Posted to dev@ranger.apache.org by Qiang Zhang <zh...@zte.com.cn> on 2016/11/15 02:25:16 UTC

Review Request 53751: ranger-kms, The acl configuration file is incorrect

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53751/
-----------------------------------------------------------

Review request for ranger, Don Bosco Durai, Ramesh Mani, and Velmurugan Periasamy.


Bugs: RANGER-1217
    https://issues.apache.org/jira/browse/RANGER-1217


Repository: ranger


Description
-------

Currently, KMS_ACLS_XML = "dbks-site.xml".
We should change it to KMS_ACLS_XML = "kms-acls.xml".
Therefore, in ranger-kms-plugin, we should add the following line in setup.sh,

    cp ${WEBAPP_ROOT}/mini-kms-acls-default.xml ${WEBAPP_ROOT}/WEB-INF/classes/conf/kms-acls.xml

when we execute the setup.sh command.
Also, if I configure as follows in kms-site.xml,

    <property>
        <name>hadoop.kms.security.authorization.manager</name>
        <value>org.apache.hadoop.crypto.key.kms.server.KMSACLs</value>
    </property>

the regex for getting the Configuration item "key.acl.<KEY_NAME>.<OP_TYPE>" is incorrect.
We should add the following in KMSConfiguration.java,

    public static final String KEY_ACL_PREFIX_REGEX = "^key\\.acl\\..+";

then change

    Map<String, String> allKeyACLS = conf.getValByRegex(Pattern.quote(KMSConfiguration.KEY_ACL_PREFIX));

to

    Map<String, String> allKeyACLS = conf.getValByRegex(KMSConfiguration.KEY_ACL_PREFIX_REGEX);

in KMSACLs.java.


Diffs
-----

  kms/scripts/setup.sh 568350b 
  kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java ff2f6d9 
  kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java 4bf2886 

Diff: https://reviews.apache.org/r/53751/diff/


Testing
-------


Thanks,

Qiang Zhang
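
The following is an added example, not part of the original post or of the Ranger code base. It shows which property names each of the two patterns from the description selects. Assumptions: the local getValByRegex helper is a stand-in that applies the pattern to property names with Matcher.find(), the sample entries are constructed, and default.key.acl.<OP_TYPE>, whitelist.key.acl.<OP_TYPE> and hadoop.kms.acl.<OP_TYPE> are property name forms from the Hadoop KMS ACL documentation rather than from this thread.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Pattern;

public class KeyAclRegexDemo {
    static final String KEY_ACL_PREFIX = "key.acl.";               // prefix named in the post
    static final String KEY_ACL_PREFIX_REGEX = "^key\\.acl\\..+";  // regex proposed in the post

    // Stand-in for conf.getValByRegex() (assumption): keep every entry whose
    // property name contains a match of the pattern, i.e. find() semantics.
    static Map<String, String> getValByRegex(Map<String, String> props, String regex) {
        Pattern p = Pattern.compile(regex);
        Map<String, String> out = new TreeMap<>();
        for (Map.Entry<String, String> e : props.entrySet()) {
            if (p.matcher(e.getKey()).find()) {
                out.put(e.getKey(), e.getValue());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed kms-acls.xml style entries; key name, users and groups are made up.
        Map<String, String> props = new LinkedHashMap<>();
        props.put("key.acl.payroll.DECRYPT_EEK", "alice");
        props.put("key.acl.payroll.MANAGEMENT", "kmsadmin");
        props.put("default.key.acl.READ", "*");
        props.put("whitelist.key.acl.MANAGEMENT", "hdfs");
        props.put("hadoop.kms.acl.CREATE", "kmsadmin");
        props.put("key.acl.", "orphan");  // bare prefix, no key name or operation

        Map<String, String> quoted = getValByRegex(props, Pattern.quote(KEY_ACL_PREFIX));
        Map<String, String> anchored = getValByRegex(props, KEY_ACL_PREFIX_REGEX);
        System.out.println("Pattern.quote(KEY_ACL_PREFIX): " + quoted.keySet());
        System.out.println("KEY_ACL_PREFIX_REGEX:          " + anchored.keySet());

        // Entries that only the unanchored, quoted prefix returns: these are not
        // per-key ACLs of the form key.acl.<KEY_NAME>.<OP_TYPE>.
        quoted.keySet().removeAll(anchored.keySet());
        System.out.println("Returned only by the quoted prefix: " + quoted.keySet());
    }
}
```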


Re: Review Request 53751: ranger-kms, The acl configuration file is incorrect

Posted by Ankita Sinha <an...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53751/#review160071
-----------------------------------------------------------




kms/scripts/setup.sh (line 668)
<https://reviews.apache.org/r/53751/#comment231066>

    Ranger KMS uses its own ACL through Ranger policies; that's the reason default KMS ACLs are not required. Whereas dbks-site.xml is the configuration file which is required for Ranger KMS installation only.

    As per my knowledge, Ranger KMS implementation is correct.


- Ankita Sinha

