Posted to common-commits@hadoop.apache.org by yl...@apache.org on 2014/11/25 03:02:47 UTC
hadoop git commit: HADOOP-11322. key based ACL check in KMS always
check KeyOpType.MANAGEMENT even actual KeyOpType is not MANAGEMENT. (Dian Fu
via yliu)
Repository: hadoop
Updated Branches:
refs/heads/trunk 45fa7f023 -> 61a2510b5
HADOOP-11322. Key-based ACL check in KMS always checks KeyOpType.MANAGEMENT even when the actual KeyOpType is not MANAGEMENT. (Dian Fu via yliu)
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/61a2510b
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/61a2510b
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/61a2510b
Branch: refs/heads/trunk
Commit: 61a2510b55317867c8539a4df295f5afb85da5d4
Parents: 45fa7f0
Author: yliu <yl...@apache.org>
Authored: Tue Nov 25 01:08:40 2014 +0800
Committer: yliu <yl...@apache.org>
Committed: Tue Nov 25 01:08:40 2014 +0800
----------------------------------------------------------------------
hadoop-common-project/hadoop-common/CHANGES.txt | 3 ++
.../kms/server/KeyAuthorizationKeyProvider.java | 2 +-
.../hadoop/crypto/key/kms/server/TestKMS.java | 38 +++++++++++++++++---
3 files changed, 38 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/61a2510b/hadoop-common-project/hadoop-common/CHANGES.txt
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index fe1eb8e..5540e51 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -462,6 +462,9 @@ Release 2.7.0 - UNRELEASED
HADOOP-11201. Hadoop Archives should support globs resolving to files.
(Gera Shegalov via cnauroth)
+ HADOOP-11322. key based ACL check in KMS always check KeyOpType.MANAGEMENT
+ even actual KeyOpType is not MANAGEMENT. (Dian Fu via yliu)
+
Release 2.6.0 - 2014-11-18
INCOMPATIBLE CHANGES
http://git-wip-us.apache.org/repos/asf/hadoop/blob/61a2510b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
index bccec4a..0e43b47 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
@@ -132,7 +132,7 @@ public class KeyAuthorizationKeyProvider extends KeyProviderCryptoExtension {
KeyOpType opType) throws AuthorizationException {
Preconditions.checkNotNull(aclName, "Key ACL name cannot be null");
Preconditions.checkNotNull(ugi, "UserGroupInformation cannot be null");
- if (acls.isACLPresent(aclName, KeyOpType.MANAGEMENT) &&
+ if (acls.isACLPresent(aclName, opType) &&
(acls.hasAccessToKey(aclName, ugi, opType)
|| acls.hasAccessToKey(aclName, ugi, KeyOpType.ALL))) {
return;
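Review bot: The `KeyOpType.ALL` fallback on the third line of the condition is only reachable when `acls.isACLPresent(aclName, opType)` is true, so if `isACLPresent` is keyed on the (name, opType) pair rather than on the key name alone, a key whose only entry is an `ALL` ACL would now be denied for every concrete operation; `isACLPresent` is not visible here, so this needs confirming against KMSACLs and a test case for a key configured with only the ALL ACL. Switching the probe from `MANAGEMENT` to `opType` keeps the method fail-closed — an absent ACL for the requested operation falls through instead of granting — which is the right default but worth stating, since the old code silently gated every operation on the presence of a single MANAGEMENT ACL. A short comment above the `if` would make the gating explicit: `// Allow only if a key ACL exists for this opType and ugi is listed for opType or ALL; anything else falls through.` The enclosing method begins and ends outside this hunk, so the denial path after `return;` is assumed, not seen.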
http://git-wip-us.apache.org/repos/asf/hadoop/blob/61a2510b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
index 86e0516..97901c8 100644
--- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
+++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
@@ -33,11 +33,9 @@ import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.apache.hadoop.security.token.Token;
-import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
@@ -53,8 +51,6 @@ import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.io.Writer;
-import java.lang.reflect.Field;
-import java.lang.reflect.Method;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
@@ -798,6 +794,40 @@ public class TestKMS {
return null;
}
});
+
+ conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "");
+ conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "GENERATE_EEK", "*");
+ writeConf(testDir, conf);
+
+ runServer(null, null, testDir, new KMSCallable<Void>() {
+
+ @Override
+ public Void call() throws Exception {
+ final Configuration conf = new Configuration();
+ conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
+ final URI uri = createKMSUri(getKMSUrl());
+
+ doAs("GENERATE_EEK", new PrivilegedExceptionAction<Void>() {
+ @Override
+ public Void run() throws Exception {
+ KeyProvider kp = new KMSClientProvider(uri, conf);
+ try {
+ KeyProviderCryptoExtension kpce =
+ KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
+ try {
+ kpce.generateEncryptedKey("k1");
+ } catch (Exception e) {
+ Assert.fail("User [GENERATE_EEK] should be allowed to generate_eek on k1");
+ }
+ } catch (Exception ex) {
+ Assert.fail(ex.getMessage());
+ }
+ return null;
+ }
+ });
+ return null;
+ }
+ });
}
@Test
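Review bot: The new case only proves the allow path, and because the `GENERATE_EEK` default key ACL is set to `*` it cannot distinguish a correct per-operation check from a fail-open one — a regression that granted every operation once any ACL is present would still pass. Narrow the ACL to a single principal and add a second `doAs` for a user outside it that expects a denial; I assume the KMS client surfaces the server-side denial as `AuthorizationException`, as the file's existing import suggests, but that needs confirming. Separately, `Assert.fail("User [GENERATE_EEK] should be allowed to generate_eek on k1")` inside `catch (Exception e)` and the outer `Assert.fail(ex.getMessage())` both discard the stack trace of the real failure; let the exception propagate out of `run()`, or attach it with `Assert.fail("... : " + e)`. The inner `final Configuration conf` also shadows the outer `conf` that `writeConf(testDir, conf)` just used, which is easy to misread — `clientConf` would be clearer. The enclosing test method starts before this hunk.
```java
conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "");
conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "GENERATE_EEK", "GENERATE_EEK");
writeConf(testDir, conf);
// … unchanged: runServer and the positive doAs("GENERATE_EEK") case, with the client conf renamed clientConf …
doAs("DECRYPT_EEK", new PrivilegedExceptionAction<Void>() {
  @Override
  public Void run() throws Exception {
    KeyProvider kp = new KMSClientProvider(uri, clientConf);
    KeyProviderCryptoExtension kpce =
        KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
    try {
      kpce.generateEncryptedKey("k1");
      Assert.fail("User [DECRYPT_EEK] must not be allowed to generate_eek on k1 with a narrowed ACL");
    } catch (AuthorizationException expected) {
      // denied as required; exact exception type to be confirmed against the client's error mapping
    }
    return null;
  }
});
```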