org.apache.hadoop.crypto.key.kms

Class LoadBalancingKMSClientProvider

java.lang.Object

org.apache.hadoop.crypto.key.KeyProvider

org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider

All Implemented Interfaces:

KeyProviderCryptoExtension.CryptoExtension, KeyProviderDelegationTokenExtension.DelegationTokenExtension, KeyProviderExtension.Extension

public class LoadBalancingKMSClientProvider
extends KeyProvider
implements KeyProviderCryptoExtension.CryptoExtension, KeyProviderDelegationTokenExtension.DelegationTokenExtension

A simple LoadBalancing KMSClientProvider that round-robins requests across a provided array of KMSClientProviders. It also retries failed requests on the next available provider in the load balancer group. It only retries failed requests that result in an IOException, sending back all other Exceptions to the caller without retry.

Nested Class Summary

Nested classes/interfaces inherited from class org.apache.hadoop.crypto.key.KeyProvider

KeyProvider.KeyVersion, KeyProvider.Metadata, KeyProvider.Options

Field Summary

Fields

Modifier and Type	Field and Description
static org.slf4j.Logger	LOG

Fields inherited from class org.apache.hadoop.crypto.key.KeyProvider

DEFAULT_BITLENGTH, DEFAULT_BITLENGTH_NAME, DEFAULT_CIPHER, DEFAULT_CIPHER_NAME, JCEKS_KEY_SERIAL_FILTER, JCEKS_KEY_SERIALFILTER_DEFAULT

Constructor Summary

Constructors

Constructor and Description
LoadBalancingKMSClientProvider(org.apache.hadoop.crypto.key.kms.KMSClientProvider[] providers, Configuration conf)

Method Summary

Methods

Modifier and Type	Method and Description
Token<?>[]	addDelegationTokens(String renewer, Credentials credentials) The implementer of this class will take a renewer and add all delegation tokens associated with the renewer to the Credentials object if it is not already present,
Void	cancelDelegationToken(Token<?> token) Cancels the given token.
void	close() Can be used by implementing classes to close any resources that require closing
KeyProvider.KeyVersion	createKey(String name, byte[] material, KeyProvider.Options options) Create a new key.
KeyProvider.KeyVersion	createKey(String name, KeyProvider.Options options) Create a new key generating the material for it.
KeyProvider.KeyVersion	decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) Decrypts an encrypted byte[] key material using the given a key version name and initialization vector.
void	deleteKey(String name) Delete the given key.
void	drain(String keyName) Drains the Queue for the provided key.
void	flush() Ensures that any changes to the keys are written to persistent store.
KeyProviderCryptoExtension.EncryptedKeyVersion	generateEncryptedKey(String encryptionKeyName) Generates a key material and encrypts it using the given key version name and initialization vector.
KeyProvider.KeyVersion	getCurrentKey(String name) Get the current version of the key, which should be used for encrypting new data.
List<String>	getKeys() Get the key names for all keys.
KeyProvider.Metadata[]	getKeysMetadata(String... names) Get key metadata in bulk.
KeyProvider.KeyVersion	getKeyVersion(String versionName) Get the key material for a specific version of the key.
List<KeyProvider.KeyVersion>	getKeyVersions(String name) Get the key material for all versions of a specific key name.
KeyProvider.Metadata	getMetadata(String name) Get metadata about the key.
org.apache.hadoop.crypto.key.kms.KMSClientProvider[]	getProviders()
long	renewDelegationToken(Token<?> token) Renews the given token.
KeyProvider.KeyVersion	rollNewVersion(String name) Roll a new version of the given key generating the material for it.
KeyProvider.KeyVersion	rollNewVersion(String name, byte[] material) Roll a new version of the given key.
void	warmUpEncryptedKeys(String... keyNames) Calls to this method allows the underlying KeyProvider to warm-up any implementation specific caches used to store the Encrypted Keys.

Methods inherited from class org.apache.hadoop.crypto.key.KeyProvider

buildVersionName, findProvider, generateKey, getBaseName, getConf, isTransient, needsPassword, noPasswordError, noPasswordWarning, options

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOG

public static org.slf4j.Logger LOG

Constructor Detail

LoadBalancingKMSClientProvider

public LoadBalancingKMSClientProvider(org.apache.hadoop.crypto.key.kms.KMSClientProvider[] providers,
                              Configuration conf)

Method Detail

getProviders

public org.apache.hadoop.crypto.key.kms.KMSClientProvider[] getProviders()

addDelegationTokens

public Token<?>[] addDelegationTokens(String renewer,
                             Credentials credentials)
                               throws IOException

Description copied from interface: KeyProviderDelegationTokenExtension.DelegationTokenExtension

The implementer of this class will take a renewer and add all delegation tokens associated with the renewer to the Credentials object if it is not already present,

Specified by:

addDelegationTokens in interface KeyProviderDelegationTokenExtension.DelegationTokenExtension

Parameters:

renewer - the user allowed to renew the delegation tokens

credentials - cache in which to add new delegation tokens

Returns:

list of new delegation tokens

Throws:

IOException - thrown if IOException if an IO error occurs.

renewDelegationToken

public long renewDelegationToken(Token<?> token)
                          throws IOException

Description copied from interface: KeyProviderDelegationTokenExtension.DelegationTokenExtension

Renews the given token.

Specified by:

renewDelegationToken in interface KeyProviderDelegationTokenExtension.DelegationTokenExtension

Parameters:

token - The token to be renewed.

Returns:

The token's lifetime after renewal, or 0 if it can't be renewed.

Throws:

IOException

cancelDelegationToken

public Void cancelDelegationToken(Token<?> token)
                           throws IOException

Description copied from interface: KeyProviderDelegationTokenExtension.DelegationTokenExtension

Cancels the given token.

Specified by:

cancelDelegationToken in interface KeyProviderDelegationTokenExtension.DelegationTokenExtension

Parameters:

token - The token to be cancelled.

Throws:

IOException

warmUpEncryptedKeys

public void warmUpEncryptedKeys(String... keyNames)
                         throws IOException

Description copied from interface: KeyProviderCryptoExtension.CryptoExtension

Calls to this method allows the underlying KeyProvider to warm-up any implementation specific caches used to store the Encrypted Keys.

Specified by:

warmUpEncryptedKeys in interface KeyProviderCryptoExtension.CryptoExtension

Parameters:

keyNames - Array of Key Names

Throws:

IOException

drain

public void drain(String keyName)

Description copied from interface: KeyProviderCryptoExtension.CryptoExtension

Drains the Queue for the provided key.

Specified by:

drain in interface KeyProviderCryptoExtension.CryptoExtension

Parameters:

keyName - the key to drain the Queue for

generateEncryptedKey

public KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName)
                                                                    throws IOException,
                                                                           GeneralSecurityException

Description copied from interface: KeyProviderCryptoExtension.CryptoExtension

Generates a key material and encrypts it using the given key version name and initialization vector. The generated key material is of the same length as the KeyVersion material of the latest key version of the key and is encrypted using the same cipher.

NOTE: The generated key is not stored by the KeyProvider

Specified by:

generateEncryptedKey in interface KeyProviderCryptoExtension.CryptoExtension

Parameters:

encryptionKeyName - The latest KeyVersion of this key's material will be encrypted.

Returns:

EncryptedKeyVersion with the generated key material, the version name is 'EEK' (for Encrypted Encryption Key)

Throws:

IOException - thrown if the key material could not be generated

GeneralSecurityException - thrown if the key material could not be encrypted because of a cryptographic issue.

decryptEncryptedKey

public KeyProvider.KeyVersion decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion)
                                           throws IOException,
                                                  GeneralSecurityException

Description copied from interface: KeyProviderCryptoExtension.CryptoExtension

Decrypts an encrypted byte[] key material using the given a key version name and initialization vector.

Specified by:

decryptEncryptedKey in interface KeyProviderCryptoExtension.CryptoExtension

Parameters:

encryptedKeyVersion - contains keyVersionName and IV to decrypt the encrypted key material

Returns:

a KeyVersion with the decrypted key material, the version name is 'EK' (For Encryption Key)

Throws:

IOException - thrown if the key material could not be decrypted

GeneralSecurityException - thrown if the key material could not be decrypted because of a cryptographic issue.

getKeyVersion

public KeyProvider.KeyVersion getKeyVersion(String versionName)
                                     throws IOException

Description copied from class: KeyProvider

Get the key material for a specific version of the key. This method is used when decrypting data.

Specified by:

getKeyVersion in class KeyProvider

Parameters:

versionName - the name of a specific version of the key

Returns:

the key material

Throws:

IOException

getKeys

public List<String> getKeys()
                     throws IOException

Description copied from class: KeyProvider

Get the key names for all keys.

Specified by:

getKeys in class KeyProvider

Returns:

the list of key names

Throws:

IOException

getKeysMetadata

public KeyProvider.Metadata[] getKeysMetadata(String... names)
                                       throws IOException

Description copied from class: KeyProvider

Get key metadata in bulk.

Overrides:

getKeysMetadata in class KeyProvider

Parameters:

names - the names of the keys to get

Throws:

IOException

getKeyVersions

public List<KeyProvider.KeyVersion> getKeyVersions(String name)
                                            throws IOException

Description copied from class: KeyProvider

Get the key material for all versions of a specific key name.

Specified by:

getKeyVersions in class KeyProvider

Returns:

the list of key material

Throws:

IOException

getCurrentKey

public KeyProvider.KeyVersion getCurrentKey(String name)
                                     throws IOException

Description copied from class: KeyProvider

Get the current version of the key, which should be used for encrypting new data.

Overrides:

getCurrentKey in class KeyProvider

Parameters:

name - the base name of the key

Returns:

the version name of the current version of the key or null if the key version doesn't exist

Throws:

IOException

getMetadata

public KeyProvider.Metadata getMetadata(String name)
                                 throws IOException

Description copied from class: KeyProvider

Get metadata about the key.

Specified by:

getMetadata in class KeyProvider

Parameters:

name - the basename of the key

Returns:

the key's metadata or null if the key doesn't exist

Throws:

IOException

createKey

public KeyProvider.KeyVersion createKey(String name,
                               byte[] material,
                               KeyProvider.Options options)
                                 throws IOException

Description copied from class: KeyProvider

Create a new key. The given key must not already exist.

Specified by:

createKey in class KeyProvider

Parameters:

name - the base name of the key

material - the key material for the first version of the key.

options - the options for the new key.

Returns:

the version name of the first version of the key.

Throws:

IOException

createKey

public KeyProvider.KeyVersion createKey(String name,
                               KeyProvider.Options options)
                                 throws NoSuchAlgorithmException,
                                        IOException

Description copied from class: KeyProvider

Create a new key generating the material for it. The given key must not already exist.

This implementation generates the key material and calls the KeyProvider.createKey(String, byte[], Options) method.

Overrides:

createKey in class KeyProvider

Parameters:

name - the base name of the key

options - the options for the new key.

Returns:

the version name of the first version of the key.

Throws:

NoSuchAlgorithmException

IOException

deleteKey

public void deleteKey(String name)
               throws IOException

Description copied from class: KeyProvider

Delete the given key.

Specified by:

deleteKey in class KeyProvider

Parameters:

name - the name of the key to delete

Throws:

IOException

rollNewVersion

public KeyProvider.KeyVersion rollNewVersion(String name,
                                    byte[] material)
                                      throws IOException

Description copied from class: KeyProvider

Roll a new version of the given key.

Specified by:

rollNewVersion in class KeyProvider

Parameters:

name - the basename of the key

material - the new key material

Returns:

the name of the new version of the key

Throws:

IOException

rollNewVersion

public KeyProvider.KeyVersion rollNewVersion(String name)
                                      throws NoSuchAlgorithmException,
                                             IOException

Description copied from class: KeyProvider

Roll a new version of the given key generating the material for it.

This implementation generates the key material and calls the KeyProvider.rollNewVersion(String, byte[]) method.

Overrides:

rollNewVersion in class KeyProvider

Parameters:

name - the basename of the key

Returns:

the name of the new version of the key

Throws:

IOException

NoSuchAlgorithmException

close

public void close()
           throws IOException

Description copied from class: KeyProvider

Can be used by implementing classes to close any resources that require closing

Overrides:

close in class KeyProvider

Throws:

IOException

flush

public void flush()
           throws IOException

Description copied from class: KeyProvider

Ensures that any changes to the keys are written to persistent store.

Specified by:

flush in class KeyProvider

Throws:

IOException