This is an automated email from the ASF dual-hosted git repository.
mehul pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new eb7aacf RANGER-3055 : Make Ranger source code FIPS complaint
eb7aacf is described below
commit eb7aacfb1922c2d2c02a169f10da8a85b9a00240
Author: Dhaval Shah <[email protected]>
AuthorDate: Tue Dec 8 09:50:27 2020 +0530
RANGER-3055 : Make Ranger source code FIPS complaint
Signed-off-by: Mehul Parikh <[email protected]>
---
.../hadoop/config/RangerAdminConfig.java | 13 +-
.../hadoop/config/RangerConfigConstants.java | 1 +
.../model/RangerPolicyResourceSignature.java | 13 +-
.../store/RangerServiceResourceSignature.java | 7 +-
.../ranger/credentialapi/CredentialReader.java | 31 +++-
.../org/apache/ranger/credentialapi/buildks.java | 156 ++++++++++++-------
.../ranger/credentialapi/TestCredentialReader.java | 2 +-
.../apache/ranger/credentialapi/Testbuildks.java | 4 +-
.../tomcat/ElasticSearchIndexBootStrapper.java | 4 +-
.../ranger/server/tomcat/EmbeddedServer.java | 20 ++-
.../apache/hadoop/crypto/key/JKS2RangerUtil.java | 6 +-
.../crypto/key/KeySecureToRangerDBMKUtil.java | 4 +-
.../apache/hadoop/crypto/key/Ranger2JKSUtil.java | 4 +-
.../hadoop/crypto/key/RangerKeyStoreProvider.java | 4 +-
.../apache/hadoop/crypto/key/RangerMasterKey.java | 4 +-
ranger-util/src/scripts/saveVersion.py | 4 +-
.../main/java/org/apache/ranger/biz/UserMgr.java | 171 +++++++++++++++------
.../org/apache/ranger/common/PropertiesUtil.java | 21 +--
.../ranger/credentialapi/CredentialReader.java | 45 ++++--
.../ranger/patch/cliutil/ChangePasswordUtil.java | 58 ++++---
.../main/java/org/apache/ranger/rest/UserREST.java | 1 -
.../handler/RangerAuthenticationProvider.java | 40 +++--
.../ranger/util/Pbkdf2PasswordEncoderCust.java | 115 ++++++++++++++
.../ranger/tagsync/process/TagSyncConfig.java | 15 +-
.../unixusersync/config/UserGroupSyncConfig.java | 37 ++++-
.../process/PolicyMgrUserGroupBuilder.java | 5 +-
.../authentication/UnixAuthenticationService.java | 22 ++-
27 files changed, 601 insertions(+), 206 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerAdminConfig.java
b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerAdminConfig.java
index 5cd539a..af47a20 100644
---
a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerAdminConfig.java
+++
b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerAdminConfig.java
@@ -19,12 +19,16 @@
package org.apache.ranger.authorization.hadoop.config;
+import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
+import java.security.KeyStore;
+
public class RangerAdminConfig extends RangerConfiguration {
private static final Logger LOG =
Logger.getLogger(RangerAdminConfig.class);
private static volatile RangerAdminConfig sInstance = null;
+ private final boolean isFipsEnabled;
public static RangerAdminConfig getInstance() {
RangerAdminConfig ret = RangerAdminConfig.sInstance;
@@ -44,11 +48,12 @@ public class RangerAdminConfig extends RangerConfiguration {
private RangerAdminConfig() {
super();
-
addAdminResources();
+ String storeType = get(RangerConfigConstants.RANGER_KEYSTORE_TYPE,
KeyStore.getDefaultType());
+ isFipsEnabled = StringUtils.equalsIgnoreCase("bcfks", storeType) ?
true : false;
+
}
-
private boolean addAdminResources() {
if (LOG.isDebugEnabled()) {
LOG.debug("==> addAdminResources()");
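Review bot: The `? true : false` on the new `isFipsEnabled` assignment is redundant, since `StringUtils.equalsIgnoreCase` already returns a boolean; `isFipsEnabled = StringUtils.equalsIgnoreCase("bcfks", storeType);` is the whole expression. Inferring FIPS mode from the configured keystore type rather than an explicit flag is a design decision worth recording on the field, e.g. `// FIPS mode is inferred from ranger.keystore.file.type being the BC-FIPS "bcfks" store; there is no separate switch`, so later readers do not look for one. The class continues outside the hunk.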
@@ -82,4 +87,8 @@ public class RangerAdminConfig extends RangerConfiguration {
return ret;
}
+
+ public boolean isFipsEnabled() {
+ return isFipsEnabled;
+ }
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfigConstants.java
b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfigConstants.java
index 1ad34ef..374c78c 100644
---
a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfigConstants.java
+++
b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfigConstants.java
@@ -29,6 +29,7 @@ public class RangerConfigConstants {
public static final String RANGER_PLUGIN_POLICY_POLLINVETERVALMS
= "ranger.plugin.<ServiceType>.policy.pollIntervalMs";
public static final String RANGER_PLUGIN_POLICY_CACHE_DIR
= "ranger.plugin.<ServiceType>.policy.cache.dir";
public static final String RANGER_PLUGIN_ADD_HADDOOP_AUTHORIZATION
= "xasecure.add-hadoop-authorization";
+ public static final String RANGER_KEYSTORE_TYPE
= "ranger.keystore.file.type";
//CHANGE MAP CONSTANTS
public static final String XASECURE_POLICYMGR_URL
= "xasecure.<ServiceType>.policymgr.url";
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java
index 2bb6589..312005e 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java
@@ -31,6 +31,7 @@ import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.authorization.hadoop.config.RangerAdminConfig;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
import org.apache.solr.common.StringUtils;
@@ -49,7 +50,11 @@ public class RangerPolicyResourceSignature {
_policy = policy;
PolicySerializer serializer = new PolicySerializer(_policy);
_string = serializer.toString();
- _hash = DigestUtils.sha256Hex(_string);
+ if (RangerAdminConfig.getInstance().isFipsEnabled()) {
+ _hash = DigestUtils.sha512Hex(_string);
+ } else {
+ _hash = DigestUtils.sha256Hex(_string);
+ }
}
/**
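Review bot: In FIPS mode this constructor hashes with `DigestUtils.sha512Hex`, but the `String` constructor in the next hunk (L133–L143) uses `DigestUtils.sha384Hex`, so the same serialized policy gets two different signatures depending on which constructor built it; both should use one digest, and since `RangerServiceResourceSignature` (L164–L165) also picked sha512 the second constructor should read `_hash = DigestUtils.sha512Hex(_string);`. Separately, SHA-256 is itself a FIPS 180-4 approved algorithm, so the longer digest is not needed for compliance, and switching it changes the length of any signatures already persisted for existing policies — whether stored 64-character values and their storage width tolerate 128-character ones should be confirmed before this ships. This class lives in agents-common, so any component outside the admin JVM that computes signatures would need to observe the same `RangerAdminConfig` setting to produce matching values; worth verifying.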
@@ -63,7 +68,11 @@ public class RangerPolicyResourceSignature {
} else {
_string = string;
}
- _hash = DigestUtils.sha256Hex(_string);
+ if (RangerAdminConfig.getInstance().isFipsEnabled()) {
+ _hash = DigestUtils.sha384Hex(_string);
+ } else {
+ _hash = DigestUtils.sha256Hex(_string);
+ }
}
String asString() {
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerServiceResourceSignature.java
b/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerServiceResourceSignature.java
index d7fedf0..63546f8 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerServiceResourceSignature.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/store/RangerServiceResourceSignature.java
@@ -20,6 +20,7 @@
package org.apache.ranger.plugin.store;
import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.ranger.authorization.hadoop.config.RangerAdminConfig;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceResource;
@@ -31,7 +32,11 @@ public class RangerServiceResourceSignature {
public RangerServiceResourceSignature(RangerServiceResource
serviceResource) {
_string = ServiceResourceSerializer.toString(serviceResource);
- _hash = DigestUtils.sha256Hex(_string);
+ if (RangerAdminConfig.getInstance().isFipsEnabled()) {
+ _hash = DigestUtils.sha512Hex(_string);
+ } else {
+ _hash = DigestUtils.sha256Hex(_string);
+ }
}
String asString() {
diff --git
a/credentialbuilder/src/main/java/org/apache/ranger/credentialapi/CredentialReader.java
b/credentialbuilder/src/main/java/org/apache/ranger/credentialapi/CredentialReader.java
index 42497e3..5b72c9d 100644
---
a/credentialbuilder/src/main/java/org/apache/ranger/credentialapi/CredentialReader.java
+++
b/credentialbuilder/src/main/java/org/apache/ranger/credentialapi/CredentialReader.java
@@ -21,14 +21,15 @@
import java.util.ArrayList;
import java.util.List;
+import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;
import org.apache.hadoop.security.alias.JavaKeyStoreProvider;
public class CredentialReader {
-
- public static String getDecryptedString(String
CrendentialProviderPath,String alias) {
+
+ public static String getDecryptedString(String
CrendentialProviderPath,String alias, String storeType) {
String credential=null;
try{
if(CrendentialProviderPath==null || alias==null){
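Review bot: Replacing the public static `getDecryptedString(String, String)` with a three-argument form removes the old signature, so any caller outside this repository, or one missed by this commit, fails to compile; a delegating overload keeps it source-compatible: `public static String getDecryptedString(String CrendentialProviderPath, String alias) { return getDecryptedString(CrendentialProviderPath, alias, KeyStore.getDefaultType()); }` with `java.security.KeyStore` imported. The diffstat shows a second `CredentialReader` under security-admin receiving a similar change, which presumably needs the same treatment. The method body continues past the hunk.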
@@ -39,17 +40,31 @@ public class CredentialReader {
String
crendentialProviderPrefixJceks=JavaKeyStoreProvider.SCHEME_NAME + "://file";
String
crendentialProviderPrefixLocalJceks="localjceks://file";
crendentialProviderPrefixJceks=crendentialProviderPrefixJceks.toLowerCase();
+
+ String crendentialProviderPrefixBcfks = "bcfks" + "://file";
+ String crendentialProviderPrefixLocalBcfks= "localbcfks" +
"://file";
+
crendentialProviderPrefixBcfks=crendentialProviderPrefixBcfks.toLowerCase();
+
crendentialProviderPrefixLocalBcfks=crendentialProviderPrefixLocalBcfks.toLowerCase();
+
CrendentialProviderPath=CrendentialProviderPath.trim();
alias=alias.trim();
-
if(CrendentialProviderPath.toLowerCase().startsWith(crendentialProviderPrefixJceks)
||
CrendentialProviderPath.toLowerCase().startsWith(crendentialProviderPrefixLocalJceks)){
+
if(CrendentialProviderPath.toLowerCase().startsWith(crendentialProviderPrefixJceks)
||
+
CrendentialProviderPath.toLowerCase().startsWith(crendentialProviderPrefixLocalJceks)
||
+
CrendentialProviderPath.toLowerCase().startsWith(crendentialProviderPrefixBcfks)
||
+
CrendentialProviderPath.toLowerCase().startsWith(crendentialProviderPrefixLocalBcfks)){
conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH,
//UserProvider.SCHEME_NAME + ":///,"
+
CrendentialProviderPath);
}else{
if(CrendentialProviderPath.startsWith("/")){
-
conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH,
- //UserProvider.SCHEME_NAME +
":///," +
- JavaKeyStoreProvider.SCHEME_NAME + "://file"
+ CrendentialProviderPath);
+ if(StringUtils.equalsIgnoreCase(storeType,
"bcfks")) {
+
conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH,
CrendentialProviderPath);
+ } else {
+
conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH,
+
//UserProvider.SCHEME_NAME + ":///," +
+
JavaKeyStoreProvider.SCHEME_NAME + "://file" + CrendentialProviderPath);
+ }
+
}else{
conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH,
//UserProvider.SCHEME_NAME +
":///," +
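Review bot: In the new `startsWith("/")` branch, the `bcfks` case writes the bare filesystem path to `CREDENTIAL_PROVIDER_PATH` with no URI scheme, while the `jceks` case prefixes `JavaKeyStoreProvider.SCHEME_NAME + "://file"`; unless the bcfks provider factory accepts scheme-less paths, this should presumably be `conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, "bcfks://file" + CrendentialProviderPath);`. The two new prefix variables are built from lowercase literals, so the `toLowerCase()` reassignments on `crendentialProviderPrefixBcfks` and `crendentialProviderPrefixLocalBcfks` are no-ops, and `"bcfks" + "://file"` would be clearer as a single literal or a named constant shared with `buildks`. The enclosing method starts and ends outside the hunk.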
@@ -64,7 +79,7 @@ public class CredentialReader {
aliasesList=provider.getAliases();
if(aliasesList!=null &&
aliasesList.contains(alias.toLowerCase())){
credEntry=null;
- credEntry= provider.getCredentialEntry(alias);
+ credEntry=
provider.getCredentialEntry(alias.toLowerCase());
pass = credEntry.getCredential();
if(pass!=null && pass.length>0){
credential=String.valueOf(pass);
@@ -78,4 +93,4 @@ public class CredentialReader {
}
return credential;
}
-}
\ No newline at end of file
+}
diff --git
a/credentialbuilder/src/main/java/org/apache/ranger/credentialapi/buildks.java
b/credentialbuilder/src/main/java/org/apache/ranger/credentialapi/buildks.java
index cb391cc..5d196d9 100644
---
a/credentialbuilder/src/main/java/org/apache/ranger/credentialapi/buildks.java
+++
b/credentialbuilder/src/main/java/org/apache/ranger/credentialapi/buildks.java
@@ -23,7 +23,8 @@ import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.lang.reflect.Field;
-
+import java.security.KeyStore;
+import java.util.Arrays;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialShell;
import org.apache.hadoop.util.GenericOptionsParser;
@@ -64,8 +65,10 @@ public class buildks {
String providerOption=null;
String providerPath=null;
String tempCredential=null;
+ String storeTypeOption="storeType";
+ String storeType= KeyStore.getDefaultType();
try{
- if(args!=null && args.length==6)
+ if(args!=null && (args.length == 6 || args.length==8))
{
command=args[0];
alias=args[1];
@@ -73,11 +76,15 @@ public class buildks {
credential=args[3];
providerOption=args[4];
providerPath=args[5];
-
if(!isValidCreateCommand(command,alias,valueOption,credential,providerOption,providerPath)){
+ if (args.length == 8) {
+ storeTypeOption = args[6];
+ storeType = args[7];
+ }
+
if(!isValidCreateCommand(command,alias,valueOption,credential,providerOption,providerPath,storeTypeOption,storeType)){
return returnCode;
}
deleteInvalidKeystore(providerPath);
-
tempCredential=CredentialReader.getDecryptedString(providerPath, alias);
+
tempCredential=CredentialReader.getDecryptedString(providerPath, alias,
storeType);
}else{
return returnCode;
}
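Review bot: When `args.length == 8`, `args[6]` is stored in `storeTypeOption` and `args[7]` in `storeType` without checking either: the option token is never compared against the expected switch (the default initialiser uses the literal `"storeType"`), `isValidCreateCommand` receives `storeTypeOption` but, in its hunk later in this diff, never reads it, and `Testbuildks` passes `""` in that position and still succeeds. Either validate both values here — e.g. `if (args.length == 8 && !storeTypeOption.equalsIgnoreCase(args[6])) { return returnCode; }` plus a check that `storeType` is `jceks` or `bcfks` — or drop the unused parameter. `createKeyStore` (L330–L357) duplicates the same unchecked parsing. The enclosing method continues outside the hunk.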
@@ -115,8 +122,10 @@ public class buildks {
String valueOption=null;
String credential=null;
String providerOption=null;
- String providerPath=null;
- if(args!=null && args.length==6)
+ String providerPath=null;
+ String storeTypeOption="storeType";
+ String storeType=KeyStore.getDefaultType();
+ if(args!=null && (args.length == 6 || args.length==8))
{
command=args[0];
alias=args[1];
@@ -124,7 +133,11 @@ public class buildks {
credential=args[3];
providerOption=args[4];
providerPath=args[5];
-
if(!isValidCreateCommand(command,alias,valueOption,credential,providerOption,providerPath)){
+ if (args.length == 8) {
+ storeTypeOption = args[6];
+ storeType = args[7];
+ }
+
if(!isValidCreateCommand(command,alias,valueOption,credential,providerOption,providerPath,storeTypeOption,storeType)){
return returnCode;
}
displayCommand(args);
@@ -139,16 +152,16 @@ public class buildks {
//set the configuration back, so that Tool can configure itself
cs.setConf(conf);
//get valid and remaining argument
- String[] toolArgs = parser.getRemainingArgs();
+ String[] toolArgs = parser.getRemainingArgs();
//execute command in CredentialShell
// int i = 0;
// for(String s : toolArgs) {
// System.out.println("TooArgs [" + i + "]
= [" + s + "]");
// i++;
// }
- returnCode= cs.run(toolArgs);
+ String[] finalArgs = Arrays.copyOfRange(toolArgs, 0, 6);
+ returnCode= cs.run(finalArgs);
//if response code is zero then success else failure
- //System.out.println("Response Code:"+returnCode);
}catch(IOException ex){
ex.printStackTrace();
} catch(Exception ex){
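Review bot: `Arrays.copyOfRange(toolArgs, 0, 6)` hard-codes the argument count; if `GenericOptionsParser` returned fewer than six remaining args the copy is silently padded with `null` entries that `CredentialShell.run` will then dereference, and if it returned exactly six the copy is a no-op. A length guard makes the intent explicit: `String[] finalArgs = toolArgs.length > 6 ? Arrays.copyOf(toolArgs, 6) : toolArgs;`. A short comment such as `// strip the trailing storeType option pair, which CredentialShell does not understand` would also explain why truncation is needed at all. The enclosing method continues outside the hunk.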
@@ -165,7 +178,9 @@ public class buildks {
String valueOption=null;
String credential=null;
String providerOption=null;
- String providerPath=null;
+ String providerPath=null;
+ String storeTypeOption=null;
+ String storeType=null;
//below code can ask user to input if command line input fails
System.out.println("Enter Alias Name:");
BufferedReader bufferRead = new BufferedReader(new
InputStreamReader(System.in));
@@ -174,7 +189,9 @@ public class buildks {
credential = bufferRead.readLine();
System.out.println("Enter .jceks output file name with path:");
providerPath = bufferRead.readLine();
- if(providerPath!=null && !providerPath.trim().isEmpty()
&&
!providerPath.startsWith("localjceks://file")&&!providerPath.startsWith("jceks://file"))
+ if(providerPath!=null && !providerPath.trim().isEmpty()
&&
+
(!providerPath.startsWith("localjceks://file")&&!providerPath.startsWith("jceks://file")
&&
+
!providerPath.startsWith("localbcfks://file")&&!providerPath.startsWith("bcfks://file")))
{
if(providerPath.startsWith("/")){
providerPath="jceks://file"+providerPath;
@@ -185,7 +202,7 @@ public class buildks {
command="create";
valueOption="-value";
providerOption="-provider";
-
if(!isValidCreateCommand(command,alias,valueOption,credential,providerOption,providerPath)){
+
if(!isValidCreateCommand(command,alias,valueOption,credential,providerOption,providerPath,storeTypeOption,storeType)){
return returnCode;
}
args=new String[6];
@@ -220,13 +237,14 @@ public class buildks {
String command=null;
String providerOption=null;
String providerPath=null;
+ String storeType = KeyStore.getDefaultType();
try{
if(args!=null && args.length==3)
{
command=args[0];
providerOption=args[1];
providerPath=args[2];
-
if(!isValidListCommand(command,providerOption,providerPath)){
+
if(!isValidListCommand(command,providerOption,providerPath, storeType)){
return returnCode;
}
//display command which need to be executed or entered
@@ -285,7 +303,8 @@ public class buildks {
//get valid and remaining argument
String[] toolArgs = parser.getRemainingArgs();
//execute command in CredentialShell
- returnCode= cs.run(toolArgs);
+// String[] finalArgs = Arrays.copyOfRange(toolArgs, 0, 6);
+ returnCode= cs.run(toolArgs);
//if response code is zero then success else failure
//System.out.println("Response Code:"+returnCode);
}catch(IOException ex){
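Review bot: The added `// String[] finalArgs = Arrays.copyOfRange(toolArgs, 0, 6);` is commented-out code and should be removed rather than committed; `listCredential` only accepts three arguments, so there is nothing to truncate. If the point is to document the asymmetry with `createKeyStore`, a comment such as `// list takes no store-type option pair, so toolArgs is passed through unchanged` says it directly. The enclosing method starts and ends outside the hunk.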
@@ -296,7 +315,9 @@ public class buildks {
return returnCode;
}
- public static boolean isValidCreateCommand(String command,String
alias,String valueOption,String credential,String providerOption,String
providerPath)
+ public static boolean isValidCreateCommand(String command,String
alias,String valueOption,String credential,
+
String providerOption,String providerPath, String storeTypeOption,
+
String storeType)
{
boolean isValid=true;
try{
@@ -304,68 +325,70 @@ public class buildks {
{
System.out.println("Invalid create phrase in credential
creation command!!");
System.out.println("Expected:'create'
Found:'"+command+"'");
- displaySyntax("create");
+ displaySyntax("create", storeType);
return false;
}
if(alias==null || "".equalsIgnoreCase(alias.trim()))
{
System.out.println("Invalid alias name phrase in
credential creation command!!");
System.out.println("Found:'"+alias+"'");
- displaySyntax("create");
+ displaySyntax("create", storeType);
return false;
}
if(valueOption==null ||
!"-value".equalsIgnoreCase(valueOption.trim()))
{
System.out.println("Invalid value option switch in
credential creation command!!");
System.out.println("Expected:'-value'
Found:'"+valueOption+"'");
- displaySyntax("create");
+ displaySyntax("create", storeType);
return false;
}
if(valueOption==null ||
!"-value".equalsIgnoreCase(valueOption.trim()))
{
System.out.println("Invalid value option in credential
creation command!!");
System.out.println("Expected:'-value'
Found:'"+valueOption+"'");
- displaySyntax("create");
+ displaySyntax("create", storeType);
return false;
}
if(credential==null)
{
System.out.println("Invalid credential value in
credential creation command!!");
System.out.println("Found:"+credential);
- displaySyntax("create");
+ displaySyntax("create", storeType);
return false;
}
if(providerOption==null ||
!"-provider".equalsIgnoreCase(providerOption.trim()))
{
System.out.println("Invalid provider option in
credential creation command!!");
System.out.println("Expected:'-provider'
Found:'"+providerOption+"'");
- displaySyntax("create");
+ displaySyntax("create", storeType);
return false;
}
- if(providerPath==null ||
"".equalsIgnoreCase(providerPath.trim()) ||
(!providerPath.startsWith("localjceks://") &&
!providerPath.startsWith("jceks://")))
+ if(providerPath==null ||
"".equalsIgnoreCase(providerPath.trim()) ||
+
((!providerPath.startsWith("localjceks://") &&
!providerPath.startsWith("jceks://")) &&
+
(!providerPath.startsWith("localbcfks://") &&
!providerPath.startsWith("bcfks://"))))
{
System.out.println("Invalid provider option in
credential creation command!!");
System.out.println("Found:'"+providerPath+"'");
- displaySyntax("create");
+ displaySyntax("create", storeType);
return false;
}
}catch(Exception ex){
System.out.println("Invalid input or runtime error! Please try
again.");
System.out.println("Input:"+command+" "+alias+" "+valueOption+"
"+credential+" "+providerOption+" "+providerPath);
- displaySyntax("create");
+ displaySyntax("create", storeType);
ex.printStackTrace();
return false;
}
return isValid;
}
- public static boolean isValidListCommand(String command,String
providerOption,String providerPath){
+ public static boolean isValidListCommand(String command,String
providerOption,String providerPath, String storeTpe){
boolean isValid=true;
try{
if(command==null ||
!"list".equalsIgnoreCase(command.trim())){
System.out.println("Invalid list phrase in
credential get command!!");
System.out.println("Expected:'list'
Found:'"+command+"'");
- displaySyntax("list");
+ displaySyntax("list", storeTpe);
return false;
}
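Review bot: The new `storeTypeOption` parameter of `isValidCreateCommand` is never read in the body, so an unexpected option token is silently accepted; validate it alongside the other switches or remove it from the signature. The new `isValidListCommand` parameter is misspelled `storeTpe` in the signature and all five `displaySyntax` calls, and the `providerPath` scheme check is now copy-pasted into `isValidCreateCommand`, `isValidListCommand` and `isValidGetCommand` (L713–L781) with differing parenthesisation; a single helper keeps the supported-scheme list in one place, as below. `isValidListCommand` continues past the last line of the hunk.
```java
// Supported credential-provider URI schemes; keep in sync with CredentialReader and deleteInvalidKeystore.
private static boolean hasSupportedProviderScheme(String providerPath) {
    return providerPath.startsWith("localjceks://") || providerPath.startsWith("jceks://")
        || providerPath.startsWith("localbcfks://") || providerPath.startsWith("bcfks://");
}

// … in isValidCreateCommand, isValidListCommand and isValidGetCommand, replacing the inline startsWith chain:
if (providerPath == null || "".equalsIgnoreCase(providerPath.trim()) || !hasSupportedProviderScheme(providerPath))
```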
@@ -373,20 +396,22 @@ public class buildks {
{
System.out.println("Invalid provider option in
credential get command!!");
System.out.println("Expected:'-provider'
Found:'"+providerOption+"'");
- displaySyntax("list");
+ displaySyntax("list", storeTpe);
return false;
}
- if(providerPath==null ||
"".equalsIgnoreCase(providerPath.trim()) ||
(!providerPath.startsWith("localjceks://") &&
!providerPath.startsWith("jceks://")))
+ if(providerPath==null ||
"".equalsIgnoreCase(providerPath.trim()) ||
+
((!providerPath.startsWith("localjceks://") &&
!providerPath.startsWith("jceks://")) &&
+
(!providerPath.startsWith("localbcfks://") &&
!providerPath.startsWith("bcfks://"))))
{
System.out.println("Invalid provider option in
credential get command!!");
System.out.println("Found:'"+providerPath+"'");
- displaySyntax("list");
+ displaySyntax("list", storeTpe);
return false;
}
}catch(Exception ex){
System.out.println("Invalid input or runtime error!
Please try again.");
System.out.println("Input:"+command+"
"+providerOption+" "+providerPath);
- displaySyntax("list");
+ displaySyntax("list", storeTpe);
ex.printStackTrace();
return false;
}
@@ -407,19 +432,35 @@ public class buildks {
}
}
- public static void displaySyntax(String command){
- if(command!=null && command.trim().equalsIgnoreCase("create")){
- System.out.println("Correct syntax is:create
<aliasname> -value <password> -provider <jceks://file/filepath>");
- System.out.println("sample command is:create myalias
-value password123 -provider jceks://file/tmp/ks/myks.jceks");
- }
- if(command!=null && command.trim().equalsIgnoreCase("list")){
- System.out.println("Correct syntax is:list -provider
<jceks://file/filepath>");
- System.out.println("sample command is:list -provider
jceks://file/tmp/ks/myks.jceks");
- }
- if(command!=null && command.trim().equalsIgnoreCase("get")){
- System.out.println("Correct syntax is:get <aliasname>
-provider <jceks://file/filepath>");
- System.out.println("sample command is:get myalias
-provider jceks://file/tmp/ks/myks.jceks");
+ public static void displaySyntax(String command, String storeType){
+ if ("bcfks".equalsIgnoreCase(storeType)) {
+ if (command != null &&
command.trim().equalsIgnoreCase("create")) {
+ System.out.println("Correct syntax is:create
<aliasname> -value <password> -provider <bcfks://file/filepath>");
+ System.out.println("sample command is:create
myalias -value password123 -provider bcfks://file/tmp/ks/myks.bcfks");
+ }
+ if (command != null &&
command.trim().equalsIgnoreCase("list")) {
+ System.out.println("Correct syntax is:list
-provider <bcfks://file/filepath>");
+ System.out.println("sample command is:list
-provider bcfks://file/tmp/ks/myks.bcfks");
+ }
+ if (command != null &&
command.trim().equalsIgnoreCase("get")) {
+ System.out.println("Correct syntax is:get
<aliasname> -provider <bcfks://file/filepath>");
+ System.out.println("sample command is:get
myalias -provider bcfks://file/tmp/ks/myks.bcfks");
+ }
+ } else {
+ if (command != null &&
command.trim().equalsIgnoreCase("create")) {
+ System.out.println("Correct syntax is:create
<aliasname> -value <password> -provider <jceks://file/filepath>");
+ System.out.println("sample command is:create
myalias -value password123 -provider jceks://file/tmp/ks/myks.jceks");
+ }
+ if (command != null &&
command.trim().equalsIgnoreCase("list")) {
+ System.out.println("Correct syntax is:list
-provider <jceks://file/filepath>");
+ System.out.println("sample command is:list
-provider jceks://file/tmp/ks/myks.jceks");
+ }
+ if (command != null &&
command.trim().equalsIgnoreCase("get")) {
+ System.out.println("Correct syntax is:get
<aliasname> -provider <jceks://file/filepath>");
+ System.out.println("sample command is:get
myalias -provider jceks://file/tmp/ks/myks.jceks");
+ }
}
+
}
public String getCredential(String args[]){
String command=null;
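Review bot: The `bcfks` and `jceks` branches of the new `displaySyntax` are identical except for the URI scheme and the sample file extension, so the six println pairs can collapse to three by choosing the scheme once; this also stops the two message sets drifting apart when a command is added. The rewrite below produces byte-for-byte the same output for both store types. `getCredential` begins in the last lines of the hunk and continues outside it.
```java
public static void displaySyntax(String command, String storeType){
    // Only the URI scheme and the sample file extension differ between the two store types.
    String scheme = "bcfks".equalsIgnoreCase(storeType) ? "bcfks" : "jceks";
    if (command != null && command.trim().equalsIgnoreCase("create")) {
        System.out.println("Correct syntax is:create <aliasname> -value <password> -provider <" + scheme + "://file/filepath>");
        System.out.println("sample command is:create myalias -value password123 -provider " + scheme + "://file/tmp/ks/myks." + scheme);
    }
    if (command != null && command.trim().equalsIgnoreCase("list")) {
        System.out.println("Correct syntax is:list -provider <" + scheme + "://file/filepath>");
        System.out.println("sample command is:list -provider " + scheme + "://file/tmp/ks/myks." + scheme);
    }
    if (command != null && command.trim().equalsIgnoreCase("get")) {
        System.out.println("Correct syntax is:get <aliasname> -provider <" + scheme + "://file/filepath>");
        System.out.println("sample command is:get myalias -provider " + scheme + "://file/tmp/ks/myks." + scheme);
    }
}
```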
@@ -427,19 +468,20 @@ public class buildks {
String providerOption=null;
String providerPath=null;
String tempCredential=null;
+ String storeType=KeyStore.getDefaultType();
try{
if(args!=null && args.length==4){
command=args[0];
alias=args[1];
providerOption=args[2];
providerPath=args[3];
-
if(!isValidGetCommand(command,alias,providerOption,providerPath)){
- displaySyntax("get");
+
if(!isValidGetCommand(command,alias,providerOption,providerPath,storeType)){
+ displaySyntax("get", storeType);
}else{
-
tempCredential=CredentialReader.getDecryptedString(providerPath, alias);
+
tempCredential=CredentialReader.getDecryptedString(providerPath, alias,
storeType);
}
}else{
- displaySyntax("get");
+ displaySyntax("get", storeType);
}
if(tempCredential==null){
System.out.println("Alias "+ alias +" does not
exist!!");
@@ -450,40 +492,42 @@ public class buildks {
return tempCredential;
}
- public static boolean isValidGetCommand(String command,String
alias,String providerOption,String providerPath){
+ public static boolean isValidGetCommand(String command,String
alias,String providerOption,String providerPath,String storeType){
boolean isValid=true;
try{
if(command==null ||
!"get".equalsIgnoreCase(command.trim())){
System.out.println("Invalid get phrase in
credential get command!!");
System.out.println("Expected:'get'
Found:'"+command+"'");
- displaySyntax("get");
+ displaySyntax("get", storeType);
return false;
}
if(alias==null || "".equalsIgnoreCase(alias.trim()))
{
System.out.println("Invalid alias name phrase
in credential get command!!");
System.out.println("Found:'"+alias+"'");
- displaySyntax("get");
+ displaySyntax("get", storeType);
return false;
}
if(providerOption==null ||
!"-provider".equalsIgnoreCase(providerOption.trim()))
{
System.out.println("Invalid provider option in
credential get command!!");
System.out.println("Expected:'-provider'
Found:'"+providerOption+"'");
- displaySyntax("get");
+ displaySyntax("get", storeType);
return false;
}
- if(providerPath==null ||
"".equalsIgnoreCase(providerPath.trim()) ||
(!providerPath.startsWith("localjceks://") &&
!providerPath.startsWith("jceks://")))
+ if(providerPath==null ||
"".equalsIgnoreCase(providerPath.trim()) ||
+
(!providerPath.startsWith("localjceks://") &&
!providerPath.startsWith("jceks://")) &&
+
(!providerPath.startsWith("localbcfks://") &&
!providerPath.startsWith("bcfks://")))
{
System.out.println("Invalid provider option in
credential get command!!");
System.out.println("Found:'"+providerPath+"'");
- displaySyntax("get");
+ displaySyntax("get", storeType);
return false;
}
}catch(Exception ex){
System.out.println("Invalid input or runtime error!
Please try again.");
System.out.println("Input:"+command+" "+alias+"
"+providerOption+" "+providerPath);
- displaySyntax("get");
+ displaySyntax("get", storeType);
ex.printStackTrace();
return false;
}
@@ -522,6 +566,10 @@ public class buildks {
keystore=providerPath.replace("jceks://file","");
}else if(providerPath.startsWith("localjceks://file")){
keystore=providerPath.replace("jceks://file","");
+ }else if(providerPath.startsWith("bcfks://file")){
+
keystore=providerPath.replace("bcfks://file","");
+ }else if(providerPath.startsWith("localbcfks://file")){
+
keystore=providerPath.replace("bcfks://file","");
}else{
keystore=providerPath;
}
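Review bot: The new `localbcfks://file` branch strips only `bcfks://file`, leaving `local` glued to the front of the filesystem path (`localbcfks://file/tmp/x` becomes `local/tmp/x`), so the stale keystore is never located or deleted; it should be `keystore=providerPath.replace("localbcfks://file","");`. The existing `localjceks://file` branch on the context line above has the same flaw and would take the same fix. The method begins outside the hunk.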
diff --git
a/credentialbuilder/src/test/java/org/apache/ranger/credentialapi/TestCredentialReader.java
b/credentialbuilder/src/test/java/org/apache/ranger/credentialapi/TestCredentialReader.java
index 006986c..ff3ce84 100644
---
a/credentialbuilder/src/test/java/org/apache/ranger/credentialapi/TestCredentialReader.java
+++
b/credentialbuilder/src/test/java/org/apache/ranger/credentialapi/TestCredentialReader.java
@@ -50,7 +50,7 @@ public class TestCredentialReader {
@Test
public void testPassword() throws Exception {
- String password = CredentialReader.getDecryptedString(keystoreFile,
"TestCredential2");
+ String password = CredentialReader.getDecryptedString(keystoreFile,
"TestCredential2", "jceks");
assertEquals("PassworD123", password);
String[] argsdeleteCommand = new String[] {"delete",
"TestCredential2", "-provider", "jceks://file@/" + keystoreFile};
diff --git
a/credentialbuilder/src/test/java/org/apache/ranger/credentialapi/Testbuildks.java
b/credentialbuilder/src/test/java/org/apache/ranger/credentialapi/Testbuildks.java
index 87634d7..c9fb54c 100644
---
a/credentialbuilder/src/test/java/org/apache/ranger/credentialapi/Testbuildks.java
+++
b/credentialbuilder/src/test/java/org/apache/ranger/credentialapi/Testbuildks.java
@@ -21,6 +21,7 @@ import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import java.io.File;
+import java.util.Arrays;
import org.apache.commons.io.FileUtils;
import org.junit.After;
@@ -48,7 +49,7 @@ public class Testbuildks {
@Test
public void testBuildKSsuccess() throws Exception {
buildks buildksOBJ = new buildks();
- String[] argsCreateCommand = {"create", "TestCredential1", "-value",
"PassworD123", "-provider", "jceks://file@/" + keystoreFile};
+ String[] argsCreateCommand = {"create", "TestCredential1", "-value",
"PassworD123", "-provider", "jceks://file@/" + keystoreFile, "","jceks"};
int rc1 = buildksOBJ.createCredential(argsCreateCommand);
assertEquals(0, rc1);
@@ -57,6 +58,7 @@ public class Testbuildks {
assertEquals(0, rc2);
String[] argsGetCommand = {"get", "TestCredential1", "-provider",
"jceks://file@/" +keystoreFile };
+ System.out.println("Get command = " + Arrays.toString(argsGetCommand));
String pw = buildksOBJ.getCredential(argsGetCommand);
assertEquals("PassworD123", pw);
assertTrue(pw.equals("PassworD123"));
diff --git
a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/ElasticSearchIndexBootStrapper.java
b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/ElasticSearchIndexBootStrapper.java
index e6eb7af..15a16e4 100644
---
a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/ElasticSearchIndexBootStrapper.java
+++
b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/ElasticSearchIndexBootStrapper.java
@@ -25,6 +25,7 @@ import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
+import java.security.KeyStore;
import java.util.Locale;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicLong;
@@ -121,8 +122,9 @@ public class ElasticSearchIndexBootStrapper extends Thread {
String providerPath =
EmbeddedServerUtil.getConfig(ES_CREDENTIAL_PROVIDER_PATH);
String credentialAlias =
EmbeddedServerUtil.getConfig(ES_CREDENTIAL_ALIAS, ES_CONFIG_PASSWORD);
+ String keyStoreFileType =
EmbeddedServerUtil.getConfig("ranger.keystore.file.type",
KeyStore.getDefaultType());
if (providerPath != null && credentialAlias != null) {
- password =
CredentialReader.getDecryptedString(providerPath.trim(),
credentialAlias.trim());
+ password =
CredentialReader.getDecryptedString(providerPath.trim(),
credentialAlias.trim(), keyStoreFileType);
if (StringUtils.isBlank(password) ||
"none".equalsIgnoreCase(password.trim())) {
password =
EmbeddedServerUtil.getConfig(ES_CONFIG_PASSWORD);
}
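Review bot: The property name `"ranger.keystore.file.type"` is introduced here as a bare literal and repeated in the `EmbeddedServer` hunks (L905–L921 and the `CredentialReader` call at L930–L933), so a typo in one copy would silently fall back to the default; a shared constant next to `EmbeddedServer.RANGER_KEYSTORE_FILE_TYPE_DEFAULT`, e.g. `public static final String RANGER_KEYSTORE_FILE_TYPE = "ranger.keystore.file.type";`, keeps the key in one place (agents-common's new `RangerConfigConstants.RANGER_KEYSTORE_TYPE` already spells it out, if this module may depend on it). The enclosing method continues outside the hunk.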
diff --git
a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
index 30d8305..757461d 100644
---
a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
+++
b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
@@ -75,8 +75,8 @@ public class EmbeddedServer {
private static final String ADMIN_NAME_RULES =
"hadoop.security.auth_to_local";
private static final String ADMIN_SERVER_NAME = "rangeradmin";
private static final String KMS_SERVER_NAME = "rangerkms";
- public static final String RANGER_KEYSTORE_FILE_TYPE_DEFAULT = "jks";
- public static final String RANGER_TRUSTSTORE_FILE_TYPE_DEFAULT = "jks";
+ public static final String RANGER_KEYSTORE_FILE_TYPE_DEFAULT =
KeyStore.getDefaultType();
+ public static final String RANGER_TRUSTSTORE_FILE_TYPE_DEFAULT =
KeyStore.getDefaultType();
public static final String RANGER_SSL_CONTEXT_ALGO_TYPE = "TLS";
public static final String RANGER_SSL_KEYMANAGER_ALGO_TYPE =
KeyManagerFactory.getDefaultAlgorithm();
public static final String RANGER_SSL_TRUSTMANAGER_ALGO_TYPE =
TrustManagerFactory.getDefaultAlgorithm();
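Review bot: Replacing the literal `"jks"` with `KeyStore.getDefaultType()` at L896-899 changes the fallback for deployments that never set `ranger.keystore.file.type` or `ranger.truststore.file.type`: the value now follows the JVM's `keystore.type` security property, which is `pkcs12` on Java 9+ and `jks` on Java 8, and on a FIPS-configured JVM whatever java.security names. The JDK's dual-format loaders generally open a JKS file under the pkcs12 type, so existing JKS stores should still load, but that is JDK behaviour rather than something this code guarantees. A comment on the constants would tell operators what to expect: `// Tracks the JVM's keystore.type security property; override with ranger.keystore.file.type (e.g. bcfks under FIPS)`.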
@@ -152,6 +152,8 @@ public class EmbeddedServer {
ssl.setScheme("https");
ssl.setAttribute("SSLEnabled", "true");
ssl.setAttribute("sslProtocol",
EmbeddedServerUtil.getConfig("ranger.service.https.attrib.ssl.protocol",
"TLS"));
+ ssl.setAttribute("keystoreType",
EmbeddedServerUtil.getConfig("ranger.keystore.file.type",
RANGER_KEYSTORE_FILE_TYPE_DEFAULT));
+ ssl.setAttribute("truststoreType",
EmbeddedServerUtil.getConfig("ranger.truststore.file.type",
RANGER_TRUSTSTORE_FILE_TYPE_DEFAULT));
String clientAuth =
EmbeddedServerUtil.getConfig("ranger.service.https.attrib.clientAuth", "false");
if("false".equalsIgnoreCase(clientAuth)){
clientAuth =
EmbeddedServerUtil.getConfig("ranger.service.https.attrib.client.auth", "want");
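Review bot: The property names `ranger.keystore.file.type` and `ranger.truststore.file.type` are now inline string literals at L912, L932 and L946 (keystore) and L915 and L982 (truststore) of this file, and again in ElasticSearchIndexBootStrapper, RangerKeyStoreProvider, RangerMasterKey and PropertiesUtil; a typo in any one copy silently falls back to the default type with no error. Hoisting them next to `RANGER_KEYSTORE_FILE_TYPE_DEFAULT` as `private static final String RANGER_KEYSTORE_FILE_TYPE = "ranger.keystore.file.type";` and `private static final String RANGER_TRUSTSTORE_FILE_TYPE = "ranger.truststore.file.type";` keeps each key in one place. This note also covers the hunks ending at L938, L956 and L988. The enclosing method starts outside the hunk.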
@@ -161,7 +163,7 @@ public class EmbeddedServer {
String keyAlias =
EmbeddedServerUtil.getConfig("ranger.service.https.attrib.keystore.credential.alias",
"keyStoreCredentialAlias");
String keystorePass=null;
if(providerPath!=null && keyAlias!=null){
- keystorePass =
CredentialReader.getDecryptedString(providerPath.trim(), keyAlias.trim());
+ keystorePass =
CredentialReader.getDecryptedString(providerPath.trim(), keyAlias.trim(),
EmbeddedServerUtil.getConfig("ranger.keystore.file.type",
RANGER_KEYSTORE_FILE_TYPE_DEFAULT));
if (StringUtils.isBlank(keystorePass) ||
"none".equalsIgnoreCase(keystorePass.trim())) {
keystorePass =
EmbeddedServerUtil.getConfig("ranger.service.https.attrib.keystore.pass");
}
@@ -432,8 +434,9 @@ public class EmbeddedServer {
keyStoreFile = getKeystoreFile();
keyStoreAlias =
EmbeddedServerUtil.getConfig("ranger.service.https.attrib.keystore.credential.alias",
"keyStoreCredentialAlias");
}
+ String keyStoreFileType =
EmbeddedServerUtil.getConfig("ranger.keystore.file.type",RANGER_KEYSTORE_FILE_TYPE_DEFAULT);
String credentialProviderPath =
EmbeddedServerUtil.getConfig("ranger.credential.provider.path");
- String keyStoreFilepwd =
CredentialReader.getDecryptedString(credentialProviderPath, keyStoreAlias);
+ String keyStoreFilepwd =
CredentialReader.getDecryptedString(credentialProviderPath, keyStoreAlias,
keyStoreFileType);
if (StringUtils.isNotEmpty(keyStoreFile) &&
StringUtils.isNotEmpty(keyStoreFilepwd)) {
InputStream in = null;
@@ -442,11 +445,11 @@ public class EmbeddedServer {
in = getFileInputStream(keyStoreFile);
if (in != null) {
- KeyStore keyStore =
KeyStore.getInstance(RANGER_KEYSTORE_FILE_TYPE_DEFAULT);
+ KeyStore keyStore =
KeyStore.getInstance(keyStoreFileType);
keyStore.load(in,
keyStoreFilepwd.toCharArray());
- KeyManagerFactory keyManagerFactory =
KeyManagerFactory.getInstance(RANGER_SSL_KEYMANAGER_ALGO_TYPE);
+ KeyManagerFactory keyManagerFactory =
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore,
keyStoreFilepwd.toCharArray());
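Review bot: L969 inlines `KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())` where the removed line used `RANGER_SSL_KEYMANAGER_ALGO_TYPE`, which is declared at L901-902 with exactly that value; the substitution makes the constant unused at this site and hides the one place the algorithm could be changed. Keeping `KeyManagerFactory.getInstance(RANGER_SSL_KEYMANAGER_ALGO_TYPE)` preserves the indirection at no cost. The enclosing method starts outside the hunk.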
@@ -488,7 +491,8 @@ public class EmbeddedServer {
String truststoreFile =
EmbeddedServerUtil.getConfig("ranger.truststore.file");
String truststoreAlias =
EmbeddedServerUtil.getConfig("ranger.truststore.alias");
String credentialProviderPath =
EmbeddedServerUtil.getConfig("ranger.credential.provider.path");
- String trustStoreFilepwd =
CredentialReader.getDecryptedString(credentialProviderPath, truststoreAlias);
+ String truststoreFileType =
EmbeddedServerUtil.getConfig("ranger.truststore.file.type",RANGER_TRUSTSTORE_FILE_TYPE_DEFAULT);
+ String trustStoreFilepwd =
CredentialReader.getDecryptedString(credentialProviderPath, truststoreAlias,
truststoreFileType);
if (StringUtils.isNotEmpty(truststoreFile) &&
StringUtils.isNotEmpty(trustStoreFilepwd)) {
InputStream in = null;
@@ -497,7 +501,7 @@ public class EmbeddedServer {
in = getFileInputStream(truststoreFile);
if (in != null) {
- KeyStore trustStore =
KeyStore.getInstance(RANGER_TRUSTSTORE_FILE_TYPE_DEFAULT);
+ KeyStore trustStore =
KeyStore.getInstance(truststoreFileType);
trustStore.load(in,
trustStoreFilepwd.toCharArray());
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java
b/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java
index 75aa939..4324439 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java
@@ -41,7 +41,7 @@ public class JKS2RangerUtil {
private static final String AZURE_KEYVAULT_CERTIFICATE_PASSWORD =
"ranger.kms.azure.keyvault.certificate.password";
private static final String AZURE_CLIENT_SECRET_ALIAS =
"ranger.kms.azure.client.secret.alias";
private static final String CREDENTIAL_PATH =
"ranger.ks.jpa.jdbc.credential.provider.path";
- private static final String DEFAULT_KEYSTORE_TYPE = "jceks";
+ private static final String DEFAULT_KEYSTORE_TYPE =
KeyStore.getDefaultType();
private static final String ENCRYPTION_KEY =
"ranger.db.encrypt.key.password";
private static final String KEYSECURE_ENABLED =
"ranger.kms.keysecure.enabled";
private static final String KEYSECURE_USERNAME =
"ranger.kms.keysecure.login.username";
@@ -74,7 +74,7 @@ public class JKS2RangerUtil {
System.exit(1);
}
String keyStoreType = (args.length == 2 ? args[1]
- : DEFAULT_KEYSTORE_TYPE);
+ : KeyStore.getDefaultType());
try {
KeyStore.getInstance(keyStoreType);
} catch (KeyStoreException e) {
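Review bot: L1024 inlines `KeyStore.getDefaultType()` where the removed line used `DEFAULT_KEYSTORE_TYPE`, even though the hunk above just redefined that constant to the identical expression; the constant now appears unused from this method and the two can drift apart. Keep `: DEFAULT_KEYSTORE_TYPE);` here and let the constant alone carry the default. The enclosing method starts outside the hunk.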
@@ -105,7 +105,7 @@ public class JKS2RangerUtil {
String aliasValue = conf.get(alias);
if (pathValue != null && aliasValue != null) {
String xaDBPassword =
CredentialReader.getDecryptedString(
- pathValue.trim(),
aliasValue.trim());
+ pathValue.trim(),
aliasValue.trim(), KeyStore.getDefaultType());
if (xaDBPassword != null &&
!xaDBPassword.trim().isEmpty()
&&
!xaDBPassword.trim().equalsIgnoreCase("none")) {
conf.set(key, xaDBPassword);
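Review bot: L1036 passes the literal JVM default `KeyStore.getDefaultType()` as the store type, whereas RangerKeyStoreProvider (hunk ending L1135) reads `conf.get("ranger.keystore.file.type", KeyStore.getDefaultType())`; with the hard-wired default, the bcfks branch in CredentialReader is reached only when the JVM's own `keystore.type` security property is `bcfks`, so a deployment that configures the type through Ranger's configuration alone behaves differently in this tool than in the KMS provider. Reading the same configuration key here, as RangerKeyStoreProvider does, keeps the two paths consistent. KeySecureToRangerDBMKUtil (hunk ending L1069) and Ranger2JKSUtil (hunk ending L1104) hard-wire the default in the same way. The enclosing method starts outside the hunk.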
diff --git
a/kms/src/main/java/org/apache/hadoop/crypto/key/KeySecureToRangerDBMKUtil.java
b/kms/src/main/java/org/apache/hadoop/crypto/key/KeySecureToRangerDBMKUtil.java
index 538fde9..7fafa10 100644
---
a/kms/src/main/java/org/apache/hadoop/crypto/key/KeySecureToRangerDBMKUtil.java
+++
b/kms/src/main/java/org/apache/hadoop/crypto/key/KeySecureToRangerDBMKUtil.java
@@ -16,6 +16,8 @@
*/
package org.apache.hadoop.crypto.key;
+import java.security.KeyStore;
+
import org.apache.hadoop.conf.Configuration;
import org.apache.ranger.credentialapi.CredentialReader;
import org.apache.ranger.kms.dao.DaoManager;
@@ -91,7 +93,7 @@ public class KeySecureToRangerDBMKUtil {
String pathValue = conf.get(path);
String aliasValue = conf.get(alias);
if (pathValue != null && aliasValue != null) {
- String xaDBPassword =
CredentialReader.getDecryptedString(pathValue.trim(), aliasValue.trim());
+ String xaDBPassword =
CredentialReader.getDecryptedString(pathValue.trim(), aliasValue.trim(),
KeyStore.getDefaultType());
if (xaDBPassword != null && !xaDBPassword.trim().isEmpty() &&
!xaDBPassword.trim().equalsIgnoreCase("none")) {
conf.set(key, xaDBPassword);
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java
b/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java
index 6e4f75a..1935a01 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java
@@ -41,7 +41,7 @@ public class Ranger2JKSUtil {
private static final String AZURE_KEYVAULT_CERTIFICATE_PATH =
"ranger.kms.azure.keyvault.certificate.path";
private static final String AZURE_KEYVAULT_CERTIFICATE_PASSWORD =
"ranger.kms.azure.keyvault.certificate.password";
private static final String CREDENTIAL_PATH =
"ranger.ks.jpa.jdbc.credential.provider.path";
- private static final String DEFAULT_KEYSTORE_TYPE = "jceks";
+ private static final String DEFAULT_KEYSTORE_TYPE =
KeyStore.getDefaultType();
private static final String ENCRYPTION_KEY =
"ranger.db.encrypt.key.password";
private static final String KEYSECURE_ENABLED =
"ranger.kms.keysecure.enabled";
private static final String KEYSECURE_USERNAME =
"ranger.kms.keysecure.login.username";
@@ -222,7 +222,7 @@ public class Ranger2JKSUtil {
String aliasValue = conf.get(alias);
if (pathValue != null && aliasValue != null) {
String xaDBPassword =
CredentialReader.getDecryptedString(
- pathValue.trim(),
aliasValue.trim());
+ pathValue.trim(),
aliasValue.trim(), KeyStore.getDefaultType());
if (xaDBPassword != null &&
!xaDBPassword.trim().isEmpty()
&&
!xaDBPassword.trim().equalsIgnoreCase("none")) {
conf.set(key, xaDBPassword);
diff --git
a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
index 7473871..011318b 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
@@ -26,6 +26,7 @@ import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.security.Key;
+import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
@@ -619,8 +620,9 @@ public class RangerKeyStoreProvider extends KeyProvider {
String pathValue = conf.get(path);
String aliasValue = conf.get(alias);
if (pathValue != null && aliasValue != null) {
+ String storeType =
conf.get("ranger.keystore.file.type", KeyStore.getDefaultType());
String xaDBPassword =
CredentialReader.getDecryptedString(
- pathValue.trim(),
aliasValue.trim());
+ pathValue.trim(),
aliasValue.trim(), storeType);
if (xaDBPassword != null &&
!xaDBPassword.trim().isEmpty()
&&
!xaDBPassword.trim().equalsIgnoreCase("none")) {
conf.set(key, xaDBPassword);
diff --git
a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
index 2b4eb80..adb2c26 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
@@ -18,6 +18,7 @@
package org.apache.hadoop.crypto.key;
import java.security.Key;
+import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
@@ -56,9 +57,9 @@ public class RangerMasterKey implements RangerKMSMKI {
private static final int DEFAULT_SALT_SIZE = 8;
private static final String DEFAULT_SALT =
"abcdefghijklmnopqrstuvwxyz01234567890";
private static final String DEFAULT_CRYPT_ALGO = "PBEWithMD5AndTripleDES";
- private static final String DEFAULT_MD_ALGO = "MD5";
private static final int DEFAULT_ITERATION_COUNT = 1000;
private static String password = null;
+ private static String DEFAULT_MD_ALGO;
public static final String DBKS_SITE_XML = "dbks-site.xml";
private static Properties serverConfigProperties = new Properties();
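Review bot: `DEFAULT_MD_ALGO` at L1157 is now a mutable, non-final static that stays null until `init()` assigns it (L1164-1165), yet it keeps the UPPER_SNAKE_CASE name of the constant it replaced, so readers and callers will assume it is always initialised; any use before `init()` would pass a null algorithm name (the callers are outside the hunk, so this is inferred). Renaming it `mdAlgo`, or keeping `DEFAULT_MD_ALGO = "MD5"` as the real constant beside a separate `private static String mdAlgo`, makes the lifecycle visible, together with `// selected in init(): SHA-512 when the keystore type is bcfks, MD5 otherwise`.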
@@ -177,6 +178,7 @@ public class RangerMasterKey implements RangerKMSMKI {
logger.debug("==> RangerMasterKey.init()");
}
XMLUtils.loadConfig(DBKS_SITE_XML, serverConfigProperties);
+ DEFAULT_MD_ALGO = getConfig("ranger.keystore.file.type",
KeyStore.getDefaultType()).equalsIgnoreCase("bcfks") ? "SHA-512" : "MD5";
MK_CIPHER = getConfig("ranger.kms.service.masterkey.password.cipher",
DEFAULT_MK_CIPHER);
MK_KeySize =
getIntConfig("ranger.kms.service.masterkey.password.size", DEFAULT_MK_KeySize);
SALT_SIZE =
getIntConfig("ranger.kms.service.masterkey.password.salt.size",
DEFAULT_SALT_SIZE);
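Review bot: The digest choice at L1164-1165 is keyed off `ranger.keystore.file.type` equalling `bcfks`, which is a proxy: the admin side of this same commit decides FIPS mode via `RangerAdminConfig.getInstance().isFipsEnabled()` (UserMgr, L1223-1224), and a KMS running on a FIPS JVM with any other keystore type keeps MD5. The expression also only ever selects between `"SHA-512"` and `"MD5"`, so no non-bcfks deployment gets the stronger digest. If `DEFAULT_MD_ALGO` feeds master-key derivation, changing that default would break existing installs, which is worth stating so the next reader does not "fix" it: `// MD5 retained for compatibility with existing master keys; SHA-512 only under bcfks/FIPS`. The enclosing `init()` starts and ends outside the hunk.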
diff --git a/ranger-util/src/scripts/saveVersion.py
b/ranger-util/src/scripts/saveVersion.py
index 0ad39ac..5122754 100644
--- a/ranger-util/src/scripts/saveVersion.py
+++ b/ranger-util/src/scripts/saveVersion.py
@@ -103,11 +103,11 @@ def main():
sortedList = sorted(fileList, key = lambda x: x[:-4])
for _, val in enumerate(sortedList):
- m = hashfile(open(val,'rb'), hashlib.md5())
+ m = hashfile(open(val,'rb'), hashlib.sha512())
f = m +" "+ val + "\n"
c.append(f)
- srcChecksum = hashlib.md5(''.join(c).encode('UTF-8')).hexdigest()
+ srcChecksum = hashlib.sha512(''.join(c).encode('UTF-8')).hexdigest()
print('hash of the ' + str(len(sortedList)) + '\n\t file from: ' +
parent_dir + '\n\t is ' + srcChecksum)
dir =
os.path.join(src_dir,"target","gen","org","apache","ranger","common")
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index 2b3cdcb..3182a28 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -28,6 +28,7 @@ import javax.persistence.Query;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
+import org.apache.ranger.authorization.hadoop.config.RangerAdminConfig;
import org.apache.ranger.common.AppConstants;
import org.apache.ranger.common.ContextUtil;
import org.apache.ranger.common.DateUtil;
@@ -52,6 +53,7 @@ import org.apache.ranger.entity.XXUserPermission;
import org.apache.ranger.service.XGroupPermissionService;
import org.apache.ranger.service.XPortalUserService;
import org.apache.ranger.service.XUserPermissionService;
+import org.apache.ranger.util.Pbkdf2PasswordEncoderCust;
import org.apache.ranger.view.VXGroupPermission;
import org.apache.ranger.view.VXPasswordChange;
import org.apache.ranger.view.VXPortalUser;
@@ -116,6 +118,8 @@ public class UserMgr {
@Autowired
GUIDUtil guidUtil;
+
+ private final boolean isFipsEnabled;
String publicRoles[] = new String[] { RangerConstants.ROLE_USER,
RangerConstants.ROLE_OTHER };
@@ -138,6 +142,7 @@ public class UserMgr {
if (logger.isDebugEnabled()) {
logger.debug("UserMgr()");
}
+ this.isFipsEnabled =
RangerAdminConfig.getInstance().isFipsEnabled();
}
public XXPortalUser createUser(VXPortalUser userProfile, int userStatus,
@@ -414,13 +419,21 @@ public class UserMgr {
vXResponse.setMsgDesc("SECURITY:changePassword().Ranger External
Users cannot change password. LoginId=" + pwdChange.getLoginId());
throw restErrorUtil.generateRESTException(vXResponse);
}
+
+ String currentPassword = gjUser.getPassword();
//check current password and provided old password is same or
not
- String encryptedOldPwd =
encrypt(pwdChange.getLoginId(),pwdChange.getOldPassword());
- if (!stringUtil.equals(encryptedOldPwd, gjUser.getPassword())) {
- logger.info("changePassword(). Invalid old password.
LoginId="+ pwdChange.getLoginId());
- throw
restErrorUtil.createRESTException("validationMessages.oldPasswordError",MessageEnums.INVALID_INPUT_DATA,
null, null,pwdChange.getLoginId());
- }
-
+ if (this.isFipsEnabled) {
+ if (!isPasswordValid(pwdChange.getLoginId(),
currentPassword, pwdChange.getOldPassword())) {
+ logger.info("changePassword(). Invalid old
password. LoginId="+ pwdChange.getLoginId());
+ throw
restErrorUtil.createRESTException("serverMsg.userMgrOldPassword",MessageEnums.INVALID_INPUT_DATA,
null, null,pwdChange.getLoginId());
+ }
+ } else {
+ String encryptedOldPwd =
encrypt(pwdChange.getLoginId(),pwdChange.getOldPassword());
+ if (!stringUtil.equals(encryptedOldPwd,
gjUser.getPassword())) {
+ logger.info("changePassword(). Invalid
old password. LoginId="+ pwdChange.getLoginId());
+ throw
restErrorUtil.createRESTException("serverMsg.userMgrOldPassword",MessageEnums.INVALID_INPUT_DATA,
null, null,pwdChange.getLoginId());
+ }
+ }
//validate new password
if (!stringUtil.validatePassword(pwdChange.getUpdPassword(),new
String[] { gjUser.getFirstName(),gjUser.getLastName(), gjUser.getLoginId()})) {
logger.warn("SECURITY:changePassword(). Invalid new
password. LoginId="+ pwdChange.getLoginId());
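Review bot: In the FIPS branch at L1246-1254, `isPasswordValid` verifies the stored hash with the PBKDF2 encoder only, so an account whose row still holds a SHA-256 or MD5 hash from before FIPS was enabled can never pass the old-password check and therefore can never change its password; the commit shows no migration step or fallback to the legacy encoders. If such rows can exist, verifying against the legacy format when PBKDF2 does not match (and re-hashing on success), or a documented one-time reset, is needed, and a comment on the branch should say which applies. changeEmailAddress (hunk ending L1398) has the same gap. The enclosing method starts outside the hunk.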
@@ -428,27 +441,34 @@ public class UserMgr {
}
String encryptedNewPwd =
encrypt(pwdChange.getLoginId(),pwdChange.getUpdPassword());
- String currentPassword = gjUser.getPassword();
- if (!encryptedNewPwd.equals(currentPassword)) {
- List<XXTrxLog> trxLogList = new ArrayList<XXTrxLog>();
- XXTrxLog xTrxLog = new XXTrxLog();
- xTrxLog.setAttributeName("Password");
- xTrxLog.setPreviousValue(currentPassword);
- xTrxLog.setNewValue(encryptedNewPwd);
- xTrxLog.setAction("password change");
-
xTrxLog.setObjectClassType(AppConstants.CLASS_TYPE_PASSWORD_CHANGE);
- xTrxLog.setObjectId(pwdChange.getId());
- xTrxLog.setObjectName(pwdChange.getLoginId());
- trxLogList.add(xTrxLog);
- rangerBizUtil.createTrxLog(trxLogList);
- gjUser.setPassword(encryptedNewPwd);
- gjUser = daoManager.getXXPortalUser().update(gjUser);
- ret.setMsgDesc("Password successfully updated");
- ret.setStatusCode(VXResponse.STATUS_SUCCESS);
- } else {
- ret.setMsgDesc("Password update failed");
- ret.setStatusCode(VXResponse.STATUS_ERROR);
- throw
restErrorUtil.createRESTException("serverMsg.userMgrOldPassword",MessageEnums.INVALID_INPUT_DATA,
gjUser.getId(),"password", gjUser.toString());
+ //check current password and provided new password different
+ boolean isNewPasswordDifferent;
+ if (this.isFipsEnabled) {
+ isNewPasswordDifferent =
isNewPasswordDifferent(pwdChange.getLoginId(), pwdChange.getOldPassword(),
pwdChange.getUpdPassword());
+ } else {
+ isNewPasswordDifferent =
!encryptedNewPwd.equals(currentPassword);
+ }
+ if (isNewPasswordDifferent) {
+ List<XXTrxLog> trxLogList = new
ArrayList<XXTrxLog>();
+ XXTrxLog xTrxLog = new XXTrxLog();
+ xTrxLog.setAttributeName("Password");
+ xTrxLog.setPreviousValue(currentPassword);
+ xTrxLog.setNewValue(encryptedNewPwd);
+ xTrxLog.setAction("password change");
+
xTrxLog.setObjectClassType(AppConstants.CLASS_TYPE_PASSWORD_CHANGE);
+ xTrxLog.setObjectId(pwdChange.getId());
+ xTrxLog.setObjectName(pwdChange.getLoginId());
+ trxLogList.add(xTrxLog);
+ rangerBizUtil.createTrxLog(trxLogList);
+ gjUser.setPassword(encryptedNewPwd);
+ gjUser =
daoManager.getXXPortalUser().update(gjUser);
+ ret.setMsgDesc("Password successfully updated");
+ ret.setStatusCode(VXResponse.STATUS_SUCCESS);
+ } else {
+ logger.error("SECURITY:changePassword().
Password update failed. LoginId="+ pwdChange.getLoginId());
+ ret.setMsgDesc("Password update failed");
+ ret.setStatusCode(VXResponse.STATUS_ERROR);
+ throw
restErrorUtil.createRESTException("serverMsg.userMgrOldPassword",MessageEnums.INVALID_INPUT_DATA,
gjUser.getId(),"password", gjUser.toString());
}
return ret;
}
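Review bot: `isNewPasswordDifferent(loginId, oldPassword, updPassword)` at L1303-1305 runs a full PBKDF2 derivation of the old plaintext and a second one to match the new plaintext, only to decide whether two strings the server already holds are equal; `!pwdChange.getOldPassword().equals(pwdChange.getUpdPassword())` gives the same answer unless the encoder normalises input in a way I cannot see here. Separately, L1315-1316 (carried over from the removed lines) record the previous and new password hashes verbatim in the transaction log, making the audit trail a second copy of every hash; writing a fixed marker such as `"*****"` for both values limits exposure to anyone with audit-log access. The enclosing method starts outside the hunk.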
@@ -466,9 +486,6 @@ public class UserMgr {
changeEmail.setEmailAddress(null);
}
- String encryptedOldPwd = encrypt(gjUser.getLoginId(),
- changeEmail.getOldPassword());
-
if (!StringUtils.isEmpty(changeEmail.getEmailAddress()) &&
!stringUtil.validateEmail(changeEmail.getEmailAddress())) {
logger.info("Invalid email address." + changeEmail);
throw restErrorUtil.createRESTException(
@@ -477,16 +494,27 @@ public class UserMgr {
"emailAddress", changeEmail.toString());
}
-
- if (!stringUtil.equals(encryptedOldPwd, gjUser.getPassword())) {
- logger.info("changeEmailAddress(). Invalid password.
changeEmail="
- + changeEmail);
-
- throw restErrorUtil.createRESTException(
- "serverMsg.userMgrWrongPassword",
- MessageEnums.OPER_NO_PERMISSION, null,
null, ""
+
+ if (this.isFipsEnabled) {
+ if (!isPasswordValid(changeEmail.getLoginId(),
gjUser.getPassword(), changeEmail.getOldPassword())) {
+ logger.info("changeEmailAddress(). Invalid
password. changeEmail="
+ + changeEmail);
+ throw
restErrorUtil.createRESTException(
+
"serverMsg.userMgrWrongPassword",
+
MessageEnums.OPER_NO_PERMISSION, null, null, ""
+
+ changeEmail);
+ }
+ } else {
+ String encryptedOldPwd =
encrypt(gjUser.getLoginId(), changeEmail.getOldPassword());
+ if (!stringUtil.equals(encryptedOldPwd,
gjUser.getPassword())) {
+ logger.info("changeEmailAddress().
Invalid password. changeEmail="
+ changeEmail);
- }
+ throw restErrorUtil.createRESTException(
+
"serverMsg.userMgrWrongPassword",
+
MessageEnums.OPER_NO_PERMISSION, null, null, ""
+ +
changeEmail);
+ }
+ }
// Normalize email. Make it lower case
gjUser.setEmailAddress(stringUtil.normalizeEmail(changeEmail
@@ -1100,13 +1128,30 @@ public class UserMgr {
}
public String encrypt(String loginId, String password) {
- String
sha256PasswordUpdateDisable=PropertiesUtil.getProperty("ranger.sha256Password.update.disable",
"false");
- String saltEncodedpasswd="";
- if("false".equalsIgnoreCase(sha256PasswordUpdateDisable)){
- saltEncodedpasswd =
sha256Encoder.encodePassword(password, loginId);
- }else{
- saltEncodedpasswd = md5Encoder.encodePassword(password,
loginId);
+ String saltEncodedpasswd = "";
+ if (this.isFipsEnabled) {
+ try {
+ Pbkdf2PasswordEncoderCust pbkdf2Encoder = new
Pbkdf2PasswordEncoderCust(loginId);
+ pbkdf2Encoder.setEncodeHashAsBase64(true);
+ if (password != null) {
+ saltEncodedpasswd =
pbkdf2Encoder.encode(password);
+ }
+ } catch (Throwable t) {
+ logger.error("Password doesn't meet
requirements");
+ throw
restErrorUtil.createRESTException("Invalid password",
+
MessageEnums.INVALID_PASSWORD, null, null, ""
+ +
loginId);
+ }
+ } else {
+ String sha256PasswordUpdateDisable =
PropertiesUtil.getProperty("ranger.sha256Password.update.disable", "false");
+
+ if
("false".equalsIgnoreCase(sha256PasswordUpdateDisable)) {
+ saltEncodedpasswd =
sha256Encoder.encodePassword(password, loginId);
+ } else {
+ saltEncodedpasswd =
md5Encoder.encodePassword(password, loginId);
+ }
}
+
return saltEncodedpasswd;
}
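Review bot: `catch (Throwable t)` at L1422-1430 logs a fixed message, `"Password doesn't meet requirements"`, without `t`, then reports `"Invalid password"` to the caller, so a provider or algorithm failure on a FIPS JVM (the likely cause of an exception from a PBKDF2 encoder) is indistinguishable from bad input and leaves nothing in the log to diagnose. Catch `Exception` rather than `Throwable` and include the cause: `logger.error("Password encoding failed for loginId=" + loginId, t);`. The encoder construction plus `setEncodeHashAsBase64(true)` is repeated here and in `isPasswordValid` and `isNewPasswordDifferent` (hunk ending L1499); a private `newPbkdf2Encoder(loginId)` factory would keep the three configurations identical. Note also that a null `password` yields an empty string as the stored value rather than an error.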
@@ -1424,4 +1469,38 @@ public class UserMgr {
rangerBizUtil.createTrxLog(trxLogList);
return xXPortalUser;
}
-}
+ public boolean isPasswordValid(String loginId, String encodedPassword,
String password) {
+ boolean isPasswordValid = false;
+ try {
+ Pbkdf2PasswordEncoderCust pbkdf2Encoder
= new Pbkdf2PasswordEncoderCust(loginId);
+
pbkdf2Encoder.setEncodeHashAsBase64(true);
+
+ if (pbkdf2Encoder.matches(password,
encodedPassword)) {
+ isPasswordValid = true;
+ }
+ } catch (Throwable t) {
+ logger.error("Unable to validate old
password ", t);
+ }
+
+ return isPasswordValid;
+ }
+
+ public boolean isNewPasswordDifferent(String loginId, String
currentPassword, String newPassword) {
+ boolean isNewPasswordDifferent = true;
+ String saltEncodedpasswd = "";
+ try {
+ Pbkdf2PasswordEncoderCust pbkdf2Encoder
= new Pbkdf2PasswordEncoderCust(loginId);
+
pbkdf2Encoder.setEncodeHashAsBase64(true);
+ if (currentPassword != null) {
+ saltEncodedpasswd =
pbkdf2Encoder.encode(currentPassword);
+ }
+ if (pbkdf2Encoder.matches(newPassword,
saltEncodedpasswd)) {
+ isNewPasswordDifferent = false;
+ }
+ } catch (Throwable t) {
+ logger.error("Unable to validate old
and new passwords ", t);
+ }
+
+ return isNewPasswordDifferent;
+ }
+ }
\ No newline at end of file
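Review bot: Both new helpers catch `Throwable` (L1466, L1491), and `isNewPasswordDifferent` initialises its result to `true`, so an encoder failure is reported as "passwords differ" and the update proceeds, while the same failure in `isPasswordValid` yields `false`; the two methods fail in opposite directions for the same cause, which should be either made consistent (rethrow, or both fail closed) or stated in a comment such as `// encoder failure is treated as "different" so the caller's encode() surfaces the real error`. Both are `public` although the only visible callers are in this class; `private` keeps the PBKDF2 details out of the bean's API, and the local `boolean isNewPasswordDifferent` in changePassword shadowing this method's name reads badly. The new closing brace at L1498 is indented and the file still has no trailing newline.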
diff --git
a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
index c58258b..fb892d5 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
@@ -72,7 +72,8 @@ public class PropertiesUtil extends
PropertyPlaceholderConfigurer {
String keyStr = key.toString();
propertiesMap.put(keyStr, props.getProperty(keyStr).trim());
}
-
+
+ String storeType = propertiesMap.get("ranger.keystore.file.type");
// update system trust store path with custom trust store.
if (propertiesMap!=null &&
propertiesMap.containsKey("ranger.truststore.file")) {
if(!StringUtils.isEmpty(propertiesMap.get("ranger.truststore.file"))){
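Review bot: `storeType` at L1513 is taken straight from `propertiesMap` with no default, unlike EmbeddedServer (L946) and RangerKeyStoreProvider (L1124), which fall back to `KeyStore.getDefaultType()`; it works only because CredentialReader compares it with `StringUtils.equalsIgnoreCase(storeType, "bcfks")`, which treats null as "not bcfks". Using the class's own accessor, `String storeType = getProperty("ranger.keystore.file.type", KeyStore.getDefaultType());`, makes the fallback explicit (assuming `java.security.KeyStore` can be imported here). The new line also sits above the `propertiesMap!=null` guard at L1515, which that guard can no longer protect. The enclosing method starts outside the hunk.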
@@ -86,7 +87,7 @@ public class PropertiesUtil extends
PropertyPlaceholderConfigurer {
String
path=propertiesMap.get("ranger.credential.provider.path");
String
trustStoreAlias=getProperty("ranger.truststore.alias","trustStoreAlias");
if(path!=null && trustStoreAlias!=null){
- String
trustStorePassword=CredentialReader.getDecryptedString(path.trim(),
trustStoreAlias.trim());
+ String
trustStorePassword=CredentialReader.getDecryptedString(path.trim(),
trustStoreAlias.trim(), storeType);
if(trustStorePassword!=null&&
!trustStorePassword.trim().isEmpty() &&
!trustStorePassword.trim().equalsIgnoreCase("none")){
propertiesMap.put("ranger.truststore.password", trustStorePassword);
props.put("ranger.truststore.password", trustStorePassword);
@@ -113,7 +114,7 @@ public class PropertiesUtil extends
PropertyPlaceholderConfigurer {
String
path=propertiesMap.get("ranger.credential.provider.path");
String
keyStoreAlias=getProperty("ranger.keystore.alias","keyStoreAlias");
if(path!=null && keyStoreAlias!=null){
- String
keyStorePassword=CredentialReader.getDecryptedString(path.trim(),
keyStoreAlias.trim());
+ String
keyStorePassword=CredentialReader.getDecryptedString(path.trim(),
keyStoreAlias.trim(), storeType);
if(keyStorePassword!=null&&
!keyStorePassword.trim().isEmpty() &&
!keyStorePassword.trim().equalsIgnoreCase("none")){
propertiesMap.put("ranger.keystore.password", keyStorePassword);
props.put("ranger.keystore.password", keyStorePassword);
@@ -133,7 +134,7 @@ public class PropertiesUtil extends
PropertyPlaceholderConfigurer {
if(path!=null){
String
unixAuthKeyStoreAlias=getProperty("ranger.unixauth.keystore.alias","unixAuthKeyStoreAlias");
if(unixAuthKeyStoreAlias!=null){
- String
unixAuthKeyStorePass=CredentialReader.getDecryptedString(path.trim(),unixAuthKeyStoreAlias.trim());
+ String
unixAuthKeyStorePass=CredentialReader.getDecryptedString(path.trim(),unixAuthKeyStoreAlias.trim(),
storeType);
if(unixAuthKeyStorePass!=null&&
!unixAuthKeyStorePass.trim().isEmpty()
&&!unixAuthKeyStorePass.trim().equalsIgnoreCase("none")){
propertiesMap.put("ranger.unixauth.keystore.password", unixAuthKeyStorePass);
props.put("ranger.unixauth.keystore.password", unixAuthKeyStorePass);
@@ -144,7 +145,7 @@ public class PropertiesUtil extends
PropertyPlaceholderConfigurer {
//
String
unixAuthTrustStoreAlias=getProperty("ranger.unixauth.truststore.alias","unixAuthTrustStoreAlias");
if(unixAuthTrustStoreAlias!=null){
- String
unixAuthTrustStorePass=CredentialReader.getDecryptedString(path.trim(),unixAuthTrustStoreAlias.trim());
+ String
unixAuthTrustStorePass=CredentialReader.getDecryptedString(path.trim(),unixAuthTrustStoreAlias.trim(),
storeType);
if(unixAuthTrustStorePass!=null&&
!unixAuthTrustStorePass.trim().isEmpty()
&&!unixAuthTrustStorePass.trim().equalsIgnoreCase("none")){
propertiesMap.put("ranger.unixauth.truststore.password",
unixAuthTrustStorePass);
props.put("ranger.unixauth.truststore.password", unixAuthTrustStorePass);
@@ -160,7 +161,7 @@ public class PropertiesUtil extends
PropertyPlaceholderConfigurer {
String
path=propertiesMap.get("ranger.credential.provider.path");
String
alias=propertiesMap.get("ranger.jpa.jdbc.credential.alias");
if(path!=null && alias!=null){
- String
xaDBPassword=CredentialReader.getDecryptedString(path.trim(),alias.trim());
+ String
xaDBPassword=CredentialReader.getDecryptedString(path.trim(),alias.trim(),
storeType);
if(xaDBPassword!=null&& !xaDBPassword.trim().isEmpty()
&&
!"none".equalsIgnoreCase(xaDBPassword.trim())){
propertiesMap.put("ranger.jpa.jdbc.password",
xaDBPassword);
@@ -174,7 +175,7 @@ public class PropertiesUtil extends
PropertyPlaceholderConfigurer {
String
path=propertiesMap.get("ranger.credential.provider.path");
String
alias=propertiesMap.get("ranger.jpa.audit.jdbc.credential.alias");
if(path!=null && alias!=null){
- String
auditDBPassword=CredentialReader.getDecryptedString(path.trim(), alias.trim());
+ String
auditDBPassword=CredentialReader.getDecryptedString(path.trim(), alias.trim(),
storeType);
if(auditDBPassword!=null&&
!auditDBPassword.trim().isEmpty() &&
!"none".equalsIgnoreCase(auditDBPassword.trim())){
propertiesMap.put("ranger.jpa.audit.jdbc.password", auditDBPassword);
@@ -191,7 +192,7 @@ public class PropertiesUtil extends
PropertyPlaceholderConfigurer {
String
path=propertiesMap.get("ranger.credential.provider.path");
String
alias=propertiesMap.get("ranger.ldap.ad.binddn.credential.alias");
if(path!=null && alias!=null){
- String
bindDNPassword=CredentialReader.getDecryptedString(path.trim(), alias.trim());
+ String
bindDNPassword=CredentialReader.getDecryptedString(path.trim(), alias.trim(),
storeType);
if(bindDNPassword!=null&&
!bindDNPassword.trim().isEmpty() &&
!"none".equalsIgnoreCase(bindDNPassword.trim())){
propertiesMap.put("ranger.ldap.ad.bind.password", bindDNPassword);
@@ -210,7 +211,7 @@ public class PropertiesUtil extends
PropertyPlaceholderConfigurer {
String
path=propertiesMap.get("ranger.credential.provider.path");
String
alias=propertiesMap.get("ranger.ldap.binddn.credential.alias");
if(path!=null && alias!=null){
- String
bindDNPassword=CredentialReader.getDecryptedString(path.trim(), alias.trim());
+ String
bindDNPassword=CredentialReader.getDecryptedString(path.trim(), alias.trim(),
storeType);
if(bindDNPassword!=null&&
!bindDNPassword.trim().isEmpty() &&
!"none".equalsIgnoreCase(bindDNPassword.trim())){
propertiesMap.put("ranger.ldap.bind.password", bindDNPassword);
@@ -229,7 +230,7 @@ public class PropertiesUtil extends
PropertyPlaceholderConfigurer {
String
path=propertiesMap.get("ranger.credential.provider.path");
String
alias=propertiesMap.get("ranger.solr.audit.credential.alias");
if(path!=null && alias!=null){
- String
solrAuditPassword=CredentialReader.getDecryptedString(path.trim(),
alias.trim());
+ String
solrAuditPassword=CredentialReader.getDecryptedString(path.trim(),
alias.trim(), storeType);
if(solrAuditPassword!=null&&
!solrAuditPassword.trim().isEmpty() &&
!"none".equalsIgnoreCase(solrAuditPassword.trim())){
propertiesMap.put("ranger.solr.audit.user.password", solrAuditPassword);
diff --git
a/security-admin/src/main/java/org/apache/ranger/credentialapi/CredentialReader.java
b/security-admin/src/main/java/org/apache/ranger/credentialapi/CredentialReader.java
index 1a3ade7..f63828c 100644
---
a/security-admin/src/main/java/org/apache/ranger/credentialapi/CredentialReader.java
+++
b/security-admin/src/main/java/org/apache/ranger/credentialapi/CredentialReader.java
@@ -20,42 +20,55 @@
package org.apache.ranger.credentialapi;
import java.util.ArrayList;
import java.util.List;
-
+import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;
import org.apache.hadoop.security.alias.JavaKeyStoreProvider;
-
public class CredentialReader {
-
- public static String getDecryptedString(String
CrendentialProviderPath,String alias) {
+
+ public static String getDecryptedString(String
CrendentialProviderPath,String alias, String storeType) {
String credential=null;
try{
if(CrendentialProviderPath==null ||
alias==null||CrendentialProviderPath.trim().isEmpty()||alias.trim().isEmpty()){
return null;
- }
+ }
char[] pass = null;
Configuration conf = new Configuration();
String
crendentialProviderPrefixJceks=JavaKeyStoreProvider.SCHEME_NAME + "://file";
String
crendentialProviderPrefixLocalJceks="localjceks://file";
crendentialProviderPrefixJceks=crendentialProviderPrefixJceks.toLowerCase();
+
+ String crendentialProviderPrefixBcfks= "bcfks" +
"://file";
+ String crendentialProviderPrefixLocalBcfks=
"localbcfks" + "://file";
+
crendentialProviderPrefixBcfks=crendentialProviderPrefixBcfks.toLowerCase();
+
crendentialProviderPrefixLocalBcfks=crendentialProviderPrefixLocalBcfks.toLowerCase();
+
CrendentialProviderPath=CrendentialProviderPath.trim();
alias=alias.trim();
-
if(CrendentialProviderPath.toLowerCase().startsWith(crendentialProviderPrefixJceks)
||
CrendentialProviderPath.toLowerCase().startsWith(crendentialProviderPrefixLocalJceks)){
+
if(CrendentialProviderPath.toLowerCase().startsWith(crendentialProviderPrefixJceks)
||
+
CrendentialProviderPath.toLowerCase().startsWith(crendentialProviderPrefixLocalJceks)
||
+
CrendentialProviderPath.toLowerCase().startsWith(crendentialProviderPrefixBcfks)
||
+
CrendentialProviderPath.toLowerCase().startsWith(crendentialProviderPrefixLocalBcfks)){
conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH,
- //UserProvider.SCHEME_NAME +
":///," +
- CrendentialProviderPath);
+ //UserProvider.SCHEME_NAME +
":///," +
+ CrendentialProviderPath);
}else{
if(CrendentialProviderPath.startsWith("/")){
-
conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH,
-
//UserProvider.SCHEME_NAME + ":///," +
- JavaKeyStoreProvider.SCHEME_NAME +
"://file" + CrendentialProviderPath);
+
if(StringUtils.equalsIgnoreCase(storeType, "bcfks")) {
+
conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH,
CrendentialProviderPath);
+ } else {
+
conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH,
+
//UserProvider.SCHEME_NAME + ":///," +
+
JavaKeyStoreProvider.SCHEME_NAME + "://file" + CrendentialProviderPath);
+ }
+
}else{
conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH,
-
//UserProvider.SCHEME_NAME + ":///," +
- JavaKeyStoreProvider.SCHEME_NAME +
"://file/" + CrendentialProviderPath);
+
//UserProvider.SCHEME_NAME + ":///," +
+
JavaKeyStoreProvider.SCHEME_NAME + "://file/" + CrendentialProviderPath);
}
- }
+ }
List<CredentialProvider> providers =
CredentialProviderFactory.getProviders(conf);
List<String> aliasesList=new ArrayList<String>();
CredentialProvider.CredentialEntry credEntry=null;
@@ -64,7 +77,7 @@ public class CredentialReader {
aliasesList=provider.getAliases();
if(aliasesList!=null &&
aliasesList.contains(alias.toLowerCase())){
credEntry=null;
- credEntry=
provider.getCredentialEntry(alias);
+ credEntry=
provider.getCredentialEntry(alias.toLowerCase());
pass = credEntry.getCredential();
if(pass!=null && pass.length>0){
credential=String.valueOf(pass);
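Review bot: The new `provider.getCredentialEntry(alias.toLowerCase())`, like the `contains(alias.toLowerCase())` check two lines above it, lowercases with the JVM default locale, so an alias containing an upper-case I can resolve to a different key under a Turkish-family locale than the one it was stored under; use `alias.toLowerCase(Locale.ROOT)` on both lines (java.util.Locale). Separately, `credential=String.valueOf(pass)` copies the secret into an immutable String and the `pass` char[] is never cleared afterwards; the String return type makes the copy unavoidable, but `Arrays.fill(pass, '\0')` right after it would at least shorten the window in which two copies sit on the heap. The enclosing method starts and ends outside this hunk.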
@@ -78,4 +91,4 @@ public class CredentialReader {
}
return credential;
}
-}
\ No newline at end of file
+}
diff --git
a/security-admin/src/main/java/org/apache/ranger/patch/cliutil/ChangePasswordUtil.java
b/security-admin/src/main/java/org/apache/ranger/patch/cliutil/ChangePasswordUtil.java
index e7a0853..8b9549a 100644
---
a/security-admin/src/main/java/org/apache/ranger/patch/cliutil/ChangePasswordUtil.java
+++
b/security-admin/src/main/java/org/apache/ranger/patch/cliutil/ChangePasswordUtil.java
@@ -132,30 +132,50 @@ public class ChangePasswordUtil extends BaseLoader {
String currentEncryptedPassword = null;
String md5EncryptedPassword = null;
try {
- currentEncryptedPassword =
userMgr.encrypt(userLoginId, currentPassword);
- if
(currentEncryptedPassword.equals(dbPassword)) {
- validatePassword(newPassword);
-
userMgr.updatePasswordInSHA256(userLoginId, newPassword, true);
- logger.info("User '" + userLoginId + "'
Password updated sucessfully.");
- }
- else if
(!currentEncryptedPassword.equals(dbPassword) && defaultPwdChangeRequest) {
- logger.info("current encryped password
is not equal to dbpassword , trying with md5 now");
- md5EncryptedPassword =
userMgr.encryptWithOlderAlgo(userLoginId, currentPassword);
- if
(md5EncryptedPassword.equals(dbPassword)) {
+ if (config.isFipsEnabled()) {
+ if (defaultPwdChangeRequest) {
+ md5EncryptedPassword =
userMgr.encryptWithOlderAlgo(userLoginId, currentPassword);
+ if
(md5EncryptedPassword.equals(dbPassword)) {
+
validatePassword(newPassword);
+
userMgr.updatePasswordInSHA256(userLoginId, newPassword, true);
+ logger.info("User '" +
userLoginId + "' Password updated sucessfully.");
+ } else {
+ System.out.println(
+
"Skipping default password change request as provided password doesn't match
with existing password.");
+ logger.error(
+
"Skipping default password change request as provided password doesn't match
with existing password.");
+ System.exit(2);
+ }
+ } else if
(userMgr.isPasswordValid(userLoginId, dbPassword, currentPassword)) {
validatePassword(newPassword);
userMgr.updatePasswordInSHA256(userLoginId, newPassword, true);
logger.info("User '" +
userLoginId + "' Password updated sucessfully.");
- } else {
- System.out.println(
- "Skipping
default password change request as provided password doesn't match with
existing password.");
- logger.error(
- "Skipping
default password change request as provided password doesn't match with
existing password.");
- System.exit(2);
}
} else {
- System.out.println("Invalid user
password");
- logger.error("Invalid user password");
- System.exit(1);
+ currentEncryptedPassword =
userMgr.encrypt(userLoginId, currentPassword);
+ if
(currentEncryptedPassword.equals(dbPassword)) {
+ validatePassword(newPassword);
+
userMgr.updatePasswordInSHA256(userLoginId, newPassword, true);
+ logger.info("User '" +
userLoginId + "' Password updated sucessfully.");
+ } else if
(!currentEncryptedPassword.equals(dbPassword) && defaultPwdChangeRequest) {
+ logger.info("current encryped
password is not equal to dbpassword , trying with md5 now");
+ md5EncryptedPassword =
userMgr.encryptWithOlderAlgo(userLoginId, currentPassword);
+ if
(md5EncryptedPassword.equals(dbPassword)) {
+
validatePassword(newPassword);
+
userMgr.updatePasswordInSHA256(userLoginId, newPassword, true);
+ logger.info("User '" +
userLoginId + "' Password updated sucessfully.");
+ } else {
+ System.out.println(
+
"Skipping default password change request as provided password doesn't match
with existing password.");
+ logger.error(
+
"Skipping default password change request as provided password doesn't match
with existing password.");
+ System.exit(2);
+ }
+ } else {
+ System.out.println("Invalid
user password");
+ logger.error("Invalid user
password");
+ System.exit(1);
+ }
}
} catch (Exception e) {
logger.error("Update Admin Password failure.
Detail: \n", e);
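Review bot: In the FIPS branch, when `defaultPwdChangeRequest` is false and `userMgr.isPasswordValid(userLoginId, dbPassword, currentPassword)` returns false, control falls out of the if/else-if with no message and no exit code, whereas the non-FIPS branch below prints "Invalid user password" and calls `System.exit(1)`; a wrong current password under FIPS therefore ends silently with status 0, which a wrapper script will read as success. Add the matching else after the `isPasswordValid` block: `} else { System.out.println("Invalid user password"); logger.error("Invalid user password"); System.exit(1); }`. The FIPS branch also still derives the MD5 form via `encryptWithOlderAlgo` for the default-password case — presumably deliberate so installs whose seeded password is still stored as MD5 can migrate, but a one-line comment such as `// seeded default passwords may still be stored as MD5 by pre-FIPS installs; accept once, then re-hash` would record that. The enclosing method starts and ends outside this hunk.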
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
b/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
index cf764a0..ffdf101 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
@@ -310,7 +310,6 @@ public class UserREST {
throw
restErrorUtil.createRESTException("serverMsg.userRestUser",MessageEnums.DATA_NOT_FOUND,
null, null,"");
}
- logger.info("changePassword:" + changePassword.getLoginId());
XXPortalUser gjUser =
daoManager.getXXPortalUser().findByLoginId(changePassword.getLoginId());
if (gjUser == null) {
logger.warn("SECURITY:changePassword(): Invalid loginId
provided: loginId="+ changePassword.getLoginId());
diff --git
a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
index a8b8c58..80c1a91 100644
---
a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
+++
b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
@@ -31,8 +31,10 @@ import javax.security.auth.login.Configuration;
import org.apache.log4j.Logger;
import org.apache.ranger.authentication.unix.jaas.RoleUserAuthorityGranter;
+import org.apache.ranger.authorization.hadoop.config.RangerAdminConfig;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.common.PropertiesUtil;
+import org.apache.ranger.util.Pbkdf2PasswordEncoderCust;
import
org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.security.authentication.AuthenticationProvider;
@@ -79,8 +81,10 @@ public class RangerAuthenticationProvider implements
AuthenticationProvider {
private LdapAuthenticator authenticator;
private boolean ssoEnabled = false;
+ private final boolean isFipsEnabled;
public RangerAuthenticationProvider() {
+ this.isFipsEnabled =
RangerAdminConfig.getInstance().isFipsEnabled();
}
@@ -135,6 +139,15 @@ public class RangerAuthenticationProvider implements
AuthenticationProvider {
return authentication;
}
}
+ if (this.isFipsEnabled) {
+ try {
+ authentication =
getJDBCAuthentication(authentication,"");
+ } catch (Exception e) {
+ logger.error("JDBC Authentication
failure: ", e);
+ throw e;
+ }
+ return authentication;
+ }
String encoder="SHA256";
try {
authentication =
getJDBCAuthentication(authentication,encoder);
@@ -573,19 +586,26 @@ public class RangerAuthenticationProvider implements
AuthenticationProvider {
private Authentication getJDBCAuthentication(Authentication
authentication,String encoder) throws AuthenticationException{
try {
-
- ReflectionSaltSource saltSource = new
ReflectionSaltSource();
- saltSource.setUserPropertyToUse("username");
-
DaoAuthenticationProvider authenticator = new
DaoAuthenticationProvider();
authenticator.setUserDetailsService(userDetailsService);
- if (encoder != null &&
"SHA256".equalsIgnoreCase(encoder)) {
- authenticator.setPasswordEncoder(new
ShaPasswordEncoder(256));
- } else if(encoder != null &&
"MD5".equalsIgnoreCase(encoder)) {
- authenticator.setPasswordEncoder(new
Md5PasswordEncoder());
+ if (this.isFipsEnabled) {
+ if (authentication.getCredentials() != null &&
!authentication.isAuthenticated()) {
+ Pbkdf2PasswordEncoderCust
passwordEncoder = new Pbkdf2PasswordEncoderCust(authentication.getName());
+
passwordEncoder.setEncodeHashAsBase64(true);
+
authenticator.setPasswordEncoder(passwordEncoder);
+ }
+ } else {
+ ReflectionSaltSource saltSource = new
ReflectionSaltSource();
+ saltSource.setUserPropertyToUse("username");
+ if (encoder != null &&
"SHA256".equalsIgnoreCase(encoder)) {
+ authenticator.setPasswordEncoder(new
ShaPasswordEncoder(256));
+ authenticator.setSaltSource(saltSource);
+ } else if (encoder != null &&
"MD5".equalsIgnoreCase(encoder)) {
+ authenticator.setPasswordEncoder(new
Md5PasswordEncoder());
+ authenticator.setSaltSource(saltSource);
+ }
}
- authenticator.setSaltSource(saltSource);
String userName ="";
String userPassword = "";
if (authentication!=null) {
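Review bot: In the FIPS branch the `Pbkdf2PasswordEncoderCust` is installed only when `authentication.getCredentials() != null && !authentication.isAuthenticated()`; when that guard is false the `DaoAuthenticationProvider` keeps whatever encoder it constructs by default, which in the Spring Security generation that still ships `ShaPasswordEncoder`/`Md5PasswordEncoder` is a plaintext encoder — worth confirming against the pinned version. The guard buys nothing the provider does not already do (null credentials fail authentication on their own), so set the encoder unconditionally, `authenticator.setPasswordEncoder(passwordEncoder);` outside the if, and let the provider fail closed. A short comment on the FIPS branch would also help: `// FIPS: per-user PBKDF2 (username as domain separator); no salt source, the salt is embedded in the stored hash`. The enclosing method starts and ends outside this hunk.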
@@ -616,6 +636,8 @@ public class RangerAuthenticationProvider implements
AuthenticationProvider {
throw e;
}catch (Exception e) {
throw e;
+ } catch (Throwable t) {
+ throw new BadCredentialsException("Bad credentials", t);
}
return authentication;
}
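Review bot: The added `catch (Throwable t)` sits after `catch (Exception e) { throw e; }`, so the only things it can ever receive are `Error` subclasses — OutOfMemoryError, StackOverflowError, or a NoClassDefFoundError when the FIPS provider is missing — and it reports every one of them to the caller and the logs as "Bad credentials". If the intent is to map the encoder's `IllegalStateException`/`IllegalArgumentException` (thrown by `Pbkdf2PasswordEncoderCust` on a decode or key-derivation failure) to a credentials failure, catch those explicitly ahead of the generic `Exception` catch, `} catch (IllegalStateException | IllegalArgumentException e) { throw new BadCredentialsException("Bad credentials", e); }`, and drop the Throwable catch so JVM errors propagate. Note that the rewritten `catch (Exception e)` already rethrows runtime exceptions unchanged, which is why the Throwable branch is unreachable for them today.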
diff --git
a/security-admin/src/main/java/org/apache/ranger/util/Pbkdf2PasswordEncoderCust.java
b/security-admin/src/main/java/org/apache/ranger/util/Pbkdf2PasswordEncoderCust.java
new file mode 100644
index 0000000..3a85cf0
--- /dev/null
+++
b/security-admin/src/main/java/org/apache/ranger/util/Pbkdf2PasswordEncoderCust.java
@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.util;
+
+import org.springframework.security.crypto.codec.Base64;
+import org.springframework.security.crypto.codec.Hex;
+import org.springframework.security.crypto.codec.Utf8;
+import org.springframework.security.crypto.keygen.BytesKeyGenerator;
+import org.springframework.security.crypto.keygen.KeyGenerators;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.crypto.password.Pbkdf2PasswordEncoder;
+import org.springframework.security.crypto.util.EncodingUtils;
+
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+import java.security.GeneralSecurityException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
+
+public class Pbkdf2PasswordEncoderCust implements PasswordEncoder {
+ private static final int DEFAULT_HASH_WIDTH = 256;
+ private static final int DEFAULT_ITERATIONS = 185000;
+ private final BytesKeyGenerator saltGenerator;
+ private final byte[] secret;
+ private final int hashWidth;
+ private final int iterations;
+ private String algorithm;
+ private boolean encodeHashAsBase64;
+
+ public Pbkdf2PasswordEncoderCust(CharSequence secret) {
+ this(secret, DEFAULT_ITERATIONS, DEFAULT_HASH_WIDTH);
+ }
+
+ public Pbkdf2PasswordEncoderCust(CharSequence secret, int iterations, int
hashWidth) {
+ this.saltGenerator = KeyGenerators.secureRandom(16);
+ this.algorithm =
Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA512.name();
+ this.secret = Utf8.encode(secret);
+ this.iterations = iterations;
+ this.hashWidth = hashWidth;
+ }
+
+ public void setAlgorithm(Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm
secretKeyFactoryAlgorithm) {
+ if (secretKeyFactoryAlgorithm == null) {
+ throw new IllegalArgumentException("secretKeyFactoryAlgorithm
cannot be null");
+ } else {
+ String algorithmName = secretKeyFactoryAlgorithm.name();
+
+ try {
+ SecretKeyFactory.getInstance(algorithmName);
+ } catch (NoSuchAlgorithmException var4) {
+ throw new IllegalArgumentException("Invalid algorithm '" +
algorithmName + "'.", var4);
+ }
+
+ this.algorithm = algorithmName;
+ }
+ }
+
+ @Override
+ public String encode(CharSequence rawPassword) {
+ byte[] salt = this.saltGenerator.generateKey();
+ byte[] encoded = this.encode(rawPassword, salt);
+ return this.encode(encoded);
+ }
+
+ public void setEncodeHashAsBase64(boolean encodeHashAsBase64) {
+ this.encodeHashAsBase64 = encodeHashAsBase64;
+ }
+
+ private String encode(byte[] bytes) {
+ return this.encodeHashAsBase64 ? Utf8.decode(Base64.encode(bytes)) :
String.valueOf(Hex.encode(bytes));
+ }
+
+ @Override
+ public boolean matches(CharSequence rawPassword, String encodedPassword) {
+ byte[] digested = this.decode(encodedPassword);
+ byte[] salt = EncodingUtils.subArray(digested, 0,
this.saltGenerator.getKeyLength());
+ return matches(digested, this.encode(rawPassword, salt));
+ }
+
+ private static boolean matches(byte[] expected, byte[] actual) {
+ return Arrays.equals(expected, actual);
+ }
+
+
+ private byte[] decode(String encodedBytes) {
+ return this.encodeHashAsBase64 ?
Base64.decode(Utf8.encode(encodedBytes)) : Hex.decode(encodedBytes);
+ }
+
+ private byte[] encode(CharSequence rawPassword, byte[] salt) {
+ try {
+ PBEKeySpec spec = new
PBEKeySpec(rawPassword.toString().toCharArray(), EncodingUtils.concatenate(new
byte[][]{salt, this.secret}), this.iterations, this.hashWidth);
+ SecretKeyFactory skf =
SecretKeyFactory.getInstance(this.algorithm);
+ return EncodingUtils.concatenate(new byte[][]{salt,
skf.generateSecret(spec).getEncoded()});
+ } catch (GeneralSecurityException var5) {
+ throw new IllegalStateException("Could not create hash", var5);
+ }
+ }
+}
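Review bot: `matches(byte[], byte[])` compares the stored and recomputed hashes with `Arrays.equals`, which returns at the first differing byte; Spring's own `Pbkdf2PasswordEncoder` uses a constant-time comparison for exactly this step, and the stdlib already offers one: `return MessageDigest.isEqual(expected, actual);` (java.security.MessageDigest). The constructor parameter named `secret` is, per the caller in `RangerAuthenticationProvider`, the username, so it is not a secret but a per-user domain separator concatenated onto the salt; a comment on the field, `// NOTE: callers pass the username here — this is a domain separator, not a server-side pepper`, would stop a later reader from assuming a pepper is in play. `encode(CharSequence, byte[])` also never calls `spec.clearPassword()` on the `PBEKeySpec`, leaving the password chars on the heap until GC; clear it in a `finally`. Finally, a `try`-less `decode` on a malformed stored hash throws `IllegalArgumentException` out of `matches`, which the caller relies on being converted to a credentials failure — worth stating in the class Javadoc.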
diff --git
a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java
b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java
index 95c3482..9245fdf 100644
--- a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java
+++ b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java
@@ -81,6 +81,7 @@ public class TagSyncConfig extends Configuration {
private static final String
TAGSYNC_FILESOURCE_MOD_TIME_CHECK_INTERVAL_PROP =
"ranger.tagsync.source.file.check.interval.millis";
+ private static final String TAGSYNC_KEYSTORE_TYPE_PROP =
"ranger.keystore.file.type";
private static final String TAGSYNC_TAGADMIN_KEYSTORE_PROP =
"ranger.tagsync.keystore.filename";
private static final String TAGSYNC_ATLASREST_KEYSTORE_PROP =
"ranger.tagsync.source.atlasrest.keystore.filename";
@@ -216,9 +217,8 @@ public class TagSyncConfig extends Configuration {
return sb.toString() + super.toString();
}
- static public boolean isTagSyncEnabled(Properties prop) {
- String val = prop.getProperty(TAGSYNC_ENABLED_PROP);
- return val == null || Boolean.valueOf(val.trim());
+ static public String getTagsyncKeyStoreType(Properties prop) {
+ return prop.getProperty(TAGSYNC_KEYSTORE_TYPE_PROP);
}
static public boolean isTagSyncRangerCookieEnabled(Properties prop) {
@@ -277,6 +277,11 @@ public class TagSyncConfig extends Configuration {
return prop.getProperty(TAGSYNC_TAGADMIN_REST_URL_PROP);
}
+ static public boolean isTagSyncEnabled(Properties prop) {
+ String val = prop.getProperty(TAGSYNC_ENABLED_PROP);
+ return val == null || Boolean.valueOf(val.trim());
+ }
+
static public String getTagAdminPassword(Properties prop) {
//update credential from keystore
String password = null;
@@ -291,7 +296,7 @@ public class TagSyncConfig extends Configuration {
if (path != null) {
if (!path.trim().isEmpty()) {
try {
- password =
CredentialReader.getDecryptedString(path.trim(),
TAGSYNC_DEST_RANGER_PASSWORD_ALIAS);
+ password =
CredentialReader.getDecryptedString(path.trim(),
TAGSYNC_DEST_RANGER_PASSWORD_ALIAS, getTagsyncKeyStoreType(prop));
} catch (Exception ex) {
password = null;
}
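Review bot: This call passes `getTagsyncKeyStoreType(prop)` but, unlike the four `UserGroupSyncConfig` call sites in this same commit, never prepends `bcfks://file` to a bare path; in `CredentialReader`'s new branch (earlier in this diff) a path starting with `/` plus storeType `bcfks` is handed to `CredentialProviderFactory` with no scheme at all, which I would expect the provider factory to reject, so a tagsync install configured with `ranger.keystore.file.type=bcfks` and a plain filesystem path likely falls into the `catch` and silently gets `password = null`. Either add the same prefix here, `if ("bcfks".equalsIgnoreCase(storeType) && !path.contains("://")) { path = "bcfks://file" + path.trim(); }`, or better, move that normalization into `CredentialReader` so every caller behaves the same. The `catch (Exception ex) { password = null; }` around it is pre-existing, but it is exactly what hides this misconfiguration; logging `ex` at warn level would make the failure visible. The enclosing method starts and ends outside this hunk.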
@@ -341,7 +346,7 @@ public class TagSyncConfig extends Configuration {
if (path != null) {
if (!path.trim().isEmpty()) {
try {
- password =
CredentialReader.getDecryptedString(path.trim(),
TAGSYNC_SOURCE_ATLASREST_PASSWORD_ALIAS);
+ password =
CredentialReader.getDecryptedString(path.trim(),
TAGSYNC_SOURCE_ATLASREST_PASSWORD_ALIAS, getTagsyncKeyStoreType(prop));
} catch (Exception ex) {
password = null;
}
diff --git
a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
index 5ef78cf..5d5ad58 100644
---
a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
+++
b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
@@ -23,6 +23,7 @@ import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
+import java.security.KeyStore;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
@@ -32,6 +33,7 @@ import java.util.StringTokenizer;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
+//import org.apache.hadoop.security.alias.BouncyCastleFipsKeyStoreProvider;
import org.apache.ranger.credentialapi.CredentialReader;
import org.apache.ranger.plugin.util.RangerCommonConstants;
import org.apache.ranger.plugin.util.XMLUtils;
@@ -76,6 +78,10 @@ public class UserGroupSyncConfig {
public static final String UGSYNC_SOURCE_FILE_DELIMITER =
"ranger.usersync.filesource.text.delimiter";
public static final String UGSYNC_SOURCE_FILE_DELIMITERER =
"ranger.usersync.filesource.text.delimiterer";
+ private static final String SSL_KEYSTORE_FILE_TYPE_PARAM =
"ranger.keystore.file.type";
+
+ private static final String SSL_TRUSTSTORE_FILE_TYPE_PARAM =
"ranger.truststore.file.type";
+
private static final String SSL_KEYSTORE_PATH_PARAM =
"ranger.usersync.keystore.file";
private static final String SSL_KEYSTORE_PATH_PASSWORD_PARAM =
"ranger.usersync.keystore.password";
@@ -389,6 +395,13 @@ public class UserGroupSyncConfig {
return prop.getProperty(UGSYNC_MAX_RECORDS_PER_API_CALL_PROP);
}
+ public String getSSLKeyStoreType() {
+ return prop.getProperty(SSL_KEYSTORE_FILE_TYPE_PARAM,
KeyStore.getDefaultType());
+ }
+
+ public String getSSLTrustStoreType() {
+ return prop.getProperty(SSL_TRUSTSTORE_FILE_TYPE_PARAM,
KeyStore.getDefaultType());
+ }
public String getSSLKeyStorePath() {
return prop.getProperty(SSL_KEYSTORE_PATH_PARAM);
@@ -404,7 +417,11 @@ public class UserGroupSyncConfig {
String alias=SSL_KEYSTORE_PATH_PASSWORD_ALIAS;
if(path!=null && alias!=null){
if(!path.trim().isEmpty() &&
!alias.trim().isEmpty()){
- String
password=CredentialReader.getDecryptedString(path.trim(),alias.trim());
+ if
("bcfks".equalsIgnoreCase(getSSLKeyStoreType())) {
+ String
crendentialProviderPrefixBcfks= "bcfks" + "://file";
+ path =
crendentialProviderPrefixBcfks + path;
+ }
+ String
password=CredentialReader.getDecryptedString(path.trim(),alias.trim(),
getSSLKeyStoreType());
if(password!=null&&
!password.trim().isEmpty() && !"none".equalsIgnoreCase(password.trim()) &&
!"_".equalsIgnoreCase(password.trim())){
prop.setProperty(SSL_KEYSTORE_PATH_PASSWORD_PARAM,password);
}
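Review bot: The bcfks prefix is prepended to `path` before the `path.trim()` on the next line, so any leading whitespace in the property value ends up inside the URI (`bcfks://file /etc/...`), and nothing checks whether the configured path already carries a scheme, in which case the result is `bcfks://filebcfks://file/...`; a path without a leading `/` also becomes `bcfks://filerelative`. The same four lines are copy-pasted into the truststore, LDAP-bind and policy-manager hunks below, so this belongs in one private helper that trims first and only adds the scheme when none is present. The enclosing method starts and ends outside this hunk.
```java
// Normalizes a credential-store path for CredentialReader: trims it and,
// for a BCFKS store, adds the bcfks://file scheme unless one is already present.
private static String toCredentialProviderPath(String path, String storeType) {
    String trimmed = path.trim();
    if ("bcfks".equalsIgnoreCase(storeType) && !trimmed.contains("://")) {
        return "bcfks://file" + trimmed;
    }
    return trimmed;
}
// … unchanged: call sites become CredentialReader.getDecryptedString(toCredentialProviderPath(path, getSSLKeyStoreType()), alias.trim(), getSSLKeyStoreType()) …
```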
@@ -428,7 +445,11 @@ public class UserGroupSyncConfig {
String alias=SSL_TRUSTSTORE_PATH_PASSWORD_ALIAS;
if(path!=null && alias!=null){
if(!path.trim().isEmpty() &&
!alias.trim().isEmpty()){
- String
password=CredentialReader.getDecryptedString(path.trim(),alias.trim());
+ if
("bcfks".equalsIgnoreCase(getSSLKeyStoreType())) {
+ String
crendentialProviderPrefixBcfks= "bcfks" + "://file";
+ path =
crendentialProviderPrefixBcfks + path;
+ }
+ String
password=CredentialReader.getDecryptedString(path.trim(),alias.trim(),
getSSLKeyStoreType());
if(password!=null&&
!password.trim().isEmpty() && !"none".equalsIgnoreCase(password.trim()) &&
!"_".equalsIgnoreCase(password.trim())){
prop.setProperty(SSL_TRUSTSTORE_PATH_PASSWORD_PARAM,password);
}
@@ -562,7 +583,11 @@ public class UserGroupSyncConfig {
String alias=LGSYNC_LDAP_BIND_ALIAS;
if(path!=null && alias!=null){
if(!path.trim().isEmpty() &&
!alias.trim().isEmpty()){
- String
password=CredentialReader.getDecryptedString(path.trim(),alias.trim());
+ if
("bcfks".equalsIgnoreCase(getSSLKeyStoreType())) {
+ String
crendentialProviderPrefixBcfks= "bcfks" + "://file";
+ path =
crendentialProviderPrefixBcfks + path;
+ }
+ String
password=CredentialReader.getDecryptedString(path.trim(),alias.trim(),
getSSLKeyStoreType());
if(password!=null&&
!password.trim().isEmpty() && !password.trim().equalsIgnoreCase("none")){
prop.setProperty(LGSYNC_LDAP_BIND_PASSWORD,password);
}
@@ -890,8 +915,12 @@ public class UserGroupSyncConfig {
String
alias=prop.getProperty(SYNC_POLICY_MGR_ALIAS,"policymgr.user.password");
if(path!=null && alias!=null){
if(!path.trim().isEmpty() &&
!alias.trim().isEmpty()){
+ if
("bcfks".equalsIgnoreCase(getSSLKeyStoreType())) {
+ String
crendentialProviderPrefixBcfks= "bcfks" + "://file";
+ path =
crendentialProviderPrefixBcfks + path;
+ }
try{
-
password=CredentialReader.getDecryptedString(path.trim(),alias.trim());
+
password=CredentialReader.getDecryptedString(path.trim(),alias.trim(),
getSSLKeyStoreType());
}catch(Exception ex){
password=null;
}
diff --git
a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
index f911f22..ee9a254 100644
---
a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
+++
b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
@@ -22,7 +22,6 @@ package org.apache.ranger.unixusersync.process;
import java.io.IOException;
import java.lang.reflect.Type;
import java.net.UnknownHostException;
-import java.security.KeyStore;
import java.security.PrivilegedAction;
import java.util.Map;
import java.util.Set;
@@ -186,8 +185,8 @@ private static final Logger LOG =
Logger.getLogger(PolicyMgrUserGroupBuilder.cla
String trustStoreFile = config.getSSLTrustStorePath();
String keyStoreFilepwd = config.getSSLKeyStorePathPassword();
String trustStoreFilepwd =
config.getSSLTrustStorePathPassword();
- String keyStoreType = KeyStore.getDefaultType();
- String trustStoreType = KeyStore.getDefaultType();
+ String keyStoreType = config.getSSLKeyStoreType();
+ String trustStoreType = config.getSSLTrustStoreType();
authenticationType =
config.getProperty(AUTHENTICATION_TYPE,"simple");
try {
principal =
SecureClientLogin.getPrincipal(config.getProperty(PRINCIPAL,""),
LOCAL_HOSTNAME);
diff --git
a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
index 3f7886b..92eb229 100644
---
a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
+++
b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
@@ -64,6 +64,9 @@ public class UnixAuthenticationService {
private static final String SSL_KEYSTORE_PATH_PARAM =
"ranger.usersync.keystore.file";
private static final String SSL_TRUSTSTORE_PATH_PARAM =
"ranger.usersync.truststore.file";
+ private static final String SSL_KEYSTORE_FILE_TYPE_PARAM =
"ranger.keystore.file.type";
+ private static final String SSL_TRUSTSTORE_FILE_TYPE_PARAM =
"ranger.truststore.file.type";
+
private static final String SSL_KEYSTORE_PATH_PASSWORD_ALIAS =
"usersync.ssl.key.password";
private static final String SSL_TRUSTSTORE_PATH_PASSWORD_ALIAS =
"usersync.ssl.truststore.password";
@@ -75,10 +78,12 @@ public class UnixAuthenticationService {
private static final String CREDSTORE_FILENAME_PARAM =
"ranger.usersync.credstore.filename";
private String keyStorePath;
+ private String keyStoreType;
private List<String> enabledProtocolsList;
private String keyStorePathPassword;
private String trustStorePath;
private String trustStorePathPassword;
+ private String trustStoreType;
private List<String> adminUserList = new ArrayList<String>();
private String adminRoleNames;
@@ -179,6 +184,9 @@ public class UnixAuthenticationService {
String credStoreFileName =
prop.getProperty(CREDSTORE_FILENAME_PARAM);
keyStorePath = prop.getProperty(SSL_KEYSTORE_PATH_PARAM);
+
+ keyStoreType = prop.getProperty(SSL_KEYSTORE_FILE_TYPE_PARAM,
KeyStore.getDefaultType());
+ trustStoreType =
prop.getProperty(SSL_TRUSTSTORE_FILE_TYPE_PARAM, KeyStore.getDefaultType());
if (credStoreFileName == null) {
throw new RuntimeException("Credential file is not
defined. param = [" + CREDSTORE_FILENAME_PARAM + "]");
@@ -194,8 +202,12 @@ public class UnixAuthenticationService {
throw new RuntimeException("Credential file [" +
credStoreFileName + "]: can not be read." );
}
- keyStorePathPassword =
CredentialReader.getDecryptedString(credStoreFileName,
SSL_KEYSTORE_PATH_PASSWORD_ALIAS);
- trustStorePathPassword =
CredentialReader.getDecryptedString(credStoreFileName,SSL_TRUSTSTORE_PATH_PASSWORD_ALIAS);
+ if ("bcfks".equalsIgnoreCase(keyStoreType)) {
+ String crendentialProviderPrefixBcfks= "bcfks" +
"://file";
+ credStoreFileName = crendentialProviderPrefixBcfks +
credStoreFileName;
+ }
+ keyStorePathPassword =
CredentialReader.getDecryptedString(credStoreFileName,
SSL_KEYSTORE_PATH_PASSWORD_ALIAS, keyStoreType);
+ trustStorePathPassword =
CredentialReader.getDecryptedString(credStoreFileName,SSL_TRUSTSTORE_PATH_PASSWORD_ALIAS,
trustStoreType);
trustStorePath = prop.getProperty(SSL_TRUSTSTORE_PATH_PARAM);
portNum =
Integer.parseInt(prop.getProperty(REMOTE_LOGIN_AUTH_SERVICE_PORT_PARAM));
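Review bot: The decision to prefix `credStoreFileName` with `bcfks://file` is made from `keyStoreType`, but the second `getDecryptedString` call passes `trustStoreType` for the same file; with `ranger.keystore.file.type=jks` and `ranger.truststore.file.type=bcfks` the credential store path reaches `CredentialReader` with no scheme and storeType `bcfks`, which per that class's new branch earlier in this diff is forwarded to the provider factory as a bare path. The credential store is one file with one format, so pass one type to both calls — `trustStorePathPassword = CredentialReader.getDecryptedString(credStoreFileName, SSL_TRUSTSTORE_PATH_PASSWORD_ALIAS, keyStoreType);` — or, cleaner, read its type from a dedicated property rather than reusing the SSL keystore's. The prefix is also added without checking for an existing scheme, so a value already written as `bcfks://file/...` is doubled. The enclosing method starts and ends outside this hunk.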
@@ -244,8 +256,8 @@ public class UnixAuthenticationService {
KeyManager[] km = null;
if (keyStorePath != null && ! keyStorePath.isEmpty()) {
- KeyStore ks =
KeyStore.getInstance(KeyStore.getDefaultType());
-
+ KeyStore ks = KeyStore.getInstance(keyStoreType);
+
InputStream in = null;
in = getFileInputStream(keyStorePath);
@@ -273,7 +285,7 @@ public class UnixAuthenticationService {
KeyStore trustStoreKeyStore = null;
if (trustStorePath != null && ! trustStorePath.isEmpty()) {
- trustStoreKeyStore =
KeyStore.getInstance(KeyStore.getDefaultType());
+ trustStoreKeyStore =
KeyStore.getInstance(trustStoreType);
InputStream in = null;