use of org.apache.ranger.kms.dao.DaoManager in project ranger by apache.
the class DBToAzureKeyVault method doExportMKToAzureKeyVault.
private boolean doExportMKToAzureKeyVault(boolean sslEnabled, String masterKeyName, String masterKeyType, String zoneKeyEncryptionAlgo, String azureClientId, String azureKeyVaultUrl, String passwordOrCertPath, String certificatePassword, Configuration conf) {
try {
String mKeyPass = conf.get(ENCRYPTION_KEY);
if (mKeyPass == null || mKeyPass.trim().equals("") || mKeyPass.trim().equals("_") || mKeyPass.trim().equals("crypted")) {
throw new IOException("Master Key Jceks does not exists");
}
conf.set(AZURE_MASTER_KEY_TYPE, masterKeyType);
conf.set(ZONE_KEY_ENCRYPTION_ALGO, zoneKeyEncryptionAlgo);
conf.set(AZURE_MASTER_KEY_ALIAS, masterKeyName);
conf.set(AZURE_CLIENT_ID, azureClientId);
conf.set(AZURE_KEYVAULT_URL, azureKeyVaultUrl);
RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);
DaoManager daoManager = rangerkmsDb.getDaoManager();
KeyVaultClient kvClient = null;
if (sslEnabled) {
conf.set(AZURE_KEYVAULT_CERTIFICATE_PATH, passwordOrCertPath);
AzureKeyVaultClientAuthenticator azureKVClientAuthenticator = new AzureKeyVaultClientAuthenticator(azureClientId);
kvClient = !StringUtils.isEmpty(certificatePassword) ? azureKVClientAuthenticator.getAuthentication(passwordOrCertPath, certificatePassword) : azureKVClientAuthenticator.getAuthentication(passwordOrCertPath, "");
} else {
conf.set(AZURE_CLIENT_SECRET, passwordOrCertPath);
AzureKeyVaultClientAuthenticator azureKVClientAuthenticator = new AzureKeyVaultClientAuthenticator(azureClientId, passwordOrCertPath);
kvClient = new KeyVaultClient(azureKVClientAuthenticator);
}
if (kvClient == null) {
System.err.println("Key Vault is null. Please check the azure related configs.");
System.exit(1);
}
RangerKMSMKI rangerKVKeyGenerator = new RangerAzureKeyVaultKeyGenerator(conf, kvClient);
boolean azureMKSuccess = rangerKVKeyGenerator.generateMasterKey(mKeyPass);
if (azureMKSuccess) {
dbStore = new RangerKeyStore(daoManager, conf, kvClient);
// Get Master Key from Ranger DB
RangerMasterKey rangerMasterKey = new RangerMasterKey(daoManager);
char[] mkey = rangerMasterKey.getMasterKey(mKeyPass).toCharArray();
List<XXRangerKeyStore> rangerKeyStoreList = new ArrayList<XXRangerKeyStore>();
dbStore.engineLoad(null, mkey);
Enumeration<String> e = dbStore.engineAliases();
Key key;
String alias = null;
while (e.hasMoreElements()) {
alias = e.nextElement();
key = dbStore.engineGetKey(alias, mkey);
XXRangerKeyStore xxRangerKeyStore = dbStore.convertKeysBetweenRangerKMSAndAzureKeyVault(alias, key, rangerKVKeyGenerator);
rangerKeyStoreList.add(xxRangerKeyStore);
}
if (rangerKeyStoreList != null && !rangerKeyStoreList.isEmpty()) {
for (XXRangerKeyStore rangerKeyStore : rangerKeyStoreList) {
dbStore.dbOperationStore(rangerKeyStore);
}
}
return true;
}
return false;
} catch (Throwable t) {
throw new RuntimeException("Unable to import Master key from Ranger DB to Azure Key Vault ", t);
}
}
use of org.apache.ranger.kms.dao.DaoManager in project ranger by apache.
the class HSM2DBMKUtil method doImportMKFromHSM.
private void doImportMKFromHSM(String hsmType, String partitionName) {
char[] partitionPassword = null;
try {
partitionPassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the Partition " + partitionName + " : ");
Configuration conf = RangerKeyStoreProvider.getDBKSConf();
conf.set(HSM_TYPE, hsmType);
conf.set(PARTITION_NAME, partitionName);
conf.set(PARTITION_PASSWORD, String.valueOf(partitionPassword));
RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);
DaoManager daoManager = rangerkmsDb.getDaoManager();
String password = conf.get(ENCRYPTION_KEY);
// Get Master Key from HSM
RangerHSM rangerHSM = new RangerHSM(conf);
String mKey = rangerHSM.getMasterKey(password);
byte[] key = Base64.decode(mKey);
// Put Master Key in Ranger DB
RangerMasterKey rangerMasterKey = new RangerMasterKey(daoManager);
rangerMasterKey.generateMKFromHSMMK(password, key);
} catch (Throwable t) {
throw new RuntimeException("Unable to import Master key from HSM to Ranger DB", t);
} finally {
Arrays.fill(partitionPassword, ' ');
}
}
use of org.apache.ranger.kms.dao.DaoManager in project ranger by apache.
the class Ranger2JKSUtil method doExportKeysFromJKS.
private void doExportKeysFromJKS(String keyStoreFileName, String keyStoreType) {
char[] keyStorePassword = null;
char[] keyPassword = null;
try {
keyStorePassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the keystore FILE :");
keyPassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the KEY(s) stored in the keystore:");
Configuration conf = RangerKeyStoreProvider.getDBKSConf();
RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);
DaoManager daoManager = rangerkmsDb.getDaoManager();
RangerKeyStore dbStore;
char[] masterKey = null;
String password = conf.get(ENCRYPTION_KEY);
if (conf != null && StringUtils.isNotEmpty(conf.get(KEYSECURE_ENABLED)) && conf.get(KEYSECURE_ENABLED).equalsIgnoreCase("true")) {
getFromJceks(conf, CREDENTIAL_PATH, KEYSECURE_PASSWORD_ALIAS, KEYSECURE_PASSWORD);
String keySecureLoginCred = conf.get(KEYSECURE_USERNAME).trim() + ":" + conf.get(KEYSECURE_PASSWORD);
conf.set(KEYSECURE_LOGIN, keySecureLoginCred);
RangerSafenetKeySecure rangerSafenetKeySecure = new RangerSafenetKeySecure(conf);
masterKey = rangerSafenetKeySecure.getMasterKey(password).toCharArray();
dbStore = new RangerKeyStore(daoManager);
} else if (conf != null && StringUtils.isNotEmpty(conf.get(AZURE_KEYVAULT_ENABLED)) && conf.get(AZURE_KEYVAULT_ENABLED).equalsIgnoreCase("true")) {
getFromJceks(conf, CREDENTIAL_PATH, AZURE_CLIENT_SECRET_ALIAS, AZURE_CLIENT_SECRET);
String azureClientId = conf.get(AZURE_CLIENT_ID);
if (StringUtils.isEmpty(azureClientId)) {
throw new Exception("Azure Key Vault is enabled and client id is not configured");
}
String azureClientSecret = conf.get(AZURE_CLIENT_SECRET);
dbStore = new RangerKeyStore(daoManager);
AzureKeyVaultClientAuthenticator azureKVClientAuthenticator;
KeyVaultClient kvClient = null;
if (conf != null && StringUtils.isNotEmpty(conf.get(AZURE_KEYVAULT_SSL_ENABLED)) && conf.get(AZURE_KEYVAULT_SSL_ENABLED).equalsIgnoreCase("false")) {
try {
azureKVClientAuthenticator = new AzureKeyVaultClientAuthenticator(azureClientId, azureClientSecret);
kvClient = new KeyVaultClient(azureKVClientAuthenticator);
} catch (Exception ex) {
throw new Exception("Error while getting key vault client object with client id and client secret : " + ex);
}
} else {
try {
azureKVClientAuthenticator = new AzureKeyVaultClientAuthenticator(azureClientId);
String keyVaultCertPath = conf.get(AZURE_KEYVAULT_CERTIFICATE_PATH);
if (StringUtils.isEmpty(keyVaultCertPath)) {
throw new Exception("Azure Key Vault is enabled. Please provide client secret or certificate path for authentication.");
}
String keyVaultCertPassword = conf.get(AZURE_KEYVAULT_CERTIFICATE_PASSWORD);
kvClient = !StringUtils.isEmpty(keyVaultCertPassword) ? azureKVClientAuthenticator.getAuthentication(keyVaultCertPath, keyVaultCertPassword) : azureKVClientAuthenticator.getAuthentication(keyVaultCertPath, "");
} catch (Exception ex) {
throw new Exception("Error while getting key vault client object with client id and certificate. Error : : " + ex);
}
}
if (kvClient != null) {
masterKey = null;
dbStore = new RangerKeyStore(daoManager, conf, kvClient);
}
} else {
RangerMasterKey rangerMasterKey = new RangerMasterKey(daoManager);
masterKey = rangerMasterKey.getMasterKey(password).toCharArray();
dbStore = new RangerKeyStore(daoManager);
}
OutputStream out = null;
try {
out = new FileOutputStream(new File(keyStoreFileName));
dbStore.engineLoadToKeyStoreFile(out, keyStorePassword, keyPassword, masterKey, keyStoreType);
} finally {
if (out != null) {
try {
out.close();
} catch (Exception e) {
throw new RuntimeException("ERROR: Unable to close file stream for [" + keyStoreFileName + "]", e);
}
}
}
} catch (Throwable t) {
throw new RuntimeException("Unable to export keys to [" + keyStoreFileName + "] due to exception.", t);
} finally {
Arrays.fill(keyStorePassword, ' ');
Arrays.fill(keyPassword, ' ');
}
}
use of org.apache.ranger.kms.dao.DaoManager in project ranger by apache.
the class MigrateDBMKeyToGCP method doExportMKToGcp.
private boolean doExportMKToGcp(Configuration conf, final String masterKeyName) {
try {
String mKeyPass = conf.get(ENCRYPTION_KEY);
if (mKeyPass == null || mKeyPass.trim().equals("") || mKeyPass.trim().equals("_") || mKeyPass.trim().equals("crypted")) {
throw new IOException("Master Key Jceks does not exists");
}
RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);
DaoManager daoManager = rangerkmsDb.getDaoManager();
System.out.println("Creating masterkey with the name - " + masterKeyName);
boolean gcpMKSuccess = rangerGcpProvider.generateMasterKey(null);
if (gcpMKSuccess) {
System.out.println("Masterkey with the name '" + masterKeyName + "' created successfully on Google Cloud KMS.");
dbStore = new RangerKeyStore(daoManager, false, rangerGcpProvider);
// Get Master Key from Ranger DB
RangerMasterKey rangerMasterKey = new RangerMasterKey(daoManager);
char[] mkey = rangerMasterKey.getMasterKey(mKeyPass).toCharArray();
List<XXRangerKeyStore> rangerKeyStoreList = new ArrayList<XXRangerKeyStore>();
dbStore.engineLoad(null, mkey);
Enumeration<String> e = dbStore.engineAliases();
Key key;
String alias = null;
while (e.hasMoreElements()) {
alias = e.nextElement();
key = dbStore.engineGetKey(alias, mkey);
XXRangerKeyStore xxRangerKeyStore = dbStore.convertKeysBetweenRangerKMSAndGCP(alias, key, rangerGcpProvider);
rangerKeyStoreList.add(xxRangerKeyStore);
}
if (rangerKeyStoreList != null && !rangerKeyStoreList.isEmpty()) {
for (XXRangerKeyStore rangerKeyStore : rangerKeyStoreList) {
dbStore.dbOperationStore(rangerKeyStore);
}
}
return true;
}
return false;
} catch (Throwable t) {
throw new RuntimeException("Unable to migrate Master key from Ranger KMS DB to GCP ", t);
}
}
use of org.apache.ranger.kms.dao.DaoManager in project ranger by apache.
the class TestRangerKeyStore method testValidKey1.
@Test
public void testValidKey1() throws NoSuchAlgorithmException, CertificateException, IOException, KeyStoreException {
DaoManager daoManager = Mockito.mock(DaoManager.class);
RangerKeyStore rangerKeyStore = new RangerKeyStore(daoManager);
String keyValue = "enckey_1-test";
InputStream inputStream = generateKeyStoreFile(keyValue);
rangerKeyStore.engineLoadKeyStoreFile(inputStream, storePass, keyPass, masterKey, fileFormat);
inputStream.close();
}
Aggregations