From ab...@apache.org
Subject ranger git commit: RANGER-1988: Fix insecure randomness
Date Wed, 21 Feb 2018 00:51:01 GMT
Repository: ranger
Updated Branches:
  refs/heads/master ded33518f -> 3286f6a55


RANGER-1988: Fix insecure randomness


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/3286f6a5
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/3286f6a5
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/3286f6a5

Branch: refs/heads/master
Commit: 3286f6a55eeb6e5c6d5ecc949373d77916d9a278
Parents: ded3351
Author: Abhay Kulkarni <akulkarni@hortonworks.com>
Authored: Tue Feb 20 16:32:19 2018 -0800
Committer: Abhay Kulkarni <akulkarni@hortonworks.com>
Committed: Tue Feb 20 16:32:19 2018 -0800

----------------------------------------------------------------------
 .../hadoop/RangerHdfsAuthorizer.java            | 30 ++++++++++++++------
 1 file changed, 21 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/3286f6a5/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index 0bc3b31..59cf6b1 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -24,16 +24,15 @@ import static org.apache.ranger.authorization.hadoop.constants.RangerHadoopConst
 import static org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants.WRITE_ACCCESS_TYPE;
 
 import java.net.InetAddress;
+import java.security.SecureRandom;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
-import java.util.Random;
 import java.util.Set;
 import java.util.Stack;
 
 import org.apache.commons.lang.ArrayUtils;
-import org.apache.commons.lang.RandomStringUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -699,15 +698,28 @@ class RangerHdfsPlugin extends RangerBasePlugin {
 		RangerHdfsPlugin.fileNameExtensionSeparator = RangerConfiguration.getInstance().get(RangerHdfsAuthorizer.RANGER_FILENAME_EXTENSION_SEPARATOR_PROP,
RangerHdfsAuthorizer.DEFAULT_FILENAME_EXTENSION_SEPARATOR);
 		RangerHdfsPlugin.optimizeSubAccessAuthEnabled = RangerConfiguration.getInstance().getBoolean(RangerHadoopConstants.RANGER_OPTIMIZE_SUBACCESS_AUTHORIZATION_PROP,
RangerHadoopConstants.RANGER_OPTIMIZE_SUBACCESS_AUTHORIZATION_DEFAULT);
 
-		// Build random string of random length
+		String random = generateString("^&#@!%()-_+=@:;'<>`~abcdefghijklmnopqrstuvwxyz01234567890");
+		randomizedWildcardPathName = RangerPathResourceMatcher.WILDCARD_ASTERISK + random + RangerPathResourceMatcher.WILDCARD_ASTERISK;
+	}
+
+	// Build random string of length between 56 and 112 characters
+	private static String generateString(String source)
+	{
+		SecureRandom rng = new SecureRandom();
+
 		byte[] bytes = new byte[1];
-		new Random().nextBytes(bytes);
-		int count = bytes[0];
-		count = count < 56 ? 56 : count;
-		count = count > 112 ? 112 : count;
+		rng.nextBytes(bytes);
+		int length = bytes[0];
+		length = length < 56 ? 56 : length;
+		length = length > 112 ? 112 : length;
 
-		String random = RandomStringUtils.random(count, "^&#@!%()-_+=@:;'<>`~abcdefghijklmnopqrstuvwxyz01234567890");
-		randomizedWildcardPathName = RangerPathResourceMatcher.WILDCARD_ASTERISK + random + RangerPathResourceMatcher.WILDCARD_ASTERISK;
+		char[] text = new char[length];
+
+		for (int i = 0; i < length; i++)
+		{
+			text[i] = source.charAt(rng.nextInt(source.length()));
+		}
+		return new String(text);
 	}
 
 	public static boolean isHadoopAuthEnabled() {
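Review bot: The length derivation in generateString still yields a badly skewed distribution: `bytes[0]` is a signed byte in -128..127, so after the two clamps roughly 72% of calls land on exactly 56 and about 6% on exactly 112, with only ~22% spread over the values in between — the comment "length between 56 and 112" is true but misleading. Since the point of the commit is to make the output unpredictable, draw the length uniformly instead and drop the byte array: `int length = 56 + rng.nextInt(57);` replaces the five lines from `byte[] bytes = new byte[1];` through the second clamp. Separately, the alphabet passed in from the caller contains `@` twice and `0` twice, so those two characters are selected with double the probability of the others; deduplicating the literal (or noting the bias in the comment) would make the "random" character selection actually uniform over the intended set. The first part of the hunk is the tail of an init method whose start is outside the hunk, and the enclosing class `RangerHdfsPlugin` continues past it.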

