Example 1 with KeyProvider
use of org.apache.hadoop.crypto.key.KeyProvider in project hadoop by apache.
the class TestLoadBalancingKMSClientProvider method testCreation.
@Test
public void testCreation() throws Exception {
Configuration conf = new Configuration();
KeyProvider kp = new KMSClientProvider.Factory().createProvider(new URI("kms://http@host1/kms/foo"), conf);
assertTrue(kp instanceof KMSClientProvider);
assertEquals("http://host1/kms/foo/v1/", ((KMSClientProvider) kp).getKMSUrl());
kp = new KMSClientProvider.Factory().createProvider(new URI("kms://http@host1;host2;host3/kms/foo"), conf);
assertTrue(kp instanceof LoadBalancingKMSClientProvider);
KMSClientProvider[] providers = ((LoadBalancingKMSClientProvider) kp).getProviders();
assertEquals(3, providers.length);
assertEquals(Sets.newHashSet("http://host1/kms/foo/v1/", "http://host2/kms/foo/v1/", "http://host3/kms/foo/v1/"), Sets.newHashSet(providers[0].getKMSUrl(), providers[1].getKMSUrl(), providers[2].getKMSUrl()));
kp = new KMSClientProvider.Factory().createProvider(new URI("kms://http@host1;host2;host3:9600/kms/foo"), conf);
assertTrue(kp instanceof LoadBalancingKMSClientProvider);
providers = ((LoadBalancingKMSClientProvider) kp).getProviders();
assertEquals(3, providers.length);
assertEquals(Sets.newHashSet("http://host1:9600/kms/foo/v1/", "http://host2:9600/kms/foo/v1/", "http://host3:9600/kms/foo/v1/"), Sets.newHashSet(providers[0].getKMSUrl(), providers[1].getKMSUrl(), providers[2].getKMSUrl()));
}
Also used :
KeyProvider(org.apache.hadoop.crypto.key.KeyProvider)
Configuration(org.apache.hadoop.conf.Configuration)
URI(java.net.URI)
Test(org.junit.Test)
Example 2 with KeyProvider
use of org.apache.hadoop.crypto.key.KeyProvider in project hadoop by apache.
the class TestLoadBalancingKMSClientProvider method testLoadBalancingWithFailure.
@Test
public void testLoadBalancingWithFailure() throws Exception {
Configuration conf = new Configuration();
KMSClientProvider p1 = mock(KMSClientProvider.class);
when(p1.createKey(Mockito.anyString(), Mockito.any(Options.class))).thenReturn(new KMSClientProvider.KMSKeyVersion("p1", "v1", new byte[0]));
when(p1.getKMSUrl()).thenReturn("p1");
// This should not be retried
KMSClientProvider p2 = mock(KMSClientProvider.class);
when(p2.createKey(Mockito.anyString(), Mockito.any(Options.class))).thenThrow(new NoSuchAlgorithmException("p2"));
when(p2.getKMSUrl()).thenReturn("p2");
KMSClientProvider p3 = mock(KMSClientProvider.class);
when(p3.createKey(Mockito.anyString(), Mockito.any(Options.class))).thenReturn(new KMSClientProvider.KMSKeyVersion("p3", "v3", new byte[0]));
when(p3.getKMSUrl()).thenReturn("p3");
// This should be retried
KMSClientProvider p4 = mock(KMSClientProvider.class);
when(p4.createKey(Mockito.anyString(), Mockito.any(Options.class))).thenThrow(new IOException("p4"));
when(p4.getKMSUrl()).thenReturn("p4");
KeyProvider kp = new LoadBalancingKMSClientProvider(new KMSClientProvider[] { p1, p2, p3, p4 }, 0, conf);
assertEquals("p1", kp.createKey("test4", new Options(conf)).getName());
// Exceptions other than IOExceptions will not be retried
try {
kp.createKey("test1", new Options(conf)).getName();
fail("Should fail since its not an IOException");
} catch (Exception e) {
assertTrue(e instanceof NoSuchAlgorithmException);
}
assertEquals("p3", kp.createKey("test2", new Options(conf)).getName());
// IOException will trigger retry in next provider
assertEquals("p1", kp.createKey("test3", new Options(conf)).getName());
}
Also used :
KeyProvider(org.apache.hadoop.crypto.key.KeyProvider)
Options(org.apache.hadoop.crypto.key.KeyProvider.Options)
Configuration(org.apache.hadoop.conf.Configuration)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
IOException(java.io.IOException)
AuthenticationException(org.apache.hadoop.security.authentication.client.AuthenticationException)
IOException(java.io.IOException)
GeneralSecurityException(java.security.GeneralSecurityException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
Test(org.junit.Test)
Example 3 with KeyProvider
use of org.apache.hadoop.crypto.key.KeyProvider in project hadoop by apache.
the class TestKeyAuthorizationKeyProvider method testCreateKey.
@Test
public void testCreateKey() throws Exception {
final Configuration conf = new Configuration();
KeyProvider kp = new UserProvider.Factory().createProvider(new URI("user:///"), conf);
KeyACLs mock = mock(KeyACLs.class);
when(mock.isACLPresent("foo", KeyOpType.MANAGEMENT)).thenReturn(true);
UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
when(mock.hasAccessToKey("foo", u1, KeyOpType.MANAGEMENT)).thenReturn(true);
final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp), mock);
u1.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
try {
kpExt.createKey("foo", SecureRandom.getSeed(16), newOptions(conf));
} catch (IOException ioe) {
Assert.fail("User should be Authorized !!");
}
// "bar" key not configured
try {
kpExt.createKey("bar", SecureRandom.getSeed(16), newOptions(conf));
Assert.fail("User should NOT be Authorized !!");
} catch (IOException ioe) {
// Ignore
}
return null;
}
});
// Unauthorized User
UserGroupInformation.createRemoteUser("badGuy").doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
try {
kpExt.createKey("foo", SecureRandom.getSeed(16), newOptions(conf));
Assert.fail("User should NOT be Authorized !!");
} catch (IOException ioe) {
// Ignore
}
return null;
}
});
}
Also used :
KeyProvider(org.apache.hadoop.crypto.key.KeyProvider)
Configuration(org.apache.hadoop.conf.Configuration)
KeyProviderCryptoExtension(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension)
IOException(java.io.IOException)
URI(java.net.URI)
IOException(java.io.IOException)
UserProvider(org.apache.hadoop.crypto.key.UserProvider)
KeyACLs(org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider.KeyACLs)
UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)
Test(org.junit.Test)
Example 4 with KeyProvider
use of org.apache.hadoop.crypto.key.KeyProvider in project hadoop by apache.
the class TestKeyAuthorizationKeyProvider method testDecryptWithKeyVersionNameKeyMismatch.
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
final Configuration conf = new Configuration();
KeyProvider kp = new UserProvider.Factory().createProvider(new URI("user:///"), conf);
KeyACLs mock = mock(KeyACLs.class);
when(mock.isACLPresent("testKey", KeyOpType.MANAGEMENT)).thenReturn(true);
when(mock.isACLPresent("testKey", KeyOpType.GENERATE_EEK)).thenReturn(true);
when(mock.isACLPresent("testKey", KeyOpType.DECRYPT_EEK)).thenReturn(true);
when(mock.isACLPresent("testKey", KeyOpType.ALL)).thenReturn(true);
UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
when(mock.hasAccessToKey("testKey", u1, KeyOpType.MANAGEMENT)).thenReturn(true);
when(mock.hasAccessToKey("testKey", u2, KeyOpType.GENERATE_EEK)).thenReturn(true);
when(mock.hasAccessToKey("testKey", u3, KeyOpType.DECRYPT_EEK)).thenReturn(true);
when(mock.hasAccessToKey("testKey", sudo, KeyOpType.ALL)).thenReturn(true);
final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp), mock);
sudo.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
Options opt = newOptions(conf);
Map<String, String> m = new HashMap<String, String>();
m.put("key.acl.name", "testKey");
opt.setAttributes(m);
KeyVersion kv = kpExt.createKey("foo", SecureRandom.getSeed(16), opt);
kpExt.rollNewVersion(kv.getName());
kpExt.rollNewVersion(kv.getName(), SecureRandom.getSeed(16));
EncryptedKeyVersion ekv = kpExt.generateEncryptedKey(kv.getName());
ekv = EncryptedKeyVersion.createForDecryption(ekv.getEncryptionKeyName() + "x", ekv.getEncryptionKeyVersionName(), ekv.getEncryptedKeyIv(), ekv.getEncryptedKeyVersion().getMaterial());
kpExt.decryptEncryptedKey(ekv);
return null;
}
});
}
Also used :
KeyProvider(org.apache.hadoop.crypto.key.KeyProvider)
Options(org.apache.hadoop.crypto.key.KeyProvider.Options)
Configuration(org.apache.hadoop.conf.Configuration)
KeyVersion(org.apache.hadoop.crypto.key.KeyProvider.KeyVersion)
EncryptedKeyVersion(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion)
KeyProviderCryptoExtension(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension)
URI(java.net.URI)
IOException(java.io.IOException)
EncryptedKeyVersion(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion)
UserProvider(org.apache.hadoop.crypto.key.UserProvider)
KeyACLs(org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider.KeyACLs)
HashMap(java.util.HashMap)
Map(java.util.Map)
UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)
Test(org.junit.Test)
Example 5 with KeyProvider
use of org.apache.hadoop.crypto.key.KeyProvider in project hadoop by apache.
the class TestKMS method testDelegationTokensOps.
private void testDelegationTokensOps(final boolean ssl, final boolean kerb) throws Exception {
final File confDir = getTestDir();
final Configuration conf;
if (kerb) {
conf = setupConfForKerberos(confDir);
} else {
conf = createBaseKMSConf(confDir, null);
}
final String keystore;
final String password;
if (ssl) {
final String sslConfDir = KeyStoreTestUtil.getClasspathDir(TestKMS.class);
KeyStoreTestUtil.setupSSLConfig(confDir.getAbsolutePath(), sslConfDir, conf, false);
keystore = confDir.getAbsolutePath() + "/serverKS.jks";
password = "serverP";
} else {
keystore = null;
password = null;
}
writeConf(confDir, conf);
runServer(keystore, password, confDir, new KMSCallable<Void>() {
@Override
public Void call() throws Exception {
final Configuration clientConf = new Configuration();
final URI uri = createKMSUri(getKMSUrl());
clientConf.set(KeyProviderFactory.KEY_PROVIDER_PATH, createKMSUri(getKMSUrl()).toString());
doAs("client", new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
KeyProvider kp = createProvider(uri, clientConf);
// test delegation token retrieval
KeyProviderDelegationTokenExtension kpdte = KeyProviderDelegationTokenExtension.createKeyProviderDelegationTokenExtension(kp);
final Credentials credentials = new Credentials();
final Token<?>[] tokens = kpdte.addDelegationTokens("client1", credentials);
Assert.assertEquals(1, credentials.getAllTokens().size());
InetSocketAddress kmsAddr = new InetSocketAddress(getKMSUrl().getHost(), getKMSUrl().getPort());
Assert.assertEquals(KMSDelegationToken.TOKEN_KIND, credentials.getToken(SecurityUtil.buildTokenService(kmsAddr)).getKind());
// Test non-renewer user cannot renew.
for (Token<?> token : tokens) {
if (!(token.getKind().equals(KMSDelegationToken.TOKEN_KIND))) {
LOG.info("Skipping token {}", token);
continue;
}
LOG.info("Got dt for " + uri + "; " + token);
try {
token.renew(clientConf);
Assert.fail("client should not be allowed to renew token with" + "renewer=client1");
} catch (Exception e) {
final DelegationTokenIdentifier identifier = (DelegationTokenIdentifier) token.decodeIdentifier();
GenericTestUtils.assertExceptionContains("tries to renew a token (" + identifier + ") with non-matching renewer", e);
}
}
final UserGroupInformation otherUgi;
if (kerb) {
UserGroupInformation.loginUserFromKeytab("client1", keytab.getAbsolutePath());
otherUgi = UserGroupInformation.getLoginUser();
} else {
otherUgi = UserGroupInformation.createUserForTesting("client1", new String[] { "other group" });
UserGroupInformation.setLoginUser(otherUgi);
}
try {
// test delegation token renewal via renewer
otherUgi.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
boolean renewed = false;
for (Token<?> token : tokens) {
if (!(token.getKind().equals(KMSDelegationToken.TOKEN_KIND))) {
LOG.info("Skipping token {}", token);
continue;
}
LOG.info("Got dt for " + uri + "; " + token);
long tokenLife = token.renew(clientConf);
LOG.info("Renewed token of kind {}, new lifetime:{}", token.getKind(), tokenLife);
Thread.sleep(100);
long newTokenLife = token.renew(clientConf);
LOG.info("Renewed token of kind {}, new lifetime:{}", token.getKind(), newTokenLife);
Assert.assertTrue(newTokenLife > tokenLife);
renewed = true;
}
Assert.assertTrue(renewed);
// test delegation token cancellation
for (Token<?> token : tokens) {
if (!(token.getKind().equals(KMSDelegationToken.TOKEN_KIND))) {
LOG.info("Skipping token {}", token);
continue;
}
LOG.info("Got dt for " + uri + "; " + token);
token.cancel(clientConf);
LOG.info("Cancelled token of kind {}", token.getKind());
try {
token.renew(clientConf);
Assert.fail("should not be able to renew a canceled token");
} catch (Exception e) {
LOG.info("Expected exception when renewing token", e);
}
}
return null;
}
});
// Close the client provider. We will verify all providers'
// Truststore reloader threads are closed later.
kp.close();
return null;
} finally {
otherUgi.logoutUserFromKeytab();
}
}
});
return null;
}
});
// verify that providers created by KMSTokenRenewer are closed.
if (ssl) {
GenericTestUtils.waitFor(new Supplier<Boolean>() {
@Override
public Boolean get() {
final Set<Thread> threadSet = Thread.getAllStackTraces().keySet();
for (Thread t : threadSet) {
if (t.getName().contains(SSL_RELOADER_THREAD_NAME)) {
return false;
}
}
return true;
}
}, 1000, 10000);
}
}
Also used :
KeyProvider(org.apache.hadoop.crypto.key.KeyProvider)
KeyProviderDelegationTokenExtension(org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension)
Set(java.util.Set)
HashSet(java.util.HashSet)
Configuration(org.apache.hadoop.conf.Configuration)
DelegationTokenIdentifier(org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier)
InetSocketAddress(java.net.InetSocketAddress)
KMSDelegationToken(org.apache.hadoop.crypto.key.kms.KMSDelegationToken)
Token(org.apache.hadoop.security.token.Token)
PrivilegedExceptionAction(java.security.PrivilegedExceptionAction)
URI(java.net.URI)
AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException)
SocketTimeoutException(java.net.SocketTimeoutException)
IOException(java.io.IOException)
File(java.io.File)
Credentials(org.apache.hadoop.security.Credentials)
UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)
Aggregations
KeyProvider (org.apache.hadoop.crypto.key.KeyProvider)38
IOException (java.io.IOException)27
URI (java.net.URI)25
Configuration (org.apache.hadoop.conf.Configuration)25
Test (org.junit.Test)21
File (java.io.File)17
SocketTimeoutException (java.net.SocketTimeoutException)17
Options (org.apache.hadoop.crypto.key.KeyProvider.Options)17
AuthorizationException (org.apache.hadoop.security.authorize.AuthorizationException)17
PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)13
KeyProviderCryptoExtension (org.apache.hadoop.crypto.key.KeyProviderCryptoExtension)10
KeyVersion (org.apache.hadoop.crypto.key.KeyProvider.KeyVersion)8
EncryptedKeyVersion (org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion)8
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)8
Credentials (org.apache.hadoop.security.Credentials)6
HashMap (java.util.HashMap)5
KeyProviderDelegationTokenExtension (org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension)5
GeneralSecurityException (java.security.GeneralSecurityException)3
Map (java.util.Map)3
UserProvider (org.apache.hadoop.crypto.key.UserProvider)3
