Posted to common-commits@hadoop.apache.org by le...@apache.org on 2017/02/28 02:12:36 UTC

hadoop git commit: HADOOP-14083. KMS should support old SSL clients. (John Zhuge via Lei Xu)

Repository: hadoop
Updated Branches:
  refs/heads/branch-2 1eec911cd -> d440ad46b


HADOOP-14083. KMS should support old SSL clients. (John Zhuge via Lei Xu)


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/d440ad46
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/d440ad46
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/d440ad46

Branch: refs/heads/branch-2
Commit: d440ad46b5c42c369e476e7eb7375b857405cc78
Parents: 1eec911
Author: Lei Xu <le...@cloudera.com>
Authored: Mon Feb 27 18:12:00 2017 -0800
Committer: Lei Xu <le...@cloudera.com>
Committed: Mon Feb 27 18:12:00 2017 -0800

----------------------------------------------------------------------
 hadoop-common-project/hadoop-kms/pom.xml        |  3 ++
 .../hadoop-kms/src/main/conf/kms-env.sh         |  4 ++
 .../hadoop-kms/src/main/libexec/kms-config.sh   | 35 +++++++++++++-
 .../hadoop-kms/src/main/sbin/kms.sh             | 51 +++++++++++++++-----
 .../src/main/tomcat/ssl-server.xml.conf         |  1 +
 .../hadoop-kms/src/site/markdown/index.md.vm    |  6 ++-
 6 files changed, 84 insertions(+), 16 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/d440ad46/hadoop-common-project/hadoop-kms/pom.xml
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/pom.xml b/hadoop-common-project/hadoop-kms/pom.xml
index 5dae19f..ab5e58d 100644
--- a/hadoop-common-project/hadoop-kms/pom.xml
+++ b/hadoop-common-project/hadoop-kms/pom.xml
@@ -394,6 +394,9 @@
                     <delete dir="${project.build.directory}/tomcat.exp"/>
                     <delete dir="${kms.tomcat.dist.dir}/webapps"/>
                     <mkdir dir="${kms.tomcat.dist.dir}/webapps"/>
+                    <delete file="${kms.tomcat.dist.dir}/conf/catalina-default.properties"/>
+                    <copy file="${basedir}/src/main/tomcat/catalina-default.properties"
+                          toDir="${kms.tomcat.dist.dir}/conf"/>
                     <delete file="${kms.tomcat.dist.dir}/conf/server.xml"/>
                     <copy file="${basedir}/src/main/tomcat/server.xml"
                           toDir="${kms.tomcat.dist.dir}/conf"/>

http://git-wip-us.apache.org/repos/asf/hadoop/blob/d440ad46/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh b/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh
index 1c70c28..7deee5d 100644
--- a/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh
+++ b/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh
@@ -66,6 +66,10 @@
 #
 # export KMS_MAX_HTTP_HEADER_SIZE=65536
 
+# The comma separated list of encryption ciphers for SSL
+#
+# export KMS_SSL_CIPHERS=
+
 # The location of the SSL keystore if using SSL
 #
 # export KMS_SSL_KEYSTORE_FILE=${HOME}/.keystore

http://git-wip-us.apache.org/repos/asf/hadoop/blob/d440ad46/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh b/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
index bfdb83b..009f9c4 100644
--- a/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
+++ b/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
@@ -56,7 +56,10 @@ print "Setting KMS_HOME:          ${KMS_HOME}"
 if [ -e "${KMS_HOME}/bin/kms-env.sh" ]; then
   print "Sourcing:                    ${KMS_HOME}/bin/kms-env.sh"
   source ${KMS_HOME}/bin/kms-env.sh
-  grep "^ *export " ${KMS_HOME}/bin/kms-env.sh | sed 's/ *export/  setting/'
+  if [ "${KMS_SILENT}" != "true" ]; then
+    grep "^ *export " "${KMS_HOME}/bin/kms-env.sh" |
+      sed 's/ *export/  setting/'
+  fi
 fi
 
 # verify that the sourced env file didn't change KMS_HOME
@@ -81,7 +84,10 @@ kms_config=${KMS_CONFIG}
 if [ -e "${KMS_CONFIG}/kms-env.sh" ]; then
   print "Sourcing:                    ${KMS_CONFIG}/kms-env.sh"
   source ${KMS_CONFIG}/kms-env.sh
-  grep "^ *export " ${KMS_CONFIG}/kms-env.sh | sed 's/ *export/  setting/'
+  if [ "${KMS_SILENT}" != "true" ]; then
+    grep "^ *export " "${KMS_CONFIG}/kms-env.sh" |
+      sed 's/ *export/  setting/'
+  fi
 fi
 
 # verify that the sourced env file didn't change KMS_HOME
@@ -171,6 +177,31 @@ else
   print "Using   KMS_MAX_HTTP_HEADER_SIZE:     ${KMS_MAX_HTTP_HEADER_SIZE}"
 fi
 
+if [ "${KMS_SSL_CIPHERS}" = "" ]; then
+  export KMS_SSL_CIPHERS="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+  KMS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+  KMS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
+  KMS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
+  KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"
+  KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"
+  KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"
+  KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"
+  KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"
+  KMS_SSL_CIPHERS+=",TLS_RSA_WITH_AES_256_CBC_SHA256"
+  KMS_SSL_CIPHERS+=",TLS_RSA_WITH_AES_256_CBC_SHA"
+  KMS_SSL_CIPHERS+=",TLS_RSA_WITH_AES_128_CBC_SHA256"
+  KMS_SSL_CIPHERS+=",TLS_RSA_WITH_AES_128_CBC_SHA"
+  KMS_SSL_CIPHERS+=",TLS_RSA_WITH_3DES_EDE_CBC_SHA"
+  KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
+  KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
+  KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"
+  KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
+  KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
+  print "Setting KMS_SSL_CIPHERS:           ${KMS_SSL_CIPHERS}"
+else
+  print "Using   KMS_SSL_CIPHERS:           ${KMS_SSL_CIPHERS}"
+fi
+
 if [ "${KMS_SSL_KEYSTORE_FILE}" = "" ]; then
   export KMS_SSL_KEYSTORE_FILE=${HOME}/.keystore
   print "Setting KMS_SSL_KEYSTORE_FILE:     ${KMS_SSL_KEYSTORE_FILE}"
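Review bot: The default list built on the added lines after `if [ "${KMS_SSL_CIPHERS}" = "" ]` includes a number of CBC suites and three `3DES_EDE_CBC` suites, and because it applies whenever `KMS_SSL_CIPHERS` is unset, every deployment inherits them rather than only those that still serve old clients. A comment above the `if` would make that trade-off visible to whoever reads the script later: `# Default cipher list deliberately includes CBC and 3DES suites for compatibility with old SSL clients; set KMS_SSL_CIPHERS to a stricter list where such clients are not needed.` The `+=` string append is a bash extension, so this block relies on the script running under bash rather than `/bin/sh` (the shebang is outside the hunk). Any suite name the JVM's provider does not support is presumably dropped by Tomcat with a warning, so a typo in an operator override could narrow the list without the start failing; this cannot be confirmed from the hunk.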

http://git-wip-us.apache.org/repos/asf/hadoop/blob/d440ad46/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh b/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
index dc14054..9bfad42 100644
--- a/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
+++ b/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
@@ -59,18 +59,6 @@ CATALINA_OPTS_DISP=`echo ${CATALINA_OPTS} | sed -e 's/trustStorePassword=[^ ]*/t
 print "Using   CATALINA_OPTS:       ${CATALINA_OPTS_DISP}"
 
 catalina_opts="-Dproc_kms"
-catalina_opts="${catalina_opts} -Dkms.home.dir=${KMS_HOME}";
-catalina_opts="${catalina_opts} -Dkms.config.dir=${KMS_CONFIG}";
-catalina_opts="${catalina_opts} -Dkms.log.dir=${KMS_LOG}";
-catalina_opts="${catalina_opts} -Dkms.temp.dir=${KMS_TEMP}";
-catalina_opts="${catalina_opts} -Dkms.admin.port=${KMS_ADMIN_PORT}";
-catalina_opts="${catalina_opts} -Dkms.http.port=${KMS_HTTP_PORT}";
-catalina_opts="${catalina_opts} -Dkms.protocol=${KMS_PROTOCOL}";
-catalina_opts="${catalina_opts} -Dkms.max.threads=${KMS_MAX_THREADS}";
-catalina_opts="${catalina_opts} -Dkms.accept.count=${KMS_ACCEPT_COUNT}";
-catalina_opts="${catalina_opts} -Dkms.acceptor.thread.count=${KMS_ACCEPTOR_THREAD_COUNT}";
-catalina_opts="${catalina_opts} -Dkms.max.http.header.size=${KMS_MAX_HTTP_HEADER_SIZE}";
-catalina_opts="${catalina_opts} -Dkms.ssl.keystore.file=${KMS_SSL_KEYSTORE_FILE}";
 catalina_opts="${catalina_opts} -Djava.library.path=${JAVA_LIBRARY_PATH}";
 
 print "Adding to CATALINA_OPTS:     ${catalina_opts}"
@@ -78,6 +66,39 @@ print "Found KMS_SSL_KEYSTORE_PASS:     `echo ${KMS_SSL_KEYSTORE_PASS} | sed 's/
 
 export CATALINA_OPTS="${CATALINA_OPTS} ${catalina_opts}"
 
+catalina_init_properties() {
+  cp "${CATALINA_BASE}/conf/catalina-default.properties" \
+    "${CATALINA_BASE}/conf/catalina.properties"
+}
+
+catalina_set_property() {
+  local key=$1
+  local value=$2
+  [[ -z "${value}" ]] && return
+  local disp_value="${3:-${value}}"
+  print "Setting catalina property ${key} to ${disp_value}"
+  echo "${key}=${value}" >> "${CATALINA_BASE}/conf/catalina.properties"
+}
+
+if [[ "${1}" = "start" || "${1}" = "run" ]]; then
+  catalina_init_properties
+  catalina_set_property "kms.home.dir" "${KMS_HOME}"
+  catalina_set_property "kms.config.dir" "${KMS_CONFIG}"
+  catalina_set_property "kms.log.dir" "${KMS_LOG}"
+  catalina_set_property "kms.temp.dir" "${KMS_TEMP}"
+  catalina_set_property "kms.admin.port" "${KMS_ADMIN_PORT}"
+  catalina_set_property "kms.http.port" "${KMS_HTTP_PORT}"
+  catalina_set_property "kms.protocol" "${KMS_PROTOCOL}"
+  catalina_set_property "kms.max.threads" "${KMS_MAX_THREADS}"
+  catalina_set_property "kms.accept.count" "${KMS_ACCEPT_COUNT}"
+  catalina_set_property "kms.acceptor.thread.count" \
+    "${KMS_ACCEPTOR_THREAD_COUNT}"
+  catalina_set_property "kms.max.http.header.size" \
+    "${KMS_MAX_HTTP_HEADER_SIZE}"
+  catalina_set_property "kms.ssl.ciphers" "${KMS_SSL_CIPHERS}"
+  catalina_set_property "kms.ssl.keystore.file" "${KMS_SSL_KEYSTORE_FILE}"
+fi
+
 # A bug in catalina.sh script does not use CATALINA_OPTS for stopping the server
 #
 if [ "${1}" = "stop" ]; then
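Review bot: `catalina_init_properties` does not check the result of `cp`; if `catalina-default.properties` is missing (for example an upgraded install whose tomcat dist dir was not rebuilt) the copy fails with only a stderr message, and the subsequent `>>` in `catalina_set_property` then creates a `catalina.properties` that holds nothing but the kms.* keys, silently losing whatever the default template carried. Making the copy fatal is the smallest fix. `echo "${key}=${value}"` in `catalina_set_property` is also better written with `printf '%s=%s\n'`, since `echo` may interpret backslashes depending on shell options, and a value containing a backslash would in any case be read as an escape by the Java properties parser, which is worth a hedged comment if such values are possible. The third `disp_value` argument is unused by every caller in this hunk; a comment such as `# optional $3: display value, for keys whose real value must not be printed` would document its purpose.
```shell
catalina_init_properties() {
  cp "${CATALINA_BASE}/conf/catalina-default.properties" \
    "${CATALINA_BASE}/conf/catalina.properties" || {
    echo "ERROR: cannot create ${CATALINA_BASE}/conf/catalina.properties from catalina-default.properties" >&2
    exit 1
  }
}

catalina_set_property() {
  local key=$1
  local value=$2
  [[ -z "${value}" ]] && return
  # optional $3: display value, for keys whose real value must not be printed
  local disp_value="${3:-${value}}"
  print "Setting catalina property ${key} to ${disp_value}"
  # printf avoids echo's backslash handling; note the Java properties parser
  # still treats a backslash in the value as an escape.
  printf '%s=%s\n' "${key}" "${value}" >> "${CATALINA_BASE}/conf/catalina.properties"
}
# … unchanged: start/run property block …
```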
@@ -95,4 +116,8 @@ if [ ! "${KMS_SSL_KEYSTORE_PASS}" = "" ] || [ ! "${KMS_SSL_TRUSTSTORE_PASS}" = "
     | sed 's/"_kms_ssl_truststore_pass_"/'"\"${KMS_SSL_TRUSTSTORE_PASS_ESCAPED}\""'/g' > ${CATALINA_BASE}/conf/ssl-server.xml
 fi 
 
-exec ${KMS_CATALINA_HOME}/bin/catalina.sh "$@"
+if [ "${KMS_SILENT}" != "true" ]; then
+  exec "${KMS_CATALINA_HOME}/bin/catalina.sh" "$@"
+else
+  exec "${KMS_CATALINA_HOME}/bin/catalina.sh" "$@" > /dev/null
+fi
\ No newline at end of file
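Review bot: The rewritten tail leaves kms.sh without a trailing newline (`\ No newline at end of file`); add one so the file ends cleanly. The silent branch redirects only stdout of `catalina.sh`, so errors written to stderr still reach the caller, which is the right choice; a one-line comment, `# KMS_SILENT suppresses catalina.sh's stdout only; stderr is kept for diagnostics`, would record that this is intentional rather than an oversight.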

http://git-wip-us.apache.org/repos/asf/hadoop/blob/d440ad46/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf b/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
index 760da2f..4c12fe9 100644
--- a/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
+++ b/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
@@ -74,6 +74,7 @@
                acceptorThreadCount="${kms.acceptor.thread.count}"
                maxHttpHeaderSize="${kms.max.http.header.size}"
                clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
+               ciphers="${kms.ssl.ciphers}"
                truststorePass="_kms_ssl_truststore_pass_"
                keystoreFile="${kms.ssl.keystore.file}"
                keystorePass="_kms_ssl_keystore_pass_"/>
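Review bot: The added `ciphers="${kms.ssl.ciphers}"` attribute is the only place the cipher choice reaches Tomcat, and the template gives no hint where the value comes from or what it defaults to, so an operator editing this file could not tell that the list is set by `KMS_SSL_CIPHERS` (via `kms.ssl.ciphers` in catalina.properties, written by kms.sh on start/run) and that the default is the compatibility list in kms-config.sh. An XML comment directly above the connector, `<!-- ciphers is substituted from kms.ssl.ciphers in catalina.properties; override with KMS_SSL_CIPHERS in kms-env.sh -->`, would document that. The surrounding `sslEnabledProtocols` context line still enables TLSv1 and TLSv1.1, so the same comment could note that both settings together define the compatibility posture for old clients. The `<Connector>` element starts outside the hunk.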

http://git-wip-us.apache.org/repos/asf/hadoop/blob/d440ad46/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm b/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm
index bbce0b3..bfe1b88 100644
--- a/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm
+++ b/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm
@@ -301,7 +301,11 @@ The answer to "What is your first and last name?" (i.e. "CN") must be the hostna
 
 NOTE: You need to restart the KMS for the configuration changes to take effect.
 
-NOTE: Some old SSL clients may use weak ciphers that are not supported by the KMS server. It is recommended to upgrade the SSL client.
+In order to support some old SSL clients, the default encryption ciphers
+include a few relatively weaker ciphers. Set environment variable
+`KMS_SSL_CIPHERS` or property `kms.ssl.ciphers` to override. The value is a
+comma separated list of ciphers documented in this
+[Tomcat Wiki](https://wiki.apache.org/tomcat/Security/Ciphers).
 
 $H4 ACLs (Access Control Lists)
 

