public virtual Response RolloverKey(string name, IDictionary jsonMaterial) { KMSWebApp.GetAdminCallsMeter().Mark(); UserGroupInformation user = HttpUserGroupInformation.Get(); AssertAccess(KMSACLs.Type.Rollover, user, KMS.KMSOp.RollNewVersion, name); KMSClientProvider.CheckNotEmpty(name, "name"); string material = (string)jsonMaterial[KMSRESTConstants.MaterialField]; if (material != null) { AssertAccess(KMSACLs.Type.SetKeyMaterial, user, KMS.KMSOp.RollNewVersion, name); } KeyProvider.KeyVersion keyVersion = user.DoAs(new _PrivilegedExceptionAction_200( this, material, name)); kmsAudit.Ok(user, KMS.KMSOp.RollNewVersion, name, "UserProvidedMaterial:" + (material != null) + " NewVersion:" + keyVersion.GetVersionName()); if (!KMSWebApp.GetACLs().HasAccess(KMSACLs.Type.Get, user)) { keyVersion = RemoveKeyMaterial(keyVersion); } IDictionary json = KMSServerJSONUtils.ToJSON(keyVersion); return(Response.Ok().Type(MediaType.ApplicationJson).Entity(json).Build()); }
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException"/> public virtual void AssertAccess(KMSACLs.Type aclType, UserGroupInformation ugi, KMS.KMSOp operation, string key) { if (!KMSWebApp.GetACLs().HasAccess(aclType, ugi)) { KMSWebApp.GetUnauthorizedCallsMeter().Mark(); KMSWebApp.GetKMSAudit().Unauthorized(ugi, operation, key); throw new AuthorizationException(string.Format((key != null) ? UnauthorizedMsgWithKey : UnauthorizedMsgWithoutKey, ugi.GetShortUserName(), operation, key)); } }
public virtual Response CreateKey(IDictionary jsonKey) { KMSWebApp.GetAdminCallsMeter().Mark(); UserGroupInformation user = HttpUserGroupInformation.Get(); string name = (string)jsonKey[KMSRESTConstants.NameField]; KMSClientProvider.CheckNotEmpty(name, KMSRESTConstants.NameField); AssertAccess(KMSACLs.Type.Create, user, KMS.KMSOp.CreateKey, name); string cipher = (string)jsonKey[KMSRESTConstants.CipherField]; string material = (string)jsonKey[KMSRESTConstants.MaterialField]; int length = (jsonKey.Contains(KMSRESTConstants.LengthField)) ? (int)jsonKey[KMSRESTConstants .LengthField] : 0; string description = (string)jsonKey[KMSRESTConstants.DescriptionField]; IDictionary <string, string> attributes = (IDictionary <string, string>)jsonKey[KMSRESTConstants .AttributesField]; if (material != null) { AssertAccess(KMSACLs.Type.SetKeyMaterial, user, KMS.KMSOp.CreateKey, name); } KeyProvider.Options options = new KeyProvider.Options(KMSWebApp.GetConfiguration( )); if (cipher != null) { options.SetCipher(cipher); } if (length != 0) { options.SetBitLength(length); } options.SetDescription(description); options.SetAttributes(attributes); KeyProvider.KeyVersion keyVersion = user.DoAs(new _PrivilegedExceptionAction_132( this, material, name, options)); kmsAudit.Ok(user, KMS.KMSOp.CreateKey, name, "UserProvidedMaterial:" + (material != null) + " Description:" + description); if (!KMSWebApp.GetACLs().HasAccess(KMSACLs.Type.Get, user)) { keyVersion = RemoveKeyMaterial(keyVersion); } IDictionary json = KMSServerJSONUtils.ToJSON(keyVersion); string requestURL = KMSMDCFilter.GetURL(); int idx = requestURL.LastIndexOf(KMSRESTConstants.KeysResource); requestURL = Runtime.Substring(requestURL, 0, idx); string keyURL = requestURL + KMSRESTConstants.KeyResource + "/" + name; return(Response.Created(GetKeyURI(name)).Type(MediaType.ApplicationJson).Header("Location" , keyURL).Entity(json).Build()); }
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException"/> private void AssertAccess(KMSACLs.Type aclType, UserGroupInformation ugi, KMS.KMSOp operation, string key) { KMSWebApp.GetACLs().AssertAccess(aclType, ugi, operation, key); }