ACLs supported by Ranger KMS and Ranger KMS Mapping
The ACLs mentioned here are supported by Ranger KMS and Ranger KMS mapping.
- whitelist.key.acl.<operation> and
hadoop.kms.blacklist.<Operation>
In this case, you create a Global Override policy under the service
cm_kms
.Service : cm_kms
Policy Key-resource Priority Key Trustee ACL Ranger Policy Condition Ranger Policy Permission Global Override Policy * Override whitelist.key.acl.MANAGEMENT
ALLOW CREATE, DELETE, ROLLOVER
whitelist.key.acl.GENERATE_EEK
ALLOW GENERATE_EEK
whitelist.key.acl.DECRYPT_EEK
ALLOW DECRYPT_EEK
whitelist.key.acl.READ
ALLOW GET, GET KEYS, GET METADATA
hadoop.kms.blacklist.CREATE
DENY CREATE
hadoop.kms.blacklist.DELETE
DENY DELETE
hadoop.kms.blacklist.ROLLOVER
DENY ROLLOVER
hadoop.kms.blacklist.GET
DENY GET
hadoop.kms.blacklist.GET_KEYS
DENY GET KEYS
hadoop.kms.blacklist.GET_METADATA
DENY GET METADATA
hadoop.kms.blacklist.SET_KEY_MATERIAL
DENY SET KEY MATERIAL
hadoop.kms.blacklist.GENERATE_EEK
DENY GENERATE_EEK
hadoop.kms.blacklist.DECRYPT_EEK
DENY DECRYPT_EEK
- default.key.acl.<operation>
Service : cm_kms
Policy Key-resource Priority Key Trustee ACL Ranger Policy Condition Ranger Policy Permission Default Policy
all-keyname
* Normal default.key.acl.MANAGEMENT
ALLOW CREATE, DELETE, ROLLOVER
default.key.acl.GENERATE_EEK
ALLOW GENERATE_EEK
default.key.acl.DECRYPT_EEK
ALLOW DECRYPT_EEK
default.key.acl.READ
ALLOW GET, GET KEYS, GET METADATA
- key.acl.<key-name>.<OPERATION> Key Specific ACL
In this case, you create a Key Resource Specific policy under the service
cm_kms
.Service : cm_kms
Policy Key-resource Priority Key Trustee ACL Ranger Policy Condition Ranger Policy Permission Key Resource Specific policy
<keyname>
<keyname> Normal key.acl.<key-name>.MANAGEMENT
ALLOW CREATE, DELETE, ROLLOVER
key.acl.<key-name>.GENERATE_EEK
ALLOW GENERATE_EEK
key.acl.<key-name>.DECRYPT_EEK
ALLOW DECRYPT_EEK
key.acl.<key-name>.READ
ALLOW GET, GET KEYS, GET METADATA
key.acl.<key-name>.ALL
ALLOW SELECT ALL