ACLs supported by Ranger KMS and Ranger KMS Mapping

The following ACLs are supported by Ranger KMS and Ranger KMS mapping.

  • whitelist.key.acl.<operation> and hadoop.kms.blacklist.<Operation>

    In this case, you create a Global Override policy under the service cm_kms.

    Service : cm_kms

    Policy Key-resource Priority Key Trustee ACL Ranger Policy Condition Ranger Policy Permission
    Global Override Policy * Override whitelist.key.acl.MANAGEMENT ALLOW CREATE, DELETE, ROLLOVER
    whitelist.key.acl.GENERATE_EEK ALLOW GENERATE_EEK
    whitelist.key.acl.DECRYPT_EEK ALLOW DECRYPT_EEK
    whitelist.key.acl.READ ALLOW

    GET, GET KEYS, GET METADATA

    hadoop.kms.blacklist.CREATE DENY CREATE
    hadoop.kms.blacklist.DELETE DENY DELETE
    hadoop.kms.blacklist.ROLLOVER DENY ROLLOVER
    hadoop.kms.blacklist.GET DENY GET
    hadoop.kms.blacklist.GET_KEYS DENY GET KEYS
    hadoop.kms.blacklist.GET_METADATA DENY GET METADATA
    hadoop.kms.blacklist.SET_KEY_MATERIAL DENY SET KEY MATERIAL
    hadoop.kms.blacklist.GENERATE_EEK DENY GENERATE_EEK
    hadoop.kms.blacklist.DECRYPT_EEK DENY DECRYPT_EEK
  • default.key.acl.<operation>

    Service : cm_kms

    Policy Key-resource Priority Key Trustee ACL Ranger Policy Condition Ranger Policy Permission

    Default Policy

    all-keyname

    * Normal default.key.acl.MANAGEMENT ALLOW CREATE, DELETE, ROLLOVER
    default.key.acl.GENERATE_EEK ALLOW GENERATE_EEK
    default.key.acl.DECRYPT_EEK ALLOW DECRYPT_EEK
    default.key.acl.READ ALLOW

    GET, GET KEYS, GET METADATA

  • key.acl.<key-name>.<OPERATION> Key Specific ACL

    In this case, you create a Key Resource Specific policy under the service cm_kms.

    Service : cm_kms

    Policy Key-resource Priority Key Trustee ACL Ranger Policy Condition Ranger Policy Permission

    Key Resource Specific policy

    <keyname>

    <keyname> Normal key.acl.<key-name>.MANAGEMENT ALLOW CREATE, DELETE, ROLLOVER
    key.acl.<key-name>.GENERATE_EEK ALLOW GENERATE_EEK
    key.acl.<key-name>.DECRYPT_EEK ALLOW DECRYPT_EEK
    key.acl.<key-name>.READ ALLOW

    GET, GET KEYS, GET METADATA

    key.acl.<key-name>.ALL ALLOW SELECT ALL