Repository: ranger Updated Branches: refs/heads/ranger-0.7 a6ea029b9 -> 10d3513f3
RANGER-1988: Fix insecure randomness Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/10d3513f Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/10d3513f Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/10d3513f Branch: refs/heads/ranger-0.7 Commit: 10d3513f37426a24e9084bd41fa6334849461d05 Parents: a6ea029 Author: Abhay Kulkarni <[email protected]> Authored: Tue Feb 20 16:32:19 2018 -0800 Committer: Abhay Kulkarni <[email protected]> Committed: Wed Sep 26 15:43:32 2018 -0700 ---------------------------------------------------------------------- .../hadoop/RangerHdfsAuthorizer.java | 30 ++++++++++++++------ 1 file changed, 21 insertions(+), 9 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/10d3513f/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java ----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index 97fd5cd..b37d0ff 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -24,16 +24,15 @@ import static org.apache.ranger.authorization.hadoop.constants.RangerHadoopConst
 import static org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants.WRITE_ACCCESS_TYPE;
 import java.net.InetAddress;
+import java.security.SecureRandom;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
-import java.util.Random;
 import java.util.Set;
 import java.util.Stack;
 import org.apache.commons.lang.ArrayUtils;
-import org.apache.commons.lang.RandomStringUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -616,15 +615,28 @@ class RangerHdfsPlugin extends RangerBasePlugin {
 RangerHdfsPlugin.fileNameExtensionSeparator = RangerConfiguration.getInstance().get(RangerHdfsAuthorizer.RANGER_FILENAME_EXTENSION_SEPARATOR_PROP, RangerHdfsAuthorizer.DEFAULT_FILENAME_EXTENSION_SEPARATOR);
 RangerHdfsPlugin.optimizeSubAccessAuthEnabled = RangerConfiguration.getInstance().getBoolean(RangerHadoopConstants.RANGER_OPTIMIZE_SUBACCESS_AUTHORIZATION_PROP, RangerHadoopConstants.RANGER_OPTIMIZE_SUBACCESS_AUTHORIZATION_DEFAULT);
- // Build random string of random length
+ String random = generateString("^&#@!%()-_+=@:;'<>`~abcdefghijklmnopqrstuvwxyz01234567890");
+ randomizedWildcardPathName = RangerPathResourceMatcher.WILDCARD_ASTERISK + random + RangerPathResourceMatcher.WILDCARD_ASTERISK;
+ }
+
+ // Build random string of length between 56 and 112 characters
+ private static String generateString(String source)
+ {
+ SecureRandom rng = new SecureRandom();
+ byte[] bytes = new byte[1];
- new Random().nextBytes(bytes);
- int count = bytes[0];
- count = count < 56 ? 56 : count;
- count = count > 112 ? 112 : count;
+ rng.nextBytes(bytes);
+ int length = bytes[0];
+ length = length < 56 ? 56 : length;
+ length = length > 112 ? 112 : length;
- String random = RandomStringUtils.random(count, "^&#@!%()-_+=@:;'<>`~abcdefghijklmnopqrstuvwxyz01234567890");
- randomizedWildcardPathName = RangerPathResourceMatcher.WILDCARD_ASTERISK + random + RangerPathResourceMatcher.WILDCARD_ASTERISK;
+ char[] text = new char[length];
+
+ for (int i = 0; i < length; i++)
+ {
+ text[i] = source.charAt(rng.nextInt(source.length()));
+ }
+ return new String(text);
 }
 
 public static boolean isHadoopAuthEnabled() {
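Review bot: The length selection in generateString is heavily biased toward the minimum: `int length = bytes[0];` reads a signed byte in [-128, 127], and the two clamps that follow map every value at or below 56 (185 of 256 draws, about 72%) to 56 and every value above 112 to 112, so the "length between 56 and 112 characters" comment describes a spread the code rarely produces and the sentinel is less random than the commit intends. Drawing the length uniformly with `int length = 56 + rng.nextInt(57);` replaces the `byte[] bytes`, `rng.nextBytes(bytes)` and both clamp lines, makes the comment accurate, and leaves the per-character `rng.nextInt(source.length())` selection unchanged. The method would also benefit from a Javadoc stating that the result is the random infix placed between the two WILDCARD_ASTERISK markers of randomizedWildcardPathName and that `source` is the alphabet drawn from; what that field is later compared against is outside this hunk, so the purpose should be worded as the caller's intent rather than asserted. As a point of style, the new method puts its opening braces on their own lines while the neighbouring `public static boolean isHadoopAuthEnabled() {` keeps them on the signature line. The method that assigns randomizedWildcardPathName begins before this hunk, so its signature is not visible here.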
