Posted to dev@ranger.apache.org by Qiang Zhang <zh...@zte.com.cn> on 2017/02/09 11:42:03 UTC

Review Request 56487: Ranger Kms support default key ACLs and whitelist key ACLs

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56487/
-----------------------------------------------------------

Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.


Bugs: RANGER-1294
    https://issues.apache.org/jira/browse/RANGER-1294


Repository: ranger


Description
-------

Currently, the Hadoop KMS supports default key ACLs and whitelist key ACLs, so the Ranger KMS should also support a similar function.

hadoop kms link:  https://issues.apache.org/jira/browse/HADOOP-11341


Diffs
-----

  kms/config/kms-webapp/dbks-site.xml a098db1 
  kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java 4bf2886 
  plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java 9bebafa 

Diff: https://reviews.apache.org/r/56487/diff/


Testing
-------

steps:
1. Add a policy granting permission to user xiehh in the Ranger Admin web UI
2. Create an encryption zone
[xiehh@zdh41 ~]$ hdfs dfs -mkdir /keyZone
[xiehh@zdh41 ~]$ hdfs crypto -createZone -keyName key0 -path /keyZone
[xiehh@zdh41 ~]$ hdfs dfs -put a.txt /keyZone

test:
1. Configure as follows in dbks-site.xml
 <property>
        <name>default.key.acl.DECRYPT_EEK</name>
        <value>*</value>
 </property>
 <property>
        <name>whitelist.key.acl.DECRYPT_EEK</name>
        <value>*</value>
 </property>
--> test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd

2. Configure as follows in dbks-site.xml
 <property>
        <name>default.key.acl.DECRYPT_EEK</name>
        <value>mysql</value>
 </property>
 <property>
        <name>whitelist.key.acl.DECRYPT_EEK</name>
        <value>mysql</value>
 </property>
--> test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
cat: User [xiehh] is not authorized to perform [DECRYPT_EEK] on key with ACL name [key0]!!

3. Configure as follows in dbks-site.xml
 <property>
        <name>default.key.acl.DECRYPT_EEK</name>
        <value>*</value>
 </property>
 <property>
        <name>whitelist.key.acl.DECRYPT_EEK</name>
        <value>mysql</value>
 </property> 
--> test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd 

4. Configure as follows in dbks-site.xml
 <property>
        <name>default.key.acl.DECRYPT_EEK</name>
        <value>mysql</value>
 </property>
 <property>
        <name>whitelist.key.acl.DECRYPT_EEK</name>
        <value>*</value>
 </property> 
--> test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd 
...


Thanks,

Qiang Zhang


Re: Review Request 56487: Ranger Kms support default key ACLs and whitelist key ACLs

Posted by Qiang Zhang <zh...@zte.com.cn>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56487/
-----------------------------------------------------------

(Updated March 6, 2017, 4:41 a.m.)


Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.


Bugs: RANGER-1294
    https://issues.apache.org/jira/browse/RANGER-1294


Repository: ranger


Description (updated)
-------

Currently, the Hadoop KMS supports default key ACLs and whitelist key ACLs. Ranger does not support the related functions. Corresponding to the blacklist function, these functions allow more accurate, more direct and more detailed control of data security. So Ranger should support these functions. Reference link: https://issues.apache.org/jira/browse/HADOOP-11341


Diffs
-----

  kms/config/kms-webapp/dbks-site.xml a098db1 
  kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java 4bf2886 
  plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java 9bebafa 


Diff: https://reviews.apache.org/r/56487/diff/1/


Testing
-------

steps:
1. Add a policy granting permission to user xiehh in the Ranger Admin web UI
2. Create an encryption zone
[xiehh@zdh41 ~]$ hdfs dfs -mkdir /keyZone
[xiehh@zdh41 ~]$ hdfs crypto -createZone -keyName key0 -path /keyZone
[xiehh@zdh41 ~]$ hdfs dfs -put a.txt /keyZone

test:
1. Configure as follows in dbks-site.xml
 <property>
        <name>default.key.acl.DECRYPT_EEK</name>
        <value>*</value>
 </property>
 <property>
        <name>whitelist.key.acl.DECRYPT_EEK</name>
        <value>*</value>
 </property>
--> test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd

2. Configure as follows in dbks-site.xml
 <property>
        <name>default.key.acl.DECRYPT_EEK</name>
        <value>mysql</value>
 </property>
 <property>
        <name>whitelist.key.acl.DECRYPT_EEK</name>
        <value>mysql</value>
 </property>
--> test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
cat: User [xiehh] is not authorized to perform [DECRYPT_EEK] on key with ACL name [key0]!!

3. Configure as follows in dbks-site.xml
 <property>
        <name>default.key.acl.DECRYPT_EEK</name>
        <value>*</value>
 </property>
 <property>
        <name>whitelist.key.acl.DECRYPT_EEK</name>
        <value>mysql</value>
 </property> 
--> test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd 

4. Configure as follows in dbks-site.xml
 <property>
        <name>default.key.acl.DECRYPT_EEK</name>
        <value>mysql</value>
 </property>
 <property>
        <name>whitelist.key.acl.DECRYPT_EEK</name>
        <value>*</value>
 </property> 
--> test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd 
...


Thanks,

Qiang Zhang


Re: Review Request 56487: Ranger Kms support default key ACLs and whitelist key ACLs

Posted by Qiang Zhang <zh...@zte.com.cn>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56487/
-----------------------------------------------------------

(Updated March 6, 2017, 4:03 a.m.)


Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.


Bugs: RANGER-1294
    https://issues.apache.org/jira/browse/RANGER-1294


Repository: ranger


Description (updated)
-------

Currently, the Hadoop KMS supports default key ACLs and whitelist key ACLs. Ranger does not support the related functions. Corresponding to the blacklist function, these functions allow more accurate, more direct and more detailed control of data security. So Ranger should support these functions. Reference link: https://issues.apache.org/jira/browse/HADOOP-11341


Diffs
-----

  kms/config/kms-webapp/dbks-site.xml a098db1 
  kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java 4bf2886 
  plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java 9bebafa 


Diff: https://reviews.apache.org/r/56487/diff/1/


Testing
-------

steps:
1. Add a policy granting permission to user xiehh in the Ranger Admin web UI
2. Create an encryption zone
[xiehh@zdh41 ~]$ hdfs dfs -mkdir /keyZone
[xiehh@zdh41 ~]$ hdfs crypto -createZone -keyName key0 -path /keyZone
[xiehh@zdh41 ~]$ hdfs dfs -put a.txt /keyZone

test:
1. Configure as follows in dbks-site.xml
 <property>
        <name>default.key.acl.DECRYPT_EEK</name>
        <value>*</value>
 </property>
 <property>
        <name>whitelist.key.acl.DECRYPT_EEK</name>
        <value>*</value>
 </property>
--> test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd

2. Configure as follows in dbks-site.xml
 <property>
        <name>default.key.acl.DECRYPT_EEK</name>
        <value>mysql</value>
 </property>
 <property>
        <name>whitelist.key.acl.DECRYPT_EEK</name>
        <value>mysql</value>
 </property>
--> test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
cat: User [xiehh] is not authorized to perform [DECRYPT_EEK] on key with ACL name [key0]!!

3. Configure as follows in dbks-site.xml
 <property>
        <name>default.key.acl.DECRYPT_EEK</name>
        <value>*</value>
 </property>
 <property>
        <name>whitelist.key.acl.DECRYPT_EEK</name>
        <value>mysql</value>
 </property> 
--> test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd 

4. Configure as follows in dbks-site.xml
 <property>
        <name>default.key.acl.DECRYPT_EEK</name>
        <value>mysql</value>
 </property>
 <property>
        <name>whitelist.key.acl.DECRYPT_EEK</name>
        <value>*</value>
 </property> 
--> test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd 
...


Thanks,

Qiang Zhang
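
The four dbks-site.xml variants in the Testing section (repeated in each update of this request) show the allow/deny outcome for user xiehh but not the rule that produces it. What follows is an added example, not code from Ranger, Hadoop or the author of this thread: a Python model of the Hadoop KMS key-ACL decision as documented for HADOOP-11341, namely that whitelist.key.acl.<op> grants access regardless of any other ACL, that key.acl.<key>.<op> is consulted when the key has its own ACLs and default.key.acl.<op> otherwise, and that an operation with no ACL in the chosen table is denied. It reads the same <property> fragments, reproduces the four outcomes for xiehh on key0, and adds one case the page does not show: a key-specific ACL replacing a wildcard default. The ACL string format ("users groups", with "*" meaning everyone) is Hadoop's AccessControlList syntax; the Ranger policy created in step 1 is outside this model, and all class and function names here are my own.

```python
"""Model of the Hadoop KMS default / whitelist / per-key ACL decision
(added illustration for RANGER-1294; not Ranger or Hadoop code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Set

DEFAULT_PREFIX = "default.key.acl."
WHITELIST_PREFIX = "whitelist.key.acl."
KEY_PREFIX = "key.acl."


@dataclass(frozen=True)
class AccessControlList:
    """Hadoop-style ACL string: 'user1,user2 group1,group2'; '*' means everyone."""
    users: frozenset
    groups: frozenset
    everyone: bool

    @classmethod
    def parse(cls, spec: str) -> "AccessControlList":
        user_part, _, group_part = spec.strip().partition(" ")
        users = {u.strip() for u in user_part.split(",") if u.strip()}
        groups = {g.strip() for g in group_part.split(",") if g.strip()}
        everyone = "*" in users or "*" in groups
        return cls(frozenset(users - {"*"}), frozenset(groups - {"*"}), everyone)

    def is_user_allowed(self, user: str, user_groups: Set[str]) -> bool:
        return self.everyone or user in self.users or bool(self.groups & set(user_groups))


def load_site_xml(text: str) -> Dict[str, str]:
    """Read <property><name>/<value> pairs from a *-site.xml document."""
    props: Dict[str, str] = {}
    for prop in ET.fromstring(text).iter("property"):
        name, value = prop.findtext("name"), prop.findtext("value")
        if name and value is not None:
            props[name.strip()] = value.strip()
    return props


class KmsKeyAcls:
    """ACL tables built from the key.acl.*, default.key.acl.* and
    whitelist.key.acl.* properties (my reading of the KMS semantics)."""

    def __init__(self, props: Dict[str, str]) -> None:
        self.key_acls: Dict[str, Dict[str, AccessControlList]] = {}
        self.default_acls: Dict[str, AccessControlList] = {}
        self.whitelist_acls: Dict[str, AccessControlList] = {}
        for name, value in props.items():
            if name.startswith(DEFAULT_PREFIX):
                self.default_acls[name[len(DEFAULT_PREFIX):]] = AccessControlList.parse(value)
            elif name.startswith(WHITELIST_PREFIX):
                self.whitelist_acls[name[len(WHITELIST_PREFIX):]] = AccessControlList.parse(value)
            elif name.startswith(KEY_PREFIX):
                key, _, op = name[len(KEY_PREFIX):].rpartition(".")
                self.key_acls.setdefault(key, {})[op] = AccessControlList.parse(value)

    def has_access_to_key(self, user: str, user_groups: Set[str], op: str, key: str) -> bool:
        # Whitelist first: a match grants access regardless of per-key or default ACLs.
        whitelist = self.whitelist_acls.get(op)
        if whitelist is not None and whitelist.is_user_allowed(user, user_groups):
            return True
        # Otherwise use the key's own ACL table; fall back to the default table only
        # when the key has no ACLs at all. No ACL for the operation means deny.
        table = self.key_acls.get(key, self.default_acls)
        acl = table.get(op)
        return acl is not None and acl.is_user_allowed(user, user_groups)


# Constructed dbks-site.xml template matching the fragments in the Testing section.
SITE_XML = """<configuration>
  <property><name>default.key.acl.DECRYPT_EEK</name><value>{default}</value></property>
  <property><name>whitelist.key.acl.DECRYPT_EEK</name><value>{whitelist}</value></property>
</configuration>"""

# (default.key.acl.DECRYPT_EEK, whitelist.key.acl.DECRYPT_EEK) for test cases 1-4.
PAGE_CASES = [("*", "*"), ("mysql", "mysql"), ("*", "mysql"), ("mysql", "*")]


def decide_page_cases(user: str = "xiehh", groups: Set[str] = frozenset(),
                      op: str = "DECRYPT_EEK", key: str = "key0") -> List[bool]:
    """Outcome of `hdfs dfs -cat /keyZone/a.txt` for each configuration (True = allowed)."""
    results = []
    for default, whitelist in PAGE_CASES:
        acls = KmsKeyAcls(load_site_xml(SITE_XML.format(default=default, whitelist=whitelist)))
        results.append(acls.has_access_to_key(user, groups, op, key))
    return results


def per_key_acl_overrides_default() -> bool:
    """Beyond the page: once key.acl.key0.DECRYPT_EEK exists, the wildcard
    default table is not consulted for key0, so xiehh is denied."""
    props = {"default.key.acl.DECRYPT_EEK": "*", "key.acl.key0.DECRYPT_EEK": "mysql"}
    return KmsKeyAcls(props).has_access_to_key("xiehh", set(), "DECRYPT_EEK", "key0")


if __name__ == "__main__":
    for (d, w), ok in zip(PAGE_CASES, decide_page_cases()):
        print(f"default={d:5} whitelist={w:5} -> xiehh DECRYPT_EEK on key0: "
              f"{'allowed' if ok else 'denied'}")
```

The model reproduces the page's matrix (allowed, denied, allowed, allowed): the whitelist wins whenever it names the user, and the default ACL only matters when neither a whitelist entry nor a key-specific ACL decides first. The practical consequence for an operator is that setting whitelist.key.acl.DECRYPT_EEK to "*" silently neutralises every per-key and default restriction on decryption, so the whitelist should be reserved for service principals that genuinely need blanket access.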