[ https://issues.apache.org/jira/browse/RANGER-5169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17942391#comment-17942391 ]
Vikas Kumar commented on RANGER-5169:
-------------------------------------

*Analysis:*
It all happened due to different Masterkey format:

older format:
abcdefghijklmnopqrstuvwxyz01234567890,vYL1+RJRCYz3xNWWsT3rNt69/1zv71FefCSFArdvCdXqQ2ofvVfROg==

New Format:
AES,256,8,PBEWithMD5AndDES,SHA,1000,abcdefghijklmnopqrstuvwxyz01234567890,vYL1+RJRCYz3xNWWsT3rNt69/1zv71FefCSFArdvCdXqQ2ofvVfROg==

As per RangerMasterkey code, it initialises the metadata part while it reads it from DB. In older format, metadata doesn't exist in DB, so it should be initialised with the default values. But init() method (that initialises the default values) is being called selectively from generateMasterKey() method. As a result, when *org.apache.hadoop.crypto.key.DB2HSMMKUtil* is instantiating the RangerMasterkey and trying to fetch MK from DB, MessageDigest is not initialised and coming as null. Hence the NPE.

*Fix:*
Ideally init() method should be called from its constructor, so that it remains available for all invocations.

> Error while migrating Masterkey from HDP format to external key store
> ---------------------------------------------------------------------
>
>                 Key: RANGER-5169
>                 URL: https://issues.apache.org/jira/browse/RANGER-5169
>             Project: Ranger
>          Issue Type: Bug
>          Components: kms
>            Reporter: Vikas Kumar
>            Assignee: Vikas Kumar
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> *Error:*
> While migrating master key to Luna HSM (for example), it first gets the
> Masterkey from DB, decrypts it and then sends it to Luna. It works perfectly
> fine if master key is of the latest format where it contains the metadata in
> the master_key column.
> But in older HDP cluster, it only contains the master key material and other
> metadata like encryption algorithm, message digest algorithm etc needs to be
> initialised with default values.
> {code:java}
> Connected to DB : true
> Getting Master Key
> Exception in thread "main" java.lang.RuntimeException: Unable to import Master key from Ranger DB to HSM
>     at org.apache.hadoop.crypto.key.DB2HSMMKUtil.doExportMKToHSM(DB2HSMMKUtil.java:93)
>     at org.apache.hadoop.crypto.key.DB2HSMMKUtil.main(DB2HSMMKUtil.java:58)
> Caused by: java.lang.NullPointerException
>     at java.security.Provider$ServiceKey.<init>(Provider.java:872)
>     at java.security.Provider$ServiceKey.<init>(Provider.java:865)
>     at java.security.Provider.getService(Provider.java:1039)
>     at sun.security.jca.ProviderList.getService(ProviderList.java:332)
>     at sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
>     at java.security.Security.getImpl(Security.java:775)
>     at java.security.MessageDigest.getInstance(MessageDigest.java:170)
>     at org.apache.hadoop.crypto.key.RangerMasterKey.getPBEParameterSpec(RangerMasterKey.java:449)
>     at org.apache.hadoop.crypto.key.RangerMasterKey.decryptMasterKey(RangerMasterKey.java:255)
> {code}
> *RCA:* This metadata part needs to be initialised explicitly for the older key
> format.
> I know the fix and will raise a PR.
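
The failure mode and the fix described in the comment above, as an added example that is not part of the original message and is not Ranger's code: a hypothetical `MasterKeyRecord` class sets default metadata in its constructor, so a two-field (older format) value and an eight-field (new format) value both produce a usable `MessageDigest`. The class name, field names and default values (copied from the sample new-format string) are assumptions.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical class, not Ranger's RangerMasterKey.
public class MasterKeyRecord {
    String cipher, pbeAlgo, mdAlgo;
    int keySize, saltSize, iterations;
    String[] payload; // the last two comma-separated fields, kept opaque

    MasterKeyRecord() {
        init(); // runs for every instance, whichever code path uses it later
    }

    // Assumed defaults, taken from the new-format sample string in the comment.
    private void init() {
        cipher = "AES"; keySize = 256; saltSize = 8;
        pbeAlgo = "PBEWithMD5AndDES"; mdAlgo = "SHA"; iterations = 1000;
    }

    // Accepts both layouts: 2 fields (older) or 6 metadata fields + 2 (new).
    static MasterKeyRecord parse(String dbValue) {
        String[] f = dbValue.split(",");
        MasterKeyRecord r = new MasterKeyRecord();
        if (f.length == 8) {
            r.cipher = f[0]; r.keySize = Integer.parseInt(f[1]);
            r.saltSize = Integer.parseInt(f[2]); r.pbeAlgo = f[3];
            r.mdAlgo = f[4]; r.iterations = Integer.parseInt(f[5]);
            r.payload = new String[] { f[6], f[7] };
        } else if (f.length == 2) {
            r.payload = f; // metadata stays at the constructor defaults
        } else {
            throw new IllegalArgumentException("unexpected field count: " + f.length);
        }
        return r;
    }

    // MessageDigest.getInstance(null) throws NullPointerException, which is
    // the failure in the stack trace when mdAlgo was never initialised.
    MessageDigest digest() throws NoSuchAlgorithmException {
        return MessageDigest.getInstance(mdAlgo);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not real key material.
        String older = "samplePassword,c2FtcGxlLWVuY3J5cHRlZC1rZXk=";
        String newer = "AES,256,8,PBEWithMD5AndDES,SHA,1000," + older;
        for (String v : new String[] { older, newer }) {
            MasterKeyRecord r = parse(v);
            System.out.println(r.payload.length + " payload fields, md=" + r.digest().getAlgorithm());
        }
    }
}
```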