

The following commit(s) were added to refs/heads/ranger-2.3 by this push:
     new 1a375c4  RANGER-3613 : Check if master key with the given alias exists 
or not if LUNA HSM is enabled
1a375c4 is described below

commit 1a375c422c108921ea01c6f011c7dde8f8cfa862
Author: mateenmansoori <[email protected]>
AuthorDate: Mon Feb 21 14:00:33 2022 +0530

    RANGER-3613 : Check if master key with the given alias exists or not if 
LUNA HSM is enabled
---
 .../org/apache/hadoop/crypto/key/RangerHSM.java    | 52 ++++++++++++----------
 .../hadoop/crypto/key/RangerKeyStoreProvider.java  | 39 ++++++++--------
 2 files changed, 47 insertions(+), 44 deletions(-)

diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java 
b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
index 4e96098..90ef729 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
@@ -21,7 +21,9 @@ import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.conf.Configuration;
+import org.bouncycastle.crypto.RuntimeCryptoException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -65,9 +67,10 @@ public class RangerHSM implements RangerKMSMKI {
         passwd = conf.get(PARTITION_PASSWORD);
         partitionName = conf.get(PARTITION_NAME);
         hsm_keystore = conf.get(HSM_TYPE);
+        String errorMsg = StringUtils.EMPTY;
         try {
             ByteArrayInputStream is1 = new ByteArrayInputStream(("tokenlabel:" 
+ partitionName).getBytes());
-            logger.debug("Loading HSM tokenlabel : " + partitionName);
+            logger.debug("Loading HSM : Tokenlabel - '{}', Type - '{}' ", 
partitionName, hsm_keystore);
             myStore = KeyStore.getInstance("Luna");
             if (myStore == null) {
                 logger.error("Luna not found. Please verify the Ranger KMS HSM 
configuration setup.");
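Review bot: The `myStore == null` branch at the end of this hunk still only logs, so the new `errorMsg` fail-fast path does not cover it and the constructor would return with `myStore` left null; the new `generateMasterKey` further down dereferences `this.myStore` without a guard, so that case would surface later as a NullPointerException instead of a clear startup failure. Setting the message in that branch, `errorMsg = "Luna not found. Please verify the Ranger KMS HSM configuration setup.";`, keeps it consistent with the catch blocks that follow. In practice `KeyStore.getInstance` throws `KeyStoreException` rather than returning null, so this is belt-and-braces, but it is the one failure route that the new throw does not close. The constructor's body continues past the end of this hunk.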
@@ -75,61 +78,64 @@ public class RangerHSM implements RangerKMSMKI {
                                myStore.load(is1, passwd.toCharArray());
                        }
         } catch (KeyStoreException kse) {
-            logger.error("Unable to create keystore object : " + 
kse.getMessage());
+            errorMsg = "Unable to create keystore object : " + 
kse.getMessage();
         } catch (NoSuchAlgorithmException nsae) {
-            logger.error("Unexpected NoSuchAlgorithmException while loading 
keystore : " + nsae.getMessage());
+            errorMsg = "Unexpected NoSuchAlgorithmException while loading 
keystore : " + nsae.getMessage();
         } catch (CertificateException e) {
-            logger.error("Unexpected CertificateException while loading 
keystore : " + e.getMessage());
+            errorMsg = "Unexpected CertificateException while loading keystore 
: " + e.getMessage();
         } catch (IOException e) {
-            logger.error("Unexpected IOException while loading keystore : " + 
e.getMessage());
+            errorMsg = "Unexpected IOException while loading keystore : " + 
e.getMessage();
+        }
+
+        if (StringUtils.isNotEmpty(errorMsg)) {
+            throw new RuntimeCryptoException(errorMsg);
         }
     }
 
     @Override
     public boolean generateMasterKey(String password) throws Throwable {
-        if (logger.isDebugEnabled()) {
-            logger.debug("==> RangerHSM.generateMasterKey()");
-        }
-        if (myStore != null && myStore.size() < 1) {
+        logger.debug("==> RangerHSM.generateMasterKey()");
+
+        if (!this.myStore.containsAlias(alias)) {
             KeyGenerator keyGen = null;
             SecretKey aesKey = null;
             try {
-                logger.info("Generating AES Master Key for HSM Provider");
+                logger.info("Generating AES Master Key for '{}' HSM Provider", 
hsm_keystore);
                 keyGen = KeyGenerator.getInstance(MK_CIPHER, hsm_keystore);
                 keyGen.init(MK_KeySize);
                 aesKey = keyGen.generateKey();
                 myStore.setKeyEntry(alias, aesKey, password.toCharArray(), 
(java.security.cert.Certificate[]) null);
                 return true;
             } catch (Exception e) {
-                logger.error("generateMasterKey : Exception during Ranger 
Master Key Generation - " + e.getMessage());
-                return false;
+                logger.error("generateMasterKey : Exception during Ranger 
Master Key Generation - {}", e.getMessage());
             }
+        } else {
+            logger.info("Master key with alias - '{}' already exists!", alias);
         }
+
+        logger.debug("<== RangerHSM.generateMasterKey()");
+
         return false;
     }
 
     @Override
     public String getMasterKey(String password) throws Throwable {
-        if (logger.isDebugEnabled()) {
-            logger.debug("==> RangerHSM.getMasterKey()");
-        }
+        logger.debug("==> RangerHSM.getMasterKey()");
         if (myStore != null) {
             try {
-                if (logger.isDebugEnabled()) {
-                    logger.debug("Searching for Ranger Master Key in Luna 
Keystore");
-                }
+                logger.debug("Searching for Ranger Master Key in Luna 
Keystore");
                 boolean result = myStore.containsAlias(alias);
                 if (result == true) {
-                    if (logger.isDebugEnabled()) {
-                        logger.debug("Ranger Master Key is present in 
Keystore");
-                    }
+                    logger.debug("Ranger Master Key is present in Keystore");
                     SecretKey key = (SecretKey) myStore.getKey(alias, 
password.toCharArray());
                     return Base64.encode(key.getEncoded());
                 }
             } catch (Exception e) {
-                logger.error("getMasterKey : Exception searching for Ranger 
Master Key - " + e.getMessage());
+                logger.error("getMasterKey : Exception searching for Ranger 
Master Key - {} ", e.getMessage());
             }
         }
+        logger.debug("<== RangerHSM.getMasterKey()");
+
         return null;
     }
 
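Review bot: A failure inside `generateMasterKey` is still swallowed: the catch block logs only `e.getMessage()` and the method falls through to `return false`, which is now the same value returned when the alias already exists, so the caller cannot tell "nothing to do" from "HSM key generation failed". Since the method is declared `throws Throwable` and the caller already wraps it, I would log the full exception and rethrow, `logger.error("generateMasterKey : Exception during Ranger Master Key Generation", e); throw e;`, rather than letting a missing master key surface later as a NullPointerException in `getMasterKey(...).toCharArray()`. Separately, the constructor's new `throw new RuntimeCryptoException(errorMsg)` keeps only the message text of the original `KeyStoreException`/`IOException` and drops the stack trace, and as far as I can tell that Bouncy Castle type has no `(String, Throwable)` constructor; either keep a `logger.error(errorMsg, kse)` in each catch or capture the exception in a local and throw `new IllegalStateException(errorMsg, cause)` so the HSM load failure remains diagnosable. Note that `getMasterKey` still carries the `myStore != null` guard that `generateMasterKey` no longer has.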
@@ -140,7 +146,7 @@ public class RangerHSM implements RangerKMSMKI {
                 myStore.setKeyEntry(alias, aesKey, password.toCharArray(), 
(java.security.cert.Certificate[]) null);
                 return true;
             } catch (KeyStoreException e) {
-                logger.error("setMasterKey : Exception while setting Master 
Key - " + e.getMessage());
+                logger.error("setMasterKey : Exception while setting Master 
Key, Error - {} ", e.getMessage());
             }
         }
         return false;
diff --git 
a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java 
b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
index 18a6bee..cb5739f 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
@@ -125,17 +125,8 @@ public class RangerKeyStoreProvider extends KeyProvider {
                                        || 
partitionPasswd.trim().equals("crypted")) {
                                throw new IOException("Partition Password 
doesn't exists");
                        }
-                       dbStore = new RangerKeyStore(daoManager);
-                       // generate master key on HSM
-                       masterKeyProvider.generateMasterKey(password);
-                       try {
-                               masterKey = 
masterKeyProvider.getMasterKey(password)
-                                               .toCharArray();
-                       } catch (Exception ex) {
-                               throw new Exception(
-                                               "Error while getting Safenet 
KeySecure master key "
-                                                               + ex);
-                       }
+                       this.dbStore = new RangerKeyStore(daoManager);
+                       this.generateAndGetMasterKey(masterKeyProvider, 
password);
                } else if (isKeySecureEnabled) {
                        logger.info("KeySecure is enabled for storing the 
master key.");
                        getFromJceks(conf, CREDENTIAL_PATH, 
KEYSECURE_PASSWORD_ALIAS,
@@ -199,22 +190,28 @@ public class RangerKeyStoreProvider extends KeyProvider {
                } else {
                        logger.info("Ranger KMS Database is enabled for storing 
master key.");
                        masterKeyProvider = new RangerMasterKey(daoManager);
-                       dbStore = new RangerKeyStore(daoManager);
-                       masterKeyProvider.generateMasterKey(password);
-                       // code to retrieve rangerMasterKey password
-                       try {
-                               masterKey = 
masterKeyProvider.getMasterKey(password)
-                                               .toCharArray();
-                       } catch (Exception ex) {
-                               throw new Exception("Error while getting Ranger 
Master key "
-                                               + ex);
-                       }
+                       this.dbStore = new RangerKeyStore(this.daoManager);
+                       this.generateAndGetMasterKey(masterKeyProvider, 
password);
                }
                reloadKeys();
                ReadWriteLock lock = new ReentrantReadWriteLock(true);
                readLock = lock.readLock();
        }
 
+    private void generateAndGetMasterKey(final RangerKMSMKI masterKeyProvider, 
final String password) {
+        try {
+            masterKeyProvider.generateMasterKey(password);
+        } catch (Throwable cause) {
+            throw new RuntimeException("Error while generating Ranger Master 
key, Error - ", cause);
+        }
+
+        try {
+            this.masterKey = 
masterKeyProvider.getMasterKey(password).toCharArray();
+        } catch (Throwable cause) {
+            throw new RuntimeException("Error while getting Ranger Master key, 
Error - ", cause);
+        }
+    }
+
        public static Configuration getDBKSConf() {
                Configuration newConfig = getConfiguration(true, DBKS_SITE_XML);
                getFromJceks(newConfig, CREDENTIAL_PATH, MK_CREDENTIAL_ALIAS,
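Review bot: `masterKeyProvider.getMasterKey(password)` can return null (the HSM implementation returns null when the alias is absent or the lookup throws), and calling `.toCharArray()` on it raises a NullPointerException that the second catch then reports as "Error while getting Ranger Master key, Error - " with an NPE as the cause, which hides the real condition. I would bind the result first and fail with a clear message: `final String mk = masterKeyProvider.getMasterKey(password); if (mk == null) { throw new IllegalStateException("Ranger Master key could not be retrieved from the configured provider"); } this.masterKey = mk.toCharArray();`. The boolean returned by `generateMasterKey` is discarded here, so a failed generation is only visible through that later null; if the provider is changed to throw on failure, the first catch already covers it. Both exception messages end in a dangling `, Error - ` because the cause is passed as a separate argument; dropping that suffix makes the wrapped message read cleanly.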
