Posted to commits@knox.apache.org by lm...@apache.org on 2017/09/22 17:40:43 UTC
knox git commit: KNOX-1046 - Add Client Cert Wanted Capability with
Configurable Validation that Checks for It
Repository: knox
Updated Branches:
refs/heads/master 8537d4242 -> 5432c8722
KNOX-1046 - Add Client Cert Wanted Capability with Configurable Validation that Checks for It
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/5432c872
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/5432c872
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/5432c872
Branch: refs/heads/master
Commit: 5432c872271e42d1ba8981e5f5de2059d5509ba2
Parents: 8537d42
Author: Larry McCay <lm...@hortonworks.com>
Authored: Fri Sep 22 13:40:18 2017 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Fri Sep 22 13:40:31 2017 -0400
----------------------------------------------------------------------
.../hadoop/gateway/config/impl/GatewayConfigImpl.java | 10 ++++++++++
.../gateway/services/security/impl/JettySSLService.java | 11 +++++++++--
.../org/apache/hadoop/gateway/config/GatewayConfig.java | 2 ++
.../org/apache/hadoop/gateway/GatewayTestConfig.java | 5 +++++
4 files changed, 26 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/5432c872/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
index 3b7d19e..0956a4a 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
@@ -118,6 +118,7 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig {
public static final String FRONTEND_URL = GATEWAY_CONFIG_FILE_PREFIX + ".frontend.url";
private static final String TRUST_ALL_CERTS = GATEWAY_CONFIG_FILE_PREFIX + ".trust.all.certs";
private static final String CLIENT_AUTH_NEEDED = GATEWAY_CONFIG_FILE_PREFIX + ".client.auth.needed";
+ private static final String CLIENT_AUTH_WANTED = GATEWAY_CONFIG_FILE_PREFIX + ".client.auth.wanted";
private static final String TRUSTSTORE_PATH = GATEWAY_CONFIG_FILE_PREFIX + ".truststore.path";
private static final String TRUSTSTORE_TYPE = GATEWAY_CONFIG_FILE_PREFIX + ".truststore.type";
private static final String KEYSTORE_TYPE = GATEWAY_CONFIG_FILE_PREFIX + ".keystore.type";
@@ -535,6 +536,15 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig {
}
/* (non-Javadoc)
+ * @see org.apache.hadoop.gateway.config.GatewayConfig#isClientAuthWanted()
+ */
+ @Override
+ public boolean isClientAuthWanted() {
+ String clientAuthWanted = get( CLIENT_AUTH_WANTED, "false" );
+ return "true".equals(clientAuthWanted);
+ }
+
+ /* (non-Javadoc)
* @see org.apache.hadoop.gateway.config.GatewayConfig#getTruststorePath()
*/
@Override
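Review bot: `isClientAuthWanted()` at the top of the hunk compares the raw property value with `"true".equals(...)`, so `True`, `TRUE` or a value with surrounding whitespace silently reads as false and the gateway would never request a client certificate even though the operator set `gateway.client.auth.wanted`. The class extends `Configuration` (visible in the hunk header), which appears to be Hadoop's, whose `getBoolean` trims and compares case-insensitively: `return getBoolean(CLIENT_AUTH_WANTED, false);` — if `isClientAuthNeeded()` (outside this hunk) uses the same string comparison, keep the two consistent either way. The method would also benefit from a one-line Javadoc instead of the non-Javadoc marker, e.g. `/** True when gateway.client.auth.wanted is set: the TLS handshake requests but does not require a client certificate; gateway.client.auth.needed takes precedence when both are set (see JettySSLService). */`.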
http://git-wip-us.apache.org/repos/asf/knox/blob/5432c872/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
index ac4bfa3..52c06d9 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
@@ -63,6 +63,7 @@ public class JettySSLService implements SSLService {
private String truststorePath;
private String keystoreType;
private String trustStoreType;
+ private boolean clientAuthWanted;
public void setMasterService(MasterService ms) {
this.ms = ms;
@@ -126,6 +127,7 @@ public class JettySSLService implements SSLService {
sslExcludeCiphers = config.getExcludedSSLCiphers();
sslExcludeProtocols = config.getExcludedSSLProtocols();
clientAuthNeeded = config.isClientAuthNeeded();
+ clientAuthWanted = config.isClientAuthWanted();
truststorePath = config.getTruststorePath();
trustAllCerts = config.getTrustAllCerts();
trustStoreType = config.getTruststoreType();
@@ -186,7 +188,7 @@ public class JettySSLService implements SSLService {
sslContextFactory.setKeyManagerPassword(new String(keypass));
String truststorePassword = null;
- if (clientAuthNeeded) {
+ if (clientAuthNeeded || clientAuthWanted) {
if (truststorePath != null) {
sslContextFactory.setTrustStore(loadKeyStore(keystoreFileName, keystoreType, master));
char[] truststorePwd = null;
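Review bot: The widened condition `if (clientAuthNeeded || clientAuthWanted)` makes the truststore branch reachable in wanted-only mode, but inside `if (truststorePath != null)` the store that is loaded is `loadKeyStore(keystoreFileName, keystoreType, master)`, i.e. the gateway's own identity keystore rather than `truststorePath`/`trustStoreType`. Unless a later `setTrustStorePath` call outside this hunk overrides the `KeyStore` object, a configured truststore is ignored and client certificates are validated against whatever CA material happens to sit in the server keystore; this looks pre-existing, but the commit widens when the branch runs, so it is worth fixing here — the load should use `truststorePath` and `trustStoreType` and move below the truststore password lookup that starts on the next line so the correct password is used. Only the start of that branch is visible in this hunk; the rest of the method is outside it.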
@@ -212,7 +214,12 @@ public class JettySSLService implements SSLService {
sslContextFactory.setTrustStoreType(keystoreType);
}
}
- sslContextFactory.setNeedClientAuth( clientAuthNeeded );
+ if (clientAuthNeeded) {
+ sslContextFactory.setNeedClientAuth( clientAuthNeeded );
+ }
+ else {
+ sslContextFactory.setWantClientAuth( clientAuthWanted );
+ }
sslContextFactory.setTrustAll( trustAllCerts );
if (sslIncludeCiphers != null && !sslIncludeCiphers.isEmpty()) {
sslContextFactory.setIncludeCipherSuites( sslIncludeCiphers.toArray(new String[sslIncludeCiphers.size()]) );
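Review bot: With `setWantClientAuth( clientAuthWanted )` on the new else-branch, Jetty completes the handshake for a client that presents no certificate at all, so `javax.servlet.request.X509Certificate` can be absent on a request; nothing in this commit rejects that case (the diffstat lists only config and SSL-service files), so the "configurable validation" from the title must live elsewhere and any deployment relying on wanted mode for authentication has to enable it. A comment would keep the mode from being mistaken for enforcement: `// "wanted" only asks for a cert; a missing or unvalidated cert must be rejected by the authenticating provider, not here`. Minor: the then-branch runs only when `clientAuthNeeded` is true, so `setNeedClientAuth( clientAuthNeeded )` is always `setNeedClientAuth(true)`; the pair could be written without the branch as `sslContextFactory.setNeedClientAuth(clientAuthNeeded); sslContextFactory.setWantClientAuth(!clientAuthNeeded && clientAuthWanted);`, which also preserves the old explicit `setNeedClientAuth(false)` call.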
http://git-wip-us.apache.org/repos/asf/knox/blob/5432c872/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
index 506c31e..66fb83c 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
@@ -108,6 +108,8 @@ public interface GatewayConfig {
boolean isClientAuthNeeded();
+ boolean isClientAuthWanted();
+
String getTruststorePath();
boolean getTrustAllCerts();
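Review bot: The new `isClientAuthWanted()` on the SPI interface carries no Javadoc, yet its semantics — request but do not require a client certificate at the TLS layer, with `isClientAuthNeeded()` taking precedence when both are true (per the JettySSLService change in this commit) — are exactly what an implementer or a provider author needs to know. Suggested: `/** Whether the gateway TLS handshake should request, but not require, a client certificate; superseded by isClientAuthNeeded() when that is true. A missing certificate is not rejected at the TLS layer and must be handled by the authenticating provider. */`.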
http://git-wip-us.apache.org/repos/asf/knox/blob/5432c872/gateway-test-release-utils/src/main/java/org/apache/hadoop/gateway/GatewayTestConfig.java
----------------------------------------------------------------------
diff --git a/gateway-test-release-utils/src/main/java/org/apache/hadoop/gateway/GatewayTestConfig.java b/gateway-test-release-utils/src/main/java/org/apache/hadoop/gateway/GatewayTestConfig.java
index 09b0d94..ff9a877 100644
--- a/gateway-test-release-utils/src/main/java/org/apache/hadoop/gateway/GatewayTestConfig.java
+++ b/gateway-test-release-utils/src/main/java/org/apache/hadoop/gateway/GatewayTestConfig.java
@@ -609,4 +609,9 @@ public class GatewayTestConfig extends Configuration implements GatewayConfig {
public boolean isGatewayServerHeaderEnabled() {
return false;
}
+
+ @Override
+ public boolean isClientAuthWanted() {
+ return false;
+ }
}