Posted to commits@ambari.apache.org by ol...@apache.org on 2017/01/04 12:39:04 UTC
ambari git commit: AMBARI-19333. Store LogSearch truststore/keystore
passwords in file (oleewere)
Repository: ambari
Updated Branches:
refs/heads/branch-2.5 0c5bae7e2 -> a29343fc9
AMBARI-19333. Store LogSearch truststore/keystore passwords in file (oleewere)
Change-Id: Ifbf2b1c72df7f20f31ce0e4ef8bf7f5fa4d5ac55
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/a29343fc
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/a29343fc
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/a29343fc
Branch: refs/heads/branch-2.5
Commit: a29343fc944ac0e07142ab256ac2cac73d2d5ad3
Parents: 0c5bae7
Author: oleewere <ol...@gmail.com>
Authored: Wed Jan 4 13:19:17 2017 +0100
Committer: oleewere <ol...@gmail.com>
Committed: Wed Jan 4 13:38:48 2017 +0100
----------------------------------------------------------------------
.../org/apache/ambari/logsearch/LogSearch.java | 7 +--
.../apache/ambari/logsearch/util/SSLUtil.java | 46 ++++++++++++++++----
.../src/main/scripts/run.sh | 2 +-
.../test-config/logsearch/logsearch-env.sh | 2 -
.../LOGSEARCH/0.5.0/package/scripts/params.py | 1 +
.../0.5.0/package/scripts/setup_logsearch.py | 20 +++++++++
.../0.5.0/properties/logsearch-env.sh.j2 | 2 -
.../stacks/2.4/LOGSEARCH/test_logsearch.py | 20 +++++++++
.../test/python/stacks/2.4/configs/default.json | 2 +
9 files changed, 86 insertions(+), 16 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/a29343fc/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/LogSearch.java
----------------------------------------------------------------------
diff --git a/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/LogSearch.java b/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/LogSearch.java
index 614e91e..88cc8bb 100644
--- a/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/LogSearch.java
+++ b/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/LogSearch.java
@@ -84,14 +84,15 @@ public class LogSearch {
private static final String ROOT_CONTEXT = "/";
private static final Integer SESSION_TIMEOUT = 60 * 30;
- private static final String LOGSEARCH_CERT_DEFAULT_FOLDER = "/etc/ambari-logsearch-portal/conf/keys";
private static final String LOGSEARCH_CERT_FILENAME = "logsearch.crt";
private static final String LOGSEARCH_KEYSTORE_FILENAME = "logsearch.jks";
private static final String LOGSEARCH_KEYSTORE_PRIVATE_KEY = "logsearch.private.key";
private static final String LOGSEARCH_KEYSTORE_PUBLIC_KEY = "logsearch.public.key";
- private static final String LOGSEARCH_KEYSTORE_DEFAULT_PASSWORD = "bigdata";
private static final String LOGSEARCH_CERT_DEFAULT_ALGORITHM = "sha256WithRSAEncryption";
+ public static final String LOGSEARCH_CERT_DEFAULT_FOLDER = "/etc/ambari-logsearch-portal/conf/keys";
+ public static final String LOGSEARCH_KEYSTORE_DEFAULT_PASSWORD = "bigdata";
+
public static void main(String[] argv) {
LogSearch logSearch = new LogSearch();
ManageStartEndTime.manage();
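Review bot: `LOGSEARCH_KEYSTORE_DEFAULT_PASSWORD` becomes `public` here without any comment on its purpose, and its value is a fixed string that is the same on every install. SSLUtil now imports it as the fallback content for both password files, so a comment such as `// Fallback only; deployments are expected to supply their own password via the password files in the keys folder` would make clear that it does not protect anything. Having the util class statically import constants from the main class is also an unusual dependency direction; a small shared constants holder would read better. The class body continues outside the hunk.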
@@ -300,7 +301,7 @@ public class LogSearch {
fileSet.setDir(new File(certFolder));
fileSet.setIncludes("**");
chmod.addFileset(fileSet);
- chmod.setPerm("640");
+ chmod.setPerm("600");
chmod.execute();
}
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/a29343fc/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/util/SSLUtil.java
----------------------------------------------------------------------
diff --git a/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/util/SSLUtil.java b/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/util/SSLUtil.java
index 7a93305..2fb4ff3 100644
--- a/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/util/SSLUtil.java
+++ b/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/util/SSLUtil.java
@@ -50,6 +50,9 @@ import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
+import static org.apache.ambari.logsearch.LogSearch.LOGSEARCH_CERT_DEFAULT_FOLDER;
+import static org.apache.ambari.logsearch.LogSearch.LOGSEARCH_KEYSTORE_DEFAULT_PASSWORD;
+
public class SSLUtil {
private static final Logger LOG = LoggerFactory.getLogger(SSLUtil.class);
@@ -61,6 +64,8 @@ public class SSLUtil {
private static final String TRUSTSTORE_PASSWORD_ARG = "javax.net.ssl.trustStorePassword";
private static final String TRUSTSTORE_TYPE_ARG = "javax.net.ssl.trustStoreType";
private static final String DEFAULT_TRUSTSTORE_TYPE = "JKS";
+ private static final String KEYSTORE_PASSWORD_FILE = "ks_pass.txt";
+ private static final String TRUSTSTORE_PASSWORD_FILE = "ts_pass.txt";
private SSLUtil() {
throw new UnsupportedOperationException();
@@ -69,11 +74,11 @@ public class SSLUtil {
public static String getKeyStoreLocation() {
return System.getProperty(KEYSTORE_LOCATION_ARG);
}
-
+
public static String getKeyStorePassword() {
return System.getProperty(KEYSTORE_PASSWORD_ARG);
}
-
+
public static String getKeyStoreType() {
return System.getProperty(KEYSTORE_TYPE_ARG, DEFAULT_KEYSTORE_TYPE);
}
@@ -81,24 +86,26 @@ public class SSLUtil {
public static String getTrustStoreLocation() {
return System.getProperty(TRUSTSTORE_LOCATION_ARG);
}
-
+
public static String getTrustStorePassword() {
return System.getProperty(TRUSTSTORE_PASSWORD_ARG);
}
-
+
public static String getTrustStoreType() {
return System.getProperty(TRUSTSTORE_TYPE_ARG, DEFAULT_TRUSTSTORE_TYPE);
}
-
+
public static boolean isKeyStoreSpecified() {
- return StringUtils.isNotEmpty(getKeyStoreLocation()) && StringUtils.isNotEmpty(getKeyStorePassword());
+ return StringUtils.isNotEmpty(getKeyStoreLocation());
}
private static boolean isTrustStoreSpecified() {
- return StringUtils.isNotEmpty(getTrustStoreLocation()) && StringUtils.isNotEmpty(getTrustStorePassword());
+ return StringUtils.isNotEmpty(getTrustStoreLocation());
}
public static SslContextFactory getSslContextFactory() {
+ setPasswordIfSysPropIsEmpty(KEYSTORE_PASSWORD_ARG, KEYSTORE_PASSWORD_FILE);
+ setPasswordIfSysPropIsEmpty(TRUSTSTORE_PASSWORD_ARG, TRUSTSTORE_PASSWORD_FILE);
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath(getKeyStoreLocation());
sslContextFactory.setKeyStorePassword(getKeyStorePassword());
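Review bot: `isKeyStoreSpecified()` and `isTrustStoreSpecified()` no longer imply that a password is available, yet the password properties are filled in only inside `getSslContextFactory()`. A caller that checks `isKeyStoreSpecified()` and then reads `getKeyStorePassword()` before `getSslContextFactory()` has run would now get `null`; whether such a caller exists is not visible in this hunk. Either let the two password getters do the file fallback themselves, or document the ordering on the public method, e.g. `// the password property may be unset until getSslContextFactory() has run`. The body of getSslContextFactory() continues outside the hunk.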
@@ -111,7 +118,7 @@ public class SSLUtil {
return sslContextFactory;
}
-
+
public static SSLContext getSSLContext() {
SslContextFactory sslContextFactory = getSslContextFactory();
@@ -130,6 +137,22 @@ public class SSLUtil {
}
}
+ private static String getPasswordFromFile(String certFolder, String fileName, String defaultPassword) {
+ try {
+ String pwdFileName = String.format("%s/%s", certFolder, fileName);
+ File pwdFile = new File(pwdFileName);
+ if (!pwdFile.exists()) {
+ FileUtils.writeStringToFile(pwdFile, defaultPassword);
+ return defaultPassword;
+ } else {
+ return FileUtils.readFileToString(pwdFile);
+ }
+ } catch (Exception e) {
+ String errMsg = "Exception occurred during read/write password file for keystore.";
+ throw new RuntimeException(errMsg, e);
+ }
+ }
+
/**
* Put private key into in-memory keystore and write it to a file (JKS file)
*/
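Review bot: When the password file is missing, `getPasswordFromFile` writes the default password to disk with whatever permissions the process umask allows and returns it without logging that the default is in use. The file should be created owner-only before the secret is written, and the fallback should be logged at warn level so an operator notices it. The read and write calls also rely on the platform charset; passing an explicit encoding keeps the password stable across hosts. The fence below shows the reordered body; the catch block is unchanged, though `catch (Exception e)` could be narrowed to the I/O failure it is meant to wrap.

```java
private static String getPasswordFromFile(String certFolder, String fileName, String defaultPassword) {
  try {
    File pwdFile = new File(certFolder, fileName);
    if (pwdFile.exists()) {
      return FileUtils.readFileToString(pwdFile, "UTF-8");
    }
    LOG.warn("Password file {} not found, falling back to the default password", pwdFile);
    // Create the file empty and restrict it to the owner before the secret is written.
    FileUtils.touch(pwdFile);
    pwdFile.setReadable(false, false);
    pwdFile.setWritable(false, false);
    pwdFile.setReadable(true, true);
    pwdFile.setWritable(true, true);
    FileUtils.writeStringToFile(pwdFile, defaultPassword, "UTF-8");
    return defaultPassword;
  // … unchanged: catch block wrapping the failure in RuntimeException …
```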
@@ -177,6 +200,13 @@ public class SSLUtil {
}
}
+ private static void setPasswordIfSysPropIsEmpty(String prop, String pwdFile) {
+ if (StringUtils.isEmpty(System.getProperty(prop))) {
+ String password = getPasswordFromFile(LOGSEARCH_CERT_DEFAULT_FOLDER, pwdFile, LOGSEARCH_KEYSTORE_DEFAULT_PASSWORD);
+ System.setProperty(prop, password);
+ }
+ }
+
private static X509Certificate getCertFile(String location) throws Exception {
try (FileInputStream fos = new FileInputStream(location)) {
CertificateFactory factory = CertificateFactory.getInstance("X.509");
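Review bot: `setPasswordIfSysPropIsEmpty` always looks in `LOGSEARCH_CERT_DEFAULT_FOLDER`, so a deployment that keeps its keys elsewhere would read or create the password file in the wrong place; LogSearch.java passes a `certFolder` variable to its chmod step, which suggests the folder can be configured. The method also publishes the password through `System.setProperty`, where it stays readable by any code in the JVM and appears in system-property dumps. Passing the value directly to `SslContextFactory` would avoid that. If the current design is kept, a comment should say so, e.g. `// reads the file from the default keys folder; the value is stored in a JVM-wide system property`. The body of getCertFile continues outside the hunk.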
http://git-wip-us.apache.org/repos/asf/ambari/blob/a29343fc/ambari-logsearch/ambari-logsearch-portal/src/main/scripts/run.sh
----------------------------------------------------------------------
diff --git a/ambari-logsearch/ambari-logsearch-portal/src/main/scripts/run.sh b/ambari-logsearch/ambari-logsearch-portal/src/main/scripts/run.sh
index 1204ef3..b8fd6c4 100755
--- a/ambari-logsearch/ambari-logsearch-portal/src/main/scripts/run.sh
+++ b/ambari-logsearch/ambari-logsearch-portal/src/main/scripts/run.sh
@@ -52,7 +52,7 @@ if [ "$LOGSEARCH_DEBUG" = "true" ] && [ ! -z "$LOGSEARCH_DEBUG_PORT" ]; then
fi
if [ "$LOGSEARCH_SSL" = "true" ]; then
- LOGSEARCH_JAVA_OPTS="$LOGSEARCH_JAVA_OPTS -Djavax.net.ssl.keyStore=$LOGSEARCH_KEYSTORE_LOCATION -Djavax.net.ssl.keyStoreType=$LOGSEARCH_KEYSTORE_TYPE -Djavax.net.ssl.keyStorePassword=$LOGSEARCH_KEYSTORE_PASSWORD -Djavax.net.ssl.trustStore=$LOGSEARCH_TRUSTSTORE_LOCATION -Djavax.net.ssl.trustStoreType=$LOGSEARCH_TRUSTSTORE_TYPE -Djavax.net.ssl.trustStorePassword=$LOGSEARCH_TRUSTSTORE_PASSWORD"
+ LOGSEARCH_JAVA_OPTS="$LOGSEARCH_JAVA_OPTS -Djavax.net.ssl.keyStore=$LOGSEARCH_KEYSTORE_LOCATION -Djavax.net.ssl.keyStoreType=$LOGSEARCH_KEYSTORE_TYPE -Djavax.net.ssl.trustStore=$LOGSEARCH_TRUSTSTORE_LOCATION -Djavax.net.ssl.trustStoreType=$LOGSEARCH_TRUSTSTORE_TYPE"
fi
if [ "$PID_FILE" = "" ]; then
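Review bot: `LOGSEARCH_KEYSTORE_PASSWORD` and `LOGSEARCH_TRUSTSTORE_PASSWORD` are now ignored without any message, so an existing environment file that still exports them has no effect. The portal then falls back to the password files, or to the built-in default if those are absent. A comment above the `LOGSEARCH_JAVA_OPTS` line would make the new contract visible to operators, e.g. `# store passwords are read from ks_pass.txt / ts_pass.txt in the keys folder, not passed as -D options`. The `if` statement on the last line continues outside the hunk.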
http://git-wip-us.apache.org/repos/asf/ambari/blob/a29343fc/ambari-logsearch/docker/test-config/logsearch/logsearch-env.sh
----------------------------------------------------------------------
diff --git a/ambari-logsearch/docker/test-config/logsearch/logsearch-env.sh b/ambari-logsearch/docker/test-config/logsearch/logsearch-env.sh
index 2c2d056..8d92e20 100644
--- a/ambari-logsearch/docker/test-config/logsearch/logsearch-env.sh
+++ b/ambari-logsearch/docker/test-config/logsearch/logsearch-env.sh
@@ -37,8 +37,6 @@ export LOGSEARCH_DEBUG_PORT=5005
export LOGSEARCH_SSL="true"
export LOGSEARCH_KEYSTORE_LOCATION=/root/config/ssl/logsearch.keyStore.jks
-export LOGSEARCH_KEYSTORE_PASSWORD=bigdata
export LOGSEARCH_KEYSTORE_TYPE=jks
export LOGSEARCH_TRUSTSTORE_LOCATION=/root/config/ssl/logsearch.trustStore.jks
-export LOGSEARCH_TRUSTSTORE_PASSWORD=bigdata
export LOGSEARCH_TRUSTSTORE_TYPE=jks
http://git-wip-us.apache.org/repos/asf/ambari/blob/a29343fc/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
index ff88abc..811b3ea 100644
--- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
@@ -42,6 +42,7 @@ sudo = AMBARI_SUDO_BINARY
security_enabled = status_params.security_enabled
logsearch_server_conf = "/etc/ambari-logsearch-portal/conf"
+logsearch_server_keys_folder = logsearch_server_conf + "/keys"
logsearch_logfeeder_conf = "/etc/ambari-logsearch-logfeeder/conf"
logsearch_config_set_dir = format("{logsearch_server_conf}/solr_configsets")
http://git-wip-us.apache.org/repos/asf/ambari/blob/a29343fc/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
index 874b90b..9ff9c74 100644
--- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
+++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
@@ -46,6 +46,26 @@ def setup_logsearch():
recursive_ownership=True
)
+ Directory(params.logsearch_server_keys_folder,
+ cd_access='a',
+ mode=0755,
+ owner= params.logsearch_user,
+ group=params.user_group)
+
+ File(format("{logsearch_server_keys_folder}/ks_pass.txt"),
+ content=params.logsearch_keystore_password,
+ mode=0600,
+ owner= params.logsearch_user,
+ group=params.user_group
+ )
+
+ File(format("{logsearch_server_keys_folder}/ts_pass.txt"),
+ content=params.logsearch_truststore_password,
+ mode=0600,
+ owner= params.logsearch_user,
+ group=params.user_group
+ )
+
File(params.logsearch_log,
mode=0644,
owner=params.logsearch_user,
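Review bot: The keys directory is created with `mode=0755`, so every local user can enter and list it, and only the two password files are pinned to `0600`. Anything else written there later is protected only by its own mode; for instance, the Java fallback creates a missing password file under the process umask. If no account outside the logsearch user and group needs to traverse the folder, which cannot be confirmed from this hunk, `mode=0750` would be the tighter choice. The trailing `File(params.logsearch_log, ...)` call continues outside the hunk.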
http://git-wip-us.apache.org/repos/asf/ambari/blob/a29343fc/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logsearch-env.sh.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logsearch-env.sh.j2 b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logsearch-env.sh.j2
index a179983..338c7f7 100644
--- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logsearch-env.sh.j2
+++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logsearch-env.sh.j2
@@ -41,9 +41,7 @@ export LOGSEARCH_DEBUG_PORT={{logsearch_debug_port}}
{% if logsearch_solr_ssl_enabled or logsearch_ui_protocol == 'https' or ambari_server_use_ssl %}
export LOGSEARCH_SSL="true"
export LOGSEARCH_KEYSTORE_LOCATION={{logsearch_keystore_location}}
-export LOGSEARCH_KEYSTORE_PASSWORD={{logsearch_keystore_password}}
export LOGSEARCH_KEYSTORE_TYPE={{logsearch_keystore_type}}
export LOGSEARCH_TRUSTSTORE_LOCATION={{logsearch_truststore_location}}
-export LOGSEARCH_TRUSTSTORE_PASSWORD={{logsearch_truststore_password}}
export LOGSEARCH_TRUSTSTORE_TYPE={{logsearch_truststore_type}}
{% endif %}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/a29343fc/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py b/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py
index c3e8930..00dd641 100644
--- a/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py
+++ b/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py
@@ -63,6 +63,26 @@ class TestLogSearch(RMFTestCase):
cd_access = 'a',
mode = 0755
)
+ self.assertResourceCalled('Directory', '/etc/ambari-logsearch-portal/conf/keys',
+ owner = 'logsearch',
+ group = 'hadoop',
+ cd_access = 'a',
+ mode = 0755
+ )
+
+ self.assertResourceCalled('File', '/etc/ambari-logsearch-portal/conf/keys/ks_pass.txt',
+ owner='logsearch',
+ group='hadoop',
+ mode=0600,
+ content='bigdata'
+ )
+
+ self.assertResourceCalled('File', '/etc/ambari-logsearch-portal/conf/keys/ts_pass.txt',
+ owner='logsearch',
+ group='hadoop',
+ mode=0600,
+ content='bigdata'
+ )
self.assertResourceCalled('File', '/var/log/ambari-logsearch-portal/logsearch.out',
owner = 'logsearch',
http://git-wip-us.apache.org/repos/asf/ambari/blob/a29343fc/ambari-server/src/test/python/stacks/2.4/configs/default.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.4/configs/default.json b/ambari-server/src/test/python/stacks/2.4/configs/default.json
index 7591adb..a601f0b 100644
--- a/ambari-server/src/test/python/stacks/2.4/configs/default.json
+++ b/ambari-server/src/test/python/stacks/2.4/configs/default.json
@@ -273,6 +273,8 @@
"logsearch_debug_port": "5005",
"logsearch_ui_protocol": "http",
"logsearch_ui_port" : "61888",
+ "logsearch_keystore_password" : "bigdata",
+ "logsearch_truststore_password" : "bigdata",
"logsearch_solr_audit_logs_use_ranger": "false",
"content": "# Licensed to the Apache Software Foundation (ASF) under one or more\n# contributor license agreements. See the NOTICE file distributed with\n# this work for additional information regarding copyright ownership.\n# The ASF licenses this file to You under the Apache License, Version 2.0\n# (the \"License\"); you may not use this file except in compliance with\n# the License. You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n#solr.url=http://{{solr_host}}:{{solr_port}}/solr\n\n#Service Logs and History colletion\nlogsearch.solr.zkhosts={{zookeeper_quorum}}{{solr_znode}}\nlogsearch.solr.collection.ser
vice.logs={{logsearch_collection_service_logs}}\nlogsearch.solr.collection.history=history\n\nlogsearch.service.logs.split.interval.mins={{logsearch_service_logs_split_interval_mins}}\nlogsearch.collection.service.logs.numshards={{logsearch_collection_service_logs_numshards}}\nlogsearch.collection.service.logs.replication.factor={{logsearch_collection_service_logs_replication_factor}}\n\nlogsearch.service.logs.fields={{logsearch_service_logs_fields}}\n\n#Audit logs\nlogsearch.solr.audit.logs.zkhosts={{logsearch_solr_zk_quorum}}{{logsearch_solr_zk_znode}}\nogsearch.solr.collection.audit.logs={{solr_collection_audit_logs}}\nlogsearch.solr.audit.logs.url={{logsearch_solr_audit_logs_url}}\n\nlogsearch.audit.logs.split.interval.mins={{logsearch_audit_logs_split_interval_mins}}\nlogsearch.collection.audit.logs.numshards={{logsearch_collection_audit_logs_numshards}}\nlogsearch.collection.audit.logs.replication.factor={{logsearch_collection_audit_logs_replication_factor}}\n{% if logsearch_s
olr_ssl_enabled %}\nexport LOGSEARCH_SSL=\"true\"\nexport LOGSEARCH_KEYSTORE_LOCATION={{logsearch_keystore_location}}\nexport LOGSEARCH_KEYSTORE_PASSWORD={{logsearch_keystore_password}}\nexport LOGSEARCH_KEYSTORE_TYPE={{logsearch_keystore_type}}\nexport LOGSEARCH_TRUSTSTORE_LOCATION={{logsearch_truststore_location}}\nexport LOGSEARCH_TRUSTSTORE_PASSWORD={{logsearch_truststore_password}}\nexport LOGSEARCH_TRUSTSTORE_TYPE={{logsearch_truststore_type}}\n{% endif %}"
},