Posted to commits@ranger.apache.org by ve...@apache.org on 2020/11/23 22:41:25 UTC
[ranger] branch ranger-2.2 updated: RANGER-3084: Ranger database
connection fails when postgres is SSL enabled & postgresql-42.2.14 driver
jar is used
This is an automated email from the ASF dual-hosted git repository.
vel pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.2 by this push:
new d551135 RANGER-3084: Ranger database connection fails when postgres is SSL enabled & postgresql-42.2.14 driver jar is used
d551135 is described below
commit d5511352c63466a603a7090b7ee1b54b0a17060f
Author: Mahesh Bandal <ma...@gmail.com>
AuthorDate: Sat Nov 21 12:51:01 2020 +0530
RANGER-3084: Ranger database connection fails when postgres is SSL enabled & postgresql-42.2.14 driver jar is used
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
---
kms/config/kms-webapp/dbks-site.xml | 12 +++++
kms/scripts/db_setup.py | 56 ++++++++++++++--------
kms/scripts/install.properties | 7 +++
kms/scripts/setup.sh | 53 +++++++++++++++++---
.../org/apache/hadoop/crypto/key/RangerKMSDB.java | 19 ++++----
security-admin/scripts/db_setup.py | 56 ++++++++++++++--------
security-admin/scripts/install.properties | 6 +++
security-admin/scripts/setup.sh | 51 ++++++++++++++++++--
.../org/apache/ranger/common/PropertiesUtil.java | 28 +++++++----
.../conf.dist/ranger-admin-default-site.xml | 12 +++++
10 files changed, 233 insertions(+), 67 deletions(-)
diff --git a/kms/config/kms-webapp/dbks-site.xml b/kms/config/kms-webapp/dbks-site.xml
index 6990fb7..75f21c8 100755
--- a/kms/config/kms-webapp/dbks-site.xml
+++ b/kms/config/kms-webapp/dbks-site.xml
@@ -341,4 +341,16 @@
<name>ranger.ks.db.ssl.auth.type</name>
<value>2-way</value>
</property>
+ <property>
+ <name>ranger.ks.db.ssl.certificateFile</name>
+ <value></value>
+ </property>
+ <property>
+ <name>ranger.truststore.file.type</name>
+ <value>jks</value>
+ </property>
+ <property>
+ <name>ranger.keystore.file.type</name>
+ <value>jks</value>
+ </property>
</configuration>
diff --git a/kms/scripts/db_setup.py b/kms/scripts/db_setup.py
index 9928f46..c1f8523 100644
--- a/kms/scripts/db_setup.py
+++ b/kms/scripts/db_setup.py
@@ -292,7 +292,7 @@ class OracleConf(BaseDB):
class PostgresConf(BaseDB):
# Constructor
- def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type):
+ def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type,db_ssl_certificate_file,javax_net_ssl_trustStore_type,javax_net_ssl_keyStore_type):
self.host = host
self.SQL_CONNECTOR_JAR = SQL_CONNECTOR_JAR
self.JAVA_BIN = JAVA_BIN
@@ -300,10 +300,13 @@ class PostgresConf(BaseDB):
self.db_ssl_required=db_ssl_required.lower()
self.db_ssl_verifyServerCertificate=db_ssl_verifyServerCertificate.lower()
self.db_ssl_auth_type=db_ssl_auth_type.lower()
+ self.db_ssl_certificate_file=db_ssl_certificate_file
self.javax_net_ssl_keyStore=javax_net_ssl_keyStore
self.javax_net_ssl_keyStorePassword=javax_net_ssl_keyStorePassword
+ self.javax_net_ssl_keyStore_type=javax_net_ssl_keyStore_type.lower()
self.javax_net_ssl_trustStore=javax_net_ssl_trustStore
self.javax_net_ssl_trustStorePassword=javax_net_ssl_trustStorePassword
+ self.javax_net_ssl_trustStore_type=javax_net_ssl_trustStore_type.lower()
def get_jisql_cmd(self, user, password, db_name):
#TODO: User array for forming command
@@ -312,15 +315,16 @@ class PostgresConf(BaseDB):
db_ssl_param=''
db_ssl_cert_param=''
if self.db_ssl_enabled == 'true':
- db_ssl_param="?ssl=%s" %(self.db_ssl_enabled)
- if self.db_ssl_verifyServerCertificate == 'true' or self.db_ssl_required == 'true':
- db_ssl_param="?ssl=%s" %(self.db_ssl_enabled)
+ if self.db_ssl_certificate_file != "":
+ db_ssl_param="?ssl=%s&sslmode=verify-full&sslrootcert=%s" %(self.db_ssl_enabled,self.db_ssl_certificate_file)
+ elif self.db_ssl_verifyServerCertificate == 'true' or self.db_ssl_required == 'true':
+ db_ssl_param="?ssl=%s&sslmode=verify-full&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory" %(self.db_ssl_enabled)
if self.db_ssl_auth_type == '1-way':
- db_ssl_cert_param=" -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ db_ssl_cert_param=" -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s -Djavax.net.ssl.trustStoreType=%s" %(self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword,self.javax_net_ssl_trustStore_type)
else:
- db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s -Djavax.net.ssl.trustStoreType=%s -Djavax.net.ssl.keyStoreType=%s" %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword,self.javax_net_ssl_trustStore_type,self.javax_net_ssl_keyStore_type)
else:
- db_ssl_param="?ssl=%s&sslfactory=org.postgresql.ssl.NonValidatingFactory" %(self.db_ssl_enabled)
+ db_ssl_param="?ssl=%s" %(self.db_ssl_enabled)
if is_unix:
jisql_cmd = "%s %s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s%s -u %s -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN, db_ssl_cert_param,self.SQL_CONNECTOR_JAR,path, self.host, db_name, db_ssl_param,user, password)
elif os_name == "WINDOWS":
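Review bot: The `else` branch now emits a bare `?ssl=true`, and on the 42.2.x driver this change targets a bare `ssl=true` is, as far as I recall the pgjdbc docs, interpreted as `sslmode=verify-full`, so `db_ssl_enabled=true` with both `db_ssl_verifyServerCertificate` and `db_ssl_required` false no longer means "encrypt but do not verify": it verifies against `~/.postgresql/root.crt` and fails when that file is absent. Make the choice explicit — either `db_ssl_param="?ssl=%s&sslmode=require" %(self.db_ssl_enabled)` if a non-verifying mode is still meant to be supported, or (the safer option) a comment here plus an install.properties note that PostgreSQL server-certificate verification is now always enforced. In the `sslrootcert` branch the unchanged `if self.db_ssl_auth_type` block still appends the JVM truststore flags, which the driver's default `LibPQFactory` path does not consult as far as I know, so a one-line comment stating that the CA file wins over `javax_net_ssl_trustStore` would help the next reader. The URL is spliced into the shell command string on the `jisql_cmd` line with `&` separators and an unquoted path; how `jisql_cmd` is executed is outside this hunk, but if it ever goes through a shell the connection string needs quoting.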
@@ -602,6 +606,9 @@ def main(argv):
javax_net_ssl_keyStorePassword=''
javax_net_ssl_trustStore=''
javax_net_ssl_trustStorePassword=''
+ db_ssl_certificate_file=''
+ javax_net_ssl_trustStore_type='bcfks'
+ javax_net_ssl_keyStore_type='bcfks'
if XA_DB_FLAVOR == "MYSQL" or XA_DB_FLAVOR == "POSTGRES":
if 'db_ssl_enabled' in globalDict:
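Review bot: The in-script defaults `javax_net_ssl_trustStore_type='bcfks'` and `javax_net_ssl_keyStore_type='bcfks'` disagree with the `jks` default written in install.properties and in `init_variables` of setup.sh, so an install.properties that predates these keys makes db_setup.py pass `-Djavax.net.ssl.trustStoreType=bcfks` while the service is configured for `jks`, and the schema setup fails to open a JKS truststore. If BCFKS is the intended default for FIPS builds, make it the single documented default in both scripts; otherwise set both to `'jks'` here and add `# must match ranger.truststore.file.type / ranger.keystore.file.type written by setup.sh` above them.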
@@ -613,26 +620,37 @@ def main(argv):
db_ssl_verifyServerCertificate=globalDict['db_ssl_verifyServerCertificate'].lower()
if 'db_ssl_auth_type' in globalDict:
db_ssl_auth_type=globalDict['db_ssl_auth_type'].lower()
+ if 'db_ssl_certificate_file' in globalDict:
+ db_ssl_certificate_file=globalDict['db_ssl_certificate_file']
+ if 'javax_net_ssl_trustStore' in globalDict:
+ javax_net_ssl_trustStore=globalDict['javax_net_ssl_trustStore']
+ if 'javax_net_ssl_trustStorePassword' in globalDict:
+ javax_net_ssl_trustStorePassword=globalDict['javax_net_ssl_trustStorePassword']
+ if 'javax_net_ssl_trustStore_type' in globalDict:
+ javax_net_ssl_trustStore_type=globalDict['javax_net_ssl_trustStore_type']
if db_ssl_verifyServerCertificate == 'true':
- if 'javax_net_ssl_trustStore' in globalDict:
- javax_net_ssl_trustStore=globalDict['javax_net_ssl_trustStore']
- if 'javax_net_ssl_trustStorePassword' in globalDict:
- javax_net_ssl_trustStorePassword=globalDict['javax_net_ssl_trustStorePassword']
- if not os.path.exists(javax_net_ssl_trustStore):
- log("[E] Invalid file Name! Unable to find truststore file:"+javax_net_ssl_trustStore,"error")
- sys.exit(1)
- if javax_net_ssl_trustStorePassword is None or javax_net_ssl_trustStorePassword =="":
- log("[E] Invalid ssl truststore password!","error")
- sys.exit(1)
+ if db_ssl_certificate_file != "":
+ if not os.path.exists(db_ssl_certificate_file):
+ log("[E] Invalid file Name! Unable to find certificate file:"+db_ssl_certificate_file,"error")
+ sys.exit(1)
+ elif db_ssl_auth_type == '1-way' and db_ssl_certificate_file == "" :
+ if not os.path.exists(javax_net_ssl_trustStore):
+ log("[E] Invalid file Name! Unable to find truststore file:"+javax_net_ssl_trustStore,"error")
+ sys.exit(1)
+ if javax_net_ssl_trustStorePassword =="":
+ log("[E] Invalid ssl truststore password!","error")
+ sys.exit(1)
if db_ssl_auth_type == '2-way':
if 'javax_net_ssl_keyStore' in globalDict:
javax_net_ssl_keyStore=globalDict['javax_net_ssl_keyStore']
if 'javax_net_ssl_keyStorePassword' in globalDict:
javax_net_ssl_keyStorePassword=globalDict['javax_net_ssl_keyStorePassword']
+ if 'javax_net_ssl_keyStore_type' in globalDict:
+ javax_net_ssl_keyStore_type=globalDict['javax_net_ssl_keyStore_type']
if not os.path.exists(javax_net_ssl_keyStore):
log("[E] Invalid file Name! Unable to find keystore file:"+javax_net_ssl_keyStore,"error")
sys.exit(1)
- if javax_net_ssl_keyStorePassword is None or javax_net_ssl_keyStorePassword =="":
+ if javax_net_ssl_keyStorePassword =="":
log("[E] Invalid ssl keystore password!","error")
sys.exit(1)
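Review bot: The new certificate-file existence check only runs under `if db_ssl_verifyServerCertificate == 'true':`, but `get_jisql_cmd` uses `db_ssl_certificate_file` whenever it is non-empty, so a mistyped path with `db_ssl_verifyServerCertificate=false` is not caught here and surfaces later as a JDBC failure. Conversely, 2-way mode without a CA file no longer validates the truststore that `get_jisql_cmd` still passes (the previous code checked it for either auth type), and the `and db_ssl_certificate_file == ""` on the `elif` is redundant once the `if` above has failed. I would hoist the CA-file check out of the verify condition and apply the truststore check to both auth types when no CA file is given; the fallback check for an unset `db_ssl_certificate_file` key is unchanged. The enclosing `main` starts and ends outside this hunk.
```python
# … unchanged: reading db_ssl_* and javax_net_ssl_* keys from globalDict …
if db_ssl_certificate_file != "":
    # The CA file is used whenever it is set (see get_jisql_cmd), so validate it
    # regardless of db_ssl_verifyServerCertificate.
    if not os.path.exists(db_ssl_certificate_file):
        log("[E] Invalid file Name! Unable to find certificate file:"+db_ssl_certificate_file,"error")
        sys.exit(1)
elif db_ssl_verifyServerCertificate == 'true':
    # No CA file: the JVM truststore is passed for both 1-way and 2-way, so it
    # must exist and have a password in either mode.
    if not os.path.exists(javax_net_ssl_trustStore):
        log("[E] Invalid file Name! Unable to find truststore file:"+javax_net_ssl_trustStore,"error")
        sys.exit(1)
    if javax_net_ssl_trustStorePassword =="":
        log("[E] Invalid ssl truststore password!","error")
        sys.exit(1)
# … unchanged: 2-way keystore checks …
```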
@@ -650,7 +668,7 @@ def main(argv):
db_user=db_user.lower()
db_name=db_name.lower()
POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR']
- xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
+ xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type,db_ssl_certificate_file,javax_net_ssl_trustStore_type,javax_net_ssl_keyStore_type)
xa_db_core_file = os.path.join(RANGER_KMS_HOME , postgres_core_file)
elif XA_DB_FLAVOR == "MSSQL":
diff --git a/kms/scripts/install.properties b/kms/scripts/install.properties
index 814edb3..137a729 100755
--- a/kms/scripts/install.properties
+++ b/kms/scripts/install.properties
@@ -52,6 +52,7 @@ SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar
db_root_user=root
db_root_password=
db_host=localhost
+#SSL config
db_ssl_enabled=false
db_ssl_required=false
db_ssl_verifyServerCertificate=false
@@ -61,6 +62,12 @@ javax_net_ssl_keyStore=
javax_net_ssl_keyStorePassword=
javax_net_ssl_trustStore=
javax_net_ssl_trustStorePassword=
+javax_net_ssl_trustStore_type=jks
+javax_net_ssl_keyStore_type=jks
+
+# For postgresql db
+db_ssl_certificate_file=
+
#
# DB UserId used for the Ranger KMS schema
#
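Review bot: `db_ssl_certificate_file` is introduced with only `# For postgresql db`, which does not tell the operator that a non-empty value takes precedence over `javax_net_ssl_trustStore` for server verification and forces `sslmode=verify-full`, so the server certificate must match `db_host`. Suggest `# For postgresql db: PEM file holding the CA certificate(s) that signed the server certificate. When set it replaces javax_net_ssl_trustStore for server verification and the JDBC URL uses sslmode=verify-full, so the certificate must match db_host.` and, above the two new `_type` keys, `# Keystore/truststore format passed as -Djavax.net.ssl.*StoreType (e.g. jks, bcfks); must match the files above`.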
diff --git a/kms/scripts/setup.sh b/kms/scripts/setup.sh
index 9b4df38..a7691f3 100755
--- a/kms/scripts/setup.sh
+++ b/kms/scripts/setup.sh
@@ -60,6 +60,9 @@ db_ssl_enabled=$(get_prop 'db_ssl_enabled' $PROPFILE)
db_ssl_required=$(get_prop 'db_ssl_required' $PROPFILE)
db_ssl_verifyServerCertificate=$(get_prop 'db_ssl_verifyServerCertificate' $PROPFILE)
db_ssl_auth_type=$(get_prop 'db_ssl_auth_type' $PROPFILE)
+db_ssl_certificate_file=$(get_prop 'db_ssl_certificate_file' $PROPFILE)
+javax_net_ssl_trustStore_type=$(get_prop 'javax_net_ssl_trustStore_type' $PROPFILE)
+javax_net_ssl_keyStore_type=$(get_prop 'javax_net_ssl_keyStore_type' $PROPFILE)
KMS_MASTER_KEY_PASSWD=$(get_prop 'KMS_MASTER_KEY_PASSWD' $PROPFILE)
unix_user=$(get_prop 'unix_user' $PROPFILE)
unix_user_pwd=$(get_prop 'unix_user_pwd' $PROPFILE)
@@ -282,12 +285,17 @@ init_variables(){
db_ssl_required="false"
db_ssl_verifyServerCertificate="false"
db_ssl_auth_type="2-way"
+ db_ssl_certificate_file=''
+ javax_net_ssl_trustStore_type='jks'
+ javax_net_ssl_keyStore_type='jks'
fi
if [ "${db_ssl_enabled}" == "true" ]
then
db_ssl_required=`echo $db_ssl_required | tr '[:upper:]' '[:lower:]'`
db_ssl_verifyServerCertificate=`echo $db_ssl_verifyServerCertificate | tr '[:upper:]' '[:lower:]'`
db_ssl_auth_type=`echo $db_ssl_auth_type | tr '[:upper:]' '[:lower:]'`
+ javax_net_ssl_trustStore_type=`echo $javax_net_ssl_trustStore_type | tr '[:upper:]' '[:lower:]'`
+ javax_net_ssl_keyStore_type=`echo $javax_net_ssl_keyStore_type | tr '[:upper:]' '[:lower:]'`
if [ "${db_ssl_required}" != "true" ]
then
db_ssl_required="false"
@@ -300,6 +308,14 @@ init_variables(){
then
db_ssl_auth_type="2-way"
fi
+ if [ "${javax_net_ssl_trustStore_type}" == "" ]
+ then
+ javax_net_ssl_trustStore_type="jks"
+ fi
+ if [ "${javax_net_ssl_keyStore_type}" == "" ]
+ then
+ javax_net_ssl_keyStore_type="jks"
+ fi
fi
}
@@ -466,7 +482,7 @@ update_properties() {
log "[I] $to_file file found"
else
log "[E] $to_file does not exists" ; exit 1;
- fi
+ fi
if [ "${db_ssl_enabled}" != "" ]
then
@@ -485,6 +501,18 @@ update_properties() {
propertyName=ranger.ks.db.ssl.auth.type
newPropertyValue="${db_ssl_auth_type}"
updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+
+ propertyName=ranger.ks.db.ssl.certificateFile
+ newPropertyValue="${db_ssl_certificate_file}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+
+ propertyName=ranger.truststore.file.type
+ newPropertyValue="${javax_net_ssl_trustStore_type}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+
+ propertyName=ranger.keystore.file.type
+ newPropertyValue="${javax_net_ssl_keyStore_type}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file
fi
if [ "${DB_FLAVOR}" == "MYSQL" ]
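Review bot: `updatePropertyToFilePy $propertyName $newPropertyValue $to_file` is called with `newPropertyValue="${db_ssl_certificate_file}"`, whose shipped default is empty, so after word splitting the helper receives two arguments and `$to_file` lands in the value position; the sibling properties in this block (`db_ssl_auth_type` and friends) are always non-empty after `init_variables`, which is why the unquoted pattern survived until now. Unless `updatePropertyToFilePy` (outside this hunk) already handles a missing argument, quote the call: `updatePropertyToFilePy "$propertyName" "$newPropertyValue" "$to_file"`, and quote `$1 $2 $3` inside the helper as well.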
@@ -530,9 +558,22 @@ update_properties() {
db_name=`echo ${db_name} | tr '[:upper:]' '[:lower:]'`
db_user=`echo ${db_user} | tr '[:upper:]' '[:lower:]'`
- propertyName=ranger.ks.jpa.jdbc.url
- newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}"
- updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+ if [ "${db_ssl_enabled}" == "true" ]
+ then
+ if test -f $db_ssl_certificate_file; then
+ propertyName=ranger.ks.jpa.jdbc.url
+ newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}?ssl=true&sslmode=verify-full&sslrootcert=${db_ssl_certificate_file}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+ else
+ propertyName=ranger.ks.jpa.jdbc.url
+ newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}?ssl=true&sslmode=verify-full&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+ fi
+ else
+ propertyName=ranger.ks.jpa.jdbc.url
+ newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+ fi
propertyName=ranger.ks.jpa.jdbc.dialect
newPropertyValue="org.eclipse.persistence.platform.database.PostgreSQLPlatform"
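Review bot: `if test -f $db_ssl_certificate_file; then` is unquoted, and with the empty default `test -f` is left with a single operand and evaluates true, so every installation that leaves `db_ssl_certificate_file` blank gets `...&sslrootcert=` with an empty path and the `DefaultJavaSSLFactory`/truststore branch is unreachable. Use `if [ -n "${db_ssl_certificate_file}" ] && [ -f "${db_ssl_certificate_file}" ]; then`. It would also be safer to fail setup with `log "[E] certificate file not found: ${db_ssl_certificate_file}"; exit 1` when the property is set but the file is missing, instead of silently falling through to the truststore as the `else` does now.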
@@ -1083,9 +1124,9 @@ setup_install_files(){
then
if [ "${db_ssl_auth_type}" == "1-way" ]
then
- DB_SSL_PARAM="' -Djavax.net.ssl.trustStore=${javax_net_ssl_trustStore} -Djavax.net.ssl.trustStorePassword=${javax_net_ssl_trustStorePassword} '"
+ DB_SSL_PARAM="' -Djavax.net.ssl.trustStore=${javax_net_ssl_trustStore} -Djavax.net.ssl.trustStorePassword=${javax_net_ssl_trustStorePassword} -Djavax.net.ssl.trustStoreType=${javax_net_ssl_trustStore_type} '"
else
- DB_SSL_PARAM="' -Djavax.net.ssl.keyStore=${javax_net_ssl_keyStore} -Djavax.net.ssl.keyStorePassword=${javax_net_ssl_keyStorePassword} -Djavax.net.ssl.trustStore=${javax_net_ssl_trustStore} -Djavax.net.ssl.trustStorePassword=${javax_net_ssl_trustStorePassword} '"
+ DB_SSL_PARAM="' -Djavax.net.ssl.keyStore=${javax_net_ssl_keyStore} -Djavax.net.ssl.keyStorePassword=${javax_net_ssl_keyStorePassword} -Djavax.net.ssl.keyStoreType={javax_net_ssl_keyStore_type} -Djavax.net.ssl.trustStore=${javax_net_ssl_trustStore} -Djavax.net.ssl.trustStorePassword=${javax_net_ssl_trustStorePassword} -Djavax.net.ssl.trustStoreType=${javax_net_ssl_trustStore_type} '"
fi
echo "export DB_SSL_PARAM=${DB_SSL_PARAM}" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-dbsslparam.sh
chmod a+rx ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-dbsslparam.sh
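Review bot: The 2-way line has `-Djavax.net.ssl.keyStoreType={javax_net_ssl_keyStore_type}` with the `$` missing, so the JVM receives the literal string `{javax_net_ssl_keyStore_type}` as the keystore type and `KeyStore.getInstance` will reject it, breaking every 2-way deployment; it should read `-Djavax.net.ssl.keyStoreType=${javax_net_ssl_keyStore_type}`. While in this block: `DB_SSL_PARAM` carries `keyStorePassword` and `trustStorePassword` in clear text and is written to `ranger-kms-env-dbsslparam.sh`, which the next line makes world-readable with `chmod a+rx`; restricting it to the service user (`chmod 750` plus `chown` to `${unix_user}`) would keep the store passwords out of reach of other local accounts.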
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java
index 8b9bf4b..28e5e6f 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java
@@ -62,6 +62,7 @@ public class RangerKMSDB {
private static final String DB_SSL_KEYSTORE_PASSWORD="keystore.password";
private static final String DB_SSL_TRUSTSTORE="truststore.file";
private static final String DB_SSL_TRUSTSTORE_PASSWORD="truststore.password";
+ private static final String DB_SSL_CERTIFICATE_FILE="db.ssl.certificateFile";
public static final int DB_FLAVOR_UNKNOWN = 0;
public static final int DB_FLAVOR_MYSQL = 1;
@@ -184,24 +185,24 @@ public class RangerKMSDB {
conf.set(PROPERTY_PREFIX+DB_SSL_VerifyServerCertificate, db_ssl_verifyServerCertificate);
conf.set(PROPERTY_PREFIX+DB_SSL_AUTH_TYPE, db_ssl_auth_type);
String ranger_jpa_jdbc_url=conf.get(PROPERTY_PREFIX+DB_URL);
- if(!StringUtils.isEmpty(ranger_jpa_jdbc_url)){
- if(ranger_jpa_jdbc_url.contains("?")) {
- ranger_jpa_jdbc_url=ranger_jpa_jdbc_url.substring(0,ranger_jpa_jdbc_url.indexOf("?"));
- }
+ if(StringUtils.isNotEmpty(ranger_jpa_jdbc_url) && !ranger_jpa_jdbc_url.contains("?")){
StringBuffer ranger_jpa_jdbc_url_ssl=new StringBuffer(ranger_jpa_jdbc_url);
if(getDBFlavor(conf)==DB_FLAVOR_MYSQL){
ranger_jpa_jdbc_url_ssl.append("?useSSL="+db_ssl_enabled+"&requireSSL="+db_ssl_required+"&verifyServerCertificate="+db_ssl_verifyServerCertificate);
}else if(getDBFlavor(conf)==DB_FLAVOR_POSTGRES){
- if("true".equalsIgnoreCase(db_ssl_verifyServerCertificate) || "true".equalsIgnoreCase(db_ssl_required)){
+ String db_ssl_certificate_file = conf.get(PROPERTY_PREFIX+DB_SSL_CERTIFICATE_FILE);
+ if(StringUtils.isNotEmpty(db_ssl_certificate_file)) {
+ ranger_jpa_jdbc_url_ssl.append("?ssl="+db_ssl_enabled+"&sslmode=verify-full"+"&sslrootcert="+db_ssl_certificate_file);
+ } else if ("true".equalsIgnoreCase(db_ssl_verifyServerCertificate) || "true".equalsIgnoreCase(db_ssl_required)) {
+ ranger_jpa_jdbc_url_ssl.append("?ssl="+db_ssl_enabled+"&sslmode=verify-full"+"&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory");
+ } else {
ranger_jpa_jdbc_url_ssl.append("?ssl="+db_ssl_enabled);
- }else{
- ranger_jpa_jdbc_url_ssl.append("?ssl="+db_ssl_enabled+"&sslfactory=org.postgresql.ssl.NonValidatingFactory");
}
}
conf.set(PROPERTY_PREFIX+DB_URL, ranger_jpa_jdbc_url_ssl.toString());
- jpaProperties.put(JPA_DB_URL, conf.get(PROPERTY_PREFIX+DB_URL));
- logger.info(PROPERTY_PREFIX+DB_URL+"="+ranger_jpa_jdbc_url_ssl.toString());
}
+ jpaProperties.put(JPA_DB_URL, conf.get(PROPERTY_PREFIX+DB_URL));
+ logger.info(PROPERTY_PREFIX+DB_URL+"="+conf.get(PROPERTY_PREFIX+DB_URL));
if("true".equalsIgnoreCase(db_ssl_verifyServerCertificate) || "true".equalsIgnoreCase(db_ssl_required)){
if(!"1-way".equalsIgnoreCase((db_ssl_auth_type))){
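Review bot: Changing the guard to `!ranger_jpa_jdbc_url.contains("?")` leaves any URL that already carries a query string untouched, so an upgraded installation whose `ranger.ks.jpa.jdbc.url` still ends in the old `?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory` (which the previous code stripped and rebuilt) keeps connecting without server verification until setup.sh is re-run; since removing that factory is the point of this commit, at least log a warning or reject the URL when it contains `NonValidatingFactory`. Also `db_ssl_certificate_file` is appended to the URL unescaped, so a path containing `&`, `?` or `=` corrupts the query string; recent pgjdbc versions URL-decode parameter values, so `URLEncoder.encode(db_ssl_certificate_file, "UTF-8")` (or rejecting such paths) would avoid it. The enclosing method begins before this hunk, so the `db_ssl_enabled` condition under which these appends run is not visible here.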
diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py
index b448738..09fab95 100644
--- a/security-admin/scripts/db_setup.py
+++ b/security-admin/scripts/db_setup.py
@@ -837,7 +837,7 @@ class OracleConf(BaseDB):
class PostgresConf(BaseDB):
# Constructor
- def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type):
+ def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type,db_ssl_certificate_file,javax_net_ssl_trustStore_type,javax_net_ssl_keyStore_type):
self.host = host.lower()
self.SQL_CONNECTOR_JAR = SQL_CONNECTOR_JAR
self.JAVA_BIN = JAVA_BIN
@@ -845,10 +845,13 @@ class PostgresConf(BaseDB):
self.db_ssl_required=db_ssl_required.lower()
self.db_ssl_verifyServerCertificate=db_ssl_verifyServerCertificate.lower()
self.db_ssl_auth_type=db_ssl_auth_type.lower()
+ self.db_ssl_certificate_file=db_ssl_certificate_file
self.javax_net_ssl_keyStore=javax_net_ssl_keyStore
self.javax_net_ssl_keyStorePassword=javax_net_ssl_keyStorePassword
+ self.javax_net_ssl_keyStore_type=javax_net_ssl_keyStore_type.lower()
self.javax_net_ssl_trustStore=javax_net_ssl_trustStore
self.javax_net_ssl_trustStorePassword=javax_net_ssl_trustStorePassword
+ self.javax_net_ssl_trustStore_type=javax_net_ssl_trustStore_type.lower()
self.commandTerminator=" "
self.XA_DB_FLAVOR = "POSTGRES"
@@ -858,15 +861,16 @@ class PostgresConf(BaseDB):
db_ssl_param=''
db_ssl_cert_param=''
if self.db_ssl_enabled == 'true':
- db_ssl_param="?ssl=%s" %(self.db_ssl_enabled)
- if self.db_ssl_verifyServerCertificate == 'true' or self.db_ssl_required == 'true':
- db_ssl_param="?ssl=%s" %(self.db_ssl_enabled)
+ if self.db_ssl_certificate_file != "":
+ db_ssl_param="?ssl=%s&sslmode=verify-full&sslrootcert=%s" %(self.db_ssl_enabled,self.db_ssl_certificate_file)
+ elif self.db_ssl_verifyServerCertificate == 'true' or self.db_ssl_required == 'true':
+ db_ssl_param="?ssl=%s&sslmode=verify-full&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory" %(self.db_ssl_enabled)
if self.db_ssl_auth_type == '1-way':
- db_ssl_cert_param=" -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ db_ssl_cert_param=" -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s -Djavax.net.ssl.trustStoreType=%s" %(self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword,self.javax_net_ssl_trustStore_type)
else:
- db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s -Djavax.net.ssl.trustStoreType=%s -Djavax.net.ssl.keyStoreType=%s" %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword,self.javax_net_ssl_trustStore_type,self.javax_net_ssl_keyStore_type)
else:
- db_ssl_param="?ssl=%s&sslfactory=org.postgresql.ssl.NonValidatingFactory" %(self.db_ssl_enabled)
+ db_ssl_param="?ssl=%s" %(self.db_ssl_enabled)
if is_unix:
jisql_cmd = "%s %s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://%s/%s%s -u %s -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN, db_ssl_cert_param,self.SQL_CONNECTOR_JAR,path, self.host, db_name, db_ssl_param,user, password)
elif os_name == "WINDOWS":
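Review bot: The `else` branch now produces a bare `?ssl=true`, which on the 42.2.x driver is, as far as I recall the pgjdbc docs, treated as `sslmode=verify-full`, so `db_ssl_enabled=true` with `db_ssl_verifyServerCertificate=false` and `db_ssl_required=false` no longer yields an unverified TLS connection but one verified against `~/.postgresql/root.crt`, failing when that file is absent. Either spell the intent out with `db_ssl_param="?ssl=%s&sslmode=require" %(self.db_ssl_enabled)` if that mode is still supported, or add a comment and install.properties note that PostgreSQL server verification is now always enforced. In the `sslrootcert` branch the unchanged `if self.db_ssl_auth_type` block still appends the JVM truststore flags that, to my knowledge, the driver's default `LibPQFactory` path ignores once a CA file is given; a one-line comment saying the CA file wins would avoid confusion.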
@@ -1113,6 +1117,9 @@ def main(argv):
javax_net_ssl_keyStorePassword=''
javax_net_ssl_trustStore=''
javax_net_ssl_trustStorePassword=''
+ db_ssl_certificate_file=''
+ javax_net_ssl_trustStore_type='bcfks'
+ javax_net_ssl_keyStore_type='bcfks'
if XA_DB_FLAVOR == "MYSQL" or XA_DB_FLAVOR == "POSTGRES":
if 'db_ssl_enabled' in globalDict:
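Review bot: `javax_net_ssl_trustStore_type='bcfks'` and `javax_net_ssl_keyStore_type='bcfks'` as in-script defaults conflict with the `jks` default in install.properties and in setup.sh's `init_variables`, so an older install.properties without these keys makes db_setup.py pass `-Djavax.net.ssl.trustStoreType=bcfks` against a JKS truststore while the service itself is configured for `jks`. Pick one default for both scripts — `'jks'` unless BCFKS is deliberately the FIPS default — and add `# must match ranger.truststore.file.type / ranger.keystore.file.type written by setup.sh` above the two assignments.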
@@ -1124,26 +1131,37 @@ def main(argv):
db_ssl_verifyServerCertificate=globalDict['db_ssl_verifyServerCertificate'].lower()
if 'db_ssl_auth_type' in globalDict:
db_ssl_auth_type=globalDict['db_ssl_auth_type'].lower()
+ if 'db_ssl_certificate_file' in globalDict:
+ db_ssl_certificate_file=globalDict['db_ssl_certificate_file']
+ if 'javax_net_ssl_trustStore' in globalDict:
+ javax_net_ssl_trustStore=globalDict['javax_net_ssl_trustStore']
+ if 'javax_net_ssl_trustStorePassword' in globalDict:
+ javax_net_ssl_trustStorePassword=globalDict['javax_net_ssl_trustStorePassword']
+ if 'javax_net_ssl_trustStore_type' in globalDict:
+ javax_net_ssl_trustStore_type=globalDict['javax_net_ssl_trustStore_type']
if db_ssl_verifyServerCertificate == 'true':
- if 'javax_net_ssl_trustStore' in globalDict:
- javax_net_ssl_trustStore=globalDict['javax_net_ssl_trustStore']
- if 'javax_net_ssl_trustStorePassword' in globalDict:
- javax_net_ssl_trustStorePassword=globalDict['javax_net_ssl_trustStorePassword']
- if not os.path.exists(javax_net_ssl_trustStore):
- log("[E] Invalid file Name! Unable to find truststore file:"+javax_net_ssl_trustStore,"error")
- sys.exit(1)
- if javax_net_ssl_trustStorePassword is None or javax_net_ssl_trustStorePassword =="":
- log("[E] Invalid ssl truststore password!","error")
- sys.exit(1)
+ if db_ssl_certificate_file != "":
+ if not os.path.exists(db_ssl_certificate_file):
+ log("[E] Invalid file Name! Unable to find certificate file:"+db_ssl_certificate_file,"error")
+ sys.exit(1)
+ elif db_ssl_auth_type == '1-way' and db_ssl_certificate_file == "" :
+ if not os.path.exists(javax_net_ssl_trustStore):
+ log("[E] Invalid file Name! Unable to find truststore file:"+javax_net_ssl_trustStore,"error")
+ sys.exit(1)
+ if javax_net_ssl_trustStorePassword =="":
+ log("[E] Invalid ssl truststore password!","error")
+ sys.exit(1)
if db_ssl_auth_type == '2-way':
if 'javax_net_ssl_keyStore' in globalDict:
javax_net_ssl_keyStore=globalDict['javax_net_ssl_keyStore']
if 'javax_net_ssl_keyStorePassword' in globalDict:
javax_net_ssl_keyStorePassword=globalDict['javax_net_ssl_keyStorePassword']
+ if 'javax_net_ssl_keyStore_type' in globalDict:
+ javax_net_ssl_keyStore_type=globalDict['javax_net_ssl_keyStore_type']
if not os.path.exists(javax_net_ssl_keyStore):
log("[E] Invalid file Name! Unable to find keystore file:"+javax_net_ssl_keyStore,"error")
sys.exit(1)
- if javax_net_ssl_keyStorePassword is None or javax_net_ssl_keyStorePassword =="":
+ if javax_net_ssl_keyStorePassword =="":
log("[E] Invalid ssl keystore password!","error")
sys.exit(1)
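Review bot: The certificate-file check is nested under `if db_ssl_verifyServerCertificate == 'true':` although `get_jisql_cmd` uses `db_ssl_certificate_file` whenever it is non-empty, so a bad path with `db_ssl_verifyServerCertificate=false` passes validation and only fails later at the JDBC layer, while 2-way mode without a CA file no longer validates the truststore that `get_jisql_cmd` still passes (the previous code checked it for either auth type). Move the `if db_ssl_certificate_file != "":` block out from under the verify condition and replace `elif db_ssl_auth_type == '1-way' and db_ssl_certificate_file == "" :` with `elif db_ssl_verifyServerCertificate == 'true':` so the truststore existence and password checks run for both auth types when no CA file is configured; the `and db_ssl_certificate_file == ""` is redundant in an `elif` anyway. The enclosing `main` starts and ends outside this hunk.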
@@ -1169,7 +1187,7 @@ def main(argv):
db_user=db_user.lower()
db_name=db_name.lower()
POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR']
- xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
+ xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type,db_ssl_certificate_file,javax_net_ssl_trustStore_type,javax_net_ssl_keyStore_type)
xa_db_version_file = os.path.join(RANGER_ADMIN_HOME , postgres_dbversion_catalog)
xa_db_core_file = os.path.join(RANGER_ADMIN_HOME , postgres_core_file)
xa_patch_file = os.path.join(RANGER_ADMIN_HOME , postgres_patches)
diff --git a/security-admin/scripts/install.properties b/security-admin/scripts/install.properties
index a18bcd5..d300de1 100644
--- a/security-admin/scripts/install.properties
+++ b/security-admin/scripts/install.properties
@@ -62,6 +62,12 @@ javax_net_ssl_keyStore=
javax_net_ssl_keyStorePassword=
javax_net_ssl_trustStore=
javax_net_ssl_trustStorePassword=
+javax_net_ssl_trustStore_type=jks
+javax_net_ssl_keyStore_type=jks
+
+# For postgresql db
+db_ssl_certificate_file=
+
#
# DB UserId used for the Ranger schema
#
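Review bot: `db_ssl_certificate_file` is documented only as `# For postgresql db`, leaving out that a non-empty value overrides `javax_net_ssl_trustStore` for server verification and forces `sslmode=verify-full`, i.e. the server certificate must match `db_host`. Suggest `# For postgresql db: PEM file holding the CA certificate(s) that signed the server certificate. When set it replaces javax_net_ssl_trustStore for server verification and the JDBC URL uses sslmode=verify-full, so the certificate must match db_host.` plus `# Keystore/truststore format passed as -Djavax.net.ssl.*StoreType (e.g. jks, bcfks); must match the files above` over the two new `_type` keys.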
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh
index 949c242..e761c95 100755
--- a/security-admin/scripts/setup.sh
+++ b/security-admin/scripts/setup.sh
@@ -63,6 +63,9 @@ db_ssl_enabled=$(get_prop 'db_ssl_enabled' $PROPFILE)
db_ssl_required=$(get_prop 'db_ssl_required' $PROPFILE)
db_ssl_verifyServerCertificate=$(get_prop 'db_ssl_verifyServerCertificate' $PROPFILE)
db_ssl_auth_type=$(get_prop 'db_ssl_auth_type' $PROPFILE)
+db_ssl_certificate_file=$(get_prop 'db_ssl_certificate_file' $PROPFILE)
+javax_net_ssl_trustStore_type=$(get_prop 'javax_net_ssl_trustStore_type' $PROPFILE)
+javax_net_ssl_keyStore_type=$(get_prop 'javax_net_ssl_keyStore_type' $PROPFILE)
rangerAdmin_password=$(get_prop 'rangerAdmin_password' $PROPFILE)
rangerTagsync_password=$(get_prop 'rangerTagsync_password' $PROPFILE)
rangerUsersync_password=$(get_prop 'rangerUsersync_password' $PROPFILE)
@@ -271,12 +274,17 @@ init_variables(){
db_ssl_required="false"
db_ssl_verifyServerCertificate="false"
db_ssl_auth_type="2-way"
+ db_ssl_certificate_file=''
+ javax_net_ssl_trustStore_type='jks'
+ javax_net_ssl_keyStore_type='jks'
fi
if [ "${db_ssl_enabled}" == "true" ]
then
db_ssl_required=`echo $db_ssl_required | tr '[:upper:]' '[:lower:]'`
db_ssl_verifyServerCertificate=`echo $db_ssl_verifyServerCertificate | tr '[:upper:]' '[:lower:]'`
db_ssl_auth_type=`echo $db_ssl_auth_type | tr '[:upper:]' '[:lower:]'`
+ javax_net_ssl_trustStore_type=`echo $javax_net_ssl_trustStore_type | tr '[:upper:]' '[:lower:]'`
+ javax_net_ssl_keyStore_type=`echo $javax_net_ssl_keyStore_type | tr '[:upper:]' '[:lower:]'`
if [ "${db_ssl_required}" != "true" ]
then
db_ssl_required="false"
@@ -289,6 +297,14 @@ init_variables(){
then
db_ssl_auth_type="2-way"
fi
+ if [ "${javax_net_ssl_trustStore_type}" == "" ]
+ then
+ javax_net_ssl_trustStore_type="jks"
+ fi
+ if [ "${javax_net_ssl_keyStore_type}" == "" ]
+ then
+ javax_net_ssl_keyStore_type="jks"
+ fi
fi
}
@@ -562,6 +578,18 @@ update_properties() {
propertyName=ranger.db.ssl.auth.type
newPropertyValue="${db_ssl_auth_type}"
updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default
+
+ propertyName=ranger.db.ssl.certificateFile
+ newPropertyValue="${db_ssl_certificate_file}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default
+
+ propertyName=ranger.truststore.file.type
+ newPropertyValue="${javax_net_ssl_trustStore_type}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default
+
+ propertyName=ranger.keystore.file.type
+ newPropertyValue="${javax_net_ssl_keyStore_type}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default
fi
if [ "${DB_FLAVOR}" == "MYSQL" ]
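Review bot: `updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default` with `newPropertyValue="${db_ssl_certificate_file}"` passes an empty, unquoted value in the default configuration, so after word splitting the helper sees two arguments and `$to_file_default` takes the value slot; the neighbouring ssl properties are never empty after `init_variables`, which hid the problem. Unless `updatePropertyToFilePy` (outside this hunk) already tolerates a missing argument, quote the call, `updatePropertyToFilePy "$propertyName" "$newPropertyValue" "$to_file_default"`, and quote the positional parameters inside the helper too.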
@@ -629,9 +657,22 @@ update_properties() {
db_name=`echo ${db_name} | tr '[:upper:]' '[:lower:]'`
db_user=`echo ${db_user} | tr '[:upper:]' '[:lower:]'`
- propertyName=ranger.jpa.jdbc.url
- newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}"
- updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ if [ "${db_ssl_enabled}" == "true" ]
+ then
+ if test -f $db_ssl_certificate_file; then
+ propertyName=ranger.jpa.jdbc.url
+ newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}?ssl=true&sslmode=verify-full&sslrootcert=${db_ssl_certificate_file}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ else
+ propertyName=ranger.jpa.jdbc.url
+ newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}?ssl=true&sslmode=verify-full&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ fi
+ else
+ propertyName=ranger.jpa.jdbc.url
+ newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ fi
propertyName=ranger.jpa.jdbc.dialect
newPropertyValue="org.eclipse.persistence.platform.database.PostgreSQLPlatform"
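Review bot: `if test -f $db_ssl_certificate_file; then` expands to `test -f` when the property is left at its empty default, which is the one-operand form and evaluates true, so the default configuration writes `...&sslrootcert=` with an empty path and never reaches the `DefaultJavaSSLFactory`/truststore URL. Replace it with `if [ -n "${db_ssl_certificate_file}" ] && [ -f "${db_ssl_certificate_file}" ]; then`, and consider `log "[E] certificate file not found: ${db_ssl_certificate_file}"; exit 1` when the property is set but the file is absent rather than silently falling back to the truststore.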
@@ -1472,9 +1513,9 @@ setup_install_files(){
then
if [ "${db_ssl_auth_type}" == "1-way" ]
then
- DB_SSL_PARAM="' -Djavax.net.ssl.trustStore=${javax_net_ssl_trustStore} -Djavax.net.ssl.trustStorePassword=${javax_net_ssl_trustStorePassword} '"
+ DB_SSL_PARAM="' -Djavax.net.ssl.trustStore=${javax_net_ssl_trustStore} -Djavax.net.ssl.trustStorePassword=${javax_net_ssl_trustStorePassword} -Djavax.net.ssl.trustStoreType=${javax_net_ssl_trustStore_type} '"
else
- DB_SSL_PARAM="' -Djavax.net.ssl.keyStore=${javax_net_ssl_keyStore} -Djavax.net.ssl.keyStorePassword=${javax_net_ssl_keyStorePassword} -Djavax.net.ssl.trustStore=${javax_net_ssl_trustStore} -Djavax.net.ssl.trustStorePassword=${javax_net_ssl_trustStorePassword} '"
+ DB_SSL_PARAM="' -Djavax.net.ssl.keyStore=${javax_net_ssl_keyStore} -Djavax.net.ssl.keyStorePassword=${javax_net_ssl_keyStorePassword} -Djavax.net.ssl.keyStoreType={javax_net_ssl_keyStore_type} -Djavax.net.ssl.trustStore=${javax_net_ssl_trustStore} -Djavax.net.ssl.trustStorePassword=${javax_net_ssl_trustStorePassword} -Djavax.net.ssl.trustStoreType=${javax_net_ssl_trustStore_type} '"
fi
echo "export DB_SSL_PARAM=${DB_SSL_PARAM}" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-admin-env-dbsslparam.sh
chmod a+rx ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-admin-env-dbsslparam.sh
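Review bot: `-Djavax.net.ssl.keyStoreType={javax_net_ssl_keyStore_type}` on the 2-way line is missing the `$`, so the JVM gets the literal `{javax_net_ssl_keyStore_type}` as keystore type and `KeyStore.getInstance` fails, which breaks 2-way TLS to the database; it should be `-Djavax.net.ssl.keyStoreType=${javax_net_ssl_keyStore_type}`. Separately, this block writes the clear-text `keyStorePassword` and `trustStorePassword` into `ranger-admin-env-dbsslparam.sh` and the next line makes that file world-readable with `chmod a+rx`; `chmod 750` plus `chown` to `${unix_user}` would limit the store passwords to the service account.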
diff --git a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
index 43bbdfb..c58258b 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
@@ -32,6 +32,7 @@ import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
+
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.apache.ranger.biz.RangerBizUtil;
@@ -282,24 +283,27 @@ public class PropertiesUtil extends PropertyPlaceholderConfigurer {
propertiesMap.put("ranger.db.ssl.auth.type", db_ssl_auth_type);
props.put("ranger.db.ssl.auth.type", db_ssl_auth_type);
String ranger_jpa_jdbc_url=propertiesMap.get("ranger.jpa.jdbc.url");
- if(!StringUtils.isEmpty(ranger_jpa_jdbc_url)){
- if(ranger_jpa_jdbc_url.contains("?")) {
- ranger_jpa_jdbc_url=ranger_jpa_jdbc_url.substring(0,ranger_jpa_jdbc_url.indexOf("?"));
- }
+ if(StringUtils.isNotEmpty(ranger_jpa_jdbc_url) && !ranger_jpa_jdbc_url.contains("?")){
StringBuffer ranger_jpa_jdbc_url_ssl=new StringBuffer(ranger_jpa_jdbc_url);
if (RangerBizUtil.getDBFlavor()==AppConstants.DB_FLAVOR_MYSQL) {
ranger_jpa_jdbc_url_ssl.append("?useSSL="+db_ssl_enabled+"&requireSSL="+db_ssl_required+"&verifyServerCertificate="+db_ssl_verifyServerCertificate);
}else if(RangerBizUtil.getDBFlavor()==AppConstants.DB_FLAVOR_POSTGRES) {
- if("true".equalsIgnoreCase(db_ssl_verifyServerCertificate) || "true".equalsIgnoreCase(db_ssl_required)){
+ String db_ssl_certificate_file = propertiesMap.get("ranger.db.ssl.certificateFile");
+ if(StringUtils.isNotEmpty(db_ssl_certificate_file)) {
+ ranger_jpa_jdbc_url_ssl.append("?ssl="+db_ssl_enabled+"&sslmode=verify-full"+"&sslrootcert="+db_ssl_certificate_file);
+ } else if ("true".equalsIgnoreCase(db_ssl_verifyServerCertificate) || "true".equalsIgnoreCase(db_ssl_required)) {
+ ranger_jpa_jdbc_url_ssl.append("?ssl="+db_ssl_enabled+"&sslmode=verify-full"+"&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory");
+ } else {
ranger_jpa_jdbc_url_ssl.append("?ssl="+db_ssl_enabled);
- }else{
- ranger_jpa_jdbc_url_ssl.append("?ssl="+db_ssl_enabled+"&sslfactory=org.postgresql.ssl.NonValidatingFactory");
}
}
propertiesMap.put("ranger.jpa.jdbc.url", ranger_jpa_jdbc_url_ssl.toString());
- props.put("ranger.jpa.jdbc.url", ranger_jpa_jdbc_url_ssl.toString());
- logger.info("ranger.jpa.jdbc.url="+ranger_jpa_jdbc_url_ssl.toString());
}
+ ranger_jpa_jdbc_url=propertiesMap.get("ranger.jpa.jdbc.url");
+ if(StringUtils.isNotEmpty(ranger_jpa_jdbc_url)) {
+ props.put("ranger.jpa.jdbc.url", ranger_jpa_jdbc_url);
+ }
+ logger.info("ranger.jpa.jdbc.url="+ranger_jpa_jdbc_url);
}
}
}
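Review bot: The new `sslrootcert=` branch appends `db_ssl_certificate_file` to the JDBC URL verbatim, so a path containing `&`, `=` or whitespace would be misparsed by the driver; either encode it (`java.net.URLEncoder.encode(db_ssl_certificate_file, "UTF-8")`) or validate the value before it is used. The rewritten guard `StringUtils.isNotEmpty(ranger_jpa_jdbc_url) && !ranger_jpa_jdbc_url.contains("?")` also changes behaviour: a configured URL that already carries query parameters now silently receives no SSL settings at all, where the old code stripped the query string and re-applied them; if that is intended, an `else` with `logger.warn("ranger.jpa.jdbc.url already has query parameters; not appending SSL settings")` would make the skipped configuration visible to operators. The info log at the end now prints the effective JDBC URL unconditionally, which is acceptable only as long as the URL never embeds credentials; the properties read here do not appear to add any. The enclosing method starts and ends outside the hunk.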
@@ -313,6 +317,12 @@ public class PropertiesUtil extends PropertyPlaceholderConfigurer {
props.put(RangerCommonConstants.PROP_COOKIE_NAME, cookieName);
}
+ keySet = props.keySet();
+ for (Object key : keySet) {
+ String keyStr = key.toString();
+ logger.debug("PropertiesUtil:[" + keyStr + "][" + props.get(keyStr) + "]");
+ }
+
super.processProperties(beanFactory, props);
}
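Review bot: The added debug loop writes every value in `props` to the log, and the property set this configurer assembles is the one that carries the database and SSL settings (the DB password is presumably resolved into `props` as well, though that is outside this hunk), so enabling DEBUG would record secrets in plain text. Mask sensitive keys before logging, e.g. `String value = StringUtils.containsIgnoreCase(keyStr, "password") ? "*****" : String.valueOf(props.get(keyStr));` and log `value` in place of `props.get(keyStr)`; wrapping the loop in `if (logger.isDebugEnabled())` also avoids building the strings when DEBUG is off. `processProperties` starts outside the hunk.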
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
index fcd4bd0..fd957ca 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
@@ -555,6 +555,18 @@
<value>2-way</value>
</property>
<property>
+ <name>ranger.db.ssl.certificateFile</name>
+ <value></value>
+ </property>
+ <property>
+ <name>ranger.truststore.file.type</name>
+ <value>jks</value>
+ </property>
+ <property>
+ <name>ranger.keystore.file.type</name>
+ <value>jks</value>
+ </property>
+ <property>
<name>ranger.keystore.file</name>
<value></value>
</property>