[
https://issues.apache.org/jira/browse/RANGER-4506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17824525#comment-17824525
]
Madhan Neethiraj edited comment on RANGER-4506 at 3/7/24 9:50 PM:
------------------------------------------------------------------
[~jianchun], [~vikkumar] - thank you both for the detailed reporting and
analysis of the issue. Fix in RANGER-3989 required sizable updates to prevent
issues in KMS handling of simultaneous calls. [~vikkumar] helped review that
fix. [~jianchun] - it's good to have you as well review Ranger KMS! Thank you.
was (Author: madhan.neethiraj):
[~jianchun], [~vikkumar] - thank you both for the detailed reporting and
analysis of the issue. Fix in RANGER-3989 required sizable updates to prevent
issues in handling simultaneous calls in KMS. [~vikkumar] heled review that
fix. [~jianchun] - it's good to have you as well review Ranger KMS! Thank you.
> Illegal read lock usage in getMetadata/getKeyVersion
> ----------------------------------------------------
>
> Key: RANGER-4506
> URL: https://issues.apache.org/jira/browse/RANGER-4506
> Project: Ranger
> Issue Type: Bug
> Components: kms
> Reporter: Jianchun Xu
> Assignee: Vikas Kumar
> Priority: Major
>
> RangerKeyStoreProvider illegally writes to key store under Read lock. This
> happens in both getMetadata and getKeyVersion.
> E.g. in following getKeyVersion, under Read lock, the code calls
> `dbStore.engineLoad(null, masterKey)` which reloads all the keys. Since
> multiple threads can hold the Read lock, multiple threads can enter and
> reload all the keys. Thus the 2nd `dbStore.engineContainsAlias(versionName)`
> test and following `dbStore.engineGetDecryptedZoneKeyByte(versionName)` can
> both get wrong result if another thread is reloading keys.
> [https://github.com/apache/ranger/blob/master/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java#L331]
> {code:java}
> @Override
> public KeyVersion getKeyVersion(String versionName) throws IOException {
> if (logger.isDebugEnabled()) {
> logger.debug("==> getKeyVersion({})", versionName);
> }
> KeyVersion ret = null;
> try (AutoClosableReadLock ignored = new AutoClosableReadLock(lock)) {
> if (keyVaultEnabled) {
> try {
> boolean versionNameExists =
> dbStore.engineContainsAlias(versionName);
> if (!versionNameExists) {
> dbStore.engineLoad(null, masterKey);
> versionNameExists =
> dbStore.engineContainsAlias(versionName);
> }
> if (versionNameExists) {
> byte[] decryptKeyByte;
> try {
> decryptKeyByte =
> dbStore.engineGetDecryptedZoneKeyByte(versionName);
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
