bhaveshamre commented on code in PR #910:
URL: https://github.com/apache/ranger/pull/910#discussion_r3072961805


##########
kms/src/main/java/org/apache/hadoop/crypto/key/RangerGoogleCloudHSMProvider.java:
##########
@@ -68,37 +68,34 @@ public RangerGoogleCloudHSMProvider(Configuration conf) 
throws Exception {
 
     @Override
     public boolean generateMasterKey(String unusedPassword) throws Throwable {
-        //The ENCRYPT_DECRYPT key purpose enables symmetric encryption.
-        //All keys with key purpose ENCRYPT_DECRYPT use the 
GOOGLE_SYMMETRIC_ENCRYPTION algorithm.
-        //No parameters are used with this algorithm.
-        CryptoKey key = CryptoKey.newBuilder()
-                .setPurpose(CryptoKeyPurpose.ENCRYPT_DECRYPT)
-                .setVersionTemplate(CryptoKeyVersionTemplate.newBuilder()
-                        .setProtectionLevel(ProtectionLevel.HSM)
-                        
.setAlgorithm(CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION))
-                .build();
-
-        // Create the key.
-        CryptoKey createdKey = null;
-        try {
-            createdKey = client.createCryptoKey(this.keyRingName, 
this.gcpMasterKeyName, key);
-        } catch (Exception e) {
-            if (e instanceof AlreadyExistsException) {
-                logger.info("MasterKey with the name '{}' already exist.", 
this.gcpMasterKeyName);
-                return true;
-            } else {
+        boolean isMKGenerated = false;
+        if (!this.masterKeyExists()) {
+            //The ENCRYPT_DECRYPT key purpose enables symmetric encryption.
+            //All keys with key purpose ENCRYPT_DECRYPT use the 
GOOGLE_SYMMETRIC_ENCRYPTION algorithm.
+            //No parameters are used with this algorithm.
+            CryptoKey key = CryptoKey.newBuilder()
+                    .setPurpose(CryptoKeyPurpose.ENCRYPT_DECRYPT)
+                    .setVersionTemplate(CryptoKeyVersionTemplate.newBuilder()
+                            .setProtectionLevel(ProtectionLevel.HSM)
+                            
.setAlgorithm(CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION))
+                    .build();
+
+            // Create the key.
+            CryptoKey createdKey = null;
+            try {
+                createdKey = client.createCryptoKey(this.keyRingName, 
this.gcpMasterKeyName, key);
+            } catch (Exception e) {
                 throw new RuntimeCryptoException("Failed to create master key 
with name '" + this.gcpMasterKeyName + "', Error - " + e.getMessage());
             }
-        }
 
-        if (createdKey == null) {
-            logger.info("Failed to create master key : {}", 
this.gcpMasterKeyName);
-            return false;
+            if (createdKey == null) {
+                logger.info("Failed to create master key : {}", 
this.gcpMasterKeyName);
+                return false;
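Review bot: The new `if (!this.masterKeyExists())` guard is a check-then-create, and the `catch (Exception e)` beneath it no longer treats `AlreadyExistsException` as success the way the removed lines did. If two KMS instances initialise against the same key ring at about the same time, both can pass the check, and the slower one would then abort with `RuntimeCryptoException` even though the master key exists. Keeping a dedicated clause ahead of the generic one, `} catch (AlreadyExistsException e) { logger.info("MasterKey with the name '{}' already exist.", this.gcpMasterKeyName); return true; }`, keeps creation idempotent regardless of the pre-check. The thrown message carries only `e.getMessage()`, so a `logger.error("Failed to create master key '{}'", this.gcpMasterKeyName, e);` before the throw would preserve the cause for whoever has to diagnose a failed key creation. `masterKeyExists()` and the rest of `generateMasterKey` lie outside the hunk, so how a permission or connectivity error in the existence check is reported could not be verified here.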

Review Comment:
   @vikaskr22, I have addressed the comments and made the necessary changes. Kindly
review.


