Posted to commits@knox.apache.org by lm...@apache.org on 2014/10/24 00:21:43 UTC
git commit: KNOX-455 - Configuration for Excluding SSL Protocols
Repository: knox
Updated Branches:
refs/heads/v0.5.0 3265a1c83 -> 22c466a11
KNOX-455 - Configuration for Excluding SSL Protocols
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/22c466a1
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/22c466a1
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/22c466a1
Branch: refs/heads/v0.5.0
Commit: 22c466a1185b4d31c27a361797fc0cde07307d78
Parents: 3265a1c
Author: Larry McCay <lm...@hortonworks.com>
Authored: Thu Oct 23 18:20:59 2014 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Thu Oct 23 18:20:59 2014 -0400
----------------------------------------------------------------------
.../gateway/config/impl/GatewayConfigImpl.java | 16 ++++++++++++++++
.../services/security/impl/JettySSLService.java | 8 +++++++-
.../src/main/resources/conf/gateway-default.xml | 11 ++++++++---
.../hadoop/gateway/GatewayGlobalConfigTest.java | 12 ++++++++++++
.../resources/conf-demo/conf/gateway-default.xml | 5 +++++
.../resources/conf-full/conf/gateway-default.xml | 6 ++++++
.../test/resources/conf-full/conf/gateway-site.xml | 5 +++++
.../apache/hadoop/gateway/config/GatewayConfig.java | 13 ++++++++-----
.../apache/hadoop/gateway/GatewayTestConfig.java | 12 ++++++++++++
9 files changed, 79 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/22c466a1/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
index 53ce31f..35739b1 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
@@ -28,6 +28,8 @@ import java.net.InetSocketAddress;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.UnknownHostException;
+import java.util.Arrays;
+import java.util.List;
import java.util.Map;
/**
@@ -103,6 +105,7 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig {
public static final String DEFAULT_HTTP_PATH = "gateway";
public static final String DEFAULT_DEPLOYMENT_DIR = "deployments";
private static final String SSL_ENABLED = "ssl.enabled";
+ private static final String SSL_EXCLUDE_PROTOCOLS = "ssl.exclude.protocols";
// public static final String DEFAULT_SHIRO_CONFIG_FILE = "shiro.ini";
public GatewayConfigImpl() {
@@ -332,5 +335,18 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig {
public String getDefaultAppRedirectPath() {
return "/" + getGatewayPath() + "/" + getDefaultTopologyName();
}
+
+ /* (non-Javadoc)
+ * @see org.apache.hadoop.gateway.config.GatewayConfig#getExcludedSSLProtocols()
+ */
+ @Override
+ public List<String> getExcludedSSLProtocols() {
+ List<String> protocols = null;
+ String value = get(SSL_EXCLUDE_PROTOCOLS);
+ if (!"none".equals(value)) {
+ protocols = Arrays.asList(value.split("\\s*,\\s*"));
+ }
+ return protocols;
+ }
}
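Review bot: `get(SSL_EXCLUDE_PROTOCOLS)` returns null when the key is absent from the site configuration, and `"none".equals(null)` is false, so `value.split(...)` throws a NullPointerException during gateway start-up for any deployment that has not picked up the new property. Guard the lookup: `if (value != null && !"none".equals(value)) {`. An empty or whitespace-only value would likewise produce a single empty-string entry that is later handed to Jetty as a protocol name, so trimming and checking `isEmpty()` before the split is worth adding. A short comment such as `// null means "exclude nothing"; JettySSLService relies on that` would make the contract explicit, since the caller tests for null.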
http://git-wip-us.apache.org/repos/asf/knox/blob/22c466a1/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
index 757ac48..85753b0 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
@@ -17,12 +17,12 @@
*/
package org.apache.hadoop.gateway.services.security.impl;
-import java.io.File;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;
+import java.util.List;
import java.util.Map;
import javax.security.auth.x500.X500Principal;
@@ -49,6 +49,7 @@ public class JettySSLService implements SSLService {
private MasterService ms;
private KeystoreService ks;
private AliasService as;
+ private List<String> sslExcludeProtocols = null;
public void setMasterService(MasterService ms) {
this.ms = ms;
@@ -93,6 +94,8 @@ public class JettySSLService implements SSLService {
} catch (KeystoreServiceException e) {
throw new ServiceLifecycleException("Keystore was not loaded properly - the provided (or persisted) master secret may not match the password for the keystore.", e);
}
+
+ sslExcludeProtocols = config.getExcludedSSLProtocols();
}
private void logAndValidateCertificate() throws ServiceLifecycleException {
@@ -145,6 +148,9 @@ public class JettySSLService implements SSLService {
// sslContextFactory.setTrustStorePassword(new String(keypass));
sslContextFactory.setNeedClientAuth( false );
sslContextFactory.setTrustAll( true );
+ if (sslExcludeProtocols != null) {
+ sslContextFactory.setExcludeProtocols((String[]) sslExcludeProtocols.toArray());
+ }
SslConnector sslConnector = new SslSelectChannelConnector( sslContextFactory );
return sslConnector;
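Review bot: `(String[]) sslExcludeProtocols.toArray()` is not type-safe: the no-argument `toArray()` is specified to return `Object[]`, and the `ArrayList` returned by GatewayTestConfig.getExcludedSSLProtocols() will throw a ClassCastException here, which means the SSL connector fails to build rather than starting with the weak protocol excluded. Whether the `Arrays.asList` result from GatewayConfigImpl survives the cast depends on the JDK's internal implementation, so it should not be relied on either. Use the typed form: `sslContextFactory.setExcludeProtocols(sslExcludeProtocols.toArray(new String[0]));`. The enclosing method starts outside the hunk.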
http://git-wip-us.apache.org/repos/asf/knox/blob/22c466a1/gateway-server/src/main/resources/conf/gateway-default.xml
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/resources/conf/gateway-default.xml b/gateway-server/src/main/resources/conf/gateway-default.xml
index a7f997f..83e3aa1 100644
--- a/gateway-server/src/main/resources/conf/gateway-default.xml
+++ b/gateway-server/src/main/resources/conf/gateway-default.xml
@@ -21,7 +21,7 @@ limitations under the License.
<property>
<name>gateway.port</name>
- <value>8888</value>
+ <value>8443</value>
<description>The HTTP port for the Gateway.</description>
</property>
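Review bot: The change of `gateway.port` from 8888 to 8443 (and the `gateway.gateway.conf.dir` change in the following hunk) is unrelated to the excluded-protocols configuration that KNOX-455 describes and is not mentioned in the commit message; if it is intentional it deserves its own line in the description, since the test in GatewayGlobalConfigTest still asserts 8888 for the demo configuration.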
@@ -33,8 +33,13 @@ limitations under the License.
<property>
<name>gateway.gateway.conf.dir</name>
- <value>clusters</value>
- <description>The directory within GATEWAY_HOME that contains gateway topology files and deployments.</description>
+ <value>deployments</value>
+ <description>The directory within GATEWAY_HOME that contains gateway topology deployments.</description>
</property>
+ <property>
+ <name>ssl.exclude.protocols</name>
+ <value>SSLv3</value>
+ <description>SSL protocols to be excluded from the connector.</description>
+ </property>
</configuration>
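Review bot: The description of `ssl.exclude.protocols` does not tell an operator the value format or the sentinel that the parser in GatewayConfigImpl recognises. Suggest `<description>Comma-separated list of SSL/TLS protocol names to exclude from the gateway connector (for example SSLv3). Set to "none" to exclude nothing.</description>`.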
http://git-wip-us.apache.org/repos/asf/knox/blob/22c466a1/gateway-server/src/test/java/org/apache/hadoop/gateway/GatewayGlobalConfigTest.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/test/java/org/apache/hadoop/gateway/GatewayGlobalConfigTest.java b/gateway-server/src/test/java/org/apache/hadoop/gateway/GatewayGlobalConfigTest.java
index 27b8207..279198c 100644
--- a/gateway-server/src/test/java/org/apache/hadoop/gateway/GatewayGlobalConfigTest.java
+++ b/gateway-server/src/test/java/org/apache/hadoop/gateway/GatewayGlobalConfigTest.java
@@ -25,7 +25,9 @@ import java.io.File;
import java.net.URL;
import static org.hamcrest.CoreMatchers.is;
+import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
public class GatewayGlobalConfigTest {
@@ -42,6 +44,16 @@ public class GatewayGlobalConfigTest {
System.setProperty( GatewayConfigImpl.GATEWAY_HOME_VAR, getHomeDirName( "conf-full/conf/gateway-default.xml" ) );
GatewayConfig config = new GatewayConfigImpl();
assertThat( config.getGatewayPort(), is( 7777 ) );
+ assertNull("ssl.exclude.protocols should be null.", config.getExcludedSSLProtocols());
+ //assertThat( config.getShiroConfigFile(), is( "full-shiro.ini") );
+ }
+
+ @Test
+ public void testDemoConfig() {
+ System.setProperty( GatewayConfigImpl.GATEWAY_HOME_VAR, getHomeDirName( "conf-demo/conf/gateway-default.xml" ) );
+ GatewayConfig config = new GatewayConfigImpl();
+ assertThat(config.getGatewayPort(), is( 8888 ) );
+ assertTrue( config.getExcludedSSLProtocols().get(0).equals("SSLv3"));
//assertThat( config.getShiroConfigFile(), is( "full-shiro.ini") );
}
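Review bot: `assertTrue( config.getExcludedSSLProtocols().get(0).equals("SSLv3"))` reports only "expected true" on failure; the hamcrest form already used on the line above, `assertThat( config.getExcludedSSLProtocols(), is( Arrays.asList( "SSLv3" ) ) );`, shows the actual list and also checks there are no extra entries. Neither test covers a configuration where `ssl.exclude.protocols` is absent altogether or lists several protocols, which are the two inputs most likely to expose parsing problems in GatewayConfigImpl.getExcludedSSLProtocols(); a case for each would be worth adding.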
http://git-wip-us.apache.org/repos/asf/knox/blob/22c466a1/gateway-server/src/test/resources/conf-demo/conf/gateway-default.xml
----------------------------------------------------------------------
diff --git a/gateway-server/src/test/resources/conf-demo/conf/gateway-default.xml b/gateway-server/src/test/resources/conf-demo/conf/gateway-default.xml
index 944e32d..80a4c96 100644
--- a/gateway-server/src/test/resources/conf-demo/conf/gateway-default.xml
+++ b/gateway-server/src/test/resources/conf-demo/conf/gateway-default.xml
@@ -43,4 +43,9 @@ limitations under the License.
<description>The default address of WebHCat.</description>
</property>
+ <property>
+ <name>ssl.exclude.protocols</name>
+ <value>SSLv3</value>
+ <description>Excluded SSL protocols.</description>
+ </property>
</configuration>
http://git-wip-us.apache.org/repos/asf/knox/blob/22c466a1/gateway-server/src/test/resources/conf-full/conf/gateway-default.xml
----------------------------------------------------------------------
diff --git a/gateway-server/src/test/resources/conf-full/conf/gateway-default.xml b/gateway-server/src/test/resources/conf-full/conf/gateway-default.xml
index ab220cf..e1ae138 100644
--- a/gateway-server/src/test/resources/conf-full/conf/gateway-default.xml
+++ b/gateway-server/src/test/resources/conf-full/conf/gateway-default.xml
@@ -49,4 +49,10 @@ limitations under the License.
<description>The location of the Shiro configuration file.</description>
</property>
+ <property>
+ <name>ssl.exclude.protocols</name>
+ <value>SSLv3</value>
+ <description>Excluded SSL protocols.</description>
+ </property>
+
</configuration>
http://git-wip-us.apache.org/repos/asf/knox/blob/22c466a1/gateway-server/src/test/resources/conf-full/conf/gateway-site.xml
----------------------------------------------------------------------
diff --git a/gateway-server/src/test/resources/conf-full/conf/gateway-site.xml b/gateway-server/src/test/resources/conf-full/conf/gateway-site.xml
index 8ba5278..791ce2c 100644
--- a/gateway-server/src/test/resources/conf-full/conf/gateway-site.xml
+++ b/gateway-server/src/test/resources/conf-full/conf/gateway-site.xml
@@ -49,4 +49,9 @@ limitations under the License.
<description>The location of the Shiro configuration file.</description>
</property>
+ <property>
+ <name>ssl.exclude.protocols</name>
+ <value>none</value>
+ <description>Excluded SSL protocols.</description>
+ </property>
</configuration>
http://git-wip-us.apache.org/repos/asf/knox/blob/22c466a1/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
index 57b5acb..8981294 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
@@ -19,6 +19,7 @@ package org.apache.hadoop.gateway.config;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;
+import java.util.List;
public interface GatewayConfig {
@@ -66,17 +67,19 @@ public interface GatewayConfig {
String getGatewayDeploymentDir();
InetSocketAddress getGatewayAddress() throws UnknownHostException;
-
+
boolean isSSLEnabled();
+ List<String> getExcludedSSLProtocols();
+
boolean isHadoopKerberosSecured();
-
+
String getKerberosConfig();
-
+
boolean isKerberosDebugEnabled();
-
+
String getKerberosLoginConfig();
-
+
String getDefaultTopologyName();
String getDefaultAppRedirectPath();
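Review bot: `getExcludedSSLProtocols()` is added to the SPI without Javadoc, and its null return is a contract that implementers and callers need to know about. Suggest a Javadoc along the lines of `/** Protocol names to exclude from the SSL connector, or {@code null} when none are to be excluded. */` placed above the declaration, matching how the remaining methods in this interface are documented (the interface continues outside the hunk).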
http://git-wip-us.apache.org/repos/asf/knox/blob/22c466a1/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
index 2ca2289..fb6caa5 100644
--- a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
+++ b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
@@ -21,6 +21,8 @@ import org.apache.hadoop.gateway.config.GatewayConfig;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;
+import java.util.ArrayList;
+import java.util.List;
public class GatewayTestConfig implements GatewayConfig {
@@ -162,6 +164,16 @@ public class GatewayTestConfig implements GatewayConfig {
// TODO Auto-generated method stub
return "/gateway/sandbox";
}
+
+ /* (non-Javadoc)
+ * @see org.apache.hadoop.gateway.config.GatewayConfig#getExcludedSSLProtocols()
+ */
+ @Override
+ public List getExcludedSSLProtocols() {
+ List<String> protocols = new ArrayList<String>();
+ protocols.add("SSLv3");
+ return protocols;
+ }
// public void setKerberosLoginConfig(String kerberosLoginConfig) {
// this.kerberosLoginConfig = kerberosLoginConfig;