Search in sources :

Example 6 with SecureKeyId

use of co.cask.cdap.proto.id.SecureKeyId in project cdap by caskdata.

the class KMSSecureStore method getSecureData.

/**
   * Returns the data stored in the secure store. Makes two calls to the provider, one to get the metadata and another
   * to get the data.
   * @param namespace The namespace this key belongs to.
   * @param name Name of the key.
   * @return An object representing the securely stored data associated with the name.
   * @throws NamespaceNotFoundException If the specified namespace does not exist.
   * @throws IOException If there was a problem getting the key or the metadata from the underlying key provider.
   */
// Unfortunately KeyProvider does not specify the underlying cause except in the message, so we can not throw a
// more specific exception.
@Override
public SecureStoreData getSecureData(String namespace, String name) throws Exception {
    checkNamespaceExists(namespace);
    String keyName = getKeyName(namespace, name);
    KeyProvider.Metadata metadata = provider.getMetadata(keyName);
    // Provider returns null if the key is not found.
    if (metadata == null) {
        throw new NotFoundException(new SecureKeyId(namespace, name));
    }
    SecureStoreMetadata meta = SecureStoreMetadata.of(name, metadata.getDescription(), metadata.getAttributes());
    KeyProvider.KeyVersion keyVersion = provider.getCurrentKey(keyName);
    return new SecureStoreData(meta, keyVersion.getMaterial());
}
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) SecureStoreData(co.cask.cdap.api.security.store.SecureStoreData) SecureKeyId(co.cask.cdap.proto.id.SecureKeyId) SecureStoreMetadata(co.cask.cdap.api.security.store.SecureStoreMetadata) NamespaceNotFoundException(co.cask.cdap.common.NamespaceNotFoundException) NotFoundException(co.cask.cdap.common.NotFoundException)

Example 7 with SecureKeyId

use of co.cask.cdap.proto.id.SecureKeyId in project cdap by caskdata.

the class SecureStoreHandler method create.

@Path("/{key-name}")
@PUT
@AuditPolicy(AuditDetail.REQUEST_BODY)
public void create(HttpRequest httpRequest, HttpResponder httpResponder, @PathParam("namespace-id") String namespace, @PathParam("key-name") String name) throws Exception {
    SecureKeyId secureKeyId = new SecureKeyId(namespace, name);
    SecureKeyCreateRequest secureKeyCreateRequest = parseBody(httpRequest, SecureKeyCreateRequest.class);
    if (secureKeyCreateRequest == null) {
        SecureKeyCreateRequest dummy = new SecureKeyCreateRequest("<description>", "<data>", ImmutableMap.of("key", "value"));
        throw new BadRequestException("Unable to parse the request. The request body should be of the following format." + " \n" + GSON.toJson(dummy));
    }
    secureStoreManager.putSecureData(namespace, name, secureKeyCreateRequest.getData(), secureKeyCreateRequest.getDescription(), secureKeyCreateRequest.getProperties());
    httpResponder.sendStatus(HttpResponseStatus.OK);
}
Also used : SecureKeyCreateRequest(co.cask.cdap.proto.security.SecureKeyCreateRequest) SecureKeyId(co.cask.cdap.proto.id.SecureKeyId) BadRequestException(co.cask.cdap.common.BadRequestException) Path(javax.ws.rs.Path) AuditPolicy(co.cask.cdap.common.security.AuditPolicy) PUT(javax.ws.rs.PUT)

Example 8 with SecureKeyId

use of co.cask.cdap.proto.id.SecureKeyId in project cdap by caskdata.

the class SecureStoreClientTest method testSecureKeys.

@Test
public void testSecureKeys() throws Exception {
    // no secure keys to begin with
    Map<String, String> secureKeys = client.listKeys(NamespaceId.DEFAULT);
    Assert.assertTrue(secureKeys.isEmpty());
    // create a key
    String key = "securekey";
    String desc = "SomeDesc";
    String data = "secureData";
    Map<String, String> properties = ImmutableMap.of("k1", "v1");
    long creationTime = System.currentTimeMillis();
    SecureKeyId secureKeyId = new SecureKeyId(NamespaceId.DEFAULT.getNamespace(), key);
    client.createKey(secureKeyId, new SecureKeyCreateRequest(desc, data, properties));
    Assert.assertEquals(data, client.getData(secureKeyId));
    Assert.assertEquals(1, client.listKeys(NamespaceId.DEFAULT).size());
    SecureStoreMetadata metadata = client.getKeyMetadata(secureKeyId);
    Assert.assertEquals(desc, metadata.getDescription());
    Assert.assertTrue(metadata.getLastModifiedTime() >= creationTime);
    Assert.assertEquals(properties, metadata.getProperties());
    // delete the key
    client.deleteKey(secureKeyId);
    Assert.assertTrue(client.listKeys(NamespaceId.DEFAULT).isEmpty());
}
Also used : SecureKeyCreateRequest(co.cask.cdap.proto.security.SecureKeyCreateRequest) SecureKeyId(co.cask.cdap.proto.id.SecureKeyId) SecureStoreMetadata(co.cask.cdap.api.security.store.SecureStoreMetadata) Test(org.junit.Test)

Example 9 with SecureKeyId

use of co.cask.cdap.proto.id.SecureKeyId in project cdap by caskdata.

the class DefaultSecureStoreService method listSecureData.

/**
   * Lists all the secure keys in the given namespace that the user has access to. Returns an empty list if the user
   * does not have access to the namespace or any of the keys in the namespace.
   * @return A map of key names accessible by the user and their descriptions.
   * @throws NamespaceNotFoundException If the specified namespace does not exist.
   * @throws IOException If there was a problem reading from the store.
   *
   */
@Override
public final Map<String, String> listSecureData(String namespace) throws Exception {
    Principal principal = authenticationContext.getPrincipal();
    final Predicate<EntityId> filter = authorizationEnforcer.createFilter(principal);
    Map<String, String> metadatas = secureStore.listSecureData(namespace);
    Map<String, String> result = new HashMap<>(metadatas.size());
    for (String name : metadatas.keySet()) {
        if (filter.apply(new SecureKeyId(namespace, name))) {
            result.put(name, metadatas.get(name));
        }
    }
    return result;
}
Also used : EntityId(co.cask.cdap.proto.id.EntityId) SecureKeyId(co.cask.cdap.proto.id.SecureKeyId) HashMap(java.util.HashMap) Principal(co.cask.cdap.proto.security.Principal)

Example 10 with SecureKeyId

use of co.cask.cdap.proto.id.SecureKeyId in project cdap by caskdata.

the class DefaultSecureStoreService method putSecureData.

/**
   * Puts the user provided data in the secure store, if the user has write access to the namespace. Grants the user
   * all access to the newly created entity.
   * @throws BadRequestException If the request does not contain the value to be stored.
   * @throws UnauthorizedException If the user does not have write permissions on the namespace.
   * @throws NamespaceNotFoundException If the specified namespace does not exist.
   * @throws AlreadyExistsException If the key already exists in the namespace. Updating is not supported.
   * @throws IOException If there was a problem storing the key to underlying provider.
   */
@Override
public final synchronized void putSecureData(String namespace, String name, String value, String description, Map<String, String> properties) throws Exception {
    Principal principal = authenticationContext.getPrincipal();
    NamespaceId namespaceId = new NamespaceId(namespace);
    authorizationEnforcer.enforce(namespaceId, principal, Action.WRITE);
    if (Strings.isNullOrEmpty(value)) {
        throw new BadRequestException("The data field should not be empty. This is the data that will be stored " + "securely.");
    }
    privilegesManager.grant(new SecureKeyId(namespace, name), principal, EnumSet.allOf(Action.class));
    secureStoreManager.putSecureData(namespace, name, value, description, properties);
}
Also used : Action(co.cask.cdap.proto.security.Action) SecureKeyId(co.cask.cdap.proto.id.SecureKeyId) BadRequestException(co.cask.cdap.common.BadRequestException) NamespaceId(co.cask.cdap.proto.id.NamespaceId) Principal(co.cask.cdap.proto.security.Principal)

Aggregations

SecureKeyId (co.cask.cdap.proto.id.SecureKeyId)13 NamespaceNotFoundException (co.cask.cdap.common.NamespaceNotFoundException)4 Principal (co.cask.cdap.proto.security.Principal)4 SecureStoreMetadata (co.cask.cdap.api.security.store.SecureStoreMetadata)3 NotFoundException (co.cask.cdap.common.NotFoundException)3 SecureKeyCreateRequest (co.cask.cdap.proto.security.SecureKeyCreateRequest)3 IOException (java.io.IOException)3 KeyStoreException (java.security.KeyStoreException)3 Test (org.junit.Test)3 SecureStoreData (co.cask.cdap.api.security.store.SecureStoreData)2 BadRequestException (co.cask.cdap.common.BadRequestException)2 EntityId (co.cask.cdap.proto.id.EntityId)2 NamespaceId (co.cask.cdap.proto.id.NamespaceId)2 Action (co.cask.cdap.proto.security.Action)2 UnauthorizedException (co.cask.cdap.security.spi.authorization.UnauthorizedException)2 Key (java.security.Key)2 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)2 UnrecoverableKeyException (java.security.UnrecoverableKeyException)2 Path (javax.ws.rs.Path)2 AlreadyExistsException (co.cask.cdap.common.AlreadyExistsException)1