  1. Ranger
  2. RANGER-2700

creating service sometimes fails because SecureRandom.getInstanceStrong() is often blocked

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: ranger-2.0
    • Fix Version/s: 2.1.0
    • Component/s: admin
    • Labels:
      None

      Description

      I tried to install ranger-2.0.0 on my cluster. However, when I try to create a new service in the Ranger WebUI and click the Add button, it stays stuck in the Please waiting state for a long time, and I finally get an error that createService failed.

      I debugged through the source code and found that it gets stuck in generateBase64EncodedIV() in PasswordUtils.java. It uses SecureRandom.getInstanceStrong() to get the random string. We can find a lot of information showing that this function often blocks and is very slow. SecureRandom.getInstanceStrong() uses /dev/random, and /dev/random blocks the thread if there isn't enough randomness available, but /dev/urandom will never block.

      SecureRandom.getInstanceStrong() is equivalent to SecureRandom.getInstance("NativePRNGBlocking"), so we can use /dev/urandom by replacing SecureRandom.getInstanceStrong().nextBytes(iv) with SecureRandom.getInstance("NativePRNGNonBlocking").nextBytes(iv), which will not block, or we can use new SecureRandom().nextBytes(iv). /dev/random and /dev/urandom use the same pool of randomness under the hood, and they are equally secure.

        Attachments

        1. 0001-RANGER-2700.patch
          1 kB
          Jiayi Liu
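
The replacement described in the issue, as an added example that is not part of the original report or the attached patch: it draws an IV from `NativePRNGNonBlocking` and falls back to `new SecureRandom()` where that algorithm is not registered. The class name, the 16-byte IV length and the body of `generateBase64EncodedIV` are assumptions for illustration, not Ranger's code.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Base64;

public class NonBlockingIvDemo {
    // Assumed IV length for this sketch; the issue does not state the size Ranger uses.
    private static final int IV_LENGTH = 16;

    // Prefer the /dev/urandom-backed algorithm named in the issue. It is only
    // registered on Unix-like JVMs, so fall back to the platform default elsewhere.
    static SecureRandom nonBlockingRandom() {
        try {
            return SecureRandom.getInstance("NativePRNGNonBlocking");
        } catch (NoSuchAlgorithmException e) {
            return new SecureRandom();
        }
    }

    // Hypothetical stand-in for the method named in the issue, not Ranger's code.
    static String generateBase64EncodedIV(SecureRandom rng) {
        byte[] iv = new byte[IV_LENGTH];
        rng.nextBytes(iv);
        return Base64.getEncoder().encodeToString(iv);
    }

    public static void main(String[] args) {
        SecureRandom rng = nonBlockingRandom();

        long start = System.nanoTime();
        String iv = generateBase64EncodedIV(rng);
        long micros = (System.nanoTime() - start) / 1_000;
        System.out.println(rng.getAlgorithm() + " -> " + iv + " (" + micros + " us)");

        // Report which algorithms getInstanceStrong() would select on this JVM by
        // reading the security property it consults, without drawing bytes from a
        // blocking source, so the demo itself cannot hang.
        System.out.println("securerandom.strongAlgorithms = "
                + Security.getProperty("securerandom.strongAlgorithms"));
    }
}
```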

              People

              • Assignee:
                Unassigned
              • Reporter:
                liujiayi771 Jiayi Liu