HADOOP-11342. KMS key ACL should ignore ALL operation for default key ACL and whitelist key ACL. Contributed by Dian Fu.
This commit is contained in:
parent
03ab24aa01
commit
1812241ee1
@ -493,6 +493,9 @@ Release 2.7.0 - UNRELEASED
|
||||
HADOOP-11344. KMS kms-config.sh sets a default value for the keystore
|
||||
password even in non-ssl setup. (Arun Suresh via wang)
|
||||
|
||||
HADOOP-11342. KMS key ACL should ignore ALL operation for default key ACL
|
||||
and whitelist key ACL. (Dian Fu via wang)
|
||||
|
||||
Release 2.6.0 - 2014-11-18
|
||||
|
||||
INCOMPATIBLE CHANGES
|
||||
|
@ -152,20 +152,30 @@ private void setKeyACLs(Configuration conf) {
|
||||
String confKey = KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + keyOp;
|
||||
String aclStr = conf.get(confKey);
|
||||
if (aclStr != null) {
|
||||
if (aclStr.equals("*")) {
|
||||
LOG.info("Default Key ACL for KEY_OP '{}' is set to '*'", keyOp);
|
||||
if (keyOp == KeyOpType.ALL) {
|
||||
// Ignore All operation for default key acl
|
||||
LOG.warn("Should not configure default key ACL for KEY_OP '{}'", keyOp);
|
||||
} else {
|
||||
if (aclStr.equals("*")) {
|
||||
LOG.info("Default Key ACL for KEY_OP '{}' is set to '*'", keyOp);
|
||||
}
|
||||
defaultKeyAcls.put(keyOp, new AccessControlList(aclStr));
|
||||
}
|
||||
defaultKeyAcls.put(keyOp, new AccessControlList(aclStr));
|
||||
}
|
||||
}
|
||||
if (!whitelistKeyAcls.containsKey(keyOp)) {
|
||||
String confKey = KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + keyOp;
|
||||
String aclStr = conf.get(confKey);
|
||||
if (aclStr != null) {
|
||||
if (aclStr.equals("*")) {
|
||||
LOG.info("Whitelist Key ACL for KEY_OP '{}' is set to '*'", keyOp);
|
||||
if (keyOp == KeyOpType.ALL) {
|
||||
// Ignore All operation for whitelist key acl
|
||||
LOG.warn("Should not configure whitelist key ACL for KEY_OP '{}'", keyOp);
|
||||
} else {
|
||||
if (aclStr.equals("*")) {
|
||||
LOG.info("Whitelist Key ACL for KEY_OP '{}' is set to '*'", keyOp);
|
||||
}
|
||||
whitelistKeyAcls.put(keyOp, new AccessControlList(aclStr));
|
||||
}
|
||||
whitelistKeyAcls.put(keyOp, new AccessControlList(aclStr));
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -271,7 +281,9 @@ private boolean checkKeyAccess(Map<KeyOpType, AccessControlList> keyAcl,
|
||||
|
||||
@Override
|
||||
public boolean isACLPresent(String keyName, KeyOpType opType) {
|
||||
return (keyAcls.containsKey(keyName) || defaultKeyAcls.containsKey(opType));
|
||||
return (keyAcls.containsKey(keyName)
|
||||
|| defaultKeyAcls.containsKey(opType)
|
||||
|| whitelistKeyAcls.containsKey(opType));
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -619,16 +619,19 @@ public void testKeyACLs() throws Exception {
|
||||
}
|
||||
conf.set(KMSACLs.Type.CREATE.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
|
||||
conf.set(KMSACLs.Type.ROLLOVER.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
|
||||
conf.set(KMSACLs.Type.GENERATE_EEK.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK");
|
||||
conf.set(KMSACLs.Type.GENERATE_EEK.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
|
||||
conf.set(KMSACLs.Type.DECRYPT_EEK.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK");
|
||||
|
||||
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key.MANAGEMENT", "CREATE");
|
||||
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "some_key.MANAGEMENT", "ROLLOVER");
|
||||
conf.set(KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + "MANAGEMENT", "DECRYPT_EEK");
|
||||
conf.set(KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + "ALL", "DECRYPT_EEK");
|
||||
|
||||
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "all_access.ALL", "GENERATE_EEK");
|
||||
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "all_access.DECRYPT_EEK", "ROLLOVER");
|
||||
conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "ROLLOVER");
|
||||
conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "GENERATE_EEK", "SOMEBODY");
|
||||
conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "ALL", "ROLLOVER");
|
||||
|
||||
writeConf(testDir, conf);
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user