You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Zsombor Gegesy (JIRA)" <ji...@apache.org> on 2018/01/10 00:01:00 UTC
[jira] [Commented] (RANGER-1949) KMS getKeys should filter based on
name policy
[ https://issues.apache.org/jira/browse/RANGER-1949?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16319428#comment-16319428 ]
Zsombor Gegesy commented on RANGER-1949:
----------------------------------------
It looks like a bug - or a missing feature. The original Hadoop KMS code is not structured to be extendable by an other KMS (like Ranger), and assumes a very simplistic permission model. As it is copied into the ranger codebase, we can fix it with either passing the user information down through the _KeyProvider_/_KeyProviderExtension_ layers - to _RangerKeyStoreProvider_ which would be a bigger change, or we can apply the filtering with introducing a new method on _KMSWebApp.getACLs().filterKeys(UserGroupInformation,String clientIp, List<String> keys)_ - which looks a bit better for me.
However, it would be good, if these changes could be upstreamed to Hadoop KMS as well - so in the future, we can remove lot of copy-pasted, and slightly modified code from Ranger. I've started working on these issue a couple of month ago (for RANGER-1869, in HADOOP-14951 and HADOOP-15014 ) but it's haven't merged yet.
> KMS getKeys should filter based on name policy
> ----------------------------------------------
>
> Key: RANGER-1949
> URL: https://issues.apache.org/jira/browse/RANGER-1949
> Project: Ranger
> Issue Type: Bug
> Components: kms
> Reporter: Owen O'Malley
>
> Currently when there are policies that limit users to certain keys, such as "pii*" those users can't call KMS.getKeyNames() even if they have the "getkeys" permission.
> This is because the method passes a null down for the key name, which will only match if the user can see all keys. A much better solution would be to filter each key individually and just returns the ones that should be visible. So if they have permission to see "pii*" and the keys were {"pii", "pii256", and "secret"} they would get back a list of "pii" and "pii256".
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)