
Example 6 with XXRangerKeyStore

use of org.apache.ranger.entity.XXRangerKeyStore in project ranger by apache.

Class DBToAzureKeyVault, method doExportMKToAzureKeyVault.

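/**
 * Migrates the Ranger KMS DB key store to an Azure Key Vault master key.
 *
 * <p>The DB master-key password is read from {@code conf.get(ENCRYPTION_KEY)}; the Azure
 * settings given as parameters are written into {@code conf}, a {@link KeyVaultClient} is
 * authenticated (certificate or client secret depending on {@code sslEnabled}), and a
 * {@link RangerAzureKeyVaultKeyGenerator} is asked to generate the master key. On success every
 * alias in the DB store is loaded, passed through
 * {@code convertKeysBetweenRangerKMSAndAzureKeyVault} (presumably re-encrypting it under the
 * Key Vault master key — confirm in RangerKeyStore) and the converted entries are written back
 * with {@code dbOperationStore}. All entries are converted before any is stored, so a conversion
 * failure leaves the DB untouched.
 *
 * @param sslEnabled when {@code true}, {@code passwordOrCertPath} is a client-certificate path
 *     and {@code certificatePassword} its password; otherwise it is the Azure client secret
 * @param masterKeyName alias stored under {@code AZURE_MASTER_KEY_ALIAS}
 * @param masterKeyType value stored under {@code AZURE_MASTER_KEY_TYPE}
 * @param zoneKeyEncryptionAlgo value stored under {@code ZONE_KEY_ENCRYPTION_ALGO}
 * @param azureClientId Azure client id used to authenticate
 * @param azureKeyVaultUrl Key Vault URL stored under {@code AZURE_KEYVAULT_URL}
 * @param passwordOrCertPath client secret, or certificate path when {@code sslEnabled}
 * @param certificatePassword certificate password; {@code null}/empty is passed on as ""
 * @param conf Ranger KMS configuration; mutated with the Azure properties above and assigned
 *     to the {@code dbStore} field via the new {@link RangerKeyStore}
 * @return {@code true} once all DB entries are converted and stored; {@code false} if master-key
 *     generation in Key Vault reported failure
 * @throws RuntimeException wrapping any failure, including a missing or placeholder
 *     {@code ENCRYPTION_KEY}; the JVM exits with status 1 when no Key Vault client could be built
 */
private boolean doExportMKToAzureKeyVault(boolean sslEnabled, String masterKeyName, String masterKeyType, String zoneKeyEncryptionAlgo, String azureClientId, String azureKeyVaultUrl, String passwordOrCertPath, String certificatePassword, Configuration conf) {
    try {
        String mKeyPass = conf.get(ENCRYPTION_KEY);
        // Reject the unset value and the placeholder values ("_", "crypted") that stand in for
        // a real password.
        String trimmedPass = mKeyPass == null ? "" : mKeyPass.trim();
        if (trimmedPass.isEmpty() || trimmedPass.equals("_") || trimmedPass.equals("crypted")) {
            throw new IOException("Master Key Jceks does not exists");
        }
        conf.set(AZURE_MASTER_KEY_TYPE, masterKeyType);
        conf.set(ZONE_KEY_ENCRYPTION_ALGO, zoneKeyEncryptionAlgo);
        conf.set(AZURE_MASTER_KEY_ALIAS, masterKeyName);
        conf.set(AZURE_CLIENT_ID, azureClientId);
        conf.set(AZURE_KEYVAULT_URL, azureKeyVaultUrl);
        RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);
        DaoManager daoManager = rangerkmsDb.getDaoManager();

        KeyVaultClient kvClient;
        if (sslEnabled) {
            conf.set(AZURE_KEYVAULT_CERTIFICATE_PATH, passwordOrCertPath);
            AzureKeyVaultClientAuthenticator authenticator = new AzureKeyVaultClientAuthenticator(azureClientId);
            // A missing certificate password is handed over as "" rather than null.
            String certPass = StringUtils.isEmpty(certificatePassword) ? "" : certificatePassword;
            kvClient = authenticator.getAuthentication(passwordOrCertPath, certPass);
        } else {
            conf.set(AZURE_CLIENT_SECRET, passwordOrCertPath);
            AzureKeyVaultClientAuthenticator authenticator = new AzureKeyVaultClientAuthenticator(azureClientId, passwordOrCertPath);
            kvClient = new KeyVaultClient(authenticator);
        }
        if (kvClient == null) {
            System.err.println("Key Vault is null. Please check the azure related configs.");
            System.exit(1);
        }

        RangerKMSMKI rangerKVKeyGenerator = new RangerAzureKeyVaultKeyGenerator(conf, kvClient);
        if (!rangerKVKeyGenerator.generateMasterKey(mKeyPass)) {
            return false;
        }

        dbStore = new RangerKeyStore(daoManager, conf, kvClient);
        // Get Master Key from Ranger DB
        RangerMasterKey rangerMasterKey = new RangerMasterKey(daoManager);
        char[] mkey = rangerMasterKey.getMasterKey(mKeyPass).toCharArray();
        try {
            dbStore.engineLoad(null, mkey);
            // Convert every entry first and only then persist, so a failure part-way through
            // conversion does not leave the DB half-migrated.
            List<XXRangerKeyStore> converted = new ArrayList<>();
            Enumeration<String> aliases = dbStore.engineAliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                Key key = dbStore.engineGetKey(alias, mkey);
                converted.add(dbStore.convertKeysBetweenRangerKMSAndAzureKeyVault(alias, key, rangerKVKeyGenerator));
            }
            for (XXRangerKeyStore entry : converted) {
                dbStore.dbOperationStore(entry);
            }
        } finally {
            // The DB master key is not needed once the entries are stored; scrub the chars
            // instead of leaving the secret in the heap until it is collected.
            java.util.Arrays.fill(mkey, '\0');
        }
        return true;
    } catch (Throwable t) {
        throw new RuntimeException("Unable to import Master key from Ranger DB to Azure Key Vault ", t);
    }
}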

Example 7 with XXRangerKeyStore

use of org.apache.ranger.entity.XXRangerKeyStore in project ranger by apache.

Class MigrateDBMKeyToGCP, method doExportMKToGcp.

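/**
 * Migrates the Ranger KMS DB key store to a Google Cloud KMS master key.
 *
 * <p>The DB master-key password is read from {@code conf.get(ENCRYPTION_KEY)}. The
 * {@code rangerGcpProvider} field is asked to generate the master key (with a {@code null}
 * argument; {@code masterKeyName} is only used in the progress messages here, so the provider is
 * presumably configured with the name elsewhere — confirm). On success every alias in the DB
 * store is loaded, passed through {@code convertKeysBetweenRangerKMSAndGCP} and the converted
 * entries are written back with {@code dbOperationStore}. All entries are converted before any
 * is stored, so a conversion failure leaves the DB untouched.
 *
 * @param conf Ranger KMS configuration; assigned to the {@code dbStore} field via the new
 *     {@link RangerKeyStore}
 * @param masterKeyName name reported in the progress messages printed to stdout
 * @return {@code true} once all DB entries are converted and stored; {@code false} if master-key
 *     generation on Google Cloud KMS reported failure
 * @throws RuntimeException wrapping any failure, including a missing or placeholder
 *     {@code ENCRYPTION_KEY}
 */
private boolean doExportMKToGcp(Configuration conf, final String masterKeyName) {
    try {
        String mKeyPass = conf.get(ENCRYPTION_KEY);
        // Reject the unset value and the placeholder values ("_", "crypted") that stand in for
        // a real password.
        String trimmedPass = mKeyPass == null ? "" : mKeyPass.trim();
        if (trimmedPass.isEmpty() || trimmedPass.equals("_") || trimmedPass.equals("crypted")) {
            throw new IOException("Master Key Jceks does not exists");
        }
        RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);
        DaoManager daoManager = rangerkmsDb.getDaoManager();
        System.out.println("Creating masterkey with the name - " + masterKeyName);
        if (!rangerGcpProvider.generateMasterKey(null)) {
            return false;
        }
        System.out.println("Masterkey with the name '" + masterKeyName + "' created successfully on Google Cloud KMS.");

        dbStore = new RangerKeyStore(daoManager, false, rangerGcpProvider);
        // Get Master Key from Ranger DB
        RangerMasterKey rangerMasterKey = new RangerMasterKey(daoManager);
        char[] mkey = rangerMasterKey.getMasterKey(mKeyPass).toCharArray();
        try {
            dbStore.engineLoad(null, mkey);
            // Convert every entry first and only then persist, so a failure part-way through
            // conversion does not leave the DB half-migrated.
            List<XXRangerKeyStore> converted = new ArrayList<>();
            Enumeration<String> aliases = dbStore.engineAliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                Key key = dbStore.engineGetKey(alias, mkey);
                converted.add(dbStore.convertKeysBetweenRangerKMSAndGCP(alias, key, rangerGcpProvider));
            }
            for (XXRangerKeyStore entry : converted) {
                dbStore.dbOperationStore(entry);
            }
        } finally {
            // The DB master key is not needed once the entries are stored; scrub the chars
            // instead of leaving the secret in the heap until it is collected.
            java.util.Arrays.fill(mkey, '\0');
        }
        return true;
    } catch (Throwable t) {
        throw new RuntimeException("Unable to migrate Master key from Ranger KMS DB to GCP ", t);
    }
}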
