This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch ranger-2.6 in repository https://gitbox.apache.org/repos/asf/ranger.git
commit b84ef66f9230a9894c28aa1032bc66e3ed170dca
Author: Vikas Kumar <[email protected]>
AuthorDate: Thu Nov 14 19:00:01 2024 +0530

    RANGER-3641: KMS API to generate EDEK and DEK together

    (cherry picked from commit 6c729a25645eaf507138ed9919352d5129cfdc64)
---
 .../apache/hadoop/crypto/key/kms/server/KMS.java | 55 ++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
index 5bc0e7132..1fe7e25d6 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
@@ -53,6 +53,7 @@ import java.io.IOException;
 import java.net.URI;
 import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
@@ -79,6 +80,8 @@ public class KMS {
 private static final String KEY_NAME_VALIDATION = "[a-z,A-Z,0-9](?!.*--)(?!.*__)(?!.*-_)(?!.*_-)[\\w\\-\\_]*";
 private static final int MAX_NUM_PER_BATCH = 10000;
+ private final static String GENERATE_DEK_PATH_CONST = "_dek";
+
 public enum KMSOp {
 CREATE_KEY, DELETE_KEY, ROLL_NEW_VERSION, INVALIDATE_CACHE, GET_KEYS, GET_KEYS_METADATA,
@@ -539,6 +542,58 @@ public class KMS {
 }
 }
 }
+ @GET
+ @Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" + GENERATE_DEK_PATH_CONST)
+ @Produces(MediaType.APPLICATION_JSON)
+ public Response generateDataKey(@PathParam("name") final String name, @Context HttpServletRequest request) throws Exception{
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> generateDataKey(name={}", name);
+ }
+
+ Stopwatch sw = Stopwatch.createStarted();
+
+ try {
+ UserGroupInformation user = HttpUserGroupInformation.get();
+ checkNotEmpty(name, "name");
+
+ this.kmsMetricsCollector.incrementCounter(KMSMetrics.KMSMetric.EEK_GENERATE_COUNT);
+ assertAccess(Type.GENERATE_EEK, user, KMSOp.GENERATE_EEK, name,request.getRemoteAddr());
+
+ EncryptedKeyVersion encryptedKeyVersion = user.doAs((PrivilegedExceptionAction<EncryptedKeyVersion>) () -> provider.generateEncryptedKey(name));
+ this.kmsMetricsCollector.updateMetric(KMSMetrics.KMSMetric.EEK_GENERATE_ELAPSED_TIME, sw.stop().elapsed(TimeUnit.MILLISECONDS));
+ kmsAudit.ok(user, KMSOp.GENERATE_EEK, name, "generateDataKey execution");
+ sw.reset();
+ sw.start();
+
+ this.kmsMetricsCollector.incrementCounter(KMSMetrics.KMSMetric.EEK_DECRYPT_COUNT);
+ assertAccess(Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, name, request.getRemoteAddr());
+
+ KeyVersion retKeyVersion = user.doAs((PrivilegedExceptionAction<KeyVersion>) () -> {
+ KMSEncryptedKeyVersion ekv = new KMSEncryptedKeyVersion(encryptedKeyVersion.getEncryptionKeyName(), encryptedKeyVersion.getEncryptionKeyVersionName(),
+ encryptedKeyVersion.getEncryptedKeyIv(), KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getMaterial());
+
+ return provider.decryptEncryptedKey(ekv);
+ });
+
+ kmsAudit.ok(user, KMSOp.DECRYPT_EEK, name, "generateDataKey execution");
+ this.kmsMetricsCollector.updateMetric(KMSMetrics.KMSMetric.EEK_DECRYPT_ELAPSED_TIME, sw.stop().elapsed(TimeUnit.MILLISECONDS));
+
+ Map<String,Object> response = new HashMap<>();
+ response.put("edek", KMSUtil.toJSON(encryptedKeyVersion));
+ response.put("dek", KMSUtil.toJSON(retKeyVersion));
+
+ return Response.ok().type(MediaType.APPLICATION_JSON).entity(response).build();
+ } catch(Exception e){
+ LOG.error("Exception in generateDataKey:", e);
+ throw new IOException(e);
+ } finally {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== generateDataKey(name={}", name);
+ }
+ }
+
+ }
 @SuppressWarnings({ "rawtypes", "unchecked" })
 @GET
