This is an automated email from the ASF dual-hosted git repository. dhavalshah9131 pushed a commit to reference refs/for/master in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 2f569ee82106c00da57e9447baf1a9bbf86b26e3 Author: mateenmansoori <[email protected]> AuthorDate: Mon Jul 12 16:28:53 2021 +0530 RANGER : 3328 - RANGER-KMS : code improvement
---
 .../org/apache/hadoop/crypto/key/RangerHSM.java | 5 ++- .../hadoop/crypto/key/RangerKeyStoreProvider.java | 3 -- .../hadoop/crypto/key/kms/server/KMSACLs.java | 4 +- .../key/kms/server/KMSAuthenticationFilter.java | 24 +++++++----- .../hadoop/crypto/key/kms/server/KMSWebApp.java | 6 +++ .../kms/server/KeyAuthorizationKeyProvider.java | 2 +- .../kms/server/TestKMSAuthenticationFilter.java | 45 ++++++++++++++++++++++ 7 files changed, 72 insertions(+), 17 deletions(-)
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
index a531f32..d0a07b9 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
@@ -68,10 +68,11 @@ public class RangerHSM implements RangerKMSMKI {
 ByteArrayInputStream is1 = new ByteArrayInputStream(("tokenlabel:" + partitionName).getBytes());
 logger.debug("Loading HSM tokenlabel : " + partitionName);
 myStore = KeyStore.getInstance("Luna");
- myStore.load(is1, passwd.toCharArray());
 if (myStore == null) {
 logger.error("Luna not found. Please verify the Ranger KMS HSM configuration setup.");
- }
+ } else {
+ myStore.load(is1, passwd.toCharArray());
+ }
 } catch (KeyStoreException kse) {
 logger.error("Unable to create keystore object : " + kse.getMessage());
 } catch (NoSuchAlgorithmException nsae) {
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
index 011318b..db8fa69 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
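Review bot: The new `if (myStore == null)` guard in the RangerHSM hunk cannot take its true branch: `KeyStore.getInstance("Luna")` on the line above never returns null, it throws `KeyStoreException` when no provider registers the "Luna" type, so the "Luna not found. Please verify the Ranger KMS HSM configuration setup." hint is dead code and a missing or misconfigured HSM provider surfaces only as the generic "Unable to create keystore object" message in the `catch (KeyStoreException kse)` branch. Moving the hint into that handler, e.g. `logger.error("Luna not found. Please verify the Ranger KMS HSM configuration setup. Unable to create keystore object : " + kse.getMessage(), kse);`, keeps the intent and also retains the stack trace, which the visible handlers drop by logging only `getMessage()`. Separately, `("tokenlabel:" + partitionName).getBytes()` encodes with the platform default charset; `getBytes(StandardCharsets.UTF_8)` makes the token-label bytes handed to the HSM independent of the JVM locale. The enclosing try block starts outside the hunk.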
@@ -305,9 +305,6 @@ public class RangerKeyStoreProvider extends KeyProvider {
 throw new IOException("Key " + name + " already exists");
 }
- if (dbStore.engineContainsAlias(name) || cache.containsKey(name)) {
- throw new IOException("Key " + name + " already exists");
- }
 Metadata meta = new Metadata(options.getCipher(), options.getBitLength(), options.getDescription(), options.getAttributes(), new Date(), 1);
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
index 5df58e7..e65577c 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
@@ -229,9 +229,9 @@ public class KMSACLs implements Runnable, KeyACLs {
 if (blacklist == null) {
 LOG.debug("No blacklist for {}", type.toString());
 } else if (access) {
- LOG.debug("user is in {}" , blacklist.getAclString());
- } else {
 LOG.debug("user is not in {}" , blacklist.getAclString());
+ } else {
+ LOG.debug("user is in {}" , blacklist.getAclString());
 }
 }
 }
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java
index ca13a53..274bac9 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java
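Review bot: The two swapped debug messages in the KMSACLs hunk still do not say which ACL type or which user was evaluated, so with several blacklists configured an operator reading `user is in <acl>` cannot tell which operation was denied; the `blacklist == null` branch already includes `type`, and the other two could do the same, e.g. `LOG.debug("user is in {} blacklist {}", type, blacklist.getAclString());`. If the caller's UGI is in scope in the enclosing method (its start is outside the hunk), its short user name belongs in the message too, since that is what correlates a denial with the audit log. The swap itself is only correct if `access` is true when the user is absent from the blacklist, which the hunk does not show; worth a one-line comment at the `else if (access)` stating that.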
@@ -26,6 +26,9 @@ import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthentica
 import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler;
 import org.apache.hadoop.security.token.delegation.web.KerberosDelegationTokenAuthenticationHandler;
 import org.apache.hadoop.security.token.delegation.web.PseudoDelegationTokenAuthenticationHandler;
+
+ import com.google.common.annotations.VisibleForTesting;
+
 import org.apache.hadoop.http.HtmlQuoting;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
@@ -54,16 +57,19 @@ public class KMSAuthenticationFilter
 @Override
 protected Properties getConfiguration(String configPrefix, FilterConfig filterConfig) {
- Properties props = new Properties();
 Configuration conf = KMSWebApp.getConfiguration();
- for (Map.Entry<String, String> entry : conf) {
- String name = entry.getKey();
- if (name.startsWith(CONFIG_PREFIX)) {
- String value = conf.get(name);
- name = name.substring(CONFIG_PREFIX.length());
- props.setProperty(name, value);
- }
- }
+ return this.getKMSConfiguration(conf);
+ }
+
+ @VisibleForTesting
+ Properties getKMSConfiguration(Configuration conf) {
+ Properties props = new Properties();
+ Map<String, String> propsWithPrefixMap = conf.getPropsWithPrefix(CONFIG_PREFIX);
+
+ for (Map.Entry<String, String> entry : propsWithPrefixMap.entrySet()) {
+ props.setProperty(entry.getKey(), entry.getValue());
+ }
+
 String authType = props.getProperty(AUTH_TYPE,"simple");
 if (authType.equals(PseudoAuthenticationHandler.TYPE)) {
 props.setProperty(AUTH_TYPE,
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java
index 1efc521..c974fd6 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java
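Review bot: `getKMSConfiguration` replaces the old loop's `conf.get(name)` with `conf.getPropsWithPrefix(CONFIG_PREFIX)`, and the hunk gives no evidence that the latter resolves values the same way (`get()` performs `${var}` substitution, which deployments may rely on for the principal and keytab entries under the prefix); worth confirming against the Hadoop version on the classpath, or pinning it in the new test with a property whose value references another. The new method also has no Javadoc; something like `/** Builds the authentication-filter Properties from conf: copies every CONFIG_PREFIX entry with the prefix stripped and maps the configured auth type onto its delegation-token handler class. */` tells the next reader what the "simple" rewrite below is for. Minor style: the copy loop can be `props.putAll(propsWithPrefixMap);`, and the `this.` qualifier on the call in `getConfiguration` is noise. The method body continues past the hunk.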
@@ -20,6 +20,7 @@ package org.apache.hadoop.crypto.key.kms.server;
 import com.codahale.metrics.JmxReporter;
 import com.codahale.metrics.Meter;
 import com.codahale.metrics.MetricRegistry;
+import com.google.common.base.Preconditions;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
@@ -174,6 +175,11 @@ public class KMSWebApp implements ServletContextListener {
 LOG.info("----------------Instantiating key provider ---------------");
 KeyProvider keyProvider = KeyProviderFactory.get(new URI(providerString), kmsConf);
+ Preconditions.checkNotNull(keyProvider, String.format("No" +
+ " KeyProvider has been initialized, please" +
+ " check whether %s '%s' is configured correctly in" +
+ " kms-site.xml.", KMSConfiguration.KEY_PROVIDER_URI,
+ providerString));
 LOG.info("keyProvider = "+keyProvider.toString());
 if (kmsConf.getBoolean(KMSConfiguration.KEY_CACHE_ENABLE, KMSConfiguration.KEY_CACHE_ENABLE_DEFAULT)) {
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
index fb9a261..d9f1b5b 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
@@ -390,7 +390,7 @@ public class KeyAuthorizationKeyProvider extends KeyProviderCryptoExtension {
 @Override
 public String toString() {
- return provider.toString();
+ return this.getClass().getName() + ":" + provider.toString();
 }
 }
diff --git a/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSAuthenticationFilter.java b/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSAuthenticationFilter.java
new file mode 100644
index 0000000..e8ca7b7
--- /dev/null
+++ b/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSAuthenticationFilter.java
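Review bot: The added `Preconditions.checkNotNull(keyProvider, String.format(...))` in the KMSWebApp hunk formats its message eagerly on every startup, including the normal non-null path; Guava's `checkNotNull(T reference, String errorMessageTemplate, Object... errorMessageArgs)` overload takes the same `%s` template and formats it only on failure, so `Preconditions.checkNotNull(keyProvider, "No KeyProvider has been initialized, please check whether %s '%s' is configured correctly in kms-site.xml.", KMSConfiguration.KEY_PROVIDER_URI, providerString);` is shorter and idiomatic. The resulting `NullPointerException` carries `providerString` verbatim; that is the configured provider URI, which is normally fine to surface, but if any deployment embeds credentials in that URI the message would copy them into the container log, so a short comment noting that the value is logged as-is helps the next maintainer. The enclosing method starts and ends outside the hunk.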
@@ -0,0 +1,45 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto.key.kms.server;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.key.kms.KMSDelegationToken;
+import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler;
+import org.apache.hadoop.security.token.delegation.web.PseudoDelegationTokenAuthenticationHandler;
+import org.junit.Test;
+import java.util.Properties;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ * Test KMS Authentication Filter.
+ */
+public class TestKMSAuthenticationFilter {
+
+ @Test
+ public void testConfiguration() throws Exception {
+ Configuration conf = new Configuration();
+ conf.set("hadoop.kms.authentication.type", "simple");
+
+ Properties prop = new KMSAuthenticationFilter().getKMSConfiguration(conf);
+ assertEquals(prop.getProperty(KMSAuthenticationFilter.AUTH_TYPE),
+ PseudoDelegationTokenAuthenticationHandler.class.getName());
+ assertEquals(prop.getProperty(DelegationTokenAuthenticationHandler.TOKEN_KIND),
+ KMSDelegationToken.TOKEN_KIND_STR);
+ }
+}
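Review bot: Both `assertEquals` calls in `testConfiguration` pass the computed value first and the expected value second, while JUnit's signature is `assertEquals(expected, actual)`, so a failure would report the two roles swapped and mislead whoever reads the CI output. Swap the arguments, e.g. `assertEquals(PseudoDelegationTokenAuthenticationHandler.class.getName(), prop.getProperty(KMSAuthenticationFilter.AUTH_TYPE));` and likewise for the `TOKEN_KIND` assertion. The test also exercises only the "simple" mapping; a second case for the other handler type the filter imports (presumably "kerberos", given `KerberosDelegationTokenAuthenticationHandler` in its import list) and a check that a key outside the prefix is not copied into the returned Properties would pin the contract that `getKMSConfiguration` now owns.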
