ambari-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From nc...@apache.org
Subject [42/50] [abbrv] ambari git commit: AMBARI-19333. Store LogSearch truststore/keystore passwords in file (oleewere)
Date Thu, 05 Jan 2017 00:05:23 GMT
AMBARI-19333. Store LogSearch truststore/keystore passwords in file (oleewere)

Change-Id: Ifbf2b1c72df7f20f31ce0e4ef8bf7f5fa4d5ac55


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/4a4a16aa
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/4a4a16aa
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/4a4a16aa

Branch: refs/heads/branch-dev-patch-upgrade
Commit: 4a4a16aa9bd0d07e20e683dd9d428227e23f076f
Parents: 4bc2263
Author: oleewere <oleewere@gmail.com>
Authored: Wed Jan 4 13:19:17 2017 +0100
Committer: oleewere <oleewere@gmail.com>
Committed: Wed Jan 4 13:39:29 2017 +0100

----------------------------------------------------------------------
 .../org/apache/ambari/logsearch/LogSearch.java  |  7 +--
 .../apache/ambari/logsearch/util/SSLUtil.java   | 46 ++++++++++++++++----
 .../src/main/scripts/run.sh                     |  2 +-
 .../test-config/logsearch/logsearch-env.sh      |  2 -
 .../LOGSEARCH/0.5.0/package/scripts/params.py   |  1 +
 .../0.5.0/package/scripts/setup_logsearch.py    | 20 +++++++++
 .../0.5.0/properties/logsearch-env.sh.j2        |  2 -
 .../stacks/2.4/LOGSEARCH/test_logsearch.py      | 20 +++++++++
 .../test/python/stacks/2.4/configs/default.json |  2 +
 9 files changed, 86 insertions(+), 16 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/4a4a16aa/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/LogSearch.java
----------------------------------------------------------------------
diff --git a/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/LogSearch.java
b/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/LogSearch.java
index 614e91e..88cc8bb 100644
--- a/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/LogSearch.java
+++ b/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/LogSearch.java
@@ -84,14 +84,15 @@ public class LogSearch {
   private static final String ROOT_CONTEXT = "/";
   private static final Integer SESSION_TIMEOUT = 60 * 30;
 
-  private static final String LOGSEARCH_CERT_DEFAULT_FOLDER = "/etc/ambari-logsearch-portal/conf/keys";
   private static final String LOGSEARCH_CERT_FILENAME = "logsearch.crt";
   private static final String LOGSEARCH_KEYSTORE_FILENAME = "logsearch.jks";
   private static final String LOGSEARCH_KEYSTORE_PRIVATE_KEY = "logsearch.private.key";
   private static final String LOGSEARCH_KEYSTORE_PUBLIC_KEY = "logsearch.public.key";
-  private static final String LOGSEARCH_KEYSTORE_DEFAULT_PASSWORD = "bigdata";
   private static final String LOGSEARCH_CERT_DEFAULT_ALGORITHM = "sha256WithRSAEncryption";
 
+  public static final String LOGSEARCH_CERT_DEFAULT_FOLDER = "/etc/ambari-logsearch-portal/conf/keys";
+  public static final String LOGSEARCH_KEYSTORE_DEFAULT_PASSWORD = "bigdata";
+
   public static void main(String[] argv) {
     LogSearch logSearch = new LogSearch();
     ManageStartEndTime.manage();
@@ -300,7 +301,7 @@ public class LogSearch {
     fileSet.setDir(new File(certFolder));
     fileSet.setIncludes("**");
     chmod.addFileset(fileSet);
-    chmod.setPerm("640");
+    chmod.setPerm("600");
     chmod.execute();
   }
 }

http://git-wip-us.apache.org/repos/asf/ambari/blob/4a4a16aa/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/util/SSLUtil.java
----------------------------------------------------------------------
diff --git a/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/util/SSLUtil.java
b/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/util/SSLUtil.java
index 7a93305..2fb4ff3 100644
--- a/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/util/SSLUtil.java
+++ b/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/util/SSLUtil.java
@@ -50,6 +50,9 @@ import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Date;
 
+import static org.apache.ambari.logsearch.LogSearch.LOGSEARCH_CERT_DEFAULT_FOLDER;
+import static org.apache.ambari.logsearch.LogSearch.LOGSEARCH_KEYSTORE_DEFAULT_PASSWORD;
+
 public class SSLUtil {
   private static final Logger LOG = LoggerFactory.getLogger(SSLUtil.class);
   
@@ -61,6 +64,8 @@ public class SSLUtil {
   private static final String TRUSTSTORE_PASSWORD_ARG = "javax.net.ssl.trustStorePassword";
   private static final String TRUSTSTORE_TYPE_ARG = "javax.net.ssl.trustStoreType";
   private static final String DEFAULT_TRUSTSTORE_TYPE = "JKS";
+  private static final String KEYSTORE_PASSWORD_FILE = "ks_pass.txt";
+  private static final String TRUSTSTORE_PASSWORD_FILE = "ts_pass.txt";
   
   private SSLUtil() {
     throw new UnsupportedOperationException();
@@ -69,11 +74,11 @@ public class SSLUtil {
   public static String getKeyStoreLocation() {
     return System.getProperty(KEYSTORE_LOCATION_ARG);
   }
-  
+
   public static String getKeyStorePassword() {
     return System.getProperty(KEYSTORE_PASSWORD_ARG);
   }
-  
+
   public static String getKeyStoreType() {
     return System.getProperty(KEYSTORE_TYPE_ARG, DEFAULT_KEYSTORE_TYPE);
   }
@@ -81,24 +86,26 @@ public class SSLUtil {
   public static String getTrustStoreLocation() {
     return System.getProperty(TRUSTSTORE_LOCATION_ARG);
   }
-  
+
   public static String getTrustStorePassword() {
     return System.getProperty(TRUSTSTORE_PASSWORD_ARG);
   }
-  
+
   public static String getTrustStoreType() {
     return System.getProperty(TRUSTSTORE_TYPE_ARG, DEFAULT_TRUSTSTORE_TYPE);
   }
-  
+
   public static boolean isKeyStoreSpecified() {
-    return StringUtils.isNotEmpty(getKeyStoreLocation()) && StringUtils.isNotEmpty(getKeyStorePassword());
+    return StringUtils.isNotEmpty(getKeyStoreLocation());
   }
 
   private static boolean isTrustStoreSpecified() {
-    return StringUtils.isNotEmpty(getTrustStoreLocation()) && StringUtils.isNotEmpty(getTrustStorePassword());
+    return StringUtils.isNotEmpty(getTrustStoreLocation());
   }
   
   public static SslContextFactory getSslContextFactory() {
+    setPasswordIfSysPropIsEmpty(KEYSTORE_PASSWORD_ARG, KEYSTORE_PASSWORD_FILE);
+    setPasswordIfSysPropIsEmpty(TRUSTSTORE_PASSWORD_ARG, TRUSTSTORE_PASSWORD_FILE);
     SslContextFactory sslContextFactory = new SslContextFactory();
     sslContextFactory.setKeyStorePath(getKeyStoreLocation());
     sslContextFactory.setKeyStorePassword(getKeyStorePassword());
@@ -111,7 +118,7 @@ public class SSLUtil {
     
     return sslContextFactory;
   }
-  
+
   public static SSLContext getSSLContext() {
     SslContextFactory sslContextFactory = getSslContextFactory();
     
@@ -130,6 +137,22 @@ public class SSLUtil {
     }
   }
 
+  private static String getPasswordFromFile(String certFolder, String fileName, String defaultPassword)
{
+    try {
+      String pwdFileName = String.format("%s/%s", certFolder, fileName);
+      File pwdFile = new File(pwdFileName);
+      if (!pwdFile.exists()) {
+        FileUtils.writeStringToFile(pwdFile, defaultPassword);
+        return defaultPassword;
+      } else {
+        return FileUtils.readFileToString(pwdFile);
+      }
+    } catch (Exception e) {
+      String errMsg = "Exception occurred during read/write password file for keystore.";
+      throw new RuntimeException(errMsg, e);
+    }
+  }
+
   /**
    * Put private key into in-memory keystore and write it to a file (JKS file)
    */
@@ -177,6 +200,13 @@ public class SSLUtil {
     }
   }
 
+  private static void setPasswordIfSysPropIsEmpty(String prop, String pwdFile) {
+    if (StringUtils.isEmpty(System.getProperty(prop))) {
+      String password = getPasswordFromFile(LOGSEARCH_CERT_DEFAULT_FOLDER, pwdFile, LOGSEARCH_KEYSTORE_DEFAULT_PASSWORD);
+      System.setProperty(prop, password);
+    }
+  }
+
   private static X509Certificate getCertFile(String location) throws Exception {
     try (FileInputStream fos = new FileInputStream(location)) {
       CertificateFactory factory = CertificateFactory.getInstance("X.509");

http://git-wip-us.apache.org/repos/asf/ambari/blob/4a4a16aa/ambari-logsearch/ambari-logsearch-portal/src/main/scripts/run.sh
----------------------------------------------------------------------
diff --git a/ambari-logsearch/ambari-logsearch-portal/src/main/scripts/run.sh b/ambari-logsearch/ambari-logsearch-portal/src/main/scripts/run.sh
index 1204ef3..b8fd6c4 100755
--- a/ambari-logsearch/ambari-logsearch-portal/src/main/scripts/run.sh
+++ b/ambari-logsearch/ambari-logsearch-portal/src/main/scripts/run.sh
@@ -52,7 +52,7 @@ if [ "$LOGSEARCH_DEBUG" = "true" ] && [ ! -z "$LOGSEARCH_DEBUG_PORT"
]; then
 fi
 
 if [ "$LOGSEARCH_SSL" = "true" ]; then
-  LOGSEARCH_JAVA_OPTS="$LOGSEARCH_JAVA_OPTS -Djavax.net.ssl.keyStore=$LOGSEARCH_KEYSTORE_LOCATION
-Djavax.net.ssl.keyStoreType=$LOGSEARCH_KEYSTORE_TYPE -Djavax.net.ssl.keyStorePassword=$LOGSEARCH_KEYSTORE_PASSWORD
-Djavax.net.ssl.trustStore=$LOGSEARCH_TRUSTSTORE_LOCATION -Djavax.net.ssl.trustStoreType=$LOGSEARCH_TRUSTSTORE_TYPE
-Djavax.net.ssl.trustStorePassword=$LOGSEARCH_TRUSTSTORE_PASSWORD"
+  LOGSEARCH_JAVA_OPTS="$LOGSEARCH_JAVA_OPTS -Djavax.net.ssl.keyStore=$LOGSEARCH_KEYSTORE_LOCATION
-Djavax.net.ssl.keyStoreType=$LOGSEARCH_KEYSTORE_TYPE -Djavax.net.ssl.trustStore=$LOGSEARCH_TRUSTSTORE_LOCATION
-Djavax.net.ssl.trustStoreType=$LOGSEARCH_TRUSTSTORE_TYPE"
 fi
 
 if [ "$PID_FILE" = "" ]; then

http://git-wip-us.apache.org/repos/asf/ambari/blob/4a4a16aa/ambari-logsearch/docker/test-config/logsearch/logsearch-env.sh
----------------------------------------------------------------------
diff --git a/ambari-logsearch/docker/test-config/logsearch/logsearch-env.sh b/ambari-logsearch/docker/test-config/logsearch/logsearch-env.sh
index 2c2d056..8d92e20 100644
--- a/ambari-logsearch/docker/test-config/logsearch/logsearch-env.sh
+++ b/ambari-logsearch/docker/test-config/logsearch/logsearch-env.sh
@@ -37,8 +37,6 @@ export LOGSEARCH_DEBUG_PORT=5005
 
 export LOGSEARCH_SSL="true"
 export LOGSEARCH_KEYSTORE_LOCATION=/root/config/ssl/logsearch.keyStore.jks
-export LOGSEARCH_KEYSTORE_PASSWORD=bigdata
 export LOGSEARCH_KEYSTORE_TYPE=jks
 export LOGSEARCH_TRUSTSTORE_LOCATION=/root/config/ssl/logsearch.trustStore.jks
-export LOGSEARCH_TRUSTSTORE_PASSWORD=bigdata
 export LOGSEARCH_TRUSTSTORE_TYPE=jks

http://git-wip-us.apache.org/repos/asf/ambari/blob/4a4a16aa/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
index ff88abc..811b3ea 100644
--- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
@@ -42,6 +42,7 @@ sudo = AMBARI_SUDO_BINARY
 security_enabled = status_params.security_enabled
 
 logsearch_server_conf = "/etc/ambari-logsearch-portal/conf"
+logsearch_server_keys_folder = logsearch_server_conf + "/keys"
 logsearch_logfeeder_conf = "/etc/ambari-logsearch-logfeeder/conf"
 
 logsearch_config_set_dir = format("{logsearch_server_conf}/solr_configsets")

http://git-wip-us.apache.org/repos/asf/ambari/blob/4a4a16aa/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
index 874b90b..9ff9c74 100644
--- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
+++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
@@ -46,6 +46,26 @@ def setup_logsearch():
             recursive_ownership=True
             )
 
+  Directory(params.logsearch_server_keys_folder,
+            cd_access='a',
+            mode=0755,
+            owner= params.logsearch_user,
+            group=params.user_group)
+
+  File(format("{logsearch_server_keys_folder}/ks_pass.txt"),
+       content=params.logsearch_keystore_password,
+       mode=0600,
+       owner= params.logsearch_user,
+       group=params.user_group
+       )
+
+  File(format("{logsearch_server_keys_folder}/ts_pass.txt"),
+       content=params.logsearch_truststore_password,
+       mode=0600,
+       owner= params.logsearch_user,
+       group=params.user_group
+       )
+
   File(params.logsearch_log,
        mode=0644,
        owner=params.logsearch_user,

http://git-wip-us.apache.org/repos/asf/ambari/blob/4a4a16aa/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logsearch-env.sh.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logsearch-env.sh.j2
b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logsearch-env.sh.j2
index a179983..338c7f7 100644
--- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logsearch-env.sh.j2
+++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logsearch-env.sh.j2
@@ -41,9 +41,7 @@ export LOGSEARCH_DEBUG_PORT={{logsearch_debug_port}}
 {% if logsearch_solr_ssl_enabled or logsearch_ui_protocol == 'https' or ambari_server_use_ssl
%}
 export LOGSEARCH_SSL="true"
 export LOGSEARCH_KEYSTORE_LOCATION={{logsearch_keystore_location}}
-export LOGSEARCH_KEYSTORE_PASSWORD={{logsearch_keystore_password}}
 export LOGSEARCH_KEYSTORE_TYPE={{logsearch_keystore_type}}
 export LOGSEARCH_TRUSTSTORE_LOCATION={{logsearch_truststore_location}}
-export LOGSEARCH_TRUSTSTORE_PASSWORD={{logsearch_truststore_password}}
 export LOGSEARCH_TRUSTSTORE_TYPE={{logsearch_truststore_type}}
 {% endif %}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/ambari/blob/4a4a16aa/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py b/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py
index c3e8930..00dd641 100644
--- a/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py
+++ b/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py
@@ -63,6 +63,26 @@ class TestLogSearch(RMFTestCase):
                               cd_access = 'a',
                               mode = 0755
                               )
+    self.assertResourceCalled('Directory', '/etc/ambari-logsearch-portal/conf/keys',
+                              owner = 'logsearch',
+                              group = 'hadoop',
+                              cd_access = 'a',
+                              mode = 0755
+                              )
+
+    self.assertResourceCalled('File', '/etc/ambari-logsearch-portal/conf/keys/ks_pass.txt',
+                              owner='logsearch',
+                              group='hadoop',
+                              mode=0600,
+                              content='bigdata'
+                              )
+
+    self.assertResourceCalled('File', '/etc/ambari-logsearch-portal/conf/keys/ts_pass.txt',
+                              owner='logsearch',
+                              group='hadoop',
+                              mode=0600,
+                              content='bigdata'
+                              )
 
     self.assertResourceCalled('File', '/var/log/ambari-logsearch-portal/logsearch.out',
                               owner = 'logsearch',

http://git-wip-us.apache.org/repos/asf/ambari/blob/4a4a16aa/ambari-server/src/test/python/stacks/2.4/configs/default.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.4/configs/default.json b/ambari-server/src/test/python/stacks/2.4/configs/default.json
index 7591adb..a601f0b 100644
--- a/ambari-server/src/test/python/stacks/2.4/configs/default.json
+++ b/ambari-server/src/test/python/stacks/2.4/configs/default.json
@@ -273,6 +273,8 @@
         "logsearch_debug_port": "5005",
         "logsearch_ui_protocol": "http",
         "logsearch_ui_port" : "61888",
+        "logsearch_keystore_password" : "bigdata",
+        "logsearch_truststore_password" : "bigdata",
         "logsearch_solr_audit_logs_use_ranger": "false",
         "content": "# Licensed to the Apache Software Foundation (ASF) under one or more\n#
contributor license agreements.  See the NOTICE file distributed with\n# this work for additional
information regarding copyright ownership.\n# The ASF licenses this file to You under the
Apache License, Version 2.0\n# (the \"License\"); you may not use this file except in compliance
with\n# the License.  You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n#
Unless required by applicable law or agreed to in writing, software\n# distributed under the
License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
either express or implied.\n# See the License for the specific language governing permissions
and\n# limitations under the License.\n#solr.url=http://{{solr_host}}:{{solr_port}}/solr\n\n#Service
Logs and History colletion\nlogsearch.solr.zkhosts={{zookeeper_quorum}}{{solr_znode}}\nlogsearch.solr.collection.ser
 vice.logs={{logsearch_collection_service_logs}}\nlogsearch.solr.collection.history=history\n\nlogsearch.service.logs.split.interval.mins={{logsearch_service_logs_split_interval_mins}}\nlogsearch.collection.service.logs.numshards={{logsearch_collection_service_logs_numshards}}\nlogsearch.collection.service.logs.replication.factor={{logsearch_collection_service_logs_replication_factor}}\n\nlogsearch.service.logs.fields={{logsearch_service_logs_fields}}\n\n#Audit
logs\nlogsearch.solr.audit.logs.zkhosts={{logsearch_solr_zk_quorum}}{{logsearch_solr_zk_znode}}\nogsearch.solr.collection.audit.logs={{solr_collection_audit_logs}}\nlogsearch.solr.audit.logs.url={{logsearch_solr_audit_logs_url}}\n\nlogsearch.audit.logs.split.interval.mins={{logsearch_audit_logs_split_interval_mins}}\nlogsearch.collection.audit.logs.numshards={{logsearch_collection_audit_logs_numshards}}\nlogsearch.collection.audit.logs.replication.factor={{logsearch_collection_audit_logs_replication_factor}}\n{%
if logsearch_s
 olr_ssl_enabled %}\nexport LOGSEARCH_SSL=\"true\"\nexport LOGSEARCH_KEYSTORE_LOCATION={{logsearch_keystore_location}}\nexport
LOGSEARCH_KEYSTORE_PASSWORD={{logsearch_keystore_password}}\nexport LOGSEARCH_KEYSTORE_TYPE={{logsearch_keystore_type}}\nexport
LOGSEARCH_TRUSTSTORE_LOCATION={{logsearch_truststore_location}}\nexport LOGSEARCH_TRUSTSTORE_PASSWORD={{logsearch_truststore_password}}\nexport
LOGSEARCH_TRUSTSTORE_TYPE={{logsearch_truststore_type}}\n{% endif %}"
       },


Mime
View raw message