-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73912/
-----------------------------------------------------------

(Updated March 30, 2022, 6:41 a.m.)


Review request for ranger, Bhavik Bavishi, Dhaval Shah, and Mateen Mansoori.


Changes
-------

add missing line for filling the dummy encodedKey of KeyVersion


Bugs: RANGER-3682
    https://issues.apache.org/jira/browse/RANGER-3682


Repository: ranger


Description
-------

Unify the ways RangerKeyStore encapsulates the zone key

Now we have 2 styles of MasterKeyProvider:
1. RangerMasterKey, RangerHSM, RangerSafenetKeySecure
2. RangerAzureKeyVaultKeyGenerator, RangerGoogleCloudHSMProvider, RangerTencentKMSProvider

Style 1 can get the master key string out of the provider; style 2 cannot.
Previously, I added a flag, KeyVaultEnabled, to distinguish them:
KeyVaultEnabled=false means style 1, true means style 2.
RangerKeyStore with style 1 uses SecretKeyEntry with a SealedObject to store a
key and does the encryption / decryption by itself.
RangerKeyStore with style 2 uses SecretKeyByteEntry to store a key and lets the
MK provider do the encryption / decryption.
These are ugly and hard to maintain. I refactored it by removing SecretKeyEntry
and letting the providers of style 1 do the encryption / decryption.
Add a common base class of RangerMasterKey, RangerHSM and
RangerSafenetKeySecure, named AbstractRangerMasterKey. It provides the common
logic of encryptZoneKey and decryptZoneKey.
Also, there is no unified method to initialize a master key provider. Duplicate
code is distributed in RangerKeyStoreProvider and a bunch of CLI classes.
I made a new RangerKMSMKIFactory class to unify it.


Diffs (updated)
-----

  kms/src/main/java/org/apache/hadoop/crypto/key/AbstractRangerMasterKey.java PRE-CREATION
  kms/src/main/java/org/apache/hadoop/crypto/key/DBToAzureKeyVault.java 39de0a5034c4cf8f219c20a451ae36d26c8b327a
  kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java a1a6f348b98407125611cffde6e920a682d3011b
  kms/src/main/java/org/apache/hadoop/crypto/key/MigrateDBMKeyToGCP.java d3b717a8a6f4fe158785ea0408e9c635ddf5fd4f
  kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java 1935a0185a0aa56f5be6557ef98c82f97684c7fb
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerGoogleCloudHSMProvider.java a61cabb1bbf02f9eb66f52d76fb3bbd1f2f839f3
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java 90ef729b2e1a89a4822f3ccbbaa8989e3dc446ee
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSMKI.java b09cd5bad34157110f306f0327fa89533f384fce
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSMKIFactory.java PRE-CREATION
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java 8dc129069689d2ed994cec4184f930e033375a97
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java cb5739f61d975061d33623dd90941edb952a5990
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java c37e98ee544ca0810aa2d3dcc5bfacf19dcd3b53
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java eb8a90a712bd48ca7629a1af9c14f8357edf6194
  kms/src/main/java/org/apache/hadoop/crypto/key/VerifyIsDBMasterkeyCorrect.java 632e728f4c3b2b00cabe9adf0a95112238487fb1
  kms/src/main/java/org/apache/hadoop/crypto/key/VerifyIsHSMMasterkeyCorrect.java e5ebeb783f5d5ff51a8433d4536205968e3546a4
  kms/src/main/java/org/apache/ranger/kms/biz/RangerKMSStartUp.java aae722b396801bc591666a05c6db99e6fad70a23
  kms/src/test/java/org/apache/hadoop/crypto/key/kms/TestRangerKeyStore.java bcdf2e3374ef46666864f224056e380b3744f1fe
  kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/RangerMasterKeyTest.java f420322ca654fce4b7b6cc9de2b3565cae99ac12


Diff: https://reviews.apache.org/r/73912/diff/2/

Changes: https://reviews.apache.org/r/73912/diff/1-2/


Testing
-------

Tested by fresh install and update.


Thanks,

Kirby Zhou
