Examples with CryptoExtension org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension used on opensource projects

Example 1 with CryptoExtension

use of org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension in project hadoop by apache.

the class TestKMS method testKMSBlackList.

@Test
public void testKMSBlackList() throws Exception {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    File testDir = getTestDir();
    conf = createBaseKMSConf(testDir, conf);
    conf.set("hadoop.kms.authentication.type", "kerberos");
    conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
    conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
    conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
    for (KMSACLs.Type type : KMSACLs.Type.values()) {
        conf.set(type.getAclConfigKey(), " ");
    }
    conf.set(KMSACLs.Type.CREATE.getAclConfigKey(), "client,hdfs,otheradmin");
    conf.set(KMSACLs.Type.GENERATE_EEK.getAclConfigKey(), "client,hdfs,otheradmin");
    conf.set(KMSACLs.Type.DECRYPT_EEK.getAclConfigKey(), "client,hdfs,otheradmin");
    conf.set(KMSACLs.Type.DECRYPT_EEK.getBlacklistConfigKey(), "hdfs,otheradmin");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "ck0.ALL", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "ck1.ALL", "*");
    writeConf(testDir, conf);
    runServer(null, null, testDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final Configuration conf = new Configuration();
            conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
            final URI uri = createKMSUri(getKMSUrl());
            doAs("client", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    try {
                        KeyProvider kp = createProvider(uri, conf);
                        KeyProvider.KeyVersion kv = kp.createKey("ck0", new KeyProvider.Options(conf));
                        EncryptedKeyVersion eek = ((CryptoExtension) kp).generateEncryptedKey("ck0");
                        ((CryptoExtension) kp).decryptEncryptedKey(eek);
                        Assert.assertNull(kv.getMaterial());
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    return null;
                }
            });
            doAs("hdfs", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    try {
                        KeyProvider kp = createProvider(uri, conf);
                        KeyProvider.KeyVersion kv = kp.createKey("ck1", new KeyProvider.Options(conf));
                        EncryptedKeyVersion eek = ((CryptoExtension) kp).generateEncryptedKey("ck1");
                        ((CryptoExtension) kp).decryptEncryptedKey(eek);
                        Assert.fail("admin user must not be allowed to decrypt !!");
                    } catch (Exception ex) {
                    }
                    return null;
                }
            });
            doAs("otheradmin", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    try {
                        KeyProvider kp = createProvider(uri, conf);
                        KeyProvider.KeyVersion kv = kp.createKey("ck2", new KeyProvider.Options(conf));
                        EncryptedKeyVersion eek = ((CryptoExtension) kp).generateEncryptedKey("ck2");
                        ((CryptoExtension) kp).decryptEncryptedKey(eek);
                        Assert.fail("admin user must not be allowed to decrypt !!");
                    } catch (Exception ex) {
                    }
                    return null;
                }
            });
            return null;
        }
    });
}