HADOOP-11342. KMS key ACL should ignore ALL operation for default key ACL and whitelist key ACL. Contributed by Dian Fu.
(cherry picked from commit 1812241ee1
)
This commit is contained in:
parent
db723a8499
commit
696e15f0d1
|
@ -130,6 +130,9 @@ Release 2.7.0 - UNRELEASED
|
||||||
HADOOP-11344. KMS kms-config.sh sets a default value for the keystore
|
HADOOP-11344. KMS kms-config.sh sets a default value for the keystore
|
||||||
password even in non-ssl setup. (Arun Suresh via wang)
|
password even in non-ssl setup. (Arun Suresh via wang)
|
||||||
|
|
||||||
|
HADOOP-11342. KMS key ACL should ignore ALL operation for default key ACL
|
||||||
|
and whitelist key ACL. (Dian Fu via wang)
|
||||||
|
|
||||||
Release 2.6.0 - 2014-11-18
|
Release 2.6.0 - 2014-11-18
|
||||||
|
|
||||||
INCOMPATIBLE CHANGES
|
INCOMPATIBLE CHANGES
|
||||||
|
|
|
@ -152,16 +152,25 @@ public class KMSACLs implements Runnable, KeyACLs {
|
||||||
String confKey = KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + keyOp;
|
String confKey = KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + keyOp;
|
||||||
String aclStr = conf.get(confKey);
|
String aclStr = conf.get(confKey);
|
||||||
if (aclStr != null) {
|
if (aclStr != null) {
|
||||||
|
if (keyOp == KeyOpType.ALL) {
|
||||||
|
// Ignore All operation for default key acl
|
||||||
|
LOG.warn("Should not configure default key ACL for KEY_OP '{}'", keyOp);
|
||||||
|
} else {
|
||||||
if (aclStr.equals("*")) {
|
if (aclStr.equals("*")) {
|
||||||
LOG.info("Default Key ACL for KEY_OP '{}' is set to '*'", keyOp);
|
LOG.info("Default Key ACL for KEY_OP '{}' is set to '*'", keyOp);
|
||||||
}
|
}
|
||||||
defaultKeyAcls.put(keyOp, new AccessControlList(aclStr));
|
defaultKeyAcls.put(keyOp, new AccessControlList(aclStr));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
if (!whitelistKeyAcls.containsKey(keyOp)) {
|
if (!whitelistKeyAcls.containsKey(keyOp)) {
|
||||||
String confKey = KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + keyOp;
|
String confKey = KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + keyOp;
|
||||||
String aclStr = conf.get(confKey);
|
String aclStr = conf.get(confKey);
|
||||||
if (aclStr != null) {
|
if (aclStr != null) {
|
||||||
|
if (keyOp == KeyOpType.ALL) {
|
||||||
|
// Ignore All operation for whitelist key acl
|
||||||
|
LOG.warn("Should not configure whitelist key ACL for KEY_OP '{}'", keyOp);
|
||||||
|
} else {
|
||||||
if (aclStr.equals("*")) {
|
if (aclStr.equals("*")) {
|
||||||
LOG.info("Whitelist Key ACL for KEY_OP '{}' is set to '*'", keyOp);
|
LOG.info("Whitelist Key ACL for KEY_OP '{}' is set to '*'", keyOp);
|
||||||
}
|
}
|
||||||
|
@ -170,6 +179,7 @@ public class KMSACLs implements Runnable, KeyACLs {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void run() {
|
public void run() {
|
||||||
|
@ -271,7 +281,9 @@ public class KMSACLs implements Runnable, KeyACLs {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public boolean isACLPresent(String keyName, KeyOpType opType) {
|
public boolean isACLPresent(String keyName, KeyOpType opType) {
|
||||||
return (keyAcls.containsKey(keyName) || defaultKeyAcls.containsKey(opType));
|
return (keyAcls.containsKey(keyName)
|
||||||
|
|| defaultKeyAcls.containsKey(opType)
|
||||||
|
|| whitelistKeyAcls.containsKey(opType));
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -619,16 +619,19 @@ public class TestKMS {
|
||||||
}
|
}
|
||||||
conf.set(KMSACLs.Type.CREATE.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
|
conf.set(KMSACLs.Type.CREATE.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
|
||||||
conf.set(KMSACLs.Type.ROLLOVER.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
|
conf.set(KMSACLs.Type.ROLLOVER.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
|
||||||
conf.set(KMSACLs.Type.GENERATE_EEK.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK");
|
conf.set(KMSACLs.Type.GENERATE_EEK.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
|
||||||
conf.set(KMSACLs.Type.DECRYPT_EEK.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK");
|
conf.set(KMSACLs.Type.DECRYPT_EEK.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK");
|
||||||
|
|
||||||
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key.MANAGEMENT", "CREATE");
|
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key.MANAGEMENT", "CREATE");
|
||||||
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "some_key.MANAGEMENT", "ROLLOVER");
|
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "some_key.MANAGEMENT", "ROLLOVER");
|
||||||
conf.set(KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + "MANAGEMENT", "DECRYPT_EEK");
|
conf.set(KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + "MANAGEMENT", "DECRYPT_EEK");
|
||||||
|
conf.set(KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + "ALL", "DECRYPT_EEK");
|
||||||
|
|
||||||
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "all_access.ALL", "GENERATE_EEK");
|
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "all_access.ALL", "GENERATE_EEK");
|
||||||
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "all_access.DECRYPT_EEK", "ROLLOVER");
|
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "all_access.DECRYPT_EEK", "ROLLOVER");
|
||||||
conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "ROLLOVER");
|
conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "ROLLOVER");
|
||||||
|
conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "GENERATE_EEK", "SOMEBODY");
|
||||||
|
conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "ALL", "ROLLOVER");
|
||||||
|
|
||||||
writeConf(testDir, conf);
|
writeConf(testDir, conf);
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue