Posted to dev@ranger.apache.org by Gautam Borad <gb...@gmail.com> on 2019/02/14 09:59:02 UTC

Review Request 69985: RANGER-2331 : Ranger-KMS - KeySecure HSM Integration

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69985/
-----------------------------------------------------------

Review request for ranger, Ankita Sinha, Don Bosco Durai, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-2331
    https://issues.apache.org/jira/browse/RANGER-2331


Repository: ranger


Description
-------

User story: As a security admin, I want to manage encryption keys for securing my Hadoop cluster files in Ranger KMS service with Safenet KeySecure crypto platform.


For Safenet KeySecure overview refer to: https://safenet.gemalto.com/data-encryption/enterprise-key-management/key-secure/


Acceptance Criteria:


1) Ranger KMS has ability to configure Safenet KeySecure platform to be used for key offload


2) Ranger KMS provides ability to provide key management functions (create keys, manage keys, retrieve keys, rollover) using Safenet KeySecure platform


3) Ranger KMS UI panel on Ambari can be used to configure Safenet KeySecure platform


Diffs
-----

  kms/config/kms-webapp/dbks-site.xml 0e0f2ec 
  kms/scripts/DBMKTOKEYSECURE.sh PRE-CREATION 
  kms/scripts/KEYSECUREMKTOKMSDB.sh PRE-CREATION 
  kms/scripts/install.properties ddc779d 
  kms/scripts/setup.sh 2db05b8 
  kms/src/main/java/org/apache/hadoop/crypto/key/DBToKeySecure.java PRE-CREATION 
  kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java 22dce0f 
  kms/src/main/java/org/apache/hadoop/crypto/key/KeySecureToRangerDBMKUtil.java PRE-CREATION 
  kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java 1abbf8e 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java 267fcf0 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java 5614c16 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java PRE-CREATION 
  src/main/assembly/kms.xml fca6a32 


Diff: https://reviews.apache.org/r/69985/diff/1/


Testing
-------

Verified below scenario:


1) Fresh Installation Of Ranger KMS with Safenet Key Secure (NAE-XML Protocol)
2) DB to Key Secure (NAE-XML) master key Migration utility
3) Key Secure (NAE-XML) to DB master key Migration utility


Thanks,

Gautam Borad


Re: Review Request 69985: RANGER-2331 : Ranger-KMS - KeySecure HSM Integration

Posted by Zsombor Gegesy <zs...@apache.org>.

> On Feb. 14, 2019, 12:02 p.m., Zsombor Gegesy wrote:
> > kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
> > Lines 50 (patched)
> > <https://reviews.apache.org/r/69985/diff/1/?file=2125358#file2125358line50>
> >
> >     You can mark all variables as final
> 
> Gautam Borad wrote:
>     I am initializing non final variables in constructor.
> 
> Zsombor Gegesy wrote:
>     Yes, that's the way to use final variables: you need to initialize them in the constructor.
> 
> Pradeep Agrawal wrote:
>     @Zsombor Gegesy : To me it seems okay as he is reinitializing the mkSize variable at line 60. I don't think it needs to be final; however, we can make it static.
> 
> Zsombor Gegesy wrote:
>     Initializing these variables with their default values just adds noise to the code, the code behaves the same:
>     
>         class X {
>             int x;
>             
>             void checkX() {
>                 if (x==0) { 
>                     System.out.println("x is 0!");
>                 }
>             }
>         }
>         
>         new X().checkX(); // this will print 'x is 0!'
>
>     I don't think making an instance variable 'static' would be a good idea.
>     In my opinion, you can safely remove the ' = null' and '= 0' initializations, and mark everything final, to make it clear that these are constant values through the lifetime of this class.
> 
> Pradeep Agrawal wrote:
>     I agree that it doesn't need to be static and it doesn't need to be initialized with 0 at line 50, but it can't be final as per the code of line 60.

mkSize is not written anywhere else; it is only set on line 60, inside the constructor, so it can be set to final.


- Zsombor


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69985/#review212827
-----------------------------------------------------------


On Feb. 19, 2019, 1:58 p.m., Gautam Borad wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69985/
> -----------------------------------------------------------
> 
> (Updated Feb. 19, 2019, 1:58 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2331
>     https://issues.apache.org/jira/browse/RANGER-2331
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> User story: As a security admin, I want to manage encryption keys for securing my Hadoop cluster files in Ranger KMS service with Safenet KeySecure crypto platform.
> 
> 
> For Safenet KeySecure overview refer to: https://safenet.gemalto.com/data-encryption/enterprise-key-management/key-secure/
> 
> 
> Acceptance Criteria:
> 
> 
> 1) Ranger KMS has ability to configure Safenet KeySecure platform to be used for key offload
> 
> 
> 2) Ranger KMS provides ability to provide key management functions (create keys, manage keys, retrieve keys, rollover) using Safenet KeySecure platform
> 
> 
> 3) Ranger KMS UI panel on Ambari can be used to configure Safenet KeySecure platform
> 
> 
> Diffs
> -----
> 
>   kms/config/kms-webapp/dbks-site.xml 0e0f2ec 
>   kms/scripts/DBMKTOKEYSECURE.sh PRE-CREATION 
>   kms/scripts/KEYSECUREMKTOKMSDB.sh PRE-CREATION 
>   kms/scripts/install.properties ddc779d 
>   kms/scripts/setup.sh 2db05b8 
>   kms/src/main/java/org/apache/hadoop/crypto/key/DBToKeySecure.java PRE-CREATION 
>   kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java 22dce0f 
>   kms/src/main/java/org/apache/hadoop/crypto/key/KeySecureToRangerDBMKUtil.java PRE-CREATION 
>   kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java 1abbf8e 
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java 267fcf0 
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java 5614c16 
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java PRE-CREATION 
>   src/main/assembly/kms.xml fca6a32 
> 
> 
> Diff: https://reviews.apache.org/r/69985/diff/2/
> 
> 
> Testing
> -------
> 
> Verified below scenario:
> 
> 
> 1) Fresh Installation Of Ranger KMS with Safenet Key Secure (NAE-XML Protocol)
> 2) DB to Key Secure (NAE-XML) master key Migration utility
> 3) Key Secure (NAE-XML) to DB master key Migration utility
> 
> 
> Thanks,
> 
> Gautam Borad
> 
>


Re: Review Request 69985: RANGER-2331 : Ranger-KMS - KeySecure HSM Integration

Posted by Pradeep Agrawal <pr...@gmail.com>.

> On Feb. 14, 2019, 12:02 p.m., Zsombor Gegesy wrote:
> > kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
> > Lines 50 (patched)
> > <https://reviews.apache.org/r/69985/diff/1/?file=2125358#file2125358line50>
> >
> >     You can mark all variables as final
> 
> Gautam Borad wrote:
>     I am initializing non final variables in constructor.
> 
> Zsombor Gegesy wrote:
>     Yes, that's the way to use final variables: you need to initialize them in the constructor.

@Zsombor Gegesy : To me it seems okay as he is reinitializing the mkSize variable at line 60. I don't think it needs to be final; however, we can make it static.


- Pradeep


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69985/#review212827
-----------------------------------------------------------




Re: Review Request 69985: RANGER-2331 : Ranger-KMS - KeySecure HSM Integration

Posted by Pradeep Agrawal <pr...@gmail.com>.

> On Feb. 14, 2019, 12:02 p.m., Zsombor Gegesy wrote:
> > kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
> > Lines 50 (patched)
> > <https://reviews.apache.org/r/69985/diff/1/?file=2125358#file2125358line50>
> >
> >     You can mark all variables as final
> 
> Gautam Borad wrote:
>     I am initializing non final variables in constructor.
> 
> Zsombor Gegesy wrote:
>     Yes, that's the way to use final variables: you need to initialize them in the constructor.
> 
> Pradeep Agrawal wrote:
>     @Zsombor Gegesy : To me it seems okay as he is reinitializing the mkSize variable at line 60. I don't think it needs to be final; however, we can make it static.
> 
> Zsombor Gegesy wrote:
>     Initializing these variables with their default values just adds noise to the code, the code behaves the same:
>     
>         class X {
>             int x;
>             
>             void checkX() {
>                 if (x==0) { 
>                     System.out.println("x is 0!");
>                 }
>             }
>         }
>         
>         new X().checkX(); // this will print 'x is 0!'
>
>     I don't think making an instance variable 'static' would be a good idea.
>     In my opinion, you can safely remove the ' = null' and '= 0' initializations, and mark everything final, to make it clear that these are constant values through the lifetime of this class.

I agree that it doesn't need to be static and it doesn't need to be initialized with 0 at line 50, but it can't be final as per the code of line 60.


- Pradeep


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69985/#review212827
-----------------------------------------------------------




Re: Review Request 69985: RANGER-2331 : Ranger-KMS - KeySecure HSM Integration

Posted by Zsombor Gegesy <zs...@apache.org>.

> On Feb. 14, 2019, 12:02 p.m., Zsombor Gegesy wrote:
> > kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
> > Lines 50 (patched)
> > <https://reviews.apache.org/r/69985/diff/1/?file=2125358#file2125358line50>
> >
> >     You can mark all variables as final
> 
> Gautam Borad wrote:
>     I am initializing non final variables in constructor.

Yes, that's the way to use final variables: you need to initialize them in the constructor.


- Zsombor


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69985/#review212827
-----------------------------------------------------------




Re: Review Request 69985: RANGER-2331 : Ranger-KMS - KeySecure HSM Integration

Posted by Zsombor Gegesy <zs...@apache.org>.

> On Feb. 14, 2019, 12:02 p.m., Zsombor Gegesy wrote:
> > kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
> > Lines 50 (patched)
> > <https://reviews.apache.org/r/69985/diff/1/?file=2125358#file2125358line50>
> >
> >     You can mark all variables as final
> 
> Gautam Borad wrote:
>     I am initializing non final variables in constructor.
> 
> Zsombor Gegesy wrote:
>     Yes, that's the way to use final variables: you need to initialize them in the constructor.
> 
> Pradeep Agrawal wrote:
>     @Zsombor Gegesy : To me it seems okay as he is reinitializing the mkSize variable at line 60. I don't think it needs to be final; however, we can make it static.

Initializing these variables with their default values just adds noise to the code, the code behaves the same:

    class X {
        int x;
        
        void checkX() {
            if (x==0) { 
                System.out.println("x is 0!");
            }
        }
    }
    
    new X().checkX(); // this will print 'x is 0!'

I don't think making an instance variable 'static' would be a good idea.
In my opinion, you can safely remove the ' = null' and '= 0' initializations, and mark everything final, to make it clear that these are constant values through the lifetime of this class.


- Zsombor


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69985/#review212827
-----------------------------------------------------------




Re: Review Request 69985: RANGER-2331 : Ranger-KMS - KeySecure HSM Integration

Posted by Pradeep Agrawal <pr...@gmail.com>.

> On Feb. 14, 2019, 12:02 p.m., Zsombor Gegesy wrote:
> > kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
> > Lines 50 (patched)
> > <https://reviews.apache.org/r/69985/diff/1/?file=2125358#file2125358line50>
> >
> >     You can mark all variables as final
> 
> Gautam Borad wrote:
>     I am initializing non final variables in constructor.
> 
> Zsombor Gegesy wrote:
>     Yes, that's the way to use final variables: you need to initialize them in the constructor.
> 
> Pradeep Agrawal wrote:
>     @Zsombor Gegesy : To me it seems okay as he is reinitializing the mkSize variable at line 60. I don't think it needs to be final; however, we can make it static.
> 
> Zsombor Gegesy wrote:
>     Initializing these variables with their default values just adds noise to the code, the code behaves the same:
>     
>         class X {
>             int x;
>             
>             void checkX() {
>                 if (x==0) { 
>                     System.out.println("x is 0!");
>                 }
>             }
>         }
>         
>         new X().checkX(); // this will print 'x is 0!'
>
>     I don't think making an instance variable 'static' would be a good idea.
>     In my opinion, you can safely remove the ' = null' and '= 0' initializations, and mark everything final, to make it clear that these are constant values through the lifetime of this class.
> 
> Pradeep Agrawal wrote:
>     I agree that it doesn't need to be static and it doesn't need to be initialized with 0 at line 50, but it can't be final as per the code of line 60.
> 
> Zsombor Gegesy wrote:
>     mkSize is not written anywhere else; it is only set on line 60, inside the constructor, so it can be set to final.

Yes, you are right.


- Pradeep


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69985/#review212827
-----------------------------------------------------------




Re: Review Request 69985: RANGER-2331 : Ranger-KMS - KeySecure HSM Integration

Posted by Gautam Borad <gb...@gmail.com>.

> On Feb. 14, 2019, 12:02 p.m., Zsombor Gegesy wrote:
> > kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
> > Lines 50 (patched)
> > <https://reviews.apache.org/r/69985/diff/1/?file=2125358#file2125358line50>
> >
> >     You can mark all variables as final

I am initializing non final variables in constructor.


- Gautam


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69985/#review212827
-----------------------------------------------------------




Re: Review Request 69985: RANGER-2331 : Ranger-KMS - KeySecure HSM Integration

Posted by Zsombor Gegesy <zs...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69985/#review212827
-----------------------------------------------------------




kms/src/main/java/org/apache/hadoop/crypto/key/DBToKeySecure.java
Lines 82 (patched)
<https://reviews.apache.org/r/69985/#comment298708>

    I would expect that if the import failed, the process ends with a non-zero exit code.



kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
Lines 50 (patched)
<https://reviews.apache.org/r/69985/#comment298711>

    You can mark all variables as final



kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
Lines 52 (patched)
<https://reviews.apache.org/r/69985/#comment298712>

    This variable shouldn't be static.



kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
Lines 59 (patched)
<https://reviews.apache.org/r/69985/#comment298710>

    Unnecessary constructor



kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
Lines 87 (patched)
<https://reviews.apache.org/r/69985/#comment298709>

    Why don't you simply re-throw the exception(s)?
    Having a non-usable RangerSafenetKeySecure object for the caller doesn't make too much sense.
    So later, you don't need to check that myStore is not null



kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
Lines 115 (patched)
<https://reviews.apache.org/r/69985/#comment298713>

    Why the e.printStackTrace()? Could you just add that 'e' to the logger.error call?



kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
Lines 117 (patched)
<https://reviews.apache.org/r/69985/#comment298714>

    It's not an issue with your code, but I think RangerKMSKI is a bit confusing: what's the reason for having a 'Throwable' in the method declaration, and returning a boolean=false? One of them is unnecessary.



kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
Lines 135 (patched)
<https://reviews.apache.org/r/69985/#comment298715>

    If 'key' is null, then it will throw an NPE from here, get caught in the 'catch (Exception e)' and return null later. Maybe it's simpler to return null in the if:

       if (key == null) {
           logger.warn("getMasterKey(pw) returned null!");
           return null;
       }



kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
Lines 154 (patched)
<https://reviews.apache.org/r/69985/#comment298716>

    I don't get why it throws NoSuchAlgorithmException, CertificateException, and IOException, but catches KeyStoreException?


- Zsombor Gegesy




Re: Review Request 69985: RANGER-2331 : Ranger-KMS - KeySecure HSM Integration

Posted by Mehul Parikh <me...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69985/#review213156
-----------------------------------------------------------


Ship it!




Ship It!

- Mehul Parikh




Re: Review Request 69985: RANGER-2331 : Ranger-KMS - KeySecure HSM Integration

Posted by Zsombor Gegesy <zs...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69985/#review213155
-----------------------------------------------------------


Ship it!




Ship It!

- Zsombor Gegesy




Re: Review Request 69985: RANGER-2331 : Ranger-KMS - KeySecure HSM Integration

Posted by Gautam Borad <gb...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69985/
-----------------------------------------------------------

(Updated Feb. 21, 2019, 6:30 a.m.)


Review request for ranger, Ankita Sinha, Don Bosco Durai, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-2331
    https://issues.apache.org/jira/browse/RANGER-2331


Repository: ranger


Description
-------

User story: As a security admin, I want to manage encryption keys for securing my Hadoop cluster files in Ranger KMS service with Safenet KeySecure crypto platform.


For Safenet KeySecure overview refer to: https://safenet.gemalto.com/data-encryption/enterprise-key-management/key-secure/


Acceptance Criteria:


1) Ranger KMS has ability to configure Safenet KeySecure platform to be used for key offload


2) Ranger KMS provides ability to provide key management functions (create keys, manage keys, retrieve keys, rollover) using Safenet KeySecure platform


3) Ranger KMS UI panel on Ambari can be used to configure Safenet KeySecure platform


Diffs (updated)
-----

  kms/config/kms-webapp/dbks-site.xml 0e0f2ec 
  kms/scripts/DBMKTOKEYSECURE.sh PRE-CREATION 
  kms/scripts/KEYSECUREMKTOKMSDB.sh PRE-CREATION 
  kms/scripts/install.properties ddc779d 
  kms/scripts/setup.sh 2db05b8 
  kms/src/main/java/org/apache/hadoop/crypto/key/DBToKeySecure.java PRE-CREATION 
  kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java 22dce0f 
  kms/src/main/java/org/apache/hadoop/crypto/key/KeySecureToRangerDBMKUtil.java PRE-CREATION 
  kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java 1abbf8e 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java 267fcf0 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java 5614c16 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java PRE-CREATION 
  src/main/assembly/kms.xml fca6a32 


Diff: https://reviews.apache.org/r/69985/diff/3/

Changes: https://reviews.apache.org/r/69985/diff/2-3/


Testing
-------

Verified below scenario:


1) Fresh Installation Of Ranger KMS with Safenet Key Secure (NAE-XML Protocol)
2) DB to Key Secure (NAE-XML) master key Migration utility
3) Key Secure (NAE-XML) to DB master key Migration utility


Thanks,

Gautam Borad


Re: Review Request 69985: RANGER-2331 : Ranger-KMS - KeySecure HSM Integration

Posted by Zsombor Gegesy <zs...@apache.org>.

> On Feb. 20, 2019, 12:08 p.m., Zsombor Gegesy wrote:
> > kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
> > Lines 72 (patched)
> > <https://reviews.apache.org/r/69985/diff/2/?file=2125810#file2125810line72>
> >
> >     myStore is never null here - even if KeyStore.getInstance would return a null (but it won't do), the myStore.load would trigger an NPE before.
> 
> Gautam Borad wrote:
>     Added null before myStore.load
> 
> Zsombor Gegesy wrote:
>     This check needs to happen earlier, otherwise it's dead code, as if 'myStore' is null, then an NPE is raised earlier.

Sorry, my bad, I haven't noticed the new changeset.


- Zsombor


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69985/#review212953
-----------------------------------------------------------




Re: Review Request 69985: RANGER-2331 : Ranger-KMS - KeySecure HSM Integration

Posted by Zsombor Gegesy <zs...@apache.org>.

> On Feb. 20, 2019, 12:08 p.m., Zsombor Gegesy wrote:
> > kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
> > Lines 130 (patched)
> > <https://reviews.apache.org/r/69985/diff/2/?file=2125808#file2125808line130>
> >
> >     masterKey is never null, because if rangerMasterKey.getMasterKey(...) would return null, the toCharArray call would cause an NPE
> 
> Gautam Borad wrote:
>     Surrounded it with Try ... Catch

This check needs to happen earlier, otherwise it's dead code, as if 'masterKey' is null, then an NPE is raised earlier.


> On Feb. 20, 2019, 12:08 p.m., Zsombor Gegesy wrote:
> > kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
> > Lines 140 (patched)
> > <https://reviews.apache.org/r/69985/diff/2/?file=2125808#file2125808line140>
> >
> >     masterKey is never null, because if rangerMasterKey.getMasterKey(...) would return null, the toCharArray call would cause an NPE
> 
> Gautam Borad wrote:
>     Surrounded it with Try ... Catch

It's dead code, no need for this check - or this check needs to happen earlier, so the NPE is not raised.


> On Feb. 20, 2019, 12:08 p.m., Zsombor Gegesy wrote:
> > kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
> > Lines 72 (patched)
> > <https://reviews.apache.org/r/69985/diff/2/?file=2125810#file2125810line72>
> >
> >     myStore is never null here - even if KeyStore.getInstance would return a null (but it won't do), the myStore.load would trigger an NPE before.
> 
> Gautam Borad wrote:
>     Added null before myStore.load

This check needs to happen earlier, otherwise it's dead code, as if 'myStore' is null, then an NPE is raised earlier.


- Zsombor


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69985/#review212953
-----------------------------------------------------------
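
The points raised in this review (a null test placed after the dereference is dead code, a constructor should rethrow rather than leave an unusable object, and a failed import should end with a non-zero exit code) are shown together in the following added example. It is not code from the patch or from Ranger: NullCheckOrdering, MasterKeySource and KeyStoreHolder are hypothetical names, and an empty in-memory PKCS12 store stands in for the HSM-backed key store.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

/** Added illustration; all class and method names here are hypothetical, not Ranger's. */
public class NullCheckOrdering {

    /** Stand-in for a master-key provider whose lookup may return null. */
    interface MasterKeySource {
        String getMasterKey(String password);
    }

    /** Pattern the review flags: the null test sits after the dereference. */
    static char[] loadKeyDeadCheck(MasterKeySource source, String password) {
        char[] masterKey = source.getMasterKey(password).toCharArray(); // NPE here when null
        if (masterKey == null) {                                        // never true: dead code
            throw new IllegalStateException("master key not found");
        }
        return masterKey;
    }

    /** Check the nullable value itself, before anything is called on it. */
    static char[] loadKeyCheckedFirst(MasterKeySource source, String password) {
        String encoded = source.getMasterKey(password);
        if (encoded == null) {
            throw new IllegalStateException("master key not found");
        }
        return encoded.toCharArray();
    }

    /** Wrapper that is either fully initialised or not constructed at all. */
    static final class KeyStoreHolder {
        private final KeyStore store; // final and per-instance, never null after construction

        KeyStoreHolder(String type, char[] storePassword)
                throws GeneralSecurityException, IOException {
            // No catch-and-log here: a failure propagates to the caller, so no
            // later method needs an "if (store != null)" guard.
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(null, storePassword); // null stream = empty in-memory store
            this.store = ks;
        }

        int size() throws GeneralSecurityException {
            return store.size();
        }
    }

    public static void main(String[] args) {
        MasterKeySource empty = password -> null; // constructed input: no key stored
        try {
            loadKeyDeadCheck(empty, "pw");
        } catch (NullPointerException e) {
            System.out.println("dead check: NPE raised before the null test ran");
        }
        try {
            loadKeyCheckedFirst(empty, "pw");
        } catch (IllegalStateException e) {
            System.out.println("checked first: " + e.getMessage());
        }
        try {
            KeyStoreHolder holder = new KeyStoreHolder("PKCS12", "changeit".toCharArray());
            System.out.println("entries in fresh store: " + holder.size());
            new KeyStoreHolder("NO-SUCH-TYPE", new char[0]); // throws KeyStoreException
        } catch (GeneralSecurityException | IOException e) {
            System.err.println("key store setup failed: " + e);
            System.exit(1); // a failed migration or setup must not report success
        }
    }
}
```

The run ends with exit status 1 on purpose: the last constructor call fails, and the failure reaches the shell instead of being logged and ignored.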




Re: Review Request 69985: RANGER-2331 : Ranger-KMS - KeySecure HSM Integration

Posted by Gautam Borad <gb...@gmail.com>.

> On Feb. 20, 2019, 12:08 p.m., Zsombor Gegesy wrote:
> > kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
> > Lines 130 (patched)
> > <https://reviews.apache.org/r/69985/diff/2/?file=2125808#file2125808line130>
> >
> >     masterKey is never null, because if rangerMasterKey.getMasterKey(...) would return null, the toCharArray call would cause an NPE

Surrounded it with Try ... Catch


> On Feb. 20, 2019, 12:08 p.m., Zsombor Gegesy wrote:
> > kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
> > Lines 140 (patched)
> > <https://reviews.apache.org/r/69985/diff/2/?file=2125808#file2125808line140>
> >
> >     masterKey is never null, because if rangerMasterKey.getMasterKey(...) would return null, the toCharArray call would cause an NPE

Surrounded it with Try ... Catch


> On Feb. 20, 2019, 12:08 p.m., Zsombor Gegesy wrote:
> > kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
> > Lines 72 (patched)
> > <https://reviews.apache.org/r/69985/diff/2/?file=2125810#file2125810line72>
> >
> >     myStore is never null here - even if KeyStore.getInstance would return a null (but it won't do), the myStore.load would trigger an NPE before.

Added null before myStore.load


- Gautam


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69985/#review212953
-----------------------------------------------------------




Re: Review Request 69985: RANGER-2331 : Ranger-KMS - KeySecure HSM Integration

Posted by Zsombor Gegesy <zs...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69985/#review212953
-----------------------------------------------------------




kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
Lines 130 (patched)
<https://reviews.apache.org/r/69985/#comment298827>

    masterKey is never null, because if rangerMasterKey.getMasterKey(...) would return null, the toCharArray call would cause an NPE



kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
Lines 140 (patched)
<https://reviews.apache.org/r/69985/#comment298826>

    masterKey is never null, because if rangerMasterKey.getMasterKey(...) would return null, the toCharArray call would cause an NPE



kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
Lines 72 (patched)
<https://reviews.apache.org/r/69985/#comment298828>

    myStore is never null here - even if KeyStore.getInstance would return a null (but it won't do), the myStore.load would trigger an NPE before.


- Zsombor Gegesy




Re: Review Request 69985: RANGER-2331 : Ranger-KMS - KeySecure HSM Integration

Posted by Gautam Borad <gb...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69985/
-----------------------------------------------------------

(Updated Feb. 19, 2019, 1:58 p.m.)


Review request for ranger, Ankita Sinha, Don Bosco Durai, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-2331
    https://issues.apache.org/jira/browse/RANGER-2331


Repository: ranger


Description
-------

User story: As a security admin, I want to manage encryption keys for securing my Hadoop cluster files in Ranger KMS service with Safenet KeySecure crypto platform.


For Safenet KeySecure overview refer to: https://safenet.gemalto.com/data-encryption/enterprise-key-management/key-secure/


Acceptance Criteria:


1) Ranger KMS has ability to configure Safenet KeySecure platform to be used for key offload


2) Ranger KMS provides ability to provide key management functions (create keys, manage keys, retrieve keys, rollover) using Safenet KeySecure platform


3) Ranger KMS UI panel on Ambari can be used to configure Safenet KeySecure platform


Diffs (updated)
-----

  kms/config/kms-webapp/dbks-site.xml 0e0f2ec 
  kms/scripts/DBMKTOKEYSECURE.sh PRE-CREATION 
  kms/scripts/KEYSECUREMKTOKMSDB.sh PRE-CREATION 
  kms/scripts/install.properties ddc779d 
  kms/scripts/setup.sh 2db05b8 
  kms/src/main/java/org/apache/hadoop/crypto/key/DBToKeySecure.java PRE-CREATION 
  kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java 22dce0f 
  kms/src/main/java/org/apache/hadoop/crypto/key/KeySecureToRangerDBMKUtil.java PRE-CREATION 
  kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java 1abbf8e 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java 267fcf0 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java 5614c16 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java PRE-CREATION 
  src/main/assembly/kms.xml fca6a32 


Diff: https://reviews.apache.org/r/69985/diff/2/

Changes: https://reviews.apache.org/r/69985/diff/1-2/


Testing
-------

Verified below scenario:


1) Fresh Installation Of Ranger KMS with Safenet Key Secure (NAE-XML Protocol)
2) DB to Key Secure (NAE-XML) master key Migration utility
3) Key Secure (NAE-XML) to DB master key Migration utility


Thanks,

Gautam Borad