RANGER-5313: Support FIPS compliant crypto algorithm to encrypt/decry… #723
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…pt for service password
spolavarpau1
reviewed
Nov 3, 2025
| public class PasswordUtils { | ||
| private static final Logger LOG = LoggerFactory.getLogger(PasswordUtils.class); | ||
|
|
||
| public static final String PBE_SHA512_AES_128 = "PBEWITHHMACSHA512ANDAES_128"; |
Contributor
There was a problem hiding this comment.
Do we still need this? Aren't we now going to use PBEWithHmacSHA512AndAES_128 from RangerSupportedCryptoAlgo
| return false; | ||
| } | ||
|
|
||
| return PBE_SHA512_AES_128.equalsIgnoreCase(cryptoAlgo) |
Contributor
There was a problem hiding this comment.
Same as above. Do we need to replace this check with the one from RangerSupportedCryptoAlgo?
| int index = 0; | ||
|
|
||
| cryptAlgo = cryptAlgoArray[index++]; // 0 | ||
| cryptAlgo = RangerSupportedCryptoAlgo.valueOf(cryptAlgoArray[index++]); // 0 |
Contributor
There was a problem hiding this comment.
I think we need to handle the case for crypto algorithm that is not in the list of enums supported in RangerSupportedCryptoAlgo. Can you please check?
| @Test | ||
| public void testEncryptWithSHA512AndAES128() throws IOException, NoSuchAlgorithmException { | ||
| String freeTextPasswordMetaData = join("PBEWITHHMACSHA512ANDAES_128", "ENCRYPT_KEY", "SALTSALT", "4", PasswordUtils.generateIvIfNeeded("PBEWITHHMACSHA512ANDAES_128")); | ||
| String freeTextPasswordMetaData = join("PBEWithHmacSHA512AndAES_128", "ENCRYPT_KEY", "SALTSALT", "4", PasswordUtils.generateIvIfNeeded("PBEWithHmacSHA512AndAES_128")); |
Contributor
There was a problem hiding this comment.
In case of upgrades, would this case difference in the algorithm name has any affect?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What changes were proposed in this pull request?
Support for PBKDF2WithHmacSHA256 encryption algorithm to encrypt/decrypt the service password. This PR is only for fresh Ranger installation and requires compliant SecurityProvider in the java.security and required jars in the JRE path.
How was this patch tested?
mvn clean install
Manual Testing in Docker env:
Non-Fips: Here I created a new docker image with new code and verified the non-fips env. Service passwords were being encrypted/decrypted using older PBEWithHmacSHA512AndAES_128 algorithm
For FIPS:
Updated the ranger-admin-site.xml with following prop:
Then, created a new docker image and started the container.
By default, Admin container starts but service creation will fail due to missing SecurityProvider and related configurations.
To make it work, following steps are required:
Copied SecurityProvider jar to JRE path:
docker cp bc-fips-2.0.0.jar b8b631895054:/opt/java/openjdk/jre/lib/ext/Next, Updated java.security with following content:
Once above explained configuration are completed and container is restarted, new Provider will come into effect.
Then, I executed following command to create all the failed services:
ranger@ranger:~/scripts$ python3 create-ranger-services.pyAfter than all services got created with latest algorithm. It can be verified by looking into DB also.
Request to review the PR. Upgrade scenario will be implemented as part of separate JIRA where re-encryption of existing passwords will happen.