Posted to commits@oozie.apache.org by as...@apache.org on 2018/01/26 15:53:13 UTC
oozie git commit: OOZIE-3157 Setup truststore so that it also works
in HTTP only mode (kmarton via asasvari)
Repository: oozie
Updated Branches:
refs/heads/master acdf291ae -> ef6d0af5e
OOZIE-3157 Setup truststore so that it also works in HTTP only mode (kmarton via asasvari)
Project: http://git-wip-us.apache.org/repos/asf/oozie/repo
Commit: http://git-wip-us.apache.org/repos/asf/oozie/commit/ef6d0af5
Tree: http://git-wip-us.apache.org/repos/asf/oozie/tree/ef6d0af5
Diff: http://git-wip-us.apache.org/repos/asf/oozie/diff/ef6d0af5
Branch: refs/heads/master
Commit: ef6d0af5edeb18fbc0259d1962ac70f8ad7c2a0c
Parents: acdf291
Author: Attila Sasvari <as...@cloudera.com>
Authored: Fri Jan 26 16:52:56 2018 +0100
Committer: Attila Sasvari <as...@cloudera.com>
Committed: Fri Jan 26 16:52:56 2018 +0100
----------------------------------------------------------------------
core/src/main/resources/oozie-default.xml | 8 -----
docs/src/site/twiki/AG_Install.twiki | 6 ++--
docs/src/site/twiki/DG_QuickStart.twiki | 5 +++
release-log.txt | 1 +
.../oozie/server/EmbeddedOozieServer.java | 18 +++++++++++
.../oozie/server/SSLServerConnectorFactory.java | 19 +-----------
.../oozie/server/TestEmbeddedOozieServer.java | 32 +++++++++++++++++++-
.../server/TestSSLServerConnectorFactory.java | 6 ----
8 files changed, 60 insertions(+), 35 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/oozie/blob/ef6d0af5/core/src/main/resources/oozie-default.xml
----------------------------------------------------------------------
diff --git a/core/src/main/resources/oozie-default.xml b/core/src/main/resources/oozie-default.xml
index 5b5e34f..e53b17b 100644
--- a/core/src/main/resources/oozie-default.xml
+++ b/core/src/main/resources/oozie-default.xml
@@ -2645,14 +2645,6 @@ will be the requeue interval for the actions which are waiting for a long time w
</property>
<property>
- <name>oozie.https.truststore.pass</name>
- <value></value>
- <description>
- Password to the TrustStore.
- </description>
- </property>
-
- <property>
<name>oozie.https.keystore.file</name>
<value></value>
<description>
http://git-wip-us.apache.org/repos/asf/oozie/blob/ef6d0af5/docs/src/site/twiki/AG_Install.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/AG_Install.twiki b/docs/src/site/twiki/AG_Install.twiki
index 8f331e4..1504215 100644
--- a/docs/src/site/twiki/AG_Install.twiki
+++ b/docs/src/site/twiki/AG_Install.twiki
@@ -763,8 +763,10 @@ The keystore file will be named =.keystore= and located in the Oozie user's home
2. Configure settings necessary for enabling SSL/TLS support in =oozie-site.xml=.
2a. Set =oozie.https.enabled= to =true=. To revert back to HTTP, set =oozie.https.enabled= to =false=.
-2b. Set location and password for both the keystore and truststore by setting =oozie.https.keystore.file=,
-=oozie.https.keystore.pass=, =oozie.https.truststore.file= and =oozie.https.truststore.pass=.
+2b. Set location and password for the keystore and location for truststore by setting =oozie.https.keystore.file=,
+=oozie.https.keystore.pass=, =oozie.https.truststore.file=.
+
+*Note:* =oozie.https.truststore.file= can be overridden by setting =javax.net.ssl.trustStore= system property.
The default HTTPS port Oozie listens on for secure connections is 11443; it can be changed via =oozie.https.port=.
http://git-wip-us.apache.org/repos/asf/oozie/blob/ef6d0af5/docs/src/site/twiki/DG_QuickStart.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/DG_QuickStart.twiki b/docs/src/site/twiki/DG_QuickStart.twiki
index 08b574f..e3bdf32 100644
--- a/docs/src/site/twiki/DG_QuickStart.twiki
+++ b/docs/src/site/twiki/DG_QuickStart.twiki
@@ -146,6 +146,11 @@ $ bin/oozie-setup.sh sharelib create -fs <FS_URI> [-locallib <PATH>]
db create|upgrade|postupgrade -run [-sqlfile <FILE>]
</verbatim>
+*IMPORTANT*: If the Oozie server needs to establish secure connection with an external server with a self-signed certificate,
+make sure you specify the location of a truststore that contains required certificates. It can be done by configuring
+=oozie.https.truststore.file= in =oozie-site.xml=, or by setting the =javax.net.ssl.trustStore= system property.
+If it is set in both places, the value passed as system property will be used.
+
The =-secure= option will configure Oozie to use HTTP (SSL); refer to
[[AG_Install#Setting_Up_Oozie_with_HTTPS_SSL][Setting Up Oozie with HTTPS (SSL)]] for more details.
http://git-wip-us.apache.org/repos/asf/oozie/blob/ef6d0af5/release-log.txt
----------------------------------------------------------------------
diff --git a/release-log.txt b/release-log.txt
index 7e42c7f..59c4d9b 100644
--- a/release-log.txt
+++ b/release-log.txt
@@ -1,5 +1,6 @@
-- Oozie 5.0.0 release (trunk - unreleased)
+OOZIE-3157 Setup truststore so that it also works in HTTP only mode (kmarton via asasvari)
OOZIE-3166 Remove tomcat alias from AG_Install.twiki: To use a Self-Signed Certificate part (kmarton via andras.piros)
OOZIE-2775 Oozie server does not stop if there is an exception during service initalization at startup (asasvari)
OOZIE-3145 >git status< should be clean after >mvn test< was called (kmarton via gezapeti)
http://git-wip-us.apache.org/repos/asf/oozie/blob/ef6d0af5/server/src/main/java/org/apache/oozie/server/EmbeddedOozieServer.java
----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/oozie/server/EmbeddedOozieServer.java b/server/src/main/java/org/apache/oozie/server/EmbeddedOozieServer.java
index a0c27b8..e2bb730 100644
--- a/server/src/main/java/org/apache/oozie/server/EmbeddedOozieServer.java
+++ b/server/src/main/java/org/apache/oozie/server/EmbeddedOozieServer.java
@@ -51,6 +51,8 @@ import java.net.URISyntaxException;
*/
public class EmbeddedOozieServer {
private static final Logger LOG = LoggerFactory.getLogger(EmbeddedOozieServer.class);
+ protected static final String OOZIE_HTTPS_TRUSTSTORE_FILE = "oozie.https.truststore.file";
+ protected static final String TRUSTSTORE_PATH_SYSTEM_PROPERTY = "javax.net.ssl.trustStore";
private static String contextPath;
protected Server server;
private int httpPort;
@@ -119,6 +121,7 @@ public class EmbeddedOozieServer {
connector.setHost(conf.get(ConfigUtils.OOZIE_HTTP_HOSTNAME));
HandlerCollection handlerCollection = new HandlerCollection();
+ setTrustStore();
if (isSecured()) {
httpsPort = getConfigPort(ConfigUtils.OOZIE_HTTPS_PORT);
@@ -145,6 +148,21 @@ public class EmbeddedOozieServer {
server.setHandler(handlerCollection);
}
+ /**
+ * set the truststore path from the config file, if is not set by the user
+ */
+ private void setTrustStore() {
+ if (System.getProperty(TRUSTSTORE_PATH_SYSTEM_PROPERTY) == null) {
+ final String trustStorePath = conf.get(OOZIE_HTTPS_TRUSTSTORE_FILE);
+ if (trustStorePath != null) {
+ LOG.info("Setting javax.net.ssl.trustStore from config file");
+ System.setProperty(TRUSTSTORE_PATH_SYSTEM_PROPERTY, trustStorePath);
+ }
+ } else {
+ LOG.info("javax.net.ssl.trustStore is already set. The value from config file will be ignored");
+ }
+ }
+
private void addErrorHandler() {
ErrorPageErrorHandler errorHandler = new ErrorPageErrorHandler();
errorHandler.addErrorPage(HttpServletResponse.SC_BAD_REQUEST, "/error");
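Review bot: `setTrustStore()` (lines 122-132) pushes whatever `conf.get(OOZIE_HTTPS_TRUSTSTORE_FILE)` returns into `javax.net.ssl.trustStore` without checking that it is non-blank or readable; oozie-default.xml ships these `https` properties with an empty `<value></value>` (see the keystore.file entry in the first hunk), and the `Preconditions.checkNotNull` in SSLServerConnectorFactory that this commit deletes was the only validation. As far as I know the JDK's default SSL context silently falls back to its built-in cacerts when the named file cannot be read, so a typo or an empty value would not fail startup but would quietly trust a different store than the operator configured. I would skip blank values and at least log a warning when the file is not readable, as below (the readability check uses `java.io.File`, which may need an import; `java.nio.file.Files.isReadable` works too). The call site in the second hunk (`setTrustStore();` before `isSecured()`) mutates a JVM-global property unconditionally, so a comment there such as `// JVM-global: must run before any TLS client in this process initialises the default SSLContext` would help the next reader. The rewrite keeps the existing log messages and the early return when the property is already set, so the `never()` verification in TestEmbeddedOozieServer still holds.
```java
private void setTrustStore() {
    if (System.getProperty(TRUSTSTORE_PATH_SYSTEM_PROPERTY) != null) {
        LOG.info("javax.net.ssl.trustStore is already set. The value from config file will be ignored");
        return;
    }
    final String trustStorePath = conf.get(OOZIE_HTTPS_TRUSTSTORE_FILE);
    if (trustStorePath == null || trustStorePath.trim().isEmpty()) {
        LOG.info("No truststore configured in {}; the JDK default truststore will be used", OOZIE_HTTPS_TRUSTSTORE_FILE);
        return;
    }
    if (!new File(trustStorePath).canRead()) {
        LOG.warn("Configured truststore {} is not readable; the JDK default truststore may be used instead", trustStorePath);
    }
    LOG.info("Setting javax.net.ssl.trustStore from config file");
    System.setProperty(TRUSTSTORE_PATH_SYSTEM_PROPERTY, trustStorePath);
}
```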
http://git-wip-us.apache.org/repos/asf/oozie/blob/ef6d0af5/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java b/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
index 0b024e8..466cefc 100644
--- a/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
+++ b/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
@@ -41,8 +41,6 @@ import java.util.Arrays;
*/
class SSLServerConnectorFactory {
private static final Logger LOG = LoggerFactory.getLogger(SSLServerConnectorFactory.class);
- public static final String OOZIE_HTTPS_TRUSTSTORE_FILE = "oozie.https.truststore.file";
- public static final String OOZIE_HTTPS_TRUSTSTORE_PASS = "oozie.https.truststore.pass";
public static final String OOZIE_HTTPS_KEYSTORE_PASS = "oozie.https.keystore.pass";
public static final String OOZIE_HTTPS_KEYSTORE_FILE = "oozie.https.keystore.file";
public static final String OOZIE_HTTPS_EXCLUDE_PROTOCOLS = "oozie.https.exclude.protocols";
@@ -79,9 +77,6 @@ class SSLServerConnectorFactory {
setIncludeCipherSuites();
setExludeCipherSuites();
- setTrustStorePath();
- setTrustStorePass();
-
setKeyStoreFile();
setKeystorePass();
@@ -134,20 +129,8 @@ class SSLServerConnectorFactory {
LOG.info(String.format("SSL context - excluding protocols: %s", Arrays.toString(excludedProtocols)));
}
- private void setTrustStorePath() {
- String trustStorePath = conf.get(OOZIE_HTTPS_TRUSTSTORE_FILE);
- Preconditions.checkNotNull(trustStorePath, "trustStorePath is null");
- sslContextFactory.setTrustStorePath(trustStorePath);
- }
-
- private void setTrustStorePass() {
- String trustStorePass = ConfigurationService.getPassword(conf, OOZIE_HTTPS_TRUSTSTORE_PASS).trim();
- Preconditions.checkNotNull(trustStorePass, "setTrustStorePass is null");
- sslContextFactory.setTrustStorePassword(trustStorePass);
- }
-
private void setKeystorePass() {
- String keystorePass = ConfigurationService.getPassword(conf, OOZIE_HTTPS_KEYSTORE_PASS).trim();
+ String keystorePass = ConfigurationService.getPassword(conf, OOZIE_HTTPS_KEYSTORE_PASS);
Preconditions.checkNotNull(keystorePass, "keystorePass is null");
sslContextFactory.setKeyManagerPassword(keystorePass);
}
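Review bot: Dropping `.trim()` from `setKeystorePass()` (lines 176-177) changes how a keystore password with surrounding whitespace is handled, and neither the commit title nor the release-log entry mentions it; an operator whose password file or credential-provider entry ends in a newline would have worked before and may fail the Jetty keystore load now. The old form was also in the wrong order, since `.trim()` on a null password throws NPE before `Preconditions.checkNotNull` can report `keystorePass is null`, so if trimming is still intended it belongs after the null check: `String keystorePass = Preconditions.checkNotNull(ConfigurationService.getPassword(conf, OOZIE_HTTPS_KEYSTORE_PASS), "keystorePass is null").trim();`. Either way a one-line comment stating whether whitespace in the password is significant would stop the next reader from re-adding or re-removing it. Separately, with `setTrustStorePath()` gone the HTTPS connector's SslContextFactory no longer receives a truststore; as far as I recall Jetty then uses the keystore as the truststore, which only matters if client-certificate authentication is enabled on this connector, and that is not visible in the hunk.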
http://git-wip-us.apache.org/repos/asf/oozie/blob/ef6d0af5/server/src/test/java/org/apache/oozie/server/TestEmbeddedOozieServer.java
----------------------------------------------------------------------
diff --git a/server/src/test/java/org/apache/oozie/server/TestEmbeddedOozieServer.java b/server/src/test/java/org/apache/oozie/server/TestEmbeddedOozieServer.java
index b72247e..58543e6 100644
--- a/server/src/test/java/org/apache/oozie/server/TestEmbeddedOozieServer.java
+++ b/server/src/test/java/org/apache/oozie/server/TestEmbeddedOozieServer.java
@@ -31,6 +31,7 @@ import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.webapp.WebAppContext;
import org.junit.After;
+import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
@@ -47,6 +48,7 @@ import static org.mockito.Matchers.anyObject;
import static org.mockito.Matchers.isA;
import static org.mockito.Mockito.doNothing;
import static org.mockito.Mockito.doReturn;
+import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoMoreInteractions;
@@ -69,8 +71,10 @@ public class TestEmbeddedOozieServer {
@Mock private FilterMapper oozieFilterMapper;
@Mock private ConstraintSecurityHandler constraintSecurityHandler;
private EmbeddedOozieServer embeddedOozieServer;
+ private String confTruststoreFile = "oozie.truststore";
- @Before public void setUp() {
+
+ @Before public void setUp() throws IOException {
embeddedOozieServer = new EmbeddedOozieServer(mockServer, mockJspHandler, mockServices, mockSSLServerConnectorFactory,
mockOozieRewriteHandler, servletContextHandler, oozieServletMapper, oozieFilterMapper, constraintSecurityHandler);
@@ -87,9 +91,13 @@ public class TestEmbeddedOozieServer {
doReturn(new Handler[0]).when(mockOozieRewriteHandler).getChildHandlers();
doReturn(new Handler[0]).when(servletContextHandler).getChildHandlers();
doReturn(new Handler[0]).when(constraintSecurityHandler).getChildHandlers();
+ doReturn(confTruststoreFile).when(mockConfiguration).get(EmbeddedOozieServer.OOZIE_HTTPS_TRUSTSTORE_FILE);
+ System.clearProperty(EmbeddedOozieServer.TRUSTSTORE_PATH_SYSTEM_PROPERTY);
}
@After public void tearDown() {
+ System.clearProperty(EmbeddedOozieServer.TRUSTSTORE_PATH_SYSTEM_PROPERTY);
+
verify(mockServices).get(ConfigurationService.class);
verifyNoMoreInteractions(
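Review bot: Both `setUp()` and `tearDown()` now call `System.clearProperty(EmbeddedOozieServer.TRUSTSTORE_PATH_SYSTEM_PROPERTY)` (lines 217 and 220), which destroys any `javax.net.ssl.trustStore` the test JVM was started with instead of restoring it, so a build that hands a truststore to the forked test JVM would silently lose it for every test that runs later in the same JVM. Saving the previous value in `setUp()` and restoring it in `tearDown()` keeps the isolation this test needs without leaking the side effect: `previousTrustStore = System.getProperty(EmbeddedOozieServer.TRUSTSTORE_PATH_SYSTEM_PROPERTY);` before the clear in `setUp()`, and `if (previousTrustStore == null) System.clearProperty(EmbeddedOozieServer.TRUSTSTORE_PATH_SYSTEM_PROPERTY); else System.setProperty(EmbeddedOozieServer.TRUSTSTORE_PATH_SYSTEM_PROPERTY, previousTrustStore);` in place of the clear in `tearDown()`, with `private String previousTrustStore;` as a field. Both methods start or end outside this hunk.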
@@ -105,8 +113,29 @@ public class TestEmbeddedOozieServer {
embeddedOozieServer.setup();
verify(mockJspHandler).setupWebAppContext(isA(WebAppContext.class));
+
+ // trustore parameters will have to be set even in case of an insecure setup
+ Assert.assertEquals(confTruststoreFile, System.getProperty("javax.net.ssl.trustStore"));
}
+ /**
+ * test case for when the trustore path is set via system property
+ * expected result: the path is used from the system property and the value is not even retrieved from the config file
+ */
+ @Test
+ public void testServerSetupTruststorePathSetViaSystemProperty() throws Exception {
+ final String truststorePath2 = "truststore.jks";
+ doReturn(String.valueOf(false)).when(mockConfiguration).get("oozie.https.enabled");
+ System.setProperty(EmbeddedOozieServer.TRUSTSTORE_PATH_SYSTEM_PROPERTY, truststorePath2);
+
+ embeddedOozieServer.setup();
+ verify(mockJspHandler).setupWebAppContext(isA(WebAppContext.class));
+
+ Assert.assertEquals(truststorePath2, System.getProperty("javax.net.ssl.trustStore"));
+ verify(mockConfiguration, never()).get(EmbeddedOozieServer.OOZIE_HTTPS_TRUSTSTORE_FILE);
+ }
+
+
@Test
public void testSecureServerSetup() throws Exception {
doReturn("true").when(mockConfiguration).get("oozie.https.enabled");
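Review bot: The assertions at lines 229 and 244 (and 256 in the next hunk) compare against the literal `"javax.net.ssl.trustStore"` while the same test reads and clears the property through `EmbeddedOozieServer.TRUSTSTORE_PATH_SYSTEM_PROPERTY` (lines 217, 239); using the constant everywhere keeps the assertion tied to what the server actually sets, e.g. `Assert.assertEquals(truststorePath2, System.getProperty(EmbeddedOozieServer.TRUSTSTORE_PATH_SYSTEM_PROPERTY));`. `confTruststoreFile` in the earlier hunk is never reassigned and is shared by every test, so `private static final String CONF_TRUSTSTORE_FILE = "oozie.truststore";` would fit the usual constant style. The comment at line 228 and the Javadoc at line 232 misspell truststore (`trustore`); `// truststore parameters must be set even for an insecure (HTTP-only) setup` reads more clearly. The two blank lines at 247-248 before `@Test` can be one.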
@@ -121,6 +150,7 @@ public class TestEmbeddedOozieServer {
verify(mockJspHandler).setupWebAppContext(isA(WebAppContext.class));
verify(mockSSLServerConnectorFactory).createSecureServerConnector(
isA(Integer.class), isA(Configuration.class), isA(Server.class));
+ Assert.assertEquals(confTruststoreFile, System.getProperty("javax.net.ssl.trustStore"));
}
@Test(expected=NumberFormatException.class)
http://git-wip-us.apache.org/repos/asf/oozie/blob/ef6d0af5/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
----------------------------------------------------------------------
diff --git a/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java b/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
index 2b48f7f..f926a09 100644
--- a/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
+++ b/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
@@ -39,8 +39,6 @@ import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_INCL
import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_INCLUDE_PROTOCOLS;
import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_KEYSTORE_FILE;
import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_KEYSTORE_PASS;
-import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_TRUSTSTORE_FILE;
-import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_TRUSTSTORE_PASS;
import static org.apache.oozie.util.ConfigUtils.OOZIE_HTTP_PORT;
import static org.mockito.Matchers.anyString;
import static org.mockito.Mockito.never;
@@ -62,8 +60,6 @@ public class TestSSLServerConnectorFactory {
@Before public void setUp() {
testConfig = new Configuration();
- testConfig.set(OOZIE_HTTPS_TRUSTSTORE_FILE, "test_truststore_file");
- testConfig.set(OOZIE_HTTPS_TRUSTSTORE_PASS, "trustpass");
testConfig.set(OOZIE_HTTPS_KEYSTORE_FILE, "test_keystore_file");
testConfig.set(OOZIE_HTTPS_KEYSTORE_PASS, "keypass");
testConfig.set(OOZIE_HTTP_PORT, "11000");
@@ -81,8 +77,6 @@ public class TestSSLServerConnectorFactory {
@After
public void tearDown() {
- verify(mockSSLContextFactory).setTrustStorePath(anyString());
- verify(mockSSLContextFactory).setTrustStorePassword(anyString());
verify(mockSSLContextFactory).setKeyStorePath(anyString());
verify(mockSSLContextFactory).setKeyManagerPassword(anyString());
verifyNoMoreInteractions(