This is an automated email from the ASF dual-hosted git repository.
dhavalshah9131 pushed a commit to branch ranger-2.3
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.3 by this push:
new 55496d5 RANGER-3673 : Need to enable cipher configuration for Usersync
55496d5 is described below
commit 55496d57776ed0417d66733780371ac29c26b67c
Author: Vishal Suvagia <[email protected]>
AuthorDate: Tue Mar 1 14:06:10 2022 +0530
RANGER-3673 : Need to enable cipher configuration for Usersync
Issue:
Currently Ranger Usersync supports enabling TLS, but does not allow the
cipher suites to be configured.
Need to provide a property to configure the same.
Changes:
Made ciphers configurable for Ranger Usersync.
---
.../authentication/UnixAuthenticationService.java | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git
a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
index 03d2302..d03f450 100644
---
a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
+++
b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
@@ -79,6 +79,7 @@ public class UnixAuthenticationService {
private String keyStorePath;
private String keyStoreType;
private List<String> enabledProtocolsList;
+ private List<String> enabledCipherSuiteList;
private String keyStorePathPassword;
private String trustStorePath;
private String trustStorePathPassword;
@@ -227,7 +228,9 @@ public class UnixAuthenticationService {
SSLEnabled = (SSLEnabledProp != null &&
(SSLEnabledProp.equalsIgnoreCase("true")));
String defaultEnabledProtocols = "TLSv1.2";
String enabledProtocols =
prop.getProperty("ranger.usersync.https.ssl.enabled.protocols",
defaultEnabledProtocols);
+ String enabledCipherSuites =
prop.getProperty("ranger.usersync.https.ssl.enabled.cipher.suites", "");
enabledProtocolsList=new
ArrayList<String>(Arrays.asList(enabledProtocols.toUpperCase().trim().split("\\s*,\\s*")));
+ enabledCipherSuiteList = new
ArrayList<String>(Arrays.asList(enabledCipherSuites.toUpperCase().trim().split("\\s*,\\s*")));
// LOG.info("Key:" + keyStorePath);
// LOG.info("KeyPassword:" + keyStorePathPassword);
// LOG.info("TrustStore:" + trustStorePath);
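Review bot: With the default value `""`, the `split("\\s*,\\s*")` on the added enabledCipherSuiteList line produces a one-element list containing the empty string rather than an empty list, so "not configured" is only represented indirectly and the third hunk's filter then matches nothing and relies on its `allowedCipherSuites.isEmpty()` guard to keep the JVM defaults. It is cleaner to make the empty case explicit: `String enabledCipherSuites = prop.getProperty("ranger.usersync.https.ssl.enabled.cipher.suites", "").trim();` followed by `enabledCipherSuiteList = enabledCipherSuites.isEmpty() ? new ArrayList<String>() : new ArrayList<String>(Arrays.asList(enabledCipherSuites.toUpperCase().split("\\s*,\\s*")));`. That also makes it possible for the consumer in the later hunk to distinguish "no restriction configured" from "restriction configured but no name matched a JVM-enabled suite", the latter currently leaving all default suites enabled with only a debug message; a WARN in that case would let an operator verify the restriction is actually in effect. As with the existing enabledProtocols line, `toUpperCase()` without `Locale.ROOT` is locale-sensitive, which can break matching of names such as `..._WITH_...` under some default locales; this presumably needs `java.util.Locale` in scope, which is not visible here.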
@@ -321,6 +324,23 @@ public class UnixAuthenticationService {
if (!allowedProtocols.isEmpty()) {
secureSocket.setEnabledProtocols(allowedProtocols.toArray(new String[0]));
}
+ String[] enabledCipherSuites =
secureSocket.getEnabledCipherSuites();
+ Set<String> allowedCipherSuites = new HashSet<String>();
+ for(String enabledCipherSuite : enabledCipherSuites) {
+ if
(enabledCipherSuiteList.contains(enabledCipherSuite)) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("Enabling CipherSuite
: [" + enabledCipherSuite + "]");
+ }
+
allowedCipherSuites.add(enabledCipherSuite);
+ } else {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("Disabling
CipherSuite : [" + enabledCipherSuite + "]");
+ }
+ }
+ }
+ if (!allowedCipherSuites.isEmpty()) {
+
secureSocket.setEnabledCipherSuites(allowedCipherSuites.toArray(new String[0]));
+ }
}