Repository: incubator-ranger Updated Branches: refs/heads/master a171cdbb4 -> 8411c64a6
Some KMS cleanup Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/6116f91f Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/6116f91f Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/6116f91f Branch: refs/heads/master Commit: 6116f91f0edddac4ba6e96f29c23d7a88a106cd1 Parents: a171cdb Author: Colm O hEigeartaigh <[email protected]> Authored: Thu Aug 4 09:47:01 2016 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Thu Aug 4 09:47:01 2016 +0100 ---------------------------------------------------------------------- .../hadoop/crypto/key/kms/server/MiniKMS.java | 231 ------------------- .../kms/authorizer/RangerKmsAuthorizer.java | 60 ++--- 2 files changed, 18 insertions(+), 273 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6116f91f/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java ----------------------------------------------------------------------
diff --git a/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java b/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java
deleted file mode 100755
index 7080e14..0000000
--- a/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java
+++ /dev/null
@@ -1,231 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.hadoop.crypto.key.kms.server; - -import com.google.common.base.Preconditions; -import org.apache.commons.io.IOUtils; -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.crypto.key.kms.KMSRESTConstants; -import org.apache.hadoop.fs.Path; -import org.apache.hadoop.security.ssl.SslSocketConnectorSecure; -import org.mortbay.jetty.Connector; -import org.mortbay.jetty.Server; -import org.mortbay.jetty.security.SslSocketConnector; -import org.mortbay.jetty.webapp.WebAppContext; - -import java.io.File; -import java.io.FileOutputStream; -import java.io.FileWriter; -import java.io.InputStream; -import java.io.OutputStream; -import java.io.Writer; -import java.net.InetAddress; -import java.net.MalformedURLException; -import java.net.ServerSocket; -import java.net.URI; -import java.net.URISyntaxException; -import java.net.URL; -import java.util.UUID; - -public class MiniKMS { - - private static Server createJettyServer(String keyStore, String password, int inPort) { - try { - boolean ssl = keyStore != null; - InetAddress localhost = InetAddress.getByName("localhost"); - String host = "localhost"; - ServerSocket ss = 
new ServerSocket((inPort < 0) ? 0 : inPort, 50, localhost); - int port = ss.getLocalPort(); - ss.close(); - Server server = new Server(0); - if (!ssl) { - server.getConnectors()[0].setHost(host); - server.getConnectors()[0].setPort(port); - } else { - SslSocketConnector c = new SslSocketConnectorSecure(); - c.setHost(host); - c.setPort(port); - c.setNeedClientAuth(false); - c.setKeystore(keyStore); - c.setKeystoreType("jks"); - c.setKeyPassword(password); - server.setConnectors(new Connector[]{c}); - } - return server; - } catch (Exception ex) { - throw new RuntimeException("Could not start embedded servlet container, " - + ex.getMessage(), ex); - } - } - - private static URL getJettyURL(Server server) { - boolean ssl = server.getConnectors()[0].getClass() - == SslSocketConnectorSecure.class; - try { - String scheme = (ssl) ? "https" : "http"; - return new URL(scheme + "://" + - server.getConnectors()[0].getHost() + ":" + - server.getConnectors()[0].getPort()); - } catch (MalformedURLException ex) { - throw new RuntimeException("It should never happen, " + ex.getMessage(), - ex); - } - } - - public static class Builder { - private File kmsConfDir; - private String log4jConfFile; - private File keyStoreFile; - private String keyStorePassword; - private int inPort = -1; - - public Builder() { - kmsConfDir = new File("target/test-classes").getAbsoluteFile(); - log4jConfFile = "kms-log4j.properties"; - } - - public Builder setKmsConfDir(File confDir) { - Preconditions.checkNotNull(confDir, "KMS conf dir is NULL"); - Preconditions.checkArgument(confDir.exists(), - "KMS conf dir does not exist"); - kmsConfDir = confDir; - return this; - } - - public Builder setLog4jConfFile(String log4jConfFile) { - Preconditions.checkNotNull(log4jConfFile, "log4jconf file is NULL"); - this.log4jConfFile = log4jConfFile; - return this; - } - - public Builder setPort(int port) { - Preconditions.checkArgument(port > 0, "input port must be greater than 0"); - this.inPort = port; - return 
this; - } - - public Builder setSslConf(File keyStoreFile, String keyStorePassword) { - Preconditions.checkNotNull(keyStoreFile, "keystore file is NULL"); - Preconditions.checkNotNull(keyStorePassword, "keystore password is NULL"); - Preconditions.checkArgument(keyStoreFile.exists(), - "keystore file does not exist"); - this.keyStoreFile = keyStoreFile; - this.keyStorePassword = keyStorePassword; - return this; - } - - public MiniKMS build() { - Preconditions.checkArgument(kmsConfDir.exists(), - "KMS conf dir does not exist"); - return new MiniKMS(kmsConfDir.getAbsolutePath(), log4jConfFile, - (keyStoreFile != null) ? keyStoreFile.getAbsolutePath() : null, - keyStorePassword, inPort); - } - } - - private String kmsConfDir; - private String log4jConfFile; - private String keyStore; - private String keyStorePassword; - private Server jetty; - private int inPort; - private URL kmsURL; - - public MiniKMS(String kmsConfDir, String log4ConfFile, String keyStore, - String password, int inPort) { - this.kmsConfDir = kmsConfDir; - this.log4jConfFile = log4ConfFile; - this.keyStore = keyStore; - this.keyStorePassword = password; - this.inPort = inPort; - } - - public void start() throws Exception { - ClassLoader cl = Thread.currentThread().getContextClassLoader(); - System.setProperty(KMSConfiguration.KMS_CONFIG_DIR, kmsConfDir); - File aclsFile = new File(kmsConfDir, "dbks-site.xml"); - if (!aclsFile.exists()) { - InputStream is = cl.getResourceAsStream("mini-kms-acls-default.xml"); - OutputStream os = new FileOutputStream(aclsFile); - IOUtils.copy(is, os); - is.close(); - os.close(); - } - File kmsFile = new File(kmsConfDir, "kms-site.xml"); - if (!kmsFile.exists()) { - Configuration kms = new Configuration(false); - kms.set(KMSConfiguration.KEY_PROVIDER_URI, - "jceks://file@" + new Path(kmsConfDir, "kms.keystore").toUri()); - kms.set("hadoop.kms.authentication.type", "simple"); - Writer writer = new FileWriter(kmsFile); - kms.writeXml(writer); - writer.close(); - } - 
System.setProperty("log4j.configuration", log4jConfFile); - jetty = createJettyServer(keyStore, keyStorePassword, inPort); - - // we need to do a special handling for MiniKMS to work when in a dir and - // when in a JAR in the classpath thanks to Jetty way of handling of webapps - // when they are in the a DIR, WAR or JAR. - URL webXmlUrl = cl.getResource("kms-webapp/WEB-INF/web.xml"); - if (webXmlUrl == null) { - throw new RuntimeException( - "Could not find kms-webapp/ dir in test classpath"); - } - boolean webXmlInJar = webXmlUrl.getPath().contains(".jar!/"); - String webappPath; - if (webXmlInJar) { - File webInf = new File("target/" + UUID.randomUUID().toString() + - "/kms-webapp/WEB-INF"); - webInf.mkdirs(); - new File(webInf, "web.xml").delete(); - InputStream is = cl.getResourceAsStream("kms-webapp/WEB-INF/web.xml"); - OutputStream os = new FileOutputStream(new File(webInf, "web.xml")); - IOUtils.copy(is, os); - is.close(); - os.close(); - webappPath = webInf.getParentFile().getAbsolutePath(); - } else { - webappPath = cl.getResource("kms-webapp").getPath(); - } - WebAppContext context = new WebAppContext(webappPath, "/kms"); - if (webXmlInJar) { - context.setClassLoader(cl); - } - jetty.addHandler(context); - jetty.start(); - kmsURL = new URL(getJettyURL(jetty), "kms"); - } - - public URL getKMSUrl() { - return kmsURL; - } - - public void stop() { - if (jetty != null && jetty.isRunning()) { - try { - jetty.stop(); - jetty = null; - } catch (Exception ex) { - throw new RuntimeException("Could not stop MiniKMS embedded Jetty, " + - ex.getMessage(), ex); - } - } - } - -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6116f91f/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java ---------------------------------------------------------------------- 
diff --git a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
index 75e25c2..4d09a79 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
@@ -67,6 +67,8 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
 public static final int RELOADER_SLEEP_MILLIS = 1000;
+ private static final Map<KMSACLsType.Type, String> ACCESS_TYPE_MAP = new HashMap<>();
+
 private volatile Map<Type, AccessControlList> blacklistedAcls;
 private long lastReload;
@@ -99,6 +101,18 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
 * Constant for the configuration property that indicates the keytab file path.
 */
 public static final String KEYTAB = TYPE + ".keytab";
+
+ static {
+ ACCESS_TYPE_MAP.put(KMSACLsType.Type.CREATE, RangerKmsAuthorizer.ACCESS_TYPE_CREATE);
+ ACCESS_TYPE_MAP.put(KMSACLsType.Type.DELETE, RangerKmsAuthorizer.ACCESS_TYPE_DELETE);
+ ACCESS_TYPE_MAP.put(KMSACLsType.Type.ROLLOVER, RangerKmsAuthorizer.ACCESS_TYPE_ROLLOVER);
+ ACCESS_TYPE_MAP.put(KMSACLsType.Type.GET, RangerKmsAuthorizer.ACCESS_TYPE_GET);
+ ACCESS_TYPE_MAP.put(KMSACLsType.Type.GET_KEYS, RangerKmsAuthorizer.ACCESS_TYPE_GET_KEYS);
+ ACCESS_TYPE_MAP.put(KMSACLsType.Type.GET_METADATA, RangerKmsAuthorizer.ACCESS_TYPE_GET_METADATA);
+ ACCESS_TYPE_MAP.put(KMSACLsType.Type.SET_KEY_MATERIAL, RangerKmsAuthorizer.ACCESS_TYPE_SET_KEY_MATERIAL);
+ ACCESS_TYPE_MAP.put(KMSACLsType.Type.GENERATE_EEK, RangerKmsAuthorizer.ACCESS_TYPE_GENERATE_EEK);
+ ACCESS_TYPE_MAP.put(KMSACLsType.Type.DECRYPT_EEK, RangerKmsAuthorizer.ACCESS_TYPE_DECRYPT_EEK);
+ }
 RangerKmsAuthorizer(Configuration conf) {
 LOG.info("RangerKmsAuthorizer(conf)...");
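Review bot: ACCESS_TYPE_MAP is filled once in this static block and then consulted by getRangerAccessType on every authorization decision, yet the field declared in the first hunk (line 67) is a plain mutable HashMap that any later code in the class could alter, silently changing which Ranger access type a KMS operation is checked against. Because the keys are an enum, the map can be built as an EnumMap and published through Collections.unmodifiableMap, which makes the operation-to-access-type table read-only after class initialization and removes the possibility of an accidental put elsewhere in the class; this touches both the field in the first hunk and the block here. Both `java.util.Collections` and `java.util.EnumMap` would need importing; the import block is outside the hunks.
```java
private static final Map<KMSACLsType.Type, String> ACCESS_TYPE_MAP;

static {
    Map<KMSACLsType.Type, String> accessTypes = new EnumMap<>(KMSACLsType.Type.class);
    accessTypes.put(KMSACLsType.Type.CREATE, RangerKmsAuthorizer.ACCESS_TYPE_CREATE);
    // … unchanged: remaining put() calls for DELETE … DECRYPT_EEK, on accessTypes …
    ACCESS_TYPE_MAP = Collections.unmodifiableMap(accessTypes);
}
```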
@@ -253,9 +267,6 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
 @Override
 public boolean hasAccessToKey(String keyName, UserGroupInformation ugi, KeyOpType opType) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerKmsAuthorizer.hasAccessToKey(" + keyName + ", " + ugi +", " + opType + ")");
- }
 if(LOG.isDebugEnabled()) {
 LOG.debug("<== RangerKmsAuthorizer.hasAccessToKey(" + keyName + ", " + ugi +", " + opType + ")");
 }
@@ -307,46 +318,11 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
 }
 private static String getRangerAccessType(KMSACLsType.Type accessType) {
- String ret = null;
-
- switch(accessType) {
- case CREATE:
- ret = RangerKmsAuthorizer.ACCESS_TYPE_CREATE;
- break;
-
- case DELETE:
- ret = RangerKmsAuthorizer.ACCESS_TYPE_DELETE;
- break;
-
- case ROLLOVER:
- ret = RangerKmsAuthorizer.ACCESS_TYPE_ROLLOVER;
- break;
-
- case GET:
- ret = RangerKmsAuthorizer.ACCESS_TYPE_GET;
- break;
-
- case GET_KEYS:
- ret = RangerKmsAuthorizer.ACCESS_TYPE_GET_KEYS;
- break;
-
- case GET_METADATA:
- ret = RangerKmsAuthorizer.ACCESS_TYPE_GET_METADATA;
- break;
-
- case SET_KEY_MATERIAL:
- ret = RangerKmsAuthorizer.ACCESS_TYPE_SET_KEY_MATERIAL;
- break;
-
- case GENERATE_EEK:
- ret = RangerKmsAuthorizer.ACCESS_TYPE_GENERATE_EEK;
- break;
-
- case DECRYPT_EEK:
- ret = RangerKmsAuthorizer.ACCESS_TYPE_DECRYPT_EEK;
- break;
+ if (ACCESS_TYPE_MAP.containsKey(accessType)) {
+ return ACCESS_TYPE_MAP.get(accessType);
 }
- return ret;
+
+ return null;
 }
 }
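Review bot: With the `==>` entry trace deleted, the debug line that survives at the top of hasAccessToKey still carries the `<==` exit marker, so a debug log now records an "exit" from this method before any of its logic has run and never an entry. The method body continues past the hunk, so I cannot see whether a second `<==` trace sits at the return; either this line should become `LOG.debug("==> RangerKmsAuthorizer.hasAccessToKey(" + keyName + ", " + ugi +", " + opType + ")");` or it should move next to the return so the markers match the call flow a reader will reconstruct from the log.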
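Review bot: The containsKey/get pair in getRangerAccessType does two lookups to produce what a single `return ACCESS_TYPE_MAP.get(accessType);` already yields, since the static block stores no null values and a missing key returns null from get as well. There is also a quiet behaviour change against the deleted switch: `switch(accessType)` threw NullPointerException on a null argument, whereas the map lookup now returns null for it just as for an unmapped enum value, so a caller can no longer distinguish "no access type supplied" from "operation not mapped"; if the null is meant to be tolerated, a `Objects.requireNonNull(accessType, "accessType")` or a one-line comment stating the intended meaning of a null return would make that explicit. A Javadoc on the method saying that an unlisted KMSACLsType.Type maps to null, and what the caller (outside this hunk) does with it, would help the next person who adds an enum constant.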
