-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66504/#review200820
-----------------------------------------------------------
.git/rebase-apply/patch:195: trailing whitespace.
warning: 1 line adds whitespace errors.
Please fix above warning.
- Qiang Zhang
On April 9, 2018, 2:55 p.m., Pradeep Agrawal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/66504/
> -----------------------------------------------------------
>
> (Updated April 9, 2018, 2:55 p.m.)
>
>
> Review request for ranger, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2058
> https://issues.apache.org/jira/browse/RANGER-2058
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Statement:** Ranger cannot communicate with an SSL-enabled Postgres server.
>
>
> **Proposed Solution:**
> To connect to an SSL-enabled Postgres server, the JDBC connection string could be:
> =>For validating CA: "jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true&sslmode=verify-ca".
> =>For Non validating CA: "jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true&org.postgresql.ssl.NonValidatingFactory".
>
> The 'ssl=true' property is added to the JDBC URL to attempt to communicate via SSL.
> The 'sslfactory=org.postgresql.ssl.NonValidatingFactory' property is set to bypass certificate validation.
> The 'sslmode=verify-ca' property is set to connect only if the Postgres server trust certificate is available. If the user wants to connect using a truststore, they can configure the truststore files (certificate information for both the Postgres server and the client).
> ---
> The following properties of the install.properties file can be used to provide the SSL config options and the keystore and truststore paths to connect to an SSL-enabled Postgres server:
>
> db_ssl_enabled=
> db_ssl_required=
> db_ssl_verifyServerCertificate=
> db_ssl_auth_type=
> javax_net_ssl_keyStore=
> javax_net_ssl_keyStorePassword=
> javax_net_ssl_trustStore=
> javax_net_ssl_trustStorePassword=
> ---
> **Rules:**
> 1. If [db_ssl_enabled=true] then the ranger admin/kms JDBC URL will attempt to communicate to postgres via SSL.
> 2. If [db_ssl_enabled=true and [db_ssl_required=false and db_ssl_verifyServerCertificate=false]] then the JDBC URL will have the parameter 'sslfactory=org.postgresql.ssl.NonValidatingFactory' in it and CA validation will be skipped.
> 3. If [db_ssl_enabled=true and [db_ssl_required=true or db_ssl_verifyServerCertificate=true]] then the JDBC URL will have the parameter 'sslmode=verify-ca' in it and CA validation will be mandatory.
> 3.1) If [db_ssl_auth_type=1-way] then the user has to provide the certificate and password through the truststore properties (javax_net_ssl_trustStore, javax_net_ssl_trustStorePassword).
> 3.2) If [db_ssl_auth_type=2-way] then the user has to provide the keystore and password through the keystore properties (javax_net_ssl_keyStore, javax_net_ssl_keyStorePassword) and the CA certificate and password through the truststore properties (javax_net_ssl_trustStore, javax_net_ssl_trustStorePassword).
>
> **Note:**
> The Ranger application and the jisql utility need to know where to pick up the certificates from; this can be set in the system properties like this:
> -Djavax.net.ssl.keyStore=path_to_keystore_file
> -Djavax.net.ssl.keyStorePassword=password
> -Djavax.net.ssl.trustStore=path_to_truststore_file
> -Djavax.net.ssl.trustStorePassword=password
>
>
> Diffs
> -----
>
> kms/scripts/db_setup.py a431b60
> kms/scripts/dba_script.py bcd4aa2
> kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java 12585ca
> security-admin/scripts/db_setup.py b8664d2
> security-admin/scripts/dba_script.py 69fff41
> security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java edd9d36
>
>
> Diff: https://reviews.apache.org/r/66504/diff/1/
>
>
> Testing
> -------
>
> **Steps Performed (with patch):**
> Installed Postgres and enabled SSL with the help of doc : https://www.postgresql.org/docs/9.5/static/ssl-tcp.html
>
> Untar ranger-admin from Build having changes of proposed patch.
> Provided ranger db root and admin db details in install.properties.
> Provided values for below properties of install.properties file.
> db_ssl_enabled=true
> db_ssl_required=true
> db_ssl_verifyServerCertificate=true
> db_ssl_auth_type=1-way
> javax_net_ssl_keyStore=/root/keystore
> javax_net_ssl_keyStorePassword=secret
> javax_net_ssl_trustStore=/root/truststore
> javax_net_ssl_trustStorePassword=secret
>
> Executed setup.sh script.
>
> Tried to start ranger admin service.
>
> **Expected behaviour:** Ranger admin should start normally and the user should be able to see the Dashboard page after login.
>
> **Actual behaviour:** Ranger admin was started and was able to login and see the Ranger UI.
>
> **Note:**
> Tested Ranger admin and Ranger kms on SSL-enabled Postgres with one-way and two-way SSL configurations.
> Also tried the below combinations of SSL properties with different Ranger DB combinations to install Ranger admin and Ranger kms.
>
> db_ssl_enabled|db_ssl_required|db_ssl_verifyServerCertificate|db_ssl_auth_type|javax_net_ssl_keyStore|javax_net_ssl_trustStore
> TRUE|TRUE|TRUE|2-way|provided|provided
> TRUE|TRUE|TRUE|2-way|provided|not provided
> TRUE|TRUE|TRUE|2-way|not provided|provided
> TRUE|TRUE|TRUE|2-way|not provided|not provided
> TRUE|TRUE|TRUE|1-way|provided|provided
> TRUE|TRUE|TRUE|1-way|provided|not provided
> TRUE|TRUE|TRUE|1-way|not provided|provided
> TRUE|TRUE|TRUE|1-way|not provided|not provided
> TRUE|TRUE|FALSE|2-way|provided|provided
> TRUE|TRUE|FALSE|2-way|provided|not provided
> TRUE|TRUE|FALSE|2-way|not provided|provided
> TRUE|TRUE|FALSE|2-way|not provided|not provided
> TRUE|TRUE|FALSE|1-way|provided|provided
> TRUE|TRUE|FALSE|1-way|provided|not provided
> TRUE|TRUE|FALSE|1-way|not provided|provided
> TRUE|TRUE|FALSE|1-way|not provided|not provided
> TRUE|FALSE|TRUE|2-way|provided|provided
> TRUE|FALSE|TRUE|2-way|provided|not provided
> TRUE|FALSE|TRUE|2-way|not provided|provided
> TRUE|FALSE|TRUE|2-way|not provided|not provided
> TRUE|FALSE|TRUE|1-way|provided|provided
> TRUE|FALSE|TRUE|1-way|provided|not provided
> TRUE|FALSE|TRUE|1-way|not provided|provided
> TRUE|FALSE|TRUE|1-way|not provided|not provided
> TRUE|FALSE|FALSE|2-way|provided|provided
> TRUE|FALSE|FALSE|2-way|provided|not provided
> TRUE|FALSE|FALSE|2-way|not provided|provided
> TRUE|FALSE|FALSE|2-way|not provided|not provided
> TRUE|FALSE|FALSE|1-way|provided|provided
> TRUE|FALSE|FALSE|1-way|provided|not provided
> TRUE|FALSE|FALSE|1-way|not provided|provided
> TRUE|FALSE|FALSE|1-way|not provided|not provided
> FALSE|TRUE|TRUE|2-way|provided|provided
> FALSE|TRUE|TRUE|2-way|provided|not provided
> FALSE|TRUE|TRUE|2-way|not provided|provided
> FALSE|TRUE|TRUE|2-way|not provided|not provided
> FALSE|TRUE|TRUE|1-way|provided|provided
> FALSE|TRUE|TRUE|1-way|provided|not provided
> FALSE|TRUE|TRUE|1-way|not provided|provided
> FALSE|TRUE|TRUE|1-way|not provided|not provided
> FALSE|TRUE|FALSE|2-way|provided|provided
> FALSE|TRUE|FALSE|2-way|provided|not provided
> FALSE|TRUE|FALSE|2-way|not provided|provided
> FALSE|TRUE|FALSE|2-way|not provided|not provided
> FALSE|TRUE|FALSE|1-way|provided|provided
> FALSE|TRUE|FALSE|1-way|provided|not provided
> FALSE|TRUE|FALSE|1-way|not provided|provided
> FALSE|TRUE|FALSE|1-way|not provided|not provided
> FALSE|FALSE|TRUE|2-way|provided|provided
> FALSE|FALSE|TRUE|2-way|provided|not provided
> FALSE|FALSE|TRUE|2-way|not provided|provided
> FALSE|FALSE|TRUE|2-way|not provided|not provided
> FALSE|FALSE|TRUE|1-way|provided|provided
> FALSE|FALSE|TRUE|1-way|provided|not provided
> FALSE|FALSE|TRUE|1-way|not provided|provided
> FALSE|FALSE|TRUE|1-way|not provided|not provided
> FALSE|FALSE|FALSE|2-way|provided|provided
> FALSE|FALSE|FALSE|2-way|provided|not provided
> FALSE|FALSE|FALSE|2-way|not provided|provided
> FALSE|FALSE|FALSE|2-way|not provided|not provided
> FALSE|FALSE|FALSE|1-way|provided|provided
> FALSE|FALSE|FALSE|1-way|provided|not provided
> FALSE|FALSE|FALSE|1-way|not provided|provided
> FALSE|FALSE|FALSE|1-way|not provided|not provided
>
>
> Thanks,
>
> Pradeep Agrawal
>
>
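The JDBC URL rules and the keystore/truststore requirements from the quoted description, as an added example that is not part of the review request or the Ranger patch itself. It assumes the install.properties keys named in the description and a PostgreSQL port of 5432 (the review's own sample URL uses 3306).

```python
# Added example, not code from the Ranger patch: applies the install.properties
# rules in the review description to derive the PostgreSQL JDBC URL and to
# check which certificate settings each auth type requires.

NON_VALIDATING_FACTORY = "org.postgresql.ssl.NonValidatingFactory"

def _is_true(props, key):
    return str(props.get(key, "false")).strip().lower() == "true"

def _validating(props):
    # Rule 3: CA validation is mandatory if either flag is set.
    return _is_true(props, "db_ssl_required") or _is_true(props, "db_ssl_verifyServerCertificate")

def build_postgres_jdbc_url(props, host, port, db_name):
    """Rules 1-3: the JDBC URL ranger admin/kms would use for these properties."""
    url = "jdbc:postgresql://%s:%s/%s" % (host, port, db_name)
    if not _is_true(props, "db_ssl_enabled"):
        return url  # rule 1 not triggered: plaintext connection
    if _validating(props):
        return url + "?ssl=true&sslmode=verify-ca"
    # Rule 2: any server certificate is accepted, so an on-path host could pose
    # as the database; only defensible on a network you already trust.
    return url + "?ssl=true&sslfactory=" + NON_VALIDATING_FACTORY

def missing_ssl_settings(props):
    """Rules 3.1/3.2: install.properties keys that must be set but are empty."""
    if not (_is_true(props, "db_ssl_enabled") and _validating(props)):
        return []  # no trust material is consulted when CA validation is skipped
    needed = ["javax_net_ssl_trustStore", "javax_net_ssl_trustStorePassword"]
    if props.get("db_ssl_auth_type", "1-way").strip() == "2-way":
        needed += ["javax_net_ssl_keyStore", "javax_net_ssl_keyStorePassword"]
    return [k for k in needed if not str(props.get(k, "")).strip()]

def jvm_ssl_flags(props):
    """The -Djavax.net.ssl.* flags from the review's note, built from the same keys."""
    names = ["keyStore", "keyStorePassword", "trustStore", "trustStorePassword"]
    return ["-Djavax.net.ssl.%s=%s" % (n, props["javax_net_ssl_" + n])
            for n in names if props.get("javax_net_ssl_" + n)]

# Constructed sample mirroring the review's testing section. Port 5432 is an
# assumption (PostgreSQL's default); the review's example URL uses 3306.
SAMPLE_PROPS = {
    "db_ssl_enabled": "true", "db_ssl_required": "true",
    "db_ssl_verifyServerCertificate": "true", "db_ssl_auth_type": "1-way",
    "javax_net_ssl_keyStore": "/root/keystore", "javax_net_ssl_keyStorePassword": "secret",
    "javax_net_ssl_trustStore": "/root/truststore", "javax_net_ssl_trustStorePassword": "secret",
}
```

Running `missing_ssl_settings` before `setup.sh` is where the "not provided" rows of the test matrix would be caught up front instead of at connection time.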