HADOOP-15459 (Hadoop Common): KMSACLs will fail for other opTypes if ACLs are defined for one opType.


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Invalid
    • Affects Version/s: 2.8.3
    • Fix Version/s: None
    • Component/s: kms
    • Labels: None
    • Target Version/s:

      Description

      Assume this subset of the kms-acls.xml file.

      <configuration>
        <property>
          <name>default.key.acl.DECRYPT_EEK</name>
          <value></value>
          <description>
            default ACL for DECRYPT_EEK operations for all key acls that are not
            explicitly defined.
          </description>
        </property>

        <property>
          <name>key.acl.key1.DECRYPT_EEK</name>
          <value>user1</value>
        </property>

        <property>
          <name>default.key.acl.READ</name>
          <value>*</value>
          <description>
            default ACL for READ operations for all key acls that are not
            explicitly defined.
          </description>
        </property>

        <property>
          <name>whitelist.key.acl.READ</name>
          <value>hdfs</value>
          <description>
            Whitelist ACL for READ operations for all keys.
          </description>
        </property>
      </configuration>


      For key key1, we restricted the DECRYPT_EEK operation to only user1.
      For other READ operations (like getMetadata), by default I still want everyone to be able to access all keys via default.key.acl.READ.
      But it doesn't allow anyone to access key1 for any other READ operations.
      As a result, if the admin restricts access for one opType then (s)he has to define access for all other opTypes as well, which is not desirable.
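      The following is an added illustration for this report, not Hadoop's own KMSACLs code: a small model of the key-ACL resolution the description observes, evaluated against the kms-acls.xml subset above. The resolution order it assumes (a key-specific entry replaces the defaults for every op type on that key, and whitelist entries are OR'ed in for all keys) is inferred from the reported behaviour; group handling is omitted.

```python
# Added illustration for this report, not Hadoop's KMSACLs code. The
# resolution order (a key-specific entry replaces the defaults for every op
# type on that key; whitelist entries are OR'ed in for all keys) is assumed
# from the behaviour described in the description above.

# ACL values: constructed from the kms-acls.xml subset in the description.
# Simplified: only user names (comma/space separated); groups are ignored.
KMS_ACLS = {
    "default.key.acl.DECRYPT_EEK": "",
    "key.acl.key1.DECRYPT_EEK": "user1",
    "default.key.acl.READ": "*",
    "whitelist.key.acl.READ": "hdfs",
}


def acl_allows(acl_value, user):
    """'*' matches everyone; a missing or empty value matches nobody."""
    if acl_value is None:
        return False
    acl_value = acl_value.strip()
    if acl_value == "*":
        return True
    return user in acl_value.replace(",", " ").split()


def has_access_to_key(acls, key, user, op):
    """Decide whether `user` may perform `op` on `key` under `acls`."""
    prefix = f"key.acl.{key}."
    key_specific = {k[len(prefix):]: v for k, v in acls.items()
                    if k.startswith(prefix)}
    if key_specific:
        # Any per-key entry exists: defaults are no longer consulted for this
        # key, so an op type not listed here is denied (unless whitelisted).
        allowed = acl_allows(key_specific.get(op), user)
    else:
        allowed = acl_allows(acls.get(f"default.key.acl.{op}"), user)
    return allowed or acl_allows(acls.get(f"whitelist.key.acl.{op}"), user)


def audit(acls, key, op, users):
    """Map each user to the decision; useful for checking a config."""
    return {u: has_access_to_key(acls, key, u, op) for u in users}


if __name__ == "__main__":
    for key in ("key1", "key2"):
        for op in ("DECRYPT_EEK", "READ"):
            print(key, op, audit(KMS_ACLS, key, op, ["user1", "user2", "hdfs"]))
```

      Running it shows READ on key1 denied for every user except the whitelisted hdfs, while READ on a key with no per-key entry (key2) still falls through to default.key.acl.READ.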

        Attachments

        1. HADOOP-15459.002.patch (4 kB, Rushabh Shah)
        2. HADOOP-15459.001.patch (3 kB, Rushabh Shah)


            People

            • Assignee: Rushabh Shah (shahrs87)
            • Reporter: Rushabh Shah (shahrs87)
            • Votes: 0
            • Watchers: 4
