This is an automated email from the ASF dual-hosted git repository.

hexiaoqiao pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/hadoop.git


The following commit(s) were added to refs/heads/trunk by this push:
     new ddc0ee2  HADOOP-17304. KMS ACL: Allow DeleteKey Operation to 
Invalidate Cache. Contributed by Xiaoyu.
ddc0ee2 is described below

commit ddc0ee27fa86b1a99154b3a2ebdba0984e8514ea
Author: He Xiaoqiao <hexiaoq...@apache.org>
AuthorDate: Wed Oct 14 16:00:37 2020 +0800

    HADOOP-17304. KMS ACL: Allow DeleteKey Operation to Invalidate Cache. 
Contributed by Xiaoyu.
    
    Reviewed-by: Ayush Saxena <ayushsax...@apache.org>
    Signed-off-by: He Xiaoqiao <hexiaoq...@apache.org>
---
 .../apache/hadoop/crypto/key/kms/server/KMS.java   | 10 ++++++++-
 .../hadoop/crypto/key/kms/server/KMSACLs.java      | 26 ++++++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git 
a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
 
b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
index b6b42544..59a40a3 100644
--- 
a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
+++ 
b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
@@ -52,10 +52,12 @@ import java.io.IOException;
 import java.net.URI;
 import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
+import java.util.EnumSet;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 
+import static 
org.apache.hadoop.crypto.key.kms.server.KMSACLs.INVALIDATE_CACHE_TYPES;
 import static org.apache.hadoop.util.KMSUtil.checkNotEmpty;
 import static org.apache.hadoop.util.KMSUtil.checkNotNull;
 
@@ -95,6 +97,12 @@ public class KMS {
     KMSWebApp.getACLs().assertAccess(aclType, ugi, operation, key);
   }
 
+  private void assertAccess(EnumSet<KMSACLs.Type> aclTypes,
+      UserGroupInformation ugi, KMSOp operation, String key)
+      throws AccessControlException {
+    KMSWebApp.getACLs().assertAccess(aclTypes, ugi, operation, key);
+  }
+
   private static KeyProvider.KeyVersion removeKeyMaterial(
       KeyProvider.KeyVersion keyVersion) {
     return new KMSClientProvider.KMSKeyVersion(keyVersion.getName(),
@@ -270,7 +278,7 @@ public class KMS {
       KMSWebApp.getAdminCallsMeter().mark();
       checkNotEmpty(name, "name");
       UserGroupInformation user = HttpUserGroupInformation.get();
-      assertAccess(KMSACLs.Type.ROLLOVER, user, KMSOp.INVALIDATE_CACHE, name);
+      assertAccess(INVALIDATE_CACHE_TYPES, user, KMSOp.INVALIDATE_CACHE, name);
       LOG.debug("Invalidating cache with key name {}.", name);
 
       user.doAs(new PrivilegedExceptionAction<Void>() {
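Review bot: The changed `assertAccess(INVALIDATE_CACHE_TYPES, ...)` call widens who may invalidate the key cache to every principal holding the DELETE ACL, and the diffstat shows only the two Java files changing, so no test or operator documentation accompanies that widening. An administrator reading the description of `hadoop.kms.acl.DELETE` would not learn that it now also grants cache invalidation; the ACL documentation and the default ACL file comments should say so. A test should cover a DELETE-only user being allowed and a user with neither ACL being rejected. At the call site, a comment such as `// Authorized by either the ROLLOVER or the DELETE ACL; see KMSACLs.INVALIDATE_CACHE_TYPES.` would keep the intent visible. The enclosing method begins and ends outside this hunk.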
diff --git 
a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
 
b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
index ba0fe82..6536b63 100644
--- 
a/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
+++ 
b/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
@@ -29,6 +29,7 @@ import 
org.apache.hadoop.security.authorize.AuthorizationException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.concurrent.Executors;
@@ -69,6 +70,10 @@ public class KMSACLs implements Runnable, KeyACLs {
 
   public static final int RELOADER_SLEEP_MILLIS = 1000;
 
+  // Allow both ROLLOVER and DELETE to invalidate cache.
+  public static final EnumSet<KMSACLs.Type> INVALIDATE_CACHE_TYPES =
+      EnumSet.of(KMSACLs.Type.ROLLOVER, KMSACLs.Type.DELETE);
+
   private volatile Map<Type, AccessControlList> acls;
   private volatile Map<Type, AccessControlList> blacklistedAcls;
   @VisibleForTesting
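Review bot: `INVALIDATE_CACHE_TYPES` is a `public static final EnumSet`, which fixes the reference but leaves the set itself mutable, so any code loaded in the KMS process can add or remove types and silently change an authorization decision. Publish it as a read-only view instead: `public static final Set<KMSACLs.Type> INVALIDATE_CACHE_TYPES = Collections.unmodifiableSet(EnumSet.of(KMSACLs.Type.ROLLOVER, KMSACLs.Type.DELETE));`. That needs `java.util.Collections` and `java.util.Set` imported, and the two new `assertAccess` overloads (the private one in KMS.java and the public one in this file) should then take `Set<Type>` rather than `EnumSet<Type>`.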
@@ -273,6 +278,27 @@ public class KMSACLs implements Runnable, KeyACLs {
     }
   }
 
+  public void assertAccess(EnumSet<Type> aclTypes,
+      UserGroupInformation ugi, KMSOp operation, String key)
+      throws AccessControlException {
+    boolean accessAllowed = false;
+    for (KMSACLs.Type type : aclTypes) {
+      if (KMSWebApp.getACLs().hasAccess(type, ugi)){
+        accessAllowed = true;
+        break;
+      }
+    }
+
+    if (!accessAllowed) {
+      KMSWebApp.getUnauthorizedCallsMeter().mark();
+      KMSWebApp.getKMSAudit().unauthorized(ugi, operation, key);
+      throw new AuthorizationException(String.format(
+          (key != null) ? UNAUTHORIZED_MSG_WITH_KEY
+              : UNAUTHORIZED_MSG_WITHOUT_KEY,
+          ugi.getShortUserName(), operation, key));
+    }
+  }
+
   @Override
   public boolean hasAccessToKey(String keyName, UserGroupInformation ugi,
       KeyOpType opType) {
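Review bot: The loop in the new `assertAccess(EnumSet<Type>, ...)` queries `KMSWebApp.getACLs().hasAccess(type, ugi)` rather than calling `hasAccess` on the instance it was invoked on. A `KMSACLs` object that is not the one registered with the web app, such as one built in a unit test, would therefore be checked against a different ACL set than its own. The single-type overload above the hunk may follow the same pattern, but the new code can simply use `if (hasAccess(type, ugi)) {`. The method is public and has no Javadoc; it should state that access is granted when any one of the given types allows the user, and that an empty set always denies. The unauthorized branch (meter, audit, exception) looks like a copy of the single-type path and could be shared through one private helper so the two cannot drift apart.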

