org.apache.hadoop.crypto.key.KeyProvider.Options Java Examples

Example #1
Source File: TestLoadBalancingKMSClientProvider.java — from hadoop, Apache License 2.0
/**
 * Verifies that createKey() is spread round-robin over the configured KMS
 * providers, wrapping back to the first one after the last.
 */
@Test
public void testLoadBalancing() throws Exception {
  Configuration conf = new Configuration();

  // Three mocked providers; each answers createKey() with its own name so
  // the assertions below can tell which one served the call.
  String[] names = {"p1", "p2", "p3"};
  String[] versions = {"v1", "v2", "v3"};
  KMSClientProvider[] providers = new KMSClientProvider[names.length];
  for (int i = 0; i < names.length; i++) {
    KMSClientProvider provider = mock(KMSClientProvider.class);
    when(provider.createKey(Mockito.anyString(), Mockito.any(Options.class)))
        .thenReturn(new KMSClientProvider.KMSKeyVersion(
            names[i], versions[i], new byte[0]));
    providers[i] = provider;
  }
  KeyProvider kp = new LoadBalancingKMSClientProvider(providers, 0, conf);

  // Starting at index 0, four calls visit p1, p2, p3 and then p1 again.
  String[] expected = {"p1", "p2", "p3", "p1"};
  for (int i = 0; i < expected.length; i++) {
    String keyName = "test" + (i + 1);
    assertEquals(expected[i],
        kp.createKey(keyName, new Options(conf)).getName());
  }
}
 
Example #2
Source File: TestLoadBalancingKMSClientProvider.java — from big-c, Apache License 2.0
/**
 * Verifies that createKey() is spread round-robin over the configured KMS
 * providers, wrapping back to the first one after the last.
 */
@Test
public void testLoadBalancing() throws Exception {
  Configuration conf = new Configuration();

  // Three mocked providers; each answers createKey() with its own name so
  // the assertions below can tell which one served the call.
  String[] names = {"p1", "p2", "p3"};
  String[] versions = {"v1", "v2", "v3"};
  KMSClientProvider[] providers = new KMSClientProvider[names.length];
  for (int i = 0; i < names.length; i++) {
    KMSClientProvider provider = mock(KMSClientProvider.class);
    when(provider.createKey(Mockito.anyString(), Mockito.any(Options.class)))
        .thenReturn(new KMSClientProvider.KMSKeyVersion(
            names[i], versions[i], new byte[0]));
    providers[i] = provider;
  }
  KeyProvider kp = new LoadBalancingKMSClientProvider(providers, 0, conf);

  // Starting at index 0, four calls visit p1, p2, p3 and then p1 again.
  String[] expected = {"p1", "p2", "p3", "p1"};
  for (int i = 0; i < expected.length; i++) {
    String keyName = "test" + (i + 1);
    assertEquals(expected[i],
        kp.createKey(keyName, new Options(conf)).getName());
  }
}
 
Example #3
Source File: TestLoadBalancingKMSClientProvider.java — from hadoop, Apache License 2.0
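/**
 * Verifies the failover policy of the load balancer: an IOException from a
 * provider moves the call on to the next provider, while any other exception
 * (here NoSuchAlgorithmException) is surfaced to the caller immediately.
 */
@Test
public void testLoadBalancingWithFailure() throws Exception {
  Configuration conf = new Configuration();
  KMSClientProvider p1 = mock(KMSClientProvider.class);
  when(p1.createKey(Mockito.anyString(), Mockito.any(Options.class)))
      .thenReturn(
          new KMSClientProvider.KMSKeyVersion("p1", "v1", new byte[0]));
  when(p1.getKMSUrl()).thenReturn("p1");
  // This should not be retried
  KMSClientProvider p2 = mock(KMSClientProvider.class);
  when(p2.createKey(Mockito.anyString(), Mockito.any(Options.class)))
      .thenThrow(new NoSuchAlgorithmException("p2"));
  when(p2.getKMSUrl()).thenReturn("p2");
  KMSClientProvider p3 = mock(KMSClientProvider.class);
  when(p3.createKey(Mockito.anyString(), Mockito.any(Options.class)))
      .thenReturn(
          new KMSClientProvider.KMSKeyVersion("p3", "v3", new byte[0]));
  when(p3.getKMSUrl()).thenReturn("p3");
  // This should be retried
  KMSClientProvider p4 = mock(KMSClientProvider.class);
  when(p4.createKey(Mockito.anyString(), Mockito.any(Options.class)))
      .thenThrow(new IOException("p4"));
  when(p4.getKMSUrl()).thenReturn("p4");
  KeyProvider kp = new LoadBalancingKMSClientProvider(
      new KMSClientProvider[] { p1, p2, p3, p4 }, 0, conf);

  assertEquals("p1", kp.createKey("test4", new Options(conf)).getName());
  // Exceptions other than IOExceptions will not be retried. Catching the
  // expected type directly (instead of Exception + instanceof) means any
  // other exception fails the test with its own stack trace rather than an
  // uninformative assertTrue failure.
  try {
    kp.createKey("test1", new Options(conf));
    fail("Should fail since its not an IOException");
  } catch (NoSuchAlgorithmException expected) {
    // expected: p2's failure is propagated to the caller
  }
  assertEquals("p3", kp.createKey("test2", new Options(conf)).getName());
  // IOException will trigger retry in next provider
  assertEquals("p1", kp.createKey("test3", new Options(conf)).getName());
}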
 
Example #4
Source File: TestLoadBalancingKMSClientProvider.java — from hadoop, Apache License 2.0
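/**
 * Verifies that when every provider fails with an IOException the load
 * balancer gives up and reports an IOException to the caller rather than
 * looping or returning a result.
 */
@Test
public void testLoadBalancingWithAllBadNodes() throws Exception {
  Configuration conf = new Configuration();
  // Four providers that all fail createKey() with an IOException; each one
  // reports its own URL so the balancer's logging can identify it.
  KMSClientProvider[] providers = new KMSClientProvider[4];
  for (int i = 0; i < providers.length; i++) {
    String url = "p" + (i + 1);
    KMSClientProvider provider = mock(KMSClientProvider.class);
    when(provider.createKey(Mockito.anyString(), Mockito.any(Options.class)))
        .thenThrow(new IOException(url));
    when(provider.getKMSUrl()).thenReturn(url);
    providers[i] = provider;
  }
  KeyProvider kp = new LoadBalancingKMSClientProvider(providers, 0, conf);
  // Catch the expected type directly so that any other exception fails the
  // test with its own stack trace instead of an instanceof assertion.
  try {
    kp.createKey("test3", new Options(conf));
    fail("Should fail since all providers threw an IOException");
  } catch (IOException expected) {
    // expected: no provider could serve the request
  }
}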
 
Example #5
Source File: TestLoadBalancingKMSClientProvider.java — from big-c, Apache License 2.0
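/**
 * Verifies the failover policy of the load balancer: an IOException from a
 * provider moves the call on to the next provider, while any other exception
 * (here NoSuchAlgorithmException) is surfaced to the caller immediately.
 */
@Test
public void testLoadBalancingWithFailure() throws Exception {
  Configuration conf = new Configuration();
  KMSClientProvider p1 = mock(KMSClientProvider.class);
  when(p1.createKey(Mockito.anyString(), Mockito.any(Options.class)))
      .thenReturn(
          new KMSClientProvider.KMSKeyVersion("p1", "v1", new byte[0]));
  when(p1.getKMSUrl()).thenReturn("p1");
  // This should not be retried
  KMSClientProvider p2 = mock(KMSClientProvider.class);
  when(p2.createKey(Mockito.anyString(), Mockito.any(Options.class)))
      .thenThrow(new NoSuchAlgorithmException("p2"));
  when(p2.getKMSUrl()).thenReturn("p2");
  KMSClientProvider p3 = mock(KMSClientProvider.class);
  when(p3.createKey(Mockito.anyString(), Mockito.any(Options.class)))
      .thenReturn(
          new KMSClientProvider.KMSKeyVersion("p3", "v3", new byte[0]));
  when(p3.getKMSUrl()).thenReturn("p3");
  // This should be retried
  KMSClientProvider p4 = mock(KMSClientProvider.class);
  when(p4.createKey(Mockito.anyString(), Mockito.any(Options.class)))
      .thenThrow(new IOException("p4"));
  when(p4.getKMSUrl()).thenReturn("p4");
  KeyProvider kp = new LoadBalancingKMSClientProvider(
      new KMSClientProvider[] { p1, p2, p3, p4 }, 0, conf);

  assertEquals("p1", kp.createKey("test4", new Options(conf)).getName());
  // Exceptions other than IOExceptions will not be retried. Catching the
  // expected type directly (instead of Exception + instanceof) means any
  // other exception fails the test with its own stack trace rather than an
  // uninformative assertTrue failure.
  try {
    kp.createKey("test1", new Options(conf));
    fail("Should fail since its not an IOException");
  } catch (NoSuchAlgorithmException expected) {
    // expected: p2's failure is propagated to the caller
  }
  assertEquals("p3", kp.createKey("test2", new Options(conf)).getName());
  // IOException will trigger retry in next provider
  assertEquals("p1", kp.createKey("test3", new Options(conf)).getName());
}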
 
Example #6
Source File: TestLoadBalancingKMSClientProvider.java — from big-c, Apache License 2.0
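/**
 * Verifies that when every provider fails with an IOException the load
 * balancer gives up and reports an IOException to the caller rather than
 * looping or returning a result.
 */
@Test
public void testLoadBalancingWithAllBadNodes() throws Exception {
  Configuration conf = new Configuration();
  // Four providers that all fail createKey() with an IOException; each one
  // reports its own URL so the balancer's logging can identify it.
  KMSClientProvider[] providers = new KMSClientProvider[4];
  for (int i = 0; i < providers.length; i++) {
    String url = "p" + (i + 1);
    KMSClientProvider provider = mock(KMSClientProvider.class);
    when(provider.createKey(Mockito.anyString(), Mockito.any(Options.class)))
        .thenThrow(new IOException(url));
    when(provider.getKMSUrl()).thenReturn(url);
    providers[i] = provider;
  }
  KeyProvider kp = new LoadBalancingKMSClientProvider(providers, 0, conf);
  // Catch the expected type directly so that any other exception fails the
  // test with its own stack trace instead of an instanceof assertion.
  try {
    kp.createKey("test3", new Options(conf));
    fail("Should fail since all providers threw an IOException");
  } catch (IOException expected) {
    // expected: no provider could serve the request
  }
}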
 
Example #7
Source File: RangerKeyStoreProviderTest.java — from ranger, Apache License 2.0
/**
 * Creates a 128-bit AES key in the Ranger key store, checks that it is listed
 * after a flush, deletes it, and finally confirms that deleting an unknown
 * key name is rejected with an IOException.
 */
@Test
public void testCreateDeleteKey() throws Throwable {
    if (!UNRESTRICTED_POLICIES_INSTALLED) {
        return;
    }

    // Point the KMS configuration at the test resources directory
    Path configDir = Paths.get("src/test/resources/kms");
    System.setProperty(KMSConfiguration.KMS_CONFIG_DIR, configDir.toFile().getAbsolutePath());

    Configuration conf = new Configuration();
    RangerKeyStoreProvider provider = new RangerKeyStoreProvider(conf);

    // Create a 128-bit AES key and check the first version's name and size
    Options opts = new Options(conf);
    opts.setCipher("AES");
    opts.setBitLength(128);
    KeyVersion created = provider.createKey("newkey1", opts);
    Assert.assertEquals("newkey1", created.getName());
    Assert.assertEquals("newkey1@0", created.getVersionName());
    Assert.assertEquals(128 / 8, created.getMaterial().length);

    // The key is listed once flushed, and gone again after delete + flush
    provider.flush();
    Assert.assertEquals(1, provider.getKeys().size());
    provider.deleteKey("newkey1");
    provider.flush();
    Assert.assertEquals(0, provider.getKeys().size());

    // Deleting a key that does not exist must be reported as an IOException
    try {
        provider.deleteKey("newkey2");
        Assert.fail("Failure expected on trying to delete an unknown key");
    } catch (IOException expected) {
        // expected
    }
}
 
Example #8
Source File: RangerKeyStoreProviderTest.java — from ranger, Apache License 2.0
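/**
 * Creates a 192-bit AES key, rolls it to a new version and checks that the
 * new version has the expected name and fresh key material.
 *
 * The key is removed in a finally block: the tests in this class share one
 * key store and count its keys, so a failed assertion must not leave
 * "newkey1" behind for the next test to trip over.
 */
@Test
public void testRolloverKey() throws Throwable {
    if (!UNRESTRICTED_POLICIES_INSTALLED) {
        return;
    }

    // Point the KMS configuration at the test resources directory
    Path configDir = Paths.get("src/test/resources/kms");
    System.setProperty(KMSConfiguration.KMS_CONFIG_DIR, configDir.toFile().getAbsolutePath());

    Configuration conf = new Configuration();
    RangerKeyStoreProvider keyProvider = new RangerKeyStoreProvider(conf);

    // Create a key
    Options options = new Options(conf);
    options.setBitLength(192);
    options.setCipher("AES");
    KeyVersion keyVersion = keyProvider.createKey("newkey1", options);
    try {
        Assert.assertEquals("newkey1", keyVersion.getName());
        Assert.assertEquals(192 / 8, keyVersion.getMaterial().length);
        Assert.assertEquals("newkey1@0", keyVersion.getVersionName());

        keyProvider.flush();

        // Rollover a new key
        byte[] oldKey = keyVersion.getMaterial();
        keyVersion = keyProvider.rollNewVersion("newkey1");
        Assert.assertEquals("newkey1", keyVersion.getName());
        Assert.assertEquals(192 / 8, keyVersion.getMaterial().length);
        Assert.assertEquals("newkey1@1", keyVersion.getVersionName());
        // The rolled version must carry new material, not a copy of the old
        Assert.assertFalse(Arrays.equals(oldKey, keyVersion.getMaterial()));
    } finally {
        // Clean up even when an assertion above failed
        keyProvider.deleteKey("newkey1");
        keyProvider.flush();
    }
    Assert.assertEquals(0, keyProvider.getKeys().size());
}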
 
Example #9
Source File: KeyShell.java — from hadoop, Apache License 2.0
/**
 * Builds the shell command that creates the key named {@code keyName} with
 * the given provider options.
 *
 * @param keyName name of the key to create
 * @param options key creation options (cipher, bit length, attributes, ...)
 */
public CreateCommand(String keyName, Options options) {
  this.options = options;
  this.keyName = keyName;
}
 
Example #10
Source File: TestKeyAuthorizationKeyProvider.java — from hadoop, Apache License 2.0
/**
 * Builds the key options used throughout this test: the class-level test
 * cipher ({@code CIPHER}) and a 128-bit key length.
 *
 * @param conf configuration the options are created from
 * @return options for a 128-bit {@code CIPHER} key
 */
private static KeyProvider.Options newOptions(Configuration conf) {
  final KeyProvider.Options opts = new KeyProvider.Options(conf);
  opts.setBitLength(128);
  opts.setCipher(CIPHER);
  return opts;
}
 
Example #11
Source File: TestKeyAuthorizationKeyProvider.java — from hadoop, Apache License 2.0
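/**
 * Verifies that decryptEncryptedKey() rejects an encrypted key whose key name
 * does not match its key version name: the EEK is rebuilt with the name
 * suffixed by "x" and the call is expected to throw IllegalArgumentException.
 *
 * Key material is generated with a SecureRandom instance instead of
 * SecureRandom.getSeed(): getSeed() goes through the seed generator, which
 * can block on entropy-starved hosts and stall the test.
 */
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  KeyProvider kp =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);
  // ACL mock: every operation type on "testKey" has a policy, and each user
  // below is granted exactly one operation type; "sudo" is granted ALL.
  KeyACLs mock = mock(KeyACLs.class);
  when(mock.isACLPresent("testKey", KeyOpType.MANAGEMENT)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.ALL)).thenReturn(true);
  UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
  UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
  UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
  when(mock.hasAccessToKey("testKey", u1,
      KeyOpType.MANAGEMENT)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", u2,
      KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", u3,
      KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", sudo,
      KeyOpType.ALL)).thenReturn(true);
  final KeyProviderCryptoExtension kpExt =
      new KeyAuthorizationKeyProvider(
          KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp),
          mock);

  // Run as "sudo" so every operation below passes the ACL check
  sudo.doAs(
      new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
          Options opt = newOptions(conf);
          Map<String, String> m = new HashMap<String, String>();
          m.put("key.acl.name", "testKey");
          opt.setAttributes(m);
          SecureRandom rng = new SecureRandom();
          // 16 bytes matches the 128-bit length set by newOptions()
          byte[] material = new byte[16];
          rng.nextBytes(material);
          KeyVersion kv = kpExt.createKey("foo", material, opt);
          kpExt.rollNewVersion(kv.getName());
          // Fresh array for the roll: the provider may keep a reference to
          // the material it is handed.
          byte[] rolledMaterial = new byte[16];
          rng.nextBytes(rolledMaterial);
          kpExt.rollNewVersion(kv.getName(), rolledMaterial);
          EncryptedKeyVersion ekv = kpExt.generateEncryptedKey(kv.getName());
          // Rebuild the EEK with a key name that no longer matches its key
          // version name; decryption must reject it.
          ekv = EncryptedKeyVersion.createForDecryption(
              ekv.getEncryptionKeyName() + "x",
              ekv.getEncryptionKeyVersionName(),
              ekv.getEncryptedKeyIv(),
              ekv.getEncryptedKeyVersion().getMaterial());
          kpExt.decryptEncryptedKey(ekv);
          return null;
        }
      }
  );
}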
 
Example #12
Source File: KeyShell.java — from big-c, Apache License 2.0
/**
 * Builds the shell command that creates the key named {@code keyName} with
 * the given provider options.
 *
 * @param keyName name of the key to create
 * @param options key creation options (cipher, bit length, attributes, ...)
 */
public CreateCommand(String keyName, Options options) {
  this.options = options;
  this.keyName = keyName;
}
 
Example #13
Source File: TestKeyAuthorizationKeyProvider.java — from big-c, Apache License 2.0
/**
 * Builds the key options used throughout this test: the class-level test
 * cipher ({@code CIPHER}) and a 128-bit key length.
 *
 * @param conf configuration the options are created from
 * @return options for a 128-bit {@code CIPHER} key
 */
private static KeyProvider.Options newOptions(Configuration conf) {
  final KeyProvider.Options opts = new KeyProvider.Options(conf);
  opts.setBitLength(128);
  opts.setCipher(CIPHER);
  return opts;
}
 
Example #14
Source File: TestKeyAuthorizationKeyProvider.java — from big-c, Apache License 2.0
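/**
 * Verifies that decryptEncryptedKey() rejects an encrypted key whose key name
 * does not match its key version name: the EEK is rebuilt with the name
 * suffixed by "x" and the call is expected to throw IllegalArgumentException.
 *
 * Key material is generated with a SecureRandom instance instead of
 * SecureRandom.getSeed(): getSeed() goes through the seed generator, which
 * can block on entropy-starved hosts and stall the test.
 */
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  KeyProvider kp =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);
  // ACL mock: every operation type on "testKey" has a policy, and each user
  // below is granted exactly one operation type; "sudo" is granted ALL.
  KeyACLs mock = mock(KeyACLs.class);
  when(mock.isACLPresent("testKey", KeyOpType.MANAGEMENT)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.ALL)).thenReturn(true);
  UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
  UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
  UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
  when(mock.hasAccessToKey("testKey", u1,
      KeyOpType.MANAGEMENT)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", u2,
      KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", u3,
      KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", sudo,
      KeyOpType.ALL)).thenReturn(true);
  final KeyProviderCryptoExtension kpExt =
      new KeyAuthorizationKeyProvider(
          KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp),
          mock);

  // Run as "sudo" so every operation below passes the ACL check
  sudo.doAs(
      new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
          Options opt = newOptions(conf);
          Map<String, String> m = new HashMap<String, String>();
          m.put("key.acl.name", "testKey");
          opt.setAttributes(m);
          SecureRandom rng = new SecureRandom();
          // 16 bytes matches the 128-bit length set by newOptions()
          byte[] material = new byte[16];
          rng.nextBytes(material);
          KeyVersion kv = kpExt.createKey("foo", material, opt);
          kpExt.rollNewVersion(kv.getName());
          // Fresh array for the roll: the provider may keep a reference to
          // the material it is handed.
          byte[] rolledMaterial = new byte[16];
          rng.nextBytes(rolledMaterial);
          kpExt.rollNewVersion(kv.getName(), rolledMaterial);
          EncryptedKeyVersion ekv = kpExt.generateEncryptedKey(kv.getName());
          // Rebuild the EEK with a key name that no longer matches its key
          // version name; decryption must reject it.
          ekv = EncryptedKeyVersion.createForDecryption(
              ekv.getEncryptionKeyName() + "x",
              ekv.getEncryptionKeyVersionName(),
              ekv.getEncryptedKeyIv(),
              ekv.getEncryptedKeyVersion().getMaterial());
          kpExt.decryptEncryptedKey(ekv);
          return null;
        }
      }
  );
}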
 
Example #15
Source File: TestKeyAuthorizationKeyProvider.java — from ranger, Apache License 2.0
/**
 * Builds the key options used throughout this test: the class-level test
 * cipher ({@code CIPHER}) and a 128-bit key length.
 *
 * @param conf configuration the options are created from
 * @return options for a 128-bit {@code CIPHER} key
 */
private static KeyProvider.Options newOptions(Configuration conf) {
  final KeyProvider.Options opts = new KeyProvider.Options(conf);
  opts.setBitLength(128);
  opts.setCipher(CIPHER);
  return opts;
}
 
Example #16
Source File: TestKeyAuthorizationKeyProvider.java — from ranger, Apache License 2.0
/**
 * Verifies that decryptEncryptedKey() rejects an encrypted key whose key name
 * does not match its key version name: the EEK is rebuilt with the name
 * suffixed by "x" and the call is expected to throw IllegalArgumentException.
 */
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  KeyProvider backing =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);

  // ACL mock: every operation type on "testKey" has a policy, and each user
  // below is granted exactly one operation type; "sudo" is granted ALL.
  KeyACLs acls = mock(KeyACLs.class);
  KeyOpType[] coveredOps = {
      KeyOpType.MANAGEMENT, KeyOpType.GENERATE_EEK,
      KeyOpType.DECRYPT_EEK, KeyOpType.ALL};
  for (KeyOpType op : coveredOps) {
    when(acls.isACLPresent("testKey", op)).thenReturn(true);
  }
  UserGroupInformation mgmtUser = UserGroupInformation.createRemoteUser("u1");
  UserGroupInformation genUser = UserGroupInformation.createRemoteUser("u2");
  UserGroupInformation decUser = UserGroupInformation.createRemoteUser("u3");
  UserGroupInformation admin = UserGroupInformation.createRemoteUser("sudo");
  when(acls.hasAccessToKey("testKey", mgmtUser, KeyOpType.MANAGEMENT))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", genUser, KeyOpType.GENERATE_EEK))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", decUser, KeyOpType.DECRYPT_EEK))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", admin, KeyOpType.ALL))
      .thenReturn(true);

  final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(
      KeyProviderCryptoExtension.createKeyProviderCryptoExtension(backing),
      acls);

  // Run as "sudo" so every operation below passes the ACL check
  admin.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      Map<String, String> attrs = new HashMap<String, String>();
      attrs.put("key.acl.name", "testKey");
      Options opt = newOptions(conf);
      opt.setAttributes(attrs);

      // 16 bytes matches the 128-bit length set by newOptions()
      byte[] material = new byte[16];
      SECURE_RANDOM.nextBytes(material);
      KeyVersion kv = kpExt.createKey("foo", material, opt);
      kpExt.rollNewVersion(kv.getName());

      // Fresh array for the second roll rather than reusing the first
      byte[] rolledMaterial = new byte[16];
      SECURE_RANDOM.nextBytes(rolledMaterial);
      kpExt.rollNewVersion(kv.getName(), rolledMaterial);

      // Rebuild the EEK with a key name that no longer matches its key
      // version name; decryption must reject it.
      EncryptedKeyVersion generated = kpExt.generateEncryptedKey(kv.getName());
      EncryptedKeyVersion mismatched = EncryptedKeyVersion.createForDecryption(
          generated.getEncryptionKeyName() + "x",
          generated.getEncryptionKeyVersionName(),
          generated.getEncryptedKeyIv(),
          generated.getEncryptedKeyVersion().getMaterial());
      kpExt.decryptEncryptedKey(mismatched);
      return null;
    }
  });
}