Table of Contents |
---|
Goals
- Allow CDAP users to securely store sensitive data.
- Allow authorized CDAP users to access stored data at runtime.
- Allow authorized CDAP users to manage the stored data.
Checklist
- User stories documented (Nishith)
- User stories reviewed (Nitin)
- Design documented (Nishith)
- Design reviewed (Andreas/Terence)
- Feature merged (Nishith)
- Blog post
User Stories
- As a CDAP/Hydrator security admin, I want all sensitive information like passwords not be stored in plaintext.
Brief introduction to Hadoop KMS
Hadoop KMS is a cryptographic key management server based on Hadoop’s KeyProvider API.
...
*Image taken from Cloudera engineering Blog
Design
...
The entity stored will be composed of three parts
- AliasName: This will be the identifier, provided by the user, that will be used to retrieve the object.
- Properties: A key value map containing the properties of the object being stored.
- DataValue: The data being stored. Passed in as a byte arraystring.
...
Design decisions
- Hadoop KMS supports versioning for the keys it stores. This is used mainly for key rollovers. In this release, we won't support versioning.
...
- Store
- Get data
- Get metadata
- Get metadata list
- List
- Delete
The system will expose these APIs to clients :
Code Block | ||||
---|---|---|---|---|
| ||||
// Represents the metadata about the data interface SecureStoreMetaData { String getName(); String getDescription(); long getLastModifiedTime(); Map<String, String> getProperties(); } // Represents the secure data interface SecureStoreData { // Returns the meta data about the secure data SecureStoreMetaData getMetaData(); // Returns the secure data byte[]String get(); } // Provides read-only access to secure store interface SecureStore { // Returns a listmap ofwith availablenames secureas datakey inand thedescriptions secureas store.the value of List<String>available list(); // Returnssecure a list of metadata objects fordata in the list ofstore. data items Map<String, String> List<SecureStoreMetaData> getMetadatalist(List<String>String datanamespace); // Gets the secure data SecureStoreData get(String namespace, String name); } // Manager interface for managing secure data interface SecureStoreManager { // Stores the secure data void put(String namespace, String name, byte[]String data, Map<String, String> properties); // Remove the secure data void delete(String namespace, String name); } |
REST API
Operation | REST API | Body | Response | ||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Put | POST PUT /v3/securitynamespaces/store<namespace>/v1securekeys/<key-name> | Content-Type: application/json
| 201 Created200 OK | ||||||||||||||||||||||||||||||||||
Delete | DELETE /securityv3/storenamespaces/v1<namespace>/keysecurekeys/<key-name> | N/A | 200 OK 404 Not Found | ||||||||||||||||||||||||||||||||||
Get | GET / securityv3/ storenamespaces/ v1<namespace>/ keysecurekeys/<key-name> | N/A | 200 OK Content-Type: application/json Code Block | value 404 Not Found | |||||||||||||||||||||||||||||||||
Get Metadata | GET /securityv3/storenamespaces/v1<namespace>/keysecurekeys/<key-name>/metadata | N/A | 200 OK Content-Type: application/json
404 Not Found | ||||||||||||||||||||||||||||||||||
List | GET /securityv3/storenamespaces/v1<namespace>/keyssecurekeys/names | N/A | 200 OK Content-Type: application/json
| Get multiple Metadata | GET /security/store/v1/keys/metadata?key=<key-name>&key=<key-name>,... | N/A | |||||||||||||||||||||||||||||||
Code Block |
|
|
|
|
| created
| :
| <millis-epoch> //long
| properties
| : {
"key" : "value"
...
}
|
|
|
|
| "created" : <millis-epoch> //long
"properties" : {
"key" : "value"
...
}
}
]
|
Access Control
The secure store can be protected with a key in the CDAP master keystore, which CDAP already requires the user to provide in order to have SSL enabled. Since the program will be executed in the same JVM as the SDK process, access to the sensitive data can be done directly through the proper Guice binding that binds the SecureStore
interface to the actual implementation.
...
Entries are grouped by the (user,key,operation) combined key for a configurable aggregation interval after which the number of accesses to the specified end-point by the user for a given key is flushed to the audit log.
Implementation
Following two implementations will be provided
...
This mode will not be supported in this release.
Code Block | ||||
---|---|---|---|---|
| ||||
//Implementation needs to be thread safe
public class JavaSecureStoreProvider extends KeyProvider {
private JavaSecureStoreProvider(URI uri, Configuration conf) throws IOException {
//Get the file path for local storage
//Get the password for the secure store
//Load or create the store
}
//Since we are not supporting versioning, the KeyVersion will always be current
public KeyVersion getKeyVersion(String versionName) throws IOException {
}
//Lists all the keys that is accessible to this user.
public List<String> getKeys() throws IOException {
}
//Since we are not supporting versioning, this will only have one item
public List<KeyVersion> getKeyVersions(String name) throws IOException{
}
public Metadata getMetadata(String name) throws IOException {
}
public KeyVersion createKey(String name, byte[] material, Options options) throws IOException {
}
public void deleteKey(String name) throws IOException {
}
//No-op for this version
public KeyVersion rollNewVersion(String name, byte[] material) throws IOException {
}
public void flush() throws IOException{
}
public static class Factory extends KeyProviderFactory {
@Override
public KeyProvider createProvider(URI providerName,
Configuration conf) throws IOException {
}
}
} |
Out-of-scope User Stories (4.0 and beyond)
- Support for secure store in distributed mode when KMS is not present.
References
https://hadoop.apache.org/docs/stable/hadoop-kms/index.html
...