This is an automated email from the ASF dual-hosted git repository.

dhavalshah9131 pushed a commit to branch ranger-2.3
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.3 by this push:
     new 55496d5  RANGER-3673 : Need to enable cipher configuration for Usersync
55496d5 is described below

commit 55496d57776ed0417d66733780371ac29c26b67c
Author: Vishal Suvagia <[email protected]>
AuthorDate: Tue Mar 1 14:06:10 2022 +0530

    RANGER-3673 : Need to enable cipher configuration for Usersync
    
    Issue:
    Currently Ranger Usersync supports enabling TLS, but does not allow
cipher suites to be configured.
    Need to provide a property to configure the same.
    
    Changes:
    Made ciphers configurable for Ranger Usersync.
---
 .../authentication/UnixAuthenticationService.java    | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git 
a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
 
b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
index 03d2302..d03f450 100644
--- 
a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
+++ 
b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
@@ -79,6 +79,7 @@ public class UnixAuthenticationService {
        private String keyStorePath;
        private String keyStoreType;
        private List<String> enabledProtocolsList;
+       private List<String> enabledCipherSuiteList;
        private String keyStorePathPassword;
        private String trustStorePath;
        private String trustStorePathPassword;
@@ -227,7 +228,9 @@ public class UnixAuthenticationService {
                SSLEnabled = (SSLEnabledProp != null &&  
(SSLEnabledProp.equalsIgnoreCase("true")));
                String defaultEnabledProtocols = "TLSv1.2";
                String enabledProtocols = 
prop.getProperty("ranger.usersync.https.ssl.enabled.protocols", 
defaultEnabledProtocols);
+               String enabledCipherSuites = 
prop.getProperty("ranger.usersync.https.ssl.enabled.cipher.suites", "");
                enabledProtocolsList=new 
ArrayList<String>(Arrays.asList(enabledProtocols.toUpperCase().trim().split("\\s*,\\s*")));
+               enabledCipherSuiteList = new 
ArrayList<String>(Arrays.asList(enabledCipherSuites.toUpperCase().trim().split("\\s*,\\s*")));
 //             LOG.info("Key:" + keyStorePath);
 //             LOG.info("KeyPassword:" + keyStorePathPassword);
 //             LOG.info("TrustStore:" + trustStorePath);
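Review bot: With the default `""` on the new property, `"".split("\\s*,\\s*")` yields `[""]`, so `enabledCipherSuiteList` is a one-element list holding an empty string rather than an empty list; the later filtering still works only because no real suite name is empty, and any future `enabledCipherSuiteList.isEmpty()` check would never fire. It would be clearer to drop blank entries after splitting, e.g. `enabledCipherSuiteList.removeIf(String::isEmpty);` right after the assignment on the added line. The same caveat already applies to `enabledProtocolsList` on the line above, if its property is ever set to an empty string. The enclosing method starts and ends outside this hunk.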
@@ -321,6 +324,23 @@ public class UnixAuthenticationService {
                        if (!allowedProtocols.isEmpty()) {
                                
secureSocket.setEnabledProtocols(allowedProtocols.toArray(new String[0]));
                        }
+                       String[] enabledCipherSuites = 
secureSocket.getEnabledCipherSuites();
+                       Set<String> allowedCipherSuites = new HashSet<String>();
+                       for(String enabledCipherSuite : enabledCipherSuites) {
+                               if 
(enabledCipherSuiteList.contains(enabledCipherSuite)) {
+                                       if(LOG.isDebugEnabled()) {
+                                               LOG.debug("Enabling CipherSuite 
: [" + enabledCipherSuite + "]");
+                                       }
+                                       
allowedCipherSuites.add(enabledCipherSuite);
+                               } else {
+                                       if(LOG.isDebugEnabled()) {
+                                               LOG.debug("Disabling 
CipherSuite : [" + enabledCipherSuite + "]");
+                                       }
+                               }
+                       }
+                       if (!allowedCipherSuites.isEmpty()) {
+                               
secureSocket.setEnabledCipherSuites(allowedCipherSuites.toArray(new String[0]));
+                       }
                }
                
                                
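Review bot: When none of the configured cipher suites match what the socket offers (typo, or a name the JVM does not support), `allowedCipherSuites` stays empty and the final `if` silently leaves the JVM default suite list active, so an operator who believes they have restricted ciphers gets no signal that the restriction had no effect. A warning in that branch would make the failure visible, e.g. `} else if (!enabledCipherSuiteList.isEmpty()) { LOG.warn("None of the configured cipher suites are supported by the socket; using JVM defaults"); }` (guarding on the configured list so the unconfigured default case stays quiet). The debug messages on the added lines only report suites the socket already offers, so a configured name that is absent from `getEnabledCipherSuites()` is never logged at all; logging configured-but-unavailable names would help diagnose this. `Set`/`HashSet` are used here but the import block is not in the hunk, so please confirm they are imported. The enclosing method starts and ends outside this hunk.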
