Repository: ambari Updated Branches: refs/heads/trunk 244aa3ff0 -> aad6fdb94
AMBARI-5040 2-way auth fails when using jdk7 (dsen)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/aad6fdb9
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/aad6fdb9
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/aad6fdb9
Branch: refs/heads/trunk
Commit: aad6fdb94d2e08672ac48311493ee8badf5b8685
Parents: 244aa3f
Author: Dmitry Sen <[email protected]>
Authored: Thu Mar 13 14:43:17 2014 +0200
Committer: Dmitry Sen <[email protected]>
Committed: Thu Mar 13 14:43:42 2014 +0200
----------------------------------------------------------------------
ambari-server/conf/unix/ca.config | 7 +++-
ambari-server/pom.xml | 1 -
.../server/configuration/Configuration.java | 6 ++-
.../server/security/CertificateManager.java | 12 +++---
ambari-server/src/main/resources/ca.config | 24 ------------
.../server/security/CertGenerationTest.java | 41 ++++++++++++++------
6 files changed, 47 insertions(+), 44 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/aad6fdb9/ambari-server/conf/unix/ca.config
----------------------------------------------------------------------
diff --git a/ambari-server/conf/unix/ca.config b/ambari-server/conf/unix/ca.config
index d838131..b80f797 100644
--- a/ambari-server/conf/unix/ca.config
+++ b/ambari-server/conf/unix/ca.config
@@ -19,6 +19,11 @@ countryName = optional
 stateOrProvinceName = optional
 localityName = optional
 organizationName = optional
-organizationalUnitName = supplied
+organizationalUnitName = optional
 commonName = optional
 emailAddress = optional
+
+[ jdk7_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:true
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/aad6fdb9/ambari-server/pom.xml
----------------------------------------------------------------------
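Review bot: `basicConstraints = CA:true` in the new `[ jdk7_ca ]` section is not marked critical and no `keyUsage` is set, so the generated root asserts its CA role only weakly; `basicConstraints = critical,CA:true` plus a `keyUsage` line would pin it down, but because CertificateManager's EXPRT_KSTR also packs this same certificate into the server keystore, any `keyUsage` must keep `digitalSignature, keyEncipherment` alongside `keyCertSign`. Loosening `organizationalUnitName` from `supplied` to `optional` applies to every request signed under this policy, not only the self-signed root, which is worth stating in a comment next to it. The hunk does not show `default_md`; if this file still reads `md5` like the deleted src/main/resources/ca.config copy, `default_md = sha256` is the safer setting for a root the agents are asked to trust. The last added line also drops the file's trailing newline.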
diff --git a/ambari-server/pom.xml b/ambari-server/pom.xml
index 24c78ff..2a2407e 100644
--- a/ambari-server/pom.xml
+++ b/ambari-server/pom.xml
@@ -116,7 +116,6 @@
 <exclude>src/test/resources/gsInstaller-hosts.txt</exclude>
 <exclude>src/test/resources/temporal_ganglia_data.txt</exclude>
 <exclude>src/test/resources/users.ldif</exclude>
- <exclude>src/main/resources/ca.config</exclude>
 <exclude>src/main/resources/hive-schema-0.10.0.oracle.sql</exclude>
 <exclude>src/main/resources/hive-schema-0.12.0.oracle.sql</exclude>
 <exclude>src/main/resources/db/serial</exclude>
http://git-wip-us.apache.org/repos/asf/ambari/blob/aad6fdb9/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index 68d3d88..151541a 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -66,6 +66,7 @@ public class Configuration {
 public static final String SRVR_ONE_WAY_SSL_PORT_KEY = "security.server.one_way_ssl.port";
 public static final String SRVR_KSTR_DIR_KEY = "security.server.keys_dir";
 public static final String SRVR_CRT_NAME_KEY = "security.server.cert_name";
+ public static final String SRVR_CSR_NAME_KEY = "security.server.csr_name";
 public static final String SRVR_KEY_NAME_KEY = "security.server.key_name";
 public static final String KSTR_NAME_KEY = "security.server.keystore_name";
 
@@ -176,6 +177,7 @@ public class Configuration {
 public static final String SRVR_ONE_WAY_SSL_PORT_DEFAULT = "8440";
 public static final String SRVR_CRT_NAME_DEFAULT = "ca.crt";
 public static final String SRVR_KEY_NAME_DEFAULT = "ca.key";
+ public static final String SRVR_CSR_NAME_DEFAULT = "ca.csr";
 public static final String KSTR_NAME_DEFAULT = "keystore.p12";
 public static final String CLIENT_API_SSL_KSTR_NAME_DEFAULT = "https.keystore.p12";
 public static final String CLIENT_API_SSL_CRT_PASS_FILE_NAME_DEFAULT = "https.pass.txt";
@@ -299,7 +301,9 @@ public class Configuration {
 configsMap.put(SRVR_CRT_NAME_KEY, properties.getProperty(
 SRVR_CRT_NAME_KEY, SRVR_CRT_NAME_DEFAULT));
 configsMap.put(SRVR_KEY_NAME_KEY, properties.getProperty(
- SRVR_KEY_NAME_KEY, SRVR_KEY_NAME_DEFAULT));
+ SRVR_KEY_NAME_KEY, SRVR_KEY_NAME_DEFAULT));
+ configsMap.put(SRVR_CSR_NAME_KEY, properties.getProperty(
+ SRVR_CSR_NAME_KEY, SRVR_CSR_NAME_DEFAULT));
 configsMap.put(KSTR_NAME_KEY, properties.getProperty(
 KSTR_NAME_KEY, KSTR_NAME_DEFAULT));
 configsMap.put(SRVR_CRT_PASS_FILE_KEY, properties.getProperty(
http://git-wip-us.apache.org/repos/asf/ambari/blob/aad6fdb9/ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java b/ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java
index d0f7dba..1dbc064 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java
@@ -49,10 +49,11 @@ public class CertificateManager {
 private static final String GEN_SRVR_KEY = "openssl genrsa -des3 " +
 "-passout pass:{0} -out {1}/{2} 4096 ";
 private static final String GEN_SRVR_REQ = "openssl req -passin pass:{0} " +
- "-new -key {1}/{2} -out {1}/{3} -batch";
- private static final String SIGN_SRVR_CRT = "openssl x509 " +
- "-passin pass:{0} -req -days 365 -in {1}/{3} -signkey {1}/{2} " +
- "-out {1}/{3} \n";
+ "-new -key {1}/{2} -out {1}/{5} -batch";
+ private static final String SIGN_SRVR_CRT = "openssl ca -create_serial " +
+ "-out {1}/{3} -days 365 -keyfile {1}/{2} -key {0} -selfsign " +
+ "-extensions jdk7_ca -config {1}/ca.config -batch " +
+ "-infiles {1}/{5}";
 private static final String EXPRT_KSTR = "openssl pkcs12 -export" +
 " -in {1}/{3} -inkey {1}/{2} -certfile {1}/{3} -out {1}/{4} " +
 "-password pass:{0} -passin pass:{0} \n";
@@ -139,12 +140,13 @@ public class CertificateManager { Map<String, String> configsMap = configs.getConfigsMap(); String srvrKstrDir = configsMap.get(Configuration.SRVR_KSTR_DIR_KEY); String srvrCrtName = configsMap.get(Configuration.SRVR_CRT_NAME_KEY); + String srvrCsrName = configsMap.get(Configuration.SRVR_CSR_NAME_KEY);; String srvrKeyName = configsMap.get(Configuration.SRVR_KEY_NAME_KEY); String kstrName = configsMap.get(Configuration.KSTR_NAME_KEY); String srvrCrtPass = configsMap.get(Configuration.SRVR_CRT_PASS_KEY); Object[] scriptArgs = {srvrCrtPass, srvrKstrDir, srvrKeyName, - srvrCrtName, kstrName}; + srvrCrtName, kstrName, srvrCsrName}; String command = MessageFormat.format(GEN_SRVR_KEY,scriptArgs); runCommand(command);
http://git-wip-us.apache.org/repos/asf/ambari/blob/aad6fdb9/ambari-server/src/main/resources/ca.config
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/ca.config b/ambari-server/src/main/resources/ca.config
deleted file mode 100644
index 7324275..0000000
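Review bot: The rewritten SIGN_SRVR_CRT passes the CA key passphrase on the openssl command line as `-key {0}`, so for the duration of each call it is readable by any local user through the process list; GEN_SRVR_KEY and GEN_SRVR_REQ already do the same with `pass:{0}`, so this hunk repeats rather than introduces the exposure, but it is the moment to stop it. Configuration already carries a pass-file setting (SRVR_CRT_PASS_FILE_KEY), so `openssl ca -passin file:<path of that pass file>` would keep the secret out of argv, and the same `file:` form works for the `req` and `pkcs12` invocations. The new command also deserves a why-comment above the constant, since nothing in the code explains the `-selfsign -extensions jdk7_ca` pairing; as far as the commit title indicates, something like `// JDK 7 will not build a chain to a self-signed CA lacking SKI/AKI/basicConstraints; the jdk7_ca section in ca.config supplies them` is what a maintainer will need.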
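Review bot: The new line `String srvrCsrName = configsMap.get(Configuration.SRVR_CSR_NAME_KEY);;` ends in a doubled semicolon, an empty statement that compiles but fails style checks; drop one. `srvrCsrName` becomes index 5 of `scriptArgs`, and that index is consumed by both GEN_SRVR_REQ and SIGN_SRVR_CRT, so the positional order of the array is now a contract shared by three format strings; a one-line comment above `scriptArgs` such as `// {0}=pass {1}=keys dir {2}=key {3}=crt {4}=keystore {5}=csr` would make that explicit. The enclosing method continues past the end of the hunk.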
--- a/ambari-server/src/main/resources/ca.config
+++ /dev/null
@@ -1,24 +0,0 @@
-[ ca ]
-default_ca = CA_CLIENT
-[ CA_CLIENT ]
-dir = keystore/db
-certs = $dir/certs
-new_certs_dir = $dir/newcerts
-
-database = $dir/index.txt
-serial = $dir/serial
-default_days = 365
-
-default_crl_days = 7
-default_md = md5
-
-policy = policy_anything
-
-[ policy_anything ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = supplied
-commonName = optional
-emailAddress = optional
http://git-wip-us.apache.org/repos/asf/ambari/blob/aad6fdb9/ambari-server/src/test/java/org/apache/ambari/server/security/CertGenerationTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/CertGenerationTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/CertGenerationTest.java
index b73b5c8..45ced24 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/CertGenerationTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/CertGenerationTest.java
@@ -23,7 +23,9 @@ import java.lang.reflect.Constructor; import java.util.Map; import java.util.Properties; +import com.google.common.io.Files; import org.apache.ambari.server.configuration.Configuration; +import org.apache.commons.io.IOUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.junit.After;
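Review bot: The added `import com.google.common.io.Files;` is not referenced by any of the test hunks in this commit, which use `IOUtils` and `java.io.File` instead; if it is also unused in the rest of the file, drop it so the test does not pick up a Guava dependency it does not need. The `IOUtils` import is used in the setUp hunk below.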
@@ -64,17 +66,16 @@ public class CertGenerationTest extends TestCase { protected Properties buildTestProperties() { try { - temp.create(); - } catch (IOException e) { - e.printStackTrace(); - } - Properties properties = new Properties(); - properties.setProperty(Configuration.SRVR_KSTR_DIR_KEY, temp.getRoot().getAbsolutePath()); - - - System.out.println(properties.get(Configuration.SRVR_CRT_PASS_KEY)); + temp.create(); + } catch (IOException e) { + e.printStackTrace(); + } + Properties properties = new Properties(); + properties.setProperty(Configuration.SRVR_KSTR_DIR_KEY, + temp.getRoot().getAbsolutePath()); + System.out.println(properties.get(Configuration.SRVR_CRT_PASS_KEY)); - return properties; + return properties; } protected Constructor<Configuration> getConfigurationConstructor() { @@ -92,6 +93,24 @@ public class CertGenerationTest extends TestCase { injector = Guice.createInjector(new SecurityModule()); certMan = injector.getInstance(CertificateManager.class); + //Test using actual ca.config. + try { + File caConfig = new File("conf/unix/ca.config"); + File caConfigTest = + new File(temp.getRoot().getAbsolutePath(), "ca.config"); + File newCertsDir = new File(temp.getRoot().getAbsolutePath(), "newcerts"); + newCertsDir.mkdirs(); + File indexTxt = new File(temp.getRoot().getAbsolutePath(), "index.txt"); + indexTxt.createNewFile(); + + String content = IOUtils.toString(new FileInputStream(caConfig)); + content = content.replaceAll("/var/lib/ambari-server/keys/db", temp.getRoot().getAbsolutePath()); + IOUtils.write(content, new FileOutputStream(caConfigTest)); + } catch (IOException e) { + e.printStackTrace(); + fail(); + } + certMan.initRootCert(); } 
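Review bot: `content.replaceAll("/var/lib/ambari-server/keys/db", temp.getRoot().getAbsolutePath())` in the new ca.config rewrite treats the temp directory path as a regex replacement string, so a path containing `\` or `$` (a Windows temp dir, for example) is mangled or throws; `String.replace` does the literal substitution the test intends. The `FileInputStream` and `FileOutputStream` handed to `IOUtils.toString` and `IOUtils.write` are never closed and rely on the platform default charset, and the results of `newCertsDir.mkdirs()` and `indexTxt.createNewFile()` are ignored, so a failure to set up the CA database would only surface later as an openssl error instead of at the point that caused it. The enclosing setUp method begins before this hunk; the rewritten portion is below.
```java
// … unchanged: caConfig / caConfigTest / newCertsDir / indexTxt declarations …
assertTrue(newCertsDir.mkdirs());
assertTrue(indexTxt.createNewFile());

String content;
FileInputStream in = new FileInputStream(caConfig);
try {
  content = IOUtils.toString(in, "UTF-8");
} finally {
  in.close();
}
// literal replace: the temp path may contain '\' or '$', which replaceAll() would misinterpret
content = content.replace("/var/lib/ambari-server/keys/db",
    temp.getRoot().getAbsolutePath());
FileOutputStream out = new FileOutputStream(caConfigTest);
try {
  IOUtils.write(content, out, "UTF-8");
} finally {
  out.close();
}
// … unchanged: catch (IOException e) { e.printStackTrace(); fail(); } …
```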
@@ -139,8 +158,6 @@ public class CertGenerationTest extends TestCase { //Emulate existing agent certificate File fakeAgentCertFile = new File(temp.getRoot().getAbsoluteFile() + File.separator + agentHostname + ".crt"); - assertFalse(fakeAgentCertFile.exists()); - fakeAgentCertFile.createNewFile(); assertTrue(fakeAgentCertFile.exists()); //Revoke command was executed
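Review bot: With `fakeAgentCertFile.createNewFile()` removed, the `//Emulate existing agent certificate` comment no longer matches the code under it: the test now asserts that `<agentHostname>.crt` already exists instead of creating it, so the assertion depends on something earlier in the method (outside this hunk) having issued that certificate. Either update the comment, for instance `//The agent certificate must already have been issued by the steps above`, or keep the emulation and remove only the `assertFalse`. The enclosing test method begins before this hunk.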
