Posted to dev@ranger.apache.org by Pradeep Agrawal <pr...@freestoneinfotech.com> on 2018/04/09 10:14:58 UTC

Review Request 66504: RANGER-2058: Add SSL enabled Postgres support in Ranger Admin

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66504/
-----------------------------------------------------------

Review request for ranger, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-2058
    https://issues.apache.org/jira/browse/RANGER-2058


Repository: ranger


Description
-------

**Problem Statement:** Ranger can not communicate to ssl enabled Postgres server


**Proposed Solution:**
To connect to a SSL Enabled Postgres Server JDBC connection string could be : "jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true&sslmode=verify-ca".
The 'ssl=true' property is added to the JDBC URL to attempt to communicate via SSL. 
The 'sslfactory=org.postgresql.ssl.NonValidatingFactory' property is set to bypass certificate validation.
The 'sslmode=verify-ca' property is set to connect only if the Postgres server trust certificate is available. If the user wants to connect using a truststore then he can configure truststore files (certificate information for the postgres server and client both).
Ranger application and jisql utility should know from where to pick the certificates which can be set in the System properties like this :
-Djavax.net.ssl.keyStore=path_to_keystore_file
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=path_to_truststore_file
-Djavax.net.ssl.trustStorePassword=password


Following properties of install.properties file can be used to provide the SSL config options, keystore and truststore path to connect to SSL enabled Postgres server:


db_ssl_enabled=false
db_ssl_required=false
db_ssl_verifyServerCertificate=false
javax_net_ssl_keyStore=/etc/postgres/keystore
javax_net_ssl_keyStorePassword=secret
javax_net_ssl_trustStore=/etc/postgres/truststore
javax_net_ssl_trustStorePassword=secret


Diffs
-----

  kms/scripts/db_setup.py a431b60 
  kms/scripts/dba_script.py bcd4aa2 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java 12585ca 
  security-admin/scripts/db_setup.py b8664d2 
  security-admin/scripts/dba_script.py 69fff41 
  security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java edd9d36 


Diff: https://reviews.apache.org/r/66504/diff/1/


Testing
-------

**Steps Performed(with patch):**
1. Installed Postgres and enabled SSL with the help of doc : 

Untar ranger-admin from Build having changes of proposed patch.
Provided ranger db root and admin db details in install.properties.
Provided values for below properties of install.properties file.
db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
javax_net_ssl_keyStore=/root/keystore
javax_net_ssl_keyStorePassword=secret
javax_net_ssl_trustStore=/root/truststore
javax_net_ssl_trustStorePassword=secret

Executed setup.sh script.

Tried to start ranger admin service.

**Expected behaviour :** Ranger admin should start normally and User should be able to see Dashboard page after login.

**Actual behaviour :** Ranger admin was started and was able to login and see Ranger UI.

**Note :** 
Tested Ranger admin and Ranger kms on SSL enabled Postgres with one-way and two-way ssl configurations.
Tried below combination of SSL properties also with different ranger db combination to install ranger admin and ranger kms.

db_ssl_enabled | db_ssl_required | db_ssl_verifyServerCertificate
true           | true            | true
true           | true            | false
true           | false           | true
true           | false           | false


Thanks,

Pradeep Agrawal


Re: Review Request 66504: RANGER-2058: Add SSL enabled Postgres support in Ranger Admin

Posted by Qiang Zhang <zh...@zte.com.cn>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66504/#review200820
-----------------------------------------------------------



.git/rebase-apply/patch:195: trailing whitespace.
				
warning: 1 line adds whitespace errors.

Please fix above warning.

- Qiang Zhang


On April 9, 2018, 2:55 p.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/66504/
> -----------------------------------------------------------
> 
> (Updated April 9, 2018, 2:55 p.m.)
> 
> 
> Review request for ranger, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2058
>     https://issues.apache.org/jira/browse/RANGER-2058
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement:** Ranger can not communicate to ssl enabled Postgres server
> 
> 
> **Proposed Solution:**
> To connect to a SSL Enabled Postgres Server JDBC connection string could be :
> =>For validating CA: "jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true&sslmode=verify-ca".
> =>For Non validating CA: "jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory".
> 
> The 'ssl=true' property is added to the JDBC URL to attempt to communicate via SSL. 
> The 'sslfactory=org.postgresql.ssl.NonValidatingFactory' property is set to bypass certificate validation.
> The 'sslmode=verify-ca' property is set to connect only if the Postgres server trust certificate is available. If user wants to connect using truststore then he can configure truststore files(certificate information for the postgres  server and client both). 
> ---
> Following properties of install.properties file can be used to provide the SSL config options, keystore and truststore path to connect to SSL enabled Postgres server:
> 
> db_ssl_enabled=
> db_ssl_required=
> db_ssl_verifyServerCertificate=
> db_ssl_auth_type=
> javax_net_ssl_keyStore=
> javax_net_ssl_keyStorePassword=
> javax_net_ssl_trustStore=
> javax_net_ssl_trustStorePassword=
> ---
> **Rules:**
> 1. if [db_ssl_enabled=true] then ranger admin/kms JDBC URL will attempt to communicate to postgres via SSL.
> 2. if [db_ssl_enabled=true and [db_ssl_required=false and db_ssl_verifyServerCertificate=false]] then JDBC url will have parameter 'sslfactory=org.postgresql.ssl.NonValidatingFactory' in it and CA validation will be skipped.
> 3. if [db_ssl_enabled=true and [db_ssl_required=true or db_ssl_verifyServerCertificate=true]] then JDBC url will have parameter 'sslmode=verify-ca' in it and CA validation will be mandatory. 
>    3.1) if [db_ssl_auth_type=1-way] then the user has to provide the certificate and password through the truststore properties (javax_net_ssl_trustStore, javax_net_ssl_trustStorePassword).
>    3.2) if [db_ssl_auth_type=2-way] then the user has to provide the keystore and password through the keystore properties (javax_net_ssl_keyStore, javax_net_ssl_keyStorePassword) and the CA certificate and password through the truststore properties (javax_net_ssl_trustStore, javax_net_ssl_trustStorePassword).
> 
> **Note:**
> Ranger application and jisql utility should know from where to pick the certificates which can be set in the System properties like this :
> -Djavax.net.ssl.keyStore=path_to_keystore_file
> -Djavax.net.ssl.keyStorePassword=password
> -Djavax.net.ssl.trustStore=path_to_truststore_file
> -Djavax.net.ssl.trustStorePassword=password
> 
> 
> Diffs
> -----
> 
>   kms/scripts/db_setup.py a431b60 
>   kms/scripts/dba_script.py bcd4aa2 
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java 12585ca 
>   security-admin/scripts/db_setup.py b8664d2 
>   security-admin/scripts/dba_script.py 69fff41 
>   security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java edd9d36 
> 
> 
> Diff: https://reviews.apache.org/r/66504/diff/1/
> 
> 
> Testing
> -------
> 
> **Steps Performed(with patch):**
> Installed Postgres and enabled SSL with the help of doc : https://www.postgresql.org/docs/9.5/static/ssl-tcp.html
> 
> Untar ranger-admin from Build having changes of proposed patch.
> Provided ranger db root and admin db details in install.properties.
> Provided values for below properties of install.properties file.
> db_ssl_enabled=true
> db_ssl_required=true
> db_ssl_verifyServerCertificate=true
> db_ssl_auth_type=1-way
> javax_net_ssl_keyStore=/root/keystore
> javax_net_ssl_keyStorePassword=secret
> javax_net_ssl_trustStore=/root/truststore
> javax_net_ssl_trustStorePassword=secret
> 
> Executed setup.sh script.
> 
> Tried to start ranger admin service.
> 
> **Expected behaviour :** Ranger admin should start normally and User should be able to see Dashboard page after login.
> 
> **Actual behaviour :** Ranger admin was started and was able to login and see Ranger UI.
> 
> **Note :** 
> Tested Ranger admin and Ranger kms on SSL enabled Postgres with one-way and two-way ssl configurations.
> Tried below combination of SSL properties also with different ranger db combination to install ranger admin and ranger kms.
> 
> db_ssl_enabled	db_ssl_required	db_ssl_verifyServerCertificate	db_ssl_auth_type	javax_net_ssl_keyStore	javax_net_ssl_trustStore
> TRUE	TRUE	TRUE	2-way	provided	provided
> TRUE	TRUE	TRUE	2-way	provided	not provided
> TRUE	TRUE	TRUE	2-way	not provided	provided
> TRUE	TRUE	TRUE	2-way	not provided	not provided
> TRUE	TRUE	TRUE	1-way	provided	provided
> TRUE	TRUE	TRUE	1-way	provided	not provided
> TRUE	TRUE	TRUE	1-way	not provided	provided
> TRUE	TRUE	TRUE	1-way	not provided	not provided
> TRUE	TRUE	FALSE	2-way	provided	provided
> TRUE	TRUE	FALSE	2-way	provided	not provided
> TRUE	TRUE	FALSE	2-way	not provided	provided
> TRUE	TRUE	FALSE	2-way	not provided	not provided
> TRUE	TRUE	FALSE	1-way	provided	provided
> TRUE	TRUE	FALSE	1-way	provided	not provided
> TRUE	TRUE	FALSE	1-way	not provided	provided
> TRUE	TRUE	FALSE	1-way	not provided	not provided
> TRUE	FALSE	TRUE	2-way	provided	provided
> TRUE	FALSE	TRUE	2-way	provided	not provided
> TRUE	FALSE	TRUE	2-way	not provided	provided
> TRUE	FALSE	TRUE	2-way	not provided	not provided
> TRUE	FALSE	TRUE	1-way	provided	provided
> TRUE	FALSE	TRUE	1-way	provided	not provided
> TRUE	FALSE	TRUE	1-way	not provided	provided
> TRUE	FALSE	TRUE	1-way	not provided	not provided
> TRUE	FALSE	FALSE	2-way	provided	provided
> TRUE	FALSE	FALSE	2-way	provided	not provided
> TRUE	FALSE	FALSE	2-way	not provided	provided
> TRUE	FALSE	FALSE	2-way	not provided	not provided
> TRUE	FALSE	FALSE	1-way	provided	provided
> TRUE	FALSE	FALSE	1-way	provided	not provided
> TRUE	FALSE	FALSE	1-way	not provided	provided
> TRUE	FALSE	FALSE	1-way	not provided	not provided
> FALSE	TRUE	TRUE	2-way	provided	provided
> FALSE	TRUE	TRUE	2-way	provided	not provided
> FALSE	TRUE	TRUE	2-way	not provided	provided
> FALSE	TRUE	TRUE	2-way	not provided	not provided
> FALSE	TRUE	TRUE	1-way	provided	provided
> FALSE	TRUE	TRUE	1-way	provided	not provided
> FALSE	TRUE	TRUE	1-way	not provided	provided
> FALSE	TRUE	TRUE	1-way	not provided	not provided
> FALSE	TRUE	FALSE	2-way	provided	provided
> FALSE	TRUE	FALSE	2-way	provided	not provided
> FALSE	TRUE	FALSE	2-way	not provided	provided
> FALSE	TRUE	FALSE	2-way	not provided	not provided
> FALSE	TRUE	FALSE	1-way	provided	provided
> FALSE	TRUE	FALSE	1-way	provided	not provided
> FALSE	TRUE	FALSE	1-way	not provided	provided
> FALSE	TRUE	FALSE	1-way	not provided	not provided
> FALSE	FALSE	TRUE	2-way	provided	provided
> FALSE	FALSE	TRUE	2-way	provided	not provided
> FALSE	FALSE	TRUE	2-way	not provided	provided
> FALSE	FALSE	TRUE	2-way	not provided	not provided
> FALSE	FALSE	TRUE	1-way	provided	provided
> FALSE	FALSE	TRUE	1-way	provided	not provided
> FALSE	FALSE	TRUE	1-way	not provided	provided
> FALSE	FALSE	TRUE	1-way	not provided	not provided
> FALSE	FALSE	FALSE	2-way	provided	provided
> FALSE	FALSE	FALSE	2-way	provided	not provided
> FALSE	FALSE	FALSE	2-way	not provided	provided
> FALSE	FALSE	FALSE	2-way	not provided	not provided
> FALSE	FALSE	FALSE	1-way	provided	provided
> FALSE	FALSE	FALSE	1-way	provided	not provided
> FALSE	FALSE	FALSE	1-way	not provided	provided
> FALSE	FALSE	FALSE	1-way	not provided	not provided
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>


Re: Review Request 66504: RANGER-2058: Add SSL enabled Postgres support in Ranger Admin

Posted by Qiang Zhang <zh...@zte.com.cn>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66504/#review200948
-----------------------------------------------------------


Ship it!





- Qiang Zhang


On April 11, 2018, 12:49 p.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/66504/
> -----------------------------------------------------------
> 
> (Updated April 11, 2018, 12:49 p.m.)
> 
> 
> Review request for ranger, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2058
>     https://issues.apache.org/jira/browse/RANGER-2058
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement:** Ranger can not communicate to ssl enabled Postgres server
> 
> 
> **Proposed Solution:**
> To connect to a SSL Enabled Postgres Server JDBC connection string could be :
> =>For validating CA: "jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true".
> =>For Non validating CA: "jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory".
> 
> The 'ssl=true' property is added to the JDBC URL to attempt to communicate via SSL. 
> The 'sslfactory=org.postgresql.ssl.NonValidatingFactory' property is set to bypass certificate validation.
> ---
> Following properties of install.properties file can be used to provide the SSL config options, keystore and truststore path to connect to SSL enabled Postgres server:
> 
> db_ssl_enabled=
> db_ssl_required=
> db_ssl_verifyServerCertificate=
> db_ssl_auth_type=
> javax_net_ssl_keyStore=
> javax_net_ssl_keyStorePassword=
> javax_net_ssl_trustStore=
> javax_net_ssl_trustStorePassword=
> ---
> **Rules:**
> 1. if [db_ssl_enabled=true] then ranger admin/kms JDBC URL will attempt to communicate to postgres via SSL.
> 2. if [db_ssl_enabled=true and [db_ssl_required=false and db_ssl_verifyServerCertificate=false]] then JDBC url will have parameter 'sslfactory=org.postgresql.ssl.NonValidatingFactory' in it and CA validation will be skipped.
> 3. if [db_ssl_enabled=true and [db_ssl_required=true or db_ssl_verifyServerCertificate=true]] then CA validation will be mandatory. 
>    3.1) if [db_ssl_auth_type=1-way] then the user has to provide the certificate and password through the truststore properties (javax_net_ssl_trustStore, javax_net_ssl_trustStorePassword).
>    3.2) if [db_ssl_auth_type=2-way] then the user has to provide the keystore and password through the keystore properties (javax_net_ssl_keyStore, javax_net_ssl_keyStorePassword) and the CA certificate and password through the truststore properties (javax_net_ssl_trustStore, javax_net_ssl_trustStorePassword).
> 
> **Note:**
> Ranger application and jisql utility should know from where to pick the certificates which can be set in the System properties like this :
> -Djavax.net.ssl.keyStore=path_to_keystore_file
> -Djavax.net.ssl.keyStorePassword=password
> -Djavax.net.ssl.trustStore=path_to_truststore_file
> -Djavax.net.ssl.trustStorePassword=password
> 
> 
> Diffs
> -----
> 
>   kms/scripts/db_setup.py a431b60 
>   kms/scripts/dba_script.py bcd4aa2 
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java 12585ca 
>   security-admin/scripts/db_setup.py b8664d2 
>   security-admin/scripts/dba_script.py 69fff41 
>   security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java edd9d36 
> 
> 
> Diff: https://reviews.apache.org/r/66504/diff/2/
> 
> 
> Testing
> -------
> 
> **Steps Performed(with patch):**
> Installed Postgres and enabled SSL with the help of doc : https://www.postgresql.org/docs/9.5/static/ssl-tcp.html
> 
> Untar ranger-admin from Build having changes of proposed patch.
> Provided ranger db root and admin db details in install.properties.
> Provided values for below properties of install.properties file.
> db_ssl_enabled=true
> db_ssl_required=true
> db_ssl_verifyServerCertificate=true
> db_ssl_auth_type=1-way
> javax_net_ssl_keyStore=/root/keystore
> javax_net_ssl_keyStorePassword=secret
> javax_net_ssl_trustStore=/root/truststore
> javax_net_ssl_trustStorePassword=secret
> 
> Executed setup.sh script.
> 
> Tried to start ranger admin service.
> 
> **Expected behaviour :** Ranger admin should start normally and User should be able to see Dashboard page after login.
> 
> **Actual behaviour :** Ranger admin was started and was able to login and see Ranger UI.
> 
> **Note :** 
> Tested Ranger admin and Ranger kms on SSL enabled Postgres with one-way and two-way ssl configurations.
> Tried below combination of SSL properties also with different ranger db combination to install ranger admin and ranger kms.
> 
> db_ssl_enabled	db_ssl_required	db_ssl_verifyServerCertificate	db_ssl_auth_type	javax_net_ssl_keyStore	javax_net_ssl_trustStore
> TRUE	TRUE	TRUE	2-way	provided	provided
> TRUE	TRUE	TRUE	2-way	provided	not provided
> TRUE	TRUE	TRUE	2-way	not provided	provided
> TRUE	TRUE	TRUE	2-way	not provided	not provided
> TRUE	TRUE	TRUE	1-way	provided	provided
> TRUE	TRUE	TRUE	1-way	provided	not provided
> TRUE	TRUE	TRUE	1-way	not provided	provided
> TRUE	TRUE	TRUE	1-way	not provided	not provided
> TRUE	TRUE	FALSE	2-way	provided	provided
> TRUE	TRUE	FALSE	2-way	provided	not provided
> TRUE	TRUE	FALSE	2-way	not provided	provided
> TRUE	TRUE	FALSE	2-way	not provided	not provided
> TRUE	TRUE	FALSE	1-way	provided	provided
> TRUE	TRUE	FALSE	1-way	provided	not provided
> TRUE	TRUE	FALSE	1-way	not provided	provided
> TRUE	TRUE	FALSE	1-way	not provided	not provided
> TRUE	FALSE	TRUE	2-way	provided	provided
> TRUE	FALSE	TRUE	2-way	provided	not provided
> TRUE	FALSE	TRUE	2-way	not provided	provided
> TRUE	FALSE	TRUE	2-way	not provided	not provided
> TRUE	FALSE	TRUE	1-way	provided	provided
> TRUE	FALSE	TRUE	1-way	provided	not provided
> TRUE	FALSE	TRUE	1-way	not provided	provided
> TRUE	FALSE	TRUE	1-way	not provided	not provided
> TRUE	FALSE	FALSE	2-way	provided	provided
> TRUE	FALSE	FALSE	2-way	provided	not provided
> TRUE	FALSE	FALSE	2-way	not provided	provided
> TRUE	FALSE	FALSE	2-way	not provided	not provided
> TRUE	FALSE	FALSE	1-way	provided	provided
> TRUE	FALSE	FALSE	1-way	provided	not provided
> TRUE	FALSE	FALSE	1-way	not provided	provided
> TRUE	FALSE	FALSE	1-way	not provided	not provided
> FALSE	TRUE	TRUE	2-way	provided	provided
> FALSE	TRUE	TRUE	2-way	provided	not provided
> FALSE	TRUE	TRUE	2-way	not provided	provided
> FALSE	TRUE	TRUE	2-way	not provided	not provided
> FALSE	TRUE	TRUE	1-way	provided	provided
> FALSE	TRUE	TRUE	1-way	provided	not provided
> FALSE	TRUE	TRUE	1-way	not provided	provided
> FALSE	TRUE	TRUE	1-way	not provided	not provided
> FALSE	TRUE	FALSE	2-way	provided	provided
> FALSE	TRUE	FALSE	2-way	provided	not provided
> FALSE	TRUE	FALSE	2-way	not provided	provided
> FALSE	TRUE	FALSE	2-way	not provided	not provided
> FALSE	TRUE	FALSE	1-way	provided	provided
> FALSE	TRUE	FALSE	1-way	provided	not provided
> FALSE	TRUE	FALSE	1-way	not provided	provided
> FALSE	TRUE	FALSE	1-way	not provided	not provided
> FALSE	FALSE	TRUE	2-way	provided	provided
> FALSE	FALSE	TRUE	2-way	provided	not provided
> FALSE	FALSE	TRUE	2-way	not provided	provided
> FALSE	FALSE	TRUE	2-way	not provided	not provided
> FALSE	FALSE	TRUE	1-way	provided	provided
> FALSE	FALSE	TRUE	1-way	provided	not provided
> FALSE	FALSE	TRUE	1-way	not provided	provided
> FALSE	FALSE	TRUE	1-way	not provided	not provided
> FALSE	FALSE	FALSE	2-way	provided	provided
> FALSE	FALSE	FALSE	2-way	provided	not provided
> FALSE	FALSE	FALSE	2-way	not provided	provided
> FALSE	FALSE	FALSE	2-way	not provided	not provided
> FALSE	FALSE	FALSE	1-way	provided	provided
> FALSE	FALSE	FALSE	1-way	provided	not provided
> FALSE	FALSE	FALSE	1-way	not provided	provided
> FALSE	FALSE	FALSE	1-way	not provided	not provided
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>


Re: Review Request 66504: RANGER-2058: Add SSL enabled Postgres support in Ranger Admin

Posted by Velmurugan Periasamy <vp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66504/#review200951
-----------------------------------------------------------


Ship it!





- Velmurugan Periasamy


On April 11, 2018, 12:49 p.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/66504/
> -----------------------------------------------------------
> 
> (Updated April 11, 2018, 12:49 p.m.)
> 
> 
> Review request for ranger, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2058
>     https://issues.apache.org/jira/browse/RANGER-2058
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement:** Ranger can not communicate to ssl enabled Postgres server
> 
> 
> **Proposed Solution:**
> To connect to a SSL Enabled Postgres Server JDBC connection string could be :
> =>For validating CA: "jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true".
> =>For Non validating CA: "jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory".
> 
> The 'ssl=true' property is added to the JDBC URL to attempt to communicate via SSL. 
> The 'sslfactory=org.postgresql.ssl.NonValidatingFactory' property is set to bypass certificate validation.
> ---
> Following properties of install.properties file can be used to provide the SSL config options, keystore and truststore path to connect to SSL enabled Postgres server:
> 
> db_ssl_enabled=
> db_ssl_required=
> db_ssl_verifyServerCertificate=
> db_ssl_auth_type=
> javax_net_ssl_keyStore=
> javax_net_ssl_keyStorePassword=
> javax_net_ssl_trustStore=
> javax_net_ssl_trustStorePassword=
> ---
> **Rules:**
> 1. if [db_ssl_enabled=true] then ranger admin/kms JDBC URL will attempt to communicate to postgres via SSL.
> 2. if [db_ssl_enabled=true and [db_ssl_required=false and db_ssl_verifyServerCertificate=false]] then JDBC url will have parameter 'sslfactory=org.postgresql.ssl.NonValidatingFactory' in it and CA validation will be skipped.
> 3. if [db_ssl_enabled=true and [db_ssl_required=true or db_ssl_verifyServerCertificate=true]] then CA validation will be mandatory. 
>    3.1) if [db_ssl_auth_type=1-way] then the user has to provide the certificate and password through the truststore properties (javax_net_ssl_trustStore, javax_net_ssl_trustStorePassword).
>    3.2) if [db_ssl_auth_type=2-way] then the user has to provide the keystore and password through the keystore properties (javax_net_ssl_keyStore, javax_net_ssl_keyStorePassword) and the CA certificate and password through the truststore properties (javax_net_ssl_trustStore, javax_net_ssl_trustStorePassword).
> 
> **Note:**
> Ranger application and jisql utility should know from where to pick the certificates which can be set in the System properties like this :
> -Djavax.net.ssl.keyStore=path_to_keystore_file
> -Djavax.net.ssl.keyStorePassword=password
> -Djavax.net.ssl.trustStore=path_to_truststore_file
> -Djavax.net.ssl.trustStorePassword=password
> 
> 
> Diffs
> -----
> 
>   kms/scripts/db_setup.py a431b60 
>   kms/scripts/dba_script.py bcd4aa2 
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java 12585ca 
>   security-admin/scripts/db_setup.py b8664d2 
>   security-admin/scripts/dba_script.py 69fff41 
>   security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java edd9d36 
> 
> 
> Diff: https://reviews.apache.org/r/66504/diff/2/
> 
> 
> Testing
> -------
> 
> **Steps Performed(with patch):**
> Installed Postgres and enabled SSL with the help of doc : https://www.postgresql.org/docs/9.5/static/ssl-tcp.html
> 
> Untar ranger-admin from Build having changes of proposed patch.
> Provided ranger db root and admin db details in install.properties.
> Provided values for below properties of install.properties file.
> db_ssl_enabled=true
> db_ssl_required=true
> db_ssl_verifyServerCertificate=true
> db_ssl_auth_type=1-way
> javax_net_ssl_keyStore=/root/keystore
> javax_net_ssl_keyStorePassword=secret
> javax_net_ssl_trustStore=/root/truststore
> javax_net_ssl_trustStorePassword=secret
> 
> Executed setup.sh script.
> 
> Tried to start ranger admin service.
> 
> **Expected behaviour :** Ranger admin should start normally and User should be able to see Dashboard page after login.
> 
> **Actual behaviour :** Ranger admin was started and was able to login and see Ranger UI.
> 
> **Note :** 
> Tested Ranger admin and Ranger kms on SSL enabled Postgres with one-way and two-way ssl configurations.
> Tried below combination of SSL properties also with different ranger db combination to install ranger admin and ranger kms.
> 
> db_ssl_enabled	db_ssl_required	db_ssl_verifyServerCertificate	db_ssl_auth_type	javax_net_ssl_keyStore	javax_net_ssl_trustStore
> TRUE	TRUE	TRUE	2-way	provided	provided
> TRUE	TRUE	TRUE	2-way	provided	not provided
> TRUE	TRUE	TRUE	2-way	not provided	provided
> TRUE	TRUE	TRUE	2-way	not provided	not provided
> TRUE	TRUE	TRUE	1-way	provided	provided
> TRUE	TRUE	TRUE	1-way	provided	not provided
> TRUE	TRUE	TRUE	1-way	not provided	provided
> TRUE	TRUE	TRUE	1-way	not provided	not provided
> TRUE	TRUE	FALSE	2-way	provided	provided
> TRUE	TRUE	FALSE	2-way	provided	not provided
> TRUE	TRUE	FALSE	2-way	not provided	provided
> TRUE	TRUE	FALSE	2-way	not provided	not provided
> TRUE	TRUE	FALSE	1-way	provided	provided
> TRUE	TRUE	FALSE	1-way	provided	not provided
> TRUE	TRUE	FALSE	1-way	not provided	provided
> TRUE	TRUE	FALSE	1-way	not provided	not provided
> TRUE	FALSE	TRUE	2-way	provided	provided
> TRUE	FALSE	TRUE	2-way	provided	not provided
> TRUE	FALSE	TRUE	2-way	not provided	provided
> TRUE	FALSE	TRUE	2-way	not provided	not provided
> TRUE	FALSE	TRUE	1-way	provided	provided
> TRUE	FALSE	TRUE	1-way	provided	not provided
> TRUE	FALSE	TRUE	1-way	not provided	provided
> TRUE	FALSE	TRUE	1-way	not provided	not provided
> TRUE	FALSE	FALSE	2-way	provided	provided
> TRUE	FALSE	FALSE	2-way	provided	not provided
> TRUE	FALSE	FALSE	2-way	not provided	provided
> TRUE	FALSE	FALSE	2-way	not provided	not provided
> TRUE	FALSE	FALSE	1-way	provided	provided
> TRUE	FALSE	FALSE	1-way	provided	not provided
> TRUE	FALSE	FALSE	1-way	not provided	provided
> TRUE	FALSE	FALSE	1-way	not provided	not provided
> FALSE	TRUE	TRUE	2-way	provided	provided
> FALSE	TRUE	TRUE	2-way	provided	not provided
> FALSE	TRUE	TRUE	2-way	not provided	provided
> FALSE	TRUE	TRUE	2-way	not provided	not provided
> FALSE	TRUE	TRUE	1-way	provided	provided
> FALSE	TRUE	TRUE	1-way	provided	not provided
> FALSE	TRUE	TRUE	1-way	not provided	provided
> FALSE	TRUE	TRUE	1-way	not provided	not provided
> FALSE	TRUE	FALSE	2-way	provided	provided
> FALSE	TRUE	FALSE	2-way	provided	not provided
> FALSE	TRUE	FALSE	2-way	not provided	provided
> FALSE	TRUE	FALSE	2-way	not provided	not provided
> FALSE	TRUE	FALSE	1-way	provided	provided
> FALSE	TRUE	FALSE	1-way	provided	not provided
> FALSE	TRUE	FALSE	1-way	not provided	provided
> FALSE	TRUE	FALSE	1-way	not provided	not provided
> FALSE	FALSE	TRUE	2-way	provided	provided
> FALSE	FALSE	TRUE	2-way	provided	not provided
> FALSE	FALSE	TRUE	2-way	not provided	provided
> FALSE	FALSE	TRUE	2-way	not provided	not provided
> FALSE	FALSE	TRUE	1-way	provided	provided
> FALSE	FALSE	TRUE	1-way	provided	not provided
> FALSE	FALSE	TRUE	1-way	not provided	provided
> FALSE	FALSE	TRUE	1-way	not provided	not provided
> FALSE	FALSE	FALSE	2-way	provided	provided
> FALSE	FALSE	FALSE	2-way	provided	not provided
> FALSE	FALSE	FALSE	2-way	not provided	provided
> FALSE	FALSE	FALSE	2-way	not provided	not provided
> FALSE	FALSE	FALSE	1-way	provided	provided
> FALSE	FALSE	FALSE	1-way	provided	not provided
> FALSE	FALSE	FALSE	1-way	not provided	provided
> FALSE	FALSE	FALSE	1-way	not provided	not provided
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>
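
The rules in the April 11 revision of the description quoted above, written out as a small checker (an added example, not code from the Ranger patch). The function names, the WARN/ERROR findings and the check for flags set while db_ssl_enabled=false are assumptions of this example; the property names, sample values and URL parameters are the ones in the description.

```python
from dataclasses import dataclass, field

NON_VALIDATING = "org.postgresql.ssl.NonValidatingFactory"
TRUSTSTORE = ("javax_net_ssl_trustStore", "javax_net_ssl_trustStorePassword")
KEYSTORE = ("javax_net_ssl_keyStore", "javax_net_ssl_keyStorePassword")

# Sample input: the values listed in the "Testing" section of the description.
SAMPLE_INSTALL_PROPERTIES = """\
db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
db_ssl_auth_type=1-way
javax_net_ssl_keyStore=/root/keystore
javax_net_ssl_keyStorePassword=secret
javax_net_ssl_trustStore=/root/truststore
javax_net_ssl_trustStorePassword=secret
"""


@dataclass
class SslPlan:
    """Hypothetical result type: what the rules produce for one configuration."""
    jdbc_url: str
    validates_ca: bool
    jvm_options: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def _is_true(props, key):
    return props.get(key, "").lower() == "true"


def _store_options(props, keys, findings):
    """Map store properties to -Djavax.net.ssl.* options, recording empty ones."""
    options = []
    for key in keys:
        value = props.get(key, "")
        if not value:
            findings.append(f"ERROR: {key} is required but empty")
            continue
        # javax_net_ssl_trustStore -> -Djavax.net.ssl.trustStore
        options.append("-D" + key.replace("_", ".") + "=" + value)
    return options


def plan_postgres_ssl(props, host_port="127.0.0.1:3306", database="ranger"):
    base = f"jdbc:postgresql://{host_port}/{database}"
    required = _is_true(props, "db_ssl_required")
    verify = _is_true(props, "db_ssl_verifyServerCertificate")

    if not _is_true(props, "db_ssl_enabled"):
        plan = SslPlan(base, validates_ca=False)
        if required or verify:
            # Not one of the stated rules: this example's own sanity check.
            plan.findings.append(
                "WARN: db_ssl_required/db_ssl_verifyServerCertificate are set "
                "but db_ssl_enabled is not true, so the URL does not request SSL")
        return plan

    if not required and not verify:
        # Rule 2: encrypted channel, but the server certificate is not checked.
        plan = SslPlan(f"{base}?ssl=true&sslfactory={NON_VALIDATING}",
                       validates_ca=False)
        plan.findings.append("WARN: CA validation is skipped (NonValidatingFactory)")
        return plan

    # Rule 3: CA validation is mandatory; the stores depend on db_ssl_auth_type.
    plan = SslPlan(f"{base}?ssl=true", validates_ca=True)
    auth_type = props.get("db_ssl_auth_type", "")
    if auth_type == "1-way":
        plan.jvm_options = _store_options(props, TRUSTSTORE, plan.findings)
    elif auth_type == "2-way":
        plan.jvm_options = _store_options(props, KEYSTORE + TRUSTSTORE, plan.findings)
    else:
        plan.findings.append(
            f"ERROR: db_ssl_auth_type must be 1-way or 2-way, got {auth_type!r}")
    return plan


if __name__ == "__main__":
    plan = plan_postgres_ssl(parse_properties(SAMPLE_INSTALL_PROPERTIES))
    print(plan.jdbc_url)
    for option in plan.jvm_options:
        # Keep store passwords out of anything that gets logged.
        name = option.split("=", 1)[0]
        print(name + "=***" if "Password" in name else option)
    for finding in plan.findings:
        print(finding)
```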


Re: Review Request 66504: RANGER-2058: Add SSL enabled Postgres support in Ranger Admin

Posted by Pradeep Agrawal <pr...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66504/
-----------------------------------------------------------

(Updated April 11, 2018, 12:49 p.m.)


Review request for ranger, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.


Changes
-------

Addressed review comment and removed optional verify-ca url parameter.


Bugs: RANGER-2058
    https://issues.apache.org/jira/browse/RANGER-2058


Repository: ranger


Description (updated)
-------

**Problem Statement:** Ranger can not communicate to ssl enabled Postgres server


**Proposed Solution:**
To connect to a SSL Enabled Postgres Server JDBC connection string could be :
=>For validating CA: "jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true".
=>For Non validating CA: "jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory".

The 'ssl=true' property is added to the JDBC URL to attempt to communicate via SSL. 
The 'sslfactory=org.postgresql.ssl.NonValidatingFactory' property is set to bypass certificate validation.
---
Following properties of install.properties file can be used to provide the SSL config options, keystore and truststore path to connect to SSL enabled Postgres server:

db_ssl_enabled=
db_ssl_required=
db_ssl_verifyServerCertificate=
db_ssl_auth_type=
javax_net_ssl_keyStore=
javax_net_ssl_keyStorePassword=
javax_net_ssl_trustStore=
javax_net_ssl_trustStorePassword=
---
**Rules:**
1. if [db_ssl_enabled=true] then ranger admin/kms JDBC URL will attempt to communicate to postgres via SSL.
2. if [db_ssl_enabled=true and [db_ssl_required=false and db_ssl_verifyServerCertificate=false]] then JDBC url will have parameter 'sslfactory=org.postgresql.ssl.NonValidatingFactory' in it and CA validation will be skipped.
3. if [db_ssl_enabled=true and [db_ssl_required=true or db_ssl_verifyServerCertificate=true]] then CA validation will be mandatory. 
   3.1) if [db_ssl_auth_type=1-way] then the user has to provide the certificate and password through the truststore properties (javax_net_ssl_trustStore, javax_net_ssl_trustStorePassword).
   3.2) if [db_ssl_auth_type=2-way] then the user has to provide the keystore and password through the keystore properties (javax_net_ssl_keyStore, javax_net_ssl_keyStorePassword) and the CA certificate and password through the truststore properties (javax_net_ssl_trustStore, javax_net_ssl_trustStorePassword).

**Note:**
Ranger application and jisql utility should know from where to pick the certificates which can be set in the System properties like this :
-Djavax.net.ssl.keyStore=path_to_keystore_file
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=path_to_truststore_file
-Djavax.net.ssl.trustStorePassword=password


Diffs (updated)
-----

  kms/scripts/db_setup.py a431b60 
  kms/scripts/dba_script.py bcd4aa2 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java 12585ca 
  security-admin/scripts/db_setup.py b8664d2 
  security-admin/scripts/dba_script.py 69fff41 
  security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java edd9d36 


Diff: https://reviews.apache.org/r/66504/diff/2/

Changes: https://reviews.apache.org/r/66504/diff/1-2/


Testing
-------

**Steps Performed(with patch):**
Installed Postgres and enabled SSL with the help of doc : https://www.postgresql.org/docs/9.5/static/ssl-tcp.html

Untar ranger-admin from Build having changes of proposed patch.
Provided ranger db root and admin db details in install.properties.
Provided values for below properties of install.properties file.
db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
db_ssl_auth_type=1-way
javax_net_ssl_keyStore=/root/keystore
javax_net_ssl_keyStorePassword=secret
javax_net_ssl_trustStore=/root/truststore
javax_net_ssl_trustStorePassword=secret

Executed setup.sh script.

Tried to start ranger admin service.

**Expected behaviour :** Ranger admin should start normally and the user should be able to see the Dashboard page after login.

**Actual behaviour :** Ranger admin was started and was able to log in and see Ranger UI.

**Note :** 
Tested Ranger admin and Ranger kms on SSL enabled Postgres with one-way and two-way ssl configurations.
Tried below combination of SSL properties also with different ranger db combination to install ranger admin and ranger kms.

db_ssl_enabled	db_ssl_required	db_ssl_verifyServerCertificate	db_ssl_auth_type	javax_net_ssl_keyStore	javax_net_ssl_trustStore
TRUE	TRUE	TRUE	2-way	provided	provided
TRUE	TRUE	TRUE	2-way	provided	not provided
TRUE	TRUE	TRUE	2-way	not provided	provided
TRUE	TRUE	TRUE	2-way	not provided	not provided
TRUE	TRUE	TRUE	1-way	provided	provided
TRUE	TRUE	TRUE	1-way	provided	not provided
TRUE	TRUE	TRUE	1-way	not provided	provided
TRUE	TRUE	TRUE	1-way	not provided	not provided
TRUE	TRUE	FALSE	2-way	provided	provided
TRUE	TRUE	FALSE	2-way	provided	not provided
TRUE	TRUE	FALSE	2-way	not provided	provided
TRUE	TRUE	FALSE	2-way	not provided	not provided
TRUE	TRUE	FALSE	1-way	provided	provided
TRUE	TRUE	FALSE	1-way	provided	not provided
TRUE	TRUE	FALSE	1-way	not provided	provided
TRUE	TRUE	FALSE	1-way	not provided	not provided
TRUE	FALSE	TRUE	2-way	provided	provided
TRUE	FALSE	TRUE	2-way	provided	not provided
TRUE	FALSE	TRUE	2-way	not provided	provided
TRUE	FALSE	TRUE	2-way	not provided	not provided
TRUE	FALSE	TRUE	1-way	provided	provided
TRUE	FALSE	TRUE	1-way	provided	not provided
TRUE	FALSE	TRUE	1-way	not provided	provided
TRUE	FALSE	TRUE	1-way	not provided	not provided
TRUE	FALSE	FALSE	2-way	provided	provided
TRUE	FALSE	FALSE	2-way	provided	not provided
TRUE	FALSE	FALSE	2-way	not provided	provided
TRUE	FALSE	FALSE	2-way	not provided	not provided
TRUE	FALSE	FALSE	1-way	provided	provided
TRUE	FALSE	FALSE	1-way	provided	not provided
TRUE	FALSE	FALSE	1-way	not provided	provided
TRUE	FALSE	FALSE	1-way	not provided	not provided
FALSE	TRUE	TRUE	2-way	provided	provided
FALSE	TRUE	TRUE	2-way	provided	not provided
FALSE	TRUE	TRUE	2-way	not provided	provided
FALSE	TRUE	TRUE	2-way	not provided	not provided
FALSE	TRUE	TRUE	1-way	provided	provided
FALSE	TRUE	TRUE	1-way	provided	not provided
FALSE	TRUE	TRUE	1-way	not provided	provided
FALSE	TRUE	TRUE	1-way	not provided	not provided
FALSE	TRUE	FALSE	2-way	provided	provided
FALSE	TRUE	FALSE	2-way	provided	not provided
FALSE	TRUE	FALSE	2-way	not provided	provided
FALSE	TRUE	FALSE	2-way	not provided	not provided
FALSE	TRUE	FALSE	1-way	provided	provided
FALSE	TRUE	FALSE	1-way	provided	not provided
FALSE	TRUE	FALSE	1-way	not provided	provided
FALSE	TRUE	FALSE	1-way	not provided	not provided
FALSE	FALSE	TRUE	2-way	provided	provided
FALSE	FALSE	TRUE	2-way	provided	not provided
FALSE	FALSE	TRUE	2-way	not provided	provided
FALSE	FALSE	TRUE	2-way	not provided	not provided
FALSE	FALSE	TRUE	1-way	provided	provided
FALSE	FALSE	TRUE	1-way	provided	not provided
FALSE	FALSE	TRUE	1-way	not provided	provided
FALSE	FALSE	TRUE	1-way	not provided	not provided
FALSE	FALSE	FALSE	2-way	provided	provided
FALSE	FALSE	FALSE	2-way	provided	not provided
FALSE	FALSE	FALSE	2-way	not provided	provided
FALSE	FALSE	FALSE	2-way	not provided	not provided
FALSE	FALSE	FALSE	1-way	provided	provided
FALSE	FALSE	FALSE	1-way	provided	not provided
FALSE	FALSE	FALSE	1-way	not provided	provided
FALSE	FALSE	FALSE	1-way	not provided	not provided


Thanks,

Pradeep Agrawal


Re: Review Request 66504: RANGER-2058: Add SSL enabled Postgres support in Ranger Admin

Posted by Pradeep Agrawal <pr...@freestoneinfotech.com>.

(Updated April 9, 2018, 2:55 p.m.)


Review request for ranger, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.


Changes
-------

Updated Description and Testing done section


Bugs: RANGER-2058
    https://issues.apache.org/jira/browse/RANGER-2058


Repository: ranger


Description (updated)
-------

**Problem Statement:** Ranger cannot communicate with an SSL-enabled Postgres server


**Proposed Solution:**
To connect to an SSL-enabled Postgres server, the JDBC connection string could be:
=>For validating CA: "jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true&sslmode=verify-ca".
=>For Non validating CA: "jdbc:postgresql://127.0.0.1:3306/ranger?ssl=true&org.postgresql.ssl.NonValidatingFactory".

The 'ssl=true' property is added to the JDBC URL to attempt to communicate via SSL. 
The 'sslfactory=org.postgresql.ssl.NonValidatingFactory' property is set to bypass certificate validation.
The 'sslmode=verify-ca' property is set to connect only if the Postgres server trust certificate is available. If the user wants to connect using a truststore then he can configure truststore files (certificate information for both the Postgres server and the client).
---
The following properties of the install.properties file can be used to provide the SSL config options and the keystore and truststore paths to connect to an SSL-enabled Postgres server:

db_ssl_enabled=
db_ssl_required=
db_ssl_verifyServerCertificate=
db_ssl_auth_type=
javax_net_ssl_keyStore=
javax_net_ssl_keyStorePassword=
javax_net_ssl_trustStore=
javax_net_ssl_trustStorePassword=
---
**Rules:**
1. if [db_ssl_enabled=true] then ranger admin/kms JDBC URL will attempt to communicate to postgres via SSL.
2. if [db_ssl_enabled=true and [db_ssl_required=false and db_ssl_verifyServerCertificate=false]] then JDBC url will have parameter 'sslfactory=org.postgresql.ssl.NonValidatingFactory' in it and CA validation will be skipped.
3. if [db_ssl_enabled=true and [db_ssl_required=true or db_ssl_verifyServerCertificate=true]] then JDBC url will have parameter 'sslmode=verify-ca' in it and CA validation will be mandatory. 
   3.1) if [db_ssl_auth_type=1-way] then the user has to provide the certificate and password through truststore properties (javax_net_ssl_trustStore, javax_net_ssl_trustStorePassword).
   3.2) if [db_ssl_auth_type=2-way] then the user has to provide the keystore and password through keystore properties (javax_net_ssl_keyStore, javax_net_ssl_keyStorePassword) and the CA certificate and password through truststore properties (javax_net_ssl_trustStore, javax_net_ssl_trustStorePassword).

**Note:**
Ranger application and jisql utility should know from where to pick the certificates which can be set in the System properties like this :
-Djavax.net.ssl.keyStore=path_to_keystore_file
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=path_to_truststore_file
-Djavax.net.ssl.trustStorePassword=password


Diffs
-----

  kms/scripts/db_setup.py a431b60 
  kms/scripts/dba_script.py bcd4aa2 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSDB.java 12585ca 
  security-admin/scripts/db_setup.py b8664d2 
  security-admin/scripts/dba_script.py 69fff41 
  security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java edd9d36 


Diff: https://reviews.apache.org/r/66504/diff/1/


Testing (updated)
-------

**Steps Performed(with patch):**
Installed Postgres and enabled SSL with the help of doc : https://www.postgresql.org/docs/9.5/static/ssl-tcp.html

Untar ranger-admin from Build having changes of proposed patch.
Provided ranger db root and admin db details in install.properties.
Provided values for below properties of install.properties file.
db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
db_ssl_auth_type=1-way
javax_net_ssl_keyStore=/root/keystore
javax_net_ssl_keyStorePassword=secret
javax_net_ssl_trustStore=/root/truststore
javax_net_ssl_trustStorePassword=secret

Executed setup.sh script.

Tried to start ranger admin service.

**Expected behaviour :** Ranger admin should start normally and the user should be able to see the Dashboard page after login.

**Actual behaviour :** Ranger admin was started and was able to log in and see Ranger UI.

**Note :** 
Tested Ranger admin and Ranger kms on SSL enabled Postgres with one-way and two-way ssl configurations.
Tried below combination of SSL properties also with different ranger db combination to install ranger admin and ranger kms.

db_ssl_enabled	db_ssl_required	db_ssl_verifyServerCertificate	db_ssl_auth_type	javax_net_ssl_keyStore	javax_net_ssl_trustStore
TRUE	TRUE	TRUE	2-way	provided	provided
TRUE	TRUE	TRUE	2-way	provided	not provided
TRUE	TRUE	TRUE	2-way	not provided	provided
TRUE	TRUE	TRUE	2-way	not provided	not provided
TRUE	TRUE	TRUE	1-way	provided	provided
TRUE	TRUE	TRUE	1-way	provided	not provided
TRUE	TRUE	TRUE	1-way	not provided	provided
TRUE	TRUE	TRUE	1-way	not provided	not provided
TRUE	TRUE	FALSE	2-way	provided	provided
TRUE	TRUE	FALSE	2-way	provided	not provided
TRUE	TRUE	FALSE	2-way	not provided	provided
TRUE	TRUE	FALSE	2-way	not provided	not provided
TRUE	TRUE	FALSE	1-way	provided	provided
TRUE	TRUE	FALSE	1-way	provided	not provided
TRUE	TRUE	FALSE	1-way	not provided	provided
TRUE	TRUE	FALSE	1-way	not provided	not provided
TRUE	FALSE	TRUE	2-way	provided	provided
TRUE	FALSE	TRUE	2-way	provided	not provided
TRUE	FALSE	TRUE	2-way	not provided	provided
TRUE	FALSE	TRUE	2-way	not provided	not provided
TRUE	FALSE	TRUE	1-way	provided	provided
TRUE	FALSE	TRUE	1-way	provided	not provided
TRUE	FALSE	TRUE	1-way	not provided	provided
TRUE	FALSE	TRUE	1-way	not provided	not provided
TRUE	FALSE	FALSE	2-way	provided	provided
TRUE	FALSE	FALSE	2-way	provided	not provided
TRUE	FALSE	FALSE	2-way	not provided	provided
TRUE	FALSE	FALSE	2-way	not provided	not provided
TRUE	FALSE	FALSE	1-way	provided	provided
TRUE	FALSE	FALSE	1-way	provided	not provided
TRUE	FALSE	FALSE	1-way	not provided	provided
TRUE	FALSE	FALSE	1-way	not provided	not provided
FALSE	TRUE	TRUE	2-way	provided	provided
FALSE	TRUE	TRUE	2-way	provided	not provided
FALSE	TRUE	TRUE	2-way	not provided	provided
FALSE	TRUE	TRUE	2-way	not provided	not provided
FALSE	TRUE	TRUE	1-way	provided	provided
FALSE	TRUE	TRUE	1-way	provided	not provided
FALSE	TRUE	TRUE	1-way	not provided	provided
FALSE	TRUE	TRUE	1-way	not provided	not provided
FALSE	TRUE	FALSE	2-way	provided	provided
FALSE	TRUE	FALSE	2-way	provided	not provided
FALSE	TRUE	FALSE	2-way	not provided	provided
FALSE	TRUE	FALSE	2-way	not provided	not provided
FALSE	TRUE	FALSE	1-way	provided	provided
FALSE	TRUE	FALSE	1-way	provided	not provided
FALSE	TRUE	FALSE	1-way	not provided	provided
FALSE	TRUE	FALSE	1-way	not provided	not provided
FALSE	FALSE	TRUE	2-way	provided	provided
FALSE	FALSE	TRUE	2-way	provided	not provided
FALSE	FALSE	TRUE	2-way	not provided	provided
FALSE	FALSE	TRUE	2-way	not provided	not provided
FALSE	FALSE	TRUE	1-way	provided	provided
FALSE	FALSE	TRUE	1-way	provided	not provided
FALSE	FALSE	TRUE	1-way	not provided	provided
FALSE	FALSE	TRUE	1-way	not provided	not provided
FALSE	FALSE	FALSE	2-way	provided	provided
FALSE	FALSE	FALSE	2-way	provided	not provided
FALSE	FALSE	FALSE	2-way	not provided	provided
FALSE	FALSE	FALSE	2-way	not provided	not provided
FALSE	FALSE	FALSE	1-way	provided	provided
FALSE	FALSE	FALSE	1-way	provided	not provided
FALSE	FALSE	FALSE	1-way	not provided	provided
FALSE	FALSE	FALSE	1-way	not provided	not provided


Thanks,

Pradeep Agrawal
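
The Rules in both versions of the description above, worked through as an added example (not part of the review request and not Ranger's own db_setup.py code): it maps install.properties values to the JDBC SSL parameters and the truststore/keystore settings each rule calls for. The function names, the empty result when db_ssl_enabled is not true, and the rejection of any db_ssl_auth_type other than 1-way or 2-way are assumptions of this example.

```python
# Added example: models Rules 1-3 of the review request; not Ranger's db_setup.py.
NON_VALIDATING = "sslfactory=org.postgresql.ssl.NonValidatingFactory"
TRUST = ("javax_net_ssl_trustStore", "javax_net_ssl_trustStorePassword")
KEY = ("javax_net_ssl_keyStore", "javax_net_ssl_keyStorePassword")
# Constructed sample: the 1-way values from the Testing section.
SAMPLE = """\
db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
db_ssl_auth_type=1-way
javax_net_ssl_trustStore=/root/truststore
javax_net_ssl_trustStorePassword=secret
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def ssl_plan(props):
    """Return the JDBC SSL parameters and store settings the rules imply."""
    on = lambda k: props.get(k, "").lower() == "true"  # table uses TRUE/FALSE
    plan = {"params": [], "validates_ca": False, "jvm_args": [], "missing": []}
    if not on("db_ssl_enabled"):
        return plan  # assumption: no SSL parameters unless SSL is enabled
    plan["params"].append("ssl=true")  # rule 1
    if not (on("db_ssl_required") or on("db_ssl_verifyServerCertificate")):
        plan["params"].append(NON_VALIDATING)  # rule 2: CA validation skipped
        return plan
    plan["params"].append("sslmode=verify-ca")  # rule 3: CA validation mandatory
    plan["validates_ca"] = True
    auth = props.get("db_ssl_auth_type", "")
    if auth not in ("1-way", "2-way"):
        raise ValueError("db_ssl_auth_type must be 1-way or 2-way")  # example's choice
    for key in (TRUST + KEY if auth == "2-way" else TRUST):  # rules 3.1 / 3.2
        if props.get(key):
            plan["jvm_args"].append("-D%s=%s" % (key.replace("_", "."), props[key]))
        else:
            plan["missing"].append(key)
    return plan

def jdbc_url(base, plan):
    query = "&".join(plan["params"])
    return base + "?" + query if query else base
```

A plan with `validates_ca` false describes a connection that is encrypted but does not authenticate the Postgres server, and store passwords passed as `-D` arguments are visible in the host's process list.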