org.apache.hadoop.crypto.key.KeyProvider.KeyVersion Java Examples
The following examples show how to use
org.apache.hadoop.crypto.key.KeyProvider.KeyVersion.
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: DFSClient.java From hadoop with Apache License 2.0 | 6 votes |
/** * Wraps the stream in a CryptoInputStream if the underlying file is * encrypted. */ public HdfsDataInputStream createWrappedInputStream(DFSInputStream dfsis) throws IOException { final FileEncryptionInfo feInfo = dfsis.getFileEncryptionInfo(); if (feInfo != null) { // File is encrypted, wrap the stream in a crypto stream. // Currently only one version, so no special logic based on the version # getCryptoProtocolVersion(feInfo); final CryptoCodec codec = getCryptoCodec(conf, feInfo); final KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo); final CryptoInputStream cryptoIn = new CryptoInputStream(dfsis, codec, decrypted.getMaterial(), feInfo.getIV()); return new HdfsDataInputStream(cryptoIn); } else { // No FileEncryptionInfo so no encryption. return new HdfsDataInputStream(dfsis); } }
Example #2
Source File: KMS.java From big-c with Apache License 2.0 | 6 votes |
@GET @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" + KMSRESTConstants.VERSIONS_SUB_RESOURCE) @Produces(MediaType.APPLICATION_JSON) public Response getKeyVersions(@PathParam("name") final String name) throws Exception { UserGroupInformation user = HttpUserGroupInformation.get(); KMSClientProvider.checkNotEmpty(name, "name"); KMSWebApp.getKeyCallsMeter().mark(); assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSIONS, name); List<KeyVersion> ret = user.doAs( new PrivilegedExceptionAction<List<KeyVersion>>() { @Override public List<KeyVersion> run() throws Exception { return provider.getKeyVersions(name); } } ); Object json = KMSServerJSONUtils.toJSON(ret); kmsAudit.ok(user, KMSOp.GET_KEY_VERSIONS, name, ""); return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build(); }
Example #3
Source File: KMS.java From big-c with Apache License 2.0 | 6 votes |
@GET @Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}") @Produces(MediaType.APPLICATION_JSON) public Response getKeyVersion( @PathParam("versionName") final String versionName) throws Exception { UserGroupInformation user = HttpUserGroupInformation.get(); KMSClientProvider.checkNotEmpty(versionName, "versionName"); KMSWebApp.getKeyCallsMeter().mark(); assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSION); KeyVersion keyVersion = user.doAs( new PrivilegedExceptionAction<KeyVersion>() { @Override public KeyVersion run() throws Exception { return provider.getKeyVersion(versionName); } } ); if (keyVersion != null) { kmsAudit.ok(user, KMSOp.GET_KEY_VERSION, keyVersion.getName(), ""); } Object json = KMSServerJSONUtils.toJSON(keyVersion); return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build(); }
Example #4
Source File: KMS.java From big-c with Apache License 2.0 | 6 votes |
@GET @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" + KMSRESTConstants.CURRENT_VERSION_SUB_RESOURCE) @Produces(MediaType.APPLICATION_JSON) public Response getCurrentVersion(@PathParam("name") final String name) throws Exception { UserGroupInformation user = HttpUserGroupInformation.get(); KMSClientProvider.checkNotEmpty(name, "name"); KMSWebApp.getKeyCallsMeter().mark(); assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_CURRENT_KEY, name); KeyVersion keyVersion = user.doAs( new PrivilegedExceptionAction<KeyVersion>() { @Override public KeyVersion run() throws Exception { return provider.getCurrentKey(name); } } ); Object json = KMSServerJSONUtils.toJSON(keyVersion); kmsAudit.ok(user, KMSOp.GET_CURRENT_KEY, name, ""); return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build(); }
Example #5
Source File: DFSClient.java From big-c with Apache License 2.0 | 6 votes |
/** * Wraps the stream in a CryptoOutputStream if the underlying file is * encrypted. */ public HdfsDataOutputStream createWrappedOutputStream(DFSOutputStream dfsos, FileSystem.Statistics statistics, long startPos) throws IOException { final FileEncryptionInfo feInfo = dfsos.getFileEncryptionInfo(); if (feInfo != null) { // File is encrypted, wrap the stream in a crypto stream. // Currently only one version, so no special logic based on the version # getCryptoProtocolVersion(feInfo); final CryptoCodec codec = getCryptoCodec(conf, feInfo); KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo); final CryptoOutputStream cryptoOut = new CryptoOutputStream(dfsos, codec, decrypted.getMaterial(), feInfo.getIV(), startPos); return new HdfsDataOutputStream(cryptoOut, statistics, startPos); } else { // No FileEncryptionInfo present so no encryption. return new HdfsDataOutputStream(dfsos, statistics, startPos); } }
Example #6
Source File: DFSClient.java From big-c with Apache License 2.0 | 6 votes |
/** * Wraps the stream in a CryptoInputStream if the underlying file is * encrypted. */ public HdfsDataInputStream createWrappedInputStream(DFSInputStream dfsis) throws IOException { final FileEncryptionInfo feInfo = dfsis.getFileEncryptionInfo(); if (feInfo != null) { // File is encrypted, wrap the stream in a crypto stream. // Currently only one version, so no special logic based on the version # getCryptoProtocolVersion(feInfo); final CryptoCodec codec = getCryptoCodec(conf, feInfo); final KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo); final CryptoInputStream cryptoIn = new CryptoInputStream(dfsis, codec, decrypted.getMaterial(), feInfo.getIV()); return new HdfsDataInputStream(cryptoIn); } else { // No FileEncryptionInfo so no encryption. return new HdfsDataInputStream(dfsis); } }
Example #7
Source File: DFSClient.java From big-c with Apache License 2.0 | 6 votes |
/** * Decrypts a EDEK by consulting the KeyProvider. */ private KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo feInfo) throws IOException { TraceScope scope = Trace.startSpan("decryptEDEK", traceSampler); try { KeyProvider provider = getKeyProvider(); if (provider == null) { throw new IOException("No KeyProvider is configured, cannot access" + " an encrypted file"); } EncryptedKeyVersion ekv = EncryptedKeyVersion.createForDecryption( feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(), feInfo.getEncryptedDataEncryptionKey()); try { KeyProviderCryptoExtension cryptoProvider = KeyProviderCryptoExtension .createKeyProviderCryptoExtension(provider); return cryptoProvider.decryptEncryptedKey(ekv); } catch (GeneralSecurityException e) { throw new IOException(e); } } finally { scope.close(); } }
Example #8
Source File: KMS.java From hadoop with Apache License 2.0 | 6 votes |
@GET @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" + KMSRESTConstants.VERSIONS_SUB_RESOURCE) @Produces(MediaType.APPLICATION_JSON) public Response getKeyVersions(@PathParam("name") final String name) throws Exception { UserGroupInformation user = HttpUserGroupInformation.get(); KMSClientProvider.checkNotEmpty(name, "name"); KMSWebApp.getKeyCallsMeter().mark(); assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSIONS, name); List<KeyVersion> ret = user.doAs( new PrivilegedExceptionAction<List<KeyVersion>>() { @Override public List<KeyVersion> run() throws Exception { return provider.getKeyVersions(name); } } ); Object json = KMSServerJSONUtils.toJSON(ret); kmsAudit.ok(user, KMSOp.GET_KEY_VERSIONS, name, ""); return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build(); }
Example #9
Source File: KMS.java From hadoop with Apache License 2.0 | 6 votes |
@GET @Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}") @Produces(MediaType.APPLICATION_JSON) public Response getKeyVersion( @PathParam("versionName") final String versionName) throws Exception { UserGroupInformation user = HttpUserGroupInformation.get(); KMSClientProvider.checkNotEmpty(versionName, "versionName"); KMSWebApp.getKeyCallsMeter().mark(); assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_KEY_VERSION); KeyVersion keyVersion = user.doAs( new PrivilegedExceptionAction<KeyVersion>() { @Override public KeyVersion run() throws Exception { return provider.getKeyVersion(versionName); } } ); if (keyVersion != null) { kmsAudit.ok(user, KMSOp.GET_KEY_VERSION, keyVersion.getName(), ""); } Object json = KMSServerJSONUtils.toJSON(keyVersion); return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build(); }
Example #10
Source File: KMS.java From hadoop with Apache License 2.0 | 6 votes |
@GET @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" + KMSRESTConstants.CURRENT_VERSION_SUB_RESOURCE) @Produces(MediaType.APPLICATION_JSON) public Response getCurrentVersion(@PathParam("name") final String name) throws Exception { UserGroupInformation user = HttpUserGroupInformation.get(); KMSClientProvider.checkNotEmpty(name, "name"); KMSWebApp.getKeyCallsMeter().mark(); assertAccess(KMSACLs.Type.GET, user, KMSOp.GET_CURRENT_KEY, name); KeyVersion keyVersion = user.doAs( new PrivilegedExceptionAction<KeyVersion>() { @Override public KeyVersion run() throws Exception { return provider.getCurrentKey(name); } } ); Object json = KMSServerJSONUtils.toJSON(keyVersion); kmsAudit.ok(user, KMSOp.GET_CURRENT_KEY, name, ""); return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build(); }
Example #11
Source File: DFSClient.java From hadoop with Apache License 2.0 | 6 votes |
/** * Decrypts a EDEK by consulting the KeyProvider. */ private KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo feInfo) throws IOException { TraceScope scope = Trace.startSpan("decryptEDEK", traceSampler); try { KeyProvider provider = getKeyProvider(); if (provider == null) { throw new IOException("No KeyProvider is configured, cannot access" + " an encrypted file"); } EncryptedKeyVersion ekv = EncryptedKeyVersion.createForDecryption( feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(), feInfo.getEncryptedDataEncryptionKey()); try { KeyProviderCryptoExtension cryptoProvider = KeyProviderCryptoExtension .createKeyProviderCryptoExtension(provider); return cryptoProvider.decryptEncryptedKey(ekv); } catch (GeneralSecurityException e) { throw new IOException(e); } } finally { scope.close(); } }
Example #12
Source File: DFSClient.java From hadoop with Apache License 2.0 | 6 votes |
/** * Wraps the stream in a CryptoOutputStream if the underlying file is * encrypted. */ public HdfsDataOutputStream createWrappedOutputStream(DFSOutputStream dfsos, FileSystem.Statistics statistics, long startPos) throws IOException { final FileEncryptionInfo feInfo = dfsos.getFileEncryptionInfo(); if (feInfo != null) { // File is encrypted, wrap the stream in a crypto stream. // Currently only one version, so no special logic based on the version # getCryptoProtocolVersion(feInfo); final CryptoCodec codec = getCryptoCodec(conf, feInfo); KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo); final CryptoOutputStream cryptoOut = new CryptoOutputStream(dfsos, codec, decrypted.getMaterial(), feInfo.getIV(), startPos); return new HdfsDataOutputStream(cryptoOut, statistics, startPos); } else { // No FileEncryptionInfo present so no encryption. return new HdfsDataOutputStream(dfsos, statistics, startPos); } }
Example #13
Source File: RangerKeyStoreProviderTest.java From ranger with Apache License 2.0 | 5 votes |
@Test public void testCreateDeleteKey() throws Throwable { if (!UNRESTRICTED_POLICIES_INSTALLED) { return; } Path configDir = Paths.get("src/test/resources/kms"); System.setProperty(KMSConfiguration.KMS_CONFIG_DIR, configDir.toFile().getAbsolutePath()); Configuration conf = new Configuration(); RangerKeyStoreProvider keyProvider = new RangerKeyStoreProvider(conf); // Create a key Options options = new Options(conf); options.setBitLength(128); options.setCipher("AES"); KeyVersion keyVersion = keyProvider.createKey("newkey1", options); Assert.assertEquals("newkey1", keyVersion.getName()); Assert.assertEquals(128 / 8, keyVersion.getMaterial().length); Assert.assertEquals("newkey1@0", keyVersion.getVersionName()); keyProvider.flush(); Assert.assertEquals(1, keyProvider.getKeys().size()); keyProvider.deleteKey("newkey1"); keyProvider.flush(); Assert.assertEquals(0, keyProvider.getKeys().size()); // Try to delete a key that isn't there try { keyProvider.deleteKey("newkey2"); Assert.fail("Failure expected on trying to delete an unknown key"); } catch (IOException ex) { // expected } }
Example #14
Source File: RangerKeyStoreProviderTest.java From ranger with Apache License 2.0 | 5 votes |
@Test public void testRolloverKey() throws Throwable { if (!UNRESTRICTED_POLICIES_INSTALLED) { return; } Path configDir = Paths.get("src/test/resources/kms"); System.setProperty(KMSConfiguration.KMS_CONFIG_DIR, configDir.toFile().getAbsolutePath()); Configuration conf = new Configuration(); RangerKeyStoreProvider keyProvider = new RangerKeyStoreProvider(conf); // Create a key Options options = new Options(conf); options.setBitLength(192); options.setCipher("AES"); KeyVersion keyVersion = keyProvider.createKey("newkey1", options); Assert.assertEquals("newkey1", keyVersion.getName()); Assert.assertEquals(192 / 8, keyVersion.getMaterial().length); Assert.assertEquals("newkey1@0", keyVersion.getVersionName()); keyProvider.flush(); // Rollover a new key byte[] oldKey = keyVersion.getMaterial(); keyVersion = keyProvider.rollNewVersion("newkey1"); Assert.assertEquals("newkey1", keyVersion.getName()); Assert.assertEquals(192 / 8, keyVersion.getMaterial().length); Assert.assertEquals("newkey1@1", keyVersion.getVersionName()); Assert.assertFalse(Arrays.equals(oldKey, keyVersion.getMaterial())); keyProvider.deleteKey("newkey1"); keyProvider.flush(); Assert.assertEquals(0, keyProvider.getKeys().size()); }
Example #15
Source File: KMS.java From ranger with Apache License 2.0 | 5 votes |
@GET @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" + KMSRESTConstants.VERSIONS_SUB_RESOURCE) @Produces(MediaType.APPLICATION_JSON) public Response getKeyVersions(@PathParam("name") final String name, @Context HttpServletRequest request) throws Exception { try { if (LOG.isDebugEnabled()) { LOG.debug("Entering getKeyVersions method."); } UserGroupInformation user = HttpUserGroupInformation.get(); checkNotEmpty(name, "name"); KMSWebApp.getKeyCallsMeter().mark(); assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSIONS, name, request.getRemoteAddr()); LOG.debug("Getting key versions for key {}", name); List<KeyVersion> ret = user.doAs(new PrivilegedExceptionAction<List<KeyVersion>>() { @Override public List<KeyVersion> run() throws Exception { return provider.getKeyVersions(name); } }); Object json = KMSServerJSONUtils.toJSON(ret); kmsAudit.ok(user, KMSOp.GET_KEY_VERSIONS, name, ""); if (LOG.isDebugEnabled()) { LOG.debug("Exiting getKeyVersions method."); } return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build(); } catch (Exception e) { LOG.error("Exception in getKeyVersions.", e); throw e; } }
Example #16
Source File: KMS.java From ranger with Apache License 2.0 | 5 votes |
@GET @Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}") @Produces(MediaType.APPLICATION_JSON) public Response getKeyVersion( @PathParam("versionName") final String versionName, @Context HttpServletRequest request) throws Exception { try { if (LOG.isDebugEnabled()) { LOG.debug("Entering getKeyVersion method."); } UserGroupInformation user = HttpUserGroupInformation.get(); checkNotEmpty(versionName, "versionName"); KMSWebApp.getKeyCallsMeter().mark(); assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSION, request.getRemoteAddr()); LOG.debug("Getting key with version name {}.", versionName); KeyVersion keyVersion = user.doAs(new PrivilegedExceptionAction<KeyVersion>() { @Override public KeyVersion run() throws Exception { return provider.getKeyVersion(versionName); } }); if (keyVersion != null) { kmsAudit.ok(user, KMSOp.GET_KEY_VERSION, keyVersion.getName(), ""); } Object json = KMSUtil.toJSON(keyVersion); if (LOG.isDebugEnabled()) { LOG.debug("Exiting getKeyVersion method."); } return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build(); } catch (Exception e) { LOG.error("Exception in getKeyVersion.", e); throw e; } }
Example #17
Source File: KMS.java From ranger with Apache License 2.0 | 5 votes |
@GET @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" + KMSRESTConstants.CURRENT_VERSION_SUB_RESOURCE) @Produces(MediaType.APPLICATION_JSON) public Response getCurrentVersion(@PathParam("name") final String name, @Context HttpServletRequest request) throws Exception { try { if (LOG.isDebugEnabled()) { LOG.debug("Entering getCurrentVersion method."); } UserGroupInformation user = HttpUserGroupInformation.get(); checkNotEmpty(name, "name"); KMSWebApp.getKeyCallsMeter().mark(); assertAccess(Type.GET, user, KMSOp.GET_CURRENT_KEY, name, request.getRemoteAddr()); LOG.debug("Getting key version for key with name {}.", name); KeyVersion keyVersion = user.doAs(new PrivilegedExceptionAction<KeyVersion>() { @Override public KeyVersion run() throws Exception { return provider.getCurrentKey(name); } }); Object json = KMSUtil.toJSON(keyVersion); kmsAudit.ok(user, KMSOp.GET_CURRENT_KEY, name, ""); if (LOG.isDebugEnabled()) { LOG.debug("Exiting getCurrentVersion method."); } return Response.ok().type(MediaType.APPLICATION_JSON).entity(json).build(); } catch (Exception e) { LOG.error("Exception in getCurrentVersion.", e); throw e; } }
Example #18
Source File: TestKeyAuthorizationKeyProvider.java From ranger with Apache License 2.0 | 4 votes |
@Test(expected = IllegalArgumentException.class) public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception { final Configuration conf = new Configuration(); KeyProvider kp = new UserProvider.Factory().createProvider(new URI("user:///"), conf); KeyACLs mock = mock(KeyACLs.class); when(mock.isACLPresent("testKey", KeyOpType.MANAGEMENT)).thenReturn(true); when(mock.isACLPresent("testKey", KeyOpType.GENERATE_EEK)).thenReturn(true); when(mock.isACLPresent("testKey", KeyOpType.DECRYPT_EEK)).thenReturn(true); when(mock.isACLPresent("testKey", KeyOpType.ALL)).thenReturn(true); UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1"); UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2"); UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3"); UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo"); when(mock.hasAccessToKey("testKey", u1, KeyOpType.MANAGEMENT)).thenReturn(true); when(mock.hasAccessToKey("testKey", u2, KeyOpType.GENERATE_EEK)).thenReturn(true); when(mock.hasAccessToKey("testKey", u3, KeyOpType.DECRYPT_EEK)).thenReturn(true); when(mock.hasAccessToKey("testKey", sudo, KeyOpType.ALL)).thenReturn(true); final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider( KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp), mock); sudo.doAs( new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { Options opt = newOptions(conf); Map<String, String> m = new HashMap<String, String>(); m.put("key.acl.name", "testKey"); opt.setAttributes(m); byte[] seed = new byte[16]; SECURE_RANDOM.nextBytes(seed); KeyVersion kv = kpExt.createKey("foo", seed, opt); kpExt.rollNewVersion(kv.getName()); seed = new byte[16]; SECURE_RANDOM.nextBytes(seed); kpExt.rollNewVersion(kv.getName(), seed); EncryptedKeyVersion ekv = kpExt.generateEncryptedKey(kv.getName()); ekv = EncryptedKeyVersion.createForDecryption( ekv.getEncryptionKeyName() + "x", ekv.getEncryptionKeyVersionName(), ekv.getEncryptedKeyIv(), ekv.getEncryptedKeyVersion().getMaterial()); kpExt.decryptEncryptedKey(ekv); return null; } } ); }
Example #19
Source File: KMS.java From ranger with Apache License 2.0 | 4 votes |
private static KeyProvider.KeyVersion removeKeyMaterial( KeyProvider.KeyVersion keyVersion) { return new KMSClientProvider.KMSKeyVersion(keyVersion.getName(), keyVersion.getVersionName(), null); }
Example #20
Source File: TestKeyAuthorizationKeyProvider.java From big-c with Apache License 2.0 | 4 votes |
@Test(expected = IllegalArgumentException.class) public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception { final Configuration conf = new Configuration(); KeyProvider kp = new UserProvider.Factory().createProvider(new URI("user:///"), conf); KeyACLs mock = mock(KeyACLs.class); when(mock.isACLPresent("testKey", KeyOpType.MANAGEMENT)).thenReturn(true); when(mock.isACLPresent("testKey", KeyOpType.GENERATE_EEK)).thenReturn(true); when(mock.isACLPresent("testKey", KeyOpType.DECRYPT_EEK)).thenReturn(true); when(mock.isACLPresent("testKey", KeyOpType.ALL)).thenReturn(true); UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1"); UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2"); UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3"); UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo"); when(mock.hasAccessToKey("testKey", u1, KeyOpType.MANAGEMENT)).thenReturn(true); when(mock.hasAccessToKey("testKey", u2, KeyOpType.GENERATE_EEK)).thenReturn(true); when(mock.hasAccessToKey("testKey", u3, KeyOpType.DECRYPT_EEK)).thenReturn(true); when(mock.hasAccessToKey("testKey", sudo, KeyOpType.ALL)).thenReturn(true); final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider( KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp), mock); sudo.doAs( new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { Options opt = newOptions(conf); Map<String, String> m = new HashMap<String, String>(); m.put("key.acl.name", "testKey"); opt.setAttributes(m); KeyVersion kv = kpExt.createKey("foo", SecureRandom.getSeed(16), opt); kpExt.rollNewVersion(kv.getName()); kpExt.rollNewVersion(kv.getName(), SecureRandom.getSeed(16)); EncryptedKeyVersion ekv = kpExt.generateEncryptedKey(kv.getName()); ekv = EncryptedKeyVersion.createForDecryption( ekv.getEncryptionKeyName() + "x", ekv.getEncryptionKeyVersionName(), ekv.getEncryptedKeyIv(), ekv.getEncryptedKeyVersion().getMaterial()); kpExt.decryptEncryptedKey(ekv); return null; } } ); }
Example #21
Source File: KMS.java From big-c with Apache License 2.0 | 4 votes |
@SuppressWarnings("rawtypes") @POST @Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}/" + KMSRESTConstants.EEK_SUB_RESOURCE) @Produces(MediaType.APPLICATION_JSON) public Response decryptEncryptedKey( @PathParam("versionName") final String versionName, @QueryParam(KMSRESTConstants.EEK_OP) String eekOp, Map jsonPayload) throws Exception { UserGroupInformation user = HttpUserGroupInformation.get(); KMSClientProvider.checkNotEmpty(versionName, "versionName"); KMSClientProvider.checkNotNull(eekOp, "eekOp"); final String keyName = (String) jsonPayload.get( KMSRESTConstants.NAME_FIELD); String ivStr = (String) jsonPayload.get(KMSRESTConstants.IV_FIELD); String encMaterialStr = (String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD); Object retJSON; if (eekOp.equals(KMSRESTConstants.EEK_DECRYPT)) { assertAccess(KMSACLs.Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName); KMSClientProvider.checkNotNull(ivStr, KMSRESTConstants.IV_FIELD); final byte[] iv = Base64.decodeBase64(ivStr); KMSClientProvider.checkNotNull(encMaterialStr, KMSRESTConstants.MATERIAL_FIELD); final byte[] encMaterial = Base64.decodeBase64(encMaterialStr); KeyProvider.KeyVersion retKeyVersion = user.doAs( new PrivilegedExceptionAction<KeyVersion>() { @Override public KeyVersion run() throws Exception { return provider.decryptEncryptedKey( new KMSClientProvider.KMSEncryptedKeyVersion(keyName, versionName, iv, KeyProviderCryptoExtension.EEK, encMaterial) ); } } ); retJSON = KMSServerJSONUtils.toJSON(retKeyVersion); kmsAudit.ok(user, KMSOp.DECRYPT_EEK, keyName, ""); } else { throw new IllegalArgumentException("Wrong " + KMSRESTConstants.EEK_OP + " value, it must be " + KMSRESTConstants.EEK_GENERATE + " or " + KMSRESTConstants.EEK_DECRYPT); } KMSWebApp.getDecryptEEKCallsMeter().mark(); return Response.ok().type(MediaType.APPLICATION_JSON).entity(retJSON) .build(); }
Example #22
Source File: KMS.java From big-c with Apache License 2.0 | 4 votes |
private static KeyProvider.KeyVersion removeKeyMaterial( KeyProvider.KeyVersion keyVersion) { return new KMSClientProvider.KMSKeyVersion(keyVersion.getName(), keyVersion.getVersionName(), null); }
Example #23
Source File: TestKeyAuthorizationKeyProvider.java From hadoop with Apache License 2.0 | 4 votes |
@Test(expected = IllegalArgumentException.class) public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception { final Configuration conf = new Configuration(); KeyProvider kp = new UserProvider.Factory().createProvider(new URI("user:///"), conf); KeyACLs mock = mock(KeyACLs.class); when(mock.isACLPresent("testKey", KeyOpType.MANAGEMENT)).thenReturn(true); when(mock.isACLPresent("testKey", KeyOpType.GENERATE_EEK)).thenReturn(true); when(mock.isACLPresent("testKey", KeyOpType.DECRYPT_EEK)).thenReturn(true); when(mock.isACLPresent("testKey", KeyOpType.ALL)).thenReturn(true); UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1"); UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2"); UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3"); UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo"); when(mock.hasAccessToKey("testKey", u1, KeyOpType.MANAGEMENT)).thenReturn(true); when(mock.hasAccessToKey("testKey", u2, KeyOpType.GENERATE_EEK)).thenReturn(true); when(mock.hasAccessToKey("testKey", u3, KeyOpType.DECRYPT_EEK)).thenReturn(true); when(mock.hasAccessToKey("testKey", sudo, KeyOpType.ALL)).thenReturn(true); final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider( KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp), mock); sudo.doAs( new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { Options opt = newOptions(conf); Map<String, String> m = new HashMap<String, String>(); m.put("key.acl.name", "testKey"); opt.setAttributes(m); KeyVersion kv = kpExt.createKey("foo", SecureRandom.getSeed(16), opt); kpExt.rollNewVersion(kv.getName()); kpExt.rollNewVersion(kv.getName(), SecureRandom.getSeed(16)); EncryptedKeyVersion ekv = kpExt.generateEncryptedKey(kv.getName()); ekv = EncryptedKeyVersion.createForDecryption( ekv.getEncryptionKeyName() + "x", ekv.getEncryptionKeyVersionName(), ekv.getEncryptedKeyIv(), ekv.getEncryptedKeyVersion().getMaterial()); kpExt.decryptEncryptedKey(ekv); return null; } } ); }
Example #24
Source File: KMS.java From hadoop with Apache License 2.0 | 4 votes |
@SuppressWarnings("rawtypes") @POST @Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}/" + KMSRESTConstants.EEK_SUB_RESOURCE) @Produces(MediaType.APPLICATION_JSON) public Response decryptEncryptedKey( @PathParam("versionName") final String versionName, @QueryParam(KMSRESTConstants.EEK_OP) String eekOp, Map jsonPayload) throws Exception { UserGroupInformation user = HttpUserGroupInformation.get(); KMSClientProvider.checkNotEmpty(versionName, "versionName"); KMSClientProvider.checkNotNull(eekOp, "eekOp"); final String keyName = (String) jsonPayload.get( KMSRESTConstants.NAME_FIELD); String ivStr = (String) jsonPayload.get(KMSRESTConstants.IV_FIELD); String encMaterialStr = (String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD); Object retJSON; if (eekOp.equals(KMSRESTConstants.EEK_DECRYPT)) { assertAccess(KMSACLs.Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName); KMSClientProvider.checkNotNull(ivStr, KMSRESTConstants.IV_FIELD); final byte[] iv = Base64.decodeBase64(ivStr); KMSClientProvider.checkNotNull(encMaterialStr, KMSRESTConstants.MATERIAL_FIELD); final byte[] encMaterial = Base64.decodeBase64(encMaterialStr); KeyProvider.KeyVersion retKeyVersion = user.doAs( new PrivilegedExceptionAction<KeyVersion>() { @Override public KeyVersion run() throws Exception { return provider.decryptEncryptedKey( new KMSClientProvider.KMSEncryptedKeyVersion(keyName, versionName, iv, KeyProviderCryptoExtension.EEK, encMaterial) ); } } ); retJSON = KMSServerJSONUtils.toJSON(retKeyVersion); kmsAudit.ok(user, KMSOp.DECRYPT_EEK, keyName, ""); } else { throw new IllegalArgumentException("Wrong " + KMSRESTConstants.EEK_OP + " value, it must be " + KMSRESTConstants.EEK_GENERATE + " or " + KMSRESTConstants.EEK_DECRYPT); } KMSWebApp.getDecryptEEKCallsMeter().mark(); return Response.ok().type(MediaType.APPLICATION_JSON).entity(retJSON) .build(); }
Example #25
Source File: KMS.java From hadoop with Apache License 2.0 | 4 votes |
private static KeyProvider.KeyVersion removeKeyMaterial( KeyProvider.KeyVersion keyVersion) { return new KMSClientProvider.KMSKeyVersion(keyVersion.getName(), keyVersion.getVersionName(), null); }