From smoha...@apache.org
Subject git commit: AMBARI-2618. Save truststore password in encrypted form. (Dmitry Lysnichenko via smohanty)
Date Wed, 10 Jul 2013 17:57:30 GMT
Updated Branches:
  refs/heads/trunk 635ff2af1 -> e2d42ea27


AMBARI-2618. Save truststore password in encrypted form. (Dmitry Lysnichenko via smohanty)


Project: http://git-wip-us.apache.org/repos/asf/incubator-ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ambari/commit/e2d42ea2
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ambari/tree/e2d42ea2
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ambari/diff/e2d42ea2

Branch: refs/heads/trunk
Commit: e2d42ea2714084c7c13518bf3856d4b3d1b2e104
Parents: 635ff2a
Author: Sumit Mohanty <smohanty@hortonworks.com>
Authored: Wed Jul 10 10:57:14 2013 -0700
Committer: Sumit Mohanty <smohanty@hortonworks.com>
Committed: Wed Jul 10 10:57:14 2013 -0700

----------------------------------------------------------------------
 .../server/configuration/Configuration.java     | 21 +++++++---
 ambari-server/src/main/python/ambari-server.py  | 15 ++++++-
 .../server/configuration/ConfigurationTest.java | 26 ++++++++++++
 .../src/test/python/TestAmbaryServer.py         | 44 +++++++-------------
 4 files changed, 71 insertions(+), 35 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/e2d42ea2/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index 538885c..7808003 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -170,6 +170,10 @@ public class Configuration {
   public static final String SSL_TRUSTSTORE_PATH_KEY = "ssl.trustStore.path";
   public static final String SSL_TRUSTSTORE_PASSWORD_KEY = "ssl.trustStore.password";
   public static final String SSL_TRUSTSTORE_TYPE_KEY = "ssl.trustStore.type";
+  public static final String JAVAX_SSL_TRUSTSTORE = "javax.net.ssl.trustStore";
+  public static final String JAVAX_SSL_TRUSTSTORE_PASSWORD = "javax.net.ssl.trustStorePassword";
+  public static final String JAVAX_SSL_TRUSTSTORE_TYPE = "javax.net.ssl.trustStoreType";
+
 
   private static final String SRVR_TWO_WAY_SSL_DEFAULT = "false";
   private static final String SRVR_KSTR_DIR_DEFAULT = ".";
@@ -348,15 +352,22 @@ public class Configuration {
   /**
    * Loads trusted certificates store properties
    */
-  private void loadSSLParams(){
+  void loadSSLParams(){
     if (properties.getProperty(SSL_TRUSTSTORE_PATH_KEY) != null) {
-      System.setProperty("javax.net.ssl.trustStore", properties.getProperty(SSL_TRUSTSTORE_PATH_KEY));
+      System.setProperty(JAVAX_SSL_TRUSTSTORE, properties.getProperty(SSL_TRUSTSTORE_PATH_KEY));
     }
     if (properties.getProperty(SSL_TRUSTSTORE_PASSWORD_KEY) != null) {
-      System.setProperty("javax.net.ssl.trustStorePassword", properties.getProperty(SSL_TRUSTSTORE_PASSWORD_KEY));
+      String ts_password = readPasswordFromStore(
+              properties.getProperty(SSL_TRUSTSTORE_PASSWORD_KEY));
+      if (ts_password != null) {
+        System.setProperty(JAVAX_SSL_TRUSTSTORE_PASSWORD, ts_password);
+      } else {
+        System.setProperty(JAVAX_SSL_TRUSTSTORE_PASSWORD,
+                properties.getProperty(SSL_TRUSTSTORE_PASSWORD_KEY));
+      }
     }
     if (properties.getProperty(SSL_TRUSTSTORE_TYPE_KEY) != null) {
-      System.setProperty("javax.net.ssl.trustStoreType", properties.getProperty(SSL_TRUSTSTORE_TYPE_KEY));
+      System.setProperty(JAVAX_SSL_TRUSTSTORE_TYPE, properties.getProperty(SSL_TRUSTSTORE_TYPE_KEY));
     }
   }
 
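Review bot: The `else` branch in `loadSSLParams` silently hands the raw `ssl.trustStore.password` value to `javax.net.ssl.trustStorePassword` whenever `readPasswordFromStore` returns null. A stored alias that cannot be resolved (credential store or master key unavailable) would therefore be used as the literal password, and the failure would only show up later as an opaque truststore load error. Whether null also means "the value is not an alias" is inferred, since the body of `readPasswordFromStore` is not shown in this diff. I would separate the two cases and log the unresolved one without printing the value, e.g. `LOG.warn("Could not resolve truststore password from the credential store; using the configured value as-is");`, assuming the class has a logger of that name. The decrypted password still ends up in a JVM-wide system property, so the encryption protects the properties file at rest only.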
@@ -588,7 +599,7 @@ public class Configuration {
     }
   }
 
-  private String readPasswordFromStore(String aliasStr) {
+  String readPasswordFromStore(String aliasStr) {
     String password = null;
     loadCredentialProvider();
     if (credentialProvider != null) {
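Review bot: `readPasswordFromStore` here and `loadSSLParams` in the previous hunk both lose `private` with no comment explaining why, and the former returns decrypted credentials, so any class in `org.apache.ambari.server.configuration` can now call it. The new tests spy on both methods, which is presumably the reason. State that above each signature, e.g. `// package-private for unit tests only; returns a decrypted secret, do not call from other classes`. The method body continues past the end of this hunk.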

http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/e2d42ea2/ambari-server/src/main/python/ambari-server.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/python/ambari-server.py b/ambari-server/src/main/python/ambari-server.py
index 2d2a5b7..47fe3f2 100755
--- a/ambari-server/src/main/python/ambari-server.py
+++ b/ambari-server/src/main/python/ambari-server.py
@@ -184,6 +184,7 @@ LDAP_MGR_PASSWORD_ALIAS = "ambari.ldap.manager.password"
 LDAP_MGR_PASSWORD_PROPERTY = "authentication.ldap.managerPassword"
 LDAP_MGR_USERNAME_PROPERTY = "authentication.ldap.managerDn"
 
+SSL_TRUSTSTORE_PASSWORD_ALIAS="ambari.ssl.trustStore.password"
 SSL_TRUSTSTORE_PATH_PROPERTY = "ssl.trustStore.path"
 SSL_TRUSTSTORE_PASSWORD_PROPERTY = "ssl.trustStore.password"
 SSL_TRUSTSTORE_TYPE_PROPERTY = "ssl.trustStore.type"
@@ -2574,6 +2575,7 @@ def setup_master_key():
       db_password = file.read()
       
   ldap_password = properties.get_property(LDAP_MGR_PASSWORD_PROPERTY)
+  ts_password = properties.get_property(SSL_TRUSTSTORE_PASSWORD_PROPERTY)
   resetKey = False
   masterKey = None
 
@@ -2604,6 +2606,9 @@ def setup_master_key():
         if ldap_password and is_alias_string(ldap_password):
           print err.format('LDAP manager password', '"' + LDAP_SETUP_ACTION + '"')
           return 1
+        if ts_password and is_alias_string(ts_password):
+          print err.format('TrustStore password', '"' + LDAP_SETUP_ACTION + '"')
+          return 1
       pass
     pass
   pass
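Review bot: The new truststore branch formats its error with `LDAP_SETUP_ACTION`, so an operator whose truststore alias cannot be read is presumably told to re-run the LDAP setup command. The text of `err` is outside the hunk, so this is inferred from the argument alone. Pass the action that actually sets the truststore password instead, e.g. `print err.format('TrustStore password', '"' + TRUSTSTORE_SETUP_ACTION_PLACEHOLDER + '"')`, where the constant name is a placeholder for whichever action applies. `setup_master_key` starts and ends outside this hunk.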
@@ -2613,7 +2618,8 @@ def setup_master_key():
     db_password = read_passwd_for_alias(JDBC_RCA_PASSWORD_ALIAS, masterKey)
   if ldap_password and is_alias_string(ldap_password):
     ldap_password = read_passwd_for_alias(LDAP_MGR_PASSWORD_ALIAS, masterKey)
-
+  if ts_password and is_alias_string(ts_password):
+    ts_password = read_passwd_for_alias(SSL_TRUSTSTORE_PASSWORD_ALIAS, masterKey)
   # Read master key, if non-secure or reset is true
   if resetKey or not isSecure:
     masterKey = read_master_key()
@@ -2661,6 +2667,13 @@ def setup_master_key():
       print 'Failed to save secure LDAP password.'
   pass
 
+  if ts_password and not is_alias_string(ts_password):
+    retCode = save_passwd_for_alias(SSL_TRUSTSTORE_PASSWORD_ALIAS, ts_password, masterKey)
+    propertyMap[SSL_TRUSTSTORE_PASSWORD_PROPERTY] = get_alias_string(SSL_TRUSTSTORE_PASSWORD_ALIAS)
+    if retCode != 0:
+      print 'Failed to save secure TrustStore password.'
+  pass
+
   update_properties(properties, propertyMap)
 
   # Since files for store and master are created we need to ensure correct
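Review bot: `propertyMap[SSL_TRUSTSTORE_PASSWORD_PROPERTY]` is set to the alias string before `retCode` is checked. When `save_passwd_for_alias` fails, the properties file is presumably still rewritten with an alias that has nothing behind it, and the server can no longer recover the password. Make the assignment conditional on success: keep `if retCode != 0:` with its `print`, and move `propertyMap[SSL_TRUSTSTORE_PASSWORD_PROPERTY] = get_alias_string(SSL_TRUSTSTORE_PASSWORD_ALIAS)` under an `else:`. The LDAP block just above appears to follow the same pattern, though only its last lines are visible here. The function-level `pass` after the new block is a no-op and can be dropped.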

http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/e2d42ea2/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
index 96e3288..d6367a5 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
@@ -28,6 +28,8 @@ import org.apache.commons.io.FileUtils;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
+import static org.mockito.Mockito.*;
+import static org.mockito.Matchers.*;
 
 import java.io.File;
 import java.io.IOException;
@@ -129,4 +131,28 @@ public class ConfigurationTest {
 
   }
 
+  @Test
+  public void testLoadSSLParams_unencrypted() throws IOException {
+    Properties ambariProperties = new Properties();
+    String unencrypted = "fake-unencrypted-password";
+    String encrypted = "fake-encrypted-password";
+    ambariProperties.setProperty(Configuration.SSL_TRUSTSTORE_PASSWORD_KEY, unencrypted);
+    Configuration conf = spy(new Configuration(ambariProperties));
+    doReturn(null).when(conf).readPasswordFromStore(anyString());
+    conf.loadSSLParams();
+    Assert.assertEquals(System.getProperty(conf.JAVAX_SSL_TRUSTSTORE_PASSWORD, "unknown"),
unencrypted);
+  }
+
+  @Test
+  public void testLoadSSLParams_encrypted() throws IOException {
+    Properties ambariProperties = new Properties();
+    String unencrypted = "fake-unencrypted-password";
+    String encrypted = "fake-encrypted-password";
+    ambariProperties.setProperty(Configuration.SSL_TRUSTSTORE_PASSWORD_KEY, unencrypted);
+    Configuration conf = spy(new Configuration(ambariProperties));
+    doReturn(encrypted).when(conf).readPasswordFromStore(anyString());
+    conf.loadSSLParams();
+    Assert.assertEquals(System.getProperty(conf.JAVAX_SSL_TRUSTSTORE_PASSWORD, "unknown"),
encrypted);
+  }
+
 }
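Review bot: Both new tests leave `javax.net.ssl.trustStorePassword` set for the rest of the JVM, because `loadSSLParams` writes a system property and nothing clears it afterwards. Later tests in the same run that open TLS connections or read the property inherit a fake password, and a stale value from one test could mask a failure in the other. Clear it in an `@After` method (the class already imports `org.junit.After`) with `System.clearProperty(Configuration.JAVAX_SSL_TRUSTSTORE_PASSWORD);`. Smaller points: `assertEquals` takes the expected value first, the constant is read through the instance `conf` rather than the class, and `encrypted` is unused in `testLoadSSLParams_unencrypted`.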

http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/e2d42ea2/ambari-server/src/test/python/TestAmbaryServer.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/TestAmbaryServer.py b/ambari-server/src/test/python/TestAmbaryServer.py
index 197737e..db8d9a1 100644
--- a/ambari-server/src/test/python/TestAmbaryServer.py
+++ b/ambari-server/src/test/python/TestAmbaryServer.py
@@ -3050,12 +3050,9 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV
               read_ambari_user_method, read_master_key_method,
               save_passwd_for_alias_method, remove_password_file_method):
 
-    out = StringIO.StringIO()
-    sys.stdout = out
-
     is_root_method.return_value = True
     p = get_ambari_properties_method.return_value
-    p.get_property.side_effect = [ None, "fakepasswd", "fakepasswd" ]
+    p.get_property.side_effect = [ None, "fakepasswd", "fakepasswd", "fakepasswd"]
     read_master_key_method.return_value = "aaa"
     get_YN_input_method.return_value = False
     read_ambari_user_method.return_value = None
@@ -3069,13 +3066,15 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV
     self.assertTrue(update_properties_method.called)
     self.assertFalse(save_master_key_method.called)
     self.assertTrue(save_passwd_for_alias_method.called)
-    self.assertEquals(2, save_passwd_for_alias_method.call_count)
+    self.assertEquals(3, save_passwd_for_alias_method.call_count)
     self.assertTrue(remove_password_file_method.called)
 
     result_expected = {ambari_server.JDBC_PASSWORD_PROPERTY :
         ambari_server.get_alias_string(ambari_server.JDBC_RCA_PASSWORD_ALIAS),
         ambari_server.LDAP_MGR_PASSWORD_PROPERTY :
         ambari_server.get_alias_string(ambari_server.LDAP_MGR_PASSWORD_ALIAS),
+        ambari_server.SSL_TRUSTSTORE_PASSWORD_PROPERTY :
+          ambari_server.get_alias_string(ambari_server.SSL_TRUSTSTORE_PASSWORD_ALIAS),
         ambari_server.SECURITY_IS_ENCRYPTION_ENABLED : 'true'}
 
     sorted_x = sorted(result_expected.iteritems(), key=operator.itemgetter(0))
@@ -3083,8 +3082,6 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV
                       key=operator.itemgetter(0))
     self.assertEquals(sorted_x, sorted_y)
 
-    sys.stdout = sys.__stdout__
-
 
   @patch.object(ambari_server, 'read_master_key')
   @patch.object(ambari_server, 'read_ambari_user')
@@ -3101,12 +3098,9 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV
               update_properties_method, get_master_key_location_method,
               read_ambari_user_method, read_master_key_method):
 
-    out = StringIO.StringIO()
-    sys.stdout = out
-
     is_root_method.return_value = True
     p = get_ambari_properties_method.return_value
-    p.get_property.side_effect = [ None, "fakepasswd", None ]
+    p.get_property.side_effect = [ None, "fakepasswd", None, None]
     read_master_key_method.return_value = "aaa"
     get_YN_input_method.side_effect = [True, False]
     read_ambari_user_method.return_value = None
@@ -3128,8 +3122,6 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV
                       key=operator.itemgetter(0))
     self.assertEquals(sorted_x, sorted_y)
 
-    sys.stdout = sys.__stdout__
-
 
   @patch.object(ambari_server, 'read_master_key')
   @patch.object(ambari_server, 'remove_password_file')
@@ -3155,9 +3147,6 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV
               read_ambari_user_method, exists_mock,
               remove_password_file_method, read_master_key_method):
 
-    out = StringIO.StringIO()
-    sys.stdout = out
-
     # Testing call under non-root
     is_root_method.return_value = False
     try:
@@ -3175,7 +3164,7 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV
     read_ambari_user_method.return_value = None
     p = get_ambari_properties_method.return_value
     p.get_property.side_effect = [ 'true', '${alias=fakealias}',
-                                   '${alias=fakealias}' ]
+                                   '${alias=fakealias}', '${alias=fakealias}']
 
     get_YN_input_method.side_effect = [ True, True ]
     read_master_key_method.return_value = "aaa"
@@ -3190,13 +3179,15 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV
     self.assertTrue(read_master_key_method.called)
     self.assertTrue(update_properties_method.called)
     self.assertTrue(read_passwd_for_alias_method.called)
-    self.assertTrue(2, read_passwd_for_alias_method.call_count)
-    self.assertTrue(2, save_passwd_for_alias_method.call_count)
+    self.assertTrue(3, read_passwd_for_alias_method.call_count)
+    self.assertTrue(3, save_passwd_for_alias_method.call_count)
 
     result_expected = {ambari_server.JDBC_PASSWORD_PROPERTY:
         ambari_server.get_alias_string(ambari_server.JDBC_RCA_PASSWORD_ALIAS),
         ambari_server.LDAP_MGR_PASSWORD_PROPERTY:
         ambari_server.get_alias_string(ambari_server.LDAP_MGR_PASSWORD_ALIAS),
+        ambari_server.SSL_TRUSTSTORE_PASSWORD_PROPERTY:
+        ambari_server.get_alias_string(ambari_server.SSL_TRUSTSTORE_PASSWORD_ALIAS),
         ambari_server.SECURITY_IS_ENCRYPTION_ENABLED: 'true'}
 
     sorted_x = sorted(result_expected.iteritems(), key=operator.itemgetter(0))
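Review bot: `self.assertTrue(3, read_passwd_for_alias_method.call_count)` and the matching `save_passwd_for_alias_method` line can never fail, because `assertTrue` treats its second argument as the failure message and `3` is always truthy. The commit bumps the number from 2 to 3 without the check ever having run. Use `self.assertEquals(3, read_passwd_for_alias_method.call_count)`, and likewise for `save_passwd_for_alias_method`, as the hunk at `@@ -3069,13 +3066,15 @@` already does. The expected counts may need adjusting once the assertions are live. The same two lines recur in the hunk at `@@ -3253,14 +3239,16 @@`.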
@@ -3204,8 +3195,6 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV
                       key=operator.itemgetter(0))
     self.assertEquals(sorted_x, sorted_y)
 
-    sys.stdout = sys.__stdout__
-
 
   @patch.object(ambari_server, 'remove_password_file')
   @patch("os.path.exists")
@@ -3230,15 +3219,12 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV
               get_master_key_location_method, read_ambari_user_method,
               exists_mock, remove_password_file_method):
 
-    out = StringIO.StringIO()
-    sys.stdout = out
-
     is_root_method.return_value = True
     search_file_message.return_value = False
     read_ambari_user_method.return_value = None
     p = get_ambari_properties_method.return_value
     p.get_property.side_effect = [ 'true', '${alias=fakealias}',
-                                   '${alias=fakealias}' ]
+                                   '${alias=fakealias}', '${alias=fakealias}']
 
     get_YN_input_method.side_effect = [ True, False ]
     get_validated_string_input_method.return_value = "aaa"
@@ -3253,14 +3239,16 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV
     self.assertTrue(get_validated_string_input_method.called)
     self.assertTrue(update_properties_method.called)
     self.assertTrue(read_passwd_for_alias_method.called)
-    self.assertTrue(2, read_passwd_for_alias_method.call_count)
-    self.assertTrue(2, save_passwd_for_alias_method.call_count)
+    self.assertTrue(3, read_passwd_for_alias_method.call_count)
+    self.assertTrue(3, save_passwd_for_alias_method.call_count)
     self.assertFalse(save_master_key_method.called)
 
     result_expected = {ambari_server.JDBC_PASSWORD_PROPERTY:
         ambari_server.get_alias_string(ambari_server.JDBC_RCA_PASSWORD_ALIAS),
         ambari_server.LDAP_MGR_PASSWORD_PROPERTY:
         ambari_server.get_alias_string(ambari_server.LDAP_MGR_PASSWORD_ALIAS),
+        ambari_server.SSL_TRUSTSTORE_PASSWORD_PROPERTY:
+          ambari_server.get_alias_string(ambari_server.SSL_TRUSTSTORE_PASSWORD_ALIAS),
         ambari_server.SECURITY_IS_ENCRYPTION_ENABLED: 'true'}
 
     sorted_x = sorted(result_expected.iteritems(), key=operator.itemgetter(0))
@@ -3268,8 +3256,6 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV
                       key=operator.itemgetter(0))
     self.assertEquals(sorted_x, sorted_y)
 
-    sys.stdout = sys.__stdout__
-
 
   @patch.object(ambari_server, 'save_passwd_for_alias')
   @patch.object(ambari_server, 'get_YN_input')

