
Example 1 with DaoManager

use of org.apache.ranger.kms.dao.DaoManager in project testcases by coheigea.

the class RangerMasterKeyTest method testRangerMasterKey.

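/**
 * Verifies master-key generation and retrieval against the KMS test database under
 * {@code src/test/resources/kms}.
 *
 * <p>The wrong-password checks are the security-relevant part of this test: a key must not be
 * recoverable with a bad password. Each negative case records whether the call threw and asserts
 * that outcome afterwards. The previous form called {@code Assert.fail} inside the {@code try},
 * but {@code Assert.fail} throws an {@code AssertionError}, which the {@code catch (Throwable)}
 * swallowed — so the test could never fail even if a wrong password were accepted.
 *
 * @throws Throwable if the KMS database or master-key setup fails
 */
@org.junit.Test
public void testRangerMasterKey() throws Throwable {
    Path configDir = Paths.get("src/test/resources/kms");
    System.setProperty(KMSConfiguration.KMS_CONFIG_DIR, configDir.toFile().getAbsolutePath());
    RangerKMSDB rangerkmsDb = new RangerKMSDB(RangerKeyStoreProvider.getDBKSConf());
    DaoManager daoManager = rangerkmsDb.getDaoManager();
    String masterKeyPassword = "password0password0password0password0password0password0password0password0" + "password0password0password0password0password0password0password0password0password0password0" + "password0password0password0password0password0password0password0password0password0password0";
    RangerMasterKey rangerMasterKey = new RangerMasterKey(daoManager);
    Assert.assertTrue(rangerMasterKey.generateMasterKey(masterKeyPassword));
    Assert.assertNotNull(rangerMasterKey.getMasterKey(masterKeyPassword));

    // Negative case: the master key must not be retrievable with the wrong password.
    boolean masterKeyRejected = false;
    try {
        rangerMasterKey.getMasterKey("badpass");
    } catch (Throwable t) {
        masterKeyRejected = true; // expected
    }
    Assert.assertTrue("Failure expected on retrieving a key with the wrong password", masterKeyRejected);

    Assert.assertNotNull(rangerMasterKey.getMasterSecretKey(masterKeyPassword));

    // Same negative case for the SecretKey accessor.
    boolean masterSecretKeyRejected = false;
    try {
        rangerMasterKey.getMasterSecretKey("badpass");
    } catch (Throwable t) {
        masterSecretKeyRejected = true; // expected
    }
    Assert.assertTrue("Failure expected on retrieving a key with the wrong password", masterSecretKeyRejected);
}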
Also used : Path(java.nio.file.Path) RangerKMSDB(org.apache.hadoop.crypto.key.RangerKMSDB) RangerMasterKey(org.apache.hadoop.crypto.key.RangerMasterKey) DaoManager(org.apache.ranger.kms.dao.DaoManager)

Example 2 with DaoManager

use of org.apache.ranger.kms.dao.DaoManager in project ranger by apache.

the class DBToKeySecure method doExportMKToKeySecure.

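/**
 * Exports the Ranger KMS master key from the Ranger DB into SafeNet KeySecure.
 *
 * @param keyName     name under which the master key is stored in KeySecure
 * @param username    KeySecure login user
 * @param password    KeySecure login password; also handed to {@code setMasterKey}
 * @param cfgFilePath KeySecure configuration file path
 * @param conf        KMS configuration; must carry the master-key password under
 *                    {@code ENCRYPTION_KEY} (the placeholders {@code ""}, {@code "_"} and
 *                    {@code "crypted"} are rejected)
 * @return the result of {@code RangerSafenetKeySecure.setMasterKey}
 * @throws RuntimeException wrapping any failure (missing password, DB or KeySecure error)
 */
private boolean doExportMKToKeySecure(String keyName, String username, String password, String cfgFilePath, Configuration conf) {
    try {
        // Read once; the same value unlocks the master key in the Ranger DB below.
        String mkPassword = conf.get(ENCRYPTION_KEY);
        String trimmed = mkPassword == null ? "" : mkPassword.trim();
        if (trimmed.isEmpty() || trimmed.equals("_") || trimmed.equals("crypted")) {
            throw new IOException("Master Key Jceks does not exists");
        }
        conf.set(CFGFILEPATH, cfgFilePath);
        conf.set(KEYSECURE_MASTERKEY_NAME, keyName);
        // KeySecure login credentials are passed to the client through the configuration object.
        conf.set(KEYSECURE_LOGIN, username + ":" + password);
        RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);
        DaoManager daoManager = rangerkmsDb.getDaoManager();
        // Get Master Key from Ranger DB
        RangerMasterKey rangerMasterKey = new RangerMasterKey(daoManager);
        String mkey = rangerMasterKey.getMasterKey(mkPassword);
        byte[] key = Base64.decode(mkey);
        // conf was already dereferenced above, so a null check here would be dead code.
        RangerSafenetKeySecure rangerSafenetKeySecure = new RangerSafenetKeySecure(conf);
        return rangerSafenetKeySecure.setMasterKey(password, key, conf);
    } catch (Throwable t) {
        throw new RuntimeException("Unable to import Master key from Ranger DB to KeySecure ", t);
    }
}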
Also used : IOException(java.io.IOException) DaoManager(org.apache.ranger.kms.dao.DaoManager)

Example 3 with DaoManager

use of org.apache.ranger.kms.dao.DaoManager in project ranger by apache.

the class JKS2RangerUtil method doImportKeysFromJKS.

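/**
 * Imports all keys from a keystore file into the Ranger KMS DB-backed keystore.
 *
 * <p>The keystore-file and key passwords are prompted for on the console. The master key that
 * protects the imported keys comes from the first enabled provider:
 * <ul>
 *   <li>SafeNet KeySecure, when {@code KEYSECURE_ENABLED} is {@code true};</li>
 *   <li>Azure Key Vault, when {@code AZURE_KEYVAULT_ENABLED} is {@code true} — the key is not
 *       exportable, so {@code masterKey} is passed as {@code null} and a Key Vault-backed
 *       {@code RangerKeyStore} is used instead;</li>
 *   <li>otherwise the Ranger DB master key.</li>
 * </ul>
 * All secret {@code char[]}s are scrubbed in {@code finally}, including when the console prompt
 * itself failed and they are still {@code null} (the previous unconditional
 * {@code Arrays.fill} threw an NPE there and masked the original error).
 *
 * @param keyStoreFileName path of the keystore file to import
 * @param keyStoreType     keystore type handed to {@code engineLoadKeyStoreFile}
 * @throws RuntimeException wrapping any failure during the import
 */
private void doImportKeysFromJKS(String keyStoreFileName, String keyStoreType) {
    char[] keyStorePassword = null;
    char[] keyPassword = null;
    char[] masterKey = null;
    try {
        keyStorePassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the keystore FILE :");
        keyPassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the KEY(s) stored in the keystore:");
        Configuration conf = RangerKeyStoreProvider.getDBKSConf();
        RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);
        DaoManager daoManager = rangerkmsDb.getDaoManager();
        RangerKeyStore dbStore = new RangerKeyStore(daoManager);
        String password = conf.get(ENCRYPTION_KEY);
        if (configFlagIs(conf, KEYSECURE_ENABLED, "true")) {
            getFromJceks(conf, CREDENTIAL_PATH, KEYSECURE_PASSWORD_ALIAS, KEYSECURE_PASSWORD);
            // KeySecure login credentials are handed to the client via the configuration object.
            String keySecureLoginCred = conf.get(KEYSECURE_USERNAME).trim() + ":" + conf.get(KEYSECURE_PASSWORD);
            conf.set(KEYSECURE_LOGIN, keySecureLoginCred);
            RangerSafenetKeySecure rangerSafenetKeySecure = new RangerSafenetKeySecure(conf);
            rangerSafenetKeySecure.generateMasterKey(password);
            masterKey = rangerSafenetKeySecure.getMasterKey(password).toCharArray();
        } else if (configFlagIs(conf, AZURE_KEYVAULT_ENABLED, "true")) {
            getFromJceks(conf, CREDENTIAL_PATH, AZURE_CLIENT_SECRET_ALIAS, AZURE_CLIENT_SECRET);
            String azureClientId = conf.get(AZURE_CLIENT_ID);
            if (StringUtils.isEmpty(azureClientId)) {
                throw new Exception("Azure Key Vault is enabled and client id is not configured");
            }
            KeyVaultClient kvClient = newKeyVaultClient(conf, azureClientId);
            if (kvClient != null) {
                try {
                    dbStore = new RangerKeyStore(daoManager, conf, kvClient);
                    RangerKMSMKI rangerKVKeyGenerator = new RangerAzureKeyVaultKeyGenerator(conf, kvClient);
                    // The boolean result is not acted on (pre-existing behaviour): the Key Vault
                    // master key is not exportable, so masterKey stays null either way.
                    rangerKVKeyGenerator.generateMasterKey(password);
                } catch (Exception ex) {
                    throw new Exception("Error while generating master key and master key secret in Azure key vault. Error :  : " + ex, ex);
                }
            }
        } else {
            RangerMasterKey rangerMasterKey = new RangerMasterKey(daoManager);
            rangerMasterKey.generateMasterKey(password);
            masterKey = rangerMasterKey.getMasterKey(password).toCharArray();
        }
        // try-with-resources closes the file even when loading or storing throws.
        try (InputStream in = new FileInputStream(new File(keyStoreFileName))) {
            dbStore.engineLoadKeyStoreFile(in, keyStorePassword, keyPassword, masterKey, keyStoreType);
            dbStore.engineStore(null, masterKey);
        }
    } catch (Throwable t) {
        throw new RuntimeException("Unable to import keys from [" + keyStoreFileName + "] due to exception.", t);
    } finally {
        scrubSecret(keyStorePassword);
        scrubSecret(keyPassword);
        scrubSecret(masterKey);
    }
}

/** Returns true when {@code key} is set in {@code conf} and equals {@code expected}, ignoring case. */
private static boolean configFlagIs(Configuration conf, String key, String expected) {
    String value = conf.get(key);
    return StringUtils.isNotEmpty(value) && value.equalsIgnoreCase(expected);
}

/** Overwrites secret characters; a no-op for {@code null} (e.g. when the console prompt failed). */
private static void scrubSecret(char[] secret) {
    if (secret != null) {
        Arrays.fill(secret, ' ');
    }
}

/**
 * Builds the Azure Key Vault client: client-secret authentication when
 * {@code AZURE_KEYVAULT_SSL_ENABLED} is {@code false}, certificate authentication otherwise.
 *
 * @throws Exception wrapping any failure while authenticating, with the cause preserved
 */
private static KeyVaultClient newKeyVaultClient(Configuration conf, String azureClientId) throws Exception {
    if (configFlagIs(conf, AZURE_KEYVAULT_SSL_ENABLED, "false")) {
        try {
            AzureKeyVaultClientAuthenticator azureKVClientAuthenticator = new AzureKeyVaultClientAuthenticator(azureClientId, conf.get(AZURE_CLIENT_SECRET));
            return new KeyVaultClient(azureKVClientAuthenticator);
        } catch (Exception ex) {
            throw new Exception("Error while getting key vault client object with client id and client secret : " + ex, ex);
        }
    }
    try {
        AzureKeyVaultClientAuthenticator azureKVClientAuthenticator = new AzureKeyVaultClientAuthenticator(azureClientId);
        String keyVaultCertPath = conf.get(AZURE_KEYVAULT_CERTIFICATE_PATH);
        if (StringUtils.isEmpty(keyVaultCertPath)) {
            throw new Exception("Azure Key Vault is enabled. Please provide client secret or certificate path for authentication.");
        }
        String keyVaultCertPassword = conf.get(AZURE_KEYVAULT_CERTIFICATE_PASSWORD);
        // An unset certificate password is passed as the empty string, as before.
        return azureKVClientAuthenticator.getAuthentication(keyVaultCertPath, StringUtils.isEmpty(keyVaultCertPassword) ? "" : keyVaultCertPassword);
    } catch (Exception ex) {
        throw new Exception("Error while getting key vault client object with client id and certificate. Error :  : " + ex, ex);
    }
}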
Also used : Configuration(org.apache.hadoop.conf.Configuration) KeyVaultClient(com.microsoft.azure.keyvault.KeyVaultClient) FileInputStream(java.io.FileInputStream) InputStream(java.io.InputStream) KeyStoreException(java.security.KeyStoreException) FileInputStream(java.io.FileInputStream) DaoManager(org.apache.ranger.kms.dao.DaoManager) File(java.io.File)

Example 4 with DaoManager

use of org.apache.ranger.kms.dao.DaoManager in project ranger by apache.

the class KeySecureToRangerDBMKUtil method doImportMKFromKeySecure.

/**
 * Migrates the KMS master key from SafeNet KeySecure into the Ranger DB.
 *
 * <p>{@code kmsMKPassword} is stored under {@code ENCRYPTION_KEY} and then used both to fetch
 * the key from KeySecure and to protect it in the Ranger DB.
 *
 * @param kmsMKPassword password protecting the KMS master key
 * @throws RuntimeException wrapping any failure, with the cause preserved
 */
private void doImportMKFromKeySecure(String kmsMKPassword) {
    try {
        Configuration conf = RangerKeyStoreProvider.getDBKSConf();
        conf.set(ENCRYPTION_KEY, kmsMKPassword);
        getFromJceks(conf, CREDENTIAL_PATH, KEYSECURE_PASSWORD_ALIAS, KEYSECURE_PASSWORD);
        // KeySecure login credentials travel to the client inside the configuration object.
        conf.set(KEYSECURE_LOGIN, conf.get(KEYSECURE_USERNAME).trim() + ":" + conf.get(KEYSECURE_PASSWORD));
        DaoManager daoManager = new RangerKMSDB(conf).getDaoManager();
        String password = conf.get(ENCRYPTION_KEY);
        RangerSafenetKeySecure keySecure = new RangerSafenetKeySecure(conf);
        byte[] masterKeyBytes = Base64.decode(keySecure.getMasterKey(password));
        // Put Master Key in Ranger DB
        new RangerMasterKey(daoManager).generateMKFromKeySecureMK(password, masterKeyBytes);
    } catch (Throwable t) {
        throw new RuntimeException("Unable to migrate Master key from KeySecure to Ranger DB", t);
    }
}
Also used : Configuration(org.apache.hadoop.conf.Configuration) DaoManager(org.apache.ranger.kms.dao.DaoManager)

Example 5 with DaoManager

use of org.apache.ranger.kms.dao.DaoManager in project ranger by apache.

the class RangerKMSDB method initDBConnectivity.

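/**
 * Builds the JPA properties from the KMS configuration, creates the entity manager factory and
 * a {@code DaoManager}, and forces a first connection to the database.
 *
 * <p>Failures are logged via {@code logger} and not propagated (this matches the existing
 * contract, where the previous code only printed the stack trace); callers should check
 * {@code isDbConnected()} before relying on {@code daoManager}.
 */
private void initDBConnectivity() {
    try {
        // jpaProperties carries the DB credentials; never dump this map to a log.
        jpaProperties.put(JPA_DB_DIALECT, conf.get(PROPERTY_PREFIX + DB_DIALECT));
        jpaProperties.put(JPA_DB_DRIVER, conf.get(PROPERTY_PREFIX + DB_DRIVER));
        jpaProperties.put(JPA_DB_URL, conf.get(PROPERTY_PREFIX + DB_URL));
        jpaProperties.put(JPA_DB_USER, conf.get(PROPERTY_PREFIX + DB_USER));
        jpaProperties.put(JPA_DB_PASSWORD, conf.get(PROPERTY_PREFIX + DB_PASSWORD));
        // Only MySQL and PostgreSQL get their JDBC URL augmented with SSL settings.
        if (getDBFlavor(conf) == DB_FLAVOR_MYSQL || getDBFlavor(conf) == DB_FLAVOR_POSTGRES) {
            updateDBSSLURL();
        }
        entityManagerFactory = Persistence.createEntityManagerFactory("persistence_ranger_server", jpaProperties);
        daoManager = new DaoManager();
        daoManager.setEntityManagerFactory(entityManagerFactory);
        // this forces the connection to be made to DB
        daoManager.getEntityManager();
        logger.info("Connected to DB : " + isDbConnected());
    } catch (Exception excp) {
        // Logged with the cause instead of printStackTrace(), so the failure lands in the
        // application log rather than only on stderr.
        logger.error("Failed to initialize Ranger KMS DB connectivity", excp);
    }
}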
Also used : DaoManager(org.apache.ranger.kms.dao.DaoManager)

Aggregations

DaoManager (org.apache.ranger.kms.dao.DaoManager)18 FileInputStream (java.io.FileInputStream)7 InputStream (java.io.InputStream)7 Test (org.junit.Test)7 Configuration (org.apache.hadoop.conf.Configuration)6 RangerKeyStore (org.apache.hadoop.crypto.key.RangerKeyStore)6 IOException (java.io.IOException)5 KeyVaultClient (com.microsoft.azure.keyvault.KeyVaultClient)3 File (java.io.File)2 Path (java.nio.file.Path)2 Key (java.security.Key)2 KeyStoreException (java.security.KeyStoreException)2 ArrayList (java.util.ArrayList)2 RangerKMSDB (org.apache.hadoop.crypto.key.RangerKMSDB)2 RangerMasterKey (org.apache.hadoop.crypto.key.RangerMasterKey)2 XXRangerKeyStore (org.apache.ranger.entity.XXRangerKeyStore)2 FileOutputStream (java.io.FileOutputStream)1 OutputStream (java.io.OutputStream)1