ranger-dev mailing list archives

From "Pradeep Agrawal (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (RANGER-2112) Ranger KMS broken with JDK 8 update 171
Date Fri, 06 Jul 2018 06:59:00 GMT

    [ https://issues.apache.org/jira/browse/RANGER-2112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16534474#comment-16534474 ]

Pradeep Agrawal edited comment on RANGER-2112 at 7/6/18 6:58 AM:
-----------------------------------------------------------------

Looks like a bug reported here : [https://github.com/jcryptool/core/issues/120]

Seems it's fixed in Hadoop KMS : https://issues.apache.org/jira/browse/HADOOP-15473


was (Author: pradeep.agrawal):
Looks like a bug reported here : https://github.com/jcryptool/core/issues/120

> Ranger KMS broken with JDK 8 update 171
> ---------------------------------------
>
>                 Key: RANGER-2112
>                 URL: https://issues.apache.org/jira/browse/RANGER-2112
>             Project: Ranger
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 0.7.0
>            Reporter: Hernan Fernandez
>            Priority: Major
>
> After update to JDK 8 update 171 Ranger KMS UI
> 1) Ranger KMS UI > Encryption: will show the key list as the following.
> keyname (empty)
> Cipher (empty)
> Version 0
> Attributes (empty)
> Create (empty)
>  
> !image-2018-05-22-10-19-13-599.png!
>  
> 2) hadoop key -list -metadata
> Listing keys for KeyProvider: org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@7d322cad
> testkey1 : null 
>  
>  *ROOT CAUSE*
>  This may be related to
> {code:java}
> New Features 
> security-libs/javax.crypto  
> Enhanced KeyStore Mechanisms
> A new security property named jceks.key.serialFilter has been introduced. If this filter
> is configured, the JCEKS KeyStore uses it during the deserialization of the encrypted Key
> object stored inside a SecretKeyEntry. If it is not configured or if the filter result is
> UNDECIDED (for example, none of the patterns match), then the filter configured by jdk.serialFilter is
> consulted. If the system property jceks.key.serialFilter is also supplied, it supersedes
> the security property value defined here. The filter pattern uses the same format as jdk.serialFilter.
> The default pattern allows java.lang.Enum, java.security.KeyRep, java.security.KeyRep$Type,
> and javax.crypto.spec.SecretKeySpec but rejects all the others. Customers storing a SecretKey
> that does not serialize to the above types must modify the filter to make the key extractable.
> {code}
> http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html
>  b) second option this is related to 3DES disabled on java.security (to be tested)
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
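
The filter behaviour quoted from the 8u171 release note can be checked without touching a keystore. The following is an added example, not code from Ranger, Hadoop or the original message: it evaluates the default pattern and an extended one with the JDK's own pattern parser. It assumes Java 9 or later (for java.io.ObjectInputFilter), and CustomKeyMetadata is a hypothetical stand-in for an application key class.

```java
import java.io.ObjectInputFilter;
import java.io.ObjectInputFilter.Status;
import java.io.Serializable;

public class JceksFilterCheck {
    // Default jceks.key.serialFilter, written out from the release note's description:
    // four allowed classes, then "!*" to reject everything else.
    static final String DEFAULT_PATTERN = "java.lang.Enum;java.security.KeyRep;"
            + "java.security.KeyRep$Type;javax.crypto.spec.SecretKeySpec;!*";

    // Hypothetical stand-in for an application class sealed inside a SecretKeyEntry.
    static final class CustomKeyMetadata implements Serializable { }

    // Evaluate one pattern against one class using the JDK's own pattern parser.
    static Status check(String pattern, Class<?> cls) {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        return filter.checkInput(new ObjectInputFilter.FilterInfo() {
            public Class<?> serialClass() { return cls; }
            public long arrayLength() { return -1; }   // not an array
            public long depth() { return 1; }
            public long references() { return 1; }
            public long streamBytes() { return 0; }
        });
    }

    // Order described in the note: the JCEKS filter decides first; only an
    // UNDECIDED result falls through to the jdk.serialFilter pattern (may be null).
    static Status effective(String jceksPattern, String jdkPattern, Class<?> cls) {
        Status s = check(jceksPattern, cls);
        if (s != Status.UNDECIDED || jdkPattern == null) return s;
        return check(jdkPattern, cls);
    }

    public static void main(String[] args) {
        Class<?> custom = CustomKeyMetadata.class;
        // Allow exactly one extra class ahead of the default entries.
        String extended = custom.getName() + ";" + DEFAULT_PATTERN;
        String noCatchAll = DEFAULT_PATTERN.replace(";!*", "");

        System.out.println("SecretKeySpec, default:    "
                + check(DEFAULT_PATTERN, javax.crypto.spec.SecretKeySpec.class));
        System.out.println("custom class, default:     " + check(DEFAULT_PATTERN, custom));
        System.out.println("custom class, extended:    " + check(extended, custom));
        System.out.println("custom class, no '!*':     " + check(noCatchAll, custom));
        System.out.println("no '!*' + jdk filter '!*': " + effective(noCatchAll, "!*", custom));
    }
}
```

In a deployment the pattern is supplied through the jceks.key.serialFilter security or system property; naming the single extra class, rather than a package wildcard, keeps the deserialization allow-list as narrow as the default.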
