HADOOP-13669. KMS Server should log exceptions before throwing. Contributed by Suraj Acharya.
This commit is contained in:
parent
03060075c5
commit
65912e4027
@ -104,89 +104,101 @@ private static URI getKeyURI(String domain, String keyName) {
|
|||||||
@Produces(MediaType.APPLICATION_JSON)
|
@Produces(MediaType.APPLICATION_JSON)
|
||||||
@SuppressWarnings("unchecked")
|
@SuppressWarnings("unchecked")
|
||||||
public Response createKey(Map jsonKey) throws Exception {
|
public Response createKey(Map jsonKey) throws Exception {
|
||||||
LOG.trace("Entering createKey Method.");
|
try{
|
||||||
KMSWebApp.getAdminCallsMeter().mark();
|
LOG.trace("Entering createKey Method.");
|
||||||
UserGroupInformation user = HttpUserGroupInformation.get();
|
KMSWebApp.getAdminCallsMeter().mark();
|
||||||
final String name = (String) jsonKey.get(KMSRESTConstants.NAME_FIELD);
|
UserGroupInformation user = HttpUserGroupInformation.get();
|
||||||
KMSClientProvider.checkNotEmpty(name, KMSRESTConstants.NAME_FIELD);
|
final String name = (String) jsonKey.get(KMSRESTConstants.NAME_FIELD);
|
||||||
assertAccess(KMSACLs.Type.CREATE, user, KMSOp.CREATE_KEY, name);
|
KMSClientProvider.checkNotEmpty(name, KMSRESTConstants.NAME_FIELD);
|
||||||
String cipher = (String) jsonKey.get(KMSRESTConstants.CIPHER_FIELD);
|
assertAccess(KMSACLs.Type.CREATE, user, KMSOp.CREATE_KEY, name);
|
||||||
final String material = (String) jsonKey.get(KMSRESTConstants.MATERIAL_FIELD);
|
String cipher = (String) jsonKey.get(KMSRESTConstants.CIPHER_FIELD);
|
||||||
int length = (jsonKey.containsKey(KMSRESTConstants.LENGTH_FIELD))
|
final String material;
|
||||||
? (Integer) jsonKey.get(KMSRESTConstants.LENGTH_FIELD) : 0;
|
material = (String) jsonKey.get(KMSRESTConstants.MATERIAL_FIELD);
|
||||||
String description = (String)
|
int length = (jsonKey.containsKey(KMSRESTConstants.LENGTH_FIELD))
|
||||||
jsonKey.get(KMSRESTConstants.DESCRIPTION_FIELD);
|
? (Integer) jsonKey.get(KMSRESTConstants.LENGTH_FIELD) : 0;
|
||||||
LOG.debug("Creating key with name {}, cipher being used{}, " +
|
String description = (String)
|
||||||
"length of key {}, description of key {}", name, cipher,
|
jsonKey.get(KMSRESTConstants.DESCRIPTION_FIELD);
|
||||||
length, description);
|
LOG.debug("Creating key with name {}, cipher being used{}, " +
|
||||||
Map<String, String> attributes = (Map<String, String>)
|
"length of key {}, description of key {}", name, cipher,
|
||||||
jsonKey.get(KMSRESTConstants.ATTRIBUTES_FIELD);
|
length, description);
|
||||||
if (material != null) {
|
Map<String, String> attributes = (Map<String, String>)
|
||||||
assertAccess(KMSACLs.Type.SET_KEY_MATERIAL, user,
|
jsonKey.get(KMSRESTConstants.ATTRIBUTES_FIELD);
|
||||||
KMSOp.CREATE_KEY, name);
|
if (material != null) {
|
||||||
}
|
assertAccess(KMSACLs.Type.SET_KEY_MATERIAL, user,
|
||||||
final KeyProvider.Options options = new KeyProvider.Options(
|
KMSOp.CREATE_KEY, name);
|
||||||
KMSWebApp.getConfiguration());
|
}
|
||||||
if (cipher != null) {
|
final KeyProvider.Options options = new KeyProvider.Options(
|
||||||
options.setCipher(cipher);
|
KMSWebApp.getConfiguration());
|
||||||
}
|
if (cipher != null) {
|
||||||
if (length != 0) {
|
options.setCipher(cipher);
|
||||||
options.setBitLength(length);
|
}
|
||||||
}
|
if (length != 0) {
|
||||||
options.setDescription(description);
|
options.setBitLength(length);
|
||||||
options.setAttributes(attributes);
|
}
|
||||||
|
options.setDescription(description);
|
||||||
|
options.setAttributes(attributes);
|
||||||
|
|
||||||
KeyProvider.KeyVersion keyVersion = user.doAs(
|
KeyProvider.KeyVersion keyVersion = user.doAs(
|
||||||
new PrivilegedExceptionAction<KeyVersion>() {
|
new PrivilegedExceptionAction<KeyVersion>() {
|
||||||
@Override
|
@Override
|
||||||
public KeyVersion run() throws Exception {
|
public KeyVersion run() throws Exception {
|
||||||
KeyProvider.KeyVersion keyVersion = (material != null)
|
KeyProvider.KeyVersion keyVersion = (material != null)
|
||||||
? provider.createKey(name, Base64.decodeBase64(material), options)
|
? provider.createKey(name, Base64.decodeBase64(material),
|
||||||
: provider.createKey(name, options);
|
options)
|
||||||
provider.flush();
|
: provider.createKey(name, options);
|
||||||
return keyVersion;
|
provider.flush();
|
||||||
|
return keyVersion;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
);
|
||||||
);
|
|
||||||
|
|
||||||
kmsAudit.ok(user, KMSOp.CREATE_KEY, name, "UserProvidedMaterial:" +
|
kmsAudit.ok(user, KMSOp.CREATE_KEY, name, "UserProvidedMaterial:" +
|
||||||
(material != null) + " Description:" + description);
|
(material != null) + " Description:" + description);
|
||||||
|
|
||||||
if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, user)) {
|
if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, user)) {
|
||||||
keyVersion = removeKeyMaterial(keyVersion);
|
keyVersion = removeKeyMaterial(keyVersion);
|
||||||
|
}
|
||||||
|
Map json = KMSServerJSONUtils.toJSON(keyVersion);
|
||||||
|
String requestURL = KMSMDCFilter.getURL();
|
||||||
|
int idx = requestURL.lastIndexOf(KMSRESTConstants.KEYS_RESOURCE);
|
||||||
|
requestURL = requestURL.substring(0, idx);
|
||||||
|
LOG.trace("Exiting createKey Method.");
|
||||||
|
return Response.created(getKeyURI(KMSRESTConstants.SERVICE_VERSION, name))
|
||||||
|
.type(MediaType.APPLICATION_JSON)
|
||||||
|
.header("Location", getKeyURI(requestURL, name)).entity(json).build();
|
||||||
|
} catch (Exception e) {
|
||||||
|
LOG.debug("Exception in createKey.", e);
|
||||||
|
throw e;
|
||||||
}
|
}
|
||||||
Map json = KMSServerJSONUtils.toJSON(keyVersion);
|
|
||||||
String requestURL = KMSMDCFilter.getURL();
|
|
||||||
int idx = requestURL.lastIndexOf(KMSRESTConstants.KEYS_RESOURCE);
|
|
||||||
requestURL = requestURL.substring(0, idx);
|
|
||||||
LOG.trace("Exiting createKey Method.");
|
|
||||||
return Response.created(getKeyURI(KMSRESTConstants.SERVICE_VERSION, name))
|
|
||||||
.type(MediaType.APPLICATION_JSON)
|
|
||||||
.header("Location", getKeyURI(requestURL, name)).entity(json).build();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@DELETE
|
@DELETE
|
||||||
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}")
|
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}")
|
||||||
public Response deleteKey(@PathParam("name") final String name)
|
public Response deleteKey(@PathParam("name") final String name)
|
||||||
throws Exception {
|
throws Exception {
|
||||||
LOG.trace("Entering deleteKey method.");
|
try {
|
||||||
KMSWebApp.getAdminCallsMeter().mark();
|
LOG.trace("Entering deleteKey method.");
|
||||||
UserGroupInformation user = HttpUserGroupInformation.get();
|
KMSWebApp.getAdminCallsMeter().mark();
|
||||||
assertAccess(KMSACLs.Type.DELETE, user, KMSOp.DELETE_KEY, name);
|
UserGroupInformation user = HttpUserGroupInformation.get();
|
||||||
KMSClientProvider.checkNotEmpty(name, "name");
|
assertAccess(KMSACLs.Type.DELETE, user, KMSOp.DELETE_KEY, name);
|
||||||
LOG.debug("Deleting key with name {}.", name);
|
KMSClientProvider.checkNotEmpty(name, "name");
|
||||||
user.doAs(new PrivilegedExceptionAction<Void>() {
|
LOG.debug("Deleting key with name {}.", name);
|
||||||
@Override
|
user.doAs(new PrivilegedExceptionAction<Void>() {
|
||||||
public Void run() throws Exception {
|
@Override
|
||||||
provider.deleteKey(name);
|
public Void run() throws Exception {
|
||||||
provider.flush();
|
provider.deleteKey(name);
|
||||||
return null;
|
provider.flush();
|
||||||
}
|
return null;
|
||||||
});
|
}
|
||||||
|
});
|
||||||
|
|
||||||
kmsAudit.ok(user, KMSOp.DELETE_KEY, name, "");
|
kmsAudit.ok(user, KMSOp.DELETE_KEY, name, "");
|
||||||
LOG.trace("Exiting deleteKey method.");
|
LOG.trace("Exiting deleteKey method.");
|
||||||
return Response.ok().build();
|
return Response.ok().build();
|
||||||
|
} catch (Exception e) {
|
||||||
|
LOG.debug("Exception in deleteKey.", e);
|
||||||
|
throw e;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@POST
|
@POST
|
||||||
@ -195,41 +207,49 @@ public Void run() throws Exception {
|
|||||||
@Produces(MediaType.APPLICATION_JSON)
|
@Produces(MediaType.APPLICATION_JSON)
|
||||||
public Response rolloverKey(@PathParam("name") final String name,
|
public Response rolloverKey(@PathParam("name") final String name,
|
||||||
Map jsonMaterial) throws Exception {
|
Map jsonMaterial) throws Exception {
|
||||||
LOG.trace("Entering rolloverKey Method.");
|
try {
|
||||||
KMSWebApp.getAdminCallsMeter().mark();
|
LOG.trace("Entering rolloverKey Method.");
|
||||||
UserGroupInformation user = HttpUserGroupInformation.get();
|
KMSWebApp.getAdminCallsMeter().mark();
|
||||||
assertAccess(KMSACLs.Type.ROLLOVER, user, KMSOp.ROLL_NEW_VERSION, name);
|
UserGroupInformation user = HttpUserGroupInformation.get();
|
||||||
KMSClientProvider.checkNotEmpty(name, "name");
|
assertAccess(KMSACLs.Type.ROLLOVER, user, KMSOp.ROLL_NEW_VERSION, name);
|
||||||
LOG.debug("Rolling key with name {}.", name);
|
KMSClientProvider.checkNotEmpty(name, "name");
|
||||||
final String material = (String)
|
LOG.debug("Rolling key with name {}.", name);
|
||||||
jsonMaterial.get(KMSRESTConstants.MATERIAL_FIELD);
|
final String material = (String)
|
||||||
if (material != null) {
|
jsonMaterial.get(KMSRESTConstants.MATERIAL_FIELD);
|
||||||
assertAccess(KMSACLs.Type.SET_KEY_MATERIAL, user,
|
if (material != null) {
|
||||||
KMSOp.ROLL_NEW_VERSION, name);
|
assertAccess(KMSACLs.Type.SET_KEY_MATERIAL, user,
|
||||||
|
KMSOp.ROLL_NEW_VERSION, name);
|
||||||
|
}
|
||||||
|
|
||||||
|
KeyProvider.KeyVersion keyVersion = user.doAs(
|
||||||
|
new PrivilegedExceptionAction<KeyVersion>() {
|
||||||
|
@Override
|
||||||
|
public KeyVersion run() throws Exception {
|
||||||
|
KeyVersion keyVersion = (material != null)
|
||||||
|
? provider.rollNewVersion(name,
|
||||||
|
Base64.decodeBase64(material))
|
||||||
|
: provider.rollNewVersion(name);
|
||||||
|
provider.flush();
|
||||||
|
return keyVersion;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
);
|
||||||
|
|
||||||
|
kmsAudit.ok(user, KMSOp.ROLL_NEW_VERSION, name, "UserProvidedMaterial:" +
|
||||||
|
(material != null) +
|
||||||
|
" NewVersion:" + keyVersion.getVersionName());
|
||||||
|
|
||||||
|
if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, user)) {
|
||||||
|
keyVersion = removeKeyMaterial(keyVersion);
|
||||||
|
}
|
||||||
|
Map json = KMSServerJSONUtils.toJSON(keyVersion);
|
||||||
|
LOG.trace("Exiting rolloverKey Method.");
|
||||||
|
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json)
|
||||||
|
.build();
|
||||||
|
} catch (Exception e) {
|
||||||
|
LOG.debug("Exception in rolloverKey.", e);
|
||||||
|
throw e;
|
||||||
}
|
}
|
||||||
|
|
||||||
KeyProvider.KeyVersion keyVersion = user.doAs(
|
|
||||||
new PrivilegedExceptionAction<KeyVersion>() {
|
|
||||||
@Override
|
|
||||||
public KeyVersion run() throws Exception {
|
|
||||||
KeyVersion keyVersion = (material != null)
|
|
||||||
? provider.rollNewVersion(name, Base64.decodeBase64(material))
|
|
||||||
: provider.rollNewVersion(name);
|
|
||||||
provider.flush();
|
|
||||||
return keyVersion;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
);
|
|
||||||
|
|
||||||
kmsAudit.ok(user, KMSOp.ROLL_NEW_VERSION, name, "UserProvidedMaterial:" +
|
|
||||||
(material != null) + " NewVersion:" + keyVersion.getVersionName());
|
|
||||||
|
|
||||||
if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, user)) {
|
|
||||||
keyVersion = removeKeyMaterial(keyVersion);
|
|
||||||
}
|
|
||||||
Map json = KMSServerJSONUtils.toJSON(keyVersion);
|
|
||||||
LOG.trace("Exiting rolloverKey Method.");
|
|
||||||
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@GET
|
@GET
|
||||||
@ -237,59 +257,76 @@ public KeyVersion run() throws Exception {
|
|||||||
@Produces(MediaType.APPLICATION_JSON)
|
@Produces(MediaType.APPLICATION_JSON)
|
||||||
public Response getKeysMetadata(@QueryParam(KMSRESTConstants.KEY)
|
public Response getKeysMetadata(@QueryParam(KMSRESTConstants.KEY)
|
||||||
List<String> keyNamesList) throws Exception {
|
List<String> keyNamesList) throws Exception {
|
||||||
LOG.trace("Entering getKeysMetadata method.");
|
try {
|
||||||
KMSWebApp.getAdminCallsMeter().mark();
|
LOG.trace("Entering getKeysMetadata method.");
|
||||||
UserGroupInformation user = HttpUserGroupInformation.get();
|
KMSWebApp.getAdminCallsMeter().mark();
|
||||||
final String[] keyNames = keyNamesList.toArray(
|
UserGroupInformation user = HttpUserGroupInformation.get();
|
||||||
new String[keyNamesList.size()]);
|
final String[] keyNames = keyNamesList.toArray(
|
||||||
assertAccess(KMSACLs.Type.GET_METADATA, user, KMSOp.GET_KEYS_METADATA);
|
new String[keyNamesList.size()]);
|
||||||
|
assertAccess(KMSACLs.Type.GET_METADATA, user, KMSOp.GET_KEYS_METADATA);
|
||||||
|
|
||||||
KeyProvider.Metadata[] keysMeta = user.doAs(
|
KeyProvider.Metadata[] keysMeta = user.doAs(
|
||||||
new PrivilegedExceptionAction<KeyProvider.Metadata[]>() {
|
new PrivilegedExceptionAction<KeyProvider.Metadata[]>() {
|
||||||
@Override
|
@Override
|
||||||
public KeyProvider.Metadata[] run() throws Exception {
|
public KeyProvider.Metadata[] run() throws Exception {
|
||||||
return provider.getKeysMetadata(keyNames);
|
return provider.getKeysMetadata(keyNames);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
|
||||||
Object json = KMSServerJSONUtils.toJSON(keyNames, keysMeta);
|
Object json = KMSServerJSONUtils.toJSON(keyNames, keysMeta);
|
||||||
kmsAudit.ok(user, KMSOp.GET_KEYS_METADATA, "");
|
kmsAudit.ok(user, KMSOp.GET_KEYS_METADATA, "");
|
||||||
LOG.trace("Exiting getKeysMetadata method.");
|
LOG.trace("Exiting getKeysMetadata method.");
|
||||||
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
|
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json)
|
||||||
|
.build();
|
||||||
|
} catch (Exception e) {
|
||||||
|
LOG.debug("Exception in getKeysmetadata.", e);
|
||||||
|
throw e;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@GET
|
@GET
|
||||||
@Path(KMSRESTConstants.KEYS_NAMES_RESOURCE)
|
@Path(KMSRESTConstants.KEYS_NAMES_RESOURCE)
|
||||||
@Produces(MediaType.APPLICATION_JSON)
|
@Produces(MediaType.APPLICATION_JSON)
|
||||||
public Response getKeyNames() throws Exception {
|
public Response getKeyNames() throws Exception {
|
||||||
LOG.trace("Entering getKeyNames method.");
|
try {
|
||||||
KMSWebApp.getAdminCallsMeter().mark();
|
LOG.trace("Entering getKeyNames method.");
|
||||||
UserGroupInformation user = HttpUserGroupInformation.get();
|
KMSWebApp.getAdminCallsMeter().mark();
|
||||||
assertAccess(KMSACLs.Type.GET_KEYS, user, KMSOp.GET_KEYS);
|
UserGroupInformation user = HttpUserGroupInformation.get();
|
||||||
|
assertAccess(KMSACLs.Type.GET_KEYS, user, KMSOp.GET_KEYS);
|
||||||
|
|
||||||
List<String> json = user.doAs(
|
List<String> json = user.doAs(
|
||||||
new PrivilegedExceptionAction<List<String>>() {
|
new PrivilegedExceptionAction<List<String>>() {
|
||||||
@Override
|
@Override
|
||||||
public List<String> run() throws Exception {
|
public List<String> run() throws Exception {
|
||||||
return provider.getKeys();
|
return provider.getKeys();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
|
||||||
kmsAudit.ok(user, KMSOp.GET_KEYS, "");
|
kmsAudit.ok(user, KMSOp.GET_KEYS, "");
|
||||||
LOG.trace("Exiting getKeyNames method.");
|
LOG.trace("Exiting getKeyNames method.");
|
||||||
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
|
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json)
|
||||||
|
.build();
|
||||||
|
} catch (Exception e) {
|
||||||
|
LOG.debug("Exception in getkeyNames.", e);
|
||||||
|
throw e;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@GET
|
@GET
|
||||||
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}")
|
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}")
|
||||||
public Response getKey(@PathParam("name") String name)
|
public Response getKey(@PathParam("name") String name)
|
||||||
throws Exception {
|
throws Exception {
|
||||||
LOG.trace("Entering getKey method.");
|
try {
|
||||||
LOG.debug("Getting key information for key with name {}.", name);
|
LOG.trace("Entering getKey method.");
|
||||||
LOG.trace("Exiting getKey method.");
|
LOG.debug("Getting key information for key with name {}.", name);
|
||||||
return getMetadata(name);
|
LOG.trace("Exiting getKey method.");
|
||||||
|
return getMetadata(name);
|
||||||
|
} catch (Exception e) {
|
||||||
|
LOG.debug("Exception in getKey.", e);
|
||||||
|
throw e;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@GET
|
@GET
|
||||||
@ -298,26 +335,32 @@ public Response getKey(@PathParam("name") String name)
|
|||||||
@Produces(MediaType.APPLICATION_JSON)
|
@Produces(MediaType.APPLICATION_JSON)
|
||||||
public Response getMetadata(@PathParam("name") final String name)
|
public Response getMetadata(@PathParam("name") final String name)
|
||||||
throws Exception {
|
throws Exception {
|
||||||
LOG.trace("Entering getMetadata method.");
|
try {
|
||||||
UserGroupInformation user = HttpUserGroupInformation.get();
|
LOG.trace("Entering getMetadata method.");
|
||||||
KMSClientProvider.checkNotEmpty(name, "name");
|
UserGroupInformation user = HttpUserGroupInformation.get();
|
||||||
KMSWebApp.getAdminCallsMeter().mark();
|
KMSClientProvider.checkNotEmpty(name, "name");
|
||||||
assertAccess(KMSACLs.Type.GET_METADATA, user, KMSOp.GET_METADATA, name);
|
KMSWebApp.getAdminCallsMeter().mark();
|
||||||
LOG.debug("Getting metadata for key with name {}.", name);
|
assertAccess(KMSACLs.Type.GET_METADATA, user, KMSOp.GET_METADATA, name);
|
||||||
|
LOG.debug("Getting metadata for key with name {}.", name);
|
||||||
|
|
||||||
KeyProvider.Metadata metadata = user.doAs(
|
KeyProvider.Metadata metadata = user.doAs(
|
||||||
new PrivilegedExceptionAction<KeyProvider.Metadata>() {
|
new PrivilegedExceptionAction<KeyProvider.Metadata>() {
|
||||||
@Override
|
@Override
|
||||||
public KeyProvider.Metadata run() throws Exception {
|
public KeyProvider.Metadata run() throws Exception {
|
||||||
return provider.getMetadata(name);
|
return provider.getMetadata(name);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
|
||||||
Object json = KMSServerJSONUtils.toJSON(name, metadata);
|
Object json = KMSServerJSONUtils.toJSON(name, metadata);
|
||||||
kmsAudit.ok(user, KMSOp.GET_METADATA, name, "");
|
kmsAudit.ok(user, KMSOp.GET_METADATA, name, "");
|
||||||
LOG.trace("Exiting getMetadata method.");
|
LOG.trace("Exiting getMetadata method.");
|
||||||
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
|
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json)
|
||||||
|
.build();
|
||||||
|
} catch (Exception e) {
|
||||||
|
LOG.debug("Exception in getMetadata.", e);
|
||||||
|
throw e;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@GET
|
@GET
|
||||||
@ -326,26 +369,32 @@ public KeyProvider.Metadata run() throws Exception {
|
|||||||
@Produces(MediaType.APPLICATION_JSON)
|
@Produces(MediaType.APPLICATION_JSON)
|
||||||
public Response getCurrentVersion(@PathParam("name") final String name)
|
public Response getCurrentVersion(@PathParam("name") final String name)
|
||||||
throws Exception {
|
throws Exception {
|
||||||
LOG.trace("Entering getCurrentVersion method.");
|
try {
|
||||||
UserGroupInformation user = HttpUserGroupInformation.get();
|
LOG.trace("Entering getCurrentVersion method.");
|
||||||
KMSClientProvider.checkNotEmpty(name, "name");
|
UserGroupInformation user = HttpUserGroupInformation.get();
|
||||||
KMSWebApp.getKeyCallsMeter().mark();
|
KMSClientProvider.checkNotEmpty(name, "name");
|
||||||
assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_CURRENT_KEY, name);
|
KMSWebApp.getKeyCallsMeter().mark();
|
||||||
LOG.debug("Getting key version for key with name {}.", name);
|
assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_CURRENT_KEY, name);
|
||||||
|
LOG.debug("Getting key version for key with name {}.", name);
|
||||||
|
|
||||||
KeyVersion keyVersion = user.doAs(
|
KeyVersion keyVersion = user.doAs(
|
||||||
new PrivilegedExceptionAction<KeyVersion>() {
|
new PrivilegedExceptionAction<KeyVersion>() {
|
||||||
@Override
|
@Override
|
||||||
public KeyVersion run() throws Exception {
|
public KeyVersion run() throws Exception {
|
||||||
return provider.getCurrentKey(name);
|
return provider.getCurrentKey(name);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
|
||||||
Object json = KMSServerJSONUtils.toJSON(keyVersion);
|
Object json = KMSServerJSONUtils.toJSON(keyVersion);
|
||||||
kmsAudit.ok(user, KMSOp.GET_CURRENT_KEY, name, "");
|
kmsAudit.ok(user, KMSOp.GET_CURRENT_KEY, name, "");
|
||||||
LOG.trace("Exiting getCurrentVersion method.");
|
LOG.trace("Exiting getCurrentVersion method.");
|
||||||
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
|
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json)
|
||||||
|
.build();
|
||||||
|
} catch (Exception e) {
|
||||||
|
LOG.debug("Exception in getCurrentVersion.", e);
|
||||||
|
throw e;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@GET
|
@GET
|
||||||
@ -353,28 +402,34 @@ public KeyVersion run() throws Exception {
|
|||||||
@Produces(MediaType.APPLICATION_JSON)
|
@Produces(MediaType.APPLICATION_JSON)
|
||||||
public Response getKeyVersion(
|
public Response getKeyVersion(
|
||||||
@PathParam("versionName") final String versionName) throws Exception {
|
@PathParam("versionName") final String versionName) throws Exception {
|
||||||
LOG.trace("Entering getKeyVersion method.");
|
try {
|
||||||
UserGroupInformation user = HttpUserGroupInformation.get();
|
LOG.trace("Entering getKeyVersion method.");
|
||||||
KMSClientProvider.checkNotEmpty(versionName, "versionName");
|
UserGroupInformation user = HttpUserGroupInformation.get();
|
||||||
KMSWebApp.getKeyCallsMeter().mark();
|
KMSClientProvider.checkNotEmpty(versionName, "versionName");
|
||||||
assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSION);
|
KMSWebApp.getKeyCallsMeter().mark();
|
||||||
LOG.debug("Getting key with version name {}.", versionName);
|
assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSION);
|
||||||
|
LOG.debug("Getting key with version name {}.", versionName);
|
||||||
|
|
||||||
KeyVersion keyVersion = user.doAs(
|
KeyVersion keyVersion = user.doAs(
|
||||||
new PrivilegedExceptionAction<KeyVersion>() {
|
new PrivilegedExceptionAction<KeyVersion>() {
|
||||||
@Override
|
@Override
|
||||||
public KeyVersion run() throws Exception {
|
public KeyVersion run() throws Exception {
|
||||||
return provider.getKeyVersion(versionName);
|
return provider.getKeyVersion(versionName);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
|
||||||
if (keyVersion != null) {
|
if (keyVersion != null) {
|
||||||
kmsAudit.ok(user, KMSOp.GET_KEY_VERSION, keyVersion.getName(), "");
|
kmsAudit.ok(user, KMSOp.GET_KEY_VERSION, keyVersion.getName(), "");
|
||||||
|
}
|
||||||
|
Object json = KMSServerJSONUtils.toJSON(keyVersion);
|
||||||
|
LOG.trace("Exiting getKeyVersion method.");
|
||||||
|
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json)
|
||||||
|
.build();
|
||||||
|
} catch (Exception e) {
|
||||||
|
LOG.debug("Exception in getKeyVersion.", e);
|
||||||
|
throw e;
|
||||||
}
|
}
|
||||||
Object json = KMSServerJSONUtils.toJSON(keyVersion);
|
|
||||||
LOG.trace("Exiting getKeyVersion method.");
|
|
||||||
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings({ "rawtypes", "unchecked" })
|
@SuppressWarnings({ "rawtypes", "unchecked" })
|
||||||
@ -388,60 +443,65 @@ public Response generateEncryptedKeys(
|
|||||||
@DefaultValue("1")
|
@DefaultValue("1")
|
||||||
@QueryParam(KMSRESTConstants.EEK_NUM_KEYS) final int numKeys)
|
@QueryParam(KMSRESTConstants.EEK_NUM_KEYS) final int numKeys)
|
||||||
throws Exception {
|
throws Exception {
|
||||||
LOG.trace("Entering generateEncryptedKeys method.");
|
try {
|
||||||
UserGroupInformation user = HttpUserGroupInformation.get();
|
LOG.trace("Entering generateEncryptedKeys method.");
|
||||||
KMSClientProvider.checkNotEmpty(name, "name");
|
UserGroupInformation user = HttpUserGroupInformation.get();
|
||||||
KMSClientProvider.checkNotNull(edekOp, "eekOp");
|
KMSClientProvider.checkNotEmpty(name, "name");
|
||||||
LOG.debug("Generating encrypted key with name {}," +
|
KMSClientProvider.checkNotNull(edekOp, "eekOp");
|
||||||
" the edek Operation is {}.", name, edekOp);
|
LOG.debug("Generating encrypted key with name {}," +
|
||||||
|
" the edek Operation is {}.", name, edekOp);
|
||||||
|
|
||||||
Object retJSON;
|
Object retJSON;
|
||||||
if (edekOp.equals(KMSRESTConstants.EEK_GENERATE)) {
|
if (edekOp.equals(KMSRESTConstants.EEK_GENERATE)) {
|
||||||
LOG.debug("edek Operation is Generate.");
|
LOG.debug("edek Operation is Generate.");
|
||||||
assertAccess(KMSACLs.Type.GENERATE_EEK, user, KMSOp.GENERATE_EEK, name);
|
assertAccess(KMSACLs.Type.GENERATE_EEK, user, KMSOp.GENERATE_EEK, name);
|
||||||
|
|
||||||
final List<EncryptedKeyVersion> retEdeks =
|
final List<EncryptedKeyVersion> retEdeks =
|
||||||
new LinkedList<EncryptedKeyVersion>();
|
new LinkedList<EncryptedKeyVersion>();
|
||||||
try {
|
try {
|
||||||
|
|
||||||
user.doAs(
|
user.doAs(
|
||||||
new PrivilegedExceptionAction<Void>() {
|
new PrivilegedExceptionAction<Void>() {
|
||||||
@Override
|
@Override
|
||||||
public Void run() throws Exception {
|
public Void run() throws Exception {
|
||||||
LOG.debug("Generated Encrypted key for {} number of keys.",
|
LOG.debug("Generated Encrypted key for {} number of " +
|
||||||
numKeys);
|
"keys.", numKeys);
|
||||||
for (int i = 0; i < numKeys; i++) {
|
for (int i = 0; i < numKeys; i++) {
|
||||||
retEdeks.add(provider.generateEncryptedKey(name));
|
retEdeks.add(provider.generateEncryptedKey(name));
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return null;
|
);
|
||||||
}
|
|
||||||
}
|
|
||||||
);
|
|
||||||
|
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
LOG.error("Exception in generateEncryptedKeys:", e);
|
LOG.error("Exception in generateEncryptedKeys:", e);
|
||||||
throw new IOException(e);
|
throw new IOException(e);
|
||||||
|
}
|
||||||
|
kmsAudit.ok(user, KMSOp.GENERATE_EEK, name, "");
|
||||||
|
retJSON = new ArrayList();
|
||||||
|
for (EncryptedKeyVersion edek : retEdeks) {
|
||||||
|
((ArrayList) retJSON).add(KMSServerJSONUtils.toJSON(edek));
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
StringBuilder error;
|
||||||
|
error = new StringBuilder("IllegalArgumentException Wrong ");
|
||||||
|
error.append(KMSRESTConstants.EEK_OP);
|
||||||
|
error.append(" value, it must be ");
|
||||||
|
error.append(KMSRESTConstants.EEK_GENERATE);
|
||||||
|
error.append(" or ");
|
||||||
|
error.append(KMSRESTConstants.EEK_DECRYPT);
|
||||||
|
LOG.error(error.toString());
|
||||||
|
throw new IllegalArgumentException(error.toString());
|
||||||
}
|
}
|
||||||
kmsAudit.ok(user, KMSOp.GENERATE_EEK, name, "");
|
KMSWebApp.getGenerateEEKCallsMeter().mark();
|
||||||
retJSON = new ArrayList();
|
LOG.trace("Exiting generateEncryptedKeys method.");
|
||||||
for (EncryptedKeyVersion edek : retEdeks) {
|
return Response.ok().type(MediaType.APPLICATION_JSON).entity(retJSON)
|
||||||
((ArrayList)retJSON).add(KMSServerJSONUtils.toJSON(edek));
|
.build();
|
||||||
}
|
} catch (Exception e) {
|
||||||
} else {
|
LOG.debug("Exception in generateEncryptedKeys.", e);
|
||||||
StringBuilder error;
|
throw e;
|
||||||
error = new StringBuilder("IllegalArgumentException Wrong ");
|
|
||||||
error.append(KMSRESTConstants.EEK_OP);
|
|
||||||
error.append(" value, it must be ");
|
|
||||||
error.append(KMSRESTConstants.EEK_GENERATE);
|
|
||||||
error.append(" or ");
|
|
||||||
error.append(KMSRESTConstants.EEK_DECRYPT);
|
|
||||||
LOG.error(error.toString());
|
|
||||||
throw new IllegalArgumentException(error.toString());
|
|
||||||
}
|
}
|
||||||
KMSWebApp.getGenerateEEKCallsMeter().mark();
|
|
||||||
LOG.trace("Exiting generateEncryptedKeys method.");
|
|
||||||
return Response.ok().type(MediaType.APPLICATION_JSON).entity(retJSON)
|
|
||||||
.build();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("rawtypes")
|
@SuppressWarnings("rawtypes")
|
||||||
@ -454,57 +514,64 @@ public Response decryptEncryptedKey(
|
|||||||
@QueryParam(KMSRESTConstants.EEK_OP) String eekOp,
|
@QueryParam(KMSRESTConstants.EEK_OP) String eekOp,
|
||||||
Map jsonPayload)
|
Map jsonPayload)
|
||||||
throws Exception {
|
throws Exception {
|
||||||
LOG.trace("Entering decryptEncryptedKey method.");
|
try {
|
||||||
UserGroupInformation user = HttpUserGroupInformation.get();
|
LOG.trace("Entering decryptEncryptedKey method.");
|
||||||
KMSClientProvider.checkNotEmpty(versionName, "versionName");
|
UserGroupInformation user = HttpUserGroupInformation.get();
|
||||||
KMSClientProvider.checkNotNull(eekOp, "eekOp");
|
KMSClientProvider.checkNotEmpty(versionName, "versionName");
|
||||||
LOG.debug("Decrypting key for {}, the edek Operation is {}.",
|
KMSClientProvider.checkNotNull(eekOp, "eekOp");
|
||||||
versionName, eekOp);
|
LOG.debug("Decrypting key for {}, the edek Operation is {}.",
|
||||||
|
versionName, eekOp);
|
||||||
|
|
||||||
final String keyName = (String) jsonPayload.get(
|
final String keyName = (String) jsonPayload.get(
|
||||||
KMSRESTConstants.NAME_FIELD);
|
KMSRESTConstants.NAME_FIELD);
|
||||||
String ivStr = (String) jsonPayload.get(KMSRESTConstants.IV_FIELD);
|
String ivStr = (String) jsonPayload.get(KMSRESTConstants.IV_FIELD);
|
||||||
String encMaterialStr =
|
String encMaterialStr =
|
||||||
(String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD);
|
(String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD);
|
||||||
Object retJSON;
|
Object retJSON;
|
||||||
if (eekOp.equals(KMSRESTConstants.EEK_DECRYPT)) {
|
if (eekOp.equals(KMSRESTConstants.EEK_DECRYPT)) {
|
||||||
assertAccess(KMSACLs.Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName);
|
assertAccess(KMSACLs.Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK,
|
||||||
KMSClientProvider.checkNotNull(ivStr, KMSRESTConstants.IV_FIELD);
|
keyName);
|
||||||
final byte[] iv = Base64.decodeBase64(ivStr);
|
KMSClientProvider.checkNotNull(ivStr, KMSRESTConstants.IV_FIELD);
|
||||||
KMSClientProvider.checkNotNull(encMaterialStr,
|
final byte[] iv = Base64.decodeBase64(ivStr);
|
||||||
KMSRESTConstants.MATERIAL_FIELD);
|
KMSClientProvider.checkNotNull(encMaterialStr,
|
||||||
final byte[] encMaterial = Base64.decodeBase64(encMaterialStr);
|
KMSRESTConstants.MATERIAL_FIELD);
|
||||||
|
final byte[] encMaterial = Base64.decodeBase64(encMaterialStr);
|
||||||
|
|
||||||
KeyProvider.KeyVersion retKeyVersion = user.doAs(
|
KeyProvider.KeyVersion retKeyVersion = user.doAs(
|
||||||
new PrivilegedExceptionAction<KeyVersion>() {
|
new PrivilegedExceptionAction<KeyVersion>() {
|
||||||
@Override
|
@Override
|
||||||
public KeyVersion run() throws Exception {
|
public KeyVersion run() throws Exception {
|
||||||
return provider.decryptEncryptedKey(
|
return provider.decryptEncryptedKey(
|
||||||
new KMSClientProvider.KMSEncryptedKeyVersion(keyName,
|
new KMSClientProvider.KMSEncryptedKeyVersion(
|
||||||
versionName, iv, KeyProviderCryptoExtension.EEK,
|
keyName, versionName, iv,
|
||||||
encMaterial)
|
KeyProviderCryptoExtension.EEK,
|
||||||
);
|
encMaterial)
|
||||||
}
|
);
|
||||||
}
|
}
|
||||||
);
|
}
|
||||||
|
);
|
||||||
|
|
||||||
retJSON = KMSServerJSONUtils.toJSON(retKeyVersion);
|
retJSON = KMSServerJSONUtils.toJSON(retKeyVersion);
|
||||||
kmsAudit.ok(user, KMSOp.DECRYPT_EEK, keyName, "");
|
kmsAudit.ok(user, KMSOp.DECRYPT_EEK, keyName, "");
|
||||||
} else {
|
} else {
|
||||||
StringBuilder error;
|
StringBuilder error;
|
||||||
error = new StringBuilder("IllegalArgumentException Wrong ");
|
error = new StringBuilder("IllegalArgumentException Wrong ");
|
||||||
error.append(KMSRESTConstants.EEK_OP);
|
error.append(KMSRESTConstants.EEK_OP);
|
||||||
error.append(" value, it must be ");
|
error.append(" value, it must be ");
|
||||||
error.append(KMSRESTConstants.EEK_GENERATE);
|
error.append(KMSRESTConstants.EEK_GENERATE);
|
||||||
error.append(" or ");
|
error.append(" or ");
|
||||||
error.append(KMSRESTConstants.EEK_DECRYPT);
|
error.append(KMSRESTConstants.EEK_DECRYPT);
|
||||||
LOG.error(error.toString());
|
LOG.error(error.toString());
|
||||||
throw new IllegalArgumentException(error.toString());
|
throw new IllegalArgumentException(error.toString());
|
||||||
|
}
|
||||||
|
KMSWebApp.getDecryptEEKCallsMeter().mark();
|
||||||
|
LOG.trace("Exiting decryptEncryptedKey method.");
|
||||||
|
return Response.ok().type(MediaType.APPLICATION_JSON).entity(retJSON)
|
||||||
|
.build();
|
||||||
|
} catch (Exception e) {
|
||||||
|
LOG.debug("Exception in decryptEncryptedKey.", e);
|
||||||
|
throw e;
|
||||||
}
|
}
|
||||||
KMSWebApp.getDecryptEEKCallsMeter().mark();
|
|
||||||
LOG.trace("Exiting decryptEncryptedKey method.");
|
|
||||||
return Response.ok().type(MediaType.APPLICATION_JSON).entity(retJSON)
|
|
||||||
.build();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@GET
|
@GET
|
||||||
@ -513,26 +580,32 @@ public KeyVersion run() throws Exception {
|
|||||||
@Produces(MediaType.APPLICATION_JSON)
|
@Produces(MediaType.APPLICATION_JSON)
|
||||||
public Response getKeyVersions(@PathParam("name") final String name)
|
public Response getKeyVersions(@PathParam("name") final String name)
|
||||||
throws Exception {
|
throws Exception {
|
||||||
LOG.trace("Entering getKeyVersions method.");
|
try {
|
||||||
UserGroupInformation user = HttpUserGroupInformation.get();
|
LOG.trace("Entering getKeyVersions method.");
|
||||||
KMSClientProvider.checkNotEmpty(name, "name");
|
UserGroupInformation user = HttpUserGroupInformation.get();
|
||||||
KMSWebApp.getKeyCallsMeter().mark();
|
KMSClientProvider.checkNotEmpty(name, "name");
|
||||||
assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSIONS, name);
|
KMSWebApp.getKeyCallsMeter().mark();
|
||||||
LOG.debug("Getting key versions for key {}", name);
|
assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSIONS, name);
|
||||||
|
LOG.debug("Getting key versions for key {}", name);
|
||||||
|
|
||||||
List<KeyVersion> ret = user.doAs(
|
List<KeyVersion> ret = user.doAs(
|
||||||
new PrivilegedExceptionAction<List<KeyVersion>>() {
|
new PrivilegedExceptionAction<List<KeyVersion>>() {
|
||||||
@Override
|
@Override
|
||||||
public List<KeyVersion> run() throws Exception {
|
public List<KeyVersion> run() throws Exception {
|
||||||
return provider.getKeyVersions(name);
|
return provider.getKeyVersions(name);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
|
||||||
Object json = KMSServerJSONUtils.toJSON(ret);
|
Object json = KMSServerJSONUtils.toJSON(ret);
|
||||||
kmsAudit.ok(user, KMSOp.GET_KEY_VERSIONS, name, "");
|
kmsAudit.ok(user, KMSOp.GET_KEY_VERSIONS, name, "");
|
||||||
LOG.trace("Exiting getKeyVersions method.");
|
LOG.trace("Exiting getKeyVersions method.");
|
||||||
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build();
|
return Response.ok().type(MediaType.APPLICATION_JSON).entity(json)
|
||||||
|
.build();
|
||||||
|
} catch (Exception e) {
|
||||||
|
LOG.debug("Exception in getKeyVersions.", e);
|
||||||
|
throw e;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user