Posted to commits@ranger.apache.org by pr...@apache.org on 2018/09/27 09:50:41 UTC
ranger git commit: RANGER-1990: Support one-way SSL connection to DB
Repository: ranger
Updated Branches:
refs/heads/ranger-0.7 822e76472 -> 678bf58dd
RANGER-1990: Support one-way SSL connection to DB
(cherry picked from commit 625cd35a49c772a7df44ae65ba02b0129e98c9f9)
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/678bf58d
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/678bf58d
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/678bf58d
Branch: refs/heads/ranger-0.7
Commit: 678bf58dd6ab2ac9710497385a444142f505084f
Parents: 822e764
Author: pradeep <pr...@apache.org>
Authored: Thu Feb 22 19:37:20 2018 +0530
Committer: Pradeep <pr...@apache.org>
Committed: Thu Sep 27 15:01:37 2018 +0530
----------------------------------------------------------------------
kms/config/kms-webapp/dbks-site.xml | 4 +++
kms/scripts/db_setup.py | 34 +++++++++++-------
kms/scripts/dba_script.py | 35 ++++++++++++-------
kms/scripts/install.properties | 2 ++
kms/scripts/ranger-kms | 2 +-
kms/scripts/setup.sh | 24 ++++++++++---
.../apache/hadoop/crypto/key/RangerKMSDB.java | 27 +++++++++------
security-admin/scripts/db_setup.py | 36 ++++++++++++--------
security-admin/scripts/dba_script.py | 36 ++++++++++++--------
security-admin/scripts/install.properties | 2 ++
security-admin/scripts/setup.sh | 18 +++++++++-
.../apache/ranger/common/PropertiesUtil.java | 6 ++++
.../conf.dist/ranger-admin-default-site.xml | 4 +++
13 files changed, 159 insertions(+), 71 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/678bf58d/kms/config/kms-webapp/dbks-site.xml
----------------------------------------------------------------------
diff --git a/kms/config/kms-webapp/dbks-site.xml b/kms/config/kms-webapp/dbks-site.xml
index a098db1..0e0f2ec 100755
--- a/kms/config/kms-webapp/dbks-site.xml
+++ b/kms/config/kms-webapp/dbks-site.xml
@@ -167,4 +167,8 @@
<name>ranger.ks.db.ssl.verifyServerCertificate</name>
<value>false</value>
</property>
+ <property>
+ <name>ranger.ks.db.ssl.auth.type</name>
+ <value>2-way</value>
+ </property>
</configuration>
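Review bot: The new `ranger.ks.db.ssl.auth.type` property gives no hint of its accepted values, and nothing in the file says it is only consulted when `ranger.ks.db.ssl.verifyServerCertificate` is `true`, which is the gate RangerKMSDB applies before looking at it. An XML comment above the property would spare the next operator a trip to the source: `<!-- 1-way: server certificate is checked against the trust store only; 2-way (default): mutual TLS, key store settings are also required. Only read when ranger.ks.db.ssl.verifyServerCertificate=true -->`. The visible sibling property has no description element either, so a comment keeps the file's style.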
http://git-wip-us.apache.org/repos/asf/ranger/blob/678bf58d/kms/scripts/db_setup.py
----------------------------------------------------------------------
diff --git a/kms/scripts/db_setup.py b/kms/scripts/db_setup.py
index d8b4b63..090e551 100644
--- a/kms/scripts/db_setup.py
+++ b/kms/scripts/db_setup.py
@@ -102,13 +102,14 @@ class BaseDB(object):
class MysqlConf(BaseDB):
# Constructor
- def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword):
+ def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type):
self.host = host
self.SQL_CONNECTOR_JAR = SQL_CONNECTOR_JAR
self.JAVA_BIN = JAVA_BIN
self.db_ssl_enabled=db_ssl_enabled.lower()
self.db_ssl_required=db_ssl_required.lower()
self.db_ssl_verifyServerCertificate=db_ssl_verifyServerCertificate.lower()
+ self.db_ssl_auth_type=db_ssl_auth_type.lower()
self.javax_net_ssl_keyStore=javax_net_ssl_keyStore
self.javax_net_ssl_keyStorePassword=javax_net_ssl_keyStorePassword
self.javax_net_ssl_trustStore=javax_net_ssl_trustStore
@@ -121,7 +122,10 @@ class MysqlConf(BaseDB):
if self.db_ssl_enabled == 'true':
db_ssl_param="?useSSL=%s&requireSSL=%s&verifyServerCertificate=%s" %(self.db_ssl_enabled,self.db_ssl_required,self.db_ssl_verifyServerCertificate)
if self.db_ssl_verifyServerCertificate == 'true':
- db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ if self.db_ssl_auth_type == '1-way':
+ db_ssl_cert_param=" -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ else:
+ db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
self.JAVA_BIN = self.JAVA_BIN.strip("'")
if is_unix:
jisql_cmd = "%s %s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s%s -u '%s' -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN,db_ssl_cert_param,self.SQL_CONNECTOR_JAR,path,self.host,db_name,db_ssl_param,user,password)
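Review bot: The new 1-way branch of the `db_ssl_cert_param` assignment still places `javax.net.ssl.trustStorePassword` (and, in the 2-way branch, the keystore password) on the jisql command line, where any local user can read it from `ps` or `/proc/<pid>/cmdline` for the life of the java process. This is the pre-existing pattern rather than something the commit introduces, but the split into two branches is the moment to make the trade-off visible: `# NOTE: store passwords are passed as -D flags and are visible in the process list` above the branch, with a follow-up to hand them over through a temporary properties file instead. The enclosing method continues past the end of the hunk.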
@@ -572,6 +576,7 @@ def main(argv):
db_ssl_enabled='false'
db_ssl_required='false'
db_ssl_verifyServerCertificate='false'
+ db_ssl_auth_type='2-way'
javax_net_ssl_keyStore=''
javax_net_ssl_keyStorePassword=''
javax_net_ssl_trustStore=''
@@ -585,30 +590,33 @@ def main(argv):
db_ssl_required=globalDict['db_ssl_required'].lower()
if 'db_ssl_verifyServerCertificate' in globalDict:
db_ssl_verifyServerCertificate=globalDict['db_ssl_verifyServerCertificate'].lower()
+ if 'db_ssl_auth_type' in globalDict:
+ db_ssl_auth_type=globalDict['db_ssl_auth_type'].lower()
if db_ssl_verifyServerCertificate == 'true':
- if 'javax_net_ssl_keyStore' in globalDict:
- javax_net_ssl_keyStore=globalDict['javax_net_ssl_keyStore']
- if 'javax_net_ssl_keyStorePassword' in globalDict:
- javax_net_ssl_keyStorePassword=globalDict['javax_net_ssl_keyStorePassword']
if 'javax_net_ssl_trustStore' in globalDict:
javax_net_ssl_trustStore=globalDict['javax_net_ssl_trustStore']
if 'javax_net_ssl_trustStorePassword' in globalDict:
javax_net_ssl_trustStorePassword=globalDict['javax_net_ssl_trustStorePassword']
- if not os.path.exists(javax_net_ssl_keyStore):
- log("[E] Invalid file Name! Unable to find keystore file:"+javax_net_ssl_keyStore,"error")
- sys.exit(1)
if not os.path.exists(javax_net_ssl_trustStore):
log("[E] Invalid file Name! Unable to find truststore file:"+javax_net_ssl_trustStore,"error")
sys.exit(1)
- if javax_net_ssl_keyStorePassword is None or javax_net_ssl_keyStorePassword =="":
- log("[E] Invalid ssl keystore password!","error")
- sys.exit(1)
if javax_net_ssl_trustStorePassword is None or javax_net_ssl_trustStorePassword =="":
log("[E] Invalid ssl truststore password!","error")
sys.exit(1)
+ if db_ssl_auth_type == '2-way':
+ if 'javax_net_ssl_keyStore' in globalDict:
+ javax_net_ssl_keyStore=globalDict['javax_net_ssl_keyStore']
+ if 'javax_net_ssl_keyStorePassword' in globalDict:
+ javax_net_ssl_keyStorePassword=globalDict['javax_net_ssl_keyStorePassword']
+ if not os.path.exists(javax_net_ssl_keyStore):
+ log("[E] Invalid file Name! Unable to find keystore file:"+javax_net_ssl_keyStore,"error")
+ sys.exit(1)
+ if javax_net_ssl_keyStorePassword is None or javax_net_ssl_keyStorePassword =="":
+ log("[E] Invalid ssl keystore password!","error")
+ sys.exit(1)
MYSQL_CONNECTOR_JAR=globalDict['SQL_CONNECTOR_JAR']
- xa_sqlObj = MysqlConf(xa_db_host, MYSQL_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword)
+ xa_sqlObj = MysqlConf(xa_db_host, MYSQL_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
xa_db_core_file = os.path.join(RANGER_KMS_HOME , mysql_core_file)
elif XA_DB_FLAVOR == "ORACLE":
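Review bot: The keystore validation guarded by `if db_ssl_auth_type == '2-way':` only fires for the exact string `2-way`, while `MysqlConf` treats every value other than `1-way` as two-way, so a typo such as `2way` or `mutual` skips the file and password checks and later yields a jisql command with an empty `-Djavax.net.ssl.keyStore=`. Either mirror the class with `if db_ssl_auth_type != '1-way':`, or reject unknown values before this point: `if db_ssl_auth_type not in ('1-way', '2-way'): log("[E] Invalid db_ssl_auth_type: "+db_ssl_auth_type,"error"); sys.exit(1)`. setup.sh silently coerces anything unrecognised to `2-way`, and this script presumably reads `install.properties` directly, so the two entry points currently disagree. `main` continues outside the hunk.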
http://git-wip-us.apache.org/repos/asf/ranger/blob/678bf58d/kms/scripts/dba_script.py
----------------------------------------------------------------------
diff --git a/kms/scripts/dba_script.py b/kms/scripts/dba_script.py
index 1e264cc..6350d7d 100755
--- a/kms/scripts/dba_script.py
+++ b/kms/scripts/dba_script.py
@@ -133,13 +133,14 @@ class BaseDB(object):
class MysqlConf(BaseDB):
# Constructor
- def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword):
+ def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type):
self.host = host
self.SQL_CONNECTOR_JAR = SQL_CONNECTOR_JAR
self.JAVA_BIN = JAVA_BIN
self.db_ssl_enabled=db_ssl_enabled.lower()
self.db_ssl_required=db_ssl_required.lower()
self.db_ssl_verifyServerCertificate=db_ssl_verifyServerCertificate.lower()
+ self.db_ssl_auth_type=db_ssl_auth_type.lower()
self.javax_net_ssl_keyStore=javax_net_ssl_keyStore
self.javax_net_ssl_keyStorePassword=javax_net_ssl_keyStorePassword
self.javax_net_ssl_trustStore=javax_net_ssl_trustStore
@@ -153,7 +154,10 @@ class MysqlConf(BaseDB):
if self.db_ssl_enabled == 'true':
db_ssl_param="?useSSL=%s&requireSSL=%s&verifyServerCertificate=%s" %(self.db_ssl_enabled,self.db_ssl_required,self.db_ssl_verifyServerCertificate)
if self.db_ssl_verifyServerCertificate == 'true':
- db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ if self.db_ssl_auth_type == '1-way':
+ db_ssl_cert_param=" -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ else:
+ db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
if is_unix:
jisql_cmd = "%s %s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s%s -u %s -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN,db_ssl_cert_param,self.SQL_CONNECTOR_JAR,path,self.host,db_name,db_ssl_param,user,password)
elif os_name == "WINDOWS":
@@ -1363,6 +1367,7 @@ def main(argv):
db_ssl_enabled='false'
db_ssl_required='false'
db_ssl_verifyServerCertificate='false'
+ db_ssl_auth_type='2-way'
javax_net_ssl_keyStore=''
javax_net_ssl_keyStorePassword=''
javax_net_ssl_trustStore=''
@@ -1375,30 +1380,34 @@ def main(argv):
db_ssl_required=globalDict['db_ssl_required'].lower()
if 'db_ssl_verifyServerCertificate' in globalDict:
db_ssl_verifyServerCertificate=globalDict['db_ssl_verifyServerCertificate'].lower()
+ if 'db_ssl_auth_type' in globalDict:
+ db_ssl_auth_type=globalDict['db_ssl_auth_type'].lower()
if db_ssl_verifyServerCertificate == 'true':
- if 'javax_net_ssl_keyStore' in globalDict:
- javax_net_ssl_keyStore=globalDict['javax_net_ssl_keyStore']
- if 'javax_net_ssl_keyStorePassword' in globalDict:
- javax_net_ssl_keyStorePassword=globalDict['javax_net_ssl_keyStorePassword']
if 'javax_net_ssl_trustStore' in globalDict:
javax_net_ssl_trustStore=globalDict['javax_net_ssl_trustStore']
if 'javax_net_ssl_trustStorePassword' in globalDict:
javax_net_ssl_trustStorePassword=globalDict['javax_net_ssl_trustStorePassword']
- if not os.path.exists(javax_net_ssl_keyStore):
- log("[E] Invalid file Name! Unable to find keystore file:"+javax_net_ssl_keyStore,"error")
- sys.exit(1)
if not os.path.exists(javax_net_ssl_trustStore):
log("[E] Invalid file Name! Unable to find truststore file:"+javax_net_ssl_trustStore,"error")
sys.exit(1)
- if javax_net_ssl_keyStorePassword is None or javax_net_ssl_keyStorePassword =="":
- log("[E] Invalid ssl keystore password!","error")
- sys.exit(1)
if javax_net_ssl_trustStorePassword is None or javax_net_ssl_trustStorePassword =="":
log("[E] Invalid ssl truststore password!","error")
sys.exit(1)
+ if db_ssl_auth_type == '2-way':
+ if 'javax_net_ssl_keyStore' in globalDict:
+ javax_net_ssl_keyStore=globalDict['javax_net_ssl_keyStore']
+ if 'javax_net_ssl_keyStorePassword' in globalDict:
+ javax_net_ssl_keyStorePassword=globalDict['javax_net_ssl_keyStorePassword']
+ if not os.path.exists(javax_net_ssl_keyStore):
+ log("[E] Invalid file Name! Unable to find keystore file:"+javax_net_ssl_keyStore,"error")
+ sys.exit(1)
+ if javax_net_ssl_keyStorePassword is None or javax_net_ssl_keyStorePassword =="":
+ log("[E] Invalid ssl keystore password!","error")
+ sys.exit(1)
+
MYSQL_CONNECTOR_JAR=CONNECTOR_JAR
- xa_sqlObj = MysqlConf(xa_db_host, MYSQL_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword)
+ xa_sqlObj = MysqlConf(xa_db_host, MYSQL_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
xa_db_core_file = os.path.join(RANGER_KMS_HOME,mysql_core_file)
elif XA_DB_FLAVOR == "ORACLE":
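Review bot: `if db_ssl_auth_type == '2-way':` gates the keystore checks on one exact spelling, but `MysqlConf.get_jisql_cmd` in the same file builds the two-way command for every value that is not `1-way`, so an unrecognised value passes validation and then runs with `-Djavax.net.ssl.keyStore=` empty. Changing the guard to `if db_ssl_auth_type != '1-way':` makes the check and the command agree; rejecting anything outside `('1-way', '2-way')` with a `log(...,"error")` and `sys.exit(1)` would be stricter still. The same mismatch exists in db_setup.py, so whichever rule is chosen should be applied to both. `main` continues outside the hunk.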
http://git-wip-us.apache.org/repos/asf/ranger/blob/678bf58d/kms/scripts/install.properties
----------------------------------------------------------------------
diff --git a/kms/scripts/install.properties b/kms/scripts/install.properties
index b173d13..ddc779d 100755
--- a/kms/scripts/install.properties
+++ b/kms/scripts/install.properties
@@ -55,6 +55,8 @@ db_host=localhost
db_ssl_enabled=false
db_ssl_required=false
db_ssl_verifyServerCertificate=false
+#db_ssl_auth_type=1-way|2-way, where 1-way represents standard one way ssl authentication and 2-way represents mutual ssl authentication
+db_ssl_auth_type=2-way
javax_net_ssl_keyStore=
javax_net_ssl_keyStorePassword=
javax_net_ssl_trustStore=
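Review bot: The comment above `db_ssl_auth_type=2-way` explains the two modes but not what they mean for the keys that follow: with `1-way` the `javax_net_ssl_keyStore` and `javax_net_ssl_keyStorePassword` entries are ignored and may stay empty, while with `2-way` they are mandatory and setup aborts if the keystore file is missing. Suggest extending it: `# With 1-way only javax_net_ssl_trustStore/Password are used; with 2-way the keyStore entries below are also required. Any other value is treated as 2-way.` The last clause reflects how setup.sh falls back, assuming that coercion is intended rather than a stop-gap.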
http://git-wip-us.apache.org/repos/asf/ranger/blob/678bf58d/kms/scripts/ranger-kms
----------------------------------------------------------------------
diff --git a/kms/scripts/ranger-kms b/kms/scripts/ranger-kms
index dd14639..d1e3360 100755
--- a/kms/scripts/ranger-kms
+++ b/kms/scripts/ranger-kms
@@ -89,7 +89,7 @@ fi
KMS_CONF_DIR=${RANGER_KMS_EWS_DIR}/webapp/WEB-INF/classes/conf
SERVER_NAME=rangerkms
-JAVA_OPTS="${JAVA_OPTS} -Dservername=${SERVER_NAME} -Dcatalina.base=${RANGER_KMS_EWS_DIR} -Dkms.config.dir=${KMS_CONF_DIR} -Dkms.log.dir=${TOMCAT_LOG_DIR} -cp ${RANGER_KMS_EWS_CONF_DIR}:${RANGER_KMS_EWS_LIB_DIR}/*:${RANGER_KMS_EWS_DIR}/webapp/lib/*:${JAVA_HOME}/lib/*:${RANGER_HADOOP_CONF_DIR}/*:$CLASSPATH "
+JAVA_OPTS="${JAVA_OPTS} ${DB_SSL_PARAM} -Dservername=${SERVER_NAME} -Dcatalina.base=${RANGER_KMS_EWS_DIR} -Dkms.config.dir=${KMS_CONF_DIR} -Dkms.log.dir=${TOMCAT_LOG_DIR} -cp ${RANGER_KMS_EWS_CONF_DIR}:${RANGER_KMS_EWS_LIB_DIR}/*:${RANGER_KMS_EWS_DIR}/webapp/lib/*:${JAVA_HOME}/lib/*:${RANGER_HADOOP_CONF_DIR}/*:$CLASSPATH "
createRangerKMSPid () {
SLEEP_TIME_AFTER_START=5
nohup java -D${PROC_NAME} ${JAVA_OPTS} ${START_CLASS_NAME} ${KMS_CONFIG_FILENAME} > ${TOMCAT_LOG_FILE} 2>&1 &
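Review bot: `${DB_SSL_PARAM}` spliced into `JAVA_OPTS` carries `-Djavax.net.ssl.keyStorePassword` and `-Djavax.net.ssl.trustStorePassword`, and the `nohup java ... ${JAVA_OPTS}` line below exposes them in the process command line to every local account. RangerKMSDB already reads the same stores and passwords from `dbks-site.xml` and installs them with `System.setProperty` at startup, so for the KMS process the `-D` flags appear redundant; if every DB connection goes through that path, dropping `${DB_SSL_PARAM}` from `JAVA_OPTS` would remove the exposure without a functional change. Worth confirming that no connection is opened before RangerKMSDB has run, and where `DB_SSL_PARAM` is sourced (presumably the `ranger-kms-env-dbsslparam.sh` written by setup.sh, not shown here).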
http://git-wip-us.apache.org/repos/asf/ranger/blob/678bf58d/kms/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/kms/scripts/setup.sh b/kms/scripts/setup.sh
index c8d7519..2db05b8 100755
--- a/kms/scripts/setup.sh
+++ b/kms/scripts/setup.sh
@@ -66,6 +66,7 @@ db_password=$(get_prop 'db_password' $PROPFILE)
db_ssl_enabled=$(get_prop 'db_ssl_enabled' $PROPFILE)
db_ssl_required=$(get_prop 'db_ssl_required' $PROPFILE)
db_ssl_verifyServerCertificate=$(get_prop 'db_ssl_verifyServerCertificate' $PROPFILE)
+db_ssl_auth_type=$(get_prop 'db_ssl_auth_type' $PROPFILE)
KMS_MASTER_KEY_PASSWD=$(get_prop 'KMS_MASTER_KEY_PASSWD' $PROPFILE)
unix_user=$(get_prop 'unix_user' $PROPFILE)
unix_group=$(get_prop 'unix_group' $PROPFILE)
@@ -270,11 +271,13 @@ init_variables(){
db_ssl_enabled="false"
db_ssl_required="false"
db_ssl_verifyServerCertificate="false"
+ db_ssl_auth_type="2-way"
fi
if [ "${db_ssl_enabled}" == "true" ]
then
db_ssl_required=`echo $db_ssl_required | tr '[:upper:]' '[:lower:]'`
db_ssl_verifyServerCertificate=`echo $db_ssl_verifyServerCertificate | tr '[:upper:]' '[:lower:]'`
+ db_ssl_auth_type=`echo $db_ssl_auth_type | tr '[:upper:]' '[:lower:]'`
if [ "${db_ssl_required}" != "true" ]
then
db_ssl_required="false"
@@ -283,6 +286,10 @@ init_variables(){
then
db_ssl_verifyServerCertificate="false"
fi
+ if [ "${db_ssl_auth_type}" != "1-way" ]
+ then
+ db_ssl_auth_type="2-way"
+ fi
fi
}
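Review bot: The new normalisation `if [ "${db_ssl_auth_type}" != "1-way" ]` silently turns any typo (`1way`, `one-way`, `1-Way ` with trailing space) into mutual TLS, which then surfaces much later as a missing-keystore failure far from its cause. Reject unknown values instead, keeping the coercion only for an empty value so the default survives: `if [ "${db_ssl_auth_type}" != "1-way" ] && [ "${db_ssl_auth_type}" != "2-way" ]; then echo "[E] db_ssl_auth_type must be 1-way or 2-way"; exit 1; fi`. The Python db scripts compare against the exact strings, so strict validation here keeps every entry point in agreement. `init_variables` starts before the hunk.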
@@ -448,17 +455,21 @@ update_properties() {
if [ "${db_ssl_enabled}" != "" ]
then
- propertyName=ranger.db.ssl.enabled
+ propertyName=ranger.ks.db.ssl.enabled
newPropertyValue="${db_ssl_enabled}"
updatePropertyToFilePy $propertyName $newPropertyValue $to_file
- propertyName=ranger.db.ssl.required
+ propertyName=ranger.ks.db.ssl.required
newPropertyValue="${db_ssl_required}"
updatePropertyToFilePy $propertyName $newPropertyValue $to_file
- propertyName=ranger.db.ssl.verifyServerCertificate
+ propertyName=ranger.ks.db.ssl.verifyServerCertificate
newPropertyValue="${db_ssl_verifyServerCertificate}"
updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+
+ propertyName=ranger.ks.db.ssl.auth.type
+ newPropertyValue="${db_ssl_auth_type}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file
fi
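Review bot: Renaming the written keys from `ranger.db.ssl.*` to `ranger.ks.db.ssl.*` at `propertyName=ranger.ks.db.ssl.enabled` reads as a separate bug fix rather than part of one-way SSL support: RangerKMSDB looks up `PROPERTY_PREFIX + "db.ssl.enabled"`, which presumably expands to the `ranger.ks.` form, so the old names would never have been honoured. That deserves a sentence in the commit message, together with a note that upgrades leave stale `ranger.db.ssl.*` entries in existing `dbks-site.xml` files (harmless, but confusing when debugging). A comment on the block, `# key names must match RangerKMSDB's PROPERTY_PREFIX`, would stop the drift from recurring.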
if [ "${DB_FLAVOR}" == "MYSQL" ]
@@ -891,7 +902,12 @@ setup_install_files(){
if [ "${db_ssl_verifyServerCertificate}" == "true" ]
then
- DB_SSL_PARAM="' -Djavax.net.ssl.keyStore=${javax_net_ssl_keyStore} -Djavax.net.ssl.keyStorePassword=${javax_net_ssl_keyStorePassword} -Djavax.net.ssl.trustStore=${javax_net_ssl_trustStore} -Djavax.net.ssl.trustStorePassword=${javax_net_ssl_trustStorePassword} '"
+ if [ "${db_ssl_auth_type}" == "1-way" ]
+ then
+ DB_SSL_PARAM="' -Djavax.net.ssl.trustStore=${javax_net_ssl_trustStore} -Djavax.net.ssl.trustStorePassword=${javax_net_ssl_trustStorePassword} '"
+ else
+ DB_SSL_PARAM="' -Djavax.net.ssl.keyStore=${javax_net_ssl_keyStore} -Djavax.net.ssl.keyStorePassword=${javax_net_ssl_keyStorePassword} -Djavax.net.ssl.trustStore=${javax_net_ssl_trustStore} -Djavax.net.ssl.trustStorePassword=${javax_net_ssl_trustStorePassword} '"
+ fi
echo "export DB_SSL_PARAM=${DB_SSL_PARAM}" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-dbsslparam.sh
chmod a+rx ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-dbsslparam.sh
else
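Review bot: Both branches of the new `DB_SSL_PARAM` assignment write the truststore password (and in the 2-way branch the keystore password) into `ranger-kms-env-dbsslparam.sh`, and the unchanged `chmod a+rx` on the next line leaves that file world-readable, so any local account can recover the DB TLS credentials. Tighten it where the file is written: `chown ${unix_user}:${unix_group} ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-dbsslparam.sh` followed by `chmod 640 ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-dbsslparam.sh`, assuming the ranger-kms launcher runs as `unix_user` and only needs to source it. If a later chown pass already covers the conf directory, the chmod alone still needs to drop the `o+r` bit. `setup_install_files` starts before the hunk.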
http://git-wip-us.apache.org/repos/asf/ranger/blob/678bf58d/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java
index 649da30..c745438 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java
@@ -57,6 +57,7 @@ public class RangerKMSDB {
private static final String DB_SSL_ENABLED="db.ssl.enabled";
private static final String DB_SSL_REQUIRED="db.ssl.required";
private static final String DB_SSL_VerifyServerCertificate="db.ssl.verifyServerCertificate";
+ private static final String DB_SSL_AUTH_TYPE="db.ssl.auth.type";
private static final String DB_SSL_KEYSTORE="keystore.file";
private static final String DB_SSL_KEYSTORE_PASSWORD="keystore.password";
private static final String DB_SSL_TRUSTSTORE="truststore.file";
@@ -190,9 +191,11 @@ public class RangerKMSDB {
db_ssl_verifyServerCertificate="false";
}
db_ssl_verifyServerCertificate=db_ssl_verifyServerCertificate.toLowerCase();
+ String db_ssl_auth_type=conf.get(PROPERTY_PREFIX+DB_SSL_AUTH_TYPE,"2-way");
conf.set(PROPERTY_PREFIX+DB_SSL_ENABLED, db_ssl_enabled);
conf.set(PROPERTY_PREFIX+DB_SSL_REQUIRED, db_ssl_required);
conf.set(PROPERTY_PREFIX+DB_SSL_VerifyServerCertificate, db_ssl_verifyServerCertificate);
+ conf.set(PROPERTY_PREFIX+DB_SSL_AUTH_TYPE, db_ssl_auth_type);
String ranger_jpa_jdbc_url=conf.get(PROPERTY_PREFIX+DB_URL);
if(!StringUtils.isEmpty(ranger_jpa_jdbc_url)){
StringBuffer ranger_jpa_jdbc_url_ssl=new StringBuffer(ranger_jpa_jdbc_url);
@@ -204,19 +207,21 @@ public class RangerKMSDB {
if("true".equalsIgnoreCase(db_ssl_verifyServerCertificate)){
if (conf!=null) {
- // update system key store path with custom key store.
- String keystore=conf.get(PROPERTY_PREFIX+DB_SSL_KEYSTORE);
- if(!StringUtils.isEmpty(keystore)){
- Path path = Paths.get(keystore);
- if (Files.exists(path) && Files.isReadable(path)) {
- System.setProperty("javax.net.ssl.keyStore", conf.get(PROPERTY_PREFIX+DB_SSL_KEYSTORE));
- System.setProperty("javax.net.ssl.keyStorePassword", conf.get(PROPERTY_PREFIX+DB_SSL_KEYSTORE_PASSWORD));
- System.setProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
+ if(!"1-way".equalsIgnoreCase((db_ssl_auth_type))){
+ // update system key store path with custom key store.
+ String keystore=conf.get(PROPERTY_PREFIX+DB_SSL_KEYSTORE);
+ if(!StringUtils.isEmpty(keystore)){
+ Path path = Paths.get(keystore);
+ if (Files.exists(path) && Files.isReadable(path)) {
+ System.setProperty("javax.net.ssl.keyStore", conf.get(PROPERTY_PREFIX+DB_SSL_KEYSTORE));
+ System.setProperty("javax.net.ssl.keyStorePassword", conf.get(PROPERTY_PREFIX+DB_SSL_KEYSTORE_PASSWORD));
+ System.setProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
+ }else{
+ logger.debug("Could not find or read keystore file '"+keystore+"'");
+ }
}else{
- logger.debug("Could not find or read keystore file '"+keystore+"'");
+ logger.debug("keystore property '"+PROPERTY_PREFIX+DB_SSL_KEYSTORE+"' value not found!");
}
- }else{
- logger.debug("keystore property '"+PROPERTY_PREFIX+DB_SSL_KEYSTORE+"' value not found!");
}
// update system trust store path with custom trust store.
String truststore=conf.get(PROPERTY_PREFIX+DB_SSL_TRUSTSTORE);
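Review bot: Inside the new two-way branch `if(!"1-way".equalsIgnoreCase((db_ssl_auth_type)))`, a missing or unreadable keystore is reported only at `logger.debug`, so a mis-configured mutual-TLS setup fails later in the JDBC handshake with nothing in a normal log to point at the cause. Since the keystore is mandatory in that mode, raise both messages to `logger.warn` and name the mode that required it, e.g. `logger.warn("db.ssl.auth.type is 2-way but keystore file '"+keystore+"' is missing or unreadable");`. Minor: the doubled parentheses around `db_ssl_auth_type` can go. The enclosing method continues outside the hunk.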
http://git-wip-us.apache.org/repos/asf/ranger/blob/678bf58d/security-admin/scripts/db_setup.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py
index 6e79151..d4f37ed 100644
--- a/security-admin/scripts/db_setup.py
+++ b/security-admin/scripts/db_setup.py
@@ -183,13 +183,14 @@ class BaseDB(object):
class MysqlConf(BaseDB):
# Constructor
- def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword):
+ def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type):
self.host = host
self.SQL_CONNECTOR_JAR = SQL_CONNECTOR_JAR
self.JAVA_BIN = JAVA_BIN
self.db_ssl_enabled=db_ssl_enabled.lower()
self.db_ssl_required=db_ssl_required.lower()
self.db_ssl_verifyServerCertificate=db_ssl_verifyServerCertificate.lower()
+ self.db_ssl_auth_type=db_ssl_auth_type.lower()
self.javax_net_ssl_keyStore=javax_net_ssl_keyStore
self.javax_net_ssl_keyStorePassword=javax_net_ssl_keyStorePassword
self.javax_net_ssl_trustStore=javax_net_ssl_trustStore
@@ -202,7 +203,10 @@ class MysqlConf(BaseDB):
if self.db_ssl_enabled == 'true':
db_ssl_param="?useSSL=%s&requireSSL=%s&verifyServerCertificate=%s" %(self.db_ssl_enabled,self.db_ssl_required,self.db_ssl_verifyServerCertificate)
if self.db_ssl_verifyServerCertificate == 'true':
- db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ if self.db_ssl_auth_type == '1-way':
+ db_ssl_cert_param=" -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ else:
+ db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
self.JAVA_BIN = self.JAVA_BIN.strip("'")
if is_unix:
jisql_cmd = "%s %s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s%s -u '%s' -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN,db_ssl_cert_param,self.SQL_CONNECTOR_JAR,path,self.host,db_name,db_ssl_param,user,password)
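Review bot: Splitting `db_ssl_cert_param` into a 1-way and a 2-way branch keeps the store passwords as `-D` flags on the jisql command line, where they are readable by any local user through `ps` for as long as the java process runs. The exposure predates this commit, but the branch is the natural place to record it with `# NOTE: store passwords are passed as -D flags and are visible in the process list` and to track moving them into a temporary properties file. The enclosing method continues past the end of the hunk.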
@@ -3604,6 +3608,7 @@ def main(argv):
db_ssl_enabled='false'
db_ssl_required='false'
db_ssl_verifyServerCertificate='false'
+ db_ssl_auth_type='2-way'
javax_net_ssl_keyStore=''
javax_net_ssl_keyStorePassword=''
javax_net_ssl_trustStore=''
@@ -3617,30 +3622,33 @@ def main(argv):
db_ssl_required=globalDict['db_ssl_required'].lower()
if 'db_ssl_verifyServerCertificate' in globalDict:
db_ssl_verifyServerCertificate=globalDict['db_ssl_verifyServerCertificate'].lower()
+ if 'db_ssl_auth_type' in globalDict:
+ db_ssl_auth_type=globalDict['db_ssl_auth_type'].lower()
if db_ssl_verifyServerCertificate == 'true':
- if 'javax_net_ssl_keyStore' in globalDict:
- javax_net_ssl_keyStore=globalDict['javax_net_ssl_keyStore']
- if 'javax_net_ssl_keyStorePassword' in globalDict:
- javax_net_ssl_keyStorePassword=globalDict['javax_net_ssl_keyStorePassword']
if 'javax_net_ssl_trustStore' in globalDict:
javax_net_ssl_trustStore=globalDict['javax_net_ssl_trustStore']
if 'javax_net_ssl_trustStorePassword' in globalDict:
javax_net_ssl_trustStorePassword=globalDict['javax_net_ssl_trustStorePassword']
- if not os.path.exists(javax_net_ssl_keyStore):
- log("[E] Invalid file Name! Unable to find keystore file:"+javax_net_ssl_keyStore,"error")
- sys.exit(1)
if not os.path.exists(javax_net_ssl_trustStore):
log("[E] Invalid file Name! Unable to find truststore file:"+javax_net_ssl_trustStore,"error")
sys.exit(1)
- if javax_net_ssl_keyStorePassword is None or javax_net_ssl_keyStorePassword =="":
- log("[E] Invalid ssl keystore password!","error")
- sys.exit(1)
if javax_net_ssl_trustStorePassword is None or javax_net_ssl_trustStorePassword =="":
log("[E] Invalid ssl truststore password!","error")
sys.exit(1)
+ if db_ssl_auth_type == '2-way':
+ if 'javax_net_ssl_keyStore' in globalDict:
+ javax_net_ssl_keyStore=globalDict['javax_net_ssl_keyStore']
+ if 'javax_net_ssl_keyStorePassword' in globalDict:
+ javax_net_ssl_keyStorePassword=globalDict['javax_net_ssl_keyStorePassword']
+ if not os.path.exists(javax_net_ssl_keyStore):
+ log("[E] Invalid file Name! Unable to find keystore file:"+javax_net_ssl_keyStore,"error")
+ sys.exit(1)
+ if javax_net_ssl_keyStorePassword is None or javax_net_ssl_keyStorePassword =="":
+ log("[E] Invalid ssl keystore password!","error")
+ sys.exit(1)
MYSQL_CONNECTOR_JAR=globalDict['SQL_CONNECTOR_JAR']
- xa_sqlObj = MysqlConf(xa_db_host, MYSQL_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword)
+ xa_sqlObj = MysqlConf(xa_db_host, MYSQL_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
xa_db_version_file = os.path.join(RANGER_ADMIN_HOME , mysql_dbversion_catalog)
xa_db_core_file = os.path.join(RANGER_ADMIN_HOME , mysql_core_file)
xa_patch_file = os.path.join(RANGER_ADMIN_HOME ,mysql_patches)
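Review bot: The keystore checks under `if db_ssl_auth_type == '2-way':` run only for that exact spelling, whereas `MysqlConf` in this file emits the keystore flags for every value other than `1-way`, so an unrecognised value bypasses validation and the resulting jisql command carries an empty `-Djavax.net.ssl.keyStore=`. Use `if db_ssl_auth_type != '1-way':` to match the class, or fail fast on anything outside `('1-way', '2-way')` with `log(...,"error")` and `sys.exit(1)`. Note that the same `db_ssl_auth_type` is reused for the audit DB connection further down, so one validation here covers both. `main` continues outside the hunk.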
@@ -3700,7 +3708,7 @@ def main(argv):
if AUDIT_DB_FLAVOR == "MYSQL":
MYSQL_CONNECTOR_JAR=globalDict['SQL_CONNECTOR_JAR']
- audit_sqlObj = MysqlConf(audit_db_host,MYSQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword)
+ audit_sqlObj = MysqlConf(audit_db_host,MYSQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
audit_db_file = os.path.join(RANGER_ADMIN_HOME ,mysql_audit_file)
elif AUDIT_DB_FLAVOR == "ORACLE":
http://git-wip-us.apache.org/repos/asf/ranger/blob/678bf58d/security-admin/scripts/dba_script.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/dba_script.py b/security-admin/scripts/dba_script.py
index 83d6fe7..6843aa8 100644
--- a/security-admin/scripts/dba_script.py
+++ b/security-admin/scripts/dba_script.py
@@ -157,13 +157,14 @@ class BaseDB(object):
class MysqlConf(BaseDB):
# Constructor
- def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword):
+ def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type):
self.host = host
self.SQL_CONNECTOR_JAR = SQL_CONNECTOR_JAR
self.JAVA_BIN = JAVA_BIN
self.db_ssl_enabled=db_ssl_enabled.lower()
self.db_ssl_required=db_ssl_required.lower()
self.db_ssl_verifyServerCertificate=db_ssl_verifyServerCertificate.lower()
+ self.db_ssl_auth_type=db_ssl_auth_type.lower()
self.javax_net_ssl_keyStore=javax_net_ssl_keyStore
self.javax_net_ssl_keyStorePassword=javax_net_ssl_keyStorePassword
self.javax_net_ssl_trustStore=javax_net_ssl_trustStore
@@ -177,7 +178,10 @@ class MysqlConf(BaseDB):
if self.db_ssl_enabled == 'true':
db_ssl_param="?useSSL=%s&requireSSL=%s&verifyServerCertificate=%s" %(self.db_ssl_enabled,self.db_ssl_required,self.db_ssl_verifyServerCertificate)
if self.db_ssl_verifyServerCertificate == 'true':
- db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ if self.db_ssl_auth_type == '1-way':
+ db_ssl_cert_param=" -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
+ else:
+ db_ssl_cert_param=" -Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s " %(self.javax_net_ssl_keyStore,self.javax_net_ssl_keyStorePassword,self.javax_net_ssl_trustStore,self.javax_net_ssl_trustStorePassword)
if is_unix:
jisql_cmd = "%s %s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s%s -u %s -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN,db_ssl_cert_param,self.SQL_CONNECTOR_JAR,path,self.host,db_name,db_ssl_param,user,password)
elif os_name == "WINDOWS":
@@ -1644,6 +1648,7 @@ def main(argv):
db_ssl_enabled='false'
db_ssl_required='false'
db_ssl_verifyServerCertificate='false'
+ db_ssl_auth_type='2-way'
javax_net_ssl_keyStore=''
javax_net_ssl_keyStorePassword=''
javax_net_ssl_trustStore=''
@@ -1656,30 +1661,33 @@ def main(argv):
db_ssl_required=globalDict['db_ssl_required'].lower()
if 'db_ssl_verifyServerCertificate' in globalDict:
db_ssl_verifyServerCertificate=globalDict['db_ssl_verifyServerCertificate'].lower()
+ if 'db_ssl_auth_type' in globalDict:
+ db_ssl_auth_type=globalDict['db_ssl_auth_type'].lower()
if db_ssl_verifyServerCertificate == 'true':
- if 'javax_net_ssl_keyStore' in globalDict:
- javax_net_ssl_keyStore=globalDict['javax_net_ssl_keyStore']
- if 'javax_net_ssl_keyStorePassword' in globalDict:
- javax_net_ssl_keyStorePassword=globalDict['javax_net_ssl_keyStorePassword']
if 'javax_net_ssl_trustStore' in globalDict:
javax_net_ssl_trustStore=globalDict['javax_net_ssl_trustStore']
if 'javax_net_ssl_trustStorePassword' in globalDict:
javax_net_ssl_trustStorePassword=globalDict['javax_net_ssl_trustStorePassword']
- if not os.path.exists(javax_net_ssl_keyStore):
- log("[E] Invalid file Name! Unable to find keystore file:"+javax_net_ssl_keyStore,"error")
- sys.exit(1)
if not os.path.exists(javax_net_ssl_trustStore):
log("[E] Invalid file Name! Unable to find truststore file:"+javax_net_ssl_trustStore,"error")
sys.exit(1)
- if javax_net_ssl_keyStorePassword is None or javax_net_ssl_keyStorePassword =="":
- log("[E] Invalid ssl keystore password!","error")
- sys.exit(1)
if javax_net_ssl_trustStorePassword is None or javax_net_ssl_trustStorePassword =="":
log("[E] Invalid ssl truststore password!","error")
sys.exit(1)
+ if db_ssl_auth_type == '2-way':
+ if 'javax_net_ssl_keyStore' in globalDict:
+ javax_net_ssl_keyStore=globalDict['javax_net_ssl_keyStore']
+ if 'javax_net_ssl_keyStorePassword' in globalDict:
+ javax_net_ssl_keyStorePassword=globalDict['javax_net_ssl_keyStorePassword']
+ if not os.path.exists(javax_net_ssl_keyStore):
+ log("[E] Invalid file Name! Unable to find keystore file:"+javax_net_ssl_keyStore,"error")
+ sys.exit(1)
+ if javax_net_ssl_keyStorePassword is None or javax_net_ssl_keyStorePassword =="":
+ log("[E] Invalid ssl keystore password!","error")
+ sys.exit(1)
MYSQL_CONNECTOR_JAR=CONNECTOR_JAR
- xa_sqlObj = MysqlConf(xa_db_host, MYSQL_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword)
+ xa_sqlObj = MysqlConf(xa_db_host, MYSQL_CONNECTOR_JAR, JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
xa_db_version_file = os.path.join(RANGER_ADMIN_HOME,mysql_dbversion_catalog)
xa_db_core_file = os.path.join(RANGER_ADMIN_HOME,mysql_core_file)
xa_patch_file = os.path.join(RANGER_ADMIN_HOME,mysql_patches)
@@ -1726,7 +1734,7 @@ def main(argv):
if AUDIT_DB_FLAVOR == "MYSQL":
MYSQL_CONNECTOR_JAR=CONNECTOR_JAR
- audit_sqlObj = MysqlConf(audit_db_host,MYSQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword)
+ audit_sqlObj = MysqlConf(audit_db_host,MYSQL_CONNECTOR_JAR,JAVA_BIN,db_ssl_enabled,db_ssl_required,db_ssl_verifyServerCertificate,javax_net_ssl_keyStore,javax_net_ssl_keyStorePassword,javax_net_ssl_trustStore,javax_net_ssl_trustStorePassword,db_ssl_auth_type)
audit_db_file = os.path.join(RANGER_ADMIN_HOME,mysql_audit_file)
elif AUDIT_DB_FLAVOR == "ORACLE":
http://git-wip-us.apache.org/repos/asf/ranger/blob/678bf58d/security-admin/scripts/install.properties
----------------------------------------------------------------------
diff --git a/security-admin/scripts/install.properties b/security-admin/scripts/install.properties
index f323c95..687bd99 100644
--- a/security-admin/scripts/install.properties
+++ b/security-admin/scripts/install.properties
@@ -56,6 +56,8 @@ db_host=localhost
db_ssl_enabled=false
db_ssl_required=false
db_ssl_verifyServerCertificate=false
+#db_ssl_auth_type=1-way|2-way, where 1-way represents standard one way ssl authentication and 2-way represents mutual ssl authentication
+db_ssl_auth_type=2-way
javax_net_ssl_keyStore=
javax_net_ssl_keyStorePassword=
javax_net_ssl_trustStore=
http://git-wip-us.apache.org/repos/asf/ranger/blob/678bf58d/security-admin/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh
index 87be127..633d363 100755
--- a/security-admin/scripts/setup.sh
+++ b/security-admin/scripts/setup.sh
@@ -68,6 +68,7 @@ db_password=$(get_prop 'db_password' $PROPFILE)
db_ssl_enabled=$(get_prop 'db_ssl_enabled' $PROPFILE)
db_ssl_required=$(get_prop 'db_ssl_required' $PROPFILE)
db_ssl_verifyServerCertificate=$(get_prop 'db_ssl_verifyServerCertificate' $PROPFILE)
+db_ssl_auth_type=$(get_prop 'db_ssl_auth_type' $PROPFILE)
javax_net_ssl_keyStore=$(get_prop 'javax_net_ssl_keyStore' $PROPFILE)
javax_net_ssl_keyStorePassword=$(get_prop 'javax_net_ssl_keyStorePassword' $PROPFILE)
javax_net_ssl_trustStore=$(get_prop 'javax_net_ssl_trustStore' $PROPFILE)
@@ -254,11 +255,13 @@ init_variables(){
db_ssl_enabled="false"
db_ssl_required="false"
db_ssl_verifyServerCertificate="false"
+ db_ssl_auth_type="2-way"
fi
if [ "${db_ssl_enabled}" == "true" ]
then
db_ssl_required=`echo $db_ssl_required | tr '[:upper:]' '[:lower:]'`
db_ssl_verifyServerCertificate=`echo $db_ssl_verifyServerCertificate | tr '[:upper:]' '[:lower:]'`
+ db_ssl_auth_type=`echo $db_ssl_auth_type | tr '[:upper:]' '[:lower:]'`
if [ "${db_ssl_required}" != "true" ]
then
db_ssl_required="false"
@@ -267,6 +270,10 @@ init_variables(){
then
db_ssl_verifyServerCertificate="false"
fi
+ if [ "${db_ssl_auth_type}" != "1-way" ]
+ then
+ db_ssl_auth_type="2-way"
+ fi
fi
}
@@ -485,6 +492,10 @@ update_properties() {
propertyName=ranger.db.ssl.verifyServerCertificate
newPropertyValue="${db_ssl_verifyServerCertificate}"
updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default
+
+ propertyName=ranger.db.ssl.auth.type
+ newPropertyValue="${db_ssl_auth_type}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default
fi
if [ "${DB_FLAVOR}" == "MYSQL" ]
@@ -1377,7 +1388,12 @@ setup_install_files(){
if [ "${db_ssl_verifyServerCertificate}" == "true" ]
then
- DB_SSL_PARAM="' -Djavax.net.ssl.keyStore=${javax_net_ssl_keyStore} -Djavax.net.ssl.keyStorePassword=${javax_net_ssl_keyStorePassword} -Djavax.net.ssl.trustStore=${javax_net_ssl_trustStore} -Djavax.net.ssl.trustStorePassword=${javax_net_ssl_trustStorePassword} '"
+ if [ "${db_ssl_auth_type}" == "1-way" ]
+ then
+ DB_SSL_PARAM="' -Djavax.net.ssl.trustStore=${javax_net_ssl_trustStore} -Djavax.net.ssl.trustStorePassword=${javax_net_ssl_trustStorePassword} '"
+ else
+ DB_SSL_PARAM="' -Djavax.net.ssl.keyStore=${javax_net_ssl_keyStore} -Djavax.net.ssl.keyStorePassword=${javax_net_ssl_keyStorePassword} -Djavax.net.ssl.trustStore=${javax_net_ssl_trustStore} -Djavax.net.ssl.trustStorePassword=${javax_net_ssl_trustStorePassword} '"
+ fi
echo "export DB_SSL_PARAM=${DB_SSL_PARAM}" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-admin-env-dbsslparam.sh
chmod a+rx ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-admin-env-dbsslparam.sh
else
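Review bot: Both branches added at L630-L635 still place `javax_net_ssl_trustStorePassword` (and, for 2-way, the keystore password) into `DB_SSL_PARAM`, which the unchanged line L636 writes to `ranger-admin-env-dbsslparam.sh` and L637 then marks `chmod a+rx`, leaving the passwords readable by every local account. Since the commit introduces a dedicated one-way mode whose only secret is this password, it would be the right moment to tighten the mode, e.g. `chmod u+rx,go-rwx ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-admin-env-dbsslparam.sh` if the admin service runs as the owning user, or a group-readable mode if it runs under a separate group (I cannot see the ownership model from this hunk). The enclosing setup_install_files() continues outside the hunk.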
http://git-wip-us.apache.org/repos/asf/ranger/blob/678bf58d/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
index 537d556..0dc5df8 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
@@ -268,12 +268,18 @@ public class PropertiesUtil extends PropertyPlaceholderConfigurer {
db_ssl_verifyServerCertificate="false";
}
db_ssl_verifyServerCertificate=db_ssl_verifyServerCertificate.toLowerCase();
+ String db_ssl_auth_type=propertiesMap.get("ranger.db.ssl.auth.type");
+ if(StringUtils.isEmpty(db_ssl_auth_type)|| !"1-way".equalsIgnoreCase(db_ssl_auth_type)){
+ db_ssl_auth_type="2-way";
+ }
propertiesMap.put("ranger.db.ssl.enabled", db_ssl_enabled);
props.put("ranger.db.ssl.enabled", db_ssl_enabled);
propertiesMap.put("ranger.db.ssl.required", db_ssl_required);
props.put("ranger.db.ssl.required", db_ssl_required);
propertiesMap.put("ranger.db.ssl.verifyServerCertificate", db_ssl_verifyServerCertificate);
props.put("ranger.db.ssl.verifyServerCertificate", db_ssl_verifyServerCertificate);
+ propertiesMap.put("ranger.db.ssl.auth.type", db_ssl_auth_type);
+ props.put("ranger.db.ssl.auth.type", db_ssl_auth_type);
String ranger_jpa_jdbc_url=propertiesMap.get("ranger.jpa.jdbc.url");
if(!StringUtils.isEmpty(ranger_jpa_jdbc_url)){
StringBuffer ranger_jpa_jdbc_url_ssl=new StringBuffer(ranger_jpa_jdbc_url);
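Review bot: The normalization at L650-L652 is asymmetric with the neighbouring properties: `db_ssl_verifyServerCertificate` is lower-cased at L648 before being stored, whereas `db_ssl_auth_type` is accepted case-insensitively but stored as typed, so a configured `1-Way` ends up in `props` unnormalized for any consumer that compares it exactly. The `StringUtils.isEmpty` test is also redundant, since `"1-way".equalsIgnoreCase(null)` is already false. A single canonicalizing assignment covers both: `String db_ssl_auth_type = "1-way".equalsIgnoreCase(propertiesMap.get("ranger.db.ssl.auth.type")) ? "1-way" : "2-way";`. The enclosing method starts before this hunk.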
http://git-wip-us.apache.org/repos/asf/ranger/blob/678bf58d/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
index 9dfc03d..1e52a44 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
@@ -507,6 +507,10 @@
<name>ranger.db.ssl.verifyServerCertificate</name>
<value>false</value>
</property>
+ <property>
+ <name>ranger.db.ssl.auth.type</name>
+ <value>2-way</value>
+ </property>
<property>
<name>ranger.keystore.file</name>
<value></value>