AMBARI-7980. Create ability to disable ciphers for https connections in Ambari. (dlysnichenko)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/f6d39a9d
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/f6d39a9d
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/f6d39a9d
Branch: refs/heads/branch-1.7.0
Commit: f6d39a9d6f733df3813fd4df834efcf667ea7229
Parents: 6b2a91c
Author: Lisnichenko Dmitro <[email protected]>
Authored: Sun Oct 26 20:27:52 2014 +0200
Committer: Lisnichenko Dmitro <[email protected]>
Committed: Sun Oct 26 20:27:52 2014 +0200
----------------------------------------------------------------------
 ambari-server/conf/unix/ambari.properties | 1 +
 .../server/configuration/Configuration.java | 10 +++++
 .../ambari/server/controller/AmbariServer.java | 40 ++++++++++++++------
 3 files changed, 39 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/f6d39a9d/ambari-server/conf/unix/ambari.properties
----------------------------------------------------------------------
diff --git a/ambari-server/conf/unix/ambari.properties b/ambari-server/conf/unix/ambari.properties
index d37174f..760441b 100644
--- a/ambari-server/conf/unix/ambari.properties
+++ b/ambari-server/conf/unix/ambari.properties
@@ -17,6 +17,7 @@
 # limitations under the License.
 security.server.keys_dir = /var/lib/ambari-server/keys
+#security.server.disabled.ciphers=SSL_RSA_WITH_DES_CBC_SHA|SSL_RSA_EXPORT_WITH_RC4_40_MD5|SSL_DHE_RSA_WITH_DES_CBC_SHA|SSL_DHE_DSS_WITH_DES_CBC_SHA|SSL_RSA_EXPORT_WITH_DES40_CBC_SHA|SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA|SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA|SSL_RSA_WITH_3DES_EDE_CBC_SHA|SSL_DHE_RSA_WITH_DES_CBC_SHA
 resources.dir = /var/lib/ambari-server/resources
 custom.action.definitions = /var/lib/ambari-server/resources/custom_action_definitions
 jdk1.6.url=http://public-repo-1.hortonworks.com/ARTIFACTS/jdk-6u31-linux-x64.bin
http://git-wip-us.apache.org/repos/asf/ambari/blob/f6d39a9d/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index c3172f2..8f95b6e 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -90,6 +90,7 @@ public class Configuration {
 public static final String PASSPHRASE_ENV_KEY = "security.server.passphrase_env_var";
 public static final String PASSPHRASE_KEY = "security.server.passphrase";
+ public static final String SRVR_DISABLED_CIPHERS = "security.server.disabled.ciphers";
 public static final String RESOURCES_DIR_KEY = "resources.dir";
 public static final String METADETA_DIR_PATH = "metadata.path";
 public static final String SERVER_VERSION_FILE = "server.version.file";
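Review bot: The sample value added for `security.server.disabled.ciphers` lists `SSL_DHE_RSA_WITH_DES_CBC_SHA` twice (third and last entry), so anyone who uncomments it inherits a duplicated entry; drop the repeat. Because the line ships commented out and the Java default for the key is the empty string, an unmodified installation still offers every export/DES/3DES suite in that list on all three HTTPS connectors, which may not be the intent of a change titled "disable ciphers"; consider shipping the line active. A one-line comment above it would also spare operators a trip to the source: `# Pipe-separated cipher suite names excluded from all Ambari HTTPS connectors (empty = exclude none).`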
@@ -258,6 +259,7 @@ public class Configuration {
 private static final String API_CSRF_PREVENTION_DEFAULT = "true";
 private static final String SRVR_CRT_PASS_FILE_DEFAULT = "pass.txt";
 private static final String SRVR_CRT_PASS_LEN_DEFAULT = "50";
+ private static final String SRVR_DISABLED_CIPHERS_DEFAULT = "";
 private static final String PASSPHRASE_ENV_DEFAULT = "AMBARI_PASSPHRASE";
 private static final String RESOURCES_DIR_DEFAULT = "/var/lib/ambari-server/resources/";
@@ -360,6 +362,8 @@ public class Configuration {
 RESOURCES_DIR_KEY, RESOURCES_DIR_DEFAULT));
 configsMap.put(SRVR_CRT_PASS_LEN_KEY, properties.getProperty(
 SRVR_CRT_PASS_LEN_KEY, SRVR_CRT_PASS_LEN_DEFAULT));
+ configsMap.put(SRVR_DISABLED_CIPHERS, properties.getProperty(
+ SRVR_DISABLED_CIPHERS, SRVR_DISABLED_CIPHERS_DEFAULT));
 configsMap.put(CLIENT_API_SSL_KSTR_DIR_NAME_KEY, properties.getProperty(
 CLIENT_API_SSL_KSTR_DIR_NAME_KEY, configsMap.get(SRVR_KSTR_DIR_KEY)));
@@ -909,6 +913,12 @@ public class Configuration {
 return defaultDir + File.separator + MASTER_KEY_FILENAME_DEFAULT;
 }
+ public String getSrvrDisabledCiphers() {
+ String disabledCiphers = properties.getProperty(SRVR_DISABLED_CIPHERS,
+ properties.getProperty(SRVR_DISABLED_CIPHERS, SRVR_DISABLED_CIPHERS_DEFAULT));
+ return disabledCiphers.trim();
+ }
+
 public int getOneWayAuthPort() {
 return Integer.parseInt(properties.getProperty(SRVR_ONE_WAY_SSL_PORT_KEY, String.valueOf(SRVR_ONE_WAY_SSL_PORT_DEFAULT)));
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/f6d39a9d/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index f61341d..1990e4b 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
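Review bot: The fallback argument in the new `getSrvrDisabledCiphers()` (the `@@ -909` hunk) is a second lookup of the very same key, so the nested `properties.getProperty(SRVR_DISABLED_CIPHERS, properties.getProperty(SRVR_DISABLED_CIPHERS, SRVR_DISABLED_CIPHERS_DEFAULT))` collapses to a single call and the method body can be just `return properties.getProperty(SRVR_DISABLED_CIPHERS, SRVR_DISABLED_CIPHERS_DEFAULT).trim();`. The getter has no Javadoc; since its return value feeds a security control, document the contract: `/** Pipe-separated cipher suite names to exclude from every HTTPS connector; empty when none are configured. Only the whole value is trimmed, not the individual entries. */`. As a style point, the key constant added in the `@@ -90` hunk is named `SRVR_DISABLED_CIPHERS` while its neighbours (`PASSPHRASE_KEY`, `RESOURCES_DIR_KEY`, `SRVR_CRT_PASS_LEN_KEY`) carry a `_KEY` suffix, so `SRVR_DISABLED_CIPHERS_KEY` would match the file's convention.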
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -132,6 +132,7 @@ public class AmbariServer {
 final String CONTEXT_PATH = "/";
 final String SPRING_CONTEXT_LOCATION = "classpath:/webapp/WEB-INF/spring-security.xml";
+ final String DISABLED_CIPHERS_SPLITTER = "\\|";
 @Inject Configuration configs;
@@ -272,8 +273,13 @@ public class AmbariServer {
 //Secured connector for 2-way auth
+ SslContextFactory contextFactoryTwoWay = new SslContextFactory();
+ if (! configs.getSrvrDisabledCiphers().isEmpty()) {
+ String [] masks = configs.getSrvrDisabledCiphers().split(DISABLED_CIPHERS_SPLITTER);
+ contextFactoryTwoWay.setExcludeCipherSuites(masks);
+ }
 SslSelectChannelConnector sslConnectorTwoWay = new
- SslSelectChannelConnector();
+ SslSelectChannelConnector(contextFactoryTwoWay);
 sslConnectorTwoWay.setPort(configs.getTwoWayAuthPort());
 Map<String, String> configsMap = configs.getConfigsMap();
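Review bot: The read-split-exclude sequence added before `sslConnectorTwoWay` in the `@@ -272` hunk is repeated verbatim for the one-way connector in the `@@ -290` hunk and for the API connector in the `@@ -386` hunk; three copies of a security control drift apart easily, so it belongs in one private helper applied to each factory. The helper is also the place to fix a gap in the current code: `Configuration.getSrvrDisabledCiphers()` trims only the whole value, so an operator value such as `A | B` (a constructed example) yields entries with surrounding whitespace that cannot match a suite name, and those suites stay enabled with no warning. Whether this Jetty version matches `setExcludeCipherSuites` entries as exact names or as patterns is not visible here; logging the effective exclusion list at startup would make a silently ineffective configuration observable. The enclosing method starts and ends outside the hunk.
```java
  //Secured connector for 2-way auth
  SslContextFactory contextFactoryTwoWay = new SslContextFactory();
  applyDisabledCiphers(contextFactoryTwoWay);
  // … unchanged: connector construction …

  /**
   * Excludes the cipher suites named in security.server.disabled.ciphers from the
   * given factory. Entries are trimmed and empty entries skipped; no-op when the
   * property is unset so the Jetty defaults apply unchanged.
   */
  private void applyDisabledCiphers(SslContextFactory contextFactory) {
    String disabled = configs.getSrvrDisabledCiphers();
    if (disabled.isEmpty()) {
      return;
    }
    List<String> masks = new ArrayList<String>();
    for (String mask : disabled.split(DISABLED_CIPHERS_SPLITTER)) {
      String trimmed = mask.trim();
      if (!trimmed.isEmpty()) {
        masks.add(trimmed);
      }
    }
    contextFactory.setExcludeCipherSuites(masks.toArray(new String[masks.size()]));
    LOG.info("Excluded cipher suites for HTTPS connectors: " + masks);
  }
```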
@@ -290,18 +296,22 @@ public class AmbariServer {
 sslConnectorTwoWay.setNeedClientAuth(configs.getTwoWaySsl());
 //SSL Context Factory
- SslContextFactory contextFactory = new SslContextFactory(true);
- contextFactory.setKeyStorePath(keystore);
- contextFactory.setTrustStore(keystore);
- contextFactory.setKeyStorePassword(srvrCrtPass);
- contextFactory.setKeyManagerPassword(srvrCrtPass);
- contextFactory.setTrustStorePassword(srvrCrtPass);
- contextFactory.setKeyStoreType("PKCS12");
- contextFactory.setTrustStoreType("PKCS12");
- contextFactory.setNeedClientAuth(false);
+ SslContextFactory contextFactoryOneWay = new SslContextFactory(true);
+ contextFactoryOneWay.setKeyStorePath(keystore);
+ contextFactoryOneWay.setTrustStore(keystore);
+ contextFactoryOneWay.setKeyStorePassword(srvrCrtPass);
+ contextFactoryOneWay.setKeyManagerPassword(srvrCrtPass);
+ contextFactoryOneWay.setTrustStorePassword(srvrCrtPass);
+ contextFactoryOneWay.setKeyStoreType("PKCS12");
+ contextFactoryOneWay.setTrustStoreType("PKCS12");
+ contextFactoryOneWay.setNeedClientAuth(false);
+ if (! configs.getSrvrDisabledCiphers().isEmpty()) {
+ String [] masks = configs.getSrvrDisabledCiphers().split(DISABLED_CIPHERS_SPLITTER);
+ contextFactoryOneWay.setExcludeCipherSuites(masks);
+ }
 //Secured connector for 1-way auth
- SslSelectChannelConnector sslConnectorOneWay = new SslSelectChannelConnector(contextFactory);
+ SslSelectChannelConnector sslConnectorOneWay = new SslSelectChannelConnector(contextFactoryOneWay);
 sslConnectorOneWay.setPort(configs.getOneWayAuthPort());
 sslConnectorOneWay.setAcceptors(2);
 sslConnectorTwoWay.setAcceptors(2);
@@ -386,7 +396,13 @@ public class AmbariServer {
 String httpsCrtPass = configsMap.get(Configuration.CLIENT_API_SSL_CRT_PASS_KEY);
- SslSelectChannelConnector sapiConnector = new SslSelectChannelConnector();
+ SslContextFactory contextFactoryApi = new SslContextFactory();
+ if (! configs.getSrvrDisabledCiphers().isEmpty()) {
+ String [] masks = configs.getSrvrDisabledCiphers().split(DISABLED_CIPHERS_SPLITTER);
+ contextFactoryApi.setExcludeCipherSuites(masks);
+ }
+
+ SslSelectChannelConnector sapiConnector = new SslSelectChannelConnector(contextFactoryApi);
 sapiConnector.setPort(configs.getClientSSLApiPort());
 sapiConnector.setKeystore(httpsKeystore);
 sapiConnector.setTruststore(httpsKeystore);
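Review bot: `contextFactoryApi` is handed to the connector on the last added line, yet the keystore and truststore for this connector are still applied through the connector-level `sapiConnector.setKeystore(httpsKeystore)` / `sapiConnector.setTruststore(httpsKeystore)` on the following context lines. If those setters do not write through to the factory passed in the constructor in the Jetty version used here, the API connector would start with the exclusion list but without the intended key material; I cannot confirm the delegation from this hunk. Configuring the key material on `contextFactoryApi` directly, as the one-way connector does with `contextFactoryOneWay.setKeyStorePath(keystore)` in the `@@ -290` hunk, removes the doubt and keeps the three connectors consistent. The enclosing method starts and ends outside the hunk.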
