Posted to commits@ranger.apache.org by me...@apache.org on 2018/06/18 03:37:13 UTC
ranger git commit: RANGER-2131:Ranger UserSync port (ie 5151)
supports TLSv1.0
Repository: ranger
Updated Branches:
refs/heads/master f1a71e0a9 -> 6cf1471c2
RANGER-2131:Ranger UserSync port (ie 5151) supports TLSv1.0
Signed-off-by: Mehul Parikh <me...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/6cf1471c
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/6cf1471c
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/6cf1471c
Branch: refs/heads/master
Commit: 6cf1471c240930d33a4d3334a2d011a9dfd22ea8
Parents: f1a71e0
Author: Nikhil P <ni...@gmail.com>
Authored: Thu Jun 14 18:43:24 2018 +0530
Committer: Mehul Parikh <me...@apache.org>
Committed: Mon Jun 18 09:06:58 2018 +0530
----------------------------------------------------------------------
unixauthservice/conf.dist/ranger-ugsync-default.xml | 4 ++++
.../ranger/authentication/UnixAuthenticationService.java | 8 ++++++--
2 files changed, 10 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cf1471c/unixauthservice/conf.dist/ranger-ugsync-default.xml
----------------------------------------------------------------------
diff --git a/unixauthservice/conf.dist/ranger-ugsync-default.xml b/unixauthservice/conf.dist/ranger-ugsync-default.xml
index c02be51..e2e014b 100644
--- a/unixauthservice/conf.dist/ranger-ugsync-default.xml
+++ b/unixauthservice/conf.dist/ranger-ugsync-default.xml
@@ -26,6 +26,10 @@
<value>true</value>
</property>
<property>
+ <name>ranger.usersync.https.ssl.enabled.protocols</name>
+ <value>SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2</value>
+ </property>
+ <property>
<name>ranger.usersync.passwordvalidator.path</name>
<value>./native/credValidator.uexe</value>
</property>
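Review bot: The default added on the `<value>` line still lists `TLSv1` and `TLSv1.1` (plus `SSLv2Hello`), so an installation that keeps the shipped defaults goes on negotiating TLS 1.0, which is the behaviour the commit title reports as the problem. The same string is the hard-coded fallback `defaultEnabledProtocols` in the UnixAuthenticationService.java hunk, so both places would need to change together. Unless older clients must be supported out of the box, I would ship `<value>TLSv1.2</value>` here and let operators who need legacy protocols add them explicitly. A short XML comment above the property saying that the value is a comma-separated allowlist of JSSE protocol names would also help whoever edits it.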
http://git-wip-us.apache.org/repos/asf/ranger/blob/6cf1471c/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
----------------------------------------------------------------------
diff --git a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
index 6ed2174..45834f4 100644
--- a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
+++ b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
@@ -29,6 +29,7 @@ import java.net.Socket;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Properties;
@@ -70,6 +71,7 @@ public class UnixAuthenticationService {
private static final String CREDSTORE_FILENAME_PARAM = "ranger.usersync.credstore.filename";
private String keyStorePath;
+ private List<String> enabledProtocolsList;
private String keyStorePathPassword;
private String trustStorePath;
private String trustStorePathPassword;
@@ -191,7 +193,9 @@ public class UnixAuthenticationService {
String SSLEnabledProp = prop.getProperty(SSL_ENABLED_PARAM);
SSLEnabled = (SSLEnabledProp != null && (SSLEnabledProp.equalsIgnoreCase("true")));
-
+ String defaultEnabledProtocols = "SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2";
+ String enabledProtocols = prop.getProperty("ranger.usersync.https.ssl.enabled.protocols", defaultEnabledProtocols);
+ enabledProtocolsList=new ArrayList<String>(Arrays.asList(enabledProtocols.toUpperCase().trim().split("\\s*,\\s*")));
// LOG.info("Key:" + keyStorePath);
// LOG.info("KeyPassword:" + keyStorePathPassword);
// LOG.info("TrustStore:" + trustStorePath);
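Review bot: The property key is a string literal in the `prop.getProperty(...)` call while the neighbouring keys use constants (`SSL_ENABLED_PARAM` two lines above), and the fallback string duplicates the value in ranger-ugsync-default.xml, so the two can drift apart. I would add `private static final String SSL_ENABLED_PROTOCOLS_PARAM = "ranger.usersync.https.ssl.enabled.protocols";` next to the other `*_PARAM` constants and use it here. `toUpperCase()` should also take a fixed locale, `enabledProtocols.toUpperCase(Locale.ROOT)` (with `java.util.Locale` imported), and the same applies to `ep.toUpperCase()` in the last hunk, so that matching does not depend on the JVM's default locale. The enclosing method starts and ends outside this hunk.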
@@ -273,7 +277,7 @@ public class UnixAuthenticationService {
String[] protocols = secureSocket.getEnabledProtocols();
Set<String> allowedProtocols = new HashSet<String>();
for(String ep : protocols) {
- if (! ep.toUpperCase().startsWith("SSLV3")) {
+ if (enabledProtocolsList.contains(ep.toUpperCase())){
LOG.info("Enabling Protocol: [" + ep + "]");
allowedProtocols.add(ep);
}
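Review bot: With the allowlist in the `if`, a configured value that matches nothing (an empty property, or a typo such as `TLS1.2`) leaves `allowedProtocols` empty and nothing in the visible lines reports it; what the code after the loop does with an empty set is outside this hunk. A check after the loop, for example `if (allowedProtocols.isEmpty()) { throw new IllegalStateException("No enabled protocol matches ranger.usersync.https.ssl.enabled.protocols"); }`, would make the listener fail closed with a clear message. The unconditional SSLv3 exclusion from the removed line is also gone, so SSLv3 is now accepted whenever it is in the configured list and the JVM has it enabled. Keeping `!ep.toUpperCase().startsWith("SSLV3") &&` in the condition would retain that floor regardless of configuration.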