OOZIE-2756 Extend HTTPS configuration settings for embedded Jetty (asasvari via abhishekbafna)
Project: http://git-wip-us.apache.org/repos/asf/oozie/repo Commit: http://git-wip-us.apache.org/repos/asf/oozie/commit/d9a4d3f6 Tree: http://git-wip-us.apache.org/repos/asf/oozie/tree/d9a4d3f6 Diff: http://git-wip-us.apache.org/repos/asf/oozie/diff/d9a4d3f6 Branch: refs/heads/oya Commit: d9a4d3f69cd96ec7287f452190a1d181ead4ec89 Parents: 4cec1ad Author: abhisek bafna <[email protected]> Authored: Tue Jan 10 09:50:23 2017 +0530 Committer: abhisek bafna <[email protected]> Committed: Tue Jan 10 09:50:23 2017 +0530 ---------------------------------------------------------------------- core/src/main/resources/oozie-default.xml | 20 ++++- .../oozie/service/TestConfigurationService.java | 10 +++ release-log.txt | 1 + .../oozie/server/SSLServerConnectorFactory.java | 38 ++++++++- .../server/TestSSLServerConnectorFactory.java | 86 ++++++++++++-------- 5 files changed, 113 insertions(+), 42 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/oozie/blob/d9a4d3f6/core/src/main/resources/oozie-default.xml ---------------------------------------------------------------------- diff --git a/core/src/main/resources/oozie-default.xml b/core/src/main/resources/oozie-default.xml index 2d7650a..943f9bc 100644 --- a/core/src/main/resources/oozie-default.xml +++ b/core/src/main/resources/oozie-default.xml @@ -2537,7 +2537,7 @@ will be the requeue interval for the actions which are waiting for a long time w <property> <name>oozie.https.truststore.file</name> - <value>custom.truststore</value> + <value></value> <description> Path to a TrustStore file. </description> @@ -2545,7 +2545,7 @@ will be the requeue interval for the actions which are waiting for a long time w <property> <name>oozie.https.truststore.pass</name> - <value>cloudera</value> + <value></value> <description> Password to the TrustStore. </description> 
@@ -2576,6 +2576,22 @@ will be the requeue interval for the actions which are waiting for a long time w </property> <property> + <name>oozie.https.exclude.protocols</name> + <value></value> + <description> + Disabled TLS protocols. + </description> + </property> + + <property> + <name>oozie.https.include.cipher.suites</name> + <value></value> + <description> + List of Cipher suites to include. + </description> + </property> + + <property> <name>oozie.https.exclude.cipher.suites</name> <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5</value> <description> http://git-wip-us.apache.org/repos/asf/oozie/blob/d9a4d3f6/core/src/test/java/org/apache/oozie/service/TestConfigurationService.java ---------------------------------------------------------------------- diff --git a/core/src/test/java/org/apache/oozie/service/TestConfigurationService.java b/core/src/test/java/org/apache/oozie/service/TestConfigurationService.java index f18a8c0..42ffdbe 100644 --- a/core/src/test/java/org/apache/oozie/service/TestConfigurationService.java +++ b/core/src/test/java/org/apache/oozie/service/TestConfigurationService.java 
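Review bot: The descriptions added for `oozie.https.exclude.protocols` ("Disabled TLS protocols.") and `oozie.https.include.cipher.suites` ("List of Cipher suites to include.") do not tell an operator the value format, what the empty default means, or how the keys interact with the existing `oozie.https.include.protocols` / `oozie.https.exclude.cipher.suites` pair. I would expand them to something like `Comma-separated list of TLS protocol names to disable on the embedded Jetty connector. Empty (the default) disables nothing beyond Jetty's own defaults.` and `Comma-separated list of cipher suite names to enable. Empty (the default) leaves Jetty's default selection in place; entries in oozie.https.exclude.cipher.suites are still removed.` Since the unchanged `oozie.https.include.protocols` default still lists `TLSv1` and `SSLv2Hello` (see the assertions in TestConfigurationService in this commit), it is worth saying that `exclude.protocols` is the intended way to drop them; as far as I recall Jetty's SslContextFactory applies exclusions after inclusions, which is what makes that work, but confirm before stating it in the description.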
@@ -276,6 +276,16 @@ public class TestConfigurationService extends XTestCase { assertEquals(5000, ConfigurationService.getInt(SLAService.CONF_CAPACITY)); assertEquals(11000, ConfigurationService.getInt("oozie.http.port")); assertEquals(11443, ConfigurationService.getInt("oozie.https.port")); + assertFalse(ConfigurationService.getBoolean("oozie.https.enabled")); + assertEquals(65536, ConfigurationService.getInt("oozie.http.response.header.size")); + assertEquals(65536, ConfigurationService.getInt("oozie.http.request.header.size")); + assertEquals("TLSv1,SSLv2Hello,TLSv1.1,TLSv1.2", ConfigurationService.get("oozie.https.include.protocols")); + assertEquals("", ConfigurationService.get("oozie.https.exclude.protocols")); + assertEquals("", ConfigurationService.get("oozie.https.include.cipher.suites")); + assertEquals("TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA," + + "SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA," + + "SSL_RSA_WITH_RC4_128_MD5", ConfigurationService.get("oozie.https.exclude.cipher.suites")); + assertEquals(150, ConfigurationService.getInt("oozie.server.threadpool.max.threads")); cl.destroy(); } http://git-wip-us.apache.org/repos/asf/oozie/blob/d9a4d3f6/release-log.txt ---------------------------------------------------------------------- diff --git a/release-log.txt b/release-log.txt index 577e071..21cc717 100644 --- a/release-log.txt +++ b/release-log.txt 
@@ -1,5 +1,6 @@
 -- Oozie 4.4.0 release (trunk - unreleased)
+OOZIE-2756 Extend HTTPS configuration settings for embedded Jetty (asasvari via abhishekbafna)
 OOZIE-2727 OozieDBCLI creates temporary directories and do not delete them (gezapeti via rkanter)
 OOZIE-2728 Typo in Error E0405 (gezapeti via rkanter)
 OOZIE-2748 NPE in LauncherMapper.printArgs() (pbacsko via rkanter)
http://git-wip-us.apache.org/repos/asf/oozie/blob/d9a4d3f6/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java b/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
index 2797cf4..1ab0ec4 100644
--- a/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
+++ b/server/src/main/java/org/apache/oozie/server/SSLServerConnectorFactory.java
@@ -44,6 +44,10 @@ class SSLServerConnectorFactory {
 public static final String OOZIE_HTTPS_TRUSTSTORE_PASS = "oozie.https.truststore.pass";
 public static final String OOZIE_HTTPS_KEYSTORE_PASS = "oozie.https.keystore.pass";
 public static final String OOZIE_HTTPS_KEYSTORE_FILE = "oozie.https.keystore.file";
+ public static final String OOZIE_HTTPS_EXCLUDE_PROTOCOLS = "oozie.https.exclude.protocols";
+ public static final String OOZIE_HTTPS_INCLUDE_PROTOCOLS = "oozie.https.include.protocols";
+ public static final String OOZIE_HTTPS_INCLUDE_CIPHER_SUITES = "oozie.https.include.cipher.suites";
+ public static final String OOZIE_HTTPS_EXCLUDE_CIPHER_SUITES = "oozie.https.exclude.cipher.suites";
 private SslContextFactory sslContextFactory;
 private Configuration conf;
@@ -69,7 +73,11 @@ class SSLServerConnectorFactory {
 String.format("Invalid port number specified: \'%d\'. It should be between 1 and 65535.", oozieHttpsPort));
 setIncludeProtocols();
- setCipherSuites();
+ setExcludeProtocols();
+
+ setIncludeCipherSuites();
+ setExludeCipherSuites();
+
 setTrustStorePath();
 setTrustStorePass();
@@ -87,22 +95,44 @@ class SSLServerConnectorFactory {
 return secureServerConnector;
 }
- private void setCipherSuites() {
- String excludeCipherList = conf.get("oozie.https.exclude.cipher.suites");
+ private void setExludeCipherSuites() {
+ String excludeCipherList = conf.get(OOZIE_HTTPS_EXCLUDE_CIPHER_SUITES);
 String[] excludeCipherSuites = excludeCipherList.split(",");
 sslContextFactory.setExcludeCipherSuites(excludeCipherSuites);
 LOG.info(String.format("SSL context - excluding cipher suites: %s", Arrays.toString(excludeCipherSuites)));
 }
+ private void setIncludeCipherSuites() {
+ String includeCipherList = conf.get(OOZIE_HTTPS_INCLUDE_CIPHER_SUITES);
+ if (includeCipherList == null || includeCipherList.isEmpty()) {
+ return;
+ }
+
+ String[] includeCipherSuites = includeCipherList.split(",");
+ sslContextFactory.setIncludeCipherSuites(includeCipherSuites);
+
+ LOG.info(String.format("SSL context - including cipher suites: %s", Arrays.toString(includeCipherSuites)));
+ }
+
 private void setIncludeProtocols() {
- String enabledProtocolsList = conf.get("oozie.https.include.protocols");
+ String enabledProtocolsList = conf.get(OOZIE_HTTPS_INCLUDE_PROTOCOLS);
 String[] enabledProtocols = enabledProtocolsList.split(",");
 sslContextFactory.setIncludeProtocols(enabledProtocols);
 LOG.info(String.format("SSL context - including protocols: %s", Arrays.toString(enabledProtocols)));
 }
+ private void setExcludeProtocols() {
+ String excludedProtocolsList = conf.get(OOZIE_HTTPS_EXCLUDE_PROTOCOLS);
+ if (excludedProtocolsList == null || excludedProtocolsList.isEmpty()) {
+ return;
+ }
+ String[] excludedProtocols = excludedProtocolsList.split(",");
+ sslContextFactory.setExcludeProtocols(excludedProtocols);
+ LOG.info(String.format("SSL context - excluding protocols: %s", Arrays.toString(excludedProtocols)));
+ }
+
 private void setTrustStorePath() {
 String trustStorePath = conf.get(OOZIE_HTTPS_TRUSTSTORE_FILE);
 Preconditions.checkNotNull(trustStorePath, "trustStorePath is null");
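Review bot: `setExludeCipherSuites` and `setIncludeProtocols` still call `split(",")` directly on the result of `conf.get(...)`, so an unset key fails with a bare NullPointerException, while the two new methods (`setIncludeCipherSuites`, `setExcludeProtocols`) return early on a null or empty value; the four setters should share one policy. Two further gaps in the same lines: an empty `oozie.https.exclude.cipher.suites` reaches Jetty as a single empty-string pattern, because `"".split(",")` yields `[""]`, and a value written with spaces after the commas keeps the leading space on every entry after the first, so that protocol or suite name will never match. The new method's name also has a typo, `setExludeCipherSuites`, which is mirrored at the call site in the previous hunk. One small helper that trims and treats null/blank as "not configured", used by all four setters, addresses all three; the sketch below rewrites the exclude-cipher setter, and the other three would call `splitList` the same way.
```java
    /** Splits a comma-separated config value; returns an empty array when the key is unset or blank. */
    private String[] splitList(String key) {
        String value = conf.get(key);
        if (value == null || value.trim().isEmpty()) {
            return new String[0];
        }
        return value.trim().split("\\s*,\\s*");
    }

    private void setExcludeCipherSuites() {
        String[] excludeCipherSuites = splitList(OOZIE_HTTPS_EXCLUDE_CIPHER_SUITES);
        if (excludeCipherSuites.length == 0) {
            return; // nothing configured: Jetty's own default exclusions stay in force
        }
        sslContextFactory.setExcludeCipherSuites(excludeCipherSuites);
        LOG.info(String.format("SSL context - excluding cipher suites: %s", Arrays.toString(excludeCipherSuites)));
    }
    // … unchanged: setIncludeCipherSuites, setIncludeProtocols, setExcludeProtocols, setTrustStorePath …
```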
http://git-wip-us.apache.org/repos/asf/oozie/blob/d9a4d3f6/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
----------------------------------------------------------------------
diff --git a/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java b/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
index 9634da8..da1a246 100644
--- a/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
+++ b/server/src/test/java/org/apache/oozie/server/TestSSLServerConnectorFactory.java
@@ -22,6 +22,7 @@ import org.apache.hadoop.conf.Configuration;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
+
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
@@ -29,7 +30,19 @@ import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.runners.MockitoJUnitRunner;
+import static org.apache.oozie.server.HttpConfigurationWrapper.OOZIE_HTTP_REQUEST_HEADER_SIZE;
+import static org.apache.oozie.server.HttpConfigurationWrapper.OOZIE_HTTP_RESPONSE_HEADER_SIZE;
+import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_EXCLUDE_CIPHER_SUITES;
+import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_EXCLUDE_PROTOCOLS;
+import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_INCLUDE_CIPHER_SUITES;
+import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_INCLUDE_PROTOCOLS;
+import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_KEYSTORE_FILE;
+import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_KEYSTORE_PASS;
+import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_TRUSTSTORE_FILE;
+import static org.apache.oozie.server.SSLServerConnectorFactory.OOZIE_HTTPS_TRUSTSTORE_PASS;
+import static org.apache.oozie.util.ConfigUtils.OOZIE_HTTP_PORT;
 import static org.mockito.Matchers.anyString;
+import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoMoreInteractions;
@@ -48,19 +61,20 @@ public class TestSSLServerConnectorFactory { @Before public void setUp() { testConfig = new Configuration(); - testConfig.set("oozie.https.truststore.file", "test_truststore_file"); - testConfig.set("oozie.https.truststore.pass", "trustpass"); - testConfig.set("oozie.https.keystore.file", "test_keystore_file"); - testConfig.set("oozie.https.keystore.pass", "keypass"); - testConfig.set("oozie.http.port", "11000"); - testConfig.set("oozie.http.request.header.size", "65536"); - testConfig.set("oozie.http.response.header.size", "65536"); - testConfig.set("oozie.https.include.protocols", "TLSv1,SSLv2Hello,TLSv1.1,TLSv1.2"); - testConfig.set("oozie.https.exclude.cipher.suites", + testConfig.set(OOZIE_HTTPS_TRUSTSTORE_FILE, "test_truststore_file"); + testConfig.set(OOZIE_HTTPS_TRUSTSTORE_PASS, "trustpass"); + testConfig.set(OOZIE_HTTPS_KEYSTORE_FILE, "test_keystore_file"); + testConfig.set(OOZIE_HTTPS_KEYSTORE_PASS, "keypass"); + testConfig.set(OOZIE_HTTP_PORT, "11000"); + testConfig.set(OOZIE_HTTP_REQUEST_HEADER_SIZE, "65536"); + testConfig.set(OOZIE_HTTP_RESPONSE_HEADER_SIZE, "65536"); + testConfig.set(OOZIE_HTTPS_INCLUDE_PROTOCOLS, "TLSv1,SSLv2Hello,TLSv1.1,TLSv1.2"); + testConfig.set(OOZIE_HTTPS_EXCLUDE_PROTOCOLS, ""); + testConfig.set(OOZIE_HTTPS_EXCLUDE_CIPHER_SUITES, "TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA," + "SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA," + "SSL_RSA_WITH_RC4_128_MD5"); - + testConfig.set(OOZIE_HTTPS_INCLUDE_CIPHER_SUITES, ""); sslServerConnectorFactory = new SSLServerConnectorFactory(mockSSLContextFactory); } 
@@ -75,56 +89,57 @@ public class TestSSLServerConnectorFactory { mockSSLServerConnectorFactory); } - private void verifyDefaultExcludeCipherSuites() { - verify(mockSSLContextFactory).setExcludeCipherSuites( - "TLS_ECDHE_RSA_WITH_RC4_128_SHA", - "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", - "SSL_RSA_WITH_DES_CBC_SHA", - "SSL_DHE_RSA_WITH_DES_CBC_SHA", - "SSL_RSA_EXPORT_WITH_RC4_40_MD5", - "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", - "SSL_RSA_WITH_RC4_128_MD5"); - } + @Test + public void includeProtocolsCanBeSetViaConfig() throws Exception { + SSLServerConnectorFactory sslServerConnectorFactory = new SSLServerConnectorFactory(mockSSLContextFactory); + testConfig.set(OOZIE_HTTPS_INCLUDE_PROTOCOLS, "TLSv1,TLSv1.2"); + sslServerConnectorFactory.createSecureServerConnector(42, testConfig, mockServer); - private void verifyDefaultIncludeProtocols() { verify(mockSSLContextFactory).setIncludeProtocols( "TLSv1", - "SSLv2Hello", - "TLSv1.1", "TLSv1.2"); } @Test - public void includeProtocolsHaveDefaultValues() throws Exception { + public void emptyExcludeProtocolsAreNotSet() throws Exception { sslServerConnectorFactory.createSecureServerConnector(42, testConfig, mockServer); - - verifyDefaultIncludeProtocols(); - verifyDefaultExcludeCipherSuites(); + verify(mockSSLContextFactory, never()).setExcludeProtocols(anyString()); } @Test - public void includeProtocolsCanBeSetViaConfigFile() throws Exception { + public void excludeProtocolsCanBeSetViaConfig() throws Exception { SSLServerConnectorFactory sslServerConnectorFactory = new SSLServerConnectorFactory(mockSSLContextFactory); - testConfig.set("oozie.https.include.protocols", "TLSv1,TLSv1.2"); + testConfig.set(OOZIE_HTTPS_INCLUDE_PROTOCOLS, "TLSv1,TLSv1.2"); + testConfig.set(OOZIE_HTTPS_EXCLUDE_PROTOCOLS, "TLSv1"); sslServerConnectorFactory.createSecureServerConnector(42, testConfig, mockServer); verify(mockSSLContextFactory).setIncludeProtocols( "TLSv1", "TLSv1.2"); + + verify(mockSSLContextFactory).setExcludeProtocols( + "TLSv1"); } 
@Test - public void excludeCipherSuitesHaveDefaultValues() throws Exception { + public void emptyIncludeCipherSuitesAreNotSet() throws Exception { sslServerConnectorFactory.createSecureServerConnector(42, testConfig, mockServer); + verify(mockSSLContextFactory, never()).setIncludeCipherSuites(anyString()); + } - verifyDefaultExcludeCipherSuites(); - verifyDefaultIncludeProtocols(); + @Test + public void includeCipherSuitesCanBeSetViaConfig() throws Exception { + testConfig.set(OOZIE_HTTPS_INCLUDE_CIPHER_SUITES, "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"); + + sslServerConnectorFactory.createSecureServerConnector(42, testConfig, mockServer); + verify(mockSSLContextFactory).setIncludeCipherSuites("SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"); } + @Test - public void excludeCipherSuitesCanBeSetViaConfigFile() throws Exception { - testConfig.set("oozie.https.exclude.cipher.suites","TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA," - + "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"); + public void excludeCipherSuitesCanBeSetViaConfig() throws Exception { + testConfig.set(OOZIE_HTTPS_EXCLUDE_CIPHER_SUITES, "TLS_ECDHE_RSA_WITH_RC4_128_SHA," + + "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"); sslServerConnectorFactory.createSecureServerConnector(42, testConfig, mockServer); @@ -132,6 +147,5 @@ public class TestSSLServerConnectorFactory { "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"); - verifyDefaultIncludeProtocols(); } }
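Review bot: The two negative tests, `emptyExcludeProtocolsAreNotSet` and `emptyIncludeCipherSuitesAreNotSet`, verify with `never()` and a single `anyString()` against varargs setters (`setExcludeProtocols(String...)`, `setIncludeCipherSuites(String...)`); as far as I can tell from Mockito 1.x semantics (the `org.mockito.runners.MockitoJUnitRunner` and `org.mockito.Matchers` imports suggest that line), one matcher in a varargs position only matches a one-element call, so a regression that passed two or more elements would still let the `never()` check pass. Matching any argument list makes the guard meaningful: `verify(mockSSLContextFactory, never()).setExcludeProtocols(anyVararg());` and likewise `verify(mockSSLContextFactory, never()).setIncludeCipherSuites(anyVararg());`, with `import static org.mockito.Matchers.anyVararg;` added to the import hunk above. The `"".split(",")` case these tests guard is the one the factory's older setters still do not handle, so it is worth also adding a test that an empty `oozie.https.exclude.cipher.suites` does not reach the context factory as `""`.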
