/// <exception cref="System.Exception"/> public virtual void TestDecryptWithKeyVersionNameKeyMismatch() { Configuration conf = new Configuration(); KeyProvider kp = new UserProvider.Factory().CreateProvider(new URI("user:///"), conf ); KeyAuthorizationKeyProvider.KeyACLs mock = Org.Mockito.Mockito.Mock <KeyAuthorizationKeyProvider.KeyACLs >(); Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType .Management)).ThenReturn(true); Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType .GenerateEek)).ThenReturn(true); Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType .DecryptEek)).ThenReturn(true); Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType .All)).ThenReturn(true); UserGroupInformation u1 = UserGroupInformation.CreateRemoteUser("u1"); UserGroupInformation u2 = UserGroupInformation.CreateRemoteUser("u2"); UserGroupInformation u3 = UserGroupInformation.CreateRemoteUser("u3"); UserGroupInformation sudo = UserGroupInformation.CreateRemoteUser("sudo"); Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", u1, KeyAuthorizationKeyProvider.KeyOpType .Management)).ThenReturn(true); Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", u2, KeyAuthorizationKeyProvider.KeyOpType .GenerateEek)).ThenReturn(true); Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", u3, KeyAuthorizationKeyProvider.KeyOpType .DecryptEek)).ThenReturn(true); Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", sudo, KeyAuthorizationKeyProvider.KeyOpType .All)).ThenReturn(true); KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(KeyProviderCryptoExtension .CreateKeyProviderCryptoExtension(kp), mock); sudo.DoAs(new _PrivilegedExceptionAction_247(conf, kpExt)); }
public virtual void SetupCluster() { conf = new Configuration(); conf.SetInt(DFSConfigKeys.DfsHaTaileditsPeriodKey, 1); HAUtil.SetAllowStandbyReads(conf, true); fsHelper = new FileSystemTestHelper(); string testRoot = fsHelper.GetTestRootDir(); testRootDir = new FilePath(testRoot).GetAbsoluteFile(); conf.Set(DFSConfigKeys.DfsEncryptionKeyProviderUri, JavaKeyStoreProvider.SchemeName + "://file" + new Path(testRootDir.ToString(), "test.jks").ToUri()); cluster = new MiniDFSCluster.Builder(conf).NnTopology(MiniDFSNNTopology.SimpleHATopology ()).NumDataNodes(1).Build(); cluster.WaitActive(); cluster.TransitionToActive(0); fs = (DistributedFileSystem)HATestUtil.ConfigureFailoverFs(cluster, conf); DFSTestUtil.CreateKey(TestKey, cluster, 0, conf); DFSTestUtil.CreateKey(TestKey, cluster, 1, conf); nn0 = cluster.GetNameNode(0); nn1 = cluster.GetNameNode(1); dfsAdmin0 = new HdfsAdmin(cluster.GetURI(0), conf); dfsAdmin1 = new HdfsAdmin(cluster.GetURI(1), conf); KeyProviderCryptoExtension nn0Provider = cluster.GetNameNode(0).GetNamesystem().GetProvider (); fs.GetClient().SetKeyProvider(nn0Provider); }
public _PrivilegedExceptionAction_173(KeyProviderCryptoExtension kpExt, KeyProvider.KeyVersion barKv, KeyProviderCryptoExtension.EncryptedKeyVersion barEKv) { this.kpExt = kpExt; this.barKv = barKv; this.barEKv = barEKv; }
/// <summary> /// The constructor takes a /// <see cref="Org.Apache.Hadoop.Crypto.Key.KeyProviderCryptoExtension"/> /// and an /// implementation of <code>KeyACLs</code>. All calls are delegated to the /// provider keyProvider after authorization check (if required) /// </summary> /// <param name="keyProvider"></param> /// <param name="acls"/> public KeyAuthorizationKeyProvider(KeyProviderCryptoExtension keyProvider, KeyAuthorizationKeyProvider.KeyACLs acls) : base(keyProvider, null) { this.provider = keyProvider; this.acls = acls; ReadWriteLock Lock = new ReentrantReadWriteLock(true); readLock = Lock.ReadLock(); writeLock = Lock.WriteLock(); }
public CryptoExtension(Configuration conf, KeyProviderCryptoExtension keyProviderCryptoExtension ) { this.keyProviderCryptoExtension = keyProviderCryptoExtension; encKeyVersionQueue = new ValueQueue <KeyProviderCryptoExtension.EncryptedKeyVersion >(conf.GetInt(KmsKeyCacheSize, KmsKeyCacheSizeDefault), conf.GetFloat(KmsKeyCacheLowWatermark , KmsKeyCacheLowWatermarkDefault), conf.GetInt(KmsKeyCacheExpiryMs, KmsKeyCacheExpiryDefault ), conf.GetInt(KmsKeyCacheNumRefillThreads, KmsKeyCacheNumRefillThreadsDefault), ValueQueue.SyncGenerationPolicy.LowWatermark, new EagerKeyGeneratorKeyProviderCryptoExtension.CryptoExtension.EncryptedQueueRefiller (this)); }
public virtual void TestCreateKey() { Configuration conf = new Configuration(); KeyProvider kp = new UserProvider.Factory().CreateProvider(new URI("user:///"), conf ); KeyAuthorizationKeyProvider.KeyACLs mock = Org.Mockito.Mockito.Mock <KeyAuthorizationKeyProvider.KeyACLs >(); Org.Mockito.Mockito.When(mock.IsACLPresent("foo", KeyAuthorizationKeyProvider.KeyOpType .Management)).ThenReturn(true); UserGroupInformation u1 = UserGroupInformation.CreateRemoteUser("u1"); Org.Mockito.Mockito.When(mock.HasAccessToKey("foo", u1, KeyAuthorizationKeyProvider.KeyOpType .Management)).ThenReturn(true); KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(KeyProviderCryptoExtension .CreateKeyProviderCryptoExtension(kp), mock); u1.DoAs(new _PrivilegedExceptionAction_62(kpExt, conf)); // "bar" key not configured // Ignore // Unauthorized User UserGroupInformation.CreateRemoteUser("badGuy").DoAs(new _PrivilegedExceptionAction_87 (kpExt, conf)); }
public _PrivilegedExceptionAction_87(KeyProviderCryptoExtension kpExt, Configuration conf) { this.kpExt = kpExt; this.conf = conf; }
public _PrivilegedExceptionAction_247(Configuration conf, KeyProviderCryptoExtension kpExt) { this.conf = conf; this.kpExt = kpExt; }
public virtual void ContextInitialized(ServletContextEvent sce) { try { string confDir = Runtime.GetProperty(KMSConfiguration.KmsConfigDir); if (confDir == null) { throw new RuntimeException("System property '" + KMSConfiguration.KmsConfigDir + "' not defined"); } kmsConf = KMSConfiguration.GetKMSConf(); InitLogging(confDir); Log.Info("-------------------------------------------------------------"); Log.Info(" Java runtime version : {}", Runtime.GetProperty("java.runtime.version" )); Log.Info(" KMS Hadoop Version: " + VersionInfo.GetVersion()); Log.Info("-------------------------------------------------------------"); kmsAcls = new KMSACLs(); kmsAcls.StartReloader(); metricRegistry = new MetricRegistry(); jmxReporter = JmxReporter.ForRegistry(metricRegistry).Build(); jmxReporter.Start(); generateEEKCallsMeter = metricRegistry.Register(GenerateEekMeter, new Meter()); decryptEEKCallsMeter = metricRegistry.Register(DecryptEekMeter, new Meter()); adminCallsMeter = metricRegistry.Register(AdminCallsMeter, new Meter()); keyCallsMeter = metricRegistry.Register(KeyCallsMeter, new Meter()); invalidCallsMeter = metricRegistry.Register(InvalidCallsMeter, new Meter()); unauthorizedCallsMeter = metricRegistry.Register(UnauthorizedCallsMeter, new Meter ()); unauthenticatedCallsMeter = metricRegistry.Register(UnauthenticatedCallsMeter, new Meter()); kmsAudit = new KMSAudit(kmsConf.GetLong(KMSConfiguration.KmsAuditAggregationWindow , KMSConfiguration.KmsAuditAggregationWindowDefault)); // this is required for the the JMXJsonServlet to work properly. // the JMXJsonServlet is behind the authentication filter, // thus the '*' ACL. sce.GetServletContext().SetAttribute(HttpServer2.ConfContextAttribute, kmsConf); sce.GetServletContext().SetAttribute(HttpServer2.AdminsAcl, new AccessControlList (AccessControlList.WildcardAclValue)); // intializing the KeyProvider string providerString = kmsConf.Get(KMSConfiguration.KeyProviderUri); if (providerString == null) { throw new InvalidOperationException("No KeyProvider has been defined"); } KeyProvider keyProvider = KeyProviderFactory.Get(new URI(providerString), kmsConf ); if (kmsConf.GetBoolean(KMSConfiguration.KeyCacheEnable, KMSConfiguration.KeyCacheEnableDefault )) { long keyTimeOutMillis = kmsConf.GetLong(KMSConfiguration.KeyCacheTimeoutKey, KMSConfiguration .KeyCacheTimeoutDefault); long currKeyTimeOutMillis = kmsConf.GetLong(KMSConfiguration.CurrKeyCacheTimeoutKey , KMSConfiguration.CurrKeyCacheTimeoutDefault); keyProvider = new CachingKeyProvider(keyProvider, keyTimeOutMillis, currKeyTimeOutMillis ); } Log.Info("Initialized KeyProvider " + keyProvider); keyProviderCryptoExtension = KeyProviderCryptoExtension.CreateKeyProviderCryptoExtension (keyProvider); keyProviderCryptoExtension = new EagerKeyGeneratorKeyProviderCryptoExtension(kmsConf , keyProviderCryptoExtension); if (kmsConf.GetBoolean(KMSConfiguration.KeyAuthorizationEnable, KMSConfiguration. KeyAuthorizationEnableDefault)) { keyProviderCryptoExtension = new KeyAuthorizationKeyProvider(keyProviderCryptoExtension , kmsAcls); } Log.Info("Initialized KeyProviderCryptoExtension " + keyProviderCryptoExtension); int defaultBitlength = kmsConf.GetInt(KeyProvider.DefaultBitlengthName, KeyProvider .DefaultBitlength); Log.Info("Default key bitlength is {}", defaultBitlength); Log.Info("KMS Started"); } catch (Exception ex) { System.Console.Out.WriteLine(); System.Console.Out.WriteLine("ERROR: Hadoop KMS could not be started"); System.Console.Out.WriteLine(); System.Console.Out.WriteLine("REASON: " + ex.ToString()); System.Console.Out.WriteLine(); System.Console.Out.WriteLine("Stacktrace:"); System.Console.Out.WriteLine("---------------------------------------------------" ); Runtime.PrintStackTrace(ex, System.Console.Out); System.Console.Out.WriteLine("---------------------------------------------------" ); System.Console.Out.WriteLine(); System.Environment.Exit(1); } }
/// <summary> /// This class is a proxy for a <code>KeyProviderCryptoExtension</code> that /// decorates the underlying <code>CryptoExtension</code> with one that eagerly /// caches pre-generated Encrypted Keys using a <code>ValueQueue</code> /// </summary> /// <param name="conf">Configuration object to load parameters from</param> /// <param name="keyProviderCryptoExtension"> /// <code>KeyProviderCryptoExtension</code> /// to delegate calls to. /// </param> public EagerKeyGeneratorKeyProviderCryptoExtension(Configuration conf, KeyProviderCryptoExtension keyProviderCryptoExtension) : base(keyProviderCryptoExtension, new EagerKeyGeneratorKeyProviderCryptoExtension.CryptoExtension (conf, keyProviderCryptoExtension)) { }
/// <exception cref="System.Exception"/> public KMS() { provider = KMSWebApp.GetKeyProvider(); kmsAudit = KMSWebApp.GetKMSAudit(); }