ambari-commits mailing list archives

From mgerg...@apache.org
Subject ambari git commit: AMBARI-19519 Log Feeder should store keystore / truststore passwords in files (mgergely)
Date Mon, 16 Jan 2017 22:57:19 GMT
Repository: ambari
Updated Branches:
  refs/heads/trunk e0552d62e -> 17db42826


AMBARI-19519 Log Feeder should store keystore / truststore passwords in files (mgergely)

Change-Id: I1d5b39b035391c01d1911715cffcd20b7561b65d


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/17db4282
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/17db4282
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/17db4282

Branch: refs/heads/trunk
Commit: 17db42826eb7f4c03f554fc7b2f5633d0a480934
Parents: e0552d6
Author: Miklos Gergely <mgergely@hortonworks.com>
Authored: Mon Jan 16 23:57:10 2017 +0100
Committer: Miklos Gergely <mgergely@hortonworks.com>
Committed: Mon Jan 16 23:57:10 2017 +0100

----------------------------------------------------------------------
 .../org/apache/ambari/logfeeder/LogFeeder.java  |  2 +
 .../apache/ambari/logfeeder/util/SSLUtil.java   | 68 ++++++++++++++++++++
 .../src/main/scripts/run.sh                     |  2 +-
 .../LOGSEARCH/0.5.0/package/scripts/params.py   |  1 +
 .../0.5.0/package/scripts/setup_logfeeder.py    | 20 ++++++
 .../0.5.0/package/scripts/setup_logsearch.py    |  6 +-
 .../0.5.0/properties/logfeeder-env.sh.j2        |  2 -
 .../stacks/2.4/LOGSEARCH/test_logfeeder.py      | 20 ++++++
 .../test/python/stacks/2.4/configs/default.json |  4 +-
 9 files changed, 118 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/17db4282/ambari-logsearch/ambari-logsearch-logfeeder/src/main/java/org/apache/ambari/logfeeder/LogFeeder.java
----------------------------------------------------------------------
diff --git a/ambari-logsearch/ambari-logsearch-logfeeder/src/main/java/org/apache/ambari/logfeeder/LogFeeder.java
b/ambari-logsearch/ambari-logsearch-logfeeder/src/main/java/org/apache/ambari/logfeeder/LogFeeder.java
index 6d0f22c..24651ba 100644
--- a/ambari-logsearch/ambari-logsearch-logfeeder/src/main/java/org/apache/ambari/logfeeder/LogFeeder.java
+++ b/ambari-logsearch/ambari-logsearch-logfeeder/src/main/java/org/apache/ambari/logfeeder/LogFeeder.java
@@ -45,6 +45,7 @@ import org.apache.ambari.logfeeder.output.OutputManager;
 import org.apache.ambari.logfeeder.util.AliasUtil;
 import org.apache.ambari.logfeeder.util.FileUtil;
 import org.apache.ambari.logfeeder.util.LogFeederUtil;
+import org.apache.ambari.logfeeder.util.SSLUtil;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.io.IOUtils;
@@ -97,6 +98,7 @@ public class LogFeeder {
     mergeAllConfigs();
     
     LogConfigHandler.handleConfig();
+    SSLUtil.ensureStorePasswords();
     
     outputManager.init();
     inputManager.init();

http://git-wip-us.apache.org/repos/asf/ambari/blob/17db4282/ambari-logsearch/ambari-logsearch-logfeeder/src/main/java/org/apache/ambari/logfeeder/util/SSLUtil.java
----------------------------------------------------------------------
diff --git a/ambari-logsearch/ambari-logsearch-logfeeder/src/main/java/org/apache/ambari/logfeeder/util/SSLUtil.java
b/ambari-logsearch/ambari-logsearch-logfeeder/src/main/java/org/apache/ambari/logfeeder/util/SSLUtil.java
new file mode 100644
index 0000000..317f5ae
--- /dev/null
+++ b/ambari-logsearch/ambari-logsearch-logfeeder/src/main/java/org/apache/ambari/logfeeder/util/SSLUtil.java
@@ -0,0 +1,68 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ambari.logfeeder.util;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.lang.StringUtils;
+
+import java.io.File;
+
+public class SSLUtil {
+  private static final String KEYSTORE_LOCATION_ARG = "javax.net.ssl.keyStore";
+  private static final String TRUSTSTORE_LOCATION_ARG = "javax.net.ssl.trustStore";
+  private static final String KEYSTORE_PASSWORD_ARG = "javax.net.ssl.keyStorePassword";
+  private static final String TRUSTSTORE_PASSWORD_ARG = "javax.net.ssl.trustStorePassword";
+  private static final String KEYSTORE_PASSWORD_FILE = "ks_pass.txt";
+  private static final String TRUSTSTORE_PASSWORD_FILE = "ts_pass.txt";
+  
+  private static final String LOGFEEDER_CERT_DEFAULT_FOLDER = "/etc/ambari-logsearch-portal/conf/keys";
+  private static final String LOGFEEDER_STORE_DEFAULT_PASSWORD = "bigdata";
+  
+  private SSLUtil() {
+    throw new UnsupportedOperationException();
+  }
+  
+  public static void ensureStorePasswords() {
+    ensureStorePassword(KEYSTORE_LOCATION_ARG, KEYSTORE_PASSWORD_ARG, KEYSTORE_PASSWORD_FILE);
+    ensureStorePassword(TRUSTSTORE_LOCATION_ARG, TRUSTSTORE_PASSWORD_ARG, TRUSTSTORE_PASSWORD_FILE);
+  }
+  
+  private static void ensureStorePassword(String locationArg, String pwdArg, String pwdFile)
{
+    if (StringUtils.isNotEmpty(System.getProperty(locationArg)) && StringUtils.isEmpty(System.getProperty(pwdArg)))
{
+      String password = getPasswordFromFile(pwdFile);
+      System.setProperty(pwdArg, password);
+    }
+  }
+
+  private static String getPasswordFromFile(String fileName) {
+    try {
+      File pwdFile = new File(LOGFEEDER_CERT_DEFAULT_FOLDER, fileName);
+      if (!pwdFile.exists()) {
+        FileUtils.writeStringToFile(pwdFile, LOGFEEDER_STORE_DEFAULT_PASSWORD);
+        return LOGFEEDER_STORE_DEFAULT_PASSWORD;
+      } else {
+        return FileUtils.readFileToString(pwdFile);
+      }
+    } catch (Exception e) {
+      throw new RuntimeException("Exception occurred during read/write password file for
keystore/truststore.", e);
+    }
+  }
+
+}
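Review bot: `LOGFEEDER_CERT_DEFAULT_FOLDER` points at `/etc/ambari-logsearch-portal/conf/keys`, while setup_logfeeder.py in this same commit writes `ks_pass.txt` and `ts_pass.txt` under `/etc/ambari-logsearch-logfeeder/conf/keys`, so Log Feeder appears to read the portal's files rather than its own. When the file is absent, `getPasswordFromFile` creates it with the hard-coded `bigdata` password through `FileUtils.writeStringToFile`, which sets no restrictive mode (the Ambari script uses 0600), and then silently uses that default. I would point the constant at the Log Feeder folder, fail when the file is missing instead of writing a default, and pass an explicit charset to `readFileToString`. The sketch below shows this; whether a start-up without the Ambari-managed files has to keep working is not visible from this page.

```java
  private static final String LOGFEEDER_CERT_DEFAULT_FOLDER = "/etc/ambari-logsearch-logfeeder/conf/keys";

  // … unchanged: constructor, ensureStorePasswords, ensureStorePassword …

  private static String getPasswordFromFile(String fileName) {
    File pwdFile = new File(LOGFEEDER_CERT_DEFAULT_FOLDER, fileName);
    if (!pwdFile.isFile()) {
      // Fail closed: never create the file or fall back to a built-in password.
      throw new IllegalStateException("Store password file is missing: " + pwdFile.getAbsolutePath());
    }
    try {
      return FileUtils.readFileToString(pwdFile, "UTF-8");
    } catch (Exception e) {
      throw new RuntimeException("Exception occurred while reading password file for keystore/truststore.", e);
    }
  }
```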

http://git-wip-us.apache.org/repos/asf/ambari/blob/17db4282/ambari-logsearch/ambari-logsearch-logfeeder/src/main/scripts/run.sh
----------------------------------------------------------------------
diff --git a/ambari-logsearch/ambari-logsearch-logfeeder/src/main/scripts/run.sh b/ambari-logsearch/ambari-logsearch-logfeeder/src/main/scripts/run.sh
index 5aecd00..645c5f0 100644
--- a/ambari-logsearch/ambari-logsearch-logfeeder/src/main/scripts/run.sh
+++ b/ambari-logsearch/ambari-logsearch-logfeeder/src/main/scripts/run.sh
@@ -70,7 +70,7 @@ LOGFEEDER_GC_OPTS="-XX:+PrintGCDetails -XX:+PrintGCDateStamps -Xloggc:$LOGFEEDER
 #JMX="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.port=2098"
 
 if [ "$LOGFEEDER_SSL" = "true" ]; then
-  LOGFEEDER_JAVA_OPTS="$LOGFEEDER_JAVA_OPTS -Djavax.net.ssl.keyStore=$LOGFEEDER_KEYSTORE_LOCATION
-Djavax.net.ssl.keyStoreType=$LOGFEEDER_KEYSTORE_TYPE -Djavax.net.ssl.keyStorePassword=$LOGFEEDER_KEYSTORE_PASSWORD
-Djavax.net.ssl.trustStore=$LOGFEEDER_TRUSTSTORE_LOCATION -Djavax.net.ssl.trustStoreType=$LOGFEEDER_TRUSTSTORE_TYPE
-Djavax.net.ssl.trustStorePassword=$LOGFEEDER_TRUSTSTORE_PASSWORD"
+  LOGFEEDER_JAVA_OPTS="$LOGFEEDER_JAVA_OPTS -Djavax.net.ssl.keyStore=$LOGFEEDER_KEYSTORE_LOCATION
-Djavax.net.ssl.keyStoreType=$LOGFEEDER_KEYSTORE_TYPE -Djavax.net.ssl.trustStore=$LOGFEEDER_TRUSTSTORE_LOCATION
-Djavax.net.ssl.trustStoreType=$LOGFEEDER_TRUSTSTORE_TYPE"
 fi
 
 if [ $foreground -eq 0 ]; then
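Review bot: Nothing in the `LOGFEEDER_SSL` branch says where the store passwords come from now that the two `-Djavax.net.ssl.*Password` options are gone, so a reader of run.sh alone cannot tell how the keystore is unlocked. A comment above the assignment would cover it, for example `# store passwords are read at start-up by SSLUtil from ks_pass.txt / ts_pass.txt, keeping them out of the process arguments`. Anyone who launches run.sh outside Ambari then knows those files must exist with owner-only permissions before the first start.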

http://git-wip-us.apache.org/repos/asf/ambari/blob/17db4282/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
index 5ffd5e6..25e947d 100644
--- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
@@ -44,6 +44,7 @@ security_enabled = status_params.security_enabled
 logsearch_server_conf = "/etc/ambari-logsearch-portal/conf"
 logsearch_server_keys_folder = logsearch_server_conf + "/keys"
 logsearch_logfeeder_conf = "/etc/ambari-logsearch-logfeeder/conf"
+logsearch_logfeeder_keys_folder = logsearch_logfeeder_conf + "/keys"
 
 logsearch_config_set_dir = format("{logsearch_server_conf}/solr_configsets")
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/17db4282/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logfeeder.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logfeeder.py
b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logfeeder.py
index 14f8d20..a04618f 100644
--- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logfeeder.py
+++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logfeeder.py
@@ -39,6 +39,26 @@ def setup_logfeeder():
             recursive_ownership=True
             )
 
+  Directory(params.logsearch_logfeeder_keys_folder,
+            cd_access='a',
+            mode=0755,
+            owner=params.logsearch_user,
+            group=params.user_group)
+
+  File(format("{logsearch_logfeeder_keys_folder}/ks_pass.txt"),
+       content=params.logfeeder_keystore_password,
+       mode=0600,
+       owner=params.logsearch_user,
+       group=params.user_group
+       )
+
+  File(format("{logsearch_logfeeder_keys_folder}/ts_pass.txt"),
+       content=params.logfeeder_truststore_password,
+       mode=0600,
+       owner=params.logsearch_user,
+       group=params.user_group
+       )
+
   File(params.logfeeder_log,
        mode=0644,
        content=''

http://git-wip-us.apache.org/repos/asf/ambari/blob/17db4282/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
index 9ff9c74..2690a3a 100644
--- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
+++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
@@ -49,20 +49,20 @@ def setup_logsearch():
   Directory(params.logsearch_server_keys_folder,
             cd_access='a',
             mode=0755,
-            owner= params.logsearch_user,
+            owner=params.logsearch_user,
             group=params.user_group)
 
   File(format("{logsearch_server_keys_folder}/ks_pass.txt"),
        content=params.logsearch_keystore_password,
        mode=0600,
-       owner= params.logsearch_user,
+       owner=params.logsearch_user,
        group=params.user_group
        )
 
   File(format("{logsearch_server_keys_folder}/ts_pass.txt"),
        content=params.logsearch_truststore_password,
        mode=0600,
-       owner= params.logsearch_user,
+       owner=params.logsearch_user,
        group=params.user_group
        )
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/17db4282/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logfeeder-env.sh.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logfeeder-env.sh.j2
b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logfeeder-env.sh.j2
index 6795dab..6d1c445 100644
--- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logfeeder-env.sh.j2
+++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logfeeder-env.sh.j2
@@ -35,9 +35,7 @@ fi
 {% if logsearch_solr_ssl_enabled %}
 export LOGFEEDER_SSL="true"
 export LOGFEEDER_KEYSTORE_LOCATION={{logfeeder_keystore_location}}
-export LOGFEEDER_KEYSTORE_PASSWORD={{logfeeder_keystore_password}}
 export LOGFEEDER_KEYSTORE_TYPE={{logfeeder_keystore_type}}
 export LOGFEEDER_TRUSTSTORE_LOCATION={{logfeeder_truststore_location}}
-export LOGFEEDER_TRUSTSTORE_PASSWORD={{logfeeder_truststore_password}}
 export LOGFEEDER_TRUSTSTORE_TYPE={{logfeeder_truststore_type}}
 {% endif %}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/ambari/blob/17db4282/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logfeeder.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logfeeder.py b/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logfeeder.py
index 02570e2..b172f64 100644
--- a/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logfeeder.py
+++ b/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logfeeder.py
@@ -55,6 +55,26 @@ class TestLogFeeder(RMFTestCase):
                               cd_access='a',
                               mode=0755
                               )
+    self.assertResourceCalled('Directory', '/etc/ambari-logsearch-logfeeder/conf/keys',
+                              owner = 'logsearch',
+                              group = 'hadoop',
+                              cd_access = 'a',
+                              mode = 0755
+                              )
+
+    self.assertResourceCalled('File', '/etc/ambari-logsearch-logfeeder/conf/keys/ks_pass.txt',
+                              owner='logsearch',
+                              group='hadoop',
+                              mode=0600,
+                              content='bigdata'
+                              )
+
+    self.assertResourceCalled('File', '/etc/ambari-logsearch-logfeeder/conf/keys/ts_pass.txt',
+                              owner='logsearch',
+                              group='hadoop',
+                              mode=0600,
+                              content='bigdata'
+                              )
 
     self.assertResourceCalled('File', '/var/log/ambari-logsearch-logfeeder/logfeeder.out',
                               mode=0644,

http://git-wip-us.apache.org/repos/asf/ambari/blob/17db4282/ambari-server/src/test/python/stacks/2.4/configs/default.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.4/configs/default.json b/ambari-server/src/test/python/stacks/2.4/configs/default.json
index 30e12e9..dd8a096 100644
--- a/ambari-server/src/test/python/stacks/2.4/configs/default.json
+++ b/ambari-server/src/test/python/stacks/2.4/configs/default.json
@@ -315,7 +315,9 @@
         "logfeeder_pid_dir": "/var/run/ambari-logsearch-logfeeder",
         "logfeeder_log_dir": "/var/log/ambari-logsearch-logfeeder",
         "logfeeder_max_mem": "512m",
-        "content": "# Licensed to the Apache Software Foundation (ASF) under one or more\n#
contributor license agreements.  See the NOTICE file distributed with\n# this work for additional
information regarding copyright ownership.\n# The ASF licenses this file to You under the
Apache License, Version 2.0\n# (the \"License\"); you may not use this file except in compliance
with\n# the License.  You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n#
Unless required by applicable law or agreed to in writing, software\n# distributed under the
License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
either express or implied.\n# See the License for the specific language governing permissions
and\n# limitations under the License.\n\nlogsearch.solr.metrics.collector.hosts=http://{{metrics_collector_hosts}}:{{metrics_collector_port}}/ws/v1/timeline/metrics\n{%
if logsearch_solr_ssl_enabled %}\nexport LOGFEED
 ER_SSL=\"true\"\nexport LOGFEEDER_KEYSTORE_LOCATION={{logfeeder_keystore_location}}\nexport
LOGFEEDER_KEYSTORE_PASSWORD={{logfeeder_keystore_password}}\nexport LOGFEEDER_KEYSTORE_TYPE={{logfeeder_keystore_type}}\nexport
LOGFEEDER_TRUSTSTORE_LOCATION={{logfeeder_truststore_location}}\nexport LOGFEEDER_TRUSTSTORE_PASSWORD={{logfeeder_truststore_password}}\nexport
LOGFEEDER_TRUSTSTORE_TYPE={{logfeeder_truststore_type}}\n{% endif %}"
+        "logfeeder_keystore_password" : "bigdata",
+        "logfeeder_truststore_password" : "bigdata",
+        "content": "# Licensed to the Apache Software Foundation (ASF) under one or more\n#
contributor license agreements.  See the NOTICE file distributed with\n# this work for additional
information regarding copyright ownership.\n# The ASF licenses this file to You under the
Apache License, Version 2.0\n# (the \"License\"); you may not use this file except in compliance
with\n# the License.  You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n#
Unless required by applicable law or agreed to in writing, software\n# distributed under the
License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
either express or implied.\n# See the License for the specific language governing permissions
and\n# limitations under the License.\n\nlogsearch.solr.metrics.collector.hosts=http://{{metrics_collector_hosts}}:{{metrics_collector_port}}/ws/v1/timeline/metrics\n{%
if logsearch_solr_ssl_enabled %}\nexport LOGFEED
 ER_SSL=\"true\"\nexport LOGFEEDER_KEYSTORE_LOCATION={{logfeeder_keystore_location}}\n\nexport
LOGFEEDER_KEYSTORE_TYPE={{logfeeder_keystore_type}}\nexport LOGFEEDER_TRUSTSTORE_LOCATION={{logfeeder_truststore_location}}\n\nexport
LOGFEEDER_TRUSTSTORE_TYPE={{logfeeder_truststore_type}}\n{% endif %}"
       },
       "logfeeder-output-config" : {
         "content" : "output-grok-filter"

