This is an automated email from the ASF dual-hosted git repository.

elserj pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/accumulo.git


The following commit(s) were added to refs/heads/master by this push:
     new c033667  Do not require a password on the truststore JKS
c033667 is described below

commit c033667b007d329d05203e21fe5af4c28f63cb13
Author: Romil Choksi <rcho...@hortonworks.com>
AuthorDate: Wed Sep 12 15:07:20 2018 -0400

    Do not require a password on the truststore JKS
    
    A password on a truststore provides no security value, only validation
    that the JKS is the JKS that the user expects. Log a warning when the
    truststore is empty.
    
    Closes #646
    
    Signed-off-by: Josh Elser <els...@apache.org>
---
 .../org/apache/accumulo/monitor/EmbeddedWebServer.java     | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git 
a/server/monitor/src/main/java/org/apache/accumulo/monitor/EmbeddedWebServer.java
 
b/server/monitor/src/main/java/org/apache/accumulo/monitor/EmbeddedWebServer.java
index 2d254ea..ee2ebaa 100644
--- 
a/server/monitor/src/main/java/org/apache/accumulo/monitor/EmbeddedWebServer.java
+++ 
b/server/monitor/src/main/java/org/apache/accumulo/monitor/EmbeddedWebServer.java
@@ -29,8 +29,12 @@ import org.eclipse.jetty.server.SslConnectionFactory;
 import org.eclipse.jetty.servlet.ServletContextHandler;
 import org.eclipse.jetty.servlet.ServletHolder;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public class EmbeddedWebServer {
+  private static final Logger LOG = 
LoggerFactory.getLogger(EmbeddedWebServer.class);
+
   private final Server server;
   private final ServerConnector connector;
   private final ServletContextHandler handler;
@@ -51,17 +55,21 @@ public class EmbeddedWebServer {
   private static AbstractConnectionFactory[] 
getConnectionFactories(AccumuloConfiguration conf) {
     HttpConnectionFactory httpFactory = new HttpConnectionFactory();
     EnumSet<Property> requireForSecure = 
EnumSet.of(Property.MONITOR_SSL_KEYSTORE,
-        Property.MONITOR_SSL_KEYSTOREPASS, Property.MONITOR_SSL_TRUSTSTORE,
-        Property.MONITOR_SSL_TRUSTSTOREPASS);
+        Property.MONITOR_SSL_KEYSTOREPASS, Property.MONITOR_SSL_TRUSTSTORE);
+
     if (requireForSecure.stream().map(p -> conf.get(p)).anyMatch(s -> s == 
null || s.isEmpty())) {
       return new AbstractConnectionFactory[] {httpFactory};
     } else {
+      final String trustStorePass = 
conf.get(Property.MONITOR_SSL_TRUSTSTOREPASS);
+      if (trustStorePass.isEmpty()) {
+        LOG.warn("Truststore JKS file has an empty password which prevents any 
integrity checks.");
+      }
       SslContextFactory sslContextFactory = new SslContextFactory();
       
sslContextFactory.setKeyStorePath(conf.get(Property.MONITOR_SSL_KEYSTORE));
       
sslContextFactory.setKeyStorePassword(conf.get(Property.MONITOR_SSL_KEYSTOREPASS));
       
sslContextFactory.setKeyStoreType(conf.get(Property.MONITOR_SSL_KEYSTORETYPE));
       
sslContextFactory.setTrustStorePath(conf.get(Property.MONITOR_SSL_TRUSTSTORE));
-      
sslContextFactory.setTrustStorePassword(conf.get(Property.MONITOR_SSL_TRUSTSTOREPASS));
+      sslContextFactory.setTrustStorePassword(trustStorePass);
       
sslContextFactory.setTrustStoreType(conf.get(Property.MONITOR_SSL_TRUSTSTORETYPE));
 
       final String includedCiphers = 
conf.get(Property.MONITOR_SSL_INCLUDE_CIPHERS);
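Review bot: In the `else` branch, `trustStorePass.isEmpty()` is called without a null check, although the stream test just above still treats `conf.get(p)` as possibly null for the remaining required properties. Now that `MONITOR_SSL_TRUSTSTOREPASS` is no longer in `requireForSecure`, the guard should probably be `if (trustStorePass == null || trustStorePass.isEmpty())`, unless `conf.get` is guaranteed to return the property default, which is not visible here. The empty value is also still handed to `sslContextFactory.setTrustStorePassword(trustStorePass)`. As far as I know, `KeyStore.load` skips the integrity check only for a null password, so an empty string may instead be checked against the store's real password and fail to load a truststore that has one. Consider calling the setter only in an `else` of that guard, and naming the property in the warning so operators know which setting to fill in. The body of `getConnectionFactories` continues past the end of this hunk.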
