Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-11341

KMS support for whitelist key ACLs



    • New Feature
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 2.7.0
    • kms, security
    • None


      As reported by dian.fu :
      Key based ACL in KMS is currently implemented as whitelist. So if I configure as follows in kms-acl.xml,


      , then only testUser user can do DECRYPT_EEK call on key testKey. If I want yarn user can also do DECRYPT_EEK call on testKey key, I need add yarn user to the above configuration value manually. This means that if I want to configure key based ACL(DECRYPT_EEK) for some key, I need also add yarn user to configuration DECRYPT_EEK for that key. As I don't know if yarn user will later need to do DECRYPT_EEK for this key.. This is inconvenient and tricky.

      This can be alleviated by slightly modifying the key ACL logic in KMS first checks if the user, in this case yarn, is present in key.acl.<key-name>.<OP-name> list. And if not, then also check if the user is present in default.key.acl.<OP-name>. If yes, then grant access.. else deny.

      Currently, default.key.acl.<OP-name> is consulted only if NO key.acl.<key-name>.<OP-name> is specified.


        1. HADOOP-11341.1.patch
          4 kB
          Arun Suresh
        2. HADOOP-11341.2.patch
          9 kB
          Arun Suresh
        3. HADOOP-11341.3.patch
          9 kB
          Arun Suresh
        4. HADOOP-11341.4.patch
          10 kB
          Arun Suresh

        Issue Links



              asuresh Arun Suresh
              asuresh Arun Suresh
              0 Vote for this issue
              5 Start watching this issue