
Example 16 with KeyProvider

use of org.apache.hadoop.crypto.key.KeyProvider in project hadoop by apache.

the class FSDirEncryptionZoneOp method ensureKeyIsInitialized.

/**
 * Verifies that an encryption zone can be backed by the named key.
 *
 * <p>Checks, in order, that a key provider is configured, that a key name
 * was supplied, and that the provider knows the key; only then asks the
 * provider to pre-generate encrypted keys for it.
 *
 * @param fsd     the directory whose key provider is consulted
 * @param keyName name of the key that should back the zone
 * @param src     path of the zone, used only in the error message
 * @return the provider's metadata for {@code keyName}, never {@code null}
 * @throws IOException if no provider is configured, {@code keyName} is
 *     {@code null} or empty, the key does not exist, or a provider call fails
 */
static KeyProvider.Metadata ensureKeyIsInitialized(final FSDirectory fsd, final String keyName, final String src) throws IOException {
    final KeyProviderCryptoExtension keyProvider = fsd.getProvider();
    if (keyProvider == null) {
        throw new IOException("Can't create an encryption zone for " + src + " since no key provider is available.");
    }
    final boolean keyNameMissing = keyName == null || keyName.isEmpty();
    if (keyNameMissing) {
        throw new IOException("Must specify a key name when creating an " + "encryption zone");
    }
    final KeyProvider.Metadata keyMetadata = keyProvider.getMetadata(keyName);
    if (keyMetadata == null) {
        // The KeyProvider API only offers IOException here; a more specific
        // "unknown key" exception would be preferable if the API ever grows
        // one, or better still the provider's own exception could be rethrown.
        throw new IOException("Key " + keyName + " doesn't exist.");
    }
    // Providers that keep a pool of EDEKs use this call to pre-fill it for the key.
    keyProvider.warmUpEncryptedKeys(keyName);
    return keyMetadata;
}

Example 17 with KeyProvider

use of org.apache.hadoop.crypto.key.KeyProvider in project hadoop by apache.

the class DFSTestUtil method createKey.

/**
 * Creates a 128-bit key named {@code keyName} in the key provider of the
 * NameNode at index {@code idx}, then flushes the provider.
 *
 * <p>The key's description is set to its own name.
 *
 * @param keyName name of the key to create
 * @param cluster cluster whose NameNode owns the key provider
 * @param idx     index of the NameNode within {@code cluster}
 * @param conf    configuration from which the key options are derived
 * @throws NoSuchAlgorithmException if the provider cannot generate the key
 * @throws IOException if creating or flushing the key fails
 */
public static void createKey(String keyName, MiniDFSCluster cluster, int idx, Configuration conf) throws NoSuchAlgorithmException, IOException {
    final KeyProvider keyProvider = cluster.getNameNode(idx).getNamesystem().getProvider();
    final KeyProvider.Options keyOptions = KeyProvider.options(conf);
    keyOptions.setDescription(keyName);
    keyOptions.setBitLength(128);
    keyProvider.createKey(keyName, keyOptions);
    // Flush after creation so the provider writes the new key out (presumably to its backing store).
    keyProvider.flush();
}

Example 18 with KeyProvider

use of org.apache.hadoop.crypto.key.KeyProvider in project hadoop by apache.

the class TestKeyProviderCache method testCache.

/**
 * Exercises {@code KeyProviderCache.get(Configuration)}: an identical
 * provider path must return the cached instance, while a different path, or
 * the same host with different credentials in the URI, must return a
 * different instance.
 */
@Test
public void testCache() throws Exception {
    final KeyProviderCache cache = new KeyProviderCache(10000);
    final Configuration conf = new Configuration();
    final String pathKey = CommonConfigurationKeysPublic.HADOOP_SECURITY_KEY_PROVIDER_PATH;

    // First lookup populates the cache.
    conf.set(pathKey, "dummy://foo:bar@test_provider1");
    final KeyProvider first = cache.get(conf);
    Assert.assertNotNull("Returned Key Provider is null !!", first);

    // Identical path: the very same instance must come back.
    conf.set(pathKey, "dummy://foo:bar@test_provider1");
    final KeyProvider sameAgain = cache.get(conf);
    Assert.assertTrue("Different KeyProviders returned !!", first == sameAgain);

    // Different provider: must not be served from the first entry.
    conf.set(pathKey, "dummy://test_provider3");
    final KeyProvider other = cache.get(conf);
    Assert.assertTrue("Same KeyProviders returned !!", first != other);

    // Same host but different user-info in the URI: also a distinct entry,
    // so credentials embedded in the path are part of the cache key.
    conf.set(pathKey, "dummy://hello:there@test_provider1");
    final KeyProvider otherCredentials = cache.get(conf);
    Assert.assertTrue("Same KeyProviders returned !!", first != otherCredentials);
}

Example 19 with KeyProvider

use of org.apache.hadoop.crypto.key.KeyProvider in project hadoop by apache.

the class DFSClient method decryptEncryptedDataEncryptionKey.

/**
 * Decrypts an EDEK by delegating to the configured KeyProvider's crypto
 * extension.
 *
 * @param feInfo the file's encryption info, supplying the key name, EZ key
 *     version name, IV and the encrypted data encryption key
 * @return the decrypted data encryption key
 * @throws IOException if no KeyProvider is configured, or if decryption
 *     raises a {@link GeneralSecurityException} (wrapped with its cause kept)
 */
private KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo feInfo) throws IOException {
    try (TraceScope ignored = tracer.newScope("decryptEDEK")) {
        final KeyProvider keyProvider = getKeyProvider();
        if (keyProvider == null) {
            throw new IOException("No KeyProvider is configured, cannot access" + " an encrypted file");
        }
        final EncryptedKeyVersion encryptedKey = EncryptedKeyVersion.createForDecryption(
            feInfo.getKeyName(),
            feInfo.getEzKeyVersionName(),
            feInfo.getIV(),
            feInfo.getEncryptedDataEncryptionKey());
        try {
            // The extension is built inside the try so any GeneralSecurityException
            // from either step is translated the same way.
            return KeyProviderCryptoExtension.createKeyProviderCryptoExtension(keyProvider).decryptEncryptedKey(encryptedKey);
        } catch (GeneralSecurityException e) {
            // Callers only see IOException; keep the original as the cause.
            throw new IOException(e);
        }
    }
}

Example 20 with KeyProvider

use of org.apache.hadoop.crypto.key.KeyProvider in project hadoop by apache.

the class TestCryptoAdminCLI method createAKey.

/**
 * Creates a key named {@code keyName} in the test cluster's key provider,
 * using options derived from {@code conf}, then flushes the provider.
 *
 * @param keyName name of the key to create
 * @param conf    configuration used to build the key options
 * @throws NoSuchAlgorithmException if the provider cannot generate the key
 * @throws IOException if creating or flushing the key fails
 */
private void createAKey(String keyName, Configuration conf) throws NoSuchAlgorithmException, IOException {
    final KeyProvider keyProvider = dfsCluster.getNameNode().getNamesystem().getProvider();
    keyProvider.createKey(keyName, KeyProvider.options(conf));
    keyProvider.flush();
}
