ranger-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sneet...@apache.org
Subject incubator-argus git commit: ARGUS-175:Remove hardcoded certificates and keystores from the repo
Date Sun, 09 Nov 2014 08:37:19 GMT
Repository: incubator-argus
Updated Branches:
  refs/heads/master e0fe4865f -> 6a3118ae6


ARGUS-175:Remove hardcoded certificates and keystores from the repo

Signed-off-by: sneethiraj <sneethir@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-argus/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-argus/commit/6a3118ae
Tree: http://git-wip-us.apache.org/repos/asf/incubator-argus/tree/6a3118ae
Diff: http://git-wip-us.apache.org/repos/asf/incubator-argus/diff/6a3118ae

Branch: refs/heads/master
Commit: 6a3118ae6396f4beb8989a6384b24130f19afc5d
Parents: e0fe486
Author: vperiasamy <vperiasamy@hortonworks.com>
Authored: Sun Nov 9 03:11:19 2014 -0500
Committer: sneethiraj <sneethir@apache.org>
Committed: Sun Nov 9 03:36:47 2014 -0500

----------------------------------------------------------------------
 security-admin/unixauth-config/cacerts          | Bin 232758 -> 0 bytes
 security-admin/unixauth-config/keystore.jks     | Bin 2257 -> 0 bytes
 security-admin/unixauth-config/server.crt       |  19 -----
 .../unixauth-config/unixauth.properties         |  11 +--
 .../unix/jaas/RemoteUnixLoginModule.java        |  78 +++++++++++++------
 unixauthservice/cert/authserver.jks             | Bin 2278 -> 0 bytes
 unixauthservice/cert/mytruststore.jks           | Bin 174807 -> 0 bytes
 .../conf.dist/unixauthservice.properties        |   8 +-
 unixauthservice/scripts/set_globals.sh          |   2 +-
 unixauthservice/scripts/setup.sh                |  17 +++-
 10 files changed, 82 insertions(+), 53 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6a3118ae/security-admin/unixauth-config/cacerts
----------------------------------------------------------------------
diff --git a/security-admin/unixauth-config/cacerts b/security-admin/unixauth-config/cacerts
deleted file mode 100644
index 8548f2c..0000000
Binary files a/security-admin/unixauth-config/cacerts and /dev/null differ

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6a3118ae/security-admin/unixauth-config/keystore.jks
----------------------------------------------------------------------
diff --git a/security-admin/unixauth-config/keystore.jks b/security-admin/unixauth-config/keystore.jks
deleted file mode 100644
index adee30f..0000000
Binary files a/security-admin/unixauth-config/keystore.jks and /dev/null differ

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6a3118ae/security-admin/unixauth-config/server.crt
----------------------------------------------------------------------
diff --git a/security-admin/unixauth-config/server.crt b/security-admin/unixauth-config/server.crt
deleted file mode 100644
index 9680f72..0000000
--- a/security-admin/unixauth-config/server.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDlzCCAn+gAwIBAgIEWsSk3zANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJVUzERMA8GA1UE
-CBMIdmlyZ2luaWExFjAUBgNVBAcTDVBvdG9tYWMgRmFsbHMxETAPBgNVBAoTCHhhc2VjdXJlMRkw
-FwYDVQQLExBjZXJ0aWZpY2F0ZSBkZXB0MRQwEgYDVQQDEwthdXRoc2VydmljZTAeFw0xMzEyMDQx
-NTQyMDdaFw0xNDExMjkxNTQyMDdaMHwxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwh2aXJnaW5pYTEW
-MBQGA1UEBxMNUG90b21hYyBGYWxsczERMA8GA1UEChMIeGFzZWN1cmUxGTAXBgNVBAsTEGNlcnRp
-ZmljYXRlIGRlcHQxFDASBgNVBAMTC2F1dGhzZXJ2aWNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAp49e8gb8W0YzhtFn71zhK2jhxKJj0bprS+Xojf6jf67219B9DCShB8FQ2/xtUq1k
-qM6hbS3PFoAJ5YCjF7lOOQ6kywK8Uzy15bH3bqDmu+V3WlBUj2qFIWQtAoEHItnDinpBkTVIMzz/
-0e8oSh+ijomH728vBzxrHkYPb6uYaJJJxBsIpbFIBDFhlZZAHxNT+N1kynTea2+KyiVmkK8IK5YI
-kSWrW1sx2xWQa/bh3Kdb2FQT54iocv2J1akzhTogfERy+yEluCe8WIA0PTcbwm08M0IVpjFAS6R6
-3Qjobqtab8BurS4+Mtaiien6kOxdL9qRsnqU1aK0PR5Z8gCJewIDAQABoyEwHzAdBgNVHQ4EFgQU
-QnSmA+pPaTOBxiZpOACcgQyTsiIwDQYJKoZIhvcNAQELBQADggEBADSFFrb6DdPvhLW3b89fSBGm
-YSwC4BMnvptgkbPz/I0277kJV2FaCdE6FNmn/eSfverz7/SaYp949NSnzvwaPsX7HVeFwNN8denL
-iPHq776HpR+4eRaQsyBI5f9J2vEBQqQJjRwWS78nUN2d2G85bRPImyFIJD7M9UT6aJumGlSdi49b
-EF96itjtZWPdvY96bK8YNDiUbbguZt1Wz3cSCivF6kfKMG2uVQqyaMn1HKFFO7a9NoxiW3AbBCJw
-21wI5WATSre89f3NZGzPf1SyJRhJ9DMQG2AlVXJ4AYUqGI2HmBlPHHTrgYHvSO/TW8060IwZXFX2
-ZWCNp2BwRMsKgQA=
------END CERTIFICATE-----

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6a3118ae/security-admin/unixauth-config/unixauth.properties
----------------------------------------------------------------------
diff --git a/security-admin/unixauth-config/unixauth.properties b/security-admin/unixauth-config/unixauth.properties
index ef780dc..7047e58 100644
--- a/security-admin/unixauth-config/unixauth.properties
+++ b/security-admin/unixauth-config/unixauth.properties
@@ -16,9 +16,10 @@
 remoteLoginEnabled=true
 authServiceHostName=bigdata.xasecure.net
 authServicePort=5151
-keyStore=keystore.jks
-keyStorePassword=password
-trustStore=cacerts
-trustStorePassword=changeit
+#keyStore=keystore.jks
+#keyStorePassword=password
+#trustStore=cacerts
+#trustStorePassword=changeit
 sslEnabled=true
-debug=true
\ No newline at end of file
+debug=false
+serverCertValidation=false

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6a3118ae/unixauthclient/src/main/java/com/xasecure/authentication/unix/jaas/RemoteUnixLoginModule.java
----------------------------------------------------------------------
diff --git a/unixauthclient/src/main/java/com/xasecure/authentication/unix/jaas/RemoteUnixLoginModule.java
b/unixauthclient/src/main/java/com/xasecure/authentication/unix/jaas/RemoteUnixLoginModule.java
index 1aceca1..e2b93c1 100644
--- a/unixauthclient/src/main/java/com/xasecure/authentication/unix/jaas/RemoteUnixLoginModule.java
+++ b/unixauthclient/src/main/java/com/xasecure/authentication/unix/jaas/RemoteUnixLoginModule.java
@@ -30,6 +30,8 @@ import java.io.OutputStreamWriter;
 import java.net.Socket;
 import java.security.KeyStore;
 import java.security.SecureRandom;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import java.util.Map;
 import java.util.Properties;
 
@@ -39,6 +41,7 @@ import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
 import javax.security.auth.Subject;
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
@@ -61,10 +64,11 @@ public class RemoteUnixLoginModule implements LoginModule {
 	private static final String SSL_TRUSTSTORE_PATH_PARAM = "trustStore";
 	private static final String SSL_TRUSTSTORE_PATH_PASSWORD_PARAM = "trustStorePassword";
 	private static final String SSL_ENABLED_PARAM = "sslEnabled";
+	private static final String SERVER_CERT_VALIDATION_PARAM = "serverCertValidation" ;
 	
 	private static final String JAAS_ENABLED_PARAM = "remoteLoginEnabled" ;
 
-	private static final String SSL_ALGORITHM = "SSLv3";
+	private static final String SSL_ALGORITHM = "TLS";
 
 	private String userName;
 	private char[] password;
@@ -85,6 +89,8 @@ public class RemoteUnixLoginModule implements LoginModule {
 
 	private boolean SSLEnabled = false;
 	
+	private boolean serverCertValidation = true ;
+	
 	private boolean remoteLoginEnabled = true ;
 
 	public RemoteUnixLoginModule() {
@@ -133,7 +139,7 @@ public class RemoteUnixLoginModule implements LoginModule {
 		Properties config = null ;
 
 		String val = (String) options.get(REMOTE_UNIX_AUTHENICATION_CONFIG_FILE_PARAM);
-		logError("Remote Unix Auth Configuration file [" + val + "]") ;
+		log("Remote Unix Auth Configuration file [" + val + "]") ;
 		if (val != null) {
 			InputStream in = null ;
 			try {
@@ -217,9 +223,12 @@ public class RemoteUnixLoginModule implements LoginModule {
 				}
 				log("keyStorePathPassword:" + keyStorePathPassword);
 			}
+			
+			String certValidationFlag = (String) options.get(SERVER_CERT_VALIDATION_PARAM) ;
+			serverCertValidation = (! (certValidationFlag != null && ("false".equalsIgnoreCase(certValidationFlag.trim().toLowerCase()))))
;
+			log("Server Cert Validation : " + serverCertValidation) ;
 		}
 
-
 	}
 
 	@Override
@@ -330,28 +339,53 @@ public class RemoteUnixLoginModule implements LoginModule {
 					}
 	
 					TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-	
-					KeyStore trustStoreKeyStore = null;
-	
-					if (trustStorePath != null) {
-						trustStoreKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
-	
-						InputStream in = null;
-	
-						in = getFileInputStream(trustStorePath);
-	
-						try {
-							trustStoreKeyStore.load(in, trustStorePathPassword.toCharArray());
-						} finally {
-							if (in != null) {
-								in.close();
+					
+					TrustManager[] tm = null ;
+					
+					if (serverCertValidation) {
+
+						KeyStore trustStoreKeyStore = null;
+
+						if (trustStorePath != null) {
+							trustStoreKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+		
+							InputStream in = null;
+		
+							in = getFileInputStream(trustStorePath);
+		
+							try {
+								trustStoreKeyStore.load(in, trustStorePathPassword.toCharArray());
+								
+								trustManagerFactory.init(trustStoreKeyStore);
+								
+								tm = trustManagerFactory.getTrustManagers();
+
+							} finally {
+								if (in != null) {
+									in.close();
+								}
 							}
 						}
 					}
-	
-					trustManagerFactory.init(trustStoreKeyStore);
-	
-					TrustManager[] tm = trustManagerFactory.getTrustManagers();
+					else {
+						TrustManager ignoreValidationTM = new X509TrustManager() {
+						    public void checkClientTrusted(X509Certificate[] chain, String authType) throws
CertificateException {
+						    	// Ignore Server Certificate Validation
+						    }
+
+						    public X509Certificate[] getAcceptedIssuers() {
+						        return new X509Certificate[0];
+						    }
+
+						    public void checkServerTrusted(X509Certificate[] chain,
+						                    String authType)
+						                    throws CertificateException {
+						    	// Ignore Server Certificate Validation
+						    }
+						};
+						
+						tm  = new TrustManager[] {ignoreValidationTM} ;
+					}
 	
 					SecureRandom random = new SecureRandom();
 	

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6a3118ae/unixauthservice/cert/authserver.jks
----------------------------------------------------------------------
diff --git a/unixauthservice/cert/authserver.jks b/unixauthservice/cert/authserver.jks
deleted file mode 100644
index 85dfb88..0000000
Binary files a/unixauthservice/cert/authserver.jks and /dev/null differ

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6a3118ae/unixauthservice/cert/mytruststore.jks
----------------------------------------------------------------------
diff --git a/unixauthservice/cert/mytruststore.jks b/unixauthservice/cert/mytruststore.jks
deleted file mode 100644
index 8a00a73..0000000
Binary files a/unixauthservice/cert/mytruststore.jks and /dev/null differ

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6a3118ae/unixauthservice/conf.dist/unixauthservice.properties
----------------------------------------------------------------------
diff --git a/unixauthservice/conf.dist/unixauthservice.properties b/unixauthservice/conf.dist/unixauthservice.properties
index 3b75abd..d38d3f1 100644
--- a/unixauthservice/conf.dist/unixauthservice.properties
+++ b/unixauthservice/conf.dist/unixauthservice.properties
@@ -22,10 +22,10 @@ useSSL = true
 # SSL Parameters
 #
 
-keyStore 			= 	./conf/cert/authserver.jks
-keyStorePassword	=	aNtHSrV086
-trustStore			=	./conf/cert/mytruststore.jks
-trustStorePassword  =   changeit
+keyStore 			= 	./conf/cert/unixauthservice.jks
+keyStorePassword	=	UnIx529p
+#trustStore			=	./conf/cert/mytruststore.jks
+#trustStorePassword  =   changeit
 passwordValidatorPath = ./native/credValidator.uexe
 
 #

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6a3118ae/unixauthservice/scripts/set_globals.sh
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/set_globals.sh b/unixauthservice/scripts/set_globals.sh
index 6227575..c77fbf9 100755
--- a/unixauthservice/scripts/set_globals.sh
+++ b/unixauthservice/scripts/set_globals.sh
@@ -76,7 +76,7 @@ if [ ! -d /etc/ranger/usersync/conf ]; then
 	chown -R $unix_user:$unix_group /etc/ranger/usersync/conf
 fi
 
-log "[I] Soft linking /etc/ranger/usersync/conf to ews/webapp/WEB-INF/classes/conf"
+log "[I] Soft linking /etc/ranger/usersync/conf to conf"
 mv -f conf conf.$curDt 2> /dev/null
 ln -sf /etc/ranger/usersync/conf conf
 

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6a3118ae/unixauthservice/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/setup.sh b/unixauthservice/scripts/setup.sh
index aed42b7..d17a869 100755
--- a/unixauthservice/scripts/setup.sh
+++ b/unixauthservice/scripts/setup.sh
@@ -231,8 +231,21 @@ if [ ! -d conf ]; then
     log "[I] Copying conf.dist conf"
     mkdir conf
     cp conf.dist/* conf
-	chown ${unix_user}:${unix_group} conf
-	chmod 750 conf
+    chown ${unix_user}:${unix_group} conf
+    chmod 750 conf
+fi
+if [ ! -f conf/cert/unixauthservice.jks ] 
+then
+    if [ ! -d conf/cert ]
+    then
+        mkdir -p conf/cert
+    fi
+    ${JAVA_HOME}/bin/keytool -genkeypair -keyalg RSA -alias selfsigned -keystore conf/cert/unixauthservice.jks
\
+                             -keypass UnIx529p -storepass UnIx529p -validity 360 -keysize
2048 \
+                             -dname "cn=unixauthservice,ou=authenticator,o=mycompany,c=US"

+
+	chmod o-rwx conf/cert/unixauthservice.jks
+
 fi
 
 echo "export JAVA_HOME=${JAVA_HOME}" > conf/java_home.sh


Mime
View raw message