Package org.apache.hadoop.crypto.key

Class JavaKeyStoreProvider

java.lang.Object

org.apache.hadoop.crypto.key.KeyProvider

org.apache.hadoop.crypto.key.JavaKeyStoreProvider

All Implemented Interfaces:

java.io.Closeable, java.lang.AutoCloseable

@Private
public class JavaKeyStoreProvider
extends KeyProvider

KeyProvider based on Java's KeyStore file format. The file may be stored in any Hadoop FileSystem using the following name mangling: jks://hdfs@nn1.example.com/my/keys.jks -> hdfs://nn1.example.com/my/keys.jks jks://file/home/owen/keys.jks -> file:///home/owen/keys.jks

If the HADOOP_KEYSTORE_PASSWORD environment variable is set, its value is used as the password for the keystore.

If the HADOOP_KEYSTORE_PASSWORD environment variable is not set, the password for the keystore is read from file specified in the KEYSTORE_PASSWORD_FILE_KEY configuration property. The password file is looked up in Hadoop's configuration directory via the classpath.

NOTE: Make sure the password in the password file does not have an ENTER at the end, else it won't be valid for the Java KeyStore.

If the environment variable, nor the property are not set, the password used is 'none'.

It is expected for encrypted InputFormats and OutputFormats to copy the keys from the original provider into the job's Credentials object, which is accessed via the UserProvider. Therefore, this provider won't be used by MapReduce tasks.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	JavaKeyStoreProvider.Factory	The factory to create JksProviders, which is used by the ServiceLoader.
static class	JavaKeyStoreProvider.KeyMetadata	An adapter between a KeyStore Key and our Metadata.

Nested classes/interfaces inherited from class org.apache.hadoop.crypto.key.KeyProvider

KeyProvider.KeyVersion, KeyProvider.Metadata, KeyProvider.Options

Field Summary

Fields

Modifier and Type	Field	Description
static char[]	KEYSTORE_PASSWORD_DEFAULT
static java.lang.String	KEYSTORE_PASSWORD_ENV_VAR
static java.lang.String	KEYSTORE_PASSWORD_FILE_KEY
static java.lang.String	SCHEME_NAME

Fields inherited from class org.apache.hadoop.crypto.key.KeyProvider

DEFAULT_BITLENGTH, DEFAULT_BITLENGTH_NAME, DEFAULT_CIPHER, DEFAULT_CIPHER_NAME, JCEKS_KEY_SERIAL_FILTER, JCEKS_KEY_SERIALFILTER_DEFAULT

Method Summary

Modifier and Type	Method	Description
protected boolean	backupToOld(Path oldPath)
KeyProvider.KeyVersion	createKey(java.lang.String name, byte[] material, KeyProvider.Options options)	Create a new key.
void	deleteKey(java.lang.String name)	Delete the given key.
void	flush()	Ensures that any changes to the keys are written to persistent store.
java.util.List<java.lang.String>	getKeys()	Get the key names for all keys.
KeyProvider.KeyVersion	getKeyVersion(java.lang.String versionName)	Get the key material for a specific version of the key.
java.util.List<KeyProvider.KeyVersion>	getKeyVersions(java.lang.String name)	Get the key material for all versions of a specific key name.
KeyProvider.Metadata	getMetadata(java.lang.String name)	Get metadata about the key.
boolean	needsPassword()	Does this provider require a password? This means that a password is required for normal operation, and it has not been found through normal means.
java.lang.String	noPasswordError()	If a password for the provider is needed, but is not provided, this will return an error message and instructions for supplying said password to the provider.
java.lang.String	noPasswordWarning()	If a password for the provider is needed, but is not provided, this will return a warning and instructions for supplying said password to the provider.
KeyProvider.KeyVersion	rollNewVersion(java.lang.String name, byte[] material)	Roll a new version of the given key.
java.lang.String	toString()
protected void	writeToNew(Path newPath)

Methods inherited from class org.apache.hadoop.crypto.key.KeyProvider

buildVersionName, close, createKey, findProvider, generateKey, getBaseName, getConf, getCurrentKey, getKeysMetadata, invalidateCache, isTransient, options, rollNewVersion

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

SCHEME_NAME

public static final java.lang.String SCHEME_NAME

See Also:

Constant Field Values

KEYSTORE_PASSWORD_FILE_KEY

public static final java.lang.String KEYSTORE_PASSWORD_FILE_KEY

See Also:

Constant Field Values

KEYSTORE_PASSWORD_ENV_VAR

public static final java.lang.String KEYSTORE_PASSWORD_ENV_VAR

See Also:

Constant Field Values

KEYSTORE_PASSWORD_DEFAULT

public static final char[] KEYSTORE_PASSWORD_DEFAULT

Method Detail

needsPassword

public boolean needsPassword()
                      throws java.io.IOException

Description copied from class: KeyProvider

Does this provider require a password? This means that a password is required for normal operation, and it has not been found through normal means. If true, the password should be provided by the caller using setPassword().

Overrides:

needsPassword in class KeyProvider

Returns:

Whether or not the provider requires a password

Throws:

java.io.IOException - raised on errors performing I/O.

noPasswordWarning

public java.lang.String noPasswordWarning()

Description copied from class: KeyProvider

If a password for the provider is needed, but is not provided, this will return a warning and instructions for supplying said password to the provider.

Overrides:

noPasswordWarning in class KeyProvider

Returns:

A warning and instructions for supplying the password

noPasswordError

public java.lang.String noPasswordError()

Description copied from class: KeyProvider

If a password for the provider is needed, but is not provided, this will return an error message and instructions for supplying said password to the provider.

Overrides:

noPasswordError in class KeyProvider

Returns:

An error message and instructions for supplying the password

getKeyVersion

public KeyProvider.KeyVersion getKeyVersion(java.lang.String versionName)
                                     throws java.io.IOException

Description copied from class: KeyProvider

Get the key material for a specific version of the key. This method is used when decrypting data.

Specified by:

getKeyVersion in class KeyProvider

Parameters:

versionName - the name of a specific version of the key

Returns:

the key material

Throws:

java.io.IOException - raised on errors performing I/O.

getKeys

public java.util.List<java.lang.String> getKeys()
                                         throws java.io.IOException

Description copied from class: KeyProvider

Get the key names for all keys.

Specified by:

getKeys in class KeyProvider

Returns:

the list of key names

Throws:

java.io.IOException - raised on errors performing I/O.

getKeyVersions

public java.util.List<KeyProvider.KeyVersion> getKeyVersions(java.lang.String name)
                                                      throws java.io.IOException

Description copied from class: KeyProvider

Get the key material for all versions of a specific key name.

Specified by:

getKeyVersions in class KeyProvider

Parameters:

name - the base name of the key.

Returns:

the list of key material

Throws:

java.io.IOException - raised on errors performing I/O.

getMetadata

public KeyProvider.Metadata getMetadata(java.lang.String name)
                                 throws java.io.IOException

Description copied from class: KeyProvider

Get metadata about the key.

Specified by:

getMetadata in class KeyProvider

Parameters:

name - the basename of the key

Returns:

the key's metadata or null if the key doesn't exist

Throws:

java.io.IOException - raised on errors performing I/O.

createKey

public KeyProvider.KeyVersion createKey(java.lang.String name,
                                        byte[] material,
                                        KeyProvider.Options options)
                                 throws java.io.IOException

Description copied from class: KeyProvider

Create a new key. The given key must not already exist.

Specified by:

createKey in class KeyProvider

Parameters:

name - the base name of the key

material - the key material for the first version of the key.

options - the options for the new key.

Returns:

the version name of the first version of the key.

Throws:

java.io.IOException - raised on errors performing I/O.

deleteKey

public void deleteKey(java.lang.String name)
               throws java.io.IOException

Description copied from class: KeyProvider

Delete the given key.

Specified by:

deleteKey in class KeyProvider

Parameters:

name - the name of the key to delete

Throws:

java.io.IOException - raised on errors performing I/O.

rollNewVersion

public KeyProvider.KeyVersion rollNewVersion(java.lang.String name,
                                             byte[] material)
                                      throws java.io.IOException

Description copied from class: KeyProvider

Roll a new version of the given key.

Specified by:

rollNewVersion in class KeyProvider

Parameters:

name - the basename of the key

material - the new key material

Returns:

the name of the new version of the key

Throws:

java.io.IOException - raised on errors performing I/O.

flush

public void flush()
           throws java.io.IOException

Description copied from class: KeyProvider

Ensures that any changes to the keys are written to persistent store.

Specified by:

flush in class KeyProvider

Throws:

java.io.IOException - raised on errors performing I/O.

writeToNew

protected void writeToNew(Path newPath)
                   throws java.io.IOException

Throws:

java.io.IOException

backupToOld

protected boolean backupToOld(Path oldPath)
                       throws java.io.IOException

Throws:

java.io.IOException

toString

public java.lang.String toString()

Overrides:

toString in class java.lang.Object