ranger-commits mailing list archives

From dillido...@apache.org
Subject git commit: ARGUS-7: knox configwacher need not initialize credentialstore when it is talking to non ssl policy store
Date Tue, 19 Aug 2014 01:18:52 GMT
Repository: incubator-argus
Updated Branches:
  refs/heads/master 466f72fb4 -> 086831ef8


ARGUS-7: knox ConfigWatcher need not initialize the credential store when it is talking to a non-SSL
policy store


Project: http://git-wip-us.apache.org/repos/asf/incubator-argus/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-argus/commit/086831ef
Tree: http://git-wip-us.apache.org/repos/asf/incubator-argus/tree/086831ef
Diff: http://git-wip-us.apache.org/repos/asf/incubator-argus/diff/086831ef

Branch: refs/heads/master
Commit: 086831ef838f6dc3619618051c28b38b9efd0e70
Parents: 466f72f
Author: Dilli Dorai Arumugam <darumugam@hortonworks.com>
Authored: Mon Aug 18 17:51:38 2014 -0700
Committer: Dilli Dorai Arumugam <darumugam@hortonworks.com>
Committed: Mon Aug 18 18:18:46 2014 -0700

----------------------------------------------------------------------
 .../pdp/config/Jersey2ConfigWatcher.java        | 104 +++++++++++--------
 knox-agent/conf/xasecure-audit-changes.cfg      |   2 +-
 knox-agent/conf/xasecure-audit.xml              |   5 -
 .../conf/xasecure-knox-security-changes.cfg     |   1 +
 knox-agent/conf/xasecure-policymgr-ssl.xml      |  14 ---
 knox-agent/scripts/install.properties           |  20 ++++
 knox-agent/scripts/install.sh                   |  59 +++++++++++
 src/main/assembly/knox-agent.xml                |  33 +++++-
 8 files changed, 172 insertions(+), 66 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/086831ef/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2ConfigWatcher.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2ConfigWatcher.java b/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2ConfigWatcher.java
index 7ef504a..d541479 100644
--- a/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2ConfigWatcher.java
+++ b/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2ConfigWatcher.java
@@ -73,7 +73,9 @@ public abstract class Jersey2ConfigWatcher extends Thread {
 	private static final String AGENT_NAME_PARAM = "agentId" ;
 
 	private static final int MAX_AGENT_NAME_LEN = 255 ;
-
+	
+	private static final String XASECURE_KNOX_CREDENTIAL_PROVIDER_FILE  
+		= "xasecure.knox.credential.provider.file";
 
 	private String url;
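Review bot: Nothing in this commit populates the key `xasecure.knox.credential.provider.file` that the new constant names: the policy-manager SSL xml that init() loads loses its password entries but gains no provider entry, and the xasecure-knox-security-changes.cfg hunk below adds the Hadoop-standard `hadoop.security.credential.provider.path` instead. Unless a file outside this commit sets the key, `credentialProviderFile` will be null on the https path and both getCredential() lookups will run against a null provider. Either add `xasecure.knox.credential.provider.file %CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists` to the SSL config template, or have init() fall back to `conf.get("hadoop.security.credential.provider.path")`. A one-line Javadoc on the constant would also pin the contract: `/** Config key naming the JCEKS provider that holds the keystore and truststore password aliases. */`.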
 
@@ -95,11 +97,11 @@ public abstract class Jersey2ConfigWatcher extends Thread {
 	
 	private String keyStoreFile =  null ;
 	private String keyStoreFilepwd = null; 
-	private String keyStoreURL = null;
+	private String credentialProviderFile = null;
 	private String keyStoreAlias = null;
 	private String trustStoreFile = null ;
 	private String trustStoreFilepwd = null ;
-	private String trustStoreURL = null;
+	// private String trustStoreURL = null;
 	private String trustStoreAlias = null;
 	private String keyStoreType = null ;
 	private String trustStoreType = null ;
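Review bot: `// private String trustStoreURL = null;` is commented-out code rather than a removal; delete the line, and likewise the two commented-out `trustStoreURL` assignment lines in the init() hunk below. The renamed `credentialProviderFile` now backs both the keystore and the truststore lookups where two separate URLs were used before, which is worth a field comment such as `// single JCEKS provider holding both the keystore and truststore password aliases`.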
@@ -133,61 +135,73 @@ public abstract class Jersey2ConfigWatcher extends Thread {
 	
 	public void init() {
 		if (sslConfigFileName != null) {
-			LOG.debug("Loading SSL Configuration from [" + sslConfigFileName + "]");
-			InputStream in =  null ;
+			LOG.debug("Loading SSL Configuration from [" + sslConfigFileName
+					+ "]");
+			InputStream in = null;
 			try {
-				Configuration conf = new Configuration() ;
-				in = getFileInputStream(sslConfigFileName) ;
+				Configuration conf = new Configuration();
+				in = getFileInputStream(sslConfigFileName);
 				if (in != null) {
 					conf.addResource(in);
 				}
-				
-				xasecurecp = XaSecureCredentialProvider.getInstance();
-				
-				keyStoreFile = conf.get(XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE);
-				
-				keyStoreURL=conf.get(XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE_CREDENTIAL);
-				keyStoreAlias=XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE_CREDENTIAL_ALIAS;
-				
-				char[] v_keyStoreFilePwd = getCredential(keyStoreURL,keyStoreAlias);
-				if (  v_keyStoreFilePwd == null ) {
-					keyStoreFilepwd = null;
-				} else {
-					keyStoreFilepwd = new String(v_keyStoreFilePwd);
-				}
-				
-				trustStoreFile = conf.get(XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE);
-				
-				trustStoreURL=conf.get(XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL);
-				trustStoreAlias=XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL_ALIAS;
-				
-				char[] v_TrustStoreFilePwd = getCredential(trustStoreURL,trustStoreAlias);
-				if (  v_TrustStoreFilePwd == null ) {
-					trustStoreFilepwd = null;
-				} else {
-					trustStoreFilepwd = new String(v_TrustStoreFilePwd);
+
+				if (url.startsWith("https")) { 
+					xasecurecp = XaSecureCredentialProvider.getInstance();
+
+					keyStoreFile = conf
+							.get(XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE);
+
+					credentialProviderFile = conf
+							.get(XASECURE_KNOX_CREDENTIAL_PROVIDER_FILE);
+					keyStoreAlias = XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE_CREDENTIAL_ALIAS;
+
+					char[] v_keyStoreFilePwd = getCredential(credentialProviderFile,
+							keyStoreAlias);
+					if (v_keyStoreFilePwd == null) {
+						keyStoreFilepwd = null;
+					} else {
+						keyStoreFilepwd = new String(v_keyStoreFilePwd);
+					}
+
+					trustStoreFile = conf
+							.get(XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE);
+
+					//trustStoreURL = conf
+					//		.get(XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL);
+					trustStoreAlias = XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL_ALIAS;
+
+					char[] v_TrustStoreFilePwd = getCredential(credentialProviderFile,
+							trustStoreAlias);
+					if (v_TrustStoreFilePwd == null) {
+						trustStoreFilepwd = null;
+					} else {
+						trustStoreFilepwd = new String(v_TrustStoreFilePwd);
+					}
+
+					keyStoreType = conf
+							.get(XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE_TYPE,
+									XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE_TYPE_DEFAULT);
+					trustStoreType = conf
+							.get(XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_TYPE,
+									XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_TYPE_DEFAULT);
 				}
-			
-				
-				keyStoreType = conf.get(XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE_TYPE, XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE_TYPE_DEFAULT);
-				trustStoreType = conf.get(XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_TYPE,
XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_TYPE_DEFAULT);
-			}
-			catch(IOException ioe) {
-				LOG.error("Unable to load SSL Config FileName: [" + sslConfigFileName + "]", ioe);
-			}
-			finally {
+			} catch (IOException ioe) {
+				LOG.error("Unable to load SSL Config FileName: ["
+						+ sslConfigFileName + "]", ioe);
+			} finally {
 				if (in != null) {
 					try {
-						in.close() ;
+						in.close();
 					} catch (IOException e) {
-						LOG.error("Unable to close SSL Config FileName: [" + sslConfigFileName + "]", e) ;
+						LOG.error("Unable to close SSL Config FileName: ["
+								+ sslConfigFileName + "]", e);
 					}
 				}
 			}
-			
+
 			LOG.debug("Keystore filename:[" + keyStoreFile + "]");
 			LOG.debug("TrustStore filename:[" + trustStoreFile + "]");
-			
+
 		}
 	}
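Review bot: `url.startsWith("https")` on the new https branch is both null-unsafe and case-sensitive: `url` is a field assigned outside this hunk, a null value throws NullPointerException out of init() because only IOException is caught, and an `HTTPS://` URL silently skips credential loading and now also leaves keyStoreType/trustStoreType unset since their defaults moved inside the branch. A guard such as `if (url != null && url.regionMatches(true, 0, "https://", 0, 8)) {` covers both cases. Separately, the `char[]` returned by getCredential() is copied into a String and then left in memory; clearing it with `Arrays.fill(v_keyStoreFilePwd, '\0')` (and the truststore counterpart) right after the copy limits how long the plaintext lingers, even though the String copy still does. A method Javadoc stating that keystore and truststore credentials are only resolved when the policy manager URL is https would document the new contract for callers.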
 

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/086831ef/knox-agent/conf/xasecure-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/knox-agent/conf/xasecure-audit-changes.cfg b/knox-agent/conf/xasecure-audit-changes.cfg
index e3e09da..0c69ebd 100644
--- a/knox-agent/conf/xasecure-audit-changes.cfg
+++ b/knox-agent/conf/xasecure-audit-changes.cfg
@@ -1,4 +1,4 @@
 xasecure.audit.jpa.javax.persistence.jdbc.url	jdbc:mysql://%XAAUDIT.DB.HOSTNAME%/%XAAUDIT.DB.DATABASE_NAME%
mod create-if-not-exists
 xasecure.audit.jpa.javax.persistence.jdbc.user	%XAAUDIT.DB.USER_NAME% mod create-if-not-exists
-xasecure.audit.jpa.javax.persistence.jdbc.password	%XAAUDIT.DB.PASSWORD% mod create-if-not-exists
+xasecure.audit.credential.provider.file %CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists
 xasecure.audit.repository.name	%REPOSITORY_NAME% mod create-if-not-exists
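Review bot: The replacement line points the audit client at the provider file but not at the alias it must look up; install.sh stores the DB password under the literal alias `auditDBCred`, and nothing on this page shows the audit code reading that name, so the two sides agree only by convention. If the consuming code does not already hardcode `auditDBCred`, an explicit key such as `xasecure.audit.credential.alias auditDBCred mod create-if-not-exists` would make the dependency visible; otherwise a comment in install.sh beside the alias naming its consumer would do.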

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/086831ef/knox-agent/conf/xasecure-audit.xml
----------------------------------------------------------------------
diff --git a/knox-agent/conf/xasecure-audit.xml b/knox-agent/conf/xasecure-audit.xml
index 996d06f..d72a3c9 100644
--- a/knox-agent/conf/xasecure-audit.xml
+++ b/knox-agent/conf/xasecure-audit.xml
@@ -19,11 +19,6 @@
 	</property>
 
 	<property>
-		<name>xasecure.audit.jpa.javax.persistence.jdbc.password</name>
-		<value>xaaudit</value>
-	</property>
-
-	<property>
 		<name>xasecure.audit.jpa.javax.persistence.jdbc.driver</name>
 		<value>com.mysql.jdbc.Driver</value>
 	</property>

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/086831ef/knox-agent/conf/xasecure-knox-security-changes.cfg
----------------------------------------------------------------------
diff --git a/knox-agent/conf/xasecure-knox-security-changes.cfg b/knox-agent/conf/xasecure-knox-security-changes.cfg
index e7dd10b..6bb832d 100644
--- a/knox-agent/conf/xasecure-knox-security-changes.cfg
+++ b/knox-agent/conf/xasecure-knox-security-changes.cfg
@@ -6,4 +6,5 @@ knox.authorization.verifier.classname					com.xasecure.pdp.knox.XASecureAuthoriz
 xasecure.knox.policymgr.url							%POLICY_MGR_URL%/service/assets/policyList/%REPOSITORY_NAME%
	    mod create-if-not-exists
 xasecure.knox.policymgr.url.saveAsFile				   	/tmp/knox%REPOSITORY_NAME%_json  									mod
create-if-not-exists
 xasecure.knox.policymgr.url.reloadIntervalInMillis 	30000 																mod create-if-not-exists
+hadoop.security.credential.provider.path %CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists
 xasecure.knox.policymgr.ssl.config						/etc/knox/conf/xasecure-policymgr-ssl.xml							mod
create-if-not-exists
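Review bot: The value substituted here is the bare file path (`/etc/xasecure/conf/knoxdev-credstore.jceks` per install.properties), while the install.sh hunk addresses the same store as `jceks://file${jceksFile}`. Hadoop resolves `hadoop.security.credential.provider.path` as a provider URI, so `hadoop.security.credential.provider.path jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists` is most likely the form the runtime expects; worth confirming against whichever code reads this key, since a bare path would make the lookup fail silently at runtime rather than at install time.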

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/086831ef/knox-agent/conf/xasecure-policymgr-ssl.xml
----------------------------------------------------------------------
diff --git a/knox-agent/conf/xasecure-policymgr-ssl.xml b/knox-agent/conf/xasecure-policymgr-ssl.xml
index 60f5387..61d9e1a 100644
--- a/knox-agent/conf/xasecure-policymgr-ssl.xml
+++ b/knox-agent/conf/xasecure-policymgr-ssl.xml
@@ -10,24 +10,10 @@
 		</description>
 	</property>
 	<property>
-		<name>xasecure.policymgr.clientssl.keystore.password</name>
-		<value>xasecure</value>
-		<description> 
-			password for keystore 
-		</description>
-	</property>
-	<property>
 		<name>xasecure.policymgr.clientssl.truststore</name>
 		<value>cacerts-xasecure.jks</value>
 		<description> 
 			java truststore file
 		</description>
 	</property>
-		<property>
-		<name>xasecure.policymgr.clientssl.truststore.password</name>
-		<value>changeit</value>
-		<description> 
-			java  truststore password
-		</description>
-	</property>
 </configuration>

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/086831ef/knox-agent/scripts/install.properties
----------------------------------------------------------------------
diff --git a/knox-agent/scripts/install.properties b/knox-agent/scripts/install.properties
index 548cab9..84be394 100644
--- a/knox-agent/scripts/install.properties
+++ b/knox-agent/scripts/install.properties
@@ -26,6 +26,26 @@ REPOSITORY_NAME=knoxdev
 KNOX_HOME=/usr/lib/knox
 
 #
+# POLICY CACHE FILE PATH
+# 
+# This information is used to configure the path where the policy cache is stored.
+# 
+# Example:
+# POLICY_CACHE_FILE_PATH=/home/knox
+# 
+
+POLICY_CACHE_FILE_PATH=
+
+#
+# Credential Provider File Path
+#
+# CREDENTIAL_PROVIDER_FILE=/etc/xasecure/conf/{repoName}-credstore.jceks
+#
+
+CREDENTIAL_PROVIDER_FILE=/etc/xasecure/conf/knoxdev-credstore.jceks
+
+#
+
 # AUDIT DB Configuration
 # 
 #  This information should match with the one you specified during the PolicyManager Installation
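Review bot: `CREDENTIAL_PROVIDER_FILE=/etc/xasecure/conf/knoxdev-credstore.jceks` bakes the repository name into the default while `REPOSITORY_NAME=knoxdev` is a separate setting just above this hunk; an operator who changes one and not the other ends up with a store named after the wrong repository, and the `{repoName}` in the comment suggests the intent was to derive it. `POLICY_CACHE_FILE_PATH=` is added empty and no hunk on this page reads it; if it is consumed elsewhere, a comment stating what an empty value means would help, otherwise it reads as a leftover.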

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/086831ef/knox-agent/scripts/install.sh
----------------------------------------------------------------------
diff --git a/knox-agent/scripts/install.sh b/knox-agent/scripts/install.sh
index 753e71d..50800d1 100644
--- a/knox-agent/scripts/install.sh
+++ b/knox-agent/scripts/install.sh
@@ -2,6 +2,16 @@
 
 # TODO: change <name>AclsAuthz<name> to <name>XASecurePDPKnox</name>
for provider <role>authorization<role>
 
+function create_jceks()
+{
+       alias=$1
+       pass=$2
+       jceksFile=$3
+       java -cp "${install_dir}/cred/lib/*" com.hortonworks.credentialapi.buildks create
${alias} -value ${pass} -provider jceks://file${jceksFile}
+}
+
+
+
 MY_ID=`id -u`
 
 if [ "${MY_ID}" -ne 0 ]
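Review bot: `create_jceks` passes the secret as a command-line argument (`-value ${pass}`), which is visible to every local user in the process table for the lifetime of the java process; if the credentialbuilder tool can take the value from stdin or a prompt that is preferable, and if it cannot, the exposure is worth a comment at the function. The expansions are also unquoted, so a password containing whitespace or glob characters is split or expanded before it reaches the tool; `java -cp "${install_dir}/cred/lib/*" com.hortonworks.credentialapi.buildks create "${alias}" -value "${pass}" -provider "jceks://file${jceksFile}"` avoids that. `${install_dir}` is referenced here but assigned outside this hunk; it is resolved at call time, so this is fine only as long as the call sites run after it is set.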
@@ -171,6 +181,55 @@ done
 chmod go-rwx ${KNOX_CONF}/xasecure-policymgr-ssl.xml
 chown ${CONFIG_FILE_OWNER} ${KNOX_CONF}/xasecure-policymgr-ssl.xml
 
+#
+# -- Cred Changes
+#
+
+CredFile=`grep '^CREDENTIAL_PROVIDER_FILE' ${install_dir}/install.properties | awk -F= '{
print $2 }'`
+
+if ! [ `echo ${CredFile} | grep '^/.*'` ]
+then
+  echo "Please enter the Credential File Store with proper file path"
+  exit 1
+fi
+
+#
+# Generate Credential Provider file and Credential for Audit DB access.
+#
+
+
+auditDbPasswordAlias="auditDBCred"
+
+auditDbPassword=`grep '^XAAUDIT.DB.PASSWORD' ${install_dir}/install.properties | awk -F=
'{ print $2 }'`
+
+create_jceks ${auditDbPasswordAlias} ${auditDbPassword} ${CredFile}
+
+
+#
+# Generate Credential Provider file and Credential for SSL KEYSTORE AND TRUSTSTORE
+#
+
+
+sslKeystorePasswordAlias="sslKeyStorePassword"
+
+sslKeystorePassword=`grep '^SSL_KEYSTORE_PASSWORD' ${install_dir}/install.properties | awk
-F= '{ print $2 }'`
+
+create_jceks ${sslKeystorePasswordAlias} ${sslKeystorePassword} ${CredFile}
+
+
+sslTruststorePasswordAlias="sslTrustStorePassword"
+
+sslTruststorePassword=`grep '^SSL_TRUSTSTORE_PASSWORD' ${install_dir}/install.properties
| awk -F= '{ print $2 }'`
+
+create_jceks ${sslTruststorePasswordAlias} ${sslTruststorePassword} ${CredFile}
+
+chown ${CONFIG_FILE_OWNER} ${CredFile} 
+
+#
+# -- End - Cred Changes
+#
+
+
 # update topology files - replace <name>AclsAuthz</name> with <name>XASecurePDPKnox</name>
 # ${PRE_INSTALL_CONFIG}/topologies/topologies/*.xml
 for fn in `ls ${PRE_INSTALL_CONFIG}/topologies/*.xml`
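Review bot: The generated credential store receives `chown` but no `chmod`, unlike `xasecure-policymgr-ssl.xml` two lines above the hunk, so the file holding the audit DB password and both SSL store passwords is created with the umask default and may be world-readable; add `chmod go-rwx ${CredFile}` beside the chown. The three `awk -F= '{ print $2 }'` extractions truncate any password containing `=`, and the unquoted `create_jceks ${alias} ${password} ${CredFile}` calls split passwords on whitespace and, when a password is empty (plausible for the SSL ones when the policy manager is plain http), shift `${CredFile}` into the value position. Using `cut -d= -f2-` and quoting the arguments fixes both; skipping the SSL entries when the value is blank may also be appropriate but depends on how the agent treats a missing alias.
```shell
auditDbPassword=`grep '^XAAUDIT.DB.PASSWORD=' ${install_dir}/install.properties | cut -d= -f2-`
create_jceks "${auditDbPasswordAlias}" "${auditDbPassword}" "${CredFile}"
# … unchanged: ssl alias definitions …
sslKeystorePassword=`grep '^SSL_KEYSTORE_PASSWORD=' ${install_dir}/install.properties | cut -d= -f2-`
create_jceks "${sslKeystorePasswordAlias}" "${sslKeystorePassword}" "${CredFile}"
sslTruststorePassword=`grep '^SSL_TRUSTSTORE_PASSWORD=' ${install_dir}/install.properties | cut -d= -f2-`
create_jceks "${sslTruststorePasswordAlias}" "${sslTruststorePassword}" "${CredFile}"
chown ${CONFIG_FILE_OWNER} ${CredFile}
chmod go-rwx ${CredFile}
```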

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/086831ef/src/main/assembly/knox-agent.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/knox-agent.xml b/src/main/assembly/knox-agent.xml
index 2ca6e08..b83bb1a 100644
--- a/src/main/assembly/knox-agent.xml
+++ b/src/main/assembly/knox-agent.xml
@@ -16,8 +16,10 @@
             <dependencySet>
                 <outputDirectory>/lib</outputDirectory>
                 <includes>
+                    <include>commons-configuration:commons-configuration</include>
+                    <include>org.glassfish.jersey.core:jersey-client</include>
                     <include>com.google.code.gson:gson*</include>
-					<include>org.eclipse.persistence:eclipselink</include>
+                    <include>org.eclipse.persistence:eclipselink</include>
                     <include>org.eclipse.persistence:javax.persistence</include>
                 </includes>
                 <unpack>false</unpack>
@@ -43,6 +45,35 @@
 	<include>security_agents.agents-installer:agents-installer</include>
      </includes>
     </moduleSet>
+    <moduleSet>
+         <binaries>
+            <includeDependencies>false</includeDependencies>
+            <outputDirectory>/cred/lib</outputDirectory>
+            <unpack>false</unpack>
+            <directoryMode>755</directoryMode>
+            <fileMode>644</fileMode>
+            <dependencySets>
+                <dependencySet>
+                    <outputDirectory>/cred/lib</outputDirectory>
+                    <unpack>false</unpack>
+                    <includes>
+                        <include>commons-cli:commons-cli</include>
+                        <include>commons-collections:commons-collections</include>
+                        <include>commons-configuration:commons-configuration</include>
+                        <include>commons-lang:commons-lang</include>
+                        <include>commons-logging:commons-logging</include>
+                        <include>com.google.guava:guava</include>
+                        <include>org.hamcrest:hamcrest-all</include>
+                        <include>junit:junit</include>
+                        <include>org.slf4j:slf4j-api</include>
+                        <include>org.apache.hadoop:hadoop-common</include>
+                        <include>org.apache.hadoop:hadoop-auth</include>
+                        <include>com.hortonworks.hadoop.security:credentialbuilder</include>
+                    </includes>
+                </dependencySet>
+            </dependencySets>
+         </binaries>
+        </moduleSet>
   </moduleSets> 	
   <fileSets>
 	<fileSet>
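Review bot: The new `/cred/lib` dependency set ships `junit:junit` and `org.hamcrest:hamcrest-all` into the installer; these are test-scope libraries, and unless `credentialbuilder` genuinely needs them at run time they should be dropped so the distributed classpath used by `create_jceks` carries only what it executes. The moduleSet also has no `<includes>` naming a module, so it applies to every module in the build; if only one module is intended, an entry like the `security_agents.agents-installer:agents-installer` include visible in the preceding moduleSet's context would pin it.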

