[HADOOP-15459] KMSACLs will fail for other optype if acls is defined for one optype. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Invalid
Affects Version/s: 2.8.3
Fix Version/s: None
Component/s: kms
Labels:
None

Target Version/s:

2.8.5

Description

Assume subset of kms-acls xml file.

  <property>
    <name>default.key.acl.DECRYPT_EEK</name>
    <value></value>
    <description>
      default ACL for DECRYPT_EEK operations for all key acls that are not
      explicitly defined.
    </description>
  </property>

<configuration>
  <property>
    <name>key.acl.key1.DECRYPT_EEK</name>
    <value>user1</value>
  </property>

  <property>
    <name>default.key.acl.READ</name>
    <value>*</value>
    <description>
      default ACL for READ operations for all key acls that are not
      explicitly defined.
    </description>
  </property>

<property>
  <name>whitelist.key.acl.READ</name>
  <value>hdfs</value>
  <description>
    Whitelist ACL for READ operations for all keys.
  </description>
</property>

For key key1, we restricted DECRYPT_EEK operation to only user1.
For other READ operation(like getMetadata), by default I still want everyone to access all keys via default.key.acl.READ
But it doesn't allow anyone to access key1 for any other READ operations.
As a result of this, if the admin restricted access for one opType then (s)he has to define access for all other opTypes also, which is not desirable.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HADOOP-15459.002.patch
16/May/18 22:08
4 kB
Rushabh Shah
HADOOP-15459.001.patch
16/May/18 15:30
3 kB
Rushabh Shah

Activity

People

Assignee:: Rushabh Shah

Reporter:: Rushabh Shah

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 14/May/18 02:58

Updated:: 02/Oct/19 17:15

Resolved:: 17/May/18 18:22