Use of org.apache.hadoop.hbase.io.crypto.Cipher in project hbase by apache.
The class SecureProtobufLogReader, method readHeader (the decrypting reader side of WAL encryption).
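/**
 * Reads the WAL header and, if it carries a wrapped encryption key, unwraps that key and
 * initializes the {@code decryptor} used for the rest of this WAL.
 *
 * The decision to decrypt is driven solely by the header contents: a header with an encryption
 * key is treated as encrypted regardless of what the current site configuration says about WAL
 * encryption, so files written while encryption was enabled stay readable after it is turned off.
 *
 * @param builder header builder that {@code super.readHeader} fills from the stream
 * @param stream  the WAL input stream positioned at the header
 * @return the header context produced by the superclass
 * @throws IOException if the header cannot be read, if no configured key can unwrap the WAL key,
 *   or if the cipher the key was generated for is not available
 */
@Override
protected WALHdrContext readHeader(WALHeader.Builder builder, FSDataInputStream stream)
    throws IOException {
  WALHdrContext hdrCtxt = super.readHeader(builder, stream);
  WALHdrResult result = hdrCtxt.getResult();
  if (result == WALHdrResult.SUCCESS && builder.hasEncryptionKey()) {
    // Serialized header data has been merged into the builder from the stream.
    // Fail fast if the configured key or cipher provider is unusable.
    EncryptionTest.testKeyProvider(conf);
    EncryptionTest.testCipherProvider(conf);
    byte[] wrappedKey = builder.getEncryptionKey().toByteArray();
    Key key = unwrapWALHeaderKey(wrappedKey);
    // The unwrapped key names the algorithm the writer generated it for; use that cipher
    // rather than whatever is configured for newly written WALs.
    Cipher cipher = Encryption.getCipher(conf, key.getAlgorithm());
    if (cipher == null) {
      throw new IOException("Cipher '" + key.getAlgorithm() + "' is not available");
    }
    // Set up the decryptor for this WAL
    decryptor = cipher.getDecryptor();
    decryptor.setKey(key);
    if (LOG.isTraceEnabled()) {
      LOG.trace("Initialized secure protobuf WAL: cipher=" + cipher.getName());
    }
  }
  return hdrCtxt;
}

/**
 * Unwraps the per-WAL data key stored in the header, trying the configured wrapping keys in
 * order: the WAL key ({@code HConstants.CRYPTO_WAL_KEY_NAME_CONF_KEY}) if set, then the cluster
 * master key ({@code HConstants.CRYPTO_MASTERKEY_NAME_CONF_KEY}, defaulting to the current user's
 * short name), then the alternate master key
 * ({@code HConstants.CRYPTO_MASTERKEY_ALTERNATE_NAME_CONF_KEY}) if set. The alternate exists so a
 * WAL written under a previous master key remains readable during key rotation.
 *
 * Only key names are logged, never key material.
 *
 * @param wrappedKey the wrapped key bytes taken from the WAL header
 * @return the unwrapped data key
 * @throws IOException if none of the configured keys can unwrap it; the failure of the last key
 *   tried is the cause and earlier failed attempts are attached as suppressed exceptions so the
 *   whole chain is visible in the stack trace
 */
private Key unwrapWALHeaderKey(byte[] wrappedKey) throws IOException {
  KeyException walKeyFailure = null;
  String walKeyName = conf.get(HConstants.CRYPTO_WAL_KEY_NAME_CONF_KEY);
  // First try the WAL key, if one is configured
  if (walKeyName != null) {
    try {
      return EncryptionUtil.unwrapWALKey(conf, walKeyName, wrappedKey);
    } catch (KeyException e) {
      if (LOG.isDebugEnabled()) {
        LOG.debug("Unable to unwrap key with WAL key '" + walKeyName + "'");
      }
      walKeyFailure = e;
    }
  }
  // Then, try the cluster master key
  String masterKeyName =
    conf.get(HConstants.CRYPTO_MASTERKEY_NAME_CONF_KEY, User.getCurrent().getShortName());
  try {
    return EncryptionUtil.unwrapWALKey(conf, masterKeyName, wrappedKey);
  } catch (KeyException e) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Unable to unwrap key with current master key '" + masterKeyName + "'");
    }
    // If the current master key fails to unwrap, try the alternate, if one is configured
    String alternateKeyName = conf.get(HConstants.CRYPTO_MASTERKEY_ALTERNATE_NAME_CONF_KEY);
    if (alternateKeyName == null) {
      IOException ioe = new IOException(e);
      if (walKeyFailure != null) {
        ioe.addSuppressed(walKeyFailure);
      }
      throw ioe;
    }
    try {
      return EncryptionUtil.unwrapWALKey(conf, alternateKeyName, wrappedKey);
    } catch (KeyException ex) {
      IOException ioe = new IOException(ex);
      ioe.addSuppressed(e);
      if (walKeyFailure != null) {
        ioe.addSuppressed(walKeyFailure);
      }
      throw ioe;
    }
  }
}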
Use of org.apache.hadoop.hbase.io.crypto.Cipher in project hbase by apache.
The class AbstractProtobufLogWriter, method buildSecureWALHeader (the encrypting writer side of WAL encryption).
// Should be called from a subclass's buildWALHeader method to build the WALHeader for a secure
// environment. Subclasses must also override setEncryptor, which this method calls to hand over
// the initialized encryptor.
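/**
 * Builds the WAL header for a secure environment and, when WAL encryption is enabled, sets up
 * the encryptor for this WAL.
 *
 * When {@code HConstants.ENABLE_WAL_ENCRYPTION} is true a fresh random data key is generated for
 * this WAL alone, wrapped with the configured WAL key (falling back to the master key, then to a
 * key named after the current user) and stored in the header. The key's algorithm name is the
 * cipher name, which is what the reader uses to select the matching cipher on replay. The
 * encryptor is passed to {@link #setEncryptor}, which subclasses must override.
 *
 * @param conf    configuration to read the encryption settings from
 * @param builder header builder to populate
 * @return the finished header, as produced by {@code buildWALHeader0}
 * @throws IOException if wrapping the data key fails
 * @throws RuntimeException if the configured cipher is not available
 */
protected final WALHeader buildSecureWALHeader(Configuration conf, WALHeader.Builder builder)
    throws IOException {
  builder.setWriterClsName(getWriterClassName());
  if (conf.getBoolean(HConstants.ENABLE_WAL_ENCRYPTION, false)) {
    // Fail fast if the configured key or cipher provider is unusable.
    EncryptionTest.testKeyProvider(conf);
    EncryptionTest.testCipherProvider(conf);
    final String cipherName =
      conf.get(HConstants.CRYPTO_WAL_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES);
    Cipher cipher = Encryption.getCipher(conf, cipherName);
    if (cipher == null) {
      // NOTE(review): the reader reports the same condition as an IOException; kept unchecked
      // here so existing callers' exception handling is unaffected.
      throw new RuntimeException("Cipher '" + cipherName + "' is not available");
    }
    // One random data key per WAL, sized for the cipher. SecureRandom is required here: this key
    // protects every entry appended to the file.
    byte[] keyBytes = new byte[cipher.getKeyLength()];
    new SecureRandom().nextBytes(keyBytes);
    Key key = new SecretKeySpec(keyBytes, cipher.getName());
    // SecretKeySpec copies the array, so clear this local copy right away to shorten the time a
    // second copy of the raw key sits on the heap.
    java.util.Arrays.fill(keyBytes, (byte) 0);
    // Wrap the data key with the WAL key if configured, otherwise the cluster master key,
    // otherwise a key named after the current user -- the same resolution order the reader uses.
    String wrappingKeyName = conf.get(HConstants.CRYPTO_WAL_KEY_NAME_CONF_KEY,
      conf.get(HConstants.CRYPTO_MASTERKEY_NAME_CONF_KEY, User.getCurrent().getShortName()));
    byte[] wrappedKey = EncryptionUtil.wrapKey(conf, wrappingKeyName, key);
    builder.setEncryptionKey(UnsafeByteOperations.unsafeWrap(wrappedKey));
    // Set up the encryptor
    Encryptor encryptor = cipher.getEncryptor();
    encryptor.setKey(key);
    setEncryptor(encryptor);
    if (LOG.isTraceEnabled()) {
      LOG.trace("Initialized secure protobuf WAL: cipher=" + cipher.getName());
    }
  }
  builder.setCellCodecClsName(SecureWALCellCodec.class.getName());
  return buildWALHeader0(conf, builder);
}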