[
https://issues.apache.org/jira/browse/RANGER-4506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jianchun Xu updated RANGER-4506:
--------------------------------
Description:
RangerKeyStoreProvider illegally writes to key store under Read lock. This
happens in both getMetadata and getKeyVersion.
E.g. in following getKeyVersion, under Read lock, the code calls
`dbStore.engineLoad(null, masterKey)` which reloads all the keys. Since
multiple threads can hold the Read lock, multiple threads can enter and reload
all the keys. Thus the 2nd `dbStore.engineContainsAlias(versionName)` test and
following `dbStore.engineGetDecryptedZoneKeyByte(versionName)` can both get
wrong result if another thread is reloading keys.
[https://github.com/apache/ranger/blob/master/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java#L331]
{code:java}
@Override
public KeyVersion getKeyVersion(String versionName) throws IOException {
if (logger.isDebugEnabled()) {
logger.debug("==> getKeyVersion({})", versionName);
}
KeyVersion ret = null;
try (AutoClosableReadLock ignored = new AutoClosableReadLock(lock)) {
if (keyVaultEnabled) {
try {
boolean versionNameExists =
dbStore.engineContainsAlias(versionName);
if (!versionNameExists) {
dbStore.engineLoad(null, masterKey);
versionNameExists =
dbStore.engineContainsAlias(versionName);
}
if (versionNameExists) {
byte[] decryptKeyByte;
try {
decryptKeyByte =
dbStore.engineGetDecryptedZoneKeyByte(versionName);
{code}
was:
RangerKeyStoreProvider illegally writes to key store under Read lock. This
happens in both getMetadata and getKeyVersion.
E.g. in following getKeyVersion, under Read lock, the code calls
`dbStore.engineLoad(null, masterKey)` which reloads all the keys. Since
multiple threads can hold the Read lock, multiple threads can enter and reload
all the keys. Thus the 2nd `dbStore.engineContainsAlias(versionName)` test and
following `dbStore.engineGetDecryptedZoneKeyByte(versionName)` can both get
wrong result if another threads is reloading keys.
[https://github.com/apache/ranger/blob/master/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java#L331]
{code:java}
@Override
public KeyVersion getKeyVersion(String versionName) throws IOException {
if (logger.isDebugEnabled()) {
logger.debug("==> getKeyVersion({})", versionName);
}
KeyVersion ret = null;
try (AutoClosableReadLock ignored = new AutoClosableReadLock(lock)) {
if (keyVaultEnabled) {
try {
boolean versionNameExists =
dbStore.engineContainsAlias(versionName);
if (!versionNameExists) {
dbStore.engineLoad(null, masterKey);
versionNameExists =
dbStore.engineContainsAlias(versionName);
}
if (versionNameExists) {
byte[] decryptKeyByte;
try {
decryptKeyByte =
dbStore.engineGetDecryptedZoneKeyByte(versionName);
{code}
> Illegal read lock usage in getMetadata/getKeyVersion
> ----------------------------------------------------
>
> Key: RANGER-4506
> URL: https://issues.apache.org/jira/browse/RANGER-4506
> Project: Ranger
> Issue Type: Bug
> Components: kms
> Reporter: Jianchun Xu
> Priority: Major
>
> RangerKeyStoreProvider illegally writes to key store under Read lock. This
> happens in both getMetadata and getKeyVersion.
> E.g. in following getKeyVersion, under Read lock, the code calls
> `dbStore.engineLoad(null, masterKey)` which reloads all the keys. Since
> multiple threads can hold the Read lock, multiple threads can enter and
> reload all the keys. Thus the 2nd `dbStore.engineContainsAlias(versionName)`
> test and following `dbStore.engineGetDecryptedZoneKeyByte(versionName)` can
> both get wrong result if another thread is reloading keys.
> [https://github.com/apache/ranger/blob/master/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java#L331]
> {code:java}
> @Override
> public KeyVersion getKeyVersion(String versionName) throws IOException {
> if (logger.isDebugEnabled()) {
> logger.debug("==> getKeyVersion({})", versionName);
> }
> KeyVersion ret = null;
> try (AutoClosableReadLock ignored = new AutoClosableReadLock(lock)) {
> if (keyVaultEnabled) {
> try {
> boolean versionNameExists =
> dbStore.engineContainsAlias(versionName);
> if (!versionNameExists) {
> dbStore.engineLoad(null, masterKey);
> versionNameExists =
> dbStore.engineContainsAlias(versionName);
> }
> if (versionNameExists) {
> byte[] decryptKeyByte;
> try {
> decryptKeyByte =
> dbStore.engineGetDecryptedZoneKeyByte(versionName);
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
