public virtual Response RolloverKey(string name, IDictionary jsonMaterial) { KMSWebApp.GetAdminCallsMeter().Mark(); UserGroupInformation user = HttpUserGroupInformation.Get(); AssertAccess(KMSACLs.Type.Rollover, user, KMS.KMSOp.RollNewVersion, name); KMSClientProvider.CheckNotEmpty(name, "name"); string material = (string)jsonMaterial[KMSRESTConstants.MaterialField]; if (material != null) { AssertAccess(KMSACLs.Type.SetKeyMaterial, user, KMS.KMSOp.RollNewVersion, name); } KeyProvider.KeyVersion keyVersion = user.DoAs(new _PrivilegedExceptionAction_200( this, material, name)); kmsAudit.Ok(user, KMS.KMSOp.RollNewVersion, name, "UserProvidedMaterial:" + (material != null) + " NewVersion:" + keyVersion.GetVersionName()); if (!KMSWebApp.GetACLs().HasAccess(KMSACLs.Type.Get, user)) { keyVersion = RemoveKeyMaterial(keyVersion); } IDictionary json = KMSServerJSONUtils.ToJSON(keyVersion); return(Response.Ok().Type(MediaType.ApplicationJson).Entity(json).Build()); }
public virtual Response DecryptEncryptedKey(string versionName, string eekOp, IDictionary jsonPayload) { UserGroupInformation user = HttpUserGroupInformation.Get(); KMSClientProvider.CheckNotEmpty(versionName, "versionName"); KMSClientProvider.CheckNotNull(eekOp, "eekOp"); string keyName = (string)jsonPayload[KMSRESTConstants.NameField]; string ivStr = (string)jsonPayload[KMSRESTConstants.IvField]; string encMaterialStr = (string)jsonPayload[KMSRESTConstants.MaterialField]; object retJSON; if (eekOp.Equals(KMSRESTConstants.EekDecrypt)) { AssertAccess(KMSACLs.Type.DecryptEek, user, KMS.KMSOp.DecryptEek, keyName); KMSClientProvider.CheckNotNull(ivStr, KMSRESTConstants.IvField); byte[] iv = Base64.DecodeBase64(ivStr); KMSClientProvider.CheckNotNull(encMaterialStr, KMSRESTConstants.MaterialField); byte[] encMaterial = Base64.DecodeBase64(encMaterialStr); KeyProvider.KeyVersion retKeyVersion = user.DoAs(new _PrivilegedExceptionAction_433 (this, keyName, versionName, iv, encMaterial)); retJSON = KMSServerJSONUtils.ToJSON(retKeyVersion); kmsAudit.Ok(user, KMS.KMSOp.DecryptEek, keyName, string.Empty); } else { throw new ArgumentException("Wrong " + KMSRESTConstants.EekOp + " value, it must be " + KMSRESTConstants.EekGenerate + " or " + KMSRESTConstants.EekDecrypt); } KMSWebApp.GetDecryptEEKCallsMeter().Mark(); return(Response.Ok().Type(MediaType.ApplicationJson).Entity(retJSON).Build()); }
protected override Properties GetConfiguration(string configPrefix, FilterConfig filterConfig) { Properties props = new Properties(); Configuration conf = KMSWebApp.GetConfiguration(); foreach (KeyValuePair <string, string> entry in conf) { string name = entry.Key; if (name.StartsWith(ConfigPrefix)) { string value = conf.Get(name); name = Runtime.Substring(name, ConfigPrefix.Length); props.SetProperty(name, value); } } string authType = props.GetProperty(AuthType); if (authType.Equals(PseudoAuthenticationHandler.Type)) { props.SetProperty(AuthType, typeof(PseudoDelegationTokenAuthenticationHandler).FullName ); } else { if (authType.Equals(KerberosAuthenticationHandler.Type)) { props.SetProperty(AuthType, typeof(KerberosDelegationTokenAuthenticationHandler). FullName); } } props.SetProperty(DelegationTokenAuthenticationHandler.TokenKind, KMSClientProvider .TokenKind); return(props); }
/// <exception cref="System.IO.IOException"/> /// <exception cref="Javax.Servlet.ServletException"/> public override void DoFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) { KMSAuthenticationFilter.KMSResponse kmsResponse = new KMSAuthenticationFilter.KMSResponse (response); base.DoFilter(request, kmsResponse, filterChain); if (kmsResponse.statusCode != HttpServletResponse.ScOk && kmsResponse.statusCode != HttpServletResponse.ScCreated && kmsResponse.statusCode != HttpServletResponse .ScUnauthorized) { KMSWebApp.GetInvalidCallsMeter().Mark(); } // HttpServletResponse.SC_UNAUTHORIZED is because the request does not // belong to an authenticated user. if (kmsResponse.statusCode == HttpServletResponse.ScUnauthorized) { KMSWebApp.GetUnauthenticatedCallsMeter().Mark(); string method = ((HttpServletRequest)request).GetMethod(); StringBuilder requestURL = ((HttpServletRequest)request).GetRequestURL(); string queryString = ((HttpServletRequest)request).GetQueryString(); if (queryString != null) { requestURL.Append("?").Append(queryString); } KMSWebApp.GetKMSAudit().Unauthenticated(request.GetRemoteHost(), method, requestURL .ToString(), kmsResponse.msg); } }
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException"/> public virtual void AssertAccess(KMSACLs.Type aclType, UserGroupInformation ugi, KMS.KMSOp operation, string key) { if (!KMSWebApp.GetACLs().HasAccess(aclType, ugi)) { KMSWebApp.GetUnauthorizedCallsMeter().Mark(); KMSWebApp.GetKMSAudit().Unauthorized(ugi, operation, key); throw new AuthorizationException(string.Format((key != null) ? UnauthorizedMsgWithKey : UnauthorizedMsgWithoutKey, ugi.GetShortUserName(), operation, key)); } }
public virtual Response GetKeyNames() { KMSWebApp.GetAdminCallsMeter().Mark(); UserGroupInformation user = HttpUserGroupInformation.Get(); AssertAccess(KMSACLs.Type.GetKeys, user, KMS.KMSOp.GetKeys); IList <string> json = user.DoAs(new _PrivilegedExceptionAction_256(this)); kmsAudit.Ok(user, KMS.KMSOp.GetKeys, string.Empty); return(Response.Ok().Type(MediaType.ApplicationJson).Entity(json).Build()); }
public virtual Response DeleteKey(string name) { KMSWebApp.GetAdminCallsMeter().Mark(); UserGroupInformation user = HttpUserGroupInformation.Get(); AssertAccess(KMSACLs.Type.Delete, user, KMS.KMSOp.DeleteKey, name); KMSClientProvider.CheckNotEmpty(name, "name"); user.DoAs(new _PrivilegedExceptionAction_168(this, name)); kmsAudit.Ok(user, KMS.KMSOp.DeleteKey, name, string.Empty); return(Response.Ok().Build()); }
protected override Configuration GetProxyuserConfiguration(FilterConfig filterConfig ) { IDictionary <string, string> proxyuserConf = KMSWebApp.GetConfiguration().GetValByRegex ("hadoop\\.kms\\.proxyuser\\."); Configuration conf = new Configuration(false); foreach (KeyValuePair <string, string> entry in proxyuserConf) { conf.Set(Runtime.Substring(entry.Key, "hadoop.kms.".Length), entry.Value); } return(conf); }
public virtual Response CreateKey(IDictionary jsonKey) { KMSWebApp.GetAdminCallsMeter().Mark(); UserGroupInformation user = HttpUserGroupInformation.Get(); string name = (string)jsonKey[KMSRESTConstants.NameField]; KMSClientProvider.CheckNotEmpty(name, KMSRESTConstants.NameField); AssertAccess(KMSACLs.Type.Create, user, KMS.KMSOp.CreateKey, name); string cipher = (string)jsonKey[KMSRESTConstants.CipherField]; string material = (string)jsonKey[KMSRESTConstants.MaterialField]; int length = (jsonKey.Contains(KMSRESTConstants.LengthField)) ? (int)jsonKey[KMSRESTConstants .LengthField] : 0; string description = (string)jsonKey[KMSRESTConstants.DescriptionField]; IDictionary <string, string> attributes = (IDictionary <string, string>)jsonKey[KMSRESTConstants .AttributesField]; if (material != null) { AssertAccess(KMSACLs.Type.SetKeyMaterial, user, KMS.KMSOp.CreateKey, name); } KeyProvider.Options options = new KeyProvider.Options(KMSWebApp.GetConfiguration( )); if (cipher != null) { options.SetCipher(cipher); } if (length != 0) { options.SetBitLength(length); } options.SetDescription(description); options.SetAttributes(attributes); KeyProvider.KeyVersion keyVersion = user.DoAs(new _PrivilegedExceptionAction_132( this, material, name, options)); kmsAudit.Ok(user, KMS.KMSOp.CreateKey, name, "UserProvidedMaterial:" + (material != null) + " Description:" + description); if (!KMSWebApp.GetACLs().HasAccess(KMSACLs.Type.Get, user)) { keyVersion = RemoveKeyMaterial(keyVersion); } IDictionary json = KMSServerJSONUtils.ToJSON(keyVersion); string requestURL = KMSMDCFilter.GetURL(); int idx = requestURL.LastIndexOf(KMSRESTConstants.KeysResource); requestURL = Runtime.Substring(requestURL, 0, idx); string keyURL = requestURL + KMSRESTConstants.KeyResource + "/" + name; return(Response.Created(GetKeyURI(name)).Type(MediaType.ApplicationJson).Header("Location" , keyURL).Entity(json).Build()); }
public virtual Response GetKeyVersions(string name) { UserGroupInformation user = HttpUserGroupInformation.Get(); KMSClientProvider.CheckNotEmpty(name, "name"); KMSWebApp.GetKeyCallsMeter().Mark(); AssertAccess(KMSACLs.Type.Get, user, KMS.KMSOp.GetKeyVersions, name); IList <KeyProvider.KeyVersion> ret = user.DoAs(new _PrivilegedExceptionAction_469( this, name)); object json = KMSServerJSONUtils.ToJSON(ret); kmsAudit.Ok(user, KMS.KMSOp.GetKeyVersions, name, string.Empty); return(Response.Ok().Type(MediaType.ApplicationJson).Entity(json).Build()); }
public virtual Response GetKeysMetadata(IList <string> keyNamesList) { KMSWebApp.GetAdminCallsMeter().Mark(); UserGroupInformation user = HttpUserGroupInformation.Get(); string[] keyNames = Collections.ToArray(keyNamesList, new string[keyNamesList .Count]); AssertAccess(KMSACLs.Type.GetMetadata, user, KMS.KMSOp.GetKeysMetadata); KeyProvider.Metadata[] keysMeta = user.DoAs(new _PrivilegedExceptionAction_234(this , keyNames)); object json = KMSServerJSONUtils.ToJSON(keyNames, keysMeta); kmsAudit.Ok(user, KMS.KMSOp.GetKeysMetadata, string.Empty); return(Response.Ok().Type(MediaType.ApplicationJson).Entity(json).Build()); }
public virtual Response GetKeyVersion(string versionName) { UserGroupInformation user = HttpUserGroupInformation.Get(); KMSClientProvider.CheckNotEmpty(versionName, "versionName"); KMSWebApp.GetKeyCallsMeter().Mark(); AssertAccess(KMSACLs.Type.Get, user, KMS.KMSOp.GetKeyVersion); KeyProvider.KeyVersion keyVersion = user.DoAs(new _PrivilegedExceptionAction_336( this, versionName)); if (keyVersion != null) { kmsAudit.Ok(user, KMS.KMSOp.GetKeyVersion, keyVersion.GetName(), string.Empty); } object json = KMSServerJSONUtils.ToJSON(keyVersion); return(Response.Ok().Type(MediaType.ApplicationJson).Entity(json).Build()); }
public virtual Response GenerateEncryptedKeys(string name, string edekOp, int numKeys ) { UserGroupInformation user = HttpUserGroupInformation.Get(); KMSClientProvider.CheckNotEmpty(name, "name"); KMSClientProvider.CheckNotNull(edekOp, "eekOp"); object retJSON; if (edekOp.Equals(KMSRESTConstants.EekGenerate)) { AssertAccess(KMSACLs.Type.GenerateEek, user, KMS.KMSOp.GenerateEek, name); IList <KeyProviderCryptoExtension.EncryptedKeyVersion> retEdeks = new List <KeyProviderCryptoExtension.EncryptedKeyVersion >(); try { user.DoAs(new _PrivilegedExceptionAction_375(this, numKeys, retEdeks, name)); } catch (Exception e) { throw new IOException(e); } kmsAudit.Ok(user, KMS.KMSOp.GenerateEek, name, string.Empty); retJSON = new ArrayList(); foreach (KeyProviderCryptoExtension.EncryptedKeyVersion edek in retEdeks) { ((ArrayList)retJSON).AddItem(KMSServerJSONUtils.ToJSON(edek)); } } else { throw new ArgumentException("Wrong " + KMSRESTConstants.EekOp + " value, it must be " + KMSRESTConstants.EekGenerate + " or " + KMSRESTConstants.EekDecrypt); } KMSWebApp.GetGenerateEEKCallsMeter().Mark(); return(Response.Ok().Type(MediaType.ApplicationJson).Entity(retJSON).Build()); }
/// <summary>Maps different exceptions thrown by KMS to HTTP status codes.</summary> public virtual Response ToResponse(Exception exception) { Response.Status status; bool doAudit = true; Exception throwable = exception; if (exception is ContainerException) { throwable = exception.InnerException; } if (throwable is SecurityException) { status = Response.Status.Forbidden; } else { if (throwable is AuthenticationException) { status = Response.Status.Forbidden; // we don't audit here because we did it already when checking access doAudit = false; } else { if (throwable is AuthorizationException) { status = Response.Status.Forbidden; // we don't audit here because we did it already when checking access doAudit = false; } else { if (throwable is AccessControlException) { status = Response.Status.Forbidden; } else { if (exception is IOException) { status = Response.Status.InternalServerError; } else { if (exception is NotSupportedException) { status = Response.Status.BadRequest; } else { if (exception is ArgumentException) { status = Response.Status.BadRequest; } else { status = Response.Status.InternalServerError; } } } } } } } if (doAudit) { KMSWebApp.GetKMSAudit().Error(KMSMDCFilter.GetUgi(), KMSMDCFilter.GetMethod(), KMSMDCFilter .GetURL(), GetOneLineMessage(exception)); } return(CreateResponse(status, throwable)); }
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException"/> private void AssertAccess(KMSACLs.Type aclType, UserGroupInformation ugi, KMS.KMSOp operation, string key) { KMSWebApp.GetACLs().AssertAccess(aclType, ugi, operation, key); }
/// <exception cref="System.Exception"/> public KMS() { provider = KMSWebApp.GetKeyProvider(); kmsAudit = KMSWebApp.GetKMSAudit(); }