From 696e15f0d1f06dca7109b00d2d79c8b07cf8d055 Mon Sep 17 00:00:00 2001 From: Andrew Wang Date: Wed, 3 Dec 2014 12:00:14 -0800 Subject: [PATCH] HADOOP-11342. KMS key ACL should ignore ALL operation for default key ACL and whitelist key ACL. Contributed by Dian Fu. (cherry picked from commit 1812241ee10c0a98844bffb9341f770d54655f52) --- .../hadoop-common/CHANGES.txt | 3 +++ .../hadoop/crypto/key/kms/server/KMSACLs.java | 26 ++++++++++++++----- .../hadoop/crypto/key/kms/server/TestKMS.java | 5 +++- 3 files changed, 26 insertions(+), 8 deletions(-) diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 1c41002be75..62f7ea9760c 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -130,6 +130,9 @@ Release 2.7.0 - UNRELEASED HADOOP-11344. KMS kms-config.sh sets a default value for the keystore password even in non-ssl setup. (Arun Suresh via wang) + HADOOP-11342. KMS key ACL should ignore ALL operation for default key ACL + and whitelist key ACL. (Dian Fu via wang) + Release 2.6.0 - 2014-11-18 INCOMPATIBLE CHANGES diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java index 0217589a4c0..c33dd4b60df 100644 --- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java +++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java 
@@ -152,20 +152,30 @@ public class KMSACLs implements Runnable, KeyACLs {
 String confKey = KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + keyOp;
 String aclStr = conf.get(confKey);
 if (aclStr != null) {
- if (aclStr.equals("*")) {
- LOG.info("Default Key ACL for KEY_OP '{}' is set to '*'", keyOp);
+ if (keyOp == KeyOpType.ALL) {
+ // Ignore All operation for default key acl
+ LOG.warn("Should not configure default key ACL for KEY_OP '{}'", keyOp);
+ } else {
+ if (aclStr.equals("*")) {
+ LOG.info("Default Key ACL for KEY_OP '{}' is set to '*'", keyOp);
+ }
+ defaultKeyAcls.put(keyOp, new AccessControlList(aclStr));
 }
- defaultKeyAcls.put(keyOp, new AccessControlList(aclStr));
 }
 }
 if (!whitelistKeyAcls.containsKey(keyOp)) {
 String confKey = KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + keyOp;
 String aclStr = conf.get(confKey);
 if (aclStr != null) {
- if (aclStr.equals("*")) {
- LOG.info("Whitelist Key ACL for KEY_OP '{}' is set to '*'", keyOp);
+ if (keyOp == KeyOpType.ALL) {
+ // Ignore All operation for whitelist key acl
+ LOG.warn("Should not configure whitelist key ACL for KEY_OP '{}'", keyOp);
+ } else {
+ if (aclStr.equals("*")) {
+ LOG.info("Whitelist Key ACL for KEY_OP '{}' is set to '*'", keyOp);
+ }
+ whitelistKeyAcls.put(keyOp, new AccessControlList(aclStr));
 }
- whitelistKeyAcls.put(keyOp, new AccessControlList(aclStr));
 }
 }
 }
@@ -271,7 +281,9 @@ public class KMSACLs implements Runnable, KeyACLs {
 @Override
 public boolean isACLPresent(String keyName, KeyOpType opType) {
- return (keyAcls.containsKey(keyName) || defaultKeyAcls.containsKey(opType));
+ return (keyAcls.containsKey(keyName)
+ || defaultKeyAcls.containsKey(opType)
+ || whitelistKeyAcls.containsKey(opType));
 }
 }
diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
index d840646f449..b9409ca4459 100644
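Review bot: The warning added in the first KMSACLs.java hunk (@@ -152, in both the default and the whitelist branch) does not say that the configured ALL entry is being discarded, so an operator who set it may assume the ACL is in effect. Skipping the entry is the fail-closed choice, but the log line should state the outcome and name the property, for example `LOG.warn("Ignoring '{}': ALL is not supported for default key ACLs", confKey);` with the matching text for the whitelist branch. The two branches now differ only in the prefix, the target map and the label in the message, so a small private helper taking those three would keep the ALL check from drifting between them. The enclosing method starts outside the hunk.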
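Review bot: In the second KMSACLs.java hunk (@@ -271), `isACLPresent` now draws on three sources but has no comment saying what a true result means, and its first term `keyAcls.containsKey(keyName)` does not consult `opType`, unlike the two lookups next to it. I would add a Javadoc line such as `/** True if keyName has its own ACL entry (regardless of opType), or a default or whitelist ACL is configured for opType. */` so callers do not read true as "this operation is covered for this key". Whether the per-key term should also be per-operation depends on how `keyAcls` is declared, which is outside the hunk.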
--- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
+++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
@@ -619,16 +619,19 @@ public class TestKMS {
 }
 conf.set(KMSACLs.Type.CREATE.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
 conf.set(KMSACLs.Type.ROLLOVER.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
- conf.set(KMSACLs.Type.GENERATE_EEK.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK");
+ conf.set(KMSACLs.Type.GENERATE_EEK.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
 conf.set(KMSACLs.Type.DECRYPT_EEK.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK");
 conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key.MANAGEMENT", "CREATE");
 conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "some_key.MANAGEMENT", "ROLLOVER");
 conf.set(KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + "MANAGEMENT", "DECRYPT_EEK");
+ conf.set(KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + "ALL", "DECRYPT_EEK");
 conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "all_access.ALL", "GENERATE_EEK");
 conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "all_access.DECRYPT_EEK", "ROLLOVER");
 conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "ROLLOVER");
+ conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "GENERATE_EEK", "SOMEBODY");
+ conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "ALL", "ROLLOVER");
 writeConf(testDir, conf);
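Review bot: The new `WHITELIST_KEY_ACL_PREFIX + "ALL"` and `DEFAULT_KEY_ACL_PREFIX + "ALL"` entries carry no comment saying they are expected to be ignored, and nothing in this hunk asserts that the DECRYPT_EEK and ROLLOVER users gain no access through them. A line such as `// whitelist.ALL and default.ALL must be ignored by KMSACLs: the users named here gain nothing from them` above the two entries would make the intent readable. The same goes for the `"SOMEBODY"` default on GENERATE_EEK and the widened GENERATE_EEK KMS ACL, whose purpose is not evident from the setup alone. The assertions of this test lie outside the hunk; if none of them would fail were the ALL entries honoured, a negative check for those two users belongs with this change.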