Posted to commits@impala.apache.org by jo...@apache.org on 2020/10/30 04:32:28 UTC
[impala] 02/04: IMPALA-10298: Change column mask hash as SHA512 in
FIPS mode
This is an automated email from the ASF dual-hosted git repository.
joemcdonnell pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git
commit 1682afcda6e28571c83200a89f0e334a5ae49aa7
Author: wzhou-code <wz...@cloudera.com>
AuthorDate: Tue Oct 27 14:57:53 2020 -0700
IMPALA-10298: Change column mask hash as SHA512 in FIPS mode
Column masking API is called by Ranger during policy evaluation.
The Ranger team requires the column mask hash to be changed to SHA-512 in
FIPS mode without changing the API.
This patch changes the MaskFunctions::MaskHash() for string type
to use SHA-512 in FIPS mode.
Testing:
- Passed exhaustive tests.
- Manually test the API.
Change-Id: I422d4b11b31c3e6eb7963260a1da730579c4ca74
Reviewed-on: http://gerrit.cloudera.org:8080/16671
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
be/src/exprs/expr-test.cc | 26 ++++++++++++++++++++------
be/src/exprs/mask-functions-ir.cc | 19 ++++++++++++++-----
2 files changed, 34 insertions(+), 11 deletions(-)
diff --git a/be/src/exprs/expr-test.cc b/be/src/exprs/expr-test.cc
index 72e7aac..024799b 100644
--- a/be/src/exprs/expr-test.cc
+++ b/be/src/exprs/expr-test.cc
@@ -29,6 +29,8 @@
#include <boost/scoped_ptr.hpp>
#include <boost/unordered_map.hpp>
+#include <openssl/crypto.h>
+
#include "codegen/llvm-codegen.h"
#include "common/init.h"
#include "common/object-pool.h"
@@ -10481,12 +10483,24 @@ TEST_P(ExprTest, MaskTest) {
}
TEST_P(ExprTest, MaskHashTest) {
- TestStringValue("mask_hash('TestString-123')",
- "8b44d559dc5d60e4453c9b4edf2a455fbce054bb8504cd3eb9b5f391bd239c90");
- TestStringValue("mask_hash(cast('TestString-123' as varchar(24)))",
- "8b44d559dc5d60e4453c9b4edf2a455fbce054bb8504cd3eb9b5f391bd239c90");
- TestStringValue("mask_hash(cast('TestString-123' as char(24)))",
- "30a88603135d3a6f7a66b4f9193da1ab4423aed45fb8fe736c2f2a08977f2bdd");
+ if (FIPS_mode()) {
+ TestStringValue("mask_hash('TestString-123')",
+ "f3a58111be6ecec11449ac44654e72376b7759883ea11723b6e51354d50436de"
+ "645bd061cb5c2b07b68e15b7a7c342cac41f69b9c4efe19e810bbd7abf639a1c");
+ TestStringValue("mask_hash(cast('TestString-123' as varchar(24)))",
+ "f3a58111be6ecec11449ac44654e72376b7759883ea11723b6e51354d50436de"
+ "645bd061cb5c2b07b68e15b7a7c342cac41f69b9c4efe19e810bbd7abf639a1c");
+ TestStringValue("mask_hash(cast('TestString-123' as char(24)))",
+ "8eb5cfb29df20ccb1142aab8700ef4649c3b26304c35263c9bbc7db0d20e1098"
+ "47a728afe0dccdfbbb3d876a5cb3ceb0bd34b5104dd62af1feb234d705bfb193");
+ } else {
+ TestStringValue("mask_hash('TestString-123')",
+ "8b44d559dc5d60e4453c9b4edf2a455fbce054bb8504cd3eb9b5f391bd239c90");
+ TestStringValue("mask_hash(cast('TestString-123' as varchar(24)))",
+ "8b44d559dc5d60e4453c9b4edf2a455fbce054bb8504cd3eb9b5f391bd239c90");
+ TestStringValue("mask_hash(cast('TestString-123' as char(24)))",
+ "30a88603135d3a6f7a66b4f9193da1ab4423aed45fb8fe736c2f2a08977f2bdd");
+ }
TestIsNull("mask_hash(cast(123 as tinyint))", TYPE_BIGINT);
TestIsNull("mask_hash(cast(12345 as smallint))", TYPE_BIGINT);
TestIsNull("mask_hash(cast(12345 as int))", TYPE_BIGINT);
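Review bot: Only one arm of the `if (FIPS_mode())` in MaskHashTest runs in any given test process, so a build that is never run with FIPS mode enabled never checks the SHA-512 expectations, and a FIPS-only run never checks the SHA-256 ones. A comment above the branch should state this, e.g. `// Expected digest follows the OpenSSL mode of this process: SHA-512 (128 hex chars) in FIPS mode, SHA-256 (64) otherwise.` The `string` and `varchar(24)` cases share one expected value in each arm, so hoisting it into a local constant would keep the two long literals from drifting apart. The test body continues past the end of this hunk.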
diff --git a/be/src/exprs/mask-functions-ir.cc b/be/src/exprs/mask-functions-ir.cc
index 15177bf..6034501 100644
--- a/be/src/exprs/mask-functions-ir.cc
+++ b/be/src/exprs/mask-functions-ir.cc
@@ -18,6 +18,7 @@
#include "exprs/mask-functions.h"
#include <gutil/strings/substitute.h>
+#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/sha.h>
@@ -702,11 +703,19 @@ BigIntVal MaskFunctions::Mask(FunctionContext* ctx, const BigIntVal& val,
}
StringVal MaskFunctions::MaskHash(FunctionContext* ctx, const StringVal& val) {
- // Hive hash the value by sha256 and encoding it into a lower case hex string.
- StringVal sha256_hash(ctx, SHA256_DIGEST_LENGTH);
- if (UNLIKELY(sha256_hash.is_null)) return StringVal::null();
- discard_result(SHA256(val.ptr, val.len, sha256_hash.ptr));
- return StringFunctions::Lower(ctx, MathFunctions::HexString(ctx, sha256_hash));
+ // Hive hash the value by sha256 and encoding it into a lower case hex string in
+ // non FIPS mode. In FIPS enabled mode, it's required to use sha512 for mask hash.
+ if (FIPS_mode()) {
+ StringVal sha512_hash(ctx, SHA512_DIGEST_LENGTH);
+ if (UNLIKELY(sha512_hash.is_null)) return StringVal::null();
+ discard_result(SHA512(val.ptr, val.len, sha512_hash.ptr));
+ return StringFunctions::Lower(ctx, MathFunctions::HexString(ctx, sha512_hash));
+ } else {
+ StringVal sha256_hash(ctx, SHA256_DIGEST_LENGTH);
+ if (UNLIKELY(sha256_hash.is_null)) return StringVal::null();
+ discard_result(SHA256(val.ptr, val.len, sha256_hash.ptr));
+ return StringFunctions::Lower(ctx, MathFunctions::HexString(ctx, sha256_hash));
+ }
}
// For other types, the hash values are always NULL.
BigIntVal MaskFunctions::MaskHash(FunctionContext* ctx, const BigIntVal& val) {
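Review bot: Both branches of the string `MaskHash()` discard the return value of the one-shot `SHA256()`/`SHA512()` call, so if the digest ever fails, the freshly allocated `StringVal` is still hex-encoded and returned as the mask (whether that buffer is zeroed is not visible here). The branches are also identical apart from the algorithm, and FIPS-validated OpenSSL builds generally expect digests to go through the EVP interface rather than the low-level SHA entry points. I would select the `EVP_MD` once and make a single checked `EVP_Digest()` call that returns NULL on failure, as sketched below; this needs `<openssl/evp.h>`. Separately, the header comment should say that the result is 128 hex characters in FIPS mode versus 64 otherwise and that the choice follows each process's own `FIPS_mode()`, so masked values are only comparable between processes that agree on that setting.

```cpp
StringVal MaskFunctions::MaskHash(FunctionContext* ctx, const StringVal& val) {
  // SHA-512 in FIPS mode, SHA-256 (Hive-compatible) otherwise; the result is a
  // lower-case hex string of 128 or 64 characters respectively.
  const EVP_MD* md = FIPS_mode() ? EVP_sha512() : EVP_sha256();
  StringVal digest(ctx, EVP_MD_size(md));
  if (UNLIKELY(digest.is_null)) return StringVal::null();
  unsigned int digest_len = 0;
  // Never hex-encode a buffer the digest call did not fill.
  if (UNLIKELY(EVP_Digest(val.ptr, val.len, digest.ptr, &digest_len, md, nullptr) != 1)) {
    return StringVal::null();
  }
  return StringFunctions::Lower(ctx, MathFunctions::HexString(ctx, digest));
}
```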