From arina-ielchiieva <...@git.apache.org>
Subject [GitHub] drill pull request #950: DRILL-5431: SSL Support
Date Wed, 04 Oct 2017 14:48:16 GMT
Github user arina-ielchiieva commented on a diff in the pull request:

    https://github.com/apache/drill/pull/950#discussion_r142679480
  
    --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/ssl/SSLConfigServer.java
---
    @@ -0,0 +1,331 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + *
    + * http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +package org.apache.drill.exec.ssl;
    +
    +import com.google.common.base.Preconditions;
    +import io.netty.handler.ssl.SslContext;
    +import io.netty.handler.ssl.SslContextBuilder;
    +import io.netty.handler.ssl.SslProvider;
    +import org.apache.drill.common.config.DrillConfig;
    +import org.apache.drill.common.exceptions.DrillException;
    +import org.apache.drill.exec.ExecConstants;
    +import org.apache.drill.exec.memory.BufferAllocator;
    +import org.apache.hadoop.conf.Configuration;
    +import org.apache.hadoop.security.ssl.SSLFactory;
    +
    +import javax.net.ssl.KeyManagerFactory;
    +import javax.net.ssl.SSLContext;
    +import javax.net.ssl.SSLEngine;
    +import javax.net.ssl.TrustManagerFactory;
    +import java.text.MessageFormat;
    +
    +public class SSLConfigServer extends SSLConfig {
    +
    +  private static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(SSLConfigServer.class);
    +
    +  private final DrillConfig config;
    +  private final Configuration hadoopConfig;
    +  private final boolean userSslEnabled;
    +  private final boolean httpsEnabled;
    +  private final String keyStoreType;
    +  private final String keyStorePath;
    +  private final String keyStorePassword;
    +  private final String keyPassword;
    +  private final String trustStoreType;
    +  private final String trustStorePath;
    +  private final String trustStorePassword;
    +  private final String protocol;
    +  private final String provider;
    +
    +  public SSLConfigServer(DrillConfig config, Configuration hadoopConfig) throws DrillException
{
    +    this.config = config;
    +    SSLFactory.Mode mode = SSLFactory.Mode.SERVER;
    +    httpsEnabled =
    +        config.hasPath(ExecConstants.HTTP_ENABLE_SSL) && config.getBoolean(ExecConstants.HTTP_ENABLE_SSL);
    +    // For testing we will mock up a hadoop configuration, however for regular use, we
find the actual hadoop config.
    +    boolean enableHadoopConfig = config.getBoolean(ExecConstants.SSL_USE_HADOOP_CONF);
    +    if (enableHadoopConfig) {
    +      if (hadoopConfig == null) {
    +        this.hadoopConfig = new Configuration(); // get hadoop configuration
    +      } else {
    +        this.hadoopConfig = hadoopConfig;
    +      }
    +      String hadoopSSLConfigFile =
    +          this.hadoopConfig.get(resolveHadoopPropertyName(HADOOP_SSL_CONF_TPL_KEY, getMode()));
    +      logger.debug("Using Hadoop configuration for SSL");
    +      logger.debug("Hadoop SSL configuration file: {}", hadoopSSLConfigFile);
    +      this.hadoopConfig.addResource(hadoopSSLConfigFile);
    +    } else {
    +      this.hadoopConfig = null;
    +    }
    +    userSslEnabled =
    +        config.hasPath(ExecConstants.USER_SSL_ENABLED) && config.getBoolean(ExecConstants.USER_SSL_ENABLED);
    +    trustStoreType = getConfigParam(ExecConstants.SSL_TRUSTSTORE_TYPE,
    +        resolveHadoopPropertyName(HADOOP_SSL_TRUSTSTORE_TYPE_TPL_KEY, mode));
    +    trustStorePath = getConfigParam(ExecConstants.SSL_TRUSTSTORE_PATH,
    +        resolveHadoopPropertyName(HADOOP_SSL_TRUSTSTORE_LOCATION_TPL_KEY, mode));
    +    trustStorePassword = getConfigParam(ExecConstants.SSL_TRUSTSTORE_PASSWORD,
    +        resolveHadoopPropertyName(HADOOP_SSL_TRUSTSTORE_PASSWORD_TPL_KEY, mode));
    +    keyStoreType = getConfigParam(ExecConstants.SSL_KEYSTORE_TYPE,
    +        resolveHadoopPropertyName(HADOOP_SSL_KEYSTORE_TYPE_TPL_KEY, mode));
    +    keyStorePath = getConfigParam(ExecConstants.SSL_KEYSTORE_PATH,
    +        resolveHadoopPropertyName(HADOOP_SSL_KEYSTORE_LOCATION_TPL_KEY, mode));
    +    keyStorePassword = getConfigParam(ExecConstants.SSL_KEYSTORE_PASSWORD,
    +        resolveHadoopPropertyName(HADOOP_SSL_KEYSTORE_PASSWORD_TPL_KEY, mode));
    +    // if no keypassword specified, use keystore password
    +    String keyPass = getConfigParam(ExecConstants.SSL_KEY_PASSWORD,
    +        resolveHadoopPropertyName(HADOOP_SSL_KEYSTORE_KEYPASSWORD_TPL_KEY, mode));
    +    keyPassword = keyPass.isEmpty() ? keyStorePassword : keyPass;
    +    protocol = getConfigParamWithDefault(ExecConstants.SSL_PROTOCOL, DEFAULT_SSL_PROTOCOL);
    +    provider = getConfigParamWithDefault(ExecConstants.SSL_PROVIDER, DEFAULT_SSL_PROVIDER);
    +  }
    +
    +  public void validateKeyStore() throws DrillException {
    +    //HTTPS validates the keystore is not empty. User Server SSL context initialization
also validates keystore, but
    +    // much more strictly. User Client context initialization does not validate keystore.
    +    /*If keystorePath or keystorePassword is provided in the configuration file use that*/
    +    if ((isUserSslEnabled() || isHttpsEnabled())) {
    +      if (!keyStorePath.isEmpty() || !keyStorePassword.isEmpty()) {
    +        if (keyStorePath.isEmpty()) {
    +          throw new DrillException(
    +              " *.ssl.keyStorePath in the configuration file is empty, but *.ssl.keyStorePassword
is set");
    +        } else if (keyStorePassword.isEmpty()) {
    +          throw new DrillException(
    +              " *.ssl.keyStorePassword in the configuration file is empty, but *.ssl.keyStorePath
is set ");
    +        }
    +      }
    +    }
    +  }
    +
    +  @Override
    +  public SslContext initNettySslContext() throws DrillException {
    +    final SslContext sslCtx;
    +
    +    if (!userSslEnabled) {
    +      return null;
    +    }
    +
    +    KeyManagerFactory kmf;
    +    TrustManagerFactory tmf;
    +    try {
    +      if (keyStorePath.isEmpty()) {
    +        throw new DrillException("No Keystore provided.");
    +      }
    +      kmf = initializeKeyManagerFactory();
    +      tmf = initializeTrustManagerFactory();
    +      sslCtx = SslContextBuilder.forServer(kmf)
    +          .trustManager(tmf)
    +          .protocols(protocol)
    +          .sslProvider(getProvider())
    +          .build(); // Will throw an exception if the key password is not correct
    +    } catch (Exception e) {
    +      // Catch any SSL initialization Exceptions here and abort.
    +      throw new DrillException(new StringBuilder()
    +          .append("SSL is enabled but cannot be initialized - ")
    +          .append("[ ")
    +          .append(e.getMessage())
    +          .append("]. ")
    +          .toString());
    +    }
    +    this.nettySslContext = sslCtx;
    +    return sslCtx;
    +  }
    +
    +  @Override
    +  public SSLContext initJDKSSLContext() throws DrillException {
    +    final SSLContext sslCtx;
    +
    +    if (!userSslEnabled) {
    +      return null;
    +    }
    +
    +    KeyManagerFactory kmf;
    +    TrustManagerFactory tmf;
    +    try {
    +      if (keyStorePath.isEmpty()) {
    +        throw new DrillException("No Keystore provided.");
    +      }
    +      kmf = initializeKeyManagerFactory();
    +      tmf = initializeTrustManagerFactory();
    +      sslCtx = SSLContext.getInstance(protocol);
    +      sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    +    } catch (Exception e) {
    +      // Catch any SSL initialization Exceptions here and abort.
    +      throw new DrillException(
    +          new StringBuilder().append("SSL is enabled but cannot be initialized - ")
    +              .append("[ ")
    +              .append(e.getMessage())
    +              .append("]. ")
    +              .toString());
    +    }
    +    this.jdkSSlContext = sslCtx;
    +    return sslCtx;
    +  }
    +
    +  @Override
    +  public SSLEngine createSSLEngine(BufferAllocator allocator, String peerHost, int peerPort)
{
    +    SSLEngine engine = super.createSSLEngine(allocator, peerHost, peerPort);
    +
    +    engine.setUseClientMode(false);
    +
    +    // No need for client side authentication (HTTPS like behaviour)
    +    engine.setNeedClientAuth(false);
    +
    +    try {
    +      engine.setEnableSessionCreation(true);
    +    } catch (Exception e) {
    +      // Openssl implementation may throw this.
    +      logger.debug("Session creation not enabled. Exception: {}", e.getMessage());
    +    }
    +
    +    return engine;
    +  }
    +
    +  private String getConfigParam(String name, String hadoopName) {
    +    String value = "";
    +    if (hadoopConfig != null) {
    +      value = getHadoopConfigParam(hadoopName);
    +    }
    +    if (value.isEmpty() && config.hasPath(name)) {
    +      value = config.getString(name);
    +    }
    +    value = value.trim();
    +    return value;
    +  }
    +
    +  private String getHadoopConfigParam(String name) {
    +    Preconditions.checkArgument(this.hadoopConfig != null);
    +    String value = "";
    --- End diff --
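Review bot: In initJDKSSLContext the configured `protocol` is only used to pick the context via `SSLContext.getInstance(protocol)`, which does not by itself restrict the protocol versions an engine from that context will negotiate, whereas the Netty path pins them with `.protocols(protocol)`. Nothing visible in createSSLEngine calls `setEnabledProtocols`, so unless `super.createSSLEngine` or the consumer of the JDK context does, older versions enabled by the JVM defaults may still be accepted. Assuming `protocol` names a concrete version, adding `engine.setEnabledProtocols(new String[] {protocol});` next to `setUseClientMode(false)` would make both paths enforce the same floor. Separately, both init methods rebuild the exception from `e.getMessage()` alone, which drops the cause and stack trace of a failed TLS setup and also re-wraps the `No Keystore provided.` exception thrown inside the same try. Passing `e` as the cause when constructing the `DrillException` would keep that information; the class body continues past the quoted hunk.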
    
    Can be removed and initialized on the next line.


---
