Posted to commits@oozie.apache.org by di...@apache.org on 2021/02/08 09:32:26 UTC

[oozie] 02/04: OOZIE-3549 Add back support for truststore passwords (matijhs via asalamon74)

This is an automated email from the ASF dual-hosted git repository.

dionusos pushed a commit to branch branch-5.2
in repository https://gitbox.apache.org/repos/asf/oozie.git

commit c93c05e0ac0e3d8fe8d6f6ed50286f99c3a1f90c
Author: Andras Salamon <as...@apache.org>
AuthorDate: Thu Nov 28 11:58:21 2019 +0100

    OOZIE-3549 Add back support for truststore passwords (matijhs via asalamon74)
---
 core/src/main/resources/oozie-default.xml             |  8 ++++++++
 docs/src/site/markdown/AG_Install.md                  |  3 ++-
 release-log.txt                                       |  2 ++
 .../org/apache/oozie/server/EmbeddedOozieServer.java  | 18 ++++++++++++++++++
 .../oozie/server/SSLServerConnectorFactory.java       |  2 +-
 .../apache/oozie/server/TestEmbeddedOozieServer.java  | 19 ++++++++++++++++++-
 .../oozie/server/TestSSLServerConnectorFactory.java   |  2 +-
 7 files changed, 50 insertions(+), 4 deletions(-)

diff --git a/core/src/main/resources/oozie-default.xml b/core/src/main/resources/oozie-default.xml
index 56c5b59..8d34be4 100644
--- a/core/src/main/resources/oozie-default.xml
+++ b/core/src/main/resources/oozie-default.xml
@@ -2745,6 +2745,14 @@ will be the requeue interval for the actions which are waiting for a long time w
     </property>
 
     <property>
+        <name>oozie.https.truststore.pass</name>
+        <value></value>
+        <description>
+            Password to the TrustStore.
+        </description>TestSSLServerConnectorFactory
+    </property>
+
+    <property>
         <name>oozie.https.keystore.file</name>
         <value></value>
         <description>
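Review bot: The description added for `oozie.https.truststore.pass` says only `Password to the TrustStore.`, which omits the two facts an operator needs: the value is exported to the JVM as `javax.net.ssl.trustStorePassword` at server startup, and it is ignored when that system property is already set. A fuller description would be `Password to the TrustStore. At startup Oozie copies this value into the javax.net.ssl.trustStorePassword system property unless that property is already set, in which case this setting is ignored.` The shipped default `<value></value>` is presumably meant as "unset", but the server-side check in this commit only tests for null, so whether an empty value ends up exported as an empty system property is worth confirming. The trailing `TestSSLServerConnectorFactory` token on the `</description>` line looks like an artifact of how this message was rendered rather than part of the patch.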
diff --git a/docs/src/site/markdown/AG_Install.md b/docs/src/site/markdown/AG_Install.md
index f18528f..8996e8a 100644
--- a/docs/src/site/markdown/AG_Install.md
+++ b/docs/src/site/markdown/AG_Install.md
@@ -932,7 +932,8 @@ included with your JRE. If it's not on your path, you should be able to find it
     2b. Set location and password for the keystore and location for truststore by setting `oozie.https.keystore.file`,
     `oozie.https.keystore.pass`, `oozie.https.truststore.file`.
 
-    **Note:** `oozie.https.truststore.file` can be overridden by setting `javax.net.ssl.trustStore` system property.
+    **Note:** `oozie.https.truststore.file` can be overridden by setting `javax.net.ssl.trustStore` system property,
+    `oozie.https.keystore.pass` by setting `javax.net.ssl.trustStorePassword`.
 
     The default HTTPS port Oozie listens on for secure connections is 11443; it can be changed via `oozie.https.port`.
 
diff --git a/release-log.txt b/release-log.txt
index b4bb718..d1b1599 100644
--- a/release-log.txt
+++ b/release-log.txt
@@ -1,5 +1,7 @@
 -- Oozie 5.2.1 release (unreleased)
 
+OOZIE-3549 Add back support for truststore passwords (matijhs via asalamon74)
+
 -- Oozie 5.2.0 release
 
 OOZIE-3553 [examples] Fix sqoop example (asalamon74 via kmarton)
diff --git a/server/src/main/java/org/apache/oozie/server/EmbeddedOozieServer.java b/server/src/main/java/org/apache/oozie/server/EmbeddedOozieServer.java
index daf5237..76c1fd6 100644
--- a/server/src/main/java/org/apache/oozie/server/EmbeddedOozieServer.java
+++ b/server/src/main/java/org/apache/oozie/server/EmbeddedOozieServer.java
@@ -52,7 +52,9 @@ import java.util.Objects;
 public class EmbeddedOozieServer {
     private static final Logger LOG = LoggerFactory.getLogger(EmbeddedOozieServer.class);
     protected static final String OOZIE_HTTPS_TRUSTSTORE_FILE = "oozie.https.truststore.file";
+    protected static final String OOZIE_HTTPS_TRUSTSTORE_PASS = "oozie.https.truststore.pass";
     protected static final String TRUSTSTORE_PATH_SYSTEM_PROPERTY = "javax.net.ssl.trustStore";
+    protected static final String TRUSTSTORE_PASS_SYSTEM_PROPERTY = "javax.net.ssl.trustStorePassword";
     private static String contextPath;
     protected Server server;
     private int httpPort;
@@ -122,6 +124,7 @@ public class EmbeddedOozieServer {
 
         HandlerCollection handlerCollection = new HandlerCollection();
         setTrustStore();
+        setTrustStorePassword();
 
         if (isSecured()) {
             httpsPort =  getConfigPort(ConfigUtils.OOZIE_HTTPS_PORT);
@@ -163,6 +166,21 @@ public class EmbeddedOozieServer {
         }
     }
 
+    /**
+     * set the truststore password from the config file, if is not set by the user
+     */
+    private void setTrustStorePassword() {
+        if (System.getProperty(TRUSTSTORE_PASS_SYSTEM_PROPERTY) == null) {
+            final String trustStorePassword = conf.get(OOZIE_HTTPS_TRUSTSTORE_PASS);
+            if (trustStorePassword != null) {
+                LOG.info("Setting javax.net.ssl.trustStorePassword from config file");
+                System.setProperty(TRUSTSTORE_PASS_SYSTEM_PROPERTY, trustStorePassword);
+            }
+        } else {
+            LOG.info("javax.net.ssl.trustStorePassword is already set. The value from config file will be ignored");
+        }
+    }
+
     private void addErrorHandler() {
         ErrorPageErrorHandler errorHandler = new ErrorPageErrorHandler();
         errorHandler.addErrorPage(HttpServletResponse.SC_BAD_REQUEST, "/error");
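Review bot: `conf.get(OOZIE_HTTPS_TRUSTSTORE_PASS)` in the new setTrustStorePassword reads the password as a plain configuration string, whereas the keystore password in SSLServerConnectorFactory.setKeystorePass in this same commit is resolved via `ConfigurationService.getPassword(conf, ...)`; the truststore password therefore cannot be supplied through a credential provider and the two secrets are handled inconsistently. If ConfigurationService is in scope in this class, the lookup would become `final String trustStorePassword = ConfigurationService.getPassword(conf, OOZIE_HTTPS_TRUSTSTORE_PASS);`. The guard on the following line should also skip blank values, `if (trustStorePassword != null && !trustStorePassword.isEmpty())`, because oozie-default.xml ships the property with an empty value and, if the configuration returns the empty string for it, the current check exports an empty `javax.net.ssl.trustStorePassword` and logs that it was set from the config file. Separately, the AG_Install.md change in this commit pairs `javax.net.ssl.trustStorePassword` with `oozie.https.keystore.pass`, while the constants added to this class pair it with `oozie.https.truststore.pass`; the doc line should name the latter.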
diff --git a/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java b/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
index 62f84b1..9110d7f 100644
--- a/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
+++ b/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
@@ -137,7 +137,7 @@ class SSLServerConnectorFactory {
     private void setKeystorePass() {
         String keystorePass = ConfigurationService.getPassword(conf, OOZIE_HTTPS_KEYSTORE_PASS);
         Objects.requireNonNull(keystorePass, "keystorePass is null");
-        sslContextFactory.setKeyManagerPassword(keystorePass);
+        sslContextFactory.setKeyStorePassword(keystorePass);
     }
 
     private void setKeyStoreFile() {
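Review bot: Replacing `setKeyManagerPassword` with `setKeyStorePassword` in setKeystorePass changes which Jetty password slot `oozie.https.keystore.pass` fills: it is now the store password, and the private-key entry password is derived from it only because the key manager password is left unset (Jetty fallback behaviour, inferred from the library rather than from this hunk). A deployment whose key entry password differs from the store password would have loaded before and fails the store integrity check now, which is a behavioural change the commit message ("truststore passwords") does not mention. If that is the intended contract, the `oozie.https.keystore.pass` description in oozie-default.xml should state that the keystore and key passwords must be identical; otherwise a separate configuration key for the key password would be needed.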
diff --git a/server/src/test/java/org/apache/oozie/server/TestEmbeddedOozieServer.java b/server/src/test/java/org/apache/oozie/server/TestEmbeddedOozieServer.java
index ee12186..e144dae 100644
--- a/server/src/test/java/org/apache/oozie/server/TestEmbeddedOozieServer.java
+++ b/server/src/test/java/org/apache/oozie/server/TestEmbeddedOozieServer.java
@@ -28,7 +28,6 @@ import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.Handler;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.eclipse.jetty.webapp.WebAppContext;
 import org.junit.After;
 import org.junit.Assert;
@@ -95,6 +94,7 @@ public class TestEmbeddedOozieServer {
 
     @After public void tearDown() {
         System.clearProperty(EmbeddedOozieServer.TRUSTSTORE_PATH_SYSTEM_PROPERTY);
+        System.clearProperty(EmbeddedOozieServer.TRUSTSTORE_PASS_SYSTEM_PROPERTY);
 
         verify(mockServices).get(ConfigurationService.class);
 
@@ -135,6 +135,23 @@ public class TestEmbeddedOozieServer {
         verify(mockConfiguration, never()).get(EmbeddedOozieServer.OOZIE_HTTPS_TRUSTSTORE_FILE);
     }
 
+    /**
+     * test case for when the trustore password is set via system property
+     * expected result: the password is used from the system property and the value is not even retrieved from the config file
+     */
+    @Test
+    public void testServerSetupTruststorePassSetViaSystemProperty() throws Exception {
+        final String trustStorePassword = "myTrustedPassword";
+        doReturn(String.valueOf(false)).when(mockConfiguration).get("oozie.https.enabled");
+        System.setProperty(EmbeddedOozieServer.TRUSTSTORE_PASS_SYSTEM_PROPERTY, trustStorePassword);
+
+        embeddedOozieServer.setup();
+        verify(mockJspHandler).setupWebAppContext(isA(WebAppContext.class));
+        verify(oozieFilterMapper).addFilters();
+
+        Assert.assertEquals(trustStorePassword, System.getProperty("javax.net.ssl.trustStorePassword"));
+        verify(mockConfiguration, never()).get(EmbeddedOozieServer.OOZIE_HTTPS_TRUSTSTORE_PASS);
+    }
 
     @Test
     public void testSecureServerSetup() throws Exception {
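Review bot: The new testServerSetupTruststorePassSetViaSystemProperty only exercises the branch where the JVM property is already set; the branch this commit actually adds, property absent from the JVM and the value read from the configuration and exported, has no test, so a regression in the `conf.get` lookup or the `System.setProperty` call would pass unnoticed. A companion test along the lines below covers it (stubbing style copied from the existing test; the password is a constructed sample value). The final assertion in the new test also hard-codes `"javax.net.ssl.trustStorePassword"` where the line setting the property uses `EmbeddedOozieServer.TRUSTSTORE_PASS_SYSTEM_PROPERTY`; using the constant in both places keeps them from drifting. The Javadoc typo `trustore` should read `truststore`.
```java
/**
 * test case for when the truststore password is not set as a system property
 * expected result: the password is read from the config file and exported as javax.net.ssl.trustStorePassword
 */
@Test
public void testServerSetupTruststorePassSetViaConfig() throws Exception {
    final String trustStorePassword = "configTrustPassword"; // constructed sample value
    doReturn(String.valueOf(false)).when(mockConfiguration).get("oozie.https.enabled");
    doReturn(trustStorePassword).when(mockConfiguration).get(EmbeddedOozieServer.OOZIE_HTTPS_TRUSTSTORE_PASS);

    embeddedOozieServer.setup();
    verify(mockJspHandler).setupWebAppContext(isA(WebAppContext.class));
    verify(oozieFilterMapper).addFilters();

    Assert.assertEquals(trustStorePassword,
            System.getProperty(EmbeddedOozieServer.TRUSTSTORE_PASS_SYSTEM_PROPERTY));
    verify(mockConfiguration).get(EmbeddedOozieServer.OOZIE_HTTPS_TRUSTSTORE_PASS);
}
```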
diff --git a/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java b/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
index f6ff5de..b05a9ce 100644
--- a/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
+++ b/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
@@ -83,7 +83,7 @@ public class TestSSLServerConnectorFactory {
     public void tearDown() {
         testConfig.clear();
         verify(mockSSLContextFactory).setKeyStorePath(anyString());
-        verify(mockSSLContextFactory).setKeyManagerPassword(anyString());
+        verify(mockSSLContextFactory).setKeyStorePassword(anyString());
         verifyNoMoreInteractions(
                 mockServerConnector,
                 mockSSLServerConnectorFactory);