vikaskr22 commented on code in PR #721:
URL: https://github.com/apache/ranger/pull/721#discussion_r2488897454
##########
kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java:
##########
@@ -181,17 +182,16 @@ public void init() {
defaultCryptAlgo = isFipsEnabled ?
SupportedPBECryptoAlgo.PBKDF2WithHmacSHA256 : defaultCryptAlgo;
mkCipher =
getConfig("ranger.kms.service.masterkey.password.cipher", DEFAULT_MK_CIPHER);
mkKeySize =
getIntConfig("ranger.kms.service.masterkey.password.size", DEFAULT_MK_KeySize);
- saltSize =
getIntConfig("ranger.kms.service.masterkey.password.salt.size",
DEFAULT_SALT_SIZE);
- salt =
getConfig("ranger.kms.service.masterkey.password.salt", DEFAULT_SALT);
pbeAlgo =
getConfig("ranger.kms.service.masterkey.password.encryption.algorithm",
defaultCryptAlgo.getAlgoName());
encrCryptoAlgo = SupportedPBECryptoAlgo.valueOf(pbeAlgo);
+ saltSize =
calculateCompliantSaltSize(getIntConfig("ranger.kms.service.masterkey.password.salt.size",
DEFAULT_SALT_SIZE), encrCryptoAlgo);
+ salt =
getConfig("ranger.kms.service.masterkey.password.salt", DEFAULT_SALT);
mdAlgo =
getConfig("ranger.kms.service.masterkey.password.md.algorithm", defaultMdAlgo);
iterationCount =
getIntConfig("ranger.kms.service.masterkey.password.iteration.count",
DEFAULT_ITERATION_COUNT);
paddingString = Joiner.on(",").skipNulls().join(mkCipher,
mkKeySize, saltSize, pbeAlgo, mdAlgo, iterationCount, salt);
logger.info("Selected DEFAULT_CRYPT_ALGO={}", defaultCryptAlgo);
- logger.info("Selected MD_ALGO={}", mdAlgo);
- logger.info("Selected ENCR_CRYPTO_ALGO={}", encrCryptoAlgo);
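Review bot: at the new `saltSize = calculateCompliantSaltSize(...)` assignment, the effective salt size may differ from the configured `ranger.kms.service.masterkey.password.salt.size`, and nothing in the visible lines records that before the value is joined into `paddingString`. Consider logging both the configured and the effective salt size next to the `Selected DEFAULT_CRYPT_ALGO` line whenever they differ, and documenting on `calculateCompliantSaltSize` what it returns for each `SupportedPBECryptoAlgo`. Separately, `salt = getConfig(...)` is removed and re-added unchanged; only `saltSize` depends on `encrCryptoAlgo`, so leaving the `salt` line where it was would keep the diff to the one assignment that actually changes.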
Review Comment:
Thanks @spolavarpau1 for the review.
These details are required to know in case of any failure. Earlier it was
kept at DEBUG level only, but I am intentionally making it INFO level. This
will be logged only once during KMS startup (or re-encryption), not
frequently.
It selects the encrAlgo and MD algo based on the provided input or, if not provided,
based on the KeyStore file type. So some basic logic is there, and it would be
helpful to know these parameters to debug any runtime issues.
Please let me know your thoughts.