You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by me...@apache.org on 2018/04/18 06:54:09 UTC
[1/3] ranger git commit: RANGER-2043 : Ranger KMS KeyProvider and HSM
KeyProvider should have more debug logs
Repository: ranger
Updated Branches:
refs/heads/master 499650ce0 -> bc2cd5e00
http://git-wip-us.apache.org/repos/asf/ranger/blob/bc2cd5e0/src/main/assembly/kms.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/kms.xml b/src/main/assembly/kms.xml
index 68512ef..7fbc141 100755
--- a/src/main/assembly/kms.xml
+++ b/src/main/assembly/kms.xml
@@ -16,363 +16,367 @@
limitations under the License.
-->
<assembly>
- <id>kms</id>
- <formats>
- <format>tar.gz</format>
- <format>zip</format>
- </formats>
- <baseDirectory>${project.name}-${project.version}-kms</baseDirectory>
- <includeBaseDirectory>true</includeBaseDirectory>
-
- <moduleSets>
- <moduleSet>
- <binaries>
- <includeDependencies>false</includeDependencies>
- <unpack>false</unpack>
- <outputDirectory>/ews/webapp/lib</outputDirectory>
- <dependencySets>
- <dependencySet>
- <outputDirectory>/ews/webapp/lib</outputDirectory>
+ <id>kms</id>
+ <formats>
+ <format>tar.gz</format>
+ <format>zip</format>
+ </formats>
+ <baseDirectory>${project.name}-${project.version}-kms</baseDirectory>
+ <includeBaseDirectory>true</includeBaseDirectory>
+
+ <moduleSets>
+ <moduleSet>
+ <binaries>
+ <includeDependencies>false</includeDependencies>
<unpack>false</unpack>
- <includes>
- <include>org.apache.hadoop:hadoop-common:jar:${hadoop.version}</include>
- <include>org.apache.hadoop:hadoop-auth:jar:${hadoop.version}</include>
- <include>org.eclipse.persistence:eclipselink</include>
- <include>org.eclipse.persistence:javax.persistence</include>
- <include>com.googlecode.log4jdbc:log4jdbc</include>
- <include>log4j:log4j</include>
- <include>org.slf4j:slf4j-api</include>
- <include>org.slf4j:slf4j-log4j12</include>
- <include>com.codahale.metrics:metrics-core</include>
- <include>org.slf4j:jul-to-slf4j</include>
- <include>commons-logging:commons-logging</include>
- <include>com.google.guava:guava</include>
- <include>com.sun.jersey:jersey-core</include>
- <include>com.sun.jersey:jersey-server</include>
- <include>javax.servlet:servlet-api</include>
- <include>org.mortbay.jetty:jetty</include>
- <include>org.mortbay.jetty:jetty-util</include>
- <include>commons-collections:commons-collections</include>
- <include>commons-lang:commons-lang</include>
- <include>org.apache.zookeeper:zookeeper</include>
- <include>org.apache.curator:curator-framework</include>
- <include>org.apache.curator:curator-client</include>
- <include>org.apache.curator:curator-test</include>
- <include>asm:asm-all</include>
- <include>com.sun.jersey:jersey-bundle</include>
- <include>org.apache.httpcomponents:httpclient</include>
- <include>javax.activation:activation</include>
- <include>org.apache.directory.server:apacheds-i18n</include>
- <include>org.apache.directory.server:apacheds-kerberos-codec</include>
- <include>org.apache.directory.api:api-asn1-api</include>
- <include>org.apache.directory.api:api-i18n</include>
- <include>org.apache.directory.api:api-util</include>
- <include>org.apache.avro:avro</include>
- <include>commons-beanutils:commons-beanutils</include>
- <include>commons-cli:commons-cli</include>
- <include>commons-codec:commons-codec</include>
- <include>org.apache.commons:commons-compress</include>
- <include>commons-configuration:commons-configuration</include>
- <include>commons-digester:commons-digester</include>
- <include>commons-io:commons-io</include>
- <include>org.apache.commons:commons-math3</include>
- <include>commons-net:commons-net</include>
- <include>org.apache.curator:curator-recipes</include>
- <include>com.google.code.gson:gson</include>
- <include>org.apache.hadoop:hadoop-annotations</include>
- <include>org.apache.htrace:htrace-core</include>
- <include>org.apache.httpcomponents:httpcore</include>
- <include>org.codehaus.jackson:jackson-core-asl</include>
- <include>org.codehaus.jackson:jackson-jaxrs</include>
- <include>org.codehaus.jackson:jackson-mapper-asl</include>
- <include>org.codehaus.jackson:jackson-xc</include>
- <include>javax.xml.bind:jaxb-api</include>
- <include>com.sun.xml.bind:jaxb-impl</include>
- <include>com.sun.jersey:jersey-json</include>
- <include>org.codehaus.jettison:jettison</include>
- <include>jline:jline</include>
- <include>com.jcraft:jsch</include>
- <include>com.google.code.findbugs:jsr305</include>
- <include>io.netty:netty</include>
- <include>com.thoughtworks.paranamer:paranamer</include>
- <include>org.xerial.snappy:snappy-java</include>
- <include>xmlenc:xmlenc</include>
- <include>org.tukaani:xz</include>
- <include>org.apache.httpcomponents:httpmime:jar:${httpcomponents.httpmime.version}</include>
- <include>org.apache.httpcomponents:httpclient:jar:${kms.httpcomponents.httpclient.version}</include>
- <include>org.noggit:noggit:jar:${noggit.version}</include>
- <include>com.google.protobuf:protobuf-java:jar:${protobuf-java.version}</include>
- <include>org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version}</include>
- <include>org.apache.htrace:htrace-core:jar:${htrace-core.version}</include>
- </includes>
- </dependencySet>
- </dependencySets>
- </binaries>
- <includes>
- <include>org.apache.ranger:ranger-kms</include>
- </includes>
- </moduleSet>
-
- <moduleSet>
- <binaries>
- <includeDependencies>false</includeDependencies>
- <unpack>true</unpack>
- <outputDirectory>/ews/webapp</outputDirectory>
- </binaries>
- <includes>
- <include>org.apache.ranger:ranger-kms</include>
- </includes>
- </moduleSet>
+ <outputDirectory>/ews/webapp/lib</outputDirectory>
+ <dependencySets>
+ <dependencySet>
+ <outputDirectory>/ews/webapp/lib</outputDirectory>
+ <unpack>false</unpack>
+ <includes>
+ <include>org.apache.hadoop:hadoop-common:jar:${hadoop.version}</include>
+ <include>org.apache.hadoop:hadoop-auth:jar:${hadoop.version}</include>
+ <include>org.eclipse.persistence:eclipselink</include>
+ <include>org.eclipse.persistence:javax.persistence</include>
+ <include>com.googlecode.log4jdbc:log4jdbc</include>
+ <include>log4j:log4j</include>
+ <include>org.slf4j:slf4j-api</include>
+ <include>org.slf4j:slf4j-log4j12</include>
+ <include>com.codahale.metrics:metrics-core</include>
+ <include>org.slf4j:jul-to-slf4j</include>
+ <include>commons-logging:commons-logging</include>
+ <include>com.google.guava:guava</include>
+ <include>com.sun.jersey:jersey-core</include>
+ <include>com.sun.jersey:jersey-server</include>
+ <include>javax.servlet:servlet-api</include>
+ <include>org.mortbay.jetty:jetty</include>
+ <include>org.mortbay.jetty:jetty-util</include>
+ <include>commons-collections:commons-collections</include>
+ <include>commons-lang:commons-lang</include>
+ <include>org.apache.zookeeper:zookeeper</include>
+ <include>org.apache.curator:curator-framework</include>
+ <include>org.apache.curator:curator-client</include>
+ <include>org.apache.curator:curator-test</include>
+ <include>asm:asm-all</include>
+ <include>com.sun.jersey:jersey-bundle</include>
+ <include>org.apache.httpcomponents:httpclient</include>
+ <include>javax.activation:activation</include>
+ <include>org.apache.directory.server:apacheds-i18n</include>
+ <include>org.apache.directory.server:apacheds-kerberos-codec</include>
+ <include>org.apache.directory.api:api-asn1-api</include>
+ <include>org.apache.directory.api:api-i18n</include>
+ <include>org.apache.directory.api:api-util</include>
+ <include>org.apache.avro:avro</include>
+ <include>commons-beanutils:commons-beanutils</include>
+ <include>commons-cli:commons-cli</include>
+ <include>commons-codec:commons-codec</include>
+ <include>org.apache.commons:commons-compress</include>
+ <include>commons-configuration:commons-configuration</include>
+ <include>commons-digester:commons-digester</include>
+ <include>commons-io:commons-io</include>
+ <include>org.apache.commons:commons-math3</include>
+ <include>commons-net:commons-net</include>
+ <include>org.apache.curator:curator-recipes</include>
+ <include>com.google.code.gson:gson</include>
+ <include>org.apache.hadoop:hadoop-annotations</include>
+ <include>org.apache.htrace:htrace-core</include>
+ <include>org.apache.httpcomponents:httpcore</include>
+ <include>org.codehaus.jackson:jackson-core-asl</include>
+ <include>org.codehaus.jackson:jackson-jaxrs</include>
+ <include>org.codehaus.jackson:jackson-mapper-asl</include>
+ <include>org.codehaus.jackson:jackson-xc</include>
+ <include>javax.xml.bind:jaxb-api</include>
+ <include>com.sun.xml.bind:jaxb-impl</include>
+ <include>com.sun.jersey:jersey-json</include>
+ <include>org.codehaus.jettison:jettison</include>
+ <include>jline:jline</include>
+ <include>com.jcraft:jsch</include>
+ <include>com.google.code.findbugs:jsr305</include>
+ <include>io.netty:netty</include>
+ <include>com.thoughtworks.paranamer:paranamer</include>
+ <include>org.xerial.snappy:snappy-java</include>
+ <include>xmlenc:xmlenc</include>
+ <include>org.tukaani:xz</include>
+ <include>org.apache.httpcomponents:httpmime:jar:${httpcomponents.httpmime.version}</include>
+ <include>org.apache.httpcomponents:httpclient:jar:${kms.httpcomponents.httpclient.version}
+ </include>
+ <include>org.noggit:noggit:jar:${noggit.version}</include>
+ <include>com.google.protobuf:protobuf-java:jar:${protobuf-java.version}</include>
+ <include>org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version}</include>
+ <include>org.apache.htrace:htrace-core:jar:${htrace-core.version}</include>
+ </includes>
+ </dependencySet>
+ </dependencySets>
+ </binaries>
+ <includes>
+ <include>org.apache.ranger:ranger-kms</include>
+ </includes>
+ </moduleSet>
+
+ <moduleSet>
+ <binaries>
+ <includeDependencies>false</includeDependencies>
+ <unpack>true</unpack>
+ <outputDirectory>/ews/webapp</outputDirectory>
+ </binaries>
+ <includes>
+ <include>org.apache.ranger:ranger-kms</include>
+ </includes>
+ </moduleSet>
- <moduleSet>
- <binaries>
- <includeDependencies>false</includeDependencies>
- <outputDirectory>/ews/webapp/WEB-INF/classes/lib</outputDirectory>
- <unpack>false</unpack>
- <directoryMode>755</directoryMode>
- <fileMode>644</fileMode>
- <dependencySets>
- <dependencySet>
+ <moduleSet>
+ <binaries>
+ <includeDependencies>false</includeDependencies>
<outputDirectory>/ews/webapp/WEB-INF/classes/lib</outputDirectory>
- <includes>
- <include>org.apache.tomcat.embed:tomcat-embed*</include>
- <include>org.apache.tomcat:tomcat-annotations-api*</include>
- <include>org.eclipse.jdt.core.compiler:ecj:jar:P20140317-1600</include>
- <include>com.google.protobuf:protobuf-java:jar:${protobuf-java.version}</include>
- <include>org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version}</include>
- <include>org.apache.htrace:htrace-core:jar:${htrace-core.version}</include>
- <include>org.apache.solr:solr-solrj</include>
- <include>org.apache.ranger:ranger-plugins-common</include>
- </includes>
<unpack>false</unpack>
- </dependencySet>
- </dependencySets>
- </binaries>
- <includes>
- <include>org.apache.ranger:embeddedwebserver</include>
- </includes>
- </moduleSet>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <dependencySets>
+ <dependencySet>
+ <outputDirectory>/ews/webapp/WEB-INF/classes/lib</outputDirectory>
+ <includes>
+ <include>org.apache.tomcat.embed:tomcat-embed*</include>
+ <include>org.apache.tomcat:tomcat-annotations-api*</include>
+ <include>org.eclipse.jdt.core.compiler:ecj:jar:P20140317-1600</include>
+ <include>com.google.protobuf:protobuf-java:jar:${protobuf-java.version}</include>
+ <include>org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version}</include>
+ <include>org.apache.htrace:htrace-core:jar:${htrace-core.version}</include>
+ <include>org.apache.solr:solr-solrj</include>
+ <include>org.apache.ranger:ranger-plugins-common</include>
+ </includes>
+ <unpack>false</unpack>
+ </dependencySet>
+ </dependencySets>
+ </binaries>
+ <includes>
+ <include>org.apache.ranger:embeddedwebserver</include>
+ </includes>
+ </moduleSet>
- <moduleSet>
- <binaries>
- <includeDependencies>false</includeDependencies>
- <outputDirectory>/jisql/lib</outputDirectory>
- <unpack>false</unpack>
- <directoryMode>755</directoryMode>
- <fileMode>644</fileMode>
- <dependencySets>
- <dependencySet>
+ <moduleSet>
+ <binaries>
+ <includeDependencies>false</includeDependencies>
<outputDirectory>/jisql/lib</outputDirectory>
<unpack>false</unpack>
- <includes>
- <include>net.sf.jopt-simple:jopt-simple</include>
- </includes>
- </dependencySet>
- </dependencySets>
- </binaries>
- <includes>
- <include>org.apache.ranger:jisql</include>
- </includes>
- </moduleSet>
- <!-- Plugin -->
- <moduleSet>
- <binaries>
- <includeDependencies>false</includeDependencies>
- <unpack>false</unpack>
- <directoryMode>755</directoryMode>
- <fileMode>644</fileMode>
- <outputDirectory>/ews/webapp/WEB-INF/classes/lib</outputDirectory>
- </binaries>
- <includes>
- <include>org.apache.ranger:ranger-kms-plugin-shim</include>
- <include>org.apache.ranger:ranger-plugin-classloader</include>
- <include>org.apache.ranger:credentialbuilder</include>
- </includes>
- </moduleSet>
- <moduleSet>
- <binaries>
- <includeDependencies>false</includeDependencies>
- <unpack>false</unpack>
- <directoryMode>755</directoryMode>
- <fileMode>644</fileMode>
- <dependencySets>
- <dependencySet>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <dependencySets>
+ <dependencySet>
+ <outputDirectory>/jisql/lib</outputDirectory>
+ <unpack>false</unpack>
+ <includes>
+ <include>net.sf.jopt-simple:jopt-simple</include>
+ </includes>
+ </dependencySet>
+ </dependencySets>
+ </binaries>
+ <includes>
+ <include>org.apache.ranger:jisql</include>
+ </includes>
+ </moduleSet>
+ <!-- Plugin -->
+ <moduleSet>
+ <binaries>
+ <includeDependencies>false</includeDependencies>
+ <unpack>false</unpack>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <outputDirectory>/ews/webapp/WEB-INF/classes/lib</outputDirectory>
+ </binaries>
+ <includes>
+ <include>org.apache.ranger:ranger-kms-plugin-shim</include>
+ <include>org.apache.ranger:ranger-plugin-classloader</include>
+ <include>org.apache.ranger:credentialbuilder</include>
+ </includes>
+ </moduleSet>
+ <moduleSet>
+ <binaries>
+ <includeDependencies>false</includeDependencies>
+ <unpack>false</unpack>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <dependencySets>
+ <dependencySet>
+ <outputDirectory>/ews/webapp/WEB-INF/classes/lib/ranger-kms-plugin-impl</outputDirectory>
+ <unpack>false</unpack>
+ <includes>
+ <include>commons-configuration:commons-configuration:jar:${commons.pool.version}</include>
+ <include>com.google.code.gson:gson</include>
+ <include>org.eclipse.persistence:eclipselink</include>
+ <include>org.eclipse.persistence:javax.persistence</include>
+ <include>commons-collections:commons-collections</include>
+ <include>commons-logging:commons-logging:jar:${commons.logging.version}</include>
+ <include>com.google.guava:guava:jar:${guava.version}</include>
+ <include>org.apache.httpcomponents:httpclient:jar:${httpcomponents.httpclient.version}
+ </include>
+ <include>org.apache.httpcomponents:httpcore:jar:${httpcomponents.httpcore.version}</include>
+ <include>org.apache.httpcomponents:httpmime:jar:${httpcomponents.httpmime.version}</include>
+ <include>org.noggit:noggit:jar:${noggit.version}</include>
+ <include>org.apache.zookeeper:zookeeper:jar:${zookeeper.version}</include>
+ <include>org.apache.solr:solr-solrj</include>
+ </includes>
+ </dependencySet>
+ <dependencySet>
+ <outputDirectory>/install/lib</outputDirectory>
+ <unpack>false</unpack>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <includes>
+ <include>commons-cli:commons-cli</include>
+ <include>commons-collections:commons-collections</include>
+ <include>commons-configuration:commons-configuration:jar:${commons.pool.version}</include>
+ <include>commons-io:commons-io:jar:${commons.io.version}</include>
+ <include>commons-lang:commons-lang:jar:${commons.lang.version}</include>
+ <include>commons-logging:commons-logging:jar:${commons.logging.version}</include>
+ <include>com.google.guava:guava:jar:${guava.version}</include>
+ <include>org.slf4j:slf4j-api:jar:${slf4j-api.version}</include>
+ <include>org.apache.hadoop:hadoop-common:jar:${hadoop.version}</include>
+ <include>org.apache.hadoop:hadoop-auth:jar:${hadoop.version}</include>
+ <include>org.apache.ranger:ranger-plugins-cred</include>
+ <include>org.apache.ranger:credentialbuilder</include>
+ </includes>
+ </dependencySet>
+ </dependencySets>
<outputDirectory>/ews/webapp/WEB-INF/classes/lib/ranger-kms-plugin-impl</outputDirectory>
+ </binaries>
+ <includes>
+ <include>org.apache.ranger:ranger-plugins-audit</include>
+ <include>org.apache.ranger:ranger-plugins-cred</include>
+ <include>org.apache.ranger:ranger-plugins-common</include>
+ <include>org.apache.ranger:ranger-kms-plugin</include>
+ </includes>
+ </moduleSet>
+ <moduleSet>
+ <binaries>
+ <includeDependencies>false</includeDependencies>
+ <outputDirectory>/install/lib</outputDirectory>
+ <unpack>false</unpack>
+ </binaries>
+ <includes>
+ <include>org.apache.ranger:ranger-plugins-installer</include>
+ <include>org.apache.ranger:credentialbuilder</include>
+ </includes>
+ </moduleSet>
+ <!-- End Plugin -->
+ <moduleSet>
+ <binaries>
+ <includeDependencies>false</includeDependencies>
+ <outputDirectory>/cred/lib</outputDirectory>
<unpack>false</unpack>
- <includes>
- <include>commons-configuration:commons-configuration:jar:${commons.pool.version}</include>
- <include>com.google.code.gson:gson</include>
- <include>org.eclipse.persistence:eclipselink</include>
- <include>org.eclipse.persistence:javax.persistence</include>
- <include>commons-collections:commons-collections</include>
- <include>commons-logging:commons-logging:jar:${commons.logging.version}</include>
- <include>com.google.guava:guava:jar:${guava.version}</include>
- <include>org.apache.httpcomponents:httpclient:jar:${httpcomponents.httpclient.version}</include>
- <include>org.apache.httpcomponents:httpcore:jar:${httpcomponents.httpcore.version}</include>
- <include>org.apache.httpcomponents:httpmime:jar:${httpcomponents.httpmime.version}</include>
- <include>org.noggit:noggit:jar:${noggit.version}</include>
- <include>org.apache.zookeeper:zookeeper:jar:${zookeeper.version}</include>
- <include>org.apache.solr:solr-solrj</include>
- </includes>
- </dependencySet>
- <dependencySet>
- <outputDirectory>/install/lib</outputDirectory>
- <unpack>false</unpack>
- <directoryMode>755</directoryMode>
- <fileMode>644</fileMode>
- <includes>
- <include>commons-cli:commons-cli</include>
- <include>commons-collections:commons-collections</include>
- <include>commons-configuration:commons-configuration:jar:${commons.pool.version}</include>
- <include>commons-io:commons-io:jar:${commons.io.version}</include>
- <include>commons-lang:commons-lang:jar:${commons.lang.version}</include>
- <include>commons-logging:commons-logging:jar:${commons.logging.version}</include>
- <include>com.google.guava:guava:jar:${guava.version}</include>
- <include>org.slf4j:slf4j-api:jar:${slf4j-api.version}</include>
- <include>org.apache.hadoop:hadoop-common:jar:${hadoop.version}</include>
- <include>org.apache.hadoop:hadoop-auth:jar:${hadoop.version}</include>
- <include>org.apache.ranger:ranger-plugins-cred</include>
- <include>org.apache.ranger:credentialbuilder</include>
- </includes>
- </dependencySet>
- </dependencySets>
- <outputDirectory>/ews/webapp/WEB-INF/classes/lib/ranger-kms-plugin-impl</outputDirectory>
- </binaries>
- <includes>
- <include>org.apache.ranger:ranger-plugins-audit</include>
- <include>org.apache.ranger:ranger-plugins-cred</include>
- <include>org.apache.ranger:ranger-plugins-common</include>
- <include>org.apache.ranger:ranger-kms-plugin</include>
- </includes>
- </moduleSet>
- <moduleSet>
- <binaries>
- <includeDependencies>false</includeDependencies>
- <outputDirectory>/install/lib</outputDirectory>
- <unpack>false</unpack>
- </binaries>
- <includes>
- <include>org.apache.ranger:ranger-plugins-installer</include>
- <include>org.apache.ranger:credentialbuilder</include>
- </includes>
- </moduleSet>
- <!-- End Plugin -->
- <moduleSet>
- <binaries>
- <includeDependencies>false</includeDependencies>
- <outputDirectory>/cred/lib</outputDirectory>
- <unpack>false</unpack>
- <directoryMode>755</directoryMode>
- <fileMode>644</fileMode>
- <dependencySets>
- <dependencySet>
- <outputDirectory>/cred/lib</outputDirectory>
- <unpack>false</unpack>
- <includes>
- <include>commons-cli:commons-cli</include>
- <include>commons-collections:commons-collections</include>
- <include>commons-configuration:commons-configuration</include>
- <include>commons-io:commons-io:jar:${commons.io.version}</include>
- <include>commons-lang:commons-lang</include>
- <include>commons-logging:commons-logging</include>
- <include>com.google.guava:guava</include>
- <include>org.slf4j:slf4j-api</include>
- <include>org.apache.hadoop:hadoop-common</include>
- <include>org.apache.hadoop:hadoop-auth</include>
- <include>org.apache.htrace:htrace-core</include>
- </includes>
- </dependencySet>
- </dependencySets>
- </binaries>
- <includes>
- <include>org.apache.ranger:credentialbuilder</include>
- </includes>
- </moduleSet>
- </moduleSets>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <dependencySets>
+ <dependencySet>
+ <outputDirectory>/cred/lib</outputDirectory>
+ <unpack>false</unpack>
+ <includes>
+ <include>commons-cli:commons-cli</include>
+ <include>commons-collections:commons-collections</include>
+ <include>commons-configuration:commons-configuration</include>
+ <include>commons-io:commons-io:jar:${commons.io.version}</include>
+ <include>commons-lang:commons-lang</include>
+ <include>commons-logging:commons-logging</include>
+ <include>com.google.guava:guava</include>
+ <include>org.slf4j:slf4j-api</include>
+ <include>org.apache.hadoop:hadoop-common</include>
+ <include>org.apache.hadoop:hadoop-auth</include>
+ <include>org.apache.htrace:htrace-core</include>
+ </includes>
+ </dependencySet>
+ </dependencySets>
+ </binaries>
+ <includes>
+ <include>org.apache.ranger:credentialbuilder</include>
+ </includes>
+ </moduleSet>
+ </moduleSets>
- <fileSets>
- <!-- <fileSet>
- <outputDirectory>/ews/webapp/WEB-INF/classes/conf.dist</outputDirectory>
- <directory>kms/config/webserver</directory>
- <fileMode>700</fileMode>
- </fileSet> -->
- <fileSet>
- <outputDirectory>/db</outputDirectory>
- <directoryMode>755</directoryMode>
- <directory>kms/scripts/db</directory>
- <fileMode>544</fileMode>
- </fileSet>
- <fileSet>
- <outputDirectory>/</outputDirectory>
- <directory>kms/scripts</directory>
- <includes>
- <include>dba_script.py</include>
- <include>db_setup.py</include>
- <include>update_property.py</include>
- <include>ranger-kms-initd</include>
- <include>ranger-kms</include>
- <include>setup.sh</include>
- <include>install.properties</include>
- <include>importJCEKSKeys.sh</include>
- <include>exportKeysToJCEKS.sh</include>
- <include>HSMMK2DB.sh</include>
- <include>DBMK2HSM.sh</include>
- </includes>
- <fileMode>544</fileMode>
- </fileSet>
- <fileSet>
- <outputDirectory>/ews/webapp/WEB-INF/classes/conf.dist</outputDirectory>
- <directoryMode>0700</directoryMode>
- <directory>kms/config/kms-webapp</directory>
- <fileMode>0700</fileMode>
- </fileSet>
- <fileSet>
- <outputDirectory>/ews/webapp/WEB-INF/classes/conf.dist</outputDirectory>
- <directoryMode>0700</directoryMode>
- <directory>kms/config/webserver</directory>
- <fileMode>0700</fileMode>
- </fileSet>
- <!-- Plugin -->
- <!-- conf.templates for enable -->
- <fileSet>
- <outputDirectory>/install/conf.templates/enable</outputDirectory>
- <directory>plugin-kms/conf</directory>
- <excludes>
- <exclude>*.sh</exclude>
- </excludes>
- <fileMode>700</fileMode>
- </fileSet>
- <fileSet>
- <outputDirectory>/install/conf.templates/disable</outputDirectory>
- <directory>plugin-kms/disable-conf</directory>
- <fileMode>700</fileMode>
- </fileSet>
- <fileSet>
- <outputDirectory>/install/conf.templates/default</outputDirectory>
- <directory>plugin-kms/template</directory>
- <fileMode>700</fileMode>
- </fileSet>
- <!-- version file -->
- <fileSet>
- <outputDirectory>/</outputDirectory>
- <directory>${project.build.directory}</directory>
- <includes>
- <include>version</include>
- </includes>
- <fileMode>444</fileMode>
- </fileSet>
- </fileSets>
- <files>
- <file>
- <source>plugin-kms/scripts/enable-kms-plugin.sh</source>
- <outputDirectory>/</outputDirectory>
- <destName>enable-kms-plugin.sh</destName>
- <fileMode>755</fileMode>
- </file>
- <file>
- <source>security-admin/scripts/ranger_credential_helper.py</source>
- <outputDirectory>/</outputDirectory>
- <fileMode>755</fileMode>
- </file>
- </files>
+ <fileSets>
+ <!-- <fileSet>
+ <outputDirectory>/ews/webapp/WEB-INF/classes/conf.dist</outputDirectory>
+ <directory>kms/config/webserver</directory>
+ <fileMode>700</fileMode>
+ </fileSet> -->
+ <fileSet>
+ <outputDirectory>/db</outputDirectory>
+ <directoryMode>755</directoryMode>
+ <directory>kms/scripts/db</directory>
+ <fileMode>544</fileMode>
+ </fileSet>
+ <fileSet>
+ <outputDirectory>/</outputDirectory>
+ <directory>kms/scripts</directory>
+ <includes>
+ <include>dba_script.py</include>
+ <include>db_setup.py</include>
+ <include>update_property.py</include>
+ <include>ranger-kms-initd</include>
+ <include>ranger-kms</include>
+ <include>setup.sh</include>
+ <include>install.properties</include>
+ <include>importJCEKSKeys.sh</include>
+ <include>exportKeysToJCEKS.sh</include>
+ <include>HSMMK2DB.sh</include>
+ <include>DBMK2HSM.sh</include>
+ <include>VerifyIsDBMasterkeyCorrect.sh</include>
+ <include>VerifyIsHSMMasterkeyCorrect.sh</include>
+ </includes>
+ <fileMode>544</fileMode>
+ </fileSet>
+ <fileSet>
+ <outputDirectory>/ews/webapp/WEB-INF/classes/conf.dist</outputDirectory>
+ <directoryMode>0700</directoryMode>
+ <directory>kms/config/kms-webapp</directory>
+ <fileMode>0700</fileMode>
+ </fileSet>
+ <fileSet>
+ <outputDirectory>/ews/webapp/WEB-INF/classes/conf.dist</outputDirectory>
+ <directoryMode>0700</directoryMode>
+ <directory>kms/config/webserver</directory>
+ <fileMode>0700</fileMode>
+ </fileSet>
+ <!-- Plugin -->
+ <!-- conf.templates for enable -->
+ <fileSet>
+ <outputDirectory>/install/conf.templates/enable</outputDirectory>
+ <directory>plugin-kms/conf</directory>
+ <excludes>
+ <exclude>*.sh</exclude>
+ </excludes>
+ <fileMode>700</fileMode>
+ </fileSet>
+ <fileSet>
+ <outputDirectory>/install/conf.templates/disable</outputDirectory>
+ <directory>plugin-kms/disable-conf</directory>
+ <fileMode>700</fileMode>
+ </fileSet>
+ <fileSet>
+ <outputDirectory>/install/conf.templates/default</outputDirectory>
+ <directory>plugin-kms/template</directory>
+ <fileMode>700</fileMode>
+ </fileSet>
+ <!-- version file -->
+ <fileSet>
+ <outputDirectory>/</outputDirectory>
+ <directory>${project.build.directory}</directory>
+ <includes>
+ <include>version</include>
+ </includes>
+ <fileMode>444</fileMode>
+ </fileSet>
+ </fileSets>
+ <files>
+ <file>
+ <source>plugin-kms/scripts/enable-kms-plugin.sh</source>
+ <outputDirectory>/</outputDirectory>
+ <destName>enable-kms-plugin.sh</destName>
+ <fileMode>755</fileMode>
+ </file>
+ <file>
+ <source>security-admin/scripts/ranger_credential_helper.py</source>
+ <outputDirectory>/</outputDirectory>
+ <fileMode>755</fileMode>
+ </file>
+ </files>
</assembly>
[3/3] ranger git commit: RANGER-2043 : Ranger KMS KeyProvider and HSM
KeyProvider should have more debug logs
Posted by me...@apache.org.
RANGER-2043 : Ranger KMS KeyProvider and HSM KeyProvider should have more debug logs
Signed-off-by: Mehul Parikh <me...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/bc2cd5e0
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/bc2cd5e0
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/bc2cd5e0
Branch: refs/heads/master
Commit: bc2cd5e00290866eb48f5115edb0e33971e8fca3
Parents: 499650c
Author: bpatel <bp...@hortonworks.com>
Authored: Wed Apr 18 11:32:34 2018 +0530
Committer: Mehul Parikh <me...@apache.org>
Committed: Wed Apr 18 12:23:45 2018 +0530
----------------------------------------------------------------------
kms/scripts/VerifyIsDBMasterkeyCorrect.sh | 26 +
kms/scripts/VerifyIsHSMMasterkeyCorrect.sh | 26 +
.../org/apache/hadoop/crypto/key/RangerHSM.java | 150 ++--
.../hadoop/crypto/key/RangerKeyStore.java | 857 ++++++++++---------
.../crypto/key/RangerKeyStoreProvider.java | 792 ++++++++---------
.../hadoop/crypto/key/RangerMasterKey.java | 736 +++++++++-------
.../crypto/key/VerifyIsDBMasterkeyCorrect.java | 69 ++
.../crypto/key/VerifyIsHSMMasterkeyCorrect.java | 86 ++
src/main/assembly/kms.xml | 702 +++++++--------
9 files changed, 1915 insertions(+), 1529 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/bc2cd5e0/kms/scripts/VerifyIsDBMasterkeyCorrect.sh
----------------------------------------------------------------------
diff --git a/kms/scripts/VerifyIsDBMasterkeyCorrect.sh b/kms/scripts/VerifyIsDBMasterkeyCorrect.sh
new file mode 100755
index 0000000..1c9a2e1
--- /dev/null
+++ b/kms/scripts/VerifyIsDBMasterkeyCorrect.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# -------------------------------------------------------------------------------------
+if [ "$JAVA_HOME" != "" ]; then
+ export PATH=$JAVA_HOME/bin:$PATH
+else
+ exit ;
+fi
+RANGER_KMS_HOME=`dirname $0`
+cp="${RANGER_KMS_HOME}/cred/lib/*:${RANGER_KMS_HOME}/./ews/webapp/WEB-INF/classes/conf/:${RANGER_KMS_HOME}/ews/webapp/WEB-INF/classes/lib/*:${RANGER_KMS_HOME}/ews/webapp/config:${RANGER_KMS_HOME}/ews/lib/*:${RANGER_KMS_HOME}/ews/webapp/lib/*:${RANGER_KMS_HOME}/ews/webapp/META-INF"
+
+#echo "${cp}"
+java -cp "${cp}" org.apache.hadoop.crypto.key.VerifyIsDBMasterkeyCorrect ${1}
http://git-wip-us.apache.org/repos/asf/ranger/blob/bc2cd5e0/kms/scripts/VerifyIsHSMMasterkeyCorrect.sh
----------------------------------------------------------------------
diff --git a/kms/scripts/VerifyIsHSMMasterkeyCorrect.sh b/kms/scripts/VerifyIsHSMMasterkeyCorrect.sh
new file mode 100755
index 0000000..82eccd5
--- /dev/null
+++ b/kms/scripts/VerifyIsHSMMasterkeyCorrect.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# -------------------------------------------------------------------------------------
+if [ "$JAVA_HOME" != "" ]; then
+ export PATH=$JAVA_HOME/bin:$PATH
+else
+ exit ;
+fi
+RANGER_KMS_HOME=`dirname $0`
+cp="${RANGER_KMS_HOME}/cred/lib/*:${RANGER_KMS_HOME}/./ews/webapp/WEB-INF/classes/conf/:${RANGER_KMS_HOME}/ews/webapp/WEB-INF/classes/lib/*:${RANGER_KMS_HOME}/ews/webapp/config:${RANGER_KMS_HOME}/ews/lib/*:${RANGER_KMS_HOME}/ews/webapp/lib/*:${RANGER_KMS_HOME}/ews/webapp/META-INF"
+
+#echo "${cp}"
+java -cp "${cp}" org.apache.hadoop.crypto.key.VerifyIsHSMMasterkeyCorrect ${1} ${2}
http://git-wip-us.apache.org/repos/asf/ranger/blob/bc2cd5e0/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
index 00dc069..a531f32 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
@@ -38,97 +38,109 @@ import java.security.cert.CertificateException;
* This Class is for HSM Keystore
*/
public class RangerHSM implements RangerKMSMKI {
-
- static final Logger logger = Logger.getLogger(RangerHSM.class);
-
+
+ static final Logger logger = Logger.getLogger(RangerHSM.class);
+
// Configure these as required.
private String passwd = null;
private String alias = "RangerKMSKey";
private String partitionName = null;
private KeyStore myStore = null;
- private String hsm_keystore=null;
+ private String hsm_keystore = null;
private static final String MK_CIPHER = "AES";
- private static final int MK_KeySize = 128;
- private static final String PARTITION_PASSWORD = "ranger.ks.hsm.partition.password";
- private static final String PARTITION_NAME = "ranger.ks.hsm.partition.name";
- private static final String HSM_TYPE = "ranger.ks.hsm.type";
-
- public RangerHSM(){
- }
+ private static final int MK_KeySize = 128;
+ private static final String PARTITION_PASSWORD = "ranger.ks.hsm.partition.password";
+ private static final String PARTITION_NAME = "ranger.ks.hsm.partition.name";
+ private static final String HSM_TYPE = "ranger.ks.hsm.type";
+
+ public RangerHSM() {
+ }
public RangerHSM(Configuration conf) {
- logger.info("RangerHSM provider");
+ logger.info("RangerHSM provider");
/*
* We will log in to the HSM
*/
- passwd = conf.get(PARTITION_PASSWORD);
- partitionName = conf.get(PARTITION_NAME);
- hsm_keystore = conf.get(HSM_TYPE);
+ passwd = conf.get(PARTITION_PASSWORD);
+ partitionName = conf.get(PARTITION_NAME);
+ hsm_keystore = conf.get(HSM_TYPE);
try {
ByteArrayInputStream is1 = new ByteArrayInputStream(("tokenlabel:" + partitionName).getBytes());
- logger.debug("Loading HSM tokenlabel : "+partitionName);
+ logger.debug("Loading HSM tokenlabel : " + partitionName);
myStore = KeyStore.getInstance("Luna");
myStore.load(is1, passwd.toCharArray());
- if(myStore == null){ logger.error("Luna not found. Please verify the Ranger KMS HSM configuration setup."); }
+ if (myStore == null) {
+ logger.error("Luna not found. Please verify the Ranger KMS HSM configuration setup.");
+ }
} catch (KeyStoreException kse) {
- logger.error("Unable to create keystore object : "+kse.getMessage());
+ logger.error("Unable to create keystore object : " + kse.getMessage());
} catch (NoSuchAlgorithmException nsae) {
logger.error("Unexpected NoSuchAlgorithmException while loading keystore : " + nsae.getMessage());
} catch (CertificateException e) {
- logger.error("Unexpected CertificateException while loading keystore : "+e.getMessage());
+ logger.error("Unexpected CertificateException while loading keystore : " + e.getMessage());
} catch (IOException e) {
- logger.error("Unexpected IOException while loading keystore : "+e.getMessage());
- }
+ logger.error("Unexpected IOException while loading keystore : " + e.getMessage());
+ }
}
- @Override
- public boolean generateMasterKey(String password) throws Throwable {
- if(myStore != null && myStore.size() < 1){
- KeyGenerator keyGen = null;
- SecretKey aesKey = null;
- try {
- logger.info("Generating AES Master Key for HSM Provider");
- keyGen = KeyGenerator.getInstance(MK_CIPHER, hsm_keystore);
- keyGen.init(MK_KeySize);
- aesKey = keyGen.generateKey();
+ @Override
+ public boolean generateMasterKey(String password) throws Throwable {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerHSM.generateMasterKey()");
+ }
+ if (myStore != null && myStore.size() < 1) {
+ KeyGenerator keyGen = null;
+ SecretKey aesKey = null;
+ try {
+ logger.info("Generating AES Master Key for HSM Provider");
+ keyGen = KeyGenerator.getInstance(MK_CIPHER, hsm_keystore);
+ keyGen.init(MK_KeySize);
+ aesKey = keyGen.generateKey();
myStore.setKeyEntry(alias, aesKey, password.toCharArray(), (java.security.cert.Certificate[]) null);
- return true;
- } catch (Exception e) {
- logger.error("generateMasterKey : Exception during Ranger Master Key Generation - " + e.getMessage());
- return false;
- }
- }
- return false;
- }
+ return true;
+ } catch (Exception e) {
+ logger.error("generateMasterKey : Exception during Ranger Master Key Generation - " + e.getMessage());
+ return false;
+ }
+ }
+ return false;
+ }
- @Override
- public String getMasterKey(String password) throws Throwable {
- if(myStore != null){
- try {
- logger.debug("Searching for Ranger Master Key in Luna Keystore");
- boolean result = myStore.containsAlias(alias);
- if (result == true) {
- logger.debug("Ranger Master Key is present in Keystore");
- SecretKey key = (SecretKey)myStore.getKey(alias, password.toCharArray());
- return Base64.encode(key.getEncoded());
- }
- } catch (Exception e) {
- logger.error("getMasterKey : Exception searching for Ranger Master Key - " + e.getMessage());
- }
- }
- return null;
- }
-
- public boolean setMasterKey(String password, byte[] key){
- if(myStore != null){
- try {
- Key aesKey = new SecretKeySpec(key, MK_CIPHER);
- myStore.setKeyEntry(alias, aesKey, password.toCharArray(), (java.security.cert.Certificate[]) null);
- return true;
- } catch (KeyStoreException e) {
- logger.error("setMasterKey : Exception while setting Master Key - " + e.getMessage());
- }
- }
- return false;
- }
+ @Override
+ public String getMasterKey(String password) throws Throwable {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerHSM.getMasterKey()");
+ }
+ if (myStore != null) {
+ try {
+ if (logger.isDebugEnabled()) {
+ logger.debug("Searching for Ranger Master Key in Luna Keystore");
+ }
+ boolean result = myStore.containsAlias(alias);
+ if (result == true) {
+ if (logger.isDebugEnabled()) {
+ logger.debug("Ranger Master Key is present in Keystore");
+ }
+ SecretKey key = (SecretKey) myStore.getKey(alias, password.toCharArray());
+ return Base64.encode(key.getEncoded());
+ }
+ } catch (Exception e) {
+ logger.error("getMasterKey : Exception searching for Ranger Master Key - " + e.getMessage());
+ }
+ }
+ return null;
+ }
+
+ public boolean setMasterKey(String password, byte[] key) {
+ if (myStore != null) {
+ try {
+ Key aesKey = new SecretKeySpec(key, MK_CIPHER);
+ myStore.setKeyEntry(alias, aesKey, password.toCharArray(), (java.security.cert.Certificate[]) null);
+ return true;
+ } catch (KeyStoreException e) {
+ logger.error("setMasterKey : Exception while setting Master Key - " + e.getMessage());
+ }
+ }
+ return false;
+ }
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/bc2cd5e0/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java
index e73b6d3..cd5a8c2 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java
@@ -72,21 +72,23 @@ import org.apache.ranger.kms.dao.RangerKMSDao;
*/
public class RangerKeyStore extends KeyStoreSpi {
-
- static final Logger logger = Logger.getLogger(RangerKeyStore.class);
- private static final String KEY_NAME_VALIDATION = "[a-z,A-Z,0-9](?!.*--)(?!.*__)(?!.*-_)(?!.*_-)[\\w\\-\\_]*";
- private static final Pattern pattern = Pattern.compile(KEY_NAME_VALIDATION);
-
- private DaoManager daoManager;
-
+
+ static final Logger logger = Logger.getLogger(RangerKeyStore.class);
+ private static final String KEY_NAME_VALIDATION = "[a-z,A-Z,0-9](?!.*--)(?!.*__)(?!.*-_)(?!.*_-)[\\w\\-\\_]*";
+ private static final Pattern pattern = Pattern.compile(KEY_NAME_VALIDATION);
+
+ private DaoManager daoManager;
+
// keys
private static class KeyEntry {
- Date date=new Date(); // the creation date of this entry
- };
+ Date date = new Date(); // the creation date of this entry
+ }
+
+ ;
// Secret key
private static final class SecretKeyEntry {
- Date date=new Date(); // the creation date of this entry
+ Date date = new Date(); // the creation date of this entry
SealedObject sealedKey;
String cipher_field;
int bit_length;
@@ -102,17 +104,19 @@ public class RangerKeyStore extends KeyStoreSpi {
}
public RangerKeyStore(DaoManager daoManager) {
- this.daoManager = daoManager;
- }
+ this.daoManager = daoManager;
+ }
- String convertAlias(String alias){
- return alias.toLowerCase();
+ String convertAlias(String alias) {
+ return alias.toLowerCase();
}
@Override
- public Key engineGetKey(String alias, char[] password)throws NoSuchAlgorithmException, UnrecoverableKeyException
- {
- Key key = null;
+ public Key engineGetKey(String alias, char[] password) throws NoSuchAlgorithmException, UnrecoverableKeyException {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerKeyStore.engineGetKey()");
+ }
+ Key key = null;
Object entry = keyEntries.get(convertAlias(alias));
@@ -120,34 +124,40 @@ public class RangerKeyStore extends KeyStoreSpi {
return null;
}
- try {
- key = unsealKey(((SecretKeyEntry)entry).sealedKey, password);
- } catch (Exception e) {
- logger.error(e.getMessage());
- }
+ try {
+ key = unsealKey(((SecretKeyEntry) entry).sealedKey, password);
+ } catch (Exception e) {
+ logger.error("==> RangerKeyStore.engineGetKey() error: ", e);
+ }
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerKeyStore.engineGetKey()");
+ }
return key;
}
@Override
public Date engineGetCreationDate(String alias) {
Object entry = keyEntries.get(convertAlias(alias));
- Date date=null;
+ Date date = null;
if (entry != null) {
- KeyEntry keyEntry=(KeyEntry)entry;
- if(keyEntry.date!=null){
- date=new Date(keyEntry.date.getTime());
- }
- }
- return date;
- }
+ KeyEntry keyEntry = (KeyEntry) entry;
+ if (keyEntry.date != null) {
+ date = new Date(keyEntry.date.getTime());
+ }
+ }
+ return date;
+ }
public void addKeyEntry(String alias, Key key, char[] password, String cipher, int bitLength, String description, int version, String attributes)
- throws KeyStoreException
- {
- SecretKeyEntry entry = new SecretKeyEntry();
- synchronized(deltaEntries) {
- try {
+ throws KeyStoreException {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerKeyStore.addKeyEntry()");
+ logger.debug("Adding entry for alias:" + alias);
+ }
+ SecretKeyEntry entry = new SecretKeyEntry();
+ synchronized (deltaEntries) {
+ try {
entry.date = new Date();
// seal and store the key
entry.sealedKey = sealKey(key, password);
@@ -159,21 +169,24 @@ public class RangerKeyStore extends KeyStoreSpi {
entry.attributes = attributes;
deltaEntries.put(convertAlias(alias), entry);
} catch (Exception e) {
- logger.error(e.getMessage());
- throw new KeyStoreException(e.getMessage());
+ logger.error("==> RangerKeyStore.addKeyEntry() error: ", e);
+ throw new KeyStoreException(e.getMessage());
}
}
- synchronized(keyEntries) {
- try {
- keyEntries.put(convertAlias(alias), entry);
- }catch (Exception e) {
- logger.error(e.getMessage());
- throw new KeyStoreException(e.getMessage());
+ synchronized (keyEntries) {
+ try {
+ keyEntries.put(convertAlias(alias), entry);
+ } catch (Exception e) {
+ logger.error("==> RangerKeyStore.addKeyEntry() error: ", e);
+ throw new KeyStoreException(e.getMessage());
}
}
}
private SealedObject sealKey(Key key, char[] password) throws Exception {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerKeyStore.sealKey()");
+ }
// Create SecretKey
SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndTripleDES");
PBEKeySpec pbeKeySpec = new PBEKeySpec(password);
@@ -189,10 +202,16 @@ public class RangerKeyStore extends KeyStoreSpi {
// Seal the Key
Cipher cipher = Cipher.getInstance("PBEWithMD5AndTripleDES");
cipher.init(Cipher.ENCRYPT_MODE, secretKey, pbeSpec);
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerKeyStore.sealKey()");
+ }
return new RangerSealedObject(key, cipher);
}
private Key unsealKey(SealedObject sealedKey, char[] password) throws Exception {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerKeyStore.unsealKey()");
+ }
// Create SecretKey
SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndTripleDES");
PBEKeySpec pbeKeySpec = new PBEKeySpec(password);
@@ -202,7 +221,7 @@ public class RangerKeyStore extends KeyStoreSpi {
// Get the AlgorithmParameters from RangerSealedObject
AlgorithmParameters algorithmParameters = null;
if (sealedKey instanceof RangerSealedObject) {
- algorithmParameters = ((RangerSealedObject)sealedKey).getParameters();
+ algorithmParameters = ((RangerSealedObject) sealedKey).getParameters();
} else {
algorithmParameters = new RangerSealedObject(sealedKey).getParameters();
}
@@ -210,35 +229,38 @@ public class RangerKeyStore extends KeyStoreSpi {
// Unseal the Key
Cipher cipher = Cipher.getInstance("PBEWithMD5AndTripleDES");
cipher.init(Cipher.DECRYPT_MODE, secretKey, algorithmParameters);
-
- return (Key)sealedKey.getObject(cipher);
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerKeyStore.unsealKey()");
+ }
+ return (Key) sealedKey.getObject(cipher);
}
@Override
public void engineDeleteEntry(String alias)
- throws KeyStoreException
- {
- synchronized(keyEntries) {
- dbOperationDelete(convertAlias(alias));
- keyEntries.remove(convertAlias(alias));
+ throws KeyStoreException {
+ synchronized (keyEntries) {
+ dbOperationDelete(convertAlias(alias));
+ keyEntries.remove(convertAlias(alias));
}
- synchronized(deltaEntries) {
- deltaEntries.remove(convertAlias(alias));
+ synchronized (deltaEntries) {
+ deltaEntries.remove(convertAlias(alias));
}
}
private void dbOperationDelete(String alias) {
- try{
- if(daoManager != null){
- RangerKMSDao rangerKMSDao = new RangerKMSDao(daoManager);
- rangerKMSDao.deleteByAlias(alias);
- }
- }catch(Exception e){
- logger.error(e.getMessage());
- e.printStackTrace();
- }
- }
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerKeyStore.dbOperationDelete(" + alias + ")");
+ }
+ try {
+ if (daoManager != null) {
+ RangerKMSDao rangerKMSDao = new RangerKMSDao(daoManager);
+ rangerKMSDao.deleteByAlias(alias);
+ }
+ } catch (Exception e) {
+ logger.error("==> RangerKeyStore.dbOperationDelete() error : ", e);
+ }
+ }
@Override
@@ -258,9 +280,11 @@ public class RangerKeyStore extends KeyStoreSpi {
@Override
public void engineStore(OutputStream stream, char[] password)
- throws IOException, NoSuchAlgorithmException, CertificateException
- {
- synchronized(deltaEntries) {
+ throws IOException, NoSuchAlgorithmException, CertificateException {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerKeyStore.engineStore()");
+ }
+ synchronized (deltaEntries) {
// password is mandatory when storing
if (password == null) {
throw new IllegalArgumentException("Ranger Master Key can't be null");
@@ -268,27 +292,27 @@ public class RangerKeyStore extends KeyStoreSpi {
MessageDigest md = getKeyedMessageDigest(password);
- byte digest[] = md.digest();
- for (Enumeration<String> e = deltaEntries.keys(); e.hasMoreElements();) {
- ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ byte digest[] = md.digest();
+ for (Enumeration<String> e = deltaEntries.keys(); e.hasMoreElements(); ) {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
DataOutputStream dos = new DataOutputStream(new DigestOutputStream(baos, md));
ObjectOutputStream oos = null;
- try{
-
- String alias = e.nextElement();
- Object entry = deltaEntries.get(alias);
+ try {
+
+ String alias = e.nextElement();
+ Object entry = deltaEntries.get(alias);
oos = new ObjectOutputStream(dos);
- oos.writeObject(((SecretKeyEntry)entry).sealedKey);
+ oos.writeObject(((SecretKeyEntry) entry).sealedKey);
dos.write(digest);
dos.flush();
- Long creationDate = ((SecretKeyEntry)entry).date.getTime();
- SecretKeyEntry secretKey = (SecretKeyEntry)entry;
- XXRangerKeyStore xxRangerKeyStore = mapObjectToEntity(alias,creationDate,baos.toByteArray(), secretKey.cipher_field, secretKey.bit_length, secretKey.description, secretKey.version, secretKey.attributes);
+ Long creationDate = ((SecretKeyEntry) entry).date.getTime();
+ SecretKeyEntry secretKey = (SecretKeyEntry) entry;
+ XXRangerKeyStore xxRangerKeyStore = mapObjectToEntity(alias, creationDate, baos.toByteArray(), secretKey.cipher_field, secretKey.bit_length, secretKey.description, secretKey.version, secretKey.attributes);
dbOperationStore(xxRangerKeyStore);
- }finally {
+ } finally {
if (oos != null) {
oos.close();
} else {
@@ -296,165 +320,183 @@ public class RangerKeyStore extends KeyStoreSpi {
}
}
}
- clearDeltaEntires();
+ clearDeltaEntires();
}
}
private XXRangerKeyStore mapObjectToEntity(String alias, Long creationDate,
- byte[] byteArray, String cipher_field, int bit_length,
- String description, int version, String attributes) {
- XXRangerKeyStore xxRangerKeyStore = new XXRangerKeyStore();
- xxRangerKeyStore.setAlias(alias);
- xxRangerKeyStore.setCreatedDate(creationDate);
- xxRangerKeyStore.setEncoded(DatatypeConverter.printBase64Binary(byteArray));
- xxRangerKeyStore.setCipher(cipher_field);
- xxRangerKeyStore.setBitLength(bit_length);
- xxRangerKeyStore.setDescription(description);
- xxRangerKeyStore.setVersion(version);
- xxRangerKeyStore.setAttributes(attributes);
- return xxRangerKeyStore;
- }
-
- private void dbOperationStore(XXRangerKeyStore rangerKeyStore) {
- try{
- if(daoManager != null){
- RangerKMSDao rangerKMSDao = new RangerKMSDao(daoManager);
- XXRangerKeyStore xxRangerKeyStore = rangerKMSDao.findByAlias(rangerKeyStore.getAlias());
- boolean keyStoreExists = true;
- if (xxRangerKeyStore == null) {
- xxRangerKeyStore = new XXRangerKeyStore();
- keyStoreExists = false;
- }
- xxRangerKeyStore = mapToEntityBean(rangerKeyStore, xxRangerKeyStore);
- if (keyStoreExists) {
- xxRangerKeyStore = rangerKMSDao.update(xxRangerKeyStore);
- } else {
- xxRangerKeyStore = rangerKMSDao.create(xxRangerKeyStore);
- }
- }
- }catch(Exception e){
- logger.error(e.getMessage());
- e.printStackTrace();
- }
- }
-
- private XXRangerKeyStore mapToEntityBean(XXRangerKeyStore rangerKMSKeyStore, XXRangerKeyStore xxRangerKeyStore) {
- xxRangerKeyStore.setAlias(rangerKMSKeyStore.getAlias());
- xxRangerKeyStore.setCreatedDate(rangerKMSKeyStore.getCreatedDate());
- xxRangerKeyStore.setEncoded(rangerKMSKeyStore.getEncoded());
- xxRangerKeyStore.setCipher(rangerKMSKeyStore.getCipher());
- xxRangerKeyStore.setBitLength(rangerKMSKeyStore.getBitLength());
- xxRangerKeyStore.setDescription(rangerKMSKeyStore.getDescription());
- xxRangerKeyStore.setVersion(rangerKMSKeyStore.getVersion());
- xxRangerKeyStore.setAttributes(rangerKMSKeyStore.getAttributes());
- return xxRangerKeyStore;
- }
-
-
- @Override
- public void engineLoad(InputStream stream, char[] password)
- throws IOException , NoSuchAlgorithmException, CertificateException
- {
- synchronized(keyEntries) {
- List<XXRangerKeyStore> rangerKeyDetails = dbOperationLoad();
-
+ byte[] byteArray, String cipher_field, int bit_length,
+ String description, int version, String attributes) {
+ XXRangerKeyStore xxRangerKeyStore = new XXRangerKeyStore();
+ xxRangerKeyStore.setAlias(alias);
+ xxRangerKeyStore.setCreatedDate(creationDate);
+ xxRangerKeyStore.setEncoded(DatatypeConverter.printBase64Binary(byteArray));
+ xxRangerKeyStore.setCipher(cipher_field);
+ xxRangerKeyStore.setBitLength(bit_length);
+ xxRangerKeyStore.setDescription(description);
+ xxRangerKeyStore.setVersion(version);
+ xxRangerKeyStore.setAttributes(attributes);
+ return xxRangerKeyStore;
+ }
+
+ private void dbOperationStore(XXRangerKeyStore rangerKeyStore) {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerKeyStore.dbOperationStore()");
+ }
+ try {
+ if (daoManager != null) {
+ RangerKMSDao rangerKMSDao = new RangerKMSDao(daoManager);
+ XXRangerKeyStore xxRangerKeyStore = rangerKMSDao.findByAlias(rangerKeyStore.getAlias());
+ boolean keyStoreExists = true;
+ if (xxRangerKeyStore == null) {
+ xxRangerKeyStore = new XXRangerKeyStore();
+ keyStoreExists = false;
+ }
+ xxRangerKeyStore = mapToEntityBean(rangerKeyStore, xxRangerKeyStore);
+ if (keyStoreExists) {
+ xxRangerKeyStore = rangerKMSDao.update(xxRangerKeyStore);
+ } else {
+ xxRangerKeyStore = rangerKMSDao.create(xxRangerKeyStore);
+ }
+ }
+ } catch (Exception e) {
+ logger.error("==> RangerKeyStore.dbOperationStore() error : ", e);
+ }
+ }
+
+ private XXRangerKeyStore mapToEntityBean(XXRangerKeyStore rangerKMSKeyStore, XXRangerKeyStore xxRangerKeyStore) {
+ xxRangerKeyStore.setAlias(rangerKMSKeyStore.getAlias());
+ xxRangerKeyStore.setCreatedDate(rangerKMSKeyStore.getCreatedDate());
+ xxRangerKeyStore.setEncoded(rangerKMSKeyStore.getEncoded());
+ xxRangerKeyStore.setCipher(rangerKMSKeyStore.getCipher());
+ xxRangerKeyStore.setBitLength(rangerKMSKeyStore.getBitLength());
+ xxRangerKeyStore.setDescription(rangerKMSKeyStore.getDescription());
+ xxRangerKeyStore.setVersion(rangerKMSKeyStore.getVersion());
+ xxRangerKeyStore.setAttributes(rangerKMSKeyStore.getAttributes());
+ return xxRangerKeyStore;
+ }
+
+
+ @Override
+ public void engineLoad(InputStream stream, char[] password)
+ throws IOException, NoSuchAlgorithmException, CertificateException {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerKeyStore.engineLoad()");
+ }
+ synchronized (keyEntries) {
+ List<XXRangerKeyStore> rangerKeyDetails = dbOperationLoad();
+
DataInputStream dis;
MessageDigest md = null;
- if(rangerKeyDetails == null || rangerKeyDetails.size() < 1){
- return;
- }
-
- keyEntries.clear();
- if(password!=null){
- md = getKeyedMessageDigest(password);
- }
-
- byte computed[]={};
- if(md!=null){
- computed = md.digest();
- }
- for(XXRangerKeyStore rangerKey : rangerKeyDetails){
- String encoded = rangerKey.getEncoded();
- byte[] data = DatatypeConverter.parseBase64Binary(encoded);
-
- if(data != null && data.length > 0){
- stream = new ByteArrayInputStream(data);
- }else{
- logger.error("No Key found for alias "+rangerKey.getAlias());
- }
-
- if (computed != null) {
- int counter = 0;
- for (int i = computed.length-1; i >= 0; i--) {
- if (computed[i] != data[data.length-(1+counter)]) {
- Throwable t = new UnrecoverableKeyException
- ("Password verification failed");
- throw (IOException)new IOException
- ("Keystore was tampered with, or "
- + "password was incorrect").initCause(t);
- }else{
- counter++;
- }
- }
- }
-
- if (password != null) {
- dis = new DataInputStream(new DigestInputStream(stream, md));
- } else {
- dis = new DataInputStream(stream);
- }
-
- ObjectInputStream ois = null;
- try{
- String alias;
-
- SecretKeyEntry entry = new SecretKeyEntry();
-
- //read the alias
- alias = rangerKey.getAlias();
-
- //read the (entry creation) date
- entry.date = new Date(rangerKey.getCreatedDate());
- entry.cipher_field = rangerKey.getCipher();
- entry.bit_length = rangerKey.getBitLength();
- entry.description = rangerKey.getDescription();
- entry.version = rangerKey.getVersion();
- entry.attributes = rangerKey.getAttributes();
- //read the sealed key
- try {
- ois = new ObjectInputStream(dis);
- entry.sealedKey = (SealedObject)ois.readObject();
- } catch (ClassNotFoundException cnfe) {
- throw new IOException(cnfe.getMessage());
- }
-
- //Add the entry to the list
- keyEntries.put(alias, entry);
- }finally {
- if (ois != null) {
- ois.close();
- } else {
- dis.close();
- }
- }
+ if (rangerKeyDetails == null || rangerKeyDetails.size() < 1) {
+ if (logger.isDebugEnabled()) {
+ logger.debug("RangerKeyStore might be null or key is not present in the database.");
+ }
+ return;
+ }
+
+ keyEntries.clear();
+ if (password != null) {
+ md = getKeyedMessageDigest(password);
+ }
+
+ byte computed[] = {};
+ if (md != null) {
+ computed = md.digest();
+ }
+ for (XXRangerKeyStore rangerKey : rangerKeyDetails) {
+
+ String encoded = rangerKey.getEncoded();
+ byte[] data = DatatypeConverter.parseBase64Binary(encoded);
+
+ if (data != null && data.length > 0) {
+ stream = new ByteArrayInputStream(data);
+ } else {
+ logger.error("No Key found for alias " + rangerKey.getAlias());
+ }
+
+ if (computed != null) {
+ int counter = 0;
+ for (int i = computed.length - 1; i >= 0; i--) {
+ if (computed[i] != data[data.length - (1 + counter)]) {
+ Throwable t = new UnrecoverableKeyException
+ ("Password verification failed");
+ logger.error("Keystore was tampered with, or password was incorrect.", t);
+ throw (IOException) new IOException
+ ("Keystore was tampered with, or "
+ + "password was incorrect").initCause(t);
+ } else {
+ counter++;
+ }
+ }
+ }
+
+ if (password != null) {
+ dis = new DataInputStream(new DigestInputStream(stream, md));
+ } else {
+ dis = new DataInputStream(stream);
+ }
+
+ ObjectInputStream ois = null;
+ try {
+ String alias;
+
+ SecretKeyEntry entry = new SecretKeyEntry();
+
+ //read the alias
+ alias = rangerKey.getAlias();
+
+ //read the (entry creation) date
+ entry.date = new Date(rangerKey.getCreatedDate());
+ entry.cipher_field = rangerKey.getCipher();
+ entry.bit_length = rangerKey.getBitLength();
+ entry.description = rangerKey.getDescription();
+ entry.version = rangerKey.getVersion();
+ entry.attributes = rangerKey.getAttributes();
+ //read the sealed key
+ try {
+ ois = new ObjectInputStream(dis);
+ entry.sealedKey = (SealedObject) ois.readObject();
+ } catch (ClassNotFoundException cnfe) {
+ throw new IOException(cnfe.getMessage());
+ }
+
+ //Add the entry to the list
+ keyEntries.put(alias, entry);
+ } finally {
+ if (ois != null) {
+ ois.close();
+ } else {
+ dis.close();
+ }
+ }
}
}
}
private List<XXRangerKeyStore> dbOperationLoad() throws IOException {
- try{
- if(daoManager != null){
- RangerKMSDao rangerKMSDao = new RangerKMSDao(daoManager);
- return rangerKMSDao.getAllKeys();
- }
- }catch(Exception e){
- e.printStackTrace();
- }
- return null;
- }
-
- /**
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerKeyStore.dbOperationLoad()");
+ }
+ try {
+ if (daoManager != null) {
+ RangerKMSDao rangerKMSDao = new RangerKMSDao(daoManager);
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerKeyStore.dbOperationLoad()");
+ }
+ return rangerKMSDao.getAllKeys();
+ }
+ } catch (Exception e) {
+ logger.error("==> RangerKeyStore.dbOperationLoad() error:", e);
+ }
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerKeyStore.dbOperationLoad()");
+ }
+ return null;
+ }
+
+ /**
* To guard against tampering with the keystore, we append a keyed
* hash with a bit of whitener.
*/
@@ -462,205 +504,210 @@ public class RangerKeyStore extends KeyStoreSpi {
private final String SECRET_KEY_HASH_WORD = "Apache Ranger";
private MessageDigest getKeyedMessageDigest(char[] aKeyPassword)
- throws NoSuchAlgorithmException, UnsupportedEncodingException
- {
+ throws NoSuchAlgorithmException, UnsupportedEncodingException {
int i, j;
MessageDigest md = MessageDigest.getInstance("SHA");
byte[] keyPasswordBytes = new byte[aKeyPassword.length * 2];
- for (i=0, j=0; i<aKeyPassword.length; i++) {
- keyPasswordBytes[j++] = (byte)(aKeyPassword[i] >> 8);
- keyPasswordBytes[j++] = (byte)aKeyPassword[i];
+ for (i = 0, j = 0; i < aKeyPassword.length; i++) {
+ keyPasswordBytes[j++] = (byte) (aKeyPassword[i] >> 8);
+ keyPasswordBytes[j++] = (byte) aKeyPassword[i];
}
md.update(keyPasswordBytes);
- for (i=0; i<keyPasswordBytes.length; i++)
+ for (i = 0; i < keyPasswordBytes.length; i++)
keyPasswordBytes[i] = 0;
md.update(SECRET_KEY_HASH_WORD.getBytes("UTF8"));
return md;
}
- @Override
- public void engineSetKeyEntry(String arg0, byte[] arg1, Certificate[] arg2)
- throws KeyStoreException {
- }
-
- @Override
- public Certificate engineGetCertificate(String alias) {
- return null;
- }
-
- @Override
- public String engineGetCertificateAlias(Certificate cert) {
- return null;
- }
-
- @Override
- public Certificate[] engineGetCertificateChain(String alias) {
- return null;
- }
-
- @Override
- public boolean engineIsCertificateEntry(String alias) {
- return false;
- }
-
- @Override
- public boolean engineIsKeyEntry(String alias) {
- return false;
- }
-
- @Override
- public void engineSetCertificateEntry(String alias, Certificate cert)
- throws KeyStoreException {
- }
-
- @Override
- public void engineSetKeyEntry(String alias, Key key, char[] password,
- Certificate[] chain) throws KeyStoreException {
- }
-
- //
- // The method is created to support JKS migration (from hadoop-common KMS keystore to RangerKMS keystore)
- //
-
- private static final String METADATA_FIELDNAME = "metadata";
- private static final int NUMBER_OF_BITS_PER_BYTE = 8;
-
- public void engineLoadKeyStoreFile(InputStream stream, char[] storePass,
- char[] keyPass, char[] masterKey, String fileFormat)
- throws IOException, NoSuchAlgorithmException, CertificateException {
- synchronized (deltaEntries) {
- KeyStore ks;
-
- try {
- ks = KeyStore.getInstance(fileFormat);
- ks.load(stream, storePass);
- deltaEntries.clear();
- for (Enumeration<String> name = ks.aliases(); name
- .hasMoreElements();) {
- SecretKeyEntry entry = new SecretKeyEntry();
- String alias = (String) name.nextElement();
- Key k = ks.getKey(alias, keyPass);
-
- if (k instanceof JavaKeyStoreProvider.KeyMetadata) {
- JavaKeyStoreProvider.KeyMetadata keyMetadata = (JavaKeyStoreProvider.KeyMetadata) k;
- Field f = JavaKeyStoreProvider.KeyMetadata.class
- .getDeclaredField(METADATA_FIELDNAME);
- f.setAccessible(true);
- Metadata metadata = (Metadata) f.get(keyMetadata);
- entry.bit_length = metadata.getBitLength();
- entry.cipher_field = metadata.getAlgorithm();
- Constructor<RangerKeyStoreProvider.KeyMetadata> constructor = RangerKeyStoreProvider.KeyMetadata.class
- .getDeclaredConstructor(Metadata.class);
- constructor.setAccessible(true);
- RangerKeyStoreProvider.KeyMetadata nk = constructor
- .newInstance(metadata);
- k = nk;
- } else {
- entry.bit_length = (k.getEncoded().length * NUMBER_OF_BITS_PER_BYTE);
- entry.cipher_field = k.getAlgorithm();
- }
- String keyName = alias.split("@")[0];
- validateKeyName(keyName);
- entry.attributes = "{\"key.acl.name\":\"" + keyName + "\"}";
- Class<?> c = null;
- Object o = null;
- try {
- c = Class
- .forName("com.sun.crypto.provider.KeyProtector");
- Constructor<?> constructor = c
- .getDeclaredConstructor(char[].class);
- constructor.setAccessible(true);
- o = constructor.newInstance(masterKey);
- // seal and store the key
- Method m = c.getDeclaredMethod("seal", Key.class);
- m.setAccessible(true);
- entry.sealedKey = (SealedObject) m.invoke(o, k);
- } catch (ClassNotFoundException | NoSuchMethodException
- | SecurityException | InstantiationException
- | IllegalAccessException | IllegalArgumentException
- | InvocationTargetException e) {
- logger.error(e.getMessage());
- throw new IOException(e.getMessage());
- }
-
- entry.date = ks.getCreationDate(alias);
- entry.version = (alias.split("@").length == 2) ? (Integer
- .parseInt(alias.split("@")[1])) : 0;
- entry.description = k.getFormat() + " - " + ks.getType();
- deltaEntries.put(alias, entry);
- }
- } catch (Throwable t) {
- logger.error("Unable to load keystore file ", t);
- throw new IOException(t);
- }
- }
- }
-
- public void engineLoadToKeyStoreFile(OutputStream stream, char[] storePass,
- char[] keyPass, char[] masterKey, String fileFormat)
- throws IOException, NoSuchAlgorithmException, CertificateException {
- synchronized (keyEntries) {
- KeyStore ks;
- try {
- ks = KeyStore.getInstance(fileFormat);
- if (ks != null) {
- ks.load(null, storePass);
- String alias = null;
- engineLoad(null, masterKey);
- Enumeration<String> e = engineAliases();
- Key key;
- while (e.hasMoreElements()) {
- alias = e.nextElement();
- key = engineGetKey(alias, masterKey);
- ks.setKeyEntry(alias, key, keyPass, null);
- }
- ks.store(stream, storePass);
- }
- } catch (Throwable t) {
- logger.error("Unable to load keystore file ", t);
- throw new IOException(t);
- }
+ @Override
+ public void engineSetKeyEntry(String arg0, byte[] arg1, Certificate[] arg2)
+ throws KeyStoreException {
+ }
+
+ @Override
+ public Certificate engineGetCertificate(String alias) {
+ return null;
+ }
+
+ @Override
+ public String engineGetCertificateAlias(Certificate cert) {
+ return null;
+ }
+
+ @Override
+ public Certificate[] engineGetCertificateChain(String alias) {
+ return null;
+ }
+
+ @Override
+ public boolean engineIsCertificateEntry(String alias) {
+ return false;
+ }
+
+ @Override
+ public boolean engineIsKeyEntry(String alias) {
+ return false;
+ }
+
+ @Override
+ public void engineSetCertificateEntry(String alias, Certificate cert)
+ throws KeyStoreException {
+ }
+
+ @Override
+ public void engineSetKeyEntry(String alias, Key key, char[] password,
+ Certificate[] chain) throws KeyStoreException {
+ }
+
+ //
+ // The method is created to support JKS migration (from hadoop-common KMS keystore to RangerKMS keystore)
+ //
+
+ private static final String METADATA_FIELDNAME = "metadata";
+ private static final int NUMBER_OF_BITS_PER_BYTE = 8;
+
+ public void engineLoadKeyStoreFile(InputStream stream, char[] storePass,
+ char[] keyPass, char[] masterKey, String fileFormat)
+ throws IOException, NoSuchAlgorithmException, CertificateException {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerKeyStoreProvider.engineLoadKeyStoreFile()");
+ }
+ synchronized (deltaEntries) {
+ KeyStore ks;
+ try {
+ ks = KeyStore.getInstance(fileFormat);
+ ks.load(stream, storePass);
+ deltaEntries.clear();
+ for (Enumeration<String> name = ks.aliases(); name
+ .hasMoreElements(); ) {
+ SecretKeyEntry entry = new SecretKeyEntry();
+ String alias = (String) name.nextElement();
+ Key k = ks.getKey(alias, keyPass);
+
+ if (k instanceof JavaKeyStoreProvider.KeyMetadata) {
+ JavaKeyStoreProvider.KeyMetadata keyMetadata = (JavaKeyStoreProvider.KeyMetadata) k;
+ Field f = JavaKeyStoreProvider.KeyMetadata.class
+ .getDeclaredField(METADATA_FIELDNAME);
+ f.setAccessible(true);
+ Metadata metadata = (Metadata) f.get(keyMetadata);
+ entry.bit_length = metadata.getBitLength();
+ entry.cipher_field = metadata.getAlgorithm();
+ Constructor<RangerKeyStoreProvider.KeyMetadata> constructor = RangerKeyStoreProvider.KeyMetadata.class
+ .getDeclaredConstructor(Metadata.class);
+ constructor.setAccessible(true);
+ RangerKeyStoreProvider.KeyMetadata nk = constructor
+ .newInstance(metadata);
+ k = nk;
+ } else {
+ entry.bit_length = (k.getEncoded().length * NUMBER_OF_BITS_PER_BYTE);
+ entry.cipher_field = k.getAlgorithm();
+ }
+ String keyName = alias.split("@")[0];
+ validateKeyName(keyName);
+ entry.attributes = "{\"key.acl.name\":\"" + keyName + "\"}";
+ Class<?> c = null;
+ Object o = null;
+ try {
+ c = Class
+ .forName("com.sun.crypto.provider.KeyProtector");
+ Constructor<?> constructor = c
+ .getDeclaredConstructor(char[].class);
+ constructor.setAccessible(true);
+ o = constructor.newInstance(masterKey);
+ // seal and store the key
+ Method m = c.getDeclaredMethod("seal", Key.class);
+ m.setAccessible(true);
+ entry.sealedKey = (SealedObject) m.invoke(o, k);
+ } catch (ClassNotFoundException | NoSuchMethodException
+ | SecurityException | InstantiationException
+ | IllegalAccessException | IllegalArgumentException
+ | InvocationTargetException e) {
+ logger.error(e.getMessage());
+ throw new IOException(e.getMessage());
+ }
+
+ entry.date = ks.getCreationDate(alias);
+ entry.version = (alias.split("@").length == 2) ? (Integer
+ .parseInt(alias.split("@")[1])) : 0;
+ entry.description = k.getFormat() + " - " + ks.getType();
+ deltaEntries.put(alias, entry);
}
- }
-
- private void validateKeyName(String name) {
- Matcher matcher = pattern.matcher(name);
- if (!matcher.matches()) {
- throw new IllegalArgumentException(
- "Key Name : "
- + name
- + ", should start with alpha/numeric letters and can have special characters - (hypen) or _ (underscore)");
+ } catch (Throwable t) {
+ logger.error("Unable to load keystore file ", t);
+ throw new IOException(t);
+ }
+ }
+ }
+
+ public void engineLoadToKeyStoreFile(OutputStream stream, char[] storePass,
+ char[] keyPass, char[] masterKey, String fileFormat)
+ throws IOException, NoSuchAlgorithmException, CertificateException {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerKeyStoreProvider.engineLoadToKeyStoreFile()");
+ }
+
+ synchronized (keyEntries) {
+ KeyStore ks;
+ try {
+ ks = KeyStore.getInstance(fileFormat);
+ if (ks != null) {
+ ks.load(null, storePass);
+ String alias = null;
+ engineLoad(null, masterKey);
+ Enumeration<String> e = engineAliases();
+ Key key;
+ while (e.hasMoreElements()) {
+ alias = e.nextElement();
+ key = engineGetKey(alias, masterKey);
+ ks.setKeyEntry(alias, key, keyPass, null);
+ }
+ ks.store(stream, storePass);
}
+ } catch (Throwable t) {
+ logger.error("Unable to load keystore file ", t);
+ throw new IOException(t);
+ }
+ }
+ }
+
+ private void validateKeyName(String name) {
+ Matcher matcher = pattern.matcher(name);
+ if (!matcher.matches()) {
+ throw new IllegalArgumentException(
+ "Key Name : "
+ + name
+ + ", should start with alpha/numeric letters and can have special characters - (hypen) or _ (underscore)");
}
+ }
- public void clearDeltaEntires(){
- deltaEntries.clear();
- }
+ public void clearDeltaEntires() {
+ deltaEntries.clear();
+ }
- /**
- * Encapsulate the encrypted key, so that we can retrieve the AlgorithmParameters object on the decryption side
- */
- private static class RangerSealedObject extends SealedObject {
+ /**
+ * Encapsulate the encrypted key, so that we can retrieve the AlgorithmParameters object on the decryption side
+ */
+ private static class RangerSealedObject extends SealedObject {
- /**
- *
- */
- private static final long serialVersionUID = -7551578543434362070L;
+ /**
+ *
+ */
+ private static final long serialVersionUID = -7551578543434362070L;
- protected RangerSealedObject(SealedObject so) {
- super(so);
- }
+ protected RangerSealedObject(SealedObject so) {
+ super(so);
+ }
- protected RangerSealedObject(Serializable object, Cipher cipher) throws IllegalBlockSizeException, IOException {
- super(object, cipher);
- }
+ protected RangerSealedObject(Serializable object, Cipher cipher) throws IllegalBlockSizeException, IOException {
+ super(object, cipher);
+ }
- public AlgorithmParameters getParameters() throws NoSuchAlgorithmException, IOException {
- AlgorithmParameters algorithmParameters = AlgorithmParameters.getInstance("PBEWithMD5AndTripleDES");
- algorithmParameters.init(super.encodedParams);
- return algorithmParameters;
- }
+ public AlgorithmParameters getParameters() throws NoSuchAlgorithmException, IOException {
+ AlgorithmParameters algorithmParameters = AlgorithmParameters.getInstance("PBEWithMD5AndTripleDES");
+ algorithmParameters.init(super.encodedParams);
+ return algorithmParameters;
+ }
- }
+ }
}
[2/3] ranger git commit: RANGER-2043 : Ranger KMS KeyProvider and HSM
KeyProvider should have more debug logs
Posted by me...@apache.org.
http://git-wip-us.apache.org/repos/asf/ranger/blob/bc2cd5e0/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
index b9d948f..88a545e 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
@@ -52,397 +52,427 @@ import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
@InterfaceAudience.Private
-public class RangerKeyStoreProvider extends KeyProvider{
-
- static final Logger logger = Logger.getLogger(RangerKeyStoreProvider.class);
-
- public static final String SCHEME_NAME = "dbks";
- public static final String KMS_CONFIG_DIR = "kms.config.dir";
- public static final String DBKS_SITE_XML = "dbks-site.xml";
- public static final String ENCRYPTION_KEY = "ranger.db.encrypt.key.password";
- private static final String KEY_METADATA = "KeyMetadata";
- private static final String CREDENTIAL_PATH = "ranger.ks.jpa.jdbc.credential.provider.path";
- private static final String MK_CREDENTIAL_ALIAS = "ranger.ks.masterkey.credential.alias";
- private static final String DB_CREDENTIAL_ALIAS = "ranger.ks.jpa.jdbc.credential.alias";
- private static final String DB_PASSWORD = "ranger.ks.jpa.jdbc.password";
- private static final String HSM_ENABLED = "ranger.ks.hsm.enabled";
- private static final String HSM_PARTITION_PASSWORD_ALIAS = "ranger.ks.hsm.partition.password.alias";
- private static final String HSM_PARTITION_PASSWORD = "ranger.ks.hsm.partition.password";
-
- private final RangerKeyStore dbStore;
- private char[] masterKey;
- private boolean changed = false;
- private final Map<String, Metadata> cache = new HashMap<String, Metadata>();
- private DaoManager daoManager;
-
- private Lock readLock;
-
- public RangerKeyStoreProvider(Configuration conf) throws Throwable {
- super(conf);
- conf = getDBKSConf();
- getFromJceks(conf,CREDENTIAL_PATH, MK_CREDENTIAL_ALIAS, ENCRYPTION_KEY);
- getFromJceks(conf,CREDENTIAL_PATH, DB_CREDENTIAL_ALIAS, DB_PASSWORD);
- getFromJceks(conf,CREDENTIAL_PATH, HSM_PARTITION_PASSWORD_ALIAS, HSM_PARTITION_PASSWORD);
- RangerKMSDB rangerKMSDB = new RangerKMSDB(conf);
- daoManager = rangerKMSDB.getDaoManager();
-
- RangerKMSMKI rangerMasterKey = null;
- String password = conf.get(ENCRYPTION_KEY);
- if(password == null || password.trim().equals("") || password.trim().equals("_") || password.trim().equals("crypted")){
- throw new IOException("The Ranger MasterKey Password is empty or not a valid Password");
- }
- if(StringUtils.isEmpty(conf.get(HSM_ENABLED)) || conf.get(HSM_ENABLED).equalsIgnoreCase("false")){
- rangerMasterKey = new RangerMasterKey(daoManager);
- }else{
- rangerMasterKey = new RangerHSM(conf);
- String partitionPasswd = conf.get(HSM_PARTITION_PASSWORD);
- if(partitionPasswd == null || partitionPasswd.trim().equals("") || partitionPasswd.trim().equals("_") || partitionPasswd.trim().equals("crypted")){
- throw new IOException("Partition Password doesn't exists");
- }
- }
- dbStore = new RangerKeyStore(daoManager);
- rangerMasterKey.generateMasterKey(password);
- //code to retrieve rangerMasterKey password
- masterKey = rangerMasterKey.getMasterKey(password).toCharArray();
- if(masterKey == null){
- // Master Key does not exists
- throw new IOException("Ranger MasterKey does not exists");
- }
+public class RangerKeyStoreProvider extends KeyProvider {
+
+ static final Logger logger = Logger.getLogger(RangerKeyStoreProvider.class);
+
+ public static final String SCHEME_NAME = "dbks";
+ public static final String KMS_CONFIG_DIR = "kms.config.dir";
+ public static final String DBKS_SITE_XML = "dbks-site.xml";
+ public static final String ENCRYPTION_KEY = "ranger.db.encrypt.key.password";
+ private static final String KEY_METADATA = "KeyMetadata";
+ private static final String CREDENTIAL_PATH = "ranger.ks.jpa.jdbc.credential.provider.path";
+ private static final String MK_CREDENTIAL_ALIAS = "ranger.ks.masterkey.credential.alias";
+ private static final String DB_CREDENTIAL_ALIAS = "ranger.ks.jpa.jdbc.credential.alias";
+ private static final String DB_PASSWORD = "ranger.ks.jpa.jdbc.password";
+ private static final String HSM_ENABLED = "ranger.ks.hsm.enabled";
+ private static final String HSM_PARTITION_PASSWORD_ALIAS = "ranger.ks.hsm.partition.password.alias";
+ private static final String HSM_PARTITION_PASSWORD = "ranger.ks.hsm.partition.password";
+
+ private final RangerKeyStore dbStore;
+ private char[] masterKey;
+ private boolean changed = false;
+ private final Map<String, Metadata> cache = new HashMap<String, Metadata>();
+ private DaoManager daoManager;
+
+ private Lock readLock;
+
+ public RangerKeyStoreProvider(Configuration conf) throws Throwable {
+ super(conf);
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerKeyStoreProvider.Configuration(conf)");
+ }
+ conf = getDBKSConf();
+ getFromJceks(conf, CREDENTIAL_PATH, MK_CREDENTIAL_ALIAS, ENCRYPTION_KEY);
+ getFromJceks(conf, CREDENTIAL_PATH, DB_CREDENTIAL_ALIAS, DB_PASSWORD);
+ getFromJceks(conf, CREDENTIAL_PATH, HSM_PARTITION_PASSWORD_ALIAS, HSM_PARTITION_PASSWORD);
+ RangerKMSDB rangerKMSDB = new RangerKMSDB(conf);
+ daoManager = rangerKMSDB.getDaoManager();
+
+ RangerKMSMKI rangerMasterKey = null;
+ String password = conf.get(ENCRYPTION_KEY);
+ if (password == null || password.trim().equals("") || password.trim().equals("_") || password.trim().equals("crypted")) {
+ throw new IOException("The Ranger MasterKey Password is empty or not a valid Password");
+ }
+ if (StringUtils.isEmpty(conf.get(HSM_ENABLED)) || conf.get(HSM_ENABLED).equalsIgnoreCase("false")) {
+ logger.info("Ranger KMS Database is enabled for storing master key.");
+ rangerMasterKey = new RangerMasterKey(daoManager);
+ } else {
+ logger.info("Ranger KMS HSM is enabled for storing master key.");
+ rangerMasterKey = new RangerHSM(conf);
+ String partitionPasswd = conf.get(HSM_PARTITION_PASSWORD);
+ if (partitionPasswd == null || partitionPasswd.trim().equals("") || partitionPasswd.trim().equals("_") || partitionPasswd.trim().equals("crypted")) {
+ throw new IOException("Partition Password doesn't exists");
+ }
+ }
+ dbStore = new RangerKeyStore(daoManager);
+ rangerMasterKey.generateMasterKey(password);
+ //code to retrieve rangerMasterKey password
+ masterKey = rangerMasterKey.getMasterKey(password).toCharArray();
+ if (masterKey == null) {
+ // Master Key does not exists
+ throw new IOException("Ranger MasterKey does not exists");
+ }
+ reloadKeys();
+ ReadWriteLock lock = new ReentrantReadWriteLock(true);
+ readLock = lock.readLock();
+ }
+
+ public static Configuration getDBKSConf() {
+ Configuration newConfig = getConfiguration(true, DBKS_SITE_XML);
+ getFromJceks(newConfig, CREDENTIAL_PATH, MK_CREDENTIAL_ALIAS, ENCRYPTION_KEY);
+ getFromJceks(newConfig, CREDENTIAL_PATH, DB_CREDENTIAL_ALIAS, DB_PASSWORD);
+ return newConfig;
+
+ }
+
+ static Configuration getConfiguration(boolean loadHadoopDefaults,
+ String... resources) {
+ Configuration conf = new Configuration(loadHadoopDefaults);
+ String confDir = System.getProperty(KMS_CONFIG_DIR);
+ if (confDir != null) {
+ try {
+ Path confPath = new Path(confDir);
+ if (!confPath.isUriPathAbsolute()) {
+ throw new RuntimeException("System property '" + KMS_CONFIG_DIR +
+ "' must be an absolute path: " + confDir);
+ }
+ for (String resource : resources) {
+ conf.addResource(new URL("file://" + new Path(confDir, resource).toUri()));
+ }
+ } catch (MalformedURLException ex) {
+ logger.error("==> RangerKeyStoreProvider.getConfiguration() error : ", ex);
+ throw new RuntimeException(ex);
+ }
+ } else {
+ for (String resource : resources) {
+ conf.addResource(resource);
+ }
+ }
+ return conf;
+ }
+
+ private void loadKeys(char[] masterKey) throws NoSuchAlgorithmException, CertificateException, IOException {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerKeyStoreProvider.loadKeys()");
+ }
+ dbStore.engineLoad(null, masterKey);
+ }
+
+ @Override
+ public KeyVersion createKey(String name, byte[] material, Options options)
+ throws IOException {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerKeyStoreProvider.createKey()");
+ }
+ reloadKeys();
+ if (dbStore.engineContainsAlias(name) || cache.containsKey(name)) {
+ throw new IOException("Key " + name + " already exists");
+ }
+ Metadata meta = new Metadata(options.getCipher(), options.getBitLength(),
+ options.getDescription(), options.getAttributes(), new Date(), 1);
+ if (options.getBitLength() != 8 * material.length) {
+ throw new IOException("Wrong key length. Required " +
+ options.getBitLength() + ", but got " + (8 * material.length));
+ }
+ cache.put(name, meta);
+ String versionName = buildVersionName(name, 0);
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerKeyStoreProvider.createKey()");
+ }
+ return innerSetKeyVersion(name, versionName, material, meta.getCipher(), meta.getBitLength(), meta.getDescription(), meta.getVersions(), meta.getAttributes());
+ }
+
+ KeyVersion innerSetKeyVersion(String name, String versionName, byte[] material, String cipher, int bitLength, String description, int version, Map<String, String> attributes) throws IOException {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerKeyStoreProvider.innerSetKeyVersion()");
+ logger.debug("name : " + name + " and versionName : " + versionName);
+ }
+ try {
+ ObjectMapper om = new ObjectMapper();
+ String attribute = om.writeValueAsString(attributes);
+ dbStore.addKeyEntry(versionName, new SecretKeySpec(material, cipher), masterKey, cipher, bitLength, description, version, attribute);
+ } catch (KeyStoreException e) {
+ throw new IOException("Can't store key " + versionName, e);
+ }
+ changed = true;
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerKeyStoreProvider.innerSetKeyVersion()");
+ }
+ return new KeyVersion(name, versionName, material);
+ }
+
+ @Override
+ public void deleteKey(String name) throws IOException {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerKeyStoreProvider.deleteKey(" + name + ")");
+ }
+ reloadKeys();
+ Metadata meta = getMetadata(name);
+ if (meta == null) {
+ throw new IOException("Key " + name + " does not exist");
+ }
+ for (int v = 0; v < meta.getVersions(); ++v) {
+ String versionName = buildVersionName(name, v);
+ try {
+ if (dbStore.engineContainsAlias(versionName)) {
+ dbStore.engineDeleteEntry(versionName);
+ }
+ } catch (KeyStoreException e) {
+ throw new IOException("Problem removing " + versionName, e);
+ }
+ }
+ try {
+ if (dbStore.engineContainsAlias(name)) {
+ dbStore.engineDeleteEntry(name);
+ }
+ } catch (KeyStoreException e) {
+ throw new IOException("Problem removing " + name + " from " + this, e);
+ }
+ cache.remove(name);
+ changed = true;
+ }
+
+ @Override
+ public void flush() throws IOException {
+ try {
+ if (!changed) {
+ return;
+ }
+ // put all of the updates into the db
+ for (Map.Entry<String, Metadata> entry : cache.entrySet()) {
+ try {
+ Metadata metadata = entry.getValue();
+ ObjectMapper om = new ObjectMapper();
+ String attributes = om.writeValueAsString(metadata.getAttributes());
+ dbStore.addKeyEntry(entry.getKey(), new KeyMetadata(metadata), masterKey, metadata.getAlgorithm(), metadata.getBitLength(), metadata.getDescription(), metadata.getVersions(), attributes);
+ } catch (KeyStoreException e) {
+ throw new IOException("Can't set metadata key " + entry.getKey(), e);
+ }
+ }
+ try {
+ dbStore.engineStore(null, masterKey);
+ reloadKeys();
+ } catch (NoSuchAlgorithmException e) {
+ throw new IOException("No such algorithm storing key", e);
+ } catch (CertificateException e) {
+ throw new IOException("Certificate exception storing key", e);
+ }
+ changed = false;
+ } catch (IOException ioe) {
+ cache.clear();
+ reloadKeys();
+ throw ioe;
+ }
+ }
+
+ @Override
+ public KeyVersion getKeyVersion(String versionName) throws IOException {
+ readLock.lock();
+ try {
+ SecretKeySpec key = null;
+ try {
+ if (!dbStore.engineContainsAlias(versionName)) {
+ dbStore.engineLoad(null, masterKey);
+ if (!dbStore.engineContainsAlias(versionName)) {
+ return null;
+ }
+ }
+ key = (SecretKeySpec) dbStore.engineGetKey(versionName, masterKey);
+ } catch (NoSuchAlgorithmException e) {
+ throw new IOException("Can't get algorithm for key " + key, e);
+ } catch (UnrecoverableKeyException e) {
+ throw new IOException("Can't recover key " + key, e);
+ } catch (CertificateException e) {
+ throw new IOException("Certificate exception storing key", e);
+ }
+ if (key == null) {
+ return null;
+ } else {
+ return new KeyVersion(getBaseName(versionName), versionName, key.getEncoded());
+ }
+ } finally {
+ readLock.unlock();
+ }
+ }
+
+ @Override
+ public List<KeyVersion> getKeyVersions(String name) throws IOException {
+ List<KeyVersion> list = new ArrayList<KeyVersion>();
+ Metadata km = getMetadata(name);
+ if (km != null) {
+ int latestVersion = km.getVersions();
+ KeyVersion v = null;
+ String versionName = null;
+ for (int i = 0; i < latestVersion; i++) {
+ versionName = buildVersionName(name, i);
+ v = getKeyVersion(versionName);
+ if (v != null) {
+ list.add(v);
+ }
+ }
+ }
+ return list;
+ }
+
+ @Override
+ public List<String> getKeys() throws IOException {
+ ArrayList<String> list = new ArrayList<String>();
+ String alias = null;
reloadKeys();
- ReadWriteLock lock = new ReentrantReadWriteLock(true);
- readLock = lock.readLock();
- }
-
- public static Configuration getDBKSConf() {
- Configuration newConfig = getConfiguration(true, DBKS_SITE_XML);
- getFromJceks(newConfig,CREDENTIAL_PATH, MK_CREDENTIAL_ALIAS, ENCRYPTION_KEY);
- getFromJceks(newConfig,CREDENTIAL_PATH, DB_CREDENTIAL_ALIAS, DB_PASSWORD);
- return newConfig;
-
- }
-
- static Configuration getConfiguration(boolean loadHadoopDefaults,
- String ... resources) {
- Configuration conf = new Configuration(loadHadoopDefaults);
- String confDir = System.getProperty(KMS_CONFIG_DIR);
- if (confDir != null) {
- try {
- Path confPath = new Path(confDir);
- if (!confPath.isUriPathAbsolute()) {
- throw new RuntimeException("System property '" + KMS_CONFIG_DIR +
- "' must be an absolute path: " + confDir);
- }
- for (String resource : resources) {
- conf.addResource(new URL("file://" + new Path(confDir, resource).toUri()));
- }
- } catch (MalformedURLException ex) {
- ex.printStackTrace();
- throw new RuntimeException(ex);
- }
- } else {
- for (String resource : resources) {
- conf.addResource(resource);
- }
- }
- return conf;
- }
-
- private void loadKeys(char[] masterKey) throws NoSuchAlgorithmException, CertificateException, IOException {
- dbStore.engineLoad(null, masterKey);
- }
-
- @Override
- public KeyVersion createKey(String name, byte[] material, Options options)
- throws IOException {
- reloadKeys();
- if (dbStore.engineContainsAlias(name) || cache.containsKey(name)) {
- throw new IOException("Key " + name + " already exists");
- }
- Metadata meta = new Metadata(options.getCipher(), options.getBitLength(),
- options.getDescription(), options.getAttributes(), new Date(), 1);
- if (options.getBitLength() != 8 * material.length) {
- throw new IOException("Wrong key length. Required " +
- options.getBitLength() + ", but got " + (8 * material.length));
- }
- cache.put(name, meta);
- String versionName = buildVersionName(name, 0);
- return innerSetKeyVersion(name, versionName, material, meta.getCipher(), meta.getBitLength(), meta.getDescription(), meta.getVersions(), meta.getAttributes());
- }
-
- KeyVersion innerSetKeyVersion(String name, String versionName, byte[] material, String cipher, int bitLength, String description, int version, Map<String, String> attributes) throws IOException {
- try {
- ObjectMapper om = new ObjectMapper();
- String attribute = om.writeValueAsString(attributes);
- dbStore.addKeyEntry(versionName, new SecretKeySpec(material, cipher), masterKey, cipher, bitLength, description, version, attribute);
- } catch (KeyStoreException e) {
- throw new IOException("Can't store key " + versionName,e);
- }
- changed = true;
- return new KeyVersion(name, versionName, material);
- }
-
- @Override
- public void deleteKey(String name) throws IOException {
- reloadKeys();
- Metadata meta = getMetadata(name);
- if (meta == null) {
- throw new IOException("Key " + name + " does not exist");
- }
- for(int v=0; v < meta.getVersions(); ++v) {
- String versionName = buildVersionName(name, v);
- try {
- if (dbStore.engineContainsAlias(versionName)) {
- dbStore.engineDeleteEntry(versionName);
- }
- } catch (KeyStoreException e) {
- throw new IOException("Problem removing " + versionName, e);
- }
- }
- try {
- if (dbStore.engineContainsAlias(name)) {
- dbStore.engineDeleteEntry(name);
- }
- } catch (KeyStoreException e) {
- throw new IOException("Problem removing " + name + " from " + this, e);
- }
- cache.remove(name);
- changed = true;
- }
-
- @Override
- public void flush() throws IOException {
- try {
- if (!changed) {
- return;
- }
- // put all of the updates into the db
- for(Map.Entry<String, Metadata> entry: cache.entrySet()) {
- try {
- Metadata metadata = entry.getValue();
- ObjectMapper om = new ObjectMapper();
- String attributes = om.writeValueAsString(metadata.getAttributes());
- dbStore.addKeyEntry(entry.getKey(), new KeyMetadata(metadata), masterKey, metadata.getAlgorithm(), metadata.getBitLength(), metadata.getDescription(), metadata.getVersions(), attributes);
- } catch (KeyStoreException e) {
- throw new IOException("Can't set metadata key " + entry.getKey(),e );
- }
- }
- try {
- dbStore.engineStore(null, masterKey);
- reloadKeys();
- } catch (NoSuchAlgorithmException e) {
- throw new IOException("No such algorithm storing key", e);
- } catch (CertificateException e) {
- throw new IOException("Certificate exception storing key", e);
- }
- changed = false;
- }catch (IOException ioe) {
- cache.clear();
- reloadKeys();
- throw ioe;
- }
- }
-
- @Override
- public KeyVersion getKeyVersion(String versionName) throws IOException {
- readLock.lock();
- try {
- SecretKeySpec key = null;
- try {
- if (!dbStore.engineContainsAlias(versionName)) {
- dbStore.engineLoad(null, masterKey);
- if (!dbStore.engineContainsAlias(versionName)) {
- return null;
- }
- }
- key = (SecretKeySpec) dbStore.engineGetKey(versionName, masterKey);
- } catch (NoSuchAlgorithmException e) {
- throw new IOException("Can't get algorithm for key " + key, e);
- } catch (UnrecoverableKeyException e) {
- throw new IOException("Can't recover key " + key, e);
- }
- catch (CertificateException e) {
- throw new IOException("Certificate exception storing key", e);
- }
- if (key == null) {
- return null;
- } else {
- return new KeyVersion(getBaseName(versionName), versionName, key.getEncoded());
- }
- } finally {
- readLock.unlock();
- }
- }
-
- @Override
- public List<KeyVersion> getKeyVersions(String name) throws IOException {
- List<KeyVersion> list = new ArrayList<KeyVersion>();
- Metadata km = getMetadata(name);
- if (km != null) {
- int latestVersion = km.getVersions();
- KeyVersion v = null;
- String versionName = null;
- for (int i = 0; i < latestVersion; i++) {
- versionName = buildVersionName(name, i);
- v = getKeyVersion(versionName);
- if (v != null) {
- list.add(v);
- }
- }
- }
- return list;
- }
-
- @Override
- public List<String> getKeys() throws IOException {
- ArrayList<String> list = new ArrayList<String>();
- String alias = null;
- reloadKeys();
- Enumeration<String> e = dbStore.engineAliases();
- while (e.hasMoreElements()) {
- alias = e.nextElement();
- // only include the metadata key names in the list of names
- if (!alias.contains("@")) {
- list.add(alias);
- }
- }
- return list;
- }
-
- @Override
- public Metadata getMetadata(String name) throws IOException {
- try {
- readLock.lock();
+ Enumeration<String> e = dbStore.engineAliases();
+ while (e.hasMoreElements()) {
+ alias = e.nextElement();
+ // only include the metadata key names in the list of names
+ if (!alias.contains("@")) {
+ list.add(alias);
+ }
+ }
+ return list;
+ }
+
+ @Override
+ public Metadata getMetadata(String name) throws IOException {
+ try {
+ readLock.lock();
if (cache.containsKey(name)) {
- Metadata meta = cache.get(name);
- return meta;
- }
- try {
- if (!dbStore.engineContainsAlias(name)) {
- dbStore.engineLoad(null, masterKey);
- if (!dbStore.engineContainsAlias(name)) {
- return null;
- }
- }
- Key key = dbStore.engineGetKey(name, masterKey);
- if(key != null){
- Metadata meta = ((KeyMetadata) key).metadata;
- cache.put(name, meta);
- return meta;
- }
- } catch (NoSuchAlgorithmException e) {
- throw new IOException("Can't get algorithm for " + name, e);
- } catch (UnrecoverableKeyException e) {
- throw new IOException("Can't recover key for " + name, e);
- }
- return null;
- }
- catch(Exception e){
- throw new IOException("Please try again ", e);
- }
- finally {
- readLock.unlock();
- }
- }
-
- @Override
- public KeyVersion rollNewVersion(String name, byte[] material)throws IOException {
- reloadKeys();
- Metadata meta = getMetadata(name);
+ Metadata meta = cache.get(name);
+ return meta;
+ }
+ try {
+ if (!dbStore.engineContainsAlias(name)) {
+ dbStore.engineLoad(null, masterKey);
+ if (!dbStore.engineContainsAlias(name)) {
+ return null;
+ }
+ }
+ Key key = dbStore.engineGetKey(name, masterKey);
+ if (key != null) {
+ Metadata meta = ((KeyMetadata) key).metadata;
+ cache.put(name, meta);
+ return meta;
+ }
+ } catch (NoSuchAlgorithmException e) {
+ throw new IOException("Can't get algorithm for " + name, e);
+ } catch (UnrecoverableKeyException e) {
+ throw new IOException("Can't recover key for " + name, e);
+ }
+ return null;
+ } catch (Exception e) {
+ throw new IOException("Please try again ", e);
+ } finally {
+ readLock.unlock();
+ }
+ }
+
+ @Override
+ public KeyVersion rollNewVersion(String name, byte[] material) throws IOException {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerKeyStoreProvider.rollNewVersion()");
+ }
+ reloadKeys();
+ Metadata meta = getMetadata(name);
if (meta == null) {
- throw new IOException("Key " + name + " not found");
- }
- if (meta.getBitLength() != 8 * material.length) {
- throw new IOException("Wrong key length. Required " + meta.getBitLength() + ", but got " + (8 * material.length));
- }
- int nextVersion = meta.addVersion();
- String versionName = buildVersionName(name, nextVersion);
- return innerSetKeyVersion(name, versionName, material, meta.getCipher(), meta.getBitLength(), meta.getDescription(), meta.getVersions(), meta.getAttributes());
- }
-
- private static void getFromJceks(Configuration conf, String path, String alias, String key){
- //update credential from keystore
- if(conf!=null){
- String pathValue=conf.get(path);
- String aliasValue=conf.get(alias);
- if(pathValue!=null && aliasValue!=null){
- String xaDBPassword=CredentialReader.getDecryptedString(pathValue.trim(),aliasValue.trim());
- if(xaDBPassword!=null&& !xaDBPassword.trim().isEmpty() &&
- !xaDBPassword.trim().equalsIgnoreCase("none")){
- conf.set(key, xaDBPassword);
- }else{
- logger.info("Credential keystore password not applied for KMS; clear text password shall be applicable");
- }
- }
- }
- }
+ throw new IOException("Key " + name + " not found");
+ }
+ if (meta.getBitLength() != 8 * material.length) {
+ throw new IOException("Wrong key length. Required " + meta.getBitLength() + ", but got " + (8 * material.length));
+ }
+ int nextVersion = meta.addVersion();
+ String versionName = buildVersionName(name, nextVersion);
+ return innerSetKeyVersion(name, versionName, material, meta.getCipher(), meta.getBitLength(), meta.getDescription(), meta.getVersions(), meta.getAttributes());
+ }
+
+ private static void getFromJceks(Configuration conf, String path, String alias, String key) {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerKeyStoreProvider.getFromJceks()");
+ }
+ //update credential from keystore
+ if (conf != null) {
+ String pathValue = conf.get(path);
+ String aliasValue = conf.get(alias);
+ if (pathValue != null && aliasValue != null) {
+ String xaDBPassword = CredentialReader.getDecryptedString(pathValue.trim(), aliasValue.trim());
+ if (xaDBPassword != null && !xaDBPassword.trim().isEmpty() &&
+ !xaDBPassword.trim().equalsIgnoreCase("none")) {
+ conf.set(key, xaDBPassword);
+ } else {
+ logger.info("Credential keystore password not applied for KMS; clear text password shall be applicable");
+ }
+ }
+ }
+ }
private void reloadKeys() throws IOException {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerKeyStoreProvider.reloadKeys()");
+ }
try {
- cache.clear();
+ cache.clear();
loadKeys(masterKey);
} catch (NoSuchAlgorithmException e) {
throw new IOException("Can't load Keys");
- }catch(CertificateException e){
+ } catch (CertificateException e) {
throw new IOException("Can't load Keys");
}
}
-
- /**
- * The factory to create JksProviders, which is used by the ServiceLoader.
- */
- public static class Factory extends KeyProviderFactory {
- @Override
- public KeyProvider createProvider(URI providerName,
- Configuration conf) throws IOException {
- try {
- if (SCHEME_NAME.equals(providerName.getScheme())) {
- return new RangerKeyStoreProvider(conf);
- }
- } catch (Throwable e) {
- e.printStackTrace();
- }
- return null;
- }
- }
-
- /**
- * An adapter between a KeyStore Key and our Metadata. This is used to store
- * the metadata in a KeyStore even though isn't really a key.
- */
- public static class KeyMetadata implements Key, Serializable {
- private Metadata metadata;
- private final static long serialVersionUID = 8405872419967874451L;
-
- private KeyMetadata(Metadata meta) {
- this.metadata = meta;
- }
-
- @Override
- public String getAlgorithm() {
- return metadata.getCipher();
- }
-
- @Override
- public String getFormat() {
- return KEY_METADATA;
- }
-
- @Override
- public byte[] getEncoded() {
- return new byte[0];
- }
-
- private void writeObject(ObjectOutputStream out) throws IOException {
- byte[] serialized = metadata.serialize();
- out.writeInt(serialized.length);
- out.write(serialized);
- }
-
- private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
- byte[] buf = new byte[in.readInt()];
- in.readFully(buf);
- metadata = new Metadata(buf);
- }
-
- }
+
+ /**
+ * The factory to create JksProviders, which is used by the ServiceLoader.
+ */
+ public static class Factory extends KeyProviderFactory {
+ @Override
+ public KeyProvider createProvider(URI providerName,
+ Configuration conf) throws IOException {
+ try {
+ if (SCHEME_NAME.equals(providerName.getScheme())) {
+ return new RangerKeyStoreProvider(conf);
+ }
+ } catch (Throwable e) {
+ logger.error("==> RangerKeyStoreProvider.reloadKeys() error : " , e);
+ }
+ return null;
+ }
+ }
+
+ /**
+ * An adapter between a KeyStore Key and our Metadata. This is used to store
+ * the metadata in a KeyStore even though isn't really a key.
+ */
+ public static class KeyMetadata implements Key, Serializable {
+ private Metadata metadata;
+ private final static long serialVersionUID = 8405872419967874451L;
+
+ private KeyMetadata(Metadata meta) {
+ this.metadata = meta;
+ }
+
+ @Override
+ public String getAlgorithm() {
+ return metadata.getCipher();
+ }
+
+ @Override
+ public String getFormat() {
+ return KEY_METADATA;
+ }
+
+ @Override
+ public byte[] getEncoded() {
+ return new byte[0];
+ }
+
+ private void writeObject(ObjectOutputStream out) throws IOException {
+ byte[] serialized = metadata.serialize();
+ out.writeInt(serialized.length);
+ out.write(serialized);
+ }
+
+ private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
+ byte[] buf = new byte[in.readInt()];
+ in.readFully(buf);
+ metadata = new Metadata(buf);
+ }
+
+ }
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/bc2cd5e0/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
index 6cfd37e..eb4f75a 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
@@ -47,340 +47,426 @@ import com.google.common.collect.Lists;
import com.sun.org.apache.xml.internal.security.exceptions.Base64DecodingException;
import com.sun.org.apache.xml.internal.security.utils.Base64;
-public class RangerMasterKey implements RangerKMSMKI{
-
- private static final Logger logger = Logger.getLogger(RangerMasterKey.class);
-
- private static final String DEFAULT_MK_CIPHER = "AES";
- private static final int DEFAULT_MK_KeySize = 256;
- private static final int DEFAULT_SALT_SIZE = 8;
- private static final String DEFAULT_SALT = "abcdefghijklmnopqrstuvwxyz01234567890";
- private static final String DEFAULT_CRYPT_ALGO = "PBEWithMD5AndTripleDES";
- private static final String DEFAULT_MD_ALGO = "MD5";
- private static final int DEFAULT_ITERATION_COUNT = 1000;
- private static String password = null;
-
- public static final String DBKS_SITE_XML = "dbks-site.xml";
- private static Properties serverConfigProperties = new Properties();
-
- public static String MK_CIPHER;
- public static Integer MK_KeySize = 0;
- public static Integer SALT_SIZE = 0;
- public static String SALT;
- public static String PBE_ALGO;
- public static String MD_ALGO;
- public static Integer ITERATION_COUNT = 0;
- public static String paddingString;
-
- private DaoManager daoManager;
-
- public RangerMasterKey() {
- }
-
- public RangerMasterKey(DaoManager daoManager) {
- this.daoManager = daoManager;
- }
-
- protected static String getConfig(String key, String defaultValue) {
- String value = serverConfigProperties.getProperty(key);
- if (value == null || value.trim().isEmpty()) {
- // Value not found in properties file, let's try to get from
- // System's property
- value = System.getProperty(key);
- }
- if (value == null || value.trim().isEmpty()) {
- value = defaultValue;
- }
- return value;
+public class RangerMasterKey implements RangerKMSMKI {
+
+ private static final Logger logger = Logger.getLogger(RangerMasterKey.class);
+
+ private static final String DEFAULT_MK_CIPHER = "AES";
+ private static final int DEFAULT_MK_KeySize = 256;
+ private static final int DEFAULT_SALT_SIZE = 8;
+ private static final String DEFAULT_SALT = "abcdefghijklmnopqrstuvwxyz01234567890";
+ private static final String DEFAULT_CRYPT_ALGO = "PBEWithMD5AndTripleDES";
+ private static final String DEFAULT_MD_ALGO = "MD5";
+ private static final int DEFAULT_ITERATION_COUNT = 1000;
+ private static String password = null;
+
+ public static final String DBKS_SITE_XML = "dbks-site.xml";
+ private static Properties serverConfigProperties = new Properties();
+
+ public static String MK_CIPHER;
+ public static Integer MK_KeySize = 0;
+ public static Integer SALT_SIZE = 0;
+ public static String SALT;
+ public static String PBE_ALGO;
+ public static String MD_ALGO;
+ public static Integer ITERATION_COUNT = 0;
+ public static String paddingString;
+
+ private DaoManager daoManager;
+
+ public RangerMasterKey() {
+ }
+
+ public RangerMasterKey(DaoManager daoManager) {
+ this.daoManager = daoManager;
+ }
+
+ protected static String getConfig(String key, String defaultValue) {
+ String value = serverConfigProperties.getProperty(key);
+ if (value == null || value.trim().isEmpty()) {
+ // Value not found in properties file, let's try to get from
+ // System's property
+ value = System.getProperty(key);
+ }
+ if (value == null || value.trim().isEmpty()) {
+ value = defaultValue;
}
+ return value;
+ }
- protected static int getIntConfig(String key, int defaultValue) {
- int ret = defaultValue;
- String retStr = serverConfigProperties.getProperty(key);
- try {
- if (retStr != null) {
- ret = Integer.parseInt(retStr);
- }
- } catch (Exception err) {
- logger.warn(retStr + " can't be parsed to int. Reason: " + err.toString());
- }
- return ret;
- }
- /**
- * To get Master Key
- * @param password password to be used for decryption
- * @return Decrypted Master Key
- * @throws Throwable
- */
- @Override
- public String getMasterKey(String password) throws Throwable {
- logger.info("Getting Master Key");
- List result = getEncryptedMK();
- String encryptedPassString = null;
- byte masterKeyByte[] = null;
- if (CollectionUtils.isNotEmpty(result) && result.size() == 2) {
- masterKeyByte = (byte[]) result.get(0);
- encryptedPassString = (String) result.get(1);
- } else if (CollectionUtils.isNotEmpty(result)) {
- masterKeyByte = (byte[]) result.get(0);
- }
- if (masterKeyByte != null && masterKeyByte.length > 0) {
- return decryptMasterKey(masterKeyByte, password, encryptedPassString);
- } else {
- throw new Exception("No Master Key Found");
- }
- }
-
- public SecretKey getMasterSecretKey(String password) throws Throwable {
- logger.info("Getting Master Key");
- List result = getEncryptedMK();
- String encryptedPassString = null;
- byte masterKeyByte[] = null;
- if (CollectionUtils.isNotEmpty(result) && result.size() == 2) {
- masterKeyByte = (byte[]) result.get(0);
- encryptedPassString = (String) result.get(1);
- } else if (CollectionUtils.isNotEmpty(result)) {
- masterKeyByte = (byte[]) result.get(0);
- }
- if (masterKeyByte != null && masterKeyByte.length > 0) {
- return decryptMasterKeySK(masterKeyByte, password, encryptedPassString);
+ protected static int getIntConfig(String key, int defaultValue) {
+ int ret = defaultValue;
+ String retStr = serverConfigProperties.getProperty(key);
+ try {
+ if (retStr != null) {
+ ret = Integer.parseInt(retStr);
+ }
+ } catch (Exception err) {
+ logger.warn(retStr + " can't be parsed to int. Reason: " + err.toString());
+ }
+ return ret;
+ }
+
+ /**
+ * To get Master Key
+ *
+ * @param password password to be used for decryption
+ * @return Decrypted Master Key
+ * @throws Throwable
+ */
+ @Override
+ public String getMasterKey(String password) throws Throwable {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerMasterKey.getMasterKey()");
+ }
+ logger.info("Getting Master Key");
+ List result = getEncryptedMK();
+ String encryptedPassString = null;
+ byte masterKeyByte[] = null;
+ if (CollectionUtils.isNotEmpty(result) && result.size() == 2) {
+ masterKeyByte = (byte[]) result.get(0);
+ encryptedPassString = (String) result.get(1);
+ } else if (CollectionUtils.isNotEmpty(result)) {
+ masterKeyByte = (byte[]) result.get(0);
+ }
+ if (masterKeyByte != null && masterKeyByte.length > 0) {
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerMasterKey.getMasterKey()");
+ }
+ return decryptMasterKey(masterKeyByte, password, encryptedPassString);
+ } else {
+ throw new Exception("No Master Key Found");
+ }
+ }
+
+ public SecretKey getMasterSecretKey(String password) throws Throwable {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerMasterKey.getMasterSecretKey()");
+ }
+ logger.info("Getting Master Key");
+ List result = getEncryptedMK();
+ String encryptedPassString = null;
+ byte masterKeyByte[] = null;
+ if (CollectionUtils.isNotEmpty(result) && result.size() == 2) {
+ masterKeyByte = (byte[]) result.get(0);
+ encryptedPassString = (String) result.get(1);
+ } else if (CollectionUtils.isNotEmpty(result)) {
+ masterKeyByte = (byte[]) result.get(0);
+ }
+ if (masterKeyByte != null && masterKeyByte.length > 0) {
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerMasterKey.getMasterSecretKey()");
+ }
+ return decryptMasterKeySK(masterKeyByte, password, encryptedPassString);
+ } else {
+ throw new Exception("No Master Key Found");
+ }
+ }
+
+ /**
+ * Generate the master key, encrypt it and save it in the database
+ *
+ * @param password password to be used for encryption
+ * @return true if the master key was successfully created false if master
+ * key generation was unsuccessful or the master key already exists
+ * @throws Throwable
+ */
+
+ public void init() {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerMasterKey.init()");
+ }
+ XMLUtils.loadConfig(DBKS_SITE_XML, serverConfigProperties);
+ MK_CIPHER = getConfig("ranger.kms.service.masterkey.password.cipher", DEFAULT_MK_CIPHER);
+ MK_KeySize = getIntConfig("ranger.kms.service.masterkey.password.size", DEFAULT_MK_KeySize);
+ SALT_SIZE = getIntConfig("ranger.kms.service.masterkey.password.salt.size", DEFAULT_SALT_SIZE);
+ SALT = getConfig("ranger.kms.service.masterkey.password.salt", DEFAULT_SALT);
+ PBE_ALGO = getConfig("ranger.kms.service.masterkey.password.encryption.algorithm", DEFAULT_CRYPT_ALGO);
+ MD_ALGO = getConfig("ranger.kms.service.masterkey.password.md.algorithm", DEFAULT_MD_ALGO);
+ ITERATION_COUNT = getIntConfig("ranger.kms.service.masterkey.password.iteration.count",
+ DEFAULT_ITERATION_COUNT);
+ paddingString = Joiner.on(",").skipNulls().join(MK_CIPHER, MK_KeySize, SALT_SIZE, PBE_ALGO, MD_ALGO,
+ ITERATION_COUNT, SALT);
+ }
+
+ @Override
+ public boolean generateMasterKey(String password) throws Throwable {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerMasterKey.generateMasterKey()");
+ }
+ logger.info("Generating Master Key...");
+ init();
+ String encryptedMasterKey = encryptMasterKey(password);
+ String savedKey = saveEncryptedMK(paddingString + "," + encryptedMasterKey, daoManager);
+ if (savedKey != null && !savedKey.trim().equals("")) {
+ if (logger.isDebugEnabled()) {
+ logger.debug("Master Key Created with id = " + savedKey);
+ logger.debug("<== RangerMasterKey.generateMasterKey()");
+ }
+ return true;
+ }
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerMasterKey.generateMasterKey()");
+ }
+ return false;
+ }
+
+ public boolean generateMKFromHSMMK(String password, byte[] key) throws Throwable {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerMasterKey.generateMKFromHSMMK()");
+ }
+ init();
+ String encryptedMasterKey = encryptMasterKey(password, key);
+ String savedKey = saveEncryptedMK(paddingString + "," + encryptedMasterKey, daoManager);
+ if (savedKey != null && !savedKey.trim().equals("")) {
+ if (logger.isDebugEnabled()) {
+ logger.debug("Master Key Created with id = " + savedKey);
+ logger.debug("<== RangerMasterKey.generateMKFromHSMMK()");
+ }
+ return true;
+ }
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerMasterKey.generateMKFromHSMMK()");
+ }
+ return false;
+ }
+
+ private String decryptMasterKey(byte masterKey[], String password, String encryptedPassString) throws Throwable {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerMasterKey.decryptMasterKey()");
+ logger.debug("Decrypting Master Key...");
+ }
+ if (encryptedPassString == null) {
+ getPasswordParam(password);
+ }
+ PBEKeySpec pbeKeyspec = getPBEParameterSpec(password);
+ byte[] masterKeyFromDBDecrypted = decryptKey(masterKey, pbeKeyspec);
+ SecretKey masterKeyFromDB = getMasterKeyFromBytes(masterKeyFromDBDecrypted);
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerMasterKey.decryptMasterKey()");
+ }
+ return Base64.encode(masterKeyFromDB.getEncoded());
+ }
+
+ public static void getPasswordParam(String paddedEncryptedPwd) {
+ String[] encryptedPwd = null;
+ if (paddedEncryptedPwd != null && paddedEncryptedPwd.contains(",")) {
+ encryptedPwd = Lists.newArrayList(Splitter.on(",").split(paddedEncryptedPwd)).toArray(new String[0]);
+ }
+ if (encryptedPwd != null && encryptedPwd.length >= 7) {
+ int index = 0;
+ MK_CIPHER = encryptedPwd[index];
+ MK_KeySize = Integer.parseInt(encryptedPwd[++index]);
+ SALT_SIZE = Integer.parseInt(encryptedPwd[++index]);
+ PBE_ALGO = encryptedPwd[++index];
+ MD_ALGO = encryptedPwd[++index];
+ ITERATION_COUNT = Integer.parseInt(encryptedPwd[++index]);
+ SALT = encryptedPwd[++index];
+ password = encryptedPwd[++index];
+ } else {
+ MK_CIPHER = DEFAULT_MK_CIPHER;
+ MK_KeySize = DEFAULT_MK_KeySize;
+ SALT_SIZE = DEFAULT_SALT_SIZE;
+ PBE_ALGO = DEFAULT_CRYPT_ALGO;
+ MD_ALGO = DEFAULT_MD_ALGO;
+ password = paddedEncryptedPwd;
+ SALT = password;
+ if (password != null) {
+ ITERATION_COUNT = password.toCharArray().length + 1;
+ }
+ }
+ }
+
+ private SecretKey decryptMasterKeySK(byte masterKey[], String password, String encryptedPassString)
+ throws Throwable {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerMasterKey.decryptMasterKeySK()");
+ }
+ if (encryptedPassString == null) {
+ getPasswordParam(password);
+ }
+ PBEKeySpec pbeKeyspec = getPBEParameterSpec(password);
+ byte[] masterKeyFromDBDecrypted = decryptKey(masterKey, pbeKeyspec);
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerMasterKey.decryptMasterKeySK()");
+ }
+ return getMasterKeyFromBytes(masterKeyFromDBDecrypted);
+ }
+
+ private List getEncryptedMK() throws Base64DecodingException {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerMasterKey.getEncryptedMK()");
+ }
+ try {
+ if (daoManager != null) {
+ ArrayList ret = new ArrayList<>();
+ RangerMasterKeyDao rangerKMSDao = new RangerMasterKeyDao(daoManager);
+ List<XXRangerMasterKey> lstRangerMasterKey = rangerKMSDao.getAll();
+ if (lstRangerMasterKey.size() < 1) {
+ throw new Exception("No Master Key exists");
+ } else if (lstRangerMasterKey.size() > 1) {
+ throw new Exception("More than one Master Key exists");
} else {
- throw new Exception("No Master Key Found");
- }
- }
-
- /**
- * Generate the master key, encrypt it and save it in the database
- * @param password password to be used for encryption
- * @return true if the master key was successfully created
- * false if master key generation was unsuccessful or the master key already exists
- * @throws Throwable
- */
-
- public void init() {
- XMLUtils.loadConfig(DBKS_SITE_XML, serverConfigProperties);
- MK_CIPHER = getConfig("ranger.kms.service.masterkey.password.cipher", DEFAULT_MK_CIPHER);
- MK_KeySize = getIntConfig("ranger.kms.service.masterkey.password.size", DEFAULT_MK_KeySize);
- SALT_SIZE = getIntConfig("ranger.kms.service.masterkey.password.salt.size", DEFAULT_SALT_SIZE);
- SALT = getConfig("ranger.kms.service.masterkey.password.salt", DEFAULT_SALT);
- PBE_ALGO = getConfig("ranger.kms.service.masterkey.password.encryption.algorithm", DEFAULT_CRYPT_ALGO);
- MD_ALGO = getConfig("ranger.kms.service.masterkey.password.md.algorithm", DEFAULT_MD_ALGO);
- ITERATION_COUNT = getIntConfig("ranger.kms.service.masterkey.password.iteration.count",
- DEFAULT_ITERATION_COUNT);
- paddingString = Joiner.on(",").skipNulls().join(MK_CIPHER, MK_KeySize, SALT_SIZE, PBE_ALGO, MD_ALGO,
- ITERATION_COUNT, SALT);
- }
-
- @Override
- public boolean generateMasterKey(String password) throws Throwable {
- logger.info("Generating Master Key");
- init();
- String encryptedMasterKey = encryptMasterKey(password);
- String savedKey = saveEncryptedMK(paddingString + "," + encryptedMasterKey, daoManager);
- if (savedKey != null && !savedKey.trim().equals("")) {
- logger.debug("Master Key Created with id = " + savedKey);
- return true;
- }
- return false;
- }
-
- public boolean generateMKFromHSMMK(String password, byte[] key) throws Throwable{
- logger.info("Generating Master Key");
- init();
- String encryptedMasterKey = encryptMasterKey(password, key);
- String savedKey = saveEncryptedMK(paddingString + "," + encryptedMasterKey, daoManager);
- if(savedKey != null && !savedKey.trim().equals("")){
- logger.debug("Master Key Created with id = "+savedKey);
- return true;
- }
- return false;
- }
-
- private String decryptMasterKey(byte masterKey[], String password, String encryptedPassString) throws Throwable {
- logger.debug("Decrypting Master Key");
- if (encryptedPassString == null) {
- getPasswordParam(password);
- }
- PBEKeySpec pbeKeyspec = getPBEParameterSpec(password);
- byte[] masterKeyFromDBDecrypted = decryptKey(masterKey, pbeKeyspec);
- SecretKey masterKeyFromDB = getMasterKeyFromBytes(masterKeyFromDBDecrypted);
- return Base64.encode(masterKeyFromDB.getEncoded());
- }
-
- public static void getPasswordParam(String paddedEncryptedPwd) {
- String[] encryptedPwd = null;
- if (paddedEncryptedPwd != null && paddedEncryptedPwd.contains(",")) {
- encryptedPwd = Lists.newArrayList(Splitter.on(",").split(paddedEncryptedPwd)).toArray(new String[0]);
- }
- if (encryptedPwd != null && encryptedPwd.length >= 7) {
- int index = 0;
- MK_CIPHER = encryptedPwd[index];
- MK_KeySize = Integer.parseInt(encryptedPwd[++index]);
- SALT_SIZE = Integer.parseInt(encryptedPwd[++index]);
- PBE_ALGO = encryptedPwd[++index];
- MD_ALGO = encryptedPwd[++index];
- ITERATION_COUNT = Integer.parseInt(encryptedPwd[++index]);
- SALT = encryptedPwd[++index];
- password = encryptedPwd[++index];
-
- if (index > 7) {
- for (int i = 8; i <= encryptedPwd.length; i++) {
- password = password + "," + encryptedPwd[i];
- }
+ XXRangerMasterKey rangerMasterKey = rangerKMSDao.getById(lstRangerMasterKey.get(0).getId());
+ String masterKeyStr = rangerMasterKey.getMasterKey();
+ if (masterKeyStr.contains(",")) {
+ getPasswordParam(masterKeyStr);
+ ret.add(Base64.decode(password));
+ ret.add(masterKeyStr);
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerMasterKey.getEncryptedMK()");
}
- } else {
- MK_CIPHER = DEFAULT_MK_CIPHER;
- MK_KeySize = DEFAULT_MK_KeySize;
- SALT_SIZE = DEFAULT_SALT_SIZE;
- PBE_ALGO = DEFAULT_CRYPT_ALGO;
- MD_ALGO = DEFAULT_MD_ALGO;
- password = paddedEncryptedPwd;
- SALT = password;
- ITERATION_COUNT = password.toCharArray().length + 1;
+ return ret;
+ } else {
+ ret.add(Base64.decode(masterKeyStr));
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerMasterKey.getEncryptedMK()");
+ }
+ return ret;
+ }
}
+ }
+ } catch (Exception e) {
+ logger.error("Unable to Retrieving Master Key from database!!! or ", e);
+ }
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerMasterKey.getEncryptedMK()");
}
+ return null;
+ }
- private SecretKey decryptMasterKeySK(byte masterKey[], String password, String encryptedPassString)
- throws Throwable {
- logger.debug("Decrypting Master Key");
- if (encryptedPassString == null) {
- getPasswordParam(password);
+ private String saveEncryptedMK(String encryptedMasterKey, DaoManager daoManager) {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerMasterKey.saveEncryptedMK()");
+ }
+ XXRangerMasterKey xxRangerMasterKey = new XXRangerMasterKey();
+ xxRangerMasterKey.setCipher(MK_CIPHER);
+ xxRangerMasterKey.setBitLength(MK_KeySize);
+ xxRangerMasterKey.setMasterKey(encryptedMasterKey);
+ try {
+ if (daoManager != null) {
+ RangerMasterKeyDao rangerKMSDao = new RangerMasterKeyDao(daoManager);
+ Long l = rangerKMSDao.getAllCount();
+ if (l < 1) {
+ XXRangerMasterKey rangerMasterKey = rangerKMSDao.create(xxRangerMasterKey);
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerMasterKey.saveEncryptedMK()");
+ }
+ return rangerMasterKey.getId().toString();
}
- PBEKeySpec pbeKeyspec = getPBEParameterSpec(password);
- byte[] masterKeyFromDBDecrypted = decryptKey(masterKey, pbeKeyspec);
- return getMasterKeyFromBytes(masterKeyFromDBDecrypted);
- }
-
- private List getEncryptedMK() throws Base64DecodingException {
- logger.debug("Retrieving Encrypted Master Key from database");
- try {
- if (daoManager != null) {
- ArrayList ret = new ArrayList<>();
- RangerMasterKeyDao rangerKMSDao = new RangerMasterKeyDao(daoManager);
- List<XXRangerMasterKey> lstRangerMasterKey = rangerKMSDao.getAll();
- if (lstRangerMasterKey.size() < 1) {
- throw new Exception("No Master Key exists");
- } else if (lstRangerMasterKey.size() > 1) {
- throw new Exception("More than one Master Key exists");
- } else {
- XXRangerMasterKey rangerMasterKey = rangerKMSDao.getById(lstRangerMasterKey.get(0).getId());
- String masterKeyStr = rangerMasterKey.getMasterKey();
- if (masterKeyStr.contains(",")) {
- getPasswordParam(masterKeyStr);
- ret.add(Base64.decode(password));
- ret.add(masterKeyStr);
- return ret;
- } else {
- ret.add(Base64.decode(masterKeyStr));
- return ret;
- }
- }
- }
- } catch (Exception e) {
- e.printStackTrace();
+ }
+ } catch (Exception e) {
+ logger.error("Error while saving master key in Database!!! ", e);
+ }
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerMasterKey.saveEncryptedMK()");
+ }
+ return null;
+ }
+
+ private String encryptMasterKey(String password) throws Throwable {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerMasterKey.encryptMasterKey()");
+ }
+ Key secretKey = generateMasterKey();
+ PBEKeySpec pbeKeySpec = getPBEParameterSpec(password);
+ byte[] masterKeyToDB = encryptKey(secretKey.getEncoded(), pbeKeySpec);
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerMasterKey.encryptMasterKey()");
+ }
+ return Base64.encode(masterKeyToDB);
+ }
+
+ private String encryptMasterKey(String password, byte[] secretKey) throws Throwable {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerMasterKey.encryptMasterKey()");
+ }
+ PBEKeySpec pbeKeySpec = getPBEParameterSpec(password);
+ byte[] masterKeyToDB = encryptKey(secretKey, pbeKeySpec);
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerMasterKey.encryptMasterKey()");
+ }
+ return Base64.encode(masterKeyToDB);
+ }
+
+ private Key generateMasterKey() throws NoSuchAlgorithmException {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerMasterKey.generateMasterKey()");
+ }
+ KeyGenerator kg = KeyGenerator.getInstance(MK_CIPHER);
+ kg.init(MK_KeySize);
+ return kg.generateKey();
+ }
+
+ private PBEKeySpec getPBEParameterSpec(String password) throws Throwable {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerMasterKey.getPBEParameterSpec()");
+ }
+ MessageDigest md = MessageDigest.getInstance(MD_ALGO);
+ byte[] saltGen = md.digest(SALT.getBytes());
+ byte[] salt = new byte[SALT_SIZE];
+ System.arraycopy(saltGen, 0, salt, 0, SALT_SIZE);
+ return new PBEKeySpec(password.toCharArray(), salt, ITERATION_COUNT);
+ }
+
+ private byte[] encryptKey(byte[] data, PBEKeySpec keyspec) throws Throwable {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerMasterKey.encryptKey()");
+ }
+ SecretKey key = getPasswordKey(keyspec);
+ if (keyspec.getSalt() != null) {
+ PBEParameterSpec paramSpec = new PBEParameterSpec(keyspec.getSalt(), keyspec.getIterationCount());
+ Cipher c = Cipher.getInstance(key.getAlgorithm());
+ c.init(Cipher.ENCRYPT_MODE, key, paramSpec);
+ return c.doFinal(data);
+ }
+ return null;
+ }
+
+ private SecretKey getPasswordKey(PBEKeySpec keyspec) throws Throwable {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> RangerMasterKey.getPasswordKey()");
+ }
+ SecretKeyFactory factory = SecretKeyFactory.getInstance(PBE_ALGO);
+ return factory.generateSecret(keyspec);
+ }
+
+ private byte[] decryptKey(byte[] encrypted, PBEKeySpec keyspec) throws Throwable {
+ SecretKey key = getPasswordKey(keyspec);
+ if (keyspec.getSalt() != null) {
+ PBEParameterSpec paramSpec = new PBEParameterSpec(keyspec.getSalt(), keyspec.getIterationCount());
+ Cipher c = Cipher.getInstance(key.getAlgorithm());
+ c.init(Cipher.DECRYPT_MODE, key, paramSpec);
+ return c.doFinal(encrypted);
+ }
+ return null;
+ }
+
+ private SecretKey getMasterKeyFromBytes(byte[] keyData) throws Throwable {
+ return new SecretKeySpec(keyData, MK_CIPHER);
+ }
+
+ public Map<String, String> getPropertiesWithPrefix(Properties props, String prefix) {
+ Map<String, String> prefixedProperties = new HashMap<String, String>();
+
+ if (props != null && prefix != null) {
+ for (String key : props.stringPropertyNames()) {
+ if (key == null) {
+ continue;
}
- return null;
- }
-
- private String saveEncryptedMK(String encryptedMasterKey, DaoManager daoManager) {
- logger.debug("Saving Encrypted Master Key to database");
- XXRangerMasterKey xxRangerMasterKey = new XXRangerMasterKey();
- xxRangerMasterKey.setCipher(MK_CIPHER);
- xxRangerMasterKey.setBitLength(MK_KeySize);
- xxRangerMasterKey.setMasterKey(encryptedMasterKey);
- try{
- if(daoManager != null){
- RangerMasterKeyDao rangerKMSDao = new RangerMasterKeyDao(daoManager);
- Long l = rangerKMSDao.getAllCount();
- if(l < 1){
- XXRangerMasterKey rangerMasterKey = rangerKMSDao.create(xxRangerMasterKey);
- return rangerMasterKey.getId().toString();
- }
- }
- }catch(Exception e){
- e.printStackTrace();
- }
- return null;
- }
-
- private String encryptMasterKey(String password) throws Throwable {
- logger.debug("Encrypting Master Key");
- Key secretKey = generateMasterKey();
- PBEKeySpec pbeKeySpec = getPBEParameterSpec(password);
- byte[] masterKeyToDB = encryptKey(secretKey.getEncoded(), pbeKeySpec);
- return Base64.encode(masterKeyToDB);
- }
-
- private String encryptMasterKey(String password, byte[] secretKey) throws Throwable {
- logger.debug("Encrypting Master Key");
- PBEKeySpec pbeKeySpec = getPBEParameterSpec(password);
- byte[] masterKeyToDB = encryptKey(secretKey, pbeKeySpec);
- return Base64.encode(masterKeyToDB);
- }
-
- private Key generateMasterKey() throws NoSuchAlgorithmException{
- KeyGenerator kg = KeyGenerator.getInstance(MK_CIPHER);
- kg.init(MK_KeySize);
- return kg.generateKey();
- }
-
- private PBEKeySpec getPBEParameterSpec(String password) throws Throwable {
- MessageDigest md = MessageDigest.getInstance(MD_ALGO);
- byte[] saltGen = md.digest(SALT.getBytes());
- byte[] salt = new byte[SALT_SIZE];
- System.arraycopy(saltGen, 0, salt, 0, SALT_SIZE);
- return new PBEKeySpec(password.toCharArray(), salt, ITERATION_COUNT);
- }
-
- private byte[] encryptKey(byte[] data, PBEKeySpec keyspec) throws Throwable {
- SecretKey key = getPasswordKey(keyspec);
- if(keyspec.getSalt() != null) {
- PBEParameterSpec paramSpec = new PBEParameterSpec(keyspec.getSalt(), keyspec.getIterationCount());
- Cipher c = Cipher.getInstance(key.getAlgorithm());
- c.init(Cipher.ENCRYPT_MODE, key,paramSpec);
- return c.doFinal(data);
- }
- return null;
- }
- private SecretKey getPasswordKey(PBEKeySpec keyspec) throws Throwable {
- SecretKeyFactory factory = SecretKeyFactory.getInstance(PBE_ALGO);
- return factory.generateSecret(keyspec);
- }
- private byte[] decryptKey(byte[] encrypted, PBEKeySpec keyspec) throws Throwable {
- SecretKey key = getPasswordKey(keyspec);
- if(keyspec.getSalt() != null) {
- PBEParameterSpec paramSpec = new PBEParameterSpec(keyspec.getSalt(), keyspec.getIterationCount());
- Cipher c = Cipher.getInstance(key.getAlgorithm());
- c.init(Cipher.DECRYPT_MODE, key, paramSpec);
- return c.doFinal(encrypted);
- }
- return null;
- }
- private SecretKey getMasterKeyFromBytes(byte[] keyData) throws Throwable {
- return new SecretKeySpec(keyData, MK_CIPHER);
- }
-
- public Map<String, String> getPropertiesWithPrefix(Properties props, String prefix) {
- Map<String, String> prefixedProperties = new HashMap<String, String>();
-
- if(props != null && prefix != null) {
- for(String key : props.stringPropertyNames()) {
- if(key == null) {
- continue;
- }
-
- String val = props.getProperty(key);
-
- if(key.startsWith(prefix)) {
- key = key.substring(prefix.length());
-
- if(key != null) {
- prefixedProperties.put(key, val);
+
+ String val = props.getProperty(key);
+
+ if (key.startsWith(prefix)) {
+ key = key.substring(prefix.length());
+
+ if (key != null) {
+ prefixedProperties.put(key, val);
}
- }
- }
- }
+ }
+ }
+ }
- return prefixedProperties;
- }
+ return prefixedProperties;
+ }
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/bc2cd5e0/kms/src/main/java/org/apache/hadoop/crypto/key/VerifyIsDBMasterkeyCorrect.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/VerifyIsDBMasterkeyCorrect.java b/kms/src/main/java/org/apache/hadoop/crypto/key/VerifyIsDBMasterkeyCorrect.java
new file mode 100644
index 0000000..632e728
--- /dev/null
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/VerifyIsDBMasterkeyCorrect.java
@@ -0,0 +1,69 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.crypto.key;
+
+import java.io.IOException;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.ranger.kms.dao.DaoManager;
+
+public class VerifyIsDBMasterkeyCorrect {
+ RangerMasterKey rangerMasterKey;
+ RangerKeyStore dbStore;
+ DaoManager daoManager;
+
+ public VerifyIsDBMasterkeyCorrect() throws Throwable {
+ Configuration conf = RangerKeyStoreProvider.getDBKSConf();
+ RangerKMSDB rangerKMSDB = new RangerKMSDB(conf);
+ daoManager = rangerKMSDB.getDaoManager();
+ dbStore = new RangerKeyStore(daoManager);
+ }
+
+ public static void main(String[] args) throws Throwable {
+ if (args.length == 0) {
+ System.err.println("Invalid number of parameters found.");
+ System.exit(1);
+ }
+ try {
+ String password = args[0];
+ if (password == null || password.trim().isEmpty()) {
+ System.err.println("KMS Masterkey Password not provided.");
+ System.exit(1);
+ }
+ new VerifyIsDBMasterkeyCorrect().verifyMasterkey(password);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ public void verifyMasterkey(String pass) {
+ try {
+ // Get Master Key from DB
+ rangerMasterKey = new RangerMasterKey(daoManager);
+ String masterKey = rangerMasterKey.getMasterKey(pass);
+ if(masterKey == null){
+ // Master Key does not exists
+ throw new IOException("Ranger MasterKey does not exists");
+ }
+ dbStore.engineLoad(null, masterKey.toCharArray());
+ System.out.println("KMS keystore engine loaded successfully.");
+ } catch (Throwable e) {
+ throw new RuntimeException("Unable to load keystore engine with given password or Masterkey was tampered.", e);
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/ranger/blob/bc2cd5e0/kms/src/main/java/org/apache/hadoop/crypto/key/VerifyIsHSMMasterkeyCorrect.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/VerifyIsHSMMasterkeyCorrect.java b/kms/src/main/java/org/apache/hadoop/crypto/key/VerifyIsHSMMasterkeyCorrect.java
new file mode 100644
index 0000000..e5ebeb7
--- /dev/null
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/VerifyIsHSMMasterkeyCorrect.java
@@ -0,0 +1,86 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.crypto.key;
+
+import java.io.IOException;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.ranger.kms.dao.DaoManager;
+
+public class VerifyIsHSMMasterkeyCorrect {
+ private static final String ENCRYPTION_KEY = "ranger.db.encrypt.key.password";
+ private static final String PARTITION_PASSWORD = "ranger.ks.hsm.partition.password";
+ private static final String PARTITION_NAME = "ranger.ks.hsm.partition.name";
+ private static final String HSM_TYPE = "ranger.ks.hsm.type";
+
+ public static void main(String[] args) throws Throwable {
+ if (args.length < 2) {
+ System.err.println("Invalid number of parameters found.");
+ System.exit(1);
+ }
+ try {
+ String hsmType = args[0];
+ if (hsmType == null || hsmType.trim().isEmpty()) {
+ System.err.println("HSM Type does not exists.");
+ System.exit(1);
+ }
+
+ String partitionName = args[1];
+ if (partitionName == null || partitionName.trim().isEmpty()) {
+ System.err.println("Partition name does not exists.");
+ System.exit(1);
+ }
+ new VerifyIsHSMMasterkeyCorrect().getHSMMasterkey(hsmType, partitionName);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ public void getHSMMasterkey(String hsmType, String partitionName) {
+ char[] partitionPassword = null;
+ try {
+ partitionPassword = ConsoleUtil
+ .getPasswordFromConsole("Enter Password for the Partition " + partitionName + " : ");
+
+ Configuration conf = RangerKeyStoreProvider.getDBKSConf();
+ conf.set(HSM_TYPE, hsmType);
+ conf.set(PARTITION_NAME, partitionName);
+ conf.set(PARTITION_PASSWORD, String.valueOf(partitionPassword));
+ String password = conf.get(ENCRYPTION_KEY);
+
+ RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);
+ DaoManager daoManager = rangerkmsDb.getDaoManager();
+ RangerKeyStore dbStore = new RangerKeyStore(daoManager);
+
+ // Get Master Key from HSM
+ RangerHSM rangerHSM = new RangerHSM(conf);
+ String hsmMasterKey = rangerHSM.getMasterKey(password);
+ if(hsmMasterKey == null){
+ // Master Key does not exists
+ throw new IOException("Ranger MasterKey does not exists in HSM!!!");
+ }
+
+ dbStore.engineLoad(null, hsmMasterKey.toCharArray());
+ System.out.println("KMS keystore engine loaded successfully.");
+ } catch (Throwable t) {
+ throw new RuntimeException("Unable to load keystore engine with given password or Masterkey was tampered.", t);
+ }
+
+ }
+
+}