ranger-dev mailing list archives

From Velmurugan Periasamy <vperias...@hortonworks.com>
Subject Re: Review Request 55135: RANGER-1288 : Add SSL enabled MySQL support in Ranger Admin
Date Tue, 17 Jan 2017 18:02:35 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55135/#review161895
-----------------------------------------------------------


Ship it!

- Velmurugan Periasamy


On Jan. 3, 2017, 12:45 p.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55135/
> -----------------------------------------------------------
> 
> (Updated Jan. 3, 2017, 12:45 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1288
>     https://issues.apache.org/jira/browse/RANGER-1288
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement:** Ranger cannot communicate with an SSL-enabled MySQL server.
> 
> **Proposed Solution:** 
> To connect to an SSL-enabled MySQL server, the JDBC connection string could be: "jdbc:mysql://127.0.0.1:3306/ranger?verifyServerCertificate=false&useSSL=true&requireSSL=true".
> The 'useSSL=true' property is added to the JDBC URL to attempt to communicate via SSL.
> The 'verifyServerCertificate=false' property is set to bypass certificate validation.
> The 'requireSSL=true' property is set to refuse to connect if the MySQL server does not support SSL. If a user wants to connect using a truststore, then he can configure truststore files (certificate information for both the MySQL server and client).
> The Ranger application and jisql utility should know where to pick up the certificates, which can be set in System properties like this:
> -Djavax.net.ssl.keyStore=path_to_keystore_file
> -Djavax.net.ssl.keyStorePassword=password
> -Djavax.net.ssl.trustStore=path_to_truststore_file
> -Djavax.net.ssl.trustStorePassword=password
> 
> The following properties have been added in install.properties to add SSL-enabled MySQL configuration in Ranger Admin:
> 
> db_ssl_enabled=false
> db_ssl_required=false
> db_ssl_verifyServerCertificate=false
> javax_net_ssl_keyStore=/etc/mysql/keystore
> javax_net_ssl_keyStorePassword=secret
> javax_net_ssl_trustStore=/etc/mysql/truststore
> javax_net_ssl_trustStorePassword=secret
> 
> 
> Diffs
> -----
> 
>   embeddedwebserver/scripts/ranger-admin-services.sh c19598a 
>   kms/config/kms-webapp/dbks-site.xml ebf06d7 
>   kms/scripts/db_setup.py f1342fd 
>   kms/scripts/dba_script.py 4366743 
>   kms/scripts/install.properties d07dc2c 
>   kms/scripts/setup.sh 568350b 
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java f350dce 
>   plugin-kms/scripts/enable-kms-plugin.sh b2701a8 
>   security-admin/scripts/db_setup.py 430aa47 
>   security-admin/scripts/dba_script.py 1b29c75 
>   security-admin/scripts/install.properties 693129f 
>   security-admin/scripts/setup.sh 82250b1 
>   security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java 5636ed3 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml e73b6c6 
> 
> Diff: https://reviews.apache.org/r/55135/diff/
> 
> 
> Testing
> -------
> 
> **Steps Performed(with patch):**
> 1. Installed MySQL and enabled SSL with the help of doc : 
> http://dev.mysql.com/doc/refman/5.7/en/creating-ssl-files-using-openssl.html
> https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html
> 
> 2. Untar ranger-admin from Build having changes of proposed patch.
> 3. Provided ranger db root and admin db details in install.properties.
> 4. Provided values in below introduced properties of install.properties file.
> db_ssl_enabled=true
> db_ssl_required=true
> db_ssl_verifyServerCertificate=true
> javax_net_ssl_keyStore=/root/keystore
> javax_net_ssl_keyStorePassword=secret
> javax_net_ssl_trustStore=/root/truststore
> javax_net_ssl_trustStorePassword=secret
> 
> 5. Executed setup.sh script.
> 6. Tried to start ranger admin service.
> 
> **Expected behaviour:** Ranger admin should start normally and the user should be able to see the Dashboard page after login.
> 
> **Actual behaviour:** Ranger admin was started and I was able to log in and see the Ranger UI.
> 
> **Note:** Also tried the below combinations of SSL properties with different Ranger DB combinations to install Ranger.
> 
> **db_ssl_enabled | db_ssl_required | db_ssl_verifyServerCertificate**
> true           |true             |true
> true           |true             |false
> true           |false            |true
> true           |false            |false
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>
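
The mapping described in the review request, from the `install.properties` keys to the Connector/J URL and `-Djavax.net.ssl.*` options, sketched as an added example that is not part of the original message or of Ranger's own `db_setup.py`. The function names are hypothetical, and the sample input is constructed from the values quoted above.

```python
# Added example, not Ranger's own db_setup.py. Function names are hypothetical.
SAMPLE = """\
db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=false
javax_net_ssl_keyStore=/etc/mysql/keystore
javax_net_ssl_keyStorePassword=secret
javax_net_ssl_trustStore=/etc/mysql/truststore
javax_net_ssl_trustStorePassword=secret
"""  # constructed input, using the values quoted in the message

def parse_properties(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def is_true(props, key):
    return props.get(key, "false").lower() == "true"

def build_ssl_config(props, host="127.0.0.1", port=3306, db="ranger"):
    """Return (jdbc_url, jvm_args, warnings) for the given properties."""
    url = "jdbc:mysql://%s:%d/%s" % (host, port, db)
    jvm_args, warnings = [], []
    if not is_true(props, "db_ssl_enabled"):
        warnings.append("db_ssl_enabled=false: connection does not use SSL")
        return url, jvm_args, warnings
    verify = is_true(props, "db_ssl_verifyServerCertificate")
    require = is_true(props, "db_ssl_required")
    url += "?verifyServerCertificate=%s&useSSL=true&requireSSL=%s" % (
        str(verify).lower(), str(require).lower())
    if not require:
        warnings.append("db_ssl_required=false: connection is not refused "
                        "if the server does not support SSL")
    if not verify:
        warnings.append("db_ssl_verifyServerCertificate=false: "
                        "certificate validation is bypassed")
    # Stores are handed to the JVM as javax.net.ssl.* system properties.
    for name in ("keyStore", "keyStorePassword",
                 "trustStore", "trustStorePassword"):
        value = props.get("javax_net_ssl_" + name, "")
        if value:
            jvm_args.append("-Djavax.net.ssl.%s=%s" % (name, value))
        elif verify and name == "trustStore":
            warnings.append("verification is on but no trustStore is set")
    return url, jvm_args, warnings
```

Of the four combinations listed in the testing note, only `true | true | true` with a truststore configured comes back with an empty warning list.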

