public class LoadBalancingKMSClientProvider extends KeyProvider implements KeyProviderCryptoExtension.CryptoExtension, KeyProviderDelegationTokenExtension.DelegationTokenExtension

Nested classes/interfaces inherited from class KeyProvider: KeyProvider.KeyVersion, KeyProvider.Metadata, KeyProvider.Options

Field Summary

| Modifier and Type | Field and Description |
|---|---|
| static org.slf4j.Logger | LOG |

Fields inherited from class KeyProvider: DEFAULT_BITLENGTH, DEFAULT_BITLENGTH_NAME, DEFAULT_CIPHER, DEFAULT_CIPHER_NAME, JCEKS_KEY_SERIAL_FILTER, JCEKS_KEY_SERIALFILTER_DEFAULT

Constructor Summary

| Constructor and Description |
|---|
| LoadBalancingKMSClientProvider(URI providerUri, org.apache.hadoop.crypto.key.kms.KMSClientProvider[] providers, Configuration conf) |

Method Summary

| Modifier and Type | Method and Description |
|---|---|
| Void | cancelDelegationToken(Token<?> token) Cancels the given token. |
| void | close() Can be used by implementing classes to close any resources that require closing. |
| KeyProvider.KeyVersion | createKey(String name, byte[] material, KeyProvider.Options options) Create a new key. |
| KeyProvider.KeyVersion | createKey(String name, KeyProvider.Options options) Create a new key generating the material for it. |
| KeyProvider.KeyVersion | decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) Decrypts an encrypted byte[] key material using the given key version name and initialization vector. |
| void | deleteKey(String name) Delete the given key. |
| void | drain(String keyName) Drains the Queue for the provided key. |
| void | flush() Ensures that any changes to the keys are written to persistent store. |
| KeyProviderCryptoExtension.EncryptedKeyVersion | generateEncryptedKey(String encryptionKeyName) Generates a key material and encrypts it using the given key name. |
| String | getCanonicalServiceName() The service name used as the alias for the token in the credential token map. |
| KeyProvider.KeyVersion | getCurrentKey(String name) Get the current version of the key, which should be used for encrypting new data. |
| Token<?> | getDelegationToken(String renewer) Unconditionally get a new token with the optional renewer. |
| List<String> | getKeys() Get the key names for all keys. |
| KeyProvider.Metadata[] | getKeysMetadata(String... names) Get key metadata in bulk. |
| KeyProvider.KeyVersion | getKeyVersion(String versionName) Get the key material for a specific version of the key. |
| List<KeyProvider.KeyVersion> | getKeyVersions(String name) Get the key material for all versions of a specific key name. |
| KeyProvider.Metadata | getMetadata(String name) Get metadata about the key. |
| org.apache.hadoop.crypto.key.kms.KMSClientProvider[] | getProviders() |
| void | invalidateCache(String keyName) Can be used by implementing classes to invalidate the caches. |
| KeyProviderCryptoExtension.EncryptedKeyVersion | reencryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion ekv) Re-encrypts an encrypted key version, using its initialization vector and key material, but with the latest key version name of its key name in the key provider. |
| void | reencryptEncryptedKeys(List<KeyProviderCryptoExtension.EncryptedKeyVersion> ekvs) Batched version of KeyProviderCryptoExtension.reencryptEncryptedKey(EncryptedKeyVersion). |
| long | renewDelegationToken(Token<?> token) Renews the given token. |
| KeyProvider.KeyVersion | rollNewVersion(String name) Roll a new version of the given key generating the material for it. |
| KeyProvider.KeyVersion | rollNewVersion(String name, byte[] material) Roll a new version of the given key. |
| Token<? extends TokenIdentifier> | selectDelegationToken(Credentials creds) |
| void | warmUpEncryptedKeys(String... keyNames) Calls to this method allow the underlying KeyProvider to warm up any implementation-specific caches used to store the Encrypted Keys. |
Methods inherited from class KeyProvider: buildVersionName, findProvider, generateKey, getBaseName, getConf, isTransient, needsPassword, noPasswordError, noPasswordWarning, options

Constructor Detail

public LoadBalancingKMSClientProvider(URI providerUri, org.apache.hadoop.crypto.key.kms.KMSClientProvider[] providers, Configuration conf)

Method Detail

public org.apache.hadoop.crypto.key.kms.KMSClientProvider[] getProviders()

public Token<? extends TokenIdentifier> selectDelegationToken(Credentials creds)

public String getCanonicalServiceName()
Description copied from interface: org.apache.hadoop.security.token.DelegationTokenIssuer
The service name used as the alias for the token in the credential token map.
Specified by: getCanonicalServiceName in interface org.apache.hadoop.security.token.DelegationTokenIssuer

public Token<?> getDelegationToken(String renewer) throws IOException
Description copied from interface: org.apache.hadoop.security.token.DelegationTokenIssuer
Unconditionally get a new token with the optional renewer.
Specified by: getDelegationToken in interface org.apache.hadoop.security.token.DelegationTokenIssuer
Throws: IOException

public long renewDelegationToken(Token<?> token) throws IOException
Description copied from interface: KeyProviderDelegationTokenExtension.DelegationTokenExtension
Renews the given token.
Specified by: renewDelegationToken in interface KeyProviderDelegationTokenExtension.DelegationTokenExtension
Parameters: token - The token to be renewed.
Throws: IOException

public Void cancelDelegationToken(Token<?> token) throws IOException
Description copied from interface: KeyProviderDelegationTokenExtension.DelegationTokenExtension
Cancels the given token.
Specified by: cancelDelegationToken in interface KeyProviderDelegationTokenExtension.DelegationTokenExtension
Parameters: token - The token to be cancelled.
Throws: IOException

public void warmUpEncryptedKeys(String... keyNames) throws IOException
Description copied from interface: KeyProviderCryptoExtension.CryptoExtension
Calls to this method allow the underlying KeyProvider to warm up any implementation-specific caches used to store the Encrypted Keys.
Specified by: warmUpEncryptedKeys in interface KeyProviderCryptoExtension.CryptoExtension
Parameters: keyNames - Array of Key Names
Throws: IOException

public void drain(String keyName)
Description copied from interface: KeyProviderCryptoExtension.CryptoExtension
Drains the Queue for the provided key.
Specified by: drain in interface KeyProviderCryptoExtension.CryptoExtension
Parameters: keyName - the key to drain the Queue for

public void invalidateCache(String keyName) throws IOException
Description copied from class: KeyProvider
Can be used by implementing classes to invalidate the caches.
Overrides: invalidateCache in class KeyProvider
Parameters: keyName - the basename of the key
Throws: IOException

public KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName) throws IOException, GeneralSecurityException
Description copied from interface: KeyProviderCryptoExtension.CryptoExtension
Generates a key material and encrypts it using the given key name. The generated key material is of the same length as the KeyVersion material of the latest key version of the key and is encrypted using the same cipher.
NOTE: The generated key is not stored by the KeyProvider.
Specified by: generateEncryptedKey in interface KeyProviderCryptoExtension.CryptoExtension
Parameters: encryptionKeyName - The latest KeyVersion of this key's material will be encrypted.
Throws:
IOException - thrown if the key material could not be generated
GeneralSecurityException - thrown if the key material could not be encrypted because of a cryptographic issue.

public KeyProvider.KeyVersion decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException
Description copied from interface: KeyProviderCryptoExtension.CryptoExtension
Decrypts an encrypted byte[] key material using the given key version name and initialization vector.
Specified by: decryptEncryptedKey in interface KeyProviderCryptoExtension.CryptoExtension
Parameters: encryptedKeyVersion - contains keyVersionName and IV to decrypt the encrypted key material
Throws:
IOException - thrown if the key material could not be decrypted
GeneralSecurityException - thrown if the key material could not be decrypted because of a cryptographic issue.

public KeyProviderCryptoExtension.EncryptedKeyVersion reencryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion ekv) throws IOException, GeneralSecurityException
Description copied from interface: KeyProviderCryptoExtension.CryptoExtension
Re-encrypts an encrypted key version, using its initialization vector and key material, but with the latest key version name of its key name in the key provider. If the latest key version name in the provider is the same as the one that encrypted the passed-in encrypted key version, the same encrypted key version is returned.
NOTE: The generated key is not stored by the KeyProvider.
Specified by: reencryptEncryptedKey in interface KeyProviderCryptoExtension.CryptoExtension
Parameters: ekv - The EncryptedKeyVersion containing keyVersionName and IV.
Throws:
IOException - If the key material could not be re-encrypted.
GeneralSecurityException - If the key material could not be re-encrypted because of a cryptographic issue.

public void reencryptEncryptedKeys(List<KeyProviderCryptoExtension.EncryptedKeyVersion> ekvs) throws IOException, GeneralSecurityException
Description copied from interface: KeyProviderCryptoExtension.CryptoExtension
Batched version of KeyProviderCryptoExtension.reencryptEncryptedKey(EncryptedKeyVersion).
For each encrypted key version, re-encrypts an encrypted key version, using its initialization vector and key material, but with the latest key version name of its key name. If the latest key version name in the provider is the same as the one that encrypted the passed-in encrypted key version, the same encrypted key version is returned.
NOTE: The generated key is not stored by the KeyProvider.
Specified by: reencryptEncryptedKeys in interface KeyProviderCryptoExtension.CryptoExtension
Parameters: ekvs - List containing the EncryptedKeyVersions
Throws:
IOException - If any EncryptedKeyVersion could not be re-encrypted
GeneralSecurityException - If any EncryptedKeyVersion could not be re-encrypted because of a cryptographic issue.

public KeyProvider.KeyVersion getKeyVersion(String versionName) throws IOException
Description copied from class: KeyProvider
Get the key material for a specific version of the key.
Overrides: getKeyVersion in class KeyProvider
Parameters: versionName - the name of a specific version of the key
Throws: IOException

public List<String> getKeys() throws IOException
Description copied from class: KeyProvider
Get the key names for all keys.
Overrides: getKeys in class KeyProvider
Throws: IOException

public KeyProvider.Metadata[] getKeysMetadata(String... names) throws IOException
Description copied from class: KeyProvider
Get key metadata in bulk.
Overrides: getKeysMetadata in class KeyProvider
Parameters: names - the names of the keys to get
Throws: IOException

public List<KeyProvider.KeyVersion> getKeyVersions(String name) throws IOException
Description copied from class: KeyProvider
Get the key material for all versions of a specific key name.
Overrides: getKeyVersions in class KeyProvider
Throws: IOException

public KeyProvider.KeyVersion getCurrentKey(String name) throws IOException
Description copied from class: KeyProvider
Get the current version of the key, which should be used for encrypting new data.
Overrides: getCurrentKey in class KeyProvider
Parameters: name - the base name of the key
Throws: IOException

public KeyProvider.Metadata getMetadata(String name) throws IOException
Description copied from class: KeyProvider
Get metadata about the key.
Overrides: getMetadata in class KeyProvider
Parameters: name - the basename of the key
Throws: IOException

public KeyProvider.KeyVersion createKey(String name, byte[] material, KeyProvider.Options options) throws IOException
Description copied from class: KeyProvider
Create a new key.
Overrides: createKey in class KeyProvider
Parameters:
name - the base name of the key
material - the key material for the first version of the key.
options - the options for the new key.
Throws: IOException

public KeyProvider.KeyVersion createKey(String name, KeyProvider.Options options) throws NoSuchAlgorithmException, IOException
Description copied from class: KeyProvider
Create a new key generating the material for it. This implementation generates the material and calls the KeyProvider.createKey(String, byte[], Options) method.
Overrides: createKey in class KeyProvider
Parameters:
name - the base name of the key
options - the options for the new key.
Throws: NoSuchAlgorithmException, IOException

public void deleteKey(String name) throws IOException
Description copied from class: KeyProvider
Delete the given key.
Overrides: deleteKey in class KeyProvider
Parameters: name - the name of the key to delete
Throws: IOException

public KeyProvider.KeyVersion rollNewVersion(String name, byte[] material) throws IOException
Description copied from class: KeyProvider
Roll a new version of the given key.
Overrides: rollNewVersion in class KeyProvider
Parameters:
name - the basename of the key
material - the new key material
Throws: IOException

public KeyProvider.KeyVersion rollNewVersion(String name) throws NoSuchAlgorithmException, IOException
Description copied from class: KeyProvider
Roll a new version of the given key generating the material for it. This implementation generates the material and calls the KeyProvider.rollNewVersion(String, byte[]) method.
Overrides: rollNewVersion in class KeyProvider
Parameters: name - the basename of the key
Throws: IOException, NoSuchAlgorithmException

public void close() throws IOException
Description copied from class: KeyProvider
Can be used by implementing classes to close any resources that require closing.
Specified by: close in interface Closeable
Specified by: close in interface AutoCloseable
Overrides: close in class KeyProvider
Throws: IOException

public void flush() throws IOException
Description copied from class: KeyProvider
Ensures that any changes to the keys are written to persistent store.
Overrides: flush in class KeyProvider
Throws: IOException

Copyright © 2008–2022 Apache Software Foundation. All rights reserved.
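As an added illustration (not code from this page or from Hadoop itself) of the envelope-encryption lifecycle that generateEncryptedKey, decryptEncryptedKey, rollNewVersion and reencryptEncryptedKey describe above, the following Java program walks one data key through generation, decryption, key rotation and re-wrapping. It assumes two reachable KMS instances at hypothetical hostnames, a caller whose KMS ACLs permit key creation, GENERATE_EEK and DECRYPT_EEK, and a constructed key name.

```java
import java.net.URI;
import java.util.Arrays;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion;
import org.apache.hadoop.crypto.key.kms.KMSClientProvider;
import org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider;

/** Envelope-encryption lifecycle against a load-balanced KMS: generate, decrypt, roll, re-wrap. */
public class KmsEnvelopeKeyRotation {

  public static void main(String[] args) throws Exception {
    Configuration conf = new Configuration();
    // Hypothetical KMS hostnames; each backend is a plain KMSClientProvider.
    URI kmsA = new URI("kms://http@kms-a.example.internal:9600/kms");
    URI kmsB = new URI("kms://http@kms-b.example.internal:9600/kms");
    KMSClientProvider[] backends = { new KMSClientProvider(kmsA, conf), new KMSClientProvider(kmsB, conf) };
    // Multi-host form of the provider URI; requests are spread across the backends.
    URI lbUri = new URI("kms://http@kms-a.example.internal;kms-b.example.internal:9600/kms");

    try (LoadBalancingKMSClientProvider kp = new LoadBalancingKMSClientProvider(lbUri, backends, conf)) {
      String ezKey = "demo-zone-key"; // constructed key name for this example

      // 1. The encryption-zone key lives only in the KMS; cipher and bit length come from conf.
      kp.createKey(ezKey, new KeyProvider.Options(conf));
      String v1 = kp.getCurrentKey(ezKey).getVersionName();

      // 2. The KMS generates a data key and returns only its encrypted form (EEK);
      //    neither the EEK nor the plaintext DEK is stored by the KMS.
      EncryptedKeyVersion eek = kp.generateEncryptedKey(ezKey);
      check(v1.equals(eek.getEncryptionKeyVersionName()), "EEK wrapped under current version");

      // 3. Only a caller with DECRYPT_EEK permission recovers the plaintext DEK.
      byte[] dek = kp.decryptEncryptedKey(eek).getMaterial();

      // 4. Rotation: roll the zone key, drop the client-side cache, re-wrap the EEK.
      //    The DEK never leaves the KMS during re-encryption.
      String v2 = kp.rollNewVersion(ezKey).getVersionName();
      kp.invalidateCache(ezKey);
      EncryptedKeyVersion rewrapped = kp.reencryptEncryptedKey(eek);
      check(v2.equals(rewrapped.getEncryptionKeyVersionName()), "EEK re-wrapped under new version");
      check(Arrays.equals(dek, kp.decryptEncryptedKey(rewrapped).getMaterial()), "same DEK after re-wrap");

      // 5. Re-encrypting an EEK already under the latest version returns the same version name.
      EncryptedKeyVersion again = kp.reencryptEncryptedKey(rewrapped);
      check(v2.equals(again.getEncryptionKeyVersionName()), "already current");
      Arrays.fill(dek, (byte) 0); // clear the plaintext DEK once it is no longer needed
    }
  }

  private static void check(boolean ok, String what) {
    if (!ok) throw new IllegalStateException("unexpected: " + what);
  }
}
```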