Repository: ambari Updated Branches: refs/heads/branch-1.7.0 b1b36a16e -> 1b3cfd6c4 refs/heads/trunk 6a29afb0f -> 0e93c5d5e
AMBARI-8019. Create ability to disable protocols for https connections in Ambari. (dlysnichenko)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/1b3cfd6c
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/1b3cfd6c
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/1b3cfd6c
Branch: refs/heads/branch-1.7.0
Commit: 1b3cfd6c42ee863fe11816e108ced0d4f52d85f4
Parents: b1b36a1
Author: Lisnichenko Dmitro <[email protected]>
Authored: Wed Oct 29 18:06:26 2014 +0200
Committer: Lisnichenko Dmitro <[email protected]>
Committed: Wed Oct 29 18:48:00 2014 +0200
----------------------------------------------------------------------
ambari-server/conf/unix/ambari.properties | 1 +
.../server/configuration/Configuration.java | 12 ++++++-
.../ambari/server/controller/AmbariServer.java | 33 +++++++++++---------
3 files changed, 31 insertions(+), 15 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/1b3cfd6c/ambari-server/conf/unix/ambari.properties
----------------------------------------------------------------------
diff --git a/ambari-server/conf/unix/ambari.properties b/ambari-server/conf/unix/ambari.properties
index 760441b..6539f8e 100644
--- a/ambari-server/conf/unix/ambari.properties
+++ b/ambari-server/conf/unix/ambari.properties
@@ -18,6 +18,7 @@ security.server.keys_dir = /var/lib/ambari-server/keys
 #security.server.disabled.ciphers=SSL_RSA_WITH_DES_CBC_SHA|SSL_RSA_EXPORT_WITH_RC4_40_MD5|SSL_DHE_RSA_WITH_DES_CBC_SHA|SSL_DHE_DSS_WITH_DES_CBC_SHA|SSL_RSA_EXPORT_WITH_DES40_CBC_SHA|SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA|SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA|SSL_RSA_WITH_3DES_EDE_CBC_SHA|SSL_DHE_RSA_WITH_DES_CBC_SHA
+#security.server.disabled.protocols=SSL|SSLv2|SSLv3
 resources.dir = /var/lib/ambari-server/resources
 custom.action.definitions = /var/lib/ambari-server/resources/custom_action_definitions
 jdk1.6.url=http://public-repo-1.hortonworks.com/ARTIFACTS/jdk-6u31-linux-x64.bin
http://git-wip-us.apache.org/repos/asf/ambari/blob/1b3cfd6c/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index 8f95b6e..0734cfb 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -91,6 +91,7 @@ public class Configuration {
 "security.server.passphrase_env_var";
 public static final String PASSPHRASE_KEY = "security.server.passphrase";
 public static final String SRVR_DISABLED_CIPHERS = "security.server.disabled.ciphers";
+ public static final String SRVR_DISABLED_PROTOCOLS = "security.server.disabled.protocols";
 public static final String RESOURCES_DIR_KEY = "resources.dir";
 public static final String METADETA_DIR_PATH = "metadata.path";
 public static final String SERVER_VERSION_FILE = "server.version.file";
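Review bot: The example value `SSL|SSLv2|SSLv3` on the added `security.server.disabled.protocols` line mixes two names that a JSSE provider does not report as socket protocols (`SSL` and `SSLv2`) with one that it does (`SSLv3`); if Jetty's exclude list is applied by exact name, as its SslContextFactory appears to do, the first two entries are no-ops and only `SSLv3` is actually removed. `SSLv2Hello` is the other legacy protocol name a deployment would normally want in this list. Because the line ships commented out, the new control is opt-in and an unmatched entry gives no feedback, so I would add a comment directly above it: `# '|'-separated protocol names; each must match exactly what the JVM reports via SSLSocket.getSupportedProtocols(), unmatched names are ignored`.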
@@ -260,6 +261,7 @@ public class Configuration {
 private static final String SRVR_CRT_PASS_FILE_DEFAULT = "pass.txt";
 private static final String SRVR_CRT_PASS_LEN_DEFAULT = "50";
 private static final String SRVR_DISABLED_CIPHERS_DEFAULT = "";
+ private static final String SRVR_DISABLED_PROTOCOLS_DEFAULT = "";
 private static final String PASSPHRASE_ENV_DEFAULT = "AMBARI_PASSPHRASE";
 private static final String RESOURCES_DIR_DEFAULT = "/var/lib/ambari-server/resources/";
@@ -363,7 +365,9 @@ public class Configuration {
 configsMap.put(SRVR_CRT_PASS_LEN_KEY, properties.getProperty(
 SRVR_CRT_PASS_LEN_KEY, SRVR_CRT_PASS_LEN_DEFAULT));
 configsMap.put(SRVR_DISABLED_CIPHERS, properties.getProperty(
- SRVR_DISABLED_CIPHERS, SRVR_DISABLED_CIPHERS_DEFAULT));
+ SRVR_DISABLED_CIPHERS, SRVR_DISABLED_CIPHERS_DEFAULT));
+ configsMap.put(SRVR_DISABLED_PROTOCOLS, properties.getProperty(
+ SRVR_DISABLED_PROTOCOLS, SRVR_DISABLED_PROTOCOLS_DEFAULT));
 configsMap.put(CLIENT_API_SSL_KSTR_DIR_NAME_KEY, properties.getProperty(
 CLIENT_API_SSL_KSTR_DIR_NAME_KEY, configsMap.get(SRVR_KSTR_DIR_KEY)));
@@ -919,6 +923,12 @@ public class Configuration {
 return disabledCiphers.trim();
 }
+ public String getSrvrDisabledProtocols() {
+ String disabledProtocols = properties.getProperty(SRVR_DISABLED_PROTOCOLS,
+ properties.getProperty(SRVR_DISABLED_PROTOCOLS, SRVR_DISABLED_PROTOCOLS_DEFAULT));
+ return disabledProtocols.trim();
+ }
+
 public int getOneWayAuthPort() {
 return Integer.parseInt(properties.getProperty(SRVR_ONE_WAY_SSL_PORT_KEY, String.valueOf(SRVR_ONE_WAY_SSL_PORT_DEFAULT)));
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/1b3cfd6c/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index 1990e4b..68097ff 100644
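Review bot: `SRVR_DISABLED_PROTOCOLS_DEFAULT = ""` means no protocol is excluded unless an operator sets `security.server.disabled.protocols`, so on the JDKs of this era every HTTPS connector touched by this commit most likely still negotiates SSLv3 out of the box; the cipher default follows the same opt-in pattern, but this constant is the one that governs the handshake version. I would ship a hardened default, `private static final String SRVR_DISABLED_PROTOCOLS_DEFAULT = "SSLv3|SSLv2Hello";`, or, if the property is meant to stay opt-in, say so in a comment on the constant so a reader does not assume the server is hardened by default. The same default is what the hunk at line 363 copies into `configsMap` and what the getter added at line 919 falls back to.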
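Review bot: `getSrvrDisabledProtocols()` looks the same key up twice: the inner `properties.getProperty(SRVR_DISABLED_PROTOCOLS, SRVR_DISABLED_PROTOCOLS_DEFAULT)` only serves as the default for an identical outer lookup and can never change the result. Collapse it to `return properties.getProperty(SRVR_DISABLED_PROTOCOLS, SRVR_DISABLED_PROTOCOLS_DEFAULT).trim();` and add a Javadoc stating that the value is the `|`-separated list of protocol names to exclude from the HTTPS connectors, empty by default, and that only the whole string is trimmed here, not the individual entries. The context line `return disabledCiphers.trim();` suggests `getSrvrDisabledCiphers()` has the same shape, but its body lies outside the hunk.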
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -132,7 +132,7 @@ public class AmbariServer {
 final String CONTEXT_PATH = "/";
 final String SPRING_CONTEXT_LOCATION = "classpath:/webapp/WEB-INF/spring-security.xml";
- final String DISABLED_CIPHERS_SPLITTER = "\\|";
+ final String DISABLED_ENTRIES_SPLITTER = "\\|";
 @Inject Configuration configs;
@@ -274,10 +274,7 @@ public class AmbariServer {
 //Secured connector for 2-way auth
 SslContextFactory contextFactoryTwoWay = new SslContextFactory();
- if (! configs.getSrvrDisabledCiphers().isEmpty()) {
- String [] masks = configs.getSrvrDisabledCiphers().split(DISABLED_CIPHERS_SPLITTER);
- contextFactoryTwoWay.setExcludeCipherSuites(masks);
- }
+ disableInsecureProtocols(contextFactoryTwoWay);
 SslSelectChannelConnector sslConnectorTwoWay = new SslSelectChannelConnector(contextFactoryTwoWay);
 sslConnectorTwoWay.setPort(configs.getTwoWayAuthPort());
@@ -305,10 +302,7 @@ public class AmbariServer {
 contextFactoryOneWay.setKeyStoreType("PKCS12");
 contextFactoryOneWay.setTrustStoreType("PKCS12");
 contextFactoryOneWay.setNeedClientAuth(false);
- if (! configs.getSrvrDisabledCiphers().isEmpty()) {
- String [] masks = configs.getSrvrDisabledCiphers().split(DISABLED_CIPHERS_SPLITTER);
- contextFactoryOneWay.setExcludeCipherSuites(masks);
- }
+ disableInsecureProtocols(contextFactoryOneWay);
 //Secured connector for 1-way auth
 SslSelectChannelConnector sslConnectorOneWay = new SslSelectChannelConnector(contextFactoryOneWay);
@@ -397,11 +391,7 @@ public class AmbariServer {
 String httpsCrtPass = configsMap.get(Configuration.CLIENT_API_SSL_CRT_PASS_KEY);
 SslContextFactory contextFactoryApi = new SslContextFactory();
- if (! configs.getSrvrDisabledCiphers().isEmpty()) {
- String [] masks = configs.getSrvrDisabledCiphers().split(DISABLED_CIPHERS_SPLITTER);
- contextFactoryApi.setExcludeCipherSuites(masks);
- }
-
+ disableInsecureProtocols(contextFactoryApi);
 SslSelectChannelConnector sapiConnector = new SslSelectChannelConnector(contextFactoryApi);
 sapiConnector.setPort(configs.getClientSSLApiPort());
 sapiConnector.setKeystore(httpsKeystore);
@@ -484,6 +474,21 @@ public class AmbariServer {
 }
 /**
+ * Disables insecure protocols and cipher suites (exact list is defined
+ * at server properties)
+ */
+ private void disableInsecureProtocols(SslContextFactory factory) {
+ if (! configs.getSrvrDisabledCiphers().isEmpty()) {
+ String [] masks = configs.getSrvrDisabledCiphers().split(DISABLED_ENTRIES_SPLITTER);
+ factory.setExcludeCipherSuites(masks);
+ }
+ if (! configs.getSrvrDisabledProtocols().isEmpty()) {
+ String [] masks = configs.getSrvrDisabledProtocols().split(DISABLED_ENTRIES_SPLITTER);
+ factory.setExcludeProtocols(masks);
+ }
+ }
+
+ /**
 * Performs basic configuration of root handler with static values and values from
 * configuration file.
 *
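Review bot: In `disableInsecureProtocols` the entries produced by `split(DISABLED_ENTRIES_SPLITTER)` are never trimmed, so a value written as `SSLv3 | TLSv1` yields `" TLSv1"`, which matches no protocol name and is dropped without any feedback; the same applies to the cipher-suite list, and the `getSrvrDisabledProtocols()` getter only trims the whole string. The method name also undersells what it does, since it excludes cipher suites as well as protocols, and its Javadoc should name the two properties it reads, so I would reword it to `Applies the cipher-suite and protocol exclusion lists from security.server.disabled.ciphers and security.server.disabled.protocols to the given factory; entries are '|'-separated and must match the provider's exact names.` Trimming belongs in one shared helper, sketched below, and if the class has a logger it is worth logging the effective exclusion lists at startup so an operator can verify the hardening actually took effect.
```java
private void disableInsecureProtocols(SslContextFactory factory) {
  if (!configs.getSrvrDisabledCiphers().isEmpty()) {
    factory.setExcludeCipherSuites(splitEntries(configs.getSrvrDisabledCiphers()));
  }
  if (!configs.getSrvrDisabledProtocols().isEmpty()) {
    factory.setExcludeProtocols(splitEntries(configs.getSrvrDisabledProtocols()));
  }
}

/** Splits a '|'-separated list and trims every entry so stray whitespace cannot hide a name. */
private String[] splitEntries(String value) {
  String[] entries = value.split(DISABLED_ENTRIES_SPLITTER);
  for (int i = 0; i < entries.length; i++) {
    entries[i] = entries[i].trim();
  }
  return entries;
}
```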
