
KMS support for whitelist key ACLs


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.7.0
    • Component/s: kms, security
    • Labels: None

      Description

      As reported by Dian Fu:
      Key-based ACL in KMS is currently implemented as a whitelist. So if I configure as follows in kms-acl.xml:

        <property>
          <name>key.acl.testKey.DECRYPT_EEK</name>
          <value>testUser</value>
        </property>

      then only the testUser user can make the DECRYPT_EEK call on key testKey. If I want the yarn user to also be able to make the DECRYPT_EEK call on the testKey key, I need to add the yarn user to the above configuration value manually. This means that if I want to configure a key-based ACL (DECRYPT_EEK) for some key, I also need to add the yarn user to the DECRYPT_EEK configuration for that key, as I don't know if the yarn user will later need to do DECRYPT_EEK for this key. This is inconvenient and tricky.

      This can be alleviated by slightly modifying the key ACL logic in KMS: first check if the user, in this case yarn, is present in the key.acl.<key-name>.<OP-name> list. If not, then also check if the user is present in default.key.acl.<OP-name>. If yes, then grant access; else deny.

      Currently, default.key.acl.<OP-name> is consulted only if NO key.acl.<key-name>.<OP-name> is specified.
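      The two authorization semantics described above, current (default ACL consulted only when no key-specific ACL exists) and proposed (key-specific ACL first, then fall through to the default ACL), side by side as an added example; this is not code from the Hadoop project, the kms-acl.xml fragment is constructed for the issue's scenario, and the "*" wildcard handling is an assumption:

```python
import xml.etree.ElementTree as ET

# Constructed kms-acl.xml fragment for the scenario in the issue (not a file
# from the Hadoop project): a key-specific DECRYPT_EEK ACL for testKey plus a
# default DECRYPT_EEK ACL that lists the yarn user.
KMS_ACL_XML = """<configuration>
  <property>
    <name>key.acl.testKey.DECRYPT_EEK</name>
    <value>testUser</value>
  </property>
  <property>
    <name>default.key.acl.DECRYPT_EEK</name>
    <value>yarn</value>
  </property>
</configuration>
"""

def parse_acls(xml_text):
    """Return {property name: set of users} from a kms-acl.xml document.
    Values are taken as comma- or whitespace-separated user names."""
    acls = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = prop.findtext("value") or ""
        if name:
            acls[name] = set(value.replace(",", " ").split())
    return acls

def _allowed(users, user):
    # Assumption: "*" grants every user, as in a typical Hadoop ACL value.
    return "*" in users or user in users

def check_current(acls, user, key, op):
    """Semantics the issue describes as current: the default ACL is consulted
    only when NO key.acl.<key>.<op> entry exists for this key and operation."""
    key_acl = acls.get(f"key.acl.{key}.{op}")
    if key_acl is not None:
        return _allowed(key_acl, user)
    return _allowed(acls.get(f"default.key.acl.{op}", set()), user)

def check_proposed(acls, user, key, op):
    """Semantics the issue proposes: grant if the user is in the key-specific
    ACL, otherwise also check default.key.acl.<op>; deny only if in neither."""
    if _allowed(acls.get(f"key.acl.{key}.{op}", set()), user):
        return True
    return _allowed(acls.get(f"default.key.acl.{op}", set()), user)
```

With this configuration, check_current denies yarn on testKey while check_proposed grants it via the default ACL; a user in neither list is denied under both.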

      Attachments

        1. HADOOP-11341.4.patch (10 kB, Arun Suresh)
        2. HADOOP-11341.3.patch (9 kB, Arun Suresh)
        3. HADOOP-11341.2.patch (9 kB, Arun Suresh)
        4. HADOOP-11341.1.patch (4 kB, Arun Suresh)

      People

        • Assignee: asuresh (Arun Suresh)
        • Reporter: asuresh (Arun Suresh)
        • Votes: 0
        • Watchers: 6
