Posted to commits@ranger.apache.org by dh...@apache.org on 2022/03/22 12:31:37 UTC
[ranger] branch master updated: RANGER-3673 : Need to enable cipher configuration for Usersync
This is an automated email from the ASF dual-hosted git repository.
dhavalshah9131 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new f66c559 RANGER-3673 : Need to enable cipher configuration for Usersync
f66c559 is described below
commit f66c5593ba43d7206df3043add90e967a2f5586d
Author: Vishal Suvagia <vs...@apache.org>
AuthorDate: Tue Mar 1 14:06:10 2022 +0530
RANGER-3673 : Need to enable cipher configuration for Usersync
Issue:
Currently Ranger Usersync supports enabling TLS, but does not allow the cipher suites to be configured.
Need to provide a property to configure the same.
Changes:
Made ciphers configurable for Ranger Usersync.
---
.../authentication/UnixAuthenticationService.java | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
index 03d2302..d03f450 100644
--- a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
+++ b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
@@ -79,6 +79,7 @@ public class UnixAuthenticationService {
private String keyStorePath;
private String keyStoreType;
private List<String> enabledProtocolsList;
+ private List<String> enabledCipherSuiteList;
private String keyStorePathPassword;
private String trustStorePath;
private String trustStorePathPassword;
@@ -227,7 +228,9 @@ public class UnixAuthenticationService {
SSLEnabled = (SSLEnabledProp != null && (SSLEnabledProp.equalsIgnoreCase("true")));
String defaultEnabledProtocols = "TLSv1.2";
String enabledProtocols = prop.getProperty("ranger.usersync.https.ssl.enabled.protocols", defaultEnabledProtocols);
+ String enabledCipherSuites = prop.getProperty("ranger.usersync.https.ssl.enabled.cipher.suites", "");
enabledProtocolsList=new ArrayList<String>(Arrays.asList(enabledProtocols.toUpperCase().trim().split("\\s*,\\s*")));
+ enabledCipherSuiteList = new ArrayList<String>(Arrays.asList(enabledCipherSuites.toUpperCase().trim().split("\\s*,\\s*")));
// LOG.info("Key:" + keyStorePath);
// LOG.info("KeyPassword:" + keyStorePathPassword);
// LOG.info("TrustStore:" + trustStorePath);
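Review bot: The added `enabledCipherSuites.toUpperCase()` call uses the JVM default locale, so on a host running under a Turkish locale a lower-case `i` in a configured suite name upper-cases to a dotted `İ` and that suite can never match; `toUpperCase(Locale.ROOT)` removes the dependency (this assumes `java.util.Locale` is or can be imported, which the hunk does not show). With the default `""`, `split` returns one empty string, so `enabledCipherSuiteList` is never empty and later code cannot tell an unset property from a configured one; dropping blank entries after the split would fix that. A short comment above the property read, saying that the value is a comma-separated list of JSSE standard names and that an empty value leaves the socket's enabled suites unchanged, would help operators. The enclosing method starts and ends outside the hunk.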
@@ -321,6 +324,23 @@ public class UnixAuthenticationService {
if (!allowedProtocols.isEmpty()) {
secureSocket.setEnabledProtocols(allowedProtocols.toArray(new String[0]));
}
+ String[] enabledCipherSuites = secureSocket.getEnabledCipherSuites();
+ Set<String> allowedCipherSuites = new HashSet<String>();
+ for(String enabledCipherSuite : enabledCipherSuites) {
+ if (enabledCipherSuiteList.contains(enabledCipherSuite)) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("Enabling CipherSuite : [" + enabledCipherSuite + "]");
+ }
+ allowedCipherSuites.add(enabledCipherSuite);
+ } else {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("Disabling CipherSuite : [" + enabledCipherSuite + "]");
+ }
+ }
+ }
+ if (!allowedCipherSuites.isEmpty()) {
+ secureSocket.setEnabledCipherSuites(allowedCipherSuites.toArray(new String[0]));
+ }
}
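Review bot: If none of the configured names matches a suite in `secureSocket.getEnabledCipherSuites()`, `allowedCipherSuites` stays empty and the final `if (!allowedCipherSuites.isEmpty())` skips `setEnabledCipherSuites`, so a typo or an unsupported name silently leaves every default suite enabled, with nothing logged above DEBUG. Add an `else` that reports this when the property was actually set (an unset property currently parses to a list holding one empty string), e.g. `} else if (!(enabledCipherSuiteList.size() == 1 && enabledCipherSuiteList.get(0).isEmpty())) { LOG.warn("No configured cipher suite matched the enabled suites; socket keeps its defaults"); }`, or fail startup instead if a restrictive list is meant to be enforced. `new HashSet<String>()` also discards the order returned by `getEnabledCipherSuites()`; a `LinkedHashSet` would keep it in case suite order is honoured during negotiation. Because the filter starts from the enabled set and not the supported set, the property can only narrow the defaults, which deserves a one-line comment above the loop. The enclosing block begins outside the hunk.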