Use of org.apache.hadoop.crypto.key.KeyProviderCryptoExtension in project hadoop (by apache):
class DFSUtil, method createKeyProviderCryptoExtension.
/**
 * Wraps the KeyProvider named in {@code conf} in a KeyProviderCryptoExtension
 * so callers can generate and decrypt encrypted data encryption keys (EDEKs).
 *
 * @param conf Configuration that names the KeyProvider
 * @return the crypto extension, or null when the Configuration names no
 * provider (the callers in this file reject a null provider with an
 * IOException rather than proceeding without encryption)
 * @throws IOException if the KeyProvider named in the Configuration cannot
 * be created
 */
public static KeyProviderCryptoExtension createKeyProviderCryptoExtension(final Configuration conf) throws IOException {
  final KeyProvider baseProvider = DFSUtilClient.createKeyProvider(conf);
  // A null provider is a legitimate "no KMS configured" outcome, not an error.
  return baseProvider == null
      ? null
      : KeyProviderCryptoExtension.createKeyProviderCryptoExtension(baseProvider);
}
Use of org.apache.hadoop.crypto.key.KeyProviderCryptoExtension in project hadoop (by apache):
class FSDirEncryptionZoneOp, method ensureKeyIsInitialized.
/**
 * Checks the preconditions for creating an encryption zone at {@code src}
 * with key {@code keyName}: a key provider must be configured, the key name
 * must be non-empty, and the key must already exist in the provider. On
 * success the provider is asked to pre-fill its EDEK pool for the key.
 *
 * @param fsd the FSDirectory whose key provider is consulted
 * @param keyName name of the encryption-zone key; must already exist
 * @param src path of the zone being created, used only in the error message
 * @return the provider's metadata for {@code keyName}
 * @throws IOException if no provider is configured, the key name is null or
 * empty, the key does not exist, or the provider itself fails
 */
static KeyProvider.Metadata ensureKeyIsInitialized(final FSDirectory fsd, final String keyName, final String src) throws IOException {
  final KeyProviderCryptoExtension kp = fsd.getProvider();
  if (kp == null) {
    throw new IOException("Can't create an encryption zone for " + src + " since no key provider is available.");
  }
  final boolean keyNameMissing = keyName == null || keyName.isEmpty();
  if (keyNameMissing) {
    throw new IOException("Must specify a key name when creating an " + "encryption zone");
  }
  // The KeyProvider API reports an unknown key as a null Metadata rather than
  // a dedicated exception, so the lookup failure has to be translated here.
  // Should the API ever gain something more specific (e.g. an
  // UnknownKeyException), rethrowing that would be preferable.
  final KeyProvider.Metadata keyMetadata = kp.getMetadata(keyName);
  if (keyMetadata == null) {
    throw new IOException("Key " + keyName + " doesn't exist.");
  }
  // For providers that pool EDEKs this fills the pool for keyName now,
  // presumably so the zone's first file creations don't each wait on a
  // fresh EDEK; a provider failure here propagates as an IOException.
  kp.warmUpEncryptedKeys(keyName);
  return keyMetadata;
}
Use of org.apache.hadoop.crypto.key.KeyProviderCryptoExtension in project hadoop (by apache):
class DFSClient, method decryptEncryptedDataEncryptionKey.
/**
 * Recovers a file's plaintext data encryption key by asking the configured
 * KeyProvider to unwrap the EDEK carried in {@code feInfo}.
 *
 * @param feInfo the file's encryption info: key name, encryption-zone key
 * version name, IV and the encrypted DEK
 * @return the decrypted DEK as a KeyVersion
 * @throws IOException if no KeyProvider is configured, if the provider fails,
 * or — wrapping the original as the cause — if unwrapping raises a
 * GeneralSecurityException
 */
private KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo feInfo) throws IOException {
  try (TraceScope ignored = tracer.newScope("decryptEDEK")) {
    final KeyProvider kp = getKeyProvider();
    if (kp == null) {
      throw new IOException("No KeyProvider is configured, cannot access" + " an encrypted file");
    }
    // Rebuild the EDEK handle from the file's metadata. The key name and the
    // EZ key version name are passed as stored; the provider side is where a
    // mismatch between them is expected to be rejected.
    final EncryptedKeyVersion edek = EncryptedKeyVersion.createForDecryption(
        feInfo.getKeyName(),
        feInfo.getEzKeyVersionName(),
        feInfo.getIV(),
        feInfo.getEncryptedDataEncryptionKey());
    try {
      final KeyProviderCryptoExtension ext = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
      return ext.decryptEncryptedKey(edek);
    } catch (GeneralSecurityException gse) {
      // Callers only deal in IOException; keep the crypto failure as the cause
      // so the real reason is not lost.
      throw new IOException(gse);
    }
  }
}
Use of org.apache.hadoop.crypto.key.KeyProviderCryptoExtension in project hadoop (by apache):
class TestKeyAuthorizationKeyProvider, method testCreateKey.
/**
 * createKey through KeyAuthorizationKeyProvider must be allowed only for a
 * user on the key's MANAGEMENT ACL: u1 may create "foo", nobody may create
 * "bar" (no ACL configured), and an unlisted user may not create "foo".
 */
@Test
public void testCreateKey() throws Exception {
  final Configuration conf = new Configuration();
  final KeyProvider backing = new UserProvider.Factory().createProvider(new URI("user:///"), conf);
  // Only key "foo" has a MANAGEMENT ACL, and only u1 is on it.
  final KeyACLs acls = mock(KeyACLs.class);
  when(acls.isACLPresent("foo", KeyOpType.MANAGEMENT)).thenReturn(true);
  final UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  when(acls.hasAccessToKey("foo", u1, KeyOpType.MANAGEMENT)).thenReturn(true);
  final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(KeyProviderCryptoExtension.createKeyProviderCryptoExtension(backing), acls);

  // Authorized user: "foo" goes through, "bar" (no ACL configured) is refused.
  u1.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      if (!createKeyAllowed(kpExt, "foo", conf)) {
        Assert.fail("User should be Authorized !!");
      }
      if (createKeyAllowed(kpExt, "bar", conf)) {
        Assert.fail("User should NOT be Authorized !!");
      }
      return null;
    }
  });

  // A user absent from the ACL must be refused even for the configured key.
  UserGroupInformation.createRemoteUser("badGuy").doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      if (createKeyAllowed(kpExt, "foo", conf)) {
        Assert.fail("User should NOT be Authorized !!");
      }
      return null;
    }
  });
}

/**
 * Attempts createKey for {@code keyName} as the current UGI and reports
 * whether it succeeded.
 *
 * NOTE(review): any IOException is treated as "denied", so a failure of the
 * backing provider itself would also satisfy the negative assertions above;
 * asserting the specific authorization exception type would make the denial
 * checks stricter.
 */
private boolean createKeyAllowed(KeyProviderCryptoExtension kpExt, String keyName, Configuration conf) throws Exception {
  try {
    kpExt.createKey(keyName, SecureRandom.getSeed(16), newOptions(conf));
    return true;
  } catch (IOException ioe) {
    return false;
  }
}
Use of org.apache.hadoop.crypto.key.KeyProviderCryptoExtension in project hadoop (by apache):
class TestKeyAuthorizationKeyProvider, method testDecryptWithKeyVersionNameKeyMismatch.
/**
 * Decrypting an EDEK whose key name does not match the key version name it
 * was generated under must fail with IllegalArgumentException, even for a
 * user holding ALL permissions on the key. NOTE(review): presumably this is
 * what prevents an EDEK from being presented under a different key's name;
 * confirm against KeyAuthorizationKeyProvider.
 */
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  final KeyProvider backing = new UserProvider.Factory().createProvider(new URI("user:///"), conf);
  // ACLs are mocked for "testKey"; the key created below is named "foo" but
  // carries key.acl.name=testKey, so these are the ACLs that apply to it.
  final KeyACLs acls = mock(KeyACLs.class);
  for (KeyOpType op : new KeyOpType[] {KeyOpType.MANAGEMENT, KeyOpType.GENERATE_EEK, KeyOpType.DECRYPT_EEK, KeyOpType.ALL}) {
    when(acls.isACLPresent("testKey", op)).thenReturn(true);
  }
  final UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  final UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
  final UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
  final UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
  // One user per operation type; only sudo (ALL) is exercised by this test,
  // the u1/u2/u3 stubs are set up but never used here.
  when(acls.hasAccessToKey("testKey", u1, KeyOpType.MANAGEMENT)).thenReturn(true);
  when(acls.hasAccessToKey("testKey", u2, KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(acls.hasAccessToKey("testKey", u3, KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(acls.hasAccessToKey("testKey", sudo, KeyOpType.ALL)).thenReturn(true);
  final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(KeyProviderCryptoExtension.createKeyProviderCryptoExtension(backing), acls);
  sudo.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      final Options opts = newOptions(conf);
      final Map<String, String> attrs = new HashMap<String, String>();
      attrs.put("key.acl.name", "testKey");
      opts.setAttributes(attrs);
      final KeyVersion created = kpExt.createKey("foo", SecureRandom.getSeed(16), opts);
      // Two rolls before generating the EDEK, as in the original test;
      // presumably so the EDEK is bound to a non-initial key version.
      kpExt.rollNewVersion(created.getName());
      kpExt.rollNewVersion(created.getName(), SecureRandom.getSeed(16));
      final EncryptedKeyVersion edek = kpExt.generateEncryptedKey(created.getName());
      // Re-label the EDEK with a key name ("foox") that its version name does
      // not belong to; decryption is expected to refuse the mismatch.
      final EncryptedKeyVersion tampered = EncryptedKeyVersion.createForDecryption(
          edek.getEncryptionKeyName() + "x",
          edek.getEncryptionKeyVersionName(),
          edek.getEncryptedKeyIv(),
          edek.getEncryptedKeyVersion().getMaterial());
      kpExt.decryptEncryptedKey(tampered);
      return null;
    }
  });
}