Apache
/
hadoop
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HADOOP-13669. KMS Server should log exceptions before throwing. Contributed by Suraj Acharya. 

(cherry picked from commit fc18c32540ed6a410adb123e1105729e0343b7f5)
This commit is contained in:
Xiao Chen 2016-10-10 12:49:19 -07:00
parent 6c137ea94e
commit eebda43ec1
1 changed files with 382 additions and 309 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

691
hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
View File

@ -104,89 +104,101 @@ private static URI getKeyURI(String domain, String keyName) {
@Produces(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
public Response createKey(Map jsonKey) throws Exception { public Response createKey(Map jsonKey) throws Exception {
LOG.trace("Entering createKey Method."); try{
KMSWebApp.getAdminCallsMeter().mark(); LOG.trace("Entering createKey Method.");
UserGroupInformation user = HttpUserGroupInformation.get(); KMSWebApp.getAdminCallsMeter().mark();
final String name = (String) jsonKey.get(KMSRESTConstants.NAME_FIELD); UserGroupInformation user = HttpUserGroupInformation.get();
KMSClientProvider.checkNotEmpty(name, KMSRESTConstants.NAME_FIELD); final String name = (String) jsonKey.get(KMSRESTConstants.NAME_FIELD);
assertAccess(KMSACLs.Type.CREATE, user, KMSOp.CREATE_KEY, name); KMSClientProvider.checkNotEmpty(name, KMSRESTConstants.NAME_FIELD);
String cipher = (String) jsonKey.get(KMSRESTConstants.CIPHER_FIELD); assertAccess(KMSACLs.Type.CREATE, user, KMSOp.CREATE_KEY, name);
final String material = (String) jsonKey.get(KMSRESTConstants.MATERIAL_FIELD); String cipher = (String) jsonKey.get(KMSRESTConstants.CIPHER_FIELD);
int length = (jsonKey.containsKey(KMSRESTConstants.LENGTH_FIELD)) final String material;
? (Integer) jsonKey.get(KMSRESTConstants.LENGTH_FIELD) : 0; material = (String) jsonKey.get(KMSRESTConstants.MATERIAL_FIELD);
String description = (String) int length = (jsonKey.containsKey(KMSRESTConstants.LENGTH_FIELD))
jsonKey.get(KMSRESTConstants.DESCRIPTION_FIELD); ? (Integer) jsonKey.get(KMSRESTConstants.LENGTH_FIELD) : 0;
LOG.debug("Creating key with name {}, cipher being used{}, " + String description = (String)
"length of key {}, description of key {}", name, cipher, jsonKey.get(KMSRESTConstants.DESCRIPTION_FIELD);
length, description); LOG.debug("Creating key with name {}, cipher being used{}, " +
Map<String, String> attributes = (Map<String, String>) "length of key {}, description of key {}", name, cipher,
jsonKey.get(KMSRESTConstants.ATTRIBUTES_FIELD); length, description);
if (material != null) { Map<String, String> attributes = (Map<String, String>)
assertAccess(KMSACLs.Type.SET_KEY_MATERIAL, user, jsonKey.get(KMSRESTConstants.ATTRIBUTES_FIELD);
KMSOp.CREATE_KEY, name); if (material != null) {
} assertAccess(KMSACLs.Type.SET_KEY_MATERIAL, user,
final KeyProvider.Options options = new KeyProvider.Options( KMSOp.CREATE_KEY, name);
KMSWebApp.getConfiguration()); }
if (cipher != null) { final KeyProvider.Options options = new KeyProvider.Options(
options.setCipher(cipher); KMSWebApp.getConfiguration());
} if (cipher != null) {
if (length != 0) { options.setCipher(cipher);
options.setBitLength(length); }
} if (length != 0) {
options.setDescription(description); options.setBitLength(length);
options.setAttributes(attributes); }
options.setDescription(description);
options.setAttributes(attributes);
KeyProvider.KeyVersion keyVersion = user.doAs( KeyProvider.KeyVersion keyVersion = user.doAs(
new PrivilegedExceptionAction<KeyVersion>() { new PrivilegedExceptionAction<KeyVersion>() {
@Override @Override
public KeyVersion run() throws Exception { public KeyVersion run() throws Exception {
KeyProvider.KeyVersion keyVersion = (material != null) KeyProvider.KeyVersion keyVersion = (material != null)
? provider.createKey(name, Base64.decodeBase64(material), options) ? provider.createKey(name, Base64.decodeBase64(material),
: provider.createKey(name, options); options)
provider.flush(); : provider.createKey(name, options);
return keyVersion; provider.flush();
return keyVersion;
}
} }
} );
);
kmsAudit.ok(user, KMSOp.CREATE_KEY, name, "UserProvidedMaterial:" + kmsAudit.ok(user, KMSOp.CREATE_KEY, name, "UserProvidedMaterial:" +
(material != null) + " Description:" + description); (material != null) + " Description:" + description);
if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, user)) { if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, user)) {
keyVersion = removeKeyMaterial(keyVersion); keyVersion = removeKeyMaterial(keyVersion);
}
Map json = KMSServerJSONUtils.toJSON(keyVersion);
String requestURL = KMSMDCFilter.getURL();
int idx = requestURL.lastIndexOf(KMSRESTConstants.KEYS_RESOURCE);
requestURL = requestURL.substring(0, idx);
LOG.trace("Exiting createKey Method.");
return Response.created(getKeyURI(KMSRESTConstants.SERVICE_VERSION, name))
.type(MediaType.APPLICATION_JSON)
.header("Location", getKeyURI(requestURL, name)).entity(json).build();
} catch (Exception e) {
LOG.debug("Exception in createKey.", e);
throw e;
} }
Map json = KMSServerJSONUtils.toJSON(keyVersion);
String requestURL = KMSMDCFilter.getURL();
int idx = requestURL.lastIndexOf(KMSRESTConstants.KEYS_RESOURCE);
requestURL = requestURL.substring(0, idx);
LOG.trace("Exiting createKey Method.");
return Response.created(getKeyURI(KMSRESTConstants.SERVICE_VERSION, name))
.type(MediaType.APPLICATION_JSON)
.header("Location", getKeyURI(requestURL, name)).entity(json).build();
} }
@DELETE @DELETE
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}") @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}")
public Response deleteKey(@PathParam("name") final String name) public Response deleteKey(@PathParam("name") final String name)
throws Exception { throws Exception {
LOG.trace("Entering deleteKey method."); try {
KMSWebApp.getAdminCallsMeter().mark(); LOG.trace("Entering deleteKey method.");
UserGroupInformation user = HttpUserGroupInformation.get(); KMSWebApp.getAdminCallsMeter().mark();
assertAccess(KMSACLs.Type.DELETE, user, KMSOp.DELETE_KEY, name); UserGroupInformation user = HttpUserGroupInformation.get();
KMSClientProvider.checkNotEmpty(name, "name"); assertAccess(KMSACLs.Type.DELETE, user, KMSOp.DELETE_KEY, name);
LOG.debug("Deleting key with name {}.", name); KMSClientProvider.checkNotEmpty(name, "name");
user.doAs(new PrivilegedExceptionAction<Void>() { LOG.debug("Deleting key with name {}.", name);
@Override user.doAs(new PrivilegedExceptionAction<Void>() {
public Void run() throws Exception { @Override
provider.deleteKey(name); public Void run() throws Exception {
provider.flush(); provider.deleteKey(name);
return null; provider.flush();
} return null;
}); }
});
kmsAudit.ok(user, KMSOp.DELETE_KEY, name, ""); kmsAudit.ok(user, KMSOp.DELETE_KEY, name, "");
LOG.trace("Exiting deleteKey method."); LOG.trace("Exiting deleteKey method.");
return Response.ok().build(); return Response.ok().build();
} catch (Exception e) {
LOG.debug("Exception in deleteKey.", e);
throw e;
}
} }
@POST @POST
@ -195,41 +207,49 @@ public Void run() throws Exception {
@Produces(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)
public Response rolloverKey(@PathParam("name") final String name, public Response rolloverKey(@PathParam("name") final String name,
Map jsonMaterial) throws Exception { Map jsonMaterial) throws Exception {
LOG.trace("Entering rolloverKey Method."); try {
KMSWebApp.getAdminCallsMeter().mark(); LOG.trace("Entering rolloverKey Method.");
UserGroupInformation user = HttpUserGroupInformation.get(); KMSWebApp.getAdminCallsMeter().mark();
assertAccess(KMSACLs.Type.ROLLOVER, user, KMSOp.ROLL_NEW_VERSION, name); UserGroupInformation user = HttpUserGroupInformation.get();
KMSClientProvider.checkNotEmpty(name, "name"); assertAccess(KMSACLs.Type.ROLLOVER, user, KMSOp.ROLL_NEW_VERSION, name);
LOG.debug("Rolling key with name {}.", name); KMSClientProvider.checkNotEmpty(name, "name");
final String material = (String) LOG.debug("Rolling key with name {}.", name);
jsonMaterial.get(KMSRESTConstants.MATERIAL_FIELD); final String material = (String)
if (material != null) { jsonMaterial.get(KMSRESTConstants.MATERIAL_FIELD);
assertAccess(KMSACLs.Type.SET_KEY_MATERIAL, user, if (material != null) {
KMSOp.ROLL_NEW_VERSION, name); assertAccess(KMSACLs.Type.SET_KEY_MATERIAL, user,
KMSOp.ROLL_NEW_VERSION, name);
}
KeyProvider.KeyVersion keyVersion = user.doAs(
new PrivilegedExceptionAction<KeyVersion>() {
@Override
public KeyVersion run() throws Exception {
KeyVersion keyVersion = (material != null)
? provider.rollNewVersion(name,
Base64.decodeBase64(material))
: provider.rollNewVersion(name);
provider.flush();
return keyVersion;
}
}
);
kmsAudit.ok(user, KMSOp.ROLL_NEW_VERSION, name, "UserProvidedMaterial:" +
(material != null) +
" NewVersion:" + keyVersion.getVersionName());
if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, user)) {
keyVersion = removeKeyMaterial(keyVersion);
}
Map json = KMSServerJSONUtils.toJSON(keyVersion);
LOG.trace("Exiting rolloverKey Method.");
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json)
.build();
} catch (Exception e) {
LOG.debug("Exception in rolloverKey.", e);
throw e;
} }
KeyProvider.KeyVersion keyVersion = user.doAs(
new PrivilegedExceptionAction<KeyVersion>() {
@Override
public KeyVersion run() throws Exception {
KeyVersion keyVersion = (material != null)
? provider.rollNewVersion(name, Base64.decodeBase64(material))
: provider.rollNewVersion(name);
provider.flush();
return keyVersion;
}
}
);
kmsAudit.ok(user, KMSOp.ROLL_NEW_VERSION, name, "UserProvidedMaterial:" +
(material != null) + " NewVersion:" + keyVersion.getVersionName());
if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, user)) {
keyVersion = removeKeyMaterial(keyVersion);
}
Map json = KMSServerJSONUtils.toJSON(keyVersion);
LOG.trace("Exiting rolloverKey Method.");
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
} }
@GET @GET
@ -237,59 +257,76 @@ public KeyVersion run() throws Exception {
@Produces(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)
public Response getKeysMetadata(@QueryParam(KMSRESTConstants.KEY) public Response getKeysMetadata(@QueryParam(KMSRESTConstants.KEY)
List<String> keyNamesList) throws Exception { List<String> keyNamesList) throws Exception {
LOG.trace("Entering getKeysMetadata method."); try {
KMSWebApp.getAdminCallsMeter().mark(); LOG.trace("Entering getKeysMetadata method.");
UserGroupInformation user = HttpUserGroupInformation.get(); KMSWebApp.getAdminCallsMeter().mark();
final String[] keyNames = keyNamesList.toArray( UserGroupInformation user = HttpUserGroupInformation.get();
new String[keyNamesList.size()]); final String[] keyNames = keyNamesList.toArray(
assertAccess(KMSACLs.Type.GET_METADATA, user, KMSOp.GET_KEYS_METADATA); new String[keyNamesList.size()]);
assertAccess(KMSACLs.Type.GET_METADATA, user, KMSOp.GET_KEYS_METADATA);
KeyProvider.Metadata[] keysMeta = user.doAs( KeyProvider.Metadata[] keysMeta = user.doAs(
new PrivilegedExceptionAction<KeyProvider.Metadata[]>() { new PrivilegedExceptionAction<KeyProvider.Metadata[]>() {
@Override @Override
public KeyProvider.Metadata[] run() throws Exception { public KeyProvider.Metadata[] run() throws Exception {
return provider.getKeysMetadata(keyNames); return provider.getKeysMetadata(keyNames);
} }
} }
); );
Object json = KMSServerJSONUtils.toJSON(keyNames, keysMeta); Object json = KMSServerJSONUtils.toJSON(keyNames, keysMeta);
kmsAudit.ok(user, KMSOp.GET_KEYS_METADATA, ""); kmsAudit.ok(user, KMSOp.GET_KEYS_METADATA, "");
LOG.trace("Exiting getKeysMetadata method."); LOG.trace("Exiting getKeysMetadata method.");
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build(); return Response.ok().type(MediaType.APPLICATION_JSON).entity(json)
.build();
} catch (Exception e) {
LOG.debug("Exception in getKeysmetadata.", e);
throw e;
}
} }
@GET @GET
@Path(KMSRESTConstants.KEYS_NAMES_RESOURCE) @Path(KMSRESTConstants.KEYS_NAMES_RESOURCE)
@Produces(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)
public Response getKeyNames() throws Exception { public Response getKeyNames() throws Exception {
LOG.trace("Entering getKeyNames method."); try {
KMSWebApp.getAdminCallsMeter().mark(); LOG.trace("Entering getKeyNames method.");
UserGroupInformation user = HttpUserGroupInformation.get(); KMSWebApp.getAdminCallsMeter().mark();
assertAccess(KMSACLs.Type.GET_KEYS, user, KMSOp.GET_KEYS); UserGroupInformation user = HttpUserGroupInformation.get();
assertAccess(KMSACLs.Type.GET_KEYS, user, KMSOp.GET_KEYS);
List<String> json = user.doAs( List<String> json = user.doAs(
new PrivilegedExceptionAction<List<String>>() { new PrivilegedExceptionAction<List<String>>() {
@Override @Override
public List<String> run() throws Exception { public List<String> run() throws Exception {
return provider.getKeys(); return provider.getKeys();
} }
} }
); );
kmsAudit.ok(user, KMSOp.GET_KEYS, ""); kmsAudit.ok(user, KMSOp.GET_KEYS, "");
LOG.trace("Exiting getKeyNames method."); LOG.trace("Exiting getKeyNames method.");
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build(); return Response.ok().type(MediaType.APPLICATION_JSON).entity(json)
.build();
} catch (Exception e) {
LOG.debug("Exception in getkeyNames.", e);
throw e;
}
} }
@GET @GET
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}") @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}")
public Response getKey(@PathParam("name") String name) public Response getKey(@PathParam("name") String name)
throws Exception { throws Exception {
LOG.trace("Entering getKey method."); try {
LOG.debug("Getting key information for key with name {}.", name); LOG.trace("Entering getKey method.");
LOG.trace("Exiting getKey method."); LOG.debug("Getting key information for key with name {}.", name);
return getMetadata(name); LOG.trace("Exiting getKey method.");
return getMetadata(name);
} catch (Exception e) {
LOG.debug("Exception in getKey.", e);
throw e;
}
} }
@GET @GET
@ -298,26 +335,32 @@ public Response getKey(@PathParam("name") String name)
@Produces(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)
public Response getMetadata(@PathParam("name") final String name) public Response getMetadata(@PathParam("name") final String name)
throws Exception { throws Exception {
LOG.trace("Entering getMetadata method."); try {
UserGroupInformation user = HttpUserGroupInformation.get(); LOG.trace("Entering getMetadata method.");
KMSClientProvider.checkNotEmpty(name, "name"); UserGroupInformation user = HttpUserGroupInformation.get();
KMSWebApp.getAdminCallsMeter().mark(); KMSClientProvider.checkNotEmpty(name, "name");
assertAccess(KMSACLs.Type.GET_METADATA, user, KMSOp.GET_METADATA, name); KMSWebApp.getAdminCallsMeter().mark();
LOG.debug("Getting metadata for key with name {}.", name); assertAccess(KMSACLs.Type.GET_METADATA, user, KMSOp.GET_METADATA, name);
LOG.debug("Getting metadata for key with name {}.", name);
KeyProvider.Metadata metadata = user.doAs( KeyProvider.Metadata metadata = user.doAs(
new PrivilegedExceptionAction<KeyProvider.Metadata>() { new PrivilegedExceptionAction<KeyProvider.Metadata>() {
@Override @Override
public KeyProvider.Metadata run() throws Exception { public KeyProvider.Metadata run() throws Exception {
return provider.getMetadata(name); return provider.getMetadata(name);
} }
} }
); );
Object json = KMSServerJSONUtils.toJSON(name, metadata); Object json = KMSServerJSONUtils.toJSON(name, metadata);
kmsAudit.ok(user, KMSOp.GET_METADATA, name, ""); kmsAudit.ok(user, KMSOp.GET_METADATA, name, "");
LOG.trace("Exiting getMetadata method."); LOG.trace("Exiting getMetadata method.");
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build(); return Response.ok().type(MediaType.APPLICATION_JSON).entity(json)
.build();
} catch (Exception e) {
LOG.debug("Exception in getMetadata.", e);
throw e;
}
} }
@GET @GET
@ -326,26 +369,32 @@ public KeyProvider.Metadata run() throws Exception {
@Produces(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)
public Response getCurrentVersion(@PathParam("name") final String name) public Response getCurrentVersion(@PathParam("name") final String name)
throws Exception { throws Exception {
LOG.trace("Entering getCurrentVersion method."); try {
UserGroupInformation user = HttpUserGroupInformation.get(); LOG.trace("Entering getCurrentVersion method.");
KMSClientProvider.checkNotEmpty(name, "name"); UserGroupInformation user = HttpUserGroupInformation.get();
KMSWebApp.getKeyCallsMeter().mark(); KMSClientProvider.checkNotEmpty(name, "name");
assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_CURRENT_KEY, name); KMSWebApp.getKeyCallsMeter().mark();
LOG.debug("Getting key version for key with name {}.", name); assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_CURRENT_KEY, name);
LOG.debug("Getting key version for key with name {}.", name);
KeyVersion keyVersion = user.doAs( KeyVersion keyVersion = user.doAs(
new PrivilegedExceptionAction<KeyVersion>() { new PrivilegedExceptionAction<KeyVersion>() {
@Override @Override
public KeyVersion run() throws Exception { public KeyVersion run() throws Exception {
return provider.getCurrentKey(name); return provider.getCurrentKey(name);
} }
} }
); );
Object json = KMSServerJSONUtils.toJSON(keyVersion); Object json = KMSServerJSONUtils.toJSON(keyVersion);
kmsAudit.ok(user, KMSOp.GET_CURRENT_KEY, name, ""); kmsAudit.ok(user, KMSOp.GET_CURRENT_KEY, name, "");
LOG.trace("Exiting getCurrentVersion method."); LOG.trace("Exiting getCurrentVersion method.");
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build(); return Response.ok().type(MediaType.APPLICATION_JSON).entity(json)
.build();
} catch (Exception e) {
LOG.debug("Exception in getCurrentVersion.", e);
throw e;
}
} }
@GET @GET
@ -353,28 +402,34 @@ public KeyVersion run() throws Exception {
@Produces(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)
public Response getKeyVersion( public Response getKeyVersion(
@PathParam("versionName") final String versionName) throws Exception { @PathParam("versionName") final String versionName) throws Exception {
LOG.trace("Entering getKeyVersion method."); try {
UserGroupInformation user = HttpUserGroupInformation.get(); LOG.trace("Entering getKeyVersion method.");
KMSClientProvider.checkNotEmpty(versionName, "versionName"); UserGroupInformation user = HttpUserGroupInformation.get();
KMSWebApp.getKeyCallsMeter().mark(); KMSClientProvider.checkNotEmpty(versionName, "versionName");
assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSION); KMSWebApp.getKeyCallsMeter().mark();
LOG.debug("Getting key with version name {}.", versionName); assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSION);
LOG.debug("Getting key with version name {}.", versionName);
KeyVersion keyVersion = user.doAs( KeyVersion keyVersion = user.doAs(
new PrivilegedExceptionAction<KeyVersion>() { new PrivilegedExceptionAction<KeyVersion>() {
@Override @Override
public KeyVersion run() throws Exception { public KeyVersion run() throws Exception {
return provider.getKeyVersion(versionName); return provider.getKeyVersion(versionName);
} }
} }
); );
if (keyVersion != null) { if (keyVersion != null) {
kmsAudit.ok(user, KMSOp.GET_KEY_VERSION, keyVersion.getName(), ""); kmsAudit.ok(user, KMSOp.GET_KEY_VERSION, keyVersion.getName(), "");
}
Object json = KMSServerJSONUtils.toJSON(keyVersion);
LOG.trace("Exiting getKeyVersion method.");
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json)
.build();
} catch (Exception e) {
LOG.debug("Exception in getKeyVersion.", e);
throw e;
} }
Object json = KMSServerJSONUtils.toJSON(keyVersion);
LOG.trace("Exiting getKeyVersion method.");
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
} }
@SuppressWarnings({ "rawtypes", "unchecked" }) @SuppressWarnings({ "rawtypes", "unchecked" })
@ -388,60 +443,65 @@ public Response generateEncryptedKeys(
@DefaultValue("1") @DefaultValue("1")
@QueryParam(KMSRESTConstants.EEK_NUM_KEYS) final int numKeys) @QueryParam(KMSRESTConstants.EEK_NUM_KEYS) final int numKeys)
throws Exception { throws Exception {
LOG.trace("Entering generateEncryptedKeys method."); try {
UserGroupInformation user = HttpUserGroupInformation.get(); LOG.trace("Entering generateEncryptedKeys method.");
KMSClientProvider.checkNotEmpty(name, "name"); UserGroupInformation user = HttpUserGroupInformation.get();
KMSClientProvider.checkNotNull(edekOp, "eekOp"); KMSClientProvider.checkNotEmpty(name, "name");
LOG.debug("Generating encrypted key with name {}," + KMSClientProvider.checkNotNull(edekOp, "eekOp");
" the edek Operation is {}.", name, edekOp); LOG.debug("Generating encrypted key with name {}," +
" the edek Operation is {}.", name, edekOp);
Object retJSON; Object retJSON;
if (edekOp.equals(KMSRESTConstants.EEK_GENERATE)) { if (edekOp.equals(KMSRESTConstants.EEK_GENERATE)) {
LOG.debug("edek Operation is Generate."); LOG.debug("edek Operation is Generate.");
assertAccess(KMSACLs.Type.GENERATE_EEK, user, KMSOp.GENERATE_EEK, name); assertAccess(KMSACLs.Type.GENERATE_EEK, user, KMSOp.GENERATE_EEK, name);
final List<EncryptedKeyVersion> retEdeks = final List<EncryptedKeyVersion> retEdeks =
new LinkedList<EncryptedKeyVersion>(); new LinkedList<EncryptedKeyVersion>();
try { try {
user.doAs( user.doAs(
new PrivilegedExceptionAction<Void>() { new PrivilegedExceptionAction<Void>() {
@Override @Override
public Void run() throws Exception { public Void run() throws Exception {
LOG.debug("Generated Encrypted key for {} number of keys.", LOG.debug("Generated Encrypted key for {} number of " +
numKeys); "keys.", numKeys);
for (int i = 0; i < numKeys; i++) { for (int i = 0; i < numKeys; i++) {
retEdeks.add(provider.generateEncryptedKey(name)); retEdeks.add(provider.generateEncryptedKey(name));
}
return null;
}
} }
return null; );
}
}
);
} catch (Exception e) { } catch (Exception e) {
LOG.error("Exception in generateEncryptedKeys:", e); LOG.error("Exception in generateEncryptedKeys:", e);
throw new IOException(e); throw new IOException(e);
}
kmsAudit.ok(user, KMSOp.GENERATE_EEK, name, "");
retJSON = new ArrayList();
for (EncryptedKeyVersion edek : retEdeks) {
((ArrayList) retJSON).add(KMSServerJSONUtils.toJSON(edek));
}
} else {
StringBuilder error;
error = new StringBuilder("IllegalArgumentException Wrong ");
error.append(KMSRESTConstants.EEK_OP);
error.append(" value, it must be ");
error.append(KMSRESTConstants.EEK_GENERATE);
error.append(" or ");
error.append(KMSRESTConstants.EEK_DECRYPT);
LOG.error(error.toString());
throw new IllegalArgumentException(error.toString());
} }
kmsAudit.ok(user, KMSOp.GENERATE_EEK, name, ""); KMSWebApp.getGenerateEEKCallsMeter().mark();
retJSON = new ArrayList(); LOG.trace("Exiting generateEncryptedKeys method.");
for (EncryptedKeyVersion edek : retEdeks) { return Response.ok().type(MediaType.APPLICATION_JSON).entity(retJSON)
((ArrayList)retJSON).add(KMSServerJSONUtils.toJSON(edek)); .build();
} } catch (Exception e) {
} else { LOG.debug("Exception in generateEncryptedKeys.", e);
StringBuilder error; throw e;
error = new StringBuilder("IllegalArgumentException Wrong ");
error.append(KMSRESTConstants.EEK_OP);
error.append(" value, it must be ");
error.append(KMSRESTConstants.EEK_GENERATE);
error.append(" or ");
error.append(KMSRESTConstants.EEK_DECRYPT);
LOG.error(error.toString());
throw new IllegalArgumentException(error.toString());
} }
KMSWebApp.getGenerateEEKCallsMeter().mark();
LOG.trace("Exiting generateEncryptedKeys method.");
return Response.ok().type(MediaType.APPLICATION_JSON).entity(retJSON)
.build();
} }
@SuppressWarnings("rawtypes") @SuppressWarnings("rawtypes")
@ -454,57 +514,64 @@ public Response decryptEncryptedKey(
@QueryParam(KMSRESTConstants.EEK_OP) String eekOp, @QueryParam(KMSRESTConstants.EEK_OP) String eekOp,
Map jsonPayload) Map jsonPayload)
throws Exception { throws Exception {
LOG.trace("Entering decryptEncryptedKey method."); try {
UserGroupInformation user = HttpUserGroupInformation.get(); LOG.trace("Entering decryptEncryptedKey method.");
KMSClientProvider.checkNotEmpty(versionName, "versionName"); UserGroupInformation user = HttpUserGroupInformation.get();
KMSClientProvider.checkNotNull(eekOp, "eekOp"); KMSClientProvider.checkNotEmpty(versionName, "versionName");
LOG.debug("Decrypting key for {}, the edek Operation is {}.", KMSClientProvider.checkNotNull(eekOp, "eekOp");
versionName, eekOp); LOG.debug("Decrypting key for {}, the edek Operation is {}.",
versionName, eekOp);
final String keyName = (String) jsonPayload.get( final String keyName = (String) jsonPayload.get(
KMSRESTConstants.NAME_FIELD); KMSRESTConstants.NAME_FIELD);
String ivStr = (String) jsonPayload.get(KMSRESTConstants.IV_FIELD); String ivStr = (String) jsonPayload.get(KMSRESTConstants.IV_FIELD);
String encMaterialStr = String encMaterialStr =
(String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD); (String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD);
Object retJSON; Object retJSON;
if (eekOp.equals(KMSRESTConstants.EEK_DECRYPT)) { if (eekOp.equals(KMSRESTConstants.EEK_DECRYPT)) {
assertAccess(KMSACLs.Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName); assertAccess(KMSACLs.Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK,
KMSClientProvider.checkNotNull(ivStr, KMSRESTConstants.IV_FIELD); keyName);
final byte[] iv = Base64.decodeBase64(ivStr); KMSClientProvider.checkNotNull(ivStr, KMSRESTConstants.IV_FIELD);
KMSClientProvider.checkNotNull(encMaterialStr, final byte[] iv = Base64.decodeBase64(ivStr);
KMSRESTConstants.MATERIAL_FIELD); KMSClientProvider.checkNotNull(encMaterialStr,
final byte[] encMaterial = Base64.decodeBase64(encMaterialStr); KMSRESTConstants.MATERIAL_FIELD);
final byte[] encMaterial = Base64.decodeBase64(encMaterialStr);
KeyProvider.KeyVersion retKeyVersion = user.doAs( KeyProvider.KeyVersion retKeyVersion = user.doAs(
new PrivilegedExceptionAction<KeyVersion>() { new PrivilegedExceptionAction<KeyVersion>() {
@Override @Override
public KeyVersion run() throws Exception { public KeyVersion run() throws Exception {
return provider.decryptEncryptedKey( return provider.decryptEncryptedKey(
new KMSClientProvider.KMSEncryptedKeyVersion(keyName, new KMSClientProvider.KMSEncryptedKeyVersion(
versionName, iv, KeyProviderCryptoExtension.EEK, keyName, versionName, iv,
encMaterial) KeyProviderCryptoExtension.EEK,
); encMaterial)
} );
} }
); }
);
retJSON = KMSServerJSONUtils.toJSON(retKeyVersion); retJSON = KMSServerJSONUtils.toJSON(retKeyVersion);
kmsAudit.ok(user, KMSOp.DECRYPT_EEK, keyName, ""); kmsAudit.ok(user, KMSOp.DECRYPT_EEK, keyName, "");
} else { } else {
StringBuilder error; StringBuilder error;
error = new StringBuilder("IllegalArgumentException Wrong "); error = new StringBuilder("IllegalArgumentException Wrong ");
error.append(KMSRESTConstants.EEK_OP); error.append(KMSRESTConstants.EEK_OP);
error.append(" value, it must be "); error.append(" value, it must be ");
error.append(KMSRESTConstants.EEK_GENERATE); error.append(KMSRESTConstants.EEK_GENERATE);
error.append(" or "); error.append(" or ");
error.append(KMSRESTConstants.EEK_DECRYPT); error.append(KMSRESTConstants.EEK_DECRYPT);
LOG.error(error.toString()); LOG.error(error.toString());
throw new IllegalArgumentException(error.toString()); throw new IllegalArgumentException(error.toString());
}
KMSWebApp.getDecryptEEKCallsMeter().mark();
LOG.trace("Exiting decryptEncryptedKey method.");
return Response.ok().type(MediaType.APPLICATION_JSON).entity(retJSON)
.build();
} catch (Exception e) {
LOG.debug("Exception in decryptEncryptedKey.", e);
throw e;
} }
KMSWebApp.getDecryptEEKCallsMeter().mark();
LOG.trace("Exiting decryptEncryptedKey method.");
return Response.ok().type(MediaType.APPLICATION_JSON).entity(retJSON)
.build();
} }
@GET @GET
@ -513,26 +580,32 @@ public KeyVersion run() throws Exception {
@Produces(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)
public Response getKeyVersions(@PathParam("name") final String name) public Response getKeyVersions(@PathParam("name") final String name)
throws Exception { throws Exception {
LOG.trace("Entering getKeyVersions method."); try {
UserGroupInformation user = HttpUserGroupInformation.get(); LOG.trace("Entering getKeyVersions method.");
KMSClientProvider.checkNotEmpty(name, "name"); UserGroupInformation user = HttpUserGroupInformation.get();
KMSWebApp.getKeyCallsMeter().mark(); KMSClientProvider.checkNotEmpty(name, "name");
assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSIONS, name); KMSWebApp.getKeyCallsMeter().mark();
LOG.debug("Getting key versions for key {}", name); assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSIONS, name);
LOG.debug("Getting key versions for key {}", name);
List<KeyVersion> ret = user.doAs( List<KeyVersion> ret = user.doAs(
new PrivilegedExceptionAction<List<KeyVersion>>() { new PrivilegedExceptionAction<List<KeyVersion>>() {
@Override @Override
public List<KeyVersion> run() throws Exception { public List<KeyVersion> run() throws Exception {
return provider.getKeyVersions(name); return provider.getKeyVersions(name);
} }
} }
); );
Object json = KMSServerJSONUtils.toJSON(ret); Object json = KMSServerJSONUtils.toJSON(ret);
kmsAudit.ok(user, KMSOp.GET_KEY_VERSIONS, name, ""); kmsAudit.ok(user, KMSOp.GET_KEY_VERSIONS, name, "");
LOG.trace("Exiting getKeyVersions method."); LOG.trace("Exiting getKeyVersions method.");
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build(); return Response.ok().type(MediaType.APPLICATION_JSON).entity(json)
.build();
} catch (Exception e) {
LOG.debug("Exception in getKeyVersions.", e);
throw e;
}
} }
} }