> On Oct. 23, 2017, 4:56 a.m., bhavik patel wrote:
> > @Endre Zoltan Kovacs : Have you tested plugins test-connection? If someone 
> > upgrades from ranger-0.6 to ranger-0.7 or master and then checks plugins 
> > test-connection, it should not break. Can you please confirm that?
> > 
> > note: If you want to use a stronger crypto algorithm then you can directly 
> > specify it in ranger-admin-default-site.xml rather than changing the default 
> > value in PasswordUtils.java
> 
> Endre Zoltan Kovacs wrote:
>     Hi!
>     I've checked this patch against HDP 2.6.3 with ranger 0.7.0.2.6 and tested 
> the 'test-connection'. It brought problems to light, so I fixed them and 
> re-created the patch.
>     This version should work well with service check and service update.
>     
>     I tested and verified that upgrading from an older crypto algo (e.g.: 
> PBEWithSHA1AndDESede) to this new algo works.
>     
>     Best regards,
>     Endre
> 
> bhavik patel wrote:
>     Hi,
>     Can you please verify one more case: a user password which contains a 
> special character; at that time also test-connection should work.
> 
> Endre Zoltan Kovacs wrote:
>     Hi!
>     This was a great idea! I added some more unit tests, aiming to catch comma 
> related password problems, and it turned out there were issues during the 
> encrypt phase.
>     With the new patch these are gone.
>     
>     Besides the unit tests, I also tested passwords with a comma on an HDP 
> cluster to verify it in a live setting.
>     I also tested and verified that it is possible to go back to a less 
> secure algo (that doesn't need initializer vector) and test/update of service 
> still worked.

re: "note: If you want to use a stronger crypto algorithm then you can directly 
specify it in ranger-admin-default-site.xml rather than changing the default 
value in PasswordUtils.java"

Indeed!

Now, I changed back the default value in PasswordUtils to its original one, to 
prevent decryption failures for passwords where the customer didn't have the 
algorithm configuration included in the password string.

        public static final String CRYPT_ALGO =
                PropertiesUtil.getProperty("ranger.password.encryption.algorithm",
                        PasswordUtils.DEFAULT_CRYPT_ALGO);
        
takes care of reading the default value from 'ranger-admin-default-site.xml' 
where the user can specify the newer/stronger crypto algorithm (e.g.: 
PBEWITHHMACSHA512ANDAES_128)


- Endre Zoltan


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63209/#review188920
-----------------------------------------------------------


On Nov. 3, 2017, 3:59 p.m., Endre Zoltan Kovacs wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/63209/
> -----------------------------------------------------------
> 
> (Updated Nov. 3, 2017, 3:59 p.m.)
> 
> 
> Review request for ranger.
> 
> 
> Bugs: RANGER-1644
>     https://issues.apache.org/jira/browse/RANGER-1644
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> changing outdated hash&crypto algorithms: MD5&DES => SHA512&AES128
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java 58cdd3531 
>   agents-common/src/test/java/org/apache/ranger/plugin/util/PasswordUtilsTest.java 4e135aaa7 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java da650747d 
>   security-admin/src/main/java/org/apache/ranger/service/RangerServiceService.java 3dd761a2b 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 9dfc03df1 
>   security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java 976fd0cb8 
> 
> 
> 
> Diff: https://reviews.apache.org/r/63209/diff/4/
> 
> 
> Testing
> -------
> 
> PasswordUtilsTest: added new unit test and updated previous ones
> Added service update test: on service update new service password will be 
> encrypted with the new algorithm
> 
> 
> Thanks,
> 
> Endre Zoltan Kovacs
> 
>
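
An added example, not part of this thread or of Ranger's code, of the three behaviours discussed above: a stored password with no algorithm metadata is decrypted with the legacy default, an AES-based PBE algorithm needs an IV while the older ones do not, and a password containing commas survives a comma-separated record. The record layout, the fixed legacy salt, the key, the sample password and the class name are constructed for this demo and are not Ranger's actual format; PBEWithMD5AndDES is assumed as the legacy default.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.*;

public class PbeAlgoFallbackDemo {
    // Assumption: records without an algorithm field use this legacy default and fixed salt.
    static final String LEGACY_ALGO = "PBEWithMD5AndDES";
    static final byte[] LEGACY_SALT = "demosalt".getBytes(StandardCharsets.US_ASCII); // 8 bytes
    static final int ITERATIONS = 1000;
    // AES-based PBE (PBES2) must be given an IV; the older PBE schemes take only salt + count.
    static boolean needsIv(String algo) { return algo.toUpperCase().contains("AES"); }

    static byte[] run(int mode, String algo, char[] key, byte[] salt, byte[] iv, byte[] in) throws Exception {
        PBEParameterSpec spec = iv == null ? new PBEParameterSpec(salt, ITERATIONS)
                : new PBEParameterSpec(salt, ITERATIONS, new IvParameterSpec(iv));
        Cipher c = Cipher.getInstance(algo);
        c.init(mode, SecretKeyFactory.getInstance(algo).generateSecret(new PBEKeySpec(key)), spec);
        return c.doFinal(in);
    }

    // Demo record layout: algo,base64(salt),base64(iv) or empty,base64(ciphertext).
    // Base64 output never contains ',', so commas in the password cannot shift fields.
    static String encrypt(String algo, char[] key, String password) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] salt = new byte[8], iv = needsIv(algo) ? new byte[16] : null;
        rnd.nextBytes(salt);
        if (iv != null) rnd.nextBytes(iv);
        byte[] ct = run(Cipher.ENCRYPT_MODE, algo, key, salt, iv, password.getBytes(StandardCharsets.UTF_8));
        Base64.Encoder e = Base64.getEncoder();
        return String.join(",", algo, e.encodeToString(salt), iv == null ? "" : e.encodeToString(iv), e.encodeToString(ct));
    }

    static String decrypt(char[] key, String record) throws Exception {
        String[] f = record.split(",", -1);
        Base64.Decoder d = Base64.getDecoder();
        byte[] pt = f.length == 1   // legacy record: bare ciphertext, no algorithm metadata
                ? run(Cipher.DECRYPT_MODE, LEGACY_ALGO, key, LEGACY_SALT, null, d.decode(f[0]))
                : run(Cipher.DECRYPT_MODE, f[0], key, d.decode(f[1]), f[2].isEmpty() ? null : d.decode(f[2]), d.decode(f[3]));
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        char[] key = "constructed-master-key".toCharArray();   // constructed sample key
        String pw = "p@ss,with,commas";                        // constructed sample password
        String legacy = Base64.getEncoder().encodeToString(run(Cipher.ENCRYPT_MODE, LEGACY_ALGO, key, LEGACY_SALT, null, pw.getBytes(StandardCharsets.UTF_8)));
        for (String rec : new String[] { legacy, encrypt("PBEWithSHA1AndDESede", key, pw), encrypt("PBEWITHHMACSHA512ANDAES_128", key, pw) })
            System.out.println(decrypt(key, rec).equals(pw) + "  " + rec);
    }
}
```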
