-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53751/#review160071
-----------------------------------------------------------

kms/scripts/setup.sh (line 668)
<https://reviews.apache.org/r/53751/#comment231066>

Ranger KMS uses its own ACL through Ranger policies; that's the reason default KMS ACLs are not required. Whereas dbks-site.xml is the configuration file which is required for Ranger KMS installation only.
As per my knowledge, Ranger KMS implementation is correct.

- Ankita Sinha


On Nov. 15, 2016, 2:25 a.m., Qiang Zhang wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53751/
> -----------------------------------------------------------
>
> (Updated Nov. 15, 2016, 2:25 a.m.)
>
>
> Review request for ranger, Don Bosco Durai, Ramesh Mani, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-1217
>     https://issues.apache.org/jira/browse/RANGER-1217
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Currently, KMS_ACLS_XML = "dbks-site.xml".
> We should change KMS_ACLS_XML = "kms-acls.xml".
> Therefore, in ranger-kms-plugin
> we should add the following line in setup.sh,
> cp ${WEBAPP_ROOT}/mini-kms-acls-default.xml ${WEBAPP_ROOT}/WEB-INF/classes/conf/kms-acls.xml
> when we execute the setup.sh command.
> Also, if I configure as follows in kms-site.xml,
> <property>
>   <name>hadoop.kms.security.authorization.manager</name>
>   <value>org.apache.hadoop.crypto.key.kms.server.KMSACLs</value>
> </property>
> the regex for getting the configuration item "key.acl.<KEY_NAME>.<OP_TYPE>" is incorrect.
> We should add the following in KMSConfiguration.java,
> public static final String KEY_ACL_PREFIX_REGEX = "^key\\.acl\\..+";
> then change
> Map<String, String> allKeyACLS = conf.getValByRegex(Pattern.quote(KMSConfiguration.KEY_ACL_PREFIX));
> to
> Map<String, String> allKeyACLS = conf.getValByRegex(KMSConfiguration.KEY_ACL_PREFIX_REGEX);
> in KMSACLs.java
>
>
> Diffs
> -----
>
>   kms/scripts/setup.sh 568350b
>   kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java ff2f6d9
>   kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java 4bf2886
>
> Diff: https://reviews.apache.org/r/53751/diff/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Qiang Zhang
>
>
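
Added example (not part of the review thread or the Ranger code base): the two patterns from the description, run over constructed property names so the difference in which ACL entries get selected is visible. It assumes `KEY_ACL_PREFIX` is the literal `key.acl.` and that the lookup applies the pattern with `find()`; `valByRegex` is a hypothetical stand-in for that lookup.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class KeyAclRegexDemo {
    // Assumed value of the existing constant (the page only shows the item name format).
    static final String KEY_ACL_PREFIX = "key.acl.";
    // Pattern proposed in the review request.
    static final String KEY_ACL_PREFIX_REGEX = "^key\\.acl\\..+";

    // Hypothetical stand-in for a regex lookup over configuration names.
    // Assumption: the pattern is applied with find(), so it may match anywhere in the name.
    static Map<String, String> valByRegex(Map<String, String> conf, String regex) {
        Pattern p = Pattern.compile(regex);
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : conf.entrySet()) {
            if (p.matcher(e.getKey()).find()) {
                out.put(e.getKey(), e.getValue());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample properties, not taken from a real kms-acls.xml.
        Map<String, String> conf = new LinkedHashMap<>();
        conf.put("key.acl.payroll.DECRYPT_EEK", "alice");
        conf.put("key.acl.payroll.MANAGEMENT", "admins");
        conf.put("other.key.acl.payroll.READ", "*");  // prefix appears mid-name
        conf.put("key.acl.", "bob");                  // prefix with nothing after it
        conf.put("hadoop.kms.acl.CREATE", "admins");  // not a per-key ACL entry

        System.out.println("quoted prefix : "
                + valByRegex(conf, Pattern.quote(KEY_ACL_PREFIX)).keySet());
        System.out.println("anchored regex: "
                + valByRegex(conf, KEY_ACL_PREFIX_REGEX).keySet());
    }
}
```

Under those assumptions the quoted prefix also selects `other.key.acl.payroll.READ` and the bare `key.acl.` entry, while the anchored pattern keeps only names that start with `key.acl.` and have something after it.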
