You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@drill.apache.org by arina-ielchiieva <gi...@git.apache.org> on 2017/10/04 14:48:00 UTC
[GitHub] drill pull request #950: DRILL-5431: SSL Support
Github user arina-ielchiieva commented on a diff in the pull request:
https://github.com/apache/drill/pull/950#discussion_r142674202
--- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/ssl/SSLConfig.java ---
@@ -0,0 +1,265 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.ssl;
+
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslProvider;
+import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
+import org.apache.drill.common.exceptions.DrillException;
+import org.apache.drill.exec.memory.BufferAllocator;
+import org.apache.hadoop.security.ssl.SSLFactory;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.FileInputStream;
+import java.io.InputStream;
+import java.security.KeyStore;
+
+public abstract class SSLConfig {
+
+ private static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(SSLConfig.class);
+
+ public static final String DEFAULT_SSL_PROVIDER = "JDK"; // JDK or OPENSSL
+ public static final String DEFAULT_SSL_PROTOCOL = "TLSv1.2";
+ public static final int DEFAULT_SSL_HANDSHAKE_TIMEOUT_MS = 10 * 1000; // 10 seconds
+
+ // Either the Netty SSL context or the JDK SSL context will be initialized
+ // The JDK SSL context is use iff the useSystemTrustStore setting is enabled.
+ protected SslContext nettySslContext;
+ protected SSLContext jdkSSlContext;
+
+ private static final boolean isWindows = System.getProperty("os.name").toLowerCase().indexOf("win") >= 0;
+ private static final boolean isMacOs = System.getProperty("os.name").toLowerCase().indexOf("mac") >= 0;
+
+ public static final String HADOOP_SSL_CONF_TPL_KEY = "hadoop.ssl.{0}.conf";
+ public static final String HADOOP_SSL_KEYSTORE_LOCATION_TPL_KEY = "ssl.{0}.keystore.location";
+ public static final String HADOOP_SSL_KEYSTORE_PASSWORD_TPL_KEY = "ssl.{0}.keystore.password";
+ public static final String HADOOP_SSL_KEYSTORE_TYPE_TPL_KEY = "ssl.{0}.keystore.type";
+ public static final String HADOOP_SSL_KEYSTORE_KEYPASSWORD_TPL_KEY =
+ "ssl.{0}.keystore.keypassword";
+ public static final String HADOOP_SSL_TRUSTSTORE_LOCATION_TPL_KEY = "ssl.{0}.truststore.location";
+ public static final String HADOOP_SSL_TRUSTSTORE_PASSWORD_TPL_KEY = "ssl.{0}.truststore.password";
+ public static final String HADOOP_SSL_TRUSTSTORE_TYPE_TPL_KEY = "ssl.{0}.truststore.type";
+
+ public SSLConfig() {
+ }
+
+ public abstract void validateKeyStore() throws DrillException;
+
+ // We need to use different SSLContext objects depending on what the user has chosen
+ // For most uses we will use the Netty SslContext class. This allows us to use either
+ // the JDK implementation or the OpenSSL implementation. However if the user wants to
+ // use the system trust store, then the only way to access it is via the JDK's
+ // SSLContext class. (See the createSSLEngine method below).
+
+ public abstract SslContext initNettySslContext() throws DrillException;
+
+ public abstract SSLContext initJDKSSLContext() throws DrillException;
+
+ public abstract boolean isUserSslEnabled();
+
+ public abstract boolean isHttpsEnabled();
+
+ public abstract String getKeyStoreType();
+
+ public abstract String getKeyStorePath();
+
+ public abstract String getKeyStorePassword();
+
+ public abstract String getKeyPassword();
+
+ public abstract String getTrustStoreType();
+
+ public abstract boolean hasTrustStorePath();
+
+ public abstract String getTrustStorePath();
+
+ public abstract boolean hasTrustStorePassword();
+
+ public abstract String getTrustStorePassword();
+
+ public abstract String getProtocol();
+
+ public abstract SslProvider getProvider();
+
+ public abstract int getHandshakeTimeout();
+
+ public abstract SSLFactory.Mode getMode();
+
+ public abstract boolean disableHostVerification();
+
+ public abstract boolean disableCertificateVerification();
+
+ public abstract boolean useSystemTrustStore();
+
+ public abstract boolean isSslValid();
+
+ public SslContext getNettySslContext() {
+ return nettySslContext;
+ }
+
+ public TrustManagerFactory initializeTrustManagerFactory() throws DrillException {
+ TrustManagerFactory tmf;
+ KeyStore ts = null;
+ //Support Windows/MacOs system trust store
+ try {
+ String trustStoreType = getTrustStoreType();
+ if ((isWindows || isMacOs) && useSystemTrustStore()) {
+ // This is valid for MS-Windows and MacOs
+ logger.debug("Initializing System truststore.");
+ ts = KeyStore.getInstance(!trustStoreType.isEmpty() ? trustStoreType : KeyStore.getDefaultType());
+ ts.load(null, null);
+ } else if (!getTrustStorePath().isEmpty()) {
+ // if truststore is not provided then we will use the default. Note that the default depends on
+ // the TrustManagerFactory that in turn depends on the Security Provider.
+ // Use null as the truststore which will result in the default truststore being picked up
+ logger.debug("Initializing truststore {}.", getTrustStorePath());
+ ts = KeyStore.getInstance(!trustStoreType.isEmpty() ? trustStoreType : KeyStore.getDefaultType());
+ InputStream tsStream = new FileInputStream(getTrustStorePath());
+ ts.load(tsStream, getTrustStorePassword().toCharArray());
+ } else {
+ logger.debug("Initializing default truststore.");
+ }
+ if (disableCertificateVerification()) {
+ tmf = InsecureTrustManagerFactory.INSTANCE;
+ } else {
+ tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ }
+ tmf.init(ts);
+ } catch (Exception e) {
+ // Catch any SSL initialization Exceptions here and abort.
+ throw new DrillException(
--- End diff --
May be it is good to add original exception as well to have full stacktrace?
---