-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56487/
-----------------------------------------------------------

Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Ramesh Mani, 
Selvamohan Neethiraj, and Velmurugan Periasamy.


Bugs: RANGER-1294
    https://issues.apache.org/jira/browse/RANGER-1294


Repository: ranger


Description
-------

Currently, the Hadoop KMS supports default key ACLs and whitelist key ACLs, so the Ranger KMS should also support a similar function.

Hadoop KMS link: https://issues.apache.org/jira/browse/HADOOP-11341


Diffs
-----

  kms/config/kms-webapp/dbks-site.xml a098db1
  kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java 4bf2886
  plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java 9bebafa

Diff: https://reviews.apache.org/r/56487/diff/


Testing
-------

Steps:
1. Add a policy to give permission to user xiehh in the ranger-admin WebUI
2. Create the zone
[xiehh@zdh41 ~]$ hdfs dfs -mkdir /keyZone
[xiehh@zdh41 ~]$ hdfs crypto -createZone -keyName key0 -path /keyZone
[xiehh@zdh41 ~]$ hdfs dfs -put a.txt /keyZone

Test:
1. Configure as follows in dbks-site.xml
 <property>
        <name>default.key.acl.DECRYPT_EEK</name>
        <value>*</value>
 </property>
 <property>
        <name>whitelist.key.acl.DECRYPT_EEK</name>
        <value>*</value>
 </property>
--> test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd

2. Configure as follows in dbks-site.xml
 <property>
        <name>default.key.acl.DECRYPT_EEK</name>
        <value>mysql</value>
 </property>
 <property>
        <name>whitelist.key.acl.DECRYPT_EEK</name>
        <value>mysql</value>
 </property>
--> test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
cat: User [xiehh] is not authorized to perform [DECRYPT_EEK] on key with ACL name [key0]!!

3. Configure as follows in dbks-site.xml
 <property>
        <name>default.key.acl.DECRYPT_EEK</name>
        <value>*</value>
 </property>
 <property>
        <name>whitelist.key.acl.DECRYPT_EEK</name>
        <value>mysql</value>
 </property> 
--> test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd 

4. Configure as follows in dbks-site.xml
 <property>
        <name>default.key.acl.DECRYPT_EEK</name>
        <value>mysql</value>
 </property>
 <property>
        <name>whitelist.key.acl.DECRYPT_EEK</name>
        <value>*</value>
 </property> 
--> test with user xiehh
[xiehh@zdh41 ~]$ hdfs dfs -cat /keyZone/a.txt
dasdads
asdasd 
...


Thanks,

Qiang Zhang
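
The four test configurations above, replayed as an added example (not part of the review request and not code from the Ranger patch). It assumes the rule the four results suggest, that a user passes when either the default or the whitelist ACL matches, uses a simplified reading of the Hadoop ACL string ("*" or "users groups"), and also reports which properties open DECRYPT_EEK to every user; all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

def key_acls(site_xml, op="DECRYPT_EEK"):
    """Return {'default': value, 'whitelist': value} for one key operation."""
    props = {p.findtext("name", "").strip(): p.findtext("value", "")
             for p in ET.fromstring(site_xml).iter("property")}
    return {kind: props.get(f"{kind}.key.acl.{op}", "")
            for kind in ("default", "whitelist")}

def acl_matches(acl, user, groups=()):
    """Simplified Hadoop ACL string: '*' for everyone, else 'u1,u2 g1,g2'."""
    if acl.strip() == "*":
        return True
    users, _, grps = acl.partition(" ")
    return (user in filter(None, users.split(","))
            or any(g in grps.split(",") for g in groups if g))

def allowed(site_xml, user, groups=(), op="DECRYPT_EEK"):
    """Assumption drawn from the four test results: either ACL matching suffices."""
    return any(acl_matches(a, user, groups)
               for a in key_acls(site_xml, op).values())

def wildcard_findings(site_xml, op="DECRYPT_EEK"):
    """Audit helper: properties that open the operation to every user."""
    return [f"{kind}.key.acl.{op}"
            for kind, value in key_acls(site_xml, op).items()
            if value.strip() == "*"]

def site(default, whitelist):
    """Constructed sample config with the same two properties as the tests."""
    return f"""<configuration>
 <property><name>default.key.acl.DECRYPT_EEK</name><value>{default}</value></property>
 <property><name>whitelist.key.acl.DECRYPT_EEK</name><value>{whitelist}</value></property>
</configuration>"""

# (default, whitelist) values of test cases 1 to 4
CASES = [("*", "*"), ("mysql", "mysql"), ("*", "mysql"), ("mysql", "*")]

if __name__ == "__main__":
    for n, (d, w) in enumerate(CASES, 1):
        xml = site(d, w)
        verdict = "allowed" if allowed(xml, "xiehh") else "denied"
        print(n, verdict, wildcard_findings(xml))
```

Only case 2 has no wildcard entry, which is also the only case where xiehh is denied.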
