hadoop-common-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jzh...@apache.org
Subject [1/2] hadoop git commit: HADOOP-14242. Make KMS Tomcat SSL property sslEnabledProtocols and clientAuth configurable. Contributed by John Zhuge.
Date Fri, 19 May 2017 01:06:46 GMT
Repository: hadoop
Updated Branches:
  refs/heads/branch-2 2ac5aab8d -> 85f7b7e8e


HADOOP-14242. Make KMS Tomcat SSL property sslEnabledProtocols and clientAuth configurable.
Contributed by John Zhuge.


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/145d716a
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/145d716a
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/145d716a

Branch: refs/heads/branch-2
Commit: 145d716a2b62259c918ba50bb4bdc014e572bb2b
Parents: 2ac5aab
Author: John Zhuge <jzhuge@apache.org>
Authored: Fri May 12 10:40:32 2017 -0700
Committer: John Zhuge <jzhuge@apache.org>
Committed: Thu May 18 18:03:54 2017 -0700

----------------------------------------------------------------------
 .../hadoop-kms/src/main/conf/kms-env.sh              | 13 +++++++++++++
 .../hadoop-kms/src/main/libexec/kms-config.sh        | 14 ++++++++++++++
 .../hadoop-kms/src/main/sbin/kms.sh                  |  3 +++
 .../hadoop-kms/src/main/tomcat/ssl-server.xml        |  3 ++-
 .../hadoop-kms/src/site/markdown/index.md.vm         | 15 ++++++++++++---
 5 files changed, 44 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/145d716a/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh b/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh
index 7deee5d..df5a904 100644
--- a/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh
+++ b/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh
@@ -66,6 +66,19 @@
 #
 # export KMS_MAX_HTTP_HEADER_SIZE=65536
 
+# Set to 'true' if you want the SSL stack to require a valid certificate chain
+# from the client before accepting a connection. Set to 'want' if you want the
+# SSL stack to request a client Certificate, but not fail if one isn't
+# presented. A 'false' value (which is the default) will not require a
+# certificate chain unless the client requests a resource protected by a
+# security constraint that uses CLIENT-CERT authentication.
+#
+# export KMS_SSL_CLIENT_AUTH=false
+
+# The comma separated list of SSL protocols to support
+#
+# export KMS_SSL_ENABLED_PROTOCOLS="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
+
 # The comma separated list of encryption ciphers for SSL
 #
 # export KMS_SSL_CIPHERS=

http://git-wip-us.apache.org/repos/asf/hadoop/blob/145d716a/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh b/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
index 210b87a..41eae0e 100644
--- a/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
+++ b/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
@@ -177,6 +177,20 @@ else
   print "Using   KMS_MAX_HTTP_HEADER_SIZE:     ${KMS_MAX_HTTP_HEADER_SIZE}"
 fi
 
+if [ "${KMS_SSL_CLIENT_AUTH}" = "" ]; then
+  export KMS_SSL_CLIENT_AUTH="false"
+  print "Setting KMS_SSL_CLIENT_AUTH:     ${KMS_SSL_CLIENT_AUTH}"
+else
+  print "Using   KMS_SSL_CLIENT_AUTH:     ${KMS_SSL_CLIENT_AUTH}"
+fi
+
+if [ "${KMS_SSL_ENABLED_PROTOCOLS}" = "" ]; then
+  export KMS_SSL_ENABLED_PROTOCOLS="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
+  print "Setting KMS_SSL_ENABLED_PROTOCOLS:     ${KMS_SSL_ENABLED_PROTOCOLS}"
+else
+  print "Using   KMS_SSL_ENABLED_PROTOCOLS:     ${KMS_SSL_ENABLED_PROTOCOLS}"
+fi
+
 if [ "${KMS_SSL_CIPHERS}" = "" ]; then
   export KMS_SSL_CIPHERS="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
   KMS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

http://git-wip-us.apache.org/repos/asf/hadoop/blob/145d716a/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh b/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
index f93f34b..ce3c136 100644
--- a/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
+++ b/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
@@ -87,6 +87,9 @@ if [[ "${1}" = "start" || "${1}" = "run" ]]; then
     "${KMS_ACCEPTOR_THREAD_COUNT}"
   catalina_set_property "kms.max.http.header.size" \
     "${KMS_MAX_HTTP_HEADER_SIZE}"
+  catalina_set_property "kms.ssl.client.auth" "${KMS_SSL_CLIENT_AUTH}"
+  catalina_set_property "kms.ssl.enabled.protocols" \
+    "${KMS_SSL_ENABLED_PROTOCOLS}"
   catalina_set_property "kms.ssl.ciphers" "${KMS_SSL_CIPHERS}"
   catalina_set_property "kms.ssl.keystore.file" "${KMS_SSL_KEYSTORE_FILE}"
 

http://git-wip-us.apache.org/repos/asf/hadoop/blob/145d716a/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml b/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml
index 6c28c7d..73be5f8 100644
--- a/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml
+++ b/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml
@@ -73,7 +73,8 @@
                acceptCount="${kms.accept.count}"
                acceptorThreadCount="${kms.acceptor.thread.count}"
                maxHttpHeaderSize="${kms.max.http.header.size}"
-               clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
+               clientAuth="${kms.ssl.client.auth}"
+               sslEnabledProtocols="${kms.ssl.enabled.protocols}"
                ciphers="${kms.ssl.ciphers}"
                truststorePass="${kms.ssl.truststore.pass}"
                keystoreFile="${kms.ssl.keystore.file}"

http://git-wip-us.apache.org/repos/asf/hadoop/blob/145d716a/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm b/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm
index bfe1b88..74e84a8 100644
--- a/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm
+++ b/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm
@@ -301,11 +301,20 @@ The answer to "What is your first and last name?" (i.e. "CN") must be
the hostna
 
 NOTE: You need to restart the KMS for the configuration changes to take effect.
 
+
+Set environment variable `KMS_SSL_CLIENT_AUTH` to change client
+authentication. The default is `false`. See `clientAuth` in
+[Tomcat 6.0 SSL Support](https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support).
+
+Set environment variable `KMS_SSL_ENABLED_PROTOCOLS` to specify a list of
+enabled SSL protocols. The default list includes `TLSv1`, `TLSv1.1`,
+`TLSv1.2`, and `SSLv2Hello`. See `sslEnabledProtocols` in
+[Tomcat 6.0 SSL Support](https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support).
+
 In order to support some old SSL clients, the default encryption ciphers
 include a few relatively weaker ciphers. Set environment variable
-`KMS_SSL_CIPHERS` or property `kms.ssl.ciphers` to override. The value is a
-comma separated list of ciphers documented in this
-[Tomcat Wiki](https://wiki.apache.org/tomcat/Security/Ciphers).
+`KMS_SSL_CIPHERS` to override. The value is a comma separated list of ciphers
+documented in [Tomcat Wiki](https://wiki.apache.org/tomcat/Security/Ciphers).
 
 $H4 ACLs (Access Control Lists)
 


---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-commits-help@hadoop.apache.org


Mime
View raw message