Posted to commits@ranger.apache.org by me...@apache.org on 2019/10/30 13:05:03 UTC
[ranger] branch master updated: RangerKMS to be compatible with
Java 8 and Java 9+ for Safenet KeySecure HSM
This is an automated email from the ASF dual-hosted git repository.
mehul pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 1a6b97e RangerKMS to be compatible with Java 8 and Java 9+ for Safenet KeySecure HSM
1a6b97e is described below
commit 1a6b97e2c948347383ae2c279721e1c3ea7eaff5
Author: Dhaval B. Shah <dh...@gmail.com>
AuthorDate: Wed Oct 23 14:06:24 2019 +0530
RangerKMS to be compatible with Java 8 and Java 9+ for Safenet KeySecure HSM
Signed-off-by: Mehul Parikh <me...@apache.org>
---
kms/config/kms-webapp/dbks-site.xml | 5 +
.../hadoop/crypto/key/RangerSafenetKeySecure.java | 113 ++++++++++++++-------
2 files changed, 82 insertions(+), 36 deletions(-)
diff --git a/kms/config/kms-webapp/dbks-site.xml b/kms/config/kms-webapp/dbks-site.xml
index e9cafbc..6990fb7 100755
--- a/kms/config/kms-webapp/dbks-site.xml
+++ b/kms/config/kms-webapp/dbks-site.xml
@@ -229,6 +229,11 @@
<value>/opt/safenetConf/64/8.3.1/sunpkcs11.cfg</value>
<description>Location of Safenet key secure library configuration file</description>
</property>
+ <property>
+ <name>ranger.kms.keysecure.provider.type</name>
+ <value>SunPKCS11</value>
+ <description>Security Provider for key secure</description>
+ </property>
<!-- Key-Secure Config END-->
<!--Azure Key Vault START-->
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
index 12afe33..371e367 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
@@ -20,16 +20,13 @@ package org.apache.hadoop.crypto.key;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
-
import org.apache.hadoop.conf.Configuration;
import org.apache.log4j.Logger;
-
import com.sun.org.apache.xml.internal.security.utils.Base64;
-
import java.io.IOException;
+import java.lang.reflect.Method;
import java.security.Key;
import java.security.KeyStore;
-import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
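Review bot: The import of `com.sun.org.apache.xml.internal.security.utils.Base64` is left in place, and it is a JDK-internal class rather than supported API, so it is likely to be inaccessible or missing on the newer runtimes this commit targets. `java.util.Base64` has been available since Java 8 and covers the same encode and decode operations, e.g. `Base64.getEncoder().encodeToString(bytes)`. The call sites are outside this hunk, so the exact replacement needs to be checked there.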
@@ -43,9 +40,10 @@ public class RangerSafenetKeySecure implements RangerKMSMKI {
static final Logger logger = Logger.getLogger(RangerSafenetKeySecure.class);
private final String alias;
- private final KeyStore myStore;
+ private final String providerType;
+ private KeyStore myStore;
private final String adp;
- private final Provider provider;
+ private Provider provider;
private static final String MK_ALGO = "AES";
private final int mkSize;
private static final int MK_KeySize = 256;
@@ -53,38 +51,64 @@ public class RangerSafenetKeySecure implements RangerKMSMKI {
private static final String CFGFILEPATH = "ranger.kms.keysecure.sunpkcs11.cfg.filepath";
private static final String MK_KEYSIZE = "ranger.kms.keysecure.masterkey.size";
private static final String ALIAS = "ranger.kms.keysecure.masterkey.name";
-
+ private static final String PROVIDER = "ranger.kms.keysecure.provider.type";
private static final String KEYSECURE_LOGIN = "ranger.kms.keysecure.login";
- public RangerSafenetKeySecure(Configuration conf) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
- mkSize = conf.getInt(MK_KEYSIZE, MK_KeySize);
- alias = conf.get(ALIAS, "RANGERMK");
- adp = conf.get(KEYSECURE_LOGIN);
- pkcs11CfgFilePath = conf.get(CFGFILEPATH);
-
- try {
- // Create a PKCS#11 session and initialize it
- // using the sunPKCS11 config file
- provider = new sun.security.pkcs11.SunPKCS11(pkcs11CfgFilePath);
- Security.addProvider(provider);
- myStore = KeyStore.getInstance("PKCS11", provider);
- if(myStore != null){
- myStore.load(null, adp.toCharArray());
- }else{
- logger.error("Safenet Keysecure not found. Please verify the Ranger KMS Safenet Keysecure configuration setup.");
- }
-
- } catch (NoSuchAlgorithmException nsae) {
- throw new NoSuchAlgorithmException("Unexpected NoSuchAlgorithmException while loading keystore : "
- + nsae.getMessage());
- } catch (CertificateException e) {
- throw new CertificateException("Unexpected CertificateException while loading keystore : "
- + e.getMessage());
- } catch (IOException e) {
- throw new IOException("Unexpected IOException while loading keystore : "
- + e.getMessage());
- }
- }
+ public RangerSafenetKeySecure(Configuration conf) throws Exception {
+ mkSize = conf.getInt(MK_KEYSIZE, MK_KeySize);
+ alias = conf.get(ALIAS, "RANGERMK");
+ providerType = conf.get(PROVIDER, "SunPKCS11");
+ adp = conf.get(KEYSECURE_LOGIN);
+ pkcs11CfgFilePath = conf.get(CFGFILEPATH);
+ /*
+ * Method sun.security.pkcs11.SunPKCS11 is supported till Java 8.
+ * Provider.configure() method is available from Java 9 onwards and does not have Backward compatibility.
+ * We need to remove Java 8 scenario and keep only Java 9+ once we completely upgrade to JAVA 9+.
+ * */
+ try {
+ int javaVersion = getJavaVersion();
+ /*Minimum java requirement for Ranger KMS is Java 8 and Maximum java supported by Ranger KMS is Java 11*/
+ if(javaVersion == 8){
+ provider = new sun.security.pkcs11.SunPKCS11(pkcs11CfgFilePath);
+ }else if(javaVersion == 9 || javaVersion == 10 || javaVersion == 11){
+ Class<Provider> cls = Provider.class;
+ Method configureMethod = null;
+ configureMethod = cls.getDeclaredMethod("configure", String.class);
+ provider = Security.getProvider(providerType);
+ if(configureMethod != null){
+ provider = (Provider) configureMethod.invoke(provider,pkcs11CfgFilePath);
+ }
+ }
+
+ if(provider != null){
+ Security.addProvider(provider);
+ myStore = KeyStore.getInstance("PKCS11", provider);
+ }else{
+ logger.error("Provider was not initialize for Ranger Safenet Key Secure.");
+ }
+ if (myStore != null) {
+ myStore.load(null, adp.toCharArray());
+ } else {
+ logger.error("Safenet Keysecure not found. Please verify the Ranger KMS Safenet Keysecure configuration setup.");
+ }
+ }catch (NoSuchMethodException e) {
+ throw new NoSuchMethodException(
+ "Unexpected NoSuchMethodException while loading keystore : "
+ + e.getMessage());
+ }catch (NoSuchAlgorithmException nsae) {
+ throw new NoSuchAlgorithmException(
+ "Unexpected NoSuchAlgorithmException while loading keystore : "
+ + nsae.getMessage());
+ } catch (CertificateException e) {
+ throw new CertificateException(
+ "Unexpected CertificateException while loading keystore : "
+ + e.getMessage());
+ } catch (IOException e) {
+ throw new IOException(
+ "Unexpected IOException while loading keystore : "
+ + e.getMessage());
+ }
+ }
@Override
public boolean generateMasterKey(String password){
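Review bot: The constructor can return normally with `provider` and `myStore` still null: when `getJavaVersion()` yields anything outside 8–11 neither branch assigns `provider`, and both `else` paths only log an error, so the failure would presumably surface later as a NullPointerException on first key use instead of at start-up. For a master-key store it is safer to fail closed by throwing, which the signature already allows through `throws Exception`. In the 9–11 branch `Security.getProvider(providerType)` returns null when `ranger.kms.keysecure.provider.type` names a provider that is not registered, and `invoke` on a null target then throws a bare NullPointerException; the `configureMethod != null` test is dead because `getDeclaredMethod` throws rather than returning null. `adp.toCharArray()` likewise throws if `ranger.kms.keysecure.login` is unset, and the catch blocks rethrow with only `getMessage()`, dropping the original cause. The hunk ends at the first lines of `generateMasterKey`, whose body is not visible here.

```java
int javaVersion = getJavaVersion();
if (javaVersion == 8) {
    provider = new sun.security.pkcs11.SunPKCS11(pkcs11CfgFilePath);
} else if (javaVersion >= 9 && javaVersion <= 11) {
    Provider base = Security.getProvider(providerType);
    if (base == null) {
        throw new IllegalStateException("Security provider '" + providerType
                + "' is not registered; check " + PROVIDER);
    }
    Method configureMethod = Provider.class.getDeclaredMethod("configure", String.class);
    provider = (Provider) configureMethod.invoke(base, pkcs11CfgFilePath);
} else {
    throw new IllegalStateException("Unsupported Java version " + javaVersion
            + " for Safenet KeySecure; supported range is 8 to 11");
}
Security.addProvider(provider);
myStore = KeyStore.getInstance("PKCS11", provider);
if (adp == null) {
    // Name the missing property only; never echo the credential itself.
    throw new IllegalStateException(KEYSECURE_LOGIN + " is not set");
}
myStore.load(null, adp.toCharArray());
// … unchanged: catch blocks …
```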
@@ -150,4 +174,21 @@ public class RangerSafenetKeySecure implements RangerKMSMKI {
return false;
}
+ private int getJavaVersion() {
+ /*
+ Java 8 or lower: 1.6.0_23, 1.7.0, 1.7.0_80, 1.8.0_211
+ Java 9 or higher: 9.0.1, 11.0.4
+ */
+ String version = System.getProperty("java.version");
+ if (version.startsWith("1.")) {
+ version = version.substring(2, 3);
+ } else {
+ int dot = version.indexOf(".");
+ if (dot != -1) {
+ version = version.substring(0, dot);
+ }
+ }
+ return Integer.parseInt(version);
+ }
+
}
\ No newline at end of file
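Review bot: `Integer.parseInt(version)` throws NumberFormatException for `java.version` strings that carry a non-numeric suffix and no dot, such as an early-access `9-ea` or `11-ea`, and that unchecked exception propagates out of the constructor with no hint that version detection was the cause. Reading `System.getProperty("java.specification.version")` instead yields `1.8`, `9` or `11` without build suffixes, and the existing `1.` handling still works on it. The method reads no instance state, so it could also be declared `private static`.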