Class LocalWrapKmsClient

  • All Implemented Interfaces:
    KmsClient

    public abstract class LocalWrapKmsClient
    extends Object
    implements KmsClient
    Typically, KMS systems support in-server key wrapping, and their clients should implement the KmsClient interface directly. An extension of the LocalWrapKmsClient class should be used only in the rare situations where in-server wrapping is not supported. Wrapping is then done locally: the MEKs are fetched from the KMS server via the getMasterKeyFromServer function and used to encrypt a DEK or KEK inside the LocalWrapKmsClient code. Note: master key rotation is not supported with local wrapping.
    • Field Detail

      • kmsInstanceID

        protected String kmsInstanceID
      • kmsInstanceURL

        protected String kmsInstanceURL
      • kmsToken

        protected String kmsToken
      • hadoopConfiguration

        protected org.apache.hadoop.conf.Configuration hadoopConfiguration
    • Constructor Detail

      • LocalWrapKmsClient

        public LocalWrapKmsClient()
    • Method Detail

      • initialize

        public void initialize(org.apache.hadoop.conf.Configuration configuration,
                               String kmsInstanceID,
                               String kmsInstanceURL,
                               String accessToken)
        Description copied from interface: KmsClient
        Pass configuration with KMS-specific parameters.
        Specified by:
        initialize in interface KmsClient
        Parameters:
        configuration - Hadoop configuration
        kmsInstanceID - ID of the KMS instance handled by this KmsClient. Use the default value for KMS systems that don't work with multiple instances.
        kmsInstanceURL - URL of the KMS instance handled by this KmsClient. Use the default value for KMS systems that don't work with URLs.
        accessToken - KMS access (authorization) token. Use the default value for KMS systems that don't work with tokens.
      • wrapKey

        public String wrapKey(byte[] key,
                              String masterKeyIdentifier)
                       throws KeyAccessDeniedException
        Description copied from interface: KmsClient
        Wraps a key: encrypts it with the master key, encodes the result and potentially adds KMS-specific metadata. If your KMS client code throws runtime exceptions related to access/permission problems (such as Hadoop AccessControlException), catch them and throw a KeyAccessDeniedException instead.
        Specified by:
        wrapKey in interface KmsClient
        Parameters:
        key - key bytes to be wrapped
        masterKeyIdentifier - a string that uniquely identifies the master key in a KMS instance
        Returns:
        wrapped key
        Throws:
        KeyAccessDeniedException - unauthorized to encrypt with the given master key
      • unwrapKey

        public byte[] unwrapKey(String wrappedKey,
                                String masterKeyIdentifier)
                         throws KeyAccessDeniedException
        Description copied from interface: KmsClient
        Decrypts (unwraps) a key with the master key. If your KMS client code throws runtime exceptions related to access/permission problems (such as Hadoop AccessControlException), catch them and throw a KeyAccessDeniedException instead.
        Specified by:
        unwrapKey in interface KmsClient
        Parameters:
        wrappedKey - the String produced by the wrapKey operation
        masterKeyIdentifier - a string that uniquely identifies the master key in a KMS instance
        Returns:
        unwrapped key bytes
        Throws:
        KeyAccessDeniedException - unauthorized to unwrap with the given master key
      • getMasterKeyFromServer

        protected abstract byte[] getMasterKeyFromServer(String masterKeyIdentifier)
                                                  throws KeyAccessDeniedException
        Gets the master key from the remote KMS server. If your KMS client code throws runtime exceptions related to access/permission problems (such as Hadoop AccessControlException), catch them and throw a KeyAccessDeniedException instead.
        Parameters:
        masterKeyIdentifier - a string that uniquely identifies the master key in a KMS instance
        Returns:
        master key bytes
        Throws:
        KeyAccessDeniedException - unauthorized to get the master key
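An added example, not code from Parquet or from this page, of the rare case the class description covers and of the one abstract method above: a hypothetical subclass, ConfigBackedKmsClient, supplies MEKs from an assumed Hadoop property (example.kms.master.keys, in a "keyId:base64Key" format that is this example's own), and the inherited wrapKey/unwrapKey perform the wrapping locally. Because the MEK bytes end up inside the client process, this is exactly the path the description reserves for KMS systems that cannot wrap in-server.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import org.apache.hadoop.conf.Configuration;
import org.apache.parquet.crypto.KeyAccessDeniedException;
import org.apache.parquet.crypto.keytools.LocalWrapKmsClient;

/** Hypothetical client: MEKs come from a Hadoop property; the base class wraps DEKs/KEKs locally with them. */
public class ConfigBackedKmsClient extends LocalWrapKmsClient {
  // Assumed property name; the "keyId:base64Key,keyId2:base64Key2" value format is this example's own.
  static final String MASTER_KEYS_PROP = "example.kms.master.keys";
  private final Map<String, byte[]> masterKeys = new HashMap<>();
  @Override
  public void initialize(Configuration configuration, String kmsInstanceID,
                         String kmsInstanceURL, String accessToken) {
    super.initialize(configuration, kmsInstanceID, kmsInstanceURL, accessToken); // sets the protected fields
    for (String entry : configuration.getTrimmed(MASTER_KEYS_PROP, "").split(",")) {
      if (entry.isEmpty()) continue;
      String[] parts = entry.split(":", 2);
      if (parts.length != 2) throw new IllegalArgumentException("bad master key entry: " + entry);
      masterKeys.put(parts[0], Base64.getDecoder().decode(parts[1]));
    }
  }

  @Override // the single extension point: MEK bytes, or the documented exception when access is denied
  protected byte[] getMasterKeyFromServer(String masterKeyIdentifier) throws KeyAccessDeniedException {
    byte[] key = masterKeys.get(masterKeyIdentifier);
    if (key == null) {
      // Surface missing/forbidden keys as KeyAccessDeniedException, not as a raw runtime error
      throw new KeyAccessDeniedException("not authorized to fetch master key " + masterKeyIdentifier);
    }
    return key.clone(); // defensive copy, in case the caller retains the returned array
  }

  public static void main(String[] args) throws Exception {
    SecureRandom rng = new SecureRandom();
    byte[] mek = new byte[16]; // constructed 128-bit MEK for illustration only
    rng.nextBytes(mek);
    Configuration conf = new Configuration();
    conf.set(MASTER_KEYS_PROP, "mek-1:" + Base64.getEncoder().encodeToString(mek));
    ConfigBackedKmsClient client = new ConfigBackedKmsClient();
    client.initialize(conf, "DEFAULT", "DEFAULT", "DEFAULT"); // default instance ID, URL and token
    byte[] dek = new byte[16];
    rng.nextBytes(dek);
    String wrapped = client.wrapKey(dek, "mek-1");          // local wrap performed by LocalWrapKmsClient
    byte[] unwrapped = client.unwrapKey(wrapped, "mek-1");
    System.out.println(java.util.Arrays.equals(dek, unwrapped) ? "round trip ok" : "round trip FAILED");
  }
}
```

Requesting an identifier that is not in the map throws KeyAccessDeniedException from getMasterKeyFromServer, which is the behaviour the Throws clauses above describe for wrapKey and unwrapKey as well.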