RANGER-5411: Refactor logic to use external Key as MasterKey to avoid…

kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java

@@ -76,14 +76,14 @@ private boolean doExportMKToHSM(String hsmType, String partitionName) {
             String      password    = conf.get(ENCRYPTION_KEY);
 
             // Get Master Key from Ranger DB
-            RangerMasterKey rangerMasterKey = new RangerMasterKey(daoManager);
+            RangerKMSMKI rangerMasterKey    = new RangerMasterKey(daoManager);
             String          mkey            = rangerMasterKey.getMasterKey(password);
             byte[]          key             = Base64.decode(mkey);
 
             // Put Master Key in HSM
-            RangerHSM rangerHSM = new RangerHSM(conf);
+            RangerKMSMKI rangerHSM = new RangerHSM(conf);
 
-            return rangerHSM.setMasterKey(password, key);
+            return rangerHSM.setExternalKeyAsMK(password, key);
         } catch (Throwable t) {
             throw new RuntimeException("Unable to import Master key from Ranger DB to HSM ", t);
         } finally {

kms/src/main/java/org/apache/hadoop/crypto/key/DBToKeySecure.java

@@ -102,14 +102,14 @@ private boolean doExportMKToKeySecure(String keyName, String username, String pa
             String      mkPassword  = conf.get(ENCRYPTION_KEY);
 
             // Get Master Key from Ranger DB
-            RangerMasterKey rangerMasterKey = new RangerMasterKey(daoManager);
+            RangerKMSMKI rangerMasterKey    = new RangerMasterKey(daoManager);
             String          mkey            = rangerMasterKey.getMasterKey(mkPassword);
             byte[]          key             = Base64.decode(mkey);
 
             if (conf != null) {
-                RangerSafenetKeySecure rangerSafenetKeySecure = new RangerSafenetKeySecure(conf);
+                RangerKMSMKI rangerSafenetKeySecure = new RangerSafenetKeySecure(conf);
 
-                return rangerSafenetKeySecure.setMasterKey(password, key, conf);
+                return rangerSafenetKeySecure.setExternalKeyAsMK(password, key);
             }
 
             return false;

kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java

@@ -79,14 +79,18 @@ private void doImportMKFromHSM(String hsmType, String partitionName) {
             String      password    = conf.get(ENCRYPTION_KEY);
 
             // Get Master Key from HSM
-            RangerHSM rangerHSM = new RangerHSM(conf);
-            String    mKey      = rangerHSM.getMasterKey(password);
-            byte[]    key       = Base64.decode(mKey);
+            RangerKMSMKI rangerHSM  = new RangerHSM(conf);
+            String    mKey          = rangerHSM.getMasterKey(password);
+            byte[]    key           = Base64.decode(mKey);
 
             // Put Master Key in Ranger DB
-            RangerMasterKey rangerMasterKey = new RangerMasterKey(daoManager);
+            RangerKMSMKI rangerMasterKey = new RangerMasterKey(daoManager);
 
-            rangerMasterKey.generateMKFromHSMMK(password, key);
+            boolean isMKSet = rangerMasterKey.setExternalKeyAsMK(password, key);
+
+            if (!isMKSet) {
+                throw new Exception("MK import from HSM to DB failed");
+            }
         } catch (Throwable t) {
             throw new RuntimeException("Unable to import Master key from HSM to Ranger DB", t);
         } finally {

kms/src/main/java/org/apache/hadoop/crypto/key/KeySecureToRangerDBMKUtil.java

@@ -72,9 +72,12 @@ private void doImportMKFromKeySecure(String kmsMKPassword) {
             RangerSafenetKeySecure rangerSafenetKeySecure = new RangerSafenetKeySecure(conf);
             String                 mKey                   = rangerSafenetKeySecure.getMasterKey(password);
             byte[]                 key                    = Base64.decode(mKey);
-            RangerMasterKey        rangerMasterKey        = new RangerMasterKey(daoManager); // Put Master Key in Ranger DB
+            RangerKMSMKI        rangerMasterKey        = new RangerMasterKey(daoManager); // Put Master Key in Ranger DB
 
-            rangerMasterKey.generateMKFromKeySecureMK(password, key);
+            boolean isMKSet = rangerMasterKey.setExternalKeyAsMK(password, key);
+            if (!isMKSet) {
+                throw new Exception("MK import from KeySecure to KMS-DB failed");
+            }
         } catch (Throwable t) {
             throw new RuntimeException("Unable to migrate Master key from KeySecure to Ranger DB", t);
         }

kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java

@@ -150,7 +150,8 @@ public String getMasterKey(String password) throws Throwable {
         return null;
     }
 
-    public boolean setMasterKey(String password, byte[] key) {
+    @Override
+    public boolean setExternalKeyAsMK(String password, byte[] key) {
         if (myStore != null) {
             try {
                 Key aesKey = new SecretKeySpec(key, MK_CIPHER);

kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSMKI.java

@@ -37,4 +37,8 @@ default void onInitialization() throws Exception {}
     default boolean reencryptMKWithFipsAlgo(String mkPassword) throws Exception {
         return  false;
     }
+
+    default boolean setExternalKeyAsMK(String password, byte[] key) throws Throwable {
+        throw new UnsupportedOperationException("This method is not supported for current MK provider");
+    }
 }

kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java

@@ -332,43 +332,31 @@ public boolean reencryptMKWithFipsAlgo(String mkPassword) {
         return isMKReencrypted;
     }
 
-    public void generateMKFromHSMMK(String password, byte[] key) throws Throwable {
-        logger.debug("==> RangerMasterKey.generateMKFromHSMMK()");
-
-        if (!checkMKExistence(this.masterKeyDao)) {
-            logger.info("Master Key doesn't exist in DB, Generating the Master Key");
-
-            String encryptedMasterKey = encryptMasterKey(password, key);
-            String savedKey           = saveEncryptedMK(paddingString + "," + encryptedMasterKey);
-
-            if (savedKey != null && !savedKey.trim().equals("")) {
-                logger.debug("Master Key Created with id = {}", savedKey);
-                logger.debug("<== RangerMasterKey.generateMKFromHSMMK()");
-            }
-        } else {
-            logger.debug("Ranger Master Key already exists in the DB, returning.");
-        }
-
-        logger.debug("<== RangerMasterKey.generateMKFromHSMMK()");
-    }
+    @Override
+    public boolean setExternalKeyAsMK(String password, byte[] key)throws Throwable {
+        logger.debug("==> RangerMasterKey.useExternalKeyAsMK()");
 
-    public void generateMKFromKeySecureMK(String password, byte[] key) throws Throwable {
-        logger.debug("==> RangerMasterKey.generateMKFromKeySecureMK()");
+        boolean keySetAsMK = false;
 
         if (!checkMKExistence(this.masterKeyDao)) {
-            logger.info("Master Key doesn't exist in DB, Generating the Master Key");
+            logger.info("Master Key doesn't exist in DB, encrypting and storing the provided Master Key");
 
             String encryptedMasterKey = encryptMasterKey(password, key);
             String savedKey           = saveEncryptedMK(paddingString + "," + encryptedMasterKey);
 
             if (savedKey != null && !savedKey.trim().equals("")) {
-                logger.debug("Master Key Created with id = {}", savedKey);
+                keySetAsMK = true;
+                logger.info("Master Key Created with id = {}", savedKey);
+                logger.debug("<== RangerMasterKey.useExternalKeyAsMK()");
             }
         } else {
-            logger.debug("Ranger Master Key already exists in the DB, returning.");
+            String errMsg = "Ranger Master Key already exists in the DB, returning.";
+            logger.warn(errMsg);
         }
 
-        logger.debug("<== RangerMasterKey.generateMKFromKeySecureMK()");
+        logger.debug("<== RangerMasterKey.useExternalKeyAsMK()");
+
+        return keySetAsMK;
     }
 
     private String decryptMasterKey(byte[] masterKey, String password, String encryptedPassString) throws Throwable {

kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java

@@ -165,7 +165,8 @@ public String getMasterKey(String password) throws Throwable {
         return null;
     }
 
-    public boolean setMasterKey(String password, byte[] key, Configuration conf) {
+    @Override
+    public boolean setExternalKeyAsMK(String password, byte[] key) {
         if (myStore != null) {
             try {
                 Key aesKey = new SecretKeySpec(key, MK_ALGO);

kms/src/test/java/org/apache/hadoop/crypto/key/RangerMasterKeyTest.java

@@ -183,7 +183,7 @@ public void testGenerateMKFromHSMMK() throws Throwable {
         byte[] key = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
                 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
                 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17};
-        rangerMasterKey.generateMKFromHSMMK(password, key);
+        rangerMasterKey.setExternalKeyAsMK(password, key);
     }
 
     @Test
@@ -197,7 +197,7 @@ public void testGenerateMKFromKeySecureMK() throws Throwable {
         byte[] key = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
                 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
                 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17};
-        rangerMasterKey.generateMKFromKeySecureMK(password, key);
+        rangerMasterKey.setExternalKeyAsMK(password, key);
 
         assertNotNull(rangerMasterKey.getMasterKey(password));
     }

kms/src/test/java/org/apache/hadoop/crypto/key/kms/TestRangerSafenetKeySecure.java

@@ -86,7 +86,7 @@ public void testSetMasterKey_WithNullKeystore_ShouldReturnFalse() throws Excepti
         storeField.setAccessible(true);
         storeField.set(secure, null);
 
-        boolean result = secure.setMasterKey("pass", "mockKey".getBytes(), new Configuration());
+        boolean result = secure.setExternalKeyAsMK("pass", "mockKey".getBytes());
         assertFalse(result);
     }