org.apache.hadoop.crypto.key.kms.server

Class KeyAuthorizationKeyProvider

java.lang.Object

org.apache.hadoop.crypto.key.KeyProvider

org.apache.hadoop.crypto.key.KeyProviderExtension<org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension>

org.apache.hadoop.crypto.key.KeyProviderCryptoExtension

org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider

public class KeyAuthorizationKeyProvider
extends org.apache.hadoop.crypto.key.KeyProviderCryptoExtension

A KeyProvider proxy that checks whether the current user derived via UserGroupInformation, is authorized to perform the following type of operations on a Key :

1. MANAGEMENT operations : createKey, rollNewVersion, deleteKey
2. GENERATE_EEK operations : generateEncryptedKey, warmUpEncryptedKeys
3. DECRYPT_EEK operation : decryptEncryptedKey
4. READ operations : getKeyVersion, getKeyVersions, getMetadata, getKeysMetadata, getCurrentKey

The read operations (getCurrentKeyVersion / getMetadata) etc are not checked.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static interface	KeyAuthorizationKeyProvider.KeyACLs Interface that needs to be implemented by a client of the KeyAuthorizationKeyProvider.
static class	KeyAuthorizationKeyProvider.KeyOpType

Nested classes/interfaces inherited from class org.apache.hadoop.crypto.key.KeyProviderCryptoExtension

org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension, org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion

Nested classes/interfaces inherited from class org.apache.hadoop.crypto.key.KeyProviderExtension

org.apache.hadoop.crypto.key.KeyProviderExtension.Extension

Nested classes/interfaces inherited from class org.apache.hadoop.crypto.key.KeyProvider

org.apache.hadoop.crypto.key.KeyProvider.KeyVersion, org.apache.hadoop.crypto.key.KeyProvider.Metadata, org.apache.hadoop.crypto.key.KeyProvider.Options

Field Summary

Fields

Modifier and Type	Field and Description
static String	KEY_ACL

Fields inherited from class org.apache.hadoop.crypto.key.KeyProviderCryptoExtension

EEK, EK

Fields inherited from class org.apache.hadoop.crypto.key.KeyProvider

DEFAULT_BITLENGTH, DEFAULT_BITLENGTH_NAME, DEFAULT_CIPHER, DEFAULT_CIPHER_NAME, JCEKS_KEY_SERIAL_FILTER, JCEKS_KEY_SERIALFILTER_DEFAULT

Constructor Summary

Constructors

Constructor and Description
KeyAuthorizationKeyProvider(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension keyProvider, KeyAuthorizationKeyProvider.KeyACLs acls) The constructor takes a KeyProviderCryptoExtension and an implementation of KeyACLs.

Method Summary

Modifier and Type	Method and Description
org.apache.hadoop.crypto.key.KeyProvider.KeyVersion	createKey(String name, byte[] material, org.apache.hadoop.crypto.key.KeyProvider.Options options)
org.apache.hadoop.crypto.key.KeyProvider.KeyVersion	createKey(String name, org.apache.hadoop.crypto.key.KeyProvider.Options options)
org.apache.hadoop.crypto.key.KeyProvider.KeyVersion	decryptEncryptedKey(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion)
void	deleteKey(String name)
void	flush()
org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion	generateEncryptedKey(String encryptionKeyName)
org.apache.hadoop.crypto.key.KeyProvider.KeyVersion	getCurrentKey(String name)
protected org.apache.hadoop.crypto.key.KeyProvider	getKeyProvider()
List<String>	getKeys()
org.apache.hadoop.crypto.key.KeyProvider.Metadata[]	getKeysMetadata(String... names)
org.apache.hadoop.crypto.key.KeyProvider.KeyVersion	getKeyVersion(String versionName)
List<org.apache.hadoop.crypto.key.KeyProvider.KeyVersion>	getKeyVersions(String name)
org.apache.hadoop.crypto.key.KeyProvider.Metadata	getMetadata(String name)
void	invalidateCache(String name)
boolean	isTransient()
org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion	reencryptEncryptedKey(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion ekv)
void	reencryptEncryptedKeys(List<org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion> ekvs)
org.apache.hadoop.crypto.key.KeyProvider.KeyVersion	rollNewVersion(String name)
org.apache.hadoop.crypto.key.KeyProvider.KeyVersion	rollNewVersion(String name, byte[] material)
String	toString()
void	warmUpEncryptedKeys(String... names)

Methods inherited from class org.apache.hadoop.crypto.key.KeyProviderCryptoExtension

close, createKeyProviderCryptoExtension, drain

Methods inherited from class org.apache.hadoop.crypto.key.KeyProviderExtension

getExtension

Methods inherited from class org.apache.hadoop.crypto.key.KeyProvider

buildVersionName, findProvider, generateKey, getBaseName, getConf, needsPassword, noPasswordError, noPasswordWarning, options

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

KEY_ACL

public static final String KEY_ACL

See Also:

Constant Field Values

Constructor Detail

KeyAuthorizationKeyProvider

public KeyAuthorizationKeyProvider(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension keyProvider,
                                   KeyAuthorizationKeyProvider.KeyACLs acls)

The constructor takes a KeyProviderCryptoExtension and an implementation of KeyACLs. All calls are delegated to the provider keyProvider after authorization check (if required)

Parameters:

keyProvider - the key provider

acls - the Key ACLs

Method Detail

createKey

public org.apache.hadoop.crypto.key.KeyProvider.KeyVersion createKey(String name,
                                                                     org.apache.hadoop.crypto.key.KeyProvider.Options options)
                                                              throws NoSuchAlgorithmException,
                                                                     IOException

Overrides:

createKey in class org.apache.hadoop.crypto.key.KeyProviderExtension<org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension>

Throws:

NoSuchAlgorithmException

IOException

createKey

public org.apache.hadoop.crypto.key.KeyProvider.KeyVersion createKey(String name,
                                                                     byte[] material,
                                                                     org.apache.hadoop.crypto.key.KeyProvider.Options options)
                                                              throws IOException

Overrides:

createKey in class org.apache.hadoop.crypto.key.KeyProviderExtension<org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension>

Throws:

IOException

rollNewVersion

public org.apache.hadoop.crypto.key.KeyProvider.KeyVersion rollNewVersion(String name)
                                                                   throws NoSuchAlgorithmException,
                                                                          IOException

Overrides:

rollNewVersion in class org.apache.hadoop.crypto.key.KeyProviderExtension<org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension>

Throws:

NoSuchAlgorithmException

IOException

deleteKey

public void deleteKey(String name)
               throws IOException

Overrides:

deleteKey in class org.apache.hadoop.crypto.key.KeyProviderExtension<org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension>

Throws:

IOException

rollNewVersion

public org.apache.hadoop.crypto.key.KeyProvider.KeyVersion rollNewVersion(String name,
                                                                          byte[] material)
                                                                   throws IOException

Overrides:

rollNewVersion in class org.apache.hadoop.crypto.key.KeyProviderExtension<org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension>

Throws:

IOException

invalidateCache

public void invalidateCache(String name)
                     throws IOException

Overrides:

invalidateCache in class org.apache.hadoop.crypto.key.KeyProviderExtension<org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension>

Throws:

IOException

warmUpEncryptedKeys

public void warmUpEncryptedKeys(String... names)
                         throws IOException

Overrides:

warmUpEncryptedKeys in class org.apache.hadoop.crypto.key.KeyProviderCryptoExtension

Throws:

IOException

generateEncryptedKey

public org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName)
                                                                                                 throws IOException,
                                                                                                        GeneralSecurityException

Overrides:

generateEncryptedKey in class org.apache.hadoop.crypto.key.KeyProviderCryptoExtension

Throws:

IOException

GeneralSecurityException

decryptEncryptedKey

public org.apache.hadoop.crypto.key.KeyProvider.KeyVersion decryptEncryptedKey(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion)
                                                                        throws IOException,
                                                                               GeneralSecurityException

Overrides:

decryptEncryptedKey in class org.apache.hadoop.crypto.key.KeyProviderCryptoExtension

Throws:

IOException

GeneralSecurityException

reencryptEncryptedKey

public org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion reencryptEncryptedKey(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion ekv)
                                                                                                  throws IOException,
                                                                                                         GeneralSecurityException

Overrides:

reencryptEncryptedKey in class org.apache.hadoop.crypto.key.KeyProviderCryptoExtension

Throws:

IOException

GeneralSecurityException

reencryptEncryptedKeys

public void reencryptEncryptedKeys(List<org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion> ekvs)
                            throws IOException,
                                   GeneralSecurityException

Overrides:

reencryptEncryptedKeys in class org.apache.hadoop.crypto.key.KeyProviderCryptoExtension

Throws:

IOException

GeneralSecurityException

getKeyVersion

public org.apache.hadoop.crypto.key.KeyProvider.KeyVersion getKeyVersion(String versionName)
                                                                  throws IOException

Overrides:

getKeyVersion in class org.apache.hadoop.crypto.key.KeyProviderExtension<org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension>

Throws:

IOException

getKeys

public List<String> getKeys()
                     throws IOException

Overrides:

getKeys in class org.apache.hadoop.crypto.key.KeyProviderExtension<org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension>

Throws:

IOException

getKeyVersions

public List<org.apache.hadoop.crypto.key.KeyProvider.KeyVersion> getKeyVersions(String name)
                                                                         throws IOException

Overrides:

getKeyVersions in class org.apache.hadoop.crypto.key.KeyProviderExtension<org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension>

Throws:

IOException

getMetadata

public org.apache.hadoop.crypto.key.KeyProvider.Metadata getMetadata(String name)
                                                              throws IOException

Overrides:

getMetadata in class org.apache.hadoop.crypto.key.KeyProviderExtension<org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension>

Throws:

IOException

getKeysMetadata

public org.apache.hadoop.crypto.key.KeyProvider.Metadata[] getKeysMetadata(String... names)
                                                                    throws IOException

Overrides:

getKeysMetadata in class org.apache.hadoop.crypto.key.KeyProviderExtension<org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension>

Throws:

IOException

getCurrentKey

public org.apache.hadoop.crypto.key.KeyProvider.KeyVersion getCurrentKey(String name)
                                                                  throws IOException

Overrides:

getCurrentKey in class org.apache.hadoop.crypto.key.KeyProviderExtension<org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension>

Throws:

IOException

flush

public void flush()
           throws IOException

Overrides:

flush in class org.apache.hadoop.crypto.key.KeyProviderExtension<org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension>

Throws:

IOException

isTransient

public boolean isTransient()

Overrides:

isTransient in class org.apache.hadoop.crypto.key.KeyProviderExtension<org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension>

getKeyProvider

protected org.apache.hadoop.crypto.key.KeyProvider getKeyProvider()

Overrides:

getKeyProvider in class org.apache.hadoop.crypto.key.KeyProviderExtension<org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension>

toString

public String toString()

Overrides:

toString in class org.apache.hadoop.crypto.key.KeyProviderExtension<org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension>