This is an automated email from the ASF dual-hosted git repository.
dhavalshah9131 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 97bab14 RANGER-3613 : Check if master key with the given alias exists
or not if LUNA HSM is enabled
97bab14 is described below
commit 97bab144a537b8add3381fb8485baf1da23f2157
Author: mateenmansoori <[email protected]>
AuthorDate: Mon Feb 21 14:00:33 2022 +0530
RANGER-3613 : Check if master key with the given alias exists or not if
LUNA HSM is enabled
---
.../org/apache/hadoop/crypto/key/RangerHSM.java | 52 ++++++++++++----------
.../hadoop/crypto/key/RangerKeyStoreProvider.java | 39 ++++++++--------
2 files changed, 47 insertions(+), 44 deletions(-)
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
index 4e96098..90ef729 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
@@ -21,7 +21,9 @@ import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
+import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
+import org.bouncycastle.crypto.RuntimeCryptoException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -65,9 +67,10 @@ public class RangerHSM implements RangerKMSMKI {
passwd = conf.get(PARTITION_PASSWORD);
partitionName = conf.get(PARTITION_NAME);
hsm_keystore = conf.get(HSM_TYPE);
+ String errorMsg = StringUtils.EMPTY;
try {
ByteArrayInputStream is1 = new ByteArrayInputStream(("tokenlabel:"
+ partitionName).getBytes());
- logger.debug("Loading HSM tokenlabel : " + partitionName);
+ logger.debug("Loading HSM : Tokenlabel - '{}', Type - '{}' ",
partitionName, hsm_keystore);
myStore = KeyStore.getInstance("Luna");
if (myStore == null) {
logger.error("Luna not found. Please verify the Ranger KMS HSM
configuration setup.");
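Review bot: The new failure path builds `RuntimeCryptoException(errorMsg)` from `getMessage()` alone, so the original KeyStoreException/NoSuchAlgorithmException/CertificateException/IOException and its stack trace are dropped exactly where HSM keystore setup fails (the `throw` at the end of the next hunk). Keep the caught exception in a local alongside errorMsg and attach it, e.g. `RuntimeCryptoException ex = new RuntimeCryptoException(errorMsg); ex.initCause(cause); throw ex;`. The `myStore == null` branch directly above still only logs and leaves errorMsg empty, so if it ever fired the object would be constructed with a null store that `generateMasterKey` (next hunk) dereferences without a guard; either set errorMsg in that branch as well or remove the check, since `KeyStore.getInstance` reports a missing provider by throwing. Whether `org.bouncycastle.crypto.RuntimeCryptoException` is already a dependency of the kms module cannot be told from the hunk. The constructor starts before this hunk and continues into the next one.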
@@ -75,61 +78,64 @@ public class RangerHSM implements RangerKMSMKI {
myStore.load(is1, passwd.toCharArray());
}
} catch (KeyStoreException kse) {
- logger.error("Unable to create keystore object : " +
kse.getMessage());
+ errorMsg = "Unable to create keystore object : " +
kse.getMessage();
} catch (NoSuchAlgorithmException nsae) {
- logger.error("Unexpected NoSuchAlgorithmException while loading
keystore : " + nsae.getMessage());
+ errorMsg = "Unexpected NoSuchAlgorithmException while loading
keystore : " + nsae.getMessage();
} catch (CertificateException e) {
- logger.error("Unexpected CertificateException while loading
keystore : " + e.getMessage());
+ errorMsg = "Unexpected CertificateException while loading keystore
: " + e.getMessage();
} catch (IOException e) {
- logger.error("Unexpected IOException while loading keystore : " +
e.getMessage());
+ errorMsg = "Unexpected IOException while loading keystore : " +
e.getMessage();
+ }
+
+ if (StringUtils.isNotEmpty(errorMsg)) {
+ throw new RuntimeCryptoException(errorMsg);
}
}
@Override
public boolean generateMasterKey(String password) throws Throwable {
- if (logger.isDebugEnabled()) {
- logger.debug("==> RangerHSM.generateMasterKey()");
- }
- if (myStore != null && myStore.size() < 1) {
+ logger.debug("==> RangerHSM.generateMasterKey()");
+
+ if (!this.myStore.containsAlias(alias)) {
KeyGenerator keyGen = null;
SecretKey aesKey = null;
try {
- logger.info("Generating AES Master Key for HSM Provider");
+ logger.info("Generating AES Master Key for '{}' HSM Provider",
hsm_keystore);
keyGen = KeyGenerator.getInstance(MK_CIPHER, hsm_keystore);
keyGen.init(MK_KeySize);
aesKey = keyGen.generateKey();
myStore.setKeyEntry(alias, aesKey, password.toCharArray(),
(java.security.cert.Certificate[]) null);
return true;
} catch (Exception e) {
- logger.error("generateMasterKey : Exception during Ranger
Master Key Generation - " + e.getMessage());
- return false;
+ logger.error("generateMasterKey : Exception during Ranger
Master Key Generation - {}", e.getMessage());
}
+ } else {
+ logger.info("Master key with alias - '{}' already exists!", alias);
}
+
+ logger.debug("<== RangerHSM.generateMasterKey()");
+
return false;
}
@Override
public String getMasterKey(String password) throws Throwable {
- if (logger.isDebugEnabled()) {
- logger.debug("==> RangerHSM.getMasterKey()");
- }
+ logger.debug("==> RangerHSM.getMasterKey()");
if (myStore != null) {
try {
- if (logger.isDebugEnabled()) {
- logger.debug("Searching for Ranger Master Key in Luna
Keystore");
- }
+ logger.debug("Searching for Ranger Master Key in Luna
Keystore");
boolean result = myStore.containsAlias(alias);
if (result == true) {
- if (logger.isDebugEnabled()) {
- logger.debug("Ranger Master Key is present in
Keystore");
- }
+ logger.debug("Ranger Master Key is present in Keystore");
SecretKey key = (SecretKey) myStore.getKey(alias,
password.toCharArray());
return Base64.encode(key.getEncoded());
}
} catch (Exception e) {
- logger.error("getMasterKey : Exception searching for Ranger
Master Key - " + e.getMessage());
+ logger.error("getMasterKey : Exception searching for Ranger
Master Key - {} ", e.getMessage());
}
}
+ logger.debug("<== RangerHSM.getMasterKey()");
+
return null;
}
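Review bot: `if (!this.myStore.containsAlias(alias))` drops the `myStore != null` guard the removed line had, while `getMasterKey` in the same hunk still checks `myStore != null` before touching the store, so the two methods now disagree about whether a null store is possible; pick one convention for the class. The catch in `generateMasterKey` still swallows the failure after logging only `e.getMessage()`, and since the method now returns false both when the alias already exists and when generation failed, a caller cannot distinguish the two; the failure branch should rethrow (the signature already declares `throws Throwable`) or the already-exists branch should report success. Independently, the parameterized `logger.error` calls here, in `getMasterKey`, and in `setMasterKey` in the next hunk pass only the message and lose the stack trace of an HSM failure; pass the throwable as the trailing argument, e.g. `logger.error("generateMasterKey : Exception during Ranger Master Key Generation - {}", e.getMessage(), e);`. The constructor whose tail opens this hunk starts in the previous hunk.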
@@ -140,7 +146,7 @@ public class RangerHSM implements RangerKMSMKI {
myStore.setKeyEntry(alias, aesKey, password.toCharArray(),
(java.security.cert.Certificate[]) null);
return true;
} catch (KeyStoreException e) {
- logger.error("setMasterKey : Exception while setting Master
Key - " + e.getMessage());
+ logger.error("setMasterKey : Exception while setting Master
Key, Error - {} ", e.getMessage());
}
}
return false;
diff --git
a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
index 18a6bee..cb5739f 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
@@ -125,17 +125,8 @@ public class RangerKeyStoreProvider extends KeyProvider {
||
partitionPasswd.trim().equals("crypted")) {
throw new IOException("Partition Password
doesn't exists");
}
- dbStore = new RangerKeyStore(daoManager);
- // generate master key on HSM
- masterKeyProvider.generateMasterKey(password);
- try {
- masterKey =
masterKeyProvider.getMasterKey(password)
- .toCharArray();
- } catch (Exception ex) {
- throw new Exception(
- "Error while getting Safenet
KeySecure master key "
- + ex);
- }
+ this.dbStore = new RangerKeyStore(daoManager);
+ this.generateAndGetMasterKey(masterKeyProvider,
password);
} else if (isKeySecureEnabled) {
logger.info("KeySecure is enabled for storing the
master key.");
getFromJceks(conf, CREDENTIAL_PATH,
KEYSECURE_PASSWORD_ALIAS,
@@ -199,22 +190,28 @@ public class RangerKeyStoreProvider extends KeyProvider {
} else {
logger.info("Ranger KMS Database is enabled for storing
master key.");
masterKeyProvider = new RangerMasterKey(daoManager);
- dbStore = new RangerKeyStore(daoManager);
- masterKeyProvider.generateMasterKey(password);
- // code to retrieve rangerMasterKey password
- try {
- masterKey =
masterKeyProvider.getMasterKey(password)
- .toCharArray();
- } catch (Exception ex) {
- throw new Exception("Error while getting Ranger
Master key "
- + ex);
- }
+ this.dbStore = new RangerKeyStore(this.daoManager);
+ this.generateAndGetMasterKey(masterKeyProvider,
password);
}
reloadKeys();
ReadWriteLock lock = new ReentrantReadWriteLock(true);
readLock = lock.readLock();
}
+ private void generateAndGetMasterKey(final RangerKMSMKI masterKeyProvider,
final String password) {
+ try {
+ masterKeyProvider.generateMasterKey(password);
+ } catch (Throwable cause) {
+ throw new RuntimeException("Error while generating Ranger Master
key, Error - ", cause);
+ }
+
+ try {
+ this.masterKey =
masterKeyProvider.getMasterKey(password).toCharArray();
+ } catch (Throwable cause) {
+ throw new RuntimeException("Error while getting Ranger Master key,
Error - ", cause);
+ }
+ }
+
public static Configuration getDBKSConf() {
Configuration newConfig = getConfiguration(true, DBKS_SITE_XML);
getFromJceks(newConfig, CREDENTIAL_PATH, MK_CREDENTIAL_ALIAS,
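Review bot: `generateAndGetMasterKey` discards the boolean from `masterKeyProvider.generateMasterKey(password)`, and `RangerHSM.generateMasterKey` returns false after merely logging a generation failure, so a failed generation surfaces only as a NullPointerException from `getMasterKey(password).toCharArray()` wrapped as "Error while getting Ranger Master key", which points at the wrong step; this applies to both call sites (this hunk and the HSM branch in the previous hunk). Guard the null result explicitly, e.g. `String mk = masterKeyProvider.getMasterKey(password); if (mk == null) { throw new RuntimeException("Ranger Master key is not available after generation"); } this.masterKey = mk.toCharArray();`. The messages `"Error while generating Ranger Master key, Error - "` and `"Error while getting Ranger Master key, Error - "` end in a dangling "Error - " because the cause is passed separately; drop that suffix. Catching `Throwable` also wraps JVM errors such as OutOfMemoryError in a RuntimeException, which is presumably only there because the RangerKMSMKI methods declare `throws Throwable`; catching `Exception` and letting errors propagate may be the intended scope, to be confirmed. The private helper should also get a short Javadoc stating that it throws RuntimeException when the key cannot be generated or retrieved.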