvider;
  this.acls = acls;
  ReadWriteLock lock = new ReentrantReadWriteLock(true);
  readLock = lock.readLock();
  writeLock = lock.writeLock();
}
 
Example 17
Source Project: big-c   Source File: DFSUtil.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Creates a new KeyProviderCryptoExtension by wrapping the
 * KeyProvider specified in the given Configuration.
 *
 * @param conf Configuration
 * @return new KeyProviderCryptoExtension, or null if no provider was found.
 * @throws IOException if the KeyProvider is improperly specified in
 *                             the Configuration
 */
public static KeyProviderCryptoExtension createKeyProviderCryptoExtension(
    final Configuration conf) throws IOException {
  KeyProvider keyProvider = createKeyProvider(conf);
  if (keyProvider == null) {
    return null;
  }
  KeyProviderCryptoExtension cryptoProvider = KeyProviderCryptoExtension
      .createKeyProviderCryptoExtension(keyProvider);
  return cryptoProvider;
}
 
Example 18
Source Project: big-c   Source File: TestEncryptionZonesWithHA.java    License: Apache License 2.0 5 votes vote down vote up
@Before
public void setupCluster() throws Exception {
  conf = new Configuration();
  conf.setInt(DFSConfigKeys.DFS_HA_TAILEDITS_PERIOD_KEY, 1);
  HAUtil.setAllowStandbyReads(conf, true);
  fsHelper = new FileSystemTestHelper();
  String testRoot = fsHelper.getTestRootDir();
  testRootDir = new File(testRoot).getAbsoluteFile();
  conf.set(DFSConfigKeys.DFS_ENCRYPTION_KEY_PROVIDER_URI,
      JavaKeyStoreProvider.SCHEME_NAME + "://file" +
      new Path(testRootDir.toString(), "test.jks").toUri()
  );

  cluster = new MiniDFSCluster.Builder(conf)
    .nnTopology(MiniDFSNNTopology.simpleHATopology())
    .numDataNodes(1)
    .build();
  cluster.waitActive();
  cluster.transitionToActive(0);

  fs = (DistributedFileSystem)HATestUtil.configureFailoverFs(cluster, conf);
  DFSTestUtil.createKey(TEST_KEY, cluster, 0, conf);
  DFSTestUtil.createKey(TEST_KEY, cluster, 1, conf);
  nn0 = cluster.getNameNode(0);
  nn1 = cluster.getNameNode(1);
  dfsAdmin0 = new HdfsAdmin(cluster.getURI(0), conf);
  dfsAdmin1 = new HdfsAdmin(cluster.getURI(1), conf);
  KeyProviderCryptoExtension nn0Provider =
      cluster.getNameNode(0).getNamesystem().getProvider();
  fs.getClient().setKeyProvider(nn0Provider);
}
 
Example 19
Source Project: big-c   Source File: KMSClientProvider.java    License: Apache License 2.0 5 votes vote down vote up
@SuppressWarnings("rawtypes")
@Override
public KeyVersion decryptEncryptedKey(
    EncryptedKeyVersion encryptedKeyVersion) throws IOException,
                                                    GeneralSecurityException {
  checkNotNull(encryptedKeyVersion.getEncryptionKeyVersionName(),
      "versionName");
  checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), "iv");
  Preconditions.checkArgument(
      encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
          .equals(KeyProviderCryptoExtension.EEK),
      "encryptedKey version name must be '%s', is '%s'",
      KeyProviderCryptoExtension.EEK,
      encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
  );
  checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");
  Map<String, String> params = new HashMap<String, String>();
  params.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_DECRYPT);
  Map<String, Object> jsonPayload = new HashMap<String, Object>();
  jsonPayload.put(KMSRESTConstants.NAME_FIELD,
      encryptedKeyVersion.getEncryptionKeyName());
  jsonPayload.put(KMSRESTConstants.IV_FIELD, Base64.encodeBase64String(
      encryptedKeyVersion.getEncryptedKeyIv()));
  jsonPayload.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String(
          encryptedKeyVersion.getEncryptedKeyVersion().getMaterial()));
  URL url = createURL(KMSRESTConstants.KEY_VERSION_RESOURCE,
      encryptedKeyVersion.getEncryptionKeyVersionName(),
      KMSRESTConstants.EEK_SUB_RESOURCE, params);
  HttpURLConnection conn = createConnection(url, HTTP_POST);
  conn.setRequestProperty(CONTENT_TYPE, APPLICATION_JSON_MIME);
  Map response =
      call(conn, jsonPayload, HttpURLConnection.HTTP_OK, Map.class);
  return parseJSONKeyVersion(response);
}
 
Example 20
Source Project: big-c   Source File: KeyAuthorizationKeyProvider.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * The constructor takes a {@link KeyProviderCryptoExtension} and an
 * implementation of <code>KeyACLs</code>. All calls are delegated to the
 * provider keyProvider after authorization check (if required)
 * @param keyProvider 
 * @param acls
 */
public KeyAuthorizationKeyProvider(KeyProviderCryptoExtension keyProvider,
    KeyACLs acls) {
  super(keyProvider, null);
  this.provider = keyProvider;
  this.acls = acls;
  ReadWriteLock lock = new ReentrantReadWriteLock(true);
  readLock = lock.readLock();
  writeLock = lock.writeLock();
}
 
Example 21
Source Project: ranger   Source File: KeyAuthorizationKeyProvider.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * The constructor takes a {@link KeyProviderCryptoExtension} and an
 * implementation of <code>KeyACLs</code>. All calls are delegated to the
 * provider keyProvider after authorization check (if required)
 * @param keyProvider  the key provider
 * @param acls the Key ACLs
 */
public KeyAuthorizationKeyProvider(KeyProviderCryptoExtension keyProvider,
    KeyACLs acls) {
  super(keyProvider, null);
  this.provider = keyProvider;
  this.acls = acls;
  ReadWriteLock lock = new ReentrantReadWriteLock(true);
  readLock = lock.readLock();
  writeLock = lock.writeLock();
}
 
Example 22
Source Project: hadoop-ozone   Source File: KeyManagerImpl.java    License: Apache License 2.0 4 votes vote down vote up
KeyProviderCryptoExtension getKMSProvider() {
  return kmsProvider;
}
 
Example 23
Source Project: hadoop-ozone   Source File: BucketManagerImpl.java    License: Apache License 2.0 4 votes vote down vote up
public BucketManagerImpl(OMMetadataManager metadataManager,
                         KeyProviderCryptoExtension kmsProvider) {
  this(metadataManager, kmsProvider, false);
}
 
Example 24
Source Project: hadoop-ozone   Source File: BucketManagerImpl.java    License: Apache License 2.0 4 votes vote down vote up
public BucketManagerImpl(OMMetadataManager metadataManager,
    KeyProviderCryptoExtension kmsProvider, boolean isRatisEnabled) {
  this.metadataManager = metadataManager;
  this.kmsProvider = kmsProvider;
}
 
Example 25
Source Project: hadoop-ozone   Source File: BucketManagerImpl.java    License: Apache License 2.0 4 votes vote down vote up
KeyProviderCryptoExtension getKMSProvider() {
  return kmsProvider;
}
 
Example 26
Source Project: hadoop-ozone   Source File: OzoneManager.java    License: Apache License 2.0 4 votes vote down vote up
@VisibleForTesting
public KeyProviderCryptoExtension getKmsProvider() {
  return kmsProvider;
}
 
Example 27
Source Project: hadoop   Source File: KMSClientProvider.java    License: Apache License 2.0 4 votes vote down vote up
public KMSClientProvider(URI uri, Configuration conf) throws IOException {
  super(conf);
  kmsUrl = createServiceURL(extractKMSPath(uri));
  if ("https".equalsIgnoreCase(new URL(kmsUrl).getProtocol())) {
    sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, conf);
    try {
      sslFactory.init();
    } catch (GeneralSecurityException ex) {
      throw new IOException(ex);
    }
  }
  int timeout = conf.getInt(TIMEOUT_ATTR, DEFAULT_TIMEOUT);
  authRetry = conf.getInt(AUTH_RETRY, DEFAULT_AUTH_RETRY);
  configurator = new TimeoutConnConfigurator(timeout, sslFactory);
  encKeyVersionQueue =
      new ValueQueue<KeyProviderCryptoExtension.EncryptedKeyVersion>(
          conf.getInt(
              CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_SIZE,
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_SIZE_DEFAULT),
          conf.getFloat(
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_LOW_WATERMARK,
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_LOW_WATERMARK_DEFAULT),
          conf.getInt(
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_EXPIRY_MS,
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_EXPIRY_DEFAULT),
          conf.getInt(
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS,
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT),
          new EncryptedQueueRefiller());
  authToken = new DelegationTokenAuthenticatedURL.Token();
  actualUgi =
      (UserGroupInformation.getCurrentUser().getAuthenticationMethod() ==
      UserGroupInformation.AuthenticationMethod.PROXY) ? UserGroupInformation
          .getCurrentUser().getRealUser() : UserGroupInformation
          .getCurrentUser();
}
 
Example 28
Source Project: hadoop   Source File: KMSWebApp.java    License: Apache License 2.0 4 votes vote down vote up
public static KeyProviderCryptoExtension getKeyProvider() {
  return keyProviderCryptoExtension;
}
 
Example 29
Source Project: hadoop   Source File: KMS.java    License: Apache License 2.0 4 votes vote down vote up
@SuppressWarnings("rawtypes")
@POST
@Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}/" +
    KMSRESTConstants.EEK_SUB_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
public Response decryptEncryptedKey(
    @PathParam("versionName") final String versionName,
    @QueryParam(KMSRESTConstants.EEK_OP) String eekOp,
    Map jsonPayload)
    throws Exception {
  UserGroupInformation user = HttpUserGroupInformation.get();
  KMSClientProvider.checkNotEmpty(versionName, "versionName");
  KMSClientProvider.checkNotNull(eekOp, "eekOp");

  final String keyName = (String) jsonPayload.get(
      KMSRESTConstants.NAME_FIELD);
  String ivStr = (String) jsonPayload.get(KMSRESTConstants.IV_FIELD);
  String encMaterialStr = 
      (String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD);
  Object retJSON;
  if (eekOp.equals(KMSRESTConstants.EEK_DECRYPT)) {
    assertAccess(KMSACLs.Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName);
    KMSClientProvider.checkNotNull(ivStr, KMSRESTConstants.IV_FIELD);
    final byte[] iv = Base64.decodeBase64(ivStr);
    KMSClientProvider.checkNotNull(encMaterialStr,
        KMSRESTConstants.MATERIAL_FIELD);
    final byte[] encMaterial = Base64.decodeBase64(encMaterialStr);

    KeyProvider.KeyVersion retKeyVersion = user.doAs(
        new PrivilegedExceptionAction<KeyVersion>() {
          @Override
          public KeyVersion run() throws Exception {
            return provider.decryptEncryptedKey(
                new KMSClientProvider.KMSEncryptedKeyVersion(keyName,
                    versionName, iv, KeyProviderCryptoExtension.EEK,
                    encMaterial)
            );
          }
        }
    );

    retJSON = KMSServerJSONUtils.toJSON(retKeyVersion);
    kmsAudit.ok(user, KMSOp.DECRYPT_EEK, keyName, "");
  } else {
    throw new IllegalArgumentException("Wrong " + KMSRESTConstants.EEK_OP +
        " value, it must be " + KMSRESTConstants.EEK_GENERATE + " or " +
        KMSRESTConstants.EEK_DECRYPT);
  }
  KMSWebApp.getDecryptEEKCallsMeter().mark();
  return Response.ok().type(MediaType.APPLICATION_JSON).entity(retJSON)
      .build();
}
 
Example 30
Source Project: hadoop   Source File: TestKeyAuthorizationKeyProvider.java    License: Apache License 2.0 4 votes vote down vote up
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  KeyProvider kp =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);
  KeyACLs mock = mock(KeyACLs.class);
  when(mock.isACLPresent("testKey", KeyOpType.MANAGEMENT)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.ALL)).thenReturn(true);
  UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
  UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
  UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
  when(mock.hasAccessToKey("testKey", u1,
      KeyOpType.MANAGEMENT)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", u2,
      KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", u3,
      KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", sudo,
      KeyOpType.ALL)).thenReturn(true);
  final KeyProviderCryptoExtension kpExt =
      new KeyAuthorizationKeyProvider(
          KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp),
          mock);

  sudo.doAs(
      new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
          Options opt = newOptions(conf);
          Map<String, String> m = new HashMap<String, String>();
          m.put("key.acl.name", "testKey");
          opt.setAttributes(m);
          KeyVersion kv =
              kpExt.createKey("foo", SecureRandom.getSeed(16), opt);
          kpExt.rollNewVersion(kv.getName());
          kpExt.rollNewVersion(kv.getName(), SecureRandom.getSeed(16));
          EncryptedKeyVersion ekv = kpExt.generateEncryptedKey(kv.getName());
          ekv = EncryptedKeyVersion.createForDecryption(
              ekv.getEncryptionKeyName() + "x",
              ekv.getEncryptionKeyVersionName(),
              ekv.getEncryptedKeyIv(),
              ekv.getEncryptedKeyVersion().getMaterial());
          kpExt.decryptEncryptedKey(ekv);
          return null;
        }
      }
  );
}