ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Don Bosco Durai <bo...@apache.org>
Subject Re: Password encryption for service definitions
Date Tue, 08 Jan 2019 14:18:26 GMT
I also feel we shouldn't store the key along with the encrypted data. It defeats the purpose.

Adam, getting from properties is one way to do it. We have to ensure that the key is auto
generated per install and we have to ensure that it works in HA environment.

Ideally, even the config file shouldn't have the actual key. It should be in the keystore
with only user Privacera have the read permission. The key to the keystore can be in the config
file.

The other way is to use Ranger KMS in the future.

Bosco


On 1/8/19, 6:13 AM, "Rempter, A. (Adam)" <adam.rempter@ing.com.INVALID> wrote:

    Hey Zsombor,
    
    Thanks for update. 
    
    I understand that... but it means that (when storing encryption key next to password)
it is effectively not encrypted. 
    
    According to owasp (https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet#Rule_-_Ensure_that_any_secret_key_is_protected_from_unauthorized_access)
    
    Rule - Store unencrypted keys away from the encrypted data
    If the keys are stored with the data then any compromise of the data will easily compromise
the keys as well. Unencrypted keys should never reside on the same machine or cluster as the
data.
    
    One solution would be simply not store encryption key in db. It is anyway available via
configuration key:
    
    public static final String ENCRYPT_KEY = PropertiesUtil.getProperty("ranger.password.encryption.key",
PasswordUtils.DEFAULT_ENCRYPT_KEY)
    
    What do you think?
    
    Thanks,
    Adam
    
    -----Wiadomość oryginalna-----
    Od: Zs. [mailto:gzsombor@gmail.com] 
    Wysłano: 8 stycznia 2019 14:56
    Do: ranger <dev@ranger.apache.org>
    Temat: Re: PD: Password encryption for service definitions
    
    Hi,
    
     The problem is that Ranger needs to know the password, to reach out to the service, so
it must store the password somewhere in a decryptable state.
    Ideally, every service/protocol should support kerberos, so authentication could work
without passwords.
    
    Regards,
     Zsombor
    
    On Tue, Jan 8, 2019 at 2:21 PM Rempter, A. (Adam) <adam.rempter@ing.com.invalid>
wrote:
    
    > Hello there,
    >
    > While using Ranger I noticed that when I create service def with input
    > property:
    >    {
    >         "itemId": 3,
    >         "name": "password",
    >         "type": "password",
    >         "subType": "",
    >         "mandatory": true,
    >         "validationRegEx": "",
    >         "validationMessage": "",
    >         "uiHint":"",
    >         "label": "Secret key"
    >       }
    >
    > Ranger will encrypt it using:
    >
    > if (StringUtils.equalsIgnoreCase(configKey, CONFIG_KEY_PASSWORD)) {
    >                              String cryptConfigString = CRYPT_ALGO + ","
    > +  ENCRYPT_KEY + "," + SALT + "," + ITERATION_COUNT + "," + 
    > + configValue;
    >                              String encryptedPwd = 
    > PasswordUtils.encryptPassword(cryptConfigString);
    >
    > Problem is that all encryption parameters are stored next to password 
    > (encryption key and salt):
    >
    > | 609 | NULL | 2019-01-08 10:07:33 | 2019-01-08 10:07:34 |           1 |
    >        1 |      82 | password                                  |
    > PBEWithMD5AndDES,tzL1AKl5uc4NKYaoQ4P3WLGIBFPXWPWdu1fRm9004jtQiV,f77aLY
    > Lo,1000,6IxJOOpoFsJXyLNjNf/M9Q==
    >
    > Even if I change default ones in
    > $ranger_home/ews/webapp/WEB-INF/classes/conf/ranger-admin-default-site
    > .xml,
    > they will still be storred in db
    >
    > Is this know issue? Basically it means that password can be decrypted 
    > with little effort…
    >
    > Thanks,
    > Adam Rempter
    >
    >
    > ING Business Shared Services B.V. z siedzibą w Amsterdamie, Holandia, 
    > VAT PL 526-319-58-54, działająca w Polsce w formie oddziału, pod firmą 
    > ING Business Shared Services B.V. spółka z ograniczoną 
    > odpowiedzialnością Oddział w Polsce z siedzibą w Katowicach, ul. 
    > Konduktorska 35, 40-155 Katowice, NIP: 2050005130, wpisana do rejestru 
    > przedsiębiorców Krajowego Rejestru Sądowego prowadzonego przez Sąd 
    > Rejonowy Katowice-Wschód w Katowicach, VIII Wydział Gospodarczy 
    > Krajowego Rejestru Sądowego pod numerem KRS 0000702305.
    >
    
    ING Business Shared Services B.V. z siedzibą w Amsterdamie, Holandia, VAT PL 526-319-58-54,
działająca w Polsce w formie oddziału, pod firmą ING Business Shared Services B.V. spółka
z ograniczoną odpowiedzialnością Oddział w Polsce z siedzibą w Katowicach, ul. Konduktorska
35, 40-155 Katowice, NIP: 2050005130, wpisana do rejestru przedsiębiorców Krajowego Rejestru
Sądowego prowadzonego przez Sąd Rejonowy Katowice-Wschód w Katowicach, VIII Wydział Gospodarczy
Krajowego Rejestru Sądowego pod numerem KRS 0000702305.
    



Mime
View raw message