Repository: ranger Updated Branches: refs/heads/ranger-0.7 9aad8d6e7 -> 3999d5b6a
RANGER-1571 : Code Improvement To Follow Best Practices Signed-off-by: Gautam Borad <gau...@apache.org> Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/3999d5b6 Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/3999d5b6 Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/3999d5b6 Branch: refs/heads/ranger-0.7 Commit: 3999d5b6a2f93ef72bdf1deea45d7abbe4268652 Parents: 9aad8d6 Author: Bhavik Patel <bhavikpatel...@gmail.com> Authored: Fri May 12 11:01:26 2017 +0530 Committer: Gautam Borad <gau...@apache.org> Committed: Fri May 12 14:26:34 2017 +0530 ---------------------------------------------------------------------- .../plugin/client/HadoopConfigHolder.java | 9 +--- .../ranger/plugin/util/PasswordUtils.java | 51 ++++++++++++++------ .../org/apache/ranger/biz/ServiceDBStore.java | 46 +++++++++++++++--- .../ranger/service/RangerServiceService.java | 28 +++++++++-- .../conf.dist/ranger-admin-default-site.xml | 17 +++++++ 5 files changed, 116 insertions(+), 35 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/3999d5b6/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java index 96645b9..56860e4 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java 
@@ -31,7 +31,6 @@ import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.security.SecureClientLogin; -import org.apache.ranger.plugin.util.PasswordUtils; public class HadoopConfigHolder { private static final Log LOG = LogFactory.getLog(HadoopConfigHolder.class); @@ -304,13 +303,7 @@ public class HadoopConfigHolder { } else { hiveSiteFilePath = null; } - String plainTextPwd = prop.getProperty(RANGER_LOGIN_PASSWORD); - try { - password = PasswordUtils.encryptPassword(plainTextPwd); - } catch (IOException e) { - throw new HadoopException("Unable to initialize login info", e); - } - + password = prop.getProperty(RANGER_LOGIN_PASSWORD); lookupPrincipal = prop.getProperty(RANGER_LOOKUP_PRINCIPAL); lookupKeytab = prop.getProperty(RANGER_LOOKUP_KEYTAB); nameRules = prop.getProperty(RANGER_NAME_RULES); http://git-wip-us.apache.org/repos/asf/ranger/blob/3999d5b6/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java index f32355a..3759b8d 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java 
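Review bot: `password = prop.getProperty(RANGER_LOGIN_PASSWORD);` now keeps the login password in the field exactly as read from the properties, where the removed lines stored `PasswordUtils.encryptPassword(plainTextPwd)`, so any reader of `password` elsewhere in HadoopConfigHolder that still calls `PasswordUtils.decryptPassword` (not visible in this hunk) would now receive plaintext and fail; please confirm those readers were adjusted in the same change. With the `catch (IOException e)` gone, the `IOException` import may also be unused unless other code in the file needs it. A short comment such as `// kept as supplied; encryption of stored service passwords is handled on the admin side` would record the new contract for the next reader. The enclosing method starts before this hunk.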
@@ -33,19 +33,20 @@ public class PasswordUtils { private static final Logger LOG = LoggerFactory.getLogger(PasswordUtils.class); - private static final char[] ENCRYPT_KEY = "tzL1AKl5uc4NKYaoQ4P3WLGIBFPXWPWdu1fRm9004jtQiV".toCharArray(); - - private static final byte[] SALT = "f77aLYLo".getBytes(); - - private static final int ITERATION_COUNT = 17; - - private static final String CRYPT_ALGO = "PBEWithMD5AndDES"; - - private static final String PBE_KEY_ALGO = "PBEWithMD5AndDES"; - - private static final String LEN_SEPARATOR_STR = ":"; + private static String CRYPT_ALGO = null; + private static String password = null; + private static char[] ENCRYPT_KEY = null; + private static byte[] SALT = null; + private static int ITERATION_COUNT = 0; + private static final String LEN_SEPARATOR_STR = ":"; + + public static final String DEFAULT_CRYPT_ALGO = "PBEWithMD5AndDES"; + public static final String DEFAULT_ENCRYPT_KEY = "tzL1AKl5uc4NKYaoQ4P3WLGIBFPXWPWdu1fRm9004jtQiV"; + public static final String DEFAULT_SALT = "f77aLYLo"; + public static final int DEFAULT_ITERATION_COUNT = 1000; public static String encryptPassword(String aPassword) throws IOException { + setPropertiesvalues(aPassword); Map<String, String> env = System.getenv(); String encryptKeyStr = env.get("ENCRYPT_KEY"); char[] encryptKey; @@ -67,12 +68,12 @@ public class PasswordUtils { strToEncrypt = ""; } else { - strToEncrypt = aPassword.length() + LEN_SEPARATOR_STR + aPassword; + strToEncrypt = aPassword.length() + LEN_SEPARATOR_STR + password; } try { Cipher engine = Cipher.getInstance(CRYPT_ALGO); PBEKeySpec keySpec = new PBEKeySpec(encryptKey); - SecretKeyFactory skf = SecretKeyFactory.getInstance(PBE_KEY_ALGO); + SecretKeyFactory skf = SecretKeyFactory.getInstance(CRYPT_ALGO); SecretKey key = skf.generateSecret(keySpec); engine.init(Cipher.ENCRYPT_MODE, key, new PBEParameterSpec(salt, ITERATION_COUNT)); byte[] encryptedStr = engine.doFinal(strToEncrypt.getBytes()); 
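Review bot: The new mutable statics `CRYPT_ALGO`, `password`, `ENCRYPT_KEY`, `SALT` and `ITERATION_COUNT` are assigned by `setPropertiesvalues(aPassword)` on entry to `encryptPassword` (and to `decryptPassword` in the next hunk), so two threads encrypting or decrypting concurrently can read each other's password, key and salt; in a multi-threaded admin server that is a correctness and confidentiality defect, not only a style issue. Keep these as locals or an immutable parameter object passed into the cipher code, and leave the class stateless. Note also that `DEFAULT_ITERATION_COUNT = 1000` replaces the removed `ITERATION_COUNT = 17` on the default (no-comma) path, so values encrypted by the previous release with 17 iterations will not decrypt under the new default unless something re-encrypts them, and I do not see that in this commit. `DEFAULT_ENCRYPT_KEY` is still a key compiled into the source; a Javadoc line such as `/** Fallback PBE key used only when the value carries no key of its own; it is public and offers no confidentiality. */` would make that limitation explicit.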
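Review bot: `strToEncrypt = aPassword.length() + LEN_SEPARATOR_STR + password;` prefixes the length of the whole `algo,key,salt,iterations,password` input while only the trailing `password` segment is encrypted, so the length prefix no longer matches the string it is meant to describe; if `decryptPassword` (its tail is outside this commit's hunks) checks or strips by that prefix, every round-trip of a padded value fails and the ServiceDBStore callers in this commit then keep the plaintext. The line should read `strToEncrypt = password.length() + LEN_SEPARATOR_STR + password;`. The enclosing `encryptPassword` begins in the previous hunk and its return is outside this one.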
@@ -85,7 +86,27 @@ public class PasswordUtils { return ret; } + public static void setPropertiesvalues(String aPassword) { + String[] crypt_algo_array = null; + if (aPassword.contains(",")) { + crypt_algo_array = aPassword.split(","); + } + if (crypt_algo_array != null && crypt_algo_array.length > 1) { + CRYPT_ALGO = crypt_algo_array[0]; + ENCRYPT_KEY = crypt_algo_array[1].toCharArray(); + SALT = crypt_algo_array[2].getBytes(); + ITERATION_COUNT = Integer.parseInt(crypt_algo_array[3]); + password = crypt_algo_array[4]; + } else { + CRYPT_ALGO = DEFAULT_CRYPT_ALGO; + ENCRYPT_KEY = DEFAULT_ENCRYPT_KEY.toCharArray(); + SALT = DEFAULT_SALT.getBytes(); + ITERATION_COUNT = DEFAULT_ITERATION_COUNT; + } + } + public static String decryptPassword(String aPassword) throws IOException { + setPropertiesvalues(aPassword); String ret = null; Map<String, String> env = System.getenv(); String encryptKeyStr = env.get("ENCRYPT_KEY"); @@ -103,10 +124,10 @@ public class PasswordUtils { salt=saltStr.getBytes(); } try { - byte[] decodedPassword = Base64.decode(aPassword); + byte[] decodedPassword = Base64.decode(password); Cipher engine = Cipher.getInstance(CRYPT_ALGO); PBEKeySpec keySpec = new PBEKeySpec(encryptKey); - SecretKeyFactory skf = SecretKeyFactory.getInstance(PBE_KEY_ALGO); + SecretKeyFactory skf = SecretKeyFactory.getInstance(CRYPT_ALGO); SecretKey key = skf.generateSecret(keySpec); engine.init(Cipher.DECRYPT_MODE, key,new PBEParameterSpec(salt, ITERATION_COUNT)); String decrypted = new String(engine.doFinal(decodedPassword)); http://git-wip-us.apache.org/repos/asf/ranger/blob/3999d5b6/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index f1248bc..3ac8d3d 100644 
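Review bot: `setPropertiesvalues` never assigns `password` in its `else` branch, so for an input without a comma (the legacy path still used by `PasswordUtils.encryptPassword(decryptedPwd)` in RangerServiceService and by `Base64.decode(password)` in the next hunk) the cipher operates on whatever the previous call left in the static, or on null. The guard `crypt_algo_array.length > 1` admits two- to four-element arrays while indices `[2]` to `[4]` are read, so a legacy plaintext containing a single comma raises ArrayIndexOutOfBoundsException, and plain `split(",")` truncates any password that itself contains a comma; `split(",", 5)` with a `length == 5` check avoids both. Since this call now precedes the existing null handling in `encryptPassword`, `aPassword.contains(",")` also throws on a null input. The method name should be `setPropertiesValues` (or better, the method should return a small value object instead of writing statics) so it reads as camelCase; a rewrite along these lines:
```java
public static void setPropertiesvalues(String aPassword) {
    // Limit the split to five parts so a password that itself contains ',' keeps its tail.
    String[] parts = (aPassword != null && aPassword.contains(",")) ? aPassword.split(",", 5) : null;
    if (parts != null && parts.length == 5) {
        CRYPT_ALGO = parts[0];
        ENCRYPT_KEY = parts[1].toCharArray();
        SALT = parts[2].getBytes();
        ITERATION_COUNT = Integer.parseInt(parts[3]);
        password = parts[4];
    } else {
        // Legacy input: the whole value is the password and the defaults apply.
        CRYPT_ALGO = DEFAULT_CRYPT_ALGO;
        ENCRYPT_KEY = DEFAULT_ENCRYPT_KEY.toCharArray();
        SALT = DEFAULT_SALT.getBytes();
        ITERATION_COUNT = DEFAULT_ITERATION_COUNT;
        password = aPassword;
    }
}
```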
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java @@ -202,6 +202,11 @@ public class ServiceDBStore extends AbstractServiceStore { private static final String TIMESTAMP = "Export time"; private static final String AMBARI_SERVICE_CHECK_USER = "ambari.service.check.user"; + + public static String CRYPT_ALGO = PropertiesUtil.getProperty("ranger.password.encryption.algorithm", PasswordUtils.DEFAULT_CRYPT_ALGO); + public static String ENCRYPT_KEY = PropertiesUtil.getProperty("ranger.password.encryption.key", PasswordUtils.DEFAULT_ENCRYPT_KEY); + public static String SALT = PropertiesUtil.getProperty("ranger.password.salt", PasswordUtils.DEFAULT_SALT); + public static Integer ITERATION_COUNT = PropertiesUtil.getIntProperty("ranger.password.iteration.count", PasswordUtils.DEFAULT_ITERATION_COUNT); static { try { @@ -1417,9 +1422,10 @@ public class ServiceDBStore extends AbstractServiceStore { } if (StringUtils.equalsIgnoreCase(configKey, CONFIG_KEY_PASSWORD)) { - String encryptedPwd = PasswordUtils.encryptPassword(configValue); + String cryptConfigString = CRYPT_ALGO + "," + ENCRYPT_KEY + "," + SALT + "," + ITERATION_COUNT + "," + configValue; + String encryptedPwd = PasswordUtils.encryptPassword(cryptConfigString); + encryptedPwd = CRYPT_ALGO + "," + ENCRYPT_KEY + "," + SALT + "," + ITERATION_COUNT + "," + encryptedPwd; String decryptedPwd = PasswordUtils.decryptPassword(encryptedPwd); - if (StringUtils.equals(decryptedPwd, configValue)) { configValue = encryptedPwd; } 
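Review bot: `public static String CRYPT_ALGO`, `ENCRYPT_KEY`, `SALT` and `public static Integer ITERATION_COUNT` are neither private nor final, and this commit reassigns them from per-record data both in the update path later in this file (`ENCRYPT_KEY = crypt_algo_array[1];` and the following lines in the `-1579` hunk) and from the RangerServiceService hunk, so whichever service record was read or updated last silently becomes the encryption configuration for every subsequent service, and concurrent requests race on the same fields. Make them `private static final` (and `int` rather than `Integer`) read once from `PropertiesUtil`, and keep values parsed out of a stored password in locals. A Javadoc such as `/** Deployment-wide PBE parameters from ranger-admin-site; fixed after class initialisation. */` would state the intended contract. The static initializer that follows is cut off by the hunk.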
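Review bot: `encryptedPwd = CRYPT_ALGO + "," + ENCRYPT_KEY + "," + SALT + "," + ITERATION_COUNT + "," + encryptedPwd;` persists the encryption key and salt in the same config value as the ciphertext, so anyone able to read the service-config row — and the RangerServiceService hunk places the same padded value into the returned configs map — can decrypt the password with no further secret; the stored value is effectively plaintext with extra steps. Persist only an algorithm identifier (or a key-version id) alongside the ciphertext and resolve the key and salt from the admin configuration that `PropertiesUtil` already provides. Separately, when `StringUtils.equals(decryptedPwd, configValue)` is false the plaintext `configValue` is stored unchanged; that case should be reported as an error (log the failure without the value and reject the request) instead of silently persisting the plaintext. The enclosing method starts and ends outside this hunk.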
@@ -1579,20 +1585,44 @@ public class ServiceDBStore extends AbstractServiceStore { vXUser = xUserMgr.createServiceConfigUser(userName); } } - + if (StringUtils.equalsIgnoreCase(configKey, CONFIG_KEY_PASSWORD)) { if (StringUtils.equalsIgnoreCase(configValue, HIDDEN_PASSWORD_STR)) { - configValue = oldPassword; + String[] crypt_algo_array = null; + if (configValue.contains(",")) { + crypt_algo_array = configValue.split(","); + } + if (crypt_algo_array != null && oldPassword.contains(",")){ + crypt_algo_array = oldPassword.split(","); + String OLD_CRYPT_ALGO = crypt_algo_array[0]; + ENCRYPT_KEY = crypt_algo_array[1]; + SALT = crypt_algo_array[2]; + ITERATION_COUNT = Integer.parseInt(crypt_algo_array[3]); + + if (!OLD_CRYPT_ALGO.equalsIgnoreCase(CRYPT_ALGO)) { + String decryptedPwd = PasswordUtils.decryptPassword(oldPassword); + String paddingString = CRYPT_ALGO + "," + ENCRYPT_KEY + "," + SALT + "," + ITERATION_COUNT; + String encryptedPwd = PasswordUtils.encryptPassword(paddingString + "," + decryptedPwd); + String newDecryptedPwd = PasswordUtils.decryptPassword(paddingString + "," + encryptedPwd); + if (StringUtils.equals(newDecryptedPwd, decryptedPwd)) { + configValue = paddingString + "," + encryptedPwd; + } + } else { + configValue = oldPassword; + } + } else { + configValue = oldPassword; + } } else { - String encryptedPwd = PasswordUtils.encryptPassword(configValue); - String decryptedPwd = PasswordUtils.decryptPassword(encryptedPwd); + String paddingString = CRYPT_ALGO + "," + ENCRYPT_KEY + "," + SALT + "," + ITERATION_COUNT; + String encryptedPwd = PasswordUtils.encryptPassword(paddingString + "," +configValue); + String decryptedPwd = PasswordUtils.decryptPassword(paddingString + "," +encryptedPwd); if (StringUtils.equals(decryptedPwd, configValue)) { - configValue = encryptedPwd; + configValue = paddingString + "," + encryptedPwd; } } } - XXServiceConfigMap xConfMap = new XXServiceConfigMap(); xConfMap = (XXServiceConfigMap) 
rangerAuditFields.populateAuditFields(xConfMap, xUpdService); xConfMap.setServiceId(service.getId()); http://git-wip-us.apache.org/repos/asf/ranger/blob/3999d5b6/security-admin/src/main/java/org/apache/ranger/service/RangerServiceService.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceService.java b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceService.java index 0d97298..9aa4aed 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceService.java 
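Review bot: The migration block under `if (StringUtils.equalsIgnoreCase(configValue, HIDDEN_PASSWORD_STR))` splits `configValue`, which at that point equals `HIDDEN_PASSWORD_STR`, to decide whether to parse `oldPassword`, so unless the hidden-password marker itself contains a comma (its value is not visible here) `crypt_algo_array` is always null and the block collapses to the old `configValue = oldPassword;`, leaving the algorithm-change handling unreachable. When it does run it first overwrites the class-wide `ENCRYPT_KEY`, `SALT` and `ITERATION_COUNT` with the values parsed from `oldPassword` and only then builds `paddingString`, so the "new" ciphertext is produced with the old key and salt and every service processed afterwards inherits them. If the round-trip inside that block fails, `configValue` is left equal to `HIDDEN_PASSWORD_STR` and the marker would be persisted as the password. Drive the decision from `oldPassword`, keep the parsed parts local, and fall back to `oldPassword` on failure, roughly as below; the enclosing method starts and ends outside this hunk.
```java
if (StringUtils.equalsIgnoreCase(configValue, HIDDEN_PASSWORD_STR)) {
    // Decide on migration from the stored value, not from the hidden-password marker.
    String[] oldParts = (oldPassword != null && oldPassword.contains(",")) ? oldPassword.split(",", 5) : null;
    if (oldParts != null && oldParts.length == 5 && !oldParts[0].equalsIgnoreCase(CRYPT_ALGO)) {
        // Keep the deployment-wide key/salt/iterations; the old ones live only inside oldPassword.
        String paddingString = CRYPT_ALGO + "," + ENCRYPT_KEY + "," + SALT + "," + ITERATION_COUNT;
        String decryptedPwd = PasswordUtils.decryptPassword(oldPassword);
        String encryptedPwd = PasswordUtils.encryptPassword(paddingString + "," + decryptedPwd);
        String newDecryptedPwd = PasswordUtils.decryptPassword(paddingString + "," + encryptedPwd);
        if (StringUtils.equals(newDecryptedPwd, decryptedPwd)) {
            configValue = paddingString + "," + encryptedPwd;
        } else {
            configValue = oldPassword;
        }
    } else {
        configValue = oldPassword;
    }
} else {
    // … unchanged: encrypt the newly supplied password and verify the round-trip …
}
```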
@@ -298,11 +298,31 @@ public class RangerServiceService extends RangerServiceServiceBase<XXService, Ra if(!stringUtil.isEmpty(pwd) && pwd.equalsIgnoreCase(ServiceDBStore.HIDDEN_PASSWORD_STR)) { XXServiceConfigMap pwdConfig = daoMgr.getXXServiceConfigMap().findByServiceAndConfigKey(service.getId(), ServiceDBStore.CONFIG_KEY_PASSWORD); - if(pwdConfig != null) { + if (pwdConfig != null) { String encryptedPwd = pwdConfig.getConfigvalue(); - String decryptedPwd = PasswordUtils.decryptPassword(encryptedPwd); - if(StringUtils.equalsIgnoreCase(PasswordUtils.encryptPassword(decryptedPwd), encryptedPwd)) { - configs.put(ServiceDBStore.CONFIG_KEY_PASSWORD, encryptedPwd); + String decryptedPwd = ""; + String crypt_algo_array[] = encryptedPwd.split(","); + if (encryptedPwd.contains(",")) { + crypt_algo_array = encryptedPwd.split(","); + } + if (crypt_algo_array != null && crypt_algo_array.length > 1) { + ServiceDBStore.CRYPT_ALGO = crypt_algo_array[0]; + ServiceDBStore.ENCRYPT_KEY = crypt_algo_array[1]; + ServiceDBStore.SALT = crypt_algo_array[2]; + ServiceDBStore.ITERATION_COUNT = Integer.parseInt(crypt_algo_array[3]); + + String paddingString = ServiceDBStore.CRYPT_ALGO + "," + ServiceDBStore.ENCRYPT_KEY + "," + ServiceDBStore.SALT + "," + ServiceDBStore.ITERATION_COUNT; + decryptedPwd = PasswordUtils.decryptPassword(encryptedPwd); + + if (StringUtils.equalsIgnoreCase(paddingString + "," + PasswordUtils.encryptPassword(paddingString + "," + decryptedPwd), encryptedPwd)) { + configs.put(ServiceDBStore.CONFIG_KEY_PASSWORD, encryptedPwd); + } + } else { + encryptedPwd = pwdConfig.getConfigvalue(); + decryptedPwd = PasswordUtils.decryptPassword(encryptedPwd); + if (StringUtils.equalsIgnoreCase(PasswordUtils.encryptPassword(decryptedPwd), encryptedPwd)) { + configs.put(ServiceDBStore.CONFIG_KEY_PASSWORD, encryptedPwd); + } } } } http://git-wip-us.apache.org/repos/asf/ranger/blob/3999d5b6/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
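Review bot: This read path assigns `ServiceDBStore.CRYPT_ALGO`, `ENCRYPT_KEY`, `SALT` and `ITERATION_COUNT` from whatever is stored for the service being read, so fetching one service's configs changes the parameters later used to encrypt every other service's password, and concurrent reads race on those statics; the parsed parts should stay in locals and `paddingString` should be built from them. `String crypt_algo_array[] = encryptedPwd.split(",");` followed by the same split under `if (encryptedPwd.contains(","))` is redundant, the `crypt_algo_array != null` test can never be false, and the `else` branch re-reads `pwdConfig.getConfigvalue()` into a variable that already holds it. Prefer `String[] cryptAlgoArray = encryptedPwd.split(",", 5);` with `if (cryptAlgoArray.length == 5)`, and guard `getConfigvalue()` against null before splitting. The enclosing method starts outside this hunk.
```java
if (pwdConfig != null && pwdConfig.getConfigvalue() != null) {
    String encryptedPwd = pwdConfig.getConfigvalue();
    String[] cryptAlgoArray = encryptedPwd.split(",", 5);
    if (cryptAlgoArray.length == 5) {
        // Use the parameters stored with this value; do not write them back into ServiceDBStore's statics.
        String paddingString = cryptAlgoArray[0] + "," + cryptAlgoArray[1] + "," + cryptAlgoArray[2] + "," + cryptAlgoArray[3];
        String decryptedPwd = PasswordUtils.decryptPassword(encryptedPwd);
        if (StringUtils.equalsIgnoreCase(paddingString + "," + PasswordUtils.encryptPassword(paddingString + "," + decryptedPwd), encryptedPwd)) {
            configs.put(ServiceDBStore.CONFIG_KEY_PASSWORD, encryptedPwd);
        }
    } else {
        // … unchanged: legacy (unpadded) value round-trip …
    }
}
```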
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
index 0feecfe..4f5f1d3 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
@@ -535,4 +535,21 @@
 <name>ranger.service.https.attrib.ssl.enabled.protocols</name>
 <value>SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2</value>
 </property>
+ <!-- Encryption -->
+ <property>
+ <name>ranger.password.encryption.key</name>
+ <value>tzL1AKl5uc4NKYaoQ4P3WLGIBFsffd98PXWPWdu1fRm9004jtQiV</value>
+ </property>
+ <property>
+ <name>ranger.password.salt</name>
+ <value>FYSA9sds</value>
+ </property>
+ <property>
+ <name>ranger.password.iteration.count</name>
+ <value>1000</value>
+ </property>
+ <property>
+ <name>ranger.password.encryption.algorithm</name>
+ <value>PBEWithMD5AndDES</value>
+ </property>
 </configuration>
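Review bot: `ranger.password.encryption.key` and `ranger.password.salt` ship with concrete values in the distributed default site file, so every installation that does not override them encrypts service passwords under the same publicly known key and salt; the block should say so, e.g. `<!-- Override ranger.password.encryption.key and ranger.password.salt per deployment; the shipped values are public defaults and provide no confidentiality. -->`. The default `PBEWithMD5AndDES` combines MD5 with single DES, both long deprecated; if the algorithm is now configurable, documenting which stronger values the code accepts (and that changing it depends on the re-encryption path in ServiceDBStore) would help operators. Note also that the key and salt here differ from `PasswordUtils.DEFAULT_ENCRYPT_KEY` and `DEFAULT_SALT` in this commit, so the legacy no-comma path and the admin-configured path use different parameters by default; a comment stating that the plugin-side defaults are intentionally separate (or aligning them) would avoid confusion.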