Java Code Examples for org.apache.hadoop.fs.FileEncryptionInfo

The following examples show how to use org.apache.hadoop.fs.FileEncryptionInfo. They are extracted from open-source projects; the original project and source file for each example are named in the header above it, and related API usage is listed in the sidebar.
Example 1
Source Project: hadoop-ozone   Source File: OzoneKMSUtil.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Unwraps the encrypted data encryption key (EDEK) recorded in
 * {@code feInfo} through the supplied {@link KeyProvider}.
 *
 * The provider's crypto extension does the actual decryption; the
 * plaintext key version it returns is handed straight back, so the
 * caller owns the lifetime of that key material.
 *
 * @param feInfo      per-file encryption metadata (key name, EZ key
 *                    version name, IV and EDEK bytes)
 * @param keyProvider provider to unwrap with; {@code null} is rejected
 * @return the decrypted data encryption key version
 * @throws IOException if no provider is configured, or wrapping any
 *                     {@link GeneralSecurityException} from the provider
 */
public static KeyProvider.KeyVersion decryptEncryptedDataEncryptionKey(
    FileEncryptionInfo feInfo, KeyProvider keyProvider) throws IOException {
  if (keyProvider == null) {
    throw new IOException("No KeyProvider is configured, " +
        "cannot access an encrypted file");
  }
  // Rebuild the EDEK handle from the four fields stored with the file.
  final EncryptedKeyVersion edek = EncryptedKeyVersion.createForDecryption(
      feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
      feInfo.getEncryptedDataEncryptionKey());
  try {
    final KeyProviderCryptoExtension extension =
        KeyProviderCryptoExtension.createKeyProviderCryptoExtension(
            keyProvider);
    return extension.decryptEncryptedKey(edek);
  } catch (GeneralSecurityException gse) {
    // Callers deal in IOException; keep the cause chained for diagnosis.
    throw new IOException(gse);
  }
}
 
Example 2
Source Project: hadoop-ozone   Source File: OzoneKMSUtil.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Looks up the {@link CryptoCodec} matching the cipher suite named in
 * {@code feInfo}, using the codec classes configured under
 * {@code hadoop.security.crypto.codec.classes}.
 *
 * @param conf   Ozone configuration, bridged to a Hadoop Configuration
 *               for the codec lookup
 * @param feInfo per-file encryption metadata carrying the cipher suite
 * @return a codec for the suite; never {@code null}
 * @throws IOException if the suite is {@code UNKNOWN}
 * @throws OMException with {@code UNKNOWN_CIPHER_SUITE} if no codec is
 *                     configured for the suite
 */
public static CryptoCodec getCryptoCodec(ConfigurationSource conf,
    FileEncryptionInfo feInfo) throws IOException {
  final CipherSuite suite = feInfo.getCipherSuite();
  if (suite.equals(CipherSuite.UNKNOWN)) {
    throw new IOException("NameNode specified unknown CipherSuite with ID " +
            suite.getUnknownValue() + ", cannot instantiate CryptoCodec.");
  }
  final Configuration hadoopConfig =
      LegacyHadoopConfigurationSource.asHadoopConfiguration(conf);
  final CryptoCodec codec = CryptoCodec.getInstance(hadoopConfig, suite);
  if (codec != null) {
    return codec;
  }
  // A known suite with no configured implementation is an OM-level error.
  throw new OMException("No configuration found for the cipher suite " +
          suite.getConfigSuffix() + " prefixed with " +
          "hadoop.security.crypto.codec.classes. Please see the" +
          " example configuration hadoop.security.crypto.codec.classes." +
          "EXAMPLE CIPHER SUITE at core-default.xml for details.",
          OMException.ResultCodes.UNKNOWN_CIPHER_SUITE);
}
 
Example 3
Source Project: hadoop-ozone   Source File: KeyManagerImpl.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Builds the {@link OmKeyInfo} for a key being (re)written.
 *
 * Multipart keys are delegated to {@code prepareMultipartKeyInfo}. For an
 * existing non-multipart key, the stored entry is loaded and the new
 * block locations are appended as a fresh version. A brand-new
 * non-multipart key yields {@code null} here; the caller is expected to
 * create it separately.
 *
 * @param keyArgs   client-supplied key arguments
 * @param dbKeyName key-table lookup name
 * @param size      bytes being added in this write
 * @param locations block locations for the new version
 * @param encInfo   per-file encryption info, passed through to the
 *                  multipart path only
 * @return the prepared key info, or {@code null} when no entry exists
 * @throws IOException on key-table access failure
 */
private OmKeyInfo prepareKeyInfo(
    OmKeyArgs keyArgs, String dbKeyName, long size,
    List<OmKeyLocationInfo> locations, FileEncryptionInfo encInfo)
    throws IOException {
  OmKeyInfo prepared;
  if (keyArgs.getIsMultipartKey()) {
    prepared = prepareMultipartKeyInfo(keyArgs, size, locations, encInfo);
  } else if (metadataManager.getKeyTable().isExist(dbKeyName)) {
    prepared = metadataManager.getKeyTable().get(dbKeyName);
    // Existing key: append the blocks as a new version. An empty
    // locations list yields a version identical to the previous one.
    prepared.addNewVersion(locations, true);
    prepared.setDataSize(size + prepared.getDataSize());
  } else {
    prepared = null;
  }
  if (prepared == null) {
    return null;
  }
  prepared.setMetadata(keyArgs.getMetadata());
  return prepared;
}
 
Example 4
Source Project: hadoop-ozone   Source File: KeyManagerImpl.java    License: Apache License 2.0 6 votes vote down vote up
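/**
 * Builds the {@link OmKeyInfo} that represents a directory entry.
 *
 * The key name is normalised to end with a slash, the entry carries no
 * blocks and zero size, and it inherits the bucket's encryption info so a
 * directory created inside an encrypted bucket is marked like its files.
 *
 * Fix: {@code Time.now()} is sampled once so creation and modification
 * time are guaranteed identical for a freshly created directory; the
 * original called it twice and the two values could differ by a tick.
 *
 * @param volumeName owning volume
 * @param bucketName owning bucket; must exist
 * @param keyName    directory name, with or without a trailing slash
 * @param acls       ACLs to attach to the entry
 * @return the directory key info (not yet persisted)
 * @throws IOException if the bucket cannot be resolved or the encryption
 *                     info cannot be obtained
 */
private OmKeyInfo createDirectoryKey(String volumeName, String bucketName,
    String keyName, List<OzoneAcl> acls) throws IOException {
  // verify bucket exists
  final OmBucketInfo bucketInfo = getBucketInfo(volumeName, bucketName);

  final String dir = OzoneFSUtils.addTrailingSlashIfNeeded(keyName);
  final FileEncryptionInfo encInfo = getFileEncryptionInfo(bucketInfo);
  // One timestamp for both fields: a new directory has never been modified.
  final long now = Time.now();
  return new OmKeyInfo.Builder()
      .setVolumeName(volumeName)
      .setBucketName(bucketName)
      .setKeyName(dir)
      // A directory has no data, hence a single empty location group.
      .setOmKeyLocationInfos(Collections.singletonList(
          new OmKeyLocationInfoGroup(0, new ArrayList<>())))
      .setCreationTime(now)
      .setModificationTime(now)
      .setDataSize(0)
      .setReplicationType(ReplicationType.RATIS)
      .setReplicationFactor(ReplicationFactor.ONE)
      .setFileEncryptionInfo(encInfo)
      .setAcls(acls)
      .build();
}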
 
Example 5
Source Project: hadoop   Source File: HdfsFileStatus.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Constructor.
 *
 * A {@code null} permission is replaced by the directory default when the
 * path is a directory or a symlink, and by the file default otherwise;
 * {@code null} owner or group become the empty string. All other
 * arguments are stored as given (the byte arrays are not copied).
 *
 * @param length the number of bytes the file has
 * @param isdir if the path is a directory
 * @param block_replication the replication factor (narrowed to short)
 * @param blocksize the block size
 * @param modification_time modification time
 * @param access_time access time
 * @param permission permission, or null for the type-specific default
 * @param owner the owner of the path, or null for ""
 * @param group the group of the path, or null for ""
 * @param symlink symlink target bytes, or null when not a symlink
 * @param path the local name in java UTF8 encoding the same as that in-memory
 * @param fileId the file id
 * @param childrenNum stored as-is
 * @param feInfo the file's encryption info
 * @param storagePolicy stored as-is
 */
public HdfsFileStatus(long length, boolean isdir, int block_replication,
    long blocksize, long modification_time, long access_time,
    FsPermission permission, String owner, String group, byte[] symlink,
    byte[] path, long fileId, int childrenNum, FileEncryptionInfo feInfo,
    byte storagePolicy) {
  this.length = length;
  this.isdir = isdir;
  this.block_replication = (short) block_replication;
  this.blocksize = blocksize;
  this.modification_time = modification_time;
  this.access_time = access_time;
  if (permission != null) {
    this.permission = permission;
  } else if (isdir || symlink != null) {
    // Directories and symlinks share the generic default mode.
    this.permission = FsPermission.getDefault();
  } else {
    this.permission = FsPermission.getFileDefault();
  }
  this.owner = owner != null ? owner : "";
  this.group = group != null ? group : "";
  this.symlink = symlink;
  this.path = path;
  this.fileId = fileId;
  this.childrenNum = childrenNum;
  this.feInfo = feInfo;
  this.storagePolicy = storagePolicy;
}
 
Example 6
Source Project: hadoop   Source File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Decrypts the EDEK carried in {@code feInfo} by consulting the
 * KeyProvider attached to this client.
 *
 * The work runs inside a "decryptEDEK" trace span so the unwrap is
 * visible in client traces; the span is closed on every exit path.
 *
 * @param feInfo per-file encryption metadata carrying the EDEK
 * @return the decrypted data encryption key version
 * @throws IOException if no KeyProvider is configured, or wrapping a
 *                     {@link GeneralSecurityException} from the provider
 */
private KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo
    feInfo) throws IOException {
  final TraceScope edekSpan = Trace.startSpan("decryptEDEK", traceSampler);
  try {
    final KeyProvider keyProvider = getKeyProvider();
    if (keyProvider == null) {
      throw new IOException("No KeyProvider is configured, cannot access" +
          " an encrypted file");
    }
    final EncryptedKeyVersion edek = EncryptedKeyVersion.createForDecryption(
        feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
        feInfo.getEncryptedDataEncryptionKey());
    try {
      return KeyProviderCryptoExtension
          .createKeyProviderCryptoExtension(keyProvider)
          .decryptEncryptedKey(edek);
    } catch (GeneralSecurityException gse) {
      // Chain the cause; callers only see IOException.
      throw new IOException(gse);
    }
  } finally {
    edekSpan.close();
  }
}
 
Example 7
Source Project: hadoop   Source File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Obtains a CryptoCodec for the CipherSuite named in a FileEncryptionInfo,
 * using the codec classes configured in the Configuration.
 *
 * @param conf   Configuration
 * @param feInfo FileEncryptionInfo
 * @return CryptoCodec, never {@code null}
 * @throws IOException                 if the suite is {@code UNKNOWN}
 * @throws UnknownCipherSuiteException if no codec is configured for the
 *                                     suite
 */
private static CryptoCodec getCryptoCodec(Configuration conf,
    FileEncryptionInfo feInfo) throws IOException {
  final CipherSuite suite = feInfo.getCipherSuite();
  if (suite.equals(CipherSuite.UNKNOWN)) {
    final String unknownMsg = "NameNode specified unknown CipherSuite with ID "
        + suite.getUnknownValue() + ", cannot instantiate CryptoCodec.";
    throw new IOException(unknownMsg);
  }
  final CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
  if (codec != null) {
    return codec;
  }
  // Known suite but nothing configured under the codec-classes prefix.
  final String missingMsg = "No configuration found for the cipher suite "
      + suite.getConfigSuffix() + " prefixed with "
      + HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX
      + ". Please see the example configuration "
      + "hadoop.security.crypto.codec.classes.EXAMPLECIPHERSUITE "
      + "at core-default.xml for details.";
  throw new UnknownCipherSuiteException(missingMsg);
}
 
Example 8
Source Project: hadoop   Source File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Wraps the stream in a CryptoInputStream when the underlying file is
 * encrypted, otherwise returns it as a plain HdfsDataInputStream.
 *
 * For an encrypted file the crypto protocol version is checked first,
 * then the codec is resolved and the EDEK unwrapped; the decrypted key
 * material and the file's IV feed the CryptoInputStream.
 *
 * @param dfsis the raw input stream
 * @return a stream that yields plaintext
 * @throws IOException if the version check, codec lookup or EDEK
 *                     decryption fails
 */
public HdfsDataInputStream createWrappedInputStream(DFSInputStream dfsis)
    throws IOException {
  final FileEncryptionInfo feInfo = dfsis.getFileEncryptionInfo();
  if (feInfo == null) {
    // No FileEncryptionInfo so no encryption.
    return new HdfsDataInputStream(dfsis);
  }
  // Currently only one version, so no special logic based on the version #;
  // the call is kept for its check, the returned value is unused.
  getCryptoProtocolVersion(feInfo);
  final CryptoCodec codec = getCryptoCodec(conf, feInfo);
  final KeyVersion dek = decryptEncryptedDataEncryptionKey(feInfo);
  return new HdfsDataInputStream(new CryptoInputStream(
      dfsis, codec, dek.getMaterial(), feInfo.getIV()));
}
 
Example 9
Source Project: hadoop   Source File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Wraps the stream in a CryptoOutputStream when the underlying file is
 * encrypted, otherwise returns it as a plain HdfsDataOutputStream.
 *
 * @param dfsos      the raw output stream
 * @param statistics filesystem statistics to account writes against
 * @param startPos   byte offset the stream starts at (also the crypto
 *                   stream offset, so the IV counter lines up)
 * @return a stream that accepts plaintext
 * @throws IOException if the version check, codec lookup or EDEK
 *                     decryption fails
 */
public HdfsDataOutputStream createWrappedOutputStream(DFSOutputStream dfsos,
    FileSystem.Statistics statistics, long startPos) throws IOException {
  final FileEncryptionInfo feInfo = dfsos.getFileEncryptionInfo();
  if (feInfo == null) {
    // No FileEncryptionInfo present so no encryption.
    return new HdfsDataOutputStream(dfsos, statistics, startPos);
  }
  // Currently only one version, so no special logic based on the version #;
  // the call is kept for its check, the returned value is unused.
  getCryptoProtocolVersion(feInfo);
  final CryptoCodec codec = getCryptoCodec(conf, feInfo);
  final KeyVersion dek = decryptEncryptedDataEncryptionKey(feInfo);
  final CryptoOutputStream cryptoOut = new CryptoOutputStream(
      dfsos, codec, dek.getMaterial(), feInfo.getIV(), startPos);
  return new HdfsDataOutputStream(cryptoOut, statistics, startPos);
}
 
Example 10
Source Project: hadoop   Source File: FSDirectory.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Sets the FileEncryptionInfo for an INode by storing it as the
 * {@code CRYPTO_XATTR_FILE_ENCRYPTION_INFO} xattr.
 *
 * The info is serialised to its protobuf form and written under the
 * directory write lock with {@code XAttrSetFlag.CREATE}, i.e. the xattr is
 * expected not to exist yet.
 *
 * @param src  path of the INode
 * @param info encryption info to persist
 * @throws IOException if the xattr cannot be set
 */
void setFileEncryptionInfo(String src, FileEncryptionInfo info)
    throws IOException {
  // Serialise the info into the xattr payload.
  final byte[] encoded = PBHelper.convertPerFileEncInfo(info).toByteArray();
  final XAttr encryptionXAttr =
      XAttrHelper.buildXAttr(CRYPTO_XATTR_FILE_ENCRYPTION_INFO, encoded);
  final List<XAttr> toSet = Lists.newArrayList(encryptionXAttr);

  writeLock();
  try {
    FSDirXAttrOp.unprotectedSetXAttrs(this, src, toSet,
        EnumSet.of(XAttrSetFlag.CREATE));
  } finally {
    writeUnlock();
  }
}
 
Example 11
Source Project: hadoop   Source File: TestEncryptionZones.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Stubs {@code ClientProtocol.create} on the mock to return a file status
 * whose FileEncryptionInfo uses the given suite and protocol version.
 *
 * The EDEK and IV are zero-filled arrays of the suite's block size and the
 * key names are placeholders; this only exercises the client's handling of
 * encryption metadata, not real key material.
 *
 * @param mcp     mocked client protocol
 * @param suite   cipher suite to advertise
 * @param version crypto protocol version to advertise
 */
@SuppressWarnings("unchecked")
private static void mockCreate(ClientProtocol mcp,
    CipherSuite suite, CryptoProtocolVersion version) throws Exception {
  final int blockSize = suite.getAlgorithmBlockSize();
  final FileEncryptionInfo fakeEncInfo = new FileEncryptionInfo(suite,
      version, new byte[blockSize], new byte[blockSize],
      "fakeKey", "fakeVersion");
  final HdfsFileStatus fakeStatus = new HdfsFileStatus(0, false, 1, 1024,
      0, 0, new FsPermission((short) 777), "owner", "group",
      new byte[0], new byte[0], 1010, 0, fakeEncInfo, (byte) 0);
  Mockito.doReturn(fakeStatus)
      .when(mcp)
      .create(anyString(), (FsPermission) anyObject(), anyString(),
          (EnumSetWritable<CreateFlag>) anyObject(), anyBoolean(),
          anyShort(), anyLong(), (CryptoProtocolVersion[]) anyObject());
}
 
Example 12
Source Project: big-c   Source File: HdfsFileStatus.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Constructor.
 *
 * A {@code null} permission is replaced by the directory default when the
 * path is a directory or a symlink, and by the file default otherwise;
 * {@code null} owner or group become the empty string. All other
 * arguments are stored as given (the byte arrays are not copied).
 *
 * @param length the number of bytes the file has
 * @param isdir if the path is a directory
 * @param block_replication the replication factor (narrowed to short)
 * @param blocksize the block size
 * @param modification_time modification time
 * @param access_time access time
 * @param permission permission, or null for the type-specific default
 * @param owner the owner of the path, or null for ""
 * @param group the group of the path, or null for ""
 * @param symlink symlink target bytes, or null when not a symlink
 * @param path the local name in java UTF8 encoding the same as that in-memory
 * @param fileId the file id
 * @param childrenNum stored as-is
 * @param feInfo the file's encryption info
 * @param storagePolicy stored as-is
 */
public HdfsFileStatus(long length, boolean isdir, int block_replication,
    long blocksize, long modification_time, long access_time,
    FsPermission permission, String owner, String group, byte[] symlink,
    byte[] path, long fileId, int childrenNum, FileEncryptionInfo feInfo,
    byte storagePolicy) {
  this.length = length;
  this.isdir = isdir;
  this.block_replication = (short) block_replication;
  this.blocksize = blocksize;
  this.modification_time = modification_time;
  this.access_time = access_time;
  if (permission != null) {
    this.permission = permission;
  } else if (isdir || symlink != null) {
    // Directories and symlinks share the generic default mode.
    this.permission = FsPermission.getDefault();
  } else {
    this.permission = FsPermission.getFileDefault();
  }
  this.owner = owner != null ? owner : "";
  this.group = group != null ? group : "";
  this.symlink = symlink;
  this.path = path;
  this.fileId = fileId;
  this.childrenNum = childrenNum;
  this.feInfo = feInfo;
  this.storagePolicy = storagePolicy;
}
 
Example 13
Source Project: big-c   Source File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Decrypts the EDEK carried in {@code feInfo} by consulting the
 * KeyProvider attached to this client.
 *
 * The work runs inside a "decryptEDEK" trace span so the unwrap is
 * visible in client traces; the span is closed on every exit path.
 *
 * @param feInfo per-file encryption metadata carrying the EDEK
 * @return the decrypted data encryption key version
 * @throws IOException if no KeyProvider is configured, or wrapping a
 *                     {@link GeneralSecurityException} from the provider
 */
private KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo
    feInfo) throws IOException {
  final TraceScope edekSpan = Trace.startSpan("decryptEDEK", traceSampler);
  try {
    final KeyProvider keyProvider = getKeyProvider();
    if (keyProvider == null) {
      throw new IOException("No KeyProvider is configured, cannot access" +
          " an encrypted file");
    }
    final EncryptedKeyVersion edek = EncryptedKeyVersion.createForDecryption(
        feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
        feInfo.getEncryptedDataEncryptionKey());
    try {
      return KeyProviderCryptoExtension
          .createKeyProviderCryptoExtension(keyProvider)
          .decryptEncryptedKey(edek);
    } catch (GeneralSecurityException gse) {
      // Chain the cause; callers only see IOException.
      throw new IOException(gse);
    }
  } finally {
    edekSpan.close();
  }
}
 
Example 14
Source Project: big-c   Source File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Obtains a CryptoCodec for the CipherSuite named in a FileEncryptionInfo,
 * using the codec classes configured in the Configuration.
 *
 * @param conf   Configuration
 * @param feInfo FileEncryptionInfo
 * @return CryptoCodec, never {@code null}
 * @throws IOException                 if the suite is {@code UNKNOWN}
 * @throws UnknownCipherSuiteException if no codec is configured for the
 *                                     suite
 */
private static CryptoCodec getCryptoCodec(Configuration conf,
    FileEncryptionInfo feInfo) throws IOException {
  final CipherSuite suite = feInfo.getCipherSuite();
  if (suite.equals(CipherSuite.UNKNOWN)) {
    final String unknownMsg = "NameNode specified unknown CipherSuite with ID "
        + suite.getUnknownValue() + ", cannot instantiate CryptoCodec.";
    throw new IOException(unknownMsg);
  }
  final CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
  if (codec != null) {
    return codec;
  }
  // Known suite but nothing configured under the codec-classes prefix.
  final String missingMsg = "No configuration found for the cipher suite "
      + suite.getConfigSuffix() + " prefixed with "
      + HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX
      + ". Please see the example configuration "
      + "hadoop.security.crypto.codec.classes.EXAMPLECIPHERSUITE "
      + "at core-default.xml for details.";
  throw new UnknownCipherSuiteException(missingMsg);
}
 
Example 15
Source Project: big-c   Source File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Wraps the stream in a CryptoInputStream when the underlying file is
 * encrypted, otherwise returns it as a plain HdfsDataInputStream.
 *
 * For an encrypted file the crypto protocol version is checked first,
 * then the codec is resolved and the EDEK unwrapped; the decrypted key
 * material and the file's IV feed the CryptoInputStream.
 *
 * @param dfsis the raw input stream
 * @return a stream that yields plaintext
 * @throws IOException if the version check, codec lookup or EDEK
 *                     decryption fails
 */
public HdfsDataInputStream createWrappedInputStream(DFSInputStream dfsis)
    throws IOException {
  final FileEncryptionInfo feInfo = dfsis.getFileEncryptionInfo();
  if (feInfo == null) {
    // No FileEncryptionInfo so no encryption.
    return new HdfsDataInputStream(dfsis);
  }
  // Currently only one version, so no special logic based on the version #;
  // the call is kept for its check, the returned value is unused.
  getCryptoProtocolVersion(feInfo);
  final CryptoCodec codec = getCryptoCodec(conf, feInfo);
  final KeyVersion dek = decryptEncryptedDataEncryptionKey(feInfo);
  return new HdfsDataInputStream(new CryptoInputStream(
      dfsis, codec, dek.getMaterial(), feInfo.getIV()));
}
 
Example 16
Source Project: big-c   Source File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Wraps the stream in a CryptoOutputStream when the underlying file is
 * encrypted, otherwise returns it as a plain HdfsDataOutputStream.
 *
 * @param dfsos      the raw output stream
 * @param statistics filesystem statistics to account writes against
 * @param startPos   byte offset the stream starts at (also the crypto
 *                   stream offset, so the IV counter lines up)
 * @return a stream that accepts plaintext
 * @throws IOException if the version check, codec lookup or EDEK
 *                     decryption fails
 */
public HdfsDataOutputStream createWrappedOutputStream(DFSOutputStream dfsos,
    FileSystem.Statistics statistics, long startPos) throws IOException {
  final FileEncryptionInfo feInfo = dfsos.getFileEncryptionInfo();
  if (feInfo == null) {
    // No FileEncryptionInfo present so no encryption.
    return new HdfsDataOutputStream(dfsos, statistics, startPos);
  }
  // Currently only one version, so no special logic based on the version #;
  // the call is kept for its check, the returned value is unused.
  getCryptoProtocolVersion(feInfo);
  final CryptoCodec codec = getCryptoCodec(conf, feInfo);
  final KeyVersion dek = decryptEncryptedDataEncryptionKey(feInfo);
  final CryptoOutputStream cryptoOut = new CryptoOutputStream(
      dfsos, codec, dek.getMaterial(), feInfo.getIV(), startPos);
  return new HdfsDataOutputStream(cryptoOut, statistics, startPos);
}
 
Example 17
Source Project: big-c   Source File: FSDirectory.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Sets the FileEncryptionInfo for an INode by storing it as the
 * {@code CRYPTO_XATTR_FILE_ENCRYPTION_INFO} xattr.
 *
 * The info is serialised to its protobuf form and written under the
 * directory write lock with {@code XAttrSetFlag.CREATE}, i.e. the xattr is
 * expected not to exist yet.
 *
 * @param src  path of the INode
 * @param info encryption info to persist
 * @throws IOException if the xattr cannot be set
 */
void setFileEncryptionInfo(String src, FileEncryptionInfo info)
    throws IOException {
  // Serialise the info into the xattr payload.
  final byte[] encoded = PBHelper.convertPerFileEncInfo(info).toByteArray();
  final XAttr encryptionXAttr =
      XAttrHelper.buildXAttr(CRYPTO_XATTR_FILE_ENCRYPTION_INFO, encoded);
  final List<XAttr> toSet = Lists.newArrayList(encryptionXAttr);

  writeLock();
  try {
    FSDirXAttrOp.unprotectedSetXAttrs(this, src, toSet,
        EnumSet.of(XAttrSetFlag.CREATE));
  } finally {
    writeUnlock();
  }
}
 
Example 18
Source Project: big-c   Source File: TestEncryptionZones.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Stubs {@code ClientProtocol.create} on the mock to return a file status
 * whose FileEncryptionInfo uses the given suite and protocol version.
 *
 * The EDEK and IV are zero-filled arrays of the suite's block size and the
 * key names are placeholders; this only exercises the client's handling of
 * encryption metadata, not real key material.
 *
 * @param mcp     mocked client protocol
 * @param suite   cipher suite to advertise
 * @param version crypto protocol version to advertise
 */
@SuppressWarnings("unchecked")
private static void mockCreate(ClientProtocol mcp,
    CipherSuite suite, CryptoProtocolVersion version) throws Exception {
  final int blockSize = suite.getAlgorithmBlockSize();
  final FileEncryptionInfo fakeEncInfo = new FileEncryptionInfo(suite,
      version, new byte[blockSize], new byte[blockSize],
      "fakeKey", "fakeVersion");
  final HdfsFileStatus fakeStatus = new HdfsFileStatus(0, false, 1, 1024,
      0, 0, new FsPermission((short) 777), "owner", "group",
      new byte[0], new byte[0], 1010, 0, fakeEncInfo, (byte) 0);
  Mockito.doReturn(fakeStatus)
      .when(mcp)
      .create(anyString(), (FsPermission) anyObject(), anyString(),
          (EnumSetWritable<CreateFlag>) anyObject(), anyBoolean(),
          anyShort(), anyLong(), (CryptoProtocolVersion[]) anyObject());
}
 
Example 19
/**
 * Wraps the stream in a CryptoInputStream when the underlying file is
 * encrypted, otherwise returns it as a plain HdfsDataInputStream.
 *
 * @param dfsis the raw input stream
 * @return a stream that yields plaintext
 * @throws IOException if the version check, codec lookup or EDEK
 *                     decryption fails
 */
public HdfsDataInputStream createWrappedInputStream(DFSInputStream dfsis)
        throws IOException {
    final FileEncryptionInfo feInfo = dfsis.getFileEncryptionInfo();
    if (feInfo == null) {
        // No FileEncryptionInfo so no encryption.
        return new HdfsDataInputStream(dfsis);
    }
    // Currently only one version, so no special logic based on the version #;
    // the call is kept for its check, the returned value is unused.
    getCryptoProtocolVersion(feInfo);
    final CryptoCodec codec = getCryptoCodec(getConfiguration(), feInfo);
    final KeyProvider.KeyVersion dek =
            decryptEncryptedDataEncryptionKey(dfsis, feInfo);
    return new HdfsDataInputStream(new CryptoInputStream(
            dfsis, codec, dek.getMaterial(), feInfo.getIV()));
}
 
Example 20
/**
 * Obtains a CryptoCodec for the CipherSuite named in a FileEncryptionInfo,
 * using the codec classes configured in the Configuration.
 *
 * @param conf   Configuration
 * @param feInfo FileEncryptionInfo
 * @return CryptoCodec, never {@code null}
 * @throws IOException                 if the suite is {@code UNKNOWN}
 * @throws UnknownCipherSuiteException if no codec is configured for the
 *                                     suite
 */
private static CryptoCodec getCryptoCodec(Configuration conf,
                                          FileEncryptionInfo feInfo) throws IOException {
    final CipherSuite suite = feInfo.getCipherSuite();
    if (suite.equals(CipherSuite.UNKNOWN)) {
        final String unknownMsg = "NameNode specified unknown CipherSuite with ID "
                + suite.getUnknownValue() + ", cannot instantiate CryptoCodec.";
        throw new IOException(unknownMsg);
    }
    final CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
    if (codec != null) {
        return codec;
    }
    // Known suite but nothing configured under the codec-classes prefix.
    final String missingMsg = "No configuration found for the cipher suite "
            + suite.getConfigSuffix() + " prefixed with "
            + HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX
            + ". Please see the example configuration "
            + "hadoop.security.crypto.codec.classes.EXAMPLECIPHERSUITE "
            + "at core-default.xml for details.";
    throw new UnknownCipherSuiteException(missingMsg);
}
 
Example 21
Source Project: spliceengine   Source File: HDFSUtil.java    License: GNU Affero General Public License v3.0 6 votes vote down vote up
/**
 * Decrypts the EDEK in {@code feInfo} using the KeyProvider of the given
 * DistributedFileSystem's DFSClient.
 *
 * @param dfs    filesystem whose client supplies the KeyProvider
 * @param feInfo per-file encryption metadata carrying the EDEK
 * @return the decrypted data encryption key version
 * @throws IOException if no KeyProvider is configured, or wrapping a
 *                     {@link GeneralSecurityException} from the provider
 */
private static KeyProvider.KeyVersion decryptEncryptedDataEncryptionKey(DistributedFileSystem dfs, FileEncryptionInfo feInfo) throws IOException {
    final KeyProvider keyProvider = dfs.dfs.getKeyProvider();
    if (keyProvider == null) {
        throw new IOException("No KeyProvider is configured, cannot access" +
                " an encrypted file");
    }
    final KeyProviderCryptoExtension.EncryptedKeyVersion edek =
            KeyProviderCryptoExtension.EncryptedKeyVersion.createForDecryption(
                    feInfo.getKeyName(), feInfo.getEzKeyVersionName(),
                    feInfo.getIV(), feInfo.getEncryptedDataEncryptionKey());
    try {
        return KeyProviderCryptoExtension
                .createKeyProviderCryptoExtension(keyProvider)
                .decryptEncryptedKey(edek);
    } catch (GeneralSecurityException gse) {
        // Chain the cause; callers only see IOException.
        throw new IOException(gse);
    }
}
 
Example 22
Source Project: hadoop-ozone   Source File: OzoneKMSUtil.java    License: Apache License 2.0 5 votes vote down vote up
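/**
 * Returns the crypto protocol version recorded in {@code feInfo}, after
 * verifying that this client supports it.
 *
 * Fix: the error message previously concatenated the number directly onto
 * "version number" (e.g. "version number1"); a separating space is added.
 *
 * @param feInfo per-file encryption metadata
 * @return the supported version
 * @throws IOException if the version is not one this client supports
 */
public static CryptoProtocolVersion getCryptoProtocolVersion(
    FileEncryptionInfo feInfo) throws IOException {
  final CryptoProtocolVersion version = feInfo.getCryptoProtocolVersion();
  if (!CryptoProtocolVersion.supports(version)) {
    throw new IOException("Client does not support specified " +
            "CryptoProtocolVersion " + version.getDescription() +
            " version number " + version.getVersion());
  }
  return version;
}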
 
Example 23
Source Project: hadoop-ozone   Source File: OzoneKMSUtil.java    License: Apache License 2.0 5 votes vote down vote up
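/**
 * Verifies that this client supports the crypto protocol version recorded
 * in {@code feInfo}; returns normally when it does.
 *
 * Fix: the error message previously concatenated the number directly onto
 * "version number" (e.g. "version number1"); a separating space is added.
 *
 * @param feInfo per-file encryption metadata
 * @throws IOException if the version is not one this client supports
 */
public static void checkCryptoProtocolVersion(
        FileEncryptionInfo feInfo) throws IOException {
  final CryptoProtocolVersion version = feInfo.getCryptoProtocolVersion();
  if (!CryptoProtocolVersion.supports(version)) {
    throw new IOException("Client does not support specified " +
            "CryptoProtocolVersion " + version.getDescription() +
            " version number " + version.getVersion());
  }
}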
 
Example 24
Source Project: hadoop-ozone   Source File: RpcClient.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Resolves the plaintext data encryption key for an encrypted key.
 *
 * The crypto protocol version is validated first; the EDEK is then
 * unwrapped through this client's KeyProvider.
 *
 * @param feInfo per-file encryption metadata carrying the EDEK
 * @return the decrypted data encryption key version
 * @throws IOException if the version is unsupported or the unwrap fails
 */
private KeyProvider.KeyVersion getDEK(FileEncryptionInfo feInfo)
    throws IOException {
  // check crypto protocol version
  OzoneKMSUtil.checkCryptoProtocolVersion(feInfo);
  return OzoneKMSUtil.decryptEncryptedDataEncryptionKey(feInfo,
      getKeyProvider());
}
 
Example 25
Source Project: hadoop-ozone   Source File: RpcClient.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Opens an {@link OzoneInputStream} for a key, decrypting on the fly when
 * the key is encrypted.
 *
 * Three cases, checked in this order:
 * <ul>
 *   <li>FileEncryptionInfo present: bucket-level (KMS) encryption. The DEK
 *       is unwrapped and a CryptoInputStream wraps the raw stream.</li>
 *   <li>Metadata {@code GDPR_FLAG} equal to "true" (case-insensitive, per
 *       {@link Boolean#valueOf(String)}): the symmetric secret and algorithm
 *       are read from the key's metadata and a CipherInputStream wraps the
 *       LengthInputStream itself. Any failure here surfaces as
 *       IOException.</li>
 *   <li>Otherwise the plain wrapped stream is returned.</li>
 * </ul>
 *
 * @param keyInfo       key to read
 * @param retryFunction used by KeyInputStream to refresh key info on retry
 * @return a stream yielding plaintext
 * @throws IOException if the stream cannot be opened or decryption set-up
 *                     fails
 */
private OzoneInputStream createInputStream(
    OmKeyInfo keyInfo, Function<OmKeyInfo, OmKeyInfo> retryFunction)
    throws IOException {
  final LengthInputStream rawStream = KeyInputStream
      .getFromOmKeyInfo(keyInfo, xceiverClientManager,
          verifyChecksum, retryFunction);
  final FileEncryptionInfo feInfo = keyInfo.getFileEncryptionInfo();
  if (feInfo != null) {
    // KMS-backed encryption: unwrap the DEK, then decrypt with the file IV.
    final KeyProvider.KeyVersion dek = getDEK(feInfo);
    final CryptoCodec codec = OzoneKMSUtil.getCryptoCodec(conf, feInfo);
    return new OzoneInputStream(new CryptoInputStream(
        rawStream.getWrappedStream(), codec, dek.getMaterial(),
        feInfo.getIV()));
  }
  try {
    final Map<String, String> metadata = keyInfo.getMetadata();
    // Boolean.valueOf: only the literal "true" (any case) takes this path.
    if (Boolean.valueOf(metadata.get(OzoneConsts.GDPR_FLAG))) {
      // Secret and algorithm come straight from the key's metadata map.
      final GDPRSymmetricKey gdprKey = new GDPRSymmetricKey(
          metadata.get(OzoneConsts.GDPR_SECRET),
          metadata.get(OzoneConsts.GDPR_ALGORITHM));
      gdprKey.getCipher().init(Cipher.DECRYPT_MODE, gdprKey.getSecretKey());
      // Note: wraps the LengthInputStream, not getWrappedStream() as above.
      return new OzoneInputStream(
          new CipherInputStream(rawStream, gdprKey.getCipher()));
    }
  } catch (Exception ex) {
    throw new IOException(ex);
  }
  return new OzoneInputStream(rawStream.getWrappedStream());
}
 
Example 26
Source Project: hadoop-ozone   Source File: OzoneKeyDetails.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Constructs OzoneKeyDetails from the fields of an OmKeyInfo.
 *
 * The common key attributes go to the {@code OzoneKey} superclass; the
 * locations, metadata map and encryption info are stored by reference
 * (no defensive copies are made).
 *
 * @param volumeName        owning volume
 * @param bucketName        owning bucket
 * @param keyName           key name
 * @param size              data size in bytes
 * @param creationTime      creation timestamp
 * @param modificationTime  modification timestamp
 * @param ozoneKeyLocations block locations of the key
 * @param type              replication type
 * @param metadata          user metadata map
 * @param feInfo            per-file encryption info, or null if unencrypted
 * @param replicationFactor replication factor
 */
@SuppressWarnings("parameternumber")
public OzoneKeyDetails(String volumeName, String bucketName, String keyName,
                       long size, long creationTime, long modificationTime,
                       List<OzoneKeyLocation> ozoneKeyLocations,
                       ReplicationType type, Map<String, String> metadata,
                       FileEncryptionInfo feInfo, int replicationFactor) {
  super(volumeName, bucketName, keyName, size, creationTime,
      modificationTime, type, replicationFactor);
  this.feInfo = feInfo;
  this.metadata = metadata;
  this.ozoneKeyLocations = ozoneKeyLocations;
}
 
Example 27
Source Project: hadoop-ozone   Source File: OmKeyInfo.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Package-private constructor used by the builder.
 *
 * Besides storing the fields, it asserts that {@code versions} is a
 * contiguous sequence numbered 0, 1, 2, ... in list order, rejecting
 * anything else with an IllegalArgumentException. Collections and the
 * encryption info are stored by reference.
 *
 * @param volumeName       owning volume
 * @param bucketName       owning bucket
 * @param keyName          key name
 * @param versions         location groups, ordered oldest to newest
 * @param dataSize         data size in bytes
 * @param creationTime     creation timestamp
 * @param modificationTime modification timestamp
 * @param type             replication type
 * @param factor           replication factor
 * @param metadata         user metadata map
 * @param encInfo          per-file encryption info, or null
 * @param acls             ACLs on the key
 * @param objectID         object id
 * @param updateID         update id
 */
@SuppressWarnings("parameternumber")
OmKeyInfo(String volumeName, String bucketName, String keyName,
    List<OmKeyLocationInfoGroup> versions, long dataSize,
    long creationTime, long modificationTime,
    HddsProtos.ReplicationType type,
    HddsProtos.ReplicationFactor factor,
    Map<String, String> metadata,
    FileEncryptionInfo encInfo, List<OzoneAcl> acls,
    long objectID, long updateID) {
  this.volumeName = volumeName;
  this.bucketName = bucketName;
  this.keyName = keyName;
  this.dataSize = dataSize;
  // Versions must be ordered old to new with no gaps. This check exists
  // only while versioning is still work in progress (see original TODO)
  // and can go once versioning is complete and proven.
  long expectedVersion = 0;
  for (OmKeyLocationInfoGroup group : versions) {
    Preconditions.checkArgument(expectedVersion == group.getVersion());
    expectedVersion = group.getVersion() + 1;
  }
  this.keyLocationVersions = versions;
  this.creationTime = creationTime;
  this.modificationTime = modificationTime;
  this.type = type;
  this.factor = factor;
  this.metadata = metadata;
  this.encInfo = encInfo;
  this.acls = acls;
  this.objectID = objectID;
  this.updateID = updateID;
}
 
Example 28
Source Project: hadoop-ozone   Source File: OMPBHelper.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Converts a FileEncryptionInfo into its protobuf wire form.
 *
 * Every field is copied: cipher suite, crypto protocol version, the EDEK
 * bytes, the IV, the EZ key version name and the key name. Note that the
 * EDEK travels in the proto; the plaintext DEK is never part of this
 * message.
 *
 * @param info the info to convert, may be null
 * @return the proto, or null when {@code info} is null
 */
public static FileEncryptionInfoProto convert(
    FileEncryptionInfo info) {
  if (info == null) {
    return null;
  }
  final OzoneManagerProtocolProtos.FileEncryptionInfoProto.Builder builder =
      OzoneManagerProtocolProtos.FileEncryptionInfoProto.newBuilder();
  builder.setSuite(convert(info.getCipherSuite()));
  builder.setCryptoProtocolVersion(convert(info.getCryptoProtocolVersion()));
  builder.setKey(getByteString(info.getEncryptedDataEncryptionKey()));
  builder.setIv(getByteString(info.getIV()));
  builder.setEzKeyVersionName(info.getEzKeyVersionName());
  builder.setKeyName(info.getKeyName());
  return builder.build();
}
 
Example 29
Source Project: hadoop-ozone   Source File: OMPBHelper.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Converts a FileEncryptionInfoProto back into a FileEncryptionInfo.
 *
 * Argument order of the FileEncryptionInfo constructor is (suite, version,
 * edek, iv, keyName, ezKeyVersionName); the two names are deliberately
 * passed in that order even though the proto lists them the other way.
 *
 * @param proto the proto to convert, may be null
 * @return the info, or null when {@code proto} is null
 */
public static FileEncryptionInfo convert(FileEncryptionInfoProto proto) {
  if (proto == null) {
    return null;
  }
  return new FileEncryptionInfo(
      convert(proto.getSuite()),
      convert(proto.getCryptoProtocolVersion()),
      proto.getKey().toByteArray(),
      proto.getIv().toByteArray(),
      proto.getKeyName(),
      proto.getEzKeyVersionName());
}
 
Example 30
Source Project: hadoop-ozone   Source File: OMKeyRequest.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Produces the per-file encryption info for a new key in the given bucket.
 *
 * When the bucket has an encryption key configured, a fresh EDEK is
 * generated under that key and packaged with the bucket's suite and
 * protocol version; the returned info therefore carries only wrapped key
 * material. Unencrypted buckets yield {@code Optional.absent()}.
 *
 * @param ozoneManager manager used to reach the KeyProvider
 * @param bucketInfo   bucket the key is created in
 * @return encryption info, or absent for an unencrypted bucket
 * @throws IOException if EDEK generation fails
 */
protected static Optional<FileEncryptionInfo> getFileEncryptionInfo(
    OzoneManager ozoneManager, OmBucketInfo bucketInfo) throws IOException {
  final BucketEncryptionKeyInfo bucketKey = bucketInfo.getEncryptionKeyInfo();
  if (bucketKey == null) {
    return Optional.absent();
  }
  final String ezKeyName = bucketKey.getKeyName();
  final EncryptedKeyVersion edek = generateEDEK(ozoneManager, ezKeyName);
  final FileEncryptionInfo info = new FileEncryptionInfo(
      bucketKey.getSuite(),
      bucketKey.getVersion(),
      edek.getEncryptedKeyVersion().getMaterial(),
      edek.getEncryptedKeyIv(),
      ezKeyName,
      edek.getEncryptionKeyVersionName());
  return Optional.of(info);
}