HADOOP-11469. KMS should skip default.key.acl and whitelist.key.acl when loading key acl. (Dian Fu via yliu)

2015-01-28 00:07:21 +08:00 · 2015-01-28 00:07:21 +08:00 · ee1e06a3ab
commit ee1e06a3ab
parent 9ca565e970
4 changed files with 24 additions and 5 deletions
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@ -774,6 +774,9 @@ Release 2.7.0 - UNRELEASED
    HADOOP-11509. Change parsing sequence in GenericOptionsParser to parse -D
    parameters before -files. (xgong)

+    HADOOP-11469. KMS should skip default.key.acl and whitelist.key.acl when
+    loading key acl. (Dian Fu via yliu)
+
 Release 2.6.1 - UNRELEASED

  INCOMPATIBLE CHANGES
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
@ -36,6 +36,8 @@
 import java.util.concurrent.TimeUnit;
 import java.util.regex.Pattern;

+import com.google.common.annotations.VisibleForTesting;
+
 /**
 * Provides access to the <code>AccessControlList</code>s used by KMS,
 * hot-reloading them if the <code>kms-acls.xml</code> file where the ACLs
@ -70,7 +72,8 @@ public String getBlacklistConfigKey() {

  private volatile Map<Type, AccessControlList> acls;
  private volatile Map<Type, AccessControlList> blacklistedAcls;
-  private volatile Map<String, HashMap<KeyOpType, AccessControlList>> keyAcls;
+  @VisibleForTesting
+  volatile Map<String, HashMap<KeyOpType, AccessControlList>> keyAcls;
  private final Map<KeyOpType, AccessControlList> defaultKeyAcls =
      new HashMap<KeyOpType, AccessControlList>();
  private final Map<KeyOpType, AccessControlList> whitelistKeyAcls =
@ -112,7 +115,7 @@ private void setKeyACLs(Configuration conf) {
    Map<String, HashMap<KeyOpType, AccessControlList>> tempKeyAcls =
        new HashMap<String, HashMap<KeyOpType,AccessControlList>>();
    Map<String, String> allKeyACLS =
-        conf.getValByRegex(Pattern.quote(KMSConfiguration.KEY_ACL_PREFIX));
+        conf.getValByRegex(KMSConfiguration.KEY_ACL_PREFIX_REGEX);
    for (Map.Entry<String, String> keyAcl : allKeyACLS.entrySet()) {
      String k = keyAcl.getKey();
      // this should be of type "key.acl.<KEY_NAME>.<OP_TYPE>"
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java
@ -38,6 +38,7 @@ public class KMSConfiguration {
  public static final String CONFIG_PREFIX = "hadoop.kms.";

  public static final String KEY_ACL_PREFIX = "key.acl.";
+  public static final String KEY_ACL_PREFIX_REGEX = "^key\\.acl\\..+";
  public static final String DEFAULT_KEY_ACL_PREFIX = "default.key.acl.";
  public static final String WHITELIST_KEY_ACL_PREFIX = "whitelist.key.acl.";

--- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java
+++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java
@ -26,7 +26,7 @@ public class TestKMSACLs {

  @Test
  public void testDefaults() {
-    KMSACLs acls = new KMSACLs(new Configuration(false));
+    final KMSACLs acls = new KMSACLs(new Configuration(false));
    for (KMSACLs.Type type : KMSACLs.Type.values()) {
      Assert.assertTrue(acls.hasAccess(type,
          UserGroupInformation.createRemoteUser("foo")));
@ -35,11 +35,11 @@ public void testDefaults() {

  @Test
  public void testCustom() {
-    Configuration conf = new Configuration(false);
+    final Configuration conf = new Configuration(false);
    for (KMSACLs.Type type : KMSACLs.Type.values()) {
      conf.set(type.getAclConfigKey(), type.toString() + " ");
    }
-    KMSACLs acls = new KMSACLs(conf);
+    final KMSACLs acls = new KMSACLs(conf);
    for (KMSACLs.Type type : KMSACLs.Type.values()) {
      Assert.assertTrue(acls.hasAccess(type,
          UserGroupInformation.createRemoteUser(type.toString())));
@ -48,4 +48,16 @@ public void testCustom() {
    }
  }

+  @Test
+  public void testKeyAclConfigurationLoad() {
+    final Configuration conf = new Configuration(false);
+    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key_1.MANAGEMENT", "CREATE");
+    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key_2.ALL", "CREATE");
+    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key_3.NONEXISTOPERATION", "CREATE");
+    conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "ROLLOVER");
+    conf.set(KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + "MANAGEMENT", "DECRYPT_EEK");
+    final KMSACLs acls = new KMSACLs(conf);
+    Assert.assertTrue("expected key ACL size is 2 but got " + acls.keyAcls.size(),
+        acls.keyAcls.size() == 2);
+  }
 }