From dmitriu...@apache.org
Subject [6/6] git commit: AMBARI-7980. Create ability to disable ciphers for https connections in Ambari. (dlysnichenko)
Date Sun, 26 Oct 2014 18:28:51 GMT
AMBARI-7980. Create ability to disable ciphers for https connections in Ambari. (dlysnichenko)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/f6d39a9d
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/f6d39a9d
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/f6d39a9d

Branch: refs/heads/branch-1.7.0
Commit: f6d39a9d6f733df3813fd4df834efcf667ea7229
Parents: 6b2a91c
Author: Lisnichenko Dmitro <dlysnichenko@hortonworks.com>
Authored: Sun Oct 26 20:27:52 2014 +0200
Committer: Lisnichenko Dmitro <dlysnichenko@hortonworks.com>
Committed: Sun Oct 26 20:27:52 2014 +0200

----------------------------------------------------------------------
 ambari-server/conf/unix/ambari.properties       |  1 +
 .../server/configuration/Configuration.java     | 10 +++++
 .../ambari/server/controller/AmbariServer.java  | 40 ++++++++++++++------
 3 files changed, 39 insertions(+), 12 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/f6d39a9d/ambari-server/conf/unix/ambari.properties
----------------------------------------------------------------------
diff --git a/ambari-server/conf/unix/ambari.properties b/ambari-server/conf/unix/ambari.properties
index d37174f..760441b 100644
--- a/ambari-server/conf/unix/ambari.properties
+++ b/ambari-server/conf/unix/ambari.properties
@@ -17,6 +17,7 @@
 # limitations under the License.
 
 security.server.keys_dir = /var/lib/ambari-server/keys
+#security.server.disabled.ciphers=SSL_RSA_WITH_DES_CBC_SHA|SSL_RSA_EXPORT_WITH_RC4_40_MD5|SSL_DHE_RSA_WITH_DES_CBC_SHA|SSL_DHE_DSS_WITH_DES_CBC_SHA|SSL_RSA_EXPORT_WITH_DES40_CBC_SHA|SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA|SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA|SSL_RSA_WITH_3DES_EDE_CBC_SHA|SSL_DHE_RSA_WITH_DES_CBC_SHA
 resources.dir = /var/lib/ambari-server/resources
 custom.action.definitions = /var/lib/ambari-server/resources/custom_action_definitions
 jdk1.6.url=http://public-repo-1.hortonworks.com/ARTIFACTS/jdk-6u31-linux-x64.bin
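Review bot: The commented example on the added `security.server.disabled.ciphers` line lists `SSL_DHE_RSA_WITH_DES_CBC_SHA` twice (third and last entry), which makes the sample harder to copy correctly and hides that the list is otherwise nine distinct suites. The line also gives no hint about its format, so a reader cannot tell from the file that entries are `|`-separated exact suite names and that the setting is an exclusion list (every suite not named stays enabled). Suggest dropping the duplicate and preceding the example with `# Optional: '|'-separated cipher suite names to exclude from all HTTPS connectors; suites not listed remain enabled.`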

http://git-wip-us.apache.org/repos/asf/ambari/blob/f6d39a9d/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index c3172f2..8f95b6e 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -90,6 +90,7 @@ public class Configuration {
   public static final String PASSPHRASE_ENV_KEY =
       "security.server.passphrase_env_var";
   public static final String PASSPHRASE_KEY = "security.server.passphrase";
+  public static final String SRVR_DISABLED_CIPHERS = "security.server.disabled.ciphers";
   public static final String RESOURCES_DIR_KEY = "resources.dir";
   public static final String METADETA_DIR_PATH = "metadata.path";
   public static final String SERVER_VERSION_FILE = "server.version.file";
@@ -258,6 +259,7 @@ public class Configuration {
   private static final String API_CSRF_PREVENTION_DEFAULT = "true";
   private static final String SRVR_CRT_PASS_FILE_DEFAULT = "pass.txt";
   private static final String SRVR_CRT_PASS_LEN_DEFAULT = "50";
+  private static final String SRVR_DISABLED_CIPHERS_DEFAULT = "";
   private static final String PASSPHRASE_ENV_DEFAULT = "AMBARI_PASSPHRASE";
   private static final String RESOURCES_DIR_DEFAULT =
       "/var/lib/ambari-server/resources/";
@@ -360,6 +362,8 @@ public class Configuration {
         RESOURCES_DIR_KEY, RESOURCES_DIR_DEFAULT));
     configsMap.put(SRVR_CRT_PASS_LEN_KEY, properties.getProperty(
         SRVR_CRT_PASS_LEN_KEY, SRVR_CRT_PASS_LEN_DEFAULT));
+    configsMap.put(SRVR_DISABLED_CIPHERS, properties.getProperty(
+            SRVR_DISABLED_CIPHERS, SRVR_DISABLED_CIPHERS_DEFAULT));
 
     configsMap.put(CLIENT_API_SSL_KSTR_DIR_NAME_KEY, properties.getProperty(
       CLIENT_API_SSL_KSTR_DIR_NAME_KEY, configsMap.get(SRVR_KSTR_DIR_KEY)));
@@ -909,6 +913,12 @@ public class Configuration {
     return defaultDir + File.separator + MASTER_KEY_FILENAME_DEFAULT;
   }
 
+  public String getSrvrDisabledCiphers() {
+    String disabledCiphers = properties.getProperty(SRVR_DISABLED_CIPHERS,
+            properties.getProperty(SRVR_DISABLED_CIPHERS, SRVR_DISABLED_CIPHERS_DEFAULT));
+    return disabledCiphers.trim();
+  }
+
   public int getOneWayAuthPort() {
     return Integer.parseInt(properties.getProperty(SRVR_ONE_WAY_SSL_PORT_KEY, String.valueOf(SRVR_ONE_WAY_SSL_PORT_DEFAULT)));
   }
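Review bot: The fallback argument in `getSrvrDisabledCiphers()` is a nested lookup of the same key, `properties.getProperty(SRVR_DISABLED_CIPHERS, properties.getProperty(SRVR_DISABLED_CIPHERS, SRVR_DISABLED_CIPHERS_DEFAULT))`, so the inner call can never contribute anything the outer call would not already return; it reads like a copy-paste slip and should be collapsed to `String disabledCiphers = properties.getProperty(SRVR_DISABLED_CIPHERS, SRVR_DISABLED_CIPHERS_DEFAULT);`. The method is also the only public accessor added without Javadoc, and callers need to know two things that are not obvious from the name: the value is an exclusion list, and `trim()` only strips the ends, not whitespace around individual entries. Suggest `/** Returns the '|'-separated cipher suite names to exclude from the HTTPS connectors, trimmed, or "" when the property is unset. */` above the signature.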

http://git-wip-us.apache.org/repos/asf/ambari/blob/f6d39a9d/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index f61341d..1990e4b 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -132,6 +132,7 @@ public class AmbariServer {
   final String CONTEXT_PATH = "/";
   final String SPRING_CONTEXT_LOCATION =
       "classpath:/webapp/WEB-INF/spring-security.xml";
+  final String DISABLED_CIPHERS_SPLITTER = "\\|";
 
   @Inject
   Configuration configs;
@@ -272,8 +273,13 @@ public class AmbariServer {
 
 
       //Secured connector for 2-way auth
+      SslContextFactory contextFactoryTwoWay = new SslContextFactory();
+      if (! configs.getSrvrDisabledCiphers().isEmpty()) {
+        String [] masks = configs.getSrvrDisabledCiphers().split(DISABLED_CIPHERS_SPLITTER);
+        contextFactoryTwoWay.setExcludeCipherSuites(masks);
+      }
       SslSelectChannelConnector sslConnectorTwoWay = new
-          SslSelectChannelConnector();
+          SslSelectChannelConnector(contextFactoryTwoWay);
       sslConnectorTwoWay.setPort(configs.getTwoWayAuthPort());
 
       Map<String, String> configsMap = configs.getConfigsMap();
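Review bot: The exclusion block added for contextFactoryTwoWay (the `isEmpty()` guard, the `split(DISABLED_CIPHERS_SPLITTER)` and `setExcludeCipherSuites(masks)`) is repeated verbatim for contextFactoryOneWay and contextFactoryApi in the next two hunks, and none of the three copies trims the split entries, so a value written with spaces around the separators yields masks that match no suite name and are silently ignored — exactly the failure mode that leaves weak suites enabled while the operator believes they are off. Suggest a private helper that splits once, trims each entry, drops blanks and applies the result, and calling it at all three sites as `applyDisabledCiphers(contextFactoryTwoWay);`, `applyDisabledCiphers(contextFactoryOneWay);` and `applyDisabledCiphers(contextFactoryApi);`. Logging the effective exclusion list at startup through the class's existing logger (not visible in this hunk) would let a misconfigured value be spotted from the server log. The enclosing method starts before and ends after the hunk; the helper needs java.util.List/ArrayList in scope if the file does not already import them.
```java
/**
 * Applies security.server.disabled.ciphers to the given context factory.
 * Entries are trimmed and blank entries skipped; an unset property leaves the
 * factory's default exclusions untouched.
 */
private void applyDisabledCiphers(SslContextFactory contextFactory) {
  String disabled = configs.getSrvrDisabledCiphers();
  if (disabled.isEmpty()) {
    return;
  }
  List<String> masks = new ArrayList<String>();
  for (String mask : disabled.split(DISABLED_CIPHERS_SPLITTER)) {
    String trimmed = mask.trim();
    if (!trimmed.isEmpty()) {
      masks.add(trimmed);
    }
  }
  contextFactory.setExcludeCipherSuites(masks.toArray(new String[masks.size()]));
}

// … unchanged: connector construction …
SslContextFactory contextFactoryTwoWay = new SslContextFactory();
applyDisabledCiphers(contextFactoryTwoWay);
```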
@@ -290,18 +296,22 @@ public class AmbariServer {
       sslConnectorTwoWay.setNeedClientAuth(configs.getTwoWaySsl());
 
       //SSL Context Factory
-      SslContextFactory contextFactory = new SslContextFactory(true);
-      contextFactory.setKeyStorePath(keystore);
-      contextFactory.setTrustStore(keystore);
-      contextFactory.setKeyStorePassword(srvrCrtPass);
-      contextFactory.setKeyManagerPassword(srvrCrtPass);
-      contextFactory.setTrustStorePassword(srvrCrtPass);
-      contextFactory.setKeyStoreType("PKCS12");
-      contextFactory.setTrustStoreType("PKCS12");
-      contextFactory.setNeedClientAuth(false);
+      SslContextFactory contextFactoryOneWay = new SslContextFactory(true);
+      contextFactoryOneWay.setKeyStorePath(keystore);
+      contextFactoryOneWay.setTrustStore(keystore);
+      contextFactoryOneWay.setKeyStorePassword(srvrCrtPass);
+      contextFactoryOneWay.setKeyManagerPassword(srvrCrtPass);
+      contextFactoryOneWay.setTrustStorePassword(srvrCrtPass);
+      contextFactoryOneWay.setKeyStoreType("PKCS12");
+      contextFactoryOneWay.setTrustStoreType("PKCS12");
+      contextFactoryOneWay.setNeedClientAuth(false);
+      if (! configs.getSrvrDisabledCiphers().isEmpty()) {
+        String [] masks = configs.getSrvrDisabledCiphers().split(DISABLED_CIPHERS_SPLITTER);
+        contextFactoryOneWay.setExcludeCipherSuites(masks);
+      }
 
       //Secured connector for 1-way auth
-      SslSelectChannelConnector sslConnectorOneWay = new SslSelectChannelConnector(contextFactory);
+      SslSelectChannelConnector sslConnectorOneWay = new SslSelectChannelConnector(contextFactoryOneWay);
       sslConnectorOneWay.setPort(configs.getOneWayAuthPort());
       sslConnectorOneWay.setAcceptors(2);
       sslConnectorTwoWay.setAcceptors(2);
@@ -386,7 +396,13 @@ public class AmbariServer {
 
         String httpsCrtPass = configsMap.get(Configuration.CLIENT_API_SSL_CRT_PASS_KEY);
 
-        SslSelectChannelConnector sapiConnector = new SslSelectChannelConnector();
+        SslContextFactory contextFactoryApi = new SslContextFactory();
+        if (! configs.getSrvrDisabledCiphers().isEmpty()) {
+          String [] masks = configs.getSrvrDisabledCiphers().split(DISABLED_CIPHERS_SPLITTER);
+          contextFactoryApi.setExcludeCipherSuites(masks);
+        }
+
+        SslSelectChannelConnector sapiConnector = new SslSelectChannelConnector(contextFactoryApi);
         sapiConnector.setPort(configs.getClientSSLApiPort());
         sapiConnector.setKeystore(httpsKeystore);
         sapiConnector.setTruststore(httpsKeystore);

