Trying to understand a bit of ACLs for KMS. Below are my queries. Can someone help me and provide their thoughts?
2. In kms-acls.xml, what is the difference between the entries hadoop.kms.acl.<op-name>, key.acl.<key-name>.<op-name>, default.key.acl.<op-name> and whitelist.key.acl.<op-name>?
3. When does each of the above entries need to be used? For example, if I want fine-grained access control, I believe I need to use key.acl.<key-name>.<op-name>. But when is hadoop.kms.acl.<op-name> used in that case?
4. What happens when a user is present in multiple sections, for example in hadoop.kms.acl and in the blacklist ACL as well?
Are you planning to use Ranger KMS? If so, the permissions can be managed via Ranger UI.
Doc for Hadoop KMS is here - https://hadoop.apache.org/docs/stable/hadoop-kms/index.html
The blacklist will override the access given.
Thanks for your response. I am looking at Hadoop KMS at the moment. I have gone through the link you shared, but my doubts are still unanswered after going through the doc, as it's not quite exhaustive.
Please provide your thoughts on my other questions as well. Mainly I am trying to understand the difference between KMS Access Control and Key Access Control as documented in the link provided.
The difference between KMS Access Control and Key Access Control is that Key Access Control can define a whitelist of operations for a certain key, whereas KMS Access Control has a whitelist or blacklist based on the operation in general, for all keys.
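The precedence asked about in the question (what happens when a user is in hadoop.kms.acl and in the blacklist, and why hadoop.kms.acl still matters when key.acl is used) and the KMS-vs-key distinction in the last reply, as an added example that is not part of this thread and is not Hadoop's own code: a Python model of how KMS evaluates a constructed kms-acls.xml. It assumes Hadoop's ACL string syntax ("users groups", "*" for everyone, a leading space for groups only), that hadoop.kms.acl.<OP> defaults to "*" when unset, that a key with any explicit key.acl entry does not fall back to default.key.acl, and that a key.acl.<key>.ALL entry covers op types that have no entry of their own; that last point is a modelling assumption, not something the thread or the linked doc states. The key, user and group names are made up.

```python
"""Model of how Hadoop KMS evaluates kms-acls.xml (added example, not Hadoop code).

KMS Access Control (hadoop.kms.acl.<OP>, hadoop.kms.blacklist.<OP>) is checked
first, then Key Access Control (key.acl / default.key.acl / whitelist.key.acl).
Both gates must pass for a request to succeed.
"""
import xml.etree.ElementTree as ET

# Constructed sample kms-acls.xml for this example (not from a real deployment).
# ACL values use Hadoop syntax: "user1,user2 group1,group2"; "*" = everyone;
# a leading space means "no users, only these groups".
SAMPLE_KMS_ACLS_XML = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.kms.acl.CREATE</name><value>keyadmin hdfs-admins</value></property>
  <property><name>hadoop.kms.blacklist.DECRYPT_EEK</name><value>hdfs yarn</value></property>
  <property><name>key.acl.finance-key.MANAGEMENT</name><value>keyadmin</value></property>
  <property><name>key.acl.finance-key.DECRYPT_EEK</name><value> finance</value></property>
  <property><name>default.key.acl.MANAGEMENT</name><value>keyadmin</value></property>
  <property><name>default.key.acl.DECRYPT_EEK</name><value>alice</value></property>
  <property><name>whitelist.key.acl.DECRYPT_EEK</name><value>auditor</value></property>
</configuration>
"""

KMS_OPS = ("CREATE", "DELETE", "ROLLOVER", "GET", "GET_KEYS", "GET_METADATA",
           "SET_KEY_MATERIAL", "GENERATE_EEK", "DECRYPT_EEK")
KEY_OP_TYPES = ("MANAGEMENT", "GENERATE_EEK", "DECRYPT_EEK", "READ", "ALL")

# REST operation -> (hadoop.kms.acl op, key.acl op type), as grouped in the KMS docs.
OPERATIONS = {
    "createKey": ("CREATE", "MANAGEMENT"),
    "deleteKey": ("DELETE", "MANAGEMENT"),
    "rolloverNewVersion": ("ROLLOVER", "MANAGEMENT"),
    "generateEncryptedKey": ("GENERATE_EEK", "GENERATE_EEK"),
    "decryptEncryptedKey": ("DECRYPT_EEK", "DECRYPT_EEK"),
    "getKeyVersion": ("GET", "READ"),
    "getMetadata": ("GET_METADATA", "READ"),
}


class Acl:
    """One Hadoop ACL string: users before the first space, groups after it."""

    def __init__(self, text):
        parts = text.split(" ", 1)
        self.everyone = any(p.strip() == "*" for p in parts)
        self.users = {u.strip() for u in parts[0].split(",") if u.strip()}
        self.groups = set()
        if len(parts) == 2:
            self.groups = {g.strip() for g in parts[1].split(",") if g.strip()}

    def matches(self, user, groups):
        return self.everyone or user in self.users or bool(self.groups & set(groups))


class KmsAcls:
    def __init__(self, xml_text):
        props = {p.findtext("name").strip(): (p.findtext("value") or "")
                 for p in ET.fromstring(xml_text).iter("property")}
        # KMS Access Control: hadoop.kms.acl.<OP> defaults to "*" when absent;
        # hadoop.kms.blacklist.<OP> only applies when present.
        self.kms_acl = {op: Acl(props.get("hadoop.kms.acl." + op, "*")) for op in KMS_OPS}
        self.kms_blacklist = {op: Acl(props["hadoop.kms.blacklist." + op])
                              for op in KMS_OPS if "hadoop.kms.blacklist." + op in props}
        # Key Access Control: per-key, default and whitelist maps of op type -> Acl.
        self.key_acls, self.default_key_acl, self.whitelist_key_acl = {}, {}, {}
        for name, value in props.items():
            if name.startswith("key.acl."):
                key_name, _, op = name[len("key.acl."):].rpartition(".")
                if key_name and op in KEY_OP_TYPES:
                    self.key_acls.setdefault(key_name, {})[op] = Acl(value)
            for prefix, target in (("default.key.acl.", self.default_key_acl),
                                   ("whitelist.key.acl.", self.whitelist_key_acl)):
                op = name[len(prefix):] if name.startswith(prefix) else None
                if op in KEY_OP_TYPES and op != "ALL":  # ALL is not valid for these
                    target[op] = Acl(value)

    def kms_allows(self, op, user, groups):
        """hadoop.kms.acl.<OP> must match, and hadoop.kms.blacklist.<OP> must not."""
        if not self.kms_acl[op].matches(user, groups):
            return False
        blacklist = self.kms_blacklist.get(op)
        return blacklist is None or not blacklist.matches(user, groups)

    def key_allows(self, key, op_type, user, groups):
        """Per-key ACL if the key has any key.acl.<key>.* entry, else default.key.acl.*;
        whitelist.key.acl.<op> is ORed in either case; no entry at all means deny."""
        acl_map = self.key_acls.get(key, self.default_key_acl)
        # Modelling assumption: key.acl.<key>.ALL covers op types without an entry.
        acl = acl_map.get(op_type) or acl_map.get("ALL")
        whitelist = self.whitelist_key_acl.get(op_type)
        return ((acl is not None and acl.matches(user, groups)) or
                (whitelist is not None and whitelist.matches(user, groups)))


def authorize(acls, operation, key, user, groups=()):
    """Return (allowed, reason) for one KMS request; both gates must pass."""
    kms_op, key_op = OPERATIONS[operation]
    if not acls.kms_allows(kms_op, user, groups):
        return False, "hadoop.kms.acl.%s / blacklist" % kms_op
    if not acls.key_allows(key, key_op, user, groups):
        return False, "key ACL for %s on %s" % (key_op, key)
    return True, "allowed"


if __name__ == "__main__":
    acls = KmsAcls(SAMPLE_KMS_ACLS_XML)
    for op, key, user, groups in [
        ("decryptEncryptedKey", "finance-key", "bob", ["finance"]),   # per-key group entry
        ("decryptEncryptedKey", "finance-key", "hdfs", ["finance"]),  # blacklist wins
        ("decryptEncryptedKey", "finance-key", "alice", []),          # default not consulted
        ("decryptEncryptedKey", "hr-key", "alice", []),               # default applies
        ("decryptEncryptedKey", "finance-key", "auditor", []),        # whitelist applies
        ("createKey", "hr-key", "bob", ["hdfs-admins"]),              # KMS ACL ok, key ACL denies
        ("getMetadata", "hr-key", "alice", []),                       # no READ entry anywhere
    ]:
        print(op, key, user, groups, "->", authorize(acls, op, key, user, groups))
```

The second and sixth cases are the ones the question is about: the blacklist denies hdfs even though hadoop.kms.acl.DECRYPT_EEK admits everyone, and bob passes hadoop.kms.acl.CREATE through the hdfs-admins group but is still refused by the key-level MANAGEMENT ACL, so both layers have to grant. The third case shows why a single explicit key.acl entry for a key matters: once finance-key has its own entries, default.key.acl.DECRYPT_EEK no longer applies to it.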