From ee1e06a3ab9136a3cd32b44c5535dfd2443bfad6 Mon Sep 17 00:00:00 2001 From: yliu Date: Wed, 28 Jan 2015 00:07:21 +0800 Subject: [PATCH] HADOOP-11469. KMS should skip default.key.acl and whitelist.key.acl when loading key acl. (Dian Fu via yliu) --- .../hadoop-common/CHANGES.txt | 3 +++ .../hadoop/crypto/key/kms/server/KMSACLs.java | 7 +++++-- .../key/kms/server/KMSConfiguration.java | 1 + .../crypto/key/kms/server/TestKMSACLs.java | 18 +++++++++++++++--- 4 files changed, 24 insertions(+), 5 deletions(-) diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 0396e7d7f9..b87c9aedf2 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -774,6 +774,9 @@ Release 2.7.0 - UNRELEASED HADOOP-11509. Change parsing sequence in GenericOptionsParser to parse -D parameters before -files. (xgong) + HADOOP-11469. KMS should skip default.key.acl and whitelist.key.acl when + loading key acl. (Dian Fu via yliu) + Release 2.6.1 - UNRELEASED INCOMPATIBLE CHANGES diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java index c33dd4b60d..5b67950a30 100644 --- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java +++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java @@ -36,6 +36,8 @@ import java.util.concurrent.TimeUnit; import java.util.regex.Pattern; +import com.google.common.annotations.VisibleForTesting; + /** * Provides access to the AccessControlLists used by KMS, * hot-reloading them if the kms-acls.xml file where the ACLs @@ -70,7 +72,8 @@ public String getBlacklistConfigKey() { private volatile Map acls; private volatile Map blacklistedAcls; - private volatile Map> keyAcls; + @VisibleForTesting + volatile Map> keyAcls; private final Map defaultKeyAcls = new HashMap(); private final Map whitelistKeyAcls = @@ -112,7 +115,7 @@ private void setKeyACLs(Configuration conf) { Map> tempKeyAcls = new HashMap>(); Map allKeyACLS = - conf.getValByRegex(Pattern.quote(KMSConfiguration.KEY_ACL_PREFIX)); + conf.getValByRegex(KMSConfiguration.KEY_ACL_PREFIX_REGEX); for (Map.Entry keyAcl : allKeyACLS.entrySet()) { String k = keyAcl.getKey(); // this should be of type "key.acl.." diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java index a67c68ee0a..23c983f4e5 100644 --- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java +++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java @@ -38,6 +38,7 @@ public class KMSConfiguration { public static final String CONFIG_PREFIX = "hadoop.kms."; public static final String KEY_ACL_PREFIX = "key.acl."; + public static final String KEY_ACL_PREFIX_REGEX = "^key\\.acl\\..+"; public static final String DEFAULT_KEY_ACL_PREFIX = "default.key.acl."; public static final String WHITELIST_KEY_ACL_PREFIX = "whitelist.key.acl."; diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java index abdf3c21d0..b4bf50402e 100644 --- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java +++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java @@ -26,7 +26,7 @@ public class TestKMSACLs { @Test public void testDefaults() { - KMSACLs acls = new KMSACLs(new Configuration(false)); + final KMSACLs acls = new KMSACLs(new Configuration(false)); for (KMSACLs.Type type : KMSACLs.Type.values()) { Assert.assertTrue(acls.hasAccess(type, UserGroupInformation.createRemoteUser("foo"))); @@ -35,11 +35,11 @@ public void testDefaults() { @Test public void testCustom() { - Configuration conf = new Configuration(false); + final Configuration conf = new Configuration(false); for (KMSACLs.Type type : KMSACLs.Type.values()) { conf.set(type.getAclConfigKey(), type.toString() + " "); } - KMSACLs acls = new KMSACLs(conf); + final KMSACLs acls = new KMSACLs(conf); for (KMSACLs.Type type : KMSACLs.Type.values()) { Assert.assertTrue(acls.hasAccess(type, UserGroupInformation.createRemoteUser(type.toString()))); @@ -48,4 +48,16 @@ public void testCustom() { } } + @Test + public void testKeyAclConfigurationLoad() { + final Configuration conf = new Configuration(false); + conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key_1.MANAGEMENT", "CREATE"); + conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key_2.ALL", "CREATE"); + conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key_3.NONEXISTOPERATION", "CREATE"); + conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "ROLLOVER"); + conf.set(KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + "MANAGEMENT", "DECRYPT_EEK"); + final KMSACLs acls = new KMSACLs(conf); + Assert.assertTrue("expected key ACL size is 2 but got " + acls.keyAcls.size(), + acls.keyAcls.size() == 2); + } }