/// <exception cref="System.Exception"/>
public virtual void TestDecryptWithKeyVersionNameKeyMismatch()
{
Configuration conf = new Configuration();
KeyProvider kp = new UserProvider.Factory().CreateProvider(new URI("user:///"), conf
);
KeyAuthorizationKeyProvider.KeyACLs mock = Org.Mockito.Mockito.Mock <KeyAuthorizationKeyProvider.KeyACLs
>();
Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType
.Management)).ThenReturn(true);
Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType
.GenerateEek)).ThenReturn(true);
Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType
.DecryptEek)).ThenReturn(true);
Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType
.All)).ThenReturn(true);
UserGroupInformation u1 = UserGroupInformation.CreateRemoteUser("u1");
UserGroupInformation u2 = UserGroupInformation.CreateRemoteUser("u2");
UserGroupInformation u3 = UserGroupInformation.CreateRemoteUser("u3");
UserGroupInformation sudo = UserGroupInformation.CreateRemoteUser("sudo");
Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", u1, KeyAuthorizationKeyProvider.KeyOpType
.Management)).ThenReturn(true);
Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", u2, KeyAuthorizationKeyProvider.KeyOpType
.GenerateEek)).ThenReturn(true);
Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", u3, KeyAuthorizationKeyProvider.KeyOpType
.DecryptEek)).ThenReturn(true);
Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", sudo, KeyAuthorizationKeyProvider.KeyOpType
.All)).ThenReturn(true);
KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(KeyProviderCryptoExtension
.CreateKeyProviderCryptoExtension(kp), mock);
sudo.DoAs(new _PrivilegedExceptionAction_247(conf, kpExt));
}
public virtual void SetupCluster()
{
conf = new Configuration();
conf.SetInt(DFSConfigKeys.DfsHaTaileditsPeriodKey, 1);
HAUtil.SetAllowStandbyReads(conf, true);
fsHelper = new FileSystemTestHelper();
string testRoot = fsHelper.GetTestRootDir();
testRootDir = new FilePath(testRoot).GetAbsoluteFile();
conf.Set(DFSConfigKeys.DfsEncryptionKeyProviderUri, JavaKeyStoreProvider.SchemeName
+ "://file" + new Path(testRootDir.ToString(), "test.jks").ToUri());
cluster = new MiniDFSCluster.Builder(conf).NnTopology(MiniDFSNNTopology.SimpleHATopology
()).NumDataNodes(1).Build();
cluster.WaitActive();
cluster.TransitionToActive(0);
fs = (DistributedFileSystem)HATestUtil.ConfigureFailoverFs(cluster, conf);
DFSTestUtil.CreateKey(TestKey, cluster, 0, conf);
DFSTestUtil.CreateKey(TestKey, cluster, 1, conf);
nn0 = cluster.GetNameNode(0);
nn1 = cluster.GetNameNode(1);
dfsAdmin0 = new HdfsAdmin(cluster.GetURI(0), conf);
dfsAdmin1 = new HdfsAdmin(cluster.GetURI(1), conf);
KeyProviderCryptoExtension nn0Provider = cluster.GetNameNode(0).GetNamesystem().GetProvider
();
fs.GetClient().SetKeyProvider(nn0Provider);
}
public _PrivilegedExceptionAction_173(KeyProviderCryptoExtension kpExt, KeyProvider.KeyVersion
barKv, KeyProviderCryptoExtension.EncryptedKeyVersion barEKv)
{
this.kpExt = kpExt;
this.barKv = barKv;
this.barEKv = barEKv;
}
/// <summary>
/// The constructor takes a
/// <see cref="Org.Apache.Hadoop.Crypto.Key.KeyProviderCryptoExtension"/>
/// and an
/// implementation of <code>KeyACLs</code>. All calls are delegated to the
/// provider keyProvider after authorization check (if required)
/// </summary>
/// <param name="keyProvider"></param>
/// <param name="acls"/>
public KeyAuthorizationKeyProvider(KeyProviderCryptoExtension keyProvider, KeyAuthorizationKeyProvider.KeyACLs
acls)
: base(keyProvider, null)
{
this.provider = keyProvider;
this.acls = acls;
ReadWriteLock Lock = new ReentrantReadWriteLock(true);
readLock = Lock.ReadLock();
writeLock = Lock.WriteLock();
}
public CryptoExtension(Configuration conf, KeyProviderCryptoExtension keyProviderCryptoExtension
)
{
this.keyProviderCryptoExtension = keyProviderCryptoExtension;
encKeyVersionQueue = new ValueQueue <KeyProviderCryptoExtension.EncryptedKeyVersion
>(conf.GetInt(KmsKeyCacheSize, KmsKeyCacheSizeDefault), conf.GetFloat(KmsKeyCacheLowWatermark
, KmsKeyCacheLowWatermarkDefault), conf.GetInt(KmsKeyCacheExpiryMs, KmsKeyCacheExpiryDefault
), conf.GetInt(KmsKeyCacheNumRefillThreads, KmsKeyCacheNumRefillThreadsDefault),
ValueQueue.SyncGenerationPolicy.LowWatermark, new EagerKeyGeneratorKeyProviderCryptoExtension.CryptoExtension.EncryptedQueueRefiller
(this));
}
public virtual void TestCreateKey()
{
Configuration conf = new Configuration();
KeyProvider kp = new UserProvider.Factory().CreateProvider(new URI("user:///"), conf
);
KeyAuthorizationKeyProvider.KeyACLs mock = Org.Mockito.Mockito.Mock <KeyAuthorizationKeyProvider.KeyACLs
>();
Org.Mockito.Mockito.When(mock.IsACLPresent("foo", KeyAuthorizationKeyProvider.KeyOpType
.Management)).ThenReturn(true);
UserGroupInformation u1 = UserGroupInformation.CreateRemoteUser("u1");
Org.Mockito.Mockito.When(mock.HasAccessToKey("foo", u1, KeyAuthorizationKeyProvider.KeyOpType
.Management)).ThenReturn(true);
KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(KeyProviderCryptoExtension
.CreateKeyProviderCryptoExtension(kp), mock);
u1.DoAs(new _PrivilegedExceptionAction_62(kpExt, conf));
// "bar" key not configured
// Ignore
// Unauthorized User
UserGroupInformation.CreateRemoteUser("badGuy").DoAs(new _PrivilegedExceptionAction_87
(kpExt, conf));
}
public _PrivilegedExceptionAction_87(KeyProviderCryptoExtension kpExt, Configuration
conf)
{
this.kpExt = kpExt;
this.conf = conf;
}
public _PrivilegedExceptionAction_247(Configuration conf, KeyProviderCryptoExtension
kpExt)
{
this.conf = conf;
this.kpExt = kpExt;
}
public virtual void ContextInitialized(ServletContextEvent sce)
{
try
{
string confDir = Runtime.GetProperty(KMSConfiguration.KmsConfigDir);
if (confDir == null)
{
throw new RuntimeException("System property '" + KMSConfiguration.KmsConfigDir +
"' not defined");
}
kmsConf = KMSConfiguration.GetKMSConf();
InitLogging(confDir);
Log.Info("-------------------------------------------------------------");
Log.Info(" Java runtime version : {}", Runtime.GetProperty("java.runtime.version"
));
Log.Info(" KMS Hadoop Version: " + VersionInfo.GetVersion());
Log.Info("-------------------------------------------------------------");
kmsAcls = new KMSACLs();
kmsAcls.StartReloader();
metricRegistry = new MetricRegistry();
jmxReporter = JmxReporter.ForRegistry(metricRegistry).Build();
jmxReporter.Start();
generateEEKCallsMeter = metricRegistry.Register(GenerateEekMeter, new Meter());
decryptEEKCallsMeter = metricRegistry.Register(DecryptEekMeter, new Meter());
adminCallsMeter = metricRegistry.Register(AdminCallsMeter, new Meter());
keyCallsMeter = metricRegistry.Register(KeyCallsMeter, new Meter());
invalidCallsMeter = metricRegistry.Register(InvalidCallsMeter, new Meter());
unauthorizedCallsMeter = metricRegistry.Register(UnauthorizedCallsMeter, new Meter
());
unauthenticatedCallsMeter = metricRegistry.Register(UnauthenticatedCallsMeter, new
Meter());
kmsAudit = new KMSAudit(kmsConf.GetLong(KMSConfiguration.KmsAuditAggregationWindow
, KMSConfiguration.KmsAuditAggregationWindowDefault));
// this is required for the the JMXJsonServlet to work properly.
// the JMXJsonServlet is behind the authentication filter,
// thus the '*' ACL.
sce.GetServletContext().SetAttribute(HttpServer2.ConfContextAttribute, kmsConf);
sce.GetServletContext().SetAttribute(HttpServer2.AdminsAcl, new AccessControlList
(AccessControlList.WildcardAclValue));
// intializing the KeyProvider
string providerString = kmsConf.Get(KMSConfiguration.KeyProviderUri);
if (providerString == null)
{
throw new InvalidOperationException("No KeyProvider has been defined");
}
KeyProvider keyProvider = KeyProviderFactory.Get(new URI(providerString), kmsConf
);
if (kmsConf.GetBoolean(KMSConfiguration.KeyCacheEnable, KMSConfiguration.KeyCacheEnableDefault
))
{
long keyTimeOutMillis = kmsConf.GetLong(KMSConfiguration.KeyCacheTimeoutKey, KMSConfiguration
.KeyCacheTimeoutDefault);
long currKeyTimeOutMillis = kmsConf.GetLong(KMSConfiguration.CurrKeyCacheTimeoutKey
, KMSConfiguration.CurrKeyCacheTimeoutDefault);
keyProvider = new CachingKeyProvider(keyProvider, keyTimeOutMillis, currKeyTimeOutMillis
);
}
Log.Info("Initialized KeyProvider " + keyProvider);
keyProviderCryptoExtension = KeyProviderCryptoExtension.CreateKeyProviderCryptoExtension
(keyProvider);
keyProviderCryptoExtension = new EagerKeyGeneratorKeyProviderCryptoExtension(kmsConf
, keyProviderCryptoExtension);
if (kmsConf.GetBoolean(KMSConfiguration.KeyAuthorizationEnable, KMSConfiguration.
KeyAuthorizationEnableDefault))
{
keyProviderCryptoExtension = new KeyAuthorizationKeyProvider(keyProviderCryptoExtension
, kmsAcls);
}
Log.Info("Initialized KeyProviderCryptoExtension " + keyProviderCryptoExtension);
int defaultBitlength = kmsConf.GetInt(KeyProvider.DefaultBitlengthName, KeyProvider
.DefaultBitlength);
Log.Info("Default key bitlength is {}", defaultBitlength);
Log.Info("KMS Started");
}
catch (Exception ex)
{
System.Console.Out.WriteLine();
System.Console.Out.WriteLine("ERROR: Hadoop KMS could not be started");
System.Console.Out.WriteLine();
System.Console.Out.WriteLine("REASON: " + ex.ToString());
System.Console.Out.WriteLine();
System.Console.Out.WriteLine("Stacktrace:");
System.Console.Out.WriteLine("---------------------------------------------------"
);
Runtime.PrintStackTrace(ex, System.Console.Out);
System.Console.Out.WriteLine("---------------------------------------------------"
);
System.Console.Out.WriteLine();
System.Environment.Exit(1);
}
}
/// <summary>
/// This class is a proxy for a <code>KeyProviderCryptoExtension</code> that
/// decorates the underlying <code>CryptoExtension</code> with one that eagerly
/// caches pre-generated Encrypted Keys using a <code>ValueQueue</code>
/// </summary>
/// <param name="conf">Configuration object to load parameters from</param>
/// <param name="keyProviderCryptoExtension">
/// <code>KeyProviderCryptoExtension</code>
/// to delegate calls to.
/// </param>
public EagerKeyGeneratorKeyProviderCryptoExtension(Configuration conf, KeyProviderCryptoExtension
keyProviderCryptoExtension)
: base(keyProviderCryptoExtension, new EagerKeyGeneratorKeyProviderCryptoExtension.CryptoExtension
(conf, keyProviderCryptoExtension))
{
}
/// <exception cref="System.Exception"/>
public KMS()
{
provider = KMSWebApp.GetKeyProvider();
kmsAudit = KMSWebApp.GetKMSAudit();
}
