ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jiayi Liu (Jira)" <j...@apache.org>
Subject [jira] [Updated] (RANGER-2700) creating service sometimes fails because SecureRandom.getInstanceStrong() is very slow
Date Tue, 14 Jan 2020 13:59:00 GMT

     [ https://issues.apache.org/jira/browse/RANGER-2700?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Jiayi Liu updated RANGER-2700:
------------------------------
    Description: 
I try to install ranger-2.0.0 on my cluster, however, I try to create a new service in Ranger
WebUI, when I click the Add button, I keep stuck in the Please waiting state for a long time,
and finally get an error that createService failed.

 I try to debug through the source code, and found that it stuck on generateBase64EncodedIV()
in PasswordUtils.java. It uses SecureRandom.getInstanceStrong() to get the random string.
We can find a lot of information showing that this function often blocks and is very slow.
SecureRandom.getInstanceStrong() uses /dev/random, and /dev/random blocks the thread if there
isn't enough randomness available, but /dev/urandom will never block. 

SecureRandom.getInstanceStrong() is equivalent to SecureRandom.getInstance("NativePRNGBlocking"),
so we can use /dev/urandom by replacing SecureRandom.getInstanceStrong().nextBytes(iv) with
SecureRandom.getInstance("NativePRNGNonBlocking").nextBytes(iv) which will not be blocked,
or we can use new SecureRandom().nextBytes(iv). /dev/random and /dev/urandom use the same
pool of randomness under the hood, and they are equally secure. 

  was:
I try to install ranger-2.0.0 on my cluster, however, I try to create a new service in Ranger
WebUI, when I click the Add button, I keep stuck in the Please waiting state for a long time,
and finally get an error that createService failed.

 I try to debug through the source code, and found that it stuck on generateBase64EncodedIV()
in PasswordUtils.java. It uses SecureRandom.getInstanceStrong() to get the random string.
We can find a lot of information showing that this function often blocks and is very slow.
SecureRandom.getInstanceStrong() uses /dev/random, and /dev/random blocks the thread if there
isn't enough randomness available, but /dev/urandom will never block. 

Can we use /dev/urandom by replacing SecureRandom.getInstanceStrong().nextBytes(iv) with new
SecureRandom().nextBytes(iv)? /dev/random and /dev/urandom use the same pool of randomness
under the hood, and they are equally secure. 


> creating service sometimes fails because SecureRandom.getInstanceStrong() is very slow
> --------------------------------------------------------------------------------------
>
>                 Key: RANGER-2700
>                 URL: https://issues.apache.org/jira/browse/RANGER-2700
>             Project: Ranger
>          Issue Type: Improvement
>          Components: admin
>    Affects Versions: ranger-2.0
>            Reporter: Jiayi Liu
>            Priority: Major
>
> I try to install ranger-2.0.0 on my cluster, however, I try to create a new service in
Ranger WebUI, when I click the Add button, I keep stuck in the Please waiting state for a
long time, and finally get an error that createService failed.
>  I try to debug through the source code, and found that it stuck on generateBase64EncodedIV()
in PasswordUtils.java. It uses SecureRandom.getInstanceStrong() to get the random string.
We can find a lot of information showing that this function often blocks and is very slow.
SecureRandom.getInstanceStrong() uses /dev/random, and /dev/random blocks the thread if there
isn't enough randomness available, but /dev/urandom will never block. 
> SecureRandom.getInstanceStrong() is equivalent to SecureRandom.getInstance("NativePRNGBlocking"),
so we can use /dev/urandom by replacing SecureRandom.getInstanceStrong().nextBytes(iv) with
SecureRandom.getInstance("NativePRNGNonBlocking").nextBytes(iv) which will not be blocked,
or we can use new SecureRandom().nextBytes(iv). /dev/random and /dev/urandom use the same
pool of randomness under the hood, and they are equally secure. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message