From cohei...@apache.org
Subject [1/2] incubator-ranger git commit: Some KMS cleanup
Date Thu, 04 Aug 2016 11:19:57 GMT
Repository: incubator-ranger
Updated Branches:
  refs/heads/master a171cdbb4 -> 8411c64a6


Some KMS cleanup


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/6116f91f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/6116f91f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/6116f91f

Branch: refs/heads/master
Commit: 6116f91f0edddac4ba6e96f29c23d7a88a106cd1
Parents: a171cdb
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Aug 4 09:47:01 2016 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Aug 4 09:47:01 2016 +0100

----------------------------------------------------------------------
 .../hadoop/crypto/key/kms/server/MiniKMS.java   | 231 -------------------
 .../kms/authorizer/RangerKmsAuthorizer.java     |  60 ++---
 2 files changed, 18 insertions(+), 273 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6116f91f/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java
----------------------------------------------------------------------
diff --git a/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java b/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java
deleted file mode 100755
index 7080e14..0000000
--- a/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java
+++ /dev/null
@@ -1,231 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.crypto.key.kms.server;
-
-import com.google.common.base.Preconditions;
-import org.apache.commons.io.IOUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.crypto.key.kms.KMSRESTConstants;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.security.ssl.SslSocketConnectorSecure;
-import org.mortbay.jetty.Connector;
-import org.mortbay.jetty.Server;
-import org.mortbay.jetty.security.SslSocketConnector;
-import org.mortbay.jetty.webapp.WebAppContext;
-
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.FileWriter;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.io.Writer;
-import java.net.InetAddress;
-import java.net.MalformedURLException;
-import java.net.ServerSocket;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.net.URL;
-import java.util.UUID;
-
-public class MiniKMS {
-
-  private static Server createJettyServer(String keyStore, String password, int inPort) {
-    try {
-      boolean ssl = keyStore != null;
-      InetAddress localhost = InetAddress.getByName("localhost");
-      String host = "localhost";
-      ServerSocket ss = new ServerSocket((inPort < 0) ? 0 : inPort, 50, localhost);
-      int port = ss.getLocalPort();
-      ss.close();
-      Server server = new Server(0);
-      if (!ssl) {
-        server.getConnectors()[0].setHost(host);
-        server.getConnectors()[0].setPort(port);
-      } else {
-        SslSocketConnector c = new SslSocketConnectorSecure();
-        c.setHost(host);
-        c.setPort(port);
-        c.setNeedClientAuth(false);
-        c.setKeystore(keyStore);
-        c.setKeystoreType("jks");
-        c.setKeyPassword(password);
-        server.setConnectors(new Connector[]{c});
-      }
-      return server;
-    } catch (Exception ex) {
-      throw new RuntimeException("Could not start embedded servlet container, "
-          + ex.getMessage(), ex);
-    }
-  }
-
-  private static URL getJettyURL(Server server) {
-    boolean ssl = server.getConnectors()[0].getClass()
-        == SslSocketConnectorSecure.class;
-    try {
-      String scheme = (ssl) ? "https" : "http";
-      return new URL(scheme + "://" +
-          server.getConnectors()[0].getHost() + ":" +
-          server.getConnectors()[0].getPort());
-    } catch (MalformedURLException ex) {
-      throw new RuntimeException("It should never happen, " + ex.getMessage(),
-          ex);
-    }
-  }
-
-  public static class Builder {
-    private File kmsConfDir;
-    private String log4jConfFile;
-    private File keyStoreFile;
-    private String keyStorePassword;
-    private int inPort = -1;
-
-    public Builder() {
-      kmsConfDir = new File("target/test-classes").getAbsoluteFile();
-      log4jConfFile = "kms-log4j.properties";
-    }
-
-    public Builder setKmsConfDir(File confDir) {
-      Preconditions.checkNotNull(confDir, "KMS conf dir is NULL");
-      Preconditions.checkArgument(confDir.exists(),
-          "KMS conf dir does not exist");
-      kmsConfDir = confDir;
-      return this;
-    }
-
-    public Builder setLog4jConfFile(String log4jConfFile) {
-      Preconditions.checkNotNull(log4jConfFile, "log4jconf file is NULL");
-      this.log4jConfFile = log4jConfFile;
-      return this;
-    }
-
-    public Builder setPort(int port) {
-      Preconditions.checkArgument(port > 0, "input port must be greater than 0");
-      this.inPort = port;
-      return this;
-    }
-
-    public Builder setSslConf(File keyStoreFile, String keyStorePassword) {
-      Preconditions.checkNotNull(keyStoreFile, "keystore file is NULL");
-      Preconditions.checkNotNull(keyStorePassword, "keystore password is NULL");
-      Preconditions.checkArgument(keyStoreFile.exists(),
-          "keystore file does not exist");
-      this.keyStoreFile = keyStoreFile;
-      this.keyStorePassword = keyStorePassword;
-      return this;
-    }
-
-    public MiniKMS build() {
-      Preconditions.checkArgument(kmsConfDir.exists(),
-          "KMS conf dir does not exist");
-      return new MiniKMS(kmsConfDir.getAbsolutePath(), log4jConfFile,
-          (keyStoreFile != null) ? keyStoreFile.getAbsolutePath() : null,
-          keyStorePassword, inPort);
-    }
-  }
-
-  private String kmsConfDir;
-  private String log4jConfFile;
-  private String keyStore;
-  private String keyStorePassword;
-  private Server jetty;
-  private int inPort;
-  private URL kmsURL;
-
-  public MiniKMS(String kmsConfDir, String log4ConfFile, String keyStore,
-      String password, int inPort) {
-    this.kmsConfDir = kmsConfDir;
-    this.log4jConfFile = log4ConfFile;
-    this.keyStore = keyStore;
-    this.keyStorePassword = password;
-    this.inPort = inPort;
-  }
-
-  public void start() throws Exception {
-    ClassLoader cl = Thread.currentThread().getContextClassLoader();
-    System.setProperty(KMSConfiguration.KMS_CONFIG_DIR, kmsConfDir);
-    File aclsFile = new File(kmsConfDir, "dbks-site.xml");
-    if (!aclsFile.exists()) {
-      InputStream is = cl.getResourceAsStream("mini-kms-acls-default.xml");
-      OutputStream os = new FileOutputStream(aclsFile);
-      IOUtils.copy(is, os);
-      is.close();
-      os.close();
-    }
-    File kmsFile = new File(kmsConfDir, "kms-site.xml");
-    if (!kmsFile.exists()) {
-      Configuration kms = new Configuration(false);
-      kms.set(KMSConfiguration.KEY_PROVIDER_URI,
-          "jceks://file@" + new Path(kmsConfDir, "kms.keystore").toUri());
-      kms.set("hadoop.kms.authentication.type", "simple");
-      Writer writer = new FileWriter(kmsFile);
-      kms.writeXml(writer);
-      writer.close();
-    }
-    System.setProperty("log4j.configuration", log4jConfFile);
-    jetty = createJettyServer(keyStore, keyStorePassword, inPort);
-
-    // we need to do a special handling for MiniKMS to work when in a dir and
-    // when in a JAR in the classpath thanks to Jetty way of handling of webapps
-    // when they are in the a DIR, WAR or JAR.
-    URL webXmlUrl = cl.getResource("kms-webapp/WEB-INF/web.xml");
-    if (webXmlUrl == null) {
-      throw new RuntimeException(
-          "Could not find kms-webapp/ dir in test classpath");
-    }
-    boolean webXmlInJar = webXmlUrl.getPath().contains(".jar!/");
-    String webappPath;
-    if (webXmlInJar) {
-      File webInf = new File("target/" + UUID.randomUUID().toString() +
-          "/kms-webapp/WEB-INF");
-      webInf.mkdirs();
-      new File(webInf, "web.xml").delete();
-      InputStream is = cl.getResourceAsStream("kms-webapp/WEB-INF/web.xml");
-      OutputStream os = new FileOutputStream(new File(webInf, "web.xml"));
-      IOUtils.copy(is, os);
-      is.close();
-      os.close();
-      webappPath = webInf.getParentFile().getAbsolutePath();
-    } else {
-      webappPath = cl.getResource("kms-webapp").getPath();
-    }
-    WebAppContext context = new WebAppContext(webappPath, "/kms");
-    if (webXmlInJar) {
-      context.setClassLoader(cl);
-    }
-    jetty.addHandler(context);
-    jetty.start();
-    kmsURL = new URL(getJettyURL(jetty), "kms");
-  }
-
-  public URL getKMSUrl() {
-    return kmsURL;
-  }
-
-  public void stop() {
-    if (jetty != null && jetty.isRunning()) {
-      try {
-        jetty.stop();
-        jetty = null;
-      } catch (Exception ex) {
-        throw new RuntimeException("Could not stop MiniKMS embedded Jetty, " +
-            ex.getMessage(), ex);
-      }
-    }
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6116f91f/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
index 75e25c2..4d09a79 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
@@ -67,6 +67,8 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
 
 	  public static final int RELOADER_SLEEP_MILLIS = 1000;
 	  
+	  private static final Map<KMSACLsType.Type, String> ACCESS_TYPE_MAP = new HashMap<>();
+	  
 	  private volatile Map<Type, AccessControlList> blacklistedAcls;
 	  
 	  private long lastReload;
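Review bot: ACCESS_TYPE_MAP is keyed by an enum, so `EnumMap` is the idiomatic container here and gives a fixed-size, ordinal-indexed lookup: `private static final Map<KMSACLsType.Type, String> ACCESS_TYPE_MAP = new EnumMap<>(KMSACLsType.Type.class);`. The field is private and only written from the static initializer, so the mutable HashMap is not leaked, but the import block is outside this hunk, so please confirm `java.util.HashMap` (or `EnumMap`) is imported next to the `Map` the class already used for blacklistedAcls. A one-line comment such as `// KMS ACL operation -> Ranger access-type name used in policy evaluation` would also tell a reader why the map exists.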
@@ -99,6 +101,18 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
 	   * Constant for the configuration property that indicates the keytab file path.
 	   */
 	  public static final String KEYTAB = TYPE + ".keytab";
+	  
+	  static {
+		  ACCESS_TYPE_MAP.put(KMSACLsType.Type.CREATE, RangerKmsAuthorizer.ACCESS_TYPE_CREATE);
+		  ACCESS_TYPE_MAP.put(KMSACLsType.Type.DELETE, RangerKmsAuthorizer.ACCESS_TYPE_DELETE);
+		  ACCESS_TYPE_MAP.put(KMSACLsType.Type.ROLLOVER, RangerKmsAuthorizer.ACCESS_TYPE_ROLLOVER);
+		  ACCESS_TYPE_MAP.put(KMSACLsType.Type.GET, RangerKmsAuthorizer.ACCESS_TYPE_GET);
+		  ACCESS_TYPE_MAP.put(KMSACLsType.Type.GET_KEYS, RangerKmsAuthorizer.ACCESS_TYPE_GET_KEYS);
+		  ACCESS_TYPE_MAP.put(KMSACLsType.Type.GET_METADATA, RangerKmsAuthorizer.ACCESS_TYPE_GET_METADATA);
+		  ACCESS_TYPE_MAP.put(KMSACLsType.Type.SET_KEY_MATERIAL, RangerKmsAuthorizer.ACCESS_TYPE_SET_KEY_MATERIAL);
+		  ACCESS_TYPE_MAP.put(KMSACLsType.Type.GENERATE_EEK, RangerKmsAuthorizer.ACCESS_TYPE_GENERATE_EEK);
+		  ACCESS_TYPE_MAP.put(KMSACLsType.Type.DECRYPT_EEK, RangerKmsAuthorizer.ACCESS_TYPE_DECRYPT_EEK);
+	  }
 
 	  RangerKmsAuthorizer(Configuration conf) {
 		  LOG.info("RangerKmsAuthorizer(conf)...");
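Review bot: Nothing checks that every `KMSACLsType.Type` constant receives an entry, so a value added to the enum upstream would reach getRangerAccessType and come back as null instead of failing visibly; the old switch had the same gap, but the static initializer is the natural place to close it. After the puts, a guard such as `for (KMSACLsType.Type t : KMSACLsType.Type.values()) { if (!ACCESS_TYPE_MAP.containsKey(t)) { throw new IllegalStateException("No Ranger access type mapped for KMS ACL type " + t); } }` surfaces an incomplete mapping at class initialization rather than at the first authorization call for that operation. Whether a class-init failure is the desired behaviour for the KMS depends on how the authorizer is loaded, which is outside this hunk.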
@@ -253,9 +267,6 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
 
 	  @Override
 	  public boolean hasAccessToKey(String keyName, UserGroupInformation ugi, KeyOpType opType)
{
-		  if(LOG.isDebugEnabled()) {
-				LOG.debug("==> RangerKmsAuthorizer.hasAccessToKey(" + keyName + ", " + ugi +", " +
opType + ")");
-			}
 			if(LOG.isDebugEnabled()) {
 				LOG.debug("<== RangerKmsAuthorizer.hasAccessToKey(" + keyName + ", " + ugi +", " +
opType + ")");
 			}
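Review bot: The surviving debug line at the top of hasAccessToKey still carries the `<==` exit marker although it is now executed on entry, before anything in the body has run, so the trace will read as an exit while being an entry. Either change it to `LOG.debug("==> RangerKmsAuthorizer.hasAccessToKey(" + keyName + ", " + ugi + ", " + opType + ")");` or drop it as well for consistency with the removed line. The method body continues past this hunk, so I cannot see whether a genuine exit trace exists further down.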
@@ -307,46 +318,11 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
 		}
 
 		private static String getRangerAccessType(KMSACLsType.Type accessType) {
-			String ret = null;
-		
-			switch(accessType) {
-				case CREATE:
-					ret = RangerKmsAuthorizer.ACCESS_TYPE_CREATE;
-				break;
-
-				case DELETE:
-					ret = RangerKmsAuthorizer.ACCESS_TYPE_DELETE;
-				break;
-				
-				case ROLLOVER:
-					ret = RangerKmsAuthorizer.ACCESS_TYPE_ROLLOVER;
-				break;
-				
-				case GET:
-					ret = RangerKmsAuthorizer.ACCESS_TYPE_GET;
-				break;
-				
-				case GET_KEYS:
-					ret = RangerKmsAuthorizer.ACCESS_TYPE_GET_KEYS;
-				break;
-				
-				case GET_METADATA:
-					ret = RangerKmsAuthorizer.ACCESS_TYPE_GET_METADATA;
-				break;
-				
-				case SET_KEY_MATERIAL:
-					ret = RangerKmsAuthorizer.ACCESS_TYPE_SET_KEY_MATERIAL;
-				break;
-				
-				case GENERATE_EEK:
-					ret = RangerKmsAuthorizer.ACCESS_TYPE_GENERATE_EEK;
-				break;
-				
-				case DECRYPT_EEK:
-					ret = RangerKmsAuthorizer.ACCESS_TYPE_DECRYPT_EEK;
-				break;			
+			if (ACCESS_TYPE_MAP.containsKey(accessType)) {
+				return ACCESS_TYPE_MAP.get(accessType);
 			}
-			return ret;
+			
+			return null;
 		}
 	}
 
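Review bot: The new body silently returns null for a null accessType, whereas the old `switch(accessType)` threw a NullPointerException; an unmapped or null type now reaches the caller as a null Ranger access type, and whether that is then denied or skipped is decided outside this hunk. If null must keep failing loudly, add `Objects.requireNonNull(accessType, "accessType");` at the top; the containsKey/get pair can also collapse to `return ACCESS_TYPE_MAP.get(accessType);` since every mapped value is a non-null constant. A Javadoc such as `/** Maps a KMS ACL operation to its Ranger access-type name; returns null when no mapping exists, which callers must not treat as permission. */` would make the contract explicit for the caller.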

