Posted to commits@oozie.apache.org by ab...@apache.org on 2017/01/10 04:21:26 UTC
oozie git commit: OOZIE-2756 Extend HTTPS configuration settings for
embedded Jetty (asasvari via abhishekbafna)
Repository: oozie
Updated Branches:
refs/heads/master 4cec1ad34 -> d9a4d3f69
OOZIE-2756 Extend HTTPS configuration settings for embedded Jetty (asasvari via abhishekbafna)
Project: http://git-wip-us.apache.org/repos/asf/oozie/repo
Commit: http://git-wip-us.apache.org/repos/asf/oozie/commit/d9a4d3f6
Tree: http://git-wip-us.apache.org/repos/asf/oozie/tree/d9a4d3f6
Diff: http://git-wip-us.apache.org/repos/asf/oozie/diff/d9a4d3f6
Branch: refs/heads/master
Commit: d9a4d3f69cd96ec7287f452190a1d181ead4ec89
Parents: 4cec1ad
Author: abhisek bafna <ab...@hortonworks.com>
Authored: Tue Jan 10 09:50:23 2017 +0530
Committer: abhisek bafna <ab...@hortonworks.com>
Committed: Tue Jan 10 09:50:23 2017 +0530
----------------------------------------------------------------------
core/src/main/resources/oozie-default.xml | 20 ++++-
.../oozie/service/TestConfigurationService.java | 10 +++
release-log.txt | 1 +
.../oozie/server/SSLServerConnectorFactory.java | 38 ++++++++-
.../server/TestSSLServerConnectorFactory.java | 86 ++++++++++++--------
5 files changed, 113 insertions(+), 42 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/oozie/blob/d9a4d3f6/core/src/main/resources/oozie-default.xml
----------------------------------------------------------------------
diff --git a/core/src/main/resources/oozie-default.xml b/core/src/main/resources/oozie-default.xml
index 2d7650a..943f9bc 100644
--- a/core/src/main/resources/oozie-default.xml
+++ b/core/src/main/resources/oozie-default.xml
@@ -2537,7 +2537,7 @@ will be the requeue interval for the actions which are waiting for a long time w
<property>
<name>oozie.https.truststore.file</name>
- <value>custom.truststore</value>
+ <value></value>
<description>
Path to a TrustStore file.
</description>
@@ -2545,7 +2545,7 @@ will be the requeue interval for the actions which are waiting for a long time w
<property>
<name>oozie.https.truststore.pass</name>
- <value>cloudera</value>
+ <value></value>
<description>
Password to the TrustStore.
</description>
@@ -2576,6 +2576,22 @@ will be the requeue interval for the actions which are waiting for a long time w
</property>
<property>
+ <name>oozie.https.exclude.protocols</name>
+ <value></value>
+ <description>
+ Disabled TLS protocols.
+ </description>
+ </property>
+
+ <property>
+ <name>oozie.https.include.cipher.suites</name>
+ <value></value>
+ <description>
+ List of Cipher suites to include.
+ </description>
+ </property>
+
+ <property>
<name>oozie.https.exclude.cipher.suites</name>
<value>TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5</value>
<description>
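Review bot: The description of the new `oozie.https.exclude.protocols` property does not say the value is a comma-separated list (the server splits it on ',') nor how it interacts with `oozie.https.include.protocols`, which an operator hardening the listener needs to know; suggest `Comma-separated list of TLS protocols to disable. An entry listed here is removed even if it also appears in oozie.https.include.protocols (Jetty applies exclusions after inclusions).` The same applies to `oozie.https.include.cipher.suites`, whose text `List of Cipher suites to include.` could read `Comma-separated list of cipher suites to enable. Leave empty to keep the JVM/Jetty default selection, minus oozie.https.exclude.cipher.suites.`, which matches the server code's behaviour of skipping the setting when it is empty.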
http://git-wip-us.apache.org/repos/asf/oozie/blob/d9a4d3f6/core/src/test/java/org/apache/oozie/service/TestConfigurationService.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/oozie/service/TestConfigurationService.java b/core/src/test/java/org/apache/oozie/service/TestConfigurationService.java
index f18a8c0..42ffdbe 100644
--- a/core/src/test/java/org/apache/oozie/service/TestConfigurationService.java
+++ b/core/src/test/java/org/apache/oozie/service/TestConfigurationService.java
@@ -276,6 +276,16 @@ public class TestConfigurationService extends XTestCase {
assertEquals(5000, ConfigurationService.getInt(SLAService.CONF_CAPACITY));
assertEquals(11000, ConfigurationService.getInt("oozie.http.port"));
assertEquals(11443, ConfigurationService.getInt("oozie.https.port"));
+ assertFalse(ConfigurationService.getBoolean("oozie.https.enabled"));
+ assertEquals(65536, ConfigurationService.getInt("oozie.http.response.header.size"));
+ assertEquals(65536, ConfigurationService.getInt("oozie.http.request.header.size"));
+ assertEquals("TLSv1,SSLv2Hello,TLSv1.1,TLSv1.2", ConfigurationService.get("oozie.https.include.protocols"));
+ assertEquals("", ConfigurationService.get("oozie.https.exclude.protocols"));
+ assertEquals("", ConfigurationService.get("oozie.https.include.cipher.suites"));
+ assertEquals("TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA," +
+ "SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA," +
+ "SSL_RSA_WITH_RC4_128_MD5", ConfigurationService.get("oozie.https.exclude.cipher.suites"));
+ assertEquals(150, ConfigurationService.getInt("oozie.server.threadpool.max.threads"));
cl.destroy();
}
http://git-wip-us.apache.org/repos/asf/oozie/blob/d9a4d3f6/release-log.txt
----------------------------------------------------------------------
diff --git a/release-log.txt b/release-log.txt
index 577e071..21cc717 100644
--- a/release-log.txt
+++ b/release-log.txt
@@ -1,5 +1,6 @@
-- Oozie 4.4.0 release (trunk - unreleased)
+OOZIE-2756 Extend HTTPS configuration settings for embedded Jetty (asasvari via abhishekbafna)
OOZIE-2727 OozieDBCLI creates temporary directories and do not delete them (gezapeti via rkanter)
OOZIE-2728 Typo in Error E0405 (gezapeti via rkanter)
OOZIE-2748 NPE in LauncherMapper.printArgs() (pbacsko via rkanter)
http://git-wip-us.apache.org/repos/asf/oozie/blob/d9a4d3f6/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java b/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
index 2797cf4..1ab0ec4 100644
--- a/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
+++ b/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
@@ -44,6 +44,10 @@ class SSLServerConnectorFactory {
public static final String OOZIE_HTTPS_TRUSTSTORE_PASS = "oozie.https.truststore.pass";
public static final String OOZIE_HTTPS_KEYSTORE_PASS = "oozie.https.keystore.pass";
public static final String OOZIE_HTTPS_KEYSTORE_FILE = "oozie.https.keystore.file";
+ public static final String OOZIE_HTTPS_EXCLUDE_PROTOCOLS = "oozie.https.exclude.protocols";
+ public static final String OOZIE_HTTPS_INCLUDE_PROTOCOLS = "oozie.https.include.protocols";
+ public static final String OOZIE_HTTPS_INCLUDE_CIPHER_SUITES = "oozie.https.include.cipher.suites";
+ public static final String OOZIE_HTTPS_EXCLUDE_CIPHER_SUITES = "oozie.https.exclude.cipher.suites";
private SslContextFactory sslContextFactory;
private Configuration conf;
@@ -69,7 +73,11 @@ class SSLServerConnectorFactory {
String.format("Invalid port number specified: \'%d\'. It should be between 1 and 65535.", oozieHttpsPort));
setIncludeProtocols();
- setCipherSuites();
+ setExcludeProtocols();
+
+ setIncludeCipherSuites();
+ setExludeCipherSuites();
+
setTrustStorePath();
setTrustStorePass();
@@ -87,22 +95,44 @@ class SSLServerConnectorFactory {
return secureServerConnector;
}
- private void setCipherSuites() {
- String excludeCipherList = conf.get("oozie.https.exclude.cipher.suites");
+ private void setExludeCipherSuites() {
+ String excludeCipherList = conf.get(OOZIE_HTTPS_EXCLUDE_CIPHER_SUITES);
String[] excludeCipherSuites = excludeCipherList.split(",");
sslContextFactory.setExcludeCipherSuites(excludeCipherSuites);
LOG.info(String.format("SSL context - excluding cipher suites: %s", Arrays.toString(excludeCipherSuites)));
}
+ private void setIncludeCipherSuites() {
+ String includeCipherList = conf.get(OOZIE_HTTPS_INCLUDE_CIPHER_SUITES);
+ if (includeCipherList == null || includeCipherList.isEmpty()) {
+ return;
+ }
+
+ String[] includeCipherSuites = includeCipherList.split(",");
+ sslContextFactory.setIncludeCipherSuites(includeCipherSuites);
+
+ LOG.info(String.format("SSL context - including cipher suites: %s", Arrays.toString(includeCipherSuites)));
+ }
+
private void setIncludeProtocols() {
- String enabledProtocolsList = conf.get("oozie.https.include.protocols");
+ String enabledProtocolsList = conf.get(OOZIE_HTTPS_INCLUDE_PROTOCOLS);
String[] enabledProtocols = enabledProtocolsList.split(",");
sslContextFactory.setIncludeProtocols(enabledProtocols);
LOG.info(String.format("SSL context - including protocols: %s", Arrays.toString(enabledProtocols)));
}
+ private void setExcludeProtocols() {
+ String excludedProtocolsList = conf.get(OOZIE_HTTPS_EXCLUDE_PROTOCOLS);
+ if (excludedProtocolsList == null || excludedProtocolsList.isEmpty()) {
+ return;
+ }
+ String[] excludedProtocols = excludedProtocolsList.split(",");
+ sslContextFactory.setExcludeProtocols(excludedProtocols);
+ LOG.info(String.format("SSL context - excluding protocols: %s", Arrays.toString(excludedProtocols)));
+ }
+
private void setTrustStorePath() {
String trustStorePath = conf.get(OOZIE_HTTPS_TRUSTSTORE_FILE);
Preconditions.checkNotNull(trustStorePath, "trustStorePath is null");
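Review bot: `setExludeCipherSuites` is misspelled (missing the 'c', also at its call site in the previous hunk), and it and `setIncludeProtocols` still call `split(",")` directly on `conf.get(...)`, which throws NullPointerException when the key is absent, whereas the two new siblings `setIncludeCipherSuites` and `setExcludeProtocols` guard null and empty. A stray space around a comma in the configured list also produces an entry such as `" SSL_RSA_WITH_DES_CBC_SHA"` that Jetty will never match, so an intended exclusion silently fails to apply; Hadoop's `conf.getTrimmedStrings(OOZIE_HTTPS_EXCLUDE_CIPHER_SUITES)` (empty array for a null or empty value) fixes both issues in one line, e.g. `String[] excludeCipherSuites = conf.getTrimmedStrings(OOZIE_HTTPS_EXCLUDE_CIPHER_SUITES);`, and the same trimming belongs in the protocol setters. Since oozie-default.xml now ships `oozie.https.truststore.file` as an empty value, the `checkNotNull` at the end of this hunk no longer rejects the unset case and an empty path reaches Jetty; an explicit `isEmpty()` check with a clear message is worth adding. The body of `setTrustStorePath` continues past the end of the hunk.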
http://git-wip-us.apache.org/repos/asf/oozie/blob/d9a4d3f6/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
----------------------------------------------------------------------
diff --git a/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java b/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
index 9634da8..da1a246 100644
--- a/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
+++ b/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
@@ -22,6 +22,7 @@ import org.apache.hadoop.conf.Configuration;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;
+
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
@@ -29,7 +30,19 @@ import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
+import static org.apache.oozie.server.HttpConfigurationWrapper.OOZIE_HTTP_REQUEST_HEADER_SIZE;
+import static org.apache.oozie.server.HttpConfigurationWrapper.OOZIE_HTTP_RESPONSE_HEADER_SIZE;
+import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_EXCLUDE_CIPHER_SUITES;
+import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_EXCLUDE_PROTOCOLS;
+import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_INCLUDE_CIPHER_SUITES;
+import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_INCLUDE_PROTOCOLS;
+import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_KEYSTORE_FILE;
+import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_KEYSTORE_PASS;
+import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_TRUSTSTORE_FILE;
+import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_TRUSTSTORE_PASS;
+import static org.apache.oozie.util.ConfigUtils.OOZIE_HTTP_PORT;
import static org.mockito.Matchers.anyString;
+import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoMoreInteractions;
@@ -48,19 +61,20 @@ public class TestSSLServerConnectorFactory {
@Before public void setUp() {
testConfig = new Configuration();
- testConfig.set("oozie.https.truststore.file", "test_truststore_file");
- testConfig.set("oozie.https.truststore.pass", "trustpass");
- testConfig.set("oozie.https.keystore.file", "test_keystore_file");
- testConfig.set("oozie.https.keystore.pass", "keypass");
- testConfig.set("oozie.http.port", "11000");
- testConfig.set("oozie.http.request.header.size", "65536");
- testConfig.set("oozie.http.response.header.size", "65536");
- testConfig.set("oozie.https.include.protocols", "TLSv1,SSLv2Hello,TLSv1.1,TLSv1.2");
- testConfig.set("oozie.https.exclude.cipher.suites",
+ testConfig.set(OOZIE_HTTPS_TRUSTSTORE_FILE, "test_truststore_file");
+ testConfig.set(OOZIE_HTTPS_TRUSTSTORE_PASS, "trustpass");
+ testConfig.set(OOZIE_HTTPS_KEYSTORE_FILE, "test_keystore_file");
+ testConfig.set(OOZIE_HTTPS_KEYSTORE_PASS, "keypass");
+ testConfig.set(OOZIE_HTTP_PORT, "11000");
+ testConfig.set(OOZIE_HTTP_REQUEST_HEADER_SIZE, "65536");
+ testConfig.set(OOZIE_HTTP_RESPONSE_HEADER_SIZE, "65536");
+ testConfig.set(OOZIE_HTTPS_INCLUDE_PROTOCOLS, "TLSv1,SSLv2Hello,TLSv1.1,TLSv1.2");
+ testConfig.set(OOZIE_HTTPS_EXCLUDE_PROTOCOLS, "");
+ testConfig.set(OOZIE_HTTPS_EXCLUDE_CIPHER_SUITES,
"TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA," +
"SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA," +
"SSL_RSA_WITH_RC4_128_MD5");
-
+ testConfig.set(OOZIE_HTTPS_INCLUDE_CIPHER_SUITES, "");
sslServerConnectorFactory = new SSLServerConnectorFactory(mockSSLContextFactory);
}
@@ -75,56 +89,57 @@ public class TestSSLServerConnectorFactory {
mockSSLServerConnectorFactory);
}
- private void verifyDefaultExcludeCipherSuites() {
- verify(mockSSLContextFactory).setExcludeCipherSuites(
- "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
- "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
- "SSL_RSA_WITH_DES_CBC_SHA",
- "SSL_DHE_RSA_WITH_DES_CBC_SHA",
- "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
- "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
- "SSL_RSA_WITH_RC4_128_MD5");
- }
+ @Test
+ public void includeProtocolsCanBeSetViaConfig() throws Exception {
+ SSLServerConnectorFactory sslServerConnectorFactory = new SSLServerConnectorFactory(mockSSLContextFactory);
+ testConfig.set(OOZIE_HTTPS_INCLUDE_PROTOCOLS, "TLSv1,TLSv1.2");
+ sslServerConnectorFactory.createSecureServerConnector(42, testConfig, mockServer);
- private void verifyDefaultIncludeProtocols() {
verify(mockSSLContextFactory).setIncludeProtocols(
"TLSv1",
- "SSLv2Hello",
- "TLSv1.1",
"TLSv1.2");
}
@Test
- public void includeProtocolsHaveDefaultValues() throws Exception {
+ public void emptyExcludeProtocolsAreNotSet() throws Exception {
sslServerConnectorFactory.createSecureServerConnector(42, testConfig, mockServer);
-
- verifyDefaultIncludeProtocols();
- verifyDefaultExcludeCipherSuites();
+ verify(mockSSLContextFactory, never()).setExcludeProtocols(anyString());
}
@Test
- public void includeProtocolsCanBeSetViaConfigFile() throws Exception {
+ public void excludeProtocolsCanBeSetViaConfig() throws Exception {
SSLServerConnectorFactory sslServerConnectorFactory = new SSLServerConnectorFactory(mockSSLContextFactory);
- testConfig.set("oozie.https.include.protocols", "TLSv1,TLSv1.2");
+ testConfig.set(OOZIE_HTTPS_INCLUDE_PROTOCOLS, "TLSv1,TLSv1.2");
+ testConfig.set(OOZIE_HTTPS_EXCLUDE_PROTOCOLS, "TLSv1");
sslServerConnectorFactory.createSecureServerConnector(42, testConfig, mockServer);
verify(mockSSLContextFactory).setIncludeProtocols(
"TLSv1",
"TLSv1.2");
+
+ verify(mockSSLContextFactory).setExcludeProtocols(
+ "TLSv1");
}
@Test
- public void excludeCipherSuitesHaveDefaultValues() throws Exception {
+ public void emptyIncludeCipherSuitesAreNotSet() throws Exception {
sslServerConnectorFactory.createSecureServerConnector(42, testConfig, mockServer);
+ verify(mockSSLContextFactory, never()).setIncludeCipherSuites(anyString());
+ }
- verifyDefaultExcludeCipherSuites();
- verifyDefaultIncludeProtocols();
+ @Test
+ public void includeCipherSuitesCanBeSetViaConfig() throws Exception {
+ testConfig.set(OOZIE_HTTPS_INCLUDE_CIPHER_SUITES, "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA");
+
+ sslServerConnectorFactory.createSecureServerConnector(42, testConfig, mockServer);
+ verify(mockSSLContextFactory).setIncludeCipherSuites("SSL_RSA_EXPORT_WITH_DES40_CBC_SHA");
}
+
@Test
- public void excludeCipherSuitesCanBeSetViaConfigFile() throws Exception {
- testConfig.set("oozie.https.exclude.cipher.suites","TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,"
- + "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA");
+ public void excludeCipherSuitesCanBeSetViaConfig() throws Exception {
+ testConfig.set(OOZIE_HTTPS_EXCLUDE_CIPHER_SUITES, "TLS_ECDHE_RSA_WITH_RC4_128_SHA,"
+ + "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA");
sslServerConnectorFactory.createSecureServerConnector(42, testConfig, mockServer);
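Review bot: `verify(mockSSLContextFactory, never()).setExcludeProtocols(anyString())` in `emptyExcludeProtocolsAreNotSet`, and the matching `setIncludeCipherSuites(anyString())` check in `emptyIncludeCipherSuitesAreNotSet`, only match an invocation with exactly one vararg element as far as I recall Mockito 1.x varargs matching, so a call with two or more values would slip past `never()`; `verify(mockSSLContextFactory, never()).setExcludeProtocols(Matchers.<String>anyVararg());` verifies that no call happened at all. Removing `includeProtocolsHaveDefaultValues` and `excludeCipherSuitesHaveDefaultValues` leaves this class with no test that the factory copes with the shipped defaults, which is where the null-handling of `setIncludeProtocols` would surface. As a style point, `includeProtocolsCanBeSetViaConfig` and `excludeProtocolsCanBeSetViaConfig` declare a local `sslServerConnectorFactory` that shadows the field already built from the same mock in `setUp`; dropping the local keeps every test on the shared instance.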
@@ -132,6 +147,5 @@ public class TestSSLServerConnectorFactory {
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
"SSL_RSA_EXPORT_WITH_DES40_CBC_SHA");
- verifyDefaultIncludeProtocols();
}
}