[
https://issues.apache.org/jira/browse/RANGER-1644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16240145#comment-16240145
]
Endre Kovacs edited comment on RANGER-1644 at 11/6/17 11:30 AM:
----------------------------------------------------------------
hi [~bosco]
this patch is created in a way that:
* when *new service* is *created* through the Ranger UI
* when an *existing service* is *updated*
then it will use the new updated algo from:
`ranger-admin-default-site.xml`
{code}
<property>
<name>ranger.password.encryption.algorithm</name>
<value>PBEWITHHMACSHA512ANDAES_128</value>
</property>
{code}
first decoding value with the previously configured algorithm, then encoding
and sanity checking with the new algorithm.
* in such cases, when the service is not created or updated, just simply
*READ*, it does not update the encrypt algo. It uses the stored, comma-separated
algorithm information for encrypting and decrypting. If no such comma-separated
algorithm info is present, then encryption & decryption is done with
`PasswordUtils.DEFAULT_CRYPT_ALGO = "PBEWithMD5AndDES";` which did not change.
Making it backward compatible.
Please let me know if you have any specific concerns / use cases / steps in
mind needing to be tested on a live cluster.
Best regards,
Endre
was (Author: andrewsmith87):
hi [~bosco]
this patch is created in a way that:
* when *new service* is *created* through the Ranger UI
* when an *existing service* is *updated*
then it will use the new updated algo from:
`ranger-admin-default-site.xml`
{code}
<property>
<name>ranger.password.encryption.algorithm</name>
<value>PBEWITHHMACSHA512ANDAES_128</value>
</property>
{code}
first decoding value with the previously configured algorithm, then encoding
and sanity checking with the new algorithm.
* in such cases, when the service is not created or updated, just simply
*READ*, it does not update the encrypt algo. It uses the stored, comma-separated
algorithm information for encrypting and decrypting. If no such comma-separated
algorithm info is present, then encryption & decryption is done with
`PasswordUtils.DEFAULT_CRYPT_ALGO = "PBEWithMD5AndDES";` which did not change.
Making it backward compatible.
Please let me know if you have any specific use cases / steps in mind needing
to be tested on a live cluster.
Best regards,
Endre
> Change the default Crypt Algo to use stronger cryptographic algo.
> ------------------------------------------------------------------
>
> Key: RANGER-1644
> URL: https://issues.apache.org/jira/browse/RANGER-1644
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Selvamohan Neethiraj
> Assignee: Endre Kovacs
> Priority: Critical
> Attachments:
> 0001-RANGER-1644-replacing-MD5-DES-with-SHA512-AES128.patch
>
>
> Change the default crypt algorithm to use a stronger cipher algorithm
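
The read and create/update behaviour described in the comment above, as an added Java example that is not taken from the RANGER-1644 patch or from Ranger's code. The stored layout `algo,base64(iv),base64(ciphertext)`, the class and method names, and the key, salt and iteration count are assumptions made for the illustration; only the two algorithm names come from the message.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.SecureRandom;
import java.util.Base64;

public class CryptAlgoMigrationSketch {
    static final String LEGACY_ALGO = "PBEWithMD5AndDES";          // default named in the comment
    static final String NEW_ALGO = "PBEWITHHMACSHA512ANDAES_128";  // value from the config snippet
    // Constructed demo parameters (assumptions, not Ranger's values).
    static final char[] KEY = "demo-master-key".toCharArray();
    static final byte[] SALT = "demosalt".getBytes(UTF_8);         // PBEWithMD5AndDES needs an 8-byte salt
    static final int ITERATIONS = 1000;
    static byte[] run(int mode, String algo, byte[] iv, byte[] in) throws Exception {
        PBEParameterSpec spec = (iv == null) ? new PBEParameterSpec(SALT, ITERATIONS) // legacy scheme, no IV
                : new PBEParameterSpec(SALT, ITERATIONS, new IvParameterSpec(iv));    // AES variant needs an IV
        Cipher c = Cipher.getInstance(algo);
        c.init(mode, SecretKeyFactory.getInstance(algo).generateSecret(new PBEKeySpec(KEY)), spec);
        return c.doFinal(in);
    }
    // New-format values carry their algorithm: "algo,base64(iv),base64(ciphertext)" (assumed layout).
    static String encrypt(String algo, String plain) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        byte[] ct = run(Cipher.ENCRYPT_MODE, algo, iv, plain.getBytes(UTF_8));
        return algo + "," + Base64.getEncoder().encodeToString(iv) + "," + Base64.getEncoder().encodeToString(ct);
    }
    // READ path: use the stored algorithm info; without it, fall back to the legacy default.
    static String decrypt(String stored) throws Exception {
        String[] p = stored.split(",");
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] pt = (p.length == 3) ? run(Cipher.DECRYPT_MODE, p[0], b64.decode(p[1]), b64.decode(p[2]))
                                    : run(Cipher.DECRYPT_MODE, LEGACY_ALGO, null, b64.decode(stored));
        return new String(pt, UTF_8);
    }
    // CREATE/UPDATE path: decode with the old algorithm, re-encode with the new one, sanity check.
    static String migrate(String stored) throws Exception {
        String plain = decrypt(stored);
        String updated = encrypt(NEW_ALGO, plain);
        if (!plain.equals(decrypt(updated))) throw new IllegalStateException("round trip failed");
        return updated;
    }
    public static void main(String[] args) throws Exception {
        String legacy = Base64.getEncoder().encodeToString(   // constructed legacy value, no algorithm prefix
                run(Cipher.ENCRYPT_MODE, LEGACY_ALGO, null, "s3rvice-pass".getBytes(UTF_8)));
        String updated = migrate(legacy);
        System.out.println(decrypt(legacy) + " == " + decrypt(updated) + ", now stored under " + updated.split(",")[0]);
    }
}
```

Because the reader picks the cipher from the stored prefix, a production version would accept only an allow-list of algorithm names there.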