You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by me...@apache.org on 2018/04/07 06:10:42 UTC
ranger git commit: RANGER-2056 : Good coding practices for KMS and
unixauth
Repository: ranger
Updated Branches:
refs/heads/master 122172a0b -> e65a3e812
RANGER-2056 : Good coding practices for KMS and unixauth
Change-Id: I24777506233e00cf5d05a2b5412c0e579e09e569
Signed-off-by: Mehul Parikh <me...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/e65a3e81
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/e65a3e81
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/e65a3e81
Branch: refs/heads/master
Commit: e65a3e81265f46c76611b0c3e7265af932629bb1
Parents: 122172a
Author: Nikhil P <ni...@gmail.com>
Authored: Wed Apr 4 17:12:00 2018 +0530
Committer: Mehul Parikh <me...@apache.org>
Committed: Sat Apr 7 11:40:01 2018 +0530
----------------------------------------------------------------------
.../apache/hadoop/crypto/key/ConsoleUtil.java | 29 ++++++--------------
.../apache/hadoop/crypto/key/DB2HSMMKUtil.java | 10 +++++--
.../apache/hadoop/crypto/key/HSM2DBMKUtil.java | 10 +++++--
.../hadoop/crypto/key/JKS2RangerUtil.java | 11 ++++++--
.../hadoop/crypto/key/Ranger2JKSUtil.java | 11 ++++++--
.../unix/jaas/PamLoginModule.java | 12 ++++----
.../unix/jaas/RemoteUnixLoginModule.java | 29 +++++++++++++-------
7 files changed, 68 insertions(+), 44 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/e65a3e81/kms/src/main/java/org/apache/hadoop/crypto/key/ConsoleUtil.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/ConsoleUtil.java b/kms/src/main/java/org/apache/hadoop/crypto/key/ConsoleUtil.java
index 9f43740..f07a1fe 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/ConsoleUtil.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/ConsoleUtil.java
@@ -20,7 +20,6 @@ package org.apache.hadoop.crypto.key;
import java.io.Console;
import java.io.IOException;
import java.io.InputStream;
-import java.nio.charset.Charset;
/**
* Utility class for reading passwords from the console.
@@ -33,17 +32,9 @@ class ConsoleUtil {
* @param prompt the question which is prompted
* @return the password.
*/
- static char[] getPasswordFromConsole(String prompt) throws IOException {
- return getStringPasswordFromConsole(prompt).toCharArray();
- }
- /**
- * Ask a password from console, and return as a String.
- * @param prompt the question which is prompted
- * @return the password.
- */
- static String getStringPasswordFromConsole(String prompt) throws IOException {
- String ret = null;
+ static char[] getPasswordFromConsole(String prompt) throws IOException {
+ char pwd[]=null;
Console c = System.console();
if (c == null) {
System.out.print(prompt + " ");
@@ -52,23 +43,21 @@ class ConsoleUtil {
byte[] b = new byte[max];
int l = in.read(b);
l--; // last character is \n
+ pwd=new char[l];
if (l > 0) {
byte[] e = new byte[l];
System.arraycopy(b, 0, e, 0, l);
- ret = new String(e, Charset.defaultCharset());
+ for (int i = 0; i < l; i++) {
+ pwd[i] = (char) e[i];
+ }
}
} else {
- char[] pwd = c.readPassword(prompt + " ");
+ pwd = c.readPassword(prompt + " ");
if (pwd == null) {
- ret = null;
- } else {
- ret = new String(pwd);
+ pwd = new char[0];
}
}
- if (ret == null) {
- ret = "";
- }
- return ret;
+ return pwd;
}
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/e65a3e81/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java b/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java
index ad85245..aec8eae 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java
@@ -16,6 +16,8 @@
*/
package org.apache.hadoop.crypto.key;
+import java.util.Arrays;
+
import org.apache.hadoop.conf.Configuration;
import org.apache.ranger.kms.dao.DaoManager;
@@ -65,12 +67,13 @@ public class DB2HSMMKUtil {
}
private boolean doExportMKToHSM(String hsmType, String partitionName) {
+ char[] partitionPassword=null;
try {
- String partitionPassword = ConsoleUtil.getStringPasswordFromConsole("Enter Password for the Partition "+partitionName+" : ");
+ partitionPassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the Partition "+partitionName+" : ");
Configuration conf = RangerKeyStoreProvider.getDBKSConf();
conf.set(HSM_TYPE, hsmType);
conf.set(PARTITION_NAME, partitionName);
- conf.set(PARTITION_PASSWORD, partitionPassword);
+ conf.set(PARTITION_PASSWORD, String.valueOf(partitionPassword));
RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);
DaoManager daoManager = rangerkmsDb.getDaoManager();
@@ -89,5 +92,8 @@ public class DB2HSMMKUtil {
catch(Throwable t) {
throw new RuntimeException("Unable to import Master key from Ranger DB to HSM ", t);
}
+ finally{
+ Arrays.fill(partitionPassword, ' ');
+ }
}
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/e65a3e81/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java b/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java
index b330a01..0cf832f 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java
@@ -16,6 +16,8 @@
*/
package org.apache.hadoop.crypto.key;
+import java.util.Arrays;
+
import org.apache.hadoop.conf.Configuration;
import org.apache.ranger.kms.dao.DaoManager;
@@ -64,12 +66,13 @@ public class HSM2DBMKUtil {
}
private void doImportMKFromHSM(String hsmType, String partitionName) {
+ char[] partitionPassword=null;
try {
- String partitionPassword = ConsoleUtil.getStringPasswordFromConsole("Enter Password for the Partition "+partitionName+" : ");
+ partitionPassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the Partition "+partitionName+" : ");
Configuration conf = RangerKeyStoreProvider.getDBKSConf();
conf.set(HSM_TYPE, hsmType);
conf.set(PARTITION_NAME, partitionName);
- conf.set(PARTITION_PASSWORD, partitionPassword);
+ conf.set(PARTITION_PASSWORD, String.valueOf(partitionPassword));
RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);
DaoManager daoManager = rangerkmsDb.getDaoManager();
@@ -87,5 +90,8 @@ public class HSM2DBMKUtil {
catch(Throwable t) {
throw new RuntimeException("Unable to import Master key from HSM to Ranger DB", t);
}
+ finally{
+ Arrays.fill(partitionPassword, ' ');
+ }
}
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/e65a3e81/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java b/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java
index 13833cb..dd4408f 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java
@@ -22,6 +22,7 @@ import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
+import java.util.Arrays;
import org.apache.hadoop.conf.Configuration;
import org.apache.ranger.kms.dao.DaoManager;
@@ -71,9 +72,11 @@ public class JKS2RangerUtil {
}
private void doImportKeysFromJKS(String keyStoreFileName, String keyStoreType) {
+ char[] keyStorePassword = null;
+ char[] keyPassword = null;
try {
- char[] keyStorePassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the keystore FILE :");
- char[] keyPassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the KEY(s) stored in the keystore:");
+ keyStorePassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the keystore FILE :");
+ keyPassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the KEY(s) stored in the keystore:");
Configuration conf = RangerKeyStoreProvider.getDBKSConf();
RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);
DaoManager daoManager = rangerkmsDb.getDaoManager();
@@ -101,6 +104,10 @@ public class JKS2RangerUtil {
catch(Throwable t) {
throw new RuntimeException("Unable to import keys from [" + keyStoreFileName + "] due to exception.", t);
}
+ finally{
+ Arrays.fill(keyStorePassword, ' ');
+ Arrays.fill(keyPassword, ' ');
+ }
}
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/e65a3e81/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java b/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java
index f7c3e6d..4f337bb 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java
@@ -22,6 +22,7 @@ import java.io.IOException;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
+import java.util.Arrays;
import org.apache.hadoop.conf.Configuration;
import org.apache.ranger.kms.dao.DaoManager;
@@ -72,9 +73,11 @@ public class Ranger2JKSUtil {
}
private void doExportKeysFromJKS(String keyStoreFileName, String keyStoreType) {
+ char[] keyStorePassword = null;
+ char[] keyPassword = null;
try {
- char[] keyStorePassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the keystore FILE :");
- char[] keyPassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the KEY(s) stored in the keystore:");
+ keyStorePassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the keystore FILE :");
+ keyPassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the KEY(s) stored in the keystore:");
Configuration conf = RangerKeyStoreProvider.getDBKSConf();
RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);
DaoManager daoManager = rangerkmsDb.getDaoManager();
@@ -100,6 +103,10 @@ public class Ranger2JKSUtil {
catch(Throwable t) {
throw new RuntimeException("Unable to export keys to [" + keyStoreFileName + "] due to exception.", t);
}
+ finally{
+ Arrays.fill(keyStorePassword, ' ');
+ Arrays.fill(keyPassword, ' ');
+ }
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/e65a3e81/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java
----------------------------------------------------------------------
diff --git a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java
index 803e3e8..8ff5b23 100644
--- a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java
+++ b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java
@@ -19,7 +19,6 @@
package org.apache.ranger.authentication.unix.jaas;
-import org.apache.commons.lang.StringUtils;
import org.jvnet.libpam.PAM;
import org.jvnet.libpam.PAMException;
import org.jvnet.libpam.UnixUser;
@@ -31,6 +30,7 @@ import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import java.io.IOException;
import java.security.Principal;
+import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
@@ -45,7 +45,7 @@ public class PamLoginModule implements LoginModule
private Map<String, ?> _options;
private String _username;
- private String _password;
+ private char[] _passwordchar;
private boolean _authSucceeded;
private PamPrincipal _principal;
@@ -139,7 +139,7 @@ public class PamLoginModule implements LoginModule
{
char[] password = passwordCallback.getPassword();
if (password != null) {
- _password = new String(password);
+ _passwordchar = Arrays.copyOf(password, password.length);
}
passwordCallback.clearPassword();
}
@@ -148,8 +148,8 @@ public class PamLoginModule implements LoginModule
{
try
{
- if (StringUtils.isNotEmpty(_password)) {
- UnixUser user = _pam.authenticate(_username, _password);
+ if (_passwordchar != null) {
+ UnixUser user = _pam.authenticate(_username, String.valueOf(_passwordchar));
_principal = new PamPrincipal(user);
_authSucceeded = true;
return true;
@@ -219,7 +219,7 @@ public class PamLoginModule implements LoginModule
{
_authSucceeded = false;
_username = null;
- _password = null;
+ Arrays.fill(_passwordchar, ' ');
_principal = null;
_pam.dispose();
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/e65a3e81/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java
----------------------------------------------------------------------
diff --git a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java
index 40cc51e..204398f 100644
--- a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java
+++ b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java
@@ -32,6 +32,7 @@ import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
+import java.util.Arrays;
import java.util.Map;
import java.util.Properties;
@@ -235,15 +236,17 @@ public class RemoteUnixLoginModule implements LoginModule {
log("userName:" + userName);
log("modified UserName:" + modifiedUserName);
- String modifiedPassword;
+ char modifiedPasschar[];
if (password != null) {
- modifiedPassword = new String(password);
+ modifiedPasschar = Arrays.copyOf(password,password.length);
} else {
- modifiedPassword = new String(new char[0]);
+ modifiedPasschar = new char[0];
}
- doLogin(modifiedUserName, modifiedPassword);
+ doLogin(modifiedUserName, modifiedPasschar);
+ Arrays.fill(password, ' ');
+ Arrays.fill(modifiedPasschar, ' ');
loginSuccessful = true;
}
@@ -258,14 +261,14 @@ public class RemoteUnixLoginModule implements LoginModule {
return true;
}
- public void doLogin(String aUserName, String aPassword) throws LoginException {
+ public void doLogin(String aUserName, char[] modifiedPasschar) throws LoginException {
// POSSIBLE values
// null
// OK: group1, group2, group3
// FAILED: Invalid Password
- String ret = getLoginReplyFromAuthService(aUserName, aPassword);
+ String ret = getLoginReplyFromAuthService(aUserName, modifiedPasschar);
if (ret == null) {
throw new LoginException("FAILED: unable to authenticate to AuthenticationService: " + remoteHostName + ":" + remoteHostAuthServicePort);
@@ -282,13 +285,17 @@ public class RemoteUnixLoginModule implements LoginModule {
}
}
- private String getLoginReplyFromAuthService(String aUserName, String aPassword) throws LoginException {
+ private String getLoginReplyFromAuthService(String aUserName, char[] modifiedPasschar) throws LoginException {
String ret = null;
Socket sslsocket = null;
- String loginString = "LOGIN:" + aUserName + " " + new String(aPassword) + "\n";
-
+ char prefix[]=new String("LOGIN:"+aUserName+" ").toCharArray();
+ char tail[]=new String("\n").toCharArray();
+ char loginData[]=new char[prefix.length+modifiedPasschar.length+tail.length];
+ System.arraycopy(prefix, 0, loginData, 0, prefix.length);
+ System.arraycopy(modifiedPasschar, 0, loginData, prefix.length,modifiedPasschar.length);
+ System.arraycopy(tail, 0, loginData, prefix.length+modifiedPasschar.length, tail.length);
try {
try {
if (SSLEnabled) {
@@ -380,7 +387,7 @@ public class RemoteUnixLoginModule implements LoginModule {
OutputStreamWriter writer = new OutputStreamWriter(sslsocket.getOutputStream());
- writer.write(loginString);
+ writer.write(loginData);
writer.flush();
@@ -401,6 +408,8 @@ public class RemoteUnixLoginModule implements LoginModule {
throw new LoginException("FAILED: unable to authenticate to AuthenticationService: " + remoteHostName + ":" + remoteHostAuthServicePort + ", Exception: [" + t + "]");
} finally {
log("Login of user String: {" + aUserName + "}, return from AuthServer: {" + ret + "}");
+ Arrays.fill(loginData,' ');
+ Arrays.fill(modifiedPasschar,' ');
}
return ret;