org.apache.hadoop.crypto.key.kms.server.KMS.KMSOp Java Examples

The following examples show how to use org.apache.hadoop.crypto.key.kms.server.KMS.KMSOp, the enum that names the KMS operation recorded in each audit entry and passed to the ACL checks.
Example #1
Source File: TestKMSAudit.java    From hadoop with Apache License 2.0
@Test
public void testAggregationUnauth() throws Exception {
  // Pins the audit log format when an UNAUTHORIZED entry is interleaved with
  // OK entries for the same user/op/key: the OK calls are expected to be
  // aggregated (accessCount=5) and the UNAUTHORIZED entry to split the run.
  UserGroupInformation luser = Mockito.mock(UserGroupInformation.class);
  Mockito.when(luser.getShortUserName()).thenReturn("luser");

  kmsAudit.unauthorized(luser, KMSOp.GENERATE_EEK, "k2");
  // NOTE(review): the sleeps presumably let the time-based aggregation flush
  // before the log is read — confirm against the KMSAudit flush interval.
  Thread.sleep(1000);
  for (int i = 0; i < 5; i++) {
    kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
  }
  kmsAudit.unauthorized(luser, KMSOp.GENERATE_EEK, "k3");
  kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
  Thread.sleep(2000);

  String out = getAndResetLogOutput();
  System.out.println(out);
  // interval is matched loosely ([^m]{1,4}) because it is wall-clock dependent.
  String expected = "UNAUTHORIZED\\[op=GENERATE_EEK, key=k2, user=luser\\] "
      + "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"
      + "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=5, interval=[^m]{1,4}ms\\] testmsg"
      + "UNAUTHORIZED\\[op=GENERATE_EEK, key=k3, user=luser\\] "
      + "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg";
  Assert.assertTrue(out.matches(expected));
}
 
Example #2
Source File: TestKMSAudit.java    From big-c with Apache License 2.0
@Test
public void testAggregationUnauth() throws Exception {
  // Verifies the audit line format for an UNAUTHORIZED entry followed by a
  // burst of OK calls on the same key; the burst must collapse into one
  // aggregated OK (accessCount=5) and a later UNAUTHORIZED must start a new run.
  UserGroupInformation luser = Mockito.mock(UserGroupInformation.class);
  Mockito.when(luser.getShortUserName()).thenReturn("luser");

  kmsAudit.unauthorized(luser, KMSOp.GENERATE_EEK, "k2");
  // NOTE(review): sleeps appear to give the aggregation cache time to flush
  // before getAndResetLogOutput() — confirm the flush interval in KMSAudit.
  Thread.sleep(1000);
  int burst = 5;
  while (burst-- > 0) {
    kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
  }
  kmsAudit.unauthorized(luser, KMSOp.GENERATE_EEK, "k3");
  kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
  Thread.sleep(2000);

  String out = getAndResetLogOutput();
  System.out.println(out);
  // The interval field is timing dependent, so it is matched with [^m]{1,4}.
  String pattern = "UNAUTHORIZED\\[op=GENERATE_EEK, key=k2, user=luser\\] "
      + "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"
      + "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=5, interval=[^m]{1,4}ms\\] testmsg"
      + "UNAUTHORIZED\\[op=GENERATE_EEK, key=k3, user=luser\\] "
      + "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg";
  Assert.assertTrue(out.matches(pattern));
}
 
Example #3
Source File: TestKMSAudit.java    From ranger with Apache License 2.0
@Test
public void testAuditLogFormat() throws Exception {
  // Exercises every audit entry kind once (OK with key, OK without key,
  // UNAUTHORIZED, ERROR, UNAUTHENTICATED) and pins their exact line formats.
  // These lines are what downstream log consumers parse, so the format is a
  // contract rather than a detail.
  UserGroupInformation luser = Mockito.mock(UserGroupInformation.class);
  Mockito.when(luser.getShortUserName()).thenReturn("luser");

  kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k4", "testmsg");
  kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "testmsg");
  // NOTE(review): evictCacheForTesting() presumably forces the aggregated
  // keyed OK entry out to the log — confirm against KMSAudit.
  kmsAudit.evictCacheForTesting();
  kmsAudit.unauthorized(luser, KMSOp.DECRYPT_EEK, "k4");
  kmsAudit.error(luser, "method", "url", "testmsg");
  kmsAudit.unauthenticated("remotehost", "method", "url", "testmsg");

  String out = getAndResetLogOutput();
  System.out.println(out);
  String expected =
      "OK\\[op=GENERATE_EEK, key=k4, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"
      + "OK\\[op=GENERATE_EEK, user=luser\\] testmsg"
      + "OK\\[op=GENERATE_EEK, key=k4, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"
      + "UNAUTHORIZED\\[op=DECRYPT_EEK, key=k4, user=luser\\] "
      + "ERROR\\[user=luser\\] Method:'method' Exception:'testmsg'"
      + "UNAUTHENTICATED RemoteHost:remotehost Method:method URL:url ErrorMsg:'testmsg'";
  Assert.assertTrue(out.matches(expected));
}
 
Example #4
Source File: RangerKmsAuthorizer.java    From ranger with Apache License 2.0
@Override
public void assertAccess(Type aclType, UserGroupInformation ugi,KMSOp operation, String key, String clientIp) throws AccessControlException {
	// Thin delegating wrapper: the real check lives in implKeyACLs, which is
	// loaded by the plugin class loader, so that loader is activated around the
	// call and always restored afterwards (even when the check throws).
	if(LOG.isDebugEnabled()) {
		final String args = key + ", " + ugi + ", " + aclType + ")";
		LOG.debug("==> RangerKmsAuthorizer.assertAccess(" + args);
	}

	try {
		activatePluginClassLoader();
		implKeyACLs.assertAccess(aclType, ugi, operation, key, clientIp);
	} finally {
		deactivatePluginClassLoader();
	}

	// Only reached when the delegate did not throw, i.e. access was granted.
	if(LOG.isDebugEnabled()) {
		final String args = key + ", " + ugi + ", " + aclType + ")";
		LOG.debug("<== RangerKmsAuthorizer.assertAccess(" + args);
	}
}
 
Example #5
Source File: RangerKmsAuthorizer.java    From ranger with Apache License 2.0
@Override
public void assertAccess(Type aclType, UserGroupInformation ugi, KMSOp operation, String key, String clientIp)
    throws AccessControlException {
  // Checks aclType for ugi (and clientIp) via hasAccess(); on denial it bumps
  // the unauthorized-calls meter, writes an UNAUTHORIZED audit entry and then
  // fails the caller with AuthorizationException. Authorised calls return
  // silently.
  if(LOG.isDebugEnabled()) {
    LOG.debug("==> RangerKmsAuthorizer.assertAccess(" + key + ", " + ugi +", " + aclType + ")");
  }
  // A null key is normalised to "" so hasAccess(), the audit entry and the
  // message selection below never see null.
  final String keyName = (key == null) ? "" : key;
  if (hasAccess(aclType, ugi, keyName, clientIp)) {
    return;
  }
  // Denied: meter and audit first, so the denial is recorded even though the
  // exception unwinds the request.
  KMSWebApp.getUnauthorizedCallsMeter().mark();
  KMSWebApp.getKMSAudit().unauthorized(ugi, operation, keyName);
  final String template = keyName.isEmpty()
      ? UNAUTHORIZED_MSG_WITHOUT_KEY
      : UNAUTHORIZED_MSG_WITH_KEY;
  throw new AuthorizationException(
      String.format(template, ugi.getShortUserName(), operation, keyName));
}
 
Example #6
Source File: KMSACLs.java    From hadoop with Apache License 2.0
/**
 * Asserts that {@code ugi} holds the {@code aclType} ACL, recording a denial
 * in the metrics and the audit log before rejecting the caller.
 *
 * @param aclType   the ACL being checked
 * @param ugi       the caller
 * @param operation the KMS operation, used only for the audit entry and message
 * @param key       the key name, or null when the operation has no key
 * @throws AccessControlException (as {@link AuthorizationException}) when the
 *         ACL check fails
 */
public void assertAccess(KMSACLs.Type aclType,
    UserGroupInformation ugi, KMSOp operation, String key)
    throws AccessControlException {
  // Authorised callers fall straight through.
  if (KMSWebApp.getACLs().hasAccess(aclType, ugi)) {
    return;
  }
  // Denied: meter and audit the call before the exception leaves the KMS.
  KMSWebApp.getUnauthorizedCallsMeter().mark();
  KMSWebApp.getKMSAudit().unauthorized(ugi, operation, key);
  final String template = (key == null)
      ? UNAUTHORIZED_MSG_WITHOUT_KEY
      : UNAUTHORIZED_MSG_WITH_KEY;
  throw new AuthorizationException(
      String.format(template, ugi.getShortUserName(), operation, key));
}
 
Example #7
Source File: TestKMSAudit.java    From hadoop with Apache License 2.0
@Test
public void testAggregation() throws Exception {
  // Checks which OK entries the audit logger aggregates: repeated DECRYPT_EEK
  // calls on one key collapse into a single line with accessCount=N, while
  // DELETE_KEY and ROLL_NEW_VERSION are logged individually (no accessCount).
  UserGroupInformation luser = Mockito.mock(UserGroupInformation.class);
  Mockito.when(luser.getShortUserName()).thenReturn("luser");

  for (int i = 0; i < 3; i++) {
    kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
  }
  kmsAudit.ok(luser, KMSOp.DELETE_KEY, "k1", "testmsg");
  kmsAudit.ok(luser, KMSOp.ROLL_NEW_VERSION, "k1", "testmsg");
  for (int i = 0; i < 3; i++) {
    kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
  }
  // NOTE(review): the sleeps presumably let the aggregation window close so
  // the next call starts a fresh accessCount — confirm against KMSAudit.
  Thread.sleep(1500);
  kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
  Thread.sleep(1500);

  String out = getAndResetLogOutput();
  System.out.println(out);
  String expected =
      "OK\\[op=DECRYPT_EEK, key=k1, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"
      // Not aggregated !!
      + "OK\\[op=DELETE_KEY, key=k1, user=luser\\] testmsg"
      + "OK\\[op=ROLL_NEW_VERSION, key=k1, user=luser\\] testmsg"
      // Aggregated
      + "OK\\[op=DECRYPT_EEK, key=k1, user=luser, accessCount=6, interval=[^m]{1,4}ms\\] testmsg"
      + "OK\\[op=DECRYPT_EEK, key=k1, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg";
  Assert.assertTrue(out.matches(expected));
}
 
Example #8
Source File: KMSACLs.java    From big-c with Apache License 2.0
/**
 * Enforces the {@code aclType} ACL for {@code ugi}.
 *
 * <p>A denial is counted on the unauthorized-calls meter and written to the
 * audit log before the {@link AuthorizationException} is thrown, so every
 * rejected request leaves a trace.
 *
 * @param aclType   the ACL to check
 * @param ugi       the calling user
 * @param operation the KMS operation being attempted (for audit/message only)
 * @param key       the key name, or null when the operation is not key-specific
 * @throws AccessControlException when the check fails
 */
public void assertAccess(KMSACLs.Type aclType,
    UserGroupInformation ugi, KMSOp operation, String key)
    throws AccessControlException {
  boolean allowed = KMSWebApp.getACLs().hasAccess(aclType, ugi);
  if (allowed) {
    return;
  }
  KMSWebApp.getUnauthorizedCallsMeter().mark();
  KMSWebApp.getKMSAudit().unauthorized(ugi, operation, key);
  // Pick the message variant by key presence; the key may legitimately be null.
  String message = String.format(
      (key != null) ? UNAUTHORIZED_MSG_WITH_KEY : UNAUTHORIZED_MSG_WITHOUT_KEY,
      ugi.getShortUserName(), operation, key);
  throw new AuthorizationException(message);
}
 
Example #9
Source File: TestKMSAudit.java    From big-c with Apache License 2.0
@Test
public void testAggregation() throws Exception {
  // Repeated DECRYPT_EEK OKs on one key must be folded into a single audit line
  // carrying accessCount; DELETE_KEY and ROLL_NEW_VERSION must each be logged
  // on their own line without aggregation.
  UserGroupInformation luser = Mockito.mock(UserGroupInformation.class);
  Mockito.when(luser.getShortUserName()).thenReturn("luser");

  int n = 3;
  while (n-- > 0) {
    kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
  }
  kmsAudit.ok(luser, KMSOp.DELETE_KEY, "k1", "testmsg");
  kmsAudit.ok(luser, KMSOp.ROLL_NEW_VERSION, "k1", "testmsg");
  n = 3;
  while (n-- > 0) {
    kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
  }
  // NOTE(review): the sleeps appear to let the aggregation window expire so
  // the following call is counted as a new run — confirm against KMSAudit.
  Thread.sleep(1500);
  kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
  Thread.sleep(1500);

  String out = getAndResetLogOutput();
  System.out.println(out);
  String pattern =
      "OK\\[op=DECRYPT_EEK, key=k1, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"
      // Not aggregated !!
      + "OK\\[op=DELETE_KEY, key=k1, user=luser\\] testmsg"
      + "OK\\[op=ROLL_NEW_VERSION, key=k1, user=luser\\] testmsg"
      // Aggregated
      + "OK\\[op=DECRYPT_EEK, key=k1, user=luser, accessCount=6, interval=[^m]{1,4}ms\\] testmsg"
      + "OK\\[op=DECRYPT_EEK, key=k1, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg";
  Assert.assertTrue(out.matches(pattern));
}
 
Example #10
Source File: KMSACLs.java    From ranger with Apache License 2.0
/**
 * Enforces the {@code aclType} ACL for {@code ugi} from {@code clientIp}.
 *
 * <p>Denials are metered and audited before the exception is raised, so a
 * rejected request is always visible in the audit log.
 *
 * @param aclType   the ACL to check
 * @param ugi       the calling user
 * @param operation the KMS operation attempted (audit entry and message only)
 * @param key       the key name, or null when the operation has no key
 * @param clientIp  the caller's address, passed through to the ACL check
 * @throws AccessControlException when the check fails
 */
@Override
public void assertAccess(Type aclType,
    UserGroupInformation ugi, KMSOp operation, String key, String clientIp)
    throws AccessControlException {
  if (KMSWebApp.getACLs().hasAccess(aclType, ugi, clientIp)) {
    return;
  }
  KMSWebApp.getUnauthorizedCallsMeter().mark();
  KMSWebApp.getKMSAudit().unauthorized(ugi, operation, key);
  final String template = (key == null)
      ? UNAUTHORIZED_MSG_WITHOUT_KEY
      : UNAUTHORIZED_MSG_WITH_KEY;
  throw new AuthorizationException(
      String.format(template, ugi.getShortUserName(), operation, key));
}
 
Example #11
Source File: TestKMSAudit.java    From ranger with Apache License 2.0
@Test
@SuppressWarnings("checkstyle:linelength")
public void testAggregationUnauth() throws Exception {
  // Pins the audit format when UNAUTHORIZED entries are interleaved with an
  // aggregated OK run. Cache eviction is forced explicitly instead of waiting
  // for the aggregation window, except where noted below.
  UserGroupInformation luser = Mockito.mock(UserGroupInformation.class);
  Mockito.when(luser.getShortUserName()).thenReturn("luser");

  kmsAudit.unauthorized(luser, KMSOp.GENERATE_EEK, "k2");
  kmsAudit.evictCacheForTesting();
  for (int i = 0; i < 5; i++) {
    kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
  }
  kmsAudit.unauthorized(luser, KMSOp.GENERATE_EEK, "k3");
  // wait a bit so the UNAUTHORIZED-triggered cache invalidation happens.
  Thread.sleep(1000);
  kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
  kmsAudit.evictCacheForTesting();

  String out = getAndResetLogOutput();
  System.out.println(out);
  // The UNAUTHORIZED will trigger cache invalidation, which then triggers
  // the aggregated OK (accessCount=5). But the order of the UNAUTHORIZED and
  // the aggregated OK is arbitrary - no correctness concerns, but flaky here.
  // Both orderings are therefore accepted.
  String unauthK2 = "UNAUTHORIZED\\[op=GENERATE_EEK, key=k2, user=luser\\] ";
  String unauthK3 = "UNAUTHORIZED\\[op=GENERATE_EEK, key=k3, user=luser\\] ";
  String okOnce = "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg";
  String okFive = "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=5, interval=[^m]{1,4}ms\\] testmsg";
  String aggregatedFirst = unauthK2 + okOnce + okFive + unauthK3 + okOnce;
  String unauthorizedFirst = unauthK2 + okOnce + unauthK3 + okFive + okOnce;
  Assert.assertTrue(out.matches(aggregatedFirst) || out.matches(unauthorizedFirst));
}
 
Example #12
Source File: KeyAuthorizationKeyProvider.java    From ranger with Apache License 2.0
/**
 * Asserts that {@code ugi}, calling from {@code clientIp}, holds the
 * {@code aclType} ACL for {@code operation} on {@code key}.
 *
 * <p>Returns normally when access is granted. Implementations on this page
 * (KMSACLs, RangerKmsAuthorizer) meter and audit the denial before throwing.
 *
 * @param aclType   the ACL being checked
 * @param ugi       the calling user
 * @param operation the KMS operation being attempted
 * @param key       the key name; may be null for operations without a key
 * @param clientIp  the caller's address
 * @throws AccessControlException when the access check fails
 */
void assertAccess(KMSACLsType.Type aclType, UserGroupInformation ugi,
KMSOp operation, String key, String clientIp) throws AccessControlException;
 
Example #13
Source File: TestKMSAudit.java    From ranger with Apache License 2.0
@Test
@SuppressWarnings("checkstyle:linelength")
public void testAggregation() throws Exception {
  // Checks which operations the audit logger aggregates into accessCount runs
  // (DECRYPT_EEK, REENCRYPT_EEK) and which are always logged individually
  // (DELETE_KEY, ROLL_NEW_VERSION, INVALIDATE_CACHE, REENCRYPT_EEK_BATCH).
  // evictCacheForTesting() is used to close a run deterministically instead
  // of sleeping through the aggregation window.
  UserGroupInformation luser = Mockito.mock(UserGroupInformation.class);
  Mockito.when(luser.getShortUserName()).thenReturn("luser");

  for (int i = 0; i < 3; i++) {
    kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
  }
  kmsAudit.ok(luser, KMSOp.DELETE_KEY, "k1", "testmsg");
  kmsAudit.ok(luser, KMSOp.ROLL_NEW_VERSION, "k1", "testmsg");
  kmsAudit.ok(luser, KMSOp.INVALIDATE_CACHE, "k1", "testmsg");
  for (int i = 0; i < 3; i++) {
    kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
  }
  kmsAudit.evictCacheForTesting();
  kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
  kmsAudit.evictCacheForTesting();
  for (int i = 0; i < 3; i++) {
    kmsAudit.ok(luser, KMSOp.REENCRYPT_EEK, "k1", "testmsg");
  }
  kmsAudit.evictCacheForTesting();
  for (int i = 0; i < 2; i++) {
    kmsAudit.ok(luser, KMSOp.REENCRYPT_EEK_BATCH, "k1", "testmsg");
  }
  kmsAudit.evictCacheForTesting();

  String out = getAndResetLogOutput();
  System.out.println(out);
  String expected =
      "OK\\[op=DECRYPT_EEK, key=k1, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"
      // Not aggregated !!
      + "OK\\[op=DELETE_KEY, key=k1, user=luser\\] testmsg"
      + "OK\\[op=ROLL_NEW_VERSION, key=k1, user=luser\\] testmsg"
      + "OK\\[op=INVALIDATE_CACHE, key=k1, user=luser\\] testmsg"
      // Aggregated
      + "OK\\[op=DECRYPT_EEK, key=k1, user=luser, accessCount=6, interval=[^m]{1,4}ms\\] testmsg"
      + "OK\\[op=DECRYPT_EEK, key=k1, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"
      + "OK\\[op=REENCRYPT_EEK, key=k1, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"
      + "OK\\[op=REENCRYPT_EEK, key=k1, user=luser, accessCount=3, interval=[^m]{1,4}ms\\] testmsg"
      + "OK\\[op=REENCRYPT_EEK_BATCH, key=k1, user=luser\\] testmsg"
      + "OK\\[op=REENCRYPT_EEK_BATCH, key=k1, user=luser\\] testmsg";
  Assert.assertTrue(out.matches(expected));
}
 
Example #14
Source File: RangerKmsAuthorizerTest.java    From ranger with Apache License 2.0
@Test
public void testGetKeys() throws Throwable {
    // Positive and negative authorization checks for GET_KEYS: an allowed user,
    // a denied user (must raise AuthorizationException), and a user allowed
    // through group membership ("IT"). Skipped unless the unrestricted test
    // policies are installed, since the outcome depends on them.
    if (!UNRESTRICTED_POLICIES_INSTALLED) {
        return;
    }

    // bob should have permission to get keys
    final UserGroupInformation bob = UserGroupInformation.createRemoteUser("bob");
    bob.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            KMSWebApp.getACLs().assertAccess(Type.GET_KEYS, bob, KMSOp.GET_KEYS, "newkey1", "127.0.0.1");
            return null;
        }
    });

    // "eve" should not have permission to get keys
    final UserGroupInformation eve = UserGroupInformation.createRemoteUser("eve");
    eve.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(Type.GET_KEYS, eve, KMSOp.GET_KEYS, "newkey1", "127.0.0.1");
                // Assert.fail throws AssertionError, which the catch below does not swallow.
                Assert.fail("Failure expected");
            } catch (AuthorizationException ex) {
                LOG.error(ex);
            }
            return null;
        }
    });

    // the IT group should have permission to get keys
    final UserGroupInformation alice = UserGroupInformation.createUserForTesting("alice", new String[]{"IT"});
    alice.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            KMSWebApp.getACLs().assertAccess(Type.GET_KEYS, alice, KMSOp.GET_KEYS, "newkey1", "127.0.0.1");
            return null;
        }
    });
}
 
Example #15
Source File: RangerKmsAuthorizerTest.java    From ranger with Apache License 2.0
@Test
public void testGetMetadata() throws Throwable {
    // Authorization checks for GET_METADATA on "newkey1": bob is allowed, eve
    // must be rejected with AuthorizationException, and alice is allowed via
    // the "IT" group. Skipped unless the unrestricted test policies are
    // installed, because the expected outcomes depend on them.
    if (!UNRESTRICTED_POLICIES_INSTALLED) {
        return;
    }

    // bob should have permission to get the metadata
    final UserGroupInformation bob = UserGroupInformation.createRemoteUser("bob");
    bob.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            KMSWebApp.getACLs().assertAccess(Type.GET_METADATA, bob, KMSOp.GET_METADATA, "newkey1", "127.0.0.1");
            return null;
        }
    });

    // "eve" should not have permission to get the metadata
    final UserGroupInformation eve = UserGroupInformation.createRemoteUser("eve");
    eve.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(Type.GET_METADATA, eve, KMSOp.GET_METADATA, "newkey1", "127.0.0.1");
                // Assert.fail raises AssertionError, which is not caught below.
                Assert.fail("Failure expected");
            } catch (AuthorizationException ex) {
                LOG.error(ex);
            }
            return null;
        }
    });

    // the IT group should have permission to get the metadata
    final UserGroupInformation alice = UserGroupInformation.createUserForTesting("alice", new String[]{"IT"});
    alice.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            KMSWebApp.getACLs().assertAccess(Type.GET_METADATA, alice, KMSOp.GET_METADATA, "newkey1", "127.0.0.1");
            return null;
        }
    });
}