-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/75248/
-----------------------------------------------------------

Review request for ranger, bhavik patel, Dhaval Shah, Madhan Neethiraj, and Sailaja Polavarapu.


Repository: ranger


Description
-------

RANGER-3174: Weak Cryptographic Algorithm and hash function used for PBE encryption

Approach:
If the FIPS flag is enabled and the latest algo is configured inside dbks-site.xml, then it decrypts the MasterKey and re-encrypts it. This way, the MK key material remains the same but it gets encrypted with the new algo. The MK format in the DB contains the algo name, so it becomes possible to decide which algo to use to decrypt the material.

Second, for zone keys, one new key attribute is introduced that keeps the name of the algo used to encrypt the key material. If not re-encrypted, it remains empty.

If the FIPS flag is not enabled, there will not be any impact and it should work as before.


Diffs
-----

  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSMKI.java b09cd5bad
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java 39b5d65d1
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java 957d2ca0e
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java db3750ecc
  kms/src/main/java/org/apache/hadoop/crypto/key/SupportedPBECryptoAlgo.java PRE-CREATION


Diff: https://reviews.apache.org/r/75248/diff/1/


Testing
-------

Testing: Old test cluster (without this change)

Step1: Created one EDEK

Request:
curl -ivk -H "Content-Type: application/json" -H -X POST 'http://apacheprtest.site:9292/kms/v1/key/pbealgotest/_eek?eek_op=generate&num_keys=1&user.name=keyadmin'

Response:
{
  "encryptedKeyVersion" : {
    "material" : "G90ZtTKOWIICXG_wpqx0tA",
    "name" : "pbealgotest",
    "versionName" : "EEK"
  },
  "versionName" : "pbealgotest@0",
  "iv" : "6-ZA5dd7a-TWuee3coFzWg"
}

Step2: Decrypted the EDEK

Request:
curl -ivk -H "Content-Type: application/json" -H -X POST --data '{"name":"pbealgotest","iv":"6-ZA5dd7a-TWuee3coFzWg","material":"G90ZtTKOWIICXG_wpqx0tA"}' 'http://apacheprtest.site:9292/kms/v1/keyversion/pbealgotest@0/_eek?eek_op=decrypt&user.name=keyadmin'

Response:
{
  "material" : "7l07elmiCGbeCx2OgCH2Rg",
  "name" : "pbealgotest",
  "versionName" : "EK"
}

Step3: Patch the cluster with current changes
- Update the value of the "ranger.kms.service.masterkey.password.encryption.algorithm" property inside dbks-site.xml from PBEWithMD5AndDES to PBKDF2WithHmacSHA256
- Manually mark the FIPS flag enabled (in code, for testing)
- Restart the cluster

Step4: Here the expectation was as follows:
- MasterKey should get re-encrypted with the latest algo, that is, PBKDF2WithHmacSHA256
- All zone keys should get re-encrypted with PBKDF2WithHmacSHA256

Manually checked the DB changes, which show the following for the MasterKey:

AES,256,8,PBEWithMD5AndDES,SHA,1000,abcdefghijklmnopqrstuvwxyz01234567890,x/H7cBXW6s+nHrh8IcoQ018wwCc2xXmWbTxHGqxZnNOlfGc1Y8KxJg==

And similarly, zone keys start containing one attribute (new attribute introduced) that indicates the algo used to encrypt the key material. It will remain empty if not re-encrypted. Something like the following:

{"key.acl.name":"pbealgotest","abc":"123","keyEncrAlgoName":"PBKDF2WithHmacSHA256"}

Step5: To further verify if existing keys are getting decrypted correctly, I hit the decrypt API again and got the same response. I mean, the same DEK material.

Response:
{
  "material" : "7l07elmiCGbeCx2OgCH2Rg",
  "name" : "pbealgotest",
  "versionName" : "EK"
}

I also verified other APIs like getMetadata, getkey, deletekey etc.


Thanks,

Vikas Kumar
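
The re-encryption approach in the description, as an added Java sketch (not code from the patch or from Ranger): a record tagged with its algorithm name is unwrapped with that algorithm and re-wrapped under a PBKDF2WithHmacSHA256-derived key, leaving the key material unchanged. The class and method names, the comma-separated record layout, the iteration counts and the use of AES-GCM are assumptions of this sketch.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.security.SecureRandom;
import java.util.*;

public class RewrapSketch {
    static final String LEGACY = "PBEWithMD5AndDES", CURRENT = "PBKDF2WithHmacSHA256";
    static final int LEGACY_ITER = 1000, PBKDF2_ITER = 600_000; // constructed values for this sketch
    static final SecureRandom RND = new SecureRandom();
    // Builds the cipher named by the record's algorithm tag; unknown tags are rejected.
    static Cipher cipher(int mode, String algo, char[] pw, byte[] salt, byte[] iv) throws Exception {
        if (LEGACY.equals(algo)) {
            SecretKey k = SecretKeyFactory.getInstance(LEGACY).generateSecret(new PBEKeySpec(pw));
            Cipher c = Cipher.getInstance(LEGACY);
            c.init(mode, k, new PBEParameterSpec(salt, LEGACY_ITER));
            return c;
        }
        if (!CURRENT.equals(algo)) throw new IllegalArgumentException("unsupported algo: " + algo);
        byte[] raw = SecretKeyFactory.getInstance(CURRENT)
                .generateSecret(new PBEKeySpec(pw, salt, PBKDF2_ITER, 256)).getEncoded();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); // cipher choice is this sketch's assumption
        c.init(mode, new SecretKeySpec(raw, "AES"), new GCMParameterSpec(128, iv));
        return c;
    }
    // Hypothetical record layout: algoName,base64(salt),base64(iv),base64(ciphertext)
    static String wrap(String algo, char[] pw, byte[] material) throws Exception {
        byte[] salt = new byte[LEGACY.equals(algo) ? 8 : 16], iv = new byte[12]; // iv unused by legacy
        RND.nextBytes(salt);
        RND.nextBytes(iv);
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, algo, pw, salt, iv).doFinal(material);
        Base64.Encoder e = Base64.getEncoder();
        return String.join(",", algo, e.encodeToString(salt), e.encodeToString(iv), e.encodeToString(ct));
    }
    static byte[] unwrap(String rec, char[] pw) throws Exception {
        String[] f = rec.split(",");
        Base64.Decoder d = Base64.getDecoder();
        return cipher(Cipher.DECRYPT_MODE, f[0], pw, d.decode(f[1]), d.decode(f[2])).doFinal(d.decode(f[3]));
    }
    // Re-wrap only records not already under the current algorithm; the plaintext key is unchanged.
    static String rewrapIfLegacy(String rec, char[] pw) throws Exception {
        return rec.startsWith(CURRENT + ",") ? rec : wrap(CURRENT, pw, unwrap(rec, pw));
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-password".toCharArray();
        byte[] mk = "constructed-master-key-material".getBytes(); // stand-in key material
        String oldRec = wrap(LEGACY, pw, mk), newRec = rewrapIfLegacy(oldRec, pw);
        System.out.println(oldRec.split(",")[0] + " -> " + newRec.split(",")[0]
                + ", material unchanged: " + Arrays.equals(mk, unwrap(newRec, pw)));
    }
}
```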