-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56487/
-----------------------------------------------------------

(Updated March 6, 2017, 4:03 a.m.)


Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Ramesh Mani, 
Selvamohan Neethiraj, and Velmurugan Periasamy.


Bugs: RANGER-1294
    https://issues.apache.org/jira/browse/RANGER-1294


Repository: ranger


Description (updated)
-------

Currently, the Hadoop KMS supports default key ACLs and whitelist key ACLs. 
Ranger does not support the corresponding functions. Together with the blacklist 
function, these functions allow more accurate, more direct, and more detailed 
control of data security, so Ranger should support them. The 
reference link: https://issues.apache.org/jira/browse/HADOOP-11341


Diffs
-----

  kms/config/kms-webapp/dbks-site.xml a098db1 
  kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java 4bf2886 
  plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java 9bebafa 


Diff: https://reviews.apache.org/r/56487/diff/1/


Testing
-------

steps:
1. add a policy giving permission to user xiehh in the ranger-admin WebUI
2. create an encryption zone
[xiehh@zdh41 ~]$ hdfs dfs -mkdir /keyZone
[xiehh@zdh41 ~]$ hdfs crypto -createZone -keyName key0 -path /keyZone
[xiehh@zdh41 ~]$ hdfs dfs -put a.txt /keyZone

test:
1. configure as follows in dbks-site.xml
 <property>
        <name>default.key.acl.DECRYPT_EEK</name>
        <value>*</value>
 </property>
 <property>
        <name>whitelist.key.acl.DECRYPT_EEK</name>
        <value>*</value>
 </property>
--> test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd

2. configure as follows in dbks-site.xml
 <property>
        <name>default.key.acl.DECRYPT_EEK</name>
        <value>mysql</value>
 </property>
 <property>
        <name>whitelist.key.acl.DECRYPT_EEK</name>
        <value>mysql</value>
 </property>
--> test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
cat: User [xiehh] is not authorized to perform [DECRYPT_EEK] on key with ACL name [key0]!!

3. configure as follows in dbks-site.xml
 <property>
        <name>default.key.acl.DECRYPT_EEK</name>
        <value>*</value>
 </property>
 <property>
        <name>whitelist.key.acl.DECRYPT_EEK</name>
        <value>mysql</value>
 </property> 
--> test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd 

4. configure as follows in dbks-site.xml
 <property>
        <name>default.key.acl.DECRYPT_EEK</name>
        <value>mysql</value>
 </property>
 <property>
        <name>whitelist.key.acl.DECRYPT_EEK</name>
        <value>*</value>
 </property>
--> test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd 
...
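The four test configurations above exercise one decision rule: user xiehh can perform DECRYPT_EEK when either the default key ACL or the whitelist key ACL admits the user, and is denied only when both name someone else. The following is an added example, not code from Ranger or Hadoop KMS: a small model that reads `default.key.acl.<OP>` and `whitelist.key.acl.<OP>` properties from dbks-site.xml text and reproduces those results. It assumes Hadoop's ACL value syntax (`"user1,user2 group1,group2"`, or `*` for everyone) and the either-ACL-admits rule implied by the test output; key-specific ACLs are not modelled.

```python
import xml.etree.ElementTree as ET


def parse_acl(value):
    """Parse a Hadoop-style ACL value ("user1,user2 group1,group2", or "*")
    into (users, groups); the wildcard is kept as the user "*"."""
    parts = value.strip().split(None, 1)
    users = set(parts[0].split(",")) - {""} if parts else set()
    groups = set(parts[1].split(",")) - {""} if len(parts) > 1 else set()
    return users, groups


def acl_allows(acl, user, groups):
    """True if the ACL names the user, one of the user's groups, or everyone."""
    users, acl_groups = acl
    return "*" in users or user in users or bool(acl_groups & set(groups))


def load_key_acls(xml_text):
    """Collect default.key.acl.<OP> and whitelist.key.acl.<OP> from dbks-site.xml."""
    acls = {"default": {}, "whitelist": {}}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = (prop.findtext("name") or "").strip()
        value = prop.findtext("value") or ""
        for kind in acls:
            prefix = kind + ".key.acl."
            if name.startswith(prefix):
                acls[kind][name[len(prefix):]] = parse_acl(value)
    return acls


def has_access(acls, user, groups, op):
    """Assumed rule (it matches the four test results): the operation is
    allowed if the default key ACL or the whitelist key ACL admits the user."""
    for kind in ("default", "whitelist"):
        acl = acls[kind].get(op)
        if acl is not None and acl_allows(acl, user, groups):
            return True
    return False


def dbks_site(default_value, whitelist_value):
    """Constructed dbks-site.xml fragment mirroring the test configurations."""
    return ("<configuration>"
            f"<property><name>default.key.acl.DECRYPT_EEK</name><value>{default_value}</value></property>"
            f"<property><name>whitelist.key.acl.DECRYPT_EEK</name><value>{whitelist_value}</value></property>"
            "</configuration>")


def can_decrypt(default_value, whitelist_value, user="xiehh", groups=()):
    """Evaluate DECRYPT_EEK for a user under the given pair of ACL values."""
    acls = load_key_acls(dbks_site(default_value, whitelist_value))
    return has_access(acls, user, groups, "DECRYPT_EEK")
```

`can_decrypt("mysql", "mysql")` is the only one of the four page configurations that denies xiehh; widening either ACL to `*` allows the read, as the test output shows.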


Thanks,

Qiang Zhang
