ranger-dev mailing list archives

From "Endre Kovacs (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (RANGER-1644) Change the default Crypt Algo to use stronger cryptographic algo.
Date Mon, 06 Nov 2017 11:31:00 GMT

    [ https://issues.apache.org/jira/browse/RANGER-1644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16240145#comment-16240145
] 

Endre Kovacs edited comment on RANGER-1644 at 11/6/17 11:30 AM:
----------------------------------------------------------------

hi [~bosco]
this patch is created in a way that:

* when *new service* is *created* through the Ranger UI
* when an *existing service* is *updated*

then it will use the new updated algo from:

`ranger-admin-default-site.xml`
{code}
        <property>
                <name>ranger.password.encryption.algorithm</name>
                <value>PBEWITHHMACSHA512ANDAES_128</value>
        </property>
{code}

first decoding value with the previously configured algorithm, then encoding and sanity checking
with the new algorithm.

* in such cases, when the service is not created or updated, just simply *READ*, it does not
update the encrypt algo. It uses the stored, comma-separated algorithm information for encrypting
and decrypting. If no such comma-separated algorithm info is present, then encryption and decryption
are done with `PasswordUtils.DEFAULT_CRYPT_ALGO = "PBEWithMD5AndDES";`, which did not change,
making it backward compatible.

Please let me know if you have any specific concerns / use cases / steps in mind needing to
be tested on a live cluster.
Best regards,
Endre


was (Author: andrewsmith87):
hi [~bosco]
this patch is created in a way that:

* when *new service* is *created* through the Ranger UI
* when an *existing service* is *updated*

then it will use the new updated algo from:

`ranger-admin-default-site.xml`
{code}
        <property>
                <name>ranger.password.encryption.algorithm</name>
                <value>PBEWITHHMACSHA512ANDAES_128</value>
        </property>
{code}

first decoding value with the previously configured algorithm, then encoding and sanity checking
with the new algorithm.

* in such cases, when the service is not created or updated, just simply *READ*, it does not
update the encrypt algo. It uses the stored, comma-separated algorithm information for encrypting
and decrypting. If no such comma-separated algorithm info is present, then encryption and decryption
are done with `PasswordUtils.DEFAULT_CRYPT_ALGO = "PBEWithMD5AndDES";`, which did not change,
making it backward compatible.

Please let me know if you have any specific use cases / steps in mind needing to be tested
on a live cluster.
Best regards,
Endre

> Change the default Crypt Algo to use stronger cryptographic algo. 
> ------------------------------------------------------------------
>
>                 Key: RANGER-1644
>                 URL: https://issues.apache.org/jira/browse/RANGER-1644
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Selvamohan Neethiraj
>            Assignee: Endre Kovacs
>            Priority: Critical
>         Attachments: 0001-RANGER-1644-replacing-MD5-DES-with-SHA512-AES128.patch
>
>
> Change the default crypt algorithm to use a stronger cipher algorithm



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
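
The read and create/update behaviour described in the comment above, as an added Java sketch that is not part of the original message and is not Ranger's `PasswordUtils` code. The stored layout (`algo,salt,iv,ciphertext`, Base64 fields), the key, the fixed legacy salt and the iteration count are assumptions made for illustration; only the two algorithm names come from the message.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.*;

public class CryptAlgoMigration {
    static final String DEFAULT_CRYPT_ALGO = "PBEWithMD5AndDES";    // legacy default named in the comment
    static final String NEW_ALGO = "PBEWITHHMACSHA512ANDAES_128";   // value from the config snippet
    static final char[] KEY = "constructed-demo-key".toCharArray(); // constructed sample secret
    static final byte[] LEGACY_SALT = "demosalt".getBytes(StandardCharsets.US_ASCII); // constructed, 8 bytes
    static final int ITERATIONS = 1000;                             // assumed iteration count
    // One PBE operation; the legacy DES scheme takes no explicit IV, the AES scheme requires one.
    static byte[] run(int mode, String algo, byte[] salt, byte[] iv, byte[] in) throws Exception {
        PBEParameterSpec spec = (iv == null) ? new PBEParameterSpec(salt, ITERATIONS)
                : new PBEParameterSpec(salt, ITERATIONS, new IvParameterSpec(iv));
        Cipher c = Cipher.getInstance(algo);
        c.init(mode, SecretKeyFactory.getInstance(algo).generateSecret(new PBEKeySpec(KEY)), spec);
        return c.doFinal(in);
    }
    // READ path: use the algorithm recorded with the value; with no such prefix, use the legacy default.
    static String decrypt(String stored) throws Exception {
        Base64.Decoder d = Base64.getDecoder();
        String[] p = stored.split(",");  // Base64 never contains a comma
        byte[] plain = (p.length == 4)
                ? run(Cipher.DECRYPT_MODE, p[0], d.decode(p[1]), d.decode(p[2]), d.decode(p[3]))
                : run(Cipher.DECRYPT_MODE, DEFAULT_CRYPT_ALGO, LEGACY_SALT, null, d.decode(stored));
        return new String(plain, StandardCharsets.UTF_8);
    }
    // CREATE/UPDATE path: decode with the old algorithm, encode with the new one, then sanity check.
    static String reEncrypt(String stored) throws Exception {
        String plain = decrypt(stored);
        byte[] salt = new byte[16], iv = new byte[16];
        SecureRandom rnd = new SecureRandom();
        rnd.nextBytes(salt);
        rnd.nextBytes(iv);
        Base64.Encoder e = Base64.getEncoder();
        byte[] ct = run(Cipher.ENCRYPT_MODE, NEW_ALGO, salt, iv, plain.getBytes(StandardCharsets.UTF_8));
        String out = String.join(",", NEW_ALGO, e.encodeToString(salt), e.encodeToString(iv),
                e.encodeToString(ct));
        if (!plain.equals(decrypt(out))) throw new IllegalStateException("sanity check failed");
        return out;
    }
    public static void main(String[] args) throws Exception {
        // Constructed legacy record: bare ciphertext with no algorithm information.
        String legacy = Base64.getEncoder().encodeToString(run(Cipher.ENCRYPT_MODE, DEFAULT_CRYPT_ALGO,
                LEGACY_SALT, null, "s3rvice-pw".getBytes(StandardCharsets.UTF_8)));
        String migrated = reEncrypt(legacy);
        System.out.println(decrypt(legacy) + " / " + migrated.split(",")[0] + " / " + decrypt(migrated));
    }
}
```

Because each record carries its own algorithm name, values that are only read keep decrypting under `PBEWithMD5AndDES` until the next update rewrites them.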
