Posted to commits@ranger.apache.org by pr...@apache.org on 2018/09/26 16:39:23 UTC

[1/3] ranger git commit: RANGER-1505 - Remove KeyProtector code in KMS

Repository: ranger
Updated Branches:
  refs/heads/ranger-0.7 48fd2586e -> 1de5cab13


RANGER-1505 - Remove KeyProtector code in KMS

Signed-off-by: Colm O hEigeartaigh <co...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/13f17952
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/13f17952
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/13f17952

Branch: refs/heads/ranger-0.7
Commit: 13f17952d9a6869307b10b6dba73001ffd33ee8e
Parents: 48fd258
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Apr 10 12:23:38 2017 +0100
Committer: Pradeep <pr...@apache.org>
Committed: Wed Sep 26 21:14:42 2018 +0530

----------------------------------------------------------------------
 .../hadoop/crypto/key/RangerKeyStore.java       | 104 ++++++++++++++-----
 1 file changed, 79 insertions(+), 25 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/13f17952/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java
index 4b1b9bb..018ead5 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java
@@ -26,11 +26,13 @@ import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.io.OutputStream;
+import java.io.Serializable;
 import java.io.UnsupportedEncodingException;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Field;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
+import java.security.AlgorithmParameters;
 import java.security.DigestInputStream;
 import java.security.DigestOutputStream;
 import java.security.Key;
@@ -39,6 +41,7 @@ import java.security.KeyStoreException;
 import java.security.KeyStoreSpi;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.security.UnrecoverableKeyException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
@@ -49,7 +52,13 @@ import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
 import javax.crypto.SealedObject;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.PBEParameterSpec;
 import javax.xml.bind.DatatypeConverter;
 
 import org.apache.hadoop.crypto.key.KeyProvider.Metadata;
@@ -111,17 +120,9 @@ public class RangerKeyStore extends KeyStoreSpi {
             return null;
         }
 
-        Class<?> c = null;
-    	Object o = null;
 		try {
-			c = Class.forName("com.sun.crypto.provider.KeyProtector");
-			Constructor<?> constructor = c.getDeclaredConstructor(char[].class);
-	        constructor.setAccessible(true);
-	        o = constructor.newInstance(password);	
-	        Method m = c.getDeclaredMethod("unseal", SealedObject.class);
-            m.setAccessible(true);
-			key = (Key) m.invoke(o, ((SecretKeyEntry)entry).sealedKey);
-		} catch (ClassNotFoundException | NoSuchMethodException | SecurityException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException e) {
+			key = unsealKey(((SecretKeyEntry)entry).sealedKey, password);
+		} catch (Exception e) {
 			logger.error(e.getMessage());
 		}
         return key;
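Review bot: The new `catch (Exception e)` at the end of engineGetKey swallows every failure from unsealKey and logs only `e.getMessage()`, so the exception type and stack trace are lost and the caller just receives a null key; a wrong password presumably surfaces here as a padding or deserialization error that is now indistinguishable from a missing provider. The multi-catch it replaces at least named the reflective failures it expected. Pass the throwable to the logger and narrow the catch to the checked types unsealKey can actually throw: `logger.error("Failed to unseal key entry for alias " + alias, e);`. engineGetKey starts outside the hunk.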
@@ -147,22 +148,9 @@ public class RangerKeyStore extends KeyStoreSpi {
     	SecretKeyEntry entry = new SecretKeyEntry();
         synchronized(deltaEntries) {
             try {            	
-            	Class<?> c = null;
-            	Object o = null;
-        		try {
-        			c = Class.forName("com.sun.crypto.provider.KeyProtector");
-        			Constructor<?> constructor = c.getDeclaredConstructor(char[].class);
-        	        constructor.setAccessible(true);
-        	        o = constructor.newInstance(password);        	
-        		} catch (ClassNotFoundException | NoSuchMethodException | SecurityException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException e) {
-        			logger.error(e.getMessage());
-        			throw new KeyStoreException(e.getMessage());
-        		}
                 entry.date = new Date();
                 // seal and store the key
-                Method m = c.getDeclaredMethod("seal", Key.class);
-                m.setAccessible(true);
-                entry.sealedKey = (SealedObject) m.invoke(o, key);
+                entry.sealedKey = sealKey(key, password);
 
                 entry.cipher_field = cipher;
                 entry.bit_length = bitLength;
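Review bot: The removed block converted a failure to build the protector into a `KeyStoreException` for the caller, whereas the new `sealKey` call declares `throws Exception`, so a sealing failure now falls through to whatever the enclosing `try` at the top of the hunk catches; that catch is outside the hunk, so I cannot confirm it still rethrows as KeyStoreException rather than logging and continuing with a null `entry.sealedKey`. Worth confirming that engineSetKeyEntry still fails loudly when a key cannot be sealed; if the outer catch is broader than before, `throw new KeyStoreException(e.getMessage(), e);` inside it would restore the previous contract and keep the cause. engineSetKeyEntry starts and ends outside the hunk.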
@@ -185,6 +173,47 @@ public class RangerKeyStore extends KeyStoreSpi {
         }
     }
 
+    private SealedObject sealKey(Key key, char[] password) throws Exception {
+        // Create SecretKey
+        SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndTripleDES");
+        PBEKeySpec pbeKeySpec = new PBEKeySpec(password);
+        SecretKey secretKey = secretKeyFactory.generateSecret(pbeKeySpec);
+        pbeKeySpec.clearPassword();
+
+        // Generate random bytes + set up the PBEParameterSpec
+        SecureRandom random = new SecureRandom();
+        byte[] salt = new byte[8];
+        random.nextBytes(salt);
+        PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, 20);
+
+        // Seal the Key
+        Cipher cipher = Cipher.getInstance("PBEWithMD5AndTripleDES");
+        cipher.init(Cipher.ENCRYPT_MODE, secretKey, pbeSpec);
+        return new RangerSealedObject(key, cipher);
+    }
+
+    private Key unsealKey(SealedObject sealedKey, char[] password) throws Exception {
+        // Create SecretKey
+        SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndTripleDES");
+        PBEKeySpec pbeKeySpec = new PBEKeySpec(password);
+        SecretKey secretKey = secretKeyFactory.generateSecret(pbeKeySpec);
+        pbeKeySpec.clearPassword();
+
+        // Get the AlgorithmParameters from RangerSealedObject
+        AlgorithmParameters algorithmParameters = null;
+        if (sealedKey instanceof RangerSealedObject) {
+            algorithmParameters = ((RangerSealedObject)sealedKey).getParameters();
+        } else {
+            algorithmParameters = new RangerSealedObject(sealedKey).getParameters();
+        }
+
+        // Unseal the Key
+        Cipher cipher = Cipher.getInstance("PBEWithMD5AndTripleDES");
+        cipher.init(Cipher.DECRYPT_MODE, secretKey, algorithmParameters);
+
+        return (Key)sealedKey.getObject(cipher);
+    }
+
     @Override
     public void engineDeleteEntry(String alias)
         throws KeyStoreException
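Review bot: The algorithm name `"PBEWithMD5AndTripleDES"` is repeated four times across sealKey and unsealKey (and once more in RangerSealedObject.getParameters further down), and the seal-side salt length 8 and iteration count 20 are bare literals; lifting them into `private static final String PBE_ALGORITHM = "PBEWithMD5AndTripleDES";` and `private static final int PBE_ITERATIONS = 20;` keeps the two halves from drifting. These values appear to reproduce the parameters of the JDK KeyProtector the commit removes, presumably so existing sealed entries stay readable, and that reasoning belongs in a comment on sealKey; since unsealKey takes salt and iteration count from the sealed object's encoded parameters rather than from constants, the seal-side iteration count could later be raised without breaking decryption of entries already in the store, which is worth stating alongside it. Both methods declare `throws Exception`; the concrete checked types (`GeneralSecurityException`, `IOException`, `ClassNotFoundException`) would let engineGetKey catch narrowly. The `else` branch in unsealKey also assumes a plain `SealedObject` was sealed with compatible parameters and has non-null `encodedParams`; a one-line comment naming that assumption would help whoever next debugs a failed unseal.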
@@ -599,5 +628,30 @@ public class RangerKeyStore extends KeyStoreSpi {
 	public void clearDeltaEntires(){
 		deltaEntries.clear();
 	}
-	
+
+	/**
+	 * Encapsulate the encrypted key, so that we can retrieve the AlgorithmParameters object on the decryption side
+	 */
+	private static class RangerSealedObject extends SealedObject {
+
+	    /**
+	     *
+	     */
+	    private static final long serialVersionUID = -7551578543434362070L;
+
+	    protected RangerSealedObject(SealedObject so) {
+	        super(so);
+	    }
+
+	    protected RangerSealedObject(Serializable object, Cipher cipher) throws IllegalBlockSizeException, IOException {
+	        super(object, cipher);
+	    }
+
+	    public AlgorithmParameters getParameters() throws NoSuchAlgorithmException, IOException {
+	        AlgorithmParameters algorithmParameters = AlgorithmParameters.getInstance("PBEWithMD5AndTripleDES");
+	        algorithmParameters.init(super.encodedParams);
+	        return algorithmParameters;
+	    }
+
+	}
 }
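Review bot: The Javadoc on `serialVersionUID` is empty (an open `/**` with nothing inside), and the two constructors are `protected` in a `private static` nested class, where `private` would say the same thing. The class comment should say what the copy constructor is for: unsealKey wraps a plain `SealedObject` only to read its `encodedParams`, which assumes every stored entry carries PBE parameters that `"PBEWithMD5AndTripleDES"` can decode; if `encodedParams` is null for such an entry, `algorithmParameters.init` will presumably fail, and engineGetKey's broad catch then hides why. Suggested comment above getParameters: `// encodedParams holds the salt and iteration count recorded at seal time; decode them under the fixed PBE algorithm used by sealKey.`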


[2/3] ranger git commit: RANGER-1402 - NPE if there is a problem with the HiveClient driverClassName

Posted by pr...@apache.org.
RANGER-1402 - NPE if there is a problem with the HiveClient driverClassName

Signed-off-by: Colm O hEigeartaigh <co...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/8a8bcd19
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/8a8bcd19
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/8a8bcd19

Branch: refs/heads/ranger-0.7
Commit: 8a8bcd195e92f48c9392fc351cb9ee96e776f38a
Parents: 13f1795
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Feb 21 12:05:39 2017 +0000
Committer: Pradeep <pr...@apache.org>
Committed: Wed Sep 26 21:14:56 2018 +0530

----------------------------------------------------------------------
 .../ranger/services/hive/client/HiveConnectionMgr.java | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/8a8bcd19/hive-agent/src/main/java/org/apache/ranger/services/hive/client/HiveConnectionMgr.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/services/hive/client/HiveConnectionMgr.java b/hive-agent/src/main/java/org/apache/ranger/services/hive/client/HiveConnectionMgr.java
index b36d5da..9376358 100644
--- a/hive-agent/src/main/java/org/apache/ranger/services/hive/client/HiveConnectionMgr.java
+++ b/hive-agent/src/main/java/org/apache/ranger/services/hive/client/HiveConnectionMgr.java
@@ -64,10 +64,19 @@ public class HiveConnectionMgr {
 							LOG.error("Error connecting hive repository : "+
 									serviceName +" using config : "+ configs, e);
 						}
-						HiveClient oldClient = hiveConnectionCache.putIfAbsent(serviceName, hiveClient);
+
+						HiveClient oldClient = null;
+						if (hiveClient != null) {
+							oldClient = hiveConnectionCache.putIfAbsent(serviceName, hiveClient);
+						} else {
+							oldClient = hiveConnectionCache.get(serviceName);
+						}
+
 						if (oldClient != null) {
 							// in the meantime someone else has put a valid client into the cache, let's use that instead.
-							hiveClient.close();
+							if (hiveClient != null) {
+								hiveClient.close();
+							}
 							hiveClient = oldClient;
 						}
 						repoConnectStatusMap.put(serviceName, true);
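Review bot: With the new branches, when `hiveClient` is null and the cache has no entry for `serviceName`, `oldClient` stays null and execution continues to `repoConnectStatusMap.put(serviceName, true);` with no client at all, so the failure path logged by the `LOG.error` above is still recorded as a successful connection; before the change the `putIfAbsent` with a null value presumably failed first and never reached that line. Unless code outside the hunk checks `hiveClient` before the status update, `repoConnectStatusMap.put(serviceName, hiveClient != null);` would keep the status map truthful. The enclosing method starts and ends outside the hunk.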


[3/3] ranger git commit: RANGER-1403:There is a problem in buildks class when delete invalid keystore file.

Posted by pr...@apache.org.
RANGER-1403: There is a problem in the buildks class when deleting an invalid keystore file.

Signed-off-by: Colm O hEigeartaigh <co...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/1de5cab1
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/1de5cab1
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/1de5cab1

Branch: refs/heads/ranger-0.7
Commit: 1de5cab130c4d3b85a56ee96ae33539ba7b2ad52
Parents: 8a8bcd1
Author: zhangqiang2 <zh...@zte.com.cn>
Authored: Wed Feb 22 02:11:15 2017 -0500
Committer: Pradeep <pr...@apache.org>
Committed: Wed Sep 26 21:17:10 2018 +0530

----------------------------------------------------------------------
 .../src/main/java/org/apache/ranger/credentialapi/buildks.java     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/1de5cab1/credentialbuilder/src/main/java/org/apache/ranger/credentialapi/buildks.java
----------------------------------------------------------------------
diff --git a/credentialbuilder/src/main/java/org/apache/ranger/credentialapi/buildks.java b/credentialbuilder/src/main/java/org/apache/ranger/credentialapi/buildks.java
index 043f44c..eb38506 100644
--- a/credentialbuilder/src/main/java/org/apache/ranger/credentialapi/buildks.java
+++ b/credentialbuilder/src/main/java/org/apache/ranger/credentialapi/buildks.java
@@ -527,7 +527,7 @@ public class buildks {
 			}
 			if(keystore!=null && !keystore.isEmpty()){
 				File file =new File(keystore);
-				if(file!=null && file.length()==0){
+				if(file!=null && file.exists() && file.length()==0){
 					System.out.println("Provider file '"+keystore+"' is in invalid state or corrupt!! will try to delete first.");
 					file.delete();
 					file=null;
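Review bot: `file!=null` in the changed condition can never be false immediately after `new File(keystore)`, so that part of the check is dead; the added `file.exists()` is the real fix, since `File.length()` also returns 0 for a file that does not exist. The return value of `file.delete()` on the next line is still ignored, so a delete that fails (permissions, open handle) is reported as if the corrupt file were gone; `if (!file.delete()) { System.out.println("Unable to delete provider file '" + keystore + "'"); }` or `Files.deleteIfExists(file.toPath())` would surface it. The enclosing block continues outside the hunk.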