AMBARI-7980. Create ability to disable ciphers for https connections in Ambari. (dlysnichenko)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/950ed5da Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/950ed5da Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/950ed5da Branch: refs/heads/trunk Commit: 950ed5da567e5b1f597a24c99fe000ddf89d870b Parents: a019383 Author: Lisnichenko Dmitro <[email protected]> Authored: Sun Oct 26 20:24:47 2014 +0200 Committer: Lisnichenko Dmitro <[email protected]> Committed: Sun Oct 26 20:24:47 2014 +0200 ---------------------------------------------------------------------- ambari-server/conf/unix/ambari.properties | 1 + .../server/configuration/Configuration.java | 10 +++++ .../ambari/server/controller/AmbariServer.java | 40 ++++++++++++++------ 3 files changed, 39 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/950ed5da/ambari-server/conf/unix/ambari.properties ---------------------------------------------------------------------- diff --git a/ambari-server/conf/unix/ambari.properties b/ambari-server/conf/unix/ambari.properties index 531d717..ebd3aa5 100644 --- a/ambari-server/conf/unix/ambari.properties +++ b/ambari-server/conf/unix/ambari.properties 
@@ -17,6 +17,7 @@ # limitations under the License. security.server.keys_dir = /var/lib/ambari-server/keys +#security.server.disabled.ciphers=SSL_RSA_WITH_DES_CBC_SHA|SSL_RSA_EXPORT_WITH_RC4_40_MD5|SSL_DHE_RSA_WITH_DES_CBC_SHA|SSL_DHE_DSS_WITH_DES_CBC_SHA|SSL_RSA_EXPORT_WITH_DES40_CBC_SHA|SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA|SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA|SSL_RSA_WITH_3DES_EDE_CBC_SHA|SSL_DHE_RSA_WITH_DES_CBC_SHA resources.dir = /var/lib/ambari-server/resources shared.resources.dir = /usr/lib/ambari-server/lib/ambari_commons/resources custom.action.definitions = /var/lib/ambari-server/resources/custom_action_definitions http://git-wip-us.apache.org/repos/asf/ambari/blob/950ed5da/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java index 535e569..feb4318 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java @@ -90,6 +90,7 @@ public class Configuration { public static final String PASSPHRASE_ENV_KEY = "security.server.passphrase_env_var"; public static final String PASSPHRASE_KEY = "security.server.passphrase"; + public static final String SRVR_DISABLED_CIPHERS = "security.server.disabled.ciphers"; public static final String RESOURCES_DIR_KEY = "resources.dir"; public static final String METADETA_DIR_PATH = "metadata.path"; public static final String SERVER_VERSION_FILE = "server.version.file"; 
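Review bot: The new key constant `SRVR_DISABLED_CIPHERS` in the @@ -90 hunk breaks the naming pattern of its neighbours (`PASSPHRASE_KEY`, `RESOURCES_DIR_KEY`, `SRVR_CRT_PASS_LEN_KEY`), which all carry a `_KEY` suffix to tell a property name apart from its `_DEFAULT`. Renaming it `SRVR_DISABLED_CIPHERS_KEY` and updating the three uses in the later Configuration.java hunks keeps the class consistent. A one-line Javadoc on the constant, `/** Pipe-separated list of TLS cipher suite names to exclude from every HTTPS connector. */`, would also record the expected format, which is otherwise only visible in the commented example added to ambari.properties. The Configuration class body continues outside the hunk.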
@@ -259,6 +260,7 @@ public class Configuration { private static final String API_CSRF_PREVENTION_DEFAULT = "true"; private static final String SRVR_CRT_PASS_FILE_DEFAULT = "pass.txt"; private static final String SRVR_CRT_PASS_LEN_DEFAULT = "50"; + private static final String SRVR_DISABLED_CIPHERS_DEFAULT = ""; private static final String PASSPHRASE_ENV_DEFAULT = "AMBARI_PASSPHRASE"; private static final String RESOURCES_DIR_DEFAULT = "/var/lib/ambari-server/resources/"; @@ -362,6 +364,8 @@ public class Configuration { RESOURCES_DIR_KEY, RESOURCES_DIR_DEFAULT)); configsMap.put(SRVR_CRT_PASS_LEN_KEY, properties.getProperty( SRVR_CRT_PASS_LEN_KEY, SRVR_CRT_PASS_LEN_DEFAULT)); + configsMap.put(SRVR_DISABLED_CIPHERS, properties.getProperty( + SRVR_DISABLED_CIPHERS, SRVR_DISABLED_CIPHERS_DEFAULT)); configsMap.put(CLIENT_API_SSL_KSTR_DIR_NAME_KEY, properties.getProperty( CLIENT_API_SSL_KSTR_DIR_NAME_KEY, configsMap.get(SRVR_KSTR_DIR_KEY))); @@ -918,6 +922,12 @@ public class Configuration { return defaultDir + File.separator + MASTER_KEY_FILENAME_DEFAULT; } + public String getSrvrDisabledCiphers() { + String disabledCiphers = properties.getProperty(SRVR_DISABLED_CIPHERS, + properties.getProperty(SRVR_DISABLED_CIPHERS, SRVR_DISABLED_CIPHERS_DEFAULT)); + return disabledCiphers.trim(); + } + public int getOneWayAuthPort() { return Integer.parseInt(properties.getProperty(SRVR_ONE_WAY_SSL_PORT_KEY, String.valueOf(SRVR_ONE_WAY_SSL_PORT_DEFAULT))); } http://git-wip-us.apache.org/repos/asf/ambari/blob/950ed5da/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java index cfb73bc..0d5ee95 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 
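Review bot: `getSrvrDisabledCiphers()` in the @@ -918 hunk passes a second `properties.getProperty(SRVR_DISABLED_CIPHERS, SRVR_DISABLED_CIPHERS_DEFAULT)` lookup as the default of the outer lookup, which is redundant: the outer call only falls back when the key is absent, and the inner call then returns the same default. The body should read `String disabledCiphers = properties.getProperty(SRVR_DISABLED_CIPHERS, SRVR_DISABLED_CIPHERS_DEFAULT);` followed by `return disabledCiphers.trim();`. Since the @@ -362 hunk also stores the untrimmed value in `configsMap` under the same key, callers now have two read paths that can disagree on surrounding whitespace, so the getter deserves a Javadoc stating which form it returns, e.g. `/** Returns the trimmed, pipe-separated list of cipher suites to exclude, or the empty string when none are configured. */`.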
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java @@ -140,6 +140,7 @@ public class AmbariServer { final String CONTEXT_PATH = "/"; final String SPRING_CONTEXT_LOCATION = "classpath:/webapp/WEB-INF/spring-security.xml"; + final String DISABLED_CIPHERS_SPLITTER = "\\|"; @Inject Configuration configs; @@ -290,8 +291,13 @@ public class AmbariServer { //Secured connector for 2-way auth + SslContextFactory contextFactoryTwoWay = new SslContextFactory(); + if (! configs.getSrvrDisabledCiphers().isEmpty()) { + String [] masks = configs.getSrvrDisabledCiphers().split(DISABLED_CIPHERS_SPLITTER); + contextFactoryTwoWay.setExcludeCipherSuites(masks); + } SslSelectChannelConnector sslConnectorTwoWay = new - SslSelectChannelConnector(); + SslSelectChannelConnector(contextFactoryTwoWay); sslConnectorTwoWay.setPort(configs.getTwoWayAuthPort()); Map<String, String> configsMap = configs.getConfigsMap(); 
@@ -308,18 +314,22 @@ public class AmbariServer { sslConnectorTwoWay.setNeedClientAuth(configs.getTwoWaySsl()); //SSL Context Factory - SslContextFactory contextFactory = new SslContextFactory(true); - contextFactory.setKeyStorePath(keystore); - contextFactory.setTrustStore(keystore); - contextFactory.setKeyStorePassword(srvrCrtPass); - contextFactory.setKeyManagerPassword(srvrCrtPass); - contextFactory.setTrustStorePassword(srvrCrtPass); - contextFactory.setKeyStoreType("PKCS12"); - contextFactory.setTrustStoreType("PKCS12"); - contextFactory.setNeedClientAuth(false); + SslContextFactory contextFactoryOneWay = new SslContextFactory(true); + contextFactoryOneWay.setKeyStorePath(keystore); + contextFactoryOneWay.setTrustStore(keystore); + contextFactoryOneWay.setKeyStorePassword(srvrCrtPass); + contextFactoryOneWay.setKeyManagerPassword(srvrCrtPass); + contextFactoryOneWay.setTrustStorePassword(srvrCrtPass); + contextFactoryOneWay.setKeyStoreType("PKCS12"); + contextFactoryOneWay.setTrustStoreType("PKCS12"); + contextFactoryOneWay.setNeedClientAuth(false); + if (! configs.getSrvrDisabledCiphers().isEmpty()) { + String [] masks = configs.getSrvrDisabledCiphers().split(DISABLED_CIPHERS_SPLITTER); + contextFactoryOneWay.setExcludeCipherSuites(masks); + } //Secured connector for 1-way auth - SslSelectChannelConnector sslConnectorOneWay = new SslSelectChannelConnector(contextFactory); + SslSelectChannelConnector sslConnectorOneWay = new SslSelectChannelConnector(contextFactoryOneWay); sslConnectorOneWay.setPort(configs.getOneWayAuthPort()); sslConnectorOneWay.setAcceptors(2); sslConnectorTwoWay.setAcceptors(2); 
@@ -404,7 +414,13 @@ public class AmbariServer { String httpsCrtPass = configsMap.get(Configuration.CLIENT_API_SSL_CRT_PASS_KEY); - SslSelectChannelConnector sapiConnector = new SslSelectChannelConnector(); + SslContextFactory contextFactoryApi = new SslContextFactory(); + if (! configs.getSrvrDisabledCiphers().isEmpty()) { + String [] masks = configs.getSrvrDisabledCiphers().split(DISABLED_CIPHERS_SPLITTER); + contextFactoryApi.setExcludeCipherSuites(masks); + } + + SslSelectChannelConnector sapiConnector = new SslSelectChannelConnector(contextFactoryApi); sapiConnector.setPort(configs.getClientSSLApiPort()); sapiConnector.setKeystore(httpsKeystore); sapiConnector.setTruststore(httpsKeystore);
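Review bot: The four-line block that reads `configs.getSrvrDisabledCiphers()`, tests it for emptiness, splits it on `DISABLED_CIPHERS_SPLITTER` and calls `setExcludeCipherSuites` is copied verbatim into the API connector here, the two-way connector in @@ -290 and the one-way connector in @@ -308, and each copy calls the getter twice. Because exclusion is a deny-list, an entry that does not match a suite name exactly is presumably just ignored, and `split` does not strip whitespace around the `|` separators, so a value such as `A | B` would leave `B` enabled with no indication. I would hoist the logic into one private helper that trims each entry, call `applyDisabledCiphers(contextFactoryApi);` (and the two-way/one-way factories) from the three sites, and log the effective exclusion list there with the class logger so an operator can confirm the setting took effect. That requires promoting `DISABLED_CIPHERS_SPLITTER` from the method local added in @@ -140 to a `private static final` field. The enclosing method starts before and ends after these hunks.
```java
  /** Applies the security.server.disabled.ciphers deny-list to a connector's SSL context factory. */
  private void applyDisabledCiphers(SslContextFactory contextFactory) {
    String disabledCiphers = configs.getSrvrDisabledCiphers();
    if (disabledCiphers.isEmpty()) {
      return;
    }
    String[] masks = disabledCiphers.split(DISABLED_CIPHERS_SPLITTER);
    for (int i = 0; i < masks.length; i++) {
      masks[i] = masks[i].trim(); // tolerate "A | B" in ambari.properties
    }
    contextFactory.setExcludeCipherSuites(masks);
  }

  // … unchanged: keystore/password lookup …
  SslContextFactory contextFactoryApi = new SslContextFactory();
  applyDisabledCiphers(contextFactoryApi);
```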
