Java Code Examples for org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider.KeyOpType

The following examples show how to use org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider.KeyOpType, the enumeration of KMS key operations (MANAGEMENT, GENERATE_EEK, DECRYPT_EEK, ALL) that per-key, default and whitelist ACL maps are keyed by. They are extracted from open source projects (Hadoop, its big-c fork, and Apache Ranger); the originating project and source file are named above each example.
Example 1
Source Project: ranger   Source File: KMSACLs.java    License: Apache License 2.0
/**
 * Parse the acls from configuration with the specified prefix. Currently
 * only 2 possible prefixes: whitelist and default.
 *
 * @param conf The configuration.
 * @param prefix The prefix.
 * @param keyOp The key operation.
 * @param results The collection of results to add to.
 */
/**
 * Reads the ACL for a single key operation from the configuration property
 * {@code prefix + keyOp} and records it in {@code results}. The two prefixes in
 * use are the default key-ACL prefix and the whitelist key-ACL prefix.
 *
 * A value of {@code "*"} is a wildcard entry (presumably unrestricted in
 * AccessControlList) and is logged at INFO so such grants are visible in the
 * server log. {@link KeyOpType#ALL} is not accepted for these prefixes and is
 * skipped with a warning. An unset property leaves {@code results} unchanged.
 *
 * @param conf The configuration.
 * @param prefix The prefix.
 * @param keyOp The key operation.
 * @param results The collection of results to add to.
 */
private void parseAclsWithPrefix(final Configuration conf,final String prefix, final KeyOpType keyOp,Map<KeyOpType, AccessControlList> results) {
  final String aclStr = conf.get(prefix + keyOp);
  if (aclStr == null) {
    return;
  }
  if (keyOp == KeyOpType.ALL) {
    // ALL is meaningless for default/whitelist prefixes; do not record it.
    LOG.warn("Invalid KEY_OP '{}' for {}, ignoring", keyOp, prefix);
    return;
  }
  if ("*".equals(aclStr)) {
    LOG.info("{} for KEY_OP '{}' is set to '*'", prefix, keyOp);
  }
  results.put(keyOp, new AccessControlList(aclStr));
}
 
Example 2
Source Project: ranger   Source File: RangerKmsAuthorizer.java    License: Apache License 2.0
/**
 * Delegates the per-key authorization decision to the wrapped {@code implKeyACLs},
 * with the plugin class loader activated for the duration of the call and
 * deactivated in a finally block so a throwing delegate cannot leave it active.
 * Nothing is granted or denied here; the result is the delegate's verdict.
 *
 * @param keyName the key being accessed
 * @param ugi the calling principal
 * @param opType the operation requested on the key
 * @return true if the delegate allows the operation
 */
@Override
public boolean hasAccessToKey(String keyName, UserGroupInformation ugi, KeyOpType opType) {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerKmsAuthorizer.hasAccessToKey(" + keyName + ", " + ugi +", " + opType + ")");
	}

	boolean allowed = false;
	try {
		activatePluginClassLoader();
		allowed = implKeyACLs.hasAccessToKey(keyName,ugi,opType);
	} finally {
		// Always restore the caller's class loader, even if the delegate throws.
		deactivatePluginClassLoader();
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerKmsAuthorizer.hasAccessToKey(" + keyName + ", " + ugi +", " + opType + ")");
	}

	return allowed;
}
 
Example 3
Source Project: ranger   Source File: RangerKmsAuthorizer.java    License: Apache License 2.0
/**
 * Asks the wrapped {@code implKeyACLs} whether an ACL exists for {@code aclName}
 * and {@code opType}, with the plugin class loader activated around the call and
 * restored in a finally block regardless of outcome.
 *
 * @param aclName the ACL (key) name to look up
 * @param opType the operation whose ACL is being queried
 * @return the delegate's answer
 */
@Override
public boolean isACLPresent(String aclName, KeyOpType opType) {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerKmsAuthorizer.isACLPresent(" + aclName + ", " + opType + ")");
	}

	boolean present = false;
	try {
		activatePluginClassLoader();
		present = implKeyACLs.isACLPresent(aclName,opType);
	} finally {
		deactivatePluginClassLoader();
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerKmsAuthorizer.isACLPresent(" + aclName + ", " + opType + ")");
	}

	return present;
}
 
Example 4
Source Project: hadoop   Source File: KMSACLs.java    License: Apache License 2.0
/**
 * Resolves which ACL map applies to {@code keyName} and checks {@code opType}
 * against it. Only a key with no ACL map at all falls back to
 * {@code defaultKeyAcls}; a key that has a map lacking this operation does NOT
 * fall back and is denied by the map-level overload.
 *
 * @param keyName the key being accessed
 * @param ugi the calling principal
 * @param opType the operation requested on the key
 * @return true if the applicable ACL allows {@code ugi}
 */
private boolean checkKeyAccess(String keyName, UserGroupInformation ugi,
    KeyOpType opType) {
  final Map<KeyOpType, AccessControlList> perKey = keyAcls.get(keyName);
  final Map<KeyOpType, AccessControlList> applicable =
      (perKey != null) ? perKey : defaultKeyAcls;
  return checkKeyAccess(applicable, ugi, opType);
}
 
Example 5
Source Project: hadoop   Source File: KMSACLs.java    License: Apache License 2.0
/**
 * Checks {@code ugi} against the ACL registered for {@code opType} in
 * {@code keyAcl}. Default-closed: an operation with no ACL entry is denied,
 * never treated as open.
 *
 * @param keyAcl ACL map to consult (per-key, default or whitelist)
 * @param ugi the calling principal
 * @param opType the operation requested
 * @return true only if an ACL exists for the operation and it allows {@code ugi}
 */
private boolean checkKeyAccess(Map<KeyOpType, AccessControlList> keyAcl,
    UserGroupInformation ugi, KeyOpType opType) {
  final AccessControlList acl = keyAcl.get(opType);
  // Missing entry => deny.
  return acl != null && acl.isUserAllowed(ugi);
}
 
Example 6
Source Project: big-c   Source File: KMSACLs.java    License: Apache License 2.0
/**
 * Resolves which ACL map applies to {@code keyName} and checks {@code opType}
 * against it. Only a key with no ACL map at all falls back to
 * {@code defaultKeyAcls}; a key whose map lacks this operation does NOT fall
 * back and is denied by the map-level overload.
 *
 * @param keyName the key being accessed
 * @param ugi the calling principal
 * @param opType the operation requested on the key
 * @return true if the applicable ACL allows {@code ugi}
 */
private boolean checkKeyAccess(String keyName, UserGroupInformation ugi,
    KeyOpType opType) {
  final Map<KeyOpType, AccessControlList> perKey = keyAcls.get(keyName);
  final Map<KeyOpType, AccessControlList> applicable =
      (perKey != null) ? perKey : defaultKeyAcls;
  return checkKeyAccess(applicable, ugi, opType);
}
 
Example 7
Source Project: big-c   Source File: KMSACLs.java    License: Apache License 2.0
/**
 * Checks {@code ugi} against the ACL registered for {@code opType} in
 * {@code keyAcl}. Default-closed: an operation with no ACL entry is denied.
 *
 * @param keyAcl ACL map to consult (per-key, default or whitelist)
 * @param ugi the calling principal
 * @param opType the operation requested
 * @return true only if an ACL exists for the operation and it allows {@code ugi}
 */
private boolean checkKeyAccess(Map<KeyOpType, AccessControlList> keyAcl,
    UserGroupInformation ugi, KeyOpType opType) {
  final AccessControlList acl = keyAcl.get(opType);
  // Missing entry => deny.
  return acl != null && acl.isUserAllowed(ugi);
}
 
Example 8
Source Project: ranger   Source File: KMSACLs.java    License: Apache License 2.0
/**
 * Grants {@code opType} on {@code keyName} if the key's own ACLs (or the
 * defaults, when the key has none) allow {@code ugi}, or if the whitelist for
 * that operation does. The whitelist is an independent grant path that
 * overrides a per-key denial, so whitelist entries deserve the same scrutiny as
 * administrative ACLs. A final denial is written to the KMS audit log; a per-key
 * miss that is rescued by the whitelist is not audited.
 *
 * @param keyName the key being accessed
 * @param ugi the calling principal
 * @param opType the operation requested on the key
 * @return true if either path grants access
 */
@Override
public boolean hasAccessToKey(String keyName, UserGroupInformation ugi,
    KeyOpType opType) {
  if (checkKeyAccess(keyName, ugi, opType)) {
    return true;
  }
  if (checkKeyAccess(whitelistKeyAcls, ugi, opType)) {
    return true;
  }
  KMSWebApp.getKMSAudit().unauthorized(ugi, opType, keyName);
  return false;
}
 
Example 9
Source Project: ranger   Source File: KMSACLs.java    License: Apache License 2.0
/**
 * Resolves the ACL map for {@code keyName} (falling back to
 * {@code defaultKeyAcls} only when the key has no map at all) and checks
 * {@code opType} against it, logging the decision at DEBUG.
 *
 * @param keyName the key being accessed
 * @param ugi the calling principal
 * @param opType the operation requested on the key
 * @return true if the applicable ACL allows {@code ugi}
 */
private boolean checkKeyAccess(String keyName, UserGroupInformation ugi,KeyOpType opType) {
  final Map<KeyOpType, AccessControlList> perKey = keyAcls.get(keyName);
  final boolean useDefaults = (perKey == null);
  if (useDefaults) {
    LOG.debug("Key: {} has no ACLs defined, using defaults.", keyName);
  }
  final boolean allowed =
      checkKeyAccess(useDefaults ? defaultKeyAcls : perKey, ugi, opType);
  if (LOG.isDebugEnabled()) {
    LOG.debug("User: [{}], OpType: {}, KeyName: {} Result: {}",
    ugi.getShortUserName(), opType.toString(), keyName, allowed);
  }
  return allowed;
}
 
Example 10
Source Project: ranger   Source File: KMSACLs.java    License: Apache License 2.0
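/**
 * Checks {@code ugi} against the ACL registered for {@code opType} in
 * {@code keyAcl}. Default-closed: an operation with no ACL entry is denied.
 *
 * @param keyAcl ACL map to consult (per-key, default or whitelist)
 * @param ugi the calling principal
 * @param opType the operation requested
 * @return true only if an ACL exists for the operation and it allows {@code ugi}
 */
private boolean checkKeyAccess(Map<KeyOpType, AccessControlList> keyAcl,UserGroupInformation ugi, KeyOpType opType) {
  final AccessControlList acl = keyAcl.get(opType);
  if (acl == null) {
    LOG.debug("No ACL available for key, denying access for {}", opType);
    return false;
  }
  if (LOG.isDebugEnabled()) {
    // The user name is passed as a format argument. The original concatenated it
    // onto the pattern with '+', which left the third '{}' unfilled, appended the
    // name after the ACL string, and let a user name containing '{}' act as a
    // placeholder in the log pattern.
    LOG.debug("Checking user [{}] for: {}: {}", ugi.getShortUserName(),
        opType.toString(), acl.getAclString());
  }
  return acl.isUserAllowed(ugi);
}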
 
Example 11
Source Project: ranger   Source File: RangerKmsAuthorizer.java    License: Apache License 2.0
/**
 * Unconditional grant: every principal is allowed every {@link KeyOpType} on
 * every key. With this implementation installed, key-level authorization must
 * be enforced somewhere else in the request path (presumably by Ranger policy
 * evaluation in the provider — confirm before relying on it). The entry log
 * line carries the "<==" marker that the other methods on this page use for
 * exit, and no exit line is written.
 *
 * @param keyName the key being accessed (ignored)
 * @param ugi the calling principal (ignored)
 * @param opType the operation requested (ignored)
 * @return always true
 */
@Override
public boolean hasAccessToKey(String keyName, UserGroupInformation ugi, KeyOpType opType) {
	if(LOG.isDebugEnabled()) {
		final String call = "RangerKmsAuthorizer.hasAccessToKey(" + keyName + ", " + ugi +", " + opType + ")";
		LOG.debug("<== " + call);
	}
	return true;
}
 
Example 12
Source Project: hadoop   Source File: KMSACLs.java    License: Apache License 2.0
/**
 * Grants {@code opType} on {@code keyName} if the key's own ACLs (or the
 * defaults, when the key has none) allow {@code ugi}, or if the whitelist for
 * that operation does. The whitelist is an independent grant path that
 * overrides a per-key denial, so whitelist entries should be kept as tight as
 * administrative ACLs.
 *
 * @param keyName the key being accessed
 * @param ugi the calling principal
 * @param opType the operation requested on the key
 * @return true if either path grants access
 */
@Override
public boolean hasAccessToKey(String keyName, UserGroupInformation ugi,
    KeyOpType opType) {
  if (checkKeyAccess(keyName, ugi, opType)) {
    return true;
  }
  return checkKeyAccess(whitelistKeyAcls, ugi, opType);
}
 
Example 13
Source Project: hadoop   Source File: KMSACLs.java    License: Apache License 2.0
/**
 * Reports whether any ACL could apply to {@code keyName} for {@code opType}:
 * a per-key ACL map for the key, a default ACL for the operation, or a
 * whitelist ACL for the operation. The per-key test is by key name only, so a
 * key whose map lacks this operation still counts as "present" even though
 * hasAccessToKey would deny it.
 *
 * @param keyName the key name
 * @param opType the operation
 * @return true if one of the three sources has an entry
 */
@Override
public boolean isACLPresent(String keyName, KeyOpType opType) {
  if (keyAcls.containsKey(keyName)) {
    return true;
  }
  return defaultKeyAcls.containsKey(opType)
      || whitelistKeyAcls.containsKey(opType);
}
 
Example 14
Source Project: hadoop   Source File: TestKeyAuthorizationKeyProvider.java    License: Apache License 2.0
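/**
 * Decrypting an encrypted key whose encryption-key name does not match the key
 * version it claims to come from (the real name with an "x" appended) must be
 * rejected with {@link IllegalArgumentException}. Only "sudo", which the mocked
 * ACLs grant {@code ALL} on "testKey", performs operations; u1/u2/u3 are stubbed
 * but not exercised here.
 *
 * @throws Exception the expected IllegalArgumentException, or any setup failure
 */
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  KeyProvider kp =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);
  KeyACLs mock = mock(KeyACLs.class);
  when(mock.isACLPresent("testKey", KeyOpType.MANAGEMENT)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.ALL)).thenReturn(true);
  UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
  UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
  UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
  when(mock.hasAccessToKey("testKey", u1,
      KeyOpType.MANAGEMENT)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", u2,
      KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", u3,
      KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", sudo,
      KeyOpType.ALL)).thenReturn(true);
  final KeyProviderCryptoExtension kpExt =
      new KeyAuthorizationKeyProvider(
          KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp),
          mock);
  // Test key material is drawn with nextBytes() instead of SecureRandom.getSeed():
  // getSeed() goes through the seed generator, which can block on entropy-starved
  // hosts and stall the test; the material only needs to be unpredictable.
  final SecureRandom rng = new SecureRandom();

  sudo.doAs(
      new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
          Options opt = newOptions(conf);
          Map<String, String> m = new HashMap<String, String>();
          m.put("key.acl.name", "testKey");
          opt.setAttributes(m);
          final byte[] initialMaterial = new byte[16];
          rng.nextBytes(initialMaterial);
          KeyVersion kv = kpExt.createKey("foo", initialMaterial, opt);
          kpExt.rollNewVersion(kv.getName());
          // Separate array: the provider may retain the reference it was given.
          final byte[] rolledMaterial = new byte[16];
          rng.nextBytes(rolledMaterial);
          kpExt.rollNewVersion(kv.getName(), rolledMaterial);
          EncryptedKeyVersion ekv = kpExt.generateEncryptedKey(kv.getName());
          // Tamper with the key name only; version name, IV and material are kept.
          ekv = EncryptedKeyVersion.createForDecryption(
              ekv.getEncryptionKeyName() + "x",
              ekv.getEncryptionKeyVersionName(),
              ekv.getEncryptedKeyIv(),
              ekv.getEncryptedKeyVersion().getMaterial());
          kpExt.decryptEncryptedKey(ekv);
          return null;
        }
      }
  );
}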
 
Example 15
Source Project: big-c   Source File: KMSACLs.java    License: Apache License 2.0
/**
 * Grants {@code opType} on {@code keyName} if the key's own ACLs (or the
 * defaults, when the key has none) allow {@code ugi}, or if the whitelist for
 * that operation does. The whitelist overrides a per-key denial, so its entries
 * should be kept as tight as administrative ACLs.
 *
 * @param keyName the key being accessed
 * @param ugi the calling principal
 * @param opType the operation requested on the key
 * @return true if either path grants access
 */
@Override
public boolean hasAccessToKey(String keyName, UserGroupInformation ugi,
    KeyOpType opType) {
  if (checkKeyAccess(keyName, ugi, opType)) {
    return true;
  }
  return checkKeyAccess(whitelistKeyAcls, ugi, opType);
}
 
Example 16
Source Project: big-c   Source File: KMSACLs.java    License: Apache License 2.0
/**
 * Reports whether any ACL could apply to {@code keyName} for {@code opType}:
 * a per-key ACL map, a default ACL for the operation, or a whitelist ACL for
 * the operation. The per-key test is by key name only, so a key whose map
 * lacks this operation still counts as "present" even though hasAccessToKey
 * would deny it.
 *
 * @param keyName the key name
 * @param opType the operation
 * @return true if one of the three sources has an entry
 */
@Override
public boolean isACLPresent(String keyName, KeyOpType opType) {
  if (keyAcls.containsKey(keyName)) {
    return true;
  }
  return defaultKeyAcls.containsKey(opType)
      || whitelistKeyAcls.containsKey(opType);
}
 
Example 17
Source Project: big-c   Source File: TestKeyAuthorizationKeyProvider.java    License: Apache License 2.0
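/**
 * Decrypting an encrypted key whose encryption-key name does not match the key
 * version it claims to come from (the real name with an "x" appended) must be
 * rejected with {@link IllegalArgumentException}. Only "sudo", which the mocked
 * ACLs grant {@code ALL} on "testKey", performs operations; u1/u2/u3 are stubbed
 * but not exercised here.
 *
 * @throws Exception the expected IllegalArgumentException, or any setup failure
 */
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  KeyProvider kp =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);
  KeyACLs mock = mock(KeyACLs.class);
  when(mock.isACLPresent("testKey", KeyOpType.MANAGEMENT)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.ALL)).thenReturn(true);
  UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
  UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
  UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
  when(mock.hasAccessToKey("testKey", u1,
      KeyOpType.MANAGEMENT)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", u2,
      KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", u3,
      KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", sudo,
      KeyOpType.ALL)).thenReturn(true);
  final KeyProviderCryptoExtension kpExt =
      new KeyAuthorizationKeyProvider(
          KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp),
          mock);
  // Test key material is drawn with nextBytes() instead of SecureRandom.getSeed():
  // getSeed() goes through the seed generator, which can block on entropy-starved
  // hosts and stall the test; the material only needs to be unpredictable.
  final SecureRandom rng = new SecureRandom();

  sudo.doAs(
      new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
          Options opt = newOptions(conf);
          Map<String, String> m = new HashMap<String, String>();
          m.put("key.acl.name", "testKey");
          opt.setAttributes(m);
          final byte[] initialMaterial = new byte[16];
          rng.nextBytes(initialMaterial);
          KeyVersion kv = kpExt.createKey("foo", initialMaterial, opt);
          kpExt.rollNewVersion(kv.getName());
          // Separate array: the provider may retain the reference it was given.
          final byte[] rolledMaterial = new byte[16];
          rng.nextBytes(rolledMaterial);
          kpExt.rollNewVersion(kv.getName(), rolledMaterial);
          EncryptedKeyVersion ekv = kpExt.generateEncryptedKey(kv.getName());
          // Tamper with the key name only; version name, IV and material are kept.
          ekv = EncryptedKeyVersion.createForDecryption(
              ekv.getEncryptionKeyName() + "x",
              ekv.getEncryptionKeyVersionName(),
              ekv.getEncryptedKeyIv(),
              ekv.getEncryptedKeyVersion().getMaterial());
          kpExt.decryptEncryptedKey(ekv);
          return null;
        }
      }
  );
}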
 
Example 18
Source Project: ranger   Source File: KMSAudit.java    License: Apache License 2.0
/**
 * Records an UNAUTHORIZED audit event for {@code user} attempting {@code op} on
 * {@code key}. The fifth and sixth arguments to {@code op(...)} are fixed at
 * "Unknown" and "" — presumably the remote host and an extra message; confirm
 * against op(). Callers that know the client address should consider calling
 * op() directly so the audit record is attributable.
 *
 * @param user the denied principal
 * @param op the operation that was denied
 * @param key the key the operation targeted
 */
public void unauthorized(UserGroupInformation user, KeyOpType op,String key) {
  final String unknownOrigin = "Unknown";
  final String noExtraMessage = "";
  op(OpStatus.UNAUTHORIZED, op, user, key, unknownOrigin, noExtraMessage);
}
 
Example 19
Source Project: ranger   Source File: KMSACLs.java    License: Apache License 2.0
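/**
 * Reports whether any ACL could apply to {@code keyName} for {@code opType}:
 * a per-key ACL map for the key, a default ACL for the operation, or a
 * whitelist ACL for the operation. The whitelist is consulted here because
 * hasAccessToKey in this class also grants through {@code whitelistKeyAcls};
 * without it, an operation whose only applicable ACL is a whitelist entry would
 * be reported as having no ACL at all. This matches the Hadoop implementation of
 * the same method. The per-key test is by key name only, so a key whose map
 * lacks this operation still counts as "present" even though hasAccessToKey
 * would deny it.
 *
 * @param keyName the key name
 * @param opType the operation
 * @return true if one of the three sources has an entry
 */
@Override
public boolean isACLPresent(String keyName, KeyOpType opType) {
  return keyAcls.containsKey(keyName)
      || defaultKeyAcls.containsKey(opType)
      || whitelistKeyAcls.containsKey(opType);
}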
 
Example 20
Source Project: ranger   Source File: TestKeyAuthorizationKeyProvider.java    License: Apache License 2.0
/**
 * Decrypting an encrypted key whose encryption-key name does not match the key
 * version it claims to come from (the real name with an "x" appended) must be
 * rejected with {@link IllegalArgumentException}. Only "sudo", which the mocked
 * ACLs grant {@code ALL} on "testKey", performs operations; u1/u2/u3 are stubbed
 * but not exercised here. Key material comes from the shared SECURE_RANDOM via
 * nextBytes().
 *
 * @throws Exception the expected IllegalArgumentException, or any setup failure
 */
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  final KeyProvider backing =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);

  final KeyACLs acls = mock(KeyACLs.class);
  for (KeyOpType op : new KeyOpType[] {
      KeyOpType.MANAGEMENT, KeyOpType.GENERATE_EEK,
      KeyOpType.DECRYPT_EEK, KeyOpType.ALL }) {
    when(acls.isACLPresent("testKey", op)).thenReturn(true);
  }

  final UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  final UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
  final UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
  final UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
  when(acls.hasAccessToKey("testKey", u1, KeyOpType.MANAGEMENT)).thenReturn(true);
  when(acls.hasAccessToKey("testKey", u2, KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(acls.hasAccessToKey("testKey", u3, KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(acls.hasAccessToKey("testKey", sudo, KeyOpType.ALL)).thenReturn(true);

  final KeyProviderCryptoExtension kpExt =
      new KeyAuthorizationKeyProvider(
          KeyProviderCryptoExtension.createKeyProviderCryptoExtension(backing),
          acls);

  sudo.doAs(
      new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
          final Options opt = newOptions(conf);
          final Map<String, String> attrs = new HashMap<String, String>();
          attrs.put("key.acl.name", "testKey");
          opt.setAttributes(attrs);

          final byte[] initialMaterial = new byte[16];
          SECURE_RANDOM.nextBytes(initialMaterial);
          final KeyVersion kv = kpExt.createKey("foo", initialMaterial, opt);
          kpExt.rollNewVersion(kv.getName());

          // Separate array: the provider may retain the reference it was given.
          final byte[] rolledMaterial = new byte[16];
          SECURE_RANDOM.nextBytes(rolledMaterial);
          kpExt.rollNewVersion(kv.getName(), rolledMaterial);

          final EncryptedKeyVersion genuine = kpExt.generateEncryptedKey(kv.getName());
          // Tamper with the key name only; version name, IV and material are kept.
          final EncryptedKeyVersion tampered = EncryptedKeyVersion.createForDecryption(
              genuine.getEncryptionKeyName() + "x",
              genuine.getEncryptionKeyVersionName(),
              genuine.getEncryptedKeyIv(),
              genuine.getEncryptedKeyVersion().getMaterial());
          kpExt.decryptEncryptedKey(tampered);
          return null;
        }
      }
  );
}
 
Example 21
Source Project: ranger   Source File: RangerKmsAuthorizer.java    License: Apache License 2.0
/**
 * Always reports that an ACL exists, for any key and any operation. Together
 * with an authorizer that grants everything, this makes the ACL-presence check
 * that callers such as KeyAuthorizationKeyProvider perform (see the mocked
 * isACLPresent calls in the tests on this page) a no-op; authorization is
 * presumably enforced elsewhere — confirm before deploying this variant.
 *
 * @param keyName the key name (ignored)
 * @param opType the operation (ignored)
 * @return always true
 */
@Override
public boolean isACLPresent(String keyName, KeyOpType opType) {
  final boolean alwaysPresent = true;
  return alwaysPresent;
}