Class JavaKeyStoreProvider

java.lang.Object
org.apache.hadoop.crypto.key.KeyProvider
org.apache.hadoop.crypto.key.JavaKeyStoreProvider
All Implemented Interfaces:
Closeable, AutoCloseable

@Private public class JavaKeyStoreProvider extends KeyProvider
KeyProvider based on Java's KeyStore file format. The file may be stored in any Hadoop FileSystem using the following name mangling:

jks://hdfs@nn1.example.com/my/keys.jks -> hdfs://nn1.example.com/my/keys.jks
jks://file/home/owen/keys.jks -> file:///home/owen/keys.jks

If the HADOOP_KEYSTORE_PASSWORD environment variable is set, its value is used as the password for the keystore.

If the HADOOP_KEYSTORE_PASSWORD environment variable is not set, the password for the keystore is read from the file specified in the KEYSTORE_PASSWORD_FILE_KEY configuration property. The password file is looked up in Hadoop's configuration directory via the classpath.

NOTE: Make sure the password in the password file does not end with a newline (an ENTER), else it won't be valid for the Java KeyStore.

If neither the environment variable nor the property is set, the password used is 'none'.

Encrypted InputFormats and OutputFormats are expected to copy the keys from the original provider into the job's Credentials object, which is accessed via the UserProvider. Therefore, this provider won't be used by MapReduce tasks.

  • Method Details

    • needsPassword

      public boolean needsPassword() throws IOException
      Description copied from class: KeyProvider
      Does this provider require a password? This means that a password is required for normal operation, and it has not been found through normal means. If true, the password should be provided by the caller using setPassword().
      Overrides:
      needsPassword in class KeyProvider
      Returns:
      Whether or not the provider requires a password
      Throws:
      IOException - raised on errors performing I/O.
    • noPasswordWarning

      public String noPasswordWarning()
      Description copied from class: KeyProvider
      If a password for the provider is needed, but is not provided, this will return a warning and instructions for supplying said password to the provider.
      Overrides:
      noPasswordWarning in class KeyProvider
      Returns:
      A warning and instructions for supplying the password
    • noPasswordError

      public String noPasswordError()
      Description copied from class: KeyProvider
      If a password for the provider is needed, but is not provided, this will return an error message and instructions for supplying said password to the provider.
      Overrides:
      noPasswordError in class KeyProvider
      Returns:
      An error message and instructions for supplying the password
    • getKeyVersion

      public KeyProvider.KeyVersion getKeyVersion(String versionName) throws IOException
      Description copied from class: KeyProvider
      Get the key material for a specific version of the key. This method is used when decrypting data.
      Specified by:
      getKeyVersion in class KeyProvider
      Parameters:
      versionName - the name of a specific version of the key
      Returns:
      the key material
      Throws:
      IOException - raised on errors performing I/O.
    • getKeys

      public List<String> getKeys() throws IOException
      Description copied from class: KeyProvider
      Get the key names for all keys.
      Specified by:
      getKeys in class KeyProvider
      Returns:
      the list of key names
      Throws:
      IOException - raised on errors performing I/O.
    • getKeyVersions

      public List<KeyProvider.KeyVersion> getKeyVersions(String name) throws IOException
      Description copied from class: KeyProvider
      Get the key material for all versions of a specific key name.
      Specified by:
      getKeyVersions in class KeyProvider
      Parameters:
      name - the base name of the key.
      Returns:
      the list of key material
      Throws:
      IOException - raised on errors performing I/O.
    • getMetadata

      public KeyProvider.Metadata getMetadata(String name) throws IOException
      Description copied from class: KeyProvider
      Get metadata about the key.
      Specified by:
      getMetadata in class KeyProvider
      Parameters:
      name - the basename of the key
      Returns:
      the key's metadata or null if the key doesn't exist
      Throws:
      IOException - raised on errors performing I/O.
    • createKey

      public KeyProvider.KeyVersion createKey(String name, byte[] material, KeyProvider.Options options) throws IOException
      Description copied from class: KeyProvider
      Create a new key. The given key must not already exist.
      Specified by:
      createKey in class KeyProvider
      Parameters:
      name - the base name of the key
      material - the key material for the first version of the key.
      options - the options for the new key.
      Returns:
      the version name of the first version of the key.
      Throws:
      IOException - raised on errors performing I/O.
    • deleteKey

      public void deleteKey(String name) throws IOException
      Description copied from class: KeyProvider
      Delete the given key.
      Specified by:
      deleteKey in class KeyProvider
      Parameters:
      name - the name of the key to delete
      Throws:
      IOException - raised on errors performing I/O.
    • rollNewVersion

      public KeyProvider.KeyVersion rollNewVersion(String name, byte[] material) throws IOException
      Description copied from class: KeyProvider
      Roll a new version of the given key.
      Specified by:
      rollNewVersion in class KeyProvider
      Parameters:
      name - the basename of the key
      material - the new key material
      Returns:
      the name of the new version of the key
      Throws:
      IOException - raised on errors performing I/O.
    • flush

      public void flush() throws IOException
      Description copied from class: KeyProvider
      Ensures that any changes to the keys are written to persistent store.
      Specified by:
      flush in class KeyProvider
      Throws:
      IOException - raised on errors performing I/O.
    • writeToNew

      protected void writeToNew(Path newPath) throws IOException
      Throws:
      IOException
    • backupToOld

      protected boolean backupToOld(Path oldPath) throws IOException
      Throws:
      IOException
    • toString

      public String toString()
      Overrides:
      toString in class Object
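The following program is an added example, not code from the Hadoop project or this Javadoc. It ties together the password handling described at the top of the page (environment variable, then password file, otherwise the default 'none', which needsPassword() reports) and the key lifecycle methods listed above: createKey, rollNewVersion, flush, getKeyVersions, getMetadata and getKeyVersion. Assumptions it makes: the provider is registered under the jceks:// scheme (the page shows the older jks:// spelling; the mangling is the same), the keystore lives in a temporary directory, the key is named example-key, and when the optional two arguments are given the first is a directory that is already on the classpath (so the provider can find the password file there) and the second is the password to write into it.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.List;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.JavaKeyStoreProvider;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderFactory;

/**
 * Added example (not Hadoop's own code): drive a JavaKeyStoreProvider through the
 * password check and the key lifecycle documented above, against a local keystore file.
 */
public class JavaKeyStoreProviderExample {

    /** Password file name; assumed to live in a directory that is on the classpath. */
    static final String PASSWORD_FILE = "keystore.password";
    /** Key name used for the demonstration (an assumption, not a Hadoop default). */
    static final String KEY_NAME = "example-key";

    /**
     * Write the keystore password with no trailing newline. Files.write emits exactly
     * the bytes it is given, so the file cannot pick up the ENTER the docs warn about.
     */
    static void writePasswordFile(Path confDir, char[] password) throws IOException {
        byte[] bytes = new String(password).getBytes(StandardCharsets.UTF_8);
        Files.write(confDir.resolve(PASSWORD_FILE), bytes);
        Arrays.fill(bytes, (byte) 0);   // do not leave the password lying around in heap
    }

    public static void main(String[] args) throws IOException {
        Path work = Files.createTempDirectory("jks-example");   // scratch dir (assumption)
        Path store = work.resolve("keys.jceks");

        Configuration conf = new Configuration();
        // Local-file form of the name mangling described above. Assumption: the scheme
        // this provider registers is "jceks" (the page shows the older "jks" spelling).
        conf.set(KeyProviderFactory.KEY_PROVIDER_PATH,
                 "jceks://file" + store.toAbsolutePath());

        // Password precedence is the provider's own: HADOOP_KEYSTORE_PASSWORD first, then
        // the file named by KEYSTORE_PASSWORD_FILE_KEY, otherwise the default 'none'.
        // Optional args: <confDirOnClasspath> <password> exercise the password-file route.
        if (args.length == 2) {
            writePasswordFile(Paths.get(args[0]), args[1].toCharArray());
            conf.set(JavaKeyStoreProvider.KEYSTORE_PASSWORD_FILE_KEY, PASSWORD_FILE);
        }

        List<KeyProvider> providers = KeyProviderFactory.getProviders(conf);
        if (providers.isEmpty()) {
            throw new IllegalStateException("no KeyProvider configured");
        }
        KeyProvider provider = providers.get(0);

        try {
            // needsPassword() is true when neither source supplied a password, i.e. the
            // keystore would be protected only by the default 'none'. Stop rather than proceed;
            // noPasswordError() carries the instructions for supplying one.
            if (provider.needsPassword()) {
                throw new IllegalStateException(provider.noPasswordError());
            }

            SecureRandom rng = new SecureRandom();
            KeyProvider.Options opts = KeyProvider.options(conf)
                    .setCipher("AES/CTR/NoPadding")
                    .setBitLength(128);
            // The material length must match the configured bit length.
            byte[] material = new byte[opts.getBitLength() / 8];
            rng.nextBytes(material);
            KeyProvider.KeyVersion v0 = provider.createKey(KEY_NAME, material, opts);

            // Rotate: a new version is added; the old one stays so old data can be decrypted.
            byte[] fresh = new byte[opts.getBitLength() / 8];
            rng.nextBytes(fresh);
            KeyProvider.KeyVersion v1 = provider.rollNewVersion(KEY_NAME, fresh);

            // Nothing reaches keys.jceks until flush().
            provider.flush();

            List<KeyProvider.KeyVersion> versions = provider.getKeyVersions(KEY_NAME);
            KeyProvider.Metadata meta = provider.getMetadata(KEY_NAME);
            // Look the first version up by its version name, as a decrypting reader would.
            KeyProvider.KeyVersion v0Again = provider.getKeyVersion(v0.getVersionName());
            System.out.printf("key %s: %d versions, cipher %s, latest %s, v0 material %d bytes%n",
                    KEY_NAME, versions.size(), meta.getCipher(),
                    v1.getVersionName(), v0Again.getMaterial().length);
        } finally {
            provider.close();
        }
    }
}
```

Run it with HADOOP_KEYSTORE_PASSWORD exported to take the environment-variable route, or with the two arguments to take the password-file route; with neither, needsPassword() returns true and the program aborts with the provider's own error text instead of silently creating a keystore protected by 'none'.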