From 3c27b1ac62a067a0648fefb2daf3110de54cc5c5 Mon Sep 17 00:00:00 2001
From: Vikas Kumar
Date: Thu, 27 Nov 2025 22:03:55 +0530
Subject: [PATCH] RANGER-5411: Refactor logic to use external Key as MasterKey to avoid code redundancy
---
 .../hadoop/crypto/key/DB2HSMMKUtil.java | 6 +--
 .../hadoop/crypto/key/DBToKeySecure.java | 6 +--
 .../hadoop/crypto/key/HSM2DBMKUtil.java | 14 ++++---
 .../crypto/key/KeySecureToRangerDBMKUtil.java | 7 +++-
 .../apache/hadoop/crypto/key/RangerHSM.java | 3 +-
 .../hadoop/crypto/key/RangerKMSMKI.java | 4 ++
 .../hadoop/crypto/key/RangerMasterKey.java | 38 +++++++------------
 .../crypto/key/RangerSafenetKeySecure.java | 3 +-
 .../crypto/key/RangerMasterKeyTest.java | 4 +-
 .../key/kms/TestRangerSafenetKeySecure.java | 2 +-
 10 files changed, 44 insertions(+), 43 deletions(-)
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java b/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java
index bbe3e72fb6..0bfa19f494 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java
@@ -76,14 +76,14 @@ private boolean doExportMKToHSM(String hsmType, String partitionName) {
 String password = conf.get(ENCRYPTION_KEY);
 // Get Master Key from Ranger DB
- RangerMasterKey rangerMasterKey = new RangerMasterKey(daoManager);
+ RangerKMSMKI rangerMasterKey = new RangerMasterKey(daoManager);
 String mkey = rangerMasterKey.getMasterKey(password);
 byte[] key = Base64.decode(mkey);
 // Put Master Key in HSM
- RangerHSM rangerHSM = new RangerHSM(conf);
+ RangerKMSMKI rangerHSM = new RangerHSM(conf);
- return rangerHSM.setMasterKey(password, key);
+ return rangerHSM.setExternalKeyAsMK(password, key);
 } catch (Throwable t) {
 throw new RuntimeException("Unable to import Master key from Ranger DB to HSM ", t);
 } finally {
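Review bot: The decoded master key in `byte[] key = Base64.decode(mkey);` is kept in the heap after `rangerHSM.setExternalKeyAsMK(password, key)` returns and is never cleared; since `key` is only needed for that one call, capture the result in a local and add `Arrays.fill(key, (byte) 0);` in the existing finally (import `java.util.Arrays` if the file lacks it). `mkey` is a String and cannot be wiped, so having the DB provider hand back bytes would be a worthwhile follow-up outside this hunk. If `getMasterKey` can return null (the RangerHSM implementation visibly does on at least one path in a later hunk), `Base64.decode(null)` fails with a NullPointerException that the catch only reports as "Unable to import Master key", so a guard such as `if (mkey == null) { throw new IllegalStateException("No Master Key found in Ranger DB"); }` before the decode would give a clearer failure. The wrapped message also says "import" for what this method calls an export, and carries a trailing space. doExportMKToHSM starts and ends outside the hunk.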
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/DBToKeySecure.java b/kms/src/main/java/org/apache/hadoop/crypto/key/DBToKeySecure.java
index dbe41e3197..29d1a37c50 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/DBToKeySecure.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/DBToKeySecure.java
@@ -102,14 +102,14 @@ private boolean doExportMKToKeySecure(String keyName, String username, String pa
 String mkPassword = conf.get(ENCRYPTION_KEY);
 // Get Master Key from Ranger DB
- RangerMasterKey rangerMasterKey = new RangerMasterKey(daoManager);
+ RangerKMSMKI rangerMasterKey = new RangerMasterKey(daoManager);
 String mkey = rangerMasterKey.getMasterKey(mkPassword);
 byte[] key = Base64.decode(mkey);
 if (conf != null) {
- RangerSafenetKeySecure rangerSafenetKeySecure = new RangerSafenetKeySecure(conf);
+ RangerKMSMKI rangerSafenetKeySecure = new RangerSafenetKeySecure(conf);
- return rangerSafenetKeySecure.setMasterKey(password, key, conf);
+ return rangerSafenetKeySecure.setExternalKeyAsMK(password, key);
 }
 return false;
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java b/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java
index 86ab3c8dea..4feb011729 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java
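Review bot: The `if (conf != null)` guard around the new `RangerKMSMKI rangerSafenetKeySecure = new RangerSafenetKeySecure(conf);` no longer protects anything: `conf` was already dereferenced on the hunk's first context line (`conf.get(ENCRYPTION_KEY)`), and the `conf` argument it used to shield was dropped from `setExternalKeyAsMK`, so the `return false;` after it is unreachable in practice. Either remove the guard and return the provider result directly, `return new RangerSafenetKeySecure(conf).setExternalKeyAsMK(password, key);`, or move a null check ahead of the `conf.get` call if it is meant to be meaningful. As in the HSM export, the decoded `key` bytes are never zeroed; `Arrays.fill(key, (byte) 0)` in a finally is cheap insurance for master-key material. Two different secrets flow through here, `mkPassword` from the configuration and `password` from the method's parameters, and a one-line comment naming which is which would help the next reader. doExportMKToKeySecure starts and ends outside the hunk.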
@@ -79,14 +79,18 @@ private void doImportMKFromHSM(String hsmType, String partitionName) {
 String password = conf.get(ENCRYPTION_KEY);
 // Get Master Key from HSM
- RangerHSM rangerHSM = new RangerHSM(conf);
- String mKey = rangerHSM.getMasterKey(password);
- byte[] key = Base64.decode(mKey);
+ RangerKMSMKI rangerHSM = new RangerHSM(conf);
+ String mKey = rangerHSM.getMasterKey(password);
+ byte[] key = Base64.decode(mKey);
 // Put Master Key in Ranger DB
- RangerMasterKey rangerMasterKey = new RangerMasterKey(daoManager);
+ RangerKMSMKI rangerMasterKey = new RangerMasterKey(daoManager);
- rangerMasterKey.generateMKFromHSMMK(password, key);
+ boolean isMKSet = rangerMasterKey.setExternalKeyAsMK(password, key);
+
+ if (!isMKSet) {
+ throw new Exception("MK import from HSM to DB failed");
+ }
 } catch (Throwable t) {
 throw new RuntimeException("Unable to import Master key from HSM to Ranger DB", t);
 } finally {
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/KeySecureToRangerDBMKUtil.java b/kms/src/main/java/org/apache/hadoop/crypto/key/KeySecureToRangerDBMKUtil.java
index c9ca433194..6f92592c0f 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/KeySecureToRangerDBMKUtil.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/KeySecureToRangerDBMKUtil.java
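Review bot: The DB provider's `setExternalKeyAsMK` (visible in a later hunk) returns false both when a master key already exists in the DB, which it deliberately leaves untouched, and when the save returned no id, so the new `throw new Exception("MK import from HSM to DB failed")` turns the former, previously a logged no-op, into a hard failure whose message does not say why. Failing closed is the right choice for a key migration, but name the cause and use an unchecked type since the block rewraps everything as RuntimeException anyway: `throw new IllegalStateException("Master Key not imported: Ranger DB already holds a Master Key or the save returned no id");`. The `-`/`+` pairs for the `String mKey` and `byte[] key` lines differ only in alignment and are review noise. The decoded `key` bytes should also be wiped with `Arrays.fill(key, (byte) 0)` in the finally once stored. doImportMKFromHSM starts and ends outside the hunk.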
@@ -72,9 +72,12 @@ private void doImportMKFromKeySecure(String kmsMKPassword) {
 RangerSafenetKeySecure rangerSafenetKeySecure = new RangerSafenetKeySecure(conf);
 String mKey = rangerSafenetKeySecure.getMasterKey(password);
 byte[] key = Base64.decode(mKey);
- RangerMasterKey rangerMasterKey = new RangerMasterKey(daoManager); // Put Master Key in Ranger DB
+ RangerKMSMKI rangerMasterKey = new RangerMasterKey(daoManager); // Put Master Key in Ranger DB
- rangerMasterKey.generateMKFromKeySecureMK(password, key);
+ boolean isMKSet = rangerMasterKey.setExternalKeyAsMK(password, key);
+ if (!isMKSet) {
+ throw new Exception("MK import from KeySecure to KMS-DB failed");
+ }
 } catch (Throwable t) {
 throw new RuntimeException("Unable to migrate Master key from KeySecure to Ranger DB", t);
 }
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
index 2825aa5992..be1484a421 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
@@ -150,7 +150,8 @@ public String getMasterKey(String password) throws Throwable {
 return null;
 }
- public boolean setMasterKey(String password, byte[] key) {
+ @Override
+ public boolean setExternalKeyAsMK(String password, byte[] key) {
 if (myStore != null) {
 try {
 Key aesKey = new SecretKeySpec(key, MK_CIPHER);
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSMKI.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSMKI.java
index 83789c2e15..1d4a31fcf0 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSMKI.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSMKI.java
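Review bot: `RangerSafenetKeySecure rangerSafenetKeySecure = new RangerSafenetKeySecure(conf);` on the first context line still uses the concrete type while the new `RangerKMSMKI rangerMasterKey` line and the sibling utilities now program against the interface; declare it `RangerKMSMKI rangerSafenetKeySecure = new RangerSafenetKeySecure(conf);` so all four migration tools look the same. The new `throw new Exception("MK import from KeySecure to KMS-DB failed")` fires when the DB already holds a master key (which the DB provider refuses to overwrite and reports as false) as well as when the save returned no id, so say so, e.g. `throw new IllegalStateException("Master Key not imported: Ranger DB already holds a Master Key or the save returned no id");`, and prefer the unchecked type over raw `Exception` inside a block that rewraps as RuntimeException. As in the other importers, clear the decoded `key` bytes with `Arrays.fill(key, (byte) 0)` after the call. doImportMKFromKeySecure starts outside the hunk.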
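Review bot: The renamed `setExternalKeyAsMK` hands the caller's bytes straight to `new SecretKeySpec(key, MK_CIPHER)` with no check on `key`, so a null or empty array surfaces as an IllegalArgumentException from the constructor and, if MK_CIPHER is AES, a key of the wrong length is only rejected later by the provider, presumably inside the try below (outside this hunk) where it would be reported as a bare false. A guard at the top, `if (key == null || key.length == 0) { throw new IllegalArgumentException("Master Key bytes must not be empty"); }`, plus a length check against the sizes MK_CIPHER accepts, would make a misconfigured migration fail with a clear cause. The interface default declares `throws Throwable` while this override declares nothing, which is legal, but a Javadoc line on the override stating that failures are reported through the boolean rather than thrown would save callers from guessing. The method body continues outside the hunk.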
@@ -37,4 +37,8 @@ default void onInitialization() throws Exception {}
 default boolean reencryptMKWithFipsAlgo(String mkPassword) throws Exception {
 return false;
 }
+
+ default boolean setExternalKeyAsMK(String password, byte[] key) throws Throwable {
+ throw new UnsupportedOperationException("This method is not supported for current MK provider");
+ }
 }
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
index 2e840cbfeb..067958b77d 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
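Review bot: The new default `setExternalKeyAsMK` has no Javadoc, yet its contract is exactly what the migration utilities now depend on: true only when the supplied bytes were stored as the master key, false when the provider declined (the DB implementation returns false when a master key already exists and never overwrites it), and an implementation must never replace an existing master key. Add a Javadoc block above it stating those points, what `password` denotes for each provider (the DB caller passes `conf.get(ENCRYPTION_KEY)` while the KeySecure export passes its own `password` parameter), and that the default throws UnsupportedOperationException for providers that cannot accept externally generated key material, which is the right fail-closed behaviour. The `throws Throwable` clause is broader than the sibling `reencryptMKWithFipsAlgo(...) throws Exception`; it appears to exist only because the DB implementation declares Throwable, so either narrow both in a follow-up or say in the Javadoc why Throwable is declared.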
@@ -332,43 +332,31 @@ public boolean reencryptMKWithFipsAlgo(String mkPassword) {
 return isMKReencrypted;
 }
- public void generateMKFromHSMMK(String password, byte[] key) throws Throwable {
- logger.debug("==> RangerMasterKey.generateMKFromHSMMK()");
-
- if (!checkMKExistence(this.masterKeyDao)) {
- logger.info("Master Key doesn't exist in DB, Generating the Master Key");
-
- String encryptedMasterKey = encryptMasterKey(password, key);
- String savedKey = saveEncryptedMK(paddingString + "," + encryptedMasterKey);
-
- if (savedKey != null && !savedKey.trim().equals("")) {
- logger.debug("Master Key Created with id = {}", savedKey);
- logger.debug("<== RangerMasterKey.generateMKFromHSMMK()");
- }
- } else {
- logger.debug("Ranger Master Key already exists in the DB, returning.");
- }
-
- logger.debug("<== RangerMasterKey.generateMKFromHSMMK()");
- }
+ @Override
+ public boolean setExternalKeyAsMK(String password, byte[] key)throws Throwable {
+ logger.debug("==> RangerMasterKey.useExternalKeyAsMK()");
- public void generateMKFromKeySecureMK(String password, byte[] key) throws Throwable {
- logger.debug("==> RangerMasterKey.generateMKFromKeySecureMK()");
+ boolean keySetAsMK = false;
 if (!checkMKExistence(this.masterKeyDao)) {
- logger.info("Master Key doesn't exist in DB, Generating the Master Key");
+ logger.info("Master Key doesn't exist in DB, encrypting and storing the provided Master Key");
 String encryptedMasterKey = encryptMasterKey(password, key);
 String savedKey = saveEncryptedMK(paddingString + "," + encryptedMasterKey);
 if (savedKey != null && !savedKey.trim().equals("")) {
- logger.debug("Master Key Created with id = {}", savedKey);
+ keySetAsMK = true;
+ logger.info("Master Key Created with id = {}", savedKey);
+ logger.debug("<== RangerMasterKey.useExternalKeyAsMK()");
 }
 } else {
- logger.debug("Ranger Master Key already exists in the DB, returning.");
+ String errMsg = "Ranger Master Key already exists in the DB, returning.";
+ logger.warn(errMsg);
 }
- logger.debug("<== RangerMasterKey.generateMKFromKeySecureMK()");
+ logger.debug("<== RangerMasterKey.useExternalKeyAsMK()");
+
+ return keySetAsMK;
 }
 private String decryptMasterKey(byte[] masterKey, String password, String encryptedPassString) throws Throwable {
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
index f2b1db3bff..9832ac4eb5 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
@@ -165,7 +165,8 @@ public String getMasterKey(String password) throws Throwable {
 return null;
 }
- public boolean setMasterKey(String password, byte[] key, Configuration conf) {
+ @Override
+ public boolean setExternalKeyAsMK(String password, byte[] key) {
 if (myStore != null) {
 try {
 Key aesKey = new SecretKeySpec(key, MK_ALGO);
diff --git a/kms/src/test/java/org/apache/hadoop/crypto/key/RangerMasterKeyTest.java b/kms/src/test/java/org/apache/hadoop/crypto/key/RangerMasterKeyTest.java
index e76f2341cd..4b661153fc 100644
--- a/kms/src/test/java/org/apache/hadoop/crypto/key/RangerMasterKeyTest.java
+++ b/kms/src/test/java/org/apache/hadoop/crypto/key/RangerMasterKeyTest.java
@@ -183,7 +183,7 @@ public void testGenerateMKFromHSMMK() throws Throwable {
 byte[] key = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17};
- rangerMasterKey.generateMKFromHSMMK(password, key);
+ rangerMasterKey.setExternalKeyAsMK(password, key);
 }
 @Test
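Review bot: The trace messages in the new method name a method that does not exist: `logger.debug("==> RangerMasterKey.useExternalKeyAsMK()")` and both `<==` lines say `useExternalKeyAsMK` while the method is `setExternalKeyAsMK`, which will mislead anyone correlating logs with code; change all three to `RangerMasterKey.setExternalKeyAsMK()`, and drop the inner `<==` debug inside the `if (savedKey != null ...)` branch since the unconditional one before `return keySetAsMK;` already covers that path. `String errMsg = "Ranger Master Key already exists in the DB, returning."; logger.warn(errMsg);` names a message that is only warned, never thrown; inline it into the warn call, and because the importers now treat false as a hard failure, add a Javadoc line above the method stating that false means an existing master key was deliberately left in place and is never overwritten, or that the save returned no id. `byte[] key)throws Throwable` is missing a space before `throws`. The `checkMKExistence` check and the `saveEncryptedMK` call are not atomic, so two concurrent importers could presumably both pass the check; that predates this change but deserves a comment.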
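Review bot: `rangerMasterKey.setExternalKeyAsMK(password, key);` now returns a boolean saying whether the key was actually stored, but the test still discards it, so a run in which the DB already holds a master key (where the method returns false) passes unchanged. Assert the result, `assertTrue(rangerMasterKey.setExternalKeyAsMK(password, key));`, and consider a second call asserting false to pin the no-overwrite behaviour the migration utilities now rely on. testGenerateMKFromHSMMK starts outside the hunk.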
@@ -197,7 +197,7 @@ public void testGenerateMKFromKeySecureMK() throws Throwable {
 byte[] key = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17};
- rangerMasterKey.generateMKFromKeySecureMK(password, key);
+ rangerMasterKey.setExternalKeyAsMK(password, key);
 assertNotNull(rangerMasterKey.getMasterKey(password));
 }
diff --git a/kms/src/test/java/org/apache/hadoop/crypto/key/kms/TestRangerSafenetKeySecure.java b/kms/src/test/java/org/apache/hadoop/crypto/key/kms/TestRangerSafenetKeySecure.java
index d4c2e33295..ea135e9a56 100644
--- a/kms/src/test/java/org/apache/hadoop/crypto/key/kms/TestRangerSafenetKeySecure.java
+++ b/kms/src/test/java/org/apache/hadoop/crypto/key/kms/TestRangerSafenetKeySecure.java
@@ -86,7 +86,7 @@ public void testSetMasterKey_WithNullKeystore_ShouldReturnFalse() throws Excepti
 storeField.setAccessible(true);
 storeField.set(secure, null);
- boolean result = secure.setMasterKey("pass", "mockKey".getBytes(), new Configuration());
+ boolean result = secure.setExternalKeyAsMK("pass", "mockKey".getBytes());
 assertFalse(result);
 }