HADOOP-10862. Miscellaneous trivial corrections to KMS classes. (asuresh via tucu)
Conflicts: hadoop-common-project/hadoop-common/CHANGES.txt git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1619548 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
daed032553
commit
6d2281b4c6
|
@ -292,6 +292,9 @@ Release 2.6.0 - UNRELEASED
|
||||||
HADOOP-10939. Fix TestKeyProviderFactory testcases to use default 128 bit
|
HADOOP-10939. Fix TestKeyProviderFactory testcases to use default 128 bit
|
||||||
length keys. (Arun Suresh via wang)
|
length keys. (Arun Suresh via wang)
|
||||||
|
|
||||||
|
HADOOP-10862. Miscellaneous trivial corrections to KMS classes.
|
||||||
|
(asuresh via tucu)
|
||||||
|
|
||||||
Release 2.5.0 - 2014-08-11
|
Release 2.5.0 - 2014-08-11
|
||||||
|
|
||||||
INCOMPATIBLE CHANGES
|
INCOMPATIBLE CHANGES
|
||||||
|
|
|
@ -512,7 +512,7 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension {
|
||||||
List<String> batch = new ArrayList<String>();
|
List<String> batch = new ArrayList<String>();
|
||||||
int batchLen = 0;
|
int batchLen = 0;
|
||||||
for (String name : keyNames) {
|
for (String name : keyNames) {
|
||||||
int additionalLen = KMSRESTConstants.KEY_OP.length() + 1 + name.length();
|
int additionalLen = KMSRESTConstants.KEY.length() + 1 + name.length();
|
||||||
batchLen += additionalLen;
|
batchLen += additionalLen;
|
||||||
// topping at 1500 to account for initial URL and encoded names
|
// topping at 1500 to account for initial URL and encoded names
|
||||||
if (batchLen > 1500) {
|
if (batchLen > 1500) {
|
||||||
|
@ -536,7 +536,7 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension {
|
||||||
for (String[] keySet : keySets) {
|
for (String[] keySet : keySets) {
|
||||||
if (keyNames.length > 0) {
|
if (keyNames.length > 0) {
|
||||||
Map<String, Object> queryStr = new HashMap<String, Object>();
|
Map<String, Object> queryStr = new HashMap<String, Object>();
|
||||||
queryStr.put(KMSRESTConstants.KEY_OP, keySet);
|
queryStr.put(KMSRESTConstants.KEY, keySet);
|
||||||
URL url = createURL(KMSRESTConstants.KEYS_METADATA_RESOURCE, null,
|
URL url = createURL(KMSRESTConstants.KEYS_METADATA_RESOURCE, null,
|
||||||
null, queryStr);
|
null, queryStr);
|
||||||
HttpURLConnection conn = createConnection(url, HTTP_GET);
|
HttpURLConnection conn = createConnection(url, HTTP_GET);
|
||||||
|
|
|
@ -37,7 +37,7 @@ public class KMSRESTConstants {
|
||||||
public static final String EEK_SUB_RESOURCE = "_eek";
|
public static final String EEK_SUB_RESOURCE = "_eek";
|
||||||
public static final String CURRENT_VERSION_SUB_RESOURCE = "_currentversion";
|
public static final String CURRENT_VERSION_SUB_RESOURCE = "_currentversion";
|
||||||
|
|
||||||
public static final String KEY_OP = "key";
|
public static final String KEY = "key";
|
||||||
public static final String EEK_OP = "eek_op";
|
public static final String EEK_OP = "eek_op";
|
||||||
public static final String EEK_GENERATE = "generate";
|
public static final String EEK_GENERATE = "generate";
|
||||||
public static final String EEK_DECRYPT = "decrypt";
|
public static final String EEK_DECRYPT = "decrypt";
|
||||||
|
|
|
@ -47,7 +47,6 @@ import java.io.IOException;
|
||||||
import java.net.URI;
|
import java.net.URI;
|
||||||
import java.net.URISyntaxException;
|
import java.net.URISyntaxException;
|
||||||
import java.security.Principal;
|
import java.security.Principal;
|
||||||
import java.text.MessageFormat;
|
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.LinkedList;
|
import java.util.LinkedList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
@ -59,18 +58,13 @@ import java.util.Map;
|
||||||
@Path(KMSRESTConstants.SERVICE_VERSION)
|
@Path(KMSRESTConstants.SERVICE_VERSION)
|
||||||
@InterfaceAudience.Private
|
@InterfaceAudience.Private
|
||||||
public class KMS {
|
public class KMS {
|
||||||
public static final String CREATE_KEY = "CREATE_KEY";
|
|
||||||
public static final String DELETE_KEY = "DELETE_KEY";
|
|
||||||
public static final String ROLL_NEW_VERSION = "ROLL_NEW_VERSION";
|
|
||||||
public static final String GET_KEYS = "GET_KEYS";
|
|
||||||
public static final String GET_KEYS_METADATA = "GET_KEYS_METADATA";
|
|
||||||
public static final String GET_KEY_VERSIONS = "GET_KEY_VERSIONS";
|
|
||||||
public static final String GET_METADATA = "GET_METADATA";
|
|
||||||
|
|
||||||
public static final String GET_KEY_VERSION = "GET_KEY_VERSION";
|
public static enum KMSOp {
|
||||||
public static final String GET_CURRENT_KEY = "GET_CURRENT_KEY";
|
CREATE_KEY, DELETE_KEY, ROLL_NEW_VERSION,
|
||||||
public static final String GENERATE_EEK = "GENERATE_EEK";
|
GET_KEYS, GET_KEYS_METADATA,
|
||||||
public static final String DECRYPT_EEK = "DECRYPT_EEK";
|
GET_KEY_VERSIONS, GET_METADATA, GET_KEY_VERSION, GET_CURRENT_KEY,
|
||||||
|
GENERATE_EEK, DECRYPT_EEK
|
||||||
|
}
|
||||||
|
|
||||||
private KeyProviderCryptoExtension provider;
|
private KeyProviderCryptoExtension provider;
|
||||||
private KMSAudit kmsAudit;
|
private KMSAudit kmsAudit;
|
||||||
|
@ -91,22 +85,22 @@ public class KMS {
|
||||||
|
|
||||||
|
|
||||||
private static final String UNAUTHORIZED_MSG_WITH_KEY =
|
private static final String UNAUTHORIZED_MSG_WITH_KEY =
|
||||||
"User:{0} not allowed to do ''{1}'' on ''{2}''";
|
"User:%s not allowed to do '%s' on '%s'";
|
||||||
|
|
||||||
private static final String UNAUTHORIZED_MSG_WITHOUT_KEY =
|
private static final String UNAUTHORIZED_MSG_WITHOUT_KEY =
|
||||||
"User:{0} not allowed to do ''{1}''";
|
"User:%s not allowed to do '%s'";
|
||||||
|
|
||||||
private void assertAccess(KMSACLs.Type aclType, Principal principal,
|
private void assertAccess(KMSACLs.Type aclType, Principal principal,
|
||||||
String operation) throws AccessControlException {
|
KMSOp operation) throws AccessControlException {
|
||||||
assertAccess(aclType, principal, operation, null);
|
assertAccess(aclType, principal, operation, null);
|
||||||
}
|
}
|
||||||
|
|
||||||
private void assertAccess(KMSACLs.Type aclType, Principal principal,
|
private void assertAccess(KMSACLs.Type aclType, Principal principal,
|
||||||
String operation, String key) throws AccessControlException {
|
KMSOp operation, String key) throws AccessControlException {
|
||||||
if (!KMSWebApp.getACLs().hasAccess(aclType, principal.getName())) {
|
if (!KMSWebApp.getACLs().hasAccess(aclType, principal.getName())) {
|
||||||
KMSWebApp.getUnauthorizedCallsMeter().mark();
|
KMSWebApp.getUnauthorizedCallsMeter().mark();
|
||||||
kmsAudit.unauthorized(principal, operation, key);
|
kmsAudit.unauthorized(principal, operation, key);
|
||||||
throw new AuthorizationException(MessageFormat.format(
|
throw new AuthorizationException(String.format(
|
||||||
(key != null) ? UNAUTHORIZED_MSG_WITH_KEY
|
(key != null) ? UNAUTHORIZED_MSG_WITH_KEY
|
||||||
: UNAUTHORIZED_MSG_WITHOUT_KEY,
|
: UNAUTHORIZED_MSG_WITHOUT_KEY,
|
||||||
principal.getName(), operation, key));
|
principal.getName(), operation, key));
|
||||||
|
@ -135,7 +129,7 @@ public class KMS {
|
||||||
Principal user = getPrincipal(securityContext);
|
Principal user = getPrincipal(securityContext);
|
||||||
String name = (String) jsonKey.get(KMSRESTConstants.NAME_FIELD);
|
String name = (String) jsonKey.get(KMSRESTConstants.NAME_FIELD);
|
||||||
KMSClientProvider.checkNotEmpty(name, KMSRESTConstants.NAME_FIELD);
|
KMSClientProvider.checkNotEmpty(name, KMSRESTConstants.NAME_FIELD);
|
||||||
assertAccess(KMSACLs.Type.CREATE, user, CREATE_KEY, name);
|
assertAccess(KMSACLs.Type.CREATE, user, KMSOp.CREATE_KEY, name);
|
||||||
String cipher = (String) jsonKey.get(KMSRESTConstants.CIPHER_FIELD);
|
String cipher = (String) jsonKey.get(KMSRESTConstants.CIPHER_FIELD);
|
||||||
String material = (String) jsonKey.get(KMSRESTConstants.MATERIAL_FIELD);
|
String material = (String) jsonKey.get(KMSRESTConstants.MATERIAL_FIELD);
|
||||||
int length = (jsonKey.containsKey(KMSRESTConstants.LENGTH_FIELD))
|
int length = (jsonKey.containsKey(KMSRESTConstants.LENGTH_FIELD))
|
||||||
|
@ -146,7 +140,7 @@ public class KMS {
|
||||||
jsonKey.get(KMSRESTConstants.ATTRIBUTES_FIELD);
|
jsonKey.get(KMSRESTConstants.ATTRIBUTES_FIELD);
|
||||||
if (material != null) {
|
if (material != null) {
|
||||||
assertAccess(KMSACLs.Type.SET_KEY_MATERIAL, user,
|
assertAccess(KMSACLs.Type.SET_KEY_MATERIAL, user,
|
||||||
CREATE_KEY + " with user provided material", name);
|
KMSOp.CREATE_KEY, name);
|
||||||
}
|
}
|
||||||
KeyProvider.Options options = new KeyProvider.Options(
|
KeyProvider.Options options = new KeyProvider.Options(
|
||||||
KMSWebApp.getConfiguration());
|
KMSWebApp.getConfiguration());
|
||||||
|
@ -165,7 +159,7 @@ public class KMS {
|
||||||
|
|
||||||
provider.flush();
|
provider.flush();
|
||||||
|
|
||||||
kmsAudit.ok(user, CREATE_KEY, name, "UserProvidedMaterial:" +
|
kmsAudit.ok(user, KMSOp.CREATE_KEY, name, "UserProvidedMaterial:" +
|
||||||
(material != null) + " Description:" + description);
|
(material != null) + " Description:" + description);
|
||||||
|
|
||||||
if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, user.getName())) {
|
if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, user.getName())) {
|
||||||
|
@ -186,12 +180,12 @@ public class KMS {
|
||||||
@PathParam("name") String name) throws Exception {
|
@PathParam("name") String name) throws Exception {
|
||||||
KMSWebApp.getAdminCallsMeter().mark();
|
KMSWebApp.getAdminCallsMeter().mark();
|
||||||
Principal user = getPrincipal(securityContext);
|
Principal user = getPrincipal(securityContext);
|
||||||
assertAccess(KMSACLs.Type.DELETE, user, DELETE_KEY, name);
|
assertAccess(KMSACLs.Type.DELETE, user, KMSOp.DELETE_KEY, name);
|
||||||
KMSClientProvider.checkNotEmpty(name, "name");
|
KMSClientProvider.checkNotEmpty(name, "name");
|
||||||
provider.deleteKey(name);
|
provider.deleteKey(name);
|
||||||
provider.flush();
|
provider.flush();
|
||||||
|
|
||||||
kmsAudit.ok(user, DELETE_KEY, name, "");
|
kmsAudit.ok(user, KMSOp.DELETE_KEY, name, "");
|
||||||
|
|
||||||
return Response.ok().build();
|
return Response.ok().build();
|
||||||
}
|
}
|
||||||
|
@ -205,13 +199,13 @@ public class KMS {
|
||||||
throws Exception {
|
throws Exception {
|
||||||
KMSWebApp.getAdminCallsMeter().mark();
|
KMSWebApp.getAdminCallsMeter().mark();
|
||||||
Principal user = getPrincipal(securityContext);
|
Principal user = getPrincipal(securityContext);
|
||||||
assertAccess(KMSACLs.Type.ROLLOVER, user, ROLL_NEW_VERSION, name);
|
assertAccess(KMSACLs.Type.ROLLOVER, user, KMSOp.ROLL_NEW_VERSION, name);
|
||||||
KMSClientProvider.checkNotEmpty(name, "name");
|
KMSClientProvider.checkNotEmpty(name, "name");
|
||||||
String material = (String)
|
String material = (String)
|
||||||
jsonMaterial.get(KMSRESTConstants.MATERIAL_FIELD);
|
jsonMaterial.get(KMSRESTConstants.MATERIAL_FIELD);
|
||||||
if (material != null) {
|
if (material != null) {
|
||||||
assertAccess(KMSACLs.Type.SET_KEY_MATERIAL, user,
|
assertAccess(KMSACLs.Type.SET_KEY_MATERIAL, user,
|
||||||
ROLL_NEW_VERSION + " with user provided material", name);
|
KMSOp.ROLL_NEW_VERSION, name);
|
||||||
}
|
}
|
||||||
KeyProvider.KeyVersion keyVersion = (material != null)
|
KeyProvider.KeyVersion keyVersion = (material != null)
|
||||||
? provider.rollNewVersion(name, Base64.decodeBase64(material))
|
? provider.rollNewVersion(name, Base64.decodeBase64(material))
|
||||||
|
@ -219,7 +213,7 @@ public class KMS {
|
||||||
|
|
||||||
provider.flush();
|
provider.flush();
|
||||||
|
|
||||||
kmsAudit.ok(user, ROLL_NEW_VERSION, name, "UserProvidedMaterial:" +
|
kmsAudit.ok(user, KMSOp.ROLL_NEW_VERSION, name, "UserProvidedMaterial:" +
|
||||||
(material != null) + " NewVersion:" + keyVersion.getVersionName());
|
(material != null) + " NewVersion:" + keyVersion.getVersionName());
|
||||||
|
|
||||||
if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, user.getName())) {
|
if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, user.getName())) {
|
||||||
|
@ -233,15 +227,15 @@ public class KMS {
|
||||||
@Path(KMSRESTConstants.KEYS_METADATA_RESOURCE)
|
@Path(KMSRESTConstants.KEYS_METADATA_RESOURCE)
|
||||||
@Produces(MediaType.APPLICATION_JSON)
|
@Produces(MediaType.APPLICATION_JSON)
|
||||||
public Response getKeysMetadata(@Context SecurityContext securityContext,
|
public Response getKeysMetadata(@Context SecurityContext securityContext,
|
||||||
@QueryParam(KMSRESTConstants.KEY_OP) List<String> keyNamesList)
|
@QueryParam(KMSRESTConstants.KEY) List<String> keyNamesList)
|
||||||
throws Exception {
|
throws Exception {
|
||||||
KMSWebApp.getAdminCallsMeter().mark();
|
KMSWebApp.getAdminCallsMeter().mark();
|
||||||
Principal user = getPrincipal(securityContext);
|
Principal user = getPrincipal(securityContext);
|
||||||
String[] keyNames = keyNamesList.toArray(new String[keyNamesList.size()]);
|
String[] keyNames = keyNamesList.toArray(new String[keyNamesList.size()]);
|
||||||
assertAccess(KMSACLs.Type.GET_METADATA, user, GET_KEYS_METADATA);
|
assertAccess(KMSACLs.Type.GET_METADATA, user, KMSOp.GET_KEYS_METADATA);
|
||||||
KeyProvider.Metadata[] keysMeta = provider.getKeysMetadata(keyNames);
|
KeyProvider.Metadata[] keysMeta = provider.getKeysMetadata(keyNames);
|
||||||
Object json = KMSServerJSONUtils.toJSON(keyNames, keysMeta);
|
Object json = KMSServerJSONUtils.toJSON(keyNames, keysMeta);
|
||||||
kmsAudit.ok(user, GET_KEYS_METADATA, "");
|
kmsAudit.ok(user, KMSOp.GET_KEYS_METADATA, "");
|
||||||
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
|
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -252,9 +246,9 @@ public class KMS {
|
||||||
throws Exception {
|
throws Exception {
|
||||||
KMSWebApp.getAdminCallsMeter().mark();
|
KMSWebApp.getAdminCallsMeter().mark();
|
||||||
Principal user = getPrincipal(securityContext);
|
Principal user = getPrincipal(securityContext);
|
||||||
assertAccess(KMSACLs.Type.GET_KEYS, user, GET_KEYS);
|
assertAccess(KMSACLs.Type.GET_KEYS, user, KMSOp.GET_KEYS);
|
||||||
Object json = provider.getKeys();
|
Object json = provider.getKeys();
|
||||||
kmsAudit.ok(user, GET_KEYS, "");
|
kmsAudit.ok(user, KMSOp.GET_KEYS, "");
|
||||||
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
|
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -276,9 +270,9 @@ public class KMS {
|
||||||
Principal user = getPrincipal(securityContext);
|
Principal user = getPrincipal(securityContext);
|
||||||
KMSClientProvider.checkNotEmpty(name, "name");
|
KMSClientProvider.checkNotEmpty(name, "name");
|
||||||
KMSWebApp.getAdminCallsMeter().mark();
|
KMSWebApp.getAdminCallsMeter().mark();
|
||||||
assertAccess(KMSACLs.Type.GET_METADATA, user, GET_METADATA, name);
|
assertAccess(KMSACLs.Type.GET_METADATA, user, KMSOp.GET_METADATA, name);
|
||||||
Object json = KMSServerJSONUtils.toJSON(name, provider.getMetadata(name));
|
Object json = KMSServerJSONUtils.toJSON(name, provider.getMetadata(name));
|
||||||
kmsAudit.ok(user, GET_METADATA, name, "");
|
kmsAudit.ok(user, KMSOp.GET_METADATA, name, "");
|
||||||
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
|
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -292,9 +286,9 @@ public class KMS {
|
||||||
Principal user = getPrincipal(securityContext);
|
Principal user = getPrincipal(securityContext);
|
||||||
KMSClientProvider.checkNotEmpty(name, "name");
|
KMSClientProvider.checkNotEmpty(name, "name");
|
||||||
KMSWebApp.getKeyCallsMeter().mark();
|
KMSWebApp.getKeyCallsMeter().mark();
|
||||||
assertAccess(KMSACLs.Type.GET, user, GET_CURRENT_KEY, name);
|
assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_CURRENT_KEY, name);
|
||||||
Object json = KMSServerJSONUtils.toJSON(provider.getCurrentKey(name));
|
Object json = KMSServerJSONUtils.toJSON(provider.getCurrentKey(name));
|
||||||
kmsAudit.ok(user, GET_CURRENT_KEY, name, "");
|
kmsAudit.ok(user, KMSOp.GET_CURRENT_KEY, name, "");
|
||||||
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
|
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -308,9 +302,9 @@ public class KMS {
|
||||||
KMSClientProvider.checkNotEmpty(versionName, "versionName");
|
KMSClientProvider.checkNotEmpty(versionName, "versionName");
|
||||||
KMSWebApp.getKeyCallsMeter().mark();
|
KMSWebApp.getKeyCallsMeter().mark();
|
||||||
KeyVersion keyVersion = provider.getKeyVersion(versionName);
|
KeyVersion keyVersion = provider.getKeyVersion(versionName);
|
||||||
assertAccess(KMSACLs.Type.GET, user, GET_KEY_VERSION);
|
assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSION);
|
||||||
if (keyVersion != null) {
|
if (keyVersion != null) {
|
||||||
kmsAudit.ok(user, GET_KEY_VERSION, keyVersion.getName(), "");
|
kmsAudit.ok(user, KMSOp.GET_KEY_VERSION, keyVersion.getName(), "");
|
||||||
}
|
}
|
||||||
Object json = KMSServerJSONUtils.toJSON(keyVersion);
|
Object json = KMSServerJSONUtils.toJSON(keyVersion);
|
||||||
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
|
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
|
||||||
|
@ -334,7 +328,7 @@ public class KMS {
|
||||||
|
|
||||||
Object retJSON;
|
Object retJSON;
|
||||||
if (edekOp.equals(KMSRESTConstants.EEK_GENERATE)) {
|
if (edekOp.equals(KMSRESTConstants.EEK_GENERATE)) {
|
||||||
assertAccess(KMSACLs.Type.GENERATE_EEK, user, GENERATE_EEK, name);
|
assertAccess(KMSACLs.Type.GENERATE_EEK, user, KMSOp.GENERATE_EEK, name);
|
||||||
|
|
||||||
List<EncryptedKeyVersion> retEdeks =
|
List<EncryptedKeyVersion> retEdeks =
|
||||||
new LinkedList<EncryptedKeyVersion>();
|
new LinkedList<EncryptedKeyVersion>();
|
||||||
|
@ -345,7 +339,7 @@ public class KMS {
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
throw new IOException(e);
|
throw new IOException(e);
|
||||||
}
|
}
|
||||||
kmsAudit.ok(user, GENERATE_EEK, name, "");
|
kmsAudit.ok(user, KMSOp.GENERATE_EEK, name, "");
|
||||||
retJSON = new ArrayList();
|
retJSON = new ArrayList();
|
||||||
for (EncryptedKeyVersion edek : retEdeks) {
|
for (EncryptedKeyVersion edek : retEdeks) {
|
||||||
((ArrayList)retJSON).add(KMSServerJSONUtils.toJSON(edek));
|
((ArrayList)retJSON).add(KMSServerJSONUtils.toJSON(edek));
|
||||||
|
@ -380,7 +374,7 @@ public class KMS {
|
||||||
(String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD);
|
(String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD);
|
||||||
Object retJSON;
|
Object retJSON;
|
||||||
if (eekOp.equals(KMSRESTConstants.EEK_DECRYPT)) {
|
if (eekOp.equals(KMSRESTConstants.EEK_DECRYPT)) {
|
||||||
assertAccess(KMSACLs.Type.DECRYPT_EEK, user, DECRYPT_EEK, keyName);
|
assertAccess(KMSACLs.Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName);
|
||||||
KMSClientProvider.checkNotNull(ivStr, KMSRESTConstants.IV_FIELD);
|
KMSClientProvider.checkNotNull(ivStr, KMSRESTConstants.IV_FIELD);
|
||||||
byte[] iv = Base64.decodeBase64(ivStr);
|
byte[] iv = Base64.decodeBase64(ivStr);
|
||||||
KMSClientProvider.checkNotNull(encMaterialStr,
|
KMSClientProvider.checkNotNull(encMaterialStr,
|
||||||
|
@ -391,7 +385,7 @@ public class KMS {
|
||||||
new KMSClientProvider.KMSEncryptedKeyVersion(keyName, versionName,
|
new KMSClientProvider.KMSEncryptedKeyVersion(keyName, versionName,
|
||||||
iv, KeyProviderCryptoExtension.EEK, encMaterial));
|
iv, KeyProviderCryptoExtension.EEK, encMaterial));
|
||||||
retJSON = KMSServerJSONUtils.toJSON(retKeyVersion);
|
retJSON = KMSServerJSONUtils.toJSON(retKeyVersion);
|
||||||
kmsAudit.ok(user, DECRYPT_EEK, keyName, "");
|
kmsAudit.ok(user, KMSOp.DECRYPT_EEK, keyName, "");
|
||||||
} else {
|
} else {
|
||||||
throw new IllegalArgumentException("Wrong " + KMSRESTConstants.EEK_OP +
|
throw new IllegalArgumentException("Wrong " + KMSRESTConstants.EEK_OP +
|
||||||
" value, it must be " + KMSRESTConstants.EEK_GENERATE + " or " +
|
" value, it must be " + KMSRESTConstants.EEK_GENERATE + " or " +
|
||||||
|
@ -412,9 +406,9 @@ public class KMS {
|
||||||
Principal user = getPrincipal(securityContext);
|
Principal user = getPrincipal(securityContext);
|
||||||
KMSClientProvider.checkNotEmpty(name, "name");
|
KMSClientProvider.checkNotEmpty(name, "name");
|
||||||
KMSWebApp.getKeyCallsMeter().mark();
|
KMSWebApp.getKeyCallsMeter().mark();
|
||||||
assertAccess(KMSACLs.Type.GET, user, GET_KEY_VERSIONS, name);
|
assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSIONS, name);
|
||||||
Object json = KMSServerJSONUtils.toJSON(provider.getKeyVersions(name));
|
Object json = KMSServerJSONUtils.toJSON(provider.getKeyVersions(name));
|
||||||
kmsAudit.ok(user, GET_KEY_VERSIONS, name, "");
|
kmsAudit.ok(user, KMSOp.GET_KEY_VERSIONS, name, "");
|
||||||
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
|
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -50,11 +50,11 @@ public class KMSAudit {
|
||||||
private final AtomicLong accessCount = new AtomicLong(-1);
|
private final AtomicLong accessCount = new AtomicLong(-1);
|
||||||
private final String keyName;
|
private final String keyName;
|
||||||
private final String user;
|
private final String user;
|
||||||
private final String op;
|
private final KMS.KMSOp op;
|
||||||
private final String extraMsg;
|
private final String extraMsg;
|
||||||
private final long startTime = System.currentTimeMillis();
|
private final long startTime = System.currentTimeMillis();
|
||||||
|
|
||||||
private AuditEvent(String keyName, String user, String op, String msg) {
|
private AuditEvent(String keyName, String user, KMS.KMSOp op, String msg) {
|
||||||
this.keyName = keyName;
|
this.keyName = keyName;
|
||||||
this.user = user;
|
this.user = user;
|
||||||
this.op = op;
|
this.op = op;
|
||||||
|
@ -77,7 +77,7 @@ public class KMSAudit {
|
||||||
return user;
|
return user;
|
||||||
}
|
}
|
||||||
|
|
||||||
public String getOp() {
|
public KMS.KMSOp getOp() {
|
||||||
return op;
|
return op;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -90,8 +90,9 @@ public class KMSAudit {
|
||||||
OK, UNAUTHORIZED, UNAUTHENTICATED, ERROR;
|
OK, UNAUTHORIZED, UNAUTHENTICATED, ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
private static Set<String> AGGREGATE_OPS_WHITELIST = Sets.newHashSet(
|
private static Set<KMS.KMSOp> AGGREGATE_OPS_WHITELIST = Sets.newHashSet(
|
||||||
KMS.GET_KEY_VERSION, KMS.GET_CURRENT_KEY, KMS.DECRYPT_EEK, KMS.GENERATE_EEK
|
KMS.KMSOp.GET_KEY_VERSION, KMS.KMSOp.GET_CURRENT_KEY,
|
||||||
|
KMS.KMSOp.DECRYPT_EEK, KMS.KMSOp.GENERATE_EEK
|
||||||
);
|
);
|
||||||
|
|
||||||
private Cache<String, AuditEvent> cache;
|
private Cache<String, AuditEvent> cache;
|
||||||
|
@ -137,10 +138,10 @@ public class KMSAudit {
|
||||||
event.getExtraMsg());
|
event.getExtraMsg());
|
||||||
}
|
}
|
||||||
|
|
||||||
private void op(OpStatus opStatus, final String op, final String user,
|
private void op(OpStatus opStatus, final KMS.KMSOp op, final String user,
|
||||||
final String key, final String extraMsg) {
|
final String key, final String extraMsg) {
|
||||||
if (!Strings.isNullOrEmpty(user) && !Strings.isNullOrEmpty(key)
|
if (!Strings.isNullOrEmpty(user) && !Strings.isNullOrEmpty(key)
|
||||||
&& !Strings.isNullOrEmpty(op)
|
&& (op != null)
|
||||||
&& AGGREGATE_OPS_WHITELIST.contains(op)) {
|
&& AGGREGATE_OPS_WHITELIST.contains(op)) {
|
||||||
String cacheKey = createCacheKey(user, key, op);
|
String cacheKey = createCacheKey(user, key, op);
|
||||||
if (opStatus == OpStatus.UNAUTHORIZED) {
|
if (opStatus == OpStatus.UNAUTHORIZED) {
|
||||||
|
@ -167,7 +168,7 @@ public class KMSAudit {
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
List<String> kvs = new LinkedList<String>();
|
List<String> kvs = new LinkedList<String>();
|
||||||
if (!Strings.isNullOrEmpty(op)) {
|
if (op != null) {
|
||||||
kvs.add("op=" + op);
|
kvs.add("op=" + op);
|
||||||
}
|
}
|
||||||
if (!Strings.isNullOrEmpty(key)) {
|
if (!Strings.isNullOrEmpty(key)) {
|
||||||
|
@ -185,16 +186,16 @@ public class KMSAudit {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public void ok(Principal user, String op, String key,
|
public void ok(Principal user, KMS.KMSOp op, String key,
|
||||||
String extraMsg) {
|
String extraMsg) {
|
||||||
op(OpStatus.OK, op, user.getName(), key, extraMsg);
|
op(OpStatus.OK, op, user.getName(), key, extraMsg);
|
||||||
}
|
}
|
||||||
|
|
||||||
public void ok(Principal user, String op, String extraMsg) {
|
public void ok(Principal user, KMS.KMSOp op, String extraMsg) {
|
||||||
op(OpStatus.OK, op, user.getName(), null, extraMsg);
|
op(OpStatus.OK, op, user.getName(), null, extraMsg);
|
||||||
}
|
}
|
||||||
|
|
||||||
public void unauthorized(Principal user, String op, String key) {
|
public void unauthorized(Principal user, KMS.KMSOp op, String key) {
|
||||||
op(OpStatus.UNAUTHORIZED, op, user.getName(), key, "");
|
op(OpStatus.UNAUTHORIZED, op, user.getName(), key, "");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -211,7 +212,7 @@ public class KMSAudit {
|
||||||
+ " URL:" + url + " ErrorMsg:'" + extraMsg + "'");
|
+ " URL:" + url + " ErrorMsg:'" + extraMsg + "'");
|
||||||
}
|
}
|
||||||
|
|
||||||
private static String createCacheKey(String user, String key, String op) {
|
private static String createCacheKey(String user, String key, KMS.KMSOp op) {
|
||||||
return user + "#" + key + "#" + op;
|
return user + "#" + key + "#" + op;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -17,6 +17,7 @@
|
||||||
*/
|
*/
|
||||||
package org.apache.hadoop.crypto.key.kms.server;
|
package org.apache.hadoop.crypto.key.kms.server;
|
||||||
|
|
||||||
|
import org.apache.hadoop.classification.InterfaceAudience;
|
||||||
import org.apache.hadoop.conf.Configuration;
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
|
||||||
import java.io.File;
|
import java.io.File;
|
||||||
|
@ -26,6 +27,7 @@ import java.net.URL;
|
||||||
/**
|
/**
|
||||||
* Utility class to load KMS configuration files.
|
* Utility class to load KMS configuration files.
|
||||||
*/
|
*/
|
||||||
|
@InterfaceAudience.Private
|
||||||
public class KMSConfiguration {
|
public class KMSConfiguration {
|
||||||
|
|
||||||
public static final String KMS_CONFIG_DIR = "kms.config.dir";
|
public static final String KMS_CONFIG_DIR = "kms.config.dir";
|
||||||
|
|
|
@ -17,12 +17,15 @@
|
||||||
*/
|
*/
|
||||||
package org.apache.hadoop.crypto.key.kms.server;
|
package org.apache.hadoop.crypto.key.kms.server;
|
||||||
|
|
||||||
|
import org.apache.hadoop.classification.InterfaceAudience;
|
||||||
import org.apache.hadoop.jmx.JMXJsonServlet;
|
import org.apache.hadoop.jmx.JMXJsonServlet;
|
||||||
|
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletRequest;
|
||||||
import javax.servlet.http.HttpServletResponse;
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
|
||||||
|
@InterfaceAudience.Private
|
||||||
public class KMSJMXServlet extends JMXJsonServlet {
|
public class KMSJMXServlet extends JMXJsonServlet {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
|
|
@ -23,6 +23,7 @@ import java.io.OutputStream;
|
||||||
import java.io.PrintStream;
|
import java.io.PrintStream;
|
||||||
import java.security.Principal;
|
import java.security.Principal;
|
||||||
|
|
||||||
|
import org.apache.hadoop.crypto.key.kms.server.KMS.KMSOp;
|
||||||
import org.apache.log4j.LogManager;
|
import org.apache.log4j.LogManager;
|
||||||
import org.apache.log4j.PropertyConfigurator;
|
import org.apache.log4j.PropertyConfigurator;
|
||||||
import org.junit.After;
|
import org.junit.After;
|
||||||
|
@ -82,16 +83,16 @@ public class TestKMSAudit {
|
||||||
public void testAggregation() throws Exception {
|
public void testAggregation() throws Exception {
|
||||||
Principal luser = Mockito.mock(Principal.class);
|
Principal luser = Mockito.mock(Principal.class);
|
||||||
Mockito.when(luser.getName()).thenReturn("luser");
|
Mockito.when(luser.getName()).thenReturn("luser");
|
||||||
kmsAudit.ok(luser, KMS.DECRYPT_EEK, "k1", "testmsg");
|
kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
|
||||||
kmsAudit.ok(luser, KMS.DECRYPT_EEK, "k1", "testmsg");
|
kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
|
||||||
kmsAudit.ok(luser, KMS.DECRYPT_EEK, "k1", "testmsg");
|
kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
|
||||||
kmsAudit.ok(luser, KMS.DELETE_KEY, "k1", "testmsg");
|
kmsAudit.ok(luser, KMSOp.DELETE_KEY, "k1", "testmsg");
|
||||||
kmsAudit.ok(luser, KMS.ROLL_NEW_VERSION, "k1", "testmsg");
|
kmsAudit.ok(luser, KMSOp.ROLL_NEW_VERSION, "k1", "testmsg");
|
||||||
kmsAudit.ok(luser, KMS.DECRYPT_EEK, "k1", "testmsg");
|
kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
|
||||||
kmsAudit.ok(luser, KMS.DECRYPT_EEK, "k1", "testmsg");
|
kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
|
||||||
kmsAudit.ok(luser, KMS.DECRYPT_EEK, "k1", "testmsg");
|
kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
|
||||||
Thread.sleep(1500);
|
Thread.sleep(1500);
|
||||||
kmsAudit.ok(luser, KMS.DECRYPT_EEK, "k1", "testmsg");
|
kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
|
||||||
Thread.sleep(1500);
|
Thread.sleep(1500);
|
||||||
String out = getAndResetLogOutput();
|
String out = getAndResetLogOutput();
|
||||||
System.out.println(out);
|
System.out.println(out);
|
||||||
|
@ -110,15 +111,15 @@ public class TestKMSAudit {
|
||||||
public void testAggregationUnauth() throws Exception {
|
public void testAggregationUnauth() throws Exception {
|
||||||
Principal luser = Mockito.mock(Principal.class);
|
Principal luser = Mockito.mock(Principal.class);
|
||||||
Mockito.when(luser.getName()).thenReturn("luser");
|
Mockito.when(luser.getName()).thenReturn("luser");
|
||||||
kmsAudit.unauthorized(luser, KMS.GENERATE_EEK, "k2");
|
kmsAudit.unauthorized(luser, KMSOp.GENERATE_EEK, "k2");
|
||||||
Thread.sleep(1000);
|
Thread.sleep(1000);
|
||||||
kmsAudit.ok(luser, KMS.GENERATE_EEK, "k3", "testmsg");
|
kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
|
||||||
kmsAudit.ok(luser, KMS.GENERATE_EEK, "k3", "testmsg");
|
kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
|
||||||
kmsAudit.ok(luser, KMS.GENERATE_EEK, "k3", "testmsg");
|
kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
|
||||||
kmsAudit.ok(luser, KMS.GENERATE_EEK, "k3", "testmsg");
|
kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
|
||||||
kmsAudit.ok(luser, KMS.GENERATE_EEK, "k3", "testmsg");
|
kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
|
||||||
kmsAudit.unauthorized(luser, KMS.GENERATE_EEK, "k3");
|
kmsAudit.unauthorized(luser, KMSOp.GENERATE_EEK, "k3");
|
||||||
kmsAudit.ok(luser, KMS.GENERATE_EEK, "k3", "testmsg");
|
kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
|
||||||
Thread.sleep(2000);
|
Thread.sleep(2000);
|
||||||
String out = getAndResetLogOutput();
|
String out = getAndResetLogOutput();
|
||||||
System.out.println(out);
|
System.out.println(out);
|
||||||
|
|
Loading…
Reference in New Issue