-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73912/
-----------------------------------------------------------

(Updated January 17, 2023, 9:34 a.m.)


Review request for ranger, Bhavik Bavishi, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen Mansoori, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, VaradreawiZTV VaradreawiZTV, Vishal Suvagia, and Velmurugan Periasamy.


Changes
-------

Rebase to HEAD


Bugs: RANGER-3682
    https://issues.apache.org/jira/browse/RANGER-3682


Repository: ranger


Description
-------

Unify the ways that rangerkeystore encapsulates zonekey

Now we have 2 styles of MasterKeyProvider:
1. RangerMasterKey, RangerHSM, RangerSafenetKeySecure
2. RangerAzureKeyVaultKeyGenerator, RangerGoogleCloudHSMProvider, RangerTencentKMSProvider

Style 1 can get the master key string out of the provider; style 2 cannot.
In the old code, I added a flag KeyVaultEnabled to distinguish them. KeyVaultEnabled=false means style 1, true means style 2.

RangerKeyStore with style 1 uses SecretKeyEntry with SealedObject to store a key and does encryption / decryption by itself.
RangerKeyStore with style 2 uses SecretKeyByteEntry to store a key and lets the MK provider do encryption / decryption.

These are ugly and hard to maintain.

I refactored it by removing SecretKeyEntry and letting providers of style 1 do encryption / decryption.
Added a common base class of RangerMasterKey, RangerHSM and RangerSafenetKeySecure, named AbstractRangerMasterKey. It provides the common logic of encryptZoneKey and decryptZoneKey.

Also, there is no unified method to initialize a master key provider. Duplicate code is distributed in RangerKeyStoreProvider and a bunch of CLI classes.
I made a new RangerKMSMKIFactory class to unify it.


Diffs (updated)
-----

  kms/src/main/java/org/apache/hadoop/crypto/key/AbstractRangerMasterKey.java PRE-CREATION
  kms/src/main/java/org/apache/hadoop/crypto/key/DBToAzureKeyVault.java 39de0a503
  kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java a1a6f348b
  kms/src/main/java/org/apache/hadoop/crypto/key/MigrateDBMKeyToGCP.java d3b717a8a
  kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java 1935a0185
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerGoogleCloudHSMProvider.java a61cabb1b
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java 90ef729b2
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSMKI.java b09cd5bad
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSMKIFactory.java PRE-CREATION
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java 7188b19b2
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java 429d1ce45
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java b6fc32950
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java eb8a90a71
  kms/src/main/java/org/apache/hadoop/crypto/key/VerifyIsDBMasterkeyCorrect.java 632e728f4
  kms/src/main/java/org/apache/hadoop/crypto/key/VerifyIsHSMMasterkeyCorrect.java e5ebeb783
  kms/src/main/java/org/apache/ranger/kms/biz/RangerKMSStartUp.java 8b0f74eac
  kms/src/test/java/org/apache/hadoop/crypto/key/kms/TestRangerKeyStore.java bcdf2e337
  kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/RangerMasterKeyTest.java f420322ca


Diff: https://reviews.apache.org/r/73912/diff/4/

Changes: https://reviews.apache.org/r/73912/diff/3-4/


Testing
-------

Tested by fresh install and update.


Thanks,

Kirby Zhou
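
The design described in the request, where the key store holds only opaque wrapped bytes and every master key provider exposes the same encryptZoneKey / decryptZoneKey pair, sketched as an added example that is not taken from the Ranger patch. Every class and interface name here is hypothetical, and AES-GCM with an IV-prefixed layout is an assumption; the request does not say which cipher AbstractRangerMasterKey uses.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.security.Key;
import java.security.SecureRandom;
import java.util.Arrays;

// Hypothetical names; only encryptZoneKey/decryptZoneKey appear in the review request.
// A "style 2" provider would implement this interface by calling its remote vault.
interface ZoneKeyProtector {
    byte[] encryptZoneKey(Key zoneKey) throws Exception;
    byte[] decryptZoneKey(byte[] wrapped) throws Exception;
}

// "Style 1": master key material is available locally, so one base class does the wrapping.
abstract class LocalMasterKeyProtector implements ZoneKeyProtector {
    private static final int IV_LEN = 12, TAG_BITS = 128; // assumed AES-GCM parameters
    private final SecureRandom rng = new SecureRandom();

    // Each concrete provider (DB, HSM, ...) supplies the master key its own way.
    protected abstract SecretKey masterKey() throws Exception;

    @Override
    public byte[] encryptZoneKey(Key zoneKey) throws Exception {
        byte[] iv = new byte[IV_LEN];
        rng.nextBytes(iv); // fresh IV per wrap; GCM must never reuse one under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, masterKey(), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(zoneKey.getEncoded());
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length); // layout: IV || ciphertext+tag
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    @Override
    public byte[] decryptZoneKey(byte[] wrapped) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, masterKey(), new GCMParameterSpec(TAG_BITS, wrapped, 0, IV_LEN));
        return c.doFinal(wrapped, IV_LEN, wrapped.length - IV_LEN); // throws if the tag fails
    }
}

public class ZoneKeyDemo {
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey mk = kg.generateKey(), zoneKey = kg.generateKey(); // constructed sample keys
        ZoneKeyProtector p = new LocalMasterKeyProtector() { protected SecretKey masterKey() { return mk; } };
        byte[] stored = p.encryptZoneKey(zoneKey); // the key store persists only these bytes
        System.out.println(Arrays.equals(p.decryptZoneKey(stored), zoneKey.getEncoded()));
    }
}
```

With this shape the key store needs no flag such as KeyVaultEnabled: it calls the same two methods regardless of where the master key lives.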