This is an automated email from the ASF dual-hosted git repository.

pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 27f9656f7 RANGER-5320:Handling unsupported cipher key creation (#672)
27f9656f7 is described below

commit 27f9656f76ff6dc173a74ec5a45bcb7d769dcaa3
Author: Chinmay Hegde <[email protected]>
AuthorDate: Wed Oct 29 15:33:35 2025 +0530

    RANGER-5320:Handling unsupported cipher key creation (#672)
---
 .../org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git 
a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java 
b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
index 4cddb0cb7..8603a94b0 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
@@ -20,6 +20,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.CipherSuite;
 import org.apache.hadoop.fs.Path;
 import org.apache.ranger.credentialapi.CredentialReader;
 import org.apache.ranger.kms.dao.DaoManager;
@@ -442,6 +443,7 @@ public KeyVersion createKey(String name, byte[] material, 
Options options) throw
         logger.debug("==> createKey({})", name);
 
         KeyVersion ret;
+        validateKeyCiphers(options.getCipher());
 
         try (AutoClosableWriteLock ignored = new AutoClosableWriteLock(lock)) {
             reloadKeys();
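Review bot: A request rejected by the new `validateKeyCiphers(options.getCipher())` call leaves only the `==> createKey` debug line behind, so an operator has no record that a key creation was refused for an unsupported cipher. A `logger.warn("createKey({}): unsupported cipher rejected", name)` at the rejection point would make this visible without echoing the caller-supplied cipher string into the log. The call also dereferences `options` before any null check visible in this hunk; createKey starts and ends outside the hunk, so whether a null can reach it cannot be told from here. Placing the check ahead of the write lock and `reloadKeys()` is the right order, since invalid input is refused without taking the lock.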
@@ -597,6 +599,16 @@ private static Configuration getConfiguration(boolean 
loadHadoopDefaults, String
         return conf;
     }
 
+    private void validateKeyCiphers(String ciphers) throws IOException {
+        if (StringUtils.isNotEmpty(ciphers)) {
+            try {
+                CipherSuite.convert(ciphers);
+            }  catch (Exception e) {
+                throw new IOException("Invalid ciphers: " + ciphers, e);
+            }
+        }
+    }
+
     private static void getFromJceks(Configuration conf, String path, String 
alias, String key) {
         logger.debug("==> getFromJceks()");
 
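Review bot: `validateKeyCiphers` accepts any name that `CipherSuite.convert` resolves, and as far as I know Hadoop's enum includes a placeholder `UNKNOWN` suite, so that name would pass this check although it is not a usable cipher. Confirm this against the Hadoop version in use and, if it holds, reject it explicitly, e.g. `if (CipherSuite.convert(ciphers) == CipherSuite.UNKNOWN) throw new IOException("Invalid ciphers: " + ciphers);`. The `catch (Exception e)` is broader than needed: convert signals an unrecognised name with IllegalArgumentException, so `catch (IllegalArgumentException e)` keeps unrelated runtime failures from being relabelled as "Invalid ciphers". An empty or null cipher skips validation silently; a short comment stating which default applies in that case would document the intent.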
