ranger-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From me...@apache.org
Subject ranger git commit: RANGER-2056 : Good coding practices for KMS and unixauth
Date Sat, 07 Apr 2018 06:10:42 GMT
Repository: ranger
Updated Branches:
  refs/heads/master 122172a0b -> e65a3e812


RANGER-2056 : Good coding practices for KMS and unixauth

Change-Id: I24777506233e00cf5d05a2b5412c0e579e09e569

Signed-off-by: Mehul Parikh <mehul@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/e65a3e81
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/e65a3e81
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/e65a3e81

Branch: refs/heads/master
Commit: e65a3e81265f46c76611b0c3e7265af932629bb1
Parents: 122172a
Author: Nikhil P <nikhil.purbhe@gmail.com>
Authored: Wed Apr 4 17:12:00 2018 +0530
Committer: Mehul Parikh <mehul@apache.org>
Committed: Sat Apr 7 11:40:01 2018 +0530

----------------------------------------------------------------------
 .../apache/hadoop/crypto/key/ConsoleUtil.java   | 29 ++++++--------------
 .../apache/hadoop/crypto/key/DB2HSMMKUtil.java  | 10 +++++--
 .../apache/hadoop/crypto/key/HSM2DBMKUtil.java  | 10 +++++--
 .../hadoop/crypto/key/JKS2RangerUtil.java       | 11 ++++++--
 .../hadoop/crypto/key/Ranger2JKSUtil.java       | 11 ++++++--
 .../unix/jaas/PamLoginModule.java               | 12 ++++----
 .../unix/jaas/RemoteUnixLoginModule.java        | 29 +++++++++++++-------
 7 files changed, 68 insertions(+), 44 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/e65a3e81/kms/src/main/java/org/apache/hadoop/crypto/key/ConsoleUtil.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/ConsoleUtil.java b/kms/src/main/java/org/apache/hadoop/crypto/key/ConsoleUtil.java
index 9f43740..f07a1fe 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/ConsoleUtil.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/ConsoleUtil.java
@@ -20,7 +20,6 @@ package org.apache.hadoop.crypto.key;
 import java.io.Console;
 import java.io.IOException;
 import java.io.InputStream;
-import java.nio.charset.Charset;
 
 /**
  * Utility class for reading passwords from the console.
@@ -33,17 +32,9 @@ class ConsoleUtil {
      * @param prompt the question which is prompted
      * @return the password.
      */
-    static char[] getPasswordFromConsole(String prompt) throws IOException {
-        return getStringPasswordFromConsole(prompt).toCharArray();
-    }
 
-    /**
-     * Ask a password from console, and return as a String.
-     * @param prompt the question which is prompted
-     * @return the password.
-     */
-    static String getStringPasswordFromConsole(String prompt) throws IOException {
-        String ret = null;
+    static char[] getPasswordFromConsole(String prompt) throws IOException {
+        char pwd[]=null;
         Console c = System.console();
         if (c == null) {
             System.out.print(prompt + " ");
@@ -52,23 +43,21 @@ class ConsoleUtil {
             byte[] b = new byte[max];
             int l = in.read(b);
             l--; // last character is \n
+            pwd=new char[l];
             if (l > 0) {
                 byte[] e = new byte[l];
                 System.arraycopy(b, 0, e, 0, l);
-                ret = new String(e, Charset.defaultCharset());
+                for (int i = 0; i < l; i++) {
+                    pwd[i] = (char) e[i];
+                }
             }
         } else {
-            char[] pwd = c.readPassword(prompt + " ");
+            pwd = c.readPassword(prompt + " ");
             if (pwd == null) {
-                ret = null;
-            } else {
-                ret = new String(pwd);
+                pwd = new char[0];
             }
         }
-        if (ret == null) {
-            ret = "";
-        }
-        return ret;
+        return pwd;
     }
 
 }

http://git-wip-us.apache.org/repos/asf/ranger/blob/e65a3e81/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java b/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java
index ad85245..aec8eae 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java
@@ -16,6 +16,8 @@
  */
 package org.apache.hadoop.crypto.key;
 
+import java.util.Arrays;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.ranger.kms.dao.DaoManager;
 
@@ -65,12 +67,13 @@ public class DB2HSMMKUtil {
 	}
 	
 	private boolean doExportMKToHSM(String hsmType, String partitionName) {
+		char[] partitionPassword=null;
 		try {
-			String partitionPassword = ConsoleUtil.getStringPasswordFromConsole("Enter Password for
the Partition "+partitionName+" : ");
+			partitionPassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the Partition
"+partitionName+" : ");
 			Configuration conf = RangerKeyStoreProvider.getDBKSConf();
 			conf.set(HSM_TYPE, hsmType);
 			conf.set(PARTITION_NAME, partitionName);
-			conf.set(PARTITION_PASSWORD, partitionPassword);
+			conf.set(PARTITION_PASSWORD, String.valueOf(partitionPassword));
 			
 			RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);		
 			DaoManager daoManager = rangerkmsDb.getDaoManager();
@@ -89,5 +92,8 @@ public class DB2HSMMKUtil {
 		catch(Throwable t) {
 			throw new RuntimeException("Unable to import Master key from Ranger DB to HSM ", t);
 		}
+		finally{
+			Arrays.fill(partitionPassword, ' ');
+		}
 	}
 }

http://git-wip-us.apache.org/repos/asf/ranger/blob/e65a3e81/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java b/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java
index b330a01..0cf832f 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java
@@ -16,6 +16,8 @@
  */
 package org.apache.hadoop.crypto.key;
 
+import java.util.Arrays;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.ranger.kms.dao.DaoManager;
 
@@ -64,12 +66,13 @@ public class HSM2DBMKUtil {
 	}
 	
 	private void doImportMKFromHSM(String hsmType, String partitionName) {
+		char[] partitionPassword=null;
 		try {
-			String partitionPassword = ConsoleUtil.getStringPasswordFromConsole("Enter Password for
the Partition "+partitionName+" : ");
+			partitionPassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the Partition
"+partitionName+" : ");
 			Configuration conf = RangerKeyStoreProvider.getDBKSConf();
 			conf.set(HSM_TYPE, hsmType);
 			conf.set(PARTITION_NAME, partitionName);
-			conf.set(PARTITION_PASSWORD, partitionPassword);
+			conf.set(PARTITION_PASSWORD, String.valueOf(partitionPassword));
 			
 			RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);		
 			DaoManager daoManager = rangerkmsDb.getDaoManager();
@@ -87,5 +90,8 @@ public class HSM2DBMKUtil {
 		catch(Throwable t) {
 			throw new RuntimeException("Unable to import Master key from HSM to Ranger DB", t);
 		}
+		finally{
+			Arrays.fill(partitionPassword, ' ');
+		}
 	}
 }

http://git-wip-us.apache.org/repos/asf/ranger/blob/e65a3e81/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java b/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java
index 13833cb..dd4408f 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java
@@ -22,6 +22,7 @@ import java.io.FileInputStream;
 import java.io.InputStream;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
+import java.util.Arrays;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.ranger.kms.dao.DaoManager;
@@ -71,9 +72,11 @@ public class JKS2RangerUtil {
 	}
 	
 	private void doImportKeysFromJKS(String keyStoreFileName, String keyStoreType) {
+		char[] keyStorePassword = null;
+		char[] keyPassword = null;
 		try {
-			char[] keyStorePassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the keystore
FILE :");
-			char[] keyPassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the KEY(s)
stored in the keystore:");
+			keyStorePassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the keystore
FILE :");
+			keyPassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the KEY(s) stored
in the keystore:");
 			Configuration conf = RangerKeyStoreProvider.getDBKSConf();
 			RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);		
 			DaoManager daoManager = rangerkmsDb.getDaoManager();
@@ -101,6 +104,10 @@ public class JKS2RangerUtil {
 		catch(Throwable t) {
 			throw new RuntimeException("Unable to import keys from [" + keyStoreFileName + "] due
to exception.", t);
 		}
+		finally{
+			Arrays.fill(keyStorePassword, ' ');
+			Arrays.fill(keyPassword, ' ');
+		}
 	}
 
 }

http://git-wip-us.apache.org/repos/asf/ranger/blob/e65a3e81/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java b/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java
index f7c3e6d..4f337bb 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java
@@ -22,6 +22,7 @@ import java.io.IOException;
 import java.io.OutputStream;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
+import java.util.Arrays;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.ranger.kms.dao.DaoManager;
@@ -72,9 +73,11 @@ public class Ranger2JKSUtil {
 	}
 	
 	private void doExportKeysFromJKS(String keyStoreFileName, String keyStoreType) {
+		char[] keyStorePassword = null;
+		char[] keyPassword = null;
 		try {
-			char[] keyStorePassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the keystore
FILE :");
-			char[] keyPassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the KEY(s)
stored in the keystore:");
+			keyStorePassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the keystore
FILE :");
+			keyPassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the KEY(s) stored
in the keystore:");
 			Configuration conf = RangerKeyStoreProvider.getDBKSConf();
 			RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);		
 			DaoManager daoManager = rangerkmsDb.getDaoManager();
@@ -100,6 +103,10 @@ public class Ranger2JKSUtil {
 		catch(Throwable t) {
 			throw new RuntimeException("Unable to export keys to [" + keyStoreFileName + "] due to
exception.", t);
 		}
+		finally{
+			Arrays.fill(keyStorePassword, ' ');
+			Arrays.fill(keyPassword, ' ');
+		}
 	}
 	
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/e65a3e81/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java
----------------------------------------------------------------------
diff --git a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java
b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java
index 803e3e8..8ff5b23 100644
--- a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java
+++ b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java
@@ -19,7 +19,6 @@
 
 package org.apache.ranger.authentication.unix.jaas;
 
-import org.apache.commons.lang.StringUtils;
 import org.jvnet.libpam.PAM;
 import org.jvnet.libpam.PAMException;
 import org.jvnet.libpam.UnixUser;
@@ -31,6 +30,7 @@ import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
 import java.io.IOException;
 import java.security.Principal;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Set;
@@ -45,7 +45,7 @@ public class PamLoginModule implements LoginModule
     private Map<String, ?> _options;
 
     private String _username;
-    private String _password;
+    private char[] _passwordchar;
 
     private boolean _authSucceeded;
     private PamPrincipal _principal;
@@ -139,7 +139,7 @@ public class PamLoginModule implements LoginModule
     {
         char[] password = passwordCallback.getPassword();
         if (password != null) {
-        	_password = new String(password);
+            _passwordchar = Arrays.copyOf(password, password.length);
         }
         passwordCallback.clearPassword();
     }
@@ -148,8 +148,8 @@ public class PamLoginModule implements LoginModule
     {
         try
         {
-		if (StringUtils.isNotEmpty(_password)) {
-                                UnixUser user = _pam.authenticate(_username, _password);
+		if (_passwordchar != null) {
+                                UnixUser user = _pam.authenticate(_username, String.valueOf(_passwordchar));
                                 _principal = new PamPrincipal(user);
                                 _authSucceeded = true;
                                 return true;
@@ -219,7 +219,7 @@ public class PamLoginModule implements LoginModule
     {
         _authSucceeded = false;
         _username = null;
-        _password = null;
+        Arrays.fill(_passwordchar, ' ');
         _principal = null;
         _pam.dispose();
     }

http://git-wip-us.apache.org/repos/asf/ranger/blob/e65a3e81/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java
----------------------------------------------------------------------
diff --git a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java
b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java
index 40cc51e..204398f 100644
--- a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java
+++ b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java
@@ -32,6 +32,7 @@ import java.security.KeyStore;
 import java.security.SecureRandom;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.util.Arrays;
 import java.util.Map;
 import java.util.Properties;
 
@@ -235,15 +236,17 @@ public class RemoteUnixLoginModule implements LoginModule {
 			log("userName:" + userName);
 			log("modified UserName:" + modifiedUserName);
 
-			String modifiedPassword;
+			char modifiedPasschar[];
 			if (password != null) {
-				modifiedPassword = new String(password);
+				modifiedPasschar = Arrays.copyOf(password,password.length);
 			} else {
-				modifiedPassword = new String(new char[0]);
+				modifiedPasschar = new char[0];
 			}
 
-			doLogin(modifiedUserName, modifiedPassword);
+			doLogin(modifiedUserName, modifiedPasschar);
 
+			Arrays.fill(password, ' ');
+			Arrays.fill(modifiedPasschar, ' ');
 			loginSuccessful = true;
 		}
 
@@ -258,14 +261,14 @@ public class RemoteUnixLoginModule implements LoginModule {
 		return true;
 	}
 
-	public void doLogin(String aUserName, String  aPassword) throws LoginException {
+	public void doLogin(String aUserName, char[]  modifiedPasschar) throws LoginException {
 
 		// POSSIBLE values
 		// null
 		// OK: group1, group2, group3
 		// FAILED: Invalid Password
 
-		String ret = getLoginReplyFromAuthService(aUserName, aPassword);
+		String ret = getLoginReplyFromAuthService(aUserName, modifiedPasschar);
 
 		if (ret == null) {
 			throw new LoginException("FAILED: unable to authenticate to AuthenticationService: " +
remoteHostName + ":" + remoteHostAuthServicePort);
@@ -282,13 +285,17 @@ public class RemoteUnixLoginModule implements LoginModule {
 		}
 	}
 
-	private String getLoginReplyFromAuthService(String aUserName, String aPassword) throws LoginException
{
+	private String getLoginReplyFromAuthService(String aUserName, char[] modifiedPasschar) throws
LoginException {
 		String ret = null;
 
 		Socket sslsocket = null;
 
-		String loginString = "LOGIN:" + aUserName + " " + new String(aPassword) + "\n";
-
+		char prefix[]=new String("LOGIN:"+aUserName+" ").toCharArray();
+		char tail[]=new String("\n").toCharArray();
+		char loginData[]=new char[prefix.length+modifiedPasschar.length+tail.length];
+		System.arraycopy(prefix, 0, loginData, 0, prefix.length);
+		System.arraycopy(modifiedPasschar, 0, loginData, prefix.length,modifiedPasschar.length);
+		System.arraycopy(tail, 0, loginData, prefix.length+modifiedPasschar.length, tail.length);
 		try {
 			try {
 				if (SSLEnabled) {
@@ -380,7 +387,7 @@ public class RemoteUnixLoginModule implements LoginModule {
 
 				OutputStreamWriter writer = new OutputStreamWriter(sslsocket.getOutputStream());
 
-				writer.write(loginString);
+				writer.write(loginData);
 
 				writer.flush();
 
@@ -401,6 +408,8 @@ public class RemoteUnixLoginModule implements LoginModule {
 			throw new LoginException("FAILED: unable to authenticate to AuthenticationService: " +
remoteHostName + ":" + remoteHostAuthServicePort + ", Exception: [" + t + "]");
 		} finally {
 			log("Login of user String: {" + aUserName + "}, return from AuthServer: {" + ret + "}");
+			Arrays.fill(loginData,' ');
+			Arrays.fill(modifiedPasschar,' ');
 		}
 
 		return ret;


Mime
View raw message