Key Trustee KMS ACL Conversion to Ranger KMS Policies

Because Key Trustee KMS is not supported in CDP, the CDH to CDP upgrade process converts Key Trustee KMS ACLs to Ranger KMS policies.

Ranger KMS policies for converted Key Trustee KMS ACLs

  • whitelist.key.acl.<operation> and hadoop.kms.blacklist.<operation>

    For these operations, a Global Override policy is created under the Ranger KMS cm_kms service.

    Policy                 | Key-resource | Priority | Key Trustee ACL                   | Ranger Policy Condition | Ranger Policy Permission
    Global Override Policy | *            | Override | whitelist.key.acl.MANAGEMENT      | ALLOW                   | CREATE, DELETE, ROLLOVER
                           |              |          | whitelist.key.acl.GENERATE_EEK    | ALLOW                   | GENERATE_EEK
                           |              |          | whitelist.key.acl.DECRYPT_EEK     | ALLOW                   | DECRYPT_EEK
                           |              |          | whitelist.key.acl.READ            | ALLOW                   | GET, GET KEYS, GET METADATA
                           |              |          | hadoop.kms.blacklist.CREATE       | DENY                    | CREATE
                           |              |          | hadoop.kms.blacklist.DELETE       | DENY                    | DELETE
                           |              |          | hadoop.kms.blacklist.ROLLOVER     | DENY                    | ROLLOVER
                           |              |          | hadoop.kms.blacklist.GET          | DENY                    | GET
                           |              |          | hadoop.kms.blacklist.GET_KEYS     | DENY                    | GET KEYS
                           |              |          | hadoop.kms.blacklist.GET_METADATA | DENY                    | GET METADATA
                           |              |          | hadoop.kms.blacklist.SET_KEY_MATERIAL | DENY                | SET_KEY_MATERIAL
                           |              |          | hadoop.kms.blacklist.GENERATE_EEK | DENY                    | GENERATE_EEK
                           |              |          | hadoop.kms.blacklist.DECRYPT_EEK  | DENY                    | DECRYPT_EEK
  • default.key.acl.<operation>

    For these operations, policies are also created under the Ranger KMS cm_kms service.

    Policy                        | Key-resource | Priority | Key Trustee ACL              | Ranger Policy Condition | Ranger Policy Permission
    Default Policy (all-keyname)  | *            | Normal   | default.key.acl.MANAGEMENT   | ALLOW                   | CREATE, DELETE, ROLLOVER
                                  |              |          | default.key.acl.GENERATE_EEK | ALLOW                   | GENERATE_EEK
                                  |              |          | default.key.acl.DECRYPT_EEK  | ALLOW                   | DECRYPT_EEK
                                  |              |          | default.key.acl.READ         | ALLOW                   | GET, GET KEYS, GET METADATA

  • key.acl.<key-name>.<operation> (key-specific ACLs)

    For these operations, a Key Resource policy is created under the Ranger KMS cm_kms service.

    Policy                                   | Key-resource | Priority | Key Trustee ACL                 | Ranger Policy Condition | Ranger Policy Permission
    Key Resource Specific policy (<keyname>) | <keyname>    | Normal   | key.acl.<key-name>.MANAGEMENT   | ALLOW                   | CREATE, DELETE, ROLLOVER
                                             |              |          | key.acl.<key-name>.GENERATE_EEK | ALLOW                   | GENERATE_EEK
                                             |              |          | key.acl.<key-name>.DECRYPT_EEK  | ALLOW                   | DECRYPT_EEK
                                             |              |          | key.acl.<key-name>.READ         | ALLOW                   | GET, GET KEYS, GET METADATA
                                             |              |          | key.acl.<key-name>.ALL          | ALLOW                   | SELECT ALL

Key Trustee KMS ACL operations not migrated to Ranger KMS

The following hadoop.kms.acl.<OPERATION> operations are not migrated to Ranger KMS policies.

hadoop.kms.acl.CREATE
hadoop.kms.acl.DELETE
hadoop.kms.acl.ROLLOVER
hadoop.kms.acl.GET
hadoop.kms.acl.GET_KEYS
hadoop.kms.acl.GET_METADATA
hadoop.kms.acl.SET_KEY_MATERIAL
hadoop.kms.acl.GENERATE_EEK
hadoop.kms.acl.DECRYPT_EEK

The following keytrustee.kms.acl.<OPERATION> operations are specific to Key Trustee. They are not migrated to Ranger KMS policies, nor are they supported by Hadoop KMS.

keytrustee.kms.acl.UNDELETE
keytrustee.kms.acl.PURGE
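The conversion rules in the three tables above, together with the list of properties that are not migrated, as an added Python example that is not part of this page or of the upgrade tooling: it derives the Ranger KMS policy items (policy, key resource, priority, condition, permissions, users and groups) from a set of Key Trustee KMS ACL properties and reports every property the upgrade would leave behind, so the converted policies can be reviewed before upgrading. It assumes Hadoop's "users groups" ACL value syntax, and the policy names are the labels from the tables rather than Ranger's internal identifiers.

```python
import re

# Permissions granted per Key Trustee operation, taken from the conversion tables above.
OP_PERMS = {
    "MANAGEMENT": ["CREATE", "DELETE", "ROLLOVER"],
    "GENERATE_EEK": ["GENERATE_EEK"],
    "DECRYPT_EEK": ["DECRYPT_EEK"],
    "READ": ["GET", "GET KEYS", "GET METADATA"],
    "ALL": ["SELECT ALL"],  # only defined for key-specific ACLs
}
# A blacklisted operation denies one permission; two names are spelled differently.
DENY_PERM = {"GET_KEYS": "GET KEYS", "GET_METADATA": "GET METADATA"}
# Property pattern -> (policy, key resource or None for the captured key name, priority, condition)
RULES = [
    (r"whitelist\.key\.acl\.(\w+)", ("Global Override Policy", "*", "Override", "ALLOW")),
    (r"hadoop\.kms\.blacklist\.(\w+)", ("Global Override Policy", "*", "Override", "DENY")),
    (r"default\.key\.acl\.(\w+)", ("Default Policy (all-keyname)", "*", "Normal", "ALLOW")),
    (r"key\.acl\.(.+)\.(\w+)", ("Key Resource Specific policy", None, "Normal", "ALLOW")),
]

def parse_acl(value):
    """Hadoop ACL value syntax (assumed here): 'user1,user2 group1,group2'; '*' means everyone."""
    users, groups = (value.split() + ["", ""])[:2]
    return [u for u in users.split(",") if u], [g for g in groups.split(",") if g]

def convert_acls(props):
    """Map Key Trustee KMS ACL properties to Ranger KMS policy items. Returns (items,
    skipped); skipped lists the properties the upgrade does not migrate."""
    items, skipped = [], []
    for prop, value in props.items():
        for pattern, (policy, resource, priority, condition) in RULES:
            m = re.fullmatch(pattern, prop)
            if not m:
                continue
            op = m.group(m.lastindex)
            if condition == "DENY":
                perms = [DENY_PERM.get(op, op)]
            elif op in OP_PERMS and (op != "ALL" or resource is None):
                perms = OP_PERMS[op]
            else:  # e.g. default.key.acl.ALL has no Ranger mapping in the tables
                skipped.append(prop)
                break
            users, groups = parse_acl(value)
            items.append({"policy": policy, "resource": resource or m.group(1),
                          "priority": priority, "source": prop, "condition": condition,
                          "permissions": perms, "users": users, "groups": groups})
            break
        else:  # no rule matched: hadoop.kms.acl.* and keytrustee.kms.acl.* land here
            skipped.append(prop)
    return items, skipped
```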

The following table lists Ranger KMS equivalents for some of these non-migrated Key Trustee KMS ACL operations. The SSoD? column in this table identifies whether the ACL is only relevant for strict separation of administrative duties.

Key Trustee ACL Property       | Key User List | Group List    | Intention                                                                 | Ranger Equivalent                                   | SSoD?
hadoop.kms.acl.CREATE          | keyadmin      | keyadmingroup | Restrict key creation operation to only keyadmin/keyadmingroup            | Allow CREATE on * limited to keyadmin/keyadmingroup   | No
hadoop.kms.acl.DELETE          | keyadmin      | keyadmingroup | Restrict key deletion operation to only keyadmin/keyadmingroup            | Allow DELETE on * limited to keyadmin/keyadmingroup   | No
hadoop.kms.acl.ROLLOVER        | keyadmin      | keyadmingroup | Restrict key rollover to only keyadmin/keyadmingroup                      | Allow ROLLOVER on * limited to keyadmin/keyadmingroup | No
hadoop.kms.acl.GET             | _EMPTY_LIST   | _EMPTY_LIST   | Don't restrict GET operation (at this level; blacklisted later)           | N/A                                                   | No
hadoop.kms.acl.GET_KEYS        | keyadmin      | keyadmingroup | Allow key admins to list key metadata (NB: not keys)                      | Allow GET_KEYS on * limited to keyadmin/keyadmingroup | No
hadoop.kms.acl.SET_KEY_MATERIAL | _EMPTY_LIST  | _EMPTY_LIST   | Don't restrict SET_KEY_MATERIAL operation (at this level; blacklisted later) | N/A                                                | No
hadoop.kms.acl.GENERATE_EEK    | hdfs          | supergroup    | Allow NN + superusers to generate EDEKs to populate the NN cache etc.     | Allow GENERATE_EEK on * for hdfs/supergroup           | No

Key Trustee KMS ACL evaluation vs. Ranger KMS policy evaluation

Key Trustee KMS uses the ACL system that the upstream Hadoop project defined for KMS, which is complex and difficult to understand. This upstream ACL system has several moving parts, including feature-level ACLs, global whitelists and blacklists, default ACLs, and per-key ACLs, and the resulting evaluation flow is hard to follow.

Ranger KMS policies evaluate permissions on a per key-operation basis: the key (or keys) is the Ranger resource, and the operations on those keys are the permissions being granted. This means the KMS-specific concepts of feature ACLs and global blacklist/whitelist operations are not present in the Ranger KMS ACL implementation. Instead, global-level settings are implemented as a set of permissions against the pseudo-key "*", which refers to the full set of keys. Ranger's far more flexible and understandable Deny/Allow policy engine can then be used to grant or deny access to operations on a global or key-specific basis.