zeppelin-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ahyoung...@apache.org
Subject zeppelin git commit: [ZEPPELIN-1074][ZEPPELIN-1811] Enhance SSL Support
Date Fri, 30 Dec 2016 15:47:35 GMT
Repository: zeppelin
Updated Branches:
  refs/heads/master 505686eaf -> 989a73f20


[ZEPPELIN-1074][ZEPPELIN-1811] Enhance SSL Support

### What is this PR for?

- Run SLL on the defined SSL port
- If Client Authentication is not enabled does not use it's properties
- Update Install documentation with instructions to enable SSL

### What type of PR is it?
[Bug Fix]

### What is the Jira issue?
* [ZEPPELIN-1074](https://issues.apache.org/jira/browse/ZEPPELIN-1074)
* [ZEPPELIN-1811](https://issues.apache.org/jira/browse/ZEPPELIN-1811)

Author: Luciano Resende <lresende@apache.org>

Closes #1757 from lresende/zeppelin-1074 and squashes the following commits:

d0a64f9 [Luciano Resende] [ZEPPELIN-1074][ZEPPELIN-1811] Move SSL configuration to website
7263abd [Luciano Resende] [ZEPPELIN-1074] Update documentation on how to obfuscate passwords
ecc964f [Luciano Resende] [ZEPPELIN-1074] Update SSL Configuration information
96f6a7b [Luciano Resende] [ZEPPELIN-1074] Defaults missing configuration to TrustStore value
1b1050e [Luciano Resende] [ZEPPELIN-1074] Enhance SSL Support


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/989a73f2
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/989a73f2
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/989a73f2

Branch: refs/heads/master
Commit: 989a73f20010c64d76b8e1ac8102c7cf24b66abb
Parents: 505686e
Author: Luciano Resende <lresende@apache.org>
Authored: Tue Dec 20 16:48:13 2016 -0800
Committer: ahyoungryu <ahyoungryu@apache.org>
Committed: Sat Dec 31 00:47:21 2016 +0900

----------------------------------------------------------------------
 conf/README.md                                  |  15 --
 docs/install/install.md                         | 184 ++++++++++++++++---
 .../apache/zeppelin/server/ZeppelinServer.java  |  22 ++-
 .../zeppelin/conf/ZeppelinConfiguration.java    |   9 +-
 4 files changed, 182 insertions(+), 48 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/989a73f2/conf/README.md
----------------------------------------------------------------------
diff --git a/conf/README.md b/conf/README.md
deleted file mode 100644
index ab32e27..0000000
--- a/conf/README.md
+++ /dev/null
@@ -1,15 +0,0 @@
-## Enabling SSL
-Enabling SSL requires a few changes. The first is to set zeppelin.ssl to true. If you'll
like to use client side certificate authentication as well, then set zeppelin.ssl.client.auth
to true too.
-
-Information how about to generate certificates and a keystore can be found [here](https://wiki.eclipse.org/Jetty/Howto/Configure_SSL).
-
-A condensed example can be found in the top answer to this [StackOverflow post](http://stackoverflow.com/questions/4008837/configure-ssl-on-jetty).
-
-The keystore holds the private key and certificate on the server end. The trustore holds
the trusted client certificates. Be sure that the path and password for these two stores are
correctly configured in the password fields below. They can be obfuscated using the Jetty
password tool. After Maven pulls in all the dependency to build Zeppelin, one of the Jetty
jars contain the Password tool. Invoke this command from the Zeppelin home build directory
with the appropriate version, user, and password.
-
-```
-java -cp ./zeppelin-server/target/lib/jetty-all-server-<version>.jar org.eclipse.jetty.util.security.Password
<user> <password>
-```
-
-If you are using a self-signed, a certificate signed by an untrusted CA, or if client authentication
is enabled, then the client must have a browser create exceptions for both the normal HTTPS
port and WebSocket port. This can by done by trying to establish an HTTPS connection to both
ports in a browser (i.e. if the ports are 443 and 8443, then visit https://127.0.0.1:443 and
https://127.0.0.1:8443). This step can be skipped if the server certificate is signed by a
trusted CA and client auth is disabled.
-

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/989a73f2/docs/install/install.md
----------------------------------------------------------------------
diff --git a/docs/install/install.md b/docs/install/install.md
index 2edecc6..9b6c783 100644
--- a/docs/install/install.md
+++ b/docs/install/install.md
@@ -56,8 +56,9 @@ Two binary packages are available on the [Apache Zeppelin Download Page](http://
 
   Unpack and follow [install additional interpreters](../manual/interpreterinstallation.html)
to install interpreters. If you're unsure, just run `./bin/install-interpreter.sh --all` and
install all interpreters.
 
-## Starting Apache Zeppelin from the Command Line
-#### Starting Apache Zeppelin
+## Starting Apache Zeppelin 
+
+#### Starting Apache Zeppelin from the Command Line
 
 On all unix like platforms:
 
@@ -79,6 +80,48 @@ After Zeppelin has started successfully, go to [http://localhost:8080](http://lo
 bin/zeppelin-daemon.sh stop
 ```
 
+#### Start Apache Zeppelin with a service manager
+
+> **Note :** The below description was written based on Ubuntu Linux.
+
+Apache Zeppelin can be auto-started as a service with an init script, using a service manager
like **upstart**.
+
+This is an example upstart script saved as `/etc/init/zeppelin.conf`
+This allows the service to be managed with commands such as
+
+```
+sudo service zeppelin start  
+sudo service zeppelin stop  
+sudo service zeppelin restart
+```
+
+Other service managers could use a similar approach with the `upstart` argument passed to
the `zeppelin-daemon.sh` script.
+
+```
+bin/zeppelin-daemon.sh upstart
+```
+
+**zeppelin.conf**
+
+```
+description "zeppelin"
+
+start on (local-filesystems and net-device-up IFACE!=lo)
+stop on shutdown
+
+# Respawn the process on unexpected termination
+respawn
+
+# respawn the job up to 7 times within a 5 second period.
+# If the job exceeds these values, it will be stopped and marked as failed.
+respawn limit 7 5
+
+# zeppelin was installed in /usr/share/zeppelin in this example
+chdir /usr/share/zeppelin
+exec bin/zeppelin-daemon.sh upstart
+```
+
+
 ## Next Steps
 
 Congratulations, you have successfully installed Apache Zeppelin! Here are few steps you
might find useful:
@@ -109,6 +152,11 @@ Congratulations, you have successfully installed Apache Zeppelin! Here
are few s
  * If you're using previous version please see [Upgrade Zeppelin version](./upgrade.html).
 
 
+## Building Apache Zeppelin from Source
+
+If you want to build from source instead of using binary package, follow the instructions
[here](./build.html).
+
+
 ## Apache Zeppelin Configuration
 
 You can configure Apache Zeppelin with either **environment variables** in `conf/zeppelin-env.sh`
(`conf\zeppelin-env.cmd` for Windows) or **Java properties** in `conf/zeppelin-site.xml`.
If both are defined, then the **environment variables** will take priority.
@@ -339,48 +387,132 @@ You can configure Apache Zeppelin with either **environment variables**
in `conf
 </table>
 
 
-#### Start Apache Zeppelin with a service manager
+## Apache Zeppelin Configuration to enable SSL
 
-> **Note :** The below description was written based on Ubuntu Linux.
+Enabling SSL requires a few configuration changes. First you need to create certificates
and then update necessary configurations to enable server side SSL and/or client side certificate
authentication.
 
-Apache Zeppelin can be auto-started as a service with an init script, using a service manager
like **upstart**.
+#### Creating and configuring the Certificates
 
-This is an example upstart script saved as `/etc/init/zeppelin.conf`
-This allows the service to be managed with commands such as
+Information how about to generate certificates and a keystore can be found [here](https://wiki.eclipse.org/Jetty/Howto/Configure_SSL).
+
+A condensed example can be found in the top answer to this [StackOverflow post](http://stackoverflow.com/questions/4008837/configure-ssl-on-jetty).
+
+The keystore holds the private key and certificate on the server end. The trustore holds
the trusted client certificates. Be sure that the path and password for these two stores are
correctly configured in the password fields below. They can be obfuscated using the Jetty
password tool. After Maven pulls in all the dependency to build Zeppelin, one of the Jetty
jars contain the Password tool. Invoke this command from the Zeppelin home build directory
with the appropriate version, user, and password.
 
 ```
-sudo service zeppelin start  
-sudo service zeppelin stop  
-sudo service zeppelin restart
+java -cp ./zeppelin-server/target/lib/jetty-all-server-<version>.jar org.eclipse.jetty.util.security.Password
<user> <password>
 ```
 
-Other service managers could use a similar approach with the `upstart` argument passed to
the `zeppelin-daemon.sh` script.
+If you are using a self-signed, a certificate signed by an untrusted CA, or if client authentication
is enabled, then the client must have a browser create exceptions for both the normal HTTPS
port and WebSocket port. This can by done by trying to establish an HTTPS connection to both
ports in a browser (i.e. if the ports are 443 and 8443, then visit https://127.0.0.1:443 and
https://127.0.0.1:8443). This step can be skipped if the server certificate is signed by a
trusted CA and client auth is disabled.
+
+#### Configuring server side SSL
+
+The following properties needs to be updated in the **zeppeling-site.xml** in order to enable
server side SSL.
 
 ```
-bin/zeppelin-daemon.sh upstart
+<property>
+  <name>zeppelin.server.ssl.port</name>
+  <value>8443</value>
+  <description>Server ssl port. (used when ssl property is set to true)</description>
+</property>
+
+<property>
+  <name>zeppelin.ssl</name>
+  <value>true</value>
+  <description>Should SSL be used by the servers?</description>
+</property>
+
+<property>
+  <name>zeppelin.ssl.keystore.path</name>
+  <value>keystore</value>
+  <description>Path to keystore relative to Zeppelin configuration directory</description>
+</property>
+
+<property>
+  <name>zeppelin.ssl.keystore.type</name>
+  <value>JKS</value>
+  <description>The format of the given keystore (e.g. JKS or PKCS12)</description>
+</property>
+
+<property>
+  <name>zeppelin.ssl.keystore.password</name>
+  <value>change me</value>
+  <description>Keystore password. Can be obfuscated by the Jetty Password tool</description>
+</property>
+
+<property>
+  <name>zeppelin.ssl.key.manager.password</name>
+  <value>change me</value>
+  <description>Key Manager password. Defaults to keystore password. Can be obfuscated.</description>
+</property>
 ```
 
-**zeppelin.conf**
+
+#### Enabling client side certificate authentication
+
+The following properties needs to be updated in the **zeppeling-site.xml** in order to enable
client side certificate authentication.
 
 ```
-description "zeppelin"
+<property>
+  <name>zeppelin.server.ssl.port</name>
+  <value>8443</value>
+  <description>Server ssl port. (used when ssl property is set to true)</description>
+</property>
+
+<property>
+  <name>zeppelin.ssl.client.auth</name>
+  <value>true</value>
+  <description>Should client authentication be used for SSL connections?</description>
+</property>
+
+<property>
+  <name>zeppelin.ssl.truststore.path</name>
+  <value>truststore</value>
+  <description>Path to truststore relative to Zeppelin configuration directory. Defaults
to the keystore path</description>
+</property>
+
+<property>
+  <name>zeppelin.ssl.truststore.type</name>
+  <value>JKS</value>
+  <description>The format of the given truststore (e.g. JKS or PKCS12). Defaults to
the same type as the keystore type</description>
+</property>
+
+<property>
+  <name>zeppelin.ssl.truststore.password</name>
+  <value>change me</value>
+  <description>Truststore password. Can be obfuscated by the Jetty Password tool. Defaults
to the keystore password</description>
+</property>
+```
 
-start on (local-filesystems and net-device-up IFACE!=lo)
-stop on shutdown
 
-# Respawn the process on unexpected termination
-respawn
+#### Obfuscating Passwords using the Jetty Password Tool
 
-# respawn the job up to 7 times within a 5 second period.
-# If the job exceeds these values, it will be stopped and marked as failed.
-respawn limit 7 5
+Security best practices advise to not use plain text passwords and Jetty provides a password
tool to help obfuscating the passwords used to access the KeyStore and TrustStore.
+ 
+The Password tool documentation can be found [here](http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html)
+
+After using the tool:
 
-# zeppelin was installed in /usr/share/zeppelin in this example
-chdir /usr/share/zeppelin
-exec bin/zeppelin-daemon.sh upstart
+```
+java -cp $ZEPPELIN_HOME/zeppelin-server/target/lib/jetty-util-9.2.15.v20160210.jar \
+         org.eclipse.jetty.util.security.Password  \
+         password
+
+2016-12-15 10:46:47.931:INFO::main: Logging initialized @101ms
+password
+OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
+MD5:5f4dcc3b5aa765d61d8327deb882cf99
 ```
 
+update your configuration with the obfuscated password :
 
-## Building from Source
+```
+<property>
+  <name>zeppelin.ssl.keystore.password</name>
+  <value>OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</value>
+  <description>Keystore password. Can be obfuscated by the Jetty Password tool</description>
+</property>
+```
 
-If you want to build from source instead of using binary package, follow the instructions
[here](./build.html).
+
+**Note:** After updating these configurations, Zeppelin server needs to be restarted.

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/989a73f2/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
index eec9973..c1307e4 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
@@ -187,10 +187,14 @@ public class ZeppelinServer extends Application {
     ServerConnector connector;
 
     if (conf.useSsl()) {
+      LOG.debug("Enabling SSL for Zeppelin Server on port " + conf.getServerSslPort());
       HttpConfiguration httpConfig = new HttpConfiguration();
       httpConfig.setSecureScheme("https");
       httpConfig.setSecurePort(conf.getServerSslPort());
       httpConfig.setOutputBufferSize(32768);
+      httpConfig.setRequestHeaderSize(8192);
+      httpConfig.setResponseHeaderSize(8192);
+      httpConfig.setSendServerVersion(true);
 
       HttpConfiguration httpsConfig = new HttpConfiguration(httpConfig);
       SecureRequestCustomizer src = new SecureRequestCustomizer();
@@ -212,7 +216,11 @@ public class ZeppelinServer extends Application {
     connector.setIdleTimeout(timeout);
     connector.setSoLingerTime(-1);
     connector.setHost(conf.getServerAddress());
-    connector.setPort(conf.getServerPort());
+    if (conf.useSsl()) {
+      connector.setPort(conf.getServerSslPort());
+    } else {
+      connector.setPort(conf.getServerPort());
+    }
 
     server.addConnector(connector);
 
@@ -241,12 +249,14 @@ public class ZeppelinServer extends Application {
     sslContextFactory.setKeyStorePassword(conf.getKeyStorePassword());
     sslContextFactory.setKeyManagerPassword(conf.getKeyManagerPassword());
 
-    // Set truststore
-    sslContextFactory.setTrustStorePath(conf.getTrustStorePath());
-    sslContextFactory.setTrustStoreType(conf.getTrustStoreType());
-    sslContextFactory.setTrustStorePassword(conf.getTrustStorePassword());
+    if (conf.useClientAuth()) {
+      sslContextFactory.setNeedClientAuth(conf.useClientAuth());
 
-    sslContextFactory.setNeedClientAuth(conf.useClientAuth());
+      // Set truststore
+      sslContextFactory.setTrustStorePath(conf.getTrustStorePath());
+      sslContextFactory.setTrustStoreType(conf.getTrustStoreType());
+      sslContextFactory.setTrustStorePassword(conf.getTrustStorePassword());
+    }
 
     return sslContextFactory;
   }

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/989a73f2/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
----------------------------------------------------------------------
diff --git a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
index 763fe65..499c338 100644
--- a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
+++ b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
@@ -107,7 +107,11 @@ public class ZeppelinConfiguration extends XMLConfiguration {
     }
     
     LOG.info("Server Host: " + conf.getServerAddress());
-    LOG.info("Server Port: " + conf.getServerPort());
+    if (conf.useSsl() == false) {
+      LOG.info("Server Port: " + conf.getServerPort());
+    } else {
+      LOG.info("Server SSL Port: " + conf.getServerSslPort());
+    }
     LOG.info("Context Path: " + conf.getServerContextPath());
     LOG.info("Zeppelin Version: " + Util.getVersion());
 
@@ -314,6 +318,9 @@ public class ZeppelinConfiguration extends XMLConfiguration {
 
   public String getTrustStorePath() {
     String path = getString(ConfVars.ZEPPELIN_SSL_TRUSTSTORE_PATH);
+    if (path == null) {
+      path = getKeyStorePath();
+    }
     if (path != null && path.startsWith("/") || isWindowsPath(path)) {
       return path;
     } else {


Mime
View raw message