> On Dec. 4, 2020, 9:31 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/util/Pbkdf2PasswordEncoderCust.java
> > Lines 102 (patched)
> > <https://reviews.apache.org/r/73015/diff/3/?file=2242839#file2242839line102>
> >
> >     Wouldn't the following be simpler:
> >       return Arrays.equals(expected, actual);

Spring Security has Pbkdf2PasswordEncoder.java, which has a hard-coded length for 
the salt of 8 bytes. With the SafeLogic CryptoComply APIs for FIPS, the minimum salt 
length is 16 bytes. Hence we implemented a custom Pbkdf2PasswordEncoder by 
copying code from the Spring Security implementation with a salt length of 16 bytes. 
One possible explanation I found for the matches method was:
"This comparison method is used so that password hashes cannot be extracted 
from an on-line system using a timing attack and then attacked off-line."


- Sailaja


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73015/#review222293
-----------------------------------------------------------
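Added example, not part of the review thread and not Ranger's or Spring Security's code: a PBKDF2 hash with the 16-byte salt discussed above, checked with a comparison that touches every byte, next to the `Arrays.equals` call suggested in the review. The class name, iteration count, key length and the `PBKDF2WithHmacSHA256` algorithm are assumptions chosen for illustration.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

// Illustration only; names and parameters below are assumptions, not Ranger's.
public class Pbkdf2CompareDemo {
    static final int SALT_LEN = 16;         // bytes; the minimum quoted in the thread
    static final int ITERATIONS = 210_000;  // assumed work factor
    static final int HASH_BITS = 256;       // assumed output length

    static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the copy of the password held by the spec
        }
    }

    // XOR every byte pair and OR the results together, so the loop always runs
    // to the end and its duration does not reveal where the first mismatch is.
    static boolean constantTimeEquals(byte[] expected, byte[] actual) {
        if (expected.length != actual.length) {
            return false; // the hash length is public, so this leaks nothing useful
        }
        int diff = 0;
        for (int i = 0; i < expected.length; i++) {
            diff |= expected[i] ^ actual[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);
        byte[] stored = derive("correct horse".toCharArray(), salt); // constructed sample
        byte[] good = derive("correct horse".toCharArray(), salt);
        byte[] bad = derive("wrong guess".toCharArray(), salt);

        System.out.println("manual, match:    " + constantTimeEquals(stored, good));
        System.out.println("manual, mismatch: " + constantTimeEquals(stored, bad));
        // JDK built-in that is also time-constant for equal-length inputs.
        System.out.println("MessageDigest:    " + MessageDigest.isEqual(stored, good));
        // Same boolean answer, but it may return at the first differing byte.
        System.out.println("Arrays.equals:    " + Arrays.equals(stored, bad));
    }
}
```

All four calls return the same answers as each other for a given pair of inputs; the difference between them is only in how long a mismatch takes to detect.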


On Dec. 4, 2020, 8:49 p.m., Dhaval Shah wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73015/
> -----------------------------------------------------------
> 
> (Updated Dec. 4, 2020, 8:49 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Jayendra Parab, Madhan Neethiraj, 
> Mehul Parikh, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3055
>     https://issues.apache.org/jira/browse/RANGER-3055
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> We need to make algorithmic changes in order to make Ranger source code FIPS 
> compliant. As per the FIPS standard, some algorithms and storetypes are 
> blacklisted. As required, we have made the appropriate changes and also 
> introduced the FIPS flag in Ranger to use the appropriate algorithms under 
> a FIPS environment.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerAdminConfig.java 5cd539aeb 
>   agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfigConstants.java 1ad34efa7 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java 2bb65891a 
>   agents-common/src/main/java/org/apache/ranger/plugin/store/RangerServiceResourceSignature.java d7fedf053 
>   credentialbuilder/src/main/java/org/apache/ranger/credentialapi/CredentialReader.java 42497e357 
>   credentialbuilder/src/main/java/org/apache/ranger/credentialapi/buildks.java cb391cc00 
>   credentialbuilder/src/test/java/org/apache/ranger/credentialapi/TestCredentialReader.java 006986c6a 
>   credentialbuilder/src/test/java/org/apache/ranger/credentialapi/Testbuildks.java 87634d777 
>   embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/ElasticSearchIndexBootStrapper.java e6eb7af99 
>   embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java f6d735c30 
>   kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java 75aa939e0 
>   kms/src/main/java/org/apache/hadoop/crypto/key/KeySecureToRangerDBMKUtil.java 538fde95e 
>   kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java 6e4f75ae1 
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java 7473871fb 
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java 2b4eb809c 
>   ranger-util/src/scripts/saveVersion.py 0ad39ac90 
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 2b3cdcbb5 
>   security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java c58258ba0 
>   security-admin/src/main/java/org/apache/ranger/credentialapi/CredentialReader.java 1a3ade730 
>   security-admin/src/main/java/org/apache/ranger/patch/cliutil/ChangePasswordUtil.java e7a08532d 
>   security-admin/src/main/java/org/apache/ranger/rest/UserREST.java cf764a0b4 
>   security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java a8b8c588a 
>   security-admin/src/main/java/org/apache/ranger/util/Pbkdf2PasswordEncoderCust.java PRE-CREATION 
>   tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java 95c348265 
>   ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java 5ef78cf78 
>   ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java f911f22d4 
>   unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java 4d84a9648 
> 
> 
> Diff: https://reviews.apache.org/r/73015/diff/3/
> 
> 
> Testing
> -------
> 
> 1. CRUD for ADMIN_ROLE, USER_ROLE, KEADMIN_ROLE
> 2. Tested UNIX users are getting synced
> 3. Tested file-based tag sync
> 4. Tested the user is able to change password and is able to log in with the new 
> password.
> 5. Import/export
> 6. Tested admin audit.
> 7. Tested KMS setup.
> 
> 
> Thanks,
> 
> Dhaval Shah
> 
>
