-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56487/
-----------------------------------------------------------

(Updated March 6, 2017, 4:03 a.m.)


Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.


Bugs: RANGER-1294
    https://issues.apache.org/jira/browse/RANGER-1294


Repository: ranger


Description (updated)
-------

Currently, the Hadoop KMS supports default key ACLs and whitelist key ACLs. Ranger doesn't support the related functions. Corresponding to the blacklist function, these functions can provide more accurate, more direct, and more detailed control of data security. So Ranger should support these functions.

The reference link: https://issues.apache.org/jira/browse/HADOOP-11341


Diffs
-----

  kms/config/kms-webapp/dbks-site.xml a098db1
  kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java 4bf2886
  plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java 9bebafa

Diff: https://reviews.apache.org/r/56487/diff/1/


Testing
-------

Steps:

1. Add a policy to give permission for user xiehh in the ranger-admin WebUI.

2. Create a zone:

    [xiehh@zdh41 ~]$ hdfs dfs -mkdir /keyZone
    [xiehh@zdh41 ~]$ hdfs crypto -createZone -keyName key0 -path /keyZone
    [xiehh@zdh41 ~]$ hdfs dfs -put a.txt /keyZone

Test:

1. Configure as follows in dbks-site.xml:

    <property>
      <name>default.key.acl.DECRYPT_EEK</name>
      <value>*</value>
    </property>
    <property>
      <name>whitelist.key.acl.DECRYPT_EEK</name>
      <value>*</value>
    </property>

   --> Test with user xiehh:

    [xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
    dasdads asdasd

2. Configure as follows in dbks-site.xml:

    <property>
      <name>default.key.acl.DECRYPT_EEK</name>
      <value>mysql</value>
    </property>
    <property>
      <name>whitelist.key.acl.DECRYPT_EEK</name>
      <value>mysql</value>
    </property>

   --> Test with user xiehh:

    [xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
    cat: User [xiehh] is not authorized to perform [DECRYPT_EEK] on key with ACL name [key0]!!

3. Configure as follows in dbks-site.xml:

    <property>
      <name>default.key.acl.DECRYPT_EEK</name>
      <value>*</value>
    </property>
    <property>
      <name>whitelist.key.acl.DECRYPT_EEK</name>
      <value>mysql</value>
    </property>

   --> Test with user xiehh:

    [xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
    dasdads asdasd

4. Configure as follows in dbks-site.xml:

    <property>
      <name>default.key.acl.DECRYPT_EEK</name>
      <value>mysql</value>
    </property>
    <property>
      <name>whitelist.key.acl.DECRYPT_EEK</name>
      <value>*</value>
    </property>

   --> Test with user xiehh:

    [xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
    dasdads asdasd

...


Thanks,

Qiang Zhang
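

The four test outcomes above, modeled as an added example (not part of the original message and not Ranger or Hadoop code). It assumes key0 has no key-specific ACL and infers from the listed results that a match on either the default or the whitelist ACL permits DECRYPT_EEK; all function names are hypothetical and Ranger policy evaluation is not modeled.

```python
import xml.etree.ElementTree as ET

OP = "DECRYPT_EEK"

def fragment(default_acl, whitelist_acl):
    """Build the two <property> entries used in each test case of the message."""
    prop = "<property><name>{}.key.acl.{}</name><value>{}</value></property>"
    return prop.format("default", OP, default_acl) + prop.format("whitelist", OP, whitelist_acl)

def load_acls(xml_fragment):
    """Parse <property> elements into {name: value}. Values are kept unstripped
    because a leading space is significant in Hadoop ACL strings."""
    root = ET.fromstring("<configuration>" + xml_fragment + "</configuration>")
    return {p.findtext("name").strip(): p.findtext("value") or ""
            for p in root.iter("property")}

def acl_matches(acl, user, groups=()):
    """Hadoop ACL string format: 'user1,user2 group1,group2'; '*' matches all."""
    if acl.strip() == "*":
        return True
    users, _, grps = acl.partition(" ")
    allowed_users = {u for u in users.split(",") if u}
    allowed_groups = {g for g in grps.split(",") if g}
    return user in allowed_users or bool(allowed_groups & set(groups))

def permitted(acls, user, groups=(), op=OP):
    """Assumption: no key-specific ACL exists for the key, so the default ACL
    applies, and a whitelist match grants access on its own."""
    default_ok = acl_matches(acls.get("default.key.acl." + op, ""), user, groups)
    whitelist_ok = acl_matches(acls.get("whitelist.key.acl." + op, ""), user, groups)
    return default_ok or whitelist_ok

# (default ACL, whitelist ACL) for test cases 1-4 in the message
CASES = [("*", "*"), ("mysql", "mysql"), ("*", "mysql"), ("mysql", "*")]

def run_cases(user):
    """Evaluate all four configurations for one user."""
    return [permitted(load_acls(fragment(d, w)), user) for d, w in CASES]

if __name__ == "__main__":
    for (d, w), ok in zip(CASES, run_cases("xiehh")):
        print(f"default={d!r} whitelist={w!r} -> {'allowed' if ok else 'denied'}")
```

Only case 2, where neither ACL names xiehh or uses the wildcard, denies the request, matching the "not authorized" error shown in the test output.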