You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by co...@apache.org on 2017/01/18 09:55:40 UTC
[1/2] incubator-ranger git commit: RANGER-1273 - Add tests for Kafka
+ SASL_SSL + PLAIN
Repository: incubator-ranger
Updated Branches:
refs/heads/master b2774746c -> 18406ea59
RANGER-1273 - Add tests for Kafka + SASL_SSL + PLAIN
Signed off by Vel.
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/07f0fee7
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/07f0fee7
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/07f0fee7
Branch: refs/heads/master
Commit: 07f0fee7c8cd8355d5c184ae772ac2aa7dd33563
Parents: b277474
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Jan 16 15:09:31 2017 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Jan 18 09:53:13 2017 +0000
----------------------------------------------------------------------
plugin-kafka/pom.xml | 10 +
.../KafkaRangerAuthorizerSASLSSLTest.java | 267 +++++++++++++++++++
.../authorizer/KafkaRangerAuthorizerTest.java | 54 +---
.../kafka/authorizer/KafkaTestUtils.java | 74 +++++
.../src/test/resources/kafka_plain.jaas | 13 +
pom.xml | 1 +
6 files changed, 371 insertions(+), 48 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/07f0fee7/plugin-kafka/pom.xml
----------------------------------------------------------------------
diff --git a/plugin-kafka/pom.xml b/plugin-kafka/pom.xml
index 05aace2..2f58010 100644
--- a/plugin-kafka/pom.xml
+++ b/plugin-kafka/pom.xml
@@ -103,5 +103,15 @@
<filtering>false</filtering>
</testResource>
</testResources>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-surefire-plugin</artifactId>
+ <version>2.19.1</version>
+ <configuration>
+ <reuseForks>false</reuseForks>
+ </configuration>
+ </plugin>
+ </plugins>
</build>
</project>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/07f0fee7/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerSASLSSLTest.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerSASLSSLTest.java b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerSASLSSLTest.java
new file mode 100644
index 0000000..235523b
--- /dev/null
+++ b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerSASLSSLTest.java
@@ -0,0 +1,267 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.authorization.kafka.authorizer;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.math.BigInteger;
+import java.net.ServerSocket;
+import java.security.KeyStore;
+import java.util.Arrays;
+import java.util.Properties;
+import java.util.concurrent.Future;
+
+import org.I0Itec.zkclient.ZkClient;
+import org.I0Itec.zkclient.ZkConnection;
+import org.apache.curator.test.TestingServer;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.kafka.clients.CommonClientConfigs;
+import org.apache.kafka.clients.consumer.ConsumerRecord;
+import org.apache.kafka.clients.consumer.ConsumerRecords;
+import org.apache.kafka.clients.consumer.KafkaConsumer;
+import org.apache.kafka.clients.producer.KafkaProducer;
+import org.apache.kafka.clients.producer.Producer;
+import org.apache.kafka.clients.producer.ProducerRecord;
+import org.apache.kafka.clients.producer.RecordMetadata;
+import org.apache.kafka.common.config.SslConfigs;
+import org.junit.Assert;
+import org.junit.Test;
+
+import kafka.admin.AdminUtils;
+import kafka.admin.RackAwareMode;
+import kafka.server.KafkaConfig;
+import kafka.server.KafkaServerStartable;
+import kafka.utils.ZKStringSerializer$;
+import kafka.utils.ZkUtils;
+
+/**
+ * A simple test that starts a Kafka broker, creates "test" and "dev" topics, sends a message to them and consumes it. We also plug in a
+ * CustomAuthorizer that enforces some authorization rules:
+ *
+ * - The "IT" group can do anything
+ * - The "public" group can only "read/describe" on the "test" topic, not "write".
+ *
+ * Policies available from admin via:
+ *
+ * http://localhost:6080/service/plugins/policies/download/KafkaTest
+ *
+ * Clients and services authenticate to Kafka using the SASL SSL protocol as part of this test.
+ */
+public class KafkaRangerAuthorizerSASLSSLTest {
+
+ private static KafkaServerStartable kafkaServer;
+ private static TestingServer zkServer;
+ private static int port;
+ private static String serviceKeystorePath;
+ private static String clientKeystorePath;
+ private static String truststorePath;
+
+ @org.junit.BeforeClass
+ public static void setup() throws Exception {
+ // JAAS Config file
+ String basedir = System.getProperty("basedir");
+ if (basedir == null) {
+ basedir = new File(".").getCanonicalPath();
+ }
+
+ File f = new File(basedir + "/src/test/resources/kafka_plain.jaas");
+ System.setProperty("java.security.auth.login.config", f.getPath());
+
+ // Create keys
+ String serviceDN = "CN=Service,O=Apache,L=Dublin,ST=Leinster,C=IE";
+ String clientDN = "CN=Client,O=Apache,L=Dublin,ST=Leinster,C=IE";
+
+ // Create a truststore
+ KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
+ keystore.load(null, "security".toCharArray());
+
+ serviceKeystorePath =
+ KafkaTestUtils.createAndStoreKey(serviceDN, serviceDN, BigInteger.valueOf(30),
+ "sspass", "myservicekey", "skpass", keystore);
+ clientKeystorePath =
+ KafkaTestUtils.createAndStoreKey(clientDN, clientDN, BigInteger.valueOf(31),
+ "cspass", "myclientkey", "ckpass", keystore);
+
+ File truststoreFile = File.createTempFile("kafkatruststore", ".jks");
+ keystore.store(new FileOutputStream(truststoreFile), "security".toCharArray());
+ truststorePath = truststoreFile.getPath();
+
+ zkServer = new TestingServer();
+
+ // Get a random port
+ ServerSocket serverSocket = new ServerSocket(0);
+ port = serverSocket.getLocalPort();
+ serverSocket.close();
+
+ final Properties props = new Properties();
+ props.put("broker.id", 1);
+ props.put("host.name", "localhost");
+ props.put("port", port);
+ props.put("log.dir", "/tmp/kafka");
+ props.put("zookeeper.connect", zkServer.getConnectString());
+ props.put("replica.socket.timeout.ms", "1500");
+ props.put("controlled.shutdown.enable", Boolean.TRUE.toString());
+ // Enable SASL_SSL
+ props.put("listeners", "SASL_SSL://localhost:" + port);
+ props.put("security.inter.broker.protocol", "SASL_SSL");
+ props.put("sasl.enabled.mechanisms", "PLAIN");
+ props.put("sasl.mechanism.inter.broker.protocol", "PLAIN");
+
+ props.put("ssl.keystore.location", serviceKeystorePath);
+ props.put("ssl.keystore.password", "sspass");
+ props.put("ssl.key.password", "skpass");
+ props.put("ssl.truststore.location", truststorePath);
+ props.put("ssl.truststore.password", "security");
+
+ // Plug in Apache Ranger authorizer
+ props.put("authorizer.class.name", "org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer");
+
+ // Create users for testing
+ UserGroupInformation.createUserForTesting("alice", new String[] {"IT"});
+
+ KafkaConfig config = new KafkaConfig(props);
+ kafkaServer = new KafkaServerStartable(config);
+ kafkaServer.startup();
+
+ // Create some topics
+ ZkClient zkClient = new ZkClient(zkServer.getConnectString(), 30000, 30000, ZKStringSerializer$.MODULE$);
+
+ final ZkUtils zkUtils = new ZkUtils(zkClient, new ZkConnection(zkServer.getConnectString()), false);
+ AdminUtils.createTopic(zkUtils, "test", 1, 1, new Properties(), RackAwareMode.Enforced$.MODULE$);
+ AdminUtils.createTopic(zkUtils, "dev", 1, 1, new Properties(), RackAwareMode.Enforced$.MODULE$);
+ }
+
+ @org.junit.AfterClass
+ public static void cleanup() throws Exception {
+ if (kafkaServer != null) {
+ kafkaServer.shutdown();
+ }
+ if (zkServer != null) {
+ zkServer.stop();
+ }
+
+ File clientKeystoreFile = new File(clientKeystorePath);
+ if (clientKeystoreFile.exists()) {
+ clientKeystoreFile.delete();
+ }
+ File serviceKeystoreFile = new File(serviceKeystorePath);
+ if (serviceKeystoreFile.exists()) {
+ serviceKeystoreFile.delete();
+ }
+ File truststoreFile = new File(truststorePath);
+ if (truststoreFile.exists()) {
+ truststoreFile.delete();
+ }
+ }
+
+ @Test
+ public void testAuthorizedRead() throws Exception {
+ // Create the Producer
+ Properties producerProps = new Properties();
+ producerProps.put("bootstrap.servers", "localhost:" + port);
+ producerProps.put("acks", "all");
+ producerProps.put("key.serializer", "org.apache.kafka.common.serialization.StringSerializer");
+ producerProps.put("value.serializer", "org.apache.kafka.common.serialization.StringSerializer");
+ producerProps.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_SSL");
+ producerProps.put("sasl.mechanism", "PLAIN");
+
+ producerProps.put(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG, "JKS");
+ producerProps.put(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, serviceKeystorePath);
+ producerProps.put(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, "sspass");
+ producerProps.put(SslConfigs.SSL_KEY_PASSWORD_CONFIG, "skpass");
+ producerProps.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, truststorePath);
+ producerProps.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, "security");
+
+ final Producer<String, String> producer = new KafkaProducer<>(producerProps);
+
+ // Create the Consumer
+ Properties consumerProps = new Properties();
+ consumerProps.put("bootstrap.servers", "localhost:" + port);
+ consumerProps.put("group.id", "test");
+ consumerProps.put("enable.auto.commit", "true");
+ consumerProps.put("auto.offset.reset", "earliest");
+ consumerProps.put("auto.commit.interval.ms", "1000");
+ consumerProps.put("session.timeout.ms", "30000");
+ consumerProps.put("key.deserializer", "org.apache.kafka.common.serialization.StringDeserializer");
+ consumerProps.put("value.deserializer", "org.apache.kafka.common.serialization.StringDeserializer");
+ consumerProps.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_SSL");
+ consumerProps.put("sasl.mechanism", "PLAIN");
+
+ consumerProps.put(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG, "JKS");
+ consumerProps.put(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, clientKeystorePath);
+ consumerProps.put(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, "cspass");
+ consumerProps.put(SslConfigs.SSL_KEY_PASSWORD_CONFIG, "ckpass");
+ consumerProps.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, truststorePath);
+ consumerProps.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, "security");
+
+ final KafkaConsumer<String, String> consumer = new KafkaConsumer<>(consumerProps);
+ consumer.subscribe(Arrays.asList("test"));
+
+ // Send a message
+ producer.send(new ProducerRecord<String, String>("test", "somekey", "somevalue"));
+ producer.flush();
+
+ // Poll until we consume it
+
+ ConsumerRecord<String, String> record = null;
+ for (int i = 0; i < 1000; i++) {
+ ConsumerRecords<String, String> records = consumer.poll(100);
+ if (records.count() > 0) {
+ record = records.iterator().next();
+ break;
+ }
+ Thread.sleep(1000);
+ }
+
+ Assert.assertNotNull(record);
+ Assert.assertEquals("somevalue", record.value());
+
+ producer.close();
+ consumer.close();
+ }
+
+ @Test
+ public void testAuthorizedWrite() throws Exception {
+ // Create the Producer
+ Properties producerProps = new Properties();
+ producerProps.put("bootstrap.servers", "localhost:" + port);
+ producerProps.put("acks", "all");
+ producerProps.put("key.serializer", "org.apache.kafka.common.serialization.StringSerializer");
+ producerProps.put("value.serializer", "org.apache.kafka.common.serialization.StringSerializer");
+ producerProps.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_SSL");
+ producerProps.put("sasl.mechanism", "PLAIN");
+
+ producerProps.put(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG, "JKS");
+ producerProps.put(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, serviceKeystorePath);
+ producerProps.put(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, "sspass");
+ producerProps.put(SslConfigs.SSL_KEY_PASSWORD_CONFIG, "skpass");
+ producerProps.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, truststorePath);
+ producerProps.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, "security");
+
+ final Producer<String, String> producer = new KafkaProducer<>(producerProps);
+
+ // Send a message
+ Future<RecordMetadata> record =
+ producer.send(new ProducerRecord<String, String>("dev", "somekey", "somevalue"));
+ producer.flush();
+ record.get();
+
+ producer.close();
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/07f0fee7/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerTest.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerTest.java b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerTest.java
index 4a4e2b5..80e3144 100644
--- a/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerTest.java
+++ b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerTest.java
@@ -23,14 +23,8 @@ import java.math.BigInteger;
import java.net.ServerSocket;
import java.nio.file.Files;
import java.nio.file.Path;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
import java.security.KeyStore;
-import java.security.SecureRandom;
-import java.security.cert.Certificate;
-import java.security.cert.X509Certificate;
import java.util.Arrays;
-import java.util.Date;
import java.util.Properties;
import java.util.concurrent.Future;
@@ -48,13 +42,6 @@ import org.apache.kafka.clients.producer.Producer;
import org.apache.kafka.clients.producer.ProducerRecord;
import org.apache.kafka.clients.producer.RecordMetadata;
import org.apache.kafka.common.config.SslConfigs;
-import org.bouncycastle.asn1.x500.X500Name;
-import org.bouncycastle.asn1.x500.style.RFC4519Style;
-import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
-import org.bouncycastle.cert.X509v3CertificateBuilder;
-import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
-import org.bouncycastle.operator.ContentSigner;
-import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.junit.Assert;
import org.junit.Test;
@@ -96,8 +83,12 @@ public class KafkaRangerAuthorizerTest {
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
keystore.load(null, "security".toCharArray());
- serviceKeystorePath = createAndStoreKey(serviceDN, serviceDN, BigInteger.valueOf(30), "sspass", "myservicekey", "skpass", keystore);
- clientKeystorePath = createAndStoreKey(clientDN, clientDN, BigInteger.valueOf(31), "cspass", "myclientkey", "ckpass", keystore);
+ serviceKeystorePath =
+ KafkaTestUtils.createAndStoreKey(serviceDN, serviceDN, BigInteger.valueOf(30),
+ "sspass", "myservicekey", "skpass", keystore);
+ clientKeystorePath =
+ KafkaTestUtils.createAndStoreKey(clientDN, clientDN, BigInteger.valueOf(31),
+ "cspass", "myclientkey", "ckpass", keystore);
File truststoreFile = File.createTempFile("kafkatruststore", ".jks");
keystore.store(new FileOutputStream(truststoreFile), "security".toCharArray());
@@ -175,39 +166,6 @@ public class KafkaRangerAuthorizerTest {
}
}
- private static String createAndStoreKey(String subjectName, String issuerName, BigInteger serial, String keystorePassword,
- String keystoreAlias, String keyPassword, KeyStore trustStore) throws Exception {
-
- // Create KeyPair
- KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
- keyPairGenerator.initialize(2048, new SecureRandom());
- KeyPair keyPair = keyPairGenerator.generateKeyPair();
-
- Date currentDate = new Date();
- Date expiryDate = new Date(currentDate.getTime() + 365L * 24L * 60L * 60L * 1000L);
-
- // Create X509Certificate
- X509v3CertificateBuilder certBuilder =
- new X509v3CertificateBuilder(new X500Name(RFC4519Style.INSTANCE, issuerName), serial, currentDate, expiryDate,
- new X500Name(RFC4519Style.INSTANCE, subjectName), SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded()));
- ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(keyPair.getPrivate());
- X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(certBuilder.build(contentSigner));
-
- // Store Private Key + Certificate in Keystore
- KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
- keystore.load(null, keystorePassword.toCharArray());
- keystore.setKeyEntry(keystoreAlias, keyPair.getPrivate(), keyPassword.toCharArray(), new Certificate[] {certificate});
-
- File keystoreFile = File.createTempFile("kafkakeystore", ".jks");
- keystore.store(new FileOutputStream(keystoreFile), keystorePassword.toCharArray());
-
- // Now store the Certificate in the truststore
- trustStore.setCertificateEntry(keystoreAlias, certificate);
-
- return keystoreFile.getPath();
-
- }
-
// The "public" group can read from "test"
@Test
public void testAuthorizedRead() throws Exception {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/07f0fee7/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaTestUtils.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaTestUtils.java b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaTestUtils.java
new file mode 100644
index 0000000..3186615
--- /dev/null
+++ b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaTestUtils.java
@@ -0,0 +1,74 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.authorization.kafka.authorizer;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.SecureRandom;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.Date;
+
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x500.style.RFC4519Style;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+
+public final class KafkaTestUtils {
+
+ public static String createAndStoreKey(String subjectName, String issuerName, BigInteger serial, String keystorePassword,
+ String keystoreAlias, String keyPassword, KeyStore trustStore) throws Exception {
+
+ // Create KeyPair
+ KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+ keyPairGenerator.initialize(2048, new SecureRandom());
+ KeyPair keyPair = keyPairGenerator.generateKeyPair();
+
+ Date currentDate = new Date();
+ Date expiryDate = new Date(currentDate.getTime() + 365L * 24L * 60L * 60L * 1000L);
+
+ // Create X509Certificate
+ X509v3CertificateBuilder certBuilder =
+ new X509v3CertificateBuilder(new X500Name(RFC4519Style.INSTANCE, issuerName), serial, currentDate, expiryDate,
+ new X500Name(RFC4519Style.INSTANCE, subjectName), SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded()));
+ ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(keyPair.getPrivate());
+ X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(certBuilder.build(contentSigner));
+
+ // Store Private Key + Certificate in Keystore
+ KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
+ keystore.load(null, keystorePassword.toCharArray());
+ keystore.setKeyEntry(keystoreAlias, keyPair.getPrivate(), keyPassword.toCharArray(), new Certificate[] {certificate});
+
+ File keystoreFile = File.createTempFile("kafkakeystore", ".jks");
+ keystore.store(new FileOutputStream(keystoreFile), keystorePassword.toCharArray());
+
+ // Now store the Certificate in the truststore
+ trustStore.setCertificateEntry(keystoreAlias, certificate);
+
+ return keystoreFile.getPath();
+
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/07f0fee7/plugin-kafka/src/test/resources/kafka_plain.jaas
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/test/resources/kafka_plain.jaas b/plugin-kafka/src/test/resources/kafka_plain.jaas
new file mode 100644
index 0000000..6c090f7
--- /dev/null
+++ b/plugin-kafka/src/test/resources/kafka_plain.jaas
@@ -0,0 +1,13 @@
+KafkaServer {
+ org.apache.kafka.common.security.plain.PlainLoginModule required
+ username="admin"
+ password="password"
+ user_admin="password"
+ user_alice="security";
+};
+
+KafkaClient {
+ org.apache.kafka.common.security.plain.PlainLoginModule required
+ username="alice"
+ password="security";
+};
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/07f0fee7/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 13e5da8..2ad43d5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -578,6 +578,7 @@
<exclude>atlassian-ide-plugin.xml</exclude>
<exclude>**/.pydevproject</exclude>
<exclude>**/derby.log</exclude>
+ <exclude>**/*.jaas</exclude>
</excludes>
</configuration>
</plugin>
[2/2] incubator-ranger git commit: RANGER-1309 - Check for header
first in RangerCSRFPreventionFilter
Posted by co...@apache.org.
RANGER-1309 - Check for header first in RangerCSRFPreventionFilter
Signed off by Vel
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/18406ea5
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/18406ea5
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/18406ea5
Branch: refs/heads/master
Commit: 18406ea591c17c2e8c6d2e522ea8ac6fe7f6b21a
Parents: 07f0fee
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Jan 18 09:53:20 2017 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Jan 18 09:53:20 2017 +0000
----------------------------------------------------------------------
.../ranger/security/web/filter/RangerCSRFPreventionFilter.java | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/18406ea5/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java
index 4942eb3..36a0fa3 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java
@@ -160,9 +160,9 @@ public class RangerCSRFPreventionFilter implements Filter {
public void handleHttpInteraction(HttpInteraction httpInteraction)
throws IOException, ServletException {
- if (!isBrowser(httpInteraction.getHeader(HEADER_USER_AGENT))
- || methodsToIgnore.contains(httpInteraction.getMethod())
- || httpInteraction.getHeader(headerName) != null) {
+ if (httpInteraction.getHeader(headerName) != null
+ || !isBrowser(httpInteraction.getHeader(HEADER_USER_AGENT))
+ || methodsToIgnore.contains(httpInteraction.getMethod())) {
httpInteraction.proceed();
}else {
httpInteraction.sendError(HttpServletResponse.SC_BAD_REQUEST,"Missing Required Header for CSRF Vulnerability Protection");