ranger-dev mailing list archives

From Pradeep Agrawal <pradeep.agra...@freestoneinfotech.com>
Subject Review Request 55135: RANGER-1288 : Add SSL enabled MySQL support in Ranger Admin
Date Tue, 03 Jan 2017 12:45:43 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55135/
-----------------------------------------------------------

Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan
Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan
Periasamy.


Bugs: RANGER-1288
    https://issues.apache.org/jira/browse/RANGER-1288


Repository: ranger


Description
-------

**Problem Statement:** Ranger cannot communicate with an SSL-enabled MySQL server.

**Proposed Solution:**
To connect to an SSL-enabled MySQL server, the JDBC connection string could be: "jdbc:mysql://127.0.0.1:3306/ranger?verifyServerCertificate=false&useSSL=true&requireSSL=true".
The 'useSSL=true' property is added to the JDBC URL to attempt to communicate via SSL.
The 'verifyServerCertificate=false' property is set to bypass certificate validation.
The 'requireSSL=true' property is set to refuse to connect if the MySQL server does not support
SSL. If the user wants to connect using a truststore, then he can configure truststore files (certificate
information for both the MySQL server and the client).
The Ranger application and the jisql utility should know where to pick up the certificates from, which
can be set in system properties like this:
-Djavax.net.ssl.keyStore=path_to_keystore_file
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=path_to_truststore_file
-Djavax.net.ssl.trustStorePassword=password

The following properties have been added to install.properties to add SSL-enabled MySQL configuration
in Ranger Admin:

db_ssl_enabled=false
db_ssl_required=false
db_ssl_verifyServerCertificate=false
javax_net_ssl_keyStore=/etc/mysql/keystore
javax_net_ssl_keyStorePassword=secret
javax_net_ssl_trustStore=/etc/mysql/truststore
javax_net_ssl_trustStorePassword=secret


Diffs
-----

  embeddedwebserver/scripts/ranger-admin-services.sh c19598a 
  kms/config/kms-webapp/dbks-site.xml ebf06d7 
  kms/scripts/db_setup.py f1342fd 
  kms/scripts/dba_script.py 4366743 
  kms/scripts/install.properties d07dc2c 
  kms/scripts/setup.sh 568350b 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java f350dce 
  plugin-kms/scripts/enable-kms-plugin.sh b2701a8 
  security-admin/scripts/db_setup.py 430aa47 
  security-admin/scripts/dba_script.py 1b29c75 
  security-admin/scripts/install.properties 693129f 
  security-admin/scripts/setup.sh 82250b1 
  security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java 5636ed3 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml e73b6c6 

Diff: https://reviews.apache.org/r/55135/diff/


Testing
-------

**Steps Performed (with patch):**
1. Installed MySQL and enabled SSL with the help of these docs:
http://dev.mysql.com/doc/refman/5.7/en/creating-ssl-files-using-openssl.html
https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html

2. Untarred ranger-admin from a build containing the changes of the proposed patch.
3. Provided Ranger DB root and admin DB details in install.properties.
4. Provided values for the newly introduced properties below in the install.properties file.
db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
javax_net_ssl_keyStore=/root/keystore
javax_net_ssl_keyStorePassword=secret
javax_net_ssl_trustStore=/root/truststore
javax_net_ssl_trustStorePassword=secret

5. Executed setup.sh script.
6. Tried to start the Ranger admin service.

**Expected behaviour:** Ranger admin should start normally and the user should be able to see the Dashboard
page after login.

**Actual behaviour:** Ranger admin was started and I was able to log in and see the Ranger UI.

**Note:** Also tried the below combinations of SSL properties with different Ranger DB combinations
to install Ranger.

**db_ssl_enabled | db_ssl_required | db_ssl_verifyServerCertificate**
true           |true             |true
true           |true             |false
true           |false            |true
true           |false            |false


Thanks,

Pradeep Agrawal
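
Added example (not part of the original message and not Ranger's own code): a short Python audit of the db_ssl_* combinations listed above, showing the JDBC URL each one would produce and which protection each one gives up. The helper names and the mapping from install.properties keys to URL parameters are assumptions.

```python
# Added example, not Ranger code. Property names come from the review request;
# the helper names and the property-to-URL mapping are assumptions.

# Constructed sample mirroring the install.properties keys in the request.
SAMPLE = """
db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=false
javax_net_ssl_trustStore=/etc/mysql/truststore
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def flag(props, key):
    return props.get(key, "false").lower() == "true"

def build_jdbc_url(props, host="127.0.0.1", port=3306, db="ranger"):
    """Return a Connector/J URL in the shape quoted in the request."""
    url = "jdbc:mysql://%s:%d/%s" % (host, port, db)
    if not flag(props, "db_ssl_enabled"):
        return url
    verify = str(flag(props, "db_ssl_verifyServerCertificate")).lower()
    require = str(flag(props, "db_ssl_required")).lower()
    return "%s?verifyServerCertificate=%s&useSSL=true&requireSSL=%s" % (url, verify, require)

def audit(props):
    """List the weaknesses of a db_ssl_* combination."""
    if not flag(props, "db_ssl_enabled"):
        return ["db_ssl_enabled=false: connection is not encrypted"]
    findings = []
    if not flag(props, "db_ssl_required"):
        findings.append("db_ssl_required=false: connection is allowed if the server lacks SSL")
    if not flag(props, "db_ssl_verifyServerCertificate"):
        findings.append("db_ssl_verifyServerCertificate=false: server certificate is not validated")
    elif not props.get("javax_net_ssl_trustStore"):
        findings.append("javax_net_ssl_trustStore unset: JVM default trust store is used")
    return findings

if __name__ == "__main__":
    props = parse_properties(SAMPLE)
    print(build_jdbc_url(props))
    for finding in audit(props):
        print("WARN", finding)
```

Of the four combinations in the table above, only true/true/true with a truststore configured returns no findings.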

