From: dillidorai@apache.org To: commits@argus.incubator.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: git commit: ARGUS-7: knox configwacher need not initialize credentialstore when it is talking to non ssl policy store Date: Tue, 19 Aug 2014 01:18:52 +0000 (UTC) X-Virus-Checked: Checked by ClamAV on apache.org Repository: incubator-argus Updated Branches: refs/heads/master 466f72fb4 -> 086831ef8 ARGUS-7: knox configwacher need not initialize credentialstore when it is talking to non ssl policy store Project: http://git-wip-us.apache.org/repos/asf/incubator-argus/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-argus/commit/086831ef Tree: http://git-wip-us.apache.org/repos/asf/incubator-argus/tree/086831ef Diff: http://git-wip-us.apache.org/repos/asf/incubator-argus/diff/086831ef Branch: refs/heads/master Commit: 086831ef838f6dc3619618051c28b38b9efd0e70 Parents: 466f72f Author: Dilli Dorai Arumugam Authored: Mon Aug 18 17:51:38 2014 -0700 Committer: Dilli Dorai Arumugam Committed: Mon Aug 18 18:18:46 2014 -0700 ---------------------------------------------------------------------- .../pdp/config/Jersey2ConfigWatcher.java | 104 +++++++++++-------- knox-agent/conf/xasecure-audit-changes.cfg | 2 +- knox-agent/conf/xasecure-audit.xml | 5 - .../conf/xasecure-knox-security-changes.cfg | 1 + knox-agent/conf/xasecure-policymgr-ssl.xml | 14 --- knox-agent/scripts/install.properties | 20 ++++ knox-agent/scripts/install.sh | 59 +++++++++++ src/main/assembly/knox-agent.xml | 33 +++++- 8 files changed, 172 insertions(+), 66 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/086831ef/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2ConfigWatcher.java ---------------------------------------------------------------------- 
diff --git a/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2ConfigWatcher.java b/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2ConfigWatcher.java index 7ef504a..d541479 100644 --- a/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2ConfigWatcher.java +++ b/agents-impl/src/main/java/com/xasecure/pdp/config/Jersey2ConfigWatcher.java @@ -73,7 +73,9 @@ public abstract class Jersey2ConfigWatcher extends Thread { private static final String AGENT_NAME_PARAM = "agentId" ; private static final int MAX_AGENT_NAME_LEN = 255 ; - + + private static final String XASECURE_KNOX_CREDENTIAL_PROVIDER_FILE + = "xasecure.knox.credential.provider.file"; private String url; @@ -95,11 +97,11 @@ public abstract class Jersey2ConfigWatcher extends Thread { private String keyStoreFile = null ; private String keyStoreFilepwd = null; - private String keyStoreURL = null; + private String credentialProviderFile = null; private String keyStoreAlias = null; private String trustStoreFile = null ; private String trustStoreFilepwd = null ; - private String trustStoreURL = null; + // private String trustStoreURL = null; private String trustStoreAlias = null; private String keyStoreType = null ; private String trustStoreType = null ; 
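Review bot: The replaced field is kept as a commented-out line, `+ // private String trustStoreURL = null;`, and the matching commented-out `conf.get(XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL)` is carried into the `init()` hunk below; since nothing references `trustStoreURL` any more, delete both lines rather than parking them in comments. The new constant would also benefit from saying where it is read from, e.g. `// Key in the SSL config file naming the credential store that holds the keystore/truststore passwords.`, and its `xasecure.knox.` prefix is worth a remark if this watcher class is shared by non-Knox agents (not visible here). The enclosing class starts outside both hunks.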
@@ -133,61 +135,73 @@ public abstract class Jersey2ConfigWatcher extends Thread { public void init() { if (sslConfigFileName != null) { - LOG.debug("Loading SSL Configuration from [" + sslConfigFileName + "]"); - InputStream in = null ; + LOG.debug("Loading SSL Configuration from [" + sslConfigFileName + + "]"); + InputStream in = null; try { - Configuration conf = new Configuration() ; - in = getFileInputStream(sslConfigFileName) ; + Configuration conf = new Configuration(); + in = getFileInputStream(sslConfigFileName); if (in != null) { conf.addResource(in); } - - xasecurecp = XaSecureCredentialProvider.getInstance(); - - keyStoreFile = conf.get(XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE); - - keyStoreURL=conf.get(XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE_CREDENTIAL); - keyStoreAlias=XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE_CREDENTIAL_ALIAS; - - char[] v_keyStoreFilePwd = getCredential(keyStoreURL,keyStoreAlias); - if ( v_keyStoreFilePwd == null ) { - keyStoreFilepwd = null; - } else { - keyStoreFilepwd = new String(v_keyStoreFilePwd); - } - - trustStoreFile = conf.get(XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE); - - trustStoreURL=conf.get(XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL); - trustStoreAlias=XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL_ALIAS; - - char[] v_TrustStoreFilePwd = getCredential(trustStoreURL,trustStoreAlias); - if ( v_TrustStoreFilePwd == null ) { - trustStoreFilepwd = null; - } else { - trustStoreFilepwd = new String(v_TrustStoreFilePwd); + + if (url.startsWith("https")) { + xasecurecp = XaSecureCredentialProvider.getInstance(); + + keyStoreFile = conf + .get(XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE); + + credentialProviderFile = conf + .get(XASECURE_KNOX_CREDENTIAL_PROVIDER_FILE); + keyStoreAlias = XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE_CREDENTIAL_ALIAS; + + char[] v_keyStoreFilePwd = getCredential(credentialProviderFile, + 
keyStoreAlias); + if (v_keyStoreFilePwd == null) { + keyStoreFilepwd = null; + } else { + keyStoreFilepwd = new String(v_keyStoreFilePwd); + } + + trustStoreFile = conf + .get(XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE); + + //trustStoreURL = conf + // .get(XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL); + trustStoreAlias = XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_CREDENTIAL_ALIAS; + + char[] v_TrustStoreFilePwd = getCredential(credentialProviderFile, + trustStoreAlias); + if (v_TrustStoreFilePwd == null) { + trustStoreFilepwd = null; + } else { + trustStoreFilepwd = new String(v_TrustStoreFilePwd); + } + + keyStoreType = conf + .get(XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE_TYPE, + XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE_TYPE_DEFAULT); + trustStoreType = conf + .get(XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_TYPE, + XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_TYPE_DEFAULT); } - - - keyStoreType = conf.get(XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE_TYPE, XaSecureConstants.XASECURE_POLICYMGR_CLIENT_KEY_FILE_TYPE_DEFAULT); - trustStoreType = conf.get(XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_TYPE, XaSecureConstants.XASECURE_POLICYMGR_TRUSTSTORE_FILE_TYPE_DEFAULT); - } - catch(IOException ioe) { - LOG.error("Unable to load SSL Config FileName: [" + sslConfigFileName + "]", ioe); - } - finally { + } catch (IOException ioe) { + LOG.error("Unable to load SSL Config FileName: [" + + sslConfigFileName + "]", ioe); + } finally { if (in != null) { try { - in.close() ; + in.close(); } catch (IOException e) { - LOG.error("Unable to close SSL Config FileName: [" + sslConfigFileName + "]", e) ; + LOG.error("Unable to close SSL Config FileName: [" + + sslConfigFileName + "]", e); } } } - + LOG.debug("Keystore filename:[" + keyStoreFile + "]"); LOG.debug("TrustStore filename:[" + trustStoreFile + "]"); - + } } 
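Review bot: `credentialProviderFile = conf.get(XASECURE_KNOX_CREDENTIAL_PROVIDER_FILE)` reads `xasecure.knox.credential.provider.file` from the configuration built from `sslConfigFileName`, but the only provider key this commit adds to any config is `hadoop.security.credential.provider.path` in xasecure-knox-security-changes.cfg, and the xasecure-policymgr-ssl.xml hunk removes the passwords without adding the new key; unless some file outside this diff supplies it, `credentialProviderFile` stays null, both `getCredential` calls presumably return null, and an https agent ends up with `keyStoreFilepwd == null` and no message explaining why. A guard in the https branch such as `if (credentialProviderFile == null) { LOG.warn("No credential provider file configured under " + XASECURE_KNOX_CREDENTIAL_PROVIDER_FILE + " in [" + sslConfigFileName + "]"); }` would make the misconfiguration visible. The new `if (url.startsWith("https"))` also throws NullPointerException when `url` has not been set before `init()` (its assignment is outside the hunk) and is case-sensitive, so an `HTTPS://` policy manager silently skips credential loading; `if (url != null && url.regionMatches(true, 0, "https", 0, 5))` covers both. The `init()` method begins before the hunk's first line.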
http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/086831ef/knox-agent/conf/xasecure-audit-changes.cfg ---------------------------------------------------------------------- diff --git a/knox-agent/conf/xasecure-audit-changes.cfg b/knox-agent/conf/xasecure-audit-changes.cfg index e3e09da..0c69ebd 100644 --- a/knox-agent/conf/xasecure-audit-changes.cfg +++ b/knox-agent/conf/xasecure-audit-changes.cfg @@ -1,4 +1,4 @@ xasecure.audit.jpa.javax.persistence.jdbc.url jdbc:mysql://%XAAUDIT.DB.HOSTNAME%/%XAAUDIT.DB.DATABASE_NAME% mod create-if-not-exists xasecure.audit.jpa.javax.persistence.jdbc.user %XAAUDIT.DB.USER_NAME% mod create-if-not-exists -xasecure.audit.jpa.javax.persistence.jdbc.password %XAAUDIT.DB.PASSWORD% mod create-if-not-exists +xasecure.audit.credential.provider.file %CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists xasecure.audit.repository.name %REPOSITORY_NAME% mod create-if-not-exists http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/086831ef/knox-agent/conf/xasecure-audit.xml ---------------------------------------------------------------------- diff --git a/knox-agent/conf/xasecure-audit.xml b/knox-agent/conf/xasecure-audit.xml index 996d06f..d72a3c9 100644 --- a/knox-agent/conf/xasecure-audit.xml +++ b/knox-agent/conf/xasecure-audit.xml @@ -19,11 +19,6 @@ - xasecure.audit.jpa.javax.persistence.jdbc.password - xaaudit - - - xasecure.audit.jpa.javax.persistence.jdbc.driver com.mysql.jdbc.Driver http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/086831ef/knox-agent/conf/xasecure-knox-security-changes.cfg ---------------------------------------------------------------------- diff --git a/knox-agent/conf/xasecure-knox-security-changes.cfg b/knox-agent/conf/xasecure-knox-security-changes.cfg index e7dd10b..6bb832d 100644 --- a/knox-agent/conf/xasecure-knox-security-changes.cfg +++ b/knox-agent/conf/xasecure-knox-security-changes.cfg 
@@ -6,4 +6,5 @@ knox.authorization.verifier.classname com.xasecure.pdp.knox.XASecureAuthoriz xasecure.knox.policymgr.url %POLICY_MGR_URL%/service/assets/policyList/%REPOSITORY_NAME% mod create-if-not-exists xasecure.knox.policymgr.url.saveAsFile /tmp/knox%REPOSITORY_NAME%_json mod create-if-not-exists xasecure.knox.policymgr.url.reloadIntervalInMillis 30000 mod create-if-not-exists +hadoop.security.credential.provider.path %CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists xasecure.knox.policymgr.ssl.config /etc/knox/conf/xasecure-policymgr-ssl.xml mod create-if-not-exists http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/086831ef/knox-agent/conf/xasecure-policymgr-ssl.xml ---------------------------------------------------------------------- diff --git a/knox-agent/conf/xasecure-policymgr-ssl.xml b/knox-agent/conf/xasecure-policymgr-ssl.xml index 60f5387..61d9e1a 100644 --- a/knox-agent/conf/xasecure-policymgr-ssl.xml +++ b/knox-agent/conf/xasecure-policymgr-ssl.xml @@ -10,24 +10,10 @@ - xasecure.policymgr.clientssl.keystore.password - xasecure - - password for keystore - - - xasecure.policymgr.clientssl.truststore cacerts-xasecure.jks java truststore file - - xasecure.policymgr.clientssl.truststore.password - changeit - - java truststore password - - http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/086831ef/knox-agent/scripts/install.properties ---------------------------------------------------------------------- diff --git a/knox-agent/scripts/install.properties b/knox-agent/scripts/install.properties index 548cab9..84be394 100644 --- a/knox-agent/scripts/install.properties +++ b/knox-agent/scripts/install.properties 
@@ -26,6 +26,26 @@ REPOSITORY_NAME=knoxdev KNOX_HOME=/usr/lib/knox # +# POLICY CACHE FILE PATH +# +# This information is used to configure the path where the policy cache is stored. +# +# Example: +# POLICY_CACHE_FILE_PATH=/home/knox +# + +POLICY_CACHE_FILE_PATH= + +# +# Credential Provider File Path +# +# CREDENTIAL_PROVIDER_FILE=/etc/xasecure/conf/{repoName}-credstore.jceks +# + +CREDENTIAL_PROVIDER_FILE=/etc/xasecure/conf/knoxdev-credstore.jceks + +# + # AUDIT DB Configuration # # This information should match with the one you specified during the PolicyManager Installation http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/086831ef/knox-agent/scripts/install.sh ---------------------------------------------------------------------- diff --git a/knox-agent/scripts/install.sh b/knox-agent/scripts/install.sh index 753e71d..50800d1 100644 --- a/knox-agent/scripts/install.sh +++ b/knox-agent/scripts/install.sh @@ -2,6 +2,16 @@ # TODO: change AclsAuthz to XASecurePDPKnox for provider authorization +function create_jceks() +{ + alias=$1 + pass=$2 + jceksFile=$3 + java -cp "${install_dir}/cred/lib/*" com.hortonworks.credentialapi.buildks create ${alias} -value ${pass} -provider jceks://file${jceksFile} +} + + + MY_ID=`id -u` if [ "${MY_ID}" -ne 0 ] 
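Review bot: `create_jceks` expands `${alias}`, `${pass}` and `${jceksFile}` unquoted in the `java ... buildks create` line, so a password containing whitespace or glob characters is word-split or expanded before it reaches the tool, and an empty password shifts `${jceksFile}` into the `-value` slot; quote them: `java -cp "${install_dir}/cred/lib/*" com.hortonworks.credentialapi.buildks create "${alias}" -value "${pass}" -provider "jceks://file${jceksFile}"`. The function also ignores java's exit status, so a failed store still lets the install proceed; append `|| { echo "Failed to store credential ${alias} in ${jceksFile}"; exit 1; }` or return the status for the caller to test. Since the secret is passed as a command-line argument it is visible in the process listing for the duration of the call, which is inherent to this `buildks` invocation but deserves a comment above the function so the limitation is known.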
@@ -171,6 +181,55 @@ done chmod go-rwx ${KNOX_CONF}/xasecure-policymgr-ssl.xml chown ${CONFIG_FILE_OWNER} ${KNOX_CONF}/xasecure-policymgr-ssl.xml +# +# -- Cred Changes +# + +CredFile=`grep '^CREDENTIAL_PROVIDER_FILE' ${install_dir}/install.properties | awk -F= '{ print $2 }'` + +if ! [ `echo ${CredFile} | grep '^/.*'` ] +then + echo "Please enter the Credential File Store with proper file path" + exit 1 +fi + +# +# Generate Credential Provider file and Credential for Audit DB access. +# + + +auditDbPasswordAlias="auditDBCred" + +auditDbPassword=`grep '^XAAUDIT.DB.PASSWORD' ${install_dir}/install.properties | awk -F= '{ print $2 }'` + +create_jceks ${auditDbPasswordAlias} ${auditDbPassword} ${CredFile} + + +# +# Generate Credential Provider file and Credential for SSL KEYSTORE AND TRUSTSTORE +# + + +sslKeystorePasswordAlias="sslKeyStorePassword" + +sslKeystorePassword=`grep '^SSL_KEYSTORE_PASSWORD' ${install_dir}/install.properties | awk -F= '{ print $2 }'` + +create_jceks ${sslKeystorePasswordAlias} ${sslKeystorePassword} ${CredFile} + + +sslTruststorePasswordAlias="sslTrustStorePassword" + +sslTruststorePassword=`grep '^SSL_TRUSTSTORE_PASSWORD' ${install_dir}/install.properties | awk -F= '{ print $2 }'` + +create_jceks ${sslTruststorePasswordAlias} ${sslTruststorePassword} ${CredFile} + +chown ${CONFIG_FILE_OWNER} ${CredFile} + +# +# -- End - Cred Changes +# + + # update topology files - replace AclsAuthz with XASecurePDPKnox # ${PRE_INSTALL_CONFIG}/topologies/topologies/*.xml for fn in `ls ${PRE_INSTALL_CONFIG}/topologies/*.xml` http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/086831ef/src/main/assembly/knox-agent.xml ---------------------------------------------------------------------- diff --git a/src/main/assembly/knox-agent.xml b/src/main/assembly/knox-agent.xml index 2ca6e08..b83bb1a 100644 --- a/src/main/assembly/knox-agent.xml +++ b/src/main/assembly/knox-agent.xml 
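Review bot: The new credential store is `chown`ed to `${CONFIG_FILE_OWNER}` but, unlike `xasecure-policymgr-ssl.xml` in the hunk's leading context, never gets `chmod go-rwx`, so the JCEKS file holding the audit DB, keystore and truststore passwords keeps whatever mode `buildks` created it with; add `chmod go-rwx ${CredFile}` next to the `chown`. `awk -F= '{ print $2 }'` truncates any password containing `=`, and nothing verifies that the three values were found in install.properties, so an empty value is passed silently to `create_jceks` (compare the `CredFile` check, which does `exit 1`); `awk -F= '{ print substr($0, index($0,"=")+1) }'` plus a `[ -n "${auditDbPassword}" ] || { echo "XAAUDIT.DB.PASSWORD not set"; exit 1; }` per value would close both. It is also not visible here what `buildks create` does when the alias already exists, so a re-run of install.sh may fail or leave a stale password; a comment stating the expected re-run behaviour, or an explicit check, would help.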
@@ -16,8 +16,10 @@ /lib + commons-configuration:commons-configuration + org.glassfish.jersey.core:jersey-client com.google.code.gson:gson* - org.eclipse.persistence:eclipselink + org.eclipse.persistence:eclipselink org.eclipse.persistence:javax.persistence false @@ -43,6 +45,35 @@ security_agents.agents-installer:agents-installer + + + false + /cred/lib + false + 755 + 644 + + + /cred/lib + false + + commons-cli:commons-cli + commons-collections:commons-collections + commons-configuration:commons-configuration + commons-lang:commons-lang + commons-logging:commons-logging + com.google.guava:guava + org.hamcrest:hamcrest-all + junit:junit + org.slf4j:slf4j-api + org.apache.hadoop:hadoop-common + org.apache.hadoop:hadoop-auth + com.hortonworks.hadoop.security:credentialbuilder + + + + +
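Review bot: The new `/cred/lib` dependency set bundles `junit:junit` and `org.hamcrest:hamcrest-all` into the runtime classpath that install.sh hands to `com.hortonworks.credentialapi.buildks`; test frameworks shipped with an installer are extra code to track for vulnerabilities and are unlikely to be needed by a credential-store CLI. Unless `credentialbuilder` genuinely needs them at runtime (not visible here), drop those two entries from the include list. A comment above the set naming its purpose, e.g. `<!-- runtime classpath for the credential-store builder invoked by knox-agent/scripts/install.sh -->`, would also explain why a second copy of `commons-configuration` lives next to the one added to `/lib` in the first hunk.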