@ajyoung
Last active November 4, 2015 19:10
Undeleting and purging KeyTrustee Key Provider methods via the REST interface

The delete operation on the KeyTrustee key provider is a "soft delete", meaning that it is possible to "undelete" the key. It is also possible to "purge" the key, which deletes it permanently. Because these operations are not part of the standard Hadoop KeyProvider API, they are not currently exposed through Hadoop KeyShell (hadoop key). However, you can call them directly via the KeyTrustee key provider REST API. The examples below run against a KMS using simple (pseudo) authentication, which is why the caller is identified by the user.name query parameter; against a Kerberized KMS you would authenticate with SPNEGO instead (curl --negotiate). The named user must also be allowed by the ACLs described at the end of this page.

See the examples below.

Use KeyShell to list existing keys

$ ./bin/hadoop key list -provider kms://http@localhost:16000/kms

Listing keys for KeyProvider: KMSClientProvider[http://localhost:16000/kms/v1/]
ajy-testkey-1

Use KeyShell to delete an existing key

$ ./bin/hadoop key delete ajy-testkey-1 -provider kms://http@localhost:16000/kms

Deleting key: ajy-testkey-1 from KeyProvider: KMSClientProvider[http://localhost:16000/kms/v1/]
ajy-testkey-1 has been successfully deleted.
KMSClientProvider[http://localhost:16000/kms/v1/] has been updated.

Use KeyShell to verify the key was deleted

$ ./bin/hadoop key list -provider kms://http@localhost:16000/kms

Listing keys for KeyProvider: KMSClientProvider[http://localhost:16000/kms/v1/]
(no keys listed)

Use the KeyTrustee key provider REST API to undelete the deleted key

$ curl -L -d "trusteeOp=undelete" "http://localhost:16000/kms/v1/trustee/key/ajy-testkey-1?user.name=anthony&trusteeOp=undelete"

Use KeyShell to verify the key was restored

$ ./bin/hadoop key list -provider kms://http@localhost:16000/kms

Listing keys for KeyProvider: KMSClientProvider[http://localhost:16000/kms/v1/]
ajy-testkey-1

Use the KeyTrustee key provider REST API to purge the restored key

$ curl -L -d "trusteeOp=purge" "http://localhost:16000/kms/v1/trustee/key/ajy-testkey-1?user.name=anthony&trusteeOp=purge"

Use KeyShell to verify the key was purged

$ ./bin/hadoop key list -provider kms://http@localhost:16000/kms

Listing keys for KeyProvider: KMSClientProvider[http://localhost:16000/kms/v1/]
(no keys listed)

Use the KeyTrustee key provider REST API to attempt to undelete the purged key

$ curl -L -d "trusteeOp=undelete" "http://localhost:16000/kms/v1/trustee/key/ajy-testkey-1?user.name=anthony&trusteeOp=undelete"
{
  "RemoteException" : {
    "message" : "Key with name ajy-testkey-1 not found in com.cloudera.keytrustee.TrusteeKeyProvider@6786dc7d",
    "exception" : "IOException",
    "javaClassName" : "java.io.IOException"
  }
}
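The sequence above (undelete, purge, then the refused undelete) as a small Python client. This is an added example, not code from the gist or from Cloudera: the URL layout, the trusteeOp parameter, simple-auth via user.name and the RemoteException body are copied from the gist; the function names, the SAMPLE_NOT_FOUND constant (constructed from the output shown above) and the assumption that an empty reply means success are mine.

```python
"""Added example (not from the gist or Cloudera): a small client for the
KeyTrustee undelete/purge REST calls demonstrated above.

The URL layout, the trusteeOp parameter, simple-auth via user.name and the
RemoteException JSON body are taken from the gist.  Function names, the
SAMPLE_NOT_FOUND constant and the treatment of an empty reply as success
are assumptions made for this example.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed from the gist's output for undeleting an already purged key.
SAMPLE_NOT_FOUND = b"""{
  "RemoteException" : {
    "message" : "Key with name ajy-testkey-1 not found in com.cloudera.keytrustee.TrusteeKeyProvider@6786dc7d",
    "exception" : "IOException",
    "javaClassName" : "java.io.IOException"
  }
}"""

TRUSTEE_OPS = ("undelete", "purge")


class TrusteeError(Exception):
    """The KMS answered with a RemoteException body."""

    def __init__(self, exception, message):
        super().__init__(f"{exception}: {message}")
        self.exception = exception
        self.message = message


def trustee_url(base, key_name, op, user):
    """Build <base>/v1/trustee/key/<key>?user.name=<user>&trusteeOp=<op>.

    The key name is percent-encoded (no '/' let through) so a hostile name
    cannot be used to reach a different path on the KMS."""
    if op not in TRUSTEE_OPS:
        raise ValueError(f"unsupported trusteeOp: {op!r}")
    path = "/v1/trustee/key/" + urllib.parse.quote(key_name, safe="")
    query = urllib.parse.urlencode({"user.name": user, "trusteeOp": op})
    return f"{base.rstrip('/')}{path}?{query}"


def parse_response(body):
    """Decode a KMS reply.

    An empty body is taken to mean success (the gist's undelete and purge
    calls print nothing).  A RemoteException body raises TrusteeError; any
    other JSON is returned to the caller."""
    text = body.decode("utf-8") if isinstance(body, bytes) else body
    if not text.strip():
        return None
    data = json.loads(text)
    if isinstance(data, dict) and "RemoteException" in data:
        exc = data["RemoteException"]
        raise TrusteeError(exc.get("exception", "unknown"), exc.get("message", ""))
    return data


def key_not_found(err):
    """True for the IOException the gist shows when undeleting a purged key."""
    return err.exception == "IOException" and "not found" in err.message


def outcome(body):
    """Summarise a reply as 'ok', 'not-found' or 'error: ...' for scripting."""
    try:
        parse_response(body)
        return "ok"
    except TrusteeError as err:
        return "not-found" if key_not_found(err) else f"error: {err}"


def trustee_op(base, key_name, op, user, opener=urllib.request.urlopen):
    """POST trusteeOp=<op>, like the curl -d calls above.

    user.name only works against a KMS running simple authentication; a
    Kerberized KMS needs SPNEGO (curl --negotiate) instead."""
    url = trustee_url(base, key_name, op, user)
    data = urllib.parse.urlencode({"trusteeOp": op}).encode("ascii")
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with opener(req) as resp:
            return parse_response(resp.read())
    except urllib.error.HTTPError as http_err:
        # The KMS may send a RemoteException body with an error status;
        # surface it as TrusteeError and re-raise anything else.
        parse_response(http_err.read())
        raise


if __name__ == "__main__":
    import sys

    base, key, op, user = sys.argv[1:5]
    try:
        trustee_op(base, key, op, user)
        print(f"{op} of {key}: ok")
    except TrusteeError as err:
        print(f"{op} of {key} refused: {err}")
        sys.exit(1)
```

Run it as `python trustee.py http://localhost:16000/kms ajy-testkey-1 purge anthony`; a purge followed by an undelete of the same key exits non-zero with the "not found" message, matching the last curl call above.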

Configure ACLs for KeyTrustee undelete, purge and migrate operations

ACLs for the KeyTrustee-specific undelete, purge and migrate operations are configured in kts-acls.xml, which goes in the same directory as your kms-acls.xml (the properties below belong inside the file's <configuration> element). The example below uses the wildcard value *, which grants each operation to every user. That is convenient for testing, but on a real cluster restrict at least PURGE to a named set of administrators, since a purge cannot be undone.

<property>
    <name>keytrustee.kms.acl.UNDELETE</name>
    <value>*</value>
    <description>
        ACL for undelete-key operations.
    </description>
</property>

<property>
    <name>keytrustee.kms.acl.PURGE</name>
    <value>*</value>
    <description>
        ACL for purge-key operations.
    </description>
</property>

<property>
    <name>keytrustee.kms.acl.MIGRATE</name>
    <value>*</value>
    <description>
        ACL for migrate-key operations.
    </description>
</property>