Posted to commits@livy.apache.org by gg...@apache.org on 2023/08/18 11:57:47 UTC
[incubator-livy] branch master updated: [LIVY-793] Make keystore type configurable (#395)
This is an automated email from the ASF dual-hosted git repository.
ggal pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-livy.git
The following commit(s) were added to refs/heads/master by this push:
new 5dccc479 [LIVY-793] Make keystore type configurable (#395)
5dccc479 is described below
commit 5dccc479c6087112f048a7e5cff0723855ef14e9
Author: Andras Beni <an...@gmail.com>
AuthorDate: Fri Aug 18 13:57:43 2023 +0200
[LIVY-793] Make keystore type configurable (#395)
## What changes were proposed in this pull request?
This change introduces configuration parameter livy.keystore.type.
The default value is JKS, which preserves the current behaviour (both Jetty and Thrift previously loaded the keystore as JKS).
## How was this patch tested?
This change was tested by running existing tests and manually verifying functionality using non-JKS keystore.
---
conf/livy.conf.template | 3 +++
server/src/main/scala/org/apache/livy/LivyConf.scala | 1 +
server/src/main/scala/org/apache/livy/server/WebServer.scala | 3 +++
.../org/apache/livy/thriftserver/cli/ThriftBinaryCLIService.scala | 3 ++-
.../scala/org/apache/livy/thriftserver/cli/ThriftHttpCLIService.scala | 2 ++
5 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/conf/livy.conf.template b/conf/livy.conf.template
index aedc6329..7566971c 100644
--- a/conf/livy.conf.template
+++ b/conf/livy.conf.template
@@ -23,6 +23,9 @@
# Specify the key password.
# livy.key-password =
+# Name of the keystore implementation that was used when generating the keystore
+# livy.keystore.type = JKS
+
# Hadoop Credential Provider Path to get "livy.keystore.password" and "livy.key-password".
# Credential Provider can be created using command as follow:
# hadoop credential create "livy.keystore.password" -value "secret" -provider jceks://hdfs/path/to/livy.jceks
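Review bot: The new comment on the `livy.keystore.type` line says what the value is but not what values are accepted or what must agree with it, which is the thing an operator switching formats needs. I would reword it as `# Type of the keystore referenced by livy.keystore, as accepted by java.security.KeyStore (e.g. JKS or PKCS12); must match the format the keystore file was generated in. Default: JKS.` Since `livy.key-password` is documented just above, it is also worth noting there that the JDK's PKCS12 implementation generally expects the key password to match the store password — confirm against the JDK versions Livy supports before stating it as a rule.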
diff --git a/server/src/main/scala/org/apache/livy/LivyConf.scala b/server/src/main/scala/org/apache/livy/LivyConf.scala
index 51179e13..31b68725 100644
--- a/server/src/main/scala/org/apache/livy/LivyConf.scala
+++ b/server/src/main/scala/org/apache/livy/LivyConf.scala
@@ -85,6 +85,7 @@ object LivyConf {
val SSL_KEYSTORE = Entry("livy.keystore", null)
val SSL_KEYSTORE_PASSWORD = Entry("livy.keystore.password", null)
val SSL_KEY_PASSWORD = Entry("livy.key-password", null)
+ val SSL_KEYSTORE_TYPE = Entry("livy.keystore.type", "JKS")
val HADOOP_CREDENTIAL_PROVIDER_PATH = Entry("livy.hadoop.security.credential.provider.path", null)
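Review bot: `SSL_KEYSTORE_TYPE` is passed straight through to the SSL layers with no validation, so a typo such as `PKSC12` surfaces only as a keystore exception at server start, and only in deployments where SSL is enabled; the entry deserves a comment saying so. I would add above it `// Must be a java.security.KeyStore type name the JVM's providers recognise (e.g. JKS, PKCS12); the value is not validated here and is handed to Jetty/Thrift as-is.` The `object LivyConf` enclosing this hunk starts and ends outside it.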
diff --git a/server/src/main/scala/org/apache/livy/server/WebServer.scala b/server/src/main/scala/org/apache/livy/server/WebServer.scala
index 8bab4dd9..36d601b5 100644
--- a/server/src/main/scala/org/apache/livy/server/WebServer.scala
+++ b/server/src/main/scala/org/apache/livy/server/WebServer.scala
@@ -71,6 +71,9 @@ class WebServer(livyConf: LivyConf, var host: String, var port: Int) extends Log
keyStorePassword.foreach(sslContextFactory.setKeyStorePassword)
keyPassword.foreach(sslContextFactory.setKeyManagerPassword)
+ val keystoreType = livyConf.get(LivyConf.SSL_KEYSTORE_TYPE)
+ sslContextFactory.setKeyStoreType(keystoreType)
+
(new ServerConnector(server,
new SslConnectionFactory(sslContextFactory, "http/1.1"),
new HttpConnectionFactory(https)), "https")
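Review bot: The `setKeyStoreType` call on the new lines is the only setter in this block that is not guarded and is applied with whatever string the config holds, so an empty or mistyped value reaches Jetty silently and is only reported when the `SslContextFactory` starts — presumably as a `KeyStoreException` naming the type, which is acceptable fail-closed behaviour but hard to trace back to `livy.keystore.type` without a log line. I would log the effective value next to the call, `info(s"HTTPS keystore type: $keystoreType")`, as the type name is not sensitive, and add `// Format of livy.keystore (default JKS); Jetty loads the store with this type at start-up` above it. Note that `livy.key-password` is still applied via `setKeyManagerPassword` just above; for PKCS12 stores the JDK implementation generally expects it to equal the store password, which is worth a comment here if the project intends to document PKCS12 as supported. The enclosing method in `WebServer` starts and ends outside this hunk.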
diff --git a/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftBinaryCLIService.scala b/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftBinaryCLIService.scala
index 734768fd..72b69301 100644
--- a/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftBinaryCLIService.scala
+++ b/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftBinaryCLIService.scala
@@ -77,8 +77,9 @@ class ThriftBinaryCLIService(override val cliService: LivyCLIService, val oomHoo
s"${LivyConf.SSL_KEYSTORE.key} Not configured for SSL connection")
}
val keyStorePassword = getKeyStorePassword()
+ val keystoreType = livyConf.get(LivyConf.SSL_KEYSTORE_TYPE)
val params = new TSSLTransportFactory.TSSLTransportParameters
- params.setKeyStore(keyStorePath, keyStorePassword)
+ params.setKeyStore(keyStorePath, keyStorePassword, null, keystoreType)
serverSocket =
TSSLTransportFactory.getServerSocket(portNum, 0, serverAddress.getAddress, params)
if (serverSocket.getServerSocket.isInstanceOf[SSLServerSocket]) {
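Review bot: The changed `params.setKeyStore(keyStorePath, keyStorePassword, null, keystoreType)` line carries a bare positional `null` whose meaning is not obvious at the call site; in libthrift's `TSSLTransportParameters` a null `manager` argument appears to leave the default `KeyManagerFactory` algorithm in place (which is what the old two-argument overload did), but that should be confirmed against the libthrift version Livy pins rather than assumed. I would make the intent explicit: `// null manager: keep Thrift's default KeyManagerFactory algorithm; only the keystore type changes` above the call, so a later reader does not mistake it for a dropped value. The enclosing method in `ThriftBinaryCLIService` starts and ends outside this hunk.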
diff --git a/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftHttpCLIService.scala b/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftHttpCLIService.scala
index 80122dce..15eba2be 100644
--- a/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftHttpCLIService.scala
+++ b/thriftserver/server/src/main/scala/org/apache/livy/thriftserver/cli/ThriftHttpCLIService.scala
@@ -88,6 +88,7 @@ class ThriftHttpCLIService(
s"${LivyConf.SSL_KEYSTORE.key} Not configured for SSL connection")
}
val keyStorePassword = getKeyStorePassword()
+ val keystoreType = livyConf.get(LivyConf.SSL_KEYSTORE_TYPE)
val sslContextFactory = new SslContextFactory
val excludedProtocols = livyConf.get(LivyConf.THRIFT_SSL_PROTOCOL_BLACKLIST).split(",")
info(s"HTTP Server SSL: adding excluded protocols: $excludedProtocols")
@@ -96,6 +97,7 @@ class ThriftHttpCLIService(
sslContextFactory.getExcludeProtocols)
sslContextFactory.setKeyStorePath(keyStorePath)
sslContextFactory.setKeyStorePassword(keyStorePassword)
+ sslContextFactory.setKeyStoreType(keystoreType)
new ServerConnector(server, sslContextFactory, http)
} else {
new ServerConnector(server, http)
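Review bot: The added `sslContextFactory.setKeyStoreType(keystoreType)` line is undocumented, and the `keystoreType` it consumes is declared in the earlier hunk of this file, a dozen lines above its single use; since this block already logs its SSL configuration (the excluded-protocols `info` above), the keystore type should be visible there too for the same troubleshooting reason. I would add `// Format of livy.keystore (default JKS); must match the file on disk or the factory fails at start-up` above the call and include `$keystoreType` in the existing `info` line, or move the `val` next to the `setKeyStorePath` call so the three keystore settings read together. The enclosing method in `ThriftHttpCLIService` starts and ends outside this hunk.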