This is an automated email from the ASF dual-hosted git repository.
pradeep pushed a commit to branch ranger-2.8
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.8 by this push:
new 668ca8853 RANGER-5320:Handling unsupported cipher key creation (#754)
668ca8853 is described below
commit 668ca885339828babd3424b8ad34968393e20a2c
Author: Chinmay Hegde <[email protected]>
AuthorDate: Wed Dec 3 10:53:13 2025 +0530
RANGER-5320:Handling unsupported cipher key creation (#754)
---
.../apache/hadoop/crypto/key/RangerKeyStoreProvider.java | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git
a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
index 957d2ca0e..9adddcd18 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
@@ -40,8 +40,10 @@
import java.util.concurrent.locks.ReentrantReadWriteLock;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.SecretKeySpec;
+import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.CipherSuite;
import org.apache.ranger.plugin.util.AutoClosableLock.AutoClosableReadLock;
import org.apache.ranger.plugin.util.AutoClosableLock.AutoClosableTryWriteLock;
import org.apache.ranger.plugin.util.AutoClosableLock.AutoClosableWriteLock;
@@ -240,6 +242,7 @@ public KeyVersion createKey(String name, byte[] material,
Options options) throw
}
KeyVersion ret;
+ validateKeyCiphers(options.getCipher());
try (AutoClosableWriteLock ignored = new AutoClosableWriteLock(lock)) {
reloadKeys();
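Review bot: The new `validateKeyCiphers(options.getCipher())` call sits between the `KeyVersion ret;` declaration and the `try` that takes the write lock, with nothing to say that the ordering is deliberate. Rejecting a bad cipher name before `AutoClosableWriteLock` is acquired and before `reloadKeys()` runs is the right place for an input check, so it is worth pinning down with a comment such as `// Reject unsupported cipher names before taking the write lock or reloading the key store.` Moving the call above `KeyVersion ret;` would also keep the declaration next to the block that uses it. `createKey` begins and ends outside this hunk, so any other use of `options` before this point is not visible here.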
@@ -604,6 +607,16 @@ private static Configuration getConfiguration(boolean
loadHadoopDefaults, String
return conf;
}
+ private void validateKeyCiphers(String ciphers) throws IOException {
+ if (StringUtils.isNotEmpty(ciphers)) {
+ try {
+ CipherSuite.convert(ciphers);
+ } catch (Exception e) {
+ throw new IOException("Invalid ciphers: " + ciphers, e);
+ }
+ }
+ }
+
private static void getFromJceks(Configuration conf, String path, String
alias, String key) {
if (logger.isDebugEnabled()) {
logger.debug("==> getFromJceks()");
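Review bot: `validateKeyCiphers` discards the value returned by `CipherSuite.convert(ciphers)`, so any name the enum recognises passes, which appears to include the `UNKNOWN` placeholder. As far as I know `convert` matches on the suite's display name and `UNKNOWN` carries the name "Unknown"; please confirm this against the Hadoop version on the classpath. `catch (Exception e)` is also wider than needed, since `convert` signals an unrecognised name with `IllegalArgumentException`, and the broad catch would relabel any unrelated runtime failure as "Invalid ciphers". The message echoes the caller-supplied string verbatim, so if it reaches logs or the REST response it may be worth bounding its length or stripping control characters. A short Javadoc should state that a null or empty cipher is deliberately skipped so that the downstream default applies.

```java
    private void validateKeyCiphers(String ciphers) throws IOException {
        if (StringUtils.isNotEmpty(ciphers)) {
            CipherSuite suite;
            try {
                suite = CipherSuite.convert(ciphers);
            } catch (IllegalArgumentException e) {
                throw new IOException("Invalid ciphers: " + ciphers, e);
            }
            // The enum's placeholder entry is not a usable cipher; treat it like an unrecognised name.
            if (suite == CipherSuite.UNKNOWN) {
                throw new IOException("Invalid ciphers: " + ciphers);
            }
        }
    }
```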