Posted to commits@ranger.apache.org by co...@apache.org on 2016/08/04 11:19:57 UTC
[1/2] incubator-ranger git commit: Some KMS cleanup
Repository: incubator-ranger
Updated Branches:
refs/heads/master a171cdbb4 -> 8411c64a6
Some KMS cleanup
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/6116f91f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/6116f91f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/6116f91f
Branch: refs/heads/master
Commit: 6116f91f0edddac4ba6e96f29c23d7a88a106cd1
Parents: a171cdb
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Aug 4 09:47:01 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Aug 4 09:47:01 2016 +0100
----------------------------------------------------------------------
.../hadoop/crypto/key/kms/server/MiniKMS.java | 231 -------------------
.../kms/authorizer/RangerKmsAuthorizer.java | 60 ++---
2 files changed, 18 insertions(+), 273 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6116f91f/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java
----------------------------------------------------------------------
diff --git a/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java b/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java
deleted file mode 100755
index 7080e14..0000000
--- a/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java
+++ /dev/null
@@ -1,231 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.crypto.key.kms.server;
-
-import com.google.common.base.Preconditions;
-import org.apache.commons.io.IOUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.crypto.key.kms.KMSRESTConstants;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.security.ssl.SslSocketConnectorSecure;
-import org.mortbay.jetty.Connector;
-import org.mortbay.jetty.Server;
-import org.mortbay.jetty.security.SslSocketConnector;
-import org.mortbay.jetty.webapp.WebAppContext;
-
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.FileWriter;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.io.Writer;
-import java.net.InetAddress;
-import java.net.MalformedURLException;
-import java.net.ServerSocket;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.net.URL;
-import java.util.UUID;
-
-public class MiniKMS {
-
- private static Server createJettyServer(String keyStore, String password, int inPort) {
- try {
- boolean ssl = keyStore != null;
- InetAddress localhost = InetAddress.getByName("localhost");
- String host = "localhost";
- ServerSocket ss = new ServerSocket((inPort < 0) ? 0 : inPort, 50, localhost);
- int port = ss.getLocalPort();
- ss.close();
- Server server = new Server(0);
- if (!ssl) {
- server.getConnectors()[0].setHost(host);
- server.getConnectors()[0].setPort(port);
- } else {
- SslSocketConnector c = new SslSocketConnectorSecure();
- c.setHost(host);
- c.setPort(port);
- c.setNeedClientAuth(false);
- c.setKeystore(keyStore);
- c.setKeystoreType("jks");
- c.setKeyPassword(password);
- server.setConnectors(new Connector[]{c});
- }
- return server;
- } catch (Exception ex) {
- throw new RuntimeException("Could not start embedded servlet container, "
- + ex.getMessage(), ex);
- }
- }
-
- private static URL getJettyURL(Server server) {
- boolean ssl = server.getConnectors()[0].getClass()
- == SslSocketConnectorSecure.class;
- try {
- String scheme = (ssl) ? "https" : "http";
- return new URL(scheme + "://" +
- server.getConnectors()[0].getHost() + ":" +
- server.getConnectors()[0].getPort());
- } catch (MalformedURLException ex) {
- throw new RuntimeException("It should never happen, " + ex.getMessage(),
- ex);
- }
- }
-
- public static class Builder {
- private File kmsConfDir;
- private String log4jConfFile;
- private File keyStoreFile;
- private String keyStorePassword;
- private int inPort = -1;
-
- public Builder() {
- kmsConfDir = new File("target/test-classes").getAbsoluteFile();
- log4jConfFile = "kms-log4j.properties";
- }
-
- public Builder setKmsConfDir(File confDir) {
- Preconditions.checkNotNull(confDir, "KMS conf dir is NULL");
- Preconditions.checkArgument(confDir.exists(),
- "KMS conf dir does not exist");
- kmsConfDir = confDir;
- return this;
- }
-
- public Builder setLog4jConfFile(String log4jConfFile) {
- Preconditions.checkNotNull(log4jConfFile, "log4jconf file is NULL");
- this.log4jConfFile = log4jConfFile;
- return this;
- }
-
- public Builder setPort(int port) {
- Preconditions.checkArgument(port > 0, "input port must be greater than 0");
- this.inPort = port;
- return this;
- }
-
- public Builder setSslConf(File keyStoreFile, String keyStorePassword) {
- Preconditions.checkNotNull(keyStoreFile, "keystore file is NULL");
- Preconditions.checkNotNull(keyStorePassword, "keystore password is NULL");
- Preconditions.checkArgument(keyStoreFile.exists(),
- "keystore file does not exist");
- this.keyStoreFile = keyStoreFile;
- this.keyStorePassword = keyStorePassword;
- return this;
- }
-
- public MiniKMS build() {
- Preconditions.checkArgument(kmsConfDir.exists(),
- "KMS conf dir does not exist");
- return new MiniKMS(kmsConfDir.getAbsolutePath(), log4jConfFile,
- (keyStoreFile != null) ? keyStoreFile.getAbsolutePath() : null,
- keyStorePassword, inPort);
- }
- }
-
- private String kmsConfDir;
- private String log4jConfFile;
- private String keyStore;
- private String keyStorePassword;
- private Server jetty;
- private int inPort;
- private URL kmsURL;
-
- public MiniKMS(String kmsConfDir, String log4ConfFile, String keyStore,
- String password, int inPort) {
- this.kmsConfDir = kmsConfDir;
- this.log4jConfFile = log4ConfFile;
- this.keyStore = keyStore;
- this.keyStorePassword = password;
- this.inPort = inPort;
- }
-
- public void start() throws Exception {
- ClassLoader cl = Thread.currentThread().getContextClassLoader();
- System.setProperty(KMSConfiguration.KMS_CONFIG_DIR, kmsConfDir);
- File aclsFile = new File(kmsConfDir, "dbks-site.xml");
- if (!aclsFile.exists()) {
- InputStream is = cl.getResourceAsStream("mini-kms-acls-default.xml");
- OutputStream os = new FileOutputStream(aclsFile);
- IOUtils.copy(is, os);
- is.close();
- os.close();
- }
- File kmsFile = new File(kmsConfDir, "kms-site.xml");
- if (!kmsFile.exists()) {
- Configuration kms = new Configuration(false);
- kms.set(KMSConfiguration.KEY_PROVIDER_URI,
- "jceks://file@" + new Path(kmsConfDir, "kms.keystore").toUri());
- kms.set("hadoop.kms.authentication.type", "simple");
- Writer writer = new FileWriter(kmsFile);
- kms.writeXml(writer);
- writer.close();
- }
- System.setProperty("log4j.configuration", log4jConfFile);
- jetty = createJettyServer(keyStore, keyStorePassword, inPort);
-
- // we need to do a special handling for MiniKMS to work when in a dir and
- // when in a JAR in the classpath thanks to Jetty way of handling of webapps
- // when they are in the a DIR, WAR or JAR.
- URL webXmlUrl = cl.getResource("kms-webapp/WEB-INF/web.xml");
- if (webXmlUrl == null) {
- throw new RuntimeException(
- "Could not find kms-webapp/ dir in test classpath");
- }
- boolean webXmlInJar = webXmlUrl.getPath().contains(".jar!/");
- String webappPath;
- if (webXmlInJar) {
- File webInf = new File("target/" + UUID.randomUUID().toString() +
- "/kms-webapp/WEB-INF");
- webInf.mkdirs();
- new File(webInf, "web.xml").delete();
- InputStream is = cl.getResourceAsStream("kms-webapp/WEB-INF/web.xml");
- OutputStream os = new FileOutputStream(new File(webInf, "web.xml"));
- IOUtils.copy(is, os);
- is.close();
- os.close();
- webappPath = webInf.getParentFile().getAbsolutePath();
- } else {
- webappPath = cl.getResource("kms-webapp").getPath();
- }
- WebAppContext context = new WebAppContext(webappPath, "/kms");
- if (webXmlInJar) {
- context.setClassLoader(cl);
- }
- jetty.addHandler(context);
- jetty.start();
- kmsURL = new URL(getJettyURL(jetty), "kms");
- }
-
- public URL getKMSUrl() {
- return kmsURL;
- }
-
- public void stop() {
- if (jetty != null && jetty.isRunning()) {
- try {
- jetty.stop();
- jetty = null;
- } catch (Exception ex) {
- throw new RuntimeException("Could not stop MiniKMS embedded Jetty, " +
- ex.getMessage(), ex);
- }
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6116f91f/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
index 75e25c2..4d09a79 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
@@ -67,6 +67,8 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
public static final int RELOADER_SLEEP_MILLIS = 1000;
+ private static final Map<KMSACLsType.Type, String> ACCESS_TYPE_MAP = new HashMap<>();
+
private volatile Map<Type, AccessControlList> blacklistedAcls;
private long lastReload;
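Review bot: `ACCESS_TYPE_MAP` is declared as a mutable `HashMap` in a static field of the authorizer, even though it is keyed by an enum and, judging from the static initializer in the following hunk, populated once and never modified afterwards. An `EnumMap<>(KMSACLsType.Type.class)` wrapped in `Collections.unmodifiableMap(...)` would make the read-only intent explicit and stop any later code from altering the operation-to-access-type mapping at runtime; both types live in `java.util`, and whether they are already imported is not visible in this hunk. A one-line comment on the field, `// maps KMS ACL operation types to Ranger access-type names; filled once in the static initializer`, would also help a reader who lands here first.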
@@ -99,6 +101,18 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
* Constant for the configuration property that indicates the keytab file path.
*/
public static final String KEYTAB = TYPE + ".keytab";
+
+ static {
+ ACCESS_TYPE_MAP.put(KMSACLsType.Type.CREATE, RangerKmsAuthorizer.ACCESS_TYPE_CREATE);
+ ACCESS_TYPE_MAP.put(KMSACLsType.Type.DELETE, RangerKmsAuthorizer.ACCESS_TYPE_DELETE);
+ ACCESS_TYPE_MAP.put(KMSACLsType.Type.ROLLOVER, RangerKmsAuthorizer.ACCESS_TYPE_ROLLOVER);
+ ACCESS_TYPE_MAP.put(KMSACLsType.Type.GET, RangerKmsAuthorizer.ACCESS_TYPE_GET);
+ ACCESS_TYPE_MAP.put(KMSACLsType.Type.GET_KEYS, RangerKmsAuthorizer.ACCESS_TYPE_GET_KEYS);
+ ACCESS_TYPE_MAP.put(KMSACLsType.Type.GET_METADATA, RangerKmsAuthorizer.ACCESS_TYPE_GET_METADATA);
+ ACCESS_TYPE_MAP.put(KMSACLsType.Type.SET_KEY_MATERIAL, RangerKmsAuthorizer.ACCESS_TYPE_SET_KEY_MATERIAL);
+ ACCESS_TYPE_MAP.put(KMSACLsType.Type.GENERATE_EEK, RangerKmsAuthorizer.ACCESS_TYPE_GENERATE_EEK);
+ ACCESS_TYPE_MAP.put(KMSACLsType.Type.DECRYPT_EEK, RangerKmsAuthorizer.ACCESS_TYPE_DECRYPT_EEK);
+ }
RangerKmsAuthorizer(Configuration conf) {
LOG.info("RangerKmsAuthorizer(conf)...");
@@ -253,9 +267,6 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
@Override
public boolean hasAccessToKey(String keyName, UserGroupInformation ugi, KeyOpType opType) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerKmsAuthorizer.hasAccessToKey(" + keyName + ", " + ugi +", " + opType + ")");
- }
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerKmsAuthorizer.hasAccessToKey(" + keyName + ", " + ugi +", " + opType + ")");
}
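Review bot: After removing the `==>` entry trace, the surviving debug line at the top of `hasAccessToKey` still carries the `<==` marker, which elsewhere in this class denotes method exit, so the trace now reads as if the method had already returned before doing any work. Either keep the entry line and drop the `<==` one instead, or change the marker on the surviving line: `LOG.debug("==> RangerKmsAuthorizer.hasAccessToKey(" + keyName + ", " + ugi +", " + opType + ")");`. The remainder of the method body is outside the hunk, so whether a genuine exit trace still exists further down cannot be confirmed here.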
@@ -307,46 +318,11 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
}
private static String getRangerAccessType(KMSACLsType.Type accessType) {
- String ret = null;
-
- switch(accessType) {
- case CREATE:
- ret = RangerKmsAuthorizer.ACCESS_TYPE_CREATE;
- break;
-
- case DELETE:
- ret = RangerKmsAuthorizer.ACCESS_TYPE_DELETE;
- break;
-
- case ROLLOVER:
- ret = RangerKmsAuthorizer.ACCESS_TYPE_ROLLOVER;
- break;
-
- case GET:
- ret = RangerKmsAuthorizer.ACCESS_TYPE_GET;
- break;
-
- case GET_KEYS:
- ret = RangerKmsAuthorizer.ACCESS_TYPE_GET_KEYS;
- break;
-
- case GET_METADATA:
- ret = RangerKmsAuthorizer.ACCESS_TYPE_GET_METADATA;
- break;
-
- case SET_KEY_MATERIAL:
- ret = RangerKmsAuthorizer.ACCESS_TYPE_SET_KEY_MATERIAL;
- break;
-
- case GENERATE_EEK:
- ret = RangerKmsAuthorizer.ACCESS_TYPE_GENERATE_EEK;
- break;
-
- case DECRYPT_EEK:
- ret = RangerKmsAuthorizer.ACCESS_TYPE_DECRYPT_EEK;
- break;
+ if (ACCESS_TYPE_MAP.containsKey(accessType)) {
+ return ACCESS_TYPE_MAP.get(accessType);
}
- return ret;
+
+ return null;
}
}
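Review bot: `getRangerAccessType` now performs two hash lookups where one suffices; `return ACCESS_TYPE_MAP.get(accessType);` gives the same result, because `HashMap.get` returns null for an absent key and the static initializer stores only non-null constants. Behaviour for an enum value that has no mapping is unchanged from the old switch without a `default`: the method returns null, and whether callers treat that null as a deny is not visible in this hunk and should be confirmed, since an authorizer should fail closed on an operation type it does not recognise. A comment such as `// returns null for operation types with no Ranger mapping` above the method would at least make the contract explicit to callers.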
[2/2] incubator-ranger git commit: Trivial cleanup II
Posted by co...@apache.org.
Trivial cleanup II
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/8411c64a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/8411c64a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/8411c64a
Branch: refs/heads/master
Commit: 8411c64a6ffefba4332e9f0c74b90d1204fd53c7
Parents: 6116f91
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Aug 4 12:19:40 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Aug 4 12:19:40 2016 +0100
----------------------------------------------------------------------
.../hadoop/crypto/key/RangerMasterKey.java | 36 +++++++-------------
1 file changed, 12 insertions(+), 24 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8411c64a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
index b701193..337b82c 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
@@ -70,8 +70,7 @@ public class RangerMasterKey implements RangerKMSMKI{
logger.info("Getting Master Key");
byte masterKeyByte[] = getEncryptedMK();
if(masterKeyByte != null && masterKeyByte.length > 0){
- String masterKey = decryptMasterKey(masterKeyByte, password);
- return masterKey;
+ return decryptMasterKey(masterKeyByte, password);
}else{
throw new Exception("No Master Key Found");
}
@@ -145,8 +144,7 @@ public class RangerMasterKey implements RangerKMSMKI{
}else {
XXRangerMasterKey rangerMasterKey = rangerKMSDao.getById(lstRangerMasterKey.get(0).getId());
String masterKeyStr = rangerMasterKey.getMasterKey();
- byte[] masterKeyFromDBEncrypted = Base64.decode(masterKeyStr) ;
- return masterKeyFromDBEncrypted;
+ return Base64.decode(masterKeyStr) ;
}
}
}catch(Exception e){
@@ -181,16 +179,14 @@ public class RangerMasterKey implements RangerKMSMKI{
Key secretKey = generateMasterKey();
PBEKeySpec pbeKeySpec = getPBEParameterSpec(password);
byte[] masterKeyToDB = encryptKey(secretKey.getEncoded(), pbeKeySpec);
- String masterKey = Base64.encode(masterKeyToDB) ;
- return masterKey;
+ return Base64.encode(masterKeyToDB) ;
}
private String encryptMasterKey(String password, byte[] secretKey) throws Throwable {
logger.debug("Encrypting Master Key");
PBEKeySpec pbeKeySpec = getPBEParameterSpec(password);
byte[] masterKeyToDB = encryptKey(secretKey, pbeKeySpec);
- String masterKey = Base64.encode(masterKeyToDB) ;
- return masterKey;
+ return Base64.encode(masterKeyToDB) ;
}
private Key generateMasterKey() throws NoSuchAlgorithmException{
@@ -205,34 +201,28 @@ public class RangerMasterKey implements RangerKMSMKI{
byte[] salt = new byte[SALT_SIZE] ;
System.arraycopy(saltGen, 0, salt, 0, SALT_SIZE);
int iteration = password.toCharArray().length + 1 ;
- PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iteration) ;
- return spec ;
+ return new PBEKeySpec(password.toCharArray(), salt, iteration) ;
}
private byte[] encryptKey(byte[] data, PBEKeySpec keyspec) throws Throwable {
SecretKey key = getPasswordKey(keyspec) ;
PBEParameterSpec paramSpec = new PBEParameterSpec(keyspec.getSalt(), keyspec.getIterationCount()) ;
Cipher c = Cipher.getInstance(key.getAlgorithm()) ;
c.init(Cipher.ENCRYPT_MODE, key,paramSpec);
- byte[] encrypted = c.doFinal(data) ;
-
- return encrypted ;
+ return c.doFinal(data) ;
}
private SecretKey getPasswordKey(PBEKeySpec keyspec) throws Throwable {
SecretKeyFactory factory = SecretKeyFactory.getInstance(PBE_ALGO) ;
- SecretKey PbKey = factory.generateSecret(keyspec) ;
- return PbKey ;
+ return factory.generateSecret(keyspec) ;
}
private byte[] decryptKey(byte[] encrypted, PBEKeySpec keyspec) throws Throwable {
SecretKey key = getPasswordKey(keyspec) ;
PBEParameterSpec paramSpec = new PBEParameterSpec(keyspec.getSalt(), keyspec.getIterationCount()) ;
Cipher c = Cipher.getInstance(key.getAlgorithm()) ;
c.init(Cipher.DECRYPT_MODE, key, paramSpec);
- byte[] data = c.doFinal(encrypted) ;
- return data ;
+ return c.doFinal(encrypted) ;
}
private SecretKey getMasterKeyFromBytes(byte[] keyData) throws Throwable {
- SecretKeySpec sks = new SecretKeySpec(keyData, MK_CIPHER) ;
- return sks ;
+ return new SecretKeySpec(keyData, MK_CIPHER) ;
}
public Map<String, String> getPropertiesWithPrefix(Properties props, String prefix) {
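Review bot: `getPBEParameterSpec` keeps `int iteration = password.toCharArray().length + 1 ;`, so the PBE iteration count equals the password length plus one, a work factor far below what password-based key derivation guidance recommends for protecting a KMS master key. The cleanup only inlines the return; the usual fix is a fixed, password-independent named constant in the tens of thousands or higher, but because the iteration count is baked into how existing master keys were encrypted, changing it requires re-encrypting or versioning stored master keys rather than a drop-in edit, so it is worth tracking as a separate change. Separately, the `PBEKeySpec` created here is never cleared with `clearPassword()` once the key has been derived, and `PBE_ALGO` and `MK_CIPHER` are defined outside the hunk, so the algorithm actually in use cannot be assessed from this diff.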
@@ -249,11 +239,9 @@ public class RangerMasterKey implements RangerKMSMKI{
if(key.startsWith(prefix)) {
key = key.substring(prefix.length());
- if(key == null) {
- continue;
- }
-
- prefixedProperties.put(key, val);
+ if(key != null) {
+ prefixedProperties.put(key, val);
+ }
}
}
}
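Review bot: The new `if(key != null)` guard in `getPropertiesWithPrefix` is dead code: `String.substring` never returns null, so the condition is always true and the put is effectively unconditional, just as the removed `continue` branch was unreachable. If the intent was to skip a property whose key equals the prefix exactly (leaving an empty remainder), the check should be `if (!key.isEmpty())`; otherwise drop the guard and call `prefixedProperties.put(key, val);` directly so the code does not suggest a case that cannot occur. The method signature and the surrounding loop begin before the hunk.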