
KMS support for whitelist key ACLs


Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.7.0
    • Component/s: kms, security
    • Labels: None

    Description

      As reported by dian.fu:
      Key-based ACL in KMS is currently implemented as a whitelist. So if I configure as follows in kms-acl.xml,

      <property>
        <name>key.acl.testKey.DECRYPT_EEK</name>
        <value>testUser</value>
      </property>

      then only the testUser user can do a DECRYPT_EEK call on key testKey. If I want the yarn user to also be able to do DECRYPT_EEK calls on the testKey key, I need to add the yarn user to the above configuration value manually. This means that if I want to configure a key-based ACL (DECRYPT_EEK) for some key, I also need to add the yarn user to the DECRYPT_EEK configuration for that key, since I don't know whether the yarn user will later need to do DECRYPT_EEK for this key. This is inconvenient and tricky.

      This can be alleviated by slightly modifying the key ACL logic in KMS: first check if the user, in this case yarn, is present in the key.acl.<key-name>.<OP-name> list. If not, then also check if the user is present in default.key.acl.<OP-name>. If yes, grant access; else deny.

      Currently, default.key.acl.<OP-name> is consulted only if NO key.acl.<key-name>.<OP-name> is specified.
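
      The two resolution orders described above, as an added example that is not Hadoop's own code: a small Python model that parses kms-acls.xml properties and evaluates DECRYPT_EEK access under the current semantics (per-key list shadows the default) and the proposed semantics (per-key list or default list). The function names and the sample configuration, which adds a default.key.acl.DECRYPT_EEK entry naming yarn, are constructed for this illustration.

```python
"""Key-ACL resolution modelled on the behaviour described in HADOOP-11341.
Added illustration, not Hadoop's own code: property names follow the
kms-acls.xml keys in the report; function names and the sample
configuration are constructed for this example."""
import xml.etree.ElementTree as ET

# Constructed kms-acls.xml fragment: the per-key whitelist from the report
# plus a default DECRYPT_EEK ACL that names the yarn user.
KMS_ACLS_XML = """<configuration>
  <property>
    <name>key.acl.testKey.DECRYPT_EEK</name>
    <value>testUser</value>
  </property>
  <property>
    <name>default.key.acl.DECRYPT_EEK</name>
    <value>yarn</value>
  </property>
</configuration>"""


def parse_kms_acls(xml_text):
    """Return {property name: set of users}; values are comma-separated."""
    acls = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name", "").strip()
        value = prop.findtext("value", "").strip()
        acls[name] = {u.strip() for u in value.split(",") if u.strip()}
    return acls


def has_key_access_current(acls, user, key, op):
    """Current semantics: default.key.acl.<OP> is consulted only when no
    key.acl.<key>.<OP> entry exists, so a per-key list shadows the default."""
    key_acl = acls.get(f"key.acl.{key}.{op}")
    if key_acl is not None:
        return user in key_acl
    return user in acls.get(f"default.key.acl.{op}", set())


def has_key_access_proposed(acls, user, key, op):
    """Proposed semantics: grant if the user is in the per-key list or in
    the default list for the operation; otherwise deny."""
    return (user in acls.get(f"key.acl.{key}.{op}", set())
            or user in acls.get(f"default.key.acl.{op}", set()))


if __name__ == "__main__":
    acls = parse_kms_acls(KMS_ACLS_XML)
    for u in ("testUser", "yarn", "otherUser"):
        print(u, has_key_access_current(acls, u, "testKey", "DECRYPT_EEK"),
              has_key_access_proposed(acls, u, "testKey", "DECRYPT_EEK"))
```

      Under the current rule yarn is denied on testKey even though it is in the default list; under the proposed rule it is granted, while a user in neither list is denied either way.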

      Attachments

        1. HADOOP-11341.4.patch
          10 kB
          Arun Suresh
        2. HADOOP-11341.3.patch
          9 kB
          Arun Suresh
        3. HADOOP-11341.2.patch
          9 kB
          Arun Suresh
        4. HADOOP-11341.1.patch
          4 kB
          Arun Suresh

            People

              Assignee: Arun Suresh (asuresh)
              Reporter: Arun Suresh (asuresh)
              Votes: 0
              Watchers: 5