From lmc...@apache.org
Subject knox git commit: KNOX-504 - Enable SSL Mutual Authentication
Date Sun, 15 Feb 2015 15:50:50 GMT
Repository: knox
Updated Branches:
  refs/heads/master 7d839171a -> 2ef76e918


KNOX-504 - Enable SSL Mutual Authentication

Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/2ef76e91
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/2ef76e91
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/2ef76e91

Branch: refs/heads/master
Commit: 2ef76e918f7ee1005cae179182d0ceb9b3505946
Parents: 7d83917
Author: Larry McCay <lmccay@hortonworks.com>
Authored: Sun Feb 15 10:50:34 2015 -0500
Committer: Larry McCay <lmccay@hortonworks.com>
Committed: Sun Feb 15 10:50:34 2015 -0500

----------------------------------------------------------------------
 .../gateway/config/impl/GatewayConfigImpl.java  | 61 ++++++++++++++++++--
 .../services/security/impl/JettySSLService.java | 45 ++++++++++++---
 .../hadoop/gateway/GatewayGlobalConfigTest.java |  6 +-
 .../resources/conf-site/conf/gateway-site.xml   | 17 ++++++
 .../hadoop/gateway/config/GatewayConfig.java    | 10 ++++
 .../hadoop/gateway/GatewayTestConfig.java       | 45 +++++++++++++++
 6 files changed, 170 insertions(+), 14 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/2ef76e91/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
b/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
index 4b2a0ac..b1f8d51 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
@@ -101,17 +101,27 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig
{
   public static final String SECURITY_DIR = GATEWAY_CONFIG_FILE_PREFIX + ".security.dir";
   public static final String DATA_DIR = GATEWAY_CONFIG_FILE_PREFIX + ".data.dir";
   public static final String HADOOP_CONF_DIR = GATEWAY_CONFIG_FILE_PREFIX + ".hadoop.conf.dir";
-//  public static final String SHIRO_CONFIG_FILE = GATEWAY_CONFIG_FILE_PREFIX + ".shiro.config.file";
   public static final String FRONTEND_URL = GATEWAY_CONFIG_FILE_PREFIX + ".frontend.url";
-
+  private static final String TRUST_ALL_CERTS = GATEWAY_CONFIG_FILE_PREFIX + ".trust.all.certs";
+  private static final String CLIENT_AUTH_NEEDED = GATEWAY_CONFIG_FILE_PREFIX + ".client.auth.needed";
+  private static final String TRUSTSTORE_PATH = GATEWAY_CONFIG_FILE_PREFIX + ".truststore.path";
+  private static final String TRUSTSTORE_TYPE = GATEWAY_CONFIG_FILE_PREFIX + ".truststore.type";
+  private static final String KEYSTORE_TYPE = GATEWAY_CONFIG_FILE_PREFIX + ".keystore.type";
+
+  // These config property names are not inline with the convention of using the
+  // GATEWAY_CONFIG_FILE_PREFIX as is done by those above. These are left for
+  // backward compatibility. 
+  // LET'S NOT CONTINUE THIS PATTERN BUT LEAVE THEM FOR NOW.
+  private static final String SSL_ENABLED = "ssl.enabled";
+  private static final String SSL_EXCLUDE_PROTOCOLS = "ssl.exclude.protocols";
+  // END BACKWARD COMPATIBLE BLOCK
+  
   public static final String DEFAULT_HTTP_PORT = "8888";
   public static final String DEFAULT_HTTP_PATH = "gateway";
   public static final String DEFAULT_DEPLOYMENT_DIR = "deployments";
   public static final String DEFAULT_SECURITY_DIR = "security";
   public static final String DEFAULT_DATA_DIR = "data";
-  private static final String SSL_ENABLED = "ssl.enabled";
-  private static final String SSL_EXCLUDE_PROTOCOLS = "ssl.exclude.protocols";
-//  public static final String DEFAULT_SHIRO_CONFIG_FILE = "shiro.ini";
+  
 
   public GatewayConfigImpl() {
     init();
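Review bot: The new `TRUST_ALL_CERTS` key (`gateway.trust.all.certs`) gets no comment, although it is the most consequential of the five constants added here — in this same commit `JettySSLService.buildSSlConnector` feeds its value straight into `setTrustAll(...)`, which disables peer certificate validation. A one-line comment on the constant such as `// Disables truststore-based peer certificate validation; for development only, never together with client auth` would make that visible to whoever reads the config keys. The enclosing class continues outside the hunk.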
@@ -369,5 +379,46 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig
{
     }
     return protocols;
   }
+
+  /* (non-Javadoc)
+   * @see org.apache.hadoop.gateway.config.GatewayConfig#isClientAuthNeeded()
+   */
+  @Override
+  public boolean isClientAuthNeeded() {
+    String clientAuthNeeded = get( CLIENT_AUTH_NEEDED, "false" );
+    return "true".equals(clientAuthNeeded);
+  }
+
+  /* (non-Javadoc)
+   * @see org.apache.hadoop.gateway.config.GatewayConfig#getTruststorePath()
+   */
+  @Override
+  public String getTruststorePath() {
+    return get( TRUSTSTORE_PATH, null);
+  }
+
+  /* (non-Javadoc)
+   * @see org.apache.hadoop.gateway.config.GatewayConfig#getTrustAllCerts()
+   */
+  @Override
+  public boolean getTrustAllCerts() {
+    String trustAllCerts = get( TRUST_ALL_CERTS, "false" );
+    return "true".equals(trustAllCerts);
+  }
   
+  /* (non-Javadoc)
+   * @see org.apache.hadoop.gateway.config.GatewayConfig#getTruststorePath()
+   */
+  @Override
+  public String getTruststoreType() {
+    return get( TRUSTSTORE_TYPE, "JKS");
+  }
+
+  /* (non-Javadoc)
+   * @see org.apache.hadoop.gateway.config.GatewayConfig#getTruststorePath()
+   */
+  @Override
+  public String getKeystoreType() {
+    return get( KEYSTORE_TYPE, "JKS");
+  }
 }
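Review bot: The `@see` tags on `getTruststoreType()` and `getKeystoreType()` both point at `GatewayConfig#getTruststorePath()`, a copy-paste leftover; they should read `@see org.apache.hadoop.gateway.config.GatewayConfig#getTruststoreType()` and `@see org.apache.hadoop.gateway.config.GatewayConfig#getKeystoreType()` respectively. The two boolean accessors also hand-roll the parse with `"true".equals(...)`, which is case-sensitive and untrimmed, so a value of `True` or `true ` silently yields false — for `trust.all.certs` that is the safe direction, but for `client.auth.needed` it silently disables mutual auth. The inherited `Configuration.getBoolean` handles those forms; `return getBoolean( CLIENT_AUTH_NEEDED, false );` (and likewise for `TRUST_ALL_CERTS`) is shorter and consistent with the rest of the class.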

http://git-wip-us.apache.org/repos/asf/knox/blob/2ef76e91/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
index 85753b0..9c515b2 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
@@ -43,6 +43,7 @@ import org.eclipse.jetty.util.ssl.SslContextFactory;
 
 public class JettySSLService implements SSLService {
   private static final String GATEWAY_IDENTITY_PASSPHRASE = "gateway-identity-passphrase";
+  private static final String GATEWAY_TRUSTSTORE_PASSWORD = "gateway-truststore-password";
   private static final String GATEWAY_CREDENTIAL_STORE_NAME = "__gateway";
   private static GatewayMessages log = MessagesFactory.get( GatewayMessages.class );
   
@@ -50,6 +51,11 @@ public class JettySSLService implements SSLService {
   private KeystoreService ks;
   private AliasService as;
   private List<String> sslExcludeProtocols = null;
+  private boolean clientAuthNeeded;
+  private boolean trustAllCerts;
+  private String truststorePath;
+  private String keystoreType;
+  private String trustStoreType;
 
   public void setMasterService(MasterService ms) {
     this.ms = ms;
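Review bot: `trustStoreType` on the last added field breaks the spelling used everywhere else in this change (`truststorePath`, `getTruststoreType()`, the `gateway.truststore.type` key); rename it to `truststoreType` so the field, the accessor and the config key read the same. The two uses in the later hunks of this file would change accordingly.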
@@ -95,7 +101,12 @@ public class JettySSLService implements SSLService {
       throw new ServiceLifecycleException("Keystore was not loaded properly - the provided
(or persisted) master secret may not match the password for the keystore.", e);
     }
 
+    keystoreType = config.getKeystoreType();
     sslExcludeProtocols = config.getExcludedSSLProtocols();
+    clientAuthNeeded = config.isClientAuthNeeded();
+    truststorePath = config.getTruststorePath();
+    trustAllCerts = config.getTrustAllCerts();
+    trustStoreType = config.getTruststoreType();
   }
 
   private void logAndValidateCertificate() throws ServiceLifecycleException {
@@ -131,23 +142,41 @@ public class JettySSLService implements SSLService {
   public Object buildSSlConnector( String keystoreFileName ) {
     SslContextFactory sslContextFactory = new SslContextFactory( true );
     sslContextFactory.setCertAlias( "gateway-identity" );
-//    String keystorePath = gatewayHomeDir + File.separatorChar +  "conf" + File.separatorChar
+  "security" + File.separatorChar + "keystores" + File.separatorChar + "gateway.jks";
-    sslContextFactory.setKeyStoreType("JKS");
+    sslContextFactory.setKeyStoreType(keystoreType);
     sslContextFactory.setKeyStorePath(keystoreFileName);
     char[] master = ms.getMasterSecret();
     sslContextFactory.setKeyStorePassword(new String(master));
-    char[] keypass = as.getPasswordFromAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME, GATEWAY_IDENTITY_PASSPHRASE);
+    char[] keypass = as.getPasswordFromAliasForGateway(GATEWAY_IDENTITY_PASSPHRASE);
     if (keypass == null) {
       // there has been no alias created for the key - let's assume it is the same as the
keystore password
       keypass = master;
     }
     sslContextFactory.setKeyManagerPassword(new String(keypass));
 
-    // TODO: make specific truststore too?
-//    sslContextFactory.setTrustStore(keystorePath);
-//    sslContextFactory.setTrustStorePassword(new String(keypass));
-    sslContextFactory.setNeedClientAuth( false );
-    sslContextFactory.setTrustAll( true );
+    String truststorePassword = null;
+    if (clientAuthNeeded) {
+      if (truststorePath != null) {
+        sslContextFactory.setTrustStore(truststorePath);
+        char[] truststorePwd = as.getPasswordFromAliasForGateway(GATEWAY_TRUSTSTORE_PASSWORD);
+        if (truststorePwd != null) {
+          truststorePassword = new String(truststorePwd);
+        }
+        else {
+          truststorePassword = new String(master);
+        }
+        sslContextFactory.setTrustStorePassword(truststorePassword);
+        sslContextFactory.setTrustStoreType(trustStoreType);
+      }
+      else {
+        // when clientAuthIsNeeded but no truststore provided
+        // default to the server's keystore and details
+        sslContextFactory.setTrustStore(keystoreFileName);
+        sslContextFactory.setTrustStorePassword(new String(master));
+        sslContextFactory.setTrustStoreType(keystoreType);
+      }
+    }
+    sslContextFactory.setNeedClientAuth( clientAuthNeeded );
+    sslContextFactory.setTrustAll( trustAllCerts );
     if (sslExcludeProtocols != null) {
       sslContextFactory.setExcludeProtocols((String[]) sslExcludeProtocols.toArray());
     }
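Review bot: `setNeedClientAuth( clientAuthNeeded )` followed by `setTrustAll( trustAllCerts )` lets both flags be true at once, and as far as I can tell from Jetty's `SslContextFactory` trust-all replaces the truststore's trust managers with one that accepts any certificate, so the truststore configured just above is ignored and every presented client certificate passes — mutual authentication that authenticates nobody. The combination should be rejected where the config is read in `init()` (previous hunk), e.g. `if (clientAuthNeeded && trustAllCerts) { throw new ServiceLifecycleException("gateway.client.auth.needed and gateway.trust.all.certs are mutually exclusive"); }`, or at minimum logged. A second point: the fallback branch that reuses the identity keystore as the truststore makes every certificate entry in that keystore a trusted issuer for client authentication; the comment there should say so, since operators are unlikely to expect that default. `buildSSlConnector` continues past the end of the hunk.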

http://git-wip-us.apache.org/repos/asf/knox/blob/2ef76e91/gateway-server/src/test/java/org/apache/hadoop/gateway/GatewayGlobalConfigTest.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/test/java/org/apache/hadoop/gateway/GatewayGlobalConfigTest.java
b/gateway-server/src/test/java/org/apache/hadoop/gateway/GatewayGlobalConfigTest.java
index 5f1db49..d9957bd 100644
--- a/gateway-server/src/test/java/org/apache/hadoop/gateway/GatewayGlobalConfigTest.java
+++ b/gateway-server/src/test/java/org/apache/hadoop/gateway/GatewayGlobalConfigTest.java
@@ -44,6 +44,7 @@ public class GatewayGlobalConfigTest {
     System.setProperty( GatewayConfigImpl.GATEWAY_HOME_VAR, getHomeDirName( "conf-full/conf/gateway-default.xml"
) );
     GatewayConfig config = new GatewayConfigImpl();
     assertThat( config.getGatewayPort(), is( 7777 ) );
+    assertThat( config.isClientAuthNeeded(), is( false ) );
     assertNull("ssl.exclude.protocols should be null.", config.getExcludedSSLProtocols());
     //assertThat( config.getShiroConfigFile(), is( "full-shiro.ini") );
   }
@@ -62,7 +63,10 @@ public class GatewayGlobalConfigTest {
     System.setProperty( GatewayConfigImpl.GATEWAY_HOME_VAR, getHomeDirName( "conf-site/conf/gateway-site.xml"
) );
     GatewayConfig config = new GatewayConfigImpl();
     assertThat( config.getGatewayPort(), is( 5555 ) );
-    //assertThat( config.getShiroConfigFile(), is( "site-shiro.ini") );
+    assertThat( config.isClientAuthNeeded(), is( true ) );
+    assertThat( config.getTruststorePath(), is("./gateway-trust.jks"));
+    assertThat( config.getTruststoreType(), is( "PKCS12" ) );
+    assertThat( config.getKeystoreType(), is( "JKS" ) );
   }
 
   @Test
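Review bot: Neither test asserts the new `getTrustAllCerts()` accessor, so the `false` default for `gateway.trust.all.certs` — the one default in this change that must not regress — goes unverified; add `assertThat( config.getTrustAllCerts(), is( false ) );` next to the `isClientAuthNeeded` assertion in both tests. The conf-full test in the previous hunk could also pin the no-truststore case with `assertNull( config.getTruststorePath() );`.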

http://git-wip-us.apache.org/repos/asf/knox/blob/2ef76e91/gateway-server/src/test/resources/conf-site/conf/gateway-site.xml
----------------------------------------------------------------------
diff --git a/gateway-server/src/test/resources/conf-site/conf/gateway-site.xml b/gateway-server/src/test/resources/conf-site/conf/gateway-site.xml
index ec7b42c..5815b84 100644
--- a/gateway-server/src/test/resources/conf-site/conf/gateway-site.xml
+++ b/gateway-server/src/test/resources/conf-site/conf/gateway-site.xml
@@ -49,4 +49,21 @@ limitations under the License.
         <description>The location of the Shiro configuration file.</description>
     </property>
 
+    <property>
+        <name>gateway.client.auth.needed</name>
+        <value>true</value>
+        <description>mutual authentication required for all topologies</description>
+    </property>
+
+    <property>
+        <name>gateway.truststore.path</name>
+        <value>./gateway-trust.jks</value>
+        <description>path to truststore</description>
+    </property>
+
+    <property>
+        <name>gateway.truststore.type</name>
+        <value>PKCS12</value>
+        <description>type of truststore</description>
+    </property>
 </configuration>

http://git-wip-us.apache.org/repos/asf/knox/blob/2ef76e91/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
b/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
index 010e25d..a8ddc83 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
@@ -85,4 +85,14 @@ public interface GatewayConfig {
   String getDefaultAppRedirectPath();
 
   String getFrontendUrl();
+
+  boolean isClientAuthNeeded();
+
+  String getTruststorePath();
+
+  boolean getTrustAllCerts();
+
+  String getKeystoreType();
+
+  String getTruststoreType();
 }
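Review bot: The five methods added to this SPI interface carry no Javadoc, and for `getTrustAllCerts()` in particular nothing in the signature tells a caller that a true return disables certificate validation. Each should get a short Javadoc stating the config key behind it, the value returned when the key is unset (the implementation in this commit uses `false`, `null` and `"JKS"`), and for `getTrustAllCerts()` that it is meant for development only and must not be combined with `isClientAuthNeeded()`. The boolean getter naming is also mixed — `isClientAuthNeeded()` versus `getTrustAllCerts()` — and `isTrustAllCerts()` would be the conventional form, though that rename is only cheap before implementations exist.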

http://git-wip-us.apache.org/repos/asf/knox/blob/2ef76e91/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
index a013505..4340500 100644
--- a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
+++ b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
@@ -186,6 +186,51 @@ public class GatewayTestConfig implements GatewayConfig {
     this.frontendUrl = frontendUrl;
   }
 
+  /* (non-Javadoc)
+   * @see org.apache.hadoop.gateway.config.GatewayConfig#isClientAuthNeeded()
+   */
+  @Override
+  public boolean isClientAuthNeeded() {
+    // TODO Auto-generated method stub
+    return false;
+  }
+
+  /* (non-Javadoc)
+   * @see org.apache.hadoop.gateway.config.GatewayConfig#getTruststorePath()
+   */
+  @Override
+  public String getTruststorePath() {
+    // TODO Auto-generated method stub
+    return null;
+  }
+
+  /* (non-Javadoc)
+   * @see org.apache.hadoop.gateway.config.GatewayConfig#getTrustAllCerts()
+   */
+  @Override
+  public boolean getTrustAllCerts() {
+    // TODO Auto-generated method stub
+    return false;
+  }
+
+  /* (non-Javadoc)
+   * @see org.apache.hadoop.gateway.config.GatewayConfig#getTruststoreType()
+   */
+  @Override
+  public String getTruststoreType() {
+    // TODO Auto-generated method stub
+    return null;
+  }
+  
+  /* (non-Javadoc)
+   * @see org.apache.hadoop.gateway.config.GatewayConfig#getKeystoreType()
+   */
+  @Override
+  public String getKeystoreType() {
+    // TODO Auto-generated method stub
+    return null;
+  }
+
 //  public void setKerberosLoginConfig(String kerberosLoginConfig) {
 //   this.kerberosLoginConfig = kerberosLoginConfig;
 //  }
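Review bot: `getTruststoreType()` and `getKeystoreType()` return `null` here while `GatewayConfigImpl` defaults both to `"JKS"`, and `JettySSLService.buildSSlConnector` in this commit passes `getKeystoreType()` straight into `setKeyStoreType(...)`, so any test that builds the SSL connector with this config hands Jetty a null keystore type. Return the same defaults as the real implementation, `return "JKS";` in both, and drop the `// TODO Auto-generated method stub` comments, which say nothing once the bodies are deliberate. The `false` and `null` returns of the other three stubs match the implementation defaults and are fine.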

