org.apache.hadoop.crypto.key.KeyProvider.KeyVersion Java Examples

The following examples show how to use org.apache.hadoop.crypto.key.KeyProvider.KeyVersion. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: DFSClient.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Wraps the stream in a CryptoInputStream if the underlying file is
 * encrypted.
 */
public HdfsDataInputStream createWrappedInputStream(DFSInputStream dfsis)
    throws IOException {
  final FileEncryptionInfo feInfo = dfsis.getFileEncryptionInfo();
  if (feInfo != null) {
    // File is encrypted, wrap the stream in a crypto stream.
    // Currently only one version, so no special logic based on the version #
    getCryptoProtocolVersion(feInfo);
    final CryptoCodec codec = getCryptoCodec(conf, feInfo);
    final KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo);
    final CryptoInputStream cryptoIn =
        new CryptoInputStream(dfsis, codec, decrypted.getMaterial(),
            feInfo.getIV());
    return new HdfsDataInputStream(cryptoIn);
  } else {
    // No FileEncryptionInfo so no encryption.
    return new HdfsDataInputStream(dfsis);
  }
}
 
Example #2
Source File: KMS.java    From big-c with Apache License 2.0 6 votes vote down vote up
@GET
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
    KMSRESTConstants.VERSIONS_SUB_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
public Response getKeyVersions(@PathParam("name") final String name)
    throws Exception {
  UserGroupInformation user = HttpUserGroupInformation.get();
  KMSClientProvider.checkNotEmpty(name, "name");
  KMSWebApp.getKeyCallsMeter().mark();
  assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSIONS, name);

  List<KeyVersion> ret = user.doAs(
      new PrivilegedExceptionAction<List<KeyVersion>>() {
        @Override
        public List<KeyVersion> run() throws Exception {
          return provider.getKeyVersions(name);
        }
      }
  );

  Object json = KMSServerJSONUtils.toJSON(ret);
  kmsAudit.ok(user, KMSOp.GET_KEY_VERSIONS, name, "");
  return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
}
 
Example #3
Source File: KMS.java    From big-c with Apache License 2.0 6 votes vote down vote up
@GET
@Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}")
@Produces(MediaType.APPLICATION_JSON)
public Response getKeyVersion(
    @PathParam("versionName") final String versionName) throws Exception {
  UserGroupInformation user = HttpUserGroupInformation.get();
  KMSClientProvider.checkNotEmpty(versionName, "versionName");
  KMSWebApp.getKeyCallsMeter().mark();
  assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSION);

  KeyVersion keyVersion = user.doAs(
      new PrivilegedExceptionAction<KeyVersion>() {
        @Override
        public KeyVersion run() throws Exception {
          return provider.getKeyVersion(versionName);
        }
      }
  );

  if (keyVersion != null) {
    kmsAudit.ok(user, KMSOp.GET_KEY_VERSION, keyVersion.getName(), "");
  }
  Object json = KMSServerJSONUtils.toJSON(keyVersion);
  return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
}
 
Example #4
Source File: KMS.java    From big-c with Apache License 2.0 6 votes vote down vote up
@GET
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
    KMSRESTConstants.CURRENT_VERSION_SUB_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
public Response getCurrentVersion(@PathParam("name") final String name)
    throws Exception {
  UserGroupInformation user = HttpUserGroupInformation.get();
  KMSClientProvider.checkNotEmpty(name, "name");
  KMSWebApp.getKeyCallsMeter().mark();
  assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_CURRENT_KEY, name);

  KeyVersion keyVersion = user.doAs(
      new PrivilegedExceptionAction<KeyVersion>() {
        @Override
        public KeyVersion run() throws Exception {
          return provider.getCurrentKey(name);
        }
      }
  );

  Object json = KMSServerJSONUtils.toJSON(keyVersion);
  kmsAudit.ok(user, KMSOp.GET_CURRENT_KEY, name, "");
  return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
}
 
Example #5
Source File: DFSClient.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Wraps the stream in a CryptoOutputStream if the underlying file is
 * encrypted.
 */
public HdfsDataOutputStream createWrappedOutputStream(DFSOutputStream dfsos,
    FileSystem.Statistics statistics, long startPos) throws IOException {
  final FileEncryptionInfo feInfo = dfsos.getFileEncryptionInfo();
  if (feInfo != null) {
    // File is encrypted, wrap the stream in a crypto stream.
    // Currently only one version, so no special logic based on the version #
    getCryptoProtocolVersion(feInfo);
    final CryptoCodec codec = getCryptoCodec(conf, feInfo);
    KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo);
    final CryptoOutputStream cryptoOut =
        new CryptoOutputStream(dfsos, codec,
            decrypted.getMaterial(), feInfo.getIV(), startPos);
    return new HdfsDataOutputStream(cryptoOut, statistics, startPos);
  } else {
    // No FileEncryptionInfo present so no encryption.
    return new HdfsDataOutputStream(dfsos, statistics, startPos);
  }
}
 
Example #6
Source File: DFSClient.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Wraps the stream in a CryptoInputStream if the underlying file is
 * encrypted.
 */
public HdfsDataInputStream createWrappedInputStream(DFSInputStream dfsis)
    throws IOException {
  final FileEncryptionInfo feInfo = dfsis.getFileEncryptionInfo();
  if (feInfo != null) {
    // File is encrypted, wrap the stream in a crypto stream.
    // Currently only one version, so no special logic based on the version #
    getCryptoProtocolVersion(feInfo);
    final CryptoCodec codec = getCryptoCodec(conf, feInfo);
    final KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo);
    final CryptoInputStream cryptoIn =
        new CryptoInputStream(dfsis, codec, decrypted.getMaterial(),
            feInfo.getIV());
    return new HdfsDataInputStream(cryptoIn);
  } else {
    // No FileEncryptionInfo so no encryption.
    return new HdfsDataInputStream(dfsis);
  }
}
 
Example #7
Source File: DFSClient.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Decrypts a EDEK by consulting the KeyProvider.
 */
private KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo
    feInfo) throws IOException {
  TraceScope scope = Trace.startSpan("decryptEDEK", traceSampler);
  try {
    KeyProvider provider = getKeyProvider();
    if (provider == null) {
      throw new IOException("No KeyProvider is configured, cannot access" +
          " an encrypted file");
    }
    EncryptedKeyVersion ekv = EncryptedKeyVersion.createForDecryption(
        feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
        feInfo.getEncryptedDataEncryptionKey());
    try {
      KeyProviderCryptoExtension cryptoProvider = KeyProviderCryptoExtension
          .createKeyProviderCryptoExtension(provider);
      return cryptoProvider.decryptEncryptedKey(ekv);
    } catch (GeneralSecurityException e) {
      throw new IOException(e);
    }
  } finally {
    scope.close();
  }
}
 
Example #8
Source File: KMS.java    From hadoop with Apache License 2.0 6 votes vote down vote up
@GET
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
    KMSRESTConstants.VERSIONS_SUB_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
public Response getKeyVersions(@PathParam("name") final String name)
    throws Exception {
  UserGroupInformation user = HttpUserGroupInformation.get();
  KMSClientProvider.checkNotEmpty(name, "name");
  KMSWebApp.getKeyCallsMeter().mark();
  assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSIONS, name);

  List<KeyVersion> ret = user.doAs(
      new PrivilegedExceptionAction<List<KeyVersion>>() {
        @Override
        public List<KeyVersion> run() throws Exception {
          return provider.getKeyVersions(name);
        }
      }
  );

  Object json = KMSServerJSONUtils.toJSON(ret);
  kmsAudit.ok(user, KMSOp.GET_KEY_VERSIONS, name, "");
  return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
}
 
Example #9
Source File: KMS.java    From hadoop with Apache License 2.0 6 votes vote down vote up
@GET
@Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}")
@Produces(MediaType.APPLICATION_JSON)
public Response getKeyVersion(
    @PathParam("versionName") final String versionName) throws Exception {
  UserGroupInformation user = HttpUserGroupInformation.get();
  KMSClientProvider.checkNotEmpty(versionName, "versionName");
  KMSWebApp.getKeyCallsMeter().mark();
  assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSION);

  KeyVersion keyVersion = user.doAs(
      new PrivilegedExceptionAction<KeyVersion>() {
        @Override
        public KeyVersion run() throws Exception {
          return provider.getKeyVersion(versionName);
        }
      }
  );

  if (keyVersion != null) {
    kmsAudit.ok(user, KMSOp.GET_KEY_VERSION, keyVersion.getName(), "");
  }
  Object json = KMSServerJSONUtils.toJSON(keyVersion);
  return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
}
 
Example #10
Source File: KMS.java    From hadoop with Apache License 2.0 6 votes vote down vote up
@GET
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
    KMSRESTConstants.CURRENT_VERSION_SUB_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
public Response getCurrentVersion(@PathParam("name") final String name)
    throws Exception {
  UserGroupInformation user = HttpUserGroupInformation.get();
  KMSClientProvider.checkNotEmpty(name, "name");
  KMSWebApp.getKeyCallsMeter().mark();
  assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_CURRENT_KEY, name);

  KeyVersion keyVersion = user.doAs(
      new PrivilegedExceptionAction<KeyVersion>() {
        @Override
        public KeyVersion run() throws Exception {
          return provider.getCurrentKey(name);
        }
      }
  );

  Object json = KMSServerJSONUtils.toJSON(keyVersion);
  kmsAudit.ok(user, KMSOp.GET_CURRENT_KEY, name, "");
  return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
}
 
Example #11
Source File: DFSClient.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Decrypts a EDEK by consulting the KeyProvider.
 */
private KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo
    feInfo) throws IOException {
  TraceScope scope = Trace.startSpan("decryptEDEK", traceSampler);
  try {
    KeyProvider provider = getKeyProvider();
    if (provider == null) {
      throw new IOException("No KeyProvider is configured, cannot access" +
          " an encrypted file");
    }
    EncryptedKeyVersion ekv = EncryptedKeyVersion.createForDecryption(
        feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
        feInfo.getEncryptedDataEncryptionKey());
    try {
      KeyProviderCryptoExtension cryptoProvider = KeyProviderCryptoExtension
          .createKeyProviderCryptoExtension(provider);
      return cryptoProvider.decryptEncryptedKey(ekv);
    } catch (GeneralSecurityException e) {
      throw new IOException(e);
    }
  } finally {
    scope.close();
  }
}
 
Example #12
Source File: DFSClient.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Wraps the stream in a CryptoOutputStream if the underlying file is
 * encrypted.
 */
public HdfsDataOutputStream createWrappedOutputStream(DFSOutputStream dfsos,
    FileSystem.Statistics statistics, long startPos) throws IOException {
  final FileEncryptionInfo feInfo = dfsos.getFileEncryptionInfo();
  if (feInfo != null) {
    // File is encrypted, wrap the stream in a crypto stream.
    // Currently only one version, so no special logic based on the version #
    getCryptoProtocolVersion(feInfo);
    final CryptoCodec codec = getCryptoCodec(conf, feInfo);
    KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo);
    final CryptoOutputStream cryptoOut =
        new CryptoOutputStream(dfsos, codec,
            decrypted.getMaterial(), feInfo.getIV(), startPos);
    return new HdfsDataOutputStream(cryptoOut, statistics, startPos);
  } else {
    // No FileEncryptionInfo present so no encryption.
    return new HdfsDataOutputStream(dfsos, statistics, startPos);
  }
}
 
Example #13
Source File: RangerKeyStoreProviderTest.java    From ranger with Apache License 2.0 5 votes vote down vote up
@Test
public void testCreateDeleteKey() throws Throwable {
	if (!UNRESTRICTED_POLICIES_INSTALLED) {
		return;
	}
	
    Path configDir = Paths.get("src/test/resources/kms");
    System.setProperty(KMSConfiguration.KMS_CONFIG_DIR, configDir.toFile().getAbsolutePath());

    Configuration conf = new Configuration();
    RangerKeyStoreProvider keyProvider = new RangerKeyStoreProvider(conf);

    // Create a key
    Options options = new Options(conf);
    options.setBitLength(128);
    options.setCipher("AES");
    KeyVersion keyVersion = keyProvider.createKey("newkey1", options);
    Assert.assertEquals("newkey1", keyVersion.getName());
    Assert.assertEquals(128 / 8, keyVersion.getMaterial().length);
    Assert.assertEquals("newkey1@0", keyVersion.getVersionName());

    keyProvider.flush();
    Assert.assertEquals(1, keyProvider.getKeys().size());
    keyProvider.deleteKey("newkey1");

    keyProvider.flush();
    Assert.assertEquals(0, keyProvider.getKeys().size());

    // Try to delete a key that isn't there
    try {
        keyProvider.deleteKey("newkey2");
        Assert.fail("Failure expected on trying to delete an unknown key");
    } catch (IOException ex) {
        // expected
    }
}
 
Example #14
Source File: RangerKeyStoreProviderTest.java    From ranger with Apache License 2.0 5 votes vote down vote up
@Test
public void testRolloverKey() throws Throwable {
	if (!UNRESTRICTED_POLICIES_INSTALLED) {
		return;
	}
	
    Path configDir = Paths.get("src/test/resources/kms");
    System.setProperty(KMSConfiguration.KMS_CONFIG_DIR, configDir.toFile().getAbsolutePath());

    Configuration conf = new Configuration();
    RangerKeyStoreProvider keyProvider = new RangerKeyStoreProvider(conf);

    // Create a key
    Options options = new Options(conf);
    options.setBitLength(192);
    options.setCipher("AES");
    KeyVersion keyVersion = keyProvider.createKey("newkey1", options);
    Assert.assertEquals("newkey1", keyVersion.getName());
    Assert.assertEquals(192 / 8, keyVersion.getMaterial().length);
    Assert.assertEquals("newkey1@0", keyVersion.getVersionName());

    keyProvider.flush();

    // Rollover a new key
    byte[] oldKey = keyVersion.getMaterial();
    keyVersion = keyProvider.rollNewVersion("newkey1");
    Assert.assertEquals("newkey1", keyVersion.getName());
    Assert.assertEquals(192 / 8, keyVersion.getMaterial().length);
    Assert.assertEquals("newkey1@1", keyVersion.getVersionName());
    Assert.assertFalse(Arrays.equals(oldKey, keyVersion.getMaterial()));

    keyProvider.deleteKey("newkey1");

    keyProvider.flush();
    Assert.assertEquals(0, keyProvider.getKeys().size());

}
 
Example #15
Source File: KMS.java    From ranger with Apache License 2.0 5 votes vote down vote up
@GET
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
    KMSRESTConstants.VERSIONS_SUB_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
public Response getKeyVersions(@PathParam("name") final String name, @Context HttpServletRequest request)
    throws Exception {
  try {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Entering getKeyVersions method.");
    }
    UserGroupInformation user = HttpUserGroupInformation.get();
    checkNotEmpty(name, "name");
    KMSWebApp.getKeyCallsMeter().mark();
    assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSIONS, name, request.getRemoteAddr());
    LOG.debug("Getting key versions for key {}", name);
    List<KeyVersion> ret = user.doAs(new PrivilegedExceptionAction<List<KeyVersion>>() {
      @Override
      public List<KeyVersion> run() throws Exception {
        return provider.getKeyVersions(name);
      }
    });
    Object json = KMSServerJSONUtils.toJSON(ret);
    kmsAudit.ok(user, KMSOp.GET_KEY_VERSIONS, name, "");
    if (LOG.isDebugEnabled()) {
        LOG.debug("Exiting getKeyVersions method.");
    }
    return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
  } catch (Exception e) {
      LOG.error("Exception in getKeyVersions.", e);
    throw e;
  }
 }
 
Example #16
Source File: KMS.java    From ranger with Apache License 2.0 5 votes vote down vote up
@GET
@Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}")
@Produces(MediaType.APPLICATION_JSON)
public Response getKeyVersion(
    @PathParam("versionName") final String versionName, @Context HttpServletRequest request) throws Exception {
  try {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Entering getKeyVersion method.");
    }
    UserGroupInformation user = HttpUserGroupInformation.get();
    checkNotEmpty(versionName, "versionName");
    KMSWebApp.getKeyCallsMeter().mark();
    assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSION, request.getRemoteAddr());
    LOG.debug("Getting key with version name {}.", versionName);
    KeyVersion keyVersion = user.doAs(new PrivilegedExceptionAction<KeyVersion>() {
      @Override
      public KeyVersion run() throws Exception {
        return provider.getKeyVersion(versionName);
      }
    });
    if (keyVersion != null) {
      kmsAudit.ok(user, KMSOp.GET_KEY_VERSION, keyVersion.getName(), "");
    }
    Object json = KMSUtil.toJSON(keyVersion);
    if (LOG.isDebugEnabled()) {
        LOG.debug("Exiting getKeyVersion method.");
    }
    return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
  } catch (Exception e) {
    LOG.error("Exception in getKeyVersion.", e);
    throw e;
  }
}
 
Example #17
Source File: KMS.java    From ranger with Apache License 2.0 5 votes vote down vote up
@GET
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
    KMSRESTConstants.CURRENT_VERSION_SUB_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
public Response getCurrentVersion(@PathParam("name") final String name, @Context HttpServletRequest request)
    throws Exception {
  try {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Entering getCurrentVersion method.");
    }
    UserGroupInformation user = HttpUserGroupInformation.get();
    checkNotEmpty(name, "name");
    KMSWebApp.getKeyCallsMeter().mark();
    assertAccess(Type.GET, user, KMSOp.GET_CURRENT_KEY, name, request.getRemoteAddr());
    LOG.debug("Getting key version for key with name {}.", name);
    KeyVersion keyVersion = user.doAs(new PrivilegedExceptionAction<KeyVersion>() {
      @Override
      public KeyVersion run() throws Exception {
        return provider.getCurrentKey(name);
      }
    });
    Object json = KMSUtil.toJSON(keyVersion);
    kmsAudit.ok(user, KMSOp.GET_CURRENT_KEY, name, "");
    if (LOG.isDebugEnabled()) {
      LOG.debug("Exiting getCurrentVersion method.");
    }
    return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
  } catch (Exception e) {
    LOG.error("Exception in getCurrentVersion.", e);
    throw e;
  }
}
 
Example #18
Source File: TestKeyAuthorizationKeyProvider.java    From ranger with Apache License 2.0 4 votes vote down vote up
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  KeyProvider kp =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);
  KeyACLs mock = mock(KeyACLs.class);
  when(mock.isACLPresent("testKey", KeyOpType.MANAGEMENT)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.ALL)).thenReturn(true);
  UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
  UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
  UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
  when(mock.hasAccessToKey("testKey", u1,
      KeyOpType.MANAGEMENT)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", u2,
      KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", u3,
      KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", sudo,
      KeyOpType.ALL)).thenReturn(true);
  final KeyProviderCryptoExtension kpExt =
      new KeyAuthorizationKeyProvider(
          KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp),
          mock);

  sudo.doAs(
      new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
          Options opt = newOptions(conf);
          Map<String, String> m = new HashMap<String, String>();
          m.put("key.acl.name", "testKey");
          opt.setAttributes(m);
          byte[] seed = new byte[16];
          SECURE_RANDOM.nextBytes(seed);
          KeyVersion kv =
              kpExt.createKey("foo", seed, opt);
          kpExt.rollNewVersion(kv.getName());
          seed = new byte[16];
          SECURE_RANDOM.nextBytes(seed);
          kpExt.rollNewVersion(kv.getName(), seed);
          EncryptedKeyVersion ekv = kpExt.generateEncryptedKey(kv.getName());
          ekv = EncryptedKeyVersion.createForDecryption(
              ekv.getEncryptionKeyName() + "x",
              ekv.getEncryptionKeyVersionName(),
              ekv.getEncryptedKeyIv(),
              ekv.getEncryptedKeyVersion().getMaterial());
          kpExt.decryptEncryptedKey(ekv);
          return null;
        }
      }
  );
}
 
Example #19
Source File: KMS.java    From ranger with Apache License 2.0 4 votes vote down vote up
private static KeyProvider.KeyVersion removeKeyMaterial(
    KeyProvider.KeyVersion keyVersion) {
  return new KMSClientProvider.KMSKeyVersion(keyVersion.getName(),
      keyVersion.getVersionName(), null);
}
 
Example #20
Source File: TestKeyAuthorizationKeyProvider.java    From big-c with Apache License 2.0 4 votes vote down vote up
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  KeyProvider kp =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);
  KeyACLs mock = mock(KeyACLs.class);
  when(mock.isACLPresent("testKey", KeyOpType.MANAGEMENT)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.ALL)).thenReturn(true);
  UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
  UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
  UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
  when(mock.hasAccessToKey("testKey", u1,
      KeyOpType.MANAGEMENT)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", u2,
      KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", u3,
      KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", sudo,
      KeyOpType.ALL)).thenReturn(true);
  final KeyProviderCryptoExtension kpExt =
      new KeyAuthorizationKeyProvider(
          KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp),
          mock);

  sudo.doAs(
      new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
          Options opt = newOptions(conf);
          Map<String, String> m = new HashMap<String, String>();
          m.put("key.acl.name", "testKey");
          opt.setAttributes(m);
          KeyVersion kv =
              kpExt.createKey("foo", SecureRandom.getSeed(16), opt);
          kpExt.rollNewVersion(kv.getName());
          kpExt.rollNewVersion(kv.getName(), SecureRandom.getSeed(16));
          EncryptedKeyVersion ekv = kpExt.generateEncryptedKey(kv.getName());
          ekv = EncryptedKeyVersion.createForDecryption(
              ekv.getEncryptionKeyName() + "x",
              ekv.getEncryptionKeyVersionName(),
              ekv.getEncryptedKeyIv(),
              ekv.getEncryptedKeyVersion().getMaterial());
          kpExt.decryptEncryptedKey(ekv);
          return null;
        }
      }
  );
}
 
Example #21
Source File: KMS.java    From big-c with Apache License 2.0 4 votes vote down vote up
@SuppressWarnings("rawtypes")
@POST
@Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}/" +
    KMSRESTConstants.EEK_SUB_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
public Response decryptEncryptedKey(
    @PathParam("versionName") final String versionName,
    @QueryParam(KMSRESTConstants.EEK_OP) String eekOp,
    Map jsonPayload)
    throws Exception {
  UserGroupInformation user = HttpUserGroupInformation.get();
  KMSClientProvider.checkNotEmpty(versionName, "versionName");
  KMSClientProvider.checkNotNull(eekOp, "eekOp");

  final String keyName = (String) jsonPayload.get(
      KMSRESTConstants.NAME_FIELD);
  String ivStr = (String) jsonPayload.get(KMSRESTConstants.IV_FIELD);
  String encMaterialStr = 
      (String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD);
  Object retJSON;
  if (eekOp.equals(KMSRESTConstants.EEK_DECRYPT)) {
    assertAccess(KMSACLs.Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName);
    KMSClientProvider.checkNotNull(ivStr, KMSRESTConstants.IV_FIELD);
    final byte[] iv = Base64.decodeBase64(ivStr);
    KMSClientProvider.checkNotNull(encMaterialStr,
        KMSRESTConstants.MATERIAL_FIELD);
    final byte[] encMaterial = Base64.decodeBase64(encMaterialStr);

    KeyProvider.KeyVersion retKeyVersion = user.doAs(
        new PrivilegedExceptionAction<KeyVersion>() {
          @Override
          public KeyVersion run() throws Exception {
            return provider.decryptEncryptedKey(
                new KMSClientProvider.KMSEncryptedKeyVersion(keyName,
                    versionName, iv, KeyProviderCryptoExtension.EEK,
                    encMaterial)
            );
          }
        }
    );

    retJSON = KMSServerJSONUtils.toJSON(retKeyVersion);
    kmsAudit.ok(user, KMSOp.DECRYPT_EEK, keyName, "");
  } else {
    throw new IllegalArgumentException("Wrong " + KMSRESTConstants.EEK_OP +
        " value, it must be " + KMSRESTConstants.EEK_GENERATE + " or " +
        KMSRESTConstants.EEK_DECRYPT);
  }
  KMSWebApp.getDecryptEEKCallsMeter().mark();
  return Response.ok().type(MediaType.APPLICATION_JSON).entity(retJSON)
      .build();
}
 
Example #22
Source File: KMS.java    From big-c with Apache License 2.0 4 votes vote down vote up
private static KeyProvider.KeyVersion removeKeyMaterial(
    KeyProvider.KeyVersion keyVersion) {
  return new KMSClientProvider.KMSKeyVersion(keyVersion.getName(),
      keyVersion.getVersionName(), null);
}
 
Example #23
Source File: TestKeyAuthorizationKeyProvider.java    From hadoop with Apache License 2.0 4 votes vote down vote up
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  KeyProvider kp =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);
  KeyACLs mock = mock(KeyACLs.class);
  when(mock.isACLPresent("testKey", KeyOpType.MANAGEMENT)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.ALL)).thenReturn(true);
  UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
  UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
  UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
  when(mock.hasAccessToKey("testKey", u1,
      KeyOpType.MANAGEMENT)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", u2,
      KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", u3,
      KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", sudo,
      KeyOpType.ALL)).thenReturn(true);
  final KeyProviderCryptoExtension kpExt =
      new KeyAuthorizationKeyProvider(
          KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp),
          mock);

  sudo.doAs(
      new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
          Options opt = newOptions(conf);
          Map<String, String> m = new HashMap<String, String>();
          m.put("key.acl.name", "testKey");
          opt.setAttributes(m);
          KeyVersion kv =
              kpExt.createKey("foo", SecureRandom.getSeed(16), opt);
          kpExt.rollNewVersion(kv.getName());
          kpExt.rollNewVersion(kv.getName(), SecureRandom.getSeed(16));
          EncryptedKeyVersion ekv = kpExt.generateEncryptedKey(kv.getName());
          ekv = EncryptedKeyVersion.createForDecryption(
              ekv.getEncryptionKeyName() + "x",
              ekv.getEncryptionKeyVersionName(),
              ekv.getEncryptedKeyIv(),
              ekv.getEncryptedKeyVersion().getMaterial());
          kpExt.decryptEncryptedKey(ekv);
          return null;
        }
      }
  );
}
 
Example #24
Source File: KMS.java    From hadoop with Apache License 2.0 4 votes vote down vote up
@SuppressWarnings("rawtypes")
@POST
@Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}/" +
    KMSRESTConstants.EEK_SUB_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
public Response decryptEncryptedKey(
    @PathParam("versionName") final String versionName,
    @QueryParam(KMSRESTConstants.EEK_OP) String eekOp,
    Map jsonPayload)
    throws Exception {
  UserGroupInformation user = HttpUserGroupInformation.get();
  KMSClientProvider.checkNotEmpty(versionName, "versionName");
  KMSClientProvider.checkNotNull(eekOp, "eekOp");

  final String keyName = (String) jsonPayload.get(
      KMSRESTConstants.NAME_FIELD);
  String ivStr = (String) jsonPayload.get(KMSRESTConstants.IV_FIELD);
  String encMaterialStr = 
      (String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD);
  Object retJSON;
  if (eekOp.equals(KMSRESTConstants.EEK_DECRYPT)) {
    assertAccess(KMSACLs.Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName);
    KMSClientProvider.checkNotNull(ivStr, KMSRESTConstants.IV_FIELD);
    final byte[] iv = Base64.decodeBase64(ivStr);
    KMSClientProvider.checkNotNull(encMaterialStr,
        KMSRESTConstants.MATERIAL_FIELD);
    final byte[] encMaterial = Base64.decodeBase64(encMaterialStr);

    KeyProvider.KeyVersion retKeyVersion = user.doAs(
        new PrivilegedExceptionAction<KeyVersion>() {
          @Override
          public KeyVersion run() throws Exception {
            return provider.decryptEncryptedKey(
                new KMSClientProvider.KMSEncryptedKeyVersion(keyName,
                    versionName, iv, KeyProviderCryptoExtension.EEK,
                    encMaterial)
            );
          }
        }
    );

    retJSON = KMSServerJSONUtils.toJSON(retKeyVersion);
    kmsAudit.ok(user, KMSOp.DECRYPT_EEK, keyName, "");
  } else {
    throw new IllegalArgumentException("Wrong " + KMSRESTConstants.EEK_OP +
        " value, it must be " + KMSRESTConstants.EEK_GENERATE + " or " +
        KMSRESTConstants.EEK_DECRYPT);
  }
  KMSWebApp.getDecryptEEKCallsMeter().mark();
  return Response.ok().type(MediaType.APPLICATION_JSON).entity(retJSON)
      .build();
}
 
Example #25
Source File: KMS.java    From hadoop with Apache License 2.0 4 votes vote down vote up
private static KeyProvider.KeyVersion removeKeyMaterial(
    KeyProvider.KeyVersion keyVersion) {
  return new KMSClientProvider.KMSKeyVersion(keyVersion.getName(),
      keyVersion.getVersionName(), null);
}