[ https://issues.apache.org/jira/browse/RANGER-5543?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bhavesh Amre resolved RANGER-5543.
----------------------------------
Fix Version/s: 3.0.0
Resolution: Fixed
> Ranger KMS GCP always try to create master key irrespective of its existence
> -----------------------------------------------------------------------------
>
> Key: RANGER-5543
> URL: https://issues.apache.org/jira/browse/RANGER-5543
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Bhavesh Amre
> Assignee: Bhavesh Amre
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 1h 50m
> Remaining Estimate: 0h
>
> GCP HSM Integration Issues in Ranger KMS
>
> The integration of GCP HSM with Ranger KMS was failing due to the following
> issues:
>
> 1. Missing Dependencies
>
> Required dependencies such as protobuf-java, failureaccess, and guava were
> not included, causing compatibility issues with GCP libraries.
>
> Resolution:
>
> - Added the missing dependencies (Guava, failureaccess, protobuf-java) to the
>   project.
> - Updated the KMS assembly configuration to ensure all required dependencies
>   are packaged correctly.
>
> 2. Unconditional Master Key Creation Attempts
>
> The system was repeatedly attempting to call create master key even when it
> already existed. This led to unnecessary exceptions and instability.
>
> Additionally, the logic did not differentiate between user roles:
>
> Owner role → has permission to create a master key
> Viewer role → has permission to read/view the master key only
>
> However, both roles were attempting to generate the master key, which caused
> permission-related failures.
>
> Resolution:
>
> - Introduced a masterKeyExists() check in the GCP HSM provider.
> - Updated the logic to:
>   - First verify whether the master key already exists.
>   - Avoid the call to create the key if it already exists.
>   - Ensure that:
>     - Owner role can create the master key if it does not exist.
>     - Viewer role only checks for the existence of the master key and does
>       not attempt creation.
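
The check-before-create flow described in item 2, as an added Java example that is not Ranger's code and not part of the original message. `FakeKms`, `Role`, `ensureMasterKey` and the key name are hypothetical stand-ins, passing the role as a parameter is an assumption, and tolerating a create that loses a race to another instance goes beyond what the issue describes.

```java
import java.util.HashSet;
import java.util.Set;

public class MasterKeyBootstrap {
    enum Role { OWNER, VIEWER }

    /** Hypothetical in-memory stand-in for a cloud KMS; not the GCP SDK or a Ranger class. */
    static class FakeKms {
        final Set<String> keys = new HashSet<>();
        int createCalls = 0;

        boolean exists(String keyName) { return keys.contains(keyName); }

        void create(Role caller, String keyName) {
            createCalls++;
            if (caller != Role.OWNER) {
                throw new SecurityException("permission denied: create " + keyName);
            }
            if (!keys.add(keyName)) {
                throw new IllegalStateException("already exists: " + keyName);
            }
        }
    }

    /** Returns true when the master key is usable after the call. */
    static boolean ensureMasterKey(FakeKms kms, Role role, String keyName) {
        if (kms.exists(keyName)) return true;   // read-only check, valid for both roles
        if (role != Role.OWNER) return false;   // viewer reports absence, never calls create
        try {
            kms.create(role, keyName);
        } catch (IllegalStateException raced) {
            // Another instance created the key between the check and the create call.
        }
        return kms.exists(keyName);
    }

    public static void main(String[] args) {
        FakeKms kms = new FakeKms();
        String key = "constructed-master-key";  // constructed sample name
        System.out.println("viewer, key missing: " + ensureMasterKey(kms, Role.VIEWER, key));
        System.out.println("owner, key missing:  " + ensureMasterKey(kms, Role.OWNER, key));
        System.out.println("owner, key present:  " + ensureMasterKey(kms, Role.OWNER, key));
        System.out.println("viewer, key present: " + ensureMasterKey(kms, Role.VIEWER, key));
        System.out.println("create calls made:   " + kms.createCalls);
    }
}
```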