This is an automated email from the ASF dual-hosted git repository.
dhavalshah9131 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new cde5be80c RANGER-5411: Refactor logic to use external Key as MasterKey
to avoid code redundancy (#747)
cde5be80c is described below
commit cde5be80c8cc1394cfe22284ce7065b6ac75def5
Author: Vikas Kumar <[email protected]>
AuthorDate: Fri Jan 2 11:23:21 2026 +0530
RANGER-5411: Refactor logic to use external Key as MasterKey to avoid code
redundancy (#747)
---
.../org/apache/hadoop/crypto/key/DB2HSMMKUtil.java | 6 ++--
.../apache/hadoop/crypto/key/DBToKeySecure.java | 6 ++--
.../org/apache/hadoop/crypto/key/HSM2DBMKUtil.java | 14 +++++---
.../crypto/key/KeySecureToRangerDBMKUtil.java | 7 ++--
.../org/apache/hadoop/crypto/key/RangerHSM.java | 3 +-
.../org/apache/hadoop/crypto/key/RangerKMSMKI.java | 4 +++
.../apache/hadoop/crypto/key/RangerMasterKey.java | 38 ++++++++--------------
.../hadoop/crypto/key/RangerSafenetKeySecure.java | 3 +-
.../hadoop/crypto/key/RangerMasterKeyTest.java | 4 +--
.../crypto/key/kms/TestRangerSafenetKeySecure.java | 2 +-
10 files changed, 44 insertions(+), 43 deletions(-)
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java
b/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java
index bbe3e72fb..0bfa19f49 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java
@@ -76,14 +76,14 @@ private boolean doExportMKToHSM(String hsmType, String
partitionName) {
String password = conf.get(ENCRYPTION_KEY);
// Get Master Key from Ranger DB
- RangerMasterKey rangerMasterKey = new RangerMasterKey(daoManager);
+ RangerKMSMKI rangerMasterKey = new RangerMasterKey(daoManager);
String mkey =
rangerMasterKey.getMasterKey(password);
byte[] key = Base64.decode(mkey);
// Put Master Key in HSM
- RangerHSM rangerHSM = new RangerHSM(conf);
+ RangerKMSMKI rangerHSM = new RangerHSM(conf);
- return rangerHSM.setMasterKey(password, key);
+ return rangerHSM.setExternalKeyAsMK(password, key);
} catch (Throwable t) {
throw new RuntimeException("Unable to import Master key from
Ranger DB to HSM ", t);
} finally {
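Review bot: The decoded master key in `byte[] key = Base64.decode(mkey);` is passed to the HSM and then simply left for the garbage collector; the `finally` that closes the hunk lies outside it, so it is not visible whether anything clears the array. Since this is a one-shot migration tool that holds the KMS master key in clear, consider wiping the array once `setExternalKeyAsMK` has returned, e.g. `Arrays.fill(key, (byte) 0);` (the base64 `String mkey` cannot be cleared the same way, so this shortens rather than removes the exposure). The same decoded-key handling appears in the DBToKeySecure, HSM2DBMKUtil and KeySecureToRangerDBMKUtil hunks. doExportMKToHSM starts and ends outside the hunk.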
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/DBToKeySecure.java
b/kms/src/main/java/org/apache/hadoop/crypto/key/DBToKeySecure.java
index dbe41e319..29d1a37c5 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/DBToKeySecure.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/DBToKeySecure.java
@@ -102,14 +102,14 @@ private boolean doExportMKToKeySecure(String keyName,
String username, String pa
String mkPassword = conf.get(ENCRYPTION_KEY);
// Get Master Key from Ranger DB
- RangerMasterKey rangerMasterKey = new RangerMasterKey(daoManager);
+ RangerKMSMKI rangerMasterKey = new RangerMasterKey(daoManager);
String mkey =
rangerMasterKey.getMasterKey(mkPassword);
byte[] key = Base64.decode(mkey);
if (conf != null) {
- RangerSafenetKeySecure rangerSafenetKeySecure = new
RangerSafenetKeySecure(conf);
+ RangerKMSMKI rangerSafenetKeySecure = new
RangerSafenetKeySecure(conf);
- return rangerSafenetKeySecure.setMasterKey(password, key,
conf);
+ return rangerSafenetKeySecure.setExternalKeyAsMK(password,
key);
}
return false;
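Review bot: The `if (conf != null)` guard around the new `RangerKMSMKI rangerSafenetKeySecure = new RangerSafenetKeySecure(conf);` line can never be false, because `conf.get(ENCRYPTION_KEY)` at the top of the hunk has already dereferenced `conf`, which makes the `return false` fall-through dead code. Either drop the guard, or move the null check ahead of the `conf.get` call so a missing configuration fails with a clear message instead of a NullPointerException wrapped by the surrounding catch. doExportMKToKeySecure starts and ends outside the hunk.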
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java
b/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java
index 86ab3c8de..4feb01172 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java
@@ -79,14 +79,18 @@ private void doImportMKFromHSM(String hsmType, String
partitionName) {
String password = conf.get(ENCRYPTION_KEY);
// Get Master Key from HSM
- RangerHSM rangerHSM = new RangerHSM(conf);
- String mKey = rangerHSM.getMasterKey(password);
- byte[] key = Base64.decode(mKey);
+ RangerKMSMKI rangerHSM = new RangerHSM(conf);
+ String mKey = rangerHSM.getMasterKey(password);
+ byte[] key = Base64.decode(mKey);
// Put Master Key in Ranger DB
- RangerMasterKey rangerMasterKey = new RangerMasterKey(daoManager);
+ RangerKMSMKI rangerMasterKey = new RangerMasterKey(daoManager);
- rangerMasterKey.generateMKFromHSMMK(password, key);
+ boolean isMKSet = rangerMasterKey.setExternalKeyAsMK(password,
key);
+
+ if (!isMKSet) {
+ throw new Exception("MK import from HSM to DB failed");
+ }
} catch (Throwable t) {
throw new RuntimeException("Unable to import Master key from HSM
to Ranger DB", t);
} finally {
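Review bot: `boolean isMKSet = rangerMasterKey.setExternalKeyAsMK(password, key);` followed by `throw new Exception("MK import from HSM to DB failed")` turns the already-exists case into a failure: in the RangerMasterKey hunk, `setExternalKeyAsMK` returns false both when a master key already exists in the DB (it only logs a warning) and when `saveEncryptedMK` returns nothing. The removed `generateMKFromHSMMK` returned silently in the existing-key case, so this import utility now exits with a RuntimeException where it previously completed, which the commit message (a redundancy refactor) does not mention. If that is intended, make the message say what happened, e.g. `throw new IllegalStateException("MK import from HSM to DB failed: key not stored (a master key may already exist in the DB)");`; otherwise have `setExternalKeyAsMK` distinguish the two outcomes. The same pattern is in the KeySecureToRangerDBMKUtil hunk. doImportMKFromHSM starts and ends outside the hunk.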
diff --git
a/kms/src/main/java/org/apache/hadoop/crypto/key/KeySecureToRangerDBMKUtil.java
b/kms/src/main/java/org/apache/hadoop/crypto/key/KeySecureToRangerDBMKUtil.java
index c9ca43319..6f92592c0 100644
---
a/kms/src/main/java/org/apache/hadoop/crypto/key/KeySecureToRangerDBMKUtil.java
+++
b/kms/src/main/java/org/apache/hadoop/crypto/key/KeySecureToRangerDBMKUtil.java
@@ -72,9 +72,12 @@ private void doImportMKFromKeySecure(String kmsMKPassword) {
RangerSafenetKeySecure rangerSafenetKeySecure = new
RangerSafenetKeySecure(conf);
String mKey =
rangerSafenetKeySecure.getMasterKey(password);
byte[] key =
Base64.decode(mKey);
- RangerMasterKey rangerMasterKey = new
RangerMasterKey(daoManager); // Put Master Key in Ranger DB
+ RangerKMSMKI rangerMasterKey = new
RangerMasterKey(daoManager); // Put Master Key in Ranger DB
- rangerMasterKey.generateMKFromKeySecureMK(password, key);
+ boolean isMKSet = rangerMasterKey.setExternalKeyAsMK(password,
key);
+ if (!isMKSet) {
+ throw new Exception("MK import from KeySecure to KMS-DB
failed");
+ }
} catch (Throwable t) {
throw new RuntimeException("Unable to migrate Master key from
KeySecure to Ranger DB", t);
}
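Review bot: The context line `RangerSafenetKeySecure rangerSafenetKeySecure = new RangerSafenetKeySecure(conf);` at the top of the hunk is still typed to the concrete class while the DB2HSMMKUtil and DBToKeySecure hunks switched the same declarations to the interface; for consistency with the refactor's intent it should read `RangerKMSMKI rangerSafenetKeySecure = new RangerSafenetKeySecure(conf);`. The new `throw new Exception("MK import from KeySecure to KMS-DB failed")` would also be clearer as an `IllegalStateException`, since the surrounding catch rewraps it anyway. doImportMKFromKeySecure starts outside the hunk.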
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
index 2825aa599..be1484a42 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
@@ -150,7 +150,8 @@ public String getMasterKey(String password) throws
Throwable {
return null;
}
- public boolean setMasterKey(String password, byte[] key) {
+ @Override
+ public boolean setExternalKeyAsMK(String password, byte[] key) {
if (myStore != null) {
try {
Key aesKey = new SecretKeySpec(key, MK_CIPHER);
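Review bot: The new `@Override public boolean setExternalKeyAsMK(String password, byte[] key)` carries no Javadoc, and the visible `if (myStore != null)` means an uninitialised keystore silently yields false, which a caller typed to `RangerKMSMKI` cannot tell apart from a failed store. Add a short comment above the override, e.g. `/** Wraps {@code key} as an AES key and stores it in the HSM keystore; returns false if the keystore was not initialised or the store failed. */`, and consider logging the null-store case so a failed migration is diagnosable. The method body continues outside the hunk.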
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSMKI.java
b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSMKI.java
index 83789c2e1..1d4a31fcf 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSMKI.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSMKI.java
@@ -37,4 +37,8 @@ default void onInitialization() throws Exception {}
default boolean reencryptMKWithFipsAlgo(String mkPassword) throws
Exception {
return false;
}
+
+ default boolean setExternalKeyAsMK(String password, byte[] key) throws
Throwable {
+ throw new UnsupportedOperationException("This method is not supported
for current MK provider");
+ }
}
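Review bot: The new default `setExternalKeyAsMK` declares `throws Throwable` and has no Javadoc, so neither implementors nor callers get a contract for the boolean: the RangerMasterKey hunk returns false when a key already exists, RangerHSM returns false when its keystore is null, and a provider that does not override it throws `UnsupportedOperationException`. Declare the narrowest exception the implementations actually need (the RangerHSM and RangerSafenetKeySecure overrides declare none) and add Javadoc along the lines of `/** Stores {@code key} as this provider's master key protected by {@code password}; returns false if it could not be stored, e.g. because a master key already exists. @throws UnsupportedOperationException if the provider cannot accept an external key. */`. The interface's other members are outside the hunk.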
diff --git
a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
index 2e840cbfe..067958b77 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
@@ -332,43 +332,31 @@ public boolean reencryptMKWithFipsAlgo(String mkPassword)
{
return isMKReencrypted;
}
- public void generateMKFromHSMMK(String password, byte[] key) throws
Throwable {
- logger.debug("==> RangerMasterKey.generateMKFromHSMMK()");
-
- if (!checkMKExistence(this.masterKeyDao)) {
- logger.info("Master Key doesn't exist in DB, Generating the Master
Key");
-
- String encryptedMasterKey = encryptMasterKey(password, key);
- String savedKey = saveEncryptedMK(paddingString + "," +
encryptedMasterKey);
-
- if (savedKey != null && !savedKey.trim().equals("")) {
- logger.debug("Master Key Created with id = {}", savedKey);
- logger.debug("<== RangerMasterKey.generateMKFromHSMMK()");
- }
- } else {
- logger.debug("Ranger Master Key already exists in the DB,
returning.");
- }
-
- logger.debug("<== RangerMasterKey.generateMKFromHSMMK()");
- }
+ @Override
+ public boolean setExternalKeyAsMK(String password, byte[] key)throws
Throwable {
+ logger.debug("==> RangerMasterKey.useExternalKeyAsMK()");
- public void generateMKFromKeySecureMK(String password, byte[] key) throws
Throwable {
- logger.debug("==> RangerMasterKey.generateMKFromKeySecureMK()");
+ boolean keySetAsMK = false;
if (!checkMKExistence(this.masterKeyDao)) {
- logger.info("Master Key doesn't exist in DB, Generating the Master
Key");
+ logger.info("Master Key doesn't exist in DB, encrypting and
storing the provided Master Key");
String encryptedMasterKey = encryptMasterKey(password, key);
String savedKey = saveEncryptedMK(paddingString + "," +
encryptedMasterKey);
if (savedKey != null && !savedKey.trim().equals("")) {
- logger.debug("Master Key Created with id = {}", savedKey);
+ keySetAsMK = true;
+ logger.info("Master Key Created with id = {}", savedKey);
+ logger.debug("<== RangerMasterKey.useExternalKeyAsMK()");
}
} else {
- logger.debug("Ranger Master Key already exists in the DB,
returning.");
+ String errMsg = "Ranger Master Key already exists in the DB,
returning.";
+ logger.warn(errMsg);
}
- logger.debug("<== RangerMasterKey.generateMKFromKeySecureMK()");
+ logger.debug("<== RangerMasterKey.useExternalKeyAsMK()");
+
+ return keySetAsMK;
}
private String decryptMasterKey(byte[] masterKey, String password, String
encryptedPassString) throws Throwable {
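Review bot: The entry and exit traces in the new method name a method that does not exist: `logger.debug("==> RangerMasterKey.useExternalKeyAsMK()");` and both `<==` lines should read `RangerMasterKey.setExternalKeyAsMK()`, otherwise log-based tracing of a master-key import points at nothing in the source. The success branch also emits the exit marker inside `if (savedKey != null && !savedKey.trim().equals(""))` and again unconditionally before `return keySetAsMK`, so a successful import logs `<==` twice; drop the inner one. Minor: `byte[] key)throws Throwable` is missing a space, and `String errMsg = ...; logger.warn(errMsg);` can be a single `logger.warn("Ranger Master Key already exists in the DB, returning.");`.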
diff --git
a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
index f2b1db3bf..9832ac4eb 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
@@ -165,7 +165,8 @@ public String getMasterKey(String password) throws
Throwable {
return null;
}
- public boolean setMasterKey(String password, byte[] key, Configuration
conf) {
+ @Override
+ public boolean setExternalKeyAsMK(String password, byte[] key) {
if (myStore != null) {
try {
Key aesKey = new SecretKeySpec(key, MK_ALGO);
diff --git
a/kms/src/test/java/org/apache/hadoop/crypto/key/RangerMasterKeyTest.java
b/kms/src/test/java/org/apache/hadoop/crypto/key/RangerMasterKeyTest.java
index e76f2341c..4b661153f 100644
--- a/kms/src/test/java/org/apache/hadoop/crypto/key/RangerMasterKeyTest.java
+++ b/kms/src/test/java/org/apache/hadoop/crypto/key/RangerMasterKeyTest.java
@@ -183,7 +183,7 @@ public void testGenerateMKFromHSMMK() throws Throwable {
byte[] key = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17};
- rangerMasterKey.generateMKFromHSMMK(password, key);
+ rangerMasterKey.setExternalKeyAsMK(password, key);
}
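Review bot: `rangerMasterKey.setExternalKeyAsMK(password, key);` discards the boolean this commit introduces, so the test cannot catch the not-stored case that HSM2DBMKUtil now treats as an error; assert it, e.g. `assertTrue(rangerMasterKey.setExternalKeyAsMK(password, key));` (the same applies to the second hunk in testGenerateMKFromKeySecureMK). With both former methods collapsed into one, the two tests now exercise the same code path while their names still refer to the removed generateMKFromHSMMK and generateMKFromKeySecureMK; consider merging them into one test named for setExternalKeyAsMK. Whether the fixture starts with an empty master-key table, which decides the expected boolean, is not visible here.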
@Test
@@ -197,7 +197,7 @@ public void testGenerateMKFromKeySecureMK() throws
Throwable {
byte[] key = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17};
- rangerMasterKey.generateMKFromKeySecureMK(password, key);
+ rangerMasterKey.setExternalKeyAsMK(password, key);
assertNotNull(rangerMasterKey.getMasterKey(password));
}
diff --git
a/kms/src/test/java/org/apache/hadoop/crypto/key/kms/TestRangerSafenetKeySecure.java
b/kms/src/test/java/org/apache/hadoop/crypto/key/kms/TestRangerSafenetKeySecure.java
index d4c2e3329..ea135e9a5 100644
---
a/kms/src/test/java/org/apache/hadoop/crypto/key/kms/TestRangerSafenetKeySecure.java
+++
b/kms/src/test/java/org/apache/hadoop/crypto/key/kms/TestRangerSafenetKeySecure.java
@@ -86,7 +86,7 @@ public void
testSetMasterKey_WithNullKeystore_ShouldReturnFalse() throws Excepti
storeField.setAccessible(true);
storeField.set(secure, null);
- boolean result = secure.setMasterKey("pass", "mockKey".getBytes(), new
Configuration());
+ boolean result = secure.setExternalKeyAsMK("pass",
"mockKey".getBytes());
assertFalse(result);
}