10 years ago · 3ac8f88989
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -418,6 +418,9 @@ Release 2.7.0 - UNRELEASED
 
				     HADOOP-11509. Change parsing sequence in GenericOptionsParser to parse -D
			
 
				     parameters before -files. (xgong)
			
 
				 
			
 
				+    HADOOP-11469. KMS should skip default.key.acl and whitelist.key.acl when
			
 
				+    loading key acl. (Dian Fu via yliu)
			
 
				+
			
 
				 Release 2.6.1 - UNRELEASED
			
 
				 
			
 
				   INCOMPATIBLE CHANGES
			
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
@@ -36,6 +36,8 @@ import java.util.concurrent.ScheduledExecutorService;
 
				 import java.util.concurrent.TimeUnit;
			
 
				 import java.util.regex.Pattern;
			
 
				 
			
 
				+import com.google.common.annotations.VisibleForTesting;
			
 
				+
			
 
				 /**
			
 
				  * Provides access to the <code>AccessControlList</code>s used by KMS,
			
 
				  * hot-reloading them if the <code>kms-acls.xml</code> file where the ACLs
			
@@ -70,7 +72,8 @@ public class KMSACLs implements Runnable, KeyACLs {
 
				 
			
 
				   private volatile Map<Type, AccessControlList> acls;
			
 
				   private volatile Map<Type, AccessControlList> blacklistedAcls;
			
 
				-  private volatile Map<String, HashMap<KeyOpType, AccessControlList>> keyAcls;
			
 
				+  @VisibleForTesting
			
 
				+  volatile Map<String, HashMap<KeyOpType, AccessControlList>> keyAcls;
			
 
				   private final Map<KeyOpType, AccessControlList> defaultKeyAcls =
			
 
				       new HashMap<KeyOpType, AccessControlList>();
			
 
				   private final Map<KeyOpType, AccessControlList> whitelistKeyAcls =
			
@@ -112,7 +115,7 @@ public class KMSACLs implements Runnable, KeyACLs {
 
				     Map<String, HashMap<KeyOpType, AccessControlList>> tempKeyAcls =
			
 
				         new HashMap<String, HashMap<KeyOpType,AccessControlList>>();
			
 
				     Map<String, String> allKeyACLS =
			
 
				-        conf.getValByRegex(Pattern.quote(KMSConfiguration.KEY_ACL_PREFIX));
			
 
				+        conf.getValByRegex(KMSConfiguration.KEY_ACL_PREFIX_REGEX);
			
 
				     for (Map.Entry<String, String> keyAcl : allKeyACLS.entrySet()) {
			
 
				       String k = keyAcl.getKey();
			
 
				       // this should be of type "key.acl.<KEY_NAME>.<OP_TYPE>"
			
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java
@@ -38,6 +38,7 @@ public class KMSConfiguration {
 
				   public static final String CONFIG_PREFIX = "hadoop.kms.";
			
 
				 
			
 
				   public static final String KEY_ACL_PREFIX = "key.acl.";
			
 
				+  public static final String KEY_ACL_PREFIX_REGEX = "^key\\.acl\\..+";
			
 
				   public static final String DEFAULT_KEY_ACL_PREFIX = "default.key.acl.";
			
 
				   public static final String WHITELIST_KEY_ACL_PREFIX = "whitelist.key.acl.";
			
 
				 
			
--- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java
+++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java
@@ -26,7 +26,7 @@ public class TestKMSACLs {
 
				 
			
 
				   @Test
			
 
				   public void testDefaults() {
			
 
				-    KMSACLs acls = new KMSACLs(new Configuration(false));
			
 
				+    final KMSACLs acls = new KMSACLs(new Configuration(false));
			
 
				     for (KMSACLs.Type type : KMSACLs.Type.values()) {
			
 
				       Assert.assertTrue(acls.hasAccess(type,
			
 
				           UserGroupInformation.createRemoteUser("foo")));
			
@@ -35,11 +35,11 @@ public class TestKMSACLs {
 
				 
			
 
				   @Test
			
 
				   public void testCustom() {
			
 
				-    Configuration conf = new Configuration(false);
			
 
				+    final Configuration conf = new Configuration(false);
			
 
				     for (KMSACLs.Type type : KMSACLs.Type.values()) {
			
 
				       conf.set(type.getAclConfigKey(), type.toString() + " ");
			
 
				     }
			
 
				-    KMSACLs acls = new KMSACLs(conf);
			
 
				+    final KMSACLs acls = new KMSACLs(conf);
			
 
				     for (KMSACLs.Type type : KMSACLs.Type.values()) {
			
 
				       Assert.assertTrue(acls.hasAccess(type,
			
 
				           UserGroupInformation.createRemoteUser(type.toString())));
			
@@ -48,4 +48,16 @@ public class TestKMSACLs {
 
				     }
			
 
				   }
			
 
				 
			
 
				+  @Test
			
 
				+  public void testKeyAclConfigurationLoad() {
			
 
				+    final Configuration conf = new Configuration(false);
			
 
				+    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key_1.MANAGEMENT", "CREATE");
			
 
				+    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key_2.ALL", "CREATE");
			
 
				+    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key_3.NONEXISTOPERATION", "CREATE");
			
 
				+    conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "ROLLOVER");
			
 
				+    conf.set(KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + "MANAGEMENT", "DECRYPT_EEK");
			
 
				+    final KMSACLs acls = new KMSACLs(conf);
			
 
				+    Assert.assertTrue("expected key ACL size is 2 but got " + acls.keyAcls.size(),
			
 
				+        acls.keyAcls.size() == 2);
			
 
				+  }
			
 
				 }