org.apache.hadoop.crypto.key.kms.server

Class KeyAuthorizationKeyProvider

java.lang.Object

org.apache.hadoop.crypto.key.KeyProvider

org.apache.hadoop.crypto.key.KeyProviderExtension<KeyProviderCryptoExtension.CryptoExtension>

org.apache.hadoop.crypto.key.KeyProviderCryptoExtension

org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider

public class KeyAuthorizationKeyProvider
extends KeyProviderCryptoExtension

A KeyProvider proxy that checks whether the current user derived via UserGroupInformation, is authorized to perform the following type of operations on a Key :

1. MANAGEMENT operations : createKey, rollNewVersion, deleteKey
2. GENERATE_EEK operations : generateEncryptedKey, warmUpEncryptedKeys
3. DECRYPT_EEK operation : decryptEncryptedKey
4. READ operations : getKeyVersion, getKeyVersions, getMetadata, getKeysMetadata, getCurrentKey

The read operations (getCurrentKeyVersion / getMetadata) etc are not checked.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static interface	KeyAuthorizationKeyProvider.KeyACLs Interface that needs to be implemented by a client of the KeyAuthorizationKeyProvider.
static class	KeyAuthorizationKeyProvider.KeyOpType

Nested classes/interfaces inherited from class org.apache.hadoop.crypto.key.KeyProviderCryptoExtension

KeyProviderCryptoExtension.CryptoExtension, KeyProviderCryptoExtension.EncryptedKeyVersion

Nested classes/interfaces inherited from class org.apache.hadoop.crypto.key.KeyProviderExtension

KeyProviderExtension.Extension

Nested classes/interfaces inherited from class org.apache.hadoop.crypto.key.KeyProvider

KeyProvider.KeyVersion, KeyProvider.Metadata, KeyProvider.Options

Field Summary

Fields

Modifier and Type	Field and Description
static String	KEY_ACL

Fields inherited from class org.apache.hadoop.crypto.key.KeyProviderCryptoExtension

EEK, EK

Fields inherited from class org.apache.hadoop.crypto.key.KeyProvider

DEFAULT_BITLENGTH, DEFAULT_BITLENGTH_NAME, DEFAULT_CIPHER, DEFAULT_CIPHER_NAME

Constructor Summary

Constructors

Constructor and Description
KeyAuthorizationKeyProvider(KeyProviderCryptoExtension keyProvider, KeyAuthorizationKeyProvider.KeyACLs acls) The constructor takes a KeyProviderCryptoExtension and an implementation of KeyACLs.

Method Summary

Modifier and Type	Method and Description
KeyProvider.KeyVersion	createKey(String name, byte[] material, KeyProvider.Options options)
KeyProvider.KeyVersion	createKey(String name, KeyProvider.Options options)
KeyProvider.KeyVersion	decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion)
void	deleteKey(String name)
void	flush()
KeyProviderCryptoExtension.EncryptedKeyVersion	generateEncryptedKey(String encryptionKeyName)
KeyProvider.KeyVersion	getCurrentKey(String name)
protected KeyProvider	getKeyProvider()
List<String>	getKeys()
KeyProvider.Metadata[]	getKeysMetadata(String... names)
KeyProvider.KeyVersion	getKeyVersion(String versionName)
List<KeyProvider.KeyVersion>	getKeyVersions(String name)
KeyProvider.Metadata	getMetadata(String name)
boolean	isTransient()
KeyProvider.KeyVersion	rollNewVersion(String name)
KeyProvider.KeyVersion	rollNewVersion(String name, byte[] material)
String	toString()
void	warmUpEncryptedKeys(String... names)

Methods inherited from class org.apache.hadoop.crypto.key.KeyProviderCryptoExtension

close, createKeyProviderCryptoExtension

Methods inherited from class org.apache.hadoop.crypto.key.KeyProviderExtension

getExtension

Methods inherited from class org.apache.hadoop.crypto.key.KeyProvider

buildVersionName, findProvider, generateKey, getBaseName, getConf, options

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

KEY_ACL

public static final String KEY_ACL

See Also:

Constant Field Values

Constructor Detail

KeyAuthorizationKeyProvider

public KeyAuthorizationKeyProvider(KeyProviderCryptoExtension keyProvider,
                                   KeyAuthorizationKeyProvider.KeyACLs acls)

The constructor takes a KeyProviderCryptoExtension and an implementation of KeyACLs. All calls are delegated to the provider keyProvider after authorization check (if required)

Parameters:

keyProvider -

acls -

Method Detail

createKey

public KeyProvider.KeyVersion createKey(String name,
                                        KeyProvider.Options options)
                                 throws NoSuchAlgorithmException,
                                        IOException

Overrides:

createKey in class KeyProviderExtension<KeyProviderCryptoExtension.CryptoExtension>

Throws:

NoSuchAlgorithmException

IOException

createKey

public KeyProvider.KeyVersion createKey(String name,
                                        byte[] material,
                                        KeyProvider.Options options)
                                 throws IOException

Overrides:

createKey in class KeyProviderExtension<KeyProviderCryptoExtension.CryptoExtension>

Throws:

IOException

rollNewVersion

public KeyProvider.KeyVersion rollNewVersion(String name)
                                      throws NoSuchAlgorithmException,
                                             IOException

Overrides:

rollNewVersion in class KeyProviderExtension<KeyProviderCryptoExtension.CryptoExtension>

Throws:

NoSuchAlgorithmException

IOException

deleteKey

public void deleteKey(String name)
               throws IOException

Overrides:

deleteKey in class KeyProviderExtension<KeyProviderCryptoExtension.CryptoExtension>

Throws:

IOException

rollNewVersion

public KeyProvider.KeyVersion rollNewVersion(String name,
                                             byte[] material)
                                      throws IOException

Overrides:

rollNewVersion in class KeyProviderExtension<KeyProviderCryptoExtension.CryptoExtension>

Throws:

IOException

warmUpEncryptedKeys

public void warmUpEncryptedKeys(String... names)
                         throws IOException

Overrides:

warmUpEncryptedKeys in class KeyProviderCryptoExtension

Throws:

IOException

generateEncryptedKey

public KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName)
                                                                    throws IOException,
                                                                           GeneralSecurityException

Overrides:

generateEncryptedKey in class KeyProviderCryptoExtension

Throws:

IOException

GeneralSecurityException

decryptEncryptedKey

public KeyProvider.KeyVersion decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion)
                                           throws IOException,
                                                  GeneralSecurityException

Overrides:

decryptEncryptedKey in class KeyProviderCryptoExtension

Throws:

IOException

GeneralSecurityException

getKeyVersion

public KeyProvider.KeyVersion getKeyVersion(String versionName)
                                     throws IOException

Overrides:

getKeyVersion in class KeyProviderExtension<KeyProviderCryptoExtension.CryptoExtension>

Throws:

IOException

getKeys

public List<String> getKeys()
                     throws IOException

Overrides:

getKeys in class KeyProviderExtension<KeyProviderCryptoExtension.CryptoExtension>

Throws:

IOException

getKeyVersions

public List<KeyProvider.KeyVersion> getKeyVersions(String name)
                                            throws IOException

Overrides:

getKeyVersions in class KeyProviderExtension<KeyProviderCryptoExtension.CryptoExtension>

Throws:

IOException

getMetadata

public KeyProvider.Metadata getMetadata(String name)
                                 throws IOException

Overrides:

getMetadata in class KeyProviderExtension<KeyProviderCryptoExtension.CryptoExtension>

Throws:

IOException

getKeysMetadata

public KeyProvider.Metadata[] getKeysMetadata(String... names)
                                       throws IOException

Overrides:

getKeysMetadata in class KeyProviderExtension<KeyProviderCryptoExtension.CryptoExtension>

Throws:

IOException

getCurrentKey

public KeyProvider.KeyVersion getCurrentKey(String name)
                                     throws IOException

Overrides:

getCurrentKey in class KeyProviderExtension<KeyProviderCryptoExtension.CryptoExtension>

Throws:

IOException

flush

public void flush()
           throws IOException

Overrides:

flush in class KeyProviderExtension<KeyProviderCryptoExtension.CryptoExtension>

Throws:

IOException

isTransient

public boolean isTransient()

Overrides:

isTransient in class KeyProviderExtension<KeyProviderCryptoExtension.CryptoExtension>

getKeyProvider

protected KeyProvider getKeyProvider()

Overrides:

getKeyProvider in class KeyProviderExtension<KeyProviderCryptoExtension.CryptoExtension>

toString

public String toString()

Overrides:

toString in class KeyProviderExtension<KeyProviderCryptoExtension.CryptoExtension>