ACLs supported by Ranger KMS and Ranger KMS Mapping
The following ACLs are supported by Ranger KMS and Ranger KMS mapping.
- whitelist.key.acl.<operation> and hadoop.kms.blacklist.<Operation>

In this case, you create a Global Override policy under the service cm_kms.

Service: cm_kms

| Policy | Key-resource | Priority | Key Trustee ACL | Ranger Policy Condition | Ranger Policy Permission |
|---|---|---|---|---|---|
| Global Override Policy | * | Override | whitelist.key.acl.MANAGEMENT | ALLOW | CREATE, DELETE, ROLLOVER |
| | | | whitelist.key.acl.GENERATE_EEK | ALLOW | GENERATE_EEK |
| | | | whitelist.key.acl.DECRYPT_EEK | ALLOW | DECRYPT_EEK |
| | | | whitelist.key.acl.READ | ALLOW | GET, GET KEYS, GET METADATA |
| | | | hadoop.kms.blacklist.CREATE | DENY | CREATE |
| | | | hadoop.kms.blacklist.DELETE | DENY | DELETE |
| | | | hadoop.kms.blacklist.ROLLOVER | DENY | ROLLOVER |
| | | | hadoop.kms.blacklist.GET | DENY | GET |
| | | | hadoop.kms.blacklist.GET_KEYS | DENY | GET KEYS |
| | | | hadoop.kms.blacklist.GET_METADATA | DENY | GET METADATA |
| | | | hadoop.kms.blacklist.SET_KEY_MATERIAL | DENY | SET KEY MATERIAL |
| | | | hadoop.kms.blacklist.GENERATE_EEK | DENY | GENERATE_EEK |
| | | | hadoop.kms.blacklist.DECRYPT_EEK | DENY | DECRYPT_EEK |

- default.key.acl.<operation>

Service: cm_kms

| Policy | Key-resource | Priority | Key Trustee ACL | Ranger Policy Condition | Ranger Policy Permission |
|---|---|---|---|---|---|
| Default Policy (all-keyname) | * | Normal | default.key.acl.MANAGEMENT | ALLOW | CREATE, DELETE, ROLLOVER |
| | | | default.key.acl.GENERATE_EEK | ALLOW | GENERATE_EEK |
| | | | default.key.acl.DECRYPT_EEK | ALLOW | DECRYPT_EEK |
| | | | default.key.acl.READ | ALLOW | GET, GET KEYS, GET METADATA |

- key.acl.<key-name>.<OPERATION> (Key Specific ACL)

In this case, you create a Key Resource Specific policy under the service cm_kms.

Service: cm_kms

| Policy | Key-resource | Priority | Key Trustee ACL | Ranger Policy Condition | Ranger Policy Permission |
|---|---|---|---|---|---|
| Key Resource Specific policy (<keyname>) | <keyname> | Normal | key.acl.<key-name>.MANAGEMENT | ALLOW | CREATE, DELETE, ROLLOVER |
| | | | key.acl.<key-name>.GENERATE_EEK | ALLOW | GENERATE_EEK |
| | | | key.acl.<key-name>.DECRYPT_EEK | ALLOW | DECRYPT_EEK |
| | | | key.acl.<key-name>.READ | ALLOW | GET, GET KEYS, GET METADATA |
| | | | key.acl.<key-name>.ALL | ALLOW | SELECT ALL |
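The three mappings above are easy to misapply by hand when migrating a long kms-acls.xml (a blacklist entry that ends up as an ALLOW, or a key-specific entry dropped into the global policy). The following script is an added example, not code from Cloudera or the Ranger project: it parses a constructed kms-acls.xml, classifies each property with the patterns in the tables above, and emits the Ranger policy (policy, resource, priority, condition, permissions) it corresponds to. Properties the tables do not cover are reported as unmapped rather than guessed. The split of an ACL value into users and groups follows the Hadoop AccessControlList convention ("user1,user2 group1,group2", "*" for everyone); that convention is an assumption of this example, not something the page states.

```python
import re
import xml.etree.ElementTree as ET

# Ranger permissions per KMS operation, taken from the whitelist/default tables.
GLOBAL_ALLOW_PERMISSIONS = {
    "MANAGEMENT": ["CREATE", "DELETE", "ROLLOVER"],
    "GENERATE_EEK": ["GENERATE_EEK"],
    "DECRYPT_EEK": ["DECRYPT_EEK"],
    "READ": ["GET", "GET KEYS", "GET METADATA"],
}
# Key-specific ACLs additionally support ALL -> SELECT ALL.
KEY_ACL_PERMISSIONS = {**GLOBAL_ALLOW_PERMISSIONS, "ALL": ["SELECT ALL"]}
# hadoop.kms.blacklist.<Operation> maps to a DENY of one permission each.
DENY_PERMISSIONS = {
    "CREATE": ["CREATE"], "DELETE": ["DELETE"], "ROLLOVER": ["ROLLOVER"],
    "GET": ["GET"], "GET_KEYS": ["GET KEYS"], "GET_METADATA": ["GET METADATA"],
    "SET_KEY_MATERIAL": ["SET KEY MATERIAL"],
    "GENERATE_EEK": ["GENERATE_EEK"], "DECRYPT_EEK": ["DECRYPT_EEK"],
}

# (property pattern, Ranger policy, priority, condition, permission table)
_RULES = [
    (re.compile(r"^whitelist\.key\.acl\.(?P<op>[A-Z_]+)$"),
     "Global Override Policy", "Override", "ALLOW", GLOBAL_ALLOW_PERMISSIONS),
    (re.compile(r"^hadoop\.kms\.blacklist\.(?P<op>[A-Z_]+)$"),
     "Global Override Policy", "Override", "DENY", DENY_PERMISSIONS),
    (re.compile(r"^default\.key\.acl\.(?P<op>[A-Z_]+)$"),
     "Default Policy (all-keyname)", "Normal", "ALLOW", GLOBAL_ALLOW_PERMISSIONS),
    # Greedy key group so key names containing dots are kept whole.
    (re.compile(r"^key\.acl\.(?P<key>.+)\.(?P<op>[A-Z_]+)$"),
     "Key Resource Specific policy", "Normal", "ALLOW", KEY_ACL_PERMISSIONS),
]


def parse_hadoop_acl(value):
    """Split 'user1,user2 group1,group2' into (users, groups); '*' means everyone.
    Assumed Hadoop AccessControlList format (not stated on the page)."""
    value = value.strip()
    if value == "*":
        return ["*"], []
    users_part, _, groups_part = value.partition(" ")
    split = lambda s: [p for p in s.strip().split(",") if p]
    return split(users_part), split(groups_part)


def map_kms_acl(name, value):
    """Translate one kms-acls.xml property into its Ranger policy item, or None
    if the property (or its operation) is not covered by the mapping tables."""
    for pattern, policy, priority, condition, table in _RULES:
        m = pattern.match(name)
        if not m:
            continue
        perms = table.get(m.group("op"))
        if perms is None:
            return None  # operation not listed for this ACL family
        users, groups = parse_hadoop_acl(value)
        return {
            "policy": policy,
            "resource": m.groupdict().get("key", "*"),
            "priority": priority,
            "condition": condition,
            "permissions": list(perms),
            "users": users,
            "groups": groups,
        }
    return None


def translate_kms_acls(xml_text):
    """Return (mapped policy items, names of properties with no mapping)."""
    root = ET.fromstring(xml_text)
    mapped, unmapped = [], []
    for prop in root.findall("property"):
        name = prop.findtext("name", "").strip()
        value = prop.findtext("value", "").strip()
        item = map_kms_acl(name, value)
        if item is None:
            unmapped.append(name)
        else:
            mapped.append(item)
    return mapped, unmapped


# Constructed sample kms-acls.xml; principal and key names are made up.
SAMPLE_KMS_ACLS = """<configuration>
  <property><name>whitelist.key.acl.MANAGEMENT</name><value>keyadmin</value></property>
  <property><name>hadoop.kms.blacklist.DELETE</name><value>hdfs</value></property>
  <property><name>default.key.acl.READ</name><value>*</value></property>
  <property><name>key.acl.payroll-key.DECRYPT_EEK</name><value>payroll_app payroll_admins</value></property>
  <property><name>hadoop.kms.acl.CREATE</name><value>keyadmin</value></property>
</configuration>
"""

if __name__ == "__main__":
    items, leftovers = translate_kms_acls(SAMPLE_KMS_ACLS)
    for it in items:
        print(f"{it['policy']:<32} {it['resource']:<12} {it['priority']:<8} "
              f"{it['condition']:<5} {', '.join(it['permissions']):<28} "
              f"users={it['users']} groups={it['groups']}")
    for name in leftovers:
        print(f"UNMAPPED (review manually): {name}")
```

Run it against a real kms-acls.xml by reading the file into translate_kms_acls; the unmapped list is the part worth reading first, because a property the mapping does not cover (for example the KMS-level hadoop.kms.acl.* entries in the sample) will silently lose its effect if it is assumed to have been carried over.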
