
Example 1 with GDPRSymmetricKey

use of org.apache.hadoop.ozone.security.GDPRSymmetricKey in project ozone by apache.

In class RpcClient, method createKey: builds the OM key-open request and, when the caller sets the GDPR flag in the key metadata, generates a fresh per-key symmetric secret that is stored alongside the key.

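@Override
public OzoneOutputStream createKey(String volumeName, String bucketName, String keyName, long size, ReplicationConfig replicationConfig, Map<String, String> metadata) throws IOException {
    // Opens a new key on the OzoneManager and returns a stream to write its data.
    // When the caller's metadata carries OzoneConsts.GDPR_FLAG=true, a per-key
    // symmetric secret is generated here (client side) and sent to OM inside the
    // key metadata; createInputStream later reads it back from keyInfo.getMetadata().
    // NOTE(review): that secret is therefore only as protected as OM's metadata
    // store and the client<->OM channel — confirm this matches the threat model.
    //
    // Throws IOException for OM failures and for any GDPR key-setup failure
    // (the underlying exception is attached as the cause).
    verifyVolumeName(volumeName);
    verifyBucketName(bucketName);
    if (checkKeyNameEnabled) {
        HddsClientUtils.verifyKeyName(keyName);
    }
    // NOTE(review): the explicit null check runs after verifyKeyName; order is
    // kept as-is because callers may depend on the exception type for a null name.
    HddsClientUtils.checkNotNull(keyName, replicationConfig);
    String requestId = UUID.randomUUID().toString();
    OmKeyArgs.Builder builder = new OmKeyArgs.Builder().setVolumeName(volumeName).setBucketName(bucketName).setKeyName(keyName).setDataSize(size).setReplicationConfig(replicationConfig).addAllMetadata(metadata).setAcls(getAclList()).setLatestVersionLocation(getLatestVersionLocation);
    // Guard against a null metadata map before dereferencing it for the flag.
    if (metadata != null && Boolean.parseBoolean(metadata.get(OzoneConsts.GDPR_FLAG))) {
        try {
            GDPRSymmetricKey gKey = new GDPRSymmetricKey(new SecureRandom());
            // Added after the caller's metadata so the generated secret/algorithm
            // entries are what OM stores. NOTE(review): whether this overrides a
            // caller-supplied GDPR_SECRET/GDPR_ALGORITHM depends on
            // OmKeyArgs.Builder.addAllMetadata — verify it does.
            builder.addAllMetadata(gKey.getKeyDetails());
        } catch (Exception e) {
            // getMessage() may be null (e.g. a bare InvalidKeyException); guarding it
            // avoids masking the real failure with an NPE thrown from this catch block.
            String msg = e.getMessage();
            if (e instanceof InvalidKeyException && msg != null && msg.contains("Illegal key size or default parameters")) {
                LOG.error("Missing Unlimited Strength Policy jars. Please install " + "Java Cryptography Extension (JCE) Unlimited Strength " + "Jurisdiction Policy Files");
            }
            throw new IOException(e);
        }
    }
    OpenKeySession openKey = ozoneManagerClient.openKey(builder.build());
    return createOutputStream(openKey, requestId, replicationConfig);
}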

Example 2 with GDPRSymmetricKey

use of org.apache.hadoop.ozone.security.GDPRSymmetricKey in project ozone by apache.

In class RpcClient, method createInputStream: wraps the raw key data stream in the appropriate decrypting stream — a GDPR cipher stream when the key metadata carries the GDPR flag, a KMS-backed CryptoInputStream when the key has FileEncryptionInfo, or no wrapper otherwise.

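private OzoneInputStream createInputStream(OmKeyInfo keyInfo, Function<OmKeyInfo, OmKeyInfo> retryFunction) throws IOException {
    // Builds the read stream for a key, choosing the decryption layer from the
    // key's metadata:
    //   - no FileEncryptionInfo + GDPR flag  -> javax.crypto CipherInputStream using
    //     the secret/algorithm stored in the key metadata
    //   - no FileEncryptionInfo, no GDPR flag -> raw stream
    //   - FileEncryptionInfo, single-part key -> Hadoop CryptoInputStream with the
    //     DEK unwrapped via getDEK
    //   - FileEncryptionInfo, multipart key   -> one OzoneCryptoInputStream per part
    // retryFunction is handed to KeyInputStream for refreshing key info on retry.
    // Throws IOException for read-setup failures; any GDPR cipher-setup failure is
    // wrapped in an IOException with the original exception as cause.
    //
    // When Key is not MPU or when Key is MPU and encryption is not enabled
    // Need to revisit for GDPR.
    FileEncryptionInfo feInfo = keyInfo.getFileEncryptionInfo();
    if (feInfo == null) {
        LengthInputStream lengthInputStream = KeyInputStream.getFromOmKeyInfo(keyInfo, xceiverClientManager, clientConfig.isChecksumVerify(), retryFunction);
        try {
            Map<String, String> keyInfoMetadata = keyInfo.getMetadata();
            if (Boolean.parseBoolean(keyInfoMetadata.get(OzoneConsts.GDPR_FLAG))) {
                GDPRSymmetricKey gk = new GDPRSymmetricKey(keyInfoMetadata.get(OzoneConsts.GDPR_SECRET), keyInfoMetadata.get(OzoneConsts.GDPR_ALGORITHM));
                // NOTE(review): init is called without an IV/AlgorithmParameterSpec,
                // so the mode is whatever GDPRSymmetricKey's Cipher defaults to, and
                // the stream carries no integrity check — confirm the algorithm is not
                // a plain ECB default and that tampering is detected elsewhere.
                gk.getCipher().init(Cipher.DECRYPT_MODE, gk.getSecretKey());
                return new OzoneInputStream(new CipherInputStream(lengthInputStream, gk.getCipher()));
            }
        } catch (Exception ex) {
            // Release the already-opened datanode stream instead of leaking it
            // when GDPR key/cipher setup fails.
            try {
                lengthInputStream.close();
            } catch (IOException closeEx) {
                ex.addSuppressed(closeEx);
            }
            throw new IOException(ex);
        }
        return new OzoneInputStream(lengthInputStream.getWrappedStream());
    } else if (!keyInfo.getLatestVersionLocations().isMultipartKey()) {
        // Regular Key with FileEncryptionInfo
        LengthInputStream lengthInputStream = KeyInputStream.getFromOmKeyInfo(keyInfo, xceiverClientManager, clientConfig.isChecksumVerify(), retryFunction);
        final KeyProvider.KeyVersion decrypted = getDEK(feInfo);
        final CryptoInputStream cryptoIn = new CryptoInputStream(lengthInputStream.getWrappedStream(), OzoneKMSUtil.getCryptoCodec(conf, feInfo), decrypted.getMaterial(), feInfo.getIV());
        return new OzoneInputStream(cryptoIn);
    } else {
        // Multipart Key with FileEncryptionInfo: each part gets its own crypto
        // stream over the same DEK/IV, then they are stitched back together.
        List<LengthInputStream> lengthInputStreams = KeyInputStream.getStreamsFromKeyInfo(keyInfo, xceiverClientManager, clientConfig.isChecksumVerify(), retryFunction);
        final KeyProvider.KeyVersion decrypted = getDEK(feInfo);
        List<OzoneCryptoInputStream> cryptoInputStreams = new ArrayList<>();
        for (LengthInputStream lengthInputStream : lengthInputStreams) {
            final OzoneCryptoInputStream ozoneCryptoInputStream = new OzoneCryptoInputStream(lengthInputStream, OzoneKMSUtil.getCryptoCodec(conf, feInfo), decrypted.getMaterial(), feInfo.getIV());
            cryptoInputStreams.add(ozoneCryptoInputStream);
        }
        return new MultipartCryptoKeyInputStream(keyInfo.getKeyName(), cryptoInputStreams);
    }
}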

Example 3 with GDPRSymmetricKey

use of org.apache.hadoop.ozone.security.GDPRSymmetricKey in project ozone by apache.

In class RpcClient, method createOutputStream: wraps the raw KeyOutputStream in the matching encrypting stream — a KMS-backed CryptoOutputStream when the opened key has FileEncryptionInfo, a GDPR CipherOutputStream when the key metadata carries the GDPR flag, or no wrapper otherwise.

private OzoneOutputStream createOutputStream(OpenKeySession openKey, String requestId, ReplicationConfig replicationConfig) throws IOException {
    // Builds the write stream for an already-opened key. The encryption layer is
    // chosen from the OpenKeySession's key info:
    //   - FileEncryptionInfo present -> Hadoop CryptoOutputStream with the DEK from getDEK
    //   - otherwise, GDPR flag set   -> javax.crypto CipherOutputStream using the
    //                                   secret/algorithm stored in the key metadata
    //   - otherwise                  -> raw KeyOutputStream
    // Throws IOException on stream-setup failure; a GDPR cipher-setup failure is
    // wrapped in an IOException carrying the original exception as cause.
    final KeyOutputStream rawOut = new KeyOutputStream.Builder()
        .setHandler(openKey)
        .setXceiverClientManager(xceiverClientManager)
        .setOmClient(ozoneManagerClient)
        .setRequestID(requestId)
        .setReplicationConfig(replicationConfig)
        .enableUnsafeByteBufferConversion(unsafeByteBufferConversion)
        .setConfig(clientConfig)
        .build();
    rawOut.addPreallocateBlocks(openKey.getKeyInfo().getLatestVersionLocations(), openKey.getOpenVersion());

    final FileEncryptionInfo encInfo = openKey.getKeyInfo().getFileEncryptionInfo();
    if (encInfo != null) {
        // KMS-managed encryption: unwrap the DEK and encrypt with the codec/IV OM recorded.
        final KeyProvider.KeyVersion dek = getDEK(encInfo);
        final CryptoOutputStream encryptedOut = new CryptoOutputStream(rawOut, OzoneKMSUtil.getCryptoCodec(conf, encInfo), dek.getMaterial(), encInfo.getIV());
        return new OzoneOutputStream(encryptedOut);
    }

    try {
        final Map<String, String> keyMetadata = openKey.getKeyInfo().getMetadata();
        if (Boolean.valueOf(keyMetadata.get(OzoneConsts.GDPR_FLAG))) {
            // Secret and algorithm come back from OM in the key metadata (they were
            // placed there by createKey when the GDPR flag was set).
            final GDPRSymmetricKey gdprKey = new GDPRSymmetricKey(keyMetadata.get(OzoneConsts.GDPR_SECRET), keyMetadata.get(OzoneConsts.GDPR_ALGORITHM));
            // NOTE(review): no IV/AlgorithmParameterSpec is supplied here, so the
            // mode is whatever GDPRSymmetricKey's Cipher defaults to and no integrity
            // tag is produced — confirm the algorithm is not a plain ECB default.
            gdprKey.getCipher().init(Cipher.ENCRYPT_MODE, gdprKey.getSecretKey());
            return new OzoneOutputStream(new CipherOutputStream(rawOut, gdprKey.getCipher()));
        }
    } catch (Exception ex) {
        throw new IOException(ex);
    }
    // Neither encryption scheme applies: write plaintext.
    return new OzoneOutputStream(rawOut);
}
