Re: Review Request 44757: Add support for Hardware Security Modules (HSM) to Ranger

[Ankita Sinha]

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/44757/
-----------------------------------------------------------

(Updated April 13, 2016, 2:16 p.m.)


Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, 
Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, and 
Velmurugan Periasamy.


Changes
-------

Updated the Patch to get applied on latest Master Branch


Bugs: RANGER-868
    https://issues.apache.org/jira/browse/RANGER-868


Repository: ranger


Description
-------

** Problem Statement **
1. Ranger KMS needs to have a option of saving Master Key in HSM.
2. Ranger KMS need to support HSM HA.
3. Ranger KMS needs to have functionality of migrating Master Key to HSM from 
Ranger KMS DB and vice versa.

** Proposed Solution **
1. To give option to Store Ranger KMS Master Key to either DB/HSM.
2. Create a new Provider in Ranger KMS to support HSM.
3. Develop Migration script for migrating Ranger KMS Master Key from HSM to 
Ranger KMS DB and vice versa.


Diffs (updated)
-----

  kms/config/kms-webapp/dbks-site.xml edaff93 
  kms/scripts/DBMK2HSM.sh PRE-CREATION 
  kms/scripts/HSMMK2DB.sh PRE-CREATION 
  kms/scripts/install.properties d30b28c 
  kms/scripts/setup.sh 64abcc7 
  kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java PRE-CREATION 
  kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java PRE-CREATION 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java PRE-CREATION 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSMKI.java PRE-CREATION 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java 
a9e43fc 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java 75a34b2 
  src/main/assembly/kms.xml e267687 

Diff: https://reviews.apache.org/r/44757/diff/


Testing
-------

** Testing Done **
1. Tested Ranger KMS with HSM enabled as well as disabled.
2. Tested Ranger KMS with HSM in secure environment.
3. Tested Ranger KMS in HSM HA mode.
4. Tested migration script for migrating Master Key from Ranger KMS DB to HSM.
5. Tested migration script for migrating Master Key from HSM to Ranger KMS DB.
6. Tested for all the Key operations (create, delete, rollover and list) 
through UI, CURL and hadoop command.
7. Tested for Zone operations related operation.
8. Tested for Copying file from one Zone to another.


Thanks,

Ankita Sinha