/**
 * Opens the encryption shim for the HDFS instance at {@code uri}.
 *
 * <p>The file system returned by {@link FileSystem#get} must be a
 * {@link DistributedFileSystem}; any other implementation fails the cast.
 * The key provider is taken from the DFS client and may be {@code null}
 * when HDFS encryption is not enabled, so users of the field must check it.
 *
 * @param uri  URI of the HDFS cluster to attach to
 * @param conf configuration used for both the file system and the HdfsAdmin
 * @throws IOException if the file system or the HdfsAdmin cannot be created
 */
public HdfsEncryptionShim(URI uri, Configuration conf) throws IOException {
  this.conf = conf;
  final DistributedFileSystem hdfs = (DistributedFileSystem) FileSystem.get(uri, conf);
  this.keyProvider = hdfs.getClient().getKeyProvider();
  this.hdfsAdmin = new HdfsAdmin(uri, conf);
}
/**
 * Builds an {@link Encryptor} for a file from its {@link FileEncryptionInfo}.
 *
 * <p>The file's EDEK is decrypted by reflectively invoking
 * {@code decryptEncryptedDataEncryptionKeyMethod} (resolved elsewhere in this
 * file; the {@code null} receiver shows it is a static method) against the
 * client's key provider. The resulting plaintext key material and the file's
 * IV then initialise a codec-specific encryptor for the file's cipher suite.
 *
 * <p>Exception mapping: an {@link IOException} thrown by the reflective target
 * is rethrown unchanged; any other checked failure of the target is wrapped in
 * a {@link RuntimeException} carrying the original cause; a
 * {@link GeneralSecurityException} from the codec becomes an
 * {@link IOException}.
 *
 * @param conf   configuration used to look up the crypto codec
 * @param feInfo encryption info (cipher suite, IV, EDEK) of the file
 * @param client DFS client whose key provider decrypts the EDEK
 * @return an initialised encryptor for the file
 * @throws IOException if the EDEK cannot be decrypted or the codec fails
 */
@Override
public Encryptor createEncryptor(Configuration conf, FileEncryptionInfo feInfo, DFSClient client) throws IOException {
  try {
    // Static reflective call: decrypt the EDEK with the client's KeyProvider.
    KeyVersion decryptedKey = (KeyVersion) decryptEncryptedDataEncryptionKeyMethod
        .invoke(null, feInfo, client.getKeyProvider());
    CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf, feInfo.getCipherSuite());
    Encryptor encryptor = cryptoCodec.createEncryptor();
    // Plaintext DEK bytes plus the file IV seed the cipher; the material is
    // not cleared after use here.
    encryptor.init(decryptedKey.getMaterial(), feInfo.getIV());
    return encryptor;
  } catch (InvocationTargetException e) {
    // Unwrap the target's exception: IOException (and unchecked throwables)
    // propagate as-is, anything else is wrapped below.
    Throwables.propagateIfPossible(e.getTargetException(), IOException.class);
    throw new RuntimeException(e.getTargetException());
  } catch (GeneralSecurityException e) {
    throw new IOException(e);
  } catch (IllegalAccessException e) {
    // Reflection setup problem rather than a runtime condition: surface as unchecked.
    throw new RuntimeException(e);
  }
}
}; // closes the enclosing anonymous class, whose declaration starts outside this view
/**
 * Returns the key provider of the wrapped DFS.
 *
 * <p>Pure delegation to {@code dfs.getKeyProvider()}; the result may be
 * {@code null} when no provider is configured, so callers should check it
 * before use.
 *
 * @return the DFS key provider, possibly {@code null}
 * @throws IOException propagated from the DFS lookup
 */
@Override
public KeyProvider getKeyProvider() throws IOException {
  final KeyProvider provider = this.dfs.getKeyProvider();
  return provider;
}
/**
 * Get KeyProvider if present.
 *
 * <p>Delegates to the DFS client. A {@code null} result means HDFS encryption
 * is not enabled on this cluster, so callers must not assume a provider exists.
 *
 * @return the key provider if encryption is enabled on HDFS, otherwise {@code null}
 * @throws IOException on RPC exception to the NN
 */
public KeyProvider getKeyProvider() throws IOException {
  return this.dfs.getClient().getKeyProvider();
}
/**
 * Opens the encryption shim for the HDFS instance at {@code uri}.
 *
 * <p>The file system returned by {@link FileSystem#get} must be a
 * {@link DistributedFileSystem}; any other implementation fails the cast.
 * The key provider is taken from the DFS client and may be {@code null}
 * when HDFS encryption is not enabled, so users of the field must check it.
 *
 * @param uri  URI of the HDFS cluster to attach to
 * @param conf configuration used for both the file system and the HdfsAdmin
 * @throws IOException if the file system or the HdfsAdmin cannot be created
 */
public HdfsEncryptionShim(URI uri, Configuration conf) throws IOException {
  this.conf = conf;
  final DistributedFileSystem hdfs = (DistributedFileSystem) FileSystem.get(uri, conf);
  this.keyProvider = hdfs.getClient().getKeyProvider();
  this.hdfsAdmin = new HdfsAdmin(uri, conf);
}
/**
 * Opens the encryption shim for the HDFS instance at {@code uri}.
 *
 * <p>The file system returned by {@link FileSystem#get} must be a
 * {@link DistributedFileSystem}; any other implementation fails the cast.
 * The key provider is taken from the DFS client and may be {@code null}
 * when HDFS encryption is not enabled, so users of the field must check it.
 *
 * @param uri  URI of the HDFS cluster to attach to
 * @param conf configuration used for both the file system and the HdfsAdmin
 * @throws IOException if the file system or the HdfsAdmin cannot be created
 */
public HdfsEncryptionShim(URI uri, Configuration conf) throws IOException {
  this.conf = conf;
  final DistributedFileSystem hdfs = (DistributedFileSystem) FileSystem.get(uri, conf);
  this.keyProvider = hdfs.getClient().getKeyProvider();
  this.hdfsAdmin = new HdfsAdmin(uri, conf);
}
/**
 * Opens the encryption shim for the HDFS instance at {@code uri}.
 *
 * <p>The file system returned by {@link FileSystem#get} must be a
 * {@link DistributedFileSystem}; any other implementation fails the cast.
 * The key provider is taken from the DFS client and may be {@code null}
 * when HDFS encryption is not enabled, so users of the field must check it.
 *
 * @param uri  URI of the HDFS cluster to attach to
 * @param conf configuration used for both the file system and the HdfsAdmin
 * @throws IOException if the file system or the HdfsAdmin cannot be created
 */
public HdfsEncryptionShim(URI uri, Configuration conf) throws IOException {
  this.conf = conf;
  final DistributedFileSystem hdfs = (DistributedFileSystem) FileSystem.get(uri, conf);
  this.keyProvider = hdfs.getClient().getKeyProvider();
  this.hdfsAdmin = new HdfsAdmin(uri, conf);
}
/**
 * Opens the encryption shim for the HDFS instance at {@code uri}.
 *
 * <p>The file system returned by {@link FileSystem#get} must be a
 * {@link DistributedFileSystem}; any other implementation fails the cast.
 * The key provider is taken from the DFS client and may be {@code null}
 * when HDFS encryption is not enabled, so users of the field must check it.
 *
 * @param uri  URI of the HDFS cluster to attach to
 * @param conf configuration used for both the file system and the HdfsAdmin
 * @throws IOException if the file system or the HdfsAdmin cannot be created
 */
public HdfsEncryptionShim(URI uri, Configuration conf) throws IOException {
  this.conf = conf;
  final DistributedFileSystem hdfs = (DistributedFileSystem) FileSystem.get(uri, conf);
  this.keyProvider = hdfs.getClient().getKeyProvider();
  this.hdfsAdmin = new HdfsAdmin(uri, conf);
}
/**
 * Collects the file system's delegation tokens and, when HDFS encryption is
 * enabled, the key-provider delegation tokens as well, so the returned
 * credentials cover both the NameNode and the key provider.
 *
 * <p>The two token arrays are concatenated (file system tokens first). If one
 * side is {@code null} the other is returned unchanged, which means the result
 * is itself {@code null} only when both sides are.
 *
 * @param renewer     renewer registered with the acquired tokens
 * @param credentials credentials the tokens are added to
 * @return the combined tokens, or whichever side is non-null
 * @throws IOException if token acquisition from either source fails
 */
@Override
public Token<?>[] addDelegationTokens(final String renewer, Credentials credentials)
    throws IOException {
  final Token<?>[] fsTokens = super.addDelegationTokens(renewer, credentials);
  if (!dfs.isHDFSEncryptionEnabled()) {
    return fsTokens;
  }
  final KeyProviderDelegationTokenExtension kpExtension =
      KeyProviderDelegationTokenExtension.createKeyProviderDelegationTokenExtension(
          dfs.getKeyProvider());
  final Token<?>[] kpTokens = kpExtension.addDelegationTokens(renewer, credentials);
  if (fsTokens == null) {
    return kpTokens;
  }
  if (kpTokens == null) {
    return fsTokens;
  }
  final Token<?>[] merged = new Token<?>[fsTokens.length + kpTokens.length];
  System.arraycopy(fsTokens, 0, merged, 0, fsTokens.length);
  System.arraycopy(kpTokens, 0, merged, fsTokens.length, kpTokens.length);
  return merged;
}
/**
 * Collects the file system's delegation tokens and, when HDFS encryption is
 * enabled, the key-provider delegation tokens as well, so the returned
 * credentials cover both the NameNode and the key provider.
 *
 * <p>The two token arrays are concatenated (file system tokens first). If one
 * side is {@code null} the other is returned unchanged, which means the result
 * is itself {@code null} only when both sides are.
 *
 * @param renewer     renewer registered with the acquired tokens
 * @param credentials credentials the tokens are added to
 * @return the combined tokens, or whichever side is non-null
 * @throws IOException if token acquisition from either source fails
 */
@Override
public Token<?>[] addDelegationTokens(final String renewer, Credentials credentials)
    throws IOException {
  final Token<?>[] fsTokens = super.addDelegationTokens(renewer, credentials);
  if (!dfs.isHDFSEncryptionEnabled()) {
    return fsTokens;
  }
  final KeyProviderDelegationTokenExtension kpExtension =
      KeyProviderDelegationTokenExtension.createKeyProviderDelegationTokenExtension(
          dfs.getKeyProvider());
  final Token<?>[] kpTokens = kpExtension.addDelegationTokens(renewer, credentials);
  if (fsTokens == null) {
    return kpTokens;
  }
  if (kpTokens == null) {
    return fsTokens;
  }
  final Token<?>[] merged = new Token<?>[fsTokens.length + kpTokens.length];
  System.arraycopy(fsTokens, 0, merged, 0, fsTokens.length);
  System.arraycopy(kpTokens, 0, merged, fsTokens.length, kpTokens.length);
  return merged;
}
/**
 * Wraps the stream in a CryptoOutputStream if the underlying file is
 * encrypted.
 *
 * <p>Encryption is detected solely by the presence of a
 * {@link FileEncryptionInfo} on the stream. For an encrypted file the EDEK is
 * decrypted through the key provider inside a "decryptEDEK" trace scope, and
 * the resulting plaintext DEK together with the file's IV seeds the crypto
 * stream at {@code startPos}.
 *
 * @param dfsos      the raw DFS output stream
 * @param statistics statistics the writes are attributed to
 * @param startPos   stream position the crypto stream starts at
 * @return an encrypting wrapper for an encrypted file, otherwise a plain wrapper
 * @throws IOException if the EDEK cannot be decrypted
 */
public HdfsDataOutputStream createWrappedOutputStream(DFSOutputStream dfsos,
    FileSystem.Statistics statistics, long startPos) throws IOException {
  final FileEncryptionInfo encInfo = dfsos.getFileEncryptionInfo();
  if (encInfo == null) {
    // No FileEncryptionInfo present so no encryption.
    return new HdfsDataOutputStream(dfsos, statistics, startPos);
  }
  // Currently only one version, so no special logic based on the version #
  HdfsKMSUtil.getCryptoProtocolVersion(encInfo);
  final CryptoCodec codec = HdfsKMSUtil.getCryptoCodec(conf, encInfo);
  final KeyVersion dek;
  try (TraceScope ignored = tracer.newScope("decryptEDEK")) {
    LOG.debug("Start decrypting EDEK for file: {}, output stream: 0x{}",
        dfsos.getSrc(), Integer.toHexString(dfsos.hashCode()));
    dek = HdfsKMSUtil.decryptEncryptedDataEncryptionKey(encInfo, getKeyProvider());
    LOG.debug("Decrypted EDEK for file: {}, output stream: 0x{}",
        dfsos.getSrc(), Integer.toHexString(dfsos.hashCode()));
  }
  final CryptoOutputStream encrypting =
      new CryptoOutputStream(dfsos, codec, dek.getMaterial(), encInfo.getIV(), startPos);
  return new HdfsDataOutputStream(encrypting, statistics, startPos);
}
/**
 * Decrypts a EDEK by consulting the KeyProvider.
 *
 * <p>Refuses with an {@link IOException} when no provider is configured,
 * because an encrypted file cannot be accessed without one. The whole
 * operation runs inside a "decryptEDEK" trace span that is closed on every
 * exit path.
 *
 * @param feInfo encryption info of the file whose EDEK is to be decrypted
 * @return the decrypted data encryption key
 * @throws IOException if no KeyProvider is configured, or if the provider
 *         fails to decrypt the key
 */
private KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo feInfo)
    throws IOException {
  final TraceScope span = Trace.startSpan("decryptEDEK", traceSampler);
  try {
    final KeyProvider provider = getKeyProvider();
    if (provider == null) {
      throw new IOException("No KeyProvider is configured, cannot access"
          + " an encrypted file");
    }
    final EncryptedKeyVersion encryptedKey = EncryptedKeyVersion.createForDecryption(
        feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
        feInfo.getEncryptedDataEncryptionKey());
    try {
      final KeyProviderCryptoExtension cryptoExt =
          KeyProviderCryptoExtension.createKeyProviderCryptoExtension(provider);
      return cryptoExt.decryptEncryptedKey(encryptedKey);
    } catch (GeneralSecurityException e) {
      // Surface provider-side failures through the method's declared IOException.
      throw new IOException(e);
    }
  } finally {
    span.close();
  }
}
/**
 * Decrypts a EDEK by consulting the KeyProvider.
 *
 * <p>Refuses with an {@link IOException} when no provider is configured,
 * because an encrypted file cannot be accessed without one. The whole
 * operation runs inside a "decryptEDEK" trace span that is closed on every
 * exit path.
 *
 * @param feInfo encryption info of the file whose EDEK is to be decrypted
 * @return the decrypted data encryption key
 * @throws IOException if no KeyProvider is configured, or if the provider
 *         fails to decrypt the key
 */
private KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo feInfo)
    throws IOException {
  final TraceScope span = Trace.startSpan("decryptEDEK", traceSampler);
  try {
    final KeyProvider provider = getKeyProvider();
    if (provider == null) {
      throw new IOException("No KeyProvider is configured, cannot access"
          + " an encrypted file");
    }
    final EncryptedKeyVersion encryptedKey = EncryptedKeyVersion.createForDecryption(
        feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
        feInfo.getEncryptedDataEncryptionKey());
    try {
      final KeyProviderCryptoExtension cryptoExt =
          KeyProviderCryptoExtension.createKeyProviderCryptoExtension(provider);
      return cryptoExt.decryptEncryptedKey(encryptedKey);
    } catch (GeneralSecurityException e) {
      // Surface provider-side failures through the method's declared IOException.
      throw new IOException(e);
    }
  } finally {
    span.close();
  }
}
/**
 * Wraps the stream in a CryptoInputStream if the underlying file is
 * encrypted.
 *
 * <p>Whether the file is encrypted is decided purely by the presence of a
 * {@link FileEncryptionInfo} on the input stream. The crypto stream is built
 * by {@code HdfsKMSUtil.createWrappedInputStream} inside a "decryptEDEK"
 * trace scope (the scope name suggests that is where the EDEK is decrypted).
 *
 * @param dfsis the raw DFS input stream
 * @return a decrypting wrapper for an encrypted file, otherwise a plain wrapper
 * @throws IOException if the crypto stream cannot be set up
 */
public HdfsDataInputStream createWrappedInputStream(DFSInputStream dfsis) throws IOException {
  final FileEncryptionInfo encInfo = dfsis.getFileEncryptionInfo();
  if (encInfo == null) {
    // No FileEncryptionInfo so no encryption.
    return new HdfsDataInputStream(dfsis);
  }
  final CryptoInputStream decrypting;
  try (TraceScope ignored = getTracer().newScope("decryptEDEK")) {
    decrypting = HdfsKMSUtil.createWrappedInputStream(
        dfsis, getKeyProvider(), encInfo, getConfiguration());
  }
  return new HdfsDataInputStream(decrypting);
}
/**
 * Creating an encryption zone must leave the KMS client's EDEK cache for the
 * zone key non-empty, i.e. zone creation pre-populates the cache rather than
 * deferring key generation to the first file create.
 */
@Test(timeout = 120000)
public void testCreateEZPopulatesEDEKCache() throws Exception {
  final Path zone = new Path("/TestEncryptionZone");
  fsWrapper.mkdir(zone, FsPermission.getDirDefault(), false);
  dfsAdmin.createEncryptionZone(zone, TEST_KEY);
  final KMSClientProvider kms = (KMSClientProvider) fs.getClient().getKeyProvider();
  final int cachedKeys = kms.getEncKeyQueueSize(TEST_KEY);
  assertTrue(cachedKeys > 0);
}