From dillido...@apache.org
Subject git commit: ARGUS-16: knox agent installer should store passwords encrypted in credential store
Date Thu, 21 Aug 2014 01:01:07 GMT
Repository: incubator-argus
Updated Branches:
  refs/heads/master e5656c1b7 -> 6b5bf61cf


ARGUS-16: knox agent installer should store passwords encrypted in credential store


Project: http://git-wip-us.apache.org/repos/asf/incubator-argus/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-argus/commit/6b5bf61c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-argus/tree/6b5bf61c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-argus/diff/6b5bf61c

Branch: refs/heads/master
Commit: 6b5bf61cf389b304583eea62b9189768aa14499f
Parents: e5656c1
Author: Dilli Dorai Arumugam <darumugam@hortonworks.com>
Authored: Wed Aug 20 17:35:56 2014 -0700
Committer: Dilli Dorai Arumugam <darumugam@hortonworks.com>
Committed: Wed Aug 20 17:58:46 2014 -0700

----------------------------------------------------------------------
 .../pdp/config/Jersey2ConfigWatcher.java        | 43 +++++++++-----------
 knox-agent/conf/xasecure-audit-changes.cfg      |  2 +-
 knox-agent/conf/xasecure-audit.xml              | 11 +++--
 .../conf/xasecure-policymgr-ssl-changes.cfg     |  3 +-
 knox-agent/conf/xasecure-policymgr-ssl.xml      |  4 +-
 knox-agent/scripts/install.properties           | 20 +++------
 knox-agent/scripts/install.sh                   |  2 -
 src/main/assembly/knox-agent.xml                |  2 +
 8 files changed, 39 insertions(+), 48 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6b5bf61c/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2ConfigWatcher.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2ConfigWatcher.java b/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2ConfigWatcher.java
index d541479..e58ff60 100644
--- a/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2ConfigWatcher.java
+++ b/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2ConfigWatcher.java
@@ -95,14 +95,11 @@ public abstract class Jersey2ConfigWatcher extends Thread {
 	
 	public abstract void doOnChange();
 	
-	private String keyStoreFile =  null ;
-	private String keyStoreFilepwd = null; 
 	private String credentialProviderFile = null;
-	private String keyStoreAlias = null;
+	private String keyStoreFile =  null ;
+	private String keyStorePassword = null; 
 	private String trustStoreFile = null ;
-	private String trustStoreFilepwd = null ;
-	// private String trustStoreURL = null;
-	private String trustStoreAlias = null;
+	private String trustStorePassword = null ;
 	private String keyStoreType = null ;
 	private String trustStoreType = null ;
 	private SSLContext sslContext = null ;
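Review bot: The renamed fields `keyStorePassword` and `trustStorePassword` still hold the secrets as immutable `String`, so the `char[]` that `getCredential()` returns is copied into heap strings that can never be wiped, and the `new String(...)` sites in the next two hunks plus every `toCharArray()` copy in the keystore-loading hunks further down multiply those copies. Declaring the fields as `private char[] keyStorePassword` / `private char[] trustStorePassword`, passing them straight to `KeyStore.load` and `KeyManagerFactory.init`, and `Arrays.fill(..., '\0')`-ing the provider's array once the SSLContext is built would let the agent drop the secret after use. The enclosing class continues outside the hunk, so any other readers of these fields are not visible here.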
@@ -153,14 +150,14 @@ public abstract class Jersey2ConfigWatcher extends Thread {
 
 					credentialProviderFile = conf
 							.get(XASECURE_KNOX_CREDENTIAL_PROVIDER_FILE);
-					keyStoreAlias = XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE_CREDENTIAL_ALIAS;
+					String keyStorePasswordAlias = XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE_CREDENTIAL_ALIAS;
 
-					char[] v_keyStoreFilePwd = getCredential(credentialProviderFile,
-							keyStoreAlias);
-					if (v_keyStoreFilePwd == null) {
-						keyStoreFilepwd = null;
+					char[] v_keyStorePassword = getCredential(credentialProviderFile,
+							keyStorePasswordAlias);
+					if (v_keyStorePassword == null) {
+						keyStorePassword = null;
 					} else {
-						keyStoreFilepwd = new String(v_keyStoreFilePwd);
+						keyStorePassword = new String(v_keyStorePassword);
 					}
 
 					trustStoreFile = conf
@@ -168,14 +165,14 @@ public abstract class Jersey2ConfigWatcher extends Thread {
 
 					//trustStoreURL = conf
 					//		.get(XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL);
-					trustStoreAlias = XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL_ALIAS;
+					String trustStorePasswordAlias = XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL_ALIAS;
 
-					char[] v_TrustStoreFilePwd = getCredential(credentialProviderFile,
-							trustStoreAlias);
-					if (v_TrustStoreFilePwd == null) {
-						trustStoreFilepwd = null;
+					char[] v_trustStorePassword = getCredential(credentialProviderFile,
+							trustStorePasswordAlias);
+					if (v_trustStorePassword == null) {
+						trustStorePassword = null;
 					} else {
-						trustStoreFilepwd = new String(v_TrustStoreFilePwd);
+						trustStorePassword = new String(v_trustStorePassword);
 					}
 
 					keyStoreType = conf
@@ -392,7 +389,7 @@ public abstract class Jersey2ConfigWatcher extends Thread {
 				KeyManager[] kmList = null;
 				TrustManager[] tmList = null;
 	
-				if (keyStoreFile != null && keyStoreFilepwd != null) {
+				if (keyStoreFile != null && keyStorePassword != null) {
 	
 					KeyStore keyStore = KeyStore.getInstance(keyStoreType);
 					InputStream in = null ;
@@ -402,9 +399,9 @@ public abstract class Jersey2ConfigWatcher extends Thread {
 							LOG.error("Unable to obtain keystore from file [" + keyStoreFile + "]");
 							return client ;
 						}
-						keyStore.load(in, keyStoreFilepwd.toCharArray());
+						keyStore.load(in, keyStorePassword.toCharArray());
 						KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(XaSecureConstants.XASECURE_SSL_KEYMANAGER_ALGO_TYPE);
-						keyManagerFactory.init(keyStore, keyStoreFilepwd.toCharArray());
+						keyManagerFactory.init(keyStore, keyStorePassword.toCharArray());
 						kmList = keyManagerFactory.getKeyManagers();
 					}
 					finally {
@@ -415,7 +412,7 @@ public abstract class Jersey2ConfigWatcher extends Thread {
 					 
 				}
 	
-				if (trustStoreFile != null && trustStoreFilepwd != null) {
+				if (trustStoreFile != null && trustStorePassword != null) {
 	
 					KeyStore trustStore = KeyStore.getInstance(trustStoreType);
 					InputStream in = null ;
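Review bot: The guard `if (trustStoreFile != null && trustStorePassword != null)` skips loading the trust store entirely when the password alias is absent from the credential store, even though `KeyStore.load` accepts a null password for a read-only trust store; with the move to a jceks file, a missing alias therefore leaves `tmList` null and falls back silently to whatever the code outside the hunk does with it. Suggest requiring only the file, `trustStore.load(in, trustStorePassword == null ? null : trustStorePassword.toCharArray())`, or at least `LOG.warn`-ing when the file is configured but no password was resolved. The keystore guard two hunks up has the same silent-skip shape, though there a password is genuinely needed.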
@@ -425,7 +422,7 @@ public abstract class Jersey2ConfigWatcher extends Thread {
 							LOG.error("Unable to obtain keystore from file [" + trustStoreFile + "]");
 							return client ;
 						}
-						trustStore.load(in, trustStoreFilepwd.toCharArray());
+						trustStore.load(in, trustStorePassword.toCharArray());
 						TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(XaSecureConstants.XASECURE_SSL_TRUSTMANAGER_ALGO_TYPE);
 						trustManagerFactory.init(trustStore);
 						tmList = trustManagerFactory.getTrustManagers();

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6b5bf61c/knox-agent/conf/xasecure-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/knox-agent/conf/xasecure-audit-changes.cfg b/knox-agent/conf/xasecure-audit-changes.cfg
index 0c69ebd..d788796 100644
--- a/knox-agent/conf/xasecure-audit-changes.cfg
+++ b/knox-agent/conf/xasecure-audit-changes.cfg
@@ -1,4 +1,4 @@
 xasecure.audit.jpa.javax.persistence.jdbc.url	jdbc:mysql://%XAAUDIT.DB.HOSTNAME%/%XAAUDIT.DB.DATABASE_NAME%
mod create-if-not-exists
 xasecure.audit.jpa.javax.persistence.jdbc.user	%XAAUDIT.DB.USER_NAME% mod create-if-not-exists
-xasecure.audit.credential.provider.file %CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists
+xasecure.audit.credential.provider.file jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists
 xasecure.audit.repository.name	%REPOSITORY_NAME% mod create-if-not-exists
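Review bot: The new value `jceks://file%CREDENTIAL_PROVIDER_FILE%` only forms a valid provider URI when `CREDENTIAL_PROVIDER_FILE` expands to an absolute path (`jceks://file/usr/lib/...`); a relative value would yield `jceks://filefoo.jceks` with no separator and fail in a way that is hard to diagnose. The install.properties default in this commit is absolute, but a comment in the cfg, `# CREDENTIAL_PROVIDER_FILE must be an absolute path; the jceks://file prefix is prepended verbatim`, or a check in install.sh would make the assumption explicit. The same template is added to xasecure-policymgr-ssl-changes.cfg below.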

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6b5bf61c/knox-agent/conf/xasecure-audit.xml
----------------------------------------------------------------------
diff --git a/knox-agent/conf/xasecure-audit.xml b/knox-agent/conf/xasecure-audit.xml
index d72a3c9..a5252d1 100644
--- a/knox-agent/conf/xasecure-audit.xml
+++ b/knox-agent/conf/xasecure-audit.xml
@@ -10,12 +10,17 @@
 	<!--  Properties whose name begin with "xasecure.audit." are used to configure JPA -->
 	<property>
 		<name>xasecure.audit.jpa.javax.persistence.jdbc.url</name>
-		<value>jdbc:mysql://localhost:3306/xa_db</value>
+		<value>jdbc:mysql://localhost:3306/xasecure_audit</value>
 	</property>
 
 	<property>
 		<name>xasecure.audit.jpa.javax.persistence.jdbc.user</name>
-		<value>xaaudit</value>
+		<value>xalogger</value>
+	</property>
+
+	<property>
+		<name>xasecure.audit.jpa.javax.persistence.jdbc.password</name>
+		<value>crypted</value>
 	</property>
 
 	<property>
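Review bot: The new `xasecure.audit.jpa.javax.persistence.jdbc.password` property carries the literal `crypted` with no `<description>`, so a reader cannot tell whether it is a marker meaning "resolve from the credential provider file" or a default the installer overwrites. Given the commit's intent, the property should say which, e.g. `<description>Placeholder; the actual password is read from the file named by xasecure.audit.credential.provider.file</description>` if that is the case. If instead the installer substitutes the real password into this file, it would hold the secret in clear, which contradicts the commit subject.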
@@ -60,7 +65,7 @@
 	
 	<property>
 		<name>xasecure.audit.db.is.async</name>
-		<value>true</value>
+		<value>false</value>
 	</property>	
 	
 	<property>
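Review bot: The flip of `xasecure.audit.db.is.async` from `true` to `false` is unrelated to the credential-store change in the subject and is not explained anywhere in the commit. If it is deliberate, the commit message or a `<description>` on the property should say why, since a synchronous audit write presumably puts the audit database on the agent's request path.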

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6b5bf61c/knox-agent/conf/xasecure-policymgr-ssl-changes.cfg
----------------------------------------------------------------------
diff --git a/knox-agent/conf/xasecure-policymgr-ssl-changes.cfg b/knox-agent/conf/xasecure-policymgr-ssl-changes.cfg
index 99900d7..41d161f 100644
--- a/knox-agent/conf/xasecure-policymgr-ssl-changes.cfg
+++ b/knox-agent/conf/xasecure-policymgr-ssl-changes.cfg
@@ -2,6 +2,5 @@
 # SSL Params
 #
 xasecure.policymgr.clientssl.keystore				%SSL_KEYSTORE_FILE_PATH%												mod create-if-not-exists
-xasecure.policymgr.clientssl.keystore.password		%SSL_KEYSTORE_PASSWORD%													mod create-if-not-exists
 xasecure.policymgr.clientssl.truststore				%SSL_TRUSTSTORE_FILE_PATH%												mod create-if-not-exists
-xasecure.policymgr.clientssl.truststore.password	%SSL_TRUSTSTORE_PASSWORD%												mod
create-if-not-exists
\ No newline at end of file
+xasecure.knox.credential.provider.file jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6b5bf61c/knox-agent/conf/xasecure-policymgr-ssl.xml
----------------------------------------------------------------------
diff --git a/knox-agent/conf/xasecure-policymgr-ssl.xml b/knox-agent/conf/xasecure-policymgr-ssl.xml
index 61d9e1a..d527f7a 100644
--- a/knox-agent/conf/xasecure-policymgr-ssl.xml
+++ b/knox-agent/conf/xasecure-policymgr-ssl.xml
@@ -4,14 +4,14 @@
 	<!--  The following properties are used for 2-way SSL client server validation -->
 	<property>
 		<name>xasecure.policymgr.clientssl.keystore</name>
-		<value>knoxdev-clientcert.jks</value>
+		<value>/usr/lib/knox/conf/knox-clientcert.jks</value>
 		<description> 
 			Java Keystore files 
 		</description>
 	</property>
 	<property>
 		<name>xasecure.policymgr.clientssl.truststore</name>
-		<value>cacerts-xasecure.jks</value>
+		<value>/usr/lib/knox/conf/knox-cacets.jks</value>
 		<description> 
 			java truststore file
 		</description>
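Review bot: The new truststore path `/usr/lib/knox/conf/knox-cacets.jks` looks like a misspelling of `cacerts` (the replaced value was `cacerts-xasecure.jks`). Unless the installer creates a file under exactly that name, Jersey2ConfigWatcher will log "Unable to obtain keystore from file" and return the client without the configured trust managers. Suggest `<value>/usr/lib/knox/conf/knox-cacerts.jks</value>`, or verifying the name against install.sh, whose relevant body is outside this diff.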

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6b5bf61c/knox-agent/scripts/install.properties
----------------------------------------------------------------------
diff --git a/knox-agent/scripts/install.properties b/knox-agent/scripts/install.properties
index 84be394..b7db025 100644
--- a/knox-agent/scripts/install.properties
+++ b/knox-agent/scripts/install.properties
@@ -25,24 +25,14 @@ REPOSITORY_NAME=knoxdev
 # KNOX_HOME directory, would contain conf/, ext/ subdirectories
 KNOX_HOME=/usr/lib/knox
 
-#
-# POLICY CACHE FILE PATH
-# 
-# This information is used to configure the path where the policy cache is stored.
-# 
-# Example:
-# POLICY_CACHE_FILE_PATH=/home/knox
-# 
-
-POLICY_CACHE_FILE_PATH=
 
 #
 # Credential Provider File Path
 #
-# CREDENTIAL_PROVIDER_FILE=/etc/xasecure/conf/{repoName}-credstore.jceks
+# CREDENTIAL_PROVIDER_FILE=/usr/lib/knox/conf/{repoName}-credstore.jceks
 #
 
-CREDENTIAL_PROVIDER_FILE=/etc/xasecure/conf/knoxdev-credstore.jceks
+CREDENTIAL_PROVIDER_FILE=/usr/lib/knox/conf/xasecure-knoxdev-credstore.jceks
 
 #
 
@@ -52,14 +42,14 @@ CREDENTIAL_PROVIDER_FILE=/etc/xasecure/conf/knoxdev-credstore.jceks
 # 
 # Example:
 # XAAUDIT.DB.HOSTNAME=localhost
-# XAAUDIT.DB.DATABASE_NAME=xasecure
+# XAAUDIT.DB.DATABASE_NAME=xasecure_audit
 # XAAUDIT.DB.USER_NAME=xalogger
-# XAAUDIT.DB.PASSWORD=
+# XAAUDIT.DB.PASSWORD=xalogger
 #
 #
 
 XAAUDIT.DB.HOSTNAME=localhost
-XAAUDIT.DB.DATABASE_NAME=xasecure
+XAAUDIT.DB.DATABASE_NAME=xasecure_audit
 XAAUDIT.DB.USER_NAME=xalogger
 XAAUDIT.DB.PASSWORD=xalogger
 
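Review bot: The example comment now shows a concrete password, `# XAAUDIT.DB.PASSWORD=xalogger`, and the live setting below carries the same value in clear, so a file meant to feed the credential store still ships a default database password. Keep the example empty (`# XAAUDIT.DB.PASSWORD=`) and add a comment that the installer moves the value into CREDENTIAL_PROVIDER_FILE and that install.properties should be readable only by the installing user, assuming `create_jceks` in install.sh performs that move (its body is outside this diff).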

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6b5bf61c/knox-agent/scripts/install.sh
----------------------------------------------------------------------
diff --git a/knox-agent/scripts/install.sh b/knox-agent/scripts/install.sh
index 50800d1..9ae9213 100644
--- a/knox-agent/scripts/install.sh
+++ b/knox-agent/scripts/install.sh
@@ -1,7 +1,5 @@
 #!/bin/bash
 
-# TODO: change <name>AclsAuthz<name> to <name>XASecurePDPKnox</name>
for provider <role>authorization<role>
-
 function create_jceks()
 {
        alias=$1

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6b5bf61c/src/main/assembly/knox-agent.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/knox-agent.xml b/src/main/assembly/knox-agent.xml
index b83bb1a..c865265 100644
--- a/src/main/assembly/knox-agent.xml
+++ b/src/main/assembly/knox-agent.xml
@@ -17,6 +17,8 @@
                 <outputDirectory>/lib</outputDirectory>
                 <includes>
                     <include>commons-configuration:commons-configuration</include>
+                    <include>org.apache.hadoop:hadoop-common</include>
+                    <include>org.apache.hadoop:hadoop-common-plus</include>
                     <include>org.glassfish.jersey.core:jersey-client</include>
                     <include>com.google.code.gson:gson*</include>
                     <include>org.eclipse.persistence:eclipselink</include>
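Review bot: The two new includes pull `org.apache.hadoop:hadoop-common` and `org.apache.hadoop:hadoop-common-plus` into the agent's /lib, presumably for the credential-provider API behind `getCredential()`; an XML comment stating that purpose, `<!-- required for the JCEKS credential provider used by Jersey2ConfigWatcher -->`, would stop a later cleanup from dropping them. Note that an assembly `<include>` list admits only the artifacts it names, so hadoop-common's own transitive dependencies are not pulled in unless the dependencySet is configured for that; worth confirming the agent still starts with just these jars.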

