| /* |
| * Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| package org.apache.hadoop.crypto.key; |
| |
| import java.io.Console; |
| import java.io.File; |
| import java.io.FileOutputStream; |
| import java.io.IOException; |
| import java.io.InputStream; |
| import java.io.OutputStream; |
| import java.nio.charset.Charset; |
| import java.security.KeyStore; |
| import java.security.KeyStoreException; |
| |
| import org.apache.commons.lang.StringUtils; |
| import org.apache.hadoop.conf.Configuration; |
| import org.apache.ranger.credentialapi.CredentialReader; |
| import org.apache.ranger.kms.dao.DaoManager; |
| |
| public class Ranger2JKSUtil { |
| |
| private static final String DEFAULT_KEYSTORE_TYPE = "jceks"; |
| private static final String ENCRYPTION_KEY = "ranger.db.encrypt.key.password"; |
| private static final String KEYSECURE_ENABLED = "ranger.kms.keysecure.enabled"; |
| private static final String KEYSECURE_USERNAME = "ranger.kms.keysecure.login.username"; |
| private static final String KEYSECURE_PASSWORD = "ranger.kms.keysecure.login.password"; |
| private static final String KEYSECURE_PASSWORD_ALIAS = "ranger.kms.keysecure.login.password.alias"; |
| private static final String KEYSECURE_LOGIN = "ranger.kms.keysecure.login"; |
| private static final String CREDENTIAL_PATH = "ranger.ks.jpa.jdbc.credential.provider.path"; |
| |
| public static void showUsage() { |
| System.err.println("USAGE: java " + Ranger2JKSUtil.class.getName() + " <KMS_FileName> [KeyStoreType]"); |
| System.err.println(" If KeyStoreType is not provided, it will be considered as " + DEFAULT_KEYSTORE_TYPE); |
| System.err.println(" When execution of this utility, it will prompt for both keystore password and key password."); |
| } |
| |
| |
| public static void main(String[] args) throws IOException { |
| if (args.length == 0) { |
| System.err.println("Invalid number of parameters found."); |
| showUsage(); |
| System.exit(1); |
| } |
| else { |
| String keyStoreFileName = args[0]; |
| File f = new File(keyStoreFileName); |
| if (! f.exists()) { |
| boolean ret = f.createNewFile(); |
| if (!ret) { |
| System.err.println("Error creating new keystore file. fileName="+ args[0]); |
| } |
| } |
| String keyStoreType = (args.length == 2 ? args[1] : DEFAULT_KEYSTORE_TYPE); |
| try { |
| KeyStore.getInstance(keyStoreType); |
| } catch (KeyStoreException e) { |
| System.err.println("ERROR: Unable to get valid keystore for the type [" + keyStoreType + "]"); |
| showUsage(); |
| System.exit(1); |
| } |
| |
| new Ranger2JKSUtil().doExportKeysFromJKS(keyStoreFileName, keyStoreType); |
| |
| System.out.println("Keys from Ranger KMS Database has been successfully exported into " + keyStoreFileName); |
| |
| System.exit(0); |
| |
| } |
| } |
| |
| private void doExportKeysFromJKS(String keyStoreFileName, String keyStoreType) { |
| try { |
| char[] keyStorePassword = getPasswordFromConsole("Enter Password for the keystore FILE :"); |
| char[] keyPassword = getPasswordFromConsole("Enter Password for the KEY(s) stored in the keystore:"); |
| Configuration conf = RangerKeyStoreProvider.getDBKSConf(); |
| RangerKMSDB rangerkmsDb = new RangerKMSDB(conf); |
| DaoManager daoManager = rangerkmsDb.getDaoManager(); |
| RangerKeyStore dbStore= new RangerKeyStore(daoManager); |
| |
| char[] masterKey; |
| String password = conf.get(ENCRYPTION_KEY); |
| if (conf != null |
| && StringUtils.isNotEmpty(conf.get(KEYSECURE_ENABLED)) |
| && conf.get(KEYSECURE_ENABLED).equalsIgnoreCase("true")) { |
| |
| getFromJceks(conf, CREDENTIAL_PATH, KEYSECURE_PASSWORD_ALIAS, KEYSECURE_PASSWORD); |
| String keySecureLoginCred = conf.get(KEYSECURE_USERNAME).trim() + ":" + conf.get(KEYSECURE_PASSWORD); |
| conf.set(KEYSECURE_LOGIN, keySecureLoginCred); |
| |
| RangerSafenetKeySecure rangerSafenetKeySecure = new RangerSafenetKeySecure( |
| conf); |
| masterKey = rangerSafenetKeySecure.getMasterKey(password).toCharArray(); |
| |
| } else { |
| RangerMasterKey rangerMasterKey = new RangerMasterKey( |
| daoManager); |
| masterKey = rangerMasterKey.getMasterKey(password) |
| .toCharArray(); |
| } |
| OutputStream out = null; |
| try { |
| out = new FileOutputStream(new File(keyStoreFileName)); |
| dbStore.engineLoadToKeyStoreFile(out, keyStorePassword, |
| keyPassword, masterKey, keyStoreType); |
| } finally { |
| if (out != null) { |
| try { |
| out.close(); |
| } catch (Exception e) { |
| throw new RuntimeException( |
| "ERROR: Unable to close file stream for [" |
| + keyStoreFileName + "]", e); |
| } |
| } |
| } |
| } |
| catch(Throwable t) { |
| throw new RuntimeException("Unable to export keys to [" + keyStoreFileName + "] due to exception.", t); |
| } |
| } |
| |
| private char[] getPasswordFromConsole(String prompt) throws IOException { |
| String ret = null; |
| Console c=System.console(); |
| if (c == null) { |
| System.out.print(prompt + " "); |
| InputStream in=System.in; |
| int max=50; |
| byte[] b=new byte[max]; |
| int l= in.read(b); |
| l--; //last character is \n |
| if (l>0) { |
| byte[] e=new byte[l]; |
| System.arraycopy(b,0, e, 0, l); |
| ret = new String(e, Charset.defaultCharset()); |
| } |
| } else { |
| char[] pwd = c.readPassword(prompt + " "); |
| if (pwd == null) { |
| ret = null; |
| } |
| else { |
| ret = new String(pwd); |
| } |
| } |
| if (ret == null) { |
| ret = ""; |
| } |
| return ret.toCharArray(); |
| } |
| |
| private static void getFromJceks(Configuration conf, String path, String alias, String key) { |
| |
| //update credential from keystore |
| if (conf != null) { |
| String pathValue = conf.get(path); |
| String aliasValue = conf.get(alias); |
| if (pathValue != null && aliasValue != null) { |
| String xaDBPassword = CredentialReader.getDecryptedString(pathValue.trim(), aliasValue.trim()); |
| if (xaDBPassword != null && !xaDBPassword.trim().isEmpty() && |
| !xaDBPassword.trim().equalsIgnoreCase("none")) { |
| conf.set(key, xaDBPassword); |
| } |
| } |
| } |
| } |
| } |