RANGER-5333: Configurable Master key name for Ranger KMS DB with Luna HSM #680
vikaskr22 merged 3 commits into apache:master from
Conversation
6465e0a to e5ee2a9
dhavalshah9131
left a comment
Hi @ChinmayHegde24,
Ref link: Thales doc
We should have some kind of validation, as per the Thales guidelines, for the alias name string value.
Also, we need to consider how KMS will behave in case of an invalid name, or consider documenting it.
| Key aesKey = new SecretKeySpec(key, MK_CIPHER); | ||
| myStore.setKeyEntry(ALIAS, aesKey, password.toCharArray(), (java.security.cert.Certificate[]) null); | ||
| myStore.setKeyEntry(alias, aesKey, password.toCharArray(), (java.security.cert.Certificate[]) null); |
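Review bot: `myStore.setKeyEntry(alias, ...)` is now called with a configurable alias but still without checking whether an entry with that alias already exists; add an alias-existence check (for example `containsAlias(alias)` on the keystore) before the `setKeyEntry` call, mirroring the check in generateMasterKey(), and validate the alias string against the Thales alias rules referenced above before it reaches the HSM, so that an invalid or duplicate name fails with a clear KMS-side error instead of the HSM's duplicate-key error.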
@ChinmayHegde24, it's not related to your change, but it would be better to add one check to verify whether the key alias already exists or not, the way we check in the generateMasterKey() method.
@dhavalshah9131, is there any reason there is no check for key existence?
83ff229 to e7332cf
@ChinmayHegde24, can you please update the cases you have tested for this patch? It would be helpful to review this PR.
Yeah, please check it once now @vikaskr22
vikaskr22
left a comment
LGTM. Once CI pipeline is passed, it can be merged.
# Conflicts:
#	kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
@kumaab, above, build-11 & plugin-docker-build are failing. Is it a known issue? Can it be merged?
The Master Key name is hard-coded for the Ranger KMS DB integration with Luna HSM.
Refer: https://github.com/apache/ranger/blob/master/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java#L50
It is made configurable so the CU can provide a customised name.
Test:
Successful creation of a new master key with the configured name
Noticed a duplicate key creation error if created with an existing Master key name (as expected)
Successful mvn build
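As an added example (not code from this PR or from Ranger), the alias validation and alias-existence check the review comments ask for, written against the standard java.security.KeyStore API; the alias pattern, the property value and the in-memory JCEKS store standing in for the Luna HSM are assumptions made for the demo.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.regex.Pattern;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class MasterKeyAliasCheck {

    // Assumed alias policy (placeholder, not the Thales rules linked in the review):
    // 1..64 printable characters, no whitespace.
    private static final Pattern ALIAS_RULE = Pattern.compile("^[A-Za-z0-9._-]{1,64}$");

    /** Reject a malformed alias before it is sent to the keystore / HSM. */
    static void validateAlias(String alias) {
        if (alias == null || !ALIAS_RULE.matcher(alias).matches()) {
            throw new IllegalArgumentException("invalid master key alias: " + alias);
        }
    }

    /**
     * Store the master key only if no entry with this alias exists.
     * KeyStore.setKeyEntry silently overwrites an existing entry in a software
     * keystore, while the HSM reports a duplicate-key error; the explicit check
     * gives both back ends the same, predictable behaviour.
     */
    static boolean storeMasterKeyIfAbsent(KeyStore store, String alias, SecretKey key, char[] password)
            throws KeyStoreException {
        validateAlias(alias);
        if (store.containsAlias(alias)) {
            return false; // caller decides: reuse the key, pick another name, or fail
        }
        store.setKeyEntry(alias, key, password, (java.security.cert.Certificate[]) null);
        return true;
    }

    public static void main(String[] args) throws GeneralSecurityException, IOException {
        KeyStore store = KeyStore.getInstance("JCEKS"); // in-memory stand-in for the HSM store
        store.load(null, null);
        char[] password = "demo-password".toCharArray();
        SecretKey aesKey = new SecretKeySpec(new byte[32], "AES"); // constructed zero key, demo only
        String alias = "ranger.kms.master.key"; // assumed value of the new configurable property

        System.out.println("first store:  " + storeMasterKeyIfAbsent(store, alias, aesKey, password));
        System.out.println("second store: " + storeMasterKeyIfAbsent(store, alias, aesKey, password));
        try {
            storeMasterKeyIfAbsent(store, "bad alias with spaces", aesKey, password);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```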