Posted to commits@ranger.apache.org by sn...@apache.org on 2014/11/09 09:37:19 UTC
incubator-argus git commit: ARGUS-175:Remove hardcoded certificates
and keystores from the repo
Repository: incubator-argus
Updated Branches:
refs/heads/master e0fe4865f -> 6a3118ae6
ARGUS-175:Remove hardcoded certificates and keystores from the repo
Signed-off-by: sneethiraj <sn...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-argus/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-argus/commit/6a3118ae
Tree: http://git-wip-us.apache.org/repos/asf/incubator-argus/tree/6a3118ae
Diff: http://git-wip-us.apache.org/repos/asf/incubator-argus/diff/6a3118ae
Branch: refs/heads/master
Commit: 6a3118ae6396f4beb8989a6384b24130f19afc5d
Parents: e0fe486
Author: vperiasamy <vp...@hortonworks.com>
Authored: Sun Nov 9 03:11:19 2014 -0500
Committer: sneethiraj <sn...@apache.org>
Committed: Sun Nov 9 03:36:47 2014 -0500
----------------------------------------------------------------------
security-admin/unixauth-config/cacerts | Bin 232758 -> 0 bytes
security-admin/unixauth-config/keystore.jks | Bin 2257 -> 0 bytes
security-admin/unixauth-config/server.crt | 19 -----
.../unixauth-config/unixauth.properties | 11 +--
.../unix/jaas/RemoteUnixLoginModule.java | 78 +++++++++++++------
unixauthservice/cert/authserver.jks | Bin 2278 -> 0 bytes
unixauthservice/cert/mytruststore.jks | Bin 174807 -> 0 bytes
.../conf.dist/unixauthservice.properties | 8 +-
unixauthservice/scripts/set_globals.sh | 2 +-
unixauthservice/scripts/setup.sh | 17 +++-
10 files changed, 82 insertions(+), 53 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6a3118ae/security-admin/unixauth-config/cacerts
----------------------------------------------------------------------
diff --git a/security-admin/unixauth-config/cacerts b/security-admin/unixauth-config/cacerts
deleted file mode 100644
index 8548f2c..0000000
Binary files a/security-admin/unixauth-config/cacerts and /dev/null differ
http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6a3118ae/security-admin/unixauth-config/keystore.jks
----------------------------------------------------------------------
diff --git a/security-admin/unixauth-config/keystore.jks b/security-admin/unixauth-config/keystore.jks
deleted file mode 100644
index adee30f..0000000
Binary files a/security-admin/unixauth-config/keystore.jks and /dev/null differ
http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6a3118ae/security-admin/unixauth-config/server.crt
----------------------------------------------------------------------
diff --git a/security-admin/unixauth-config/server.crt b/security-admin/unixauth-config/server.crt
deleted file mode 100644
index 9680f72..0000000
--- a/security-admin/unixauth-config/server.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDlzCCAn+gAwIBAgIEWsSk3zANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJVUzERMA8GA1UE
-CBMIdmlyZ2luaWExFjAUBgNVBAcTDVBvdG9tYWMgRmFsbHMxETAPBgNVBAoTCHhhc2VjdXJlMRkw
-FwYDVQQLExBjZXJ0aWZpY2F0ZSBkZXB0MRQwEgYDVQQDEwthdXRoc2VydmljZTAeFw0xMzEyMDQx
-NTQyMDdaFw0xNDExMjkxNTQyMDdaMHwxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwh2aXJnaW5pYTEW
-MBQGA1UEBxMNUG90b21hYyBGYWxsczERMA8GA1UEChMIeGFzZWN1cmUxGTAXBgNVBAsTEGNlcnRp
-ZmljYXRlIGRlcHQxFDASBgNVBAMTC2F1dGhzZXJ2aWNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAp49e8gb8W0YzhtFn71zhK2jhxKJj0bprS+Xojf6jf67219B9DCShB8FQ2/xtUq1k
-qM6hbS3PFoAJ5YCjF7lOOQ6kywK8Uzy15bH3bqDmu+V3WlBUj2qFIWQtAoEHItnDinpBkTVIMzz/
-0e8oSh+ijomH728vBzxrHkYPb6uYaJJJxBsIpbFIBDFhlZZAHxNT+N1kynTea2+KyiVmkK8IK5YI
-kSWrW1sx2xWQa/bh3Kdb2FQT54iocv2J1akzhTogfERy+yEluCe8WIA0PTcbwm08M0IVpjFAS6R6
-3Qjobqtab8BurS4+Mtaiien6kOxdL9qRsnqU1aK0PR5Z8gCJewIDAQABoyEwHzAdBgNVHQ4EFgQU
-QnSmA+pPaTOBxiZpOACcgQyTsiIwDQYJKoZIhvcNAQELBQADggEBADSFFrb6DdPvhLW3b89fSBGm
-YSwC4BMnvptgkbPz/I0277kJV2FaCdE6FNmn/eSfverz7/SaYp949NSnzvwaPsX7HVeFwNN8denL
-iPHq776HpR+4eRaQsyBI5f9J2vEBQqQJjRwWS78nUN2d2G85bRPImyFIJD7M9UT6aJumGlSdi49b
-EF96itjtZWPdvY96bK8YNDiUbbguZt1Wz3cSCivF6kfKMG2uVQqyaMn1HKFFO7a9NoxiW3AbBCJw
-21wI5WATSre89f3NZGzPf1SyJRhJ9DMQG2AlVXJ4AYUqGI2HmBlPHHTrgYHvSO/TW8060IwZXFX2
-ZWCNp2BwRMsKgQA=
------END CERTIFICATE-----
http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6a3118ae/security-admin/unixauth-config/unixauth.properties
----------------------------------------------------------------------
diff --git a/security-admin/unixauth-config/unixauth.properties b/security-admin/unixauth-config/unixauth.properties
index ef780dc..7047e58 100644
--- a/security-admin/unixauth-config/unixauth.properties
+++ b/security-admin/unixauth-config/unixauth.properties
@@ -16,9 +16,10 @@
remoteLoginEnabled=true
authServiceHostName=bigdata.xasecure.net
authServicePort=5151
-keyStore=keystore.jks
-keyStorePassword=password
-trustStore=cacerts
-trustStorePassword=changeit
+#keyStore=keystore.jks
+#keyStorePassword=password
+#trustStore=cacerts
+#trustStorePassword=changeit
sslEnabled=true
-debug=true
\ No newline at end of file
+debug=false
+serverCertValidation=false
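Review bot: The new default `serverCertValidation=false` at the end of the hunk, together with the unchanged `sslEnabled=true`, ships a configuration in which the client encrypts the connection to authServiceHostName but never verifies which server it reached, so whatever the login module sends over that socket (presumably the unix credentials it holds) is protected only against passive observers. The shipped default should be `serverCertValidation=true`, with the opt-out left commented as `#serverCertValidation=false` and a comment such as `# false disables verification of the auth service certificate; for local testing only`. The commented `#keyStorePassword=password` and `#trustStorePassword=changeit` lines still record the passwords of the keystore.jks and cacerts files this commit deletes; since deleted files stay in repository history, those lines are better dropped than kept as hints.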
http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6a3118ae/unixauthclient/src/main/java/com/xasecure/authentication/unix/jaas/RemoteUnixLoginModule.java
----------------------------------------------------------------------
diff --git a/unixauthclient/src/main/java/com/xasecure/authentication/unix/jaas/RemoteUnixLoginModule.java b/unixauthclient/src/main/java/com/xasecure/authentication/unix/jaas/RemoteUnixLoginModule.java
index 1aceca1..e2b93c1 100644
--- a/unixauthclient/src/main/java/com/xasecure/authentication/unix/jaas/RemoteUnixLoginModule.java
+++ b/unixauthclient/src/main/java/com/xasecure/authentication/unix/jaas/RemoteUnixLoginModule.java
@@ -30,6 +30,8 @@ import java.io.OutputStreamWriter;
import java.net.Socket;
import java.security.KeyStore;
import java.security.SecureRandom;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Properties;
@@ -39,6 +41,7 @@ import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
@@ -61,10 +64,11 @@ public class RemoteUnixLoginModule implements LoginModule {
private static final String SSL_TRUSTSTORE_PATH_PARAM = "trustStore";
private static final String SSL_TRUSTSTORE_PATH_PASSWORD_PARAM = "trustStorePassword";
private static final String SSL_ENABLED_PARAM = "sslEnabled";
+ private static final String SERVER_CERT_VALIDATION_PARAM = "serverCertValidation" ;
private static final String JAAS_ENABLED_PARAM = "remoteLoginEnabled" ;
- private static final String SSL_ALGORITHM = "SSLv3";
+ private static final String SSL_ALGORITHM = "TLS";
private String userName;
private char[] password;
@@ -85,6 +89,8 @@ public class RemoteUnixLoginModule implements LoginModule {
private boolean SSLEnabled = false;
+ private boolean serverCertValidation = true ;
+
private boolean remoteLoginEnabled = true ;
public RemoteUnixLoginModule() {
@@ -133,7 +139,7 @@ public class RemoteUnixLoginModule implements LoginModule {
Properties config = null ;
String val = (String) options.get(REMOTE_UNIX_AUTHENICATION_CONFIG_FILE_PARAM);
- logError("Remote Unix Auth Configuration file [" + val + "]") ;
+ log("Remote Unix Auth Configuration file [" + val + "]") ;
if (val != null) {
InputStream in = null ;
try {
@@ -217,9 +223,12 @@ public class RemoteUnixLoginModule implements LoginModule {
}
log("keyStorePathPassword:" + keyStorePathPassword);
}
+
+ String certValidationFlag = (String) options.get(SERVER_CERT_VALIDATION_PARAM) ;
+ serverCertValidation = (! (certValidationFlag != null && ("false".equalsIgnoreCase(certValidationFlag.trim().toLowerCase())))) ;
+ log("Server Cert Validation : " + serverCertValidation) ;
}
-
}
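Review bot: The `serverCertValidation =` line double-negates and lower-cases a value that is then compared with equalsIgnoreCase; `serverCertValidation = !(certValidationFlag != null && "false".equalsIgnoreCase(certValidationFlag.trim()));` reads the same and drops the redundant toLowerCase(). Treating every value other than an explicit "false" as enabled is the right fail-safe default and deserves a comment, e.g. `// anything but an explicit "false" keeps certificate validation on`. Because switching validation off is a security-relevant choice, the `log("Server Cert Validation : " ...)` line could go through logError when the result is false, so the downgrade is visible even if `log` is the debug-level path (this hunk does not show how the two differ). The enclosing method that reads `options` starts before this hunk.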
@Override
@@ -330,28 +339,53 @@ public class RemoteUnixLoginModule implements LoginModule {
}
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-
- KeyStore trustStoreKeyStore = null;
-
- if (trustStorePath != null) {
- trustStoreKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
-
- InputStream in = null;
-
- in = getFileInputStream(trustStorePath);
-
- try {
- trustStoreKeyStore.load(in, trustStorePathPassword.toCharArray());
- } finally {
- if (in != null) {
- in.close();
+
+ TrustManager[] tm = null ;
+
+ if (serverCertValidation) {
+
+ KeyStore trustStoreKeyStore = null;
+
+ if (trustStorePath != null) {
+ trustStoreKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+
+ InputStream in = null;
+
+ in = getFileInputStream(trustStorePath);
+
+ try {
+ trustStoreKeyStore.load(in, trustStorePathPassword.toCharArray());
+
+ trustManagerFactory.init(trustStoreKeyStore);
+
+ tm = trustManagerFactory.getTrustManagers();
+
+ } finally {
+ if (in != null) {
+ in.close();
+ }
}
}
}
-
- trustManagerFactory.init(trustStoreKeyStore);
-
- TrustManager[] tm = trustManagerFactory.getTrustManagers();
+ else {
+ TrustManager ignoreValidationTM = new X509TrustManager() {
+ public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+ // Ignore Server Certificate Validation
+ }
+
+ public X509Certificate[] getAcceptedIssuers() {
+ return new X509Certificate[0];
+ }
+
+ public void checkServerTrusted(X509Certificate[] chain,
+ String authType)
+ throws CertificateException {
+ // Ignore Server Certificate Validation
+ }
+ };
+
+ tm = new TrustManager[] {ignoreValidationTM} ;
+ }
SecureRandom random = new SecureRandom();
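Review bot: The trust-all X509TrustManager in the `else` branch is the path taken under the `serverCertValidation=false` default that this same commit writes into unixauth.properties, and it is selected silently; a `logError("Server certificate validation is disabled; the identity of the unix auth service will not be verified");` at the top of the branch would make the weakened setup visible in the logs. The three methods of the anonymous class lack `@Override`, which the rest of the class uses (see the `@Override` just above the previous hunk). On the `trustStoreKeyStore.load(in, trustStorePathPassword.toCharArray())` line, a configuration that sets trustStore without trustStorePassword throws NullPointerException instead of a clear error; the line predates the commit but now lives on the new side, and `if (trustStorePathPassword == null) throw new IllegalStateException("trustStorePassword is required when trustStore is set");` before the load would name the problem. The enclosing method starts before this hunk and continues after it.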
http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6a3118ae/unixauthservice/cert/authserver.jks
----------------------------------------------------------------------
diff --git a/unixauthservice/cert/authserver.jks b/unixauthservice/cert/authserver.jks
deleted file mode 100644
index 85dfb88..0000000
Binary files a/unixauthservice/cert/authserver.jks and /dev/null differ
http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6a3118ae/unixauthservice/cert/mytruststore.jks
----------------------------------------------------------------------
diff --git a/unixauthservice/cert/mytruststore.jks b/unixauthservice/cert/mytruststore.jks
deleted file mode 100644
index 8a00a73..0000000
Binary files a/unixauthservice/cert/mytruststore.jks and /dev/null differ
http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6a3118ae/unixauthservice/conf.dist/unixauthservice.properties
----------------------------------------------------------------------
diff --git a/unixauthservice/conf.dist/unixauthservice.properties b/unixauthservice/conf.dist/unixauthservice.properties
index 3b75abd..d38d3f1 100644
--- a/unixauthservice/conf.dist/unixauthservice.properties
+++ b/unixauthservice/conf.dist/unixauthservice.properties
@@ -22,10 +22,10 @@ useSSL = true
# SSL Parameters
#
-keyStore = ./conf/cert/authserver.jks
-keyStorePassword = aNtHSrV086
-trustStore = ./conf/cert/mytruststore.jks
-trustStorePassword = changeit
+keyStore = ./conf/cert/unixauthservice.jks
+keyStorePassword = UnIx529p
+#trustStore = ./conf/cert/mytruststore.jks
+#trustStorePassword = changeit
passwordValidatorPath = ./native/credValidator.uexe
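Review bot: The new `keyStorePassword = UnIx529p` is a fixed, published password that also appears verbatim in the keytool invocation added to setup.sh in this commit, so every installation shares it and the two copies must be kept in sync by hand. A password generated at install time by setup.sh and written into this file, with the conf.dist entry left as a placeholder such as `keyStorePassword = <set by setup.sh>`, would remove both problems; the `# SSL Parameters` comment block above is the place to say so. Commenting out `trustStore` leaves the service with no trust store while `useSSL = true`; if the service never validates client certificates that is fine, but a one-line comment stating it would save the next reader from guessing.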
#
http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6a3118ae/unixauthservice/scripts/set_globals.sh
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/set_globals.sh b/unixauthservice/scripts/set_globals.sh
index 6227575..c77fbf9 100755
--- a/unixauthservice/scripts/set_globals.sh
+++ b/unixauthservice/scripts/set_globals.sh
@@ -76,7 +76,7 @@ if [ ! -d /etc/ranger/usersync/conf ]; then
chown -R $unix_user:$unix_group /etc/ranger/usersync/conf
fi
-log "[I] Soft linking /etc/ranger/usersync/conf to ews/webapp/WEB-INF/classes/conf"
+log "[I] Soft linking /etc/ranger/usersync/conf to conf"
mv -f conf conf.$curDt 2> /dev/null
ln -sf /etc/ranger/usersync/conf conf
http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/6a3118ae/unixauthservice/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/setup.sh b/unixauthservice/scripts/setup.sh
index aed42b7..d17a869 100755
--- a/unixauthservice/scripts/setup.sh
+++ b/unixauthservice/scripts/setup.sh
@@ -231,8 +231,21 @@ if [ ! -d conf ]; then
log "[I] Copying conf.dist conf"
mkdir conf
cp conf.dist/* conf
- chown ${unix_user}:${unix_group} conf
- chmod 750 conf
+ chown ${unix_user}:${unix_group} conf
+ chmod 750 conf
+fi
+if [ ! -f conf/cert/unixauthservice.jks ]
+then
+ if [ ! -d conf/cert ]
+ then
+ mkdir -p conf/cert
+ fi
+ ${JAVA_HOME}/bin/keytool -genkeypair -keyalg RSA -alias selfsigned -keystore conf/cert/unixauthservice.jks \
+ -keypass UnIx529p -storepass UnIx529p -validity 360 -keysize 2048 \
+ -dname "cn=unixauthservice,ou=authenticator,o=mycompany,c=US"
+
+ chmod o-rwx conf/cert/unixauthservice.jks
+
fi
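Review bot: The keytool call passes `-keypass UnIx529p -storepass UnIx529p` as plain arguments, so the password is visible in the process list of every local user while the key is generated and is a second copy of the value hard-coded in conf.dist/unixauthservice.properties. Reading it once into a variable and handing it to keytool via `-storepass:env` / `-keypass:env` keeps it out of argv and leaves a single place to change it. The new keystore gets `chmod o-rwx` but no chown, so when setup.sh runs as root the file and the freshly created conf/cert directory stay root-owned rather than belonging to the `${unix_user}` that `conf` is chowned to above; `chown ${unix_user}:${unix_group} conf/cert conf/cert/unixauthservice.jks` before the chmod fixes that. `-validity 360` makes the self-signed certificate expire in under a year and nothing in this block regenerates it, so a comment noting the expiry and either a longer validity or a documented renewal step is needed.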
echo "export JAVA_HOME=${JAVA_HOME}" > conf/java_home.sh