org.apache.hadoop.crypto.key.KeyProviderCryptoExtension Java Examples

The following examples show how to use org.apache.hadoop.crypto.key.KeyProviderCryptoExtension. Each example names the project and source file it was taken from so it can be read in its original context.
Example #1
Source File: OzoneKMSUtil.java — from hadoop-ozone (Apache License 2.0)
/**
 * Unwraps the encrypted data encryption key (EDEK) carried in {@code feInfo}
 * through the crypto extension of the supplied {@code keyProvider}.
 *
 * @param feInfo      encryption metadata of the file: key name, encryption
 *                    zone key version, IV and the EDEK bytes
 * @param keyProvider provider that owns the encryption zone key; must not be
 *                    {@code null}
 * @return the decrypted data encryption key
 * @throws IOException if no provider is configured, or if the provider fails
 *                     to decrypt (the {@link GeneralSecurityException} is
 *                     wrapped as the cause)
 */
public static KeyProvider.KeyVersion decryptEncryptedDataEncryptionKey(
    FileEncryptionInfo feInfo, KeyProvider keyProvider) throws IOException {
  if (keyProvider == null) {
    throw new IOException("No KeyProvider is configured, " +
        "cannot access an encrypted file");
  }
  // Rebuild the wrapped-key envelope from the fields stored with the file.
  EncryptedKeyVersion wrapped = EncryptedKeyVersion.createForDecryption(
      feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
      feInfo.getEncryptedDataEncryptionKey());
  try {
    KeyProviderCryptoExtension extension =
        KeyProviderCryptoExtension.createKeyProviderCryptoExtension(keyProvider);
    return extension.decryptEncryptedKey(wrapped);
  } catch (GeneralSecurityException gse) {
    // Callers only deal in IOException; keep the original as the cause.
    throw new IOException(gse);
  }
}
 
Example #2
Source File: HDFSUtil.java — from spliceengine (GNU Affero General Public License v3.0)
/**
 * Resolves the data encryption key of an encrypted HDFS file by asking the
 * file system's KeyProvider to unwrap the EDEK stored in {@code feInfo}.
 *
 * @param dfs    file system whose client supplies the KeyProvider
 * @param feInfo encryption metadata of the file
 * @return the plaintext data encryption key
 * @throws IOException if the file system has no KeyProvider or unwrapping
 *                     fails (the security exception becomes the cause)
 */
private static KeyProvider.KeyVersion decryptEncryptedDataEncryptionKey(DistributedFileSystem dfs, FileEncryptionInfo feInfo) throws IOException {
    KeyProvider provider = dfs.dfs.getKeyProvider();
    if (provider == null) {
        throw new IOException("No KeyProvider is configured, cannot access" +
                " an encrypted file");
    }
    KeyProviderCryptoExtension.EncryptedKeyVersion wrapped =
            KeyProviderCryptoExtension.EncryptedKeyVersion.createForDecryption(
                    feInfo.getKeyName(), feInfo.getEzKeyVersionName(),
                    feInfo.getIV(), feInfo.getEncryptedDataEncryptionKey());
    try {
        return KeyProviderCryptoExtension
                .createKeyProviderCryptoExtension(provider)
                .decryptEncryptedKey(wrapped);
    } catch (GeneralSecurityException e) {
        // Surface as IOException like every other failure on this path.
        throw new IOException(e);
    }
}
 
Example #3
Source File: EagerKeyGeneratorKeyProviderCryptoExtension.java — from ranger (Apache License 2.0)
/**
 * Wraps {@code keyProviderCryptoExtension} and sets up the queue of
 * pre-generated encrypted key versions, sized and tuned from {@code conf}.
 *
 * @param conf                       source of the KMS key-cache settings
 *                                   (size, low watermark, expiry, refill
 *                                   thread count)
 * @param keyProviderCryptoExtension the extension that actually generates the
 *                                   encrypted keys
 */
public CryptoExtension(Configuration conf,
    KeyProviderCryptoExtension keyProviderCryptoExtension) {
  this.keyProviderCryptoExtension = keyProviderCryptoExtension;
  int cacheSize = conf.getInt(KMS_KEY_CACHE_SIZE, KMS_KEY_CACHE_SIZE_DEFAULT);
  float lowWatermark = conf.getFloat(KMS_KEY_CACHE_LOW_WATERMARK,
      KMS_KEY_CACHE_LOW_WATERMARK_DEFAULT);
  int expiryMs = conf.getInt(KMS_KEY_CACHE_EXPIRY_MS,
      KMS_KEY_CACHE_EXPIRY_DEFAULT);
  int refillThreads = conf.getInt(KMS_KEY_CACHE_NUM_REFILL_THREADS,
      KMS_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT);
  // Only the sizing and timing come from conf; the generation policy and the
  // refiller are fixed.
  encKeyVersionQueue =
      new ValueQueue<KeyProviderCryptoExtension.EncryptedKeyVersion>(
          cacheSize, lowWatermark, expiryMs, refillThreads,
          SyncGenerationPolicy.LOW_WATERMARK, new EncryptedQueueRefiller());
}
 
Example #4
Source File: EagerKeyGeneratorKeyProviderCryptoExtension.java — from big-c (Apache License 2.0)
/**
 * Wraps {@code keyProviderCryptoExtension} and sets up the queue of
 * pre-generated encrypted key versions, sized and tuned from {@code conf}.
 *
 * @param conf                       source of the KMS key-cache settings
 *                                   (size, low watermark, expiry, refill
 *                                   thread count)
 * @param keyProviderCryptoExtension the extension that actually generates the
 *                                   encrypted keys
 */
public CryptoExtension(Configuration conf,
    KeyProviderCryptoExtension keyProviderCryptoExtension) {
  this.keyProviderCryptoExtension = keyProviderCryptoExtension;
  int cacheSize = conf.getInt(KMS_KEY_CACHE_SIZE, KMS_KEY_CACHE_SIZE_DEFAULT);
  float lowWatermark = conf.getFloat(KMS_KEY_CACHE_LOW_WATERMARK,
      KMS_KEY_CACHE_LOW_WATERMARK_DEFAULT);
  int expiryMs = conf.getInt(KMS_KEY_CACHE_EXPIRY_MS,
      KMS_KEY_CACHE_EXPIRY_DEFAULT);
  int refillThreads = conf.getInt(KMS_KEY_CACHE_NUM_REFILL_THREADS,
      KMS_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT);
  // Only the sizing and timing come from conf; the generation policy and the
  // refiller are fixed.
  encKeyVersionQueue =
      new ValueQueue<KeyProviderCryptoExtension.EncryptedKeyVersion>(
          cacheSize, lowWatermark, expiryMs, refillThreads,
          SyncGenerationPolicy.LOW_WATERMARK, new EncryptedQueueRefiller());
}
 
Example #5
Source File: DFSClient.java — from big-c (Apache License 2.0)
/**
 * Decrypts an EDEK by consulting the KeyProvider; the whole call is recorded
 * under a "decryptEDEK" trace span.
 *
 * @param feInfo encryption metadata of the file being opened
 * @return the plaintext data encryption key
 * @throws IOException if no KeyProvider is configured or the provider fails
 *                     to decrypt (the security exception becomes the cause)
 */
private KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo
    feInfo) throws IOException {
  TraceScope scope = Trace.startSpan("decryptEDEK", traceSampler);
  try {
    KeyProvider provider = getKeyProvider();
    if (provider == null) {
      throw new IOException("No KeyProvider is configured, cannot access" +
          " an encrypted file");
    }
    EncryptedKeyVersion wrapped = EncryptedKeyVersion.createForDecryption(
        feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
        feInfo.getEncryptedDataEncryptionKey());
    return KeyProviderCryptoExtension
        .createKeyProviderCryptoExtension(provider)
        .decryptEncryptedKey(wrapped);
  } catch (GeneralSecurityException e) {
    throw new IOException(e);
  } finally {
    // Close the span on every exit path, including the error ones.
    scope.close();
  }
}
 
Example #6
Source File: EagerKeyGeneratorKeyProviderCryptoExtension.java — from hadoop (Apache License 2.0)
/**
 * Wraps {@code keyProviderCryptoExtension} and sets up the queue of
 * pre-generated encrypted key versions, sized and tuned from {@code conf}.
 *
 * @param conf                       source of the KMS key-cache settings
 *                                   (size, low watermark, expiry, refill
 *                                   thread count)
 * @param keyProviderCryptoExtension the extension that actually generates the
 *                                   encrypted keys
 */
public CryptoExtension(Configuration conf,
    KeyProviderCryptoExtension keyProviderCryptoExtension) {
  this.keyProviderCryptoExtension = keyProviderCryptoExtension;
  int cacheSize = conf.getInt(KMS_KEY_CACHE_SIZE, KMS_KEY_CACHE_SIZE_DEFAULT);
  float lowWatermark = conf.getFloat(KMS_KEY_CACHE_LOW_WATERMARK,
      KMS_KEY_CACHE_LOW_WATERMARK_DEFAULT);
  int expiryMs = conf.getInt(KMS_KEY_CACHE_EXPIRY_MS,
      KMS_KEY_CACHE_EXPIRY_DEFAULT);
  int refillThreads = conf.getInt(KMS_KEY_CACHE_NUM_REFILL_THREADS,
      KMS_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT);
  // Only the sizing and timing come from conf; the generation policy and the
  // refiller are fixed.
  encKeyVersionQueue =
      new ValueQueue<KeyProviderCryptoExtension.EncryptedKeyVersion>(
          cacheSize, lowWatermark, expiryMs, refillThreads,
          SyncGenerationPolicy.LOW_WATERMARK, new EncryptedQueueRefiller());
}
 
Example #7
Source File: DFSClient.java — from hadoop (Apache License 2.0)
/**
 * Decrypts an EDEK by consulting the KeyProvider; the whole call is recorded
 * under a "decryptEDEK" trace span.
 *
 * @param feInfo encryption metadata of the file being opened
 * @return the plaintext data encryption key
 * @throws IOException if no KeyProvider is configured or the provider fails
 *                     to decrypt (the security exception becomes the cause)
 */
private KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo
    feInfo) throws IOException {
  TraceScope scope = Trace.startSpan("decryptEDEK", traceSampler);
  try {
    KeyProvider provider = getKeyProvider();
    if (provider == null) {
      throw new IOException("No KeyProvider is configured, cannot access" +
          " an encrypted file");
    }
    EncryptedKeyVersion wrapped = EncryptedKeyVersion.createForDecryption(
        feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
        feInfo.getEncryptedDataEncryptionKey());
    return KeyProviderCryptoExtension
        .createKeyProviderCryptoExtension(provider)
        .decryptEncryptedKey(wrapped);
  } catch (GeneralSecurityException e) {
    throw new IOException(e);
  } finally {
    // Close the span on every exit path, including the error ones.
    scope.close();
  }
}
 
Example #8
Source File: OMBucketCreateRequest.java — from hadoop-ozone (Apache License 2.0)
/**
 * Pre-processes the CreateBucket request held by this handler: validates the
 * bucket name, stamps creation and modification time and, when the request
 * carries bucket encryption info, resolves that info against the KMS via
 * {@code getBeinfo}.
 *
 * @param ozoneManager supplies the KMS provider used for encrypted buckets
 * @return a copy of the original request with the rewritten bucket info and
 *         the caller's user info attached
 * @throws IOException if the bucket name is invalid or the encryption info
 *                     cannot be resolved
 */
@Override
public OMRequest preExecute(OzoneManager ozoneManager) throws IOException {
  CreateBucketRequest original = getOmRequest().getCreateBucketRequest();
  BucketInfo requested = original.getBucketInfo();
  OmUtils.validateBucketName(requested.getBucketName());

  KeyProviderCryptoExtension kmsProvider = ozoneManager.getKmsProvider();

  CreateBucketRequest.Builder rewrittenRequest = original.toBuilder();

  // Creation and modification time start out equal.
  long now = Time.now();
  BucketInfo.Builder rewrittenInfo = requested.toBuilder()
      .setCreationTime(now)
      .setModificationTime(now);
  if (requested.hasBeinfo()) {
    rewrittenInfo.setBeinfo(getBeinfo(kmsProvider, requested));
  }

  rewrittenRequest.setBucketInfo(rewrittenInfo.build());
  return getOmRequest().toBuilder()
      .setUserInfo(getUserInfo())
      .setCreateBucketRequest(rewrittenRequest.build())
      .build();
}
 
Example #9
Source File: KeyAuthorizationKeyProvider.java — from ranger (Apache License 2.0)
/**
 * Wraps a {@link KeyProviderCryptoExtension} so that calls are checked against
 * {@code acls} (where the operation requires it) before being delegated to
 * the wrapped provider.
 *
 * @param keyProvider the key provider that does the real work
 * @param acls        per-key ACLs consulted before delegation
 */
public KeyAuthorizationKeyProvider(KeyProviderCryptoExtension keyProvider,
    KeyACLs acls) {
  super(keyProvider, null);
  // Fair mode: waiting writers are not starved by a steady stream of readers.
  ReentrantReadWriteLock rwLock = new ReentrantReadWriteLock(true);
  readLock = rwLock.readLock();
  writeLock = rwLock.writeLock();
  this.provider = keyProvider;
  this.acls = acls;
}
 
Example #10
Source File: KeyAuthorizationKeyProvider.java — from big-c (Apache License 2.0)
/**
 * Wraps a {@link KeyProviderCryptoExtension} so that calls are checked against
 * {@code acls} (where the operation requires it) before being delegated to
 * the wrapped provider.
 *
 * @param keyProvider the key provider that does the real work
 * @param acls        per-key ACLs consulted before delegation
 */
public KeyAuthorizationKeyProvider(KeyProviderCryptoExtension keyProvider,
    KeyACLs acls) {
  super(keyProvider, null);
  // Fair mode: waiting writers are not starved by a steady stream of readers.
  ReentrantReadWriteLock rwLock = new ReentrantReadWriteLock(true);
  readLock = rwLock.readLock();
  writeLock = rwLock.writeLock();
  this.provider = keyProvider;
  this.acls = acls;
}
 
Example #11
Source File: KMSClientProvider.java — from big-c (Apache License 2.0)
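/**
 * Asks the KMS to decrypt an encrypted key (EEK): a POST to the EEK
 * sub-resource of the named key version with the EEK_OP=EEK_DECRYPT query
 * parameter and a JSON body holding the key name, Base64 IV and Base64
 * encrypted material.
 *
 * @param encryptedKeyVersion the EEK to unwrap; its version name, IV and
 *                            wrapped key must be present and the wrapped
 *                            key's version name must be EEK
 * @return the decrypted key version parsed from the KMS response
 * @throws IOException              on transport or response failures
 * @throws GeneralSecurityException if the KMS reports a security failure
 * @throws NullPointerException     if a required field is null
 * @throws IllegalArgumentException if the wrapped key's version name is not
 *                                  EEK
 */
@SuppressWarnings("rawtypes")
@Override
public KeyVersion decryptEncryptedKey(
    EncryptedKeyVersion encryptedKeyVersion) throws IOException,
                                                    GeneralSecurityException {
  checkNotNull(encryptedKeyVersion.getEncryptionKeyVersionName(),
      "versionName");
  checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), "iv");
  // Null-check the wrapped key BEFORE dereferencing it; previously
  // getVersionName() was called on it first, so this check could never fire.
  KeyVersion encryptedKey = encryptedKeyVersion.getEncryptedKeyVersion();
  checkNotNull(encryptedKey, "encryptedKey");
  // EEK.equals(...) tolerates a null version name and reports it as a
  // mismatch instead of throwing NPE.
  Preconditions.checkArgument(
      KeyProviderCryptoExtension.EEK.equals(encryptedKey.getVersionName()),
      "encryptedKey version name must be '%s', is '%s'",
      KeyProviderCryptoExtension.EEK, encryptedKey.getVersionName());
  Map<String, String> params = new HashMap<String, String>();
  params.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_DECRYPT);
  Map<String, Object> jsonPayload = new HashMap<String, Object>();
  jsonPayload.put(KMSRESTConstants.NAME_FIELD,
      encryptedKeyVersion.getEncryptionKeyName());
  jsonPayload.put(KMSRESTConstants.IV_FIELD, Base64.encodeBase64String(
      encryptedKeyVersion.getEncryptedKeyIv()));
  jsonPayload.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String(
      encryptedKey.getMaterial()));
  URL url = createURL(KMSRESTConstants.KEY_VERSION_RESOURCE,
      encryptedKeyVersion.getEncryptionKeyVersionName(),
      KMSRESTConstants.EEK_SUB_RESOURCE, params);
  HttpURLConnection conn = createConnection(url, HTTP_POST);
  conn.setRequestProperty(CONTENT_TYPE, APPLICATION_JSON_MIME);
  Map response =
      call(conn, jsonPayload, HttpURLConnection.HTTP_OK, Map.class);
  return parseJSONKeyVersion(response);
}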
 
Example #12
Source File: TestEncryptionZonesWithHA.java — from big-c (Apache License 2.0)
/**
 * Brings up a two-NameNode HA mini cluster whose encryption key provider is a
 * JavaKeyStore file under the test root, creates TEST_KEY on each NameNode
 * and points the failover client at nn0's provider.
 *
 * @throws Exception if the cluster or the key store cannot be set up
 */
@Before
public void setupCluster() throws Exception {
  conf = new Configuration();
  conf.setInt(DFSConfigKeys.DFS_HA_TAILEDITS_PERIOD_KEY, 1);
  HAUtil.setAllowStandbyReads(conf, true);
  fsHelper = new FileSystemTestHelper();
  testRootDir = new File(fsHelper.getTestRootDir()).getAbsoluteFile();
  // Keys live in a key store file inside the test root.
  String keyStoreUri = JavaKeyStoreProvider.SCHEME_NAME + "://file"
      + new Path(testRootDir.toString(), "test.jks").toUri();
  conf.set(DFSConfigKeys.DFS_ENCRYPTION_KEY_PROVIDER_URI, keyStoreUri);

  MiniDFSCluster.Builder clusterBuilder = new MiniDFSCluster.Builder(conf)
      .nnTopology(MiniDFSNNTopology.simpleHATopology())
      .numDataNodes(1);
  cluster = clusterBuilder.build();
  cluster.waitActive();
  cluster.transitionToActive(0);

  fs = (DistributedFileSystem) HATestUtil.configureFailoverFs(cluster, conf);
  // The key is created on each NameNode separately.
  for (int nnIndex = 0; nnIndex < 2; nnIndex++) {
    DFSTestUtil.createKey(TEST_KEY, cluster, nnIndex, conf);
  }
  nn0 = cluster.getNameNode(0);
  nn1 = cluster.getNameNode(1);
  dfsAdmin0 = new HdfsAdmin(cluster.getURI(0), conf);
  dfsAdmin1 = new HdfsAdmin(cluster.getURI(1), conf);
  fs.getClient().setKeyProvider(nn0.getNamesystem().getProvider());
}
 
Example #13
Source File: DFSUtil.java — from big-c (Apache License 2.0)
/**
 * Creates a new KeyProviderCryptoExtension by wrapping the KeyProvider that
 * {@code conf} names.
 *
 * @param conf Configuration naming the KeyProvider
 * @return the wrapping extension, or null when conf names no provider
 * @throws IOException if the KeyProvider is improperly specified in conf
 */
public static KeyProviderCryptoExtension createKeyProviderCryptoExtension(
    final Configuration conf) throws IOException {
  KeyProvider provider = createKeyProvider(conf);
  // The absence of a provider is reported as null, not as an error.
  return provider == null
      ? null
      : KeyProviderCryptoExtension.createKeyProviderCryptoExtension(provider);
}
 
Example #14
Source File: KeyAuthorizationKeyProvider.java — from hadoop (Apache License 2.0)
/**
 * Wraps a {@link KeyProviderCryptoExtension} so that calls are checked against
 * {@code acls} (where the operation requires it) before being delegated to
 * the wrapped provider.
 *
 * @param keyProvider the key provider that does the real work
 * @param acls        per-key ACLs consulted before delegation
 */
public KeyAuthorizationKeyProvider(KeyProviderCryptoExtension keyProvider,
    KeyACLs acls) {
  super(keyProvider, null);
  // Fair mode: waiting writers are not starved by a steady stream of readers.
  ReentrantReadWriteLock rwLock = new ReentrantReadWriteLock(true);
  readLock = rwLock.readLock();
  writeLock = rwLock.writeLock();
  this.provider = keyProvider;
  this.acls = acls;
}
 
Example #15
Source File: KMSClientProvider.java — from hadoop (Apache License 2.0)
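/**
 * Asks the KMS to decrypt an encrypted key (EEK): a POST to the EEK
 * sub-resource of the named key version with the EEK_OP=EEK_DECRYPT query
 * parameter and a JSON body holding the key name, Base64 IV and Base64
 * encrypted material.
 *
 * @param encryptedKeyVersion the EEK to unwrap; its version name, IV and
 *                            wrapped key must be present and the wrapped
 *                            key's version name must be EEK
 * @return the decrypted key version parsed from the KMS response
 * @throws IOException              on transport or response failures
 * @throws GeneralSecurityException if the KMS reports a security failure
 * @throws NullPointerException     if a required field is null
 * @throws IllegalArgumentException if the wrapped key's version name is not
 *                                  EEK
 */
@SuppressWarnings("rawtypes")
@Override
public KeyVersion decryptEncryptedKey(
    EncryptedKeyVersion encryptedKeyVersion) throws IOException,
                                                    GeneralSecurityException {
  checkNotNull(encryptedKeyVersion.getEncryptionKeyVersionName(),
      "versionName");
  checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), "iv");
  // Null-check the wrapped key BEFORE dereferencing it; previously
  // getVersionName() was called on it first, so this check could never fire.
  KeyVersion encryptedKey = encryptedKeyVersion.getEncryptedKeyVersion();
  checkNotNull(encryptedKey, "encryptedKey");
  // EEK.equals(...) tolerates a null version name and reports it as a
  // mismatch instead of throwing NPE.
  Preconditions.checkArgument(
      KeyProviderCryptoExtension.EEK.equals(encryptedKey.getVersionName()),
      "encryptedKey version name must be '%s', is '%s'",
      KeyProviderCryptoExtension.EEK, encryptedKey.getVersionName());
  Map<String, String> params = new HashMap<String, String>();
  params.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_DECRYPT);
  Map<String, Object> jsonPayload = new HashMap<String, Object>();
  jsonPayload.put(KMSRESTConstants.NAME_FIELD,
      encryptedKeyVersion.getEncryptionKeyName());
  jsonPayload.put(KMSRESTConstants.IV_FIELD, Base64.encodeBase64String(
      encryptedKeyVersion.getEncryptedKeyIv()));
  jsonPayload.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String(
      encryptedKey.getMaterial()));
  URL url = createURL(KMSRESTConstants.KEY_VERSION_RESOURCE,
      encryptedKeyVersion.getEncryptionKeyVersionName(),
      KMSRESTConstants.EEK_SUB_RESOURCE, params);
  HttpURLConnection conn = createConnection(url, HTTP_POST);
  conn.setRequestProperty(CONTENT_TYPE, APPLICATION_JSON_MIME);
  Map response =
      call(conn, jsonPayload, HttpURLConnection.HTTP_OK, Map.class);
  return parseJSONKeyVersion(response);
}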
 
Example #16
Source File: OMBucketCreateRequest.java — from hadoop-ozone (Apache License 2.0)
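/**
 * Resolves the bucket encryption info of a CreateBucket request against the
 * KMS and returns the version to persist: key name, crypto protocol version
 * and the cipher suite reported by the KMS for that key.
 *
 * @param kmsProvider KMS crypto extension; null when none is configured
 * @param bucketInfo  requested bucket info carrying the encryption info
 * @return the encryption info to store with the bucket
 * @throws OMException with INVALID_KMS_PROVIDER if no provider is
 *                     configured, or BUCKET_ENCRYPTION_KEY_NOT_FOUND if no
 *                     key name was given or the KMS has no such key
 * @throws IOException if the KMS call itself fails
 */
private BucketEncryptionInfoProto getBeinfo(
    KeyProviderCryptoExtension kmsProvider, BucketInfo bucketInfo)
    throws IOException {
  BucketEncryptionInfoProto bek = bucketInfo.getBeinfo();
  if (kmsProvider == null) {
    throw new OMException("Invalid KMS provider, check configuration " +
        CommonConfigurationKeys.HADOOP_SECURITY_KEY_PROVIDER_PATH,
        OMException.ResultCodes.INVALID_KMS_PROVIDER);
  }
  String keyName = bek.getKeyName();
  // A generated protobuf getter returns "" rather than null for an unset
  // string field (confirm against the message definition), so an empty name
  // has to be rejected here too instead of being sent to the KMS.
  if (keyName == null || keyName.isEmpty()) {
    throw new OMException("Bucket encryption key needed.", OMException
        .ResultCodes.BUCKET_ENCRYPTION_KEY_NOT_FOUND);
  }
  // Talk to KMS to retrieve the bucket encryption key info.
  KeyProvider.Metadata metadata = kmsProvider.getMetadata(keyName);
  if (metadata == null) {
    throw new OMException("Bucket encryption key " + keyName
        + " doesn't exist.",
        OMException.ResultCodes.BUCKET_ENCRYPTION_KEY_NOT_FOUND);
  }
  // If the provider supports pool for EDEKs, this will fill in the pool
  kmsProvider.warmUpEncryptedKeys(keyName);
  return BucketEncryptionInfoProto.newBuilder()
      .setKeyName(keyName)
      .setCryptoProtocolVersion(ENCRYPTION_ZONES)
      .setSuite(OMPBHelper.convert(
          CipherSuite.convert(metadata.getCipher())))
      .build();
}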
 
Example #17
Source File: TestEncryptionZonesWithHA.java — from hadoop (Apache License 2.0)
/**
 * Brings up a two-NameNode HA mini cluster whose encryption key provider is a
 * JavaKeyStore file under the test root, creates TEST_KEY on each NameNode
 * and points the failover client at nn0's provider.
 *
 * @throws Exception if the cluster or the key store cannot be set up
 */
@Before
public void setupCluster() throws Exception {
  conf = new Configuration();
  conf.setInt(DFSConfigKeys.DFS_HA_TAILEDITS_PERIOD_KEY, 1);
  HAUtil.setAllowStandbyReads(conf, true);
  fsHelper = new FileSystemTestHelper();
  testRootDir = new File(fsHelper.getTestRootDir()).getAbsoluteFile();
  // Keys live in a key store file inside the test root.
  String keyStoreUri = JavaKeyStoreProvider.SCHEME_NAME + "://file"
      + new Path(testRootDir.toString(), "test.jks").toUri();
  conf.set(DFSConfigKeys.DFS_ENCRYPTION_KEY_PROVIDER_URI, keyStoreUri);

  MiniDFSCluster.Builder clusterBuilder = new MiniDFSCluster.Builder(conf)
      .nnTopology(MiniDFSNNTopology.simpleHATopology())
      .numDataNodes(1);
  cluster = clusterBuilder.build();
  cluster.waitActive();
  cluster.transitionToActive(0);

  fs = (DistributedFileSystem) HATestUtil.configureFailoverFs(cluster, conf);
  // The key is created on each NameNode separately.
  for (int nnIndex = 0; nnIndex < 2; nnIndex++) {
    DFSTestUtil.createKey(TEST_KEY, cluster, nnIndex, conf);
  }
  nn0 = cluster.getNameNode(0);
  nn1 = cluster.getNameNode(1);
  dfsAdmin0 = new HdfsAdmin(cluster.getURI(0), conf);
  dfsAdmin1 = new HdfsAdmin(cluster.getURI(1), conf);
  fs.getClient().setKeyProvider(nn0.getNamesystem().getProvider());
}
 
Example #18
Source File: DFSUtil.java — from hadoop (Apache License 2.0)
/**
 * Creates a new KeyProviderCryptoExtension by wrapping the KeyProvider that
 * {@code conf} names.
 *
 * @param conf Configuration naming the KeyProvider
 * @return the wrapping extension, or null when conf names no provider
 * @throws IOException if the KeyProvider is improperly specified in conf
 */
public static KeyProviderCryptoExtension createKeyProviderCryptoExtension(
    final Configuration conf) throws IOException {
  KeyProvider provider = createKeyProvider(conf);
  // The absence of a provider is reported as null, not as an error.
  return provider == null
      ? null
      : KeyProviderCryptoExtension.createKeyProviderCryptoExtension(provider);
}
 
Example #19
Source File: KeyManagerImpl.java — from hadoop-ozone (Apache License 2.0)
/**
 * Builds the key manager from its collaborators plus the tunables read from
 * {@code conf}: SCM block size, Ratis flag, block pre-allocation cap, block
 * token flag and the trash-listing cap.
 *
 * @param om              owning OzoneManager
 * @param scmClient       client for the Storage Container Manager
 * @param metadataManager OM metadata store
 * @param conf            configuration the tunables are read from
 * @param omId            identifier of this OzoneManager
 * @param secretManager   issuer of block tokens
 * @param kmsProvider     KMS crypto extension; stored as given (may be null)
 * @param prefixManager   prefix/ACL manager
 */
@SuppressWarnings("parameternumber")
public KeyManagerImpl(OzoneManager om, ScmClient scmClient,
    OMMetadataManager metadataManager, OzoneConfiguration conf, String omId,
    OzoneBlockTokenSecretManager secretManager,
    KeyProviderCryptoExtension kmsProvider, PrefixManager prefixManager) {
  // Collaborators first; everything below is derived from conf.
  this.ozoneManager = om;
  this.omId = omId;
  this.scmClient = scmClient;
  this.metadataManager = metadataManager;
  this.prefixManager = prefixManager;
  this.secretManager = secretManager;
  this.kmsProvider = kmsProvider;

  this.scmBlockSize = (long) conf.getStorageSize(OZONE_SCM_BLOCK_SIZE,
      OZONE_SCM_BLOCK_SIZE_DEFAULT, StorageUnit.BYTES);
  this.useRatis = conf.getBoolean(DFS_CONTAINER_RATIS_ENABLED_KEY,
      DFS_CONTAINER_RATIS_ENABLED_DEFAULT);
  this.preallocateBlocksMax = conf.getInt(OZONE_KEY_PREALLOCATION_BLOCKS_MAX,
      OZONE_KEY_PREALLOCATION_BLOCKS_MAX_DEFAULT);
  this.grpcBlockTokenEnabled = conf.getBoolean(HDDS_BLOCK_TOKEN_ENABLED,
      HDDS_BLOCK_TOKEN_ENABLED_DEFAULT);
  this.listTrashKeysMax = conf.getInt(OZONE_CLIENT_LIST_TRASH_KEYS_MAX,
      OZONE_CLIENT_LIST_TRASH_KEYS_MAX_DEFAULT);
}
 
Example #20
Source File: TestBucketManagerImpl.java — from hadoop-ozone (Apache License 2.0)
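/**
 * Creates an encrypted bucket through BucketManagerImpl backed by a mocked
 * KMS and checks that the stored bucket keeps the requested encryption key
 * name.
 *
 * @throws Exception on any setup or bucket-manager failure
 */
@Test
public void testCreateBucket() throws Exception {
  OmMetadataManagerImpl metaMgr = createSampleVol();
  try {
    KeyProviderCryptoExtension kmsProvider = Mockito.mock(
        KeyProviderCryptoExtension.class);
    String testBekName = "key1";
    String testCipherName = "AES/CTR/NoPadding";

    // The mocked KMS knows testBekName and reports testCipherName for it.
    KeyProvider.Metadata mockMetadata = Mockito.mock(KeyProvider.Metadata
        .class);
    Mockito.when(kmsProvider.getMetadata(testBekName))
        .thenReturn(mockMetadata);
    Mockito.when(mockMetadata.getCipher()).thenReturn(testCipherName);

    BucketManager bucketManager = new BucketManagerImpl(metaMgr,
        kmsProvider);
    OmBucketInfo bucketInfo = OmBucketInfo.newBuilder()
        .setVolumeName("sampleVol")
        .setBucketName("bucketOne")
        // Use testBekName so the mock stub and the request cannot drift apart.
        .setBucketEncryptionKey(new
            BucketEncryptionKeyInfo.Builder().setKeyName(testBekName).build())
        .build();
    bucketManager.createBucket(bucketInfo);

    OmBucketInfo bucketInfoRead =
        bucketManager.getBucketInfo("sampleVol", "bucketOne");
    Assert.assertNotNull(bucketInfoRead);
    Assert.assertEquals(bucketInfo.getEncryptionKeyInfo().getKeyName(),
        bucketInfoRead.getEncryptionKeyInfo().getKeyName());
  } finally {
    // Close the store even when an assertion fails, so later tests do not
    // inherit an open store.
    metaMgr.getStore().close();
  }
}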
 
Example #21
Source File: OzoneManager.java — from hadoop-ozone (Apache License 2.0)
/**
 * Creates the KMS crypto extension for the KeyProvider that {@code conf}
 * names under {@code keyProviderUriKeyName}.
 *
 * @param conf configuration naming the KeyProvider
 * @return the wrapping extension, or null when no provider is configured
 * @throws IOException if the provider cannot be created
 */
private KeyProviderCryptoExtension createKeyProviderExt(
    OzoneConfiguration conf) throws IOException {
  KeyProvider provider = KMSUtil.createKeyProvider(conf,
      keyProviderUriKeyName);
  // No provider configured is not an error here; it is reported as null.
  return provider == null
      ? null
      : KeyProviderCryptoExtension.createKeyProviderCryptoExtension(provider);
}
 
Example #22
Source File: KMSWebApp.java — from big-c (Apache License 2.0)
/**
 * Returns the crypto-extension key provider installed for this web app.
 *
 * @return the shared {@code keyProviderCryptoExtension}, exactly as stored
 */
public static KeyProviderCryptoExtension getKeyProvider() {
  KeyProviderCryptoExtension current = keyProviderCryptoExtension;
  return current;
}
 
Example #23
Source File: TestKeyAuthorizationKeyProvider.java — from ranger (Apache License 2.0)
/**
 * An EEK re-labelled with a key name that differs from the one it was
 * generated under must be rejected by decryptEncryptedKey with an
 * IllegalArgumentException, even for a caller (sudo) holding every ACL on
 * the real key.
 *
 * @throws Exception propagated from the provider or the doAs block
 */
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  KeyProvider backingProvider =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);

  // "testKey" has an ACL for every operation type.
  KeyACLs aclMock = mock(KeyACLs.class);
  KeyOpType[] opTypes = {KeyOpType.MANAGEMENT, KeyOpType.GENERATE_EEK,
      KeyOpType.DECRYPT_EEK, KeyOpType.ALL};
  for (KeyOpType opType : opTypes) {
    when(aclMock.isACLPresent("testKey", opType)).thenReturn(true);
  }
  // u1..u3 each hold one operation on "testKey"; sudo holds ALL.
  UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
  UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
  UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
  when(aclMock.hasAccessToKey("testKey", u1, KeyOpType.MANAGEMENT))
      .thenReturn(true);
  when(aclMock.hasAccessToKey("testKey", u2, KeyOpType.GENERATE_EEK))
      .thenReturn(true);
  when(aclMock.hasAccessToKey("testKey", u3, KeyOpType.DECRYPT_EEK))
      .thenReturn(true);
  when(aclMock.hasAccessToKey("testKey", sudo, KeyOpType.ALL))
      .thenReturn(true);

  final KeyProviderCryptoExtension authorizingProvider =
      new KeyAuthorizationKeyProvider(
          KeyProviderCryptoExtension.createKeyProviderCryptoExtension(
              backingProvider),
          aclMock);

  sudo.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      Options opt = newOptions(conf);
      Map<String, String> attributes = new HashMap<String, String>();
      attributes.put("key.acl.name", "testKey");
      opt.setAttributes(attributes);
      byte[] seed = new byte[16];
      SECURE_RANDOM.nextBytes(seed);
      KeyVersion created = authorizingProvider.createKey("foo", seed, opt);
      authorizingProvider.rollNewVersion(created.getName());
      seed = new byte[16];
      SECURE_RANDOM.nextBytes(seed);
      authorizingProvider.rollNewVersion(created.getName(), seed);
      EncryptedKeyVersion eek =
          authorizingProvider.generateEncryptedKey(created.getName());
      // Same version name, IV and material, but a key name that does not
      // match the one the EEK was generated under.
      EncryptedKeyVersion mismatched = EncryptedKeyVersion.createForDecryption(
          eek.getEncryptionKeyName() + "x",
          eek.getEncryptionKeyVersionName(),
          eek.getEncryptedKeyIv(),
          eek.getEncryptedKeyVersion().getMaterial());
      authorizingProvider.decryptEncryptedKey(mismatched);
      return null;
    }
  });
}
 
Example #24
Source File: KeyManagerImpl.java — from hadoop-ozone (Apache License 2.0)
/**
 * Exposes the KMS crypto extension this manager was constructed with.
 *
 * @return the stored {@code kmsProvider}, exactly as supplied to the
 *         constructor (null included)
 */
KeyProviderCryptoExtension getKMSProvider() {
  KeyProviderCryptoExtension provider = kmsProvider;
  return provider;
}
 
Example #25
Source File: KMS.java — from ranger (Apache License 2.0)
/**
 * Re-encrypts the EEK assembled from the enclosing scope's {@code keyName},
 * {@code versionName}, {@code iv} and {@code encMaterial}, tagged with the
 * EEK version marker.
 *
 * @return the re-encrypted key version produced by {@code provider}
 * @throws Exception propagated from the provider
 */
@Override
public EncryptedKeyVersion run() throws Exception {
  KMSClientProvider.KMSEncryptedKeyVersion toReencrypt =
      new KMSClientProvider.KMSEncryptedKeyVersion(keyName, versionName, iv,
          KeyProviderCryptoExtension.EEK, encMaterial);
  return provider.reencryptEncryptedKey(toReencrypt);
}
 
Example #26
Source File: KMSWebApp.java — from ranger (Apache License 2.0)
/**
 * Returns the crypto-extension key provider installed for this web app.
 *
 * @return the shared {@code keyProviderCryptoExtension}, exactly as stored
 */
public static KeyProviderCryptoExtension getKeyProvider() {
  KeyProviderCryptoExtension current = keyProviderCryptoExtension;
  return current;
}
 
Example #27
Source File: TestKeyAuthorizationKeyProvider.java — from big-c (Apache License 2.0)
/**
 * An EEK re-labelled with a key name that differs from the one it was
 * generated under must be rejected by decryptEncryptedKey with an
 * IllegalArgumentException, even for a caller (sudo) holding every ACL on
 * the real key.
 *
 * @throws Exception propagated from the provider or the doAs block
 */
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  KeyProvider backingProvider =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);

  // "testKey" has an ACL for every operation type.
  KeyACLs aclMock = mock(KeyACLs.class);
  KeyOpType[] opTypes = {KeyOpType.MANAGEMENT, KeyOpType.GENERATE_EEK,
      KeyOpType.DECRYPT_EEK, KeyOpType.ALL};
  for (KeyOpType opType : opTypes) {
    when(aclMock.isACLPresent("testKey", opType)).thenReturn(true);
  }
  // u1..u3 each hold one operation on "testKey"; sudo holds ALL.
  UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
  UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
  UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
  when(aclMock.hasAccessToKey("testKey", u1, KeyOpType.MANAGEMENT))
      .thenReturn(true);
  when(aclMock.hasAccessToKey("testKey", u2, KeyOpType.GENERATE_EEK))
      .thenReturn(true);
  when(aclMock.hasAccessToKey("testKey", u3, KeyOpType.DECRYPT_EEK))
      .thenReturn(true);
  when(aclMock.hasAccessToKey("testKey", sudo, KeyOpType.ALL))
      .thenReturn(true);

  final KeyProviderCryptoExtension authorizingProvider =
      new KeyAuthorizationKeyProvider(
          KeyProviderCryptoExtension.createKeyProviderCryptoExtension(
              backingProvider),
          aclMock);

  sudo.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      Options opt = newOptions(conf);
      Map<String, String> attributes = new HashMap<String, String>();
      attributes.put("key.acl.name", "testKey");
      opt.setAttributes(attributes);
      KeyVersion created =
          authorizingProvider.createKey("foo", SecureRandom.getSeed(16), opt);
      authorizingProvider.rollNewVersion(created.getName());
      authorizingProvider.rollNewVersion(created.getName(),
          SecureRandom.getSeed(16));
      EncryptedKeyVersion eek =
          authorizingProvider.generateEncryptedKey(created.getName());
      // Same version name, IV and material, but a key name that does not
      // match the one the EEK was generated under.
      EncryptedKeyVersion mismatched = EncryptedKeyVersion.createForDecryption(
          eek.getEncryptionKeyName() + "x",
          eek.getEncryptionKeyVersionName(),
          eek.getEncryptedKeyIv(),
          eek.getEncryptedKeyVersion().getMaterial());
      authorizingProvider.decryptEncryptedKey(mismatched);
      return null;
    }
  });
}
 
Example #28
Source File: BucketManagerImpl.java — from hadoop-ozone (Apache License 2.0)
/**
 * Convenience constructor: delegates to the three-argument form with
 * {@code isRatisEnabled} set to {@code false}.
 *
 * @param metadataManager OM metadata store the bucket manager works on
 * @param kmsProvider     KMS crypto extension used for encrypted buckets
 */
public BucketManagerImpl(OMMetadataManager metadataManager,
                         KeyProviderCryptoExtension kmsProvider) {
  this(metadataManager, kmsProvider, false);
}
 
Example #29
Source File: BucketManagerImpl.java — from hadoop-ozone (Apache License 2.0)
/**
 * Stores the metadata manager and KMS provider this bucket manager works
 * with.
 *
 * @param metadataManager OM metadata store the bucket manager works on
 * @param kmsProvider     KMS crypto extension used for encrypted buckets
 * @param isRatisEnabled  accepted for signature compatibility; this
 *                        constructor does not store or read it
 */
public BucketManagerImpl(OMMetadataManager metadataManager,
    KeyProviderCryptoExtension kmsProvider, boolean isRatisEnabled) {
  this.kmsProvider = kmsProvider;
  this.metadataManager = metadataManager;
}
 
Example #30
Source File: KMS.java — from big-c (Apache License 2.0)
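/**
 * REST endpoint that decrypts an encrypted encryption key (EEK) with the key
 * version named in the path. Only {@code eekOp} = EEK_DECRYPT is accepted.
 * The caller's DECRYPT_EEK ACL on {@code keyName} is enforced before the IV
 * or material is decoded, and a successful call is audited and metered.
 *
 * @param versionName key version used to unwrap the EEK (path parameter)
 * @param eekOp       requested operation; must be EEK_DECRYPT
 * @param jsonPayload JSON body holding the key name, Base64 IV and Base64
 *                    encrypted material
 * @return the decrypted key version as JSON
 * @throws IllegalArgumentException if a required parameter or payload field
 *                                  is missing, or eekOp is unsupported
 * @throws Exception                propagated from the ACL check or the
 *                                  provider
 */
@SuppressWarnings("rawtypes")
@POST
@Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}/" +
    KMSRESTConstants.EEK_SUB_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
public Response decryptEncryptedKey(
    @PathParam("versionName") final String versionName,
    @QueryParam(KMSRESTConstants.EEK_OP) String eekOp,
    Map jsonPayload)
    throws Exception {
  UserGroupInformation user = HttpUserGroupInformation.get();
  KMSClientProvider.checkNotEmpty(versionName, "versionName");
  KMSClientProvider.checkNotNull(eekOp, "eekOp");
  // A missing body would otherwise surface as a NullPointerException on the
  // first get() instead of the IllegalArgumentException the other checks use.
  KMSClientProvider.checkNotNull(jsonPayload, "jsonPayload");

  final String keyName = (String) jsonPayload.get(
      KMSRESTConstants.NAME_FIELD);
  String ivStr = (String) jsonPayload.get(KMSRESTConstants.IV_FIELD);
  String encMaterialStr =
      (String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD);
  if (!KMSRESTConstants.EEK_DECRYPT.equals(eekOp)) {
    throw new IllegalArgumentException("Wrong " + KMSRESTConstants.EEK_OP +
        " value, it must be " + KMSRESTConstants.EEK_GENERATE + " or " +
        KMSRESTConstants.EEK_DECRYPT);
  }
  // Authorize first; IV and material are only decoded for permitted callers.
  assertAccess(KMSACLs.Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName);
  KMSClientProvider.checkNotNull(ivStr, KMSRESTConstants.IV_FIELD);
  final byte[] iv = Base64.decodeBase64(ivStr);
  KMSClientProvider.checkNotNull(encMaterialStr,
      KMSRESTConstants.MATERIAL_FIELD);
  final byte[] encMaterial = Base64.decodeBase64(encMaterialStr);

  // Run the provider call as the authenticated user.
  KeyProvider.KeyVersion retKeyVersion = user.doAs(
      new PrivilegedExceptionAction<KeyVersion>() {
        @Override
        public KeyVersion run() throws Exception {
          return provider.decryptEncryptedKey(
              new KMSClientProvider.KMSEncryptedKeyVersion(keyName,
                  versionName, iv, KeyProviderCryptoExtension.EEK,
                  encMaterial));
        }
      });

  Object retJSON = KMSServerJSONUtils.toJSON(retKeyVersion);
  kmsAudit.ok(user, KMSOp.DECRYPT_EEK, keyName, "");
  KMSWebApp.getDecryptEEKCallsMeter().mark();
  return Response.ok().type(MediaType.APPLICATION_JSON).entity(retJSON)
      .build();
}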