public virtual Response RolloverKey(string name, IDictionary jsonMaterial)
{
KMSWebApp.GetAdminCallsMeter().Mark();
UserGroupInformation user = HttpUserGroupInformation.Get();
AssertAccess(KMSACLs.Type.Rollover, user, KMS.KMSOp.RollNewVersion, name);
KMSClientProvider.CheckNotEmpty(name, "name");
string material = (string)jsonMaterial[KMSRESTConstants.MaterialField];
if (material != null)
{
AssertAccess(KMSACLs.Type.SetKeyMaterial, user, KMS.KMSOp.RollNewVersion, name);
}
KeyProvider.KeyVersion keyVersion = user.DoAs(new _PrivilegedExceptionAction_200(
this, material, name));
kmsAudit.Ok(user, KMS.KMSOp.RollNewVersion, name, "UserProvidedMaterial:" + (material
!= null) + " NewVersion:" + keyVersion.GetVersionName());
if (!KMSWebApp.GetACLs().HasAccess(KMSACLs.Type.Get, user))
{
keyVersion = RemoveKeyMaterial(keyVersion);
}
IDictionary json = KMSServerJSONUtils.ToJSON(keyVersion);
return(Response.Ok().Type(MediaType.ApplicationJson).Entity(json).Build());
}
public virtual Response DecryptEncryptedKey(string versionName, string eekOp, IDictionary
jsonPayload)
{
UserGroupInformation user = HttpUserGroupInformation.Get();
KMSClientProvider.CheckNotEmpty(versionName, "versionName");
KMSClientProvider.CheckNotNull(eekOp, "eekOp");
string keyName = (string)jsonPayload[KMSRESTConstants.NameField];
string ivStr = (string)jsonPayload[KMSRESTConstants.IvField];
string encMaterialStr = (string)jsonPayload[KMSRESTConstants.MaterialField];
object retJSON;
if (eekOp.Equals(KMSRESTConstants.EekDecrypt))
{
AssertAccess(KMSACLs.Type.DecryptEek, user, KMS.KMSOp.DecryptEek, keyName);
KMSClientProvider.CheckNotNull(ivStr, KMSRESTConstants.IvField);
byte[] iv = Base64.DecodeBase64(ivStr);
KMSClientProvider.CheckNotNull(encMaterialStr, KMSRESTConstants.MaterialField);
byte[] encMaterial = Base64.DecodeBase64(encMaterialStr);
KeyProvider.KeyVersion retKeyVersion = user.DoAs(new _PrivilegedExceptionAction_433
(this, keyName, versionName, iv, encMaterial));
retJSON = KMSServerJSONUtils.ToJSON(retKeyVersion);
kmsAudit.Ok(user, KMS.KMSOp.DecryptEek, keyName, string.Empty);
}
else
{
throw new ArgumentException("Wrong " + KMSRESTConstants.EekOp + " value, it must be "
+ KMSRESTConstants.EekGenerate + " or " + KMSRESTConstants.EekDecrypt);
}
KMSWebApp.GetDecryptEEKCallsMeter().Mark();
return(Response.Ok().Type(MediaType.ApplicationJson).Entity(retJSON).Build());
}
protected override Properties GetConfiguration(string configPrefix, FilterConfig
filterConfig)
{
Properties props = new Properties();
Configuration conf = KMSWebApp.GetConfiguration();
foreach (KeyValuePair <string, string> entry in conf)
{
string name = entry.Key;
if (name.StartsWith(ConfigPrefix))
{
string value = conf.Get(name);
name = Runtime.Substring(name, ConfigPrefix.Length);
props.SetProperty(name, value);
}
}
string authType = props.GetProperty(AuthType);
if (authType.Equals(PseudoAuthenticationHandler.Type))
{
props.SetProperty(AuthType, typeof(PseudoDelegationTokenAuthenticationHandler).FullName
);
}
else
{
if (authType.Equals(KerberosAuthenticationHandler.Type))
{
props.SetProperty(AuthType, typeof(KerberosDelegationTokenAuthenticationHandler).
FullName);
}
}
props.SetProperty(DelegationTokenAuthenticationHandler.TokenKind, KMSClientProvider
.TokenKind);
return(props);
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="Javax.Servlet.ServletException"/>
public override void DoFilter(ServletRequest request, ServletResponse response, FilterChain
filterChain)
{
KMSAuthenticationFilter.KMSResponse kmsResponse = new KMSAuthenticationFilter.KMSResponse
(response);
base.DoFilter(request, kmsResponse, filterChain);
if (kmsResponse.statusCode != HttpServletResponse.ScOk && kmsResponse.statusCode
!= HttpServletResponse.ScCreated && kmsResponse.statusCode != HttpServletResponse
.ScUnauthorized)
{
KMSWebApp.GetInvalidCallsMeter().Mark();
}
// HttpServletResponse.SC_UNAUTHORIZED is because the request does not
// belong to an authenticated user.
if (kmsResponse.statusCode == HttpServletResponse.ScUnauthorized)
{
KMSWebApp.GetUnauthenticatedCallsMeter().Mark();
string method = ((HttpServletRequest)request).GetMethod();
StringBuilder requestURL = ((HttpServletRequest)request).GetRequestURL();
string queryString = ((HttpServletRequest)request).GetQueryString();
if (queryString != null)
{
requestURL.Append("?").Append(queryString);
}
KMSWebApp.GetKMSAudit().Unauthenticated(request.GetRemoteHost(), method, requestURL
.ToString(), kmsResponse.msg);
}
}
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException"/>
public virtual void AssertAccess(KMSACLs.Type aclType, UserGroupInformation ugi,
KMS.KMSOp operation, string key)
{
if (!KMSWebApp.GetACLs().HasAccess(aclType, ugi))
{
KMSWebApp.GetUnauthorizedCallsMeter().Mark();
KMSWebApp.GetKMSAudit().Unauthorized(ugi, operation, key);
throw new AuthorizationException(string.Format((key != null) ? UnauthorizedMsgWithKey
: UnauthorizedMsgWithoutKey, ugi.GetShortUserName(), operation, key));
}
}
public virtual Response GetKeyNames()
{
KMSWebApp.GetAdminCallsMeter().Mark();
UserGroupInformation user = HttpUserGroupInformation.Get();
AssertAccess(KMSACLs.Type.GetKeys, user, KMS.KMSOp.GetKeys);
IList <string> json = user.DoAs(new _PrivilegedExceptionAction_256(this));
kmsAudit.Ok(user, KMS.KMSOp.GetKeys, string.Empty);
return(Response.Ok().Type(MediaType.ApplicationJson).Entity(json).Build());
}
public virtual Response DeleteKey(string name)
{
KMSWebApp.GetAdminCallsMeter().Mark();
UserGroupInformation user = HttpUserGroupInformation.Get();
AssertAccess(KMSACLs.Type.Delete, user, KMS.KMSOp.DeleteKey, name);
KMSClientProvider.CheckNotEmpty(name, "name");
user.DoAs(new _PrivilegedExceptionAction_168(this, name));
kmsAudit.Ok(user, KMS.KMSOp.DeleteKey, name, string.Empty);
return(Response.Ok().Build());
}
protected override Configuration GetProxyuserConfiguration(FilterConfig filterConfig
)
{
IDictionary <string, string> proxyuserConf = KMSWebApp.GetConfiguration().GetValByRegex
("hadoop\\.kms\\.proxyuser\\.");
Configuration conf = new Configuration(false);
foreach (KeyValuePair <string, string> entry in proxyuserConf)
{
conf.Set(Runtime.Substring(entry.Key, "hadoop.kms.".Length), entry.Value);
}
return(conf);
}
public virtual Response CreateKey(IDictionary jsonKey)
{
KMSWebApp.GetAdminCallsMeter().Mark();
UserGroupInformation user = HttpUserGroupInformation.Get();
string name = (string)jsonKey[KMSRESTConstants.NameField];
KMSClientProvider.CheckNotEmpty(name, KMSRESTConstants.NameField);
AssertAccess(KMSACLs.Type.Create, user, KMS.KMSOp.CreateKey, name);
string cipher = (string)jsonKey[KMSRESTConstants.CipherField];
string material = (string)jsonKey[KMSRESTConstants.MaterialField];
int length = (jsonKey.Contains(KMSRESTConstants.LengthField)) ? (int)jsonKey[KMSRESTConstants
.LengthField] : 0;
string description = (string)jsonKey[KMSRESTConstants.DescriptionField];
IDictionary <string, string> attributes = (IDictionary <string, string>)jsonKey[KMSRESTConstants
.AttributesField];
if (material != null)
{
AssertAccess(KMSACLs.Type.SetKeyMaterial, user, KMS.KMSOp.CreateKey, name);
}
KeyProvider.Options options = new KeyProvider.Options(KMSWebApp.GetConfiguration(
));
if (cipher != null)
{
options.SetCipher(cipher);
}
if (length != 0)
{
options.SetBitLength(length);
}
options.SetDescription(description);
options.SetAttributes(attributes);
KeyProvider.KeyVersion keyVersion = user.DoAs(new _PrivilegedExceptionAction_132(
this, material, name, options));
kmsAudit.Ok(user, KMS.KMSOp.CreateKey, name, "UserProvidedMaterial:" + (material
!= null) + " Description:" + description);
if (!KMSWebApp.GetACLs().HasAccess(KMSACLs.Type.Get, user))
{
keyVersion = RemoveKeyMaterial(keyVersion);
}
IDictionary json = KMSServerJSONUtils.ToJSON(keyVersion);
string requestURL = KMSMDCFilter.GetURL();
int idx = requestURL.LastIndexOf(KMSRESTConstants.KeysResource);
requestURL = Runtime.Substring(requestURL, 0, idx);
string keyURL = requestURL + KMSRESTConstants.KeyResource + "/" + name;
return(Response.Created(GetKeyURI(name)).Type(MediaType.ApplicationJson).Header("Location"
, keyURL).Entity(json).Build());
}
public virtual Response GetKeyVersions(string name)
{
UserGroupInformation user = HttpUserGroupInformation.Get();
KMSClientProvider.CheckNotEmpty(name, "name");
KMSWebApp.GetKeyCallsMeter().Mark();
AssertAccess(KMSACLs.Type.Get, user, KMS.KMSOp.GetKeyVersions, name);
IList <KeyProvider.KeyVersion> ret = user.DoAs(new _PrivilegedExceptionAction_469(
this, name));
object json = KMSServerJSONUtils.ToJSON(ret);
kmsAudit.Ok(user, KMS.KMSOp.GetKeyVersions, name, string.Empty);
return(Response.Ok().Type(MediaType.ApplicationJson).Entity(json).Build());
}
public virtual Response GetKeysMetadata(IList <string> keyNamesList)
{
KMSWebApp.GetAdminCallsMeter().Mark();
UserGroupInformation user = HttpUserGroupInformation.Get();
string[] keyNames = Collections.ToArray(keyNamesList, new string[keyNamesList
.Count]);
AssertAccess(KMSACLs.Type.GetMetadata, user, KMS.KMSOp.GetKeysMetadata);
KeyProvider.Metadata[] keysMeta = user.DoAs(new _PrivilegedExceptionAction_234(this
, keyNames));
object json = KMSServerJSONUtils.ToJSON(keyNames, keysMeta);
kmsAudit.Ok(user, KMS.KMSOp.GetKeysMetadata, string.Empty);
return(Response.Ok().Type(MediaType.ApplicationJson).Entity(json).Build());
}
public virtual Response GetKeyVersion(string versionName)
{
UserGroupInformation user = HttpUserGroupInformation.Get();
KMSClientProvider.CheckNotEmpty(versionName, "versionName");
KMSWebApp.GetKeyCallsMeter().Mark();
AssertAccess(KMSACLs.Type.Get, user, KMS.KMSOp.GetKeyVersion);
KeyProvider.KeyVersion keyVersion = user.DoAs(new _PrivilegedExceptionAction_336(
this, versionName));
if (keyVersion != null)
{
kmsAudit.Ok(user, KMS.KMSOp.GetKeyVersion, keyVersion.GetName(), string.Empty);
}
object json = KMSServerJSONUtils.ToJSON(keyVersion);
return(Response.Ok().Type(MediaType.ApplicationJson).Entity(json).Build());
}
public virtual Response GenerateEncryptedKeys(string name, string edekOp, int numKeys
)
{
UserGroupInformation user = HttpUserGroupInformation.Get();
KMSClientProvider.CheckNotEmpty(name, "name");
KMSClientProvider.CheckNotNull(edekOp, "eekOp");
object retJSON;
if (edekOp.Equals(KMSRESTConstants.EekGenerate))
{
AssertAccess(KMSACLs.Type.GenerateEek, user, KMS.KMSOp.GenerateEek, name);
IList <KeyProviderCryptoExtension.EncryptedKeyVersion> retEdeks = new List <KeyProviderCryptoExtension.EncryptedKeyVersion
>();
try
{
user.DoAs(new _PrivilegedExceptionAction_375(this, numKeys, retEdeks, name));
}
catch (Exception e)
{
throw new IOException(e);
}
kmsAudit.Ok(user, KMS.KMSOp.GenerateEek, name, string.Empty);
retJSON = new ArrayList();
foreach (KeyProviderCryptoExtension.EncryptedKeyVersion edek in retEdeks)
{
((ArrayList)retJSON).AddItem(KMSServerJSONUtils.ToJSON(edek));
}
}
else
{
throw new ArgumentException("Wrong " + KMSRESTConstants.EekOp + " value, it must be "
+ KMSRESTConstants.EekGenerate + " or " + KMSRESTConstants.EekDecrypt);
}
KMSWebApp.GetGenerateEEKCallsMeter().Mark();
return(Response.Ok().Type(MediaType.ApplicationJson).Entity(retJSON).Build());
}
/// <summary>Maps different exceptions thrown by KMS to HTTP status codes.</summary>
public virtual Response ToResponse(Exception exception)
{
Response.Status status;
bool doAudit = true;
Exception throwable = exception;
if (exception is ContainerException)
{
throwable = exception.InnerException;
}
if (throwable is SecurityException)
{
status = Response.Status.Forbidden;
}
else
{
if (throwable is AuthenticationException)
{
status = Response.Status.Forbidden;
// we don't audit here because we did it already when checking access
doAudit = false;
}
else
{
if (throwable is AuthorizationException)
{
status = Response.Status.Forbidden;
// we don't audit here because we did it already when checking access
doAudit = false;
}
else
{
if (throwable is AccessControlException)
{
status = Response.Status.Forbidden;
}
else
{
if (exception is IOException)
{
status = Response.Status.InternalServerError;
}
else
{
if (exception is NotSupportedException)
{
status = Response.Status.BadRequest;
}
else
{
if (exception is ArgumentException)
{
status = Response.Status.BadRequest;
}
else
{
status = Response.Status.InternalServerError;
}
}
}
}
}
}
}
if (doAudit)
{
KMSWebApp.GetKMSAudit().Error(KMSMDCFilter.GetUgi(), KMSMDCFilter.GetMethod(), KMSMDCFilter
.GetURL(), GetOneLineMessage(exception));
}
return(CreateResponse(status, throwable));
}
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException"/>
private void AssertAccess(KMSACLs.Type aclType, UserGroupInformation ugi, KMS.KMSOp
operation, string key)
{
KMSWebApp.GetACLs().AssertAccess(aclType, ugi, operation, key);
}
/// <exception cref="System.Exception"/>
public KMS()
{
provider = KMSWebApp.GetKeyProvider();
kmsAudit = KMSWebApp.GetKMSAudit();
}
