drill-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From parthchandra <...@git.apache.org>
Subject [GitHub] drill pull request #950: DRILL-5431: SSL Support
Date Mon, 25 Sep 2017 17:26:32 GMT
Github user parthchandra commented on a diff in the pull request:

    https://github.com/apache/drill/pull/950#discussion_r140610830
  
    --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/ssl/SSLConfig.java ---
    @@ -0,0 +1,325 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + *
    + * http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +package org.apache.drill.exec.ssl;
    +
    +import com.google.common.base.Preconditions;
    +import io.netty.handler.ssl.SslContext;
    +import io.netty.handler.ssl.SslProvider;
    +import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
    +import org.apache.drill.common.config.DrillConfig;
    +import org.apache.drill.common.exceptions.DrillException;
    +import org.apache.drill.exec.ExecConstants;
    +import org.apache.drill.exec.memory.BufferAllocator;
    +import org.apache.hadoop.conf.Configuration;
    +import org.apache.hadoop.security.ssl.SSLFactory;
    +
    +import javax.net.ssl.KeyManagerFactory;
    +import javax.net.ssl.SSLContext;
    +import javax.net.ssl.SSLEngine;
    +import javax.net.ssl.TrustManagerFactory;
    +import java.io.FileInputStream;
    +import java.io.InputStream;
    +import java.security.KeyStore;
    +import java.text.MessageFormat;
    +
    +public abstract class SSLConfig {
    +
    +  private static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(SSLConfig.class);
    +
    +  public static final String DEFAULT_SSL_PROVIDER = "JDK"; // JDK or OPENSSL
    +  public static final String DEFAULT_SSL_PROTOCOL = "TLSv1.2";
    +  public static final int DEFAULT_SSL_HANDSHAKE_TIMEOUT_MS = 10 * 1000; // 10 seconds
    +
    +  protected final boolean httpsEnabled;
    +  protected final DrillConfig config;
    +  protected final Configuration hadoopConfig;
    +
    +  // Either the Netty SSL context or the JDK SSL context will be initialized
    +  // The JDK SSL context is use iff the useSystemTrustStore setting is enabled.
    +  protected SslContext nettySslContext;
    +  protected SSLContext jdkSSlContext;
    +
    +  private static final boolean isWindows = System.getProperty("os.name").toLowerCase().indexOf("win")
>= 0;
    +  private static final boolean isMacOs = System.getProperty("os.name").toLowerCase().indexOf("mac")
>= 0;
    +
    +  public static final String HADOOP_SSL_CONF_TPL_KEY = "hadoop.ssl.{0}.conf";
    +  public static final String HADOOP_SSL_KEYSTORE_LOCATION_TPL_KEY = "ssl.{0}.keystore.location";
    +  public static final String HADOOP_SSL_KEYSTORE_PASSWORD_TPL_KEY = "ssl.{0}.keystore.password";
    +  public static final String HADOOP_SSL_KEYSTORE_TYPE_TPL_KEY = "ssl.{0}.keystore.type";
    +  public static final String HADOOP_SSL_KEYSTORE_KEYPASSWORD_TPL_KEY =
    +      "ssl.{0}.keystore.keypassword";
    +  public static final String HADOOP_SSL_TRUSTSTORE_LOCATION_TPL_KEY = "ssl.{0}.truststore.location";
    +  public static final String HADOOP_SSL_TRUSTSTORE_PASSWORD_TPL_KEY = "ssl.{0}.truststore.password";
    +  public static final String HADOOP_SSL_TRUSTSTORE_TYPE_TPL_KEY = "ssl.{0}.truststore.type";
    +
    +  public SSLConfig(DrillConfig config, Configuration hadoopConfig, SSLFactory.Mode mode)
    +      throws DrillException {
    +
    +    this.config = config;
    +    httpsEnabled =
    +        config.hasPath(ExecConstants.HTTP_ENABLE_SSL) && config.getBoolean(ExecConstants.HTTP_ENABLE_SSL);
    +    // For testing we will mock up a hadoop configuration, however for regular use, we
find the actual hadoop config.
    +    boolean enableHadoopConfig = config.getBoolean(ExecConstants.SSL_USE_HADOOP_CONF);
    +    if (enableHadoopConfig && this instanceof SSLConfigServer) {
    +      if (hadoopConfig == null) {
    +        this.hadoopConfig = new Configuration(); // get hadoop configuration
    +      } else {
    +        this.hadoopConfig = hadoopConfig;
    +      }
    +      String hadoopSSLConfigFile =
    +          this.hadoopConfig.get(resolveHadoopPropertyName(HADOOP_SSL_CONF_TPL_KEY, mode));
    +      logger.debug("Using Hadoop configuration for SSL");
    +      logger.debug("Hadoop SSL configuration file: {}", hadoopSSLConfigFile);
    +      this.hadoopConfig.addResource(hadoopSSLConfigFile);
    +    } else {
    +      this.hadoopConfig = null;
    +    }
    +  }
    +
    +  protected String getConfigParam(String name, String hadoopName) {
    +    String value = "";
    +    if (hadoopConfig != null) {
    +      value = getHadoopConfigParam(hadoopName);
    +    }
    +    if (value.isEmpty() && config.hasPath(name)) {
    +      value = config.getString(name);
    +    }
    +    value = value.trim();
    +    return value;
    +  }
    +
    +  protected String getHadoopConfigParam(String name) {
    +    Preconditions.checkArgument(this.hadoopConfig != null);
    +    String value = "";
    +    value = hadoopConfig.get(name, "");
    +    value = value.trim();
    +    return value;
    +  }
    +
    +  protected String getConfigParamWithDefault(String name, String defaultValue) {
    +    String value = "";
    +    if (config.hasPath(name)) {
    +      value = config.getString(name);
    +    }
    +    if (value.isEmpty()) {
    +      value = defaultValue;
    +    }
    +    value = value.trim();
    +    return value;
    +  }
    +
    +  protected String resolveHadoopPropertyName(String nameTemplate, SSLFactory.Mode mode)
{
    +    return MessageFormat.format(nameTemplate, mode.toString().toLowerCase());
    +  }
    +
    +  public abstract void validateKeyStore() throws DrillException;
    +
    +  public abstract SslContext initSslContext() throws DrillException;
    +
    +  public abstract SSLContext initSSLContext() throws DrillException;
    +
    +  public abstract boolean isUserSslEnabled();
    +
    +  public abstract boolean isHttpsEnabled();
    +
    +  public abstract String getKeyStoreType();
    +
    +  public abstract String getKeyStorePath();
    +
    +  public abstract String getKeyStorePassword();
    +
    +  public abstract String getKeyPassword();
    +
    +  public abstract String getTrustStoreType();
    +
    +  public abstract boolean hasTrustStorePath();
    +
    +  public abstract String getTrustStorePath();
    +
    +  public abstract boolean hasTrustStorePassword();
    +
    +  public abstract String getTrustStorePassword();
    +
    +  public abstract String getProtocol();
    +
    +  public abstract SslProvider getProvider();
    +
    +  public abstract int getHandshakeTimeout();
    +
    +  public abstract SSLFactory.Mode getMode();
    +
    +  public abstract boolean disableHostVerification();
    +
    +  public abstract boolean disableCertificateVerification();
    +
    +  public abstract boolean useSystemTrustStore();
    +
    +  public abstract boolean isSslValid();
    +
    +  public SslContext getNettySslContext() {
    +    return nettySslContext;
    +  }
    +
    +  public TrustManagerFactory initializeTrustManagerFactory() throws DrillException {
    +    TrustManagerFactory tmf;
    +    KeyStore ts = null;
    +    //Support Windows/MacOs system trust store
    +    try {
    +      String trustStoreType = getTrustStoreType();
    +      if ((isWindows || isMacOs) && useSystemTrustStore()) {
    +        // This is valid for MS-Windows and MacOs
    +        logger.debug("Initializing System truststore.");
    +        ts = KeyStore.getInstance(!trustStoreType.isEmpty() ? trustStoreType : KeyStore.getDefaultType());
    +        ts.load(null, null);
    +      } else if (!getTrustStorePath().isEmpty()) {
    +          // if truststore is not provided then we will use the default. Note that the
default depends on
    +          // the TrustManagerFactory that in turn depends on the Security Provider.
    +          // Use null as the truststore which will result in the default truststore being
picked up
    +          logger.debug("Initializing truststore {}.", getTrustStorePath());
    +          ts = KeyStore.getInstance(!trustStoreType.isEmpty() ? trustStoreType : KeyStore.getDefaultType());
    +          InputStream tsStream = new FileInputStream(getTrustStorePath());
    +          ts.load(tsStream, getTrustStorePassword().toCharArray());
    +      } else {
    +        logger.debug("Initializing default truststore.");
    +      }
    +      if (disableCertificateVerification()) {
    +        tmf = InsecureTrustManagerFactory.INSTANCE;
    +      } else {
    +        tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    +      }
    +      tmf.init(ts);
    +    } catch (Exception e) {
    +      // Catch any SSL initialization Exceptions here and abort.
    +      throw new DrillException(
    +          new StringBuilder()
    +              .append("Exception while initializing the truststore: [")
    +              .append(e.getMessage())
    +              .append("]. ")
    +              .toString());
    +    }
    +    return tmf;
    +  }
    +
    +  public KeyManagerFactory initializeKeyManagerFactory() throws DrillException {
    +    KeyManagerFactory kmf;
    +    String keyStorePath = getKeyStorePath();
    +    String keyStorePassword = getKeyStorePassword();
    +    String keyStoreType = getKeyStoreType();
    +    try {
    +      if (keyStorePath.isEmpty()) {
    +        throw new DrillException("No Keystore provided.");
    +      }
    +      KeyStore ks =
    +          KeyStore.getInstance(!keyStoreType.isEmpty() ? keyStoreType : KeyStore.getDefaultType());
    +      //initialize the key manager factory
    +      // Will throw an exception if the file is not found/accessible.
    +      InputStream ksStream = new FileInputStream(keyStorePath);
    +      // A key password CANNOT be null or an empty string.
    +      if (keyStorePassword.isEmpty()) {
    +        throw new DrillException("The Keystore password cannot be empty.");
    +      }
    +      ks.load(ksStream, keyStorePassword.toCharArray());
    +      // Empty Keystore. (Remarkably, it is possible to do this).
    +      if (ks.size() == 0) {
    +        throw new DrillException("The Keystore has no entries.");
    +      }
    +      kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    +      kmf.init(ks, getKeyPassword().toCharArray());
    +
    +    } catch (Exception e) {
    +      throw new DrillException(
    +          new StringBuilder()
    +              .append("Exception while initializing the keystore: [")
    +              .append(e.getMessage())
    +              .append("]. ")
    +              .toString());
    +    }
    +    return kmf;
    +  }
    +
    +  public void initContext() throws DrillException {
    +    if ((isWindows || isMacOs) && useSystemTrustStore()) {
    +      initSSLContext();
    +      logger.debug("Initialized Windows SSL context using JDK.");
    +    } else {
    +      initSslContext();
    +      logger.debug("Initialized SSL context.");
    +    }
    +    return;
    +  }
    +
    +  public SSLEngine createSSLEngine(BufferAllocator allocator, String peerHost, int peerPort)
{
    +    SSLEngine engine;
    +    if ((isWindows || isMacOs) && useSystemTrustStore()) {
    +      if (peerHost != null) {
    +        engine = jdkSSlContext.createSSLEngine(peerHost, peerPort);
    +        logger.debug("Initializing Windows SSLEngine with hostname verification.");
    +      } else {
    +        engine = jdkSSlContext.createSSLEngine();
    +        logger.debug("Initializing Windows SSLEngine with no hostname verification.");
    +      }
    +    } else {
    +      if (peerHost != null) {
    +        engine = nettySslContext.newEngine(allocator.getAsByteBufAllocator(), peerHost,
peerPort);
    +        logger.debug("Initializing SSLEngine with hostname verification.");
    +      } else {
    +        engine = nettySslContext.newEngine(allocator.getAsByteBufAllocator());
    +        logger.debug("Initializing SSLEngine with no hostname verification.");
    +      }
    +    }
    +    return engine;
    --- End diff --
    
    I'm going to leave this as it is. Seems easier to read to me. 
    I changed the logging message (you did notice it was for debugging, right?). Hostname
verification is not enabled/disabled in this method but in the caller.  


---

Mime
View raw message