Posted to commits@ranger.apache.org by pr...@apache.org on 2018/04/12 04:01:33 UTC
ranger git commit: RANGER-2058: Add SSL enabled Postgres support in
Ranger Admin
Repository: ranger
Updated Branches:
refs/heads/master 343668b42 -> c394fa42c
RANGER-2058: Add SSL enabled Postgres support in Ranger Admin
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/c394fa42
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/c394fa42
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/c394fa42
Branch: refs/heads/master
Commit: c394fa42c770deb4981e226b8037174f5a9d260a
Parents: 343668b
Author: pradeep <pr...@apache.org>
Authored: Wed Apr 11 18:11:59 2018 +0530
Committer: pradeep <pr...@apache.org>
Committed: Thu Apr 12 09:30:47 2018 +0530
----------------------------------------------------------------------
kms/scripts/db_setup.py | 31 ++++++++++++++---
kms/scripts/dba_script.py | 33 ++++++++++++++----
.../apache/hadoop/crypto/key/RangerKMSDB.java | 23 +++++++++----
security-admin/scripts/db_setup.py | 35 ++++++++++++++++----
security-admin/scripts/dba_script.py | 34 +++++++++++++++----
.../apache/ranger/common/PropertiesUtil.java | 15 +++++++--
6 files changed, 137 insertions(+), 34 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/c394fa42/kms/scripts/db_setup.py
----------------------------------------------------------------------
diff --git a/kms/scripts/db_setup.py b/kms/scripts/db_setup.py
index a431b60..b68ff5c 100644
--- a/kms/scripts/db_setup.py
+++ b/kms/scripts/db_setup.py
@@ -292,19 +292,39 @@ class OracleConf(BaseDB):
class PostgresConf(BaseDB):
# Constructor
- def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN):
+ def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type):
self.host = host
self.SQL_CONNECTOR_JAR = SQL_CONNECTOR_JAR
self.JAVA_BIN = JAVA_BIN
+ self.db_ssl_enabled=db_ssl_enabled.lower()
+ self.db_ssl_required=db_ssl_required.lower()
+ self.db_ssl_verifyServerCertificate=db_ssl_verifyServerCertificate.lower()
+ self.db_ssl_auth_type=db_ssl_auth_type.lower()
+ self.javax_net_ssl_keyStore=javax_net_ssl_keyStore
+ self.javax_net_ssl_keyStorePassword=javax_net_ssl_keyStorePassword
+ self.javax_net_ssl_trustStore=javax_net_ssl_trustStore
+ self.javax_net_ssl_trustStorePassword=javax_net_ssl_trustStorePassword
def get_jisql_cmd(self, user, password, db_name):
#TODO: User array for forming command
path = RANGER_KMS_HOME
self.JAVA_BIN = self.JAVA_BIN.strip("'")
+ db_ssl_param=''
+ db_ssl_cert_param=''
+ if self.db_ssl_enabled == 'true':
+ db_ssl_param="?ssl=%s" %(self.db_ssl_enabled)
+ if self.db_ssl_verifyServerCertificate == 'true' or self.db_ssl_required == 'true':
+ db_ssl_param="?ssl=%s" %(self.db_ssl_enabled)
+ if self.db_ssl_auth_type == '1-way':
+ db_ssl_cert_param=" -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ else:
+ db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ else:
+ db_ssl_param="?ssl=%s&sslfactory=org.postgresql.ssl.NonValidatingFactory" %(self.db_ssl_enabled)
if is_unix:
- jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,self.host, db_name, user, password)
+ jisql_cmd = "%s %s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s%s -u %s -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN, db_ssl_cert_param,self.SQL_CONNECTOR_JAR,path, self.host, db_name, db_ssl_param,user, password)
elif os_name == "WINDOWS":
- jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p \"%s\" -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password)
+ jisql_cmd = "%s %s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s%s -u %s -p \"%s\" -noheader -trim" %(self.JAVA_BIN, db_ssl_cert_param,self.SQL_CONNECTOR_JAR, path, self.host, db_name, db_ssl_param,user, password)
return jisql_cmd
def check_connection(self, db_name, db_user, db_password):
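Review bot: The truststore and keystore passwords are interpolated into `db_ssl_cert_param` as `-Djavax.net.ssl.trustStorePassword=%s` and `-Djavax.net.ssl.keyStorePassword=%s`, so they land on the java command line and stay readable from the process list for as long as jisql runs. The values are also unquoted, unlike the database password (`-p '%s'`), so a store path or password containing a space or shell metacharacter would change how the command is split if the string is later run through a shell (the execution site is not visible in this hunk). This is a good moment to act on the existing `#TODO: User array for forming command`; until then, quote the four values and add `# NOTE: store passwords are exposed on the command line`. The same construction is added in the PostgresConf hunks of kms/scripts/dba_script.py and both security-admin scripts.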
@@ -583,7 +603,7 @@ def main(argv):
javax_net_ssl_trustStore=''
javax_net_ssl_trustStorePassword=''
- if XA_DB_FLAVOR == "MYSQL":
+ if XA_DB_FLAVOR == "MYSQL" or XA_DB_FLAVOR == "POSTGRES":
if 'db_ssl_enabled' in globalDict:
db_ssl_enabled=globalDict['db_ssl_enabled'].lower()
if db_ssl_enabled == 'true':
@@ -616,6 +636,7 @@ def main(argv):
log("[E] Invalid ssl keystore password!","error")
sys.exit(1)
+ if XA_DB_FLAVOR == "MYSQL":
MYSQL_CONNECTOR_JAR=globalDict['SQL_CONNECTOR_JAR']
xa_sqlObj = MysqlConf(xa_db_host, MYSQL_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
xa_db_core_file = os.path.join(RANGER_KMS_HOME , mysql_core_file)
@@ -629,7 +650,7 @@ def main(argv):
db_user=db_user.lower()
db_name=db_name.lower()
POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR']
- xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN)
+ xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
xa_db_core_file = os.path.join(RANGER_KMS_HOME , postgres_core_file)
elif XA_DB_FLAVOR == "MSSQL":
http://git-wip-us.apache.org/repos/asf/ranger/blob/c394fa42/kms/scripts/dba_script.py
----------------------------------------------------------------------
diff --git a/kms/scripts/dba_script.py b/kms/scripts/dba_script.py
index bcd4aa2..91477c6 100755
--- a/kms/scripts/dba_script.py
+++ b/kms/scripts/dba_script.py
@@ -577,19 +577,38 @@ class OracleConf(BaseDB):
class PostgresConf(BaseDB):
# Constructor
- def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN):
- self.host = host
+ def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type):
+ self.host = host.lower()
self.SQL_CONNECTOR_JAR = SQL_CONNECTOR_JAR
self.JAVA_BIN = JAVA_BIN
+ self.db_ssl_enabled=db_ssl_enabled.lower()
+ self.db_ssl_required=db_ssl_required.lower()
+ self.db_ssl_verifyServerCertificate=db_ssl_verifyServerCertificate.lower()
+ self.db_ssl_auth_type=db_ssl_auth_type.lower()
+ self.javax_net_ssl_keyStore=javax_net_ssl_keyStore
+ self.javax_net_ssl_keyStorePassword=javax_net_ssl_keyStorePassword
+ self.javax_net_ssl_trustStore=javax_net_ssl_trustStore
+ self.javax_net_ssl_trustStorePassword=javax_net_ssl_trustStorePassword
def get_jisql_cmd(self, user, password, db_name):
#TODO: User array for forming command
path = RANGER_KMS_HOME
self.JAVA_BIN = self.JAVA_BIN.strip("'")
+ db_ssl_param=''
+ db_ssl_cert_param=''
+ if self.db_ssl_enabled == 'true':
+ db_ssl_param="?ssl=%s" %(self.db_ssl_enabled)
+ if self.db_ssl_verifyServerCertificate == 'true' or self.db_ssl_required == 'true':
+ if self.db_ssl_auth_type == '1-way':
+ db_ssl_cert_param=" -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ else:
+ db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ else:
+ db_ssl_param="?ssl=%s&sslfactory=org.postgresql.ssl.NonValidatingFactory" %(self.db_ssl_enabled)
if is_unix:
- jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,self.host, db_name, user, password)
+ jisql_cmd = "%s %s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s%s -u %s -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN, db_ssl_cert_param,self.SQL_CONNECTOR_JAR,path, self.host, db_name, db_ssl_param,user, password)
elif os_name == "WINDOWS":
- jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p \"%s\" -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password)
+ jisql_cmd = "%s %s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s%s -u %s -p \"%s\" -noheader -trim" %(self.JAVA_BIN, db_ssl_cert_param,self.SQL_CONNECTOR_JAR, path, self.host, db_name, db_ssl_param,user, password)
return jisql_cmd
def verify_user(self, root_user, db_root_password, db_user,dryMode):
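Review bot: When db_ssl_enabled is 'true' but neither db_ssl_verifyServerCertificate nor db_ssl_required is, the `else` branch selects `org.postgresql.ssl.NonValidatingFactory`, so the session is encrypted but the server certificate is never checked and the client cannot tell the real database from another host answering on that address. Nothing tells the operator that this mode was chosen. I would mark it where it is selected with `# encryption only: NonValidatingFactory accepts any server certificate` and emit a warning through the existing `log` helper. The same branch appears in the PostgresConf hunks of kms/scripts/db_setup.py and both security-admin scripts, and in the Postgres branches added to RangerKMSDB.java and PropertiesUtil.java.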
@@ -1374,7 +1393,7 @@ def main(argv):
javax_net_ssl_keyStorePassword=''
javax_net_ssl_trustStore=''
javax_net_ssl_trustStorePassword=''
- if XA_DB_FLAVOR == "MYSQL":
+ if XA_DB_FLAVOR == "MYSQL" or XA_DB_FLAVOR == "POSTGRES":
if 'db_ssl_enabled' in globalDict:
db_ssl_enabled=globalDict['db_ssl_enabled'].lower()
if db_ssl_enabled == 'true':
@@ -1407,7 +1426,7 @@ def main(argv):
log("[E] Invalid ssl keystore password!","error")
sys.exit(1)
-
+ if XA_DB_FLAVOR == "MYSQL":
MYSQL_CONNECTOR_JAR=CONNECTOR_JAR
xa_sqlObj = MysqlConf(xa_db_host, MYSQL_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
xa_db_core_file = os.path.join(RANGER_KMS_HOME,mysql_core_file)
@@ -1424,7 +1443,7 @@ def main(argv):
db_user=db_user.lower()
db_name=db_name.lower()
POSTGRES_CONNECTOR_JAR=CONNECTOR_JAR
- xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN)
+ xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
xa_db_core_file = os.path.join(RANGER_KMS_HOME,postgres_core_file)
elif XA_DB_FLAVOR == "MSSQL":
http://git-wip-us.apache.org/repos/asf/ranger/blob/c394fa42/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java
index 12585ca..8b9bf4b 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java
@@ -94,7 +94,7 @@ public class RangerKMSDB {
jpaProperties.put(JPA_DB_URL, conf.get(PROPERTY_PREFIX+DB_URL));
jpaProperties.put(JPA_DB_USER, conf.get(PROPERTY_PREFIX+DB_USER));
jpaProperties.put(JPA_DB_PASSWORD, conf.get(PROPERTY_PREFIX+DB_PASSWORD));
- if(getDBFlavor(conf)==DB_FLAVOR_MYSQL){
+ if(getDBFlavor(conf)==DB_FLAVOR_MYSQL || getDBFlavor(conf)==DB_FLAVOR_POSTGRES){
updateDBSSLURL();
}
@@ -185,14 +185,25 @@ public class RangerKMSDB {
conf.set(PROPERTY_PREFIX+DB_SSL_AUTH_TYPE, db_ssl_auth_type);
String ranger_jpa_jdbc_url=conf.get(PROPERTY_PREFIX+DB_URL);
if(!StringUtils.isEmpty(ranger_jpa_jdbc_url)){
- String ranger_jpa_jdbc_url_ssl= ranger_jpa_jdbc_url + "?useSSL=" + db_ssl_enabled +
- "&requireSSL=" + db_ssl_required + "&verifyServerCertificate=" + db_ssl_verifyServerCertificate;
- conf.set(PROPERTY_PREFIX+DB_URL, ranger_jpa_jdbc_url_ssl);
+ if(ranger_jpa_jdbc_url.contains("?")) {
+ ranger_jpa_jdbc_url=ranger_jpa_jdbc_url.substring(0,ranger_jpa_jdbc_url.indexOf("?"));
+ }
+ StringBuffer ranger_jpa_jdbc_url_ssl=new StringBuffer(ranger_jpa_jdbc_url);
+ if(getDBFlavor(conf)==DB_FLAVOR_MYSQL){
+ ranger_jpa_jdbc_url_ssl.append("?useSSL="+db_ssl_enabled+"&requireSSL="+db_ssl_required+"&verifyServerCertificate="+db_ssl_verifyServerCertificate);
+ }else if(getDBFlavor(conf)==DB_FLAVOR_POSTGRES){
+ if("true".equalsIgnoreCase(db_ssl_verifyServerCertificate) || "true".equalsIgnoreCase(db_ssl_required)){
+ ranger_jpa_jdbc_url_ssl.append("?ssl="+db_ssl_enabled);
+ }else{
+ ranger_jpa_jdbc_url_ssl.append("?ssl="+db_ssl_enabled+"&sslfactory=org.postgresql.ssl.NonValidatingFactory");
+ }
+ }
+ conf.set(PROPERTY_PREFIX+DB_URL, ranger_jpa_jdbc_url_ssl.toString());
jpaProperties.put(JPA_DB_URL, conf.get(PROPERTY_PREFIX+DB_URL));
- logger.info(PROPERTY_PREFIX+DB_URL+"="+ranger_jpa_jdbc_url_ssl);
+ logger.info(PROPERTY_PREFIX+DB_URL+"="+ranger_jpa_jdbc_url_ssl.toString());
}
- if("true".equalsIgnoreCase(db_ssl_verifyServerCertificate)){
+ if("true".equalsIgnoreCase(db_ssl_verifyServerCertificate) || "true".equalsIgnoreCase(db_ssl_required)){
if(!"1-way".equalsIgnoreCase((db_ssl_auth_type))){
// update system key store path with custom key store.
String keystore=conf.get(PROPERTY_PREFIX+DB_SSL_KEYSTORE);
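Review bot: Any query parameters already present on the configured JDBC URL are discarded by the new `ranger_jpa_jdbc_url.substring(0,ranger_jpa_jdbc_url.indexOf("?"))` step before the SSL parameters are appended, and nothing is logged about it. A deployment that put another driver option in the URL would lose it silently once this path runs. If the strip is there to keep the method idempotent (an assumption; the method starts outside the hunk), at least record it with something like `logger.warn(PROPERTY_PREFIX+DB_URL+" has query parameters; they are replaced by the SSL settings");`. PropertiesUtil.java gets the same strip in its second hunk.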
http://git-wip-us.apache.org/repos/asf/ranger/blob/c394fa42/security-admin/scripts/db_setup.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py
index b8664d2..2cbe665 100644
--- a/security-admin/scripts/db_setup.py
+++ b/security-admin/scripts/db_setup.py
@@ -1554,19 +1554,39 @@ class OracleConf(BaseDB):
class PostgresConf(BaseDB):
# Constructor
- def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN):
- self.host = host
+ def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type):
+ self.host = host.lower()
self.SQL_CONNECTOR_JAR = SQL_CONNECTOR_JAR
self.JAVA_BIN = JAVA_BIN
+ self.db_ssl_enabled=db_ssl_enabled.lower()
+ self.db_ssl_required=db_ssl_required.lower()
+ self.db_ssl_verifyServerCertificate=db_ssl_verifyServerCertificate.lower()
+ self.db_ssl_auth_type=db_ssl_auth_type.lower()
+ self.javax_net_ssl_keyStore=javax_net_ssl_keyStore
+ self.javax_net_ssl_keyStorePassword=javax_net_ssl_keyStorePassword
+ self.javax_net_ssl_trustStore=javax_net_ssl_trustStore
+ self.javax_net_ssl_trustStorePassword=javax_net_ssl_trustStorePassword
def get_jisql_cmd(self, user, password, db_name):
#TODO: User array for forming command
path = RANGER_ADMIN_HOME
self.JAVA_BIN = self.JAVA_BIN.strip("'")
+ db_ssl_param=''
+ db_ssl_cert_param=''
+ if self.db_ssl_enabled == 'true':
+ db_ssl_param="?ssl=%s" %(self.db_ssl_enabled)
+ if self.db_ssl_verifyServerCertificate == 'true' or self.db_ssl_required == 'true':
+ db_ssl_param="?ssl=%s" %(self.db_ssl_enabled)
+ if self.db_ssl_auth_type == '1-way':
+ db_ssl_cert_param=" -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ else:
+ db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ else:
+ db_ssl_param="?ssl=%s&sslfactory=org.postgresql.ssl.NonValidatingFactory" %(self.db_ssl_enabled)
if is_unix:
- jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password)
+ jisql_cmd = "%s %s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s%s -u %s -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN, db_ssl_cert_param,self.SQL_CONNECTOR_JAR,path, self.host, db_name, db_ssl_param,user, password)
elif os_name == "WINDOWS":
- jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p \"%s\" -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password)
+ jisql_cmd = "%s %s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s%s -u %s -p \"%s\" -noheader -trim" %(self.JAVA_BIN, db_ssl_cert_param,self.SQL_CONNECTOR_JAR, path, self.host, db_name, db_ssl_param,user, password)
return jisql_cmd
def check_connection(self, db_name, db_user, db_password):
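Review bot: The `db_ssl_param="?ssl=%s" %(self.db_ssl_enabled)` assignment inside the verifyServerCertificate/required branch repeats the one two lines above it and can be dropped; the dba_script.py copies of get_jisql_cmd already omit it, and kms/scripts/db_setup.py carries the same duplicate. The four PostgresConf copies also disagree on the host: this file now stores `host.lower()`, while kms/scripts/db_setup.py keeps `self.host = host`. Since the method is duplicated four times, keeping the copies textually identical makes later fixes to the TLS handling much easier to apply everywhere.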
@@ -3615,7 +3635,7 @@ def main(argv):
javax_net_ssl_trustStore=''
javax_net_ssl_trustStorePassword=''
- if XA_DB_FLAVOR == "MYSQL":
+ if XA_DB_FLAVOR == "MYSQL" or XA_DB_FLAVOR == "POSTGRES":
if 'db_ssl_enabled' in globalDict:
db_ssl_enabled=globalDict['db_ssl_enabled'].lower()
if db_ssl_enabled == 'true':
@@ -3648,6 +3668,7 @@ def main(argv):
log("[E] Invalid ssl keystore password!","error")
sys.exit(1)
+ if XA_DB_FLAVOR == "MYSQL":
MYSQL_CONNECTOR_JAR=globalDict['SQL_CONNECTOR_JAR']
xa_sqlObj = MysqlConf(xa_db_host, MYSQL_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
xa_db_version_file = os.path.join(RANGER_ADMIN_HOME , mysql_dbversion_catalog)
@@ -3671,7 +3692,7 @@ def main(argv):
db_user=db_user.lower()
db_name=db_name.lower()
POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR']
- xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN)
+ xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
xa_db_version_file = os.path.join(RANGER_ADMIN_HOME , postgres_dbversion_catalog)
xa_db_core_file = os.path.join(RANGER_ADMIN_HOME , postgres_core_file)
xa_patch_file = os.path.join(RANGER_ADMIN_HOME , postgres_patches)
@@ -3721,7 +3742,7 @@ def main(argv):
audit_db_user=audit_db_user.lower()
audit_db_name=audit_db_name.lower()
POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR']
- audit_sqlObj = PostgresConf(audit_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN)
+ audit_sqlObj = PostgresConf(audit_db_host,POSTGRES_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
audit_db_file = os.path.join(RANGER_ADMIN_HOME , postgres_audit_file)
elif AUDIT_DB_FLAVOR == "MSSQL":
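Review bot: audit_sqlObj is built with the same db_ssl_* and store values as xa_sqlObj, and those are only read from globalDict when XA_DB_FLAVOR is MYSQL or POSTGRES (first main() hunk of this file). A Postgres audit database on a different host therefore cannot have its own TLS settings, and if the admin database is another flavor the audit connection presumably runs with the initial defaults set above the flavor check, which are only partly visible here. A comment at the call such as `# audit DB reuses the admin DB SSL settings; there are no separate audit_db_ssl_* keys` would make that explicit. The same call is changed in security-admin/scripts/dba_script.py, and main() extends beyond both hunks.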
http://git-wip-us.apache.org/repos/asf/ranger/blob/c394fa42/security-admin/scripts/dba_script.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/dba_script.py b/security-admin/scripts/dba_script.py
index 69fff41..4a57bba 100644
--- a/security-admin/scripts/dba_script.py
+++ b/security-admin/scripts/dba_script.py
@@ -727,19 +727,38 @@ class OracleConf(BaseDB):
class PostgresConf(BaseDB):
# Constructor
- def __init__(self, host, SQL_CONNECTOR_JAR, JAVA_BIN):
- self.host = host
+ def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type):
+ self.host = host.lower()
self.SQL_CONNECTOR_JAR = SQL_CONNECTOR_JAR
self.JAVA_BIN = JAVA_BIN
+ self.db_ssl_enabled=db_ssl_enabled.lower()
+ self.db_ssl_required=db_ssl_required.lower()
+ self.db_ssl_verifyServerCertificate=db_ssl_verifyServerCertificate.lower()
+ self.db_ssl_auth_type=db_ssl_auth_type.lower()
+ self.javax_net_ssl_keyStore=javax_net_ssl_keyStore
+ self.javax_net_ssl_keyStorePassword=javax_net_ssl_keyStorePassword
+ self.javax_net_ssl_trustStore=javax_net_ssl_trustStore
+ self.javax_net_ssl_trustStorePassword=javax_net_ssl_trustStorePassword
def get_jisql_cmd(self, user, password, db_name):
#TODO: User array for forming command
path = RANGER_ADMIN_HOME
self.JAVA_BIN = self.JAVA_BIN.strip("'")
+ db_ssl_param=''
+ db_ssl_cert_param=''
+ if self.db_ssl_enabled == 'true':
+ db_ssl_param="?ssl=%s" %(self.db_ssl_enabled)
+ if self.db_ssl_verifyServerCertificate == 'true' or self.db_ssl_required == 'true':
+ if self.db_ssl_auth_type == '1-way':
+ db_ssl_cert_param=" -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ else:
+ db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ else:
+ db_ssl_param="?ssl=%s&sslfactory=org.postgresql.ssl.NonValidatingFactory" %(self.db_ssl_enabled)
if is_unix:
- jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR,path, self.host, db_name, user, password)
+ jisql_cmd = "%s %s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s%s -u %s -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN, db_ssl_cert_param,self.SQL_CONNECTOR_JAR,path, self.host, db_name, db_ssl_param,user, password)
elif os_name == "WINDOWS":
- jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s -u %s -p \"%s\" -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password)
+ jisql_cmd = "%s %s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s%s -u %s -p \"%s\" -noheader -trim" %(self.JAVA_BIN, db_ssl_cert_param,self.SQL_CONNECTOR_JAR, path, self.host, db_name, db_ssl_param,user, password)
return jisql_cmd
def verify_user(self, root_user, db_root_password, db_user,dryMode):
@@ -1673,7 +1692,7 @@ def main(argv):
javax_net_ssl_keyStorePassword=''
javax_net_ssl_trustStore=''
javax_net_ssl_trustStorePassword=''
- if XA_DB_FLAVOR == "MYSQL":
+ if XA_DB_FLAVOR == "MYSQL" or XA_DB_FLAVOR == "POSTGRES":
if 'db_ssl_enabled' in globalDict:
db_ssl_enabled=globalDict['db_ssl_enabled'].lower()
if db_ssl_enabled == 'true':
@@ -1706,6 +1725,7 @@ def main(argv):
log("[E] Invalid ssl keystore password!","error")
sys.exit(1)
+ if XA_DB_FLAVOR == "MYSQL":
MYSQL_CONNECTOR_JAR=CONNECTOR_JAR
xa_sqlObj = MysqlConf(xa_db_host, MYSQL_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
xa_db_version_file = os.path.join(RANGER_ADMIN_HOME,mysql_dbversion_catalog)
@@ -1726,7 +1746,7 @@ def main(argv):
db_user=db_user.lower()
db_name=db_name.lower()
POSTGRES_CONNECTOR_JAR=CONNECTOR_JAR
- xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN)
+ xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
xa_db_version_file = os.path.join(RANGER_ADMIN_HOME,postgres_dbversion_catalog)
xa_db_core_file = os.path.join(RANGER_ADMIN_HOME,postgres_core_file)
xa_patch_file = os.path.join(RANGER_ADMIN_HOME,postgres_patches)
@@ -1769,7 +1789,7 @@ def main(argv):
audit_db_user=audit_db_user.lower()
audit_db_name=audit_db_name.lower()
POSTGRES_CONNECTOR_JAR=CONNECTOR_JAR
- audit_sqlObj = PostgresConf(audit_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN)
+ audit_sqlObj = PostgresConf(audit_db_host,POSTGRES_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
audit_db_file = os.path.join(RANGER_ADMIN_HOME,postgres_audit_file)
elif AUDIT_DB_FLAVOR == "MSSQL":
http://git-wip-us.apache.org/repos/asf/ranger/blob/c394fa42/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
index edd9d36..ee8ce8d 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
@@ -250,7 +250,7 @@ public class PropertiesUtil extends PropertyPlaceholderConfigurer {
propertiesMap.put("ranger.sha256Password.update.disable", sha256PasswordUpdateDisable);
props.put("ranger.sha256Password.update.disable", sha256PasswordUpdateDisable);
}
- if(RangerBizUtil.getDBFlavor()==AppConstants.DB_FLAVOR_MYSQL){
+ if(RangerBizUtil.getDBFlavor()==AppConstants.DB_FLAVOR_MYSQL || RangerBizUtil.getDBFlavor()==AppConstants.DB_FLAVOR_POSTGRES){
if(propertiesMap!=null && propertiesMap.containsKey("ranger.db.ssl.enabled")){
String db_ssl_enabled=propertiesMap.get("ranger.db.ssl.enabled");
if(StringUtils.isEmpty(db_ssl_enabled)|| !"true".equalsIgnoreCase(db_ssl_enabled)){
@@ -282,8 +282,19 @@ public class PropertiesUtil extends PropertyPlaceholderConfigurer {
props.put("ranger.db.ssl.auth.type", db_ssl_auth_type);
String ranger_jpa_jdbc_url=propertiesMap.get("ranger.jpa.jdbc.url");
if(!StringUtils.isEmpty(ranger_jpa_jdbc_url)){
+ if(ranger_jpa_jdbc_url.contains("?")) {
+ ranger_jpa_jdbc_url=ranger_jpa_jdbc_url.substring(0,ranger_jpa_jdbc_url.indexOf("?"));
+ }
StringBuffer ranger_jpa_jdbc_url_ssl=new StringBuffer(ranger_jpa_jdbc_url);
- ranger_jpa_jdbc_url_ssl.append("?useSSL="+db_ssl_enabled+"&requireSSL="+db_ssl_required+"&verifyServerCertificate="+db_ssl_verifyServerCertificate);
+ if (RangerBizUtil.getDBFlavor()==AppConstants.DB_FLAVOR_MYSQL) {
+ ranger_jpa_jdbc_url_ssl.append("?useSSL="+db_ssl_enabled+"&requireSSL="+db_ssl_required+"&verifyServerCertificate="+db_ssl_verifyServerCertificate);
+ }else if(RangerBizUtil.getDBFlavor()==AppConstants.DB_FLAVOR_POSTGRES) {
+ if("true".equalsIgnoreCase(db_ssl_verifyServerCertificate) || "true".equalsIgnoreCase(db_ssl_required)){
+ ranger_jpa_jdbc_url_ssl.append("?ssl="+db_ssl_enabled);
+ }else{
+ ranger_jpa_jdbc_url_ssl.append("?ssl="+db_ssl_enabled+"&sslfactory=org.postgresql.ssl.NonValidatingFactory");
+ }
+ }
propertiesMap.put("ranger.jpa.jdbc.url", ranger_jpa_jdbc_url_ssl.toString());
props.put("ranger.jpa.jdbc.url", ranger_jpa_jdbc_url_ssl.toString());
logger.info("ranger.jpa.jdbc.url="+ranger_jpa_jdbc_url_ssl.toString());