Trang chủ Khám phá Trợ giúp
Đăng ký Đăng nhập
apache
/
hadoop
mirror of https://github.com/apache/hadoop.git
2
0
Fork 1
Các tập tin Các vấn đề 0 Wiki
Browse Source

HADOOP-11469. KMS should skip default.key.acl and whitelist.key.acl when loading key acl. (Dian Fu via yliu)

yliu 10 năm trước cách đây
mục cha
d483ba25d7
commit
3ac8f88989
4 tập tin đã thay đổi với 24 bổ sung5 xóa
View chưa được định nghĩa Hiển thị tình trạng sai khác
  1. 3 0
      hadoop-common-project/hadoop-common/CHANGES.txt
  2. 5 2
      hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
  3. 1 0
      hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java
  4. 15 3
      hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java

+ 3 - 0
hadoop-common-project/hadoop-common/CHANGES.txt
Xem Tập Tin 

@@ -418,6 +418,9 @@ Release 2.7.0 - UNRELEASED
 
     HADOOP-11509. Change parsing sequence in GenericOptionsParser to parse -D
 
     HADOOP-11509. Change parsing sequence in GenericOptionsParser to parse -D
 
     parameters before -files. (xgong)
 
     parameters before -files. (xgong)
 
 
 
+    HADOOP-11469. KMS should skip default.key.acl and whitelist.key.acl when
 
+    loading key acl. (Dian Fu via yliu)
 
+
 
 Release 2.6.1 - UNRELEASED
 
 Release 2.6.1 - UNRELEASED
 
 
 
   INCOMPATIBLE CHANGES
 
   INCOMPATIBLE CHANGES

+ 5 - 2
hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
Xem Tập Tin 

@@ -36,6 +36,8 @@ import java.util.concurrent.ScheduledExecutorService;
 
 import java.util.concurrent.TimeUnit;
 
 import java.util.concurrent.TimeUnit;
 
 import java.util.regex.Pattern;
 
 import java.util.regex.Pattern;
 
 
 
+import com.google.common.annotations.VisibleForTesting;
 
+
 
 /**
 
 /**
 
  * Provides access to the <code>AccessControlList</code>s used by KMS,
 
  * Provides access to the <code>AccessControlList</code>s used by KMS,
 
  * hot-reloading them if the <code>kms-acls.xml</code> file where the ACLs
 
  * hot-reloading them if the <code>kms-acls.xml</code> file where the ACLs
 
@@ -70,7 +72,8 @@ public class KMSACLs implements Runnable, KeyACLs {
 
 
 
   private volatile Map<Type, AccessControlList> acls;
 
   private volatile Map<Type, AccessControlList> acls;
 
   private volatile Map<Type, AccessControlList> blacklistedAcls;
 
   private volatile Map<Type, AccessControlList> blacklistedAcls;
 
-  private volatile Map<String, HashMap<KeyOpType, AccessControlList>> keyAcls;
 
+  @VisibleForTesting
 
+  volatile Map<String, HashMap<KeyOpType, AccessControlList>> keyAcls;
 
   private final Map<KeyOpType, AccessControlList> defaultKeyAcls =
 
   private final Map<KeyOpType, AccessControlList> defaultKeyAcls =
 
       new HashMap<KeyOpType, AccessControlList>();
 
       new HashMap<KeyOpType, AccessControlList>();
 
   private final Map<KeyOpType, AccessControlList> whitelistKeyAcls =
 
   private final Map<KeyOpType, AccessControlList> whitelistKeyAcls =
 
@@ -112,7 +115,7 @@ public class KMSACLs implements Runnable, KeyACLs {
 
     Map<String, HashMap<KeyOpType, AccessControlList>> tempKeyAcls =
 
     Map<String, HashMap<KeyOpType, AccessControlList>> tempKeyAcls =
 
         new HashMap<String, HashMap<KeyOpType,AccessControlList>>();
 
         new HashMap<String, HashMap<KeyOpType,AccessControlList>>();
 
     Map<String, String> allKeyACLS =
 
     Map<String, String> allKeyACLS =
 
-        conf.getValByRegex(Pattern.quote(KMSConfiguration.KEY_ACL_PREFIX));
 
+        conf.getValByRegex(KMSConfiguration.KEY_ACL_PREFIX_REGEX);
 
     for (Map.Entry<String, String> keyAcl : allKeyACLS.entrySet()) {
 
     for (Map.Entry<String, String> keyAcl : allKeyACLS.entrySet()) {
 
       String k = keyAcl.getKey();
 
       String k = keyAcl.getKey();
 
       // this should be of type "key.acl.<KEY_NAME>.<OP_TYPE>"
 
       // this should be of type "key.acl.<KEY_NAME>.<OP_TYPE>"

+ 1 - 0
hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java
Xem Tập Tin 

@@ -38,6 +38,7 @@ public class KMSConfiguration {
 
   public static final String CONFIG_PREFIX = "hadoop.kms.";
 
   public static final String CONFIG_PREFIX = "hadoop.kms.";
 
 
 
   public static final String KEY_ACL_PREFIX = "key.acl.";
 
   public static final String KEY_ACL_PREFIX = "key.acl.";
 
+  public static final String KEY_ACL_PREFIX_REGEX = "^key\\.acl\\..+";
 
   public static final String DEFAULT_KEY_ACL_PREFIX = "default.key.acl.";
 
   public static final String DEFAULT_KEY_ACL_PREFIX = "default.key.acl.";
 
   public static final String WHITELIST_KEY_ACL_PREFIX = "whitelist.key.acl.";
 
   public static final String WHITELIST_KEY_ACL_PREFIX = "whitelist.key.acl.";

+ 15 - 3
hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java
Xem Tập Tin 

@@ -26,7 +26,7 @@ public class TestKMSACLs {
 
 
 
   @Test
 
   @Test
 
   public void testDefaults() {
 
   public void testDefaults() {
 
-    KMSACLs acls = new KMSACLs(new Configuration(false));
 
+    final KMSACLs acls = new KMSACLs(new Configuration(false));
 
     for (KMSACLs.Type type : KMSACLs.Type.values()) {
 
     for (KMSACLs.Type type : KMSACLs.Type.values()) {
 
       Assert.assertTrue(acls.hasAccess(type,
 
       Assert.assertTrue(acls.hasAccess(type,
 
           UserGroupInformation.createRemoteUser("foo")));
 
           UserGroupInformation.createRemoteUser("foo")));
 
@@ -35,11 +35,11 @@ public class TestKMSACLs {
 
 
 
   @Test
 
   @Test
 
   public void testCustom() {
 
   public void testCustom() {
 
-    Configuration conf = new Configuration(false);
 
+    final Configuration conf = new Configuration(false);
 
     for (KMSACLs.Type type : KMSACLs.Type.values()) {
 
     for (KMSACLs.Type type : KMSACLs.Type.values()) {
 
       conf.set(type.getAclConfigKey(), type.toString() + " ");
 
       conf.set(type.getAclConfigKey(), type.toString() + " ");
 
     }
 
     }
 
-    KMSACLs acls = new KMSACLs(conf);
 
+    final KMSACLs acls = new KMSACLs(conf);
 
     for (KMSACLs.Type type : KMSACLs.Type.values()) {
 
     for (KMSACLs.Type type : KMSACLs.Type.values()) {
 
       Assert.assertTrue(acls.hasAccess(type,
 
       Assert.assertTrue(acls.hasAccess(type,
 
           UserGroupInformation.createRemoteUser(type.toString())));
 
           UserGroupInformation.createRemoteUser(type.toString())));
 
@@ -48,4 +48,16 @@ public class TestKMSACLs {
 
     }
 
     }
 
   }
 
   }
 
 
 
+  @Test
 
+  public void testKeyAclConfigurationLoad() {
 
+    final Configuration conf = new Configuration(false);
 
+    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key_1.MANAGEMENT", "CREATE");
 
+    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key_2.ALL", "CREATE");
 
+    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key_3.NONEXISTOPERATION", "CREATE");
 
+    conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "ROLLOVER");
 
+    conf.set(KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + "MANAGEMENT", "DECRYPT_EEK");
 
+    final KMSACLs acls = new KMSACLs(conf);
 
+    Assert.assertTrue("expected key ACL size is 2 but got " + acls.keyAcls.size(),
 
+        acls.keyAcls.size() == 2);
 
+  }
 
 }
 
 }