Class LoadBalancingKMSClientProvider
- All Implemented Interfaces: Closeable, AutoCloseable, KeyProviderCryptoExtension.CryptoExtension, KeyProviderDelegationTokenExtension.DelegationTokenExtension, KeyProviderExtension.Extension, DelegationTokenIssuer
Nested Class Summary
- Nested classes/interfaces inherited from class org.apache.hadoop.crypto.key.KeyProvider: KeyProvider.KeyVersion, KeyProvider.Metadata, KeyProvider.Options
Field Summary
- Fields: LOG (public static org.slf4j.Logger)
- Fields inherited from class org.apache.hadoop.crypto.key.KeyProvider: DEFAULT_BITLENGTH, DEFAULT_BITLENGTH_NAME, DEFAULT_CIPHER, DEFAULT_CIPHER_NAME, JCEKS_KEY_SERIAL_FILTER, JCEKS_KEY_SERIALFILTER_DEFAULT
- Fields inherited from interface org.apache.hadoop.security.token.DelegationTokenIssuer: TOKEN_LOG
Constructor Summary
- LoadBalancingKMSClientProvider(URI providerUri, KMSClientProvider[] providers, Configuration conf)
Method Summary
- cancelDelegationToken(Token<?> token): Cancels the given token.
- void close(): Can be used by implementing classes to close any resources that require closing.
- createKey(String name, byte[] material, KeyProvider.Options options): Create a new key.
- createKey(String name, KeyProvider.Options options): Create a new key, generating the material for it.
- decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion): Decrypts an encrypted byte[] key material using the given key version name and initialization vector.
- void deleteKey(String name): Delete the given key.
- void drain(String keyName): Drains the Queue for the provided key.
- void flush(): Ensures that any changes to the keys are written to persistent store.
- generateEncryptedKey(String encryptionKeyName): Generates a key material and encrypts it using the given key name.
- getCanonicalServiceName(): The service name used as the alias for the token in the credential token map.
- getCurrentKey(String name): Get the current version of the key, which should be used for encrypting new data.
- Token<?> getDelegationToken(String renewer): Unconditionally get a new token with the optional renewer.
- getKeys(): Get the key names for all keys.
- getKeysMetadata(String... names): Get key metadata in bulk.
- getKeyVersion(String versionName): Get the key material for a specific version of the key.
- getKeyVersions(String name): Get the key material for all versions of a specific key name.
- getMetadata(String name): Get metadata about the key.
- void invalidateCache(String keyName): Can be used by implementing classes to invalidate the caches.
- reencryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion ekv): Re-encrypts an encrypted key version, using its initialization vector and key material, but with the latest key version name of its key name in the key provider.
- void reencryptEncryptedKeys(List<KeyProviderCryptoExtension.EncryptedKeyVersion> ekvs): Batched version of reencryptEncryptedKey.
- long renewDelegationToken(Token<?> token): Renews the given token.
- rollNewVersion(String name): Roll a new version of the given key, generating the material for it.
- rollNewVersion(String name, byte[] material): Roll a new version of the given key.
- Token<? extends TokenIdentifier> selectDelegationToken(Credentials creds)
- void warmUpEncryptedKeys(String... keyNames): Calls to this method allow the underlying KeyProvider to warm up any implementation-specific caches used to store the Encrypted Keys.
- Methods inherited from class org.apache.hadoop.crypto.key.KeyProvider: buildVersionName, findProvider, generateKey, getBaseName, getConf, isTransient, needsPassword, noPasswordError, noPasswordWarning, options
- Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
- Methods inherited from interface org.apache.hadoop.security.token.DelegationTokenIssuer: addDelegationTokens, getAdditionalTokenIssuers

Field Details
- LOG: public static org.slf4j.Logger LOG

Constructor Details
- LoadBalancingKMSClientProvider: public LoadBalancingKMSClientProvider(URI providerUri, KMSClientProvider[] providers, Configuration conf)

Method Details

getProviders

selectDelegationToken
- Specified by: selectDelegationToken in interface KeyProviderDelegationTokenExtension.DelegationTokenExtension

getCanonicalServiceName
Description copied from interface: DelegationTokenIssuer
The service name used as the alias for the token in the credential token map. addDelegationTokens will use this to determine if a token exists, and if not, add a new token with this alias.
- Specified by: getCanonicalServiceName in interface DelegationTokenIssuer
- Returns: the token.

getDelegationToken
Description copied from interface: DelegationTokenIssuer
Unconditionally get a new token with the optional renewer. Returning null indicates the service does not issue tokens.
- Specified by: getDelegationToken in interface DelegationTokenIssuer
- Parameters: renewer - renewer.
- Returns: the token.
- Throws: IOException - raised on errors performing I/O.

renewDelegationToken
Description copied from interface: KeyProviderDelegationTokenExtension.DelegationTokenExtension
Renews the given token.
- Specified by: renewDelegationToken in interface KeyProviderDelegationTokenExtension.DelegationTokenExtension
- Parameters: token - The token to be renewed.
- Returns: The token's lifetime after renewal, or 0 if it can't be renewed.
- Throws: IOException - raised on errors performing I/O.

cancelDelegationToken
Description copied from interface: KeyProviderDelegationTokenExtension.DelegationTokenExtension
Cancels the given token.
- Specified by: cancelDelegationToken in interface KeyProviderDelegationTokenExtension.DelegationTokenExtension
- Parameters: token - The token to be cancelled.
- Throws: IOException - raised on errors performing I/O.

warmUpEncryptedKeys
Description copied from interface: KeyProviderCryptoExtension.CryptoExtension
Calls to this method allow the underlying KeyProvider to warm up any implementation-specific caches used to store the Encrypted Keys.
- Specified by: warmUpEncryptedKeys in interface KeyProviderCryptoExtension.CryptoExtension
- Parameters: keyNames - Array of Key Names
- Throws: IOException - thrown if the key material could not be encrypted.

drain
Description copied from interface: KeyProviderCryptoExtension.CryptoExtension
Drains the Queue for the provided key.
- Specified by: drain in interface KeyProviderCryptoExtension.CryptoExtension
- Parameters: keyName - the key to drain the Queue for

invalidateCache
Description copied from class: KeyProvider
Can be used by implementing classes to invalidate the caches. This could be used after rollNewVersion to provide a strong guarantee to return the new version of the given key.
- Overrides: invalidateCache in class KeyProvider
- Parameters: keyName - the basename of the key
- Throws: IOException - raised on errors performing I/O.

generateEncryptedKey
public KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName) throws IOException, GeneralSecurityException
Description copied from interface: KeyProviderCryptoExtension.CryptoExtension
Generates a key material and encrypts it using the given key name. The generated key material is of the same length as the KeyVersion material of the latest key version of the key and is encrypted using the same cipher.
NOTE: The generated key is not stored by the KeyProvider.
- Specified by: generateEncryptedKey in interface KeyProviderCryptoExtension.CryptoExtension
- Parameters: encryptionKeyName - The latest KeyVersion of this key's material will be encrypted.
- Returns: EncryptedKeyVersion with the generated key material; the version name is 'EEK' (for Encrypted Encryption Key)
- Throws:
  IOException - thrown if the key material could not be generated
  GeneralSecurityException - thrown if the key material could not be encrypted because of a cryptographic issue.

decryptEncryptedKey
public KeyProvider.KeyVersion decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException
Description copied from interface: KeyProviderCryptoExtension.CryptoExtension
Decrypts an encrypted byte[] key material using the given key version name and initialization vector.
- Specified by: decryptEncryptedKey in interface KeyProviderCryptoExtension.CryptoExtension
- Parameters: encryptedKeyVersion - contains keyVersionName and IV to decrypt the encrypted key material
- Returns: a KeyVersion with the decrypted key material; the version name is 'EK' (for Encryption Key)
- Throws:
  IOException - thrown if the key material could not be decrypted
  GeneralSecurityException - thrown if the key material could not be decrypted because of a cryptographic issue.

reencryptEncryptedKey
public KeyProviderCryptoExtension.EncryptedKeyVersion reencryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion ekv) throws IOException, GeneralSecurityException
Description copied from interface: KeyProviderCryptoExtension.CryptoExtension
Re-encrypts an encrypted key version, using its initialization vector and key material, but with the latest key version name of its key name in the key provider. If the latest key version name in the provider is the same as the one that encrypted the passed-in encrypted key version, the same encrypted key version is returned.
NOTE: The generated key is not stored by the KeyProvider.
- Specified by: reencryptEncryptedKey in interface KeyProviderCryptoExtension.CryptoExtension
- Parameters: ekv - The EncryptedKeyVersion containing keyVersionName and IV.
- Returns: The re-encrypted EncryptedKeyVersion.
- Throws:
  IOException - If the key material could not be re-encrypted.
  GeneralSecurityException - If the key material could not be re-encrypted because of a cryptographic issue.

reencryptEncryptedKeys
public void reencryptEncryptedKeys(List<KeyProviderCryptoExtension.EncryptedKeyVersion> ekvs) throws IOException, GeneralSecurityException
Description copied from interface: KeyProviderCryptoExtension.CryptoExtension
Batched version of KeyProviderCryptoExtension.CryptoExtension.reencryptEncryptedKey(EncryptedKeyVersion). For each encrypted key version, re-encrypts it using its initialization vector and key material, but with the latest key version name of its key name. If the latest key version name in the provider is the same as the one that encrypted the passed-in encrypted key version, the same encrypted key version is returned.
NOTE: The generated key is not stored by the KeyProvider.
- Specified by: reencryptEncryptedKeys in interface KeyProviderCryptoExtension.CryptoExtension
- Parameters: ekvs - List containing the EncryptedKeyVersions
- Throws:
  IOException - If any EncryptedKeyVersion could not be re-encrypted
  GeneralSecurityException - If any EncryptedKeyVersion could not be re-encrypted because of a cryptographic issue.

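The EEK lifecycle that generateEncryptedKey, decryptEncryptedKey and reencryptEncryptedKey implement, as an added Java example (not code from the Hadoop Javadoc or the project). The KMS host names, key name and bit length are placeholders; the KMS ACLs and the DECRYPT_EEK operation mentioned in the comments are part of Hadoop KMS, not of this page.

```java
import java.net.URI;
import java.util.Arrays;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion;
import org.apache.hadoop.crypto.key.KeyProviderFactory;

public class EekRotationExample {
  public static void main(String[] args) throws Exception {
    Configuration conf = new Configuration();
    // Placeholder hosts. Listing more than one KMS host in the URI authority makes
    // KeyProviderFactory hand back a LoadBalancingKMSClientProvider.
    KeyProvider kp = KeyProviderFactory.get(
        new URI("kms://http@kms01.example.internal;kms02.example.internal:9600/kms"), conf);
    KeyProviderCryptoExtension kms =
        KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
    String keyName = "example-zone-key"; // placeholder key name
    try {
      kms.createKey(keyName, KeyProvider.options(conf).setBitLength(256));

      // generateEncryptedKey: a fresh data key, returned only in wrapped form ('EEK'),
      // encrypted under the current version of keyName. The KMS does not store it.
      EncryptedKeyVersion eek = kms.generateEncryptedKey(keyName);
      String v1 = eek.getEncryptionKeyVersionName();

      // decryptEncryptedKey: unwrap to the plaintext data key ('EK'). Only callers
      // the KMS ACLs allow to DECRYPT_EEK for keyName get past this call.
      byte[] dek = kms.decryptEncryptedKey(eek).getMaterial();

      // Roll the key and drop this client's cached current version so the next
      // call sees the new version rather than a stale cache entry.
      kms.rollNewVersion(keyName);
      kms.invalidateCache(keyName);

      // reencryptEncryptedKey: re-wrap the same data key under the latest version.
      // The plaintext never leaves the KMS, and the unwrapped DEK is unchanged.
      EncryptedKeyVersion rewrapped = kms.reencryptEncryptedKey(eek);
      String v2 = rewrapped.getEncryptionKeyVersionName();
      byte[] dekAgain = kms.decryptEncryptedKey(rewrapped).getMaterial();

      System.out.println("wrapped under " + v1 + " -> " + v2);
      System.out.println("same DEK after rotation: " + Arrays.equals(dek, dekAgain));
      // Re-encrypting an EEK already at the latest version leaves its version name as is.
      System.out.println("already latest: " + v2.equals(
          kms.reencryptEncryptedKey(rewrapped).getEncryptionKeyVersionName()));
      kms.deleteKey(keyName);
    } finally {
      kms.close();
    }
  }
}
```

With an HDFS encryption zone, the same re-wrap is what a `hdfs crypto -reencryptZone` run performs for every file's EDEK after a key roll, so the version names printed here are the ones to check when auditing that a rotation actually reached stored data.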
getKeyVersion
Description copied from class: KeyProvider
Get the key material for a specific version of the key. This method is used when decrypting data.
- Specified by: getKeyVersion in class KeyProvider
- Parameters: versionName - the name of a specific version of the key
- Returns: the key material
- Throws: IOException - raised on errors performing I/O.

getKeys
Description copied from class: KeyProvider
Get the key names for all keys.
- Specified by: getKeys in class KeyProvider
- Returns: the list of key names
- Throws: IOException - raised on errors performing I/O.

getKeysMetadata
Description copied from class: KeyProvider
Get key metadata in bulk.
- Overrides: getKeysMetadata in class KeyProvider
- Parameters: names - the names of the keys to get
- Returns: Metadata Array.
- Throws: IOException - raised on errors performing I/O.

getKeyVersions
Description copied from class: KeyProvider
Get the key material for all versions of a specific key name.
- Specified by: getKeyVersions in class KeyProvider
- Parameters: name - the base name of the key.
- Returns: the list of key material
- Throws: IOException - raised on errors performing I/O.

getCurrentKey
Description copied from class: KeyProvider
Get the current version of the key, which should be used for encrypting new data.
- Overrides: getCurrentKey in class KeyProvider
- Parameters: name - the base name of the key
- Returns: the version name of the current version of the key, or null if the key version doesn't exist
- Throws: IOException - raised on errors performing I/O.

getMetadata
Description copied from class: KeyProvider
Get metadata about the key.
- Specified by: getMetadata in class KeyProvider
- Parameters: name - the basename of the key
- Returns: the key's metadata, or null if the key doesn't exist
- Throws: IOException - raised on errors performing I/O.

createKey
public KeyProvider.KeyVersion createKey(String name, byte[] material, KeyProvider.Options options) throws IOException
Description copied from class: KeyProvider
Create a new key. The given key must not already exist.
- Specified by: createKey in class KeyProvider
- Parameters:
  name - the base name of the key
  material - the key material for the first version of the key.
  options - the options for the new key.
- Returns: the version name of the first version of the key.
- Throws: IOException - raised on errors performing I/O.

createKey
public KeyProvider.KeyVersion createKey(String name, KeyProvider.Options options) throws NoSuchAlgorithmException, IOException
Description copied from class: KeyProvider
Create a new key, generating the material for it. The given key must not already exist. This implementation generates the key material and calls the KeyProvider.createKey(String, byte[], Options) method.
- Overrides: createKey in class KeyProvider
- Parameters:
  name - the base name of the key
  options - the options for the new key.
- Returns: the version name of the first version of the key.
- Throws:
  NoSuchAlgorithmException - no such algorithm exception.
  IOException - raised on errors performing I/O.

deleteKey
Description copied from class: KeyProvider
Delete the given key.
- Specified by: deleteKey in class KeyProvider
- Parameters: name - the name of the key to delete
- Throws: IOException - raised on errors performing I/O.

rollNewVersion
Description copied from class: KeyProvider
Roll a new version of the given key.
- Specified by: rollNewVersion in class KeyProvider
- Parameters:
  name - the basename of the key
  material - the new key material
- Returns: the name of the new version of the key
- Throws: IOException - raised on errors performing I/O.

rollNewVersion
public KeyProvider.KeyVersion rollNewVersion(String name) throws NoSuchAlgorithmException, IOException
Description copied from class: KeyProvider
Roll a new version of the given key, generating the material for it. This implementation generates the key material and calls the KeyProvider.rollNewVersion(String, byte[]) method.
- Overrides: rollNewVersion in class KeyProvider
- Parameters: name - the basename of the key
- Returns: the name of the new version of the key
- Throws:
  NoSuchAlgorithmException - This exception is thrown when a particular cryptographic algorithm is requested but is not available in the environment.
  IOException - raised on errors performing I/O.

close
Description copied from class: KeyProvider
Can be used by implementing classes to close any resources that require closing.
- Specified by: close in interface AutoCloseable
- Specified by: close in interface Closeable
- Overrides: close in class KeyProvider
- Throws: IOException

flush
Description copied from class: KeyProvider
Ensures that any changes to the keys are written to persistent store.
- Specified by: flush in class KeyProvider
- Throws: IOException - raised on errors performing I/O.