vikaskr22 opened a new pull request, #723:
URL: https://github.com/apache/ranger/pull/723

   ## What changes were proposed in this pull request?
   
   Support for the PBKDF2WithHmacSHA256 encryption algorithm to encrypt/decrypt the 
service password. This PR is only for fresh Ranger installations and requires a 
compliant SecurityProvider in java.security and the required jars in the JRE 
path.
   
   ## How was this patch tested?
   
   - mvn clean install
   - **Manual Testing in Docker env:**
        **Non-FIPS:** Here I created a new docker image with the new code and 
verified the non-FIPS env. Service passwords were being encrypted/decrypted 
using the older PBEWithHmacSHA512AndAES_128 algorithm.
   
     **For FIPS:** 
   Updated the **ranger-admin-site.xml** with the following properties:
   
   ```xml
   <property>
           <name>ranger.password.iteration.count</name>
           <value>5000</value>
   </property>
   <property>
           <name>ranger.password.encryption.algorithm</name>
           <value>PBEWithHmacSHA512AndAES_128</value>
   </property>
   ```
   
   
   Then, created a new docker image and started the container. 
   By default, the Admin container starts but service creation fails due to the 
missing SecurityProvider and related configuration. 
   
   To make it work, the following steps are required:
   
   Copied the SecurityProvider jar to the JRE path:
   
   `docker cp bc-fips-2.0.0.jar b8b631895054:/opt/java/openjdk/jre/lib/ext/`
   
   Next, updated java.security with the following content:
   
   ```
   security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
   org.bouncycastle.fips.approved_only=true
   ```
   
   Once the configuration explained above is completed and the container is restarted, 
the new Provider will come into effect.
   
   Then, I executed the following command to create all the failed services:
   `ranger@ranger:~/scripts$ python3 create-ranger-services.py`
   
   After that, all services got created with the latest algorithm. It can be 
verified by looking into the DB as well.
   
   <img width="1323" height="183" alt="x_service_config_map with latest also" src="https://github.com/user-attachments/assets/71f37e2f-acb0-4fc1-b450-ec331612282f" />
   
   
   Request to review the PR. The upgrade scenario will be implemented as part of a 
separate JIRA, where re-encryption of existing passwords will happen.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
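The PR description names the new algorithm and its iteration count but does not show how a PBKDF2-based scheme differs in shape from the PBEWithHmacSHA512AndAES_128 path it replaces. In the JCA, `PBEWithHmacSHA512AndAES_128` is a `Cipher` transformation that derives and encrypts in one step, whereas `PBKDF2WithHmacSHA256` is a `SecretKeyFactory` algorithm that only derives a key, so a separate cipher (AES/GCM here) has to be paired with it and the salt and IV have to be stored alongside the ciphertext. The following added example, written for this review and not Ranger's own implementation, shows that two-step structure using standard JCA calls. The `ranger.password.*` values are taken from the XML in the description; the master secret, the sample service password, the AES/GCM choice and the `salt:iv:ciphertext` storage layout are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Illustrative (not Ranger's) protection of a service password:
 * derive an AES key from a master secret with PBKDF2WithHmacSHA256,
 * then encrypt with AES/GCM. Salt, IV and ciphertext are stored together.
 */
public class Pbkdf2PasswordCrypto {
    // Algorithm name and iteration count mirror the PR's
    // ranger.password.encryption.algorithm / ranger.password.iteration.count;
    // how Ranger wires these values into its own code is not shown here.
    private static final String KDF = "PBKDF2WithHmacSHA256";
    private static final int ITERATIONS = 5000;
    private static final int KEY_BITS = 128;   // AES-128 key
    private static final int SALT_BYTES = 16;  // 128-bit salt, the SP 800-132 minimum
    private static final int IV_BYTES = 12;    // GCM nonce
    private static final int TAG_BITS = 128;   // GCM authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    /** Runs PBKDF2 over the master secret; the key is only as strong as that secret. */
    static SecretKey deriveKey(char[] masterSecret, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(masterSecret, salt, ITERATIONS, KEY_BITS);
        try {
            byte[] keyBytes = SecretKeyFactory.getInstance(KDF).generateSecret(spec).getEncoded();
            return new SecretKeySpec(keyBytes, "AES");
        } finally {
            spec.clearPassword(); // do not leave the secret behind in the spec object
        }
    }

    /** Returns base64(salt):base64(iv):base64(ciphertext||tag). */
    static String encrypt(char[] masterSecret, String servicePassword) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv); // fresh nonce per record: GCM nonce reuse destroys both confidentiality and integrity
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(masterSecret, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(servicePassword.getBytes(StandardCharsets.UTF_8));
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(salt) + ":" + b64.encodeToString(iv) + ":" + b64.encodeToString(ct);
    }

    /** Reverses encrypt(); a wrong master secret or a tampered record fails with AEADBadTagException. */
    static String decrypt(char[] masterSecret, String stored) throws GeneralSecurityException {
        String[] parts = stored.split(":");
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected salt:iv:ciphertext");
        }
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] salt = b64.decode(parts[0]);
        byte[] iv = b64.decode(parts[1]);
        byte[] ct = b64.decode(parts[2]);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(masterSecret, salt), new GCMParameterSpec(TAG_BITS, iv));
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] master = "constructed-master-secret-for-demo".toCharArray(); // constructed sample
        String plaintext = "constructed-service-password";                     // constructed sample
        String stored = encrypt(master, plaintext);
        System.out.println("stored record: " + stored);
        System.out.println("round trip ok: " + plaintext.equals(decrypt(master, stored)));
        // A second encryption of the same password yields a different record (fresh salt and IV).
        System.out.println("records differ: " + !stored.equals(encrypt(master, plaintext)));
        try {
            decrypt("wrong-secret".toCharArray(), stored);
        } catch (AEADBadTagException e) {
            System.out.println("wrong secret rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Two points follow from the structure. First, because the salt and IV are per record, re-encrypting existing passwords (the upgrade scenario deferred to a separate JIRA in the description) is a matter of decrypting with the old scheme and calling `encrypt` again; no shared state beyond the master secret is involved. Second, the iteration count is a stored parameter only in the sense that `decrypt` must use the same value `encrypt` did, so if `ranger.password.iteration.count` is ever changed, records written under the old count have to be re-encrypted or the count has to be stored with the record. When running under BouncyCastleFipsProvider with `approved_only=true`, exercise this path against that provider rather than assuming SunJCE behaviour carries over, since an approved-only provider may reject parameter choices it considers non-compliant.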
