public class LoadBalancingKMSClientProvider extends KeyProvider implements KeyProviderCryptoExtension.CryptoExtension, KeyProviderDelegationTokenExtension.DelegationTokenExtension
KeyProvider.KeyVersion, KeyProvider.Metadata, KeyProvider.Options
Modifier and Type | Field and Description |
---|---|
static org.slf4j.Logger |
LOG |
DEFAULT_BITLENGTH, DEFAULT_BITLENGTH_NAME, DEFAULT_CIPHER, DEFAULT_CIPHER_NAME, JCEKS_KEY_SERIAL_FILTER, JCEKS_KEY_SERIALFILTER_DEFAULT
Constructor and Description |
---|
LoadBalancingKMSClientProvider(URI providerUri,
org.apache.hadoop.crypto.key.kms.KMSClientProvider[] providers,
Configuration conf) |
Modifier and Type | Method and Description |
---|---|
Void |
cancelDelegationToken(Token<?> token)
Cancels the given token.
|
void |
close()
Can be used by implementing classes to close any resources
that require closing.
|
KeyProvider.KeyVersion |
createKey(String name,
byte[] material,
KeyProvider.Options options)
Create a new key.
|
KeyProvider.KeyVersion |
createKey(String name,
KeyProvider.Options options)
Create a new key generating the material for it.
|
KeyProvider.KeyVersion |
decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion)
Decrypts an encrypted byte[] key material using the given key version
name and initialization vector.
|
void |
deleteKey(String name)
Delete the given key.
|
void |
drain(String keyName)
Drains the Queue for the provided key.
|
void |
flush()
Ensures that any changes to the keys are written to persistent store.
|
KeyProviderCryptoExtension.EncryptedKeyVersion |
generateEncryptedKey(String encryptionKeyName)
Generates a key material and encrypts it using the given key name.
|
String |
getCanonicalServiceName()
The service name used as the alias for the token in the credential
token map.
|
KeyProvider.KeyVersion |
getCurrentKey(String name)
Get the current version of the key, which should be used for encrypting new
data.
|
Token<?> |
getDelegationToken(String renewer)
Unconditionally get a new token with the optional renewer.
|
List<String> |
getKeys()
Get the key names for all keys.
|
KeyProvider.Metadata[] |
getKeysMetadata(String... names)
Get key metadata in bulk.
|
KeyProvider.KeyVersion |
getKeyVersion(String versionName)
Get the key material for a specific version of the key.
|
List<KeyProvider.KeyVersion> |
getKeyVersions(String name)
Get the key material for all versions of a specific key name.
|
KeyProvider.Metadata |
getMetadata(String name)
Get metadata about the key.
|
org.apache.hadoop.crypto.key.kms.KMSClientProvider[] |
getProviders() |
void |
invalidateCache(String keyName)
Can be used by implementing classes to invalidate the caches.
|
KeyProviderCryptoExtension.EncryptedKeyVersion |
reencryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion ekv)
Re-encrypts an encrypted key version, using its initialization vector
and key material, but with the latest key version name of its key name
in the key provider.
|
void |
reencryptEncryptedKeys(List<KeyProviderCryptoExtension.EncryptedKeyVersion> ekvs)
Batched version of
KeyProviderCryptoExtension.reencryptEncryptedKey(EncryptedKeyVersion) . |
long |
renewDelegationToken(Token<?> token)
Renews the given token.
|
KeyProvider.KeyVersion |
rollNewVersion(String name)
Roll a new version of the given key generating the material for it.
|
KeyProvider.KeyVersion |
rollNewVersion(String name,
byte[] material)
Roll a new version of the given key.
|
Token<? extends TokenIdentifier> |
selectDelegationToken(Credentials creds) |
void |
warmUpEncryptedKeys(String... keyNames)
Calls to this method allow the underlying KeyProvider to warm up any
implementation-specific caches used to store the Encrypted Keys.
|
buildVersionName, findProvider, generateKey, getBaseName, getConf, isTransient, needsPassword, noPasswordError, noPasswordWarning, options
public LoadBalancingKMSClientProvider(URI providerUri, org.apache.hadoop.crypto.key.kms.KMSClientProvider[] providers, Configuration conf)
public org.apache.hadoop.crypto.key.kms.KMSClientProvider[] getProviders()
public Token<? extends TokenIdentifier> selectDelegationToken(Credentials creds)
public String getCanonicalServiceName()
org.apache.hadoop.security.token.DelegationTokenIssuer
getCanonicalServiceName
in interface org.apache.hadoop.security.token.DelegationTokenIssuer
public Token<?> getDelegationToken(String renewer) throws IOException
org.apache.hadoop.security.token.DelegationTokenIssuer
getDelegationToken
in interface org.apache.hadoop.security.token.DelegationTokenIssuer
IOException
public long renewDelegationToken(Token<?> token) throws IOException
KeyProviderDelegationTokenExtension.DelegationTokenExtension
renewDelegationToken
in interface KeyProviderDelegationTokenExtension.DelegationTokenExtension
token
- The token to be renewed.
IOException
public Void cancelDelegationToken(Token<?> token) throws IOException
KeyProviderDelegationTokenExtension.DelegationTokenExtension
cancelDelegationToken
in interface KeyProviderDelegationTokenExtension.DelegationTokenExtension
token
- The token to be cancelled.
IOException
public void warmUpEncryptedKeys(String... keyNames) throws IOException
KeyProviderCryptoExtension.CryptoExtension
warmUpEncryptedKeys
in interface KeyProviderCryptoExtension.CryptoExtension
keyNames
- Array of Key Names
IOException
public void drain(String keyName)
KeyProviderCryptoExtension.CryptoExtension
drain
in interface KeyProviderCryptoExtension.CryptoExtension
keyName
- the key to drain the Queue for
public void invalidateCache(String keyName) throws IOException
KeyProvider
invalidateCache
in class KeyProvider
keyName
- the basename of the key
IOException
public KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName) throws IOException, GeneralSecurityException
KeyProviderCryptoExtension.CryptoExtension
KeyVersion
material of the latest key version
of the key and is encrypted using the same cipher.
NOTE: The generated key is not stored by the KeyProvider
generateEncryptedKey
in interface KeyProviderCryptoExtension.CryptoExtension
encryptionKeyName
- The latest KeyVersion of this key's material will be encrypted.
IOException
- thrown if the key material could not be generated
GeneralSecurityException
- thrown if the key material could not be encrypted because of a
cryptographic issue.
public KeyProvider.KeyVersion decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException
KeyProviderCryptoExtension.CryptoExtension
decryptEncryptedKey
in interface KeyProviderCryptoExtension.CryptoExtension
encryptedKeyVersion
- contains keyVersionName and IV to decrypt the encrypted key
material
IOException
- thrown if the key material could not be decrypted
GeneralSecurityException
- thrown if the key material could not be decrypted because of a
cryptographic issue.
public KeyProviderCryptoExtension.EncryptedKeyVersion reencryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion ekv) throws IOException, GeneralSecurityException
KeyProviderCryptoExtension.CryptoExtension
If the latest key version name in the provider is the same as the one that encrypted the passed-in encrypted key version, the same encrypted key version is returned.
NOTE: The generated key is not stored by the KeyProvider
reencryptEncryptedKey
in interface KeyProviderCryptoExtension.CryptoExtension
ekv
- The EncryptedKeyVersion containing keyVersionName and IV.
IOException
- If the key material could not be re-encrypted.
GeneralSecurityException
- If the key material could not be
re-encrypted because of a cryptographic issue.
public void reencryptEncryptedKeys(List<KeyProviderCryptoExtension.EncryptedKeyVersion> ekvs) throws IOException, GeneralSecurityException
KeyProviderCryptoExtension.CryptoExtension
Batched version of KeyProviderCryptoExtension.reencryptEncryptedKey(EncryptedKeyVersion).
For each encrypted key version, re-encrypts an encrypted key version, using its initialization vector and key material, but with the latest key version name of its key name. If the latest key version name in the provider is the same as the one that encrypted the passed-in encrypted key version, the same encrypted key version is returned.
NOTE: The generated key is not stored by the KeyProvider
reencryptEncryptedKeys
in interface KeyProviderCryptoExtension.CryptoExtension
ekvs
- List containing the EncryptedKeyVersions
IOException
- If any EncryptedKeyVersion could not be re-encrypted
GeneralSecurityException
- If any EncryptedKeyVersion could not be
re-encrypted because of a cryptographic issue.
public KeyProvider.KeyVersion getKeyVersion(String versionName) throws IOException
KeyProvider
getKeyVersion
in class KeyProvider
versionName
- the name of a specific version of the key
IOException
public List<String> getKeys() throws IOException
KeyProvider
getKeys
in class KeyProvider
IOException
public KeyProvider.Metadata[] getKeysMetadata(String... names) throws IOException
KeyProvider
getKeysMetadata
in class KeyProvider
names
- the names of the keys to get
IOException
public List<KeyProvider.KeyVersion> getKeyVersions(String name) throws IOException
KeyProvider
getKeyVersions
in class KeyProvider
IOException
public KeyProvider.KeyVersion getCurrentKey(String name) throws IOException
KeyProvider
getCurrentKey
in class KeyProvider
name
- the base name of the key
IOException
public KeyProvider.Metadata getMetadata(String name) throws IOException
KeyProvider
getMetadata
in class KeyProvider
name
- the basename of the key
IOException
public KeyProvider.KeyVersion createKey(String name, byte[] material, KeyProvider.Options options) throws IOException
KeyProvider
createKey
in class KeyProvider
name
- the base name of the key
material
- the key material for the first version of the key.
options
- the options for the new key.
IOException
public KeyProvider.KeyVersion createKey(String name, KeyProvider.Options options) throws NoSuchAlgorithmException, IOException
KeyProvider
This implementation generates the key material and calls the
KeyProvider.createKey(String, byte[], Options)
method.
createKey
in class KeyProvider
name
- the base name of the key
options
- the options for the new key.
NoSuchAlgorithmException
IOException
public void deleteKey(String name) throws IOException
KeyProvider
deleteKey
in class KeyProvider
name
- the name of the key to delete
IOException
public KeyProvider.KeyVersion rollNewVersion(String name, byte[] material) throws IOException
KeyProvider
rollNewVersion
in class KeyProvider
name
- the basename of the key
material
- the new key material
IOException
public KeyProvider.KeyVersion rollNewVersion(String name) throws NoSuchAlgorithmException, IOException
KeyProvider
This implementation generates the key material and calls the
KeyProvider.rollNewVersion(String, byte[])
method.
rollNewVersion
in class KeyProvider
name
- the basename of the key
IOException
NoSuchAlgorithmException
public void close() throws IOException
KeyProvider
close
in interface Closeable
close
in interface AutoCloseable
close
in class KeyProvider
IOException
public void flush() throws IOException
KeyProvider
flush
in class KeyProvider
IOException