Package org.apache.hadoop.crypto.key.kms.server

Class KMSACLs

java.lang.Object

org.apache.hadoop.crypto.key.kms.server.KMSACLs

All Implemented Interfaces:

java.lang.Runnable, KeyAuthorizationKeyProvider.KeyACLs

@Private
public class KMSACLs
extends java.lang.Object
implements java.lang.Runnable, KeyAuthorizationKeyProvider.KeyACLs

Provides access to the AccessControlLists used by KMS, hot-reloading them if the kms-acls.xml file where the ACLs are defined has been updated.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	KMSACLs.Type

Field Summary

Fields

Modifier and Type	Field	Description
static java.lang.String	ACL_DEFAULT
static java.util.EnumSet<KMSACLs.Type>	INVALIDATE_CACHE_TYPES
static int	RELOADER_SLEEP_MILLIS

Constructor Summary

Constructors

Constructor	Description
KMSACLs()

Method Summary

Modifier and Type	Method	Description
void	assertAccess(java.util.EnumSet<KMSACLs.Type> aclTypes, org.apache.hadoop.security.UserGroupInformation ugi, KMS.KMSOp operation, java.lang.String key)
void	assertAccess(KMSACLs.Type aclType, org.apache.hadoop.security.UserGroupInformation ugi, KMS.KMSOp operation, java.lang.String key)
boolean	hasAccess(KMSACLs.Type type, org.apache.hadoop.security.UserGroupInformation ugi)	First Check if user is in ACL for the KMS operation, if yes, then return true if user is not present in any configured blacklist for the operation
boolean	hasAccessToKey(java.lang.String keyName, org.apache.hadoop.security.UserGroupInformation ugi, KeyAuthorizationKeyProvider.KeyOpType opType)	This is called by the KeyProvider to check if the given user is authorized to perform the specified operation on the given acl name.
boolean	isACLPresent(java.lang.String keyName, KeyAuthorizationKeyProvider.KeyOpType opType)
void	run()
void	startReloader()
void	stopReloader()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ACL_DEFAULT

public static final java.lang.String ACL_DEFAULT

See Also:

Constant Field Values

RELOADER_SLEEP_MILLIS

public static final int RELOADER_SLEEP_MILLIS

See Also:

Constant Field Values

INVALIDATE_CACHE_TYPES

public static final java.util.EnumSet<KMSACLs.Type> INVALIDATE_CACHE_TYPES

Constructor Detail

KMSACLs

public KMSACLs()

Method Detail

run

public void run()

Specified by:

run in interface java.lang.Runnable

startReloader

public void startReloader()

stopReloader

public void stopReloader()

hasAccess

public boolean hasAccess(KMSACLs.Type type,
                         org.apache.hadoop.security.UserGroupInformation ugi)

First Check if user is in ACL for the KMS operation, if yes, then return true if user is not present in any configured blacklist for the operation

Parameters:

type - KMS Operation

ugi - UserGroupInformation of user

Returns:

true is user has access

assertAccess

public void assertAccess(KMSACLs.Type aclType,
                         org.apache.hadoop.security.UserGroupInformation ugi,
                         KMS.KMSOp operation,
                         java.lang.String key)
                  throws org.apache.hadoop.security.AccessControlException

Throws:

org.apache.hadoop.security.AccessControlException

assertAccess

public void assertAccess(java.util.EnumSet<KMSACLs.Type> aclTypes,
                         org.apache.hadoop.security.UserGroupInformation ugi,
                         KMS.KMSOp operation,
                         java.lang.String key)
                  throws org.apache.hadoop.security.AccessControlException

Throws:

org.apache.hadoop.security.AccessControlException

hasAccessToKey

public boolean hasAccessToKey(java.lang.String keyName,
                              org.apache.hadoop.security.UserGroupInformation ugi,
                              KeyAuthorizationKeyProvider.KeyOpType opType)

Description copied from interface: KeyAuthorizationKeyProvider.KeyACLs

This is called by the KeyProvider to check if the given user is authorized to perform the specified operation on the given acl name.

Specified by:

hasAccessToKey in interface KeyAuthorizationKeyProvider.KeyACLs

Parameters:

keyName - name of the key ACL

ugi - User's UserGroupInformation

opType - Operation Type

Returns:

true if user has access to the aclName and opType else false

isACLPresent

public boolean isACLPresent(java.lang.String keyName,
                            KeyAuthorizationKeyProvider.KeyOpType opType)

Specified by:

isACLPresent in interface KeyAuthorizationKeyProvider.KeyACLs

Parameters:

keyName - ACL name

opType - Operation Type

Returns:

true if AclName exists else false