
Example 21 with EncryptedKeyVersion

use of org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion in project ranger by apache.

the class KMS method handleEncryptedKeyOp.

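/**
 * Serves the EEK sub-resource of a key version: decrypts or re-encrypts an encrypted
 * encryption key (EEK) whose IV and material arrive Base64-encoded in the JSON body.
 *
 * <p>Every request is ACL-checked for the caller before the provider is invoked and an audit
 * record is written on success; failures are logged here and rethrown unchanged so the JAX-RS
 * exception mapping stays in charge of the HTTP status.
 *
 * @param versionName key-version name taken from the path; must be non-empty
 * @param eekOp requested operation, {@code KMSRESTConstants.EEK_DECRYPT} or
 *     {@code KMSRESTConstants.EEK_REENCRYPT}; must be non-null
 * @param jsonPayload request body holding the key name, IV and encrypted material
 * @param request used only to attach the caller address to the ACL check and audit record
 * @return 200 with the decrypted key version or the re-encrypted key version rendered as JSON
 * @throws IllegalArgumentException if a required field is missing or {@code eekOp} is not one of
 *     the two supported values
 * @throws Exception anything raised by the ACL check or the provider, logged and rethrown
 */
@SuppressWarnings("rawtypes")
@POST
@Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}/" + KMSRESTConstants.EEK_SUB_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
public Response handleEncryptedKeyOp(@PathParam("versionName") final String versionName, @QueryParam(KMSRESTConstants.EEK_OP) String eekOp, Map jsonPayload, @Context HttpServletRequest request) throws Exception {
    try {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Entering handleEncryptedKeyOp method.");
        }
        UserGroupInformation user = HttpUserGroupInformation.get();
        checkNotEmpty(versionName, "versionName");
        checkNotNull(eekOp, "eekOp");
        // Without this, a request with no body fails with a NullPointerException (server error)
        // instead of being reported back to the client as a bad argument.
        checkNotNull(jsonPayload, "jsonPayload");
        LOG.debug("Decrypting key for {}, the edek Operation is {}.", versionName, eekOp);
        final String keyName = (String) jsonPayload.get(KMSRESTConstants.NAME_FIELD);
        String ivStr = (String) jsonPayload.get(KMSRESTConstants.IV_FIELD);
        String encMaterialStr = (String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD);
        // The key name is what the ACL check and the audit record are keyed on, so validate all
        // three fields before any decoding or provider work happens.
        checkNotNull(keyName, KMSRESTConstants.NAME_FIELD);
        checkNotNull(ivStr, KMSRESTConstants.IV_FIELD);
        checkNotNull(encMaterialStr, KMSRESTConstants.MATERIAL_FIELD);
        final byte[] iv = Base64.decodeBase64(ivStr);
        final byte[] encMaterial = Base64.decodeBase64(encMaterialStr);
        // Captured once so both operations record the same caller address.
        final String clientIp = request.getRemoteAddr();
        Object retJSON;
        if (eekOp.equals(KMSRESTConstants.EEK_DECRYPT)) {
            KMSWebApp.getDecryptEEKCallsMeter().mark();
            assertAccess(Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName, clientIp);
            KeyProvider.KeyVersion retKeyVersion = user.doAs(new PrivilegedExceptionAction<KeyVersion>() {

                @Override
                public KeyVersion run() throws Exception {
                    return provider.decryptEncryptedKey(new KMSClientProvider.KMSEncryptedKeyVersion(keyName, versionName, iv, KeyProviderCryptoExtension.EEK, encMaterial));
                }
            });
            retJSON = KMSUtil.toJSON(retKeyVersion);
            kmsAudit.ok(user, KMSOp.DECRYPT_EEK, keyName, "");
        } else if (eekOp.equals(KMSRESTConstants.EEK_REENCRYPT)) {
            KMSWebApp.getReencryptEEKCallsMeter().mark();
            // Re-encryption is gated by the GENERATE_EEK ACL; pass the client address so the
            // audit trail matches what the decrypt branch records.
            assertAccess(Type.GENERATE_EEK, user, KMSOp.REENCRYPT_EEK, keyName, clientIp);
            EncryptedKeyVersion retEncryptedKeyVersion = user.doAs(new PrivilegedExceptionAction<EncryptedKeyVersion>() {

                @Override
                public EncryptedKeyVersion run() throws Exception {
                    return provider.reencryptEncryptedKey(new KMSClientProvider.KMSEncryptedKeyVersion(keyName, versionName, iv, KeyProviderCryptoExtension.EEK, encMaterial));
                }
            });
            retJSON = KMSUtil.toJSON(retEncryptedKeyVersion);
            kmsAudit.ok(user, KMSOp.REENCRYPT_EEK, keyName, "");
        } else {
            // This endpoint accepts decrypt and reencrypt only; the earlier message advertised
            // the generate operation, which belongs to a different resource.
            String error = "IllegalArgumentException Wrong " + KMSRESTConstants.EEK_OP + " value, it must be " + KMSRESTConstants.EEK_DECRYPT + " or " + KMSRESTConstants.EEK_REENCRYPT;
            LOG.error(error);
            throw new IllegalArgumentException(error);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Exiting handleEncryptedKeyOp method.");
        }
        return Response.ok().type(MediaType.APPLICATION_JSON).entity(retJSON).build();
    } catch (Exception e) {
        LOG.error("Exception in handleEncryptedKeyOp.", e);
        throw e;
    }
}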
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) KeyVersion(org.apache.hadoop.crypto.key.KeyProvider.KeyVersion) EncryptedKeyVersion(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) KMSClientProvider(org.apache.hadoop.crypto.key.kms.KMSClientProvider) IOException(java.io.IOException) AccessControlException(org.apache.hadoop.security.AccessControlException) KeyVersion(org.apache.hadoop.crypto.key.KeyProvider.KeyVersion) EncryptedKeyVersion(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) HttpUserGroupInformation(org.apache.hadoop.security.token.delegation.web.HttpUserGroupInformation) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Produces(javax.ws.rs.Produces)

Example 22 with EncryptedKeyVersion

use of org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion in project ranger by apache.

the class TestKeyAuthorizationKeyProvider method testDecryptWithKeyVersionNameKeyMismatch.

/**
 * An EEK whose key name does not own the key version it names must be refused at decrypt time.
 * The EEK is produced legitimately as {@code sudo}, rebuilt with the key name altered, and
 * handed back to {@code decryptEncryptedKey}, which is expected to raise
 * {@link IllegalArgumentException}.
 *
 * @throws Exception propagated from provider setup or the privileged action; the expected
 *     {@link IllegalArgumentException} is what makes this test pass
 */
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
    final Configuration conf = new Configuration();
    KeyProvider backingProvider = new UserProvider.Factory().createProvider(new URI("user:///"), conf);
    KeyACLs acls = mock(KeyACLs.class);
    KeyOpType[] presentOps = {KeyOpType.MANAGEMENT, KeyOpType.GENERATE_EEK, KeyOpType.DECRYPT_EEK, KeyOpType.ALL};
    for (KeyOpType op : presentOps) {
        when(acls.isACLPresent("testKey", op)).thenReturn(true);
    }
    UserGroupInformation managementUser = UserGroupInformation.createRemoteUser("u1");
    UserGroupInformation generateUser = UserGroupInformation.createRemoteUser("u2");
    UserGroupInformation decryptUser = UserGroupInformation.createRemoteUser("u3");
    UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
    when(acls.hasAccessToKey("testKey", managementUser, KeyOpType.MANAGEMENT)).thenReturn(true);
    when(acls.hasAccessToKey("testKey", generateUser, KeyOpType.GENERATE_EEK)).thenReturn(true);
    when(acls.hasAccessToKey("testKey", decryptUser, KeyOpType.DECRYPT_EEK)).thenReturn(true);
    when(acls.hasAccessToKey("testKey", sudo, KeyOpType.ALL)).thenReturn(true);
    final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(KeyProviderCryptoExtension.createKeyProviderCryptoExtension(backingProvider), acls);
    sudo.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            Options keyOptions = newOptions(conf);
            Map<String, String> attributes = new HashMap<String, String>();
            attributes.put("key.acl.name", "testKey");
            keyOptions.setAttributes(attributes);
            byte[] initialMaterial = new byte[16];
            SECURE_RANDOM.nextBytes(initialMaterial);
            KeyVersion created = kpExt.createKey("foo", initialMaterial, keyOptions);
            kpExt.rollNewVersion(created.getName());
            byte[] rolledMaterial = new byte[16];
            SECURE_RANDOM.nextBytes(rolledMaterial);
            kpExt.rollNewVersion(created.getName(), rolledMaterial);
            EncryptedKeyVersion genuine = kpExt.generateEncryptedKey(created.getName());
            // Same version name, IV and material, but a key name that does not own that version.
            String mismatchedKeyName = genuine.getEncryptionKeyName() + "x";
            EncryptedKeyVersion mismatched = EncryptedKeyVersion.createForDecryption(mismatchedKeyName, genuine.getEncryptionKeyVersionName(), genuine.getEncryptedKeyIv(), genuine.getEncryptedKeyVersion().getMaterial());
            kpExt.decryptEncryptedKey(mismatched);
            return null;
        }
    });
}
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) Options(org.apache.hadoop.crypto.key.KeyProvider.Options) Configuration(org.apache.hadoop.conf.Configuration) KeyVersion(org.apache.hadoop.crypto.key.KeyProvider.KeyVersion) EncryptedKeyVersion(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion) KeyProviderCryptoExtension(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension) URI(java.net.URI) IOException(java.io.IOException) EncryptedKeyVersion(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion) UserProvider(org.apache.hadoop.crypto.key.UserProvider) KeyACLs(org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider.KeyACLs) HashMap(java.util.HashMap) Map(java.util.Map) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 23 with EncryptedKeyVersion

use of org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion in project ranger by apache.

the class TestKeyAuthorizationKeyProvider method testOpsWhenACLAttributeExists.

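/**
 * Exercises per-key ACL enforcement through {@code KeyAuthorizationKeyProvider} for a key that
 * carries the {@code key.acl.name} attribute: the MANAGEMENT-only user can create, roll and
 * delete but not generate an EEK; the GENERATE_EEK-only user can only generate; the
 * DECRYPT_EEK-only user can only decrypt; and {@code sudo} (ALL) can do everything.
 *
 * <p>Authorization failures surface from the provider as {@link IOException}; where the test
 * expects one, the exception is deliberately swallowed and the {@code Assert.fail} that precedes
 * it is what detects a missing refusal.
 *
 * @throws Exception propagated from provider setup or any privileged action
 */
@Test
public void testOpsWhenACLAttributeExists() throws Exception {
    final Configuration conf = new Configuration();
    KeyProvider kp = new UserProvider.Factory().createProvider(new URI("user:///"), conf);
    KeyACLs mock = mock(KeyACLs.class);
    when(mock.isACLPresent("testKey", KeyOpType.MANAGEMENT)).thenReturn(true);
    when(mock.isACLPresent("testKey", KeyOpType.GENERATE_EEK)).thenReturn(true);
    when(mock.isACLPresent("testKey", KeyOpType.DECRYPT_EEK)).thenReturn(true);
    when(mock.isACLPresent("testKey", KeyOpType.ALL)).thenReturn(true);
    UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
    UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
    UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
    UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
    when(mock.hasAccessToKey("testKey", u1, KeyOpType.MANAGEMENT)).thenReturn(true);
    when(mock.hasAccessToKey("testKey", u2, KeyOpType.GENERATE_EEK)).thenReturn(true);
    when(mock.hasAccessToKey("testKey", u3, KeyOpType.DECRYPT_EEK)).thenReturn(true);
    when(mock.hasAccessToKey("testKey", sudo, KeyOpType.ALL)).thenReturn(true);
    final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp), mock);
    // u1 holds MANAGEMENT only: the full key lifecycle is allowed, generating an EEK is not.
    final KeyVersion barKv = u1.doAs(new PrivilegedExceptionAction<KeyVersion>() {

        @Override
        public KeyVersion run() throws Exception {
            Options opt = aclOptionsFor(conf);
            try {
                KeyVersion kv = createAndRollKey(kpExt, "foo", opt);
                kpExt.deleteKey(kv.getName());
            } catch (IOException ioe) {
                Assert.fail("User should be Authorized !!");
            }
            KeyVersion retkv = null;
            try {
                byte[] seed = new byte[16];
                SECURE_RANDOM.nextBytes(seed);
                retkv = kpExt.createKey("bar", seed, opt);
                kpExt.generateEncryptedKey(retkv.getName());
                Assert.fail("User should NOT be Authorized to generate EEK !!");
            } catch (IOException ignored) {
                // Expected: u1 lacks GENERATE_EEK, so the provider must refuse.
            }
            Assert.assertNotNull(retkv);
            return retkv;
        }
    });
    // u2 holds GENERATE_EEK only: deleting must be refused, generating must succeed.
    final EncryptedKeyVersion barEKv = u2.doAs(new PrivilegedExceptionAction<EncryptedKeyVersion>() {

        @Override
        public EncryptedKeyVersion run() throws Exception {
            try {
                kpExt.deleteKey(barKv.getName());
                Assert.fail("User should NOT be Authorized to " + "perform any other operation !!");
            } catch (IOException ignored) {
                // Expected: u2 lacks MANAGEMENT.
            }
            return kpExt.generateEncryptedKey(barKv.getName());
        }
    });
    // u3 holds DECRYPT_EEK only: deleting must be refused, decrypting u2's EEK must succeed.
    u3.doAs(new PrivilegedExceptionAction<KeyVersion>() {

        @Override
        public KeyVersion run() throws Exception {
            try {
                kpExt.deleteKey(barKv.getName());
                Assert.fail("User should NOT be Authorized to " + "perform any other operation !!");
            } catch (IOException ignored) {
                // Expected: u3 lacks MANAGEMENT.
            }
            return kpExt.decryptEncryptedKey(barEKv);
        }
    });
    // sudo holds ALL: every operation in the lifecycle must be allowed.
    sudo.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            Options opt = aclOptionsFor(conf);
            try {
                KeyVersion kv = createAndRollKey(kpExt, "foo", opt);
                EncryptedKeyVersion ekv = kpExt.generateEncryptedKey(kv.getName());
                kpExt.decryptEncryptedKey(ekv);
                kpExt.deleteKey(kv.getName());
            } catch (IOException ioe) {
                Assert.fail("User should be Allowed to do everything !!");
            }
            return null;
        }
    });
}

/**
 * Builds key options carrying the {@code key.acl.name=testKey} attribute that the mocked ACLs
 * are keyed on.
 *
 * @param conf configuration the base options are derived from
 * @return options with the ACL-name attribute set
 */
private Options aclOptionsFor(Configuration conf) {
    Options opt = newOptions(conf);
    Map<String, String> attributes = new HashMap<String, String>();
    attributes.put("key.acl.name", "testKey");
    opt.setAttributes(attributes);
    return opt;
}

/**
 * Creates key {@code name} from fresh random material and rolls it twice, once letting the
 * provider pick the material and once supplying it, which is the management sequence every
 * authorized user in this test performs.
 *
 * @param kpExt provider under test
 * @param name key name to create
 * @param opt options the key is created with
 * @return the key version returned by {@code createKey}
 * @throws IOException if the provider refuses or fails any step
 * @throws java.security.NoSuchAlgorithmException if the provider cannot generate material
 */
private KeyVersion createAndRollKey(KeyProviderCryptoExtension kpExt, String name, Options opt) throws IOException, java.security.NoSuchAlgorithmException {
    byte[] seed = new byte[16];
    SECURE_RANDOM.nextBytes(seed);
    KeyVersion kv = kpExt.createKey(name, seed, opt);
    kpExt.rollNewVersion(kv.getName());
    seed = new byte[16];
    SECURE_RANDOM.nextBytes(seed);
    kpExt.rollNewVersion(kv.getName(), seed);
    return kv;
}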
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) Options(org.apache.hadoop.crypto.key.KeyProvider.Options) Configuration(org.apache.hadoop.conf.Configuration) KeyVersion(org.apache.hadoop.crypto.key.KeyProvider.KeyVersion) EncryptedKeyVersion(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion) KeyProviderCryptoExtension(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension) IOException(java.io.IOException) URI(java.net.URI) IOException(java.io.IOException) EncryptedKeyVersion(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion) UserProvider(org.apache.hadoop.crypto.key.UserProvider) KeyACLs(org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider.KeyACLs) HashMap(java.util.HashMap) Map(java.util.Map) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)
