10 年之前 · 696e15f0d1
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -130,6 +130,9 @@ Release 2.7.0 - UNRELEASED
 
				     HADOOP-11344. KMS kms-config.sh sets a default value for the keystore
			
 
				     password even in non-ssl setup. (Arun Suresh via wang)
			
 
				 
			
 
				+    HADOOP-11342. KMS key ACL should ignore ALL operation for default key ACL
			
 
				+    and whitelist key ACL. (Dian Fu via wang)
			
 
				+
			
 
				 Release 2.6.0 - 2014-11-18
			
 
				 
			
 
				   INCOMPATIBLE CHANGES
			
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
@@ -152,20 +152,30 @@ public class KMSACLs implements Runnable, KeyACLs {
 
				         String confKey = KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + keyOp;
			
 
				         String aclStr = conf.get(confKey);
			
 
				         if (aclStr != null) {
			
 
				-          if (aclStr.equals("*")) {
			
 
				-            LOG.info("Default Key ACL for KEY_OP '{}' is set to '*'", keyOp);
			
 
				+          if (keyOp == KeyOpType.ALL) {
			
 
				+            // Ignore All operation for default key acl
			
 
				+            LOG.warn("Should not configure default key ACL for KEY_OP '{}'", keyOp);
			
 
				+          } else {
			
 
				+            if (aclStr.equals("*")) {
			
 
				+              LOG.info("Default Key ACL for KEY_OP '{}' is set to '*'", keyOp);
			
 
				+            }
			
 
				+            defaultKeyAcls.put(keyOp, new AccessControlList(aclStr));
			
 
				           }
			
 
				-          defaultKeyAcls.put(keyOp, new AccessControlList(aclStr));
			
 
				         }
			
 
				       }
			
 
				       if (!whitelistKeyAcls.containsKey(keyOp)) {
			
 
				         String confKey = KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + keyOp;
			
 
				         String aclStr = conf.get(confKey);
			
 
				         if (aclStr != null) {
			
 
				-          if (aclStr.equals("*")) {
			
 
				-            LOG.info("Whitelist Key ACL for KEY_OP '{}' is set to '*'", keyOp);
			
 
				+          if (keyOp == KeyOpType.ALL) {
			
 
				+            // Ignore All operation for whitelist key acl
			
 
				+            LOG.warn("Should not configure whitelist key ACL for KEY_OP '{}'", keyOp);
			
 
				+          } else {
			
 
				+            if (aclStr.equals("*")) {
			
 
				+              LOG.info("Whitelist Key ACL for KEY_OP '{}' is set to '*'", keyOp);
			
 
				+            }
			
 
				+            whitelistKeyAcls.put(keyOp, new AccessControlList(aclStr));
			
 
				           }
			
 
				-          whitelistKeyAcls.put(keyOp, new AccessControlList(aclStr));
			
 
				         }
			
 
				       }
			
 
				     }
			
@@ -271,7 +281,9 @@ public class KMSACLs implements Runnable, KeyACLs {
 
				 
			
 
				   @Override
			
 
				   public boolean isACLPresent(String keyName, KeyOpType opType) {
			
 
				-    return (keyAcls.containsKey(keyName) || defaultKeyAcls.containsKey(opType));
			
 
				+    return (keyAcls.containsKey(keyName)
			
 
				+        || defaultKeyAcls.containsKey(opType)
			
 
				+        || whitelistKeyAcls.containsKey(opType));
			
 
				   }
			
 
				 
			
 
				 }
			
--- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
+++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
@@ -619,16 +619,19 @@ public class TestKMS {
 
				     }
			
 
				     conf.set(KMSACLs.Type.CREATE.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
			
 
				     conf.set(KMSACLs.Type.ROLLOVER.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
			
 
				-    conf.set(KMSACLs.Type.GENERATE_EEK.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK");
			
 
				+    conf.set(KMSACLs.Type.GENERATE_EEK.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
			
 
				     conf.set(KMSACLs.Type.DECRYPT_EEK.getAclConfigKey(),"CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK");
			
 
				 
			
 
				     conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key.MANAGEMENT", "CREATE");
			
 
				     conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "some_key.MANAGEMENT", "ROLLOVER");
			
 
				     conf.set(KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + "MANAGEMENT", "DECRYPT_EEK");
			
 
				+    conf.set(KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + "ALL", "DECRYPT_EEK");
			
 
				 
			
 
				     conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "all_access.ALL", "GENERATE_EEK");
			
 
				     conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "all_access.DECRYPT_EEK", "ROLLOVER");
			
 
				     conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "ROLLOVER");
			
 
				+    conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "GENERATE_EEK", "SOMEBODY");
			
 
				+    conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "ALL", "ROLLOVER");
			
 
				 
			
 
				     writeConf(testDir, conf);