Posted to commits@ranger.apache.org by ab...@apache.org on 2021/10/13 02:57:22 UTC
[ranger] branch master updated: RANGER-3421: Key getting logged in
RangerMasterKey
This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 4778fd5 RANGER-3421: Key getting logged in RangerMasterKey
4778fd5 is described below
commit 4778fd52dae48e8c5024e87bac9e9622f773112c
Author: Abhishek Kumar <ab...@gmail.com>
AuthorDate: Tue Oct 12 19:42:37 2021 -0700
RANGER-3421: Key getting logged in RangerMasterKey
---
.../apache/hadoop/crypto/key/RangerMasterKey.java | 141 ++++++++-------------
1 file changed, 56 insertions(+), 85 deletions(-)
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
index adb2c26..582de02 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
@@ -22,9 +22,7 @@ import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
-import java.util.HashMap;
import java.util.List;
-import java.util.Map;
import java.util.Properties;
import javax.crypto.Cipher;
@@ -45,25 +43,24 @@ import org.apache.ranger.entity.XXRangerMasterKey;
import com.google.common.base.Joiner;
import com.google.common.base.Splitter;
import com.google.common.collect.Lists;
-import com.sun.org.apache.xml.internal.security.exceptions.Base64DecodingException;
import com.sun.org.apache.xml.internal.security.utils.Base64;
public class RangerMasterKey implements RangerKMSMKI {
- private static final Logger logger = Logger.getLogger(RangerMasterKey.class);
+ private static final Logger logger = Logger.getLogger(RangerMasterKey.class);
+ private static final String DEFAULT_MK_CIPHER = "AES";
+ private static final int DEFAULT_MK_KeySize = 256;
+ private static final int DEFAULT_SALT_SIZE = 8;
+ private static final String DEFAULT_SALT = "abcdefghijklmnopqrstuvwxyz01234567890";
+ private static final String DEFAULT_CRYPT_ALGO = "PBEWithMD5AndTripleDES";
+ private static final int DEFAULT_ITERATION_COUNT = 1000;
+ private static final Properties serverConfigProperties = new Properties();
+
+ public static final String DBKS_SITE_XML = "dbks-site.xml";
- private static final String DEFAULT_MK_CIPHER = "AES";
- private static final int DEFAULT_MK_KeySize = 256;
- private static final int DEFAULT_SALT_SIZE = 8;
- private static final String DEFAULT_SALT = "abcdefghijklmnopqrstuvwxyz01234567890";
- private static final String DEFAULT_CRYPT_ALGO = "PBEWithMD5AndTripleDES";
- private static final int DEFAULT_ITERATION_COUNT = 1000;
private static String password = null;
private static String DEFAULT_MD_ALGO;
- public static final String DBKS_SITE_XML = "dbks-site.xml";
- private static Properties serverConfigProperties = new Properties();
-
public static String MK_CIPHER;
public static Integer MK_KeySize = 0;
public static Integer SALT_SIZE = 0;
@@ -75,8 +72,7 @@ public class RangerMasterKey implements RangerKMSMKI {
private DaoManager daoManager;
- public RangerMasterKey() {
- }
+ public RangerMasterKey() {}
public RangerMasterKey(DaoManager daoManager) {
this.daoManager = daoManager;
@@ -85,8 +81,7 @@ public class RangerMasterKey implements RangerKMSMKI {
protected static String getConfig(String key, String defaultValue) {
String value = serverConfigProperties.getProperty(key);
if (value == null || value.trim().isEmpty()) {
- // Value not found in properties file, let's try to get from
- // System's property
+ //value not found in properties file, let's try to get from system property
value = System.getProperty(key);
}
if (value == null || value.trim().isEmpty()) {
@@ -103,7 +98,7 @@ public class RangerMasterKey implements RangerKMSMKI {
ret = Integer.parseInt(retStr);
}
} catch (Exception err) {
- logger.warn(retStr + " can't be parsed to int. Reason: " + err.toString());
+ logger.warn("Key can not be parsed to int due to NumberFormatException");
}
return ret;
}
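Review bot: The new warning on the `+` line names NumberFormatException, but the catch two lines above is still `catch (Exception err)`, and the message no longer says which property failed to parse, so a bad `ranger.kms.service.masterkey.password.iteration.count` setting is hard to trace from the log. Integer.parseInt throws only NumberFormatException (also for a null input), so the catch can be narrowed to match the message and the property name — not its value — logged: `} catch (NumberFormatException err) {` / `logger.warn("Value of " + key + " can not be parsed to int; using the default");`, assuming the parameter is named `key` as in getConfig and nothing else in the try block can throw; the method's signature and try block start above this hunk. Do not append `err` or `err.toString()` to the message: NumberFormatException's own message echoes the offending input (`For input string: "..."`), which would reintroduce the value this commit removes from the log.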
@@ -123,7 +118,7 @@ public class RangerMasterKey implements RangerKMSMKI {
logger.info("Getting Master Key");
List result = getEncryptedMK();
String encryptedPassString = null;
- byte masterKeyByte[] = null;
+ byte[] masterKeyByte = null;
if (CollectionUtils.isNotEmpty(result) && result.size() == 2) {
masterKeyByte = (byte[]) result.get(0);
encryptedPassString = (String) result.get(1);
@@ -147,7 +142,7 @@ public class RangerMasterKey implements RangerKMSMKI {
logger.info("Getting Master Key");
List result = getEncryptedMK();
String encryptedPassString = null;
- byte masterKeyByte[] = null;
+ byte[] masterKeyByte = null;
if (CollectionUtils.isNotEmpty(result) && result.size() == 2) {
masterKeyByte = (byte[]) result.get(0);
encryptedPassString = (String) result.get(1);
@@ -167,16 +162,15 @@ public class RangerMasterKey implements RangerKMSMKI {
/**
* Generate the master key, encrypt it and save it in the database
*
- * @param password password to be used for encryption
* @return true if the master key was successfully created false if master
* key generation was unsuccessful or the master key already exists
- * @throws Throwable
*/
public void init() {
if (logger.isDebugEnabled()) {
logger.debug("==> RangerMasterKey.init()");
}
+
XMLUtils.loadConfig(DBKS_SITE_XML, serverConfigProperties);
DEFAULT_MD_ALGO = getConfig("ranger.keystore.file.type", KeyStore.getDefaultType()).equalsIgnoreCase("bcfks") ? "SHA-512" : "MD5";
MK_CIPHER = getConfig("ranger.kms.service.masterkey.password.cipher", DEFAULT_MK_CIPHER);
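Review bot: The Javadoc kept above `init()` still describes a different method: the summary says it generates, encrypts and saves the master key, and it keeps `@return true if the master key was successfully created ...` on a method that is now `void`, so the javadoc tool will keep warning on the `@return` tag even though the commit removed the `@param` and `@throws` tags next to it. Suggest replacing the block with a summary that matches the body visible here, e.g. `Loads dbks-site.xml and resolves the master-key cipher, key size, salt, PBE and digest algorithms and iteration count from the ranger.kms.service.masterkey.* settings into the static fields.`, and dropping the `@return` tag. The body of `init()` continues into the next hunk.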
@@ -185,10 +179,12 @@ public class RangerMasterKey implements RangerKMSMKI {
SALT = getConfig("ranger.kms.service.masterkey.password.salt", DEFAULT_SALT);
PBE_ALGO = getConfig("ranger.kms.service.masterkey.password.encryption.algorithm", DEFAULT_CRYPT_ALGO);
MD_ALGO = getConfig("ranger.kms.service.masterkey.password.md.algorithm", DEFAULT_MD_ALGO);
- ITERATION_COUNT = getIntConfig("ranger.kms.service.masterkey.password.iteration.count",
- DEFAULT_ITERATION_COUNT);
- paddingString = Joiner.on(",").skipNulls().join(MK_CIPHER, MK_KeySize, SALT_SIZE, PBE_ALGO, MD_ALGO,
- ITERATION_COUNT, SALT);
+ ITERATION_COUNT = getIntConfig("ranger.kms.service.masterkey.password.iteration.count", DEFAULT_ITERATION_COUNT);
+ paddingString = Joiner.on(",").skipNulls().join(MK_CIPHER, MK_KeySize, SALT_SIZE, PBE_ALGO, MD_ALGO, ITERATION_COUNT, SALT);
+
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerMasterKey.init()");
+ }
}
@Override
@@ -213,7 +209,7 @@ public class RangerMasterKey implements RangerKMSMKI {
return false;
}
- public boolean generateMKFromHSMMK(String password, byte[] key) throws Throwable {
+ public void generateMKFromHSMMK(String password, byte[] key) throws Throwable {
if (logger.isDebugEnabled()) {
logger.debug("==> RangerMasterKey.generateMKFromHSMMK()");
}
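Review bot: Changing generateMKFromHSMMK from `boolean` to `void` removes the only signal a caller had that the master key was not persisted: in the body (next hunk, ending at the `}` after the second exit trace) both `return true` and `return false` are gone, and when `savedKey` is empty the method now ends with nothing but a debug-level exit message. The same applies to generateMKFromKeySecureMK in the hunk further down, where the "Master Key Created" line is additionally logged at debug without the `isDebugEnabled()` guard used everywhere else in the class. Any callers that tested the old return value are outside this diff and need checking; at minimum the not-saved path deserves a non-debug log so a KMS starting without a usable master key is visible, e.g. `} else {` / `logger.warn("Master Key was not persisted; saveEncryptedMK returned no id (a master key appears to exist already)");` / `}` after the `if (savedKey != null && ...)` block in both methods. The method body continues outside this hunk.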
@@ -225,15 +221,13 @@ public class RangerMasterKey implements RangerKMSMKI {
logger.debug("Master Key Created with id = " + savedKey);
logger.debug("<== RangerMasterKey.generateMKFromHSMMK()");
}
- return true;
}
if (logger.isDebugEnabled()) {
logger.debug("<== RangerMasterKey.generateMKFromHSMMK()");
}
- return false;
}
- private String decryptMasterKey(byte masterKey[], String password, String encryptedPassString) throws Throwable {
+ private String decryptMasterKey(byte[] masterKey, String password, String encryptedPassString) throws Throwable {
if (logger.isDebugEnabled()) {
logger.debug("==> RangerMasterKey.decryptMasterKey()");
logger.debug("Decrypting Master Key...");
@@ -279,26 +273,22 @@ public class RangerMasterKey implements RangerKMSMKI {
}
}
- public boolean generateMKFromKeySecureMK(String password, byte[] key)
- throws Throwable {
- if (logger.isDebugEnabled()) {
+ public void generateMKFromKeySecureMK(String password, byte[] key) throws Throwable {
+ if (logger.isDebugEnabled()) {
logger.debug("==> RangerMasterKey.generateMKFromKeySecureMK()");
}
- init();
- String encryptedMasterKey = encryptMasterKey(password, key);
- String savedKey = saveEncryptedMK(paddingString + "," + encryptedMasterKey, daoManager);
- if (savedKey != null && !savedKey.trim().equals("")) {
- logger.debug("Master Key Created with id = " + savedKey);
- return true;
- }
- if (logger.isDebugEnabled()) {
- logger.debug("<== RangerMasterKey.generateMKFromKeySecureMK()");
+ init();
+ String encryptedMasterKey = encryptMasterKey(password, key);
+ String savedKey = saveEncryptedMK(paddingString + "," + encryptedMasterKey, daoManager);
+ if (savedKey != null && !savedKey.trim().equals("")) {
+ logger.debug("Master Key Created with id = " + savedKey);
}
- return false;
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerMasterKey.generateMKFromKeySecureMK()");
}
+ }
- private SecretKey decryptMasterKeySK(byte masterKey[], String password, String encryptedPassString)
- throws Throwable {
+ private SecretKey decryptMasterKeySK(byte[] masterKey, String password, String encryptedPassString) throws Throwable {
if (logger.isDebugEnabled()) {
logger.debug("==> RangerMasterKey.decryptMasterKeySK()");
}
@@ -313,7 +303,7 @@ public class RangerMasterKey implements RangerKMSMKI {
return getMasterKeyFromBytes(masterKeyFromDBDecrypted);
}
- private List getEncryptedMK() throws Base64DecodingException {
+ private List getEncryptedMK() {
if (logger.isDebugEnabled()) {
logger.debug("==> RangerMasterKey.getEncryptedMK()");
}
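Review bot: Dropping `throws Base64DecodingException` from getEncryptedMK is only valid because the `Base64.decode(...)` calls in the next hunk sit inside the `catch (Exception e)` that logs and lets the method return whatever is already in `ret`; a stored master key that fails to decode is therefore reported only as an error log, and callers learn about it only indirectly through the `result.size() == 2` checks earlier in this diff — consider whether the caller should be told explicitly. Separately, the decoder here is `com.sun.org.apache.xml.internal.security.utils.Base64`, a JDK-internal copy of Apache xml-security that is not a supported API and is encapsulated on newer JDKs; `java.util.Base64.getMimeDecoder()` is the supported replacement and tolerates the line breaks that encoder emits, but verify against values already stored in the database before switching. The method body continues outside this hunk.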
@@ -333,21 +323,17 @@ public class RangerMasterKey implements RangerKMSMKI {
getPasswordParam(masterKeyStr);
ret.add(Base64.decode(password));
ret.add(masterKeyStr);
- if (logger.isDebugEnabled()) {
- logger.debug("<== RangerMasterKey.getEncryptedMK()");
- }
- return ret;
} else {
ret.add(Base64.decode(masterKeyStr));
- if (logger.isDebugEnabled()) {
- logger.debug("<== RangerMasterKey.getEncryptedMK()");
- }
- return ret;
}
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerMasterKey.getEncryptedMK()");
+ }
+ return ret;
}
}
} catch (Exception e) {
- logger.error("Unable to Retrieving Master Key from database!!! or ", e);
+ logger.error("Unable to retrieve Master Key from the database!!!", e);
}
if (logger.isDebugEnabled()) {
logger.debug("<== RangerMasterKey.getEncryptedMK()");
@@ -366,8 +352,7 @@ public class RangerMasterKey implements RangerKMSMKI {
try {
if (daoManager != null) {
RangerMasterKeyDao rangerKMSDao = new RangerMasterKeyDao(daoManager);
- Long l = rangerKMSDao.getAllCount();
- if (l < 1) {
+ if (rangerKMSDao.getAllCount() < 1) {
XXRangerMasterKey rangerMasterKey = rangerKMSDao.create(xxRangerMasterKey);
if (logger.isDebugEnabled()) {
logger.debug("<== RangerMasterKey.saveEncryptedMK()");
@@ -438,8 +423,14 @@ public class RangerMasterKey implements RangerKMSMKI {
PBEParameterSpec paramSpec = new PBEParameterSpec(keyspec.getSalt(), keyspec.getIterationCount());
Cipher c = Cipher.getInstance(key.getAlgorithm());
c.init(Cipher.ENCRYPT_MODE, key, paramSpec);
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerMasterKey.encryptKey()");
+ }
return c.doFinal(data);
}
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerMasterKey.encryptKey()");
+ }
return null;
}
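Review bot: The exit trace added to encryptKey is duplicated verbatim before each of the two `return` statements; computing the result into a local and emitting one `if (logger.isDebugEnabled()) { logger.debug("<== RangerMasterKey.encryptKey()"); }` before a single return would avoid the copy and keeps the trace correct if a third return is added later. The next hunk adds the same kind of exit trace to getPasswordKey but not to decryptKey, which it also touches, so the entry/exit tracing is now uneven across the three helpers. The start of encryptKey is above this hunk.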
@@ -448,13 +439,16 @@ public class RangerMasterKey implements RangerKMSMKI {
logger.debug("==> RangerMasterKey.getPasswordKey()");
}
SecretKeyFactory factory = SecretKeyFactory.getInstance(PBE_ALGO);
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== RangerMasterKey.getPasswordKey()");
+ }
return factory.generateSecret(keyspec);
}
- private byte[] decryptKey(byte[] encrypted, PBEKeySpec keyspec) throws Throwable {
- SecretKey key = getPasswordKey(keyspec);
- if (keyspec.getSalt() != null) {
- PBEParameterSpec paramSpec = new PBEParameterSpec(keyspec.getSalt(), keyspec.getIterationCount());
+ private byte[] decryptKey(byte[] encrypted, PBEKeySpec keySpec) throws Throwable {
+ SecretKey key = getPasswordKey(keySpec);
+ if (keySpec.getSalt() != null) {
+ PBEParameterSpec paramSpec = new PBEParameterSpec(keySpec.getSalt(), keySpec.getIterationCount());
Cipher c = Cipher.getInstance(key.getAlgorithm());
c.init(Cipher.DECRYPT_MODE, key, paramSpec);
return c.doFinal(encrypted);
@@ -462,31 +456,8 @@ public class RangerMasterKey implements RangerKMSMKI {
return null;
}
- private SecretKey getMasterKeyFromBytes(byte[] keyData) throws Throwable {
+ private SecretKey getMasterKeyFromBytes(byte[] keyData) {
return new SecretKeySpec(keyData, MK_CIPHER);
}
- public Map<String, String> getPropertiesWithPrefix(Properties props, String prefix) {
- Map<String, String> prefixedProperties = new HashMap<String, String>();
-
- if (props != null && prefix != null) {
- for (String key : props.stringPropertyNames()) {
- if (key == null) {
- continue;
- }
-
- String val = props.getProperty(key);
-
- if (key.startsWith(prefix)) {
- key = key.substring(prefix.length());
-
- if (key != null) {
- prefixedProperties.put(key, val);
- }
- }
- }
- }
-
- return prefixedProperties;
- }
}