Repository: ambari Updated Branches: refs/heads/trunk 4bc2263fc -> 4a4a16aa9
AMBARI-19333. Store LogSearch truststore/keystore passwords in file (oleewere) Change-Id: Ifbf2b1c72df7f20f31ce0e4ef8bf7f5fa4d5ac55 Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/4a4a16aa Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/4a4a16aa Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/4a4a16aa Branch: refs/heads/trunk Commit: 4a4a16aa9bd0d07e20e683dd9d428227e23f076f Parents: 4bc2263 Author: oleewere <[email protected]> Authored: Wed Jan 4 13:19:17 2017 +0100 Committer: oleewere <[email protected]> Committed: Wed Jan 4 13:39:29 2017 +0100 ---------------------------------------------------------------------- .../org/apache/ambari/logsearch/LogSearch.java | 7 +-- .../apache/ambari/logsearch/util/SSLUtil.java | 46 ++++++++++++++++---- .../src/main/scripts/run.sh | 2 +- .../test-config/logsearch/logsearch-env.sh | 2 - .../LOGSEARCH/0.5.0/package/scripts/params.py | 1 + .../0.5.0/package/scripts/setup_logsearch.py | 20 +++++++++ .../0.5.0/properties/logsearch-env.sh.j2 | 2 - .../stacks/2.4/LOGSEARCH/test_logsearch.py | 20 +++++++++ .../test/python/stacks/2.4/configs/default.json | 2 + 9 files changed, 86 insertions(+), 16 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/4a4a16aa/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/LogSearch.java ---------------------------------------------------------------------- diff --git a/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/LogSearch.java b/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/LogSearch.java index 614e91e..88cc8bb 100644 --- a/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/LogSearch.java +++ b/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/LogSearch.java 
@@ -84,14 +84,15 @@ public class LogSearch { private static final String ROOT_CONTEXT = "/"; private static final Integer SESSION_TIMEOUT = 60 * 30; - private static final String LOGSEARCH_CERT_DEFAULT_FOLDER = "/etc/ambari-logsearch-portal/conf/keys"; private static final String LOGSEARCH_CERT_FILENAME = "logsearch.crt"; private static final String LOGSEARCH_KEYSTORE_FILENAME = "logsearch.jks"; private static final String LOGSEARCH_KEYSTORE_PRIVATE_KEY = "logsearch.private.key"; private static final String LOGSEARCH_KEYSTORE_PUBLIC_KEY = "logsearch.public.key"; - private static final String LOGSEARCH_KEYSTORE_DEFAULT_PASSWORD = "bigdata"; private static final String LOGSEARCH_CERT_DEFAULT_ALGORITHM = "sha256WithRSAEncryption"; + public static final String LOGSEARCH_CERT_DEFAULT_FOLDER = "/etc/ambari-logsearch-portal/conf/keys"; + public static final String LOGSEARCH_KEYSTORE_DEFAULT_PASSWORD = "bigdata"; + public static void main(String[] argv) { LogSearch logSearch = new LogSearch(); ManageStartEndTime.manage(); @@ -300,7 +301,7 @@ public class LogSearch { fileSet.setDir(new File(certFolder)); fileSet.setIncludes("**"); chmod.addFileset(fileSet); - chmod.setPerm("640"); + chmod.setPerm("600"); chmod.execute(); } } http://git-wip-us.apache.org/repos/asf/ambari/blob/4a4a16aa/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/util/SSLUtil.java ---------------------------------------------------------------------- diff --git a/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/util/SSLUtil.java b/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/util/SSLUtil.java index 7a93305..2fb4ff3 100644 --- a/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/util/SSLUtil.java +++ b/ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/util/SSLUtil.java 
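Review bot: The -84 hunk makes `LOGSEARCH_CERT_DEFAULT_FOLDER` and `LOGSEARCH_KEYSTORE_DEFAULT_PASSWORD` public members of the application entry point purely so that `SSLUtil` can static-import them, which turns the presumed `LogSearch` → `SSLUtil` dependency into a two-way one; both values are only consumed on the `SSLUtil` side, so declaring them there and importing them here keeps the dependency one-directional. Whatever its placement, the password constant now doubles as the value that gets persisted to disk when no password file exists, so it deserves a Javadoc such as `/** Bootstrap password written to ks_pass.txt / ts_pass.txt when the file is absent; not a secret, operators are expected to replace it. */`. The -300 hunk's `chmod.setPerm("600")` applies to whatever is in the cert folder when it runs, while a password file created later by `SSLUtil` keeps the process umask permissions; the ordering between the two cannot be seen from these hunks, and the method around the chmod starts outside the hunk.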
@@ -50,6 +50,9 @@ import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.util.Date; +import static org.apache.ambari.logsearch.LogSearch.LOGSEARCH_CERT_DEFAULT_FOLDER; +import static org.apache.ambari.logsearch.LogSearch.LOGSEARCH_KEYSTORE_DEFAULT_PASSWORD; + public class SSLUtil { private static final Logger LOG = LoggerFactory.getLogger(SSLUtil.class); @@ -61,6 +64,8 @@ public class SSLUtil { private static final String TRUSTSTORE_PASSWORD_ARG = "javax.net.ssl.trustStorePassword"; private static final String TRUSTSTORE_TYPE_ARG = "javax.net.ssl.trustStoreType"; private static final String DEFAULT_TRUSTSTORE_TYPE = "JKS"; + private static final String KEYSTORE_PASSWORD_FILE = "ks_pass.txt"; + private static final String TRUSTSTORE_PASSWORD_FILE = "ts_pass.txt"; private SSLUtil() { throw new UnsupportedOperationException(); @@ -69,11 +74,11 @@ public class SSLUtil { public static String getKeyStoreLocation() { return System.getProperty(KEYSTORE_LOCATION_ARG); } - + public static String getKeyStorePassword() { return System.getProperty(KEYSTORE_PASSWORD_ARG); } - + public static String getKeyStoreType() { return System.getProperty(KEYSTORE_TYPE_ARG, DEFAULT_KEYSTORE_TYPE); } 
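Review bot: `KEYSTORE_PASSWORD_FILE` and `TRUSTSTORE_PASSWORD_FILE` in the -61 hunk are resolved only against the static-imported `LOGSEARCH_CERT_DEFAULT_FOLDER`, never against the directory of the store actually configured through `javax.net.ssl.keyStore`/`javax.net.ssl.trustStore`; a deployment whose stores live elsewhere (the docker test config in this same commit points at `/root/config/ssl/`) silently ends up with a freshly written built-in default password rather than the one it just removed from the environment. If that coupling is intended, a comment on the two constants should say so, e.g. `// looked up under LOGSEARCH_CERT_DEFAULT_FOLDER regardless of where the configured store lives`; otherwise derive the folder from `getKeyStoreLocation()`/`getTrustStoreLocation()` and fall back to the default folder only when those are unset. The -69 hunk only strips trailing whitespace.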
@@ -81,24 +86,26 @@ public class SSLUtil { public static String getTrustStoreLocation() { return System.getProperty(TRUSTSTORE_LOCATION_ARG); } - + public static String getTrustStorePassword() { return System.getProperty(TRUSTSTORE_PASSWORD_ARG); } - + public static String getTrustStoreType() { return System.getProperty(TRUSTSTORE_TYPE_ARG, DEFAULT_TRUSTSTORE_TYPE); } - + public static boolean isKeyStoreSpecified() { - return StringUtils.isNotEmpty(getKeyStoreLocation()) && StringUtils.isNotEmpty(getKeyStorePassword()); + return StringUtils.isNotEmpty(getKeyStoreLocation()); } private static boolean isTrustStoreSpecified() { - return StringUtils.isNotEmpty(getTrustStoreLocation()) && StringUtils.isNotEmpty(getTrustStorePassword()); + return StringUtils.isNotEmpty(getTrustStoreLocation()); } public static SslContextFactory getSslContextFactory() { + setPasswordIfSysPropIsEmpty(KEYSTORE_PASSWORD_ARG, KEYSTORE_PASSWORD_FILE); + setPasswordIfSysPropIsEmpty(TRUSTSTORE_PASSWORD_ARG, TRUSTSTORE_PASSWORD_FILE); SslContextFactory sslContextFactory = new SslContextFactory(); sslContextFactory.setKeyStorePath(getKeyStoreLocation()); sslContextFactory.setKeyStorePassword(getKeyStorePassword()); @@ -111,7 +118,7 @@ public class SSLUtil { return sslContextFactory; } - + public static SSLContext getSSLContext() { SslContextFactory sslContextFactory = getSslContextFactory(); 
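Review bot: `getSslContextFactory()` now sets `javax.net.ssl.trustStorePassword` JVM-wide even when no truststore location is configured, because both `setPasswordIfSysPropIsEmpty` calls run before any `isTrustStoreSpecified()` check; `isTrustStoreSpecified()` was relaxed to location-only in this hunk, but the password side effect is unconditional. The JDK applies that property to its default `cacerts` store when no explicit truststore is set, so a non-matching value is likely to make default TLS contexts fail to initialise, and the call also materialises a `ts_pass.txt` holding the built-in default that nothing consumes. Guarding both calls confines the side effects to stores that are actually configured: `if (isKeyStoreSpecified()) { setPasswordIfSysPropIsEmpty(KEYSTORE_PASSWORD_ARG, KEYSTORE_PASSWORD_FILE); }` and `if (isTrustStoreSpecified()) { setPasswordIfSysPropIsEmpty(TRUSTSTORE_PASSWORD_ARG, TRUSTSTORE_PASSWORD_FILE); }`. The body of `getSslContextFactory()` continues past the hunk, so whether the truststore branch itself is guarded cannot be seen here.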
@@ -130,6 +137,22 @@ public class SSLUtil { } } + private static String getPasswordFromFile(String certFolder, String fileName, String defaultPassword) { + try { + String pwdFileName = String.format("%s/%s", certFolder, fileName); + File pwdFile = new File(pwdFileName); + if (!pwdFile.exists()) { + FileUtils.writeStringToFile(pwdFile, defaultPassword); + return defaultPassword; + } else { + return FileUtils.readFileToString(pwdFile); + } + } catch (Exception e) { + String errMsg = "Exception occurred during read/write password file for keystore."; + throw new RuntimeException(errMsg, e); + } + } + /** * Put private key into in-memory keystore and write it to a file (JKS file) */ @@ -177,6 +200,13 @@ public class SSLUtil { } } + private static void setPasswordIfSysPropIsEmpty(String prop, String pwdFile) { + if (StringUtils.isEmpty(System.getProperty(prop))) { + String password = getPasswordFromFile(LOGSEARCH_CERT_DEFAULT_FOLDER, pwdFile, LOGSEARCH_KEYSTORE_DEFAULT_PASSWORD); + System.setProperty(prop, password); + } + } + private static X509Certificate getCertFile(String location) throws Exception { try (FileInputStream fos = new FileInputStream(location)) { CertificateFactory factory = CertificateFactory.getInstance("X.509"); http://git-wip-us.apache.org/repos/asf/ambari/blob/4a4a16aa/ambari-logsearch/ambari-logsearch-portal/src/main/scripts/run.sh ---------------------------------------------------------------------- diff --git a/ambari-logsearch/ambari-logsearch-portal/src/main/scripts/run.sh b/ambari-logsearch/ambari-logsearch-portal/src/main/scripts/run.sh index 1204ef3..b8fd6c4 100755 --- a/ambari-logsearch/ambari-logsearch-portal/src/main/scripts/run.sh +++ b/ambari-logsearch/ambari-logsearch-portal/src/main/scripts/run.sh 
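Review bot: `getPasswordFromFile` in the -130 hunk returns the file content verbatim, so a `ks_pass.txt` that an operator writes by hand or with `echo` carries its trailing line terminator into the keystore password and the store no longer opens; the files laid down by the Ambari setup script in this commit have no newline, which hides the problem in the tested path. The same method uses the platform-charset `readFileToString`/`writeStringToFile` overloads, reports every failure as "password file for keystore" even when the truststore file was involved, and writes the built-in default password to disk without any log line an operator could notice. The rewrite below strips a trailing line terminator, pins UTF-8, names the file in the error, narrows the catch (needs `java.io.IOException` in scope) and logs at WARN when the default is persisted; `setPasswordIfSysPropIsEmpty` in the -177 hunk needs no change for it.
```java
  private static String getPasswordFromFile(String certFolder, String fileName, String defaultPassword) {
    File pwdFile = new File(certFolder, fileName);
    try {
      if (!pwdFile.exists()) {
        // first start without a provisioned file: persist the built-in default so later starts reuse it
        LOG.warn("Password file {} does not exist, writing the built-in default password to it", pwdFile);
        FileUtils.writeStringToFile(pwdFile, defaultPassword, "UTF-8");
        return defaultPassword;
      }
      // a hand-written file usually ends with a line terminator that is not part of the password
      return StringUtils.stripEnd(FileUtils.readFileToString(pwdFile, "UTF-8"), "\r\n");
    } catch (IOException e) {
      throw new RuntimeException("Exception occurred during read/write of password file " + pwdFile, e);
    }
  }
```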
@@ -52,7 +52,7 @@ if [ "$LOGSEARCH_DEBUG" = "true" ] && [ ! -z "$LOGSEARCH_DEBUG_PORT" ]; then fi if [ "$LOGSEARCH_SSL" = "true" ]; then - LOGSEARCH_JAVA_OPTS="$LOGSEARCH_JAVA_OPTS -Djavax.net.ssl.keyStore=$LOGSEARCH_KEYSTORE_LOCATION -Djavax.net.ssl.keyStoreType=$LOGSEARCH_KEYSTORE_TYPE -Djavax.net.ssl.keyStorePassword=$LOGSEARCH_KEYSTORE_PASSWORD -Djavax.net.ssl.trustStore=$LOGSEARCH_TRUSTSTORE_LOCATION -Djavax.net.ssl.trustStoreType=$LOGSEARCH_TRUSTSTORE_TYPE -Djavax.net.ssl.trustStorePassword=$LOGSEARCH_TRUSTSTORE_PASSWORD" + LOGSEARCH_JAVA_OPTS="$LOGSEARCH_JAVA_OPTS -Djavax.net.ssl.keyStore=$LOGSEARCH_KEYSTORE_LOCATION -Djavax.net.ssl.keyStoreType=$LOGSEARCH_KEYSTORE_TYPE -Djavax.net.ssl.trustStore=$LOGSEARCH_TRUSTSTORE_LOCATION -Djavax.net.ssl.trustStoreType=$LOGSEARCH_TRUSTSTORE_TYPE" fi if [ "$PID_FILE" = "" ]; then http://git-wip-us.apache.org/repos/asf/ambari/blob/4a4a16aa/ambari-logsearch/docker/test-config/logsearch/logsearch-env.sh ---------------------------------------------------------------------- diff --git a/ambari-logsearch/docker/test-config/logsearch/logsearch-env.sh b/ambari-logsearch/docker/test-config/logsearch/logsearch-env.sh index 2c2d056..8d92e20 100644 --- a/ambari-logsearch/docker/test-config/logsearch/logsearch-env.sh +++ b/ambari-logsearch/docker/test-config/logsearch/logsearch-env.sh @@ -37,8 +37,6 @@ export LOGSEARCH_DEBUG_PORT=5005 export LOGSEARCH_SSL="true" export LOGSEARCH_KEYSTORE_LOCATION=/root/config/ssl/logsearch.keyStore.jks -export LOGSEARCH_KEYSTORE_PASSWORD=bigdata export LOGSEARCH_KEYSTORE_TYPE=jks export LOGSEARCH_TRUSTSTORE_LOCATION=/root/config/ssl/logsearch.trustStore.jks -export LOGSEARCH_TRUSTSTORE_PASSWORD=bigdata export LOGSEARCH_TRUSTSTORE_TYPE=jks http://git-wip-us.apache.org/repos/asf/ambari/blob/4a4a16aa/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py ---------------------------------------------------------------------- 
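Review bot: The `LOGSEARCH_SSL` branch no longer forwards `LOGSEARCH_KEYSTORE_PASSWORD`/`LOGSEARCH_TRUSTSTORE_PASSWORD`, which keeps the passwords out of the process command line (readable by every local user via `ps`), but an existing `logsearch-env.sh` that still exports them is now silently ignored and the password comes from `ks_pass.txt`/`ts_pass.txt` under `/etc/ambari-logsearch-portal/conf/keys` or from the built-in default instead. A comment above the assignment would make that explicit, e.g. `# keystore/truststore passwords are deliberately not passed as -D options; the server reads them from <conf>/keys/ks_pass.txt and ts_pass.txt`. The `if` block is fully inside the hunk.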
diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py index ff88abc..811b3ea 100644 --- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py +++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py @@ -42,6 +42,7 @@ sudo = AMBARI_SUDO_BINARY security_enabled = status_params.security_enabled logsearch_server_conf = "/etc/ambari-logsearch-portal/conf" +logsearch_server_keys_folder = logsearch_server_conf + "/keys" logsearch_logfeeder_conf = "/etc/ambari-logsearch-logfeeder/conf" logsearch_config_set_dir = format("{logsearch_server_conf}/solr_configsets") http://git-wip-us.apache.org/repos/asf/ambari/blob/4a4a16aa/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py index 874b90b..9ff9c74 100644 --- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py +++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py 
@@ -46,6 +46,26 @@ def setup_logsearch(): recursive_ownership=True ) + Directory(params.logsearch_server_keys_folder, + cd_access='a', + mode=0755, + owner= params.logsearch_user, + group=params.user_group) + + File(format("{logsearch_server_keys_folder}/ks_pass.txt"), + content=params.logsearch_keystore_password, + mode=0600, + owner= params.logsearch_user, + group=params.user_group + ) + + File(format("{logsearch_server_keys_folder}/ts_pass.txt"), + content=params.logsearch_truststore_password, + mode=0600, + owner= params.logsearch_user, + group=params.user_group + ) + File(params.logsearch_log, mode=0644, owner=params.logsearch_user, http://git-wip-us.apache.org/repos/asf/ambari/blob/4a4a16aa/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logsearch-env.sh.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logsearch-env.sh.j2 b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logsearch-env.sh.j2 index a179983..338c7f7 100644 --- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logsearch-env.sh.j2 +++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logsearch-env.sh.j2 
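Review bot: The two `File` resources write the configured keystore and truststore passwords to `ks_pass.txt`/`ts_pass.txt` unconditionally, whereas the `logsearch-env.sh.j2` change in this commit only switches SSL on under `{% if logsearch_solr_ssl_enabled or logsearch_ui_protocol == 'https' or ambari_server_use_ssl %}`; on a non-SSL host this leaves plaintext credential files (mode 0600, so only the service user can read them) that nothing consumes. If that is intended, a comment such as `# always laid down so that enabling SSL later needs no re-install` above the `Directory` resource would say so; otherwise wrap the three resources in the same condition the template uses. Minor: `owner= params.logsearch_user` has a stray space after `=` in all three resources, unlike the surrounding keyword arguments. `setup_logsearch()` starts before the hunk.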
@@ -41,9 +41,7 @@ export LOGSEARCH_DEBUG_PORT={{logsearch_debug_port}} {% if logsearch_solr_ssl_enabled or logsearch_ui_protocol == 'https' or ambari_server_use_ssl %} export LOGSEARCH_SSL="true" export LOGSEARCH_KEYSTORE_LOCATION={{logsearch_keystore_location}} -export LOGSEARCH_KEYSTORE_PASSWORD={{logsearch_keystore_password}} export LOGSEARCH_KEYSTORE_TYPE={{logsearch_keystore_type}} export LOGSEARCH_TRUSTSTORE_LOCATION={{logsearch_truststore_location}} -export LOGSEARCH_TRUSTSTORE_PASSWORD={{logsearch_truststore_password}} export LOGSEARCH_TRUSTSTORE_TYPE={{logsearch_truststore_type}} {% endif %} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/4a4a16aa/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py b/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py index c3e8930..00dd641 100644 --- a/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py +++ b/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py 
@@ -63,6 +63,26 @@ class TestLogSearch(RMFTestCase): cd_access = 'a', mode = 0755 ) + self.assertResourceCalled('Directory', '/etc/ambari-logsearch-portal/conf/keys', + owner = 'logsearch', + group = 'hadoop', + cd_access = 'a', + mode = 0755 + ) + + self.assertResourceCalled('File', '/etc/ambari-logsearch-portal/conf/keys/ks_pass.txt', + owner='logsearch', + group='hadoop', + mode=0600, + content='bigdata' + ) + + self.assertResourceCalled('File', '/etc/ambari-logsearch-portal/conf/keys/ts_pass.txt', + owner='logsearch', + group='hadoop', + mode=0600, + content='bigdata' + ) self.assertResourceCalled('File', '/var/log/ambari-logsearch-portal/logsearch.out', owner = 'logsearch', http://git-wip-us.apache.org/repos/asf/ambari/blob/4a4a16aa/ambari-server/src/test/python/stacks/2.4/configs/default.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.4/configs/default.json b/ambari-server/src/test/python/stacks/2.4/configs/default.json index 7591adb..a601f0b 100644 --- a/ambari-server/src/test/python/stacks/2.4/configs/default.json +++ b/ambari-server/src/test/python/stacks/2.4/configs/default.json 
@@ -273,6 +273,8 @@ "logsearch_debug_port": "5005", "logsearch_ui_protocol": "http", "logsearch_ui_port" : "61888", + "logsearch_keystore_password" : "bigdata", + "logsearch_truststore_password" : "bigdata", "logsearch_solr_audit_logs_use_ranger": "false", "content": "# Licensed to the Apache Software Foundation (ASF) under one or more\n# contributor license agreements. See the NOTICE file distributed with\n# this work for additional information regarding copyright ownership.\n# The ASF licenses this file to You under the Apache License, Version 2.0\n# (the \"License\"); you may not use this file except in compliance with\n# the License. You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n#solr.url=http://{{solr_host}}:{{solr_port}}/solr\n\n#Service Logs and History colletion\nlogsearch.solr.zkhosts={{zookeeper_quorum}}{{solr_znode}}\nlogsearch.solr.collection.ser vice.logs={{logsearch_collection_service_logs}}\nlogsearch.solr.collection.history=history\n\nlogsearch.service.logs.split.interval.mins={{logsearch_service_logs_split_interval_mins}}\nlogsearch.collection.service.logs.numshards={{logsearch_collection_service_logs_numshards}}\nlogsearch.collection.service.logs.replication.factor={{logsearch_collection_service_logs_replication_factor}}\n\nlogsearch.service.logs.fields={{logsearch_service_logs_fields}}\n\n#Audit 
logs\nlogsearch.solr.audit.logs.zkhosts={{logsearch_solr_zk_quorum}}{{logsearch_solr_zk_znode}}\nogsearch.solr.collection.audit.logs={{solr_collection_audit_logs}}\nlogsearch.solr.audit.logs.url={{logsearch_solr_audit_logs_url}}\n\nlogsearch.audit.logs.split.interval.mins={{logsearch_audit_logs_split_interval_mins}}\nlogsearch.collection.audit.logs.numshards={{logsearch_collection_audit_logs_numshards}}\nlogsearch.collection.audit.logs.replication.factor={{logsearch_collection_audit_logs_replication_factor}}\n{% if logsearch_s olr_ssl_enabled %}\nexport LOGSEARCH_SSL=\"true\"\nexport LOGSEARCH_KEYSTORE_LOCATION={{logsearch_keystore_location}}\nexport LOGSEARCH_KEYSTORE_PASSWORD={{logsearch_keystore_password}}\nexport LOGSEARCH_KEYSTORE_TYPE={{logsearch_keystore_type}}\nexport LOGSEARCH_TRUSTSTORE_LOCATION={{logsearch_truststore_location}}\nexport LOGSEARCH_TRUSTSTORE_PASSWORD={{logsearch_truststore_password}}\nexport LOGSEARCH_TRUSTSTORE_TYPE={{logsearch_truststore_type}}\n{% endif %}" },
