From commits-return-4383-archive-asf-public=cust-asf.ponee.io@ranger.apache.org Sat Apr 7 08:10:45 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 95B1118064E for ; Sat, 7 Apr 2018 08:10:44 +0200 (CEST) Received: (qmail 92161 invoked by uid 500); 7 Apr 2018 06:10:43 -0000 Mailing-List: contact commits-help@ranger.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@ranger.apache.org Delivered-To: mailing list commits@ranger.apache.org Received: (qmail 92152 invoked by uid 99); 7 Apr 2018 06:10:43 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 07 Apr 2018 06:10:43 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id A994DF4DC0; Sat, 7 Apr 2018 06:10:42 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: mehul@apache.org To: commits@ranger.apache.org Message-Id: <3e768a4940144aee992687c10a2976ed@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: ranger git commit: RANGER-2056 : Good coding practices for KMS and unixauth Date: Sat, 7 Apr 2018 06:10:42 +0000 (UTC) Repository: ranger Updated Branches: refs/heads/master 122172a0b -> e65a3e812 RANGER-2056 : Good coding practices for KMS and unixauth Change-Id: I24777506233e00cf5d05a2b5412c0e579e09e569 Signed-off-by: Mehul Parikh Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/e65a3e81 Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/e65a3e81 Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/e65a3e81 Branch: refs/heads/master Commit: e65a3e81265f46c76611b0c3e7265af932629bb1 Parents: 122172a Author: Nikhil P Authored: Wed Apr 4 17:12:00 2018 +0530 Committer: Mehul Parikh Committed: Sat Apr 7 11:40:01 2018 +0530 ---------------------------------------------------------------------- .../apache/hadoop/crypto/key/ConsoleUtil.java | 29 ++++++-------------- .../apache/hadoop/crypto/key/DB2HSMMKUtil.java | 10 +++++-- .../apache/hadoop/crypto/key/HSM2DBMKUtil.java | 10 +++++-- .../hadoop/crypto/key/JKS2RangerUtil.java | 11 ++++++-- .../hadoop/crypto/key/Ranger2JKSUtil.java | 11 ++++++-- .../unix/jaas/PamLoginModule.java | 12 ++++---- .../unix/jaas/RemoteUnixLoginModule.java | 29 +++++++++++++------- 7 files changed, 68 insertions(+), 44 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/e65a3e81/kms/src/main/java/org/apache/hadoop/crypto/key/ConsoleUtil.java ---------------------------------------------------------------------- diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/ConsoleUtil.java b/kms/src/main/java/org/apache/hadoop/crypto/key/ConsoleUtil.java index 9f43740..f07a1fe 100644 --- a/kms/src/main/java/org/apache/hadoop/crypto/key/ConsoleUtil.java +++ b/kms/src/main/java/org/apache/hadoop/crypto/key/ConsoleUtil.java @@ -20,7 +20,6 @@ package org.apache.hadoop.crypto.key; import java.io.Console; import java.io.IOException; import java.io.InputStream; -import java.nio.charset.Charset; /** * Utility class for reading passwords from the console. @@ -33,17 +32,9 @@ class ConsoleUtil { * @param prompt the question which is prompted * @return the password. */ - static char[] getPasswordFromConsole(String prompt) throws IOException { - return getStringPasswordFromConsole(prompt).toCharArray(); - } - /** - * Ask a password from console, and return as a String. - * @param prompt the question which is prompted - * @return the password. - */ - static String getStringPasswordFromConsole(String prompt) throws IOException { - String ret = null; + static char[] getPasswordFromConsole(String prompt) throws IOException { + char pwd[]=null; Console c = System.console(); if (c == null) { System.out.print(prompt + " "); @@ -52,23 +43,21 @@ class ConsoleUtil { byte[] b = new byte[max]; int l = in.read(b); l--; // last character is \n + pwd=new char[l]; if (l > 0) { byte[] e = new byte[l]; System.arraycopy(b, 0, e, 0, l); - ret = new String(e, Charset.defaultCharset()); + for (int i = 0; i < l; i++) { + pwd[i] = (char) e[i]; + } } } else { - char[] pwd = c.readPassword(prompt + " "); + pwd = c.readPassword(prompt + " "); if (pwd == null) { - ret = null; - } else { - ret = new String(pwd); + pwd = new char[0]; } } - if (ret == null) { - ret = ""; - } - return ret; + return pwd; } } http://git-wip-us.apache.org/repos/asf/ranger/blob/e65a3e81/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java ---------------------------------------------------------------------- diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java b/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java index ad85245..aec8eae 100644 --- a/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java +++ b/kms/src/main/java/org/apache/hadoop/crypto/key/DB2HSMMKUtil.java @@ -16,6 +16,8 @@ */ package org.apache.hadoop.crypto.key; +import java.util.Arrays; + import org.apache.hadoop.conf.Configuration; import org.apache.ranger.kms.dao.DaoManager; @@ -65,12 +67,13 @@ public class DB2HSMMKUtil { } private boolean doExportMKToHSM(String hsmType, String partitionName) { + char[] partitionPassword=null; try { - String partitionPassword = ConsoleUtil.getStringPasswordFromConsole("Enter Password for the Partition "+partitionName+" : "); + partitionPassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the Partition "+partitionName+" : "); Configuration conf = RangerKeyStoreProvider.getDBKSConf(); conf.set(HSM_TYPE, hsmType); conf.set(PARTITION_NAME, partitionName); - conf.set(PARTITION_PASSWORD, partitionPassword); + conf.set(PARTITION_PASSWORD, String.valueOf(partitionPassword)); RangerKMSDB rangerkmsDb = new RangerKMSDB(conf); DaoManager daoManager = rangerkmsDb.getDaoManager(); @@ -89,5 +92,8 @@ public class DB2HSMMKUtil { catch(Throwable t) { throw new RuntimeException("Unable to import Master key from Ranger DB to HSM ", t); } + finally{ + Arrays.fill(partitionPassword, ' '); + } } } http://git-wip-us.apache.org/repos/asf/ranger/blob/e65a3e81/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java ---------------------------------------------------------------------- diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java b/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java index b330a01..0cf832f 100644 --- a/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java +++ b/kms/src/main/java/org/apache/hadoop/crypto/key/HSM2DBMKUtil.java @@ -16,6 +16,8 @@ */ package org.apache.hadoop.crypto.key; +import java.util.Arrays; + import org.apache.hadoop.conf.Configuration; import org.apache.ranger.kms.dao.DaoManager; @@ -64,12 +66,13 @@ public class HSM2DBMKUtil { } private void doImportMKFromHSM(String hsmType, String partitionName) { + char[] partitionPassword=null; try { - String partitionPassword = ConsoleUtil.getStringPasswordFromConsole("Enter Password for the Partition "+partitionName+" : "); + partitionPassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the Partition "+partitionName+" : "); Configuration conf = RangerKeyStoreProvider.getDBKSConf(); conf.set(HSM_TYPE, hsmType); conf.set(PARTITION_NAME, partitionName); - conf.set(PARTITION_PASSWORD, partitionPassword); + conf.set(PARTITION_PASSWORD, String.valueOf(partitionPassword)); RangerKMSDB rangerkmsDb = new RangerKMSDB(conf); DaoManager daoManager = rangerkmsDb.getDaoManager(); @@ -87,5 +90,8 @@ public class HSM2DBMKUtil { catch(Throwable t) { throw new RuntimeException("Unable to import Master key from HSM to Ranger DB", t); } + finally{ + Arrays.fill(partitionPassword, ' '); + } } } http://git-wip-us.apache.org/repos/asf/ranger/blob/e65a3e81/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java ---------------------------------------------------------------------- diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java b/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java index 13833cb..dd4408f 100644 --- a/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java +++ b/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java @@ -22,6 +22,7 @@ import java.io.FileInputStream; import java.io.InputStream; import java.security.KeyStore; import java.security.KeyStoreException; +import java.util.Arrays; import org.apache.hadoop.conf.Configuration; import org.apache.ranger.kms.dao.DaoManager; @@ -71,9 +72,11 @@ public class JKS2RangerUtil { } private void doImportKeysFromJKS(String keyStoreFileName, String keyStoreType) { + char[] keyStorePassword = null; + char[] keyPassword = null; try { - char[] keyStorePassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the keystore FILE :"); - char[] keyPassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the KEY(s) stored in the keystore:"); + keyStorePassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the keystore FILE :"); + keyPassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the KEY(s) stored in the keystore:"); Configuration conf = RangerKeyStoreProvider.getDBKSConf(); RangerKMSDB rangerkmsDb = new RangerKMSDB(conf); DaoManager daoManager = rangerkmsDb.getDaoManager(); @@ -101,6 +104,10 @@ public class JKS2RangerUtil { catch(Throwable t) { throw new RuntimeException("Unable to import keys from [" + keyStoreFileName + "] due to exception.", t); } + finally{ + Arrays.fill(keyStorePassword, ' '); + Arrays.fill(keyPassword, ' '); + } } } http://git-wip-us.apache.org/repos/asf/ranger/blob/e65a3e81/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java ---------------------------------------------------------------------- diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java b/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java index f7c3e6d..4f337bb 100644 --- a/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java +++ b/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java @@ -22,6 +22,7 @@ import java.io.IOException; import java.io.OutputStream; import java.security.KeyStore; import java.security.KeyStoreException; +import java.util.Arrays; import org.apache.hadoop.conf.Configuration; import org.apache.ranger.kms.dao.DaoManager; @@ -72,9 +73,11 @@ public class Ranger2JKSUtil { } private void doExportKeysFromJKS(String keyStoreFileName, String keyStoreType) { + char[] keyStorePassword = null; + char[] keyPassword = null; try { - char[] keyStorePassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the keystore FILE :"); - char[] keyPassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the KEY(s) stored in the keystore:"); + keyStorePassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the keystore FILE :"); + keyPassword = ConsoleUtil.getPasswordFromConsole("Enter Password for the KEY(s) stored in the keystore:"); Configuration conf = RangerKeyStoreProvider.getDBKSConf(); RangerKMSDB rangerkmsDb = new RangerKMSDB(conf); DaoManager daoManager = rangerkmsDb.getDaoManager(); @@ -100,6 +103,10 @@ public class Ranger2JKSUtil { catch(Throwable t) { throw new RuntimeException("Unable to export keys to [" + keyStoreFileName + "] due to exception.", t); } + finally{ + Arrays.fill(keyStorePassword, ' '); + Arrays.fill(keyPassword, ' '); + } } http://git-wip-us.apache.org/repos/asf/ranger/blob/e65a3e81/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java ---------------------------------------------------------------------- diff --git a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java index 803e3e8..8ff5b23 100644 --- a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java +++ b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java @@ -19,7 +19,6 @@ package org.apache.ranger.authentication.unix.jaas; -import org.apache.commons.lang.StringUtils; import org.jvnet.libpam.PAM; import org.jvnet.libpam.PAMException; import org.jvnet.libpam.UnixUser; @@ -31,6 +30,7 @@ import javax.security.auth.login.LoginException; import javax.security.auth.spi.LoginModule; import java.io.IOException; import java.security.Principal; +import java.util.Arrays; import java.util.HashMap; import java.util.Map; import java.util.Set; @@ -45,7 +45,7 @@ public class PamLoginModule implements LoginModule private Map _options; private String _username; - private String _password; + private char[] _passwordchar; private boolean _authSucceeded; private PamPrincipal _principal; @@ -139,7 +139,7 @@ public class PamLoginModule implements LoginModule { char[] password = passwordCallback.getPassword(); if (password != null) { - _password = new String(password); + _passwordchar = Arrays.copyOf(password, password.length); } passwordCallback.clearPassword(); } @@ -148,8 +148,8 @@ public class PamLoginModule implements LoginModule { try { - if (StringUtils.isNotEmpty(_password)) { - UnixUser user = _pam.authenticate(_username, _password); + if (_passwordchar != null) { + UnixUser user = _pam.authenticate(_username, String.valueOf(_passwordchar)); _principal = new PamPrincipal(user); _authSucceeded = true; return true; @@ -219,7 +219,7 @@ public class PamLoginModule implements LoginModule { _authSucceeded = false; _username = null; - _password = null; + Arrays.fill(_passwordchar, ' '); _principal = null; _pam.dispose(); } http://git-wip-us.apache.org/repos/asf/ranger/blob/e65a3e81/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java ---------------------------------------------------------------------- diff --git a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java index 40cc51e..204398f 100644 --- a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java +++ b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java @@ -32,6 +32,7 @@ import java.security.KeyStore; import java.security.SecureRandom; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; +import java.util.Arrays; import java.util.Map; import java.util.Properties; @@ -235,15 +236,17 @@ public class RemoteUnixLoginModule implements LoginModule { log("userName:" + userName); log("modified UserName:" + modifiedUserName); - String modifiedPassword; + char modifiedPasschar[]; if (password != null) { - modifiedPassword = new String(password); + modifiedPasschar = Arrays.copyOf(password,password.length); } else { - modifiedPassword = new String(new char[0]); + modifiedPasschar = new char[0]; } - doLogin(modifiedUserName, modifiedPassword); + doLogin(modifiedUserName, modifiedPasschar); + Arrays.fill(password, ' '); + Arrays.fill(modifiedPasschar, ' '); loginSuccessful = true; } @@ -258,14 +261,14 @@ public class RemoteUnixLoginModule implements LoginModule { return true; } - public void doLogin(String aUserName, String aPassword) throws LoginException { + public void doLogin(String aUserName, char[] modifiedPasschar) throws LoginException { // POSSIBLE values // null // OK: group1, group2, group3 // FAILED: Invalid Password - String ret = getLoginReplyFromAuthService(aUserName, aPassword); + String ret = getLoginReplyFromAuthService(aUserName, modifiedPasschar); if (ret == null) { throw new LoginException("FAILED: unable to authenticate to AuthenticationService: " + remoteHostName + ":" + remoteHostAuthServicePort); @@ -282,13 +285,17 @@ public class RemoteUnixLoginModule implements LoginModule { } } - private String getLoginReplyFromAuthService(String aUserName, String aPassword) throws LoginException { + private String getLoginReplyFromAuthService(String aUserName, char[] modifiedPasschar) throws LoginException { String ret = null; Socket sslsocket = null; - String loginString = "LOGIN:" + aUserName + " " + new String(aPassword) + "\n"; - + char prefix[]=new String("LOGIN:"+aUserName+" ").toCharArray(); + char tail[]=new String("\n").toCharArray(); + char loginData[]=new char[prefix.length+modifiedPasschar.length+tail.length]; + System.arraycopy(prefix, 0, loginData, 0, prefix.length); + System.arraycopy(modifiedPasschar, 0, loginData, prefix.length,modifiedPasschar.length); + System.arraycopy(tail, 0, loginData, prefix.length+modifiedPasschar.length, tail.length); try { try { if (SSLEnabled) { @@ -380,7 +387,7 @@ public class RemoteUnixLoginModule implements LoginModule { OutputStreamWriter writer = new OutputStreamWriter(sslsocket.getOutputStream()); - writer.write(loginString); + writer.write(loginData); writer.flush(); @@ -401,6 +408,8 @@ public class RemoteUnixLoginModule implements LoginModule { throw new LoginException("FAILED: unable to authenticate to AuthenticationService: " + remoteHostName + ":" + remoteHostAuthServicePort + ", Exception: [" + t + "]"); } finally { log("Login of user String: {" + aUserName + "}, return from AuthServer: {" + ret + "}"); + Arrays.fill(loginData,' '); + Arrays.fill(modifiedPasschar,' '); } return ret;