HADOOP-11342. KMS key ACL should ignore ALL operation for default key ACL and whitelist key ACL. Contributed by Dian Fu.

This commit is contained in:
Andrew Wang 2014-12-03 12:00:14 -08:00
parent 03ab24aa01
commit 1812241ee1
3 changed files with 26 additions and 8 deletions

View File

@ -493,6 +493,9 @@ Release 2.7.0 - UNRELEASED
HADOOP-11344. KMS kms-config.sh sets a default value for the keystore
password even in non-ssl setup. (Arun Suresh via wang)
HADOOP-11342. KMS key ACL should ignore ALL operation for default key ACL
and whitelist key ACL. (Dian Fu via wang)
Release 2.6.0 - 2014-11-18
INCOMPATIBLE CHANGES

View File

@ -152,20 +152,30 @@ private void setKeyACLs(Configuration conf) {
String confKey = KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + keyOp;
String aclStr = conf.get(confKey);
if (aclStr != null) {
if (aclStr.equals("*")) {
LOG.info("Default Key ACL for KEY_OP '{}' is set to '*'", keyOp);
if (keyOp == KeyOpType.ALL) {
// Ignore All operation for default key acl
LOG.warn("Should not configure default key ACL for KEY_OP '{}'", keyOp);
} else {
if (aclStr.equals("*")) {
LOG.info("Default Key ACL for KEY_OP '{}' is set to '*'", keyOp);
}
defaultKeyAcls.put(keyOp, new AccessControlList(aclStr));
}
defaultKeyAcls.put(keyOp, new AccessControlList(aclStr));
}
}
if (!whitelistKeyAcls.containsKey(keyOp)) {
String confKey = KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + keyOp;
String aclStr = conf.get(confKey);
if (aclStr != null) {
if (aclStr.equals("*")) {
LOG.info("Whitelist Key ACL for KEY_OP '{}' is set to '*'", keyOp);
if (keyOp == KeyOpType.ALL) {
// Ignore All operation for whitelist key acl
LOG.warn("Should not configure whitelist key ACL for KEY_OP '{}'", keyOp);
} else {
if (aclStr.equals("*")) {
LOG.info("Whitelist Key ACL for KEY_OP '{}' is set to '*'", keyOp);
}
whitelistKeyAcls.put(keyOp, new AccessControlList(aclStr));
}
whitelistKeyAcls.put(keyOp, new AccessControlList(aclStr));
}
}
}
@ -271,7 +281,9 @@ private boolean checkKeyAccess(Map<KeyOpType, AccessControlList> keyAcl,
@Override
public boolean isACLPresent(String keyName, KeyOpType opType) {
return (keyAcls.containsKey(keyName) || defaultKeyAcls.containsKey(opType));
return (keyAcls.containsKey(keyName)
|| defaultKeyAcls.containsKey(opType)
|| whitelistKeyAcls.containsKey(opType));
}
}

View File

@ -619,16 +619,19 @@ public void testKeyACLs() throws Exception {
}
conf.set(KMSACLs.Type.CREATE.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
conf.set(KMSACLs.Type.ROLLOVER.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
conf.set(KMSACLs.Type.GENERATE_EEK.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK");
conf.set(KMSACLs.Type.GENERATE_EEK.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
conf.set(KMSACLs.Type.DECRYPT_EEK.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK");
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key.MANAGEMENT", "CREATE");
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "some_key.MANAGEMENT", "ROLLOVER");
conf.set(KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + "MANAGEMENT", "DECRYPT_EEK");
conf.set(KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + "ALL", "DECRYPT_EEK");
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "all_access.ALL", "GENERATE_EEK");
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "all_access.DECRYPT_EEK", "ROLLOVER");
conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "ROLLOVER");
conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "GENERATE_EEK", "SOMEBODY");
conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "ALL", "ROLLOVER");
writeConf(testDir, conf);