Return-Path: X-Original-To: apmail-incubator-ambari-commits-archive@minotaur.apache.org Delivered-To: apmail-incubator-ambari-commits-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id BF04110A90 for ; Wed, 10 Jul 2013 17:57:47 +0000 (UTC) Received: (qmail 31451 invoked by uid 500); 10 Jul 2013 17:57:39 -0000 Delivered-To: apmail-incubator-ambari-commits-archive@incubator.apache.org Received: (qmail 31267 invoked by uid 500); 10 Jul 2013 17:57:34 -0000 Mailing-List: contact ambari-commits-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: ambari-dev@incubator.apache.org Delivered-To: mailing list ambari-commits@incubator.apache.org Received: (qmail 31091 invoked by uid 99); 10 Jul 2013 17:57:30 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 10 Jul 2013 17:57:30 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id 3CEB688C106; Wed, 10 Jul 2013 17:57:30 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: smohanty@apache.org To: ambari-commits@incubator.apache.org Message-Id: <7e3e30efe19b4fc2ab44089f6449283a@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: git commit: AMBARI-2618. Save truststore password in encrypted form. (Dmitry Lysnichenko via smohanty) Date: Wed, 10 Jul 2013 17:57:30 +0000 (UTC) Updated Branches: refs/heads/trunk 635ff2af1 -> e2d42ea27 AMBARI-2618. Save truststore password in encrypted form. (Dmitry Lysnichenko via smohanty) Project: http://git-wip-us.apache.org/repos/asf/incubator-ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ambari/commit/e2d42ea2 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ambari/tree/e2d42ea2 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ambari/diff/e2d42ea2 Branch: refs/heads/trunk Commit: e2d42ea2714084c7c13518bf3856d4b3d1b2e104 Parents: 635ff2a Author: Sumit Mohanty Authored: Wed Jul 10 10:57:14 2013 -0700 Committer: Sumit Mohanty Committed: Wed Jul 10 10:57:14 2013 -0700 ---------------------------------------------------------------------- .../server/configuration/Configuration.java | 21 +++++++--- ambari-server/src/main/python/ambari-server.py | 15 ++++++- .../server/configuration/ConfigurationTest.java | 26 ++++++++++++ .../src/test/python/TestAmbaryServer.py | 44 +++++++------------- 4 files changed, 71 insertions(+), 35 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/e2d42ea2/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index 538885c..7808003 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -170,6 +170,10 @@ public class Configuration {
   public static final String SSL_TRUSTSTORE_PATH_KEY = "ssl.trustStore.path";
   public static final String SSL_TRUSTSTORE_PASSWORD_KEY = "ssl.trustStore.password";
   public static final String SSL_TRUSTSTORE_TYPE_KEY = "ssl.trustStore.type";
+  public static final String JAVAX_SSL_TRUSTSTORE = "javax.net.ssl.trustStore";
+  public static final String JAVAX_SSL_TRUSTSTORE_PASSWORD = "javax.net.ssl.trustStorePassword";
+  public static final String JAVAX_SSL_TRUSTSTORE_TYPE = "javax.net.ssl.trustStoreType";
+
 
   private static final String SRVR_TWO_WAY_SSL_DEFAULT = "false";
   private static final String SRVR_KSTR_DIR_DEFAULT = ".";
@@ -348,15 +352,22 @@ public class Configuration {
   /**
    * Loads trusted certificates store properties
    */
-  private void loadSSLParams(){
+  void loadSSLParams(){
     if (properties.getProperty(SSL_TRUSTSTORE_PATH_KEY) != null) {
-      System.setProperty("javax.net.ssl.trustStore", properties.getProperty(SSL_TRUSTSTORE_PATH_KEY));
+      System.setProperty(JAVAX_SSL_TRUSTSTORE, properties.getProperty(SSL_TRUSTSTORE_PATH_KEY));
     }
     if (properties.getProperty(SSL_TRUSTSTORE_PASSWORD_KEY) != null) {
-      System.setProperty("javax.net.ssl.trustStorePassword", properties.getProperty(SSL_TRUSTSTORE_PASSWORD_KEY));
+      String ts_password = readPasswordFromStore(
+          properties.getProperty(SSL_TRUSTSTORE_PASSWORD_KEY));
+      if (ts_password != null) {
+        System.setProperty(JAVAX_SSL_TRUSTSTORE_PASSWORD, ts_password);
+      } else {
+        System.setProperty(JAVAX_SSL_TRUSTSTORE_PASSWORD,
+            properties.getProperty(SSL_TRUSTSTORE_PASSWORD_KEY));
+      }
     }
     if (properties.getProperty(SSL_TRUSTSTORE_TYPE_KEY) != null) {
-      System.setProperty("javax.net.ssl.trustStoreType", properties.getProperty(SSL_TRUSTSTORE_TYPE_KEY));
+      System.setProperty(JAVAX_SSL_TRUSTSTORE_TYPE, properties.getProperty(SSL_TRUSTSTORE_TYPE_KEY));
     }
   }
 
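Review bot: In the new password branch of loadSSLParams, a null from `readPasswordFromStore` is taken to mean "the property holds a literal password" and the raw `ssl.trustStore.password` value is exported as `javax.net.ssl.trustStorePassword`; if the value is actually an alias reference whose credential-store lookup failed (store unreadable, master key not available), the alias string itself becomes the JVM truststore password and the eventual handshake failure gives no hint why. Whether readPasswordFromStore distinguishes "not an alias" from "lookup failed" cannot be seen here (its body starts in the next hunk and continues outside it), so the fallback should at least log that it is using the literal value, and the property should be read once rather than three times. `ts_password` should also be `tsPassword`, matching the file's other camelCase locals, and widening the method from private to package-private purely so the test can spy on it deserves a `// package-private for testing` comment on the signature.
```java
    // … unchanged: trustStore path handling …
    String tsPasswordValue = properties.getProperty(SSL_TRUSTSTORE_PASSWORD_KEY);
    if (tsPasswordValue != null) {
      // The property holds either a credential-store alias or the literal password.
      String tsPassword = readPasswordFromStore(tsPasswordValue);
      if (tsPassword == null) {
        // NOTE(review): null also covers an alias whose store lookup failed; that case
        // should be logged here rather than silently handing the alias on as the password.
        tsPassword = tsPasswordValue;
      }
      System.setProperty(JAVAX_SSL_TRUSTSTORE_PASSWORD, tsPassword);
    }
    // … unchanged: trustStore type handling …
```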
@@ -588,7 +599,7 @@ public class Configuration {
     }
   }
 
-  private String readPasswordFromStore(String aliasStr) {
+  String readPasswordFromStore(String aliasStr) {
     String password = null;
     loadCredentialProvider();
     if (credentialProvider != null) {
http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/e2d42ea2/ambari-server/src/main/python/ambari-server.py ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/python/ambari-server.py b/ambari-server/src/main/python/ambari-server.py
index 2d2a5b7..47fe3f2 100755
--- a/ambari-server/src/main/python/ambari-server.py
+++ b/ambari-server/src/main/python/ambari-server.py
@@ -184,6 +184,7 @@ LDAP_MGR_PASSWORD_ALIAS = "ambari.ldap.manager.password"
 LDAP_MGR_PASSWORD_PROPERTY = "authentication.ldap.managerPassword"
 LDAP_MGR_USERNAME_PROPERTY = "authentication.ldap.managerDn"
+SSL_TRUSTSTORE_PASSWORD_ALIAS="ambari.ssl.trustStore.password"
 SSL_TRUSTSTORE_PATH_PROPERTY = "ssl.trustStore.path"
 SSL_TRUSTSTORE_PASSWORD_PROPERTY = "ssl.trustStore.password"
 SSL_TRUSTSTORE_TYPE_PROPERTY = "ssl.trustStore.type"
@@ -2574,6 +2575,7 @@ def setup_master_key():
     db_password = file.read()
   ldap_password = properties.get_property(LDAP_MGR_PASSWORD_PROPERTY)
+  ts_password = properties.get_property(SSL_TRUSTSTORE_PASSWORD_PROPERTY)
   resetKey = False
   masterKey = None
@@ -2604,6 +2606,9 @@ def setup_master_key():
       if ldap_password and is_alias_string(ldap_password):
         print err.format('LDAP manager password', '"' + LDAP_SETUP_ACTION + '"')
         return 1
+      if ts_password and is_alias_string(ts_password):
+        print err.format('TrustStore password', '"' + LDAP_SETUP_ACTION + '"')
+        return 1
       pass
     pass
   pass
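Review bot: The new branch in the -2604 hunk of ambari-server.py points the operator at `LDAP_SETUP_ACTION` when the TrustStore password is already stored as an alias, which looks copied from the LDAP branch directly above it; presumably re-running LDAP setup does not reset `ssl.trustStore.password`, so the hint names the wrong command. Pass the constant for the action that configures the truststore instead, e.g. `print err.format('TrustStore password', '"' + <TRUSTSTORE_SETUP_ACTION> + '"')`, with the placeholder replaced by whatever this file calls that action. The `err` template and the rest of setup_master_key lie outside the hunk.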
@@ -2613,7 +2618,8 @@ def setup_master_key():
       db_password = read_passwd_for_alias(JDBC_RCA_PASSWORD_ALIAS, masterKey)
     if ldap_password and is_alias_string(ldap_password):
       ldap_password = read_passwd_for_alias(LDAP_MGR_PASSWORD_ALIAS, masterKey)
-
+    if ts_password and is_alias_string(ts_password):
+      ts_password = read_passwd_for_alias(SSL_TRUSTSTORE_PASSWORD_ALIAS, masterKey)
   # Read master key, if non-secure or reset is true
   if resetKey or not isSecure:
     masterKey = read_master_key()
@@ -2661,6 +2667,13 @@ def setup_master_key():
         print 'Failed to save secure LDAP password.'
       pass
 
+    if ts_password and not is_alias_string(ts_password):
+      retCode = save_passwd_for_alias(SSL_TRUSTSTORE_PASSWORD_ALIAS, ts_password, masterKey)
+      propertyMap[SSL_TRUSTSTORE_PASSWORD_PROPERTY] = get_alias_string(SSL_TRUSTSTORE_PASSWORD_ALIAS)
+      if retCode != 0:
+        print 'Failed to save secure TrustStore password.'
+      pass
+
     update_properties(properties, propertyMap)
 
     # Since files for store and master are created we need to ensure correct
http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/e2d42ea2/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java ----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
index 96e3288..d6367a5 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
@@ -28,6 +28,8 @@ import org.apache.commons.io.FileUtils;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
+import static org.mockito.Mockito.*;
+import static org.mockito.Matchers.*;
 
 import java.io.File;
 import java.io.IOException;
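Review bot: In the -2661 hunk, `propertyMap[SSL_TRUSTSTORE_PASSWORD_PROPERTY] = get_alias_string(SSL_TRUSTSTORE_PASSWORD_ALIAS)` is assigned before `retCode` is examined, so when `save_passwd_for_alias` fails the following `update_properties` still rewrites `ssl.trustStore.password` to an alias that has no entry in the credential store, the clear-text value is gone from ambari.properties, and only a message is printed (as far as the hunk shows, `retCode` is not propagated; setup_master_key continues outside it). The LDAP block above has the same shape, but that is not a reason to repeat it. Only map the property once the save succeeded: `if retCode != 0:` / `  print 'Failed to save secure TrustStore password.'` / `else:` / `  propertyMap[SSL_TRUSTSTORE_PASSWORD_PROPERTY] = get_alias_string(SSL_TRUSTSTORE_PASSWORD_ALIAS)`.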
@@ -129,4 +131,28 @@ public class ConfigurationTest {
   }
 
+  @Test
+  public void testLoadSSLParams_unencrypted() throws IOException {
+    Properties ambariProperties = new Properties();
+    String unencrypted = "fake-unencrypted-password";
+    String encrypted = "fake-encrypted-password";
+    ambariProperties.setProperty(Configuration.SSL_TRUSTSTORE_PASSWORD_KEY, unencrypted);
+    Configuration conf = spy(new Configuration(ambariProperties));
+    doReturn(null).when(conf).readPasswordFromStore(anyString());
+    conf.loadSSLParams();
+    Assert.assertEquals(System.getProperty(conf.JAVAX_SSL_TRUSTSTORE_PASSWORD, "unknown"), unencrypted);
+  }
+
+  @Test
+  public void testLoadSSLParams_encrypted() throws IOException {
+    Properties ambariProperties = new Properties();
+    String unencrypted = "fake-unencrypted-password";
+    String encrypted = "fake-encrypted-password";
+    ambariProperties.setProperty(Configuration.SSL_TRUSTSTORE_PASSWORD_KEY, unencrypted);
+    Configuration conf = spy(new Configuration(ambariProperties));
+    doReturn(encrypted).when(conf).readPasswordFromStore(anyString());
+    conf.loadSSLParams();
+    Assert.assertEquals(System.getProperty(conf.JAVAX_SSL_TRUSTSTORE_PASSWORD, "unknown"), encrypted);
+  }
+
 
 }
http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/e2d42ea2/ambari-server/src/test/python/TestAmbaryServer.py ----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/TestAmbaryServer.py b/ambari-server/src/test/python/TestAmbaryServer.py
index 197737e..db8d9a1 100644
--- a/ambari-server/src/test/python/TestAmbaryServer.py
+++ b/ambari-server/src/test/python/TestAmbaryServer.py
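Review bot: Both new tests call `conf.loadSSLParams()`, which writes the fake value into the JVM-wide `javax.net.ssl.trustStorePassword` system property, and nothing clears it afterwards, so the value leaks into every later test in the same JVM and the `"unknown"` default in the assertions can never be observed once either test has run. Add an `@After` method (the class already imports `org.junit.After`) that calls `System.clearProperty(Configuration.JAVAX_SSL_TRUSTSTORE_PASSWORD);`. The constant is also read through the instance as `conf.JAVAX_SSL_TRUSTSTORE_PASSWORD`; use `Configuration.JAVAX_SSL_TRUSTSTORE_PASSWORD` as the setProperty line above it already does. The `encrypted` local in the first test is unused, and both `Assert.assertEquals` calls pass the actual value first and the expected value second, which makes a failure message read backwards.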
@@ -3050,12 +3050,9 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV read_ambari_user_method, read_master_key_method, save_passwd_for_alias_method, remove_password_file_method): - out = StringIO.StringIO() - sys.stdout = out - is_root_method.return_value = True p = get_ambari_properties_method.return_value - p.get_property.side_effect = [ None, "fakepasswd", "fakepasswd" ] + p.get_property.side_effect = [ None, "fakepasswd", "fakepasswd", "fakepasswd"] read_master_key_method.return_value = "aaa" get_YN_input_method.return_value = False read_ambari_user_method.return_value = None @@ -3069,13 +3066,15 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV self.assertTrue(update_properties_method.called) self.assertFalse(save_master_key_method.called) self.assertTrue(save_passwd_for_alias_method.called) - self.assertEquals(2, save_passwd_for_alias_method.call_count) + self.assertEquals(3, save_passwd_for_alias_method.call_count) self.assertTrue(remove_password_file_method.called) result_expected = {ambari_server.JDBC_PASSWORD_PROPERTY : ambari_server.get_alias_string(ambari_server.JDBC_RCA_PASSWORD_ALIAS), ambari_server.LDAP_MGR_PASSWORD_PROPERTY : ambari_server.get_alias_string(ambari_server.LDAP_MGR_PASSWORD_ALIAS), + ambari_server.SSL_TRUSTSTORE_PASSWORD_PROPERTY : + ambari_server.get_alias_string(ambari_server.SSL_TRUSTSTORE_PASSWORD_ALIAS), ambari_server.SECURITY_IS_ENCRYPTION_ENABLED : 'true'} sorted_x = sorted(result_expected.iteritems(), key=operator.itemgetter(0)) @@ -3083,8 +3082,6 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV key=operator.itemgetter(0)) self.assertEquals(sorted_x, sorted_y) - sys.stdout = sys.__stdout__ - @patch.object(ambari_server, 'read_master_key') @patch.object(ambari_server, 'read_ambari_user') 
@@ -3101,12 +3098,9 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV update_properties_method, get_master_key_location_method, read_ambari_user_method, read_master_key_method): - out = StringIO.StringIO() - sys.stdout = out - is_root_method.return_value = True p = get_ambari_properties_method.return_value - p.get_property.side_effect = [ None, "fakepasswd", None ] + p.get_property.side_effect = [ None, "fakepasswd", None, None] read_master_key_method.return_value = "aaa" get_YN_input_method.side_effect = [True, False] read_ambari_user_method.return_value = None @@ -3128,8 +3122,6 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV key=operator.itemgetter(0)) self.assertEquals(sorted_x, sorted_y) - sys.stdout = sys.__stdout__ - @patch.object(ambari_server, 'read_master_key') @patch.object(ambari_server, 'remove_password_file') @@ -3155,9 +3147,6 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV read_ambari_user_method, exists_mock, remove_password_file_method, read_master_key_method): - out = StringIO.StringIO() - sys.stdout = out - # Testing call under non-root is_root_method.return_value = False try: @@ -3175,7 +3164,7 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV read_ambari_user_method.return_value = None p = get_ambari_properties_method.return_value p.get_property.side_effect = [ 'true', '${alias=fakealias}', - '${alias=fakealias}' ] + '${alias=fakealias}', '${alias=fakealias}'] get_YN_input_method.side_effect = [ True, True ] read_master_key_method.return_value = "aaa" 
@@ -3190,13 +3179,15 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV self.assertTrue(read_master_key_method.called) self.assertTrue(update_properties_method.called) self.assertTrue(read_passwd_for_alias_method.called) - self.assertTrue(2, read_passwd_for_alias_method.call_count) - self.assertTrue(2, save_passwd_for_alias_method.call_count) + self.assertTrue(3, read_passwd_for_alias_method.call_count) + self.assertTrue(3, save_passwd_for_alias_method.call_count) result_expected = {ambari_server.JDBC_PASSWORD_PROPERTY: ambari_server.get_alias_string(ambari_server.JDBC_RCA_PASSWORD_ALIAS), ambari_server.LDAP_MGR_PASSWORD_PROPERTY: ambari_server.get_alias_string(ambari_server.LDAP_MGR_PASSWORD_ALIAS), + ambari_server.SSL_TRUSTSTORE_PASSWORD_PROPERTY: + ambari_server.get_alias_string(ambari_server.SSL_TRUSTSTORE_PASSWORD_ALIAS), ambari_server.SECURITY_IS_ENCRYPTION_ENABLED: 'true'} sorted_x = sorted(result_expected.iteritems(), key=operator.itemgetter(0)) @@ -3204,8 +3195,6 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV key=operator.itemgetter(0)) self.assertEquals(sorted_x, sorted_y) - sys.stdout = sys.__stdout__ - @patch.object(ambari_server, 'remove_password_file') @patch("os.path.exists") @@ -3230,15 +3219,12 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV get_master_key_location_method, read_ambari_user_method, exists_mock, remove_password_file_method): - out = StringIO.StringIO() - sys.stdout = out - is_root_method.return_value = True search_file_message.return_value = False read_ambari_user_method.return_value = None p = get_ambari_properties_method.return_value p.get_property.side_effect = [ 'true', '${alias=fakealias}', - '${alias=fakealias}' ] + '${alias=fakealias}', '${alias=fakealias}'] get_YN_input_method.side_effect = [ True, False ] get_validated_string_input_method.return_value = "aaa" 
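Review bot: `self.assertTrue(3, read_passwd_for_alias_method.call_count)` and the `save_passwd_for_alias_method` line under it in the -3190 hunk never check the call count: `assertTrue` takes (expr, msg), and `3` is always truthy, so the second argument is only used as a failure message. The same two lines are repeated in the -3253 hunk of this file. Since the commit is rewriting these lines anyway, make them real assertions: `self.assertEquals(3, read_passwd_for_alias_method.call_count)` and `self.assertEquals(3, save_passwd_for_alias_method.call_count)`, as the -3069 hunk already does for the save count. The enclosing test method starts before this hunk.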
@@ -3253,14 +3239,16 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV self.assertTrue(get_validated_string_input_method.called) self.assertTrue(update_properties_method.called) self.assertTrue(read_passwd_for_alias_method.called) - self.assertTrue(2, read_passwd_for_alias_method.call_count) - self.assertTrue(2, save_passwd_for_alias_method.call_count) + self.assertTrue(3, read_passwd_for_alias_method.call_count) + self.assertTrue(3, save_passwd_for_alias_method.call_count) self.assertFalse(save_master_key_method.called) result_expected = {ambari_server.JDBC_PASSWORD_PROPERTY: ambari_server.get_alias_string(ambari_server.JDBC_RCA_PASSWORD_ALIAS), ambari_server.LDAP_MGR_PASSWORD_PROPERTY: ambari_server.get_alias_string(ambari_server.LDAP_MGR_PASSWORD_ALIAS), + ambari_server.SSL_TRUSTSTORE_PASSWORD_PROPERTY: + ambari_server.get_alias_string(ambari_server.SSL_TRUSTSTORE_PASSWORD_ALIAS), ambari_server.SECURITY_IS_ENCRYPTION_ENABLED: 'true'} sorted_x = sorted(result_expected.iteritems(), key=operator.itemgetter(0)) @@ -3268,8 +3256,6 @@ MIIFHjCCAwYCCQDpHKOBI+Lt0zANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJV key=operator.itemgetter(0)) self.assertEquals(sorted_x, sorted_y) - sys.stdout = sys.__stdout__ - @patch.object(ambari_server, 'save_passwd_for_alias') @patch.object(ambari_server, 'get_YN_input')