Posted to dev@ranger.apache.org by Qiang Zhang <zh...@zte.com.cn> on 2017/02/09 11:42:03 UTC
Review Request 56487: Ranger Kms support default key ACLs and whitelist key ACLs
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56487/
-----------------------------------------------------------
Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
Bugs: RANGER-1294
https://issues.apache.org/jira/browse/RANGER-1294
Repository: ranger
Description
-------
Currently, the Hadoop KMS already supports default key ACLs and whitelist key ACLs, so the Ranger KMS should also support a similar function.
hadoop kms link: https://issues.apache.org/jira/browse/HADOOP-11341
Diffs
-----
kms/config/kms-webapp/dbks-site.xml a098db1
kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java 4bf2886
plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java 9bebafa
Diff: https://reviews.apache.org/r/56487/diff/
Testing
-------
Steps:
1. Add a policy in the Ranger Admin Web UI to give permission to user xiehh
2. Create an encryption zone
[xiehh@zdh41 ~]$ hdfs dfs -mkdir /keyZone
[xiehh@zdh41 ~]$ hdfs crypto -createZone -keyName key0 -path /keyZone
[xiehh@zdh41 ~]$ hdfs dfs -put a.txt /keyZone
Test:
1. Configure the following in dbks-site.xml
<property>
<name>default.key.acl.DECRYPT_EEK</name>
<value>*</value>
</property>
<property>
<name>whitelist.key.acl.DECRYPT_EEK</name>
<value>*</value>
</property>
--> Test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd
2. Configure the following in dbks-site.xml
<property>
<name>default.key.acl.DECRYPT_EEK</name>
<value>mysql</value>
</property>
<property>
<name>whitelist.key.acl.DECRYPT_EEK</name>
<value>mysql</value>
</property>
--> Test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
cat: User [xiehh] is not authorized to perform [DECRYPT_EEK] on key with ACL name [key0]!!
3. Configure the following in dbks-site.xml
<property>
<name>default.key.acl.DECRYPT_EEK</name>
<value>*</value>
</property>
<property>
<name>whitelist.key.acl.DECRYPT_EEK</name>
<value>mysql</value>
</property>
--> Test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd
4. Configure the following in dbks-site.xml
<property>
<name>default.key.acl.DECRYPT_EEK</name>
<value>mysql</value>
</property>
<property>
<name>whitelist.key.acl.DECRYPT_EEK</name>
<value>*</value>
</property>
--> Test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd
...
Thanks,
Qiang Zhang
Re: Review Request 56487: Ranger Kms support default key ACLs and whitelist key ACLs
Posted by Qiang Zhang <zh...@zte.com.cn>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56487/
-----------------------------------------------------------
(Updated March 6, 2017, 4:41 a.m.)
Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
Bugs: RANGER-1294
https://issues.apache.org/jira/browse/RANGER-1294
Repository: ranger
Description (updated)
-------
Currently, the Hadoop KMS already supports default key ACLs and whitelist key ACLs. Ranger does not support the related functions. As the counterpart of the blacklist function, these functions allow more accurate, more direct and more detailed control of data security, so Ranger should support them. Reference link: https://issues.apache.org/jira/browse/HADOOP-11341
Diffs
-----
kms/config/kms-webapp/dbks-site.xml a098db1
kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java 4bf2886
plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java 9bebafa
Diff: https://reviews.apache.org/r/56487/diff/1/
Testing
-------
Steps:
1. Add a policy in the Ranger Admin Web UI to give permission to user xiehh
2. Create an encryption zone
[xiehh@zdh41 ~]$ hdfs dfs -mkdir /keyZone
[xiehh@zdh41 ~]$ hdfs crypto -createZone -keyName key0 -path /keyZone
[xiehh@zdh41 ~]$ hdfs dfs -put a.txt /keyZone
Test:
1. Configure the following in dbks-site.xml
<property>
<name>default.key.acl.DECRYPT_EEK</name>
<value>*</value>
</property>
<property>
<name>whitelist.key.acl.DECRYPT_EEK</name>
<value>*</value>
</property>
--> Test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd
2. Configure the following in dbks-site.xml
<property>
<name>default.key.acl.DECRYPT_EEK</name>
<value>mysql</value>
</property>
<property>
<name>whitelist.key.acl.DECRYPT_EEK</name>
<value>mysql</value>
</property>
--> Test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
cat: User [xiehh] is not authorized to perform [DECRYPT_EEK] on key with ACL name [key0]!!
3. Configure the following in dbks-site.xml
<property>
<name>default.key.acl.DECRYPT_EEK</name>
<value>*</value>
</property>
<property>
<name>whitelist.key.acl.DECRYPT_EEK</name>
<value>mysql</value>
</property>
--> Test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd
4. Configure the following in dbks-site.xml
<property>
<name>default.key.acl.DECRYPT_EEK</name>
<value>mysql</value>
</property>
<property>
<name>whitelist.key.acl.DECRYPT_EEK</name>
<value>*</value>
</property>
--> Test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd
...
Thanks,
Qiang Zhang
Re: Review Request 56487: Ranger Kms support default key ACLs and whitelist key ACLs
Posted by Qiang Zhang <zh...@zte.com.cn>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56487/
-----------------------------------------------------------
(Updated March 6, 2017, 4:03 a.m.)
Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
Bugs: RANGER-1294
https://issues.apache.org/jira/browse/RANGER-1294
Repository: ranger
Description (updated)
-------
Currently, the Hadoop KMS already supports default key ACLs and whitelist key ACLs. Ranger does not support the related functions. As the counterpart of the blacklist function, these functions allow more accurate, more direct and more detailed control of data security, so Ranger should support them. Reference link: https://issues.apache.org/jira/browse/HADOOP-11341
Diffs
-----
kms/config/kms-webapp/dbks-site.xml a098db1
kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java 4bf2886
plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java 9bebafa
Diff: https://reviews.apache.org/r/56487/diff/1/
Testing
-------
Steps:
1. Add a policy in the Ranger Admin Web UI to give permission to user xiehh
2. Create an encryption zone
[xiehh@zdh41 ~]$ hdfs dfs -mkdir /keyZone
[xiehh@zdh41 ~]$ hdfs crypto -createZone -keyName key0 -path /keyZone
[xiehh@zdh41 ~]$ hdfs dfs -put a.txt /keyZone
Test:
1. Configure the following in dbks-site.xml
<property>
<name>default.key.acl.DECRYPT_EEK</name>
<value>*</value>
</property>
<property>
<name>whitelist.key.acl.DECRYPT_EEK</name>
<value>*</value>
</property>
--> Test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd
2. Configure the following in dbks-site.xml
<property>
<name>default.key.acl.DECRYPT_EEK</name>
<value>mysql</value>
</property>
<property>
<name>whitelist.key.acl.DECRYPT_EEK</name>
<value>mysql</value>
</property>
--> Test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
cat: User [xiehh] is not authorized to perform [DECRYPT_EEK] on key with ACL name [key0]!!
3. Configure the following in dbks-site.xml
<property>
<name>default.key.acl.DECRYPT_EEK</name>
<value>*</value>
</property>
<property>
<name>whitelist.key.acl.DECRYPT_EEK</name>
<value>mysql</value>
</property>
--> Test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd
4. Configure the following in dbks-site.xml
<property>
<name>default.key.acl.DECRYPT_EEK</name>
<value>mysql</value>
</property>
<property>
<name>whitelist.key.acl.DECRYPT_EEK</name>
<value>*</value>
</property>
--> Test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd
...
Thanks,
Qiang Zhang
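The four dbks-site.xml configurations in the Testing section of the review request (repeated in each update of the thread above) exercise the OR between the default key ACL and the whitelist key ACL for DECRYPT_EEK, but not a per-key ACL. The following Python is an added example, not code from the review request, the Ranger patch or Hadoop: it models the Hadoop KMS key-ACL decision that RANGER-1294 mirrors (a user in whitelist.key.acl.<OP> is always allowed; otherwise key.acl.<keyname>.<OP> is used if it is set, else default.key.acl.<OP>; if none of the three is configured for the operation, the check is skipped), parses those properties out of a dbks-site.xml document, and reproduces the four outcomes for user xiehh on key0. It adds a fifth, constructed case with a per-key ACL, which the thread does not test, to show that a per-key ACL overrides the default but not the whitelist. The evaluation order and the "users groups" / "*" ACL syntax are Hadoop KMS behaviour (HADOOP-10770, HADOOP-11341); the key's ACL name is taken to be the key name, as the error message "ACL name [key0]" in the thread shows. How the Ranger plugin combines these ACLs with the Ranger policy added in step 1 is not visible on the page and is not modelled here.

```python
"""Model of the Hadoop KMS key-ACL decision mirrored by RANGER-1294.

Added example; not the Ranger patch's or Hadoop's own code.
ACL values use Hadoop's AccessControlList syntax:
"user1,user2 group1,group2", "*" for everyone, "" for nobody.
"""
import xml.etree.ElementTree as ET


class AccessControlList:
    """Parse a Hadoop "users groups" ACL string and answer membership queries."""

    def __init__(self, acl_string):
        acl_string = acl_string.strip()
        self.all_allowed = acl_string == "*"
        users, _, groups = acl_string.partition(" ")
        self.users = {u.strip() for u in users.split(",") if u.strip()}
        self.groups = {g.strip() for g in groups.split(",") if g.strip()}

    def is_allowed(self, user, user_groups=()):
        if self.all_allowed:
            return True
        return user in self.users or bool(self.groups & set(user_groups))


def load_key_acls(dbks_site_xml):
    """Collect the key-ACL properties from a dbks-site.xml document."""
    acls = {}
    for prop in ET.fromstring(dbks_site_xml).iter("property"):
        name = prop.findtext("name", "").strip()
        if name.startswith(("default.key.acl.", "whitelist.key.acl.", "key.acl.")):
            # an empty <value/> means "nobody", not "everybody"
            acls[name] = AccessControlList(prop.findtext("value", "") or "")
    return acls


def has_access_to_key(acls, key_name, op, user, user_groups=()):
    """Whitelist first, then per-key ACL if present, else default ACL.

    If nothing at all is configured for the operation the check is
    skipped and access is granted, which is the legacy open behaviour;
    a hardened deployment should therefore always set a default ACL.
    """
    whitelist = acls.get("whitelist.key.acl." + op)
    per_key = acls.get("key.acl.%s.%s" % (key_name, op))
    default = acls.get("default.key.acl." + op)
    if whitelist is None and per_key is None and default is None:
        return True
    if whitelist is not None and whitelist.is_allowed(user, user_groups):
        return True
    effective = per_key if per_key is not None else default
    return effective is not None and effective.is_allowed(user, user_groups)


def config(default, whitelist, per_key=None):
    """Build a minimal dbks-site.xml for DECRYPT_EEK (constructed test input)."""
    props = [("default.key.acl.DECRYPT_EEK", default),
             ("whitelist.key.acl.DECRYPT_EEK", whitelist)]
    if per_key is not None:
        props.append(("key.acl.key0.DECRYPT_EEK", per_key))
    body = "".join("<property><name>%s</name><value>%s</value></property>" % p
                   for p in props)
    return "<configuration>%s</configuration>" % body


# Cases 1-4 are the four configurations from the review request; case 5 is
# a constructed addition with a per-key ACL that the thread does not test.
CASES = {
    1: config("*", "*"),
    2: config("mysql", "mysql"),
    3: config("*", "mysql"),
    4: config("mysql", "*"),
    5: config("*", "mysql", per_key="mysql"),
}


def decide(case, user="xiehh", user_groups=(), key_name="key0"):
    """Return True if `user` may DECRYPT_EEK on `key_name` under the case's config."""
    acls = load_key_acls(CASES[case])
    return has_access_to_key(acls, key_name, "DECRYPT_EEK", user, user_groups)


if __name__ == "__main__":
    for n in sorted(CASES):
        verdict = "allowed" if decide(n) else "denied"
        print("case %d: xiehh DECRYPT_EEK on key0 -> %s" % (n, verdict))
```

Cases 1, 3 and 4 come out allowed and case 2 denied, matching the hdfs dfs -cat results in the thread; case 5 is denied because the per-key ACL replaces the "*" default while the whitelist still only names mysql. The open-when-unconfigured branch in has_access_to_key is the one worth checking in a real deployment: a missing default.key.acl.DECRYPT_EEK does not deny anyone.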