Repository: ambari Updated Branches: refs/heads/trunk e0552d62e -> 17db42826
AMBARI-19519 Log Feeder should store keystore / truststore passwords in files (mgergely) Change-Id: I1d5b39b035391c01d1911715cffcd20b7561b65d Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/17db4282 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/17db4282 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/17db4282 Branch: refs/heads/trunk Commit: 17db42826eb7f4c03f554fc7b2f5633d0a480934 Parents: e0552d6 Author: Miklos Gergely <[email protected]> Authored: Mon Jan 16 23:57:10 2017 +0100 Committer: Miklos Gergely <[email protected]> Committed: Mon Jan 16 23:57:10 2017 +0100 ---------------------------------------------------------------------- .../org/apache/ambari/logfeeder/LogFeeder.java | 2 + .../apache/ambari/logfeeder/util/SSLUtil.java | 68 ++++++++++++++++++++ .../src/main/scripts/run.sh | 2 +- .../LOGSEARCH/0.5.0/package/scripts/params.py | 1 + .../0.5.0/package/scripts/setup_logfeeder.py | 20 ++++++ .../0.5.0/package/scripts/setup_logsearch.py | 6 +- .../0.5.0/properties/logfeeder-env.sh.j2 | 2 - .../stacks/2.4/LOGSEARCH/test_logfeeder.py | 20 ++++++ .../test/python/stacks/2.4/configs/default.json | 4 +- 9 files changed, 118 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/17db4282/ambari-logsearch/ambari-logsearch-logfeeder/src/main/java/org/apache/ambari/logfeeder/LogFeeder.java ---------------------------------------------------------------------- diff --git a/ambari-logsearch/ambari-logsearch-logfeeder/src/main/java/org/apache/ambari/logfeeder/LogFeeder.java b/ambari-logsearch/ambari-logsearch-logfeeder/src/main/java/org/apache/ambari/logfeeder/LogFeeder.java index 6d0f22c..24651ba 100644 --- a/ambari-logsearch/ambari-logsearch-logfeeder/src/main/java/org/apache/ambari/logfeeder/LogFeeder.java 
+++ b/ambari-logsearch/ambari-logsearch-logfeeder/src/main/java/org/apache/ambari/logfeeder/LogFeeder.java @@ -45,6 +45,7 @@ import org.apache.ambari.logfeeder.output.OutputManager; import org.apache.ambari.logfeeder.util.AliasUtil; import org.apache.ambari.logfeeder.util.FileUtil; import org.apache.ambari.logfeeder.util.LogFeederUtil; +import org.apache.ambari.logfeeder.util.SSLUtil; import org.apache.commons.collections.CollectionUtils; import org.apache.commons.io.FileUtils; import org.apache.commons.io.IOUtils; @@ -97,6 +98,7 @@ public class LogFeeder { mergeAllConfigs(); LogConfigHandler.handleConfig(); + SSLUtil.ensureStorePasswords(); outputManager.init(); inputManager.init(); http://git-wip-us.apache.org/repos/asf/ambari/blob/17db4282/ambari-logsearch/ambari-logsearch-logfeeder/src/main/java/org/apache/ambari/logfeeder/util/SSLUtil.java ---------------------------------------------------------------------- diff --git a/ambari-logsearch/ambari-logsearch-logfeeder/src/main/java/org/apache/ambari/logfeeder/util/SSLUtil.java b/ambari-logsearch/ambari-logsearch-logfeeder/src/main/java/org/apache/ambari/logfeeder/util/SSLUtil.java new file mode 100644 index 0000000..317f5ae --- /dev/null +++ b/ambari-logsearch/ambari-logsearch-logfeeder/src/main/java/org/apache/ambari/logfeeder/util/SSLUtil.java 
@@ -0,0 +1,68 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ambari.logfeeder.util;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.lang.StringUtils;
+
+import java.io.File;
+
+public class SSLUtil {
+ private static final String KEYSTORE_LOCATION_ARG = "javax.net.ssl.keyStore";
+ private static final String TRUSTSTORE_LOCATION_ARG = "javax.net.ssl.trustStore";
+ private static final String KEYSTORE_PASSWORD_ARG = "javax.net.ssl.keyStorePassword";
+ private static final String TRUSTSTORE_PASSWORD_ARG = "javax.net.ssl.trustStorePassword";
+ private static final String KEYSTORE_PASSWORD_FILE = "ks_pass.txt";
+ private static final String TRUSTSTORE_PASSWORD_FILE = "ts_pass.txt";
+
+ private static final String LOGFEEDER_CERT_DEFAULT_FOLDER = "/etc/ambari-logsearch-portal/conf/keys";
+ private static final String LOGFEEDER_STORE_DEFAULT_PASSWORD = "bigdata";
+
+ private SSLUtil() {
+ throw new UnsupportedOperationException();
+ }
+
+ public static void ensureStorePasswords() {
+ ensureStorePassword(KEYSTORE_LOCATION_ARG, KEYSTORE_PASSWORD_ARG, KEYSTORE_PASSWORD_FILE);
+ ensureStorePassword(TRUSTSTORE_LOCATION_ARG, TRUSTSTORE_PASSWORD_ARG, 
TRUSTSTORE_PASSWORD_FILE);
+ }
+
+ private static void ensureStorePassword(String locationArg, String pwdArg, String pwdFile) {
+ if (StringUtils.isNotEmpty(System.getProperty(locationArg)) && StringUtils.isEmpty(System.getProperty(pwdArg))) {
+ String password = getPasswordFromFile(pwdFile);
+ System.setProperty(pwdArg, password);
+ }
+ }
+
+ private static String getPasswordFromFile(String fileName) {
+ try {
+ File pwdFile = new File(LOGFEEDER_CERT_DEFAULT_FOLDER, fileName);
+ if (!pwdFile.exists()) {
+ FileUtils.writeStringToFile(pwdFile, LOGFEEDER_STORE_DEFAULT_PASSWORD);
+ return LOGFEEDER_STORE_DEFAULT_PASSWORD;
+ } else {
+ return FileUtils.readFileToString(pwdFile);
+ }
+ } catch (Exception e) {
+ throw new RuntimeException("Exception occurred during read/write password file for keystore/truststore.", e);
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/ambari/blob/17db4282/ambari-logsearch/ambari-logsearch-logfeeder/src/main/scripts/run.sh ----------------------------------------------------------------------
diff --git a/ambari-logsearch/ambari-logsearch-logfeeder/src/main/scripts/run.sh b/ambari-logsearch/ambari-logsearch-logfeeder/src/main/scripts/run.sh
index 5aecd00..645c5f0 100644
--- a/ambari-logsearch/ambari-logsearch-logfeeder/src/main/scripts/run.sh
+++ b/ambari-logsearch/ambari-logsearch-logfeeder/src/main/scripts/run.sh 
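Review bot: In SSLUtil.java, `LOGFEEDER_CERT_DEFAULT_FOLDER` is `/etc/ambari-logsearch-portal/conf/keys`, while the setup_logfeeder.py hunk of this same commit writes `ks_pass.txt` and `ts_pass.txt` to `/etc/ambari-logsearch-logfeeder/conf/keys`, so Log Feeder does not read the files Ambari provisions for it. Because a missing file is then treated as normal, `getPasswordFromFile` creates it with `FileUtils.writeStringToFile`, which applies no restrictive mode (the Python side uses `mode=0600`), and continues with the hard-coded `LOGFEEDER_STORE_DEFAULT_PASSWORD`. I would point the constant at the Log Feeder folder and fail startup when a store location is configured but its password file is absent, which also makes `LOGFEEDER_STORE_DEFAULT_PASSWORD` removable. A short class Javadoc stating who writes these files, and that the password ends up in a JVM system property, would help operators.

```java
private static final String LOGFEEDER_CERT_DEFAULT_FOLDER = "/etc/ambari-logsearch-logfeeder/conf/keys";
// … unchanged: remaining constants, constructor, ensureStorePasswords(), ensureStorePassword() …

private static String getPasswordFromFile(String fileName) {
  File pwdFile = new File(LOGFEEDER_CERT_DEFAULT_FOLDER, fileName);
  if (!pwdFile.isFile()) {
    // Fail closed: do not create a password file or fall back to a built-in default.
    throw new IllegalStateException("Password file for keystore/truststore not found: " + pwdFile);
  }
  try {
    return FileUtils.readFileToString(pwdFile);
  } catch (Exception e) {
    throw new RuntimeException("Exception occurred during reading password file for keystore/truststore.", e);
  }
}
```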
@@ -70,7 +70,7 @@ LOGFEEDER_GC_OPTS="-XX:+PrintGCDetails -XX:+PrintGCDateStamps -Xloggc:$LOGFEEDER #JMX="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.port=2098" if [ "$LOGFEEDER_SSL" = "true" ]; then - LOGFEEDER_JAVA_OPTS="$LOGFEEDER_JAVA_OPTS -Djavax.net.ssl.keyStore=$LOGFEEDER_KEYSTORE_LOCATION -Djavax.net.ssl.keyStoreType=$LOGFEEDER_KEYSTORE_TYPE -Djavax.net.ssl.keyStorePassword=$LOGFEEDER_KEYSTORE_PASSWORD -Djavax.net.ssl.trustStore=$LOGFEEDER_TRUSTSTORE_LOCATION -Djavax.net.ssl.trustStoreType=$LOGFEEDER_TRUSTSTORE_TYPE -Djavax.net.ssl.trustStorePassword=$LOGFEEDER_TRUSTSTORE_PASSWORD" + LOGFEEDER_JAVA_OPTS="$LOGFEEDER_JAVA_OPTS -Djavax.net.ssl.keyStore=$LOGFEEDER_KEYSTORE_LOCATION -Djavax.net.ssl.keyStoreType=$LOGFEEDER_KEYSTORE_TYPE -Djavax.net.ssl.trustStore=$LOGFEEDER_TRUSTSTORE_LOCATION -Djavax.net.ssl.trustStoreType=$LOGFEEDER_TRUSTSTORE_TYPE" fi if [ $foreground -eq 0 ]; then http://git-wip-us.apache.org/repos/asf/ambari/blob/17db4282/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py index 5ffd5e6..25e947d 100644 --- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py +++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py 
@@ -44,6 +44,7 @@ security_enabled = status_params.security_enabled logsearch_server_conf = "/etc/ambari-logsearch-portal/conf" logsearch_server_keys_folder = logsearch_server_conf + "/keys" logsearch_logfeeder_conf = "/etc/ambari-logsearch-logfeeder/conf" +logsearch_logfeeder_keys_folder = logsearch_logfeeder_conf + "/keys" logsearch_config_set_dir = format("{logsearch_server_conf}/solr_configsets") http://git-wip-us.apache.org/repos/asf/ambari/blob/17db4282/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logfeeder.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logfeeder.py b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logfeeder.py index 14f8d20..a04618f 100644 --- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logfeeder.py +++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logfeeder.py @@ -39,6 +39,26 @@ def setup_logfeeder(): recursive_ownership=True ) + Directory(params.logsearch_logfeeder_keys_folder, + cd_access='a', + mode=0755, + owner=params.logsearch_user, + group=params.user_group) + + File(format("{logsearch_logfeeder_keys_folder}/ks_pass.txt"), + content=params.logfeeder_keystore_password, + mode=0600, + owner=params.logsearch_user, + group=params.user_group + ) + + File(format("{logsearch_logfeeder_keys_folder}/ts_pass.txt"), + content=params.logfeeder_truststore_password, + mode=0600, + owner=params.logsearch_user, + group=params.user_group + ) + File(params.logfeeder_log, mode=0644, content='' http://git-wip-us.apache.org/repos/asf/ambari/blob/17db4282/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py ---------------------------------------------------------------------- 
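Review bot: In setup_logfeeder.py the new keys directory is created with `mode=0755` and `cd_access='a'`, so any local account can list a directory whose visible purpose is to hold `ks_pass.txt` and `ts_pass.txt`; the files are `0600`, so their content is protected, but `mode=0750` on the `Directory(params.logsearch_logfeeder_keys_folder, ...)` call would fit better unless other users must reach store files kept there. The two `File(...)` resources also appear to be written whether or not SSL is enabled, whereas logfeeder-env.sh.j2 only exports the store settings under `logsearch_solr_ssl_enabled`; setup_logfeeder() starts and ends outside the hunk, so an enclosing condition may exist. If there is none, guarding them with the same flag the template uses (presumably `if params.logsearch_solr_ssl_enabled:`) would avoid leaving plaintext secrets on hosts that never use them.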
diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py index 9ff9c74..2690a3a 100644 --- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py +++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py @@ -49,20 +49,20 @@ def setup_logsearch(): Directory(params.logsearch_server_keys_folder, cd_access='a', mode=0755, - owner= params.logsearch_user, + owner=params.logsearch_user, group=params.user_group) File(format("{logsearch_server_keys_folder}/ks_pass.txt"), content=params.logsearch_keystore_password, mode=0600, - owner= params.logsearch_user, + owner=params.logsearch_user, group=params.user_group ) File(format("{logsearch_server_keys_folder}/ts_pass.txt"), content=params.logsearch_truststore_password, mode=0600, - owner= params.logsearch_user, + owner=params.logsearch_user, group=params.user_group ) http://git-wip-us.apache.org/repos/asf/ambari/blob/17db4282/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logfeeder-env.sh.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logfeeder-env.sh.j2 b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logfeeder-env.sh.j2 index 6795dab..6d1c445 100644 --- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logfeeder-env.sh.j2 +++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/properties/logfeeder-env.sh.j2 
@@ -35,9 +35,7 @@ fi {% if logsearch_solr_ssl_enabled %} export LOGFEEDER_SSL="true" export LOGFEEDER_KEYSTORE_LOCATION={{logfeeder_keystore_location}} -export LOGFEEDER_KEYSTORE_PASSWORD={{logfeeder_keystore_password}} export LOGFEEDER_KEYSTORE_TYPE={{logfeeder_keystore_type}} export LOGFEEDER_TRUSTSTORE_LOCATION={{logfeeder_truststore_location}} -export LOGFEEDER_TRUSTSTORE_PASSWORD={{logfeeder_truststore_password}} export LOGFEEDER_TRUSTSTORE_TYPE={{logfeeder_truststore_type}} {% endif %} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/17db4282/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logfeeder.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logfeeder.py b/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logfeeder.py index 02570e2..b172f64 100644 --- a/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logfeeder.py +++ b/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logfeeder.py @@ -55,6 +55,26 @@ class TestLogFeeder(RMFTestCase): cd_access='a', mode=0755 ) + self.assertResourceCalled('Directory', '/etc/ambari-logsearch-logfeeder/conf/keys', + owner = 'logsearch', + group = 'hadoop', + cd_access = 'a', + mode = 0755 + ) + + self.assertResourceCalled('File', '/etc/ambari-logsearch-logfeeder/conf/keys/ks_pass.txt', + owner='logsearch', + group='hadoop', + mode=0600, + content='bigdata' + ) + + self.assertResourceCalled('File', '/etc/ambari-logsearch-logfeeder/conf/keys/ts_pass.txt', + owner='logsearch', + group='hadoop', + mode=0600, + content='bigdata' + ) self.assertResourceCalled('File', '/var/log/ambari-logsearch-logfeeder/logfeeder.out', mode=0644, http://git-wip-us.apache.org/repos/asf/ambari/blob/17db4282/ambari-server/src/test/python/stacks/2.4/configs/default.json ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/test/python/stacks/2.4/configs/default.json b/ambari-server/src/test/python/stacks/2.4/configs/default.json index 30e12e9..dd8a096 100644 --- a/ambari-server/src/test/python/stacks/2.4/configs/default.json +++ b/ambari-server/src/test/python/stacks/2.4/configs/default.json 
@@ -315,7 +315,9 @@ "logfeeder_pid_dir": "/var/run/ambari-logsearch-logfeeder", "logfeeder_log_dir": "/var/log/ambari-logsearch-logfeeder", "logfeeder_max_mem": "512m", - "content": "# Licensed to the Apache Software Foundation (ASF) under one or more\n# contributor license agreements. See the NOTICE file distributed with\n# this work for additional information regarding copyright ownership.\n# The ASF licenses this file to You under the Apache License, Version 2.0\n# (the \"License\"); you may not use this file except in compliance with\n# the License. You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nlogsearch.solr.metrics.collector.hosts=http://{{metrics_collector_hosts}}:{{metrics_collector_port}}/ws/v1/timeline/metrics\n{% if logsearch_solr_ssl_enabled %}\nexport LOGFEED ER_SSL=\"true\"\nexport LOGFEEDER_KEYSTORE_LOCATION={{logfeeder_keystore_location}}\nexport LOGFEEDER_KEYSTORE_PASSWORD={{logfeeder_keystore_password}}\nexport LOGFEEDER_KEYSTORE_TYPE={{logfeeder_keystore_type}}\nexport LOGFEEDER_TRUSTSTORE_LOCATION={{logfeeder_truststore_location}}\nexport LOGFEEDER_TRUSTSTORE_PASSWORD={{logfeeder_truststore_password}}\nexport LOGFEEDER_TRUSTSTORE_TYPE={{logfeeder_truststore_type}}\n{% endif %}" + "logfeeder_keystore_password" : "bigdata", + "logfeeder_truststore_password" : "bigdata", + "content": "# Licensed to the Apache Software Foundation (ASF) under one or more\n# contributor license agreements. 
See the NOTICE file distributed with\n# this work for additional information regarding copyright ownership.\n# The ASF licenses this file to You under the Apache License, Version 2.0\n# (the \"License\"); you may not use this file except in compliance with\n# the License. You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nlogsearch.solr.metrics.collector.hosts=http://{{metrics_collector_hosts}}:{{metrics_collector_port}}/ws/v1/timeline/metrics\n{% if logsearch_solr_ssl_enabled %}\nexport LOGFEED ER_SSL=\"true\"\nexport LOGFEEDER_KEYSTORE_LOCATION={{logfeeder_keystore_location}}\n\nexport LOGFEEDER_KEYSTORE_TYPE={{logfeeder_keystore_type}}\nexport LOGFEEDER_TRUSTSTORE_LOCATION={{logfeeder_truststore_location}}\n\nexport LOGFEEDER_TRUSTSTORE_TYPE={{logfeeder_truststore_type}}\n{% endif %}" }, "logfeeder-output-config" : { "content" : "output-grok-filter"
