HADOOP-10970. Cleanup KMS configuration keys. (wang)
parent
aa1052c34b
commit
adf0b67a71
@ -535,6 +535,8 @@ Release 2.6.0 - UNRELEASED
HADOOP-11106. Document considerations of HAR and Encryption. (clamb via wang)
HADOOP-11106. Document considerations of HAR and Encryption. (clamb via wang)
HADOOP-10970. Cleanup KMS configuration keys. (wang)
OPTIMIZATIONS
OPTIMIZATIONS
HADOOP-10838. Byte array native checksumming. (James Thomas via todd)
HADOOP-10838. Byte array native checksumming. (James Thomas via todd)
@ -23,7 +23,7 @@
<value>*</value>
<value>*</value>
<description>
<description>
ACL for create-key operations.
ACL for create-key operations.
If the user does is not in the GET ACL, the key material is not returned
If the user is not in the GET ACL, the key material is not returned
as part of the response.
as part of the response.
</description>
</description>
</property>
</property>
@ -58,7 +58,7 @@
<name>hadoop.kms.acl.GET_KEYS</name>
<name>hadoop.kms.acl.GET_KEYS</name>
<value>*</value>
<value>*</value>
<description>
<description>
ACL for get-keys operation.
ACL for get-keys operations.
</description>
</description>
</property>
</property>
@ -66,7 +66,7 @@
<name>hadoop.kms.acl.GET_METADATA</name>
<name>hadoop.kms.acl.GET_METADATA</name>
<value>*</value>
<value>*</value>
<description>
<description>
ACL for get-key-metadata an get-keys-metadata operations.
ACL for get-key-metadata and get-keys-metadata operations.
</description>
</description>
</property>
</property>
@ -74,7 +74,7 @@
<name>hadoop.kms.acl.SET_KEY_MATERIAL</name>
<name>hadoop.kms.acl.SET_KEY_MATERIAL</name>
<value>*</value>
<value>*</value>
<description>
<description>
Complimentary ACL for CREATE and ROLLOVER operation to allow the client
Complementary ACL for CREATE and ROLLOVER operations to allow the client
to provide the key material when creating or rolling a key.
to provide the key material when creating or rolling a key.
</description>
</description>
</property>
</property>
@ -83,7 +83,7 @@
<name>hadoop.kms.acl.GENERATE_EEK</name>
<name>hadoop.kms.acl.GENERATE_EEK</name>
<value>*</value>
<value>*</value>
<description>
<description>
ACL for generateEncryptedKey CryptoExtension operations
ACL for generateEncryptedKey CryptoExtension operations.
</description>
</description>
</property>
</property>
@ -91,7 +91,7 @@
<name>hadoop.kms.acl.DECRYPT_EEK</name>
<name>hadoop.kms.acl.DECRYPT_EEK</name>
<value>*</value>
<value>*</value>
<description>
<description>
ACL for decrypt EncryptedKey CryptoExtension operations
ACL for decryptEncryptedKey CryptoExtension operations.
</description>
</description>
</property>
</property>
@ -15,10 +15,12 @@
<configuration>
<configuration>
<!-- KMS Backend KeyProvider -->
<!-- KMS Backend KeyProvider -->
<property>
<property>
<name>hadoop.kms.key.provider.uri</name>
<name>hadoop.kms.key.provider.uri</name>
<value>jceks://file@/${user.home}/kms.keystore</value>
<value>jceks://file@/${user.home}/kms.keystore</value>
<description>
<description>
URI of the backing KeyProvider for the KMS.
</description>
</description>
</property>
</property>
@ -26,14 +28,52 @@
<name>hadoop.security.keystore.JavaKeyStoreProvider.password</name>
<name>hadoop.security.keystore.JavaKeyStoreProvider.password</name>
<value>none</value>
<value>none</value>
<description>
<description>
If using the JavaKeyStoreProvider, the password for the keystore file.
</description>
</description>
</property>
</property>
<!-- KMS Cache -->
<!-- KMS Cache -->
<property>
<name>hadoop.kms.cache.enable</name>
<value>true</value>
<description>
Whether the KMS will act as a cache for the backing KeyProvider.
When the cache is enabled, operations like getKeyVersion, getMetadata,
and getCurrentKey will sometimes return cached data without consulting
the backing KeyProvider. Cached values are flushed when keys are deleted
or modified.
</description>
</property>
<property>
<property>
<name>hadoop.kms.cache.timeout.ms</name>
<name>hadoop.kms.cache.timeout.ms</name>
<value>600000</value>
<description>
Expiry time for the KMS key version and key metadata cache, in
milliseconds. This affects getKeyVersion and getMetadata.
</description>
</property>
<property>
<name>hadoop.kms.current.key.cache.timeout.ms</name>
<value>30000</value>
<description>
Expiry time for the KMS current key cache, in milliseconds. This
affects getCurrentKey operations.
</description>
</property>
<!-- KMS Audit -->
<property>
<name>hadoop.kms.audit.aggregation.window.ms</name>
<value>10000</value>
<value>10000</value>
<description>
<description>
Duplicate audit log events within the aggregation window (specified in
ms) are quashed to reduce log traffic. A single message for aggregated
events is printed at the end of the window, along with a count of the
number of aggregated events.
</description>
</description>
</property>
</property>
@ -43,7 +83,8 @@
<name>hadoop.kms.authentication.type</name>
<name>hadoop.kms.authentication.type</name>
<value>simple</value>
<value>simple</value>
<description>
<description>
simple or kerberos
Authentication type for the KMS. Can be either "simple"
or "kerberos".
</description>
</description>
</property>
</property>
@ -51,6 +92,7 @@
<name>hadoop.kms.authentication.kerberos.keytab</name>
<name>hadoop.kms.authentication.kerberos.keytab</name>
<value>${user.home}/kms.keytab</value>
<value>${user.home}/kms.keytab</value>
<description>
<description>
Path to the keytab with credentials for the configured Kerberos principal.
</description>
</description>
</property>
</property>
@ -58,6 +100,8 @@
<name>hadoop.kms.authentication.kerberos.principal</name>
<name>hadoop.kms.authentication.kerberos.principal</name>
<value>HTTP/localhost</value>
<value>HTTP/localhost</value>
<description>
<description>
The Kerberos principal to use for the HTTP endpoint.
The principal must start with 'HTTP/' as per the Kerberos HTTP SPNEGO specification.
</description>
</description>
</property>
</property>
@ -65,6 +109,7 @@
<name>hadoop.kms.authentication.kerberos.name.rules</name>
<name>hadoop.kms.authentication.kerberos.name.rules</name>
<value>DEFAULT</value>
<value>DEFAULT</value>
<description>
<description>
Rules used to resolve Kerberos principal names.
</description>
</description>
</property>
</property>
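Review bot: The description added for `hadoop.security.keystore.JavaKeyStoreProvider.password` in the `@ -26,14 +28,52 @@` hunk documents a secret that sits as literal text in this site file but says nothing about protecting it, so an operator reading only this text has no cue to restrict access to the file. Suggest extending the description to `If using the JavaKeyStoreProvider, the password for the keystore file. The value is stored as plaintext in this file, so restrict read access to the file when a non-default password is set.` The default value `none` is carried over unchanged, and whether it is interpreted as a literal password or as "no password" cannot be seen in this diff; the description should say which.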
@ -103,9 +103,17 @@ public class KMSAudit {
private static Logger AUDIT_LOG = LoggerFactory.getLogger(KMS_LOGGER_NAME);
private static Logger AUDIT_LOG = LoggerFactory.getLogger(KMS_LOGGER_NAME);
KMSAudit(long delay) {
/**
* Create a new KMSAudit.
*
* @param windowMs Duplicate events within the aggregation window are quashed
* to reduce log traffic. A single message for aggregated
* events is printed at the end of the window, along with a
* count of the number of aggregated events.
*/
KMSAudit(long windowMs) {
cache = CacheBuilder.newBuilder()
cache = CacheBuilder.newBuilder()
.expireAfterWrite(delay, TimeUnit.MILLISECONDS)
.expireAfterWrite(windowMs, TimeUnit.MILLISECONDS)
.removalListener(
.removalListener(
new RemovalListener<String, AuditEvent>() {
new RemovalListener<String, AuditEvent>() {
@Override
@Override
@ -126,7 +134,7 @@ public class KMSAudit {
public void run() {
public void run() {
cache.cleanUp();
cache.cleanUp();
}
}
}, delay / 10, delay / 10, TimeUnit.MILLISECONDS);
}, windowMs / 10, windowMs / 10, TimeUnit.MILLISECONDS);
}
}
private void logEvent(AuditEvent event) {
private void logEvent(AuditEvent event) {
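Review bot: The renamed constructor `KMSAudit(long windowMs)` still accepts any value without validation, and the new Javadoc does not say that the argument is in milliseconds or that it must be positive; the cache is built with `.expireAfterWrite(windowMs, TimeUnit.MILLISECONDS)` and the cleanup task in the second hunk is scheduled with a period of `windowMs / 10`, so a value below 10 produces a period of 0 and a non-positive value presumably fails inside the cache builder or the scheduler rather than at this constructor with a clear message. Add a guard as the first statement of the constructor, `if (windowMs <= 0) { throw new IllegalArgumentException("windowMs must be positive: " + windowMs); }`, and append `Value is in milliseconds and must be positive.` to the `@param windowMs` text. The constructor body continues between the two hunks, so the scheduler call that consumes `windowMs / 10` is only partly visible here.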
@ -54,8 +54,8 @@ public class KMSConfiguration {
public static final String CURR_KEY_CACHE_TIMEOUT_KEY = CONFIG_PREFIX +
public static final String CURR_KEY_CACHE_TIMEOUT_KEY = CONFIG_PREFIX +
"current.key.cache.timeout.ms";
"current.key.cache.timeout.ms";
// Delay for Audit logs that need aggregation
// Delay for Audit logs that need aggregation
public static final String KMS_AUDIT_AGGREGATION_DELAY = CONFIG_PREFIX +
public static final String KMS_AUDIT_AGGREGATION_WINDOW = CONFIG_PREFIX +
"aggregation.delay.ms";
"audit.aggregation.window.ms";
public static final boolean KEY_CACHE_ENABLE_DEFAULT = true;
public static final boolean KEY_CACHE_ENABLE_DEFAULT = true;
// 10 mins
// 10 mins
@ -63,7 +63,7 @@ public class KMSConfiguration {
// 30 secs
// 30 secs
public static final long CURR_KEY_CACHE_TIMEOUT_DEFAULT = 30 * 1000;
public static final long CURR_KEY_CACHE_TIMEOUT_DEFAULT = 30 * 1000;
// 10 secs
// 10 secs
public static final long KMS_AUDIT_AGGREGATION_DELAY_DEFAULT = 10000;
public static final long KMS_AUDIT_AGGREGATION_WINDOW_DEFAULT = 10000;
// Property to Enable/Disable per Key authorization
// Property to Enable/Disable per Key authorization
public static final String KEY_AUTHORIZATION_ENABLE = CONFIG_PREFIX +
public static final String KEY_AUTHORIZATION_ENABLE = CONFIG_PREFIX +
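Review bot: The key string behind the renamed constant changes from `aggregation.delay.ms` to `audit.aggregation.window.ms` in the first KMSConfiguration hunk with no compatibility path, so a deployment that still sets the old `hadoop.kms.aggregation.delay.ms` silently falls back to `KMS_AUDIT_AGGREGATION_WINDOW_DEFAULT`; the KMSWebApp hunk reads the new key and the kms-site.xml hunk documents only the new name. If the old key was ever shipped in a release, register a mapping where the KMS configuration is loaded, e.g. `Configuration.addDeprecation(CONFIG_PREFIX + "aggregation.delay.ms", KMS_AUDIT_AGGREGATION_WINDOW);`, or at minimum call out the rename in the release notes. The comment kept above the constant, `// Delay for Audit logs that need aggregation`, is stale after the rename; suggest `// Aggregation window for duplicate audit log events, in ms`.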
@ -148,8 +148,8 @@ public class KMSWebApp implements ServletContextListener {
kmsAudit =
kmsAudit =
new KMSAudit(kmsConf.getLong(
new KMSAudit(kmsConf.getLong(
KMSConfiguration.KMS_AUDIT_AGGREGATION_DELAY,
KMSConfiguration.KMS_AUDIT_AGGREGATION_WINDOW,
KMSConfiguration.KMS_AUDIT_AGGREGATION_DELAY_DEFAULT));
KMSConfiguration.KMS_AUDIT_AGGREGATION_WINDOW_DEFAULT));
// this is required for the the JMXJsonServlet to work properly.
// this is required for the the JMXJsonServlet to work properly.
// the JMXJsonServlet is behind the authentication filter,
// the JMXJsonServlet is behind the authentication filter,