From els...@apache.org
Subject [accumulo] branch master updated: Do not require a password on the truststore JKS
Date Fri, 14 Sep 2018 19:45:13 GMT
This is an automated email from the ASF dual-hosted git repository.

elserj pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/accumulo.git


The following commit(s) were added to refs/heads/master by this push:
     new c033667  Do not require a password on the truststore JKS
c033667 is described below

commit c033667b007d329d05203e21fe5af4c28f63cb13
Author: Romil Choksi <rchoksi@hortonworks.com>
AuthorDate: Wed Sep 12 15:07:20 2018 -0400

    Do not require a password on the truststore JKS
    
    A password on a truststore provides no security value, only validation
    that the JKS is the JKS that the user expects. Log a warning when the
    truststore is empty.
    
    Closes #646
    
    Signed-off-by: Josh Elser <elserj@apache.org>
---
 .../org/apache/accumulo/monitor/EmbeddedWebServer.java     | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/server/monitor/src/main/java/org/apache/accumulo/monitor/EmbeddedWebServer.java
b/server/monitor/src/main/java/org/apache/accumulo/monitor/EmbeddedWebServer.java
index 2d254ea..ee2ebaa 100644
--- a/server/monitor/src/main/java/org/apache/accumulo/monitor/EmbeddedWebServer.java
+++ b/server/monitor/src/main/java/org/apache/accumulo/monitor/EmbeddedWebServer.java
@@ -29,8 +29,12 @@ import org.eclipse.jetty.server.SslConnectionFactory;
 import org.eclipse.jetty.servlet.ServletContextHandler;
 import org.eclipse.jetty.servlet.ServletHolder;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public class EmbeddedWebServer {
+  private static final Logger LOG = LoggerFactory.getLogger(EmbeddedWebServer.class);
+
   private final Server server;
   private final ServerConnector connector;
   private final ServletContextHandler handler;
@@ -51,17 +55,21 @@ public class EmbeddedWebServer {
   private static AbstractConnectionFactory[] getConnectionFactories(AccumuloConfiguration
conf) {
     HttpConnectionFactory httpFactory = new HttpConnectionFactory();
     EnumSet<Property> requireForSecure = EnumSet.of(Property.MONITOR_SSL_KEYSTORE,
-        Property.MONITOR_SSL_KEYSTOREPASS, Property.MONITOR_SSL_TRUSTSTORE,
-        Property.MONITOR_SSL_TRUSTSTOREPASS);
+        Property.MONITOR_SSL_KEYSTOREPASS, Property.MONITOR_SSL_TRUSTSTORE);
+
     if (requireForSecure.stream().map(p -> conf.get(p)).anyMatch(s -> s == null ||
s.isEmpty())) {
       return new AbstractConnectionFactory[] {httpFactory};
     } else {
+      final String trustStorePass = conf.get(Property.MONITOR_SSL_TRUSTSTOREPASS);
+      if (trustStorePass.isEmpty()) {
+        LOG.warn("Truststore JKS file has an empty password which prevents any integrity
checks.");
+      }
       SslContextFactory sslContextFactory = new SslContextFactory();
       sslContextFactory.setKeyStorePath(conf.get(Property.MONITOR_SSL_KEYSTORE));
       sslContextFactory.setKeyStorePassword(conf.get(Property.MONITOR_SSL_KEYSTOREPASS));
       sslContextFactory.setKeyStoreType(conf.get(Property.MONITOR_SSL_KEYSTORETYPE));
       sslContextFactory.setTrustStorePath(conf.get(Property.MONITOR_SSL_TRUSTSTORE));
-      sslContextFactory.setTrustStorePassword(conf.get(Property.MONITOR_SSL_TRUSTSTOREPASS));
+      sslContextFactory.setTrustStorePassword(trustStorePass);
       sslContextFactory.setTrustStoreType(conf.get(Property.MONITOR_SSL_TRUSTSTORETYPE));
 
       final String includedCiphers = conf.get(Property.MONITOR_SSL_INCLUDE_CIPHERS);
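Review bot: The new `trustStorePass.isEmpty()` check dereferences the result of `conf.get(Property.MONITOR_SSL_TRUSTSTOREPASS)` without a null test, while the `requireForSecure` guard a few lines above explicitly treats `s == null` as a possible outcome of `conf.get`; now that MONITOR_SSL_TRUSTSTOREPASS is no longer in that set, a null here would surface as a NullPointerException during connector setup instead of the intended warning. If the property carries a non-null default in `Property` this is moot, but that is not visible in the hunk, so the guard should read `if (trustStorePass == null || trustStorePass.isEmpty()) {`. Because an empty password means the JKS integrity check is skipped, the warning would be more actionable if it named the compensating control, e.g. `"Truststore JKS file has an empty password which prevents any integrity checks; rely on filesystem permissions to protect it from tampering."`. getConnectionFactories continues past the end of this hunk.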

