org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider.KeyOpType Java Examples

Example #1
Source File: RangerKmsAuthorizer.java (project: ranger, Apache License 2.0)
/**
 * Delegates the ACL-presence check to the wrapped {@code KeyACLs}
 * implementation, running it with the plugin class loader active.
 *
 * @param aclName the ACL (key) name to look up
 * @param opType  the key operation being checked
 * @return whatever the delegate reports for {@code aclName}/{@code opType}
 */
@Override
public boolean isACLPresent(String aclName, KeyOpType opType) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerKmsAuthorizer.isACLPresent(" + aclName + ", " + opType + ")");
	}

	boolean present = false;
	try {
		activatePluginClassLoader();
		present = implKeyACLs.isACLPresent(aclName, opType);
	} finally {
		// Restore the caller's class loader even if activation or the delegate throws.
		deactivatePluginClassLoader();
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerKmsAuthorizer.isACLPresent(" + aclName + ", " + opType + ")");
	}

	return present;
}
 
Example #2
Source File: RangerKmsAuthorizer.java (project: ranger, Apache License 2.0)
/**
 * Delegates the per-key access decision to the wrapped {@code KeyACLs}
 * implementation, running it with the plugin class loader active.
 *
 * @param keyName the key being accessed
 * @param ugi     the caller
 * @param opType  the requested key operation
 * @return the delegate's decision for this caller/key/operation
 */
@Override
public boolean hasAccessToKey(String keyName, UserGroupInformation ugi, KeyOpType opType) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerKmsAuthorizer.hasAccessToKey(" + keyName + ", " + ugi + ", " + opType + ")");
	}

	boolean allowed = false;
	try {
		activatePluginClassLoader();
		allowed = implKeyACLs.hasAccessToKey(keyName, ugi, opType);
	} finally {
		// Restore the caller's class loader even if activation or the delegate throws.
		deactivatePluginClassLoader();
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerKmsAuthorizer.hasAccessToKey(" + keyName + ", " + ugi + ", " + opType + ")");
	}

	return allowed;
}
 
Example #3
Source File: KMSACLs.java (project: ranger, Apache License 2.0)
/**
 * Reads the ACL configured under {@code prefix + keyOp} and, if present,
 * stores it in {@code results}. The {@code ALL} operation is rejected for
 * these prefixes (only per-operation entries are accepted).
 *
 * @param conf    the configuration to read from
 * @param prefix  the configuration-key prefix (whitelist or default)
 * @param keyOp   the key operation whose ACL is being parsed
 * @param results the map that receives the parsed ACL
 */
private void parseAclsWithPrefix(final Configuration conf, final String prefix, final KeyOpType keyOp, Map<KeyOpType, AccessControlList> results) {
  final String aclStr = conf.get(prefix + keyOp);
  if (aclStr == null) {
    return;
  }
  if (keyOp == KeyOpType.ALL) {
    // ALL is not a valid operation for default/whitelist ACLs; skip it.
    LOG.warn("Invalid KEY_OP '{}' for {}, ignoring", keyOp, prefix);
    return;
  }
  if ("*".equals(aclStr)) {
    // A wildcard ACL is noteworthy enough to record at INFO level.
    LOG.info("{} for KEY_OP '{}' is set to '*'", prefix, keyOp);
  }
  results.put(keyOp, new AccessControlList(aclStr));
}
 
Example #4
Source File: KMSACLs.java (project: hadoop, Apache License 2.0)
/**
 * Resolves the ACL map for {@code keyName} (falling back to the configured
 * defaults when the key has none) and checks {@code ugi} against it.
 *
 * @param keyName the key being accessed
 * @param ugi     the caller
 * @param opType  the requested key operation
 * @return the result of checking the resolved ACL map
 */
private boolean checkKeyAccess(String keyName, UserGroupInformation ugi,
    KeyOpType opType) {
  final Map<KeyOpType, AccessControlList> perKey = keyAcls.get(keyName);
  // No per-key ACLs: use the per-operation defaults instead.
  final Map<KeyOpType, AccessControlList> effective =
      (perKey != null) ? perKey : defaultKeyAcls;
  return checkKeyAccess(effective, ugi, opType);
}
 
Example #5
Source File: KMSACLs.java (project: hadoop, Apache License 2.0)
/**
 * Checks {@code ugi} against the ACL registered for {@code opType}.
 *
 * @param keyAcl map of operation to ACL
 * @param ugi    the caller
 * @param opType the requested key operation
 * @return {@code true} only when an ACL exists for {@code opType} and it
 *         allows {@code ugi}; a missing ACL denies (fail closed)
 */
private boolean checkKeyAccess(Map<KeyOpType, AccessControlList> keyAcl,
    UserGroupInformation ugi, KeyOpType opType) {
  final AccessControlList acl = keyAcl.get(opType);
  // Absent entry => deny; never treat "no ACL configured" as "allow".
  return acl != null && acl.isUserAllowed(ugi);
}
 
Example #6
Source File: RangerKmsAuthorizer.java (project: ranger, Apache License 2.0)
/**
 * Grants access unconditionally.
 *
 * NOTE(review): no ACL is consulted here, so any per-key authorization this
 * authorizer is meant to provide must be enforced elsewhere in it — confirm
 * before relying on this method for access control.
 *
 * @param keyName the key being accessed
 * @param ugi     the caller
 * @param opType  the requested key operation
 * @return always {@code true}
 */
@Override
public boolean hasAccessToKey(String keyName, UserGroupInformation ugi, KeyOpType opType) {
	final boolean allowed = true;

	if (LOG.isDebugEnabled()) {
		// Logged immediately before returning, hence the "<==" exit-style marker.
		LOG.debug("<== RangerKmsAuthorizer.hasAccessToKey(" + keyName + ", " + ugi + ", " + opType + ")");
	}

	return allowed;
}
 
Example #7
Source File: KMSACLs.java (project: big-c, Apache License 2.0)
/**
 * Resolves the ACL map for {@code keyName} (falling back to the configured
 * defaults when the key has none) and checks {@code ugi} against it.
 *
 * @param keyName the key being accessed
 * @param ugi     the caller
 * @param opType  the requested key operation
 * @return the result of checking the resolved ACL map
 */
private boolean checkKeyAccess(String keyName, UserGroupInformation ugi,
    KeyOpType opType) {
  final Map<KeyOpType, AccessControlList> perKey = keyAcls.get(keyName);
  // No per-key ACLs: use the per-operation defaults instead.
  final Map<KeyOpType, AccessControlList> effective =
      (perKey != null) ? perKey : defaultKeyAcls;
  return checkKeyAccess(effective, ugi, opType);
}
 
Example #8
Source File: KMSACLs.java (project: big-c, Apache License 2.0)
/**
 * Checks {@code ugi} against the ACL registered for {@code opType}.
 *
 * @param keyAcl map of operation to ACL
 * @param ugi    the caller
 * @param opType the requested key operation
 * @return {@code true} only when an ACL exists for {@code opType} and it
 *         allows {@code ugi}; a missing ACL denies (fail closed)
 */
private boolean checkKeyAccess(Map<KeyOpType, AccessControlList> keyAcl,
    UserGroupInformation ugi, KeyOpType opType) {
  final AccessControlList acl = keyAcl.get(opType);
  // Absent entry => deny; never treat "no ACL configured" as "allow".
  return acl != null && acl.isUserAllowed(ugi);
}
 
Example #9
Source File: KMSACLs.java (project: ranger, Apache License 2.0)
/**
 * Authorizes a key operation: the per-key (or default) ACLs are consulted
 * first, then the whitelist ACLs. A denial is recorded in the KMS audit log.
 *
 * @param keyName the key being accessed
 * @param ugi     the caller
 * @param opType  the requested key operation
 * @return {@code true} if either the key ACLs or the whitelist allow the caller
 */
@Override
public boolean hasAccessToKey(String keyName, UserGroupInformation ugi,
    KeyOpType opType) {
  final boolean allowed;
  if (checkKeyAccess(keyName, ugi, opType)) {
    allowed = true;
  } else {
    // Whitelist is only consulted when the key/default ACLs deny.
    allowed = checkKeyAccess(whitelistKeyAcls, ugi, opType);
  }
  if (!allowed) {
    // Audit every denial so unauthorized attempts are visible to operators.
    KMSWebApp.getKMSAudit().unauthorized(ugi, opType, keyName);
  }
  return allowed;
}
 
Example #10
Source File: KMSACLs.java (project: ranger, Apache License 2.0)
/**
 * Resolves the ACL map for {@code keyName} (falling back to the configured
 * defaults when the key has none), checks {@code ugi} against it and logs
 * the decision at DEBUG level.
 *
 * @param keyName the key being accessed
 * @param ugi     the caller
 * @param opType  the requested key operation
 * @return the result of checking the resolved ACL map
 */
private boolean checkKeyAccess(String keyName, UserGroupInformation ugi, KeyOpType opType) {
  Map<KeyOpType, AccessControlList> effectiveAcls = keyAcls.get(keyName);
  if (effectiveAcls == null) {
    // No per-key ACLs: use the per-operation defaults instead.
    LOG.debug("Key: {} has no ACLs defined, using defaults.", keyName);
    effectiveAcls = defaultKeyAcls;
  }
  final boolean allowed = checkKeyAccess(effectiveAcls, ugi, opType);
  if (LOG.isDebugEnabled()) {
    LOG.debug("User: [{}], OpType: {}, KeyName: {} Result: {}",
        ugi.getShortUserName(), opType.toString(), keyName, allowed);
  }
  return allowed;
}
 
Example #11
Source File: KMSACLs.java (project: ranger, Apache License 2.0)
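/**
 * Checks {@code ugi} against the ACL registered for {@code opType}.
 *
 * @param keyAcl map of operation to ACL
 * @param ugi    the caller
 * @param opType the requested key operation
 * @return {@code true} only when an ACL exists for {@code opType} and it
 *         allows {@code ugi}; a missing ACL denies (fail closed)
 */
private boolean checkKeyAccess(Map<KeyOpType, AccessControlList> keyAcl, UserGroupInformation ugi, KeyOpType opType) {
  AccessControlList acl = keyAcl.get(opType);
  if (acl == null) {
    // No ACL for this operation: fail closed.
    LOG.debug("No ACL available for key, denying access for {}", opType);
    return false;
  }
  if (LOG.isDebugEnabled()) {
    // Fix: the user name used to be concatenated onto the format string
    // ("..." + ugi.getShortUserName()) rather than passed as an argument,
    // so three '{}' placeholders received only two values and the name
    // itself was interpreted as part of the log pattern. Pass it as data.
    LOG.debug("Checking user [{}] for: {}: {}",
        ugi.getShortUserName(), opType.toString(), acl.getAclString());
  }
  return acl.isUserAllowed(ugi);
}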
 
Example #12
Source File: RangerKmsAuthorizer.java (project: ranger, Apache License 2.0)
/**
 * Reports that an ACL is present for every key/operation.
 *
 * NOTE(review): this answer is unconditional; confirm that the actual
 * authorization decision is made elsewhere in this authorizer.
 *
 * @param keyName the key being checked
 * @param opType  the key operation being checked
 * @return always {@code true}
 */
@Override
public boolean isACLPresent(String keyName, KeyOpType opType) {
  return true;
}
 
Example #13
Source File: KMSACLs.java (project: hadoop, Apache License 2.0)
/**
 * Authorizes a key operation: the per-key (or default) ACLs are consulted
 * first, and the whitelist ACLs only if those deny.
 *
 * @param keyName the key being accessed
 * @param ugi     the caller
 * @param opType  the requested key operation
 * @return {@code true} if either the key ACLs or the whitelist allow the caller
 */
@Override
public boolean hasAccessToKey(String keyName, UserGroupInformation ugi,
    KeyOpType opType) {
  if (checkKeyAccess(keyName, ugi, opType)) {
    return true;
  }
  return checkKeyAccess(whitelistKeyAcls, ugi, opType);
}
 
Example #14
Source File: TestKeyAuthorizationKeyProvider.java (project: ranger, Apache License 2.0)
/**
 * Decrypting an EEK whose encryption-key name does not match the key version
 * it was generated under must be rejected with
 * {@link IllegalArgumentException}. Every ACL check is stubbed to pass, so
 * the only thing that can fail is the key-name/version consistency check.
 */
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  final KeyProvider backing =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);

  final KeyACLs acls = mock(KeyACLs.class);
  for (KeyOpType op : new KeyOpType[] {KeyOpType.MANAGEMENT,
      KeyOpType.GENERATE_EEK, KeyOpType.DECRYPT_EEK, KeyOpType.ALL}) {
    when(acls.isACLPresent("testKey", op)).thenReturn(true);
  }

  final UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  final UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
  final UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
  final UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
  when(acls.hasAccessToKey("testKey", u1, KeyOpType.MANAGEMENT)).thenReturn(true);
  when(acls.hasAccessToKey("testKey", u2, KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(acls.hasAccessToKey("testKey", u3, KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(acls.hasAccessToKey("testKey", sudo, KeyOpType.ALL)).thenReturn(true);

  final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(
      KeyProviderCryptoExtension.createKeyProviderCryptoExtension(backing), acls);

  sudo.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      final Options opt = newOptions(conf);
      final Map<String, String> attrs = new HashMap<String, String>();
      attrs.put("key.acl.name", "testKey");
      opt.setAttributes(attrs);

      byte[] material = new byte[16];
      SECURE_RANDOM.nextBytes(material);
      final KeyVersion kv = kpExt.createKey("foo", material, opt);
      kpExt.rollNewVersion(kv.getName());
      material = new byte[16];
      SECURE_RANDOM.nextBytes(material);
      kpExt.rollNewVersion(kv.getName(), material);

      final EncryptedKeyVersion generated = kpExt.generateEncryptedKey(kv.getName());
      // Same version name, IV and material, but the key *name* is altered.
      final EncryptedKeyVersion mismatched = EncryptedKeyVersion.createForDecryption(
          generated.getEncryptionKeyName() + "x",
          generated.getEncryptionKeyVersionName(),
          generated.getEncryptedKeyIv(),
          generated.getEncryptedKeyVersion().getMaterial());
      kpExt.decryptEncryptedKey(mismatched);
      return null;
    }
  });
}
 
Example #15
Source File: KMSACLs.java (project: ranger, Apache License 2.0)
/**
 * Reports whether any ACL applies to {@code keyName}/{@code opType}: either a
 * per-key ACL map exists for the key, or a default ACL exists for the operation.
 *
 * NOTE(review): whitelist ACLs are not consulted here, although they are in
 * the whitelist-aware variants of this method — confirm this is intended.
 *
 * @param keyName the key being checked
 * @param opType  the key operation being checked
 * @return {@code true} if a per-key or default ACL is configured
 */
@Override
public boolean isACLPresent(String keyName, KeyOpType opType) {
  if (keyAcls.containsKey(keyName)) {
    return true;
  }
  return defaultKeyAcls.containsKey(opType);
}
 
Example #16
Source File: KMSAudit.java (project: ranger, Apache License 2.0)
/**
 * Records an unauthorized key operation in the audit log.
 *
 * @param user the caller that was denied
 * @param op   the key operation that was attempted
 * @param key  the key the operation targeted
 */
public void unauthorized(UserGroupInformation user, KeyOpType op, String key) {
  // The trailing "Unknown" / "" values fill the remaining op(...) fields;
  // their meaning is defined by op() and is not visible here.
  final String accessType = "Unknown";
  final String extraMsg = "";
  op(OpStatus.UNAUTHORIZED, op, user, key, accessType, extraMsg);
}
 
Example #17
Source File: TestKeyAuthorizationKeyProvider.java (project: big-c, Apache License 2.0)
/**
 * Decrypting an EEK whose encryption-key name does not match the key version
 * it was generated under must be rejected with
 * {@link IllegalArgumentException}. Every ACL check is stubbed to pass, so
 * the only thing that can fail is the key-name/version consistency check.
 */
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  final KeyProvider backing =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);

  final KeyACLs acls = mock(KeyACLs.class);
  for (KeyOpType op : new KeyOpType[] {KeyOpType.MANAGEMENT,
      KeyOpType.GENERATE_EEK, KeyOpType.DECRYPT_EEK, KeyOpType.ALL}) {
    when(acls.isACLPresent("testKey", op)).thenReturn(true);
  }

  final UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  final UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
  final UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
  final UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
  when(acls.hasAccessToKey("testKey", u1, KeyOpType.MANAGEMENT)).thenReturn(true);
  when(acls.hasAccessToKey("testKey", u2, KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(acls.hasAccessToKey("testKey", u3, KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(acls.hasAccessToKey("testKey", sudo, KeyOpType.ALL)).thenReturn(true);

  final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(
      KeyProviderCryptoExtension.createKeyProviderCryptoExtension(backing), acls);

  sudo.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      final Options opt = newOptions(conf);
      final Map<String, String> attrs = new HashMap<String, String>();
      attrs.put("key.acl.name", "testKey");
      opt.setAttributes(attrs);

      final KeyVersion kv = kpExt.createKey("foo", SecureRandom.getSeed(16), opt);
      kpExt.rollNewVersion(kv.getName());
      kpExt.rollNewVersion(kv.getName(), SecureRandom.getSeed(16));

      final EncryptedKeyVersion generated = kpExt.generateEncryptedKey(kv.getName());
      // Same version name, IV and material, but the key *name* is altered.
      final EncryptedKeyVersion mismatched = EncryptedKeyVersion.createForDecryption(
          generated.getEncryptionKeyName() + "x",
          generated.getEncryptionKeyVersionName(),
          generated.getEncryptedKeyIv(),
          generated.getEncryptedKeyVersion().getMaterial());
      kpExt.decryptEncryptedKey(mismatched);
      return null;
    }
  });
}
 
Example #18
Source File: KMSACLs.java (project: big-c, Apache License 2.0)
/**
 * Reports whether any ACL applies to {@code keyName}/{@code opType}: a
 * per-key ACL map for the key, a default ACL for the operation, or a
 * whitelist ACL for the operation.
 *
 * @param keyName the key being checked
 * @param opType  the key operation being checked
 * @return {@code true} if any of the three ACL sources has an entry
 */
@Override
public boolean isACLPresent(String keyName, KeyOpType opType) {
  if (keyAcls.containsKey(keyName)) {
    return true;
  }
  if (defaultKeyAcls.containsKey(opType)) {
    return true;
  }
  return whitelistKeyAcls.containsKey(opType);
}
 
Example #19
Source File: KMSACLs.java (project: big-c, Apache License 2.0)
/**
 * Authorizes a key operation: the per-key (or default) ACLs are consulted
 * first, and the whitelist ACLs only if those deny.
 *
 * @param keyName the key being accessed
 * @param ugi     the caller
 * @param opType  the requested key operation
 * @return {@code true} if either the key ACLs or the whitelist allow the caller
 */
@Override
public boolean hasAccessToKey(String keyName, UserGroupInformation ugi,
    KeyOpType opType) {
  if (checkKeyAccess(keyName, ugi, opType)) {
    return true;
  }
  return checkKeyAccess(whitelistKeyAcls, ugi, opType);
}
 
Example #20
Source File: TestKeyAuthorizationKeyProvider.java (project: hadoop, Apache License 2.0)
/**
 * Decrypting an EEK whose encryption-key name does not match the key version
 * it was generated under must be rejected with
 * {@link IllegalArgumentException}. Every ACL check is stubbed to pass, so
 * the only thing that can fail is the key-name/version consistency check.
 */
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  final KeyProvider backing =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);

  final KeyACLs acls = mock(KeyACLs.class);
  for (KeyOpType op : new KeyOpType[] {KeyOpType.MANAGEMENT,
      KeyOpType.GENERATE_EEK, KeyOpType.DECRYPT_EEK, KeyOpType.ALL}) {
    when(acls.isACLPresent("testKey", op)).thenReturn(true);
  }

  final UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  final UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
  final UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
  final UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
  when(acls.hasAccessToKey("testKey", u1, KeyOpType.MANAGEMENT)).thenReturn(true);
  when(acls.hasAccessToKey("testKey", u2, KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(acls.hasAccessToKey("testKey", u3, KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(acls.hasAccessToKey("testKey", sudo, KeyOpType.ALL)).thenReturn(true);

  final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(
      KeyProviderCryptoExtension.createKeyProviderCryptoExtension(backing), acls);

  sudo.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      final Options opt = newOptions(conf);
      final Map<String, String> attrs = new HashMap<String, String>();
      attrs.put("key.acl.name", "testKey");
      opt.setAttributes(attrs);

      final KeyVersion kv = kpExt.createKey("foo", SecureRandom.getSeed(16), opt);
      kpExt.rollNewVersion(kv.getName());
      kpExt.rollNewVersion(kv.getName(), SecureRandom.getSeed(16));

      final EncryptedKeyVersion generated = kpExt.generateEncryptedKey(kv.getName());
      // Same version name, IV and material, but the key *name* is altered.
      final EncryptedKeyVersion mismatched = EncryptedKeyVersion.createForDecryption(
          generated.getEncryptionKeyName() + "x",
          generated.getEncryptionKeyVersionName(),
          generated.getEncryptedKeyIv(),
          generated.getEncryptedKeyVersion().getMaterial());
      kpExt.decryptEncryptedKey(mismatched);
      return null;
    }
  });
}
 
Example #21
Source File: KMSACLs.java (project: hadoop, Apache License 2.0)
/**
 * Reports whether any ACL applies to {@code keyName}/{@code opType}: a
 * per-key ACL map for the key, a default ACL for the operation, or a
 * whitelist ACL for the operation.
 *
 * @param keyName the key being checked
 * @param opType  the key operation being checked
 * @return {@code true} if any of the three ACL sources has an entry
 */
@Override
public boolean isACLPresent(String keyName, KeyOpType opType) {
  if (keyAcls.containsKey(keyName)) {
    return true;
  }
  if (defaultKeyAcls.containsKey(opType)) {
    return true;
  }
  return whitelistKeyAcls.containsKey(opType);
}