vikaskumar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 4dad34420 RANGER-5408: Make MasterKey size configurable for RangerHSM
(#865)
4dad34420 is described below
commit 4dad344208fc50308246ac88678d722b7d10bd43
Author: Vikas Kumar <[email protected]>
AuthorDate: Tue Mar 10 12:28:43 2026 +0530
RANGER-5408: Make MasterKey size configurable for RangerHSM (#865)
---
.../org/apache/hadoop/crypto/key/RangerHSM.java | 25 +++++++++++++---------
1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
index be1484a42..4a4fc97a2 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
@@ -42,15 +42,17 @@
public class RangerHSM implements RangerKMSMKI {
static final Logger logger = LoggerFactory.getLogger(RangerHSM.class);
- private static final String MK_CIPHER = "AES";
- private static final int MK_KeySize = 128;
- private static final String PARTITION_PASSWORD =
"ranger.ks.hsm.partition.password";
- private static final String PARTITION_NAME =
"ranger.ks.hsm.partition.name";
- private static final String HSM_TYPE = "ranger.ks.hsm.type";
- private static final String ALIAS = "RangerKMSKey";
+ private static final String MK_CIPHER = "AES";
+ private static final int DEFAULT_MK_KEY_SIZE = 256;
+ private static final String PARTITION_PASSWORD =
"ranger.ks.hsm.partition.password";
+ private static final String PARTITION_NAME =
"ranger.ks.hsm.partition.name";
+ private static final String HSM_TYPE = "ranger.ks.hsm.type";
+ private static final String MK_KEY_SIZE =
"ranger.kms.hsm.masterkey.size";
+ private static final String ALIAS = "RangerKMSKey";
private KeyStore myStore;
private String hsmKeystore;
+ private int mkKeySize;
public RangerHSM() {
}
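Review bot: The new property name `ranger.kms.hsm.masterkey.size` uses the prefix `ranger.kms.hsm.`, while the three existing keys in this class (`PARTITION_PASSWORD`, `PARTITION_NAME`, `HSM_TYPE`) use `ranger.ks.hsm.`. An operator who follows the existing naming would set a key that is silently ignored and get the default size instead. If the different prefix is intended, a comment on `MK_KEY_SIZE` should say so and state the unit and accepted values, for example `// AES master key length in bits (128, 192 or 256); must be supported by the configured HSM`. Separately, `mkKeySize` is only assigned in the `Configuration` constructor, so an instance built with the no-arg constructor keeps 0; `private int mkKeySize = DEFAULT_MK_KEY_SIZE;` would avoid that.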
@@ -63,6 +65,7 @@ public RangerHSM(Configuration conf) {
*/
String passwd = conf.get(PARTITION_PASSWORD);
String partitionName = conf.get(PARTITION_NAME);
+ this.mkKeySize = conf.getInt(MK_KEY_SIZE, DEFAULT_MK_KEY_SIZE);
String errorMsg = StringUtils.EMPTY;
hsmKeystore = conf.get(HSM_TYPE);
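Review bot: The value read by `conf.getInt(MK_KEY_SIZE, DEFAULT_MK_KEY_SIZE)` is stored without any range check. `MK_CIPHER` is fixed to AES, so only 128, 192 and 256 are meaningful. Any other value is not rejected here and reaches `keyGen.init(this.mkKeySize)` in `generateMasterKey`, where the provider's exception is caught and only logged. Validating at construction makes a misconfiguration fail at start-up rather than at first key generation, e.g. `if (mkKeySize != 128 && mkKeySize != 192 && mkKeySize != 256) { throw new IllegalArgumentException(MK_KEY_SIZE + " must be 128, 192 or 256, got " + mkKeySize); }`. The constructor body continues outside this hunk, so if it reports problems through `errorMsg` the check should follow that pattern instead.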
@@ -98,19 +101,21 @@ public RangerHSM(Configuration conf) {
public boolean generateMasterKey(String password) throws Throwable {
logger.debug("==> RangerHSM.generateMasterKey()");
+ boolean isMKGenerated = false;
+
if (!this.myStore.containsAlias(ALIAS)) {
try {
- logger.info("Generating AES Master Key for '{}' HSM Provider",
hsmKeystore);
+ logger.info("Generating AES Master Key for '{}' HSM Provider
and keySize is {}", hsmKeystore, this.mkKeySize);
KeyGenerator keyGen = KeyGenerator.getInstance(MK_CIPHER,
hsmKeystore);
- keyGen.init(MK_KeySize);
+ keyGen.init(this.mkKeySize);
SecretKey aesKey = keyGen.generateKey();
myStore.setKeyEntry(ALIAS, aesKey, password.toCharArray(),
(java.security.cert.Certificate[]) null);
- return true;
+ isMKGenerated = true;
} catch (Exception e) {
logger.error("generateMasterKey : Exception during Ranger
Master Key Generation - {}", e.getMessage());
}
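Review bot: The catch block at the end of this hunk logs only `e.getMessage()`, so the exception type and stack trace are dropped. The method then returns `false`, which from the visible lines is also the result when the alias already exists. With the key size now operator-controlled, a size the HSM provider rejects would surface only as this one log line. Passing the throwable to the logger keeps the cause: `logger.error("generateMasterKey : Exception during Ranger Master Key Generation", e);`. The rest of `generateMasterKey` lies outside this hunk, so whether callers can tell "already present" from "generation failed" could not be checked here.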
@@ -120,7 +125,7 @@ public boolean generateMasterKey(String password) throws
Throwable {
logger.debug("<== RangerHSM.generateMasterKey()");
- return false;
+ return isMKGenerated;
}
@Override