HADOOP-11469. KMS should skip default.key.acl and whitelist.key.acl when loading key acl. (Dian Fu via yliu)
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/93f6e7a3 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/93f6e7a3 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/93f6e7a3 Branch: refs/heads/HDFS-EC Commit: 93f6e7a39e06cffdb92b7f73e4e6df2d5c964fd3 Parents: dad98fb Author: yliu <y...@apache.org> Authored: Wed Jan 28 00:07:21 2015 +0800 Committer: Zhe Zhang <z...@apache.org> Committed: Thu Jan 29 10:05:25 2015 -0800 ---------------------------------------------------------------------- hadoop-common-project/hadoop-common/CHANGES.txt | 3 +++ .../hadoop/crypto/key/kms/server/KMSACLs.java | 7 +++++-- .../crypto/key/kms/server/KMSConfiguration.java | 1 + .../hadoop/crypto/key/kms/server/TestKMSACLs.java | 18 +++++++++++++++--- 4 files changed, 24 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/93f6e7a3/hadoop-common-project/hadoop-common/CHANGES.txt ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 0396e7d..b87c9ae 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -774,6 +774,9 @@ Release 2.7.0 - UNRELEASED HADOOP-11509. Change parsing sequence in GenericOptionsParser to parse -D parameters before -files. (xgong) + HADOOP-11469. KMS should skip default.key.acl and whitelist.key.acl when + loading key acl. (Dian Fu via yliu) + Release 2.6.1 - UNRELEASED INCOMPATIBLE CHANGES http://git-wip-us.apache.org/repos/asf/hadoop/blob/93f6e7a3/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java ---------------------------------------------------------------------- 
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java index c33dd4b..5b67950 100644 --- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java +++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java @@ -36,6 +36,8 @@ import java.util.concurrent.ScheduledExecutorService; import java.util.concurrent.TimeUnit; import java.util.regex.Pattern; +import com.google.common.annotations.VisibleForTesting; + /** * Provides access to the <code>AccessControlList</code>s used by KMS, * hot-reloading them if the <code>kms-acls.xml</code> file where the ACLs @@ -70,7 +72,8 @@ public class KMSACLs implements Runnable, KeyACLs { private volatile Map<Type, AccessControlList> acls; private volatile Map<Type, AccessControlList> blacklistedAcls; - private volatile Map<String, HashMap<KeyOpType, AccessControlList>> keyAcls; + @VisibleForTesting + volatile Map<String, HashMap<KeyOpType, AccessControlList>> keyAcls; private final Map<KeyOpType, AccessControlList> defaultKeyAcls = new HashMap<KeyOpType, AccessControlList>(); private final Map<KeyOpType, AccessControlList> whitelistKeyAcls = 
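Review bot: Dropping `private` from `keyAcls` in the second hunk hands the live, mutable ACL map to every class in the `kms.server` package, not only to the test, and any such caller can then add or remove per-key entries without going through the reload path that populates the map. Keep the field `private volatile` and give the test a read-only view instead: `@VisibleForTesting Map<String, HashMap<KeyOpType, AccessControlList>> getKeyAcls() { return Collections.unmodifiableMap(keyAcls); }` (this needs `java.util.Collections` in scope; the import hunk does not show whether it already is). The field declarations continue past the end of this hunk.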
@@ -112,7 +115,7 @@ public class KMSACLs implements Runnable, KeyACLs { Map<String, HashMap<KeyOpType, AccessControlList>> tempKeyAcls = new HashMap<String, HashMap<KeyOpType,AccessControlList>>(); Map<String, String> allKeyACLS = - conf.getValByRegex(Pattern.quote(KMSConfiguration.KEY_ACL_PREFIX)); + conf.getValByRegex(KMSConfiguration.KEY_ACL_PREFIX_REGEX); for (Map.Entry<String, String> keyAcl : allKeyACLS.entrySet()) { String k = keyAcl.getKey(); // this should be of type "key.acl.<KEY_NAME>.<OP_TYPE>" http://git-wip-us.apache.org/repos/asf/hadoop/blob/93f6e7a3/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java index a67c68e..23c983f 100644 --- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java +++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java @@ -38,6 +38,7 @@ public class KMSConfiguration { public static final String CONFIG_PREFIX = "hadoop.kms."; public static final String KEY_ACL_PREFIX = "key.acl."; + public static final String KEY_ACL_PREFIX_REGEX = "^key\\.acl\\..+"; public static final String DEFAULT_KEY_ACL_PREFIX = "default.key.acl."; public static final String WHITELIST_KEY_ACL_PREFIX = "whitelist.key.acl."; http://git-wip-us.apache.org/repos/asf/hadoop/blob/93f6e7a3/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java ---------------------------------------------------------------------- 
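Review bot: The new `conf.getValByRegex(KMSConfiguration.KEY_ACL_PREFIX_REGEX)` call needs a why-comment, because the leading anchor is the only thing keeping `default.key.acl.*` and `whitelist.key.acl.*` (which also contain `key.acl.`) out of `tempKeyAcls`, and a later reader could easily "simplify" it back to a plain prefix match. I would put `// anchored regex: default.key.acl.* and whitelist.key.acl.* contain "key.acl." too and are loaded separately` directly above the call. Note that `^key\.acl\..+` still admits names such as `key.acl.foo` with no `<OP_TYPE>` segment, so the loop body presumably has to reject those itself; that body, and the enclosing method's start and end, lie outside this hunk.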
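Review bot: `KEY_ACL_PREFIX_REGEX` hand-encodes the value of `KEY_ACL_PREFIX` declared one line above it, so the two constants can silently diverge if the prefix is ever changed; deriving one from the other removes that risk: `public static final String KEY_ACL_PREFIX_REGEX = "^" + Pattern.quote(KEY_ACL_PREFIX) + ".+";` (requires `java.util.regex.Pattern` in this file, which the hunk does not show). A one-line comment on the constant, e.g. `// anchored so default.key.acl.* / whitelist.key.acl.* never match as per-key ACLs`, would record why the anchor matters to the ACL loader.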
diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java index abdf3c2..b4bf504 100644 --- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java +++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java @@ -26,7 +26,7 @@ public class TestKMSACLs { @Test public void testDefaults() { - KMSACLs acls = new KMSACLs(new Configuration(false)); + final KMSACLs acls = new KMSACLs(new Configuration(false)); for (KMSACLs.Type type : KMSACLs.Type.values()) { Assert.assertTrue(acls.hasAccess(type, UserGroupInformation.createRemoteUser("foo"))); @@ -35,11 +35,11 @@ public class TestKMSACLs { @Test public void testCustom() { - Configuration conf = new Configuration(false); + final Configuration conf = new Configuration(false); for (KMSACLs.Type type : KMSACLs.Type.values()) { conf.set(type.getAclConfigKey(), type.toString() + " "); } - KMSACLs acls = new KMSACLs(conf); + final KMSACLs acls = new KMSACLs(conf); for (KMSACLs.Type type : KMSACLs.Type.values()) { Assert.assertTrue(acls.hasAccess(type, UserGroupInformation.createRemoteUser(type.toString()))); 
@@ -48,4 +48,16 @@ public class TestKMSACLs { } } + @Test + public void testKeyAclConfigurationLoad() { + final Configuration conf = new Configuration(false); + conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key_1.MANAGEMENT", "CREATE"); + conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key_2.ALL", "CREATE"); + conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key_3.NONEXISTOPERATION", "CREATE"); + conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "ROLLOVER"); + conf.set(KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + "MANAGEMENT", "DECRYPT_EEK"); + final KMSACLs acls = new KMSACLs(conf); + Assert.assertTrue("expected key ACL size is 2 but got " + acls.keyAcls.size(), + acls.keyAcls.size() == 2); + } }
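Review bot: `testKeyAclConfigurationLoad` only asserts `acls.keyAcls.size() == 2`, so it would still pass if the loader kept a bogus `default`/`whitelist` entry and dropped `test_key_1` instead; pin the contents rather than the count: `Assert.assertEquals(new HashSet<String>(Arrays.asList("test_key_1", "test_key_2")), acls.keyAcls.keySet());` and `Assert.assertFalse(acls.keyAcls.containsKey("test_key_3"));` (with `java.util.Arrays`/`java.util.HashSet` imported). `assertEquals` also prints the actual value on failure, which makes the hand-built `"expected key ACL size is 2 but got "` message unnecessary. The test builds its keys from `KeyAuthorizationKeyProvider.KEY_ACL` while the loader matches on `KMSConfiguration.KEY_ACL_PREFIX`; if those are distinct constants, using the latter here ties the test to the code it exercises.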