You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by he...@apache.org on 2020/10/14 08:26:54 UTC
[hadoop] branch trunk updated: HADOOP-17304. KMS ACL: Allow
DeleteKey Operation to Invalidate Cache. Contributed by Xiaoyu.
This is an automated email from the ASF dual-hosted git repository.
hexiaoqiao pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/trunk by this push:
new ddc0ee2 HADOOP-17304. KMS ACL: Allow DeleteKey Operation to Invalidate Cache. Contributed by Xiaoyu.
ddc0ee2 is described below
commit ddc0ee27fa86b1a99154b3a2ebdba0984e8514ea
Author: He Xiaoqiao <he...@apache.org>
AuthorDate: Wed Oct 14 16:00:37 2020 +0800
HADOOP-17304. KMS ACL: Allow DeleteKey Operation to Invalidate Cache. Contributed by Xiaoyu.
Reviewed-by: Ayush Saxena <ay...@apache.org>
Signed-off-by: He Xiaoqiao <he...@apache.org>
---
.../apache/hadoop/crypto/key/kms/server/KMS.java | 10 ++++++++-
.../hadoop/crypto/key/kms/server/KMSACLs.java | 26 ++++++++++++++++++++++
2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
index b6b42544..59a40a3 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
@@ -52,10 +52,12 @@ import java.io.IOException;
import java.net.URI;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
+import java.util.EnumSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
+import static org.apache.hadoop.crypto.key.kms.server.KMSACLs.INVALIDATE_CACHE_TYPES;
import static org.apache.hadoop.util.KMSUtil.checkNotEmpty;
import static org.apache.hadoop.util.KMSUtil.checkNotNull;
@@ -95,6 +97,12 @@ public class KMS {
KMSWebApp.getACLs().assertAccess(aclType, ugi, operation, key);
}
+ private void assertAccess(EnumSet<KMSACLs.Type> aclTypes,
+ UserGroupInformation ugi, KMSOp operation, String key)
+ throws AccessControlException {
+ KMSWebApp.getACLs().assertAccess(aclTypes, ugi, operation, key);
+ }
+
private static KeyProvider.KeyVersion removeKeyMaterial(
KeyProvider.KeyVersion keyVersion) {
return new KMSClientProvider.KMSKeyVersion(keyVersion.getName(),
@@ -270,7 +278,7 @@ public class KMS {
KMSWebApp.getAdminCallsMeter().mark();
checkNotEmpty(name, "name");
UserGroupInformation user = HttpUserGroupInformation.get();
- assertAccess(KMSACLs.Type.ROLLOVER, user, KMSOp.INVALIDATE_CACHE, name);
+ assertAccess(INVALIDATE_CACHE_TYPES, user, KMSOp.INVALIDATE_CACHE, name);
LOG.debug("Invalidating cache with key name {}.", name);
user.doAs(new PrivilegedExceptionAction<Void>() {
diff --git a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
index ba0fe82..6536b63 100644
--- a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
+++ b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
@@ -29,6 +29,7 @@ import org.apache.hadoop.security.authorize.AuthorizationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.Executors;
@@ -69,6 +70,10 @@ public class KMSACLs implements Runnable, KeyACLs {
public static final int RELOADER_SLEEP_MILLIS = 1000;
+ // Allow both ROLLOVER and DELETE to invalidate cache.
+ public static final EnumSet<KMSACLs.Type> INVALIDATE_CACHE_TYPES =
+ EnumSet.of(KMSACLs.Type.ROLLOVER, KMSACLs.Type.DELETE);
+
private volatile Map<Type, AccessControlList> acls;
private volatile Map<Type, AccessControlList> blacklistedAcls;
@VisibleForTesting
@@ -273,6 +278,27 @@ public class KMSACLs implements Runnable, KeyACLs {
}
}
+ public void assertAccess(EnumSet<Type> aclTypes,
+ UserGroupInformation ugi, KMSOp operation, String key)
+ throws AccessControlException {
+ boolean accessAllowed = false;
+ for (KMSACLs.Type type : aclTypes) {
+ if (KMSWebApp.getACLs().hasAccess(type, ugi)){
+ accessAllowed = true;
+ break;
+ }
+ }
+
+ if (!accessAllowed) {
+ KMSWebApp.getUnauthorizedCallsMeter().mark();
+ KMSWebApp.getKMSAudit().unauthorized(ugi, operation, key);
+ throw new AuthorizationException(String.format(
+ (key != null) ? UNAUTHORIZED_MSG_WITH_KEY
+ : UNAUTHORIZED_MSG_WITHOUT_KEY,
+ ugi.getShortUserName(), operation, key));
+ }
+ }
+
@Override
public boolean hasAccessToKey(String keyName, UserGroupInformation ugi,
KeyOpType opType) {
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-commits-help@hadoop.apache.org