KMS ACL Evaluation Flow

Before diving into the details of how KMS ACLs are evaluated, it is critical that you understand the key rules that the KMS uses in performing this evaluation.

KMS ACL Flow Rules:
  • The whitelist class bypasses key.acl and default.key.acl controls.
  • The key.acl definitions override all default definitions.

The better you understand these rules, the more likely it is that you will be successful creating and managing KMS ACL sets to achieve your desired goals.

Encryption key access is evaluated as follows:

The KMS evaluates hadoop.kms.acl.<OPERATION> and hadoop.kms.blacklist.<OPERATION> classes to determine whether or not access to a specific KMS feature or function is authorized.

In other words, a user must be allowed by hadoop.kms.acl.<OPERATION>, and not be disallowed by hadoop.kms.blacklist.<OPERATION>.

If a user is blacklisted or otherwise not allowed access to a KMS-wide operation, then the flow halts and returns the result "Denied".

If a user is allowed access to a KMS-wide operation, then the evaluation flow proceeds.

The KMS evaluates whitelist.key.acl class.

The KMS ACL workflow evaluates the whitelist.key.acl.<OPERATION>, and if the user is allowed access, then it is granted ("Allowed") . If not, then the flow continues with the evaluation.

The KMS evaluates default.key.acl.<OPERATION>, and key.acl.<OPERATION> classes.

The KMS evaluates whether or not there is a key.acl.KEY.<OPERATION> that matches the action the user is attempting to perform. If there is, it then evaluates that value to determine whether or not the user can perform the requested operation.

Depending on the result of the KMS ACL evaluation, controls are applied to the key and results (Allowed or Denied).