Search in sources :

Example 16 with EncryptedKeyVersion

use of org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion in project hadoop by apache.

the class TestKMS method testACLs.

@Test
@SuppressWarnings("checkstyle:methodlength")
public void testACLs() throws Exception {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    final File testDir = getTestDir();
    conf = createBaseKMSConf(testDir, conf);
    conf.set("hadoop.kms.authentication.type", "kerberos");
    conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
    conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
    conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
    for (KMSACLs.Type type : KMSACLs.Type.values()) {
        conf.set(type.getAclConfigKey(), type.toString());
    }
    conf.set(KMSACLs.Type.CREATE.getAclConfigKey(), KMSACLs.Type.CREATE.toString() + ",SET_KEY_MATERIAL");
    conf.set(KMSACLs.Type.ROLLOVER.getAclConfigKey(), KMSACLs.Type.ROLLOVER.toString() + ",SET_KEY_MATERIAL");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k0.ALL", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k1.ALL", "*");
    writeConf(testDir, conf);
    runServer(null, null, testDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final Configuration conf = new Configuration();
            conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
            final URI uri = createKMSUri(getKMSUrl());
            //nothing allowed
            doAs("client", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    try {
                        kp.createKey("k", new KeyProvider.Options(conf));
                        Assert.fail();
                    } catch (AuthorizationException ex) {
                    //NOP
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    try {
                        kp.createKey("k", new byte[16], new KeyProvider.Options(conf));
                        Assert.fail();
                    } catch (AuthorizationException ex) {
                    //NOP
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    try {
                        kp.rollNewVersion("k");
                        Assert.fail();
                    } catch (AuthorizationException ex) {
                    //NOP
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    try {
                        kp.rollNewVersion("k", new byte[16]);
                        Assert.fail();
                    } catch (AuthorizationException ex) {
                    //NOP
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    try {
                        kp.getKeys();
                        Assert.fail();
                    } catch (AuthorizationException ex) {
                    //NOP
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    try {
                        kp.getKeysMetadata("k");
                        Assert.fail();
                    } catch (AuthorizationException ex) {
                    //NOP
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    try {
                        // we are using JavaKeyStoreProvider for testing, so we know how
                        // the keyversion is created.
                        kp.getKeyVersion("k@0");
                        Assert.fail();
                    } catch (AuthorizationException ex) {
                    //NOP
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    try {
                        kp.getCurrentKey("k");
                        Assert.fail();
                    } catch (AuthorizationException ex) {
                    //NOP
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    try {
                        kp.getMetadata("k");
                        Assert.fail();
                    } catch (AuthorizationException ex) {
                    //NOP
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    try {
                        kp.getKeyVersions("k");
                        Assert.fail();
                    } catch (AuthorizationException ex) {
                    //NOP
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    return null;
                }
            });
            doAs("CREATE", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    try {
                        KeyProvider.KeyVersion kv = kp.createKey("k0", new KeyProvider.Options(conf));
                        Assert.assertNull(kv.getMaterial());
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    return null;
                }
            });
            doAs("DELETE", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    try {
                        kp.deleteKey("k0");
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    return null;
                }
            });
            doAs("SET_KEY_MATERIAL", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    try {
                        KeyProvider.KeyVersion kv = kp.createKey("k1", new byte[16], new KeyProvider.Options(conf));
                        Assert.assertNull(kv.getMaterial());
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    return null;
                }
            });
            doAs("ROLLOVER", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    try {
                        KeyProvider.KeyVersion kv = kp.rollNewVersion("k1");
                        Assert.assertNull(kv.getMaterial());
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    return null;
                }
            });
            doAs("SET_KEY_MATERIAL", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    try {
                        KeyProvider.KeyVersion kv = kp.rollNewVersion("k1", new byte[16]);
                        Assert.assertNull(kv.getMaterial());
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    return null;
                }
            });
            final KeyVersion currKv = doAs("GET", new PrivilegedExceptionAction<KeyVersion>() {

                @Override
                public KeyVersion run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    try {
                        kp.getKeyVersion("k1@0");
                        KeyVersion kv = kp.getCurrentKey("k1");
                        return kv;
                    } catch (Exception ex) {
                        Assert.fail(ex.toString());
                    }
                    return null;
                }
            });
            final EncryptedKeyVersion encKv = doAs("GENERATE_EEK", new PrivilegedExceptionAction<EncryptedKeyVersion>() {

                @Override
                public EncryptedKeyVersion run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    try {
                        KeyProviderCryptoExtension kpCE = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
                        EncryptedKeyVersion ek1 = kpCE.generateEncryptedKey(currKv.getName());
                        return ek1;
                    } catch (Exception ex) {
                        Assert.fail(ex.toString());
                    }
                    return null;
                }
            });
            doAs("GENERATE_EEK", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    KeyProviderCryptoExtension kpCE = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
                    kpCE.reencryptEncryptedKey(encKv);
                    return null;
                }
            });
            doAs("DECRYPT_EEK", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    try {
                        KeyProviderCryptoExtension kpCE = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
                        kpCE.decryptEncryptedKey(encKv);
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    return null;
                }
            });
            doAs("GET_KEYS", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    try {
                        kp.getKeys();
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    return null;
                }
            });
            doAs("GET_METADATA", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    try {
                        kp.getMetadata("k1");
                        kp.getKeysMetadata("k1");
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    return null;
                }
            });
            //stop the reloader, to avoid running while we are writing the new file
            KMSWebApp.getACLs().stopReloader();
            // test ACL reloading
            // to ensure the ACLs file modifiedTime is newer
            Thread.sleep(10);
            conf.set(KMSACLs.Type.CREATE.getAclConfigKey(), "foo");
            conf.set(KMSACLs.Type.GENERATE_EEK.getAclConfigKey(), "foo");
            writeConf(testDir, conf);
            Thread.sleep(1000);
            // forcing a reload by hand.
            KMSWebApp.getACLs().run();
            // should not be able to create a key now
            doAs("CREATE", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    try {
                        KeyProvider kp = createProvider(uri, conf);
                        KeyProvider.KeyVersion kv = kp.createKey("k2", new KeyProvider.Options(conf));
                        Assert.fail();
                    } catch (AuthorizationException ex) {
                    //NOP
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    return null;
                }
            });
            doAs("GENERATE_EEK", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    try {
                        KeyProviderCryptoExtension kpCE = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
                        kpCE.generateEncryptedKey("k1");
                    } catch (IOException ex) {
                        // through the ValueQueue. See KMSCP#generateEncryptedKey.
                        if (ex.getCause().getCause() instanceof AuthorizationException) {
                            LOG.info("Caught expected exception.", ex);
                        } else {
                            throw ex;
                        }
                    }
                    return null;
                }
            });
            doAs("GENERATE_EEK", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    try {
                        KeyProviderCryptoExtension kpCE = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
                        kpCE.reencryptEncryptedKey(encKv);
                    } catch (AuthorizationException ex) {
                        LOG.info("Caught expected exception.", ex);
                    }
                    return null;
                }
            });
            return null;
        }
    });
}
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) Configuration(org.apache.hadoop.conf.Configuration) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) KeyVersion(org.apache.hadoop.crypto.key.KeyProvider.KeyVersion) EncryptedKeyVersion(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) KeyProviderCryptoExtension(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension) IOException(java.io.IOException) URI(java.net.URI) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) SocketTimeoutException(java.net.SocketTimeoutException) IOException(java.io.IOException) KeyVersion(org.apache.hadoop.crypto.key.KeyProvider.KeyVersion) EncryptedKeyVersion(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion) Options(org.apache.hadoop.crypto.key.KeyProvider.Options) File(java.io.File) Test(org.junit.Test)

Example 17 with EncryptedKeyVersion

use of org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion in project hadoop by apache.

the class TestKMS method testKMSProvider.

@Test
@SuppressWarnings("checkstyle:methodlength")
public void testKMSProvider() throws Exception {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    File confDir = getTestDir();
    conf = createBaseKMSConf(confDir, conf);
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k1.ALL", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k2.MANAGEMENT", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k2.READ", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k3.ALL", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k4.ALL", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k5.ALL", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k6.ALL", "*");
    writeConf(confDir, conf);
    runServer(null, null, confDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            Date started = new Date();
            Configuration conf = new Configuration();
            URI uri = createKMSUri(getKMSUrl());
            KeyProvider kp = createProvider(uri, conf);
            // getKeys() empty
            Assert.assertTrue(kp.getKeys().isEmpty());
            // getKeysMetadata() empty
            Assert.assertEquals(0, kp.getKeysMetadata().length);
            // createKey()
            KeyProvider.Options options = new KeyProvider.Options(conf);
            options.setCipher("AES/CTR/NoPadding");
            options.setBitLength(128);
            options.setDescription("l1");
            KeyProvider.KeyVersion kv0 = kp.createKey("k1", options);
            Assert.assertNotNull(kv0);
            Assert.assertNotNull(kv0.getVersionName());
            Assert.assertNotNull(kv0.getMaterial());
            // getKeyVersion()
            KeyProvider.KeyVersion kv1 = kp.getKeyVersion(kv0.getVersionName());
            Assert.assertEquals(kv0.getVersionName(), kv1.getVersionName());
            Assert.assertNotNull(kv1.getMaterial());
            // getCurrent()
            KeyProvider.KeyVersion cv1 = kp.getCurrentKey("k1");
            Assert.assertEquals(kv0.getVersionName(), cv1.getVersionName());
            Assert.assertNotNull(cv1.getMaterial());
            // getKeyMetadata() 1 version
            KeyProvider.Metadata m1 = kp.getMetadata("k1");
            Assert.assertEquals("AES/CTR/NoPadding", m1.getCipher());
            Assert.assertEquals("AES", m1.getAlgorithm());
            Assert.assertEquals(128, m1.getBitLength());
            Assert.assertEquals(1, m1.getVersions());
            Assert.assertNotNull(m1.getCreated());
            Assert.assertTrue(started.before(m1.getCreated()));
            // getKeyVersions() 1 version
            List<KeyProvider.KeyVersion> lkv1 = kp.getKeyVersions("k1");
            Assert.assertEquals(1, lkv1.size());
            Assert.assertEquals(kv0.getVersionName(), lkv1.get(0).getVersionName());
            Assert.assertNotNull(kv1.getMaterial());
            // rollNewVersion()
            KeyProvider.KeyVersion kv2 = kp.rollNewVersion("k1");
            Assert.assertNotSame(kv0.getVersionName(), kv2.getVersionName());
            Assert.assertNotNull(kv2.getMaterial());
            // getKeyVersion()
            kv2 = kp.getKeyVersion(kv2.getVersionName());
            boolean eq = true;
            for (int i = 0; i < kv1.getMaterial().length; i++) {
                eq = eq && kv1.getMaterial()[i] == kv2.getMaterial()[i];
            }
            Assert.assertFalse(eq);
            // getCurrent()
            KeyProvider.KeyVersion cv2 = kp.getCurrentKey("k1");
            Assert.assertEquals(kv2.getVersionName(), cv2.getVersionName());
            Assert.assertNotNull(cv2.getMaterial());
            eq = true;
            for (int i = 0; i < kv1.getMaterial().length; i++) {
                eq = eq && cv2.getMaterial()[i] == kv2.getMaterial()[i];
            }
            Assert.assertTrue(eq);
            // getKeyVersions() 2 versions
            List<KeyProvider.KeyVersion> lkv2 = kp.getKeyVersions("k1");
            Assert.assertEquals(2, lkv2.size());
            Assert.assertEquals(kv1.getVersionName(), lkv2.get(0).getVersionName());
            Assert.assertNotNull(lkv2.get(0).getMaterial());
            Assert.assertEquals(kv2.getVersionName(), lkv2.get(1).getVersionName());
            Assert.assertNotNull(lkv2.get(1).getMaterial());
            // getKeyMetadata() 2 version
            KeyProvider.Metadata m2 = kp.getMetadata("k1");
            Assert.assertEquals("AES/CTR/NoPadding", m2.getCipher());
            Assert.assertEquals("AES", m2.getAlgorithm());
            Assert.assertEquals(128, m2.getBitLength());
            Assert.assertEquals(2, m2.getVersions());
            Assert.assertNotNull(m2.getCreated());
            Assert.assertTrue(started.before(m2.getCreated()));
            // getKeys() 1 key
            List<String> ks1 = kp.getKeys();
            Assert.assertEquals(1, ks1.size());
            Assert.assertEquals("k1", ks1.get(0));
            // getKeysMetadata() 1 key 2 versions
            KeyProvider.Metadata[] kms1 = kp.getKeysMetadata("k1");
            Assert.assertEquals(1, kms1.length);
            Assert.assertEquals("AES/CTR/NoPadding", kms1[0].getCipher());
            Assert.assertEquals("AES", kms1[0].getAlgorithm());
            Assert.assertEquals(128, kms1[0].getBitLength());
            Assert.assertEquals(2, kms1[0].getVersions());
            Assert.assertNotNull(kms1[0].getCreated());
            Assert.assertTrue(started.before(kms1[0].getCreated()));
            // test generate and decryption of EEK
            KeyProvider.KeyVersion kv = kp.getCurrentKey("k1");
            KeyProviderCryptoExtension kpExt = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
            EncryptedKeyVersion ek1 = kpExt.generateEncryptedKey(kv.getName());
            Assert.assertEquals(KeyProviderCryptoExtension.EEK, ek1.getEncryptedKeyVersion().getVersionName());
            Assert.assertNotNull(ek1.getEncryptedKeyVersion().getMaterial());
            Assert.assertEquals(kv.getMaterial().length, ek1.getEncryptedKeyVersion().getMaterial().length);
            KeyProvider.KeyVersion k1 = kpExt.decryptEncryptedKey(ek1);
            Assert.assertEquals(KeyProviderCryptoExtension.EK, k1.getVersionName());
            KeyProvider.KeyVersion k1a = kpExt.decryptEncryptedKey(ek1);
            Assert.assertArrayEquals(k1.getMaterial(), k1a.getMaterial());
            Assert.assertEquals(kv.getMaterial().length, k1.getMaterial().length);
            EncryptedKeyVersion ek2 = kpExt.generateEncryptedKey(kv.getName());
            KeyProvider.KeyVersion k2 = kpExt.decryptEncryptedKey(ek2);
            boolean isEq = true;
            for (int i = 0; isEq && i < ek2.getEncryptedKeyVersion().getMaterial().length; i++) {
                isEq = k2.getMaterial()[i] == k1.getMaterial()[i];
            }
            Assert.assertFalse(isEq);
            // test re-encrypt
            kpExt.rollNewVersion(ek1.getEncryptionKeyName());
            EncryptedKeyVersion ek1r = kpExt.reencryptEncryptedKey(ek1);
            assertEquals(KeyProviderCryptoExtension.EEK, ek1r.getEncryptedKeyVersion().getVersionName());
            assertFalse(Arrays.equals(ek1.getEncryptedKeyVersion().getMaterial(), ek1r.getEncryptedKeyVersion().getMaterial()));
            assertEquals(kv.getMaterial().length, ek1r.getEncryptedKeyVersion().getMaterial().length);
            assertEquals(ek1.getEncryptionKeyName(), ek1r.getEncryptionKeyName());
            assertArrayEquals(ek1.getEncryptedKeyIv(), ek1r.getEncryptedKeyIv());
            assertNotEquals(ek1.getEncryptionKeyVersionName(), ek1r.getEncryptionKeyVersionName());
            KeyProvider.KeyVersion k1r = kpExt.decryptEncryptedKey(ek1r);
            assertEquals(KeyProviderCryptoExtension.EK, k1r.getVersionName());
            assertArrayEquals(k1.getMaterial(), k1r.getMaterial());
            assertEquals(kv.getMaterial().length, k1r.getMaterial().length);
            // deleteKey()
            kp.deleteKey("k1");
            // Check decryption after Key deletion
            try {
                kpExt.decryptEncryptedKey(ek1);
                Assert.fail("Should not be allowed !!");
            } catch (Exception e) {
                Assert.assertTrue(e.getMessage().contains("'k1@1' not found"));
            }
            // getKey()
            Assert.assertNull(kp.getKeyVersion("k1"));
            // getKeyVersions()
            Assert.assertNull(kp.getKeyVersions("k1"));
            // getMetadata()
            Assert.assertNull(kp.getMetadata("k1"));
            // getKeys() empty
            Assert.assertTrue(kp.getKeys().isEmpty());
            // getKeysMetadata() empty
            Assert.assertEquals(0, kp.getKeysMetadata().length);
            // createKey() no description, no tags
            options = new KeyProvider.Options(conf);
            options.setCipher("AES/CTR/NoPadding");
            options.setBitLength(128);
            KeyVersion kVer2 = kp.createKey("k2", options);
            KeyProvider.Metadata meta = kp.getMetadata("k2");
            Assert.assertNull(meta.getDescription());
            Assert.assertEquals("k2", meta.getAttributes().get("key.acl.name"));
            // test key ACL.. k2 is granted only MANAGEMENT Op access
            try {
                kpExt = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
                kpExt.generateEncryptedKey(kVer2.getName());
                Assert.fail("User should not be allowed to encrypt !!");
            } catch (Exception ex) {
            // 
            }
            // createKey() description, no tags
            options = new KeyProvider.Options(conf);
            options.setCipher("AES/CTR/NoPadding");
            options.setBitLength(128);
            options.setDescription("d");
            kp.createKey("k3", options);
            meta = kp.getMetadata("k3");
            Assert.assertEquals("d", meta.getDescription());
            Assert.assertEquals("k3", meta.getAttributes().get("key.acl.name"));
            Map<String, String> attributes = new HashMap<String, String>();
            attributes.put("a", "A");
            // createKey() no description, tags
            options = new KeyProvider.Options(conf);
            options.setCipher("AES/CTR/NoPadding");
            options.setBitLength(128);
            attributes.put("key.acl.name", "k4");
            options.setAttributes(attributes);
            kp.createKey("k4", options);
            meta = kp.getMetadata("k4");
            Assert.assertNull(meta.getDescription());
            Assert.assertEquals(attributes, meta.getAttributes());
            // createKey() description, tags
            options = new KeyProvider.Options(conf);
            options.setCipher("AES/CTR/NoPadding");
            options.setBitLength(128);
            options.setDescription("d");
            attributes.put("key.acl.name", "k5");
            options.setAttributes(attributes);
            kp.createKey("k5", options);
            meta = kp.getMetadata("k5");
            Assert.assertEquals("d", meta.getDescription());
            Assert.assertEquals(attributes, meta.getAttributes());
            // test rollover draining
            KeyProviderCryptoExtension kpce = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
            options = new KeyProvider.Options(conf);
            options.setCipher("AES/CTR/NoPadding");
            options.setBitLength(128);
            kpce.createKey("k6", options);
            EncryptedKeyVersion ekv1 = kpce.generateEncryptedKey("k6");
            kpce.rollNewVersion("k6");
            kpce.invalidateCache("k6");
            EncryptedKeyVersion ekv2 = kpce.generateEncryptedKey("k6");
            assertNotEquals("rollover did not generate a new key even after" + " queue is drained", ekv1.getEncryptionKeyVersionName(), ekv2.getEncryptionKeyVersionName());
            return null;
        }
    });
}
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) Options(org.apache.hadoop.crypto.key.KeyProvider.Options) Configuration(org.apache.hadoop.conf.Configuration) KeyVersion(org.apache.hadoop.crypto.key.KeyProvider.KeyVersion) EncryptedKeyVersion(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion) KeyProviderCryptoExtension(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension) URI(java.net.URI) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) SocketTimeoutException(java.net.SocketTimeoutException) IOException(java.io.IOException) Date(java.util.Date) EncryptedKeyVersion(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion) Options(org.apache.hadoop.crypto.key.KeyProvider.Options) List(java.util.List) ArrayList(java.util.ArrayList) File(java.io.File) Map(java.util.Map) HashMap(java.util.HashMap) Test(org.junit.Test)

Example 18 with EncryptedKeyVersion

use of org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion in project hadoop by apache.

the class TestKMS method testKMSProviderCaching.

@Test
public void testKMSProviderCaching() throws Exception {
    Configuration conf = new Configuration();
    File confDir = getTestDir();
    conf = createBaseKMSConf(confDir, conf);
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k1.ALL", "*");
    writeConf(confDir, conf);
    runServer(null, null, confDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final String keyName = "k1";
            final String mockVersionName = "mock";
            final Configuration conf = new Configuration();
            final URI uri = createKMSUri(getKMSUrl());
            KMSClientProvider kmscp = createKMSClientProvider(uri, conf);
            // get the reference to the internal cache, to test invalidation.
            ValueQueue vq = (ValueQueue) Whitebox.getInternalState(kmscp, "encKeyVersionQueue");
            LoadingCache<String, LinkedBlockingQueue<EncryptedKeyVersion>> kq = ((LoadingCache<String, LinkedBlockingQueue<EncryptedKeyVersion>>) Whitebox.getInternalState(vq, "keyQueues"));
            EncryptedKeyVersion mockEKV = Mockito.mock(EncryptedKeyVersion.class);
            when(mockEKV.getEncryptionKeyName()).thenReturn(keyName);
            when(mockEKV.getEncryptionKeyVersionName()).thenReturn(mockVersionName);
            // createKey()
            KeyProvider.Options options = new KeyProvider.Options(conf);
            options.setCipher("AES/CTR/NoPadding");
            options.setBitLength(128);
            options.setDescription("l1");
            KeyProvider.KeyVersion kv0 = kmscp.createKey(keyName, options);
            assertNotNull(kv0.getVersionName());
            assertEquals("Default key version name is incorrect.", "k1@0", kmscp.generateEncryptedKey(keyName).getEncryptionKeyVersionName());
            kmscp.invalidateCache(keyName);
            kq.get(keyName).put(mockEKV);
            assertEquals("Key version incorrect after invalidating cache + putting" + " mock key.", mockVersionName, kmscp.generateEncryptedKey(keyName).getEncryptionKeyVersionName());
            // test new version is returned after invalidation.
            for (int i = 0; i < 100; ++i) {
                kq.get(keyName).put(mockEKV);
                kmscp.invalidateCache(keyName);
                assertEquals("Cache invalidation guarantee failed.", "k1@0", kmscp.generateEncryptedKey(keyName).getEncryptionKeyVersionName());
            }
            return null;
        }
    });
}
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) Options(org.apache.hadoop.crypto.key.KeyProvider.Options) Configuration(org.apache.hadoop.conf.Configuration) KeyVersion(org.apache.hadoop.crypto.key.KeyProvider.KeyVersion) EncryptedKeyVersion(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion) URI(java.net.URI) KMSClientProvider(org.apache.hadoop.crypto.key.kms.KMSClientProvider) LoadBalancingKMSClientProvider(org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) SocketTimeoutException(java.net.SocketTimeoutException) IOException(java.io.IOException) EncryptedKeyVersion(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion) ValueQueue(org.apache.hadoop.crypto.key.kms.ValueQueue) Options(org.apache.hadoop.crypto.key.KeyProvider.Options) LoadingCache(com.google.common.cache.LoadingCache) File(java.io.File) Test(org.junit.Test)

Example 19 with EncryptedKeyVersion

use of org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion in project hadoop by apache.

the class TestKeyAuthorizationKeyProvider method testOpsWhenACLAttributeExists.

@Test
public void testOpsWhenACLAttributeExists() throws Exception {
    final Configuration conf = new Configuration();
    KeyProvider kp = new UserProvider.Factory().createProvider(new URI("user:///"), conf);
    KeyACLs mock = mock(KeyACLs.class);
    when(mock.isACLPresent("testKey", KeyOpType.MANAGEMENT)).thenReturn(true);
    when(mock.isACLPresent("testKey", KeyOpType.GENERATE_EEK)).thenReturn(true);
    when(mock.isACLPresent("testKey", KeyOpType.DECRYPT_EEK)).thenReturn(true);
    when(mock.isACLPresent("testKey", KeyOpType.ALL)).thenReturn(true);
    UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
    UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
    UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
    UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
    when(mock.hasAccessToKey("testKey", u1, KeyOpType.MANAGEMENT)).thenReturn(true);
    when(mock.hasAccessToKey("testKey", u2, KeyOpType.GENERATE_EEK)).thenReturn(true);
    when(mock.hasAccessToKey("testKey", u3, KeyOpType.DECRYPT_EEK)).thenReturn(true);
    when(mock.hasAccessToKey("testKey", sudo, KeyOpType.ALL)).thenReturn(true);
    final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp), mock);
    final KeyVersion barKv = u1.doAs(new PrivilegedExceptionAction<KeyVersion>() {

        @Override
        public KeyVersion run() throws Exception {
            Options opt = newOptions(conf);
            Map<String, String> m = new HashMap<String, String>();
            m.put("key.acl.name", "testKey");
            opt.setAttributes(m);
            try {
                KeyVersion kv = kpExt.createKey("foo", SecureRandom.getSeed(16), opt);
                kpExt.rollNewVersion(kv.getName());
                kpExt.rollNewVersion(kv.getName(), SecureRandom.getSeed(16));
                kpExt.deleteKey(kv.getName());
            } catch (IOException ioe) {
                Assert.fail("User should be Authorized !!");
            }
            KeyVersion retkv = null;
            try {
                retkv = kpExt.createKey("bar", SecureRandom.getSeed(16), opt);
                kpExt.generateEncryptedKey(retkv.getName());
                Assert.fail("User should NOT be Authorized to generate EEK !!");
            } catch (IOException ioe) {
            }
            Assert.assertNotNull(retkv);
            return retkv;
        }
    });
    final EncryptedKeyVersion barEKv = u2.doAs(new PrivilegedExceptionAction<EncryptedKeyVersion>() {

        @Override
        public EncryptedKeyVersion run() throws Exception {
            try {
                kpExt.deleteKey(barKv.getName());
                Assert.fail("User should NOT be Authorized to " + "perform any other operation !!");
            } catch (IOException ioe) {
            }
            return kpExt.generateEncryptedKey(barKv.getName());
        }
    });
    u3.doAs(new PrivilegedExceptionAction<KeyVersion>() {

        @Override
        public KeyVersion run() throws Exception {
            try {
                kpExt.deleteKey(barKv.getName());
                Assert.fail("User should NOT be Authorized to " + "perform any other operation !!");
            } catch (IOException ioe) {
            }
            return kpExt.decryptEncryptedKey(barEKv);
        }
    });
    sudo.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            Options opt = newOptions(conf);
            Map<String, String> m = new HashMap<String, String>();
            m.put("key.acl.name", "testKey");
            opt.setAttributes(m);
            try {
                KeyVersion kv = kpExt.createKey("foo", SecureRandom.getSeed(16), opt);
                kpExt.rollNewVersion(kv.getName());
                kpExt.rollNewVersion(kv.getName(), SecureRandom.getSeed(16));
                EncryptedKeyVersion ekv = kpExt.generateEncryptedKey(kv.getName());
                kpExt.decryptEncryptedKey(ekv);
                kpExt.deleteKey(kv.getName());
            } catch (IOException ioe) {
                Assert.fail("User should be Allowed to do everything !!");
            }
            return null;
        }
    });
}
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) Options(org.apache.hadoop.crypto.key.KeyProvider.Options) Configuration(org.apache.hadoop.conf.Configuration) KeyVersion(org.apache.hadoop.crypto.key.KeyProvider.KeyVersion) EncryptedKeyVersion(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion) KeyProviderCryptoExtension(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension) IOException(java.io.IOException) URI(java.net.URI) IOException(java.io.IOException) EncryptedKeyVersion(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion) UserProvider(org.apache.hadoop.crypto.key.UserProvider) KeyACLs(org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider.KeyACLs) HashMap(java.util.HashMap) Map(java.util.Map) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 20 with EncryptedKeyVersion

use of org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion in project ranger by apache.

the class KMS method reencryptEncryptedKeys.

@SuppressWarnings({ "rawtypes", "unchecked" })
@POST
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" + KMSRESTConstants.REENCRYPT_BATCH_SUB_RESOURCE)
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public Response reencryptEncryptedKeys(@PathParam("name") final String name, final List<Map> jsonPayload) throws Exception {
    try {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Entering reencryptEncryptedKeys method.");
        }
        final Stopwatch sw = Stopwatch.createStarted();
        checkNotEmpty(name, "name");
        checkNotNull(jsonPayload, "jsonPayload");
        final UserGroupInformation user = HttpUserGroupInformation.get();
        KMSWebApp.getReencryptEEKBatchCallsMeter().mark();
        if (jsonPayload.size() > MAX_NUM_PER_BATCH) {
            LOG.warn("Payload size {} too big for reencryptEncryptedKeys from" + " user {}.", jsonPayload.size(), user);
        }
        assertAccess(Type.GENERATE_EEK, user, KMSOp.REENCRYPT_EEK_BATCH, name);
        LOG.debug("Batch reencrypting {} Encrypted Keys for key name {}", jsonPayload.size(), name);
        final List<EncryptedKeyVersion> ekvs = KMSUtil.parseJSONEncKeyVersions(name, jsonPayload);
        Preconditions.checkArgument(ekvs.size() == jsonPayload.size(), "EncryptedKey size mismatch after parsing from json");
        for (EncryptedKeyVersion ekv : ekvs) {
            Preconditions.checkArgument(name.equals(ekv.getEncryptionKeyName()), "All EncryptedKeys must be under the given key name " + name);
        }
        user.doAs(new PrivilegedExceptionAction<Void>() {

            @Override
            public Void run() throws Exception {
                provider.reencryptEncryptedKeys(ekvs);
                return null;
            }
        });
        List retJSON = new ArrayList<>(ekvs.size());
        for (EncryptedKeyVersion ekv : ekvs) {
            retJSON.add(KMSUtil.toJSON(ekv));
        }
        kmsAudit.ok(user, KMSOp.REENCRYPT_EEK_BATCH, name, "reencrypted " + ekvs.size() + " keys");
        LOG.info("reencryptEncryptedKeys {} keys for key {} took {}", jsonPayload.size(), name, sw.stop());
        if (LOG.isDebugEnabled()) {
            LOG.debug("Exiting reencryptEncryptedKeys method.");
        }
        return Response.ok().type(MediaType.APPLICATION_JSON).entity(retJSON).build();
    } catch (Exception e) {
        LOG.error("Exception in reencryptEncryptedKeys.", e);
        throw e;
    }
}
Also used : EncryptedKeyVersion(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion) Stopwatch(com.google.common.base.Stopwatch) ArrayList(java.util.ArrayList) ArrayList(java.util.ArrayList) LinkedList(java.util.LinkedList) List(java.util.List) IOException(java.io.IOException) AccessControlException(org.apache.hadoop.security.AccessControlException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) HttpUserGroupInformation(org.apache.hadoop.security.token.delegation.web.HttpUserGroupInformation) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces)

Aggregations

EncryptedKeyVersion (org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion)23 IOException (java.io.IOException)17 Test (org.junit.Test)14 Configuration (org.apache.hadoop.conf.Configuration)13 KeyProvider (org.apache.hadoop.crypto.key.KeyProvider)13 KeyVersion (org.apache.hadoop.crypto.key.KeyProvider.KeyVersion)13 URI (java.net.URI)12 Options (org.apache.hadoop.crypto.key.KeyProvider.Options)10 KeyProviderCryptoExtension (org.apache.hadoop.crypto.key.KeyProviderCryptoExtension)10 UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)9 HashMap (java.util.HashMap)7 Map (java.util.Map)6 File (java.io.File)5 SocketTimeoutException (java.net.SocketTimeoutException)5 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)5 Path (javax.ws.rs.Path)5 Produces (javax.ws.rs.Produces)5 AccessControlException (org.apache.hadoop.security.AccessControlException)5 AuthorizationException (org.apache.hadoop.security.authorize.AuthorizationException)5 HttpUserGroupInformation (org.apache.hadoop.security.token.delegation.web.HttpUserGroupInformation)5